9b9952d59d9c257506828625a06f71b9358c80e8
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2016-09-13  Mark Lam  <mark.lam@apple.com>
2
3         DFG NewArrayBuffer node should watch for "have a bad time" state change.
4         https://bugs.webkit.org/show_bug.cgi?id=161927
5         <rdar://problem/27995222>
6
7         Reviewed by Geoffrey Garen.
8
9         * dfg/DFGFixupPhase.cpp:
10         (JSC::DFG::FixupPhase::fixupNode):
11
12 2016-09-13  JF Bastien  <jfbastien@apple.com>
13
14         Support jsc shell builtin `read`
15         https://bugs.webkit.org/show_bug.cgi?id=161662
16
17         Reviewed by Keith Miller.
18
19         The jsc shell currently supports a `readFile` method which returns
20         a string. SpiderMonkey's js shell and V8's d8 shell both support
21         similar file-to-string functions, as well as a
22         binary-file-to-Uint8Array function. jsc should support a similar
23         binary file method to simplify testing, including testing of
24         WebAssembly blobs.
25
26         Emscripten's shell.js (which is also used for some WebAssembly
27         things) has a polyfill [1] for a builtin called `read`. jsc should
28         therefore have a builtin with the same name if we want things to
29         "Just Work".
30
31           [1]: https://github.com/kripken/emscripten/blob/5f0918409a1407dd168f57cfa34b109cd1770a8a/src/shell.js#L138
32
33         * jsc.cpp:
34         (GlobalObject::finishCreation): add `read`, make `readFile` take up to 2 arguments.
35         (functionReadFile): support binary files, as per SpiderMonkey.
36         * runtime/Error.h:
37         (JSC::throwVMError): convenience function, I'll add more uses in a follow-up
38         * runtime/JSTypedArrays.cpp:
39         (JSC::createUint8TypedArray): JS private export of JSUint8Array::create.
40         * runtime/JSTypedArrays.h: expose private export.
41
42 2016-09-12  Skachkov Oleksandr  <gskachkov@gmail.com>
43
44         ES6: Classes: Should be allowed to create a static method with name "arguments"
45         https://bugs.webkit.org/show_bug.cgi?id=152985
46
47         Reviewed by Keith Miller.
48
49         Current patch covered 16.2 Forbidden Extensions - first topic 
50         (https://tc39.github.io/ecma262/#sec-forbidden-extensions) ECMAScript Functions 
51         should not have own properties named "caller" or "arguments".
52         Also added possibility to declare static methods and getters with 
53         name 'arguments' and 'caller' for classes. i.e.:
54         class A { static arguments() { return 'value'; } }
55         A.arguments() === 'value';
56         To implement this patch 'caller' and 'arguments' were put to the FunctionPrototype
57         object. Also was changed approach to init throwTypeErrorArgumentsCalleeAndCallerGetterSetter
58         property from Lazy to common because it necessary to use execState during init of the accessors 
59         properties.
60
61         * runtime/Executable.h:
62         * runtime/FunctionPrototype.cpp:
63         (JSC::FunctionPrototype::initRestrictedProperties):
64         (JSC::FunctionPrototype::addFunctionProperties): Deleted.
65         * runtime/FunctionPrototype.h:
66         * runtime/JSFunction.cpp:
67         (JSC::JSFunction::getOwnPropertySlot):
68         (JSC::JSFunction::getOwnNonIndexPropertyNames):
69         (JSC::JSFunction::put):
70         (JSC::JSFunction::deleteProperty):
71         (JSC::JSFunction::defineOwnProperty):
72         * runtime/JSGlobalObject.cpp:
73         (JSC::JSGlobalObject::init):
74         (JSC::JSGlobalObject::visitChildren):
75         * runtime/JSGlobalObject.h:
76         (JSC::JSGlobalObject::throwTypeErrorArgumentsCalleeAndCallerGetterSetter):
77
78 2016-09-12  Filip Pizlo  <fpizlo@apple.com>
79
80         MarkedBlock should be able to use flipIfNecessary() as the "I'm not empty" trigger
81         https://bugs.webkit.org/show_bug.cgi?id=161869
82
83         Reviewed by Saam Barati.
84         
85         In bug 161581, I'm going to use flipIfNecessary() during marking to trigger the "I'm not
86         empty" hook, which will set a bit in the markingNotEmpty bitvector.
87         
88         For this to work, we need to ensure that nobody else uses flipIfNecessary() during marking.
89         If anyone else does it but they aren't marking new objects, then this prevents
90         flipIfNecessary() from triggering when the first object is marked, which means we won't
91         always detect when a block became non-empty.
92         
93         I addressed this by adding a isMarking flag, and asserting in flipIfNecessary() that the flag
94         isn't set. flipIfNecessaryDuringMarking() is used only on the marking path, so that code
95         knows that it can trigger something like noteMarked(). The only places that were using
96         flipIfNecessary() should have been using needsFlip() anyway.
97
98         * heap/CellContainer.h:
99         * heap/CellContainerInlines.h:
100         (JSC::CellContainer::needsFlip):
101         * heap/Heap.cpp:
102         (JSC::Heap::markRoots):
103         (JSC::Heap::beginMarking):
104         (JSC::Heap::endMarking):
105         (JSC::Heap::clearLivenessData): Deleted.
106         (JSC::Heap::converge): Deleted.
107         (JSC::Heap::resetVisitors): Deleted.
108         * heap/Heap.h:
109         * heap/HeapInlines.h:
110         (JSC::Heap::testAndSetMarked):
111         * heap/LargeAllocation.h:
112         (JSC::LargeAllocation::flipIfNecessaryDuringMarking):
113         (JSC::LargeAllocation::flipIfNecessaryConcurrently): Deleted.
114         * heap/MarkedBlock.cpp:
115         (JSC::MarkedBlock::flipIfNecessarySlow):
116         (JSC::MarkedBlock::flipIfNecessaryDuringMarkingSlow):
117         (JSC::MarkedBlock::flipIfNecessaryConcurrentlySlow): Deleted.
118         * heap/MarkedBlock.h:
119         (JSC::MarkedBlock::flipIfNecessaryDuringMarking):
120         (JSC::MarkedBlock::Handle::flipIfNecessaryDuringMarking):
121         (JSC::MarkedBlock::flipIfNecessaryConcurrently): Deleted.
122         (JSC::MarkedBlock::Handle::flipIfNecessaryConcurrently): Deleted.
123         * heap/MarkedSpace.h:
124         (JSC::MarkedSpace::isMarking):
125         (JSC::MarkedSpace::setIsMarking):
126         (JSC::MarkedSpace::largeAllocationsForThisCollectionSize): Deleted.
127         * heap/SlotVisitor.cpp:
128         (JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
129         * heap/WeakBlock.cpp:
130         (JSC::WeakBlock::visit):
131
132 2016-09-12  Saam Barati  <sbarati@apple.com>
133
134         HashMapImpl should take into account m_deleteCount in its load factor and it should be able to rehash the table to be smaller
135         https://bugs.webkit.org/show_bug.cgi?id=161640
136
137         Reviewed by Geoffrey Garen.
138
139         HashMapImpl now takes into account m_deleteCount in its load factor.
140         It now knows how to rehash to either decrease its capacity, stay at
141         the same capacity, or increase its capacity. The reason we can sometimes
142         stay at the same capacity is that we can reduce the load factor enough
143         by rehashing that growing isn't warranted. The reason for this is that
144         anytime we rehash, we remove all deleted sentinels from the buffer.
145         Therefore, staying at the same same capacity, when there are deleted entries,
146         can still reduce the load factor because it removes all deleted sentinels.
147
148         * runtime/HashMapImpl.h:
149         (JSC::HashMapBuffer::create):
150         (JSC::HashMapBuffer::reset):
151         (JSC::HashMapImpl::HashMapImpl):
152         (JSC::HashMapImpl::add):
153         (JSC::HashMapImpl::remove):
154         (JSC::HashMapImpl::size):
155         (JSC::HashMapImpl::clear):
156         (JSC::HashMapImpl::approximateSize):
157         (JSC::HashMapImpl::shouldRehashAfterAdd):
158         (JSC::HashMapImpl::shouldShrink):
159         (JSC::HashMapImpl::rehash):
160         (JSC::HashMapImpl::checkConsistency):
161         (JSC::HashMapImpl::makeAndSetNewBuffer):
162         (JSC::HashMapImpl::assertBufferIsEmpty):
163
164 2016-09-12  Benjamin Poulain  <bpoulain@apple.com>
165
166         [JSC] Use GetArrayLength for JSArray.length even when the array type is undecided
167         https://bugs.webkit.org/show_bug.cgi?id=161671
168
169         Reviewed by Geoffrey Garen.
170
171         UndecidedShape is a type with storage. When we allocate an uninitialized JSArray,
172         it gets a butterfly with its length.
173         When we were querying that length, we were generating a generic GetById with inline cache.
174
175         This patch adds the missing bits to treat Undecided like the other types with storage.
176
177         * dfg/DFGArrayMode.cpp:
178         (JSC::DFG::canBecomeGetArrayLength):
179         (JSC::DFG::ArrayMode::refine):
180         * dfg/DFGArrayMode.h:
181         (JSC::DFG::ArrayMode::usesButterfly):
182         (JSC::DFG::ArrayMode::lengthNeedsStorage):
183         * dfg/DFGClobberize.h:
184         (JSC::DFG::clobberize):
185         * dfg/DFGFixupPhase.cpp:
186         (JSC::DFG::FixupPhase::checkArray):
187         * dfg/DFGSpeculativeJIT.cpp:
188         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
189         * ftl/FTLCapabilities.cpp:
190         (JSC::FTL::canCompile):
191         * ftl/FTLLowerDFGToB3.cpp:
192         (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
193
194 2016-09-12  Yusuke Suzuki  <utatane.tea@gmail.com>
195
196         [DFG][FTL] Add ArithTan
197         https://bugs.webkit.org/show_bug.cgi?id=161857
198
199         Reviewed by Filip Pizlo.
200
201         While ArithSin and ArithCos are supported, ArithTan is not supported yet.
202         And we also find that Math.tan is included in MotionMark's Multiply benchmark.
203
204         This patch adds ArithTan support in DFG and FTL. And it also cleans up the
205         existing ArithSin, ArithCos, and ArithLog compilations by unifying them.
206         The microbenchmark shows the 9% perf improvement.
207
208             tan    322.4819+-0.3766     ^    295.8700+-0.3094        ^ definitely 1.0899x faster
209
210         * dfg/DFGAbstractInterpreterInlines.h:
211         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
212         * dfg/DFGByteCodeParser.cpp:
213         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
214         * dfg/DFGClobberize.h:
215         (JSC::DFG::clobberize):
216         * dfg/DFGDoesGC.cpp:
217         (JSC::DFG::doesGC):
218         * dfg/DFGFixupPhase.cpp:
219         (JSC::DFG::FixupPhase::fixupNode):
220         * dfg/DFGNodeType.h:
221         * dfg/DFGOperations.cpp:
222         * dfg/DFGOperations.h:
223         * dfg/DFGPredictionPropagationPhase.cpp:
224         * dfg/DFGSafeToExecute.h:
225         (JSC::DFG::safeToExecute):
226         * dfg/DFGSpeculativeJIT.cpp:
227         (JSC::DFG::SpeculativeJIT::compileArithDoubleUnaryOp):
228         (JSC::DFG::SpeculativeJIT::compileArithCos):
229         (JSC::DFG::SpeculativeJIT::compileArithTan):
230         (JSC::DFG::SpeculativeJIT::compileArithSin):
231         (JSC::DFG::SpeculativeJIT::compileArithLog):
232         * dfg/DFGSpeculativeJIT.h:
233         * dfg/DFGSpeculativeJIT32_64.cpp:
234         (JSC::DFG::SpeculativeJIT::compile):
235         * dfg/DFGSpeculativeJIT64.cpp:
236         (JSC::DFG::SpeculativeJIT::compile):
237         * ftl/FTLCapabilities.cpp:
238         (JSC::FTL::canCompile):
239         * ftl/FTLLowerDFGToB3.cpp:
240         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
241         (JSC::FTL::DFG::LowerDFGToB3::compileArithTan):
242         * ftl/FTLOutput.cpp:
243         (JSC::FTL::Output::doubleTan):
244         * ftl/FTLOutput.h:
245         * runtime/Intrinsic.h:
246         * runtime/MathObject.cpp:
247         (JSC::MathObject::finishCreation):
248
249 2016-09-12  Saam Barati  <sbarati@apple.com>
250
251         MapHash should do constant folding when it has a constant argument and its legal to hash that value
252         https://bugs.webkit.org/show_bug.cgi?id=161639
253
254         Reviewed by Filip Pizlo.
255
256         We now constant fold the MapHash node. We're careful to not resolve
257         ropes from the compiler thread, and to only hash strings if they're
258         not too large. The microbenchmark I added runs about 12% faster with
259         this patch.
260
261         * dfg/DFGAbstractInterpreterInlines.h:
262         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
263         * runtime/HashMapImpl.h:
264         (JSC::wangsInt64Hash):
265         (JSC::jsMapHash):
266         (JSC::concurrentJSMapHash):
267
268 2016-09-11  Filip Pizlo  <fpizlo@apple.com>
269
270         DFG::forAllKilledOperands() could use a faster bitvector scan in the same-inline-stack fast path
271         https://bugs.webkit.org/show_bug.cgi?id=161849
272
273         Reviewed by Saam Barati.
274         
275         This is a fairly obvious change. This turns a loop that would query each bit individually
276         into a loop that will process a word at a time. I would expect a very tiny progression in
277         DFG compile times.
278         
279         This also gave me an opportunity to test and fix the new FastBitVector functionality.
280
281         * dfg/DFGForAllKills.h:
282         (JSC::DFG::forAllKilledOperands):
283
284 2016-09-11  Filip Pizlo  <fpizlo@apple.com>
285
286         FastBitVector should have efficient and easy-to-use vector-vector operations
287         https://bugs.webkit.org/show_bug.cgi?id=161847
288
289         Reviewed by Saam Barati.
290         
291         Adapt existing users of FastBitVector to the new API.
292
293         * bytecode/BytecodeLivenessAnalysis.cpp:
294         (JSC::BytecodeLivenessAnalysis::computeKills):
295         (JSC::BytecodeLivenessAnalysis::dumpResults):
296         * bytecode/BytecodeLivenessAnalysisInlines.h:
297         (JSC::operandThatIsNotAlwaysLiveIsLive):
298         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::stepOverInstruction):
299         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::runLivenessFixpoint):
300         * bytecode/CodeBlock.cpp:
301         (JSC::CodeBlock::validate):
302         * dfg/DFGByteCodeParser.cpp:
303         (JSC::DFG::ByteCodeParser::flushForTerminal):
304         * dfg/DFGForAllKills.h:
305         (JSC::DFG::forAllKilledOperands):
306         * dfg/DFGGraph.h:
307         (JSC::DFG::Graph::forAllLocalsLiveInBytecode):
308         * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
309         (JSC::DFG::LiveCatchVariablePreservationPhase::willCatchException):
310         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlock):
311         * dfg/DFGNaturalLoops.cpp:
312         (JSC::DFG::NaturalLoops::NaturalLoops):
313         * dfg/DFGPlan.cpp:
314         (JSC::DFG::Plan::cleanMustHandleValuesIfNecessary):
315
316 2016-09-10  Chris Dumez  <cdumez@apple.com>
317
318         parseHTMLInteger() should take a StringView in parameter
319         https://bugs.webkit.org/show_bug.cgi?id=161669
320
321         Reviewed by Ryosuke Niwa.
322
323         * runtime/DateConversion.cpp:
324         (JSC::formatDateTime):
325         Explicitly construct a String from the const WCHAR* on Windows because
326         it is ambiguous otherwise now that there is a StringBuilder::append()
327         overload taking an AtomicString in.
328
329 2016-09-08  Keith Miller  <keith_miller@apple.com>
330
331         WASM should support if-then-else
332         https://bugs.webkit.org/show_bug.cgi?id=161778
333
334         Reviewed by Michael Saboff.
335
336         This patch makes some major changes to the way that the WASM
337         function parser works. First, the control stack has been moved
338         from the parser's context to the parser itself. This simplifies
339         the way that the parser works and allows us to make the decoder
340         iterative rather than recursive. Since the control stack has been
341         moved to the parser, any context operation that refers to some
342         block now receives that block by reference.
343
344         For any if block, regardless of whether or not it is an
345         if-then-else or not, we will allocate both the entire control flow
346         diamond. This is not a major issue in the if-then case since B3
347         will immediately cleanup these blocks. In order to support if-then
348         and if-then-else we needed to be able to distinguish what the type
349         of the top block on the control stack is. This will be necessary
350         when validating the else opcode in the future. In the B3 IR
351         generator we decide to the type of the block strictly by the
352         shape.
353
354         Currently, if blocks don't handle passed and returned stack values
355         correctly. I plan to fix this when I add support for the block
356         signatures. See: https://github.com/WebAssembly/design/pull/765
357
358         * testWASM.cpp:
359         (runWASMTests):
360         * wasm/WASMB3IRGenerator.cpp:
361         (dumpProcedure):
362         (JSC::WASM::parseAndCompile):
363         * wasm/WASMB3IRGenerator.h:
364         * wasm/WASMFunctionParser.h:
365         (JSC::WASM::FunctionParser<Context>::parseBlock):
366         (JSC::WASM::FunctionParser<Context>::parseExpression):
367         (JSC::WASM::FunctionParser<Context>::parseUnreachableExpression):
368         * wasm/WASMOps.h:
369
370 2016-09-09  Filip Pizlo  <fpizlo@apple.com>
371
372         jsc.cpp should call initializeMainThread() to make sure that GC thread assertions work
373         https://bugs.webkit.org/show_bug.cgi?id=161801
374
375         Reviewed by Keith Miller.
376         
377         The GC has debug assertions that certain things don't happen on GC threads. Those assertions
378         are no-ops unless initializeGCThreads() is called, and I think the most canonical way to do
379         that is to call initializeMainThread().
380
381         * jsc.cpp:
382         (jscmain):
383
384 2016-09-09  Saam Barati  <sbarati@apple.com>
385
386         Make hasOwnProperty ALWAYS_INLINE
387         https://bugs.webkit.org/show_bug.cgi?id=161775
388
389         Reviewed by Ryosuke Niwa.
390
391         Speedometer spends around 2.5% of its time in hasOwnProperty.
392         Let's reduce the overhead of calling that function by marking
393         it as inline. Also, it's likely that the function will call into
394         JSObject::getOwnPropertySlot. I added a check to see if that's
395         the function we're calling, if it is, we do a direct call instead
396         of an indirect call.
397
398         * runtime/JSObject.cpp:
399         (JSC::JSObject::hasOwnProperty): Deleted.
400         * runtime/JSObjectInlines.h:
401         (JSC::JSObject::hasOwnProperty):
402
403 2016-09-09  Filip Pizlo  <fpizlo@apple.com>
404
405         HashMapImpl needs to m_buffer.clear() in its constructor
406         https://bugs.webkit.org/show_bug.cgi?id=161796
407
408         Reviewed by Keith Miller.
409         
410         This is the second time that I'm fixing a bug because AuxiliaryBarrier does not initialize
411         itself. That seemed like a good idea because maybe sometimes the user knows better how to
412         initialize it. But, it's not worth it if it's a constant source of bugs.
413         
414         So, I'm fixing it for good by making AuxiliaryBarrier::AuxiliaryBarrier() initialize its
415         m_value.
416
417         * runtime/AuxiliaryBarrier.h:
418         (JSC::AuxiliaryBarrier::AuxiliaryBarrier):
419         * runtime/DirectArguments.cpp:
420         (JSC::DirectArguments::DirectArguments):
421
422 2016-09-09  Youenn Fablet  <youenn@apple.com>
423
424         ASSERTION FAILED: promise.inherits(JSPromise::info())
425         https://bugs.webkit.org/show_bug.cgi?id=161632
426         <rdar://problem/28184743>
427
428         Reviewed by Mark Lam.
429
430         * runtime/JSPromiseDeferred.cpp:
431         (JSC::JSPromiseDeferred::create): Returning null if promise object is not created.
432
433 2016-09-08  Filip Pizlo  <fpizlo@apple.com>
434
435         Heap::isMarked() shouldn't pay the price of concurrent lazy flipping
436         https://bugs.webkit.org/show_bug.cgi?id=161760
437
438         Reviewed by Mark Lam.
439         
440         To fix a race condition in marking, I made Heap::isMarked() and Heap::isLive() atomic by
441         using flipIfNecessaryConcurrently() instead of flipIfNecessary().
442         
443         This introduces three unnecessary overheads:
444         
445         - isLive() is not called by marking, so that change was not necessary.
446         
447         - isMarked() gets calls many times outside of marking, so it shouldn't always do the
448           concurrent thing. This adds isMarkedConcurrently() for use in marking, and reverts
449           isMarked().
450         
451         - isMarked() and isMarkedConcurrently() don't actually have to do the lazy flip. They can
452           return false if the flip is necessary.
453         
454         I added a bunch of debug assertions to make sure that isLive() and isMarked() are not called
455         during marking.
456         
457         If we needed to, we could remove most of the calls to isMarkedConcurrently(). As a kind of
458         optimization, CodeBlock does an initial fixpoint iteration during marking, and so all of the
459         code called from CodeBlock's fixpoint iterator needs to use isMarkedConcurrently(). But we
460         could probably arrange for CodeBlock only do fixpoint iterating during the weak reference
461         thing.
462
463         * bytecode/CodeBlock.cpp:
464         (JSC::CodeBlock::visitWeakly):
465         (JSC::CodeBlock::shouldJettisonDueToOldAge):
466         (JSC::shouldMarkTransition):
467         (JSC::CodeBlock::propagateTransitions):
468         (JSC::CodeBlock::determineLiveness):
469         * bytecode/PolymorphicAccess.cpp:
470         (JSC::AccessCase::propagateTransitions):
471         * heap/Heap.h:
472         * heap/HeapInlines.h:
473         (JSC::Heap::isLive):
474         (JSC::Heap::isMarked):
475         (JSC::Heap::isMarkedConcurrently):
476         * heap/MarkedBlock.cpp:
477         (JSC::MarkedBlock::flipIfNecessarySlow):
478         (JSC::MarkedBlock::flipIfNecessaryConcurrentlySlow):
479         (JSC::MarkedBlock::needsFlip):
480         * heap/MarkedBlock.h:
481         (JSC::MarkedBlock::needsFlip):
482         (JSC::MarkedBlock::flipIfNecessary):
483         (JSC::MarkedBlock::flipIfNecessaryConcurrently):
484         * heap/SlotVisitor.cpp:
485         (JSC::SlotVisitor::appendToMarkStack):
486         (JSC::SlotVisitor::markAuxiliary):
487         (JSC::SlotVisitor::visitChildren):
488         * runtime/Structure.cpp:
489         (JSC::Structure::isCheapDuringGC):
490         (JSC::Structure::markIfCheap):
491
492 2016-09-08  Saam Barati  <sbarati@apple.com>
493
494         We should inline operationConvertJSValueToBoolean into JIT code
495         https://bugs.webkit.org/show_bug.cgi?id=161729
496
497         Reviewed by Filip Pizlo.
498
499         This patch introduces an AssemblyHelpers emitter function
500         that replaces operationConvertJSValueToBoolean. This operation
501         was showing up when I was doing performance analysis for the
502         speedometer benchmark. I saw that it was spending about 1% of
503         its time in this function. Hopefully this patch can help us speedup
504         up speedometer by a little bit.
505
506         * dfg/DFGSpeculativeJIT32_64.cpp:
507         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
508         (JSC::DFG::SpeculativeJIT::emitBranch):
509         * dfg/DFGSpeculativeJIT64.cpp:
510         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
511         (JSC::DFG::SpeculativeJIT::emitBranch):
512         * jit/AssemblyHelpers.cpp:
513         (JSC::AssemblyHelpers::emitConvertValueToBoolean):
514         * jit/AssemblyHelpers.h:
515         (JSC::AssemblyHelpers::emitAllocateDestructibleObject): Deleted.
516         * jit/JIT.cpp:
517         (JSC::JIT::privateCompileSlowCases):
518         * jit/JIT.h:
519         * jit/JITOpcodes.cpp:
520         (JSC::JIT::emit_op_jfalse):
521         (JSC::JIT::emit_op_jtrue):
522         (JSC::JIT::emitSlow_op_jfalse): Deleted.
523         (JSC::JIT::emitSlow_op_jtrue): Deleted.
524         * jit/JITOpcodes32_64.cpp:
525         (JSC::JIT::emit_op_jfalse):
526         (JSC::JIT::emit_op_jtrue):
527         (JSC::JIT::emitSlow_op_jfalse): Deleted.
528         (JSC::JIT::emitSlow_op_jtrue): Deleted.
529         * jit/JITOperations.cpp:
530         * jit/JITOperations.h:
531
532 2016-09-08  Chris Dumez  <cdumez@apple.com>
533
534         Align proto getter / setter behavior with other browsers
535         https://bugs.webkit.org/show_bug.cgi?id=161455
536
537         Reviewed by Saam Barati.
538
539         Drop allowsAccessFrom from the methodTable and delegate cross-origin
540         checking to the DOM bindings for [[SetPrototypeOf]] / [[GetPrototypeOf]].
541         This is more consistent with other operations (e.g. [[GetOwnProperty]]).
542
543         * jsc.cpp:
544         * runtime/JSGlobalObject.cpp:
545         * runtime/JSGlobalObject.h:
546         * runtime/JSGlobalObjectFunctions.cpp:
547         (JSC::globalFuncProtoGetter):
548         (JSC::globalFuncProtoSetter):
549         (JSC::globalFuncBuiltinLog): Deleted.
550         * runtime/JSGlobalObjectFunctions.h:
551         * runtime/JSObject.cpp:
552         (JSC::JSObject::setPrototypeWithCycleCheck):
553         Remove check added in r197648. This check was added to match
554         the latest EcmaScript spec:
555         - https://tc39.github.io/ecma262/#sec-ordinarysetprototypeof (step 8)
556         This check allowed for [[Prototype]] chain cycles if the prototype
557         chain includes objects that do not use the ordinary object definitions
558         for [[GetPrototypeOf]] and [[SetPrototypeOf]].
559         The issue is that the rest of our code base does not properly handle
560         such cycles and we can end up in infinite loops. This became obvious
561         because this patch updates Window / Location so that they no longer
562         use the default [[GetPrototypeOf]] / [[SetPrototypeOf]]. If I do not
563         remove this check, I get an infinite loop in
564         Structure::anyObjectInChainMayInterceptIndexedAccesses(), which is
565         called from JSObject::setPrototypeDirect(), when running the following
566         layout test:
567         - html/browsers/history/the-location-interface/allow_prototype_cycle_through_location.sub.html
568         I filed https://bugs.webkit.org/show_bug.cgi?id=161534 to track this
569         issue.
570
571         * runtime/JSObject.h:
572         (JSC::JSObject::getArrayLength): Deleted.
573         * runtime/JSProxy.cpp:
574         (JSC::JSProxy::setPrototype):
575         (JSC::JSProxy::getPrototype):
576         * runtime/JSProxy.h:
577         * runtime/ObjectConstructor.cpp:
578         (JSC::objectConstructorGetPrototypeOf):
579         (JSC::objectConstructorSetPrototypeOf):
580         (JSC::objectConstructorGetOwnPropertyDescriptor): Deleted.
581         (JSC::objectConstructorGetOwnPropertyDescriptors): Deleted.
582         * runtime/ObjectConstructor.h:
583         * runtime/ReflectObject.cpp:
584         (JSC::reflectObjectGetPrototypeOf):
585         (JSC::reflectObjectSetPrototypeOf):
586
587 2016-09-08  Filip Pizlo  <fpizlo@apple.com>
588
589         Remove CopiedSpace and use MarkedSpace instead
590         https://bugs.webkit.org/show_bug.cgi?id=159658
591
592         Reviewed by Keith Miller.
593         
594         This removes the final client of CopiedSpace, the overrides array of DirectArguments. That
595         is a simple change.
596         
597         Then this stubs out some remaining internal debugging code that referenced CopiedSpace in
598         JSDollarVM and HeapVerifier. I filed FIXMEs to restore that debugging functionality.
599         
600         The rest of this patch is deleting CopiedSpace.
601
602         * API/JSObjectRef.cpp:
603         * CMakeLists.txt:
604         * JavaScriptCore.xcodeproj/project.pbxproj:
605         * dfg/DFGOperations.cpp:
606         * heap/ConservativeRoots.cpp:
607         (JSC::ConservativeRoots::genericAddPointer):
608         * heap/CopiedAllocator.h: Removed.
609         * heap/CopiedBlock.cpp: Removed.
610         * heap/CopiedBlock.h: Removed.
611         * heap/CopiedBlockInlines.h: Removed.
612         * heap/CopiedSpace.cpp: Removed.
613         * heap/CopiedSpace.h: Removed.
614         * heap/CopiedSpaceInlines.h: Removed.
615         * heap/CopyBarrier.h: Removed.
616         * heap/CopyToken.h: Removed.
617         * heap/CopyVisitor.cpp: Removed.
618         * heap/CopyVisitor.h: Removed.
619         * heap/CopyVisitorInlines.h: Removed.
620         * heap/CopyWorkList.h: Removed.
621         * heap/Heap.cpp:
622         (JSC::Heap::Heap):
623         (JSC::Heap::isPagedOut):
624         (JSC::Heap::updateObjectCounts):
625         (JSC::Heap::size):
626         (JSC::Heap::capacity):
627         (JSC::Heap::collectImpl):
628         (JSC::Heap::stopAllocation):
629         (JSC::Heap::updateAllocationLimits):
630         (JSC::Heap::copyBackingStores): Deleted.
631         (JSC::Heap::threadBytesCopied): Deleted.
632         * heap/Heap.h:
633         (JSC::Heap::objectSpace):
634         (JSC::Heap::allocatorForAuxiliaryData):
635         (JSC::Heap::storageSpace): Deleted.
636         (JSC::Heap::storageAllocator): Deleted.
637         * heap/HeapCellInlines.h:
638         * heap/HeapInlines.h:
639         (JSC::Heap::tryAllocateStorage): Deleted.
640         (JSC::Heap::tryReallocateStorage): Deleted.
641         * heap/HeapVerifier.cpp:
642         (JSC::HeapVerifier::verifyButterflyIsInStorageSpace):
643         (JSC::HeapVerifier::reportObject):
644         (JSC::getButterflyDetails): Deleted.
645         * heap/SlotVisitor.cpp:
646         (JSC::SlotVisitor::copyLater): Deleted.
647         * heap/SlotVisitor.h:
648         * jit/AssemblyHelpers.h:
649         * jit/JITOpcodes.cpp:
650         * jsc.cpp:
651         * runtime/ArrayConstructor.cpp:
652         * runtime/ArrayPrototype.cpp:
653         * runtime/Butterfly.h:
654         * runtime/ButterflyInlines.h:
655         (JSC::Butterfly::createUninitializedDuringCollection): Deleted.
656         * runtime/ClassInfo.h:
657         * runtime/DirectArguments.cpp:
658         (JSC::DirectArguments::visitChildren):
659         (JSC::DirectArguments::overrideThings):
660         (JSC::DirectArguments::copyBackingStore): Deleted.
661         * runtime/DirectArguments.h:
662         * runtime/JSArray.cpp:
663         * runtime/JSCell.cpp:
664         (JSC::JSCell::copyBackingStore): Deleted.
665         * runtime/JSCell.h:
666         * runtime/JSLexicalEnvironment.h:
667         * runtime/JSObject.cpp:
668         * runtime/JSTypedArrays.cpp:
669         * runtime/LiteralParser.cpp:
670         * runtime/ObjectConstructor.cpp:
671         * runtime/RegExpObject.cpp:
672         * runtime/StringPrototype.cpp:
673         * runtime/WeakMapData.cpp:
674         * tools/JSDollarVMPrototype.cpp:
675         (JSC::JSDollarVMPrototype::isInStorageSpace):
676
677 2016-09-08  Filip Pizlo  <fpizlo@apple.com>
678
679         Heap version should be 32-bit
680         https://bugs.webkit.org/show_bug.cgi?id=161751
681
682         Reviewed by Mark Lam.
683         
684         32-bit devices are probably getting hurt by the 64-bit version number. The reason why I made
685         it 64-bit initially is so that I wouldn't have to worry about wrap-around. But wrap-around is
686         easy to handle.
687
688         * heap/CellContainer.h:
689         * heap/CellContainerInlines.h:
690         (JSC::CellContainer::flipIfNecessary):
691         * heap/ConservativeRoots.cpp:
692         (JSC::ConservativeRoots::genericAddPointer):
693         (JSC::ConservativeRoots::genericAddSpan):
694         * heap/ConservativeRoots.h:
695         * heap/Heap.h:
696         * heap/HeapInlines.h:
697         (JSC::Heap::testAndSetMarked):
698         * heap/HeapUtil.h:
699         (JSC::HeapUtil::findGCObjectPointersForMarking):
700         * heap/MarkedBlock.cpp:
701         (JSC::MarkedBlock::MarkedBlock):
702         * heap/MarkedBlock.h:
703         (JSC::MarkedBlock::flipIfNecessary):
704         (JSC::MarkedBlock::flipIfNecessaryConcurrently):
705         (JSC::MarkedBlock::Handle::flipIfNecessary):
706         (JSC::MarkedBlock::Handle::flipIfNecessaryConcurrently):
707         * heap/MarkedSpace.cpp:
708         (JSC::MarkedSpace::flip):
709         * heap/MarkedSpace.h:
710         (JSC::MarkedSpace::version):
711         * heap/SlotVisitor.cpp:
712         (JSC::SlotVisitor::SlotVisitor):
713         * heap/SlotVisitor.h:
714
715 2016-09-08  Mark Lam  <mark.lam@apple.com>
716
717         Add support for a ternary sub32 emitter for ARM64 and 32-bit ARM.
718         https://bugs.webkit.org/show_bug.cgi?id=161724
719
720         Reviewed by Filip Pizlo.
721
722         ARM architectures support ternary sub instructions.  We should make use of them
723         in emitAllocateWithNonNullAllocator().
724
725         * assembler/MacroAssemblerARM.h:
726         (JSC::MacroAssemblerARM::sub32):
727         * assembler/MacroAssemblerARM64.h:
728         (JSC::MacroAssemblerARM64::sub32):
729         * assembler/MacroAssemblerARMv7.h:
730         (JSC::MacroAssemblerARMv7::sub32):
731         * assembler/MacroAssemblerSH4.h:
732         (JSC::MacroAssemblerSH4::sub32):
733         * assembler/MacroAssemblerX86Common.h:
734         (JSC::MacroAssemblerX86Common::sub32):
735         * b3/air/AirOpcode.opcodes:
736         * b3/testb3.cpp:
737         (JSC::B3::testTernarySubInstructionSelection):
738         (JSC::B3::run):
739         * jit/AssemblyHelpers.h:
740         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
741
742 2016-09-08  Filip Pizlo  <fpizlo@apple.com>
743
744         Move JSMap/JSSet over to Auxiliary MarkedSpace
745         https://bugs.webkit.org/show_bug.cgi?id=161744
746
747         Reviewed by Saam Barati.
748         
749         This moves the buffer out of CopiedSpace and into Auxiliary MarkedSpace.
750         
751         Also removes MapData.h/MapDataInlines.h since they are not used anywhere, but they still
752         speak of CopiedSpace.
753         
754         This is a purely mechanical change.
755
756         * JavaScriptCore.xcodeproj/project.pbxproj:
757         * heap/CopyToken.h:
758         * runtime/HashMapImpl.cpp:
759         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
760         (JSC::HashMapImpl<HashMapBucket>::copyBackingStore): Deleted.
761         * runtime/HashMapImpl.h:
762         (JSC::HashMapBuffer::create):
763         * runtime/JSMapIterator.cpp:
764         * runtime/JSMapIterator.h:
765         * runtime/JSSetIterator.cpp:
766         * runtime/JSSetIterator.h:
767         * runtime/MapBase.cpp:
768         * runtime/MapData.h: Removed.
769         * runtime/MapDataInlines.h: Removed.
770         * runtime/MapPrototype.cpp:
771         * runtime/SetConstructor.cpp:
772         * runtime/SetPrototype.cpp:
773         * runtime/VM.cpp:
774
775 2016-09-06  Filip Pizlo  <fpizlo@apple.com>
776
777         Typed arrays should use MarkedSpace instead of CopiedSpace
778         https://bugs.webkit.org/show_bug.cgi?id=161100
779
780         Reviewed by Geoffrey Garen.
781         
782         This moves typed array backing stores out of CopiedSpace and into Auxiliary MarkedSpace.
783         
784         This is a purely mechanical change since Auxiliary MarkedSpace already knows how to do
785         everything that typed arrays want.
786
787         * dfg/DFGOperations.cpp:
788         (JSC::DFG::newTypedArrayWithSize):
789         * dfg/DFGOperations.h:
790         (JSC::DFG::operationNewTypedArrayWithSizeForType):
791         * dfg/DFGSpeculativeJIT.cpp:
792         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
793         * dfg/DFGSpeculativeJIT.h:
794         (JSC::DFG::SpeculativeJIT::callOperation):
795         (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage): Deleted.
796         * ftl/FTLLowerDFGToB3.cpp:
797         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
798         (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
799         (JSC::FTL::DFG::LowerDFGToB3::splatWords):
800         (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorageAndGetEnd): Deleted.
801         (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorage): Deleted.
802         * heap/CopyToken.h:
803         * heap/SlotVisitor.cpp:
804         (JSC::SlotVisitor::markAuxiliary):
805         * jit/JITOperations.h:
806         * runtime/JSArrayBufferView.cpp:
807         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
808         (JSC::JSArrayBufferView::JSArrayBufferView):
809         * runtime/JSArrayBufferView.h:
810         * runtime/JSGenericTypedArrayView.h:
811         * runtime/JSGenericTypedArrayViewInlines.h:
812         (JSC::JSGenericTypedArrayView<Adaptor>::createWithFastVector):
813         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
814         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
815         (JSC::JSGenericTypedArrayView<Adaptor>::copyBackingStore): Deleted.
816
817 2016-09-08  Per Arne Vollan  <pvollan@apple.com>
818
819         [Win64] Compile fixes.
820         https://bugs.webkit.org/show_bug.cgi?id=161682
821
822         Reviewed by Brent Fulgham.
823
824         * dfg/DFGSpeculativeJIT64.cpp:
825         (JSC::DFG::SpeculativeJIT::emitCall):
826         * jit/JITCall.cpp:
827         (JSC::JIT::compileOpCall):
828         * runtime/ArrayConventions.cpp:
829         (JSC::clearArrayMemset):
830
831 2016-09-08  Per Arne Vollan  <pvollan@apple.com>
832
833         [Win] Exception fuzz tests fail
834         https://bugs.webkit.org/show_bug.cgi?id=140928
835
836         Reviewed by Mark Lam.
837
838         Flush stdout when throwing the exception to make sure the output comes before output in the exception handler.
839         The tests depend on the output to stdout being written in the correct order.
840
841         * runtime/ExceptionFuzz.cpp:
842         (JSC::doExceptionFuzzing):
843
844 2016-09-07  Simon Fraser  <simon.fraser@apple.com>
845
846         Enable the <meter> element on iOS
847         https://bugs.webkit.org/show_bug.cgi?id=161714
848         rdar://problem/8978410
849
850         Reviewed by Tim Horton.
851
852         Define ENABLE_METER_ELEMENT unconditionally now.
853
854         * Configurations/FeatureDefines.xcconfig:
855
856 2016-09-07  Joseph Pecoraro  <pecoraro@apple.com>
857
858         Modernize Debugger to use nullptr
859         https://bugs.webkit.org/show_bug.cgi?id=161718
860
861         Reviewed by Mark Lam.
862
863         * debugger/Debugger.cpp:
864         (JSC::Debugger::Debugger):
865         (JSC::Debugger::~Debugger):
866         (JSC::Debugger::detach):
867         (JSC::Debugger::stepOutOfFunction):
868         (JSC::Debugger::updateCallFrameAndPauseIfNeeded):
869         * debugger/Debugger.h:
870
871 2016-09-07  Joseph Pecoraro  <pecoraro@apple.com>
872
873         Web Inspector: Remove always false case in Debugger
874         https://bugs.webkit.org/show_bug.cgi?id=161717
875
876         Reviewed by Brian Burg.
877
878         * debugger/Debugger.cpp:
879         (JSC::Debugger::didExecuteProgram):
880         We would have earlier returned a few statements ago if this case was true.
881         And we would have crashed in the previous statement if this case was true.
882
883 2016-09-07  Yusuke Suzuki  <utatane.tea@gmail.com>
884
885         Unreviewed, build fix after r205569
886
887         Tweak CMakeLists.txt
888
889         * CMakeLists.txt:
890
891 2016-09-07  Mark Lam  <mark.lam@apple.com>
892
893         Add CatchScope and force all exception checks to be via ThrowScope or CatchScope.
894         https://bugs.webkit.org/show_bug.cgi?id=161498
895
896         Reviewed by Geoffrey Garen.
897
898         This patch refactors the ThrowScope class, and introduces a base ExceptionScope
899         that ThrowScope extends.  A CatchScope which extends the ExceptionScope is also
900         introduced.
901
902         ENABLE(THROW_SCOPE_VERIFICATION) is now renamed to ENABLE(EXCEPTION_SCOPE_VERIFICATION)
903         which is a more suitable name now.
904
905         Note: exception scope verification is still disabled by default.  There are still
906         many places that need to be fixed up or re-expressed in a way that is friendly
907         to the verification.  I'll address those in subsequent patches.
908
909         After this patch, the code will statically enforce that:
910         1. all calls to throwException() go through a ThrowScope.
911         2. all calls to clearException() go through a CatchScope.
912         3. all exception checks go through an ExceptionScope in the form of a ThrowScope
913            or CatchScope.
914
915         A Summary of how to use ExceptionScopes
916         =======================================
917         1. If a function can throw a JS exception, it should declare a ThrowScope at the
918            top of the function (as early as possible).
919
920         2. If a function can clear JS exceptions, it should declare a CatchScope at the
921            top of the function (as early as possible).
922
923         Declaring a ThrowScope in a function means that the function may throw an exception
924         that its caller will have to handle.  Declaring a CatchScope in a function means
925         that the function intends to clear pending exceptions before returning to its
926         caller. 
927
928         For more details, see the notes below.
929         
930         Everything you may want to know about ExceptionScopes
931         =====================================================
932         ExceptionScope verification works to simulate exception throws and detect cases
933         where exception checks are missing.  The notes below will cover:
934
935             1. The VM::m_needExceptionCheck bit
936             2. ThrowScopes and CatchScopes
937             3. Verification of needed exception checks
938             3. Checking Exceptions
939             4. Simulating throws
940             5. Using ThrowScope::release()
941             6. Checking exceptions with ThrowScope::exception() / CatchScope::exception()
942             7. Checking exceptions by checking callee results
943             8. Debugging verification errors
944
945         1. The VM::m_needExceptionCheck bit
946
947            The VM has a m_needExceptionCheck bit that indicates when an exception may be
948            thrown.  You can think of the m_needExceptionCheck bit being set as a simulated
949            throw.
950
951         2. ThrowScopes and CatchScopes
952
953            Only ThrowScopes may throwException.  Only CatchScopes may catchException.
954
955            Every throw site must declare a ThrowScope instance using DECLARE_THROW_SCOPE
956            at the top of its function (as early as possible) e.g.
957  
958                 void foo(...)
959                 {
960                     auto scope = DECLARE_THROW_SCOPE(vm);
961                     ...
962                     throwException(exec, scope, ...);
963                 }
964
965            Note: by convention, every throw helper function must take a ThrowScope argument
966            instead of instantiating its own ThrowScope.  This allows the throw to be
967            attributed to the client code rather than the throw helper itself.
968
969            Every catch site (i.e. a site that calls clearException()) must declare a
970            CatchScope instance using DECLARE_CATCH_SCOPE at the top of its function.
971
972            If a function can both throw or clear exceptions, then the ThrowScope should
973            be declared first so that it can simulate a throw to the function's caller.
974
975            Note: ThrowScope and CatchScope both extend ExceptionScope so that ThrowScopes
976            can be aware if there's an enclosing CatchScope between it and the point where
977            C++ code returns to JS code.  This is needed to determine if the ThrowScope
978            should simulate a re-throw or not.  See (4) below for more details on returning
979            to JS code.
980
981         3. Verification of needed exception checks
982
983            a. On construction, each ThrowScope and CatchScope will verify that
984               VM::m_needExceptionCheck is not set.
985  
986               This ensures that the caller of the current function has checked for exceptions
987               where needed before doing more work which lead to calling the current function.
988
989            b. On destruction, each ThrowScope and CatchScope will verify that
990               VM::m_needExceptionCheck is not set. This verification will be skipped if
991               the ThrowScope has been released (see (5) below).
992
993               This ensures that the function that owns this exception scope is not missing
994               any exception checks before returning.
995
996            c. When throwing an exception, the ThrowScope will verify that VM::m_needExceptionCheck
997               is not already set, unless it's been ask to rethrow the same Exception object.
998
999         4. Simulating throws
1000
1001            Throws are simulated by setting the m_needExceptionCheck bit.
1002
1003            The bit will only be set in the ThrowScope destructor except when the ThrowScope
1004            detects the caller is a LLInt or JIT function.  LLInt or JIT functions will always
1005            check for exceptions after a host C++ function returns to it.  However, they will
1006            not clear the m_needExceptionCheck bit.
1007
1008            Hence, if the ThrowScope destructor detects the caller is a LLInt or JIT function,
1009            it will just skip the setting of the bit.
1010
1011            Note: it is not needed nor correct to set the m_needExceptionCheck bit in the
1012            throwException methods.  This is because, in practice, we always return
1013            immediately after throwing an exception.  It doesn't make sense to set the bit in
1014            the throw just to have to clear it immediately after before we do verification in
1015            the ThrowScope destructor.
1016
1017         5. Using ThrowScope::release()
1018
1019            Calling release() means that the scope is released from its obligation to
1020            verify the VM::m_needExceptionCheck bit on destruction.
1021
1022            release() should only be used at the bottom of a function if:
1023
1024            a. This function is going to let its caller check and handle the exception, e.g.
1025
1026                 void foo(...)
1027                 {
1028                     auto scope = DECLARE_THROW_SCOPE(vm);
1029                     auto result = goo(); // may throw.
1030
1031                     ... // Code that will are not affected by a pending exceptions.
1032
1033                     scope.release(); // tell the ThrowScope that the caller will handle the exception.
1034                     return result;
1035                 }
1036
1037            b. This function is going to do a tail call that may throw.
1038
1039                 void foo(...)
1040                 {
1041                     auto scope = DECLARE_THROW_SCOPE(vm);
1042                     ...
1043                     scope.release(); // tell the ThrowScope that the caller will handle the exception.
1044                     return goo(); // may throw.
1045                 }
1046
1047               release() should not be used in code paths that branch. For example:
1048
1049                 void foo(...)
1050                 {
1051                     auto scope = DECLARE_THROW_SCOPE(vm);
1052
1053                     auto result = goo1(); // may throw.
1054                     scope.release(); // WRONG !!! Don't do this.
1055                     if (result)
1056                         return;
1057
1058                     result = goo2(); // may throw.
1059                     ...
1060                     return result;
1061                 }
1062
1063             The above will result in a verification error in goo2()'s ThrowScope.  The
1064             proper way to fix this verification is to do either (6) or (7) below.
1065
1066          6. Checking exceptions with ThrowScope::exception() / CatchScope::exception()
1067
1068             ThrowScope/CatchScope::exception() returns the thrown Exception object if
1069             there is one pending.  Else, it returns nullptr.
1070
1071             It also clears the m_needExceptionCheck bit thereby indicating that we've
1072             satisfied the needed exception check.  For example,
1073
1074                 void foo(...)
1075                 {
1076                     auto scope = DECLARE_THROW_SCOPE(vm);
1077
1078                     auto result = goo1(); // may throw.
1079                     if (scope.exception())
1080                         return;
1081
1082                     result = goo2(); // may throw.
1083                     ...
1084                     return result;
1085                 }
1086
1087             But sometimes, for optimization reasons, we may choose to test the result of
1088             the callee function instead doing a load of the VM exception value.  See (7)
1089             below.
1090
1091          7. Checking exceptions by checking callee results
1092
1093             This approach should only be applied when it makes a difference to performance.
1094             If we need to do this, we should add an ASSERT() that invokes the scope's
1095             exception() method to verify the result.  Since exception scope verification
1096             is only done on DEBUG builds, this ASSERT will satisfy the verification
1097             requirements without impacting performance.  For example,
1098
1099                 void foo(...)
1100                 {
1101                     auto scope = DECLARE_THROW_SCOPE(vm);
1102
1103                     bool failed = goo1(); // may throw.
1104                     ASSERT(!!scope.exception() == failed)
1105                     if (failed)
1106                         return;
1107
1108                     result = goo2(); // may throw.
1109                     ...
1110                     return result;
1111                 }
1112
1113          8. Debugging verification errors
1114
1115             a. When verification fails, you will see a message followed by an assertion
1116                failure.  For example:
1117
1118             ERROR: Unchecked JS exception:
1119                 This scope can throw a JS exception: setUpCall @ /Volumes/Data/ws6/OpenSