Heap::isMarked() shouldn't pay the price of concurrent lazy flipping
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2016-09-08  Filip Pizlo  <fpizlo@apple.com>
2
3         Heap::isMarked() shouldn't pay the price of concurrent lazy flipping
4         https://bugs.webkit.org/show_bug.cgi?id=161760
5
6         Reviewed by Mark Lam.
7         
8         To fix a race condition in marking, I made Heap::isMarked() and Heap::isLive() atomic by
9         using flipIfNecessaryConcurrently() instead of flipIfNecessary().
10         
11         This introduces three unnecessary overheads:
12         
13         - isLive() is not called by marking, so that change was not necessary.
14         
15         - isMarked() gets calls many times outside of marking, so it shouldn't always do the
16           concurrent thing. This adds isMarkedConcurrently() for use in marking, and reverts
17           isMarked().
18         
19         - isMarked() and isMarkedConcurrently() don't actually have to do the lazy flip. They can
20           return false if the flip is necessary.
21         
22         I added a bunch of debug assertions to make sure that isLive() and isMarked() are not called
23         during marking.
24         
25         If we needed to, we could remove most of the calls to isMarkedConcurrently(). As a kind of
26         optimization, CodeBlock does an initial fixpoint iteration during marking, and so all of the
27         code called from CodeBlock's fixpoint iterator needs to use isMarkedConcurrently(). But we
28         could probably arrange for CodeBlock only do fixpoint iterating during the weak reference
29         thing.
30
31         * bytecode/CodeBlock.cpp:
32         (JSC::CodeBlock::visitWeakly):
33         (JSC::CodeBlock::shouldJettisonDueToOldAge):
34         (JSC::shouldMarkTransition):
35         (JSC::CodeBlock::propagateTransitions):
36         (JSC::CodeBlock::determineLiveness):
37         * bytecode/PolymorphicAccess.cpp:
38         (JSC::AccessCase::propagateTransitions):
39         * heap/Heap.h:
40         * heap/HeapInlines.h:
41         (JSC::Heap::isLive):
42         (JSC::Heap::isMarked):
43         (JSC::Heap::isMarkedConcurrently):
44         * heap/MarkedBlock.cpp:
45         (JSC::MarkedBlock::flipIfNecessarySlow):
46         (JSC::MarkedBlock::flipIfNecessaryConcurrentlySlow):
47         (JSC::MarkedBlock::needsFlip):
48         * heap/MarkedBlock.h:
49         (JSC::MarkedBlock::needsFlip):
50         (JSC::MarkedBlock::flipIfNecessary):
51         (JSC::MarkedBlock::flipIfNecessaryConcurrently):
52         * heap/SlotVisitor.cpp:
53         (JSC::SlotVisitor::appendToMarkStack):
54         (JSC::SlotVisitor::markAuxiliary):
55         (JSC::SlotVisitor::visitChildren):
56         * runtime/Structure.cpp:
57         (JSC::Structure::isCheapDuringGC):
58         (JSC::Structure::markIfCheap):
59
60 2016-09-08  Saam Barati  <sbarati@apple.com>
61
62         We should inline operationConvertJSValueToBoolean into JIT code
63         https://bugs.webkit.org/show_bug.cgi?id=161729
64
65         Reviewed by Filip Pizlo.
66
67         This patch introduces an AssemblyHelpers emitter function
68         that replaces operationConvertJSValueToBoolean. This operation
69         was showing up when I was doing performance analysis for the
70         speedometer benchmark. I saw that it was spending about 1% of
71         its time in this function. Hopefully this patch can help us speedup
72         up speedometer by a little bit.
73
74         * dfg/DFGSpeculativeJIT32_64.cpp:
75         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
76         (JSC::DFG::SpeculativeJIT::emitBranch):
77         * dfg/DFGSpeculativeJIT64.cpp:
78         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
79         (JSC::DFG::SpeculativeJIT::emitBranch):
80         * jit/AssemblyHelpers.cpp:
81         (JSC::AssemblyHelpers::emitConvertValueToBoolean):
82         * jit/AssemblyHelpers.h:
83         (JSC::AssemblyHelpers::emitAllocateDestructibleObject): Deleted.
84         * jit/JIT.cpp:
85         (JSC::JIT::privateCompileSlowCases):
86         * jit/JIT.h:
87         * jit/JITOpcodes.cpp:
88         (JSC::JIT::emit_op_jfalse):
89         (JSC::JIT::emit_op_jtrue):
90         (JSC::JIT::emitSlow_op_jfalse): Deleted.
91         (JSC::JIT::emitSlow_op_jtrue): Deleted.
92         * jit/JITOpcodes32_64.cpp:
93         (JSC::JIT::emit_op_jfalse):
94         (JSC::JIT::emit_op_jtrue):
95         (JSC::JIT::emitSlow_op_jfalse): Deleted.
96         (JSC::JIT::emitSlow_op_jtrue): Deleted.
97         * jit/JITOperations.cpp:
98         * jit/JITOperations.h:
99
100 2016-09-08  Chris Dumez  <cdumez@apple.com>
101
102         Align proto getter / setter behavior with other browsers
103         https://bugs.webkit.org/show_bug.cgi?id=161455
104
105         Reviewed by Saam Barati.
106
107         Drop allowsAccessFrom from the methodTable and delegate cross-origin
108         checking to the DOM bindings for [[SetPrototypeOf]] / [[GetPrototypeOf]].
109         This is more consistent with other operations (e.g. [[GetOwnProperty]]).
110
111         * jsc.cpp:
112         * runtime/JSGlobalObject.cpp:
113         * runtime/JSGlobalObject.h:
114         * runtime/JSGlobalObjectFunctions.cpp:
115         (JSC::globalFuncProtoGetter):
116         (JSC::globalFuncProtoSetter):
117         (JSC::globalFuncBuiltinLog): Deleted.
118         * runtime/JSGlobalObjectFunctions.h:
119         * runtime/JSObject.cpp:
120         (JSC::JSObject::setPrototypeWithCycleCheck):
121         Remove check added in r197648. This check was added to match
122         the latest EcmaScript spec:
123         - https://tc39.github.io/ecma262/#sec-ordinarysetprototypeof (step 8)
124         This check allowed for [[Prototype]] chain cycles if the prototype
125         chain includes objects that do not use the ordinary object definitions
126         for [[GetPrototypeOf]] and [[SetPrototypeOf]].
127         The issue is that the rest of our code base does not properly handle
128         such cycles and we can end up in infinite loops. This became obvious
129         because this patch updates Window / Location so that they no longer
130         use the default [[GetPrototypeOf]] / [[SetPrototypeOf]]. If I do not
131         remove this check, I get an infinite loop in
132         Structure::anyObjectInChainMayInterceptIndexedAccesses(), which is
133         called from JSObject::setPrototypeDirect(), when running the following
134         layout test:
135         - html/browsers/history/the-location-interface/allow_prototype_cycle_through_location.sub.html
136         I filed https://bugs.webkit.org/show_bug.cgi?id=161534 to track this
137         issue.
138
139         * runtime/JSObject.h:
140         (JSC::JSObject::getArrayLength): Deleted.
141         * runtime/JSProxy.cpp:
142         (JSC::JSProxy::setPrototype):
143         (JSC::JSProxy::getPrototype):
144         * runtime/JSProxy.h:
145         * runtime/ObjectConstructor.cpp:
146         (JSC::objectConstructorGetPrototypeOf):
147         (JSC::objectConstructorSetPrototypeOf):
148         (JSC::objectConstructorGetOwnPropertyDescriptor): Deleted.
149         (JSC::objectConstructorGetOwnPropertyDescriptors): Deleted.
150         * runtime/ObjectConstructor.h:
151         * runtime/ReflectObject.cpp:
152         (JSC::reflectObjectGetPrototypeOf):
153         (JSC::reflectObjectSetPrototypeOf):
154
155 2016-09-08  Filip Pizlo  <fpizlo@apple.com>
156
157         Remove CopiedSpace and use MarkedSpace instead
158         https://bugs.webkit.org/show_bug.cgi?id=159658
159
160         Reviewed by Keith Miller.
161         
162         This removes the final client of CopiedSpace, the overrides array of DirectArguments. That
163         is a simple change.
164         
165         Then this stubs out some remaining internal debugging code that referenced CopiedSpace in
166         JSDollarVM and HeapVerifier. I filed FIXMEs to restore that debugging functionality.
167         
168         The rest of this patch is deleting CopiedSpace.
169
170         * API/JSObjectRef.cpp:
171         * CMakeLists.txt:
172         * JavaScriptCore.xcodeproj/project.pbxproj:
173         * dfg/DFGOperations.cpp:
174         * heap/ConservativeRoots.cpp:
175         (JSC::ConservativeRoots::genericAddPointer):
176         * heap/CopiedAllocator.h: Removed.
177         * heap/CopiedBlock.cpp: Removed.
178         * heap/CopiedBlock.h: Removed.
179         * heap/CopiedBlockInlines.h: Removed.
180         * heap/CopiedSpace.cpp: Removed.
181         * heap/CopiedSpace.h: Removed.
182         * heap/CopiedSpaceInlines.h: Removed.
183         * heap/CopyBarrier.h: Removed.
184         * heap/CopyToken.h: Removed.
185         * heap/CopyVisitor.cpp: Removed.
186         * heap/CopyVisitor.h: Removed.
187         * heap/CopyVisitorInlines.h: Removed.
188         * heap/CopyWorkList.h: Removed.
189         * heap/Heap.cpp:
190         (JSC::Heap::Heap):
191         (JSC::Heap::isPagedOut):
192         (JSC::Heap::updateObjectCounts):
193         (JSC::Heap::size):
194         (JSC::Heap::capacity):
195         (JSC::Heap::collectImpl):
196         (JSC::Heap::stopAllocation):
197         (JSC::Heap::updateAllocationLimits):
198         (JSC::Heap::copyBackingStores): Deleted.
199         (JSC::Heap::threadBytesCopied): Deleted.
200         * heap/Heap.h:
201         (JSC::Heap::objectSpace):
202         (JSC::Heap::allocatorForAuxiliaryData):
203         (JSC::Heap::storageSpace): Deleted.
204         (JSC::Heap::storageAllocator): Deleted.
205         * heap/HeapCellInlines.h:
206         * heap/HeapInlines.h:
207         (JSC::Heap::tryAllocateStorage): Deleted.
208         (JSC::Heap::tryReallocateStorage): Deleted.
209         * heap/HeapVerifier.cpp:
210         (JSC::HeapVerifier::verifyButterflyIsInStorageSpace):
211         (JSC::HeapVerifier::reportObject):
212         (JSC::getButterflyDetails): Deleted.
213         * heap/SlotVisitor.cpp:
214         (JSC::SlotVisitor::copyLater): Deleted.
215         * heap/SlotVisitor.h:
216         * jit/AssemblyHelpers.h:
217         * jit/JITOpcodes.cpp:
218         * jsc.cpp:
219         * runtime/ArrayConstructor.cpp:
220         * runtime/ArrayPrototype.cpp:
221         * runtime/Butterfly.h:
222         * runtime/ButterflyInlines.h:
223         (JSC::Butterfly::createUninitializedDuringCollection): Deleted.
224         * runtime/ClassInfo.h:
225         * runtime/DirectArguments.cpp:
226         (JSC::DirectArguments::visitChildren):
227         (JSC::DirectArguments::overrideThings):
228         (JSC::DirectArguments::copyBackingStore): Deleted.
229         * runtime/DirectArguments.h:
230         * runtime/JSArray.cpp:
231         * runtime/JSCell.cpp:
232         (JSC::JSCell::copyBackingStore): Deleted.
233         * runtime/JSCell.h:
234         * runtime/JSLexicalEnvironment.h:
235         * runtime/JSObject.cpp:
236         * runtime/JSTypedArrays.cpp:
237         * runtime/LiteralParser.cpp:
238         * runtime/ObjectConstructor.cpp:
239         * runtime/RegExpObject.cpp:
240         * runtime/StringPrototype.cpp:
241         * runtime/WeakMapData.cpp:
242         * tools/JSDollarVMPrototype.cpp:
243         (JSC::JSDollarVMPrototype::isInStorageSpace):
244
245 2016-09-08  Filip Pizlo  <fpizlo@apple.com>
246
247         Heap version should be 32-bit
248         https://bugs.webkit.org/show_bug.cgi?id=161751
249
250         Reviewed by Mark Lam.
251         
252         32-bit devices are probably getting hurt by the 64-bit version number. The reason why I made
253         it 64-bit initially is so that I wouldn't have to worry about wrap-around. But wrap-around is
254         easy to handle.
255
256         * heap/CellContainer.h:
257         * heap/CellContainerInlines.h:
258         (JSC::CellContainer::flipIfNecessary):
259         * heap/ConservativeRoots.cpp:
260         (JSC::ConservativeRoots::genericAddPointer):
261         (JSC::ConservativeRoots::genericAddSpan):
262         * heap/ConservativeRoots.h:
263         * heap/Heap.h:
264         * heap/HeapInlines.h:
265         (JSC::Heap::testAndSetMarked):
266         * heap/HeapUtil.h:
267         (JSC::HeapUtil::findGCObjectPointersForMarking):
268         * heap/MarkedBlock.cpp:
269         (JSC::MarkedBlock::MarkedBlock):
270         * heap/MarkedBlock.h:
271         (JSC::MarkedBlock::flipIfNecessary):
272         (JSC::MarkedBlock::flipIfNecessaryConcurrently):
273         (JSC::MarkedBlock::Handle::flipIfNecessary):
274         (JSC::MarkedBlock::Handle::flipIfNecessaryConcurrently):
275         * heap/MarkedSpace.cpp:
276         (JSC::MarkedSpace::flip):
277         * heap/MarkedSpace.h:
278         (JSC::MarkedSpace::version):
279         * heap/SlotVisitor.cpp:
280         (JSC::SlotVisitor::SlotVisitor):
281         * heap/SlotVisitor.h:
282
283 2016-09-08  Mark Lam  <mark.lam@apple.com>
284
285         Add support for a ternary sub32 emitter for ARM64 and 32-bit ARM.
286         https://bugs.webkit.org/show_bug.cgi?id=161724
287
288         Reviewed by Filip Pizlo.
289
290         ARM architectures support ternary sub instructions.  We should make use of them
291         in emitAllocateWithNonNullAllocator().
292
293         * assembler/MacroAssemblerARM.h:
294         (JSC::MacroAssemblerARM::sub32):
295         * assembler/MacroAssemblerARM64.h:
296         (JSC::MacroAssemblerARM64::sub32):
297         * assembler/MacroAssemblerARMv7.h:
298         (JSC::MacroAssemblerARMv7::sub32):
299         * assembler/MacroAssemblerSH4.h:
300         (JSC::MacroAssemblerSH4::sub32):
301         * assembler/MacroAssemblerX86Common.h:
302         (JSC::MacroAssemblerX86Common::sub32):
303         * b3/air/AirOpcode.opcodes:
304         * b3/testb3.cpp:
305         (JSC::B3::testTernarySubInstructionSelection):
306         (JSC::B3::run):
307         * jit/AssemblyHelpers.h:
308         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
309
310 2016-09-08  Filip Pizlo  <fpizlo@apple.com>
311
312         Move JSMap/JSSet over to Auxiliary MarkedSpace
313         https://bugs.webkit.org/show_bug.cgi?id=161744
314
315         Reviewed by Saam Barati.
316         
317         This moves the buffer out of CopiedSpace and into Auxiliary MarkedSpace.
318         
319         Also removes MapData.h/MapDataInlines.h since they are not used anywhere, but they still
320         speak of CopiedSpace.
321         
322         This is a purely mechanical change.
323
324         * JavaScriptCore.xcodeproj/project.pbxproj:
325         * heap/CopyToken.h:
326         * runtime/HashMapImpl.cpp:
327         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
328         (JSC::HashMapImpl<HashMapBucket>::copyBackingStore): Deleted.
329         * runtime/HashMapImpl.h:
330         (JSC::HashMapBuffer::create):
331         * runtime/JSMapIterator.cpp:
332         * runtime/JSMapIterator.h:
333         * runtime/JSSetIterator.cpp:
334         * runtime/JSSetIterator.h:
335         * runtime/MapBase.cpp:
336         * runtime/MapData.h: Removed.
337         * runtime/MapDataInlines.h: Removed.
338         * runtime/MapPrototype.cpp:
339         * runtime/SetConstructor.cpp:
340         * runtime/SetPrototype.cpp:
341         * runtime/VM.cpp:
342
343 2016-09-06  Filip Pizlo  <fpizlo@apple.com>
344
345         Typed arrays should use MarkedSpace instead of CopiedSpace
346         https://bugs.webkit.org/show_bug.cgi?id=161100
347
348         Reviewed by Geoffrey Garen.
349         
350         This moves typed array backing stores out of CopiedSpace and into Auxiliary MarkedSpace.
351         
352         This is a purely mechanical change since Auxiliary MarkedSpace already knows how to do
353         everything that typed arrays want.
354
355         * dfg/DFGOperations.cpp:
356         (JSC::DFG::newTypedArrayWithSize):
357         * dfg/DFGOperations.h:
358         (JSC::DFG::operationNewTypedArrayWithSizeForType):
359         * dfg/DFGSpeculativeJIT.cpp:
360         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
361         * dfg/DFGSpeculativeJIT.h:
362         (JSC::DFG::SpeculativeJIT::callOperation):
363         (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage): Deleted.
364         * ftl/FTLLowerDFGToB3.cpp:
365         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
366         (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
367         (JSC::FTL::DFG::LowerDFGToB3::splatWords):
368         (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorageAndGetEnd): Deleted.
369         (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorage): Deleted.
370         * heap/CopyToken.h:
371         * heap/SlotVisitor.cpp:
372         (JSC::SlotVisitor::markAuxiliary):
373         * jit/JITOperations.h:
374         * runtime/JSArrayBufferView.cpp:
375         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
376         (JSC::JSArrayBufferView::JSArrayBufferView):
377         * runtime/JSArrayBufferView.h:
378         * runtime/JSGenericTypedArrayView.h:
379         * runtime/JSGenericTypedArrayViewInlines.h:
380         (JSC::JSGenericTypedArrayView<Adaptor>::createWithFastVector):
381         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
382         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
383         (JSC::JSGenericTypedArrayView<Adaptor>::copyBackingStore): Deleted.
384
385 2016-09-08  Per Arne Vollan  <pvollan@apple.com>
386
387         [Win64] Compile fixes.
388         https://bugs.webkit.org/show_bug.cgi?id=161682
389
390         Reviewed by Brent Fulgham.
391
392         * dfg/DFGSpeculativeJIT64.cpp:
393         (JSC::DFG::SpeculativeJIT::emitCall):
394         * jit/JITCall.cpp:
395         (JSC::JIT::compileOpCall):
396         * runtime/ArrayConventions.cpp:
397         (JSC::clearArrayMemset):
398
399 2016-09-08  Per Arne Vollan  <pvollan@apple.com>
400
401         [Win] Exception fuzz tests fail
402         https://bugs.webkit.org/show_bug.cgi?id=140928
403
404         Reviewed by Mark Lam.
405
406         Flush stdout when throwing the exception to make sure the output comes before output in the exception handler.
407         The tests depend on the output to stdout being written in the correct order.
408
409         * runtime/ExceptionFuzz.cpp:
410         (JSC::doExceptionFuzzing):
411
412 2016-09-07  Simon Fraser  <simon.fraser@apple.com>
413
414         Enable the <meter> element on iOS
415         https://bugs.webkit.org/show_bug.cgi?id=161714
416         rdar://problem/8978410
417
418         Reviewed by Tim Horton.
419
420         Define ENABLE_METER_ELEMENT unconditionally now.
421
422         * Configurations/FeatureDefines.xcconfig:
423
424 2016-09-07  Joseph Pecoraro  <pecoraro@apple.com>
425
426         Modernize Debugger to use nullptr
427         https://bugs.webkit.org/show_bug.cgi?id=161718
428
429         Reviewed by Mark Lam.
430
431         * debugger/Debugger.cpp:
432         (JSC::Debugger::Debugger):
433         (JSC::Debugger::~Debugger):
434         (JSC::Debugger::detach):
435         (JSC::Debugger::stepOutOfFunction):
436         (JSC::Debugger::updateCallFrameAndPauseIfNeeded):
437         * debugger/Debugger.h:
438
439 2016-09-07  Joseph Pecoraro  <pecoraro@apple.com>
440
441         Web Inspector: Remove always false case in Debugger
442         https://bugs.webkit.org/show_bug.cgi?id=161717
443
444         Reviewed by Brian Burg.
445
446         * debugger/Debugger.cpp:
447         (JSC::Debugger::didExecuteProgram):
448         We would have earlier returned a few statements ago if this case was true.
449         And we would have crashed in the previous statement if this case was true.
450
451 2016-09-07  Yusuke Suzuki  <utatane.tea@gmail.com>
452
453         Unreviewed, build fix after r205569
454
455         Tweak CMakeLists.txt
456
457         * CMakeLists.txt:
458
459 2016-09-07  Mark Lam  <mark.lam@apple.com>
460
461         Add CatchScope and force all exception checks to be via ThrowScope or CatchScope.
462         https://bugs.webkit.org/show_bug.cgi?id=161498
463
464         Reviewed by Geoffrey Garen.
465
466         This patch refactors the ThrowScope class, and introduces a base ExceptionScope
467         that ThrowScope extends.  A CatchScope which extends the ExceptionScope is also
468         introduced.
469
470         ENABLE(THROW_SCOPE_VERIFICATION) is now renamed to ENABLE(EXCEPTION_SCOPE_VERIFICATION)
471         which is a more suitable name now.
472
473         Note: exception scope verification is still disabled by default.  There are still
474         many places that need to be fixed up or re-expressed in a way that is friendly
475         to the verification.  I'll address those in subsequent patches.
476
477         After this patch, the code will statically enforce that:
478         1. all calls to throwException() go through a ThrowScope.
479         2. all calls to clearException() go through a CatchScope.
480         3. all exception checks go through an ExceptionScope in the form of a ThrowScope
481            or CatchScope.
482
483         A Summary of how to use ExceptionScopes
484         =======================================
485         1. If a function can throw a JS exception, it should declare a ThrowScope at the
486            top of the function (as early as possible).
487
488         2. If a function can clear JS exceptions, it should declare a CatchScope at the
489            top of the function (as early as possible).
490
491         Declaring a ThrowScope in a function means that the function may throw an exception
492         that its caller will have to handle.  Declaring a CatchScope in a function means
493         that the function intends to clear pending exceptions before returning to its
494         caller. 
495
496         For more details, see the notes below.
497         
498         Everything you may want to know about ExceptionScopes
499         =====================================================
500         ExceptionScope verification works to simulate exception throws and detect cases
501         where exception checks are missing.  The notes below will cover:
502
503             1. The VM::m_needExceptionCheck bit
504             2. ThrowScopes and CatchScopes
505             3. Verification of needed exception checks
506             3. Checking Exceptions
507             4. Simulating throws
508             5. Using ThrowScope::release()
509             6. Checking exceptions with ThrowScope::exception() / CatchScope::exception()
510             7. Checking exceptions by checking callee results
511             8. Debugging verification errors
512
513         1. The VM::m_needExceptionCheck bit
514
515            The VM has a m_needExceptionCheck bit that indicates when an exception may be
516            thrown.  You can think of the m_needExceptionCheck bit being set as a simulated
517            throw.
518
519         2. ThrowScopes and CatchScopes
520
521            Only ThrowScopes may throwException.  Only CatchScopes may catchException.
522
523            Every throw site must declare a ThrowScope instance using DECLARE_THROW_SCOPE
524            at the top of its function (as early as possible) e.g.
525  
526                 void foo(...)
527                 {
528                     auto scope = DECLARE_THROW_SCOPE(vm);
529                     ...
530                     throwException(exec, scope, ...);
531                 }
532
533            Note: by convention, every throw helper function must take a ThrowScope argument
534            instead of instantiating its own ThrowScope.  This allows the throw to be
535            attributed to the client code rather than the throw helper itself.
536
537            Every catch site (i.e. a site that calls clearException()) must declare a
538            CatchScope instance using DECLARE_CATCH_SCOPE at the top of its function.
539
540            If a function can both throw or clear exceptions, then the ThrowScope should
541            be declared first so that it can simulate a throw to the function's caller.
542
543            Note: ThrowScope and CatchScope both extend ExceptionScope so that ThrowScopes
544            can be aware if there's an enclosing CatchScope between it and the point where
545            C++ code returns to JS code.  This is needed to determine if the ThrowScope
546            should simulate a re-throw or not.  See (4) below for more details on returning
547            to JS code.
548
549         3. Verification of needed exception checks
550
551            a. On construction, each ThrowScope and CatchScope will verify that
552               VM::m_needExceptionCheck is not set.
553  
554               This ensures that the caller of the current function has checked for exceptions
555               where needed before doing more work which lead to calling the current function.
556
557            b. On destruction, each ThrowScope and CatchScope will verify that
558               VM::m_needExceptionCheck is not set. This verification will be skipped if
559               the ThrowScope has been released (see (5) below).
560
561               This ensures that the function that owns this exception scope is not missing
562               any exception checks before returning.
563
564            c. When throwing an exception, the ThrowScope will verify that VM::m_needExceptionCheck
565               is not already set, unless it's been ask to rethrow the same Exception object.
566
567         4. Simulating throws
568
569            Throws are simulated by setting the m_needExceptionCheck bit.
570
571            The bit will only be set in the ThrowScope destructor except when the ThrowScope
572            detects the caller is a LLInt or JIT function.  LLInt or JIT functions will always
573            check for exceptions after a host C++ function returns to it.  However, they will
574            not clear the m_needExceptionCheck bit.
575
576            Hence, if the ThrowScope destructor detects the caller is a LLInt or JIT function,
577            it will just skip the setting of the bit.
578
579            Note: it is not needed nor correct to set the m_needExceptionCheck bit in the
580            throwException methods.  This is because, in practice, we always return
581            immediately after throwing an exception.  It doesn't make sense to set the bit in
582            the throw just to have to clear it immediately after before we do verification in
583            the ThrowScope destructor.
584
585         5. Using ThrowScope::release()
586
587            Calling release() means that the scope is released from its obligation to
588            verify the VM::m_needExceptionCheck bit on destruction.
589
590            release() should only be used at the bottom of a function if:
591
592            a. This function is going to let its caller check and handle the exception, e.g.
593
594                 void foo(...)
595                 {
596                     auto scope = DECLARE_THROW_SCOPE(vm);
597                     auto result = goo(); // may throw.
598
599                     ... // Code that will are not affected by a pending exceptions.
600
601                     scope.release(); // tell the ThrowScope that the caller will handle the exception.
602                     return result;
603                 }
604
605            b. This function is going to do a tail call that may throw.
606
607                 void foo(...)
608                 {
609                     auto scope = DECLARE_THROW_SCOPE(vm);
610                     ...
611                     scope.release(); // tell the ThrowScope that the caller will handle the exception.
612                     return goo(); // may throw.
613                 }
614
615               release() should not be used in code paths that branch. For example:
616
617                 void foo(...)
618                 {
619                     auto scope = DECLARE_THROW_SCOPE(vm);
620
621                     auto result = goo1(); // may throw.
622                     scope.release(); // WRONG !!! Don't do this.
623                     if (result)
624                         return;
625
626                     result = goo2(); // may throw.
627                     ...
628                     return result;
629                 }
630
631             The above will result in a verification error in goo2()'s ThrowScope.  The
632             proper way to fix this verification is to do either (6) or (7) below.
633
634          6. Checking exceptions with ThrowScope::exception() / CatchScope::exception()
635
636             ThrowScope/CatchScope::exception() returns the thrown Exception object if
637             there is one pending.  Else, it returns nullptr.
638
639             It also clears the m_needExceptionCheck bit thereby indicating that we've
640             satisfied the needed exception check.  For example,
641
642                 void foo(...)
643                 {
644                     auto scope = DECLARE_THROW_SCOPE(vm);
645
646                     auto result = goo1(); // may throw.
647                     if (scope.exception())
648                         return;
649
650                     result = goo2(); // may throw.
651                     ...
652                     return result;
653                 }
654
655             But sometimes, for optimization reasons, we may choose to test the result of
656             the callee function instead doing a load of the VM exception value.  See (7)
657             below.
658
659          7. Checking exceptions by checking callee results
660
661             This approach should only be applied when it makes a difference to performance.
662             If we need to do this, we should add an ASSERT() that invokes the scope's
663             exception() method to verify the result.  Since exception scope verification
664             is only done on DEBUG builds, this ASSERT will satisfy the verification
665             requirements without impacting performance.  For example,
666
667                 void foo(...)
668                 {
669                     auto scope = DECLARE_THROW_SCOPE(vm);
670
671                     bool failed = goo1(); // may throw.
672                     ASSERT(!!scope.exception() == failed)
673                     if (failed)
674                         return;
675
676                     result = goo2(); // may throw.
677                     ...
678                     return result;
679                 }
680
681          8. Debugging verification errors
682
683             a. When verification fails, you will see a message followed by an assertion
684                failure.  For example:
685
686             ERROR: Unchecked JS exception:
687                 This scope can throw a JS exception: setUpCall @ /Volumes/Data/ws6/OpenSource/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1245
688                     (ExceptionScope::m_recursionDepth was ...)
689                 But the exception was unchecked as of this scope: varargsSetup @ /Volumes/Data/ws6/OpenSource/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1398
690                     (ExceptionScope::m_recursionDepth was ...)
691                 [ backtrace here ]
692
693                The message tells you that failure was detected at in varargsSetup() at
694                LLIntSlowPaths.cpp line 1398, and that the missing exception check should
695                have happened somewhere between the call to setUpCall() at LLIntSlowPaths.cpp
696                line 1245 and it.
697
698                If that is insufficient information, you can ...
699
700             b. Dump simulated throws
701
702                Re-run the test case with JSC_dumpSimulatedThrows=true.  You will also see
703                back traces at each simulated throw.
704
705             c. Narrowing down the source of a simulated throw
706
707                Another technique for narrowing down the source of simulated throws is by
708                further dividing a function to smaller regions by separating each region
709                with additional local throw scopes.  For example,
710
711                 ... // Region 1
712                 { auto scope = DECLARE_THROW_SCOPE(vm); }
713                 ... // Region 2
714                 { auto scope = DECLARE_THROW_SCOPE(vm); }
715                 ... // Region 3
716
717         * API/APIUtils.h:
718         (handleExceptionIfNeeded):
719         * CMakeLists.txt:
720         * JavaScriptCore.xcodeproj/project.pbxproj:
721         * bindings/ScriptFunctionCall.cpp:
722         (Deprecated::ScriptFunctionCall::call):
723         * bindings/ScriptValue.cpp:
724         (Deprecated::ScriptValue::toString):
725         * debugger/Debugger.cpp:
726         (JSC::Debugger::pauseIfNeeded):
727         * debugger/DebuggerCallFrame.cpp:
728         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
729         * dfg/DFGOSRExitCompiler.cpp:
730         * dfg/DFGOperations.cpp:
731         (JSC::DFG::operationPutByValInternal):
732         * inspector/InjectedScriptManager.cpp:
733         (Inspector::InjectedScriptManager::createInjectedScript):
734         * inspector/JSGlobalObjectInspectorController.cpp:
735         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
736         * inspector/JSInjectedScriptHost.cpp:
737         (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
738         (Inspector::JSInjectedScriptHost::getInternalProperties):
739         (Inspector::JSInjectedScriptHost::weakMapEntries):
740         (Inspector::JSInjectedScriptHost::weakSetEntries):
741         (Inspector::JSInjectedScriptHost::iteratorEntries):
742         * inspector/JSJavaScriptCallFrame.cpp:
743         (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
744         * inspector/ScriptCallStackFactory.cpp:
745         (Inspector::extractSourceInformationFromException):
746         * interpreter/CachedCall.h:
747         (JSC::CachedCall::CachedCall):
748         * interpreter/CallFrame.h:
749         (JSC::ExecState::clearException): Deleted.
750         (JSC::ExecState::exception): Deleted.
751         (JSC::ExecState::hadException): Deleted.
752         (JSC::ExecState::lastException): Deleted.
753         (JSC::ExecState::clearLastException): Deleted.
754         * interpreter/Interpreter.cpp:
755         (JSC::eval):
756         (JSC::sizeOfVarargs):
757         (JSC::notifyDebuggerOfUnwinding):
758         (JSC::Interpreter::unwind):
759         (JSC::Interpreter::execute):
760         (JSC::Interpreter::executeCall):
761         (JSC::Interpreter::executeConstruct):
762         (JSC::Interpreter::prepareForRepeatCall):
763         (JSC::Interpreter::debug):
764         * interpreter/Interpreter.h:
765         (JSC::SuspendExceptionScope::SuspendExceptionScope):
766         * interpreter/ShadowChicken.cpp:
767         (JSC::ShadowChicken::functionsOnStack):
768         * jit/JITCode.cpp:
769         (JSC::JITCode::execute):
770         * jit/JITExceptions.cpp:
771         (JSC::genericUnwind):
772         * jit/JITOperations.cpp:
773         (JSC::getByVal):
774         * jsc.cpp:
775         (WTF::ImpureGetter::getOwnPropertySlot):
776         (GlobalObject::moduleLoaderResolve):
777         (GlobalObject::moduleLoaderFetch):
778         (functionCreateElement):
779         (functionRun):
780         (functionRunString):
781         (functionLoad):
782         (functionLoadString):
783         (functionReadFile):
784         (functionCheckSyntax):
785         (functionSetRandomSeed):
786         (functionLoadModule):
787         (functionCreateBuiltin):
788         (functionCheckModuleSyntax):
789         (functionGenerateHeapSnapshot):
790         (functionSamplingProfilerStackTraces):
791         (dumpException):
792         (checkUncaughtException):
793         (runWithScripts):
794         (runInteractive):
795         * llint/LLIntExceptions.cpp:
796         (JSC::LLInt::returnToThrow):
797         (JSC::LLInt::callToThrow):
798         * llint/LLIntSlowPaths.cpp:
799         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
800         * profiler/ProfilerBytecodeSequence.cpp:
801         (JSC::Profiler::BytecodeSequence::addSequenceProperties):
802         * profiler/ProfilerCompilation.cpp:
803         (JSC::Profiler::Compilation::toJS):
804         * profiler/ProfilerDatabase.cpp:
805         (JSC::Profiler::Database::toJS):
806         * profiler/ProfilerOSRExitSite.cpp:
807         (JSC::Profiler::OSRExitSite::toJS):
808         * profiler/ProfilerOriginStack.cpp:
809         (JSC::Profiler::OriginStack::toJS):
810         * runtime/ArrayPrototype.cpp:
811         (JSC::speciesConstructArray):
812         (JSC::shift):
813         (JSC::unshift):
814         (JSC::arrayProtoFuncToString):
815         (JSC::arrayProtoFuncToLocaleString):
816         (JSC::slowJoin):
817         (JSC::fastJoin):
818         (JSC::arrayProtoFuncJoin):
819         (JSC::arrayProtoFuncPop):
820         (JSC::arrayProtoFuncPush):
821         (JSC::arrayProtoFuncReverse):
822         (JSC::arrayProtoFuncShift):
823         (JSC::arrayProtoFuncSlice):
824         (JSC::arrayProtoFuncSplice):
825         (JSC::arrayProtoFuncUnShift):
826         (JSC::arrayProtoFuncIndexOf):
827         (JSC::arrayProtoFuncLastIndexOf):
828         (JSC::moveElements):
829         (JSC::concatAppendOne):
830         (JSC::arrayProtoPrivateFuncConcatMemcpy):
831         * runtime/BooleanConstructor.cpp:
832         (JSC::constructWithBooleanConstructor):
833         * runtime/CallData.cpp:
834         (JSC::call):
835         * runtime/CatchScope.cpp: Added.
836         (JSC::CatchScope::CatchScope):
837         (JSC::CatchScope::~CatchScope):
838         * runtime/CatchScope.h: Added.
839         (JSC::CatchScope::clearException):
840         (JSC::CatchScope::CatchScope):
841         * runtime/CommonSlowPaths.cpp:
842         (JSC::SLOW_PATH_DECL):
843         * runtime/CommonSlowPaths.h:
844         (JSC::CommonSlowPaths::opIn):
845         * runtime/CommonSlowPathsExceptions.cpp:
846         (JSC::CommonSlowPaths::interpreterThrowInCaller):
847         * runtime/Completion.cpp:
848         (JSC::evaluate):
849         (JSC::rejectPromise):
850         (JSC::loadAndEvaluateModule):
851         (JSC::loadModule):
852         * runtime/ConsoleObject.cpp:
853         (JSC::consoleProtoFuncAssert):
854         (JSC::consoleProtoFuncProfile):
855         (JSC::consoleProtoFuncProfileEnd):
856         (JSC::consoleProtoFuncTakeHeapSnapshot):
857         (JSC::consoleProtoFuncTime):
858         (JSC::consoleProtoFuncTimeEnd):
859         * runtime/DateConstructor.cpp:
860         (JSC::constructDate):
861         (JSC::dateParse):
862         * runtime/DatePrototype.cpp:
863         (JSC::dateProtoFuncToPrimitiveSymbol):
864         (JSC::dateProtoFuncToJSON):
865         * runtime/ErrorConstructor.cpp:
866         (JSC::Interpreter::constructWithErrorConstructor):
867         * runtime/ErrorInstance.cpp:
868         (JSC::ErrorInstance::sanitizedToString):
869         * runtime/ErrorPrototype.cpp:
870         (JSC::errorProtoFuncToString):
871         * runtime/ExceptionEventLocation.cpp: Added.
872         (WTF::printInternal):
873         * runtime/ExceptionEventLocation.h: Copied from Source/JavaScriptCore/runtime/ThrowScopeLocation.h.
874         (JSC::ExceptionEventLocation::ExceptionEventLocation):
875         (JSC::ThrowScopeLocation::ThrowScopeLocation): Deleted.
876         * runtime/ExceptionHelpers.h:
877         * runtime/ExceptionScope.cpp: Added.
878         (JSC::ExceptionScope::ExceptionScope):
879         (JSC::ExceptionScope::~ExceptionScope):
880         * runtime/ExceptionScope.h: Added.
881         (JSC::ExceptionScope::vm):
882         (JSC::ExceptionScope::recursionDepth):
883         (JSC::ExceptionScope::exception):
884         (JSC::ExceptionScope::ExceptionScope):
885         * runtime/FunctionConstructor.cpp:
886         (JSC::constructFunctionSkippingEvalEnabledCheck):
887         * runtime/FunctionPrototype.cpp:
888         (JSC::functionProtoFuncBind):
889         * runtime/GenericArgumentsInlines.h:
890         (JSC::GenericArguments<Type>::copyToArguments):
891         * runtime/GetterSetter.cpp:
892         (JSC::callGetter):
893         * runtime/InspectorInstrumentationObject.cpp:
894         (JSC::inspectorInstrumentationObjectLog):
895         * runtime/InternalFunction.cpp:
896         (JSC::InternalFunction::createSubclassStructure):
897         * runtime/IntlCollator.cpp:
898         (JSC::IntlCollator::initializeCollator):
899         (JSC::IntlCollator::createCollator):
900         (JSC::IntlCollator::resolvedOptions):
901         * runtime/IntlCollatorConstructor.cpp:
902         (JSC::constructIntlCollator):
903         (JSC::IntlCollatorConstructorFuncSupportedLocalesOf):
904         * runtime/IntlCollatorPrototype.cpp:
905         (JSC::IntlCollatorFuncCompare):
906         (JSC::IntlCollatorPrototypeGetterCompare):
907         * runtime/IntlDateTimeFormat.cpp:
908         (JSC::toDateTimeOptionsAnyDate):
909         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
910         (JSC::IntlDateTimeFormat::resolvedOptions):
911         (JSC::IntlDateTimeFormat::format):
912         * runtime/IntlDateTimeFormatConstructor.cpp:
913         (JSC::constructIntlDateTimeFormat):
914         (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf):
915         * runtime/IntlDateTimeFormatPrototype.cpp:
916         (JSC::IntlDateTimeFormatFuncFormatDateTime):
917         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
918         * runtime/IntlNumberFormat.cpp:
919         (JSC::IntlNumberFormat::initializeNumberFormat):
920         (JSC::IntlNumberFormat::createNumberFormat):
921         (JSC::IntlNumberFormat::resolvedOptions):
922         * runtime/IntlNumberFormatConstructor.cpp:
923         (JSC::constructIntlNumberFormat):
924         (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf):
925         * runtime/IntlNumberFormatPrototype.cpp:
926         (JSC::IntlNumberFormatFuncFormatNumber):
927         (JSC::IntlNumberFormatPrototypeGetterFormat):
928         * runtime/IntlObject.cpp:
929         (JSC::intlBooleanOption):
930         (JSC::intlStringOption):
931         (JSC::intlNumberOption):
932         (JSC::canonicalizeLocaleList):
933         (JSC::supportedLocales):
934         * runtime/IntlObjectInlines.h:
935         (JSC::constructIntlInstanceWithWorkaroundForLegacyIntlConstructor):
936         * runtime/IteratorOperations.cpp:
937         (JSC::iteratorNext):
938         (JSC::iteratorStep):
939         (JSC::iteratorClose):
940         (JSC::iteratorForIterable):
941         * runtime/IteratorOperations.h:
942         (JSC::forEachInIterable):
943         * runtime/JSArray.cpp:
944         (JSC::JSArray::pop):
945         (JSC::JSArray::push):
946         (JSC::JSArray::copyToArguments):
947         * runtime/JSArrayBufferConstructor.cpp:
948         (JSC::constructArrayBuffer):
949         * runtime/JSArrayBufferPrototype.cpp:
950         (JSC::arrayBufferProtoFuncSlice):
951         * runtime/JSArrayInlines.h:
952         (JSC::getLength):
953         (JSC::toLength):
954         * runtime/JSBoundFunction.cpp:
955         (JSC::getBoundFunctionStructure):
956         (JSC::JSBoundFunction::create):
957         * runtime/JSCJSValue.cpp:
958         (JSC::JSValue::putToPrimitive):
959         (JSC::JSValue::putToPrimitiveByIndex):
960         (JSC::JSValue::toStringSlowCase):
961         * runtime/JSCJSValueInlines.h:
962         (JSC::toPreferredPrimitiveType):
963         (JSC::JSValue::getPropertySlot):
964         (JSC::JSValue::equalSlowCaseInline):
965         * runtime/JSDataViewPrototype.cpp:
966         (JSC::getData):
967         (JSC::setData):
968         * runtime/JSFunction.cpp:
969         (JSC::JSFunction::setFunctionName):
970         * runtime/JSGenericTypedArrayView.h:
971         (JSC::JSGenericTypedArrayView::setIndex):
972         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
973         (JSC::constructGenericTypedArrayViewFromIterator):
974         (JSC::constructGenericTypedArrayViewWithArguments):
975         (JSC::constructGenericTypedArrayView):
976         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
977         (JSC::speciesConstruct):
978         (JSC::genericTypedArrayViewProtoFuncCopyWithin):
979         (JSC::genericTypedArrayViewProtoFuncIncludes):
980         (JSC::genericTypedArrayViewProtoFuncIndexOf):
981         (JSC::genericTypedArrayViewProtoFuncJoin):
982         (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
983         (JSC::genericTypedArrayViewProtoFuncSlice):
984         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
985         * runtime/JSGlobalObject.h:
986         (JSC::constructEmptyArray):
987         (JSC::constructArray):
988         (JSC::constructArrayNegativeIndexed):
989         * runtime/JSGlobalObjectFunctions.cpp:
990         (JSC::globalFuncEval):
991         * runtime/JSJob.cpp:
992         (JSC::JSJobMicrotask::run):
993         * runtime/JSModuleEnvironment.cpp:
994         (JSC::JSModuleEnvironment::getOwnPropertySlot):
995         * runtime/JSModuleLoader.cpp:
996         (JSC::JSModuleLoader::fetch):
997         * runtime/JSModuleNamespaceObject.cpp:
998         (JSC::JSModuleNamespaceObject::finishCreation):
999         (JSC::JSModuleNamespaceObject::getOwnPropertySlot):
1000         * runtime/JSModuleRecord.cpp:
1001         (JSC::JSModuleRecord::instantiateDeclarations):
1002         * runtime/JSONObject.cpp:
1003         (JSC::Stringifier::Stringifier):
1004         (JSC::Stringifier::stringify):
1005         (JSC::Stringifier::toJSON):
1006         (JSC::Stringifier::appendStringifiedValue):
1007         (JSC::Stringifier::Holder::appendNextProperty):
1008         (JSC::Walker::walk):
1009         (JSC::JSONProtoFuncParse):
1010         * runtime/JSObject.cpp:
1011         (JSC::ordinarySetSlow):
1012         (JSC::JSObject::setPrototypeWithCycleCheck):
1013         (JSC::callToPrimitiveFunction):
1014         (JSC::JSObject::ordinaryToPrimitive):
1015         (JSC::JSObject::defaultHasInstance):
1016         (JSC::JSObject::getPropertyNames):
1017         (JSC::JSObject::toNumber):
1018         (JSC::JSObject::toString):
1019         (JSC::JSObject::defineOwnNonIndexProperty):
1020         (JSC::JSObject::getGenericPropertyNames):
1021         (JSC::JSObject::getMethod):
1022         * runtime/JSObjectInlines.h:
1023         (JSC::createListFromArrayLike):
1024         (JSC::JSObject::getPropertySlot):
1025         (JSC::JSObject::getNonIndexPropertySlot):
1026         * runtime/JSPromiseConstructor.cpp:
1027         (JSC::constructPromise):
1028         * runtime/JSPropertyNameEnumerator.h:
1029         (JSC::propertyNameEnumerator):
1030         * runtime/JSPropertyNameIterator.cpp:
1031         (JSC::JSPropertyNameIterator::create):
1032         * runtime/JSScope.cpp:
1033         (JSC::isUnscopable):
1034         (JSC::JSScope::resolve):
1035         * runtime/JSString.cpp:
1036         (JSC::JSString::equalSlowCase):
1037         * runtime/JSStringJoiner.cpp:
1038         (JSC::JSStringJoiner::join):
1039         * runtime/LiteralParser.cpp:
1040         (JSC::LiteralParser<CharType>::parse):
1041         * runtime/MapConstructor.cpp:
1042         (JSC::constructMap):
1043         * runtime/MathObject.cpp:
1044         (JSC::mathProtoFuncClz32):
1045         (JSC::mathProtoFuncHypot):
1046         (JSC::mathProtoFuncIMul):
1047         * runtime/ModuleLoaderPrototype.cpp:
1048         (JSC::moduleLoaderPrototypeParseModule):
1049         (JSC::moduleLoaderPrototypeRequestedModules):
1050         (JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
1051         * runtime/NativeErrorConstructor.cpp:
1052         (JSC::Interpreter::constructWithNativeErrorConstructor):
1053         * runtime/NumberConstructor.cpp:
1054         (JSC::constructWithNumberConstructor):
1055         * runtime/ObjectConstructor.cpp:
1056         (JSC::constructObject):
1057         (JSC::objectConstructorGetPrototypeOf):
1058         (JSC::objectConstructorSetPrototypeOf):
1059         (JSC::objectConstructorGetOwnPropertyDescriptor):
1060         (JSC::objectConstructorGetOwnPropertyDescriptors):
1061         (JSC::objectConstructorGetOwnPropertyNames):
1062         (JSC::objectConstructorGetOwnPropertySymbols):
1063         (JSC::objectConstructorKeys):
1064         (JSC::ownEnumerablePropertyKeys):
1065         (JSC::toPropertyDescriptor):
1066         (JSC::objectConstructorDefineProperty):
1067         (JSC::defineProperties):
1068         (JSC::objectConstructorSeal):
1069         (JSC::objectConstructorFreeze):
1070         (JSC::objectConstructorIsSealed):
1071         (JSC::objectConstructorIsFrozen):
1072         (JSC::objectConstructorIsExtensible):
1073         (JSC::ownPropertyKeys):
1074         * runtime/ObjectConstructor.h:
1075         (JSC::constructObjectFromPropertyDescriptor):
1076         * runtime/ObjectPrototype.cpp:
1077         (JSC::objectProtoFuncHasOwnProperty):
1078         (JSC::objectProtoFuncIsPrototypeOf):
1079         (JSC::objectProtoFuncDefineGetter):
1080         (JSC::objectProtoFuncDefineSetter):
1081         (JSC::objectProtoFuncLookupGetter):
1082         (JSC::objectProtoFuncLookupSetter):
1083         (JSC::objectProtoFuncPropertyIsEnumerable):
1084         (JSC::objectProtoFuncToLocaleString):
1085         (JSC::objectProtoFuncToString):
1086         * runtime/Operations.cpp:
1087         (JSC::jsAddSlowCase):
1088         * runtime/Options.h:
1089         * runtime/PropertyDescriptor.cpp:
1090         (JSC::PropertyDescriptor::slowGetterSetter):
1091         * runtime/ProxyConstructor.cpp:
1092         (JSC::makeRevocableProxy):
1093         * runtime/ProxyObject.cpp:
1094         (JSC::ProxyObject::toStringName):
1095         (JSC::performProxyGet):
1096         (JSC::ProxyObject::performGet):
1097         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1098         (JSC::ProxyObject::performHasProperty):
1099         (JSC::ProxyObject::performPut):
1100         (JSC::ProxyObject::putByIndexCommon):
1101         (JSC::performProxyCall):
1102         (JSC::performProxyConstruct):
1103         (JSC::ProxyObject::performDelete):
1104         (JSC::ProxyObject::performPreventExtensions):
1105         (JSC::ProxyObject::performIsExtensible):
1106         (JSC::ProxyObject::performDefineOwnProperty):
1107         (JSC::ProxyObject::performGetOwnPropertyNames):
1108         (JSC::ProxyObject::performSetPrototype):
1109         (JSC::ProxyObject::performGetPrototype):
1110         * runtime/ReflectObject.cpp:
1111         (JSC::reflectObjectConstruct):
1112         (JSC::reflectObjectDefineProperty):
1113         (JSC::reflectObjectGet):
1114         (JSC::reflectObjectGetOwnPropertyDescriptor):
1115         (JSC::reflectObjectIsExtensible):
1116         (JSC::reflectObjectPreventExtensions):
1117         (JSC::reflectObjectSet):
1118         (JSC::reflectObjectSetPrototypeOf):
1119         * runtime/RegExpConstructor.cpp:
1120         (JSC::toFlags):
1121         (JSC::regExpCreate):
1122         (JSC::constructRegExp):
1123         * runtime/RegExpConstructor.h:
1124         (JSC::isRegExp):
1125         * runtime/RegExpObject.cpp:
1126         (JSC::collectMatches):
1127         (JSC::RegExpObject::matchGlobal):
1128         * runtime/RegExpPrototype.cpp:
1129         (JSC::regExpProtoFuncCompile):
1130         (JSC::flagsString):
1131         (JSC::regExpProtoFuncToString):
1132         (JSC::regExpProtoGetterFlags):
1133         (JSC::regExpProtoFuncSearchFast):
1134         (JSC::regExpProtoFuncSplitFast):
1135         * runtime/SetConstructor.cpp:
1136         (JSC::constructSet):
1137         * runtime/StringConstructor.cpp:
1138         (JSC::stringFromCodePoint):
1139         (JSC::constructWithStringConstructor):
1140         * runtime/StringObject.cpp:
1141         (JSC::StringObject::defineOwnProperty):
1142         * runtime/StringPrototype.cpp:
1143         (JSC::replaceUsingRegExpSearch):
1144         (JSC::operationStringProtoFuncReplaceRegExpEmptyStr):
1145         (JSC::replaceUsingStringSearch):
1146         (JSC::replace):
1147         (JSC::stringProtoFuncReplaceUsingRegExp):
1148         (JSC::stringProtoFuncReplaceUsingStringSearch):
1149         (JSC::stringProtoFuncCodePointAt):
1150         (JSC::stringProtoFuncSlice):
1151         (JSC::stringProtoFuncSplitFast):
1152         (JSC::stringProtoFuncSubstr):
1153         (JSC::stringProtoFuncSubstring):
1154         (JSC::stringProtoFuncLocaleCompare):
1155         (JSC::toLocaleCase):
1156         (JSC::stringProtoFuncBig):
1157         (JSC::stringProtoFuncSmall):
1158         (JSC::stringProtoFuncBlink):
1159         (JSC::stringProtoFuncBold):
1160         (JSC::stringProtoFuncFixed):
1161         (JSC::stringProtoFuncItalics):
1162         (JSC::stringProtoFuncStrike):
1163         (JSC::stringProtoFuncSub):
1164         (JSC::stringProtoFuncSup):
1165         (JSC::stringProtoFuncFontcolor):
1166         (JSC::stringProtoFuncFontsize):
1167         (JSC::stringProtoFuncAnchor):
1168         (JSC::stringProtoFuncLink):
1169         (JSC::trimString):
1170         (JSC::stringProtoFuncStartsWith):
1171         (JSC::stringProtoFuncEndsWith):
1172         (JSC::stringIncludesImpl):
1173         (JSC::stringProtoFuncIncludes):
1174         (JSC::builtinStringIncludesInternal):
1175         (JSC::stringProtoFuncNormalize):
1176         * runtime/SymbolConstructor.cpp:
1177         (JSC::symbolConstructorFor):
1178         * runtime/TemplateRegistry.cpp:
1179         (JSC::TemplateRegistry::getTemplateObject):
1180         * runtime/ThrowScope.cpp:
1181         (JSC::ThrowScope::ThrowScope):
1182         (JSC::ThrowScope::~ThrowScope):
1183         (JSC::ThrowScope::throwException):
1184         (JSC::ThrowScope::simulateThrow):
1185         (JSC::ThrowScope::printIfNeedCheck): Deleted.
1186         (JSC::ThrowScope::verifyExceptionCheckNeedIsSatisfied): Deleted.
1187         * runtime/ThrowScope.h:
1188         (JSC::ThrowScope::release):
1189         (JSC::ThrowScope::ThrowScope):
1190         (JSC::ThrowScope::throwException):
1191         (JSC::ThrowScope::vm): Deleted.
1192         (JSC::ThrowScope::exception): Deleted.
1193         * runtime/ThrowScopeLocation.h: Removed.
1194         * runtime/VM.cpp:
1195         (JSC::VM::verifyExceptionCheckNeedIsSatisfied):
1196         * runtime/VM.h:
1197         (JSC::VM::exception):
1198         (JSC::VM::clearException):
1199         (JSC::VM::setException): Deleted.
1200         * runtime/WeakMapConstructor.cpp:
1201         (JSC::constructWeakMap):
1202         * runtime/WeakSetConstructor.cpp:
1203         (JSC::constructWeakSet):
1204         * tools/JSDollarVMPrototype.cpp:
1205         (JSC::functionPrint):
1206
1207 2016-09-07  Andy VanWagoner  <thetalecrafter@gmail.com>
1208
1209         [INTL] some valid language tags cause errors in Intl constructors
1210         https://bugs.webkit.org/show_bug.cgi?id=161672
1211
1212         Reviewed by Mark Lam.
1213
1214         Fix private use tag parsing to match spec, allowing single character parts.
1215         https://www.rfc-editor.org/rfc/bcp/bcp47.txt
1216
1217         ```
1218         privateuse    = "x" 1*("-" (1*8alphanum))
1219         ```
1220
1221         * runtime/IntlObject.cpp:
1222         (JSC::privateUseLangTag): Allow singleton parts in private use tag.
1223
1224 2016-09-07  Benjamin Poulain  <bpoulain@apple.com>
1225
1226         [JSC] Remove a couple of useless forward declaration
1227         https://bugs.webkit.org/show_bug.cgi?id=161676
1228
1229         Reviewed by Mark Lam.
1230
1231         JITMathICForwards.h should take care of declarating the Math ICs.
1232
1233         * bytecode/CodeBlock.h:
1234         * jit/JITOperations.h:
1235
1236 2016-09-07  Filip Pizlo  <fpizlo@apple.com>
1237
1238         Make emitAllocateWithNonNullAllocator's sub32() disallow-scratch-friendly
1239         https://bugs.webkit.org/show_bug.cgi?id=161706
1240
1241         Reviewed by Geoffrey Garen.
1242         
1243         You can't sub32(Addr, Reg) on not-x86 without using a scratch register. So, on those CPUs, we
1244         have to do something different.
1245
1246         * jit/AssemblyHelpers.h:
1247         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
1248
1249 2016-09-07  Michael Catanzaro  <mcatanzaro@igalia.com>
1250
1251         Unreviewed CMake build fix after r205552
1252
1253         * CMakeLists.txt:
1254
1255 2016-09-03  Keith Miller  <keith_miller@apple.com>
1256
1257         Add support for WASM Loops and Branches
1258         https://bugs.webkit.org/show_bug.cgi?id=161569
1259
1260         Reviewed by Benjamin Poulain.
1261
1262         This patch adds support for loops and branches to WASM. In order
1263         to support loops, we needed to change the way the B3IRGenerator
1264         tracked control information. Now, the control data holds three
1265         pieces of information: The continuation block, the loop branch
1266         target, and variables exiting the block. Whenever we branch to
1267         some control point we first check if it is a loop by checking that
1268         the loop branch target is non-null. If the branch is not targeting
1269         a loop, we map the stack values to the associated B3 variables for
1270         that stack slot.
1271
1272         Another interesting thing of note is that we now only allocate the
1273         continuation basic block lazily. This is beneficial when the
1274         continuation would just fall through to another block anyway. For
1275         example, in code like: (block ... (block (add 1 2) end) end) the
1276         continuation for the inner block just falls through to the outer
1277         block's continuation so we don't need an extra block.
1278
1279         * B3CallingConventions.cpp:
1280         (JSC::B3::jscCallingConvention): Deleted.
1281         * B3CallingConventions.h:
1282         (JSC::B3::CallingConvention::CallingConvention): Deleted.
1283         (JSC::B3::CallingConvention::iterate): Deleted.
1284         (JSC::B3::nextJSCOffset): Deleted.
1285         * JavaScriptCore.xcodeproj/project.pbxproj:
1286         * b3/B3Type.h:
1287         * testWASM.cpp:
1288         (runWASMTests):
1289         * wasm/WASMB3IRGenerator.cpp:
1290         (JSC::WASM::B3IRGenerator::LazyBlock::LazyBlock):
1291         (JSC::WASM::B3IRGenerator::LazyBlock::operator bool):
1292         (JSC::WASM::B3IRGenerator::LazyBlock::get):
1293         (JSC::WASM::B3IRGenerator::LazyBlock::dump):
1294         (JSC::WASM::B3IRGenerator::ControlData::ControlData):
1295         (JSC::WASM::B3IRGenerator::ControlData::dump):
1296         (JSC::WASM::B3IRGenerator::ControlData::targetBlockForBranch):
1297         (JSC::WASM::B3IRGenerator::ControlData::isLoop):
1298         (JSC::WASM::B3IRGenerator::addLocal):
1299         (JSC::WASM::B3IRGenerator::addArguments):
1300         (JSC::WASM::B3IRGenerator::setLocal):
1301         (JSC::WASM::B3IRGenerator::addBlock):
1302         (JSC::WASM::B3IRGenerator::addLoop):
1303         (JSC::WASM::B3IRGenerator::endBlock):
1304         (JSC::WASM::B3IRGenerator::addReturn):
1305         (JSC::WASM::B3IRGenerator::addBranch):
1306         (JSC::WASM::B3IRGenerator::initializeIncommingTypes):
1307         (JSC::WASM::B3IRGenerator::unifyValuesWithBlock):
1308         (JSC::WASM::B3IRGenerator::controlDataForLevel):
1309         (JSC::WASM::B3IRGenerator::dumpGraphAndControlStack):
1310         (JSC::WASM::parseAndCompile):
1311         (JSC::WASM::B3IRGenerator::unifyValuesWithLevel): Deleted.
1312         (JSC::WASM::B3IRGenerator::stackForControlLevel): Deleted.
1313         (JSC::WASM::B3IRGenerator::blockForControlLevel): Deleted.
1314         * wasm/WASMCallingConvention.cpp: Renamed from Source/JavaScriptCore/B3CallingConventions.cpp.
1315         (JSC::WASM::jscCallingConvention):
1316         * wasm/WASMCallingConvention.h: Renamed from Source/JavaScriptCore/B3CallingConventions.h.
1317         (JSC::WASM::CallingConvention::CallingConvention):
1318         (JSC::WASM::CallingConvention::iterate):
1319         (JSC::WASM::nextJSCOffset):
1320         * wasm/WASMFormat.h:
1321         (JSC::WASM::toB3Type):
1322         (JSC::WASM::isValueType):
1323         * wasm/WASMFunctionParser.h:
1324         (JSC::WASM::FunctionParser<Context>::parse):
1325         (JSC::WASM::FunctionParser<Context>::parseExpression):
1326         * wasm/WASMModuleParser.cpp:
1327         (JSC::WASM::ModuleParser::parseFunctionTypes):
1328         * wasm/WASMOps.h:
1329
1330 2016-09-07  Youenn Fablet  <youenn@apple.com>
1331
1332         [Streams API] Separate compile flag for ReadableStream and WritableStream
1333         https://bugs.webkit.org/show_bug.cgi?id=161044
1334
1335         Reviewed by Alex Christensen.
1336
1337         Moving from STREAMS_API to READABLE_STREAM_API and WRITABLE_STREAM_API compilation flags.
1338         Updated builtin test to cover the case of @conditional taking ENABLE(XX) || ENABLE(YY) flag.
1339
1340         * Configurations/FeatureDefines.xcconfig:
1341         * Scripts/tests/builtins/WebCore-GuardedInternalBuiltin-Separate.js:
1342         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
1343         * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
1344
1345 2016-09-07  Csaba Osztrogon√°c  <ossy@webkit.org>
1346
1347         Fix the ENABLE(WEBASSEMBLY) build on Linux
1348         https://bugs.webkit.org/show_bug.cgi?id=161685
1349
1350         Unreviewed buildfix.
1351
1352         * wasm/JSWASMModule.cpp:
1353
1354 2016-09-06  Saam Barati  <sbarati@apple.com>
1355
1356         ProxyObject's structure should not have ObjectPrototype as its prototype and it should not have special behavior for intercepting "__proto__"
1357         https://bugs.webkit.org/show_bug.cgi?id=161558
1358
1359         Reviewed by Benjamin Poulain.
1360
1361         ProxyObject had ObjectPrototype as its direct prototype.
1362         This could lead to infinite loops when doing a getDirectPrototype()
1363         loop.
1364
1365         Fixing this bug revealed another bug, which I made when implementing Proxy.
1366         We should not special case "__proto__" in get and set for Proxy Object's
1367         hooks. "__proto__" should just go through the normal set and get path.
1368
1369         * runtime/JSGlobalObject.cpp:
1370         (JSC::JSGlobalObject::init):
1371         * runtime/ProxyObject.cpp:
1372         (JSC::performProxyGet):
1373         (JSC::ProxyObject::put):
1374
1375 2016-09-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1376
1377         Make JSC::PrivateName copyable
1378         https://bugs.webkit.org/show_bug.cgi?id=161666
1379
1380         Reviewed by Ryosuke Niwa.
1381
1382         Define the custom copy constructor to make PrivateName copyable while using Ref<SymbolImpl>.
1383         And since the custom copy constructor deletes the default move constructor, we explcitly define
1384         it by `= default;`.
1385
1386         * runtime/PrivateName.h:
1387         (JSC::PrivateName::PrivateName):
1388
1389 2016-09-06  Daniel Bates  <dabates@apple.com>
1390
1391         [iOS] Build fails in JSCLLIntOffsetsExtractor - Ad Hoc code signing is not allowed with SDK 'Simulator - iOS 10.0'
1392         https://bugs.webkit.org/show_bug.cgi?id=161296
1393
1394         Reviewed by Dan Bernstein.
1395
1396         Allow ad-hoc code signing when building JavaScriptCore command line tools for simulator
1397         with the iOS 10 beta SDK.
1398
1399         * Configurations/Base.xcconfig:
1400
1401 2016-09-06  Saam Barati  <sbarati@apple.com>
1402
1403         Unreviewed build fix for 32-bit platforms after r205520.
1404
1405         * dfg/DFGSpeculativeJIT.h:
1406         (JSC::DFG::SpeculativeJIT::callOperation): Deleted.
1407
1408 2016-09-06  Saam Barati  <sbarati@apple.com>
1409
1410         Member call on NULL pointer in JavaScriptCore/dfg/DFGAbstractInterpretterInlines.h
1411         https://bugs.webkit.org/show_bug.cgi?id=160870
1412
1413         Reviewed by Darin Adler.
1414
1415         Credit goes to Jonathan Bedard for finding this bug using the undefined
1416         behavior sanitizer.
1417
1418         The rule for MaterializeNewObject inside AI was assuming that the graph
1419         is in SSA form. This used to be true when MaterializeNewObject was only
1420         inserted by the allocation sinking phase. However, Filip added more uses
1421         of MaterializeNewObject in his RegExp constant folding patch. This fixes
1422         the bug by using the structure set inside the Node's OpInfo rather than
1423         generating it from m_phiChildren inside AI.
1424
1425         * dfg/DFGAbstractInterpreterInlines.h:
1426         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1427
1428 2016-09-06  Saam Barati  <sbarati@apple.com>
1429
1430         Make JSMap and JSSet faster
1431         https://bugs.webkit.org/show_bug.cgi?id=160989
1432
1433         Reviewed by Filip Pizlo.
1434
1435         This patch revamps how we implement Map and Set. It uses
1436         a new hash map implementation. The hash map uses linear
1437         probing and it uses Wang's 64 bit hash function for JSValues
1438         that aren't strings. Strings use StringImpl's hash function.
1439         The reason I wanted to roll our own HashTable is twofold:
1440         I didn't want to inline WTF::HashMap's implementation into our
1441         JIT, since that seems error prone and unmaintainable. Also, I wanted
1442         a different structure for hash map buckets where buckets also exist in
1443         a linked list.
1444
1445         The reason for making buckets part of a linked list is that iteration
1446         is now simple. Iteration works by just traversing a linked list.
1447         This design also allows for a simple implementation when doing iteration
1448         while the hash table is mutating. Whenever we remove a bucket from
1449         the hash table, it is removed from the list, meaning items in the
1450         list don't point to it. However, the removed bucket will still point
1451         to things that are either in the list, or have also been removed.
1452         e.g, from a removed bucket, you can always follow pointers until you
1453         either find an item in the list, or you find the tail of the list.
1454         This is a really nice property because it means that a Map or Set
1455         does not need to reason about the all the iterators that point
1456         into its list. Also, whenever we add items to the Map or Set, we
1457         hijack the tail as the new item, and make the new item point to a newly
1458         created tail. This means that any iterator that pointed to the "tail" now
1459         points to non-tail items. This makes the implementation of adding things
1460         to the Map/Set while iterating easy.
1461
1462         I also made Map.prototype.get, Map.prototype.has, and Set.prototype.has
1463         into intrinsics in the DFG. The IR can now reason about hash map
1464         operations and can even do CSE over Wang's hash function, hash map
1465         bucket lookups, hash map bucket loads, and testing if a key is in
1466         the hash table. This makes code patterns for Map like so, super fast
1467         in the FTL, since we will only be doing a single hash and hash bucket lookup:
1468
1469         ```
1470         function getKeyIfPresent(map, key) {
1471             if (map.has(key))
1472                 return map.get(key);
1473         }
1474         ```
1475
1476         This patch is roughly an 8% speedup on ES6SampleBench.
1477
1478
1479         * CMakeLists.txt:
1480         * JavaScriptCore.xcodeproj/project.pbxproj:
1481         * assembler/MacroAssemblerARM64.h:
1482         (JSC::MacroAssemblerARM64::not64):
1483         * bytecode/SpeculatedType.cpp:
1484         (JSC::speculationFromClassInfo):
1485         * bytecode/SpeculatedType.h:
1486         * dfg/DFGAbstractInterpreterInlines.h:
1487         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1488         (JSC::DFG::AbstractInterpreter<AbstractStateType>::execute):
1489         * dfg/DFGByteCodeParser.cpp:
1490         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1491         * dfg/DFGClobberize.h:
1492         (JSC::DFG::clobberize):
1493         * dfg/DFGDoesGC.cpp:
1494         (JSC::DFG::doesGC):
1495         * dfg/DFGEdge.h:
1496         (JSC::DFG::Edge::shift):
1497         (JSC::DFG::Edge::makeWord):
1498         * dfg/DFGFixupPhase.cpp:
1499         (JSC::DFG::FixupPhase::fixupNode):
1500         * dfg/DFGHeapLocation.cpp:
1501         (WTF::printInternal):
1502         * dfg/DFGHeapLocation.h:
1503         * dfg/DFGNode.h:
1504         (JSC::DFG::Node::hasHeapPrediction):
1505         * dfg/DFGNodeType.h:
1506         * dfg/DFGOperations.cpp:
1507         * dfg/DFGOperations.h:
1508         * dfg/DFGPredictionPropagationPhase.cpp:
1509         * dfg/DFGSafeToExecute.h:
1510         (JSC::DFG::SafeToExecuteEdge::operator()):
1511         (JSC::DFG::safeToExecute):
1512         * dfg/DFGSpeculativeJIT.cpp:
1513         (JSC::DFG::SpeculativeJIT::speculateMapObject):
1514         (JSC::DFG::SpeculativeJIT::speculateSetObject):
1515         (JSC::DFG::SpeculativeJIT::speculate):
1516         * dfg/DFGSpeculativeJIT.h:
1517         (JSC::DFG::SpeculativeJIT::callOperation):
1518         * dfg/DFGSpeculativeJIT32_64.cpp:
1519         (JSC::DFG::SpeculativeJIT::compile):
1520         * dfg/DFGSpeculativeJIT64.cpp:
1521         (JSC::DFG::SpeculativeJIT::compile):
1522         * dfg/DFGUseKind.cpp:
1523         (WTF::printInternal):
1524         * dfg/DFGUseKind.h:
1525         (JSC::DFG::typeFilterFor):
1526         (JSC::DFG::isCell):
1527         * ftl/FTLAbstractHeapRepository.h:
1528         * ftl/FTLCapabilities.cpp:
1529         (JSC::FTL::canCompile):
1530         * ftl/FTLLowerDFGToB3.cpp:
1531         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1532         (JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
1533         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
1534         (JSC::FTL::DFG::LowerDFGToB3::compileLoadFromJSMapBucket):
1535         (JSC::FTL::DFG::LowerDFGToB3::compileIsNonEmptyMapBucket):
1536         (JSC::FTL::DFG::LowerDFGToB3::lowMapObject):
1537         (JSC::FTL::DFG::LowerDFGToB3::lowSetObject):
1538         (JSC::FTL::DFG::LowerDFGToB3::lowMapBucket):
1539         (JSC::FTL::DFG::LowerDFGToB3::speculate):
1540         (JSC::FTL::DFG::LowerDFGToB3::speculateMapObject):
1541         (JSC::FTL::DFG::LowerDFGToB3::speculateSetObject):
1542         (JSC::FTL::DFG::LowerDFGToB3::setMapBucket):
1543         (JSC::FTL::DFG::LowerDFGToB3::lowRegExpObject): Deleted.
1544         (JSC::FTL::DFG::LowerDFGToB3::lowStorage): Deleted.
1545         (JSC::FTL::DFG::LowerDFGToB3::speculateRegExpObject): Deleted.
1546         (JSC::FTL::DFG::LowerDFGToB3::setStorage): Deleted.
1547         * jit/AssemblyHelpers.cpp:
1548         (JSC::AssemblyHelpers::wangsInt64Hash):
1549         * jit/AssemblyHelpers.h:
1550         (JSC::AssemblyHelpers::emitAllocateDestructibleObject): Deleted.
1551         * jit/JITOperations.h:
1552         * parser/ModuleAnalyzer.cpp:
1553         (JSC::ModuleAnalyzer::ModuleAnalyzer):
1554         * runtime/HashMapImpl.cpp: Added.
1555         (JSC::HashMapBucket<Data>::visitChildren):
1556         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
1557         (JSC::HashMapImpl<HashMapBucket>::copyBackingStore):
1558         * runtime/HashMapImpl.h: Added.
1559         (JSC::HashMapBucket::selectStructure):
1560         (JSC::HashMapBucket::createStructure):
1561         (JSC::HashMapBucket::create):
1562         (JSC::HashMapBucket::HashMapBucket):
1563         (JSC::HashMapBucket::setNext):
1564         (JSC::HashMapBucket::setPrev):
1565         (JSC::HashMapBucket::setKey):
1566         (JSC::HashMapBucket::setValue):
1567         (JSC::HashMapBucket::key):
1568         (JSC::HashMapBucket::value):
1569         (JSC::HashMapBucket::next):
1570         (JSC::HashMapBucket::prev):
1571         (JSC::HashMapBucket::deleted):
1572         (JSC::HashMapBucket::setDeleted):
1573         (JSC::HashMapBucket::offsetOfKey):
1574         (JSC::HashMapBucket::offsetOfValue):
1575         (JSC::HashMapBuffer::allocationSize):
1576         (JSC::HashMapBuffer::buffer):
1577         (JSC::HashMapBuffer::create):
1578         (JSC::areKeysEqual):
1579         (JSC::normalizeMapKey):
1580         (JSC::jsMapHash):
1581         (JSC::HashMapImpl::selectStructure):
1582         (JSC::HashMapImpl::createStructure):
1583         (JSC::HashMapImpl::create):
1584         (JSC::HashMapImpl::HashMapImpl):
1585         (JSC::HashMapImpl::buffer):
1586         (JSC::HashMapImpl::finishCreation):
1587         (JSC::HashMapImpl::emptyValue):
1588         (JSC::HashMapImpl::isEmpty):
1589         (JSC::HashMapImpl::deletedValue):
1590         (JSC::HashMapImpl::isDeleted):
1591         (JSC::HashMapImpl::findBucket):
1592         (JSC::HashMapImpl::get):
1593         (JSC::HashMapImpl::has):
1594         (JSC::HashMapImpl::add):
1595         (JSC::HashMapImpl::remove):
1596         (JSC::HashMapImpl::size):
1597         (JSC::HashMapImpl::clear):
1598         (JSC::HashMapImpl::bufferSizeInBytes):
1599         (JSC::HashMapImpl::offsetOfBuffer):
1600         (JSC::HashMapImpl::offsetOfCapacity):
1601         (JSC::HashMapImpl::head):
1602         (JSC::HashMapImpl::tail):
1603         (JSC::HashMapImpl::approximateSize):
1604         (JSC::HashMapImpl::findBucketAlreadyHashedAndNormalized):
1605         (JSC::HashMapImpl::rehash):
1606         (JSC::HashMapImpl::makeAndSetNewBuffer):
1607         * runtime/Intrinsic.h:
1608         * runtime/JSCJSValue.h:
1609         * runtime/JSCJSValueInlines.h:
1610         (JSC::sameValue):
1611         * runtime/JSGlobalObject.cpp:
1612         (JSC::JSGlobalObject::init):
1613         * runtime/JSMap.cpp:
1614         (JSC::JSMap::destroy): Deleted.
1615         (JSC::JSMap::estimatedSize): Deleted.
1616         (JSC::JSMap::visitChildren): Deleted.
1617         (JSC::JSMap::copyBackingStore): Deleted.
1618         (JSC::JSMap::has): Deleted.
1619         (JSC::JSMap::size): Deleted.
1620         (JSC::JSMap::get): Deleted.
1621         (JSC::JSMap::set): Deleted.
1622         (JSC::JSMap::clear): Deleted.
1623         (JSC::JSMap::remove): Deleted.
1624         * runtime/JSMap.h:
1625         (JSC::JSMap::createStructure):
1626         (JSC::JSMap::create):
1627         (JSC::JSMap::get):
1628         (JSC::JSMap::set):
1629         (JSC::JSMap::JSMap):
1630         (JSC::JSMap::Entry::key): Deleted.
1631         (JSC::JSMap::Entry::value): Deleted.
1632         (JSC::JSMap::Entry::visitChildren): Deleted.
1633         (JSC::JSMap::Entry::setKey): Deleted.
1634         (JSC::JSMap::Entry::setKeyWithoutWriteBarrier): Deleted.
1635         (JSC::JSMap::Entry::setValue): Deleted.
1636         (JSC::JSMap::Entry::clear): Deleted.
1637         * runtime/JSMapIterator.cpp:
1638         (JSC::JSMapIterator::finishCreation):
1639         (JSC::JSMapIterator::visitChildren):
1640         (JSC::JSMapIterator::clone):
1641         * runtime/JSMapIterator.h:
1642         (JSC::JSMapIterator::advanceIter):
1643         (JSC::JSMapIterator::next):
1644         (JSC::JSMapIterator::nextKeyValue):
1645         (JSC::JSMapIterator::JSMapIterator):
1646         (JSC::JSMapIterator::setIterator):
1647         (JSC::JSMapIterator::finish): Deleted.
1648         (JSC::JSMapIterator::iteratorData): Deleted.
1649         * runtime/JSModuleLoader.cpp:
1650         (JSC::JSModuleLoader::finishCreation):
1651         * runtime/JSModuleLoader.h:
1652         (JSC::JSModuleLoader::create):
1653         * runtime/JSModuleRecord.cpp:
1654         (JSC::JSModuleRecord::finishCreation):
1655         * runtime/JSModuleRecord.h:
1656         (JSC::JSModuleRecord::create):
1657         * runtime/JSSet.cpp:
1658         (JSC::JSSet::destroy): Deleted.
1659         (JSC::JSSet::estimatedSize): Deleted.
1660         (JSC::JSSet::visitChildren): Deleted.
1661         (JSC::JSSet::copyBackingStore): Deleted.
1662         (JSC::JSSet::has): Deleted.
1663         (JSC::JSSet::size): Deleted.
1664         (JSC::JSSet::add): Deleted.
1665         (JSC::JSSet::clear): Deleted.
1666         (JSC::JSSet::remove): Deleted.
1667         * runtime/JSSet.h:
1668         (JSC::JSSet::createStructure):
1669         (JSC::JSSet::create):
1670         (JSC::JSSet::add):
1671         (JSC::JSSet::JSSet):
1672         (JSC::JSSet::Entry::key): Deleted.
1673         (JSC::JSSet::Entry::value): Deleted.
1674         (JSC::JSSet::Entry::visitChildren): Deleted.
1675         (JSC::JSSet::Entry::setKey): Deleted.
1676         (JSC::JSSet::Entry::setKeyWithoutWriteBarrier): Deleted.
1677         (JSC::JSSet::Entry::setValue): Deleted.
1678         (JSC::JSSet::Entry::clear): Deleted.
1679         * runtime/JSSetIterator.cpp:
1680         (JSC::JSSetIterator::finishCreation):
1681         (JSC::JSSetIterator::visitChildren):
1682         (JSC::JSSetIterator::clone):
1683         * runtime/JSSetIterator.h:
1684         (JSC::JSSetIterator::advanceIter):
1685         (JSC::JSSetIterator::next):
1686         (JSC::JSSetIterator::JSSetIterator):
1687         (JSC::JSSetIterator::setIterator):
1688         (JSC::JSSetIterator::finish): Deleted.
1689         (JSC::JSSetIterator::iteratorData): Deleted.
1690         * runtime/JSType.h:
1691         * runtime/MapBase.cpp: Added.
1692         (JSC::MapBase<HashMapBucketType>::visitChildren):
1693         (JSC::MapBase<HashMapBucketType>::estimatedSize):
1694         * runtime/MapBase.h: Added.
1695         (JSC::MapBase::size):
1696         (JSC::MapBase::has):
1697         (JSC::MapBase::clear):
1698         (JSC::MapBase::remove):
1699         (JSC::MapBase::findBucket):
1700         (JSC::MapBase::offsetOfHashMapImpl):
1701         (JSC::MapBase::impl):
1702         (JSC::MapBase::finishCreation):
1703         (JSC::MapBase::MapBase):
1704         * runtime/MapConstructor.cpp:
1705         (JSC::constructMap):
1706         * runtime/MapIteratorPrototype.cpp:
1707         (JSC::MapIteratorPrototypeFuncNext):
1708         * runtime/MapPrototype.cpp:
1709         (JSC::MapPrototype::finishCreation):
1710         (JSC::getMap):
1711         (JSC::privateFuncIsMap):
1712         (JSC::privateFuncMapIteratorNext):
1713         * runtime/PropertyDescriptor.cpp:
1714         (JSC::sameValue): Deleted.
1715         * runtime/PropertyDescriptor.h:
1716         * runtime/SetConstructor.cpp:
1717         (JSC::constructSet):
1718         * runtime/SetIteratorPrototype.cpp:
1719         (JSC::SetIteratorPrototypeFuncNext):
1720         * runtime/SetPrototype.cpp:
1721         (JSC::SetPrototype::finishCreation):
1722         (JSC::getSet):
1723         (JSC::privateFuncSetIteratorNext):
1724         * runtime/VM.cpp:
1725         (JSC::VM::VM):
1726         * runtime/VM.h:
1727
1728 2016-09-06  Benjamin Poulain  <bpoulain@apple.com>
1729
1730         [JSC] Make ArithClz32 work with Cell arguments
1731         https://bugs.webkit.org/show_bug.cgi?id=161369
1732
1733         Reviewed by Geoffrey Garen.
1734
1735         ArithClz32 was already working with all primitive types
1736         thanks to the magic of ValueToInt32.
1737         This patch adds support for cell arguments through a function
1738         call.
1739
1740         * dfg/DFGAbstractInterpreterInlines.h:
1741         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1742         * dfg/DFGClobberize.h:
1743         (JSC::DFG::clobberize):
1744         * dfg/DFGFixupPhase.cpp:
1745         (JSC::DFG::FixupPhase::fixupNode):
1746         * dfg/DFGNodeType.h:
1747         * dfg/DFGOperations.cpp:
1748         * dfg/DFGOperations.h:
1749         * dfg/DFGSpeculativeJIT.cpp:
1750         (JSC::DFG::SpeculativeJIT::compileArithClz32):
1751         * dfg/DFGSpeculativeJIT.h:
1752         (JSC::DFG::SpeculativeJIT::callOperation):
1753         * ftl/FTLLowerDFGToB3.cpp:
1754         (JSC::FTL::DFG::LowerDFGToB3::compileArithClz32):
1755
1756 2016-09-06  Mark Lam  <mark.lam@apple.com>
1757
1758         Gardening: change to use old header guard to appease Win EWS.
1759
1760         Not reviewed.
1761
1762         * runtime/AuxiliaryBarrier.h:
1763
1764 2016-09-06  Commit Queue  <commit-queue@webkit.org>
1765
1766         Unreviewed, rolling out r205494.
1767         https://bugs.webkit.org/show_bug.cgi?id=161646
1768
1769         This change broke the Windows build (Requested by ryanhaddad
1770         on #webkit).
1771
1772         Reverted changeset:
1773
1774         "Typed arrays should use MarkedSpace instead of CopiedSpace"
1775         https://bugs.webkit.org/show_bug.cgi?id=161100
1776         http://trac.webkit.org/changeset/205494
1777
1778 2016-09-06  Commit Queue  <commit-queue@webkit.org>
1779
1780         Unreviewed, rolling out r205504.
1781         https://bugs.webkit.org/show_bug.cgi?id=161645
1782
1783         Broke the iOS device build (Requested by ryanhaddad on
1784         #webkit).
1785
1786         Reverted changeset:
1787
1788         "Make JSMap and JSSet faster"
1789         https://bugs.webkit.org/show_bug.cgi?id=160989
1790         http://trac.webkit.org/changeset/205504
1791
1792 2016-09-06  Saam Barati  <sbarati@apple.com>
1793
1794         Make JSMap and JSSet faster
1795         https://bugs.webkit.org/show_bug.cgi?id=160989
1796
1797         Reviewed by Filip Pizlo.
1798
1799         This patch revamps how we implement Map and Set. It uses
1800         a new hash map implementation. The hash map uses linear
1801         probing and it uses Wang's 64 bit hash function for JSValues
1802         that aren't strings. Strings use StringImpl's hash function.
1803         The reason I wanted to roll our own HashTable is twofold:
1804         I didn't want to inline WTF::HashMap's implementation into our
1805         JIT, since that seems error prone and unmaintainable. Also, I wanted
1806         a different structure for hash map buckets where buckets also exist in
1807         a linked list.
1808
1809         The reason for making buckets part of a linked list is that iteration
1810         is now simple. Iteration works by just traversing a linked list.
1811         This design also allows for a simple implementation when doing iteration
1812         while the hash table is mutating. Whenever we remove a bucket from
1813         the hash table, it is removed from the list, meaning items in the
1814         list don't point to it. However, the removed bucket will still point
1815         to things that are either in the list, or have also been removed.
1816         e.g, from a removed bucket, you can always follow pointers until you
1817         either find an item in the list, or you find the tail of the list.
1818         This is a really nice property because it means that a Map or Set
1819         does not need to reason about the all the iterators that point
1820         into its list. Also, whenever we add items to the Map or Set, we
1821         hijack the tail as the new item, and make the new item point to a newly
1822         created tail. This means that any iterator that pointed to the "tail" now
1823         points to non-tail items. This makes the implementation of adding things
1824         to the Map/Set while iterating easy.
1825
1826         I also made Map.prototype.get, Map.prototype.has, and Set.prototype.has
1827         into intrinsics in the DFG. The IR can now reason about hash map
1828         operations and can even do CSE over Wang's hash function, hash map
1829         bucket lookups, hash map bucket loads, and testing if a key is in
1830         the hash table. This makes code patterns for Map like so, super fast
1831         in the FTL, since we will only be doing a single hash and hash bucket lookup:
1832
1833         ```
1834         function getKeyIfPresent(map, key) {
1835             if (map.has(key))
1836                 return map.get(key);
1837         }
1838         ```
1839
1840         This patch is roughly an 8% speedup on ES6SampleBench.
1841
1842         * CMakeLists.txt:
1843         * JavaScriptCore.xcodeproj/project.pbxproj:
1844         * bytecode/SpeculatedType.cpp:
1845         (JSC::speculationFromClassInfo):
1846         * bytecode/SpeculatedType.h:
1847         * dfg/DFGAbstractInterpreterInlines.h:
1848         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1849         (JSC::DFG::AbstractInterpreter<AbstractStateType>::execute):
1850         * dfg/DFGByteCodeParser.cpp:
1851         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1852         * dfg/DFGClobberize.h:
1853         (JSC::DFG::clobberize):
1854         * dfg/DFGDoesGC.cpp:
1855         (JSC::DFG::doesGC):
1856         * dfg/DFGEdge.h:
1857         (JSC::DFG::Edge::shift):
1858         (JSC::DFG::Edge::makeWord):
1859         * dfg/DFGFixupPhase.cpp:
1860         (JSC::DFG::FixupPhase::fixupNode):
1861         * dfg/DFGHeapLocation.cpp:
1862         (WTF::printInternal):
1863         * dfg/DFGHeapLocation.h:
1864         * dfg/DFGNode.h:
1865         (JSC::DFG::Node::hasHeapPrediction):
1866         * dfg/DFGNodeType.h:
1867         * dfg/DFGOperations.cpp:
1868         * dfg/DFGOperations.h:
1869         * dfg/DFGPredictionPropagationPhase.cpp:
1870         * dfg/DFGSafeToExecute.h:
1871         (JSC::DFG::SafeToExecuteEdge::operator()):
1872         (JSC::DFG::safeToExecute):
1873         * dfg/DFGSpeculativeJIT.cpp:
1874         (JSC::DFG::SpeculativeJIT::speculateMapObject):
1875         (JSC::DFG::SpeculativeJIT::speculateSetObject):
1876         (JSC::DFG::SpeculativeJIT::speculate):
1877         * dfg/DFGSpeculativeJIT.h:
1878         (JSC::DFG::SpeculativeJIT::callOperation):
1879         * dfg/DFGSpeculativeJIT32_64.cpp:
1880         (JSC::DFG::SpeculativeJIT::compile):
1881         * dfg/DFGSpeculativeJIT64.cpp:
1882         (JSC::DFG::SpeculativeJIT::compile):
1883         * dfg/DFGUseKind.cpp:
1884         (WTF::printInternal):
1885         * dfg/DFGUseKind.h:
1886         (JSC::DFG::typeFilterFor):
1887         (JSC::DFG::isCell):
1888         * ftl/FTLAbstractHeapRepository.h:
1889         * ftl/FTLCapabilities.cpp:
1890         (JSC::FTL::canCompile):
1891         * ftl/FTLLowerDFGToB3.cpp:
1892         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1893         (JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
1894         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
1895         (JSC::FTL::DFG::LowerDFGToB3::compileLoadFromJSMapBucket):
1896         (JSC::FTL::DFG::LowerDFGToB3::compileIsNonEmptyMapBucket):
1897         (JSC::FTL::DFG::LowerDFGToB3::lowMapObject):
1898         (JSC::FTL::DFG::LowerDFGToB3::lowSetObject):
1899         (JSC::FTL::DFG::LowerDFGToB3::lowMapBucket):
1900         (JSC::FTL::DFG::LowerDFGToB3::speculate):
1901         (JSC::FTL::DFG::LowerDFGToB3::speculateMapObject):
1902         (JSC::FTL::DFG::LowerDFGToB3::speculateSetObject):
1903         (JSC::FTL::DFG::LowerDFGToB3::setMapBucket):
1904         (JSC::FTL::DFG::LowerDFGToB3::lowRegExpObject): Deleted.
1905         (JSC::FTL::DFG::LowerDFGToB3::lowStorage): Deleted.
1906         (JSC::FTL::DFG::LowerDFGToB3::speculateRegExpObject): Deleted.
1907         (JSC::FTL::DFG::LowerDFGToB3::setStorage): Deleted.
1908         * jit/AssemblyHelpers.cpp:
1909         (JSC::AssemblyHelpers::wangsInt64Hash):
1910         * jit/AssemblyHelpers.h:
1911         (JSC::AssemblyHelpers::emitAllocateDestructibleObject): Deleted.
1912         * jit/JITOperations.h:
1913         * parser/ModuleAnalyzer.cpp:
1914         (JSC::ModuleAnalyzer::ModuleAnalyzer):
1915         * runtime/HashMapImpl.cpp: Added.
1916         (JSC::HashMapBucket<Data>::visitChildren):
1917         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
1918         (JSC::HashMapImpl<HashMapBucket>::copyBackingStore):
1919         * runtime/HashMapImpl.h: Added.
1920         (JSC::HashMapBucket::selectStructure):
1921         (JSC::HashMapBucket::createStructure):
1922         (JSC::HashMapBucket::create):
1923         (JSC::HashMapBucket::HashMapBucket):
1924         (JSC::HashMapBucket::setNext):
1925         (JSC::HashMapBucket::setPrev):
1926         (JSC::HashMapBucket::setKey):
1927         (JSC::HashMapBucket::setValue):
1928         (JSC::HashMapBucket::key):
1929         (JSC::HashMapBucket::value):
1930         (JSC::HashMapBucket::next):
1931         (JSC::HashMapBucket::prev):
1932         (JSC::HashMapBucket::deleted):
1933         (JSC::HashMapBucket::setDeleted):
1934         (JSC::HashMapBucket::offsetOfKey):
1935         (JSC::HashMapBucket::offsetOfValue):
1936         (JSC::HashMapBuffer::allocationSize):
1937         (JSC::HashMapBuffer::buffer):
1938         (JSC::HashMapBuffer::create):
1939         (JSC::areKeysEqual):
1940         (JSC::normalizeMapKey):
1941         (JSC::jsMapHash):
1942         (JSC::HashMapImpl::selectStructure):
1943         (JSC::HashMapImpl::createStructure):
1944         (JSC::HashMapImpl::create):
1945         (JSC::HashMapImpl::HashMapImpl):
1946         (JSC::HashMapImpl::buffer):
1947         (JSC::HashMapImpl::finishCreation):
1948         (JSC::HashMapImpl::emptyValue):
1949         (JSC::HashMapImpl::isEmpty):
1950         (JSC::HashMapImpl::deletedValue):
1951         (JSC::HashMapImpl::isDeleted):
1952         (JSC::HashMapImpl::findBucket):
1953         (JSC::HashMapImpl::get):
1954         (JSC::HashMapImpl::has):
1955         (JSC::HashMapImpl::add):
1956         (JSC::HashMapImpl::remove):
1957         (JSC::HashMapImpl::size):
1958         (JSC::HashMapImpl::clear):
1959         (JSC::HashMapImpl::bufferSizeInBytes):
1960         (JSC::HashMapImpl::offsetOfBuffer):
1961         (JSC::HashMapImpl::offsetOfCapacity):
1962         (JSC::HashMapImpl::head):
1963         (JSC::HashMapImpl::tail):
1964         (JSC::HashMapImpl::approximateSize):
1965         (JSC::HashMapImpl::findBucketAlreadyHashedAndNormalized):
1966         (JSC::HashMapImpl::rehash):
1967         (JSC::HashMapImpl::makeAndSetNewBuffer):
1968         * runtime/Intrinsic.h:
1969         * runtime/JSCJSValue.h:
1970         * runtime/JSCJSValueInlines.h:
1971         (JSC::sameValue):
1972         * runtime/JSGlobalObject.cpp:
1973         (JSC::JSGlobalObject::init):
1974         * runtime/JSMap.cpp:
1975         (JSC::JSMap::destroy): Deleted.
1976         (JSC::JSMap::estimatedSize): Deleted.
1977         (JSC::JSMap::visitChildren): Deleted.
1978         (JSC::JSMap::copyBackingStore): Deleted.
1979         (JSC::JSMap::has): Deleted.
1980         (JSC::JSMap::size): Deleted.
1981         (JSC::JSMap::get): Deleted.
1982         (JSC::JSMap::set): Deleted.
1983         (JSC::JSMap::clear): Deleted.
1984         (JSC::JSMap::remove): Deleted.
1985         * runtime/JSMap.h:
1986         (JSC::JSMap::createStructure):
1987         (JSC::JSMap::create):
1988         (JSC::JSMap::get):
1989         (JSC::JSMap::set):
1990         (JSC::JSMap::JSMap):
1991         (JSC::JSMap::Entry::key): Deleted.
1992         (JSC::JSMap::Entry::value): Deleted.
1993         (JSC::JSMap::Entry::visitChildren): Deleted.
1994         (JSC::JSMap::Entry::setKey): Deleted.
1995         (JSC::JSMap::Entry::setKeyWithoutWriteBarrier): Deleted.
1996         (JSC::JSMap::Entry::setValue): Deleted.
1997         (JSC::JSMap::Entry::clear): Deleted.
1998         * runtime/JSMapIterator.cpp:
1999         (JSC::JSMapIterator::finishCreation):
2000         (JSC::JSMapIterator::visitChildren):
2001         (JSC::JSMapIterator::clone):
2002         * runtime/JSMapIterator.h:
2003         (JSC::JSMapIterator::advanceIter):
2004         (JSC::JSMapIterator::next):
2005         (JSC::JSMapIterator::nextKeyValue):
2006         (JSC::JSMapIterator::JSMapIterator):
2007         (JSC::JSMapIterator::setIterator):
2008         (JSC::JSMapIterator::finish): Deleted.
2009         (JSC::JSMapIterator::iteratorData): Deleted.
2010         * runtime/JSModuleLoader.cpp:
2011         (JSC::JSModuleLoader::finishCreation):
2012         * runtime/JSModuleLoader.h:
2013         (JSC::JSModuleLoader::create):
2014         * runtime/JSModuleRecord.cpp:
2015         (JSC::JSModuleRecord::finishCreation):
2016         * runtime/JSModuleRecord.h:
2017         (JSC::JSModuleRecord::create):
2018         * runtime/JSSet.cpp:
2019         (JSC::JSSet::destroy): Deleted.
2020         (JSC::JSSet::estimatedSize): Deleted.
2021         (JSC::JSSet::visitChildren): Deleted.
2022         (JSC::JSSet::copyBackingStore): Deleted.
2023         (JSC::JSSet::has): Deleted.
2024         (JSC::JSSet::size): Deleted.
2025         (JSC::JSSet::add): Deleted.
2026         (JSC::JSSet::clear): Deleted.
2027         (JSC::JSSet::remove): Deleted.
2028         * runtime/JSSet.h:
2029         (JSC::JSSet::createStructure):
2030         (JSC::JSSet::create):
2031         (JSC::JSSet::add):
2032         (JSC::JSSet::JSSet):
2033         (JSC::JSSet::Entry::key): Deleted.
2034         (JSC::JSSet::Entry::value): Deleted.
2035         (JSC::JSSet::Entry::visitChildren): Deleted.
2036         (JSC::JSSet::Entry::setKey): Deleted.
2037         (JSC::JSSet::Entry::setKeyWithoutWriteBarrier): Deleted.
2038         (JSC::JSSet::Entry::setValue): Deleted.
2039         (JSC::JSSet::Entry::clear): Deleted.
2040         * runtime/JSSetIterator.cpp:
2041         (JSC::JSSetIterator::finishCreation):
2042         (JSC::JSSetIterator::visitChildren):
2043         (JSC::JSSetIterator::clone):
2044         * runtime/JSSetIterator.h:
2045         (JSC::JSSetIterator::advanceIter):
2046         (JSC::JSSetIterator::next):
2047         (JSC::JSSetIterator::JSSetIterator):
2048         (JSC::JSSetIterator::setIterator):
2049         (JSC::JSSetIterator::finish): Deleted.
2050         (JSC::JSSetIterator::iteratorData): Deleted.
2051         * runtime/JSType.h:
2052         * runtime/MapBase.cpp: Added.
2053         (JSC::MapBase<HashMapBucketType>::visitChildren):
2054         (JSC::MapBase<HashMapBucketType>::estimatedSize):
2055         * runtime/MapBase.h: Added.
2056         (JSC::MapBase::size):
2057         (JSC::MapBase::has):
2058         (JSC::MapBase::clear):
2059         (JSC::MapBase::remove):
2060         (JSC::MapBase::findBucket):
2061         (JSC::MapBase::offsetOfHashMapImpl):
2062         (JSC::MapBase::impl):
2063         (JSC::MapBase::finishCreation):
2064         (JSC::MapBase::MapBase):
2065         * runtime/MapConstructor.cpp:
2066         (JSC::constructMap):
2067         * runtime/MapIteratorPrototype.cpp:
2068         (JSC::MapIteratorPrototypeFuncNext):
2069         * runtime/MapPrototype.cpp:
2070         (JSC::MapPrototype::finishCreation):
2071         (JSC::getMap):
2072         (JSC::privateFuncIsMap):
2073         (JSC::privateFuncMapIteratorNext):
2074         * runtime/PropertyDescriptor.cpp:
2075         (JSC::sameValue): Deleted.
2076         * runtime/PropertyDescriptor.h:
2077         * runtime/SetConstructor.cpp:
2078         (JSC::constructSet):
2079         * runtime/SetIteratorPrototype.cpp:
2080         (JSC::SetIteratorPrototypeFuncNext):
2081         * runtime/SetPrototype.cpp:
2082         (JSC::SetPrototype::finishCreation):
2083         (JSC::getSet):
2084         (JSC::privateFuncSetIteratorNext):
2085         * runtime/VM.cpp:
2086         (JSC::VM::VM):
2087         * runtime/VM.h:
2088
2089 2016-09-06  Filip Pizlo  <fpizlo@apple.com>
2090
2091         Typed arrays should use MarkedSpace instead of CopiedSpace
2092         https://bugs.webkit.org/show_bug.cgi?id=161100
2093
2094         Reviewed by Geoffrey Garen.
2095         
2096         This moves typed array backing stores out of CopiedSpace and into Auxiliary MarkedSpace.
2097         
2098         This is a purely mechanical change since Auxiliary MarkedSpace already knows how to do
2099         everything that typed arrays want.
2100
2101         * dfg/DFGOperations.cpp:
2102         (JSC::DFG::newTypedArrayWithSize):
2103         * dfg/DFGOperations.h:
2104         (JSC::DFG::operationNewTypedArrayWithSizeForType):
2105         * dfg/DFGSpeculativeJIT.cpp:
2106         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
2107         * dfg/DFGSpeculativeJIT.h:
2108         (JSC::DFG::SpeculativeJIT::callOperation):
2109         (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage): Deleted.
2110         * ftl/FTLLowerDFGToB3.cpp:
2111         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
2112         (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
2113         (JSC::FTL::DFG::LowerDFGToB3::splatWords):
2114         (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorageAndGetEnd): Deleted.
2115         (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorage): Deleted.
2116         * heap/CopyToken.h:
2117         * heap/SlotVisitor.cpp:
2118         (JSC::SlotVisitor::markAuxiliary):
2119         * jit/JITOperations.h:
2120         * runtime/JSArrayBufferView.cpp:
2121         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
2122         (JSC::JSArrayBufferView::JSArrayBufferView):
2123         * runtime/JSArrayBufferView.h:
2124         * runtime/JSGenericTypedArrayView.h:
2125         * runtime/JSGenericTypedArrayViewInlines.h:
2126         (JSC::JSGenericTypedArrayView<Adaptor>::createWithFastVector):
2127         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
2128         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
2129         (JSC::JSGenericTypedArrayView<Adaptor>::copyBackingStore): Deleted.
2130
2131 2016-09-06  Michael Catanzaro  <mcatanzaro@igalia.com>
2132
2133         Silence GCC warning spam introduced in r205462
2134
2135         Rubber-stamped by Filip Pizlo.
2136
2137         * bytecode/Opcode.h:
2138         (JSC::padOpcodeName):
2139
2140 2016-09-05  Filip Pizlo  <fpizlo@apple.com>
2141
2142         Heap::isMarked() should use concurrent lazy flipping
2143         https://bugs.webkit.org/show_bug.cgi?id=161613
2144
2145         Reviewed by Michael Catanzaro.
2146         
2147         I found out about this race condition via
2148         https://bugs.webkit.org/show_bug.cgi?id=160125#c233.
2149         
2150         The problem is that we use isMarked, and maybe even isLive, inside the concurrent mark
2151         phase. So, they need to lazy-flip in a non-racy way.
2152
2153         * heap/HeapInlines.h:
2154         (JSC::Heap::isLive):
2155         (JSC::Heap::isMarked):
2156
2157 2016-09-05  Filip Pizlo  <fpizlo@apple.com>
2158
2159         Unreviewed, reset generator test results after the butterflies.
2160
2161         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
2162         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
2163         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
2164         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
2165         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
2166         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
2167         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
2168         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
2169         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
2170         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
2171         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
2172         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
2173         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
2174         * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
2175
2176 2016-09-05  Filip Pizlo  <fpizlo@apple.com>
2177
2178         Unreviewed, fix cloop build.
2179
2180         * bytecode/SuperSampler.cpp:
2181
2182 2016-08-31  Filip Pizlo  <fpizlo@apple.com>
2183
2184         Butterflies should be allocated in Auxiliary MarkedSpace instead of CopiedSpace and we should rewrite as much of the GC as needed to make this not a regression
2185         https://bugs.webkit.org/show_bug.cgi?id=160125
2186
2187         Reviewed by Geoffrey Garen and Keith Miller.
2188
2189         In order to make the GC concurrent (bug 149432), we would either need to enable concurrent
2190         copying or we would need to not copy. Concurrent copying carries a 1-2% throughput overhead
2191         from the barriers alone. Considering that MarkedSpace does a decent job of avoiding
2192         fragmentation, it's unlikely that it's worth paying 1-2% throughput for copying. So, we want
2193         to get rid of copied space. This change moves copied space's biggest client over to marked
2194         space.
2195         
2196         Moving butterflies to marked space means having them use the new Auxiliary HeapCell
2197         allocation path. This is a fairly mechanical change, but it caused performance regressions
2198         everywhere, so this change also fixes MarkedSpace's performance issues.
2199         
2200         At a high level the mechanical changes are:
2201         
2202         - We use AuxiliaryBarrier instead of CopyBarrier.
2203         
2204         - We use tryAllocateAuxiliary instead of tryAllocateStorage. I got rid of the silly
2205           CheckedBoolean stuff, since it's so much more trouble than it's worth.
2206         
2207         - The JITs have to emit inlined marked space allocations instead of inline copy space
2208           allocations.
2209         
2210         - Everyone has to get used to zeroing their butterflies after allocation instead of relying
2211           on them being pre-zeroed by the GC. Copied space would zero things for you, while marked
2212           space doesn't.
2213         
2214         That's about 1/3 of this change. But this led to performance problems, which I fixed with
2215         optimizations that amounted to a major MarkedSpace rewrite:
2216         
2217         - MarkedSpace always causes internal fragmentation for array allocations because the vector
2218           length we choose when we resize usually leads to a cell size that doesn't correspond to any
2219           size class. I got around this by making array allocations usually round up vectorLength to
2220           the maximum allowed by the size class that we would have allocated in. Also,
2221           ensureLengthSlow() and friends first make sure that the requested length can't just be
2222           fulfilled with the current allocation size. This safeguard means that not every array
2223           allocation has to do size class queries. For example, the fast path of new Array(length)
2224           never does any size class queries, under the assumption that (1) the speed gained from
2225           avoiding an ensureLengthSlow() call, which then just changes the vectorLength by doing the
2226           size class query, is too small to offset the speed lost by doing the query on every
2227           allocation and (2) new Array(length) is a pretty good hint that resizing is not very
2228           likely.
2229         
2230         - Size classes in MarkedSpace were way too precise, which led to external fragmentation. This
2231           changes MarkedSpace size classes to use a linear progression for very small sizes followed
2232           by a geometric progression that naturally transitions to a hyperbolic progression. We want
2233           hyperbolic sizes when we get close to blockSize: for example the largest size we want is
2234           payloadSize / 2 rounded down, to ensure we get exactly two cells with minimal slop. The
2235           next size down should be payloadSize / 3 rounded down, and so on. After the last precise
2236           size (80 bytes), we proceed using a geometric progression, but round up each size to
2237           minimize slop at the end of the block. This naturally causes the geometric progression to
2238           turn hyperbolic for large sizes. The size class configuration happens at VM start-up, so
2239           it can be controlled with runtime options. I found that a base of 1.4 works pretty well.
2240         
2241         - Large allocations caused massive internal fragmentation, since the smallest large
2242           allocation had to use exactly blockSize, and the largest small allocation used
2243           blockSize / 2. The next size up - the first large allocation size to require two blocks -
2244           also had 50% internal fragmentation. This is because we required large allocations to be
2245           blockSize aligned, so that MarkedBlock::blockFor() would work. I decided to rewrite all of
2246           that. Cells no longer have to be owned by a MarkedBlock. They can now alternatively be
2247           owned by a LargeAllocation. These two things are abstracted as CellContainer. You know that
2248           a cell is owned by a LargeAllocation if the MarkedBlock::atomSize / 2 bit is set.
2249           Basically, large allocations are deliberately misaligned by 8 bytes. This actually works
2250           out great since (1) typed arrays won't use large allocations anyway since they have their
2251           own malloc fallback and (2) large array butterflies already have a 8 byte header, which
2252           means that the 8 byte base misalignment aligns the large array payload on a 16 byte
2253           boundary. I took extreme care to make sure that the isLargeAllocation bit checks are as
2254           rare as possible; for example, ExecState::vm() skips the check because we know that callees
2255           must be small allocations. It's also possible to use template tricks to do one check for
2256           cell container kind, and then invoke a function specialized for MarkedBlock or a function
2257           specialized for LargeAllocation. LargeAllocation includes stubs for all MarkedBlock methods
2258           that get used from functions that are template-specialized like this. That's mostly to
2259           speed up the GC marking code. Most other code can use CellContainer API or HeapCell API
2260           directly. That's another thing: HeapCell, the common base of JSCell and auxiliary
2261           allocations, is now smart enough to do a lot of things for you, like HeapCell::vm(),
2262           HeapCell::heap(), HeapCell::isLargeAllocation(), and HeapCell::cellContainer(). The size
2263           cutoff for large allocations is runtime-configurable, so long as you don't choose something
2264           so small that callees end up large. I found that 400 bytes is roughly optimal. This means
2265           that the MarkedBlock size classes end up being:
2266           
2267           16, 32, 48, 64, 80, 112, 160, 224, 320
2268           
2269           The next size class would have been 432, but that's above the 400 byte cutoff. All of this
2270           is configurable with --sizeClassProgression and --largeAllocationCutoff. You can see what
2271           size classes you end up with by doing --dumpSizeClasses=true.
2272         
2273         - Copied space uses 64KB blocks, while marked space used to use 16KB blocks. Allocating a lot
2274           of stuff in 16KB blocks was slower than allocating it in 64KB blocks because the GC had a
2275           lot of per-block overhead. I removed this overhead: It's now 2x faster to scan all
2276           MarkedBlocks because the list that contains the interesting meta-data is allocated on the
2277           side, for better locality during a sequential walk. It's no longer necessary to scan
2278           MarkedBlocks to find WeakSets, since the sets of WeakSets for eden scan and full scan are
2279           maintained on-the-fly. It's no longer necessary to scan all MarkedBlocks to clear mark
2280           bits because we now use versioned mark bits: to clear then, just increment the 64-bit
2281           heap version. It's no longer necessary to scan retired MarkedBlocks while allocating
2282           because marking retires them on-the-fly. It's no longer necessary to sort all blocks in
2283           the IncrementalSweeper's snapshot because blocks now know if they are in the snapshot. Put
2284           together, these optimizations allowed me to reduce block size to 16KB without losing much
2285           performance. There is some small perf loss on JetStream/splay, but not enough to hurt
2286           JetStream overall. I tried reducing block sizes further, to 4KB, since that is a
2287           progression on membuster. That's not possible yet, since there is still enough per-block
2288           overhead yet that such a reduction hurts JetStream too much. I filed a bug about improving
2289           this further: https://bugs.webkit.org/show_bug.cgi?id=161581.
2290         
2291         - Even after all of that, copying butterflies was still faster because it allowed us to skip
2292           sweeping dead space. A good GC allocates over dead bytes without explicitly freeing them,
2293           so the GC pause is O(size of live), not O(size of live + dead). O(dead) is usually much
2294           larger than O(live), especially in an eden collection. Copying satisfies this premise while
2295           mark+sweep does not. So, I invented a new kind of allocator: bump'n'pop. Previously, our
2296           MarkedSpace allocator was a freelist pop. That's simple and easy to inline but requires
2297           that we walk the block to build a free list. This means walking dead space. The new
2298           allocator allows totally free MarkedBlocks to simply set up a bump-pointer arena instead.
2299           The allocator is a hybrid of bump-pointer and freelist pop. It tries bump first. The bump
2300           pointer always bumps by cellSize, so the result of filling a block with bumping looks as if
2301           we had used freelist popping to fill it. Additionally, each MarkedBlock now has a bit to
2302           quickly tell if the block is entirely free. This makes sweeping O(1) whenever a MarkedBlock
2303           is completely empty, which is the common case because of the generational hypothesis: the
2304           number of objects that survive an eden collection is a tiny fraction of the number of
2305           objects that had been allocated, and this fraction is so small that there are typically
2306           fewer than one survivors per MarkedBlock. This change was enough to make this change a net
2307           win over tip-of-tree.
2308         
2309         - FTL now shares the same allocation fast paths as everything else, which is great, because
2310           bump'n'pop has gnarly control flow. We don't really want B3 to have to think about that
2311           control flow, since it won't be able to improve the machine code we write ourselves. GC
2312           fast paths are best written in assembly. So, I've empowered B3 to have even better support
2313           for Patchpoint terminals. It's now totally fine for a Patchpoint terminal to be non-Void.
2314           So, the new FTL allocation fast paths are just Patchpoint terminals that call through to
2315           AssemblyHelpers::emitAllocate(). B3 still reasons about things like constant-folding the
2316           size class calculation and constant-hoisting the allocator. Also, I gave the FTL the
2317           ability to constant-fold some allocator logic (in case we first assume that we're doing a
2318           variable-length allocation but then realize that the length is known). I think it makes
2319           sense to have constant folding rules in FTL::Output, or whatever the B3 IR builder is,
2320           since this makes lowering easier (you can constant fold during lowering more easily) and it
2321           reduces the amount of malloc traffic. In the future, we could teach B3 how to better
2322           constant-fold this code. That would require allowing loads to be constant-folded, which is
2323           doable but hella tricky.
2324         
2325         - It used to be that if a logical object allocation required two physical allocations (first
2326           the butterfly and then the cell), then the JIT would emit the code in such a way that a
2327           failure in the second fast path would cause us to forget the successful first physical
2328           allocation. This was pointlessly wasteful. It turns out that it's very cheap to devote a
2329           register to storing either the butterfly or null, because the butterfly register is anyway
2330           going to be free inside the first allocation. The only overhead here is zeroing the
2331           butterfly register. With that in place, we can just pass the butterfly-or-null to the slow
2332           path, which can then either allocate a butterfly or not. So now we never waste a successful
2333           allocation. This patch implements such a solution both in DFG (where it's easy to do this
2334           since we control registers already) and in FTL (where it's annoying, because mutable
2335           "butterfly-or-null" variables are hard to say in SSA; also I realized that we had code
2336           duplicated the JSArray allocation utility, so I deduplicated it). This came up because in
2337           one version of this patch, this wastage would resonate with some Kraken benchmark: the
2338           benchmark would always allocate N small things followed by one bigger thing. The problem
2339           was I accidentally adjusted the various fixed overheads in MarkedBlock in such a way that
2340           the JSObject size class, which both the small and big thing shared for their cell, could
2341           hold exactly N cells per MarkedBlock. Then the benchmark would always call slow path when
2342           it allocated the big thing. So, it would end up having to allocate the big thing's large
2343           butterfly twice, every single time! Ouch!
2344         
2345         - It used to be that we zeroed CopiedBlocks using memset, and so array allocations enjoyed
2346           amortization of the cost of zeroing. This doesn't work anymore - it's now up to the client
2347           of the allocator to initialize the object to whatever state they need. It used to be that
2348           we would just use a dumb loop. I initially changed this so that we would end up in memset
2349           for large allocations, but this didn't actually help performance that much. I got a much
2350           better result by playing with different memsets written in assembly. First I wrote one
2351           using non-temporal stores. That was a small speed-up over memset. Then I tried the classic
2352           "rep stos" approach, and holy cow that version was fast. It's a ~20% speed-up on array
2353           allocation microbenchmarks. So, this patch adds code paths to do "rep stos" on x86_64, or
2354           memset, or use a loop, as appropriate, for both "contiguous" arrays (holes are zero) and
2355           double arrays (holes are PNaN). Note that the JIT always emits either a loop or a flat slab
2356           of stores (if the size is known), but those paths in the JIT won't trigger for
2357           NewArrayWithSize() if the size is large, since that takes us to the
2358           operationNewArrayWithSize() slow path, which calls into JSArray::create(). That's why the
2359           optimizations here are all in JSArray::create() - that's the hot place for large arrays
2360           that need to be filled with holes.
2361         
2362         All of this put together gives us neutral perf on JetStream,  membuster, and PLT3, a ~1%
2363         regression on Speedometer, and up to a 4% regression Kraken. The Kraken regression is
2364         because Kraken was allocating exactly 1024 element arrays at a rate of 400MB/sec. This is a
2365         best-case scenario for bump allocation. I think that we should fix bmalloc to make up the
2366         difference, but take the hit for now because it's a crazy corner case. By comparison, the
2367         alternative approach of using a copy barrier would have cost us 1-2%. That's the real
2368         apples-to-apples comparison if your premise is that we should have a concurrent GC. After we
2369         finish removing copied space, we will be barrier-ready for concurrent GC: we already have a
2370         marking barrier and we simply won't need a copying barrier. This change gets us there for
2371         the purposes of our benchmarks, since the remaining clients of copied space are not very
2372         important. On the other hand, if we keep copying, then getting barrier-ready would mean
2373         adding back the copy barrier, which costs more perf.
2374         
2375         We might get bigger speed-ups once we remove CopiedSpace altogether. That requires moving
2376         typed arrays and a few other weird things over to Aux MarkedSpace.
2377         
2378         This also includes some header sanitization. The introduction of AuxiliaryBarrier, HeapCell,
2379         and CellContainer meant that I had to include those files from everywhere. Fortunately,
2380         just including JSCInlines.h (instead of manually including the files that includes) is
2381         usually enough. So, I made most of JSC's cpp files include JSCInlines.h, which is something
2382         that we were already basically doing. In places where JSCInlines.h would be too much, I just
2383         included HeapInlines.h. This got weird, because we previously included HeapInlines.h from
2384         JSObject.h. That's bad because it led to some circular dependencies, so I fixed it - but that
2385         meant having to manually include HeapInlines.h from the places that previously got it
2386         implicitly via JSObject.h. But that led to more problems for some reason: I started getting
2387         build errors because non-JSC files were having trouble including Opcode.h. That's just silly,
2388         since Opcode.h is meant to be an internal JSC header. So, I made it an internal header and
2389         made it impossible to include it from outside JSC. This was a lot of work, but it was
2390         necessary to get the patch to build on all ports. It's also a net win. There were many places
2391         in WebCore that were transitively including a *ton* of JSC headers just because of the
2392         JSObject.h->HeapInlines.h edge and a bunch of dependency edges that arose from some public
2393         (for WebCore) JSC headers needing Interpreter.h or Opcode.h for bad reasons.
2394
2395         * API/JSManagedValue.mm:
2396         (-[JSManagedValue initWithValue:]):
2397         * API/JSTypedArray.cpp:
2398         * API/ObjCCallbackFunction.mm:
2399         * API/tests/testapi.mm:
2400         (testObjectiveCAPI):
2401         (testWeakValue): Deleted.
2402         * CMakeLists.txt:
2403         * JavaScriptCore.xcodeproj/project.pbxproj:
2404         * Scripts/builtins/builtins_generate_combined_implementation.py:
2405         (BuiltinsCombinedImplementationGenerator.generate_secondary_header_includes):
2406         * Scripts/builtins/builtins_generate_internals_wrapper_implementation.py:
2407         (BuiltinsInternalsWrapperImplementationGenerator.generate_secondary_header_includes):
2408         * Scripts/builtins/builtins_generate_separate_implementation.py:
2409         (BuiltinsSeparateImplementationGenerator.generate_secondary_header_includes):
2410         * assembler/AbstractMacroAssembler.h:
2411         (JSC::AbstractMacroAssembler::JumpList::link):
2412         (JSC::AbstractMacroAssembler::JumpList::linkTo):
2413         * assembler/MacroAssembler.h:
2414         * assembler/MacroAssemblerARM64.h:
2415         (JSC::MacroAssemblerARM64::add32):
2416         * assembler/MacroAssemblerCodeRef.cpp: Added.
2417         (JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
2418         (JSC::MacroAssemblerCodePtr::dumpWithName):
2419         (JSC::MacroAssemblerCodePtr::dump):
2420         (JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
2421         (JSC::MacroAssemblerCodeRef::dump):
2422         * assembler/MacroAssemblerCodeRef.h:
2423         (JSC::MacroAssemblerCodePtr::createLLIntCodePtr): Deleted.
2424         (JSC::MacroAssemblerCodePtr::dumpWithName): Deleted.
2425         (JSC::MacroAssemblerCodePtr::dump): Deleted.
2426         (JSC::MacroAssemblerCodeRef::createLLIntCodeRef): Deleted.
2427         (JSC::MacroAssemblerCodeRef::dump): Deleted.
2428         * b3/B3BasicBlock.cpp:
2429         (JSC::B3::BasicBlock::appendBoolConstant):
2430         * b3/B3BasicBlock.h:
2431         * b3/B3DuplicateTails.cpp:
2432         * b3/B3StackmapGenerationParams.h:
2433         * b3/testb3.cpp:
2434         (JSC::B3::testPatchpointTerminalReturnValue):
2435         (JSC::B3::run):
2436         * bindings/ScriptValue.cpp:
2437         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
2438         * bytecode/BytecodeBasicBlock.cpp:
2439         * bytecode/BytecodeLivenessAnalysis.cpp:
2440         * bytecode/BytecodeUseDef.h:
2441         * bytecode/CallLinkInfo.cpp:
2442         (JSC::CallLinkInfo::callTypeFor):
2443         * bytecode/CallLinkInfo.h:
2444         (JSC::CallLinkInfo::callTypeFor): Deleted.
2445         * bytecode/CallLinkStatus.cpp:
2446         * bytecode/CodeBlock.cpp:
2447         (JSC::CodeBlock::finishCreation):
2448         (JSC::CodeBlock::clearLLIntGetByIdCache):
2449         (JSC::CodeBlock::predictedMachineCodeSize):
2450         * bytecode/CodeBlock.h:
2451         (JSC::CodeBlock::jitCodeMap): Deleted.
2452         (JSC::clearLLIntGetByIdCache): Deleted.
2453         * bytecode/ExecutionCounter.h:
2454         * bytecode/Instruction.h:
2455         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
2456         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
2457         * bytecode/ObjectAllocationProfile.h:
2458         (JSC::ObjectAllocationProfile::isNull):
2459         (JSC::ObjectAllocationProfile::initialize):
2460         * bytecode/Opcode.h:
2461         (JSC::padOpcodeName):
2462         * bytecode/PolymorphicAccess.cpp:
2463         (JSC::AccessCase::generateImpl):
2464         (JSC::PolymorphicAccess::regenerate):
2465         * bytecode/PolymorphicAccess.h:
2466         * bytecode/PreciseJumpTargets.cpp:
2467         * bytecode/StructureStubInfo.cpp:
2468         * bytecode/StructureStubInfo.h:
2469         * bytecode/UnlinkedCodeBlock.cpp:
2470         (JSC::UnlinkedCodeBlock::vm): Deleted.
2471         * bytecode/UnlinkedCodeBlock.h:
2472         * bytecode/UnlinkedInstructionStream.cpp:
2473         * bytecode/UnlinkedInstructionStream.h:
2474         * dfg/DFGOperations.cpp:
2475         * dfg/DFGSpeculativeJIT.cpp:
2476         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
2477         (JSC::DFG::SpeculativeJIT::compileMakeRope):
2478         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
2479         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
2480         * dfg/DFGSpeculativeJIT.h:
2481         (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
2482         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
2483         * dfg/DFGSpeculativeJIT32_64.cpp:
2484         (JSC::DFG::SpeculativeJIT::compile):
2485         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
2486         * dfg/DFGSpeculativeJIT64.cpp:
2487         (JSC::DFG::SpeculativeJIT::compile):
2488         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
2489         * dfg/DFGStrengthReductionPhase.cpp:
2490         (JSC::DFG::StrengthReductionPhase::handleNode):
2491         * ftl/FTLAbstractHeapRepository.h:
2492         * ftl/FTLCompile.cpp:
2493         * ftl/FTLJITFinalizer.cpp:
2494         * ftl/FTLLowerDFGToB3.cpp:
2495         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
2496         (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
2497         (JSC::FTL::DFG::LowerDFGToB3::allocateArrayWithSize):
2498         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
2499         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
2500         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
2501         (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
2502         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
2503         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
2504         (JSC::FTL::DFG::LowerDFGToB3::allocateCell):
2505         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
2506         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
2507         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
2508         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
2509         (JSC::FTL::DFG::LowerDFGToB3::compileAllocateArrayWithSize): Deleted.
2510         * ftl/FTLOutput.cpp:
2511         (JSC::FTL::Output::constBool):
2512         (JSC::FTL::Output::add):
2513         (JSC::FTL::Output::shl):
2514         (JSC::FTL::Output::aShr):
2515         (JSC::FTL::Output::lShr):
2516         (JSC::FTL::Output::zeroExt):
2517         (JSC::FTL::Output::equal):
2518         (JSC::FTL::Output::notEqual):
2519         (JSC::FTL::Output::above):
2520         (JSC::FTL::Output::aboveOrEqual):
2521         (JSC::FTL::Output::below):
2522         (JSC::FTL::Output::belowOrEqual):
2523         (JSC::FTL::Output::greaterThan):
2524         (JSC::FTL::Output::greaterThanOrEqual):
2525         (JSC::FTL::Output::lessThan):
2526         (JSC::FTL::Output::lessThanOrEqual):
2527         (JSC::FTL::Output::select):
2528         (JSC::FTL::Output::appendSuccessor):
2529         (JSC::FTL::Output::addIncomingToPhi):
2530         * ftl/FTLOutput.h:
2531         * ftl/FTLValueFromBlock.h:
2532         (JSC::FTL::ValueFromBlock::operator bool):
2533         (JSC::FTL::ValueFromBlock::ValueFromBlock): Deleted.
2534         * ftl/FTLWeightedTarget.h:
2535         (JSC::FTL::WeightedTarget::frequentedBlock):
2536         * heap/CellContainer.h: Added.
2537         (JSC::CellContainer::CellContainer):
2538         (JSC::CellContainer::operator bool):
2539         (JSC::CellContainer::isMarkedBlock):
2540         (JSC::CellContainer::isLargeAllocation):
2541         (JSC::CellContainer::markedBlock):
2542         (JSC::CellContainer::largeAllocation):
2543         * heap/CellContainerInlines.h: Added.
2544         (JSC::CellContainer::isMarked):
2545         (JSC::CellContainer::isMarkedOrNewlyAllocated):
2546         (JSC::CellContainer::noteMarked):
2547         (JSC::CellContainer::cellSize):
2548         (JSC::CellContainer::weakSet):
2549         (JSC::CellContainer::flipIfNecessary):
2550         * heap/ConservativeRoots.cpp:
2551         (JSC::ConservativeRoots::ConservativeRoots):
2552         (JSC::ConservativeRoots::~ConservativeRoots):
2553         (JSC::ConservativeRoots::grow):
2554         (JSC::ConservativeRoots::genericAddPointer):
2555         (JSC::ConservativeRoots::genericAddSpan):
2556         * heap/ConservativeRoots.h:
2557         (JSC::ConservativeRoots::roots):
2558         * heap/CopyToken.h:
2559         * heap/FreeList.cpp: Added.
2560         (JSC::FreeList::dump):
2561         * heap/FreeList.h: Added.
2562         (JSC::FreeList::FreeList):
2563         (JSC::FreeList::list):
2564         (JSC::FreeList::bump):
2565         (JSC::FreeList::operator==):
2566         (JSC::FreeList::operator!=):
2567         (JSC::FreeList::operator bool):
2568         (JSC::FreeList::allocationWillFail):
2569         (JSC::FreeList::allocationWillSucceed):
2570         * heap/GCTypeMap.h: Added.
2571         (JSC::GCTypeMap::operator[]):
2572         * heap/Heap.cpp:
2573         (JSC::Heap::Heap):
2574         (JSC::Heap::lastChanceToFinalize):
2575         (JSC::Heap::finalizeUnconditionalFinalizers):
2576         (JSC::Heap::markRoots):
2577         (JSC::Heap::copyBackingStores):
2578         (JSC::Heap::gatherStackRoots):
2579         (JSC::Heap::gatherJSStackRoots):
2580         (JSC::Heap::gatherScratchBufferRoots):
2581         (JSC::Heap::clearLivenessData):
2582         (JSC::Heap::visitSmallStrings):
2583         (JSC::Heap::visitConservativeRoots):
2584         (JSC::Heap::removeDeadCompilerWorklistEntries):
2585         (JSC::Heap::gatherExtraHeapSnapshotData):
2586         (JSC::Heap::removeDeadHeapSnapshotNodes):
2587         (JSC::Heap::visitProtectedObjects):
2588         (JSC::Heap::visitArgumentBuffers):
2589         (JSC::Heap::visitException):
2590         (JSC::Heap::visitStrongHandles):
2591         (JSC::Heap::visitHandleStack):
2592         (JSC::Heap::visitSamplingProfiler):
2593         (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
2594         (JSC::Heap::converge):
2595         (JSC::Heap::visitWeakHandles):
2596         (JSC::Heap::updateObjectCounts):
2597         (JSC::Heap::clearUnmarkedExecutables):
2598         (JSC::Heap::deleteUnmarkedCompiledCode):
2599         (JSC::Heap::collectAllGarbage):
2600         (JSC::Heap::collect):
2601         (JSC::Heap::collectWithoutAnySweep):
2602         (JSC::Heap::collectImpl):
2603         (JSC::Heap::suspendCompilerThreads):
2604         (JSC::Heap::willStartCollection):
2605         (JSC::Heap::flushOldStructureIDTables):
2606         (JSC::Heap::flushWriteBarrierBuffer):
2607         (JSC::Heap::stopAllocation):
2608         (JSC::Heap::prepareForMarking):
2609         (JSC::Heap::reapWeakHandles):
2610         (JSC::Heap::pruneStaleEntriesFromWeakGCMaps):
2611         (JSC::Heap::sweepArrayBuffers):
2612         (JSC::MarkedBlockSnapshotFunctor::MarkedBlockSnapshotFunctor):
2613         (JSC::MarkedBlockSnapshotFunctor::operator()):
2614         (JSC::Heap::snapshotMarkedSpace):
2615         (JSC::Heap::deleteSourceProviderCaches):
2616         (JSC::Heap::notifyIncrementalSweeper):
2617         (JSC::Heap::writeBarrierCurrentlyExecutingCodeBlocks):
2618         (JSC::Heap::resetAllocators):
2619         (JSC::Heap::updateAllocationLimits):
2620         (JSC::Heap::didFinishCollection):
2621         (JSC::Heap::resumeCompilerThreads):
2622         (JSC::Zombify::visit):
2623         (JSC::Heap::forEachCodeBlockImpl):
2624         * heap/Heap.h:
2625         (JSC::Heap::allocatorForObjectWithoutDestructor):
2626         (JSC::Heap::allocatorForObjectWithDestructor):
2627         (JSC::Heap::allocatorForAuxiliaryData):
2628         (JSC::Heap::jitStubRoutines):
2629         (JSC::Heap::codeBlockSet):
2630         (JSC::Heap::storageAllocator): Deleted.
2631         * heap/HeapCell.h:
2632         (JSC::HeapCell::isZapped): Deleted.
2633         * heap/HeapCellInlines.h: Added.
2634         (JSC::HeapCell::isLargeAllocation):
2635         (JSC::HeapCell::cellContainer):
2636         (JSC::HeapCell::markedBlock):
2637         (JSC::HeapCell::largeAllocation):
2638         (JSC::HeapCell::heap):
2639         (JSC::HeapCell::vm):
2640         (JSC::HeapCell::cellSize):
2641         (JSC::HeapCell::allocatorAttributes):
2642         (JSC::HeapCell::destructionMode):
2643         (JSC::HeapCell::cellKind):
2644         * heap/HeapInlines.h:
2645         (JSC::Heap::heap):
2646         (JSC::Heap::isLive):
2647         (JSC::Heap::isMarked):
2648         (JSC::Heap::testAndSetMarked):
2649         (JSC::Heap::setMarked):
2650         (JSC::Heap::cellSize):
2651         (JSC::Heap::forEachCodeBlock):
2652         (JSC::Heap::allocateObjectOfType):
2653         (JSC::Heap::subspaceForObjectOfType):
2654         (JSC::Heap::allocatorForObjectOfType):
2655         (JSC::Heap::allocateAuxiliary):
2656         (JSC::Heap::tryAllocateAuxiliary):
2657         (JSC::Heap::tryReallocateAuxiliary):
2658         (JSC::Heap::isPointerGCObject): Deleted.
2659         (JSC::Heap::isValueGCObject): Deleted.
2660         * heap/HeapOperation.cpp: Added.
2661         (WTF::printInternal):
2662         * heap/HeapOperation.h:
2663         * heap/HeapUtil.h: Added.
2664         (JSC::HeapUtil::findGCObjectPointersForMarking):
2665         (JSC::HeapUtil::isPointerGCObjectJSCell):
2666         (JSC::HeapUtil::isValueGCObject):
2667         * heap/IncrementalSweeper.cpp:
2668         (JSC::IncrementalSweeper::sweepNextBlock):
2669         * heap/IncrementalSweeper.h:
2670         * heap/LargeAllocation.cpp: Added.
2671         (JSC::LargeAllocation::tryCreate):
2672         (JSC::LargeAllocation::LargeAllocation):
2673         (JSC::LargeAllocation::lastChanceToFinalize):
2674         (JSC::LargeAllocation::shrink):
2675         (JSC::LargeAllocation::visitWeakSet):
2676         (JSC::LargeAllocation::reapWeakSet):
2677         (JSC::LargeAllocation::flip):
2678         (JSC::LargeAllocation::isEmpty):
2679         (JSC::LargeAllocation::sweep):
2680         (JSC::LargeAllocation::destroy):
2681         (JSC::LargeAllocation::dump):
2682         * heap/LargeAllocation.h: Added.
2683         (JSC::LargeAllocation::fromCell):
2684         (JSC::LargeAllocation::cell):
2685         (JSC::LargeAllocation::isLargeAllocation):
2686         (JSC::LargeAllocation::heap):
2687         (JSC::LargeAllocation::vm):
2688         (JSC::LargeAllocation::weakSet):
2689         (JSC::LargeAllocation::clearNewlyAllocated):
2690         (JSC::LargeAllocation::isNewlyAllocated):
2691         (JSC::LargeAllocation::isMarked):
2692         (JSC::LargeAllocation::isMarkedOrNewlyAllocated):
2693         (JSC::LargeAllocation::isLive):
2694         (JSC::LargeAllocation::hasValidCell):
2695         (JSC::LargeAllocation::cellSize):
2696         (JSC::LargeAllocation::aboveLowerBound):
2697         (JSC::LargeAllocation::belowUpperBound):
2698         (JSC::LargeAllocation::contains):
2699         (JSC::LargeAllocation::attributes):
2700         (JSC::LargeAllocation::flipIfNecessary):
2701         (JSC::LargeAllocation::flipIfNecessaryConcurrently):
2702         (JSC::LargeAllocation::testAndSetMarked):
2703         (JSC::LargeAllocation::setMarked):
2704         (JSC::LargeAllocation::clearMarked):
2705         (JSC::LargeAllocation::noteMarked):
2706         (JSC::LargeAllocation::headerSize):
2707         * heap/MarkedAllocator.cpp:
2708         (JSC::MarkedAllocator::MarkedAllocator):
2709         (JSC::MarkedAllocator::isPagedOut):
2710         (JSC::MarkedAllocator::retire):
2711         (JSC::MarkedAllocator::filterNextBlock):
2712         (JSC::MarkedAllocator::setNextBlockToSweep):
2713         (JSC::MarkedAllocator::tryAllocateWithoutCollectingImpl):
2714         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
2715         (JSC::MarkedAllocator::allocateSlowCase):
2716         (JSC::MarkedAllocator::tryAllocateSlowCase):
2717         (JSC::MarkedAllocator::allocateSlowCaseImpl):
2718         (JSC::blockHeaderSize):
2719         (JSC::MarkedAllocator::blockSizeForBytes):
2720         (JSC::MarkedAllocator::tryAllocateBlock):
2721         (JSC::MarkedAllocator::addBlock):
2722         (JSC::MarkedAllocator::removeBlock):
2723         (JSC::MarkedAllocator::stopAllocating):
2724         (JSC::MarkedAllocator::reset):
2725         (JSC::MarkedAllocator::lastChanceToFinalize):
2726         (JSC::MarkedAllocator::setFreeList):
2727         (JSC::isListPagedOut): Deleted.
2728         (JSC::MarkedAllocator::tryAllocateHelper): Deleted.
2729         (JSC::MarkedAllocator::tryPopFreeList): Deleted.
2730         (JSC::MarkedAllocator::tryAllocate): Deleted.
2731         (JSC::MarkedAllocator::allocateBlock): Deleted.
2732         * heap/MarkedAllocator.h:
2733         (JSC::MarkedAllocator::takeLastActiveBlock):
2734         (JSC::MarkedAllocator::offsetOfFreeList):
2735         (JSC::MarkedAllocator::offsetOfCellSize):
2736         (JSC::MarkedAllocator::tryAllocate):
2737         (JSC::MarkedAllocator::allocate):
2738         (JSC::MarkedAllocator::forEachBlock):
2739         (JSC::MarkedAllocator::offsetOfFreeListHead): Deleted.
2740         (JSC::MarkedAllocator::MarkedAllocator): Deleted.
2741         (JSC::MarkedAllocator::init): Deleted.
2742         (JSC::MarkedAllocator::stopAllocating): Deleted.
2743         * heap/MarkedBlock.cpp:
2744         (JSC::MarkedBlock::tryCreate):
2745         (JSC::MarkedBlock::Handle::Handle):
2746         (JSC::MarkedBlock::Handle::~Handle):
2747         (JSC::MarkedBlock::MarkedBlock):
2748         (JSC::MarkedBlock::Handle::specializedSweep):
2749         (JSC::MarkedBlock::Handle::sweep):
2750         (JSC::MarkedBlock::Handle::sweepHelperSelectScribbleMode):
2751         (JSC::MarkedBlock::Handle::sweepHelperSelectStateAndSweepMode):
2752         (JSC::MarkedBlock::Handle::unsweepWithNoNewlyAllocated):
2753         (JSC::SetNewlyAllocatedFunctor::SetNewlyAllocatedFunctor):
2754         (JSC::SetNewlyAllocatedFunctor::operator()):
2755         (JSC::MarkedBlock::Handle::stopAllocating):
2756         (JSC::MarkedBlock::Handle::lastChanceToFinalize):
2757         (JSC::MarkedBlock::Handle::resumeAllocating):
2758         (JSC::MarkedBlock::Handle::zap):
2759         (JSC::MarkedBlock::Handle::forEachFreeCell):
2760         (JSC::MarkedBlock::flipIfNecessary):
2761         (JSC::MarkedBlock::Handle::flipIfNecessary):
2762         (JSC::MarkedBlock::flipIfNecessarySlow):
2763         (JSC::MarkedBlock::flipIfNecessaryConcurrentlySlow):
2764         (JSC::MarkedBlock::clearMarks):
2765         (JSC::MarkedBlock::assertFlipped):
2766         (JSC::MarkedBlock::needsFlip):
2767         (JSC::MarkedBlock::Handle::needsFlip):
2768         (JSC::MarkedBlock::Handle::willRemoveBlock):
2769         (JSC::MarkedBlock::Handle::didConsumeFreeList):
2770         (JSC::MarkedBlock::markCount):
2771         (JSC::MarkedBlock::Handle::isEmpty):
2772         (JSC::MarkedBlock::clearHasAnyMarked):
2773         (JSC::MarkedBlock::noteMarkedSlow):
2774         (WTF::printInternal):
2775         (JSC::MarkedBlock::create): Deleted.
2776         (JSC::MarkedBlock::destroy): Deleted.
2777         (JSC::MarkedBlock::callDestructor): Deleted.
2778         (JSC::MarkedBlock::specializedSweep): Deleted.
2779         (JSC::MarkedBlock::sweep): Deleted.
2780         (JSC::MarkedBlock::sweepHelper): Deleted.
2781         (JSC::MarkedBlock::stopAllocating): Deleted.
2782         (JSC::MarkedBlock::clearMarksWithCollectionType): Deleted.
2783         (JSC::MarkedBlock::lastChanceToFinalize): Deleted.
2784         (JSC::MarkedBlock::resumeAllocating): Deleted.
2785         (JSC::MarkedBlock::didRetireBlock): Deleted.
2786         * heap/MarkedBlock.h:
2787         (JSC::MarkedBlock::VoidFunctor::returnValue):
2788         (JSC::MarkedBlock::CountFunctor::CountFunctor):
2789         (JSC::MarkedBlock::CountFunctor::count):
2790         (JSC::MarkedBlock::CountFunctor::returnValue):
2791         (JSC::MarkedBlock::Handle::hasAnyNewlyAllocated):
2792         (JSC::MarkedBlock::Handle::isOnBlocksToSweep):
2793         (JSC::MarkedBlock::Handle::setIsOnBlocksToSweep):
2794         (JSC::MarkedBlock::Handle::state):
2795         (JSC::MarkedBlock::needsDestruction):
2796         (JSC::MarkedBlock::handle):
2797         (JSC::MarkedBlock::Handle::block):
2798         (JSC::MarkedBlock::firstAtom):
2799         (JSC::MarkedBlock::atoms):
2800         (JSC::MarkedBlock::isAtomAligned):
2801         (JSC::MarkedBlock::Handle::cellAlign):
2802         (JSC::MarkedBlock::blockFor):
2803         (JSC::MarkedBlock::Handle::allocator):
2804         (JSC::MarkedBlock::Handle::heap):
2805         (JSC::MarkedBlock::Handle::vm):
2806         (JSC::MarkedBlock::vm):
2807         (JSC::MarkedBlock::Handle::weakSet):
2808         (JSC::MarkedBlock::weakSet):
2809         (JSC::MarkedBlock::Handle::shrink):
2810         (JSC::MarkedBlock::Handle::visitWeakSet):
2811         (JSC::MarkedBlock::Handle::reapWeakSet):
2812         (JSC::MarkedBlock::Handle::cellSize):
2813         (JSC::MarkedBlock::cellSize):
2814         (JSC::MarkedBlock::Handle::attributes):
2815         (JSC::MarkedBlock::attributes):
2816         (JSC::MarkedBlock::Handle::needsDestruction):
2817         (JSC::MarkedBlock::Handle::destruction):
2818         (JSC::MarkedBlock::Handle::cellKind):
2819         (JSC::MarkedBlock::Handle::markCount):
2820         (JSC::MarkedBlock::Handle::size):
2821         (JSC::MarkedBlock::atomNumber):
2822         (JSC::MarkedBlock::flipIfNecessary):
2823         (JSC::MarkedBlock::flipIfNecessaryConcurrently):
2824         (JSC::MarkedBlock::Handle::flipIfNecessary):
2825         (JSC::MarkedBlock::Handle::flipIfNecessaryConcurrently):
2826         (JSC::MarkedBlock::Handle::flipForEdenCollection):
2827         (JSC::MarkedBlock::assertFlipped):
2828         (JSC::MarkedBlock::Handle::assertFlipped):
2829         (JSC::MarkedBlock::isMarked):
2830         (JSC::MarkedBlock::testAndSetMarked):
2831         (JSC::MarkedBlock::Handle::isNewlyAllocated):
2832         (JSC::MarkedBlock::Handle::setNewlyAllocated):
2833         (JSC::MarkedBlock::Handle::clearNewlyAllocated):
2834         (JSC::MarkedBlock::Handle::isMarkedOrNewlyAllocated):
2835         (JSC::MarkedBlock::isMarkedOrNewlyAllocated):
2836         (JSC::MarkedBlock::Handle::isLive):
2837         (JSC::MarkedBlock::isAtom):
2838         (JSC::MarkedBlock::Handle::isLiveCell):
2839         (JSC::MarkedBlock::Handle::forEachCell):
2840         (JSC::MarkedBlock::Handle::forEachLiveCell):
2841         (JSC::MarkedBlock::Handle::forEachDeadCell):
2842         (JSC::MarkedBlock::Handle::needsSweeping):
2843         (JSC::MarkedBlock::Handle::isAllocated):
2844         (JSC::MarkedBlock::Handle::isMarked):
2845         (JSC::MarkedBlock::Handle::isFreeListed):
2846         (JSC::MarkedBlock::hasAnyMarked):
2847         (JSC::MarkedBlock::noteMarked):
2848         (WTF::MarkedBlockHash::hash):
2849         (JSC::MarkedBlock::FreeList::FreeList): Deleted.
2850         (JSC::MarkedBlock::allocator): Deleted.
2851         (JSC::MarkedBlock::heap): Deleted.
2852         (JSC::MarkedBlock::shrink): Deleted.
2853         (JSC::MarkedBlock::visitWeakSet): Deleted.
2854         (JSC::MarkedBlock::reapWeakSet): Deleted.
2855         (JSC::MarkedBlock::willRemoveBlock): Deleted.
2856         (JSC::MarkedBlock::didConsumeFreeList): Deleted.
2857         (JSC::MarkedBlock::markCount): Deleted.
2858         (JSC::MarkedBlock::isEmpty): Deleted.
2859         (JSC::MarkedBlock::destruction): Deleted.
2860         (JSC::MarkedBlock::cellKind): Deleted.
2861         (JSC::MarkedBlock::size): Deleted.
2862         (JSC::MarkedBlock::capacity): Deleted.
2863         (JSC::MarkedBlock::setMarked): Deleted.
2864         (JSC::MarkedBlock::clearMarked): Deleted.
2865         (JSC::MarkedBlock::isNewlyAllocated): Deleted.
2866         (JSC::MarkedBlock::setNewlyAllocated): Deleted.
2867         (JSC::MarkedBlock::clearNewlyAllocated): Deleted.
2868         (JSC::MarkedBlock::isLive): Deleted.
2869         (JSC::MarkedBlock::isLiveCell): Deleted.
2870         (JSC::MarkedBlock::forEachCell): Deleted.
2871         (JSC::MarkedBlock::forEachLiveCell): Deleted.
2872         (JSC::MarkedBlock::forEachDeadCell): Deleted.
2873         (JSC::MarkedBlock::needsSweeping): Deleted.
2874         (JSC::MarkedBlock::isAllocated): Deleted.
2875         (JSC::MarkedBlock::isMarkedOrRetired): Deleted.
2876         * heap/MarkedSpace.cpp:
2877         (JSC::MarkedSpace::initializeSizeClassForStepSize):
2878         (JSC::MarkedSpace::MarkedSpace):
2879         (JSC::MarkedSpace::~MarkedSpace):
2880         (JSC::MarkedSpace::lastChanceToFinalize):
2881         (JSC::MarkedSpace::allocate):
2882         (JSC::MarkedSpace::tryAllocate):
2883         (JSC::MarkedSpace::allocateLarge):
2884         (JSC::MarkedSpace::tryAllocateLarge):
2885         (JSC::MarkedSpace::sweep):
2886         (JSC::MarkedSpace::sweepLargeAllocations):
2887         (JSC::MarkedSpace::zombifySweep):
2888         (JSC::MarkedSpace::resetAllocators):
2889         (JSC::MarkedSpace::visitWeakSets):
2890         (JSC::MarkedSpace::reapWeakSets):
2891         (JSC::MarkedSpace::stopAllocating):
2892         (JSC::MarkedSpace::prepareForMarking):
2893         (JSC::MarkedSpace::resumeAllocating):
2894         (JSC::MarkedSpace::isPagedOut):
2895         (JSC::MarkedSpace::freeBlock):
2896         (JSC::MarkedSpace::freeOrShrinkBlock):
2897         (JSC::MarkedSpace::shrink):
2898         (JSC::MarkedSpace::clearNewlyAllocated):
2899         (JSC::VerifyMarked::operator()):
2900         (JSC::MarkedSpace::flip):
2901         (JSC::MarkedSpace::objectCount):
2902         (JSC::MarkedSpace::size):
2903         (JSC::MarkedSpace::capacity):
2904         (JSC::MarkedSpace::addActiveWeakSet):
2905         (JSC::MarkedSpace::didAddBlock):
2906         (JSC::MarkedSpace::didAllocateInBlock):
2907         (JSC::MarkedSpace::forEachAllocator): Deleted.
2908         (JSC::VerifyMarkedOrRetired::operator()): Deleted.
2909         (JSC::MarkedSpace::clearMarks): Deleted.
2910         * heap/MarkedSpace.h:
2911         (JSC::MarkedSpace::sizeClassToIndex):
2912         (JSC::MarkedSpace::indexToSizeClass):
2913         (JSC::MarkedSpace::version):
2914         (JSC::MarkedSpace::blocksWithNewObjects):
2915         (JSC::MarkedSpace::largeAllocations):
2916         (JSC::MarkedSpace::largeAllocationsNurseryOffset):
2917         (JSC::MarkedSpace::largeAllocationsOffsetForThisCollection):
2918         (JSC::MarkedSpace::largeAllocationsForThisCollectionBegin):
2919         (JSC::MarkedSpace::largeAllocationsForThisCollectionEnd):
2920         (JSC::MarkedSpace::largeAllocationsForThisCollectionSize):
2921         (JSC::MarkedSpace::forEachLiveCell):
2922         (JSC::MarkedSpace::forEachDeadCell):
2923         (JSC::MarkedSpace::allocatorFor):
2924         (JSC::MarkedSpace::destructorAllocatorFor):
2925         (JSC::MarkedSpace::auxiliaryAllocatorFor):
2926         (JSC::MarkedSpace::allocateWithoutDestructor):
2927         (JSC::MarkedSpace::allocateWithDestructor):
2928         (JSC::MarkedSpace::allocateAuxiliary):
2929         (JSC::MarkedSpace::tryAllocateAuxiliary):
2930         (JSC::MarkedSpace::forEachBlock):
2931         (JSC::MarkedSpace::forEachAllocator):
2932         (JSC::MarkedSpace::optimalSizeFor):
2933         (JSC::MarkedSpace::didAddBlock): Deleted.
2934         (JSC::MarkedSpace::didAllocateInBlock): Deleted.
2935         (JSC::MarkedSpace::objectCount): Deleted.
2936         (JSC::MarkedSpace::size): Deleted.
2937         (JSC::MarkedSpace::capacity): Deleted.
2938         * heap/SlotVisitor.cpp:
2939         (JSC::SlotVisitor::SlotVisitor):
2940         (JSC::SlotVisitor::didStartMarking):
2941         (JSC::SlotVisitor::reset):
2942         (JSC::SlotVisitor::append):
2943         (JSC::SlotVisitor::appendJSCellOrAuxiliary):
2944         (JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
2945         (JSC::SlotVisitor::appendToMarkStack):
2946         (JSC::SlotVisitor::markAuxiliary):
2947         (JSC::SlotVisitor::noteLiveAuxiliaryCell):
2948         (JSC::SlotVisitor::visitChildren):
2949         * heap/SlotVisitor.h:
2950         * heap/WeakBlock.cpp:
2951         (JSC::WeakBlock::create):
2952         (JSC::WeakBlock::WeakBlock):
2953         (JSC::WeakBlock::visit):
2954         (JSC::WeakBlock::reap):
2955         * heap/WeakBlock.h:
2956         (JSC::WeakBlock::disconnectContainer):
2957         (JSC::WeakBlock::disconnectMarkedBlock): Deleted.
2958         * heap/WeakSet.cpp:
2959         (JSC::WeakSet::~WeakSet):
2960         (JSC::WeakSet::sweep):
2961         (JSC::WeakSet::shrink):
2962         (JSC::WeakSet::addAllocator):
2963         * heap/WeakSet.h:
2964         (JSC::WeakSet::container):
2965         (JSC::WeakSet::setContainer):
2966         (JSC::WeakSet::WeakSet):
2967         (JSC::WeakSet::visit):
2968         (JSC::WeakSet::shrink): Deleted.
2969         * heap/WeakSetInlines.h:
2970         (JSC::WeakSet::allocate):
2971         * inspector/InjectedScriptManager.cpp:
2972         * inspector/JSGlobalObjectInspectorController.cpp:
2973         * inspector/JSJavaScriptCallFrame.cpp:
2974         * inspector/ScriptDebugServer.cpp:
2975         * inspector/agents/InspectorDebuggerAgent.cpp:
2976         * interpreter/CachedCall.h:
2977         (JSC::CachedCall::CachedCall):
2978         * interpreter/Interpreter.cpp:
2979         (JSC::loadVarargs):
2980         (JSC::StackFrame::sourceID): Deleted.
2981         (JSC::StackFrame::sourceURL): Deleted.
2982         (JSC::StackFrame::functionName): Deleted.
2983         (JSC::StackFrame::computeLineAndColumn): Deleted.
2984         (JSC::StackFrame::toString): Deleted.
2985         * interpreter/Interpreter.h:
2986         (JSC::StackFrame::isNative): Deleted.
2987         * jit/AssemblyHelpers.h:
2988         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
2989         (JSC::AssemblyHelpers::emitAllocate):
2990         (JSC::AssemblyHelpers::emitAllocateJSCell):
2991         (JSC::AssemblyHelpers::emitAllocateJSObject):
2992         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
2993         (JSC::AssemblyHelpers::emitAllocateVariableSized):
2994         * jit/GCAwareJITStubRoutine.cpp:
2995         (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
2996         * jit/JIT.cpp:
2997         (JSC::JIT::compileCTINativeCall):
2998         (JSC::JIT::link):
2999         * jit/JIT.h:
3000         (JSC::JIT::compileCTINativeCall): Deleted.
3001         * jit/JITExceptions.cpp:
3002         (JSC::genericUnwind):
3003         * jit/JITExceptions.h:
3004         * jit/JITOpcodes.cpp:
3005         (JSC::JIT::emit_op_new_object):
3006         (JSC::JIT::emitSlow_op_new_object):
3007         (JSC::JIT::emit_op_create_this):
3008         (JSC::JIT::emitSlow_op_create_this):
3009         * jit/JITOpcodes32_64.cpp:
3010         (JSC::JIT::emit_op_new_object):
3011         (JSC::JIT::emitSlow_op_new_object):
3012         (JSC::JIT::emit_op_create_this):
3013         (JSC::JIT::emitSlow_op_create_this):
3014         * jit/JITOperations.cpp:
3015         * jit/JITOperations.h:
3016         * jit/JITPropertyAccess.cpp:
3017         (JSC::JIT::emitWriteBarrier):
3018         * jit/JITThunks.cpp:
3019         * jit/JITThunks.h:
3020         * jsc.cpp:
3021         (functionDescribeArray):
3022         (main):
3023         * llint/LLIntData.cpp:
3024         (JSC::LLInt::Data::performAssertions):
3025         * llint/LLIntExceptions.cpp:
3026         * llint/LLIntThunks.cpp:
3027         * llint/LLIntThunks.h:
3028         * llint/LowLevelInterpreter.asm:
3029         * llint/LowLevelInterpreter.cpp:
3030         * llint/LowLevelInterpreter32_64.asm:
3031         * llint/LowLevelInterpreter64.asm:
3032         * parser/ModuleAnalyzer.cpp:
3033         * parser/NodeConstructors.h:
3034         * parser/Nodes.h:
3035         * profiler/ProfilerBytecode.cpp:
3036         * profiler/ProfilerBytecode.h:
3037         * profiler/ProfilerBytecodeSequence.cpp:
3038         * runtime/ArrayConventions.h:
3039         (JSC::indexingHeaderForArrayStorage):
3040         (JSC::baseIndexingHeaderForArrayStorage):
3041         (JSC::indexingHeaderForArray): Deleted.
3042         (JSC::baseIndexingHeaderForArray): Deleted.
3043         * runtime/ArrayPrototype.cpp:
3044         (JSC::arrayProtoFuncSplice):
3045         (JSC::concatAppendOne):
3046         (JSC::arrayProtoPrivateFuncConcatMemcpy):
3047         * runtime/ArrayStorage.h:
3048         (JSC::ArrayStorage::vectorLength):
3049         (JSC::ArrayStorage::totalSizeFor):
3050         (JSC::ArrayStorage::totalSize):
3051         (JSC::ArrayStorage::availableVectorLength):
3052         (JSC::ArrayStorage::optimalVectorLength):
3053         (JSC::ArrayStorage::sizeFor): Deleted.
3054         * runtime/AuxiliaryBarrier.h: Added.
3055         (JSC::AuxiliaryBarrier::AuxiliaryBarrier):
3056         (JSC::AuxiliaryBarrier::clear):
3057         (JSC::AuxiliaryBarrier::get):
3058         (JSC::AuxiliaryBarrier::slot):
3059         (JSC::AuxiliaryBarrier::operator bool):
3060         (JSC::AuxiliaryBarrier::setWithoutBarrier):
3061         * runtime/AuxiliaryBarrierInlines.h: Added.
3062         (JSC::AuxiliaryBarrier<T>::AuxiliaryBarrier):
3063         (JSC::AuxiliaryBarrier<T>::set):
3064         * runtime/Butterfly.h:
3065         * runtime/ButterflyInlines.h:
3066         (JSC::Butterfly::availableContiguousVectorLength):
3067         (JSC::Butterfly::optimalContiguousVectorLength):
3068         (JSC::Butterfly::createUninitialized):
3069         (JSC::Butterfly::growArrayRight):
3070         * runtime/ClonedArguments.cpp:
3071         (JSC::ClonedArguments::createEmpty):
3072         * runtime/CommonSlowPathsExceptions.cpp:
3073         * runtime/CommonSlowPathsExceptions.h:
3074         * runtime/DataView.cpp:
3075         * runtime/DirectArguments.h:
3076         * runtime/ECMAScriptSpecInternalFunctions.cpp:
3077         * runtime/Error.cpp:
3078         * runtime/Error.h:
3079         * runtime/ErrorInstance.cpp:
3080         * runtime/ErrorInstance.h:
3081         * runtime/Exception.cpp:
3082         * runtime/Exception.h:
3083         * runtime/GeneratorFrame.cpp:
3084         * runtime/GeneratorPrototype.cpp:
3085         * runtime/InternalFunction.cpp:
3086         (JSC::InternalFunction::InternalFunction):
3087         * runtime/IntlCollator.cpp:
3088         * runtime/IntlCollatorConstructor.cpp:
3089         * runtime/IntlCollatorPrototype.cpp:
3090         * runtime/IntlDateTimeFormat.cpp:
3091         * runtime/IntlDateTimeFormatConstructor.cpp:
3092         * runtime/IntlDateTimeFormatPrototype.cpp:
3093         * runtime/IntlNumberFormat.cpp:
3094         * runtime/IntlNumberFormatConstructor.cpp:
3095         * runtime/IntlNumberFormatPrototype.cpp:
3096         * runtime/IntlObject.cpp:
3097         * runtime/IteratorPrototype.cpp:
3098         * runtime/JSArray.cpp:
3099         (JSC::JSArray::tryCreateUninitialized):
3100         (JSC::JSArray::setLengthWritable):
3101         (JSC::JSArray::unshiftCountSlowCase):
3102         (JSC::JSArray::setLengthWithArrayStorage):
3103         (JSC::JSArray::appendMemcpy):
3104         (JSC::JSArray::setLength):
3105         (JSC::JSArray::pop):
3106         (JSC::JSArray::push):
3107         (JSC::JSArray::fastSlice):
3108         (JSC::JSArray::shiftCountWithArrayStorage):
3109         (JSC::JSArray::shiftCountWithAnyIndexingType):
3110         (JSC::JSArray::unshiftCountWithArrayStorage):
3111         (JSC::JSArray::fillArgList):
3112         (JSC::JSArray::copyToArguments):
3113         * runtime/JSArray.h:
3114         (JSC::createContiguousArrayButterfly):
3115         (JSC::createArrayButterfly):
3116         (JSC::JSArray::create):
3117         (JSC::JSArray::tryCreateUninitialized): Deleted.
3118         * runtime/JSArrayBufferView.h:
3119         * runtime/JSCInlines.h:
3120         * runtime/JSCJSValue.cpp:
3121         (JSC::JSValue::dumpInContextAssumingStructure):
3122         * runtime/JSCallee.cpp:
3123         (JSC::JSCallee::JSCallee):
3124         * runtime/JSCell.cpp:
3125         (JSC::JSCell::estimatedSize):
3126         * runtime/JSCell.h:
3127         (JSC::JSCell::cellStateOffset): Deleted.
3128         * runtime/JSCellInlines.h:
3129         (JSC::ExecState::vm):
3130         (JSC::JSCell::classInfo):
3131         (JSC::JSCell::callDestructor):
3132         (JSC::JSCell::vm): Deleted.
3133         * runtime/JSFunction.cpp:
3134         (JSC::JSFunction::create):
3135         (JSC::JSFunction::allocateAndInitializeRareData):
3136         (JSC::JSFunction::initializeRareData):
3137         (JSC::JSFunction::getOwnPropertySlot):
3138         (JSC::JSFunction::put):
3139         (JSC::JSFunction::deleteProperty):
3140         (JSC::JSFunction::defineOwnProperty):
3141         (JSC::JSFunction::setFunctionName):
3142         (JSC::JSFunction::reifyLength):
3143         (JSC::JSFunction::reifyName):
3144         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
3145         (JSC::JSFunction::reifyBoundNameIfNeeded):
3146         * runtime/JSFunction.h:
3147         * runtime/JSFunctionInlines.h:
3148         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
3149         (JSC::JSFunction::JSFunction):
3150         * runtime/JSGenericTypedArrayViewInlines.h:
3151         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
3152         * runtime/JSInternalPromise.cpp:
3153         * runtime/JSInternalPromiseConstructor.cpp:
3154         * runtime/JSInternalPromiseDeferred.cpp:
3155         * runtime/JSInternalPromisePrototype.cpp:
3156         * runtime/JSJob.cpp:
3157         * runtime/JSMapIterator.cpp:
3158         * runtime/JSModuleNamespaceObject.cpp:
3159         * runtime/JSModuleRecord.cpp:
3160         * runtime/JSObject.cpp:
3161         (JSC::JSObject::visitButterfly):
3162         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
3163         (JSC::JSObject::createInitialIndexedStorage):
3164         (JSC::JSObject::createInitialUndecided):
3165         (JSC::JSObject::createInitialInt32):
3166         (JSC::JSObject::createInitialDouble):
3167         (JSC::JSObject::createInitialContiguous):
3168         (JSC::JSObject::createArrayStorage):
3169         (JSC::JSObject::createInitialArrayStorage):
3170         (JSC::JSObject::convertUndecidedToInt32):
3171         (JSC::JSObject::convertUndecidedToContiguous):
3172         (JSC::JSObject::convertUndecidedToArrayStorage):
3173         (JSC::JSObject::convertInt32ToDouble):
3174         (JSC::JSObject::convertInt32ToArrayStorage):
3175         (JSC::JSObject::convertDoubleToArrayStorage):
3176         (JSC::JSObject::convertContiguousToArrayStorage):
3177         (JSC::JSObject::putByIndexBeyondVectorLength):
3178         (JSC::JSObject::putDirectIndexBeyondVectorLength):
3179         (JSC::JSObject::getNewVectorLength):
3180         (JSC::JSObject::increaseVectorLength):
3181         (JSC::JSObject::ensureLengthSlow):
3182         (JSC::JSObject::growOutOfLineStorage):
3183         (JSC::JSObject::copyButterfly): Deleted.
3184         (JSC::JSObject::copyBackingStore): Deleted.
3185         * runtime/JSObject.h:
3186         (JSC::JSObject::globalObject):
3187         (JSC::JSObject::putDirectInternal):
3188         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary): Deleted.
3189         * runtime/JSObjectInlines.h:
3190         * runtime/JSPromise.cpp:
3191         * runtime/JSPromiseConstructor.cpp:
3192         * runtime/JSPromiseDeferred.cpp:
3193         * runtime/JSPromisePrototype.cpp:
3194         * runtime/JSPropertyNameIterator.cpp:
3195         * runtime/JSScope.cpp:
3196         (JSC::JSScope::resolve):
3197         * runtime/JSScope.h:
3198         (JSC::JSScope::globalObject):
3199         (JSC::JSScope::vm): Deleted.
3200         * runtime/JSSetIterator.cpp:
3201         * runtime/JSStringIterator.cpp:
3202         * runtime/JSTemplateRegistryKey.cpp:
3203         * runtime/JSTypedArrayViewConstructor.cpp:
3204         * runtime/JSTypedArrayViewPrototype.cpp:
3205         * runtime/JSWeakMap.cpp:
3206         * runtime/JSWeakSet.cpp:
3207         * runtime/MapConstructor.cpp:
3208         * runtime/MapIteratorPrototype.cpp:
3209         * runtime/MapPrototype.cpp:
3210         * runtime/NativeErrorConstructor.cpp:
3211         * runtime/NativeStdFunctionCell.cpp:
3212         * runtime/Operations.h:
3213         (JSC::scribbleFreeCells):
3214         (JSC::scribble):
3215         * runtime/Options.h:
3216         * runtime/PropertyTable.cpp:
3217         * runtime/ProxyConstructor.cpp:
3218         * runtime/ProxyObject.cpp:
3219         * runtime/ProxyRevoke.cpp:
3220         * runtime/RegExp.cpp:
3221         (JSC::RegExp::match):
3222         (JSC::RegExp::matchConcurrently):
3223         (JSC::RegExp::matchCompareWithInterpreter):
3224         * runtime/RegExp.h:
3225         * runtime/RegExpConstructor.h:
3226         * runtime/RegExpInlines.h:
3227         (JSC::RegExp::matchInline):
3228         * runtime/RegExpMatchesArray.h:
3229         (JSC::tryCreateUninitializedRegExpMatchesArray):
3230         (JSC::createRegExpMatchesArray):
3231         * runtime/RegExpPrototype.cpp:
3232         (JSC::genericSplit):
3233         * runtime/RuntimeType.cpp:
3234         * runtime/SamplingProfiler.cpp:
3235         (JSC::SamplingProfiler::processUnverifiedStackTraces):
3236         * runtime/SetConstructor.cpp:
3237         * runtime/SetIteratorPrototype.cpp:
3238         * runtime/SetPrototype.cpp:
3239         * runtime/StackFrame.cpp: Added.
3240         (JSC::StackFrame::sourceID):
3241         (JSC::StackFrame::sourceURL):
3242         (JSC::StackFrame::functionName):
3243         (JSC::StackFrame::computeLineAndColumn):
3244         (JSC::StackFrame::toString):
3245         * runtime/StackFrame.h: Added.
3246         (JSC::StackFrame::isNative):
3247         * runtime/StringConstructor.cpp:
3248         * runtime/StringIteratorPrototype.cpp:
3249         * runtime/StructureInlines.h:
3250         (JSC::Structure::propertyTable):
3251         * runtime/TemplateRegistry.cpp:
3252         * runtime/TestRunnerUtils.cpp:
3253         (JSC::finalizeStatsAtEndOfTesting):
3254         * runtime/TestRunnerUtils.h:
3255         * runtime/TypeProfilerLog.cpp:
3256         * runtime/TypeSet.cpp:
3257         * runtime/VM.cpp:
3258         (JSC::VM::VM):
3259         (JSC::VM::ensureStackCapacityForCLoop):
3260         (JSC::VM::isSafeToRecurseSoftCLoop):
3261         * runtime/VM.h:
3262         * runtime/VMEntryScope.h:
3263         * runtime/VMInlines.h:
3264         (JSC::VM::ensureStackCapacityFor):
3265         (JSC::VM::isSafeToRecurseSoft):
3266         * runtime/WeakMapConstructor.cpp:
3267         * runtime/WeakMapData.cpp:
3268         * runtime/WeakMapPrototype.cpp:
3269         * runtime/WeakSetConstructor.cpp:
3270         * runtime/WeakSetPrototype.cpp:
3271         * testRegExp.cpp:
3272         (testOneRegExp):
3273         * tools/JSDollarVM.cpp:
3274         * tools/JSDollarVMPrototype.cpp:
3275         (JSC::JSDollarVMPrototype::isInObjectSpace):
3276
3277 2016-09-04  Commit Queue  <commit-queue@webkit.org>
3278
3279         Unreviewed, rolling out r205415.
3280         https://bugs.webkit.org/show_bug.cgi?id=161573
3281
3282         Many bots see inspector test failures, rolling out now and
3283         investigating later. (Requested by brrian on #webkit).
3284
3285         Reverted changeset:
3286
3287         "Web Inspector: unify Main.html and Test.html sources and
3288         generate different copies with the preprocessor"
3289         https://bugs.webkit.org/show_bug.cgi?id=161212
3290         http://trac.webkit.org/changeset/205415
3291
3292 2016-09-01  Brian Burg  <bburg@apple.com>
3293
3294         Web Inspector: unify Main.html and Test.html sources and generate different copies with the preprocessor
3295         https://bugs.webkit.org/show_bug.cgi?id=161212
3296         <rdar://problem/28017961>
3297
3298         Reviewed by Joseph Pecoraro.
3299
3300         * CMakeLists.txt: Remove some unnecessary MAKE_DIRECTORY commands.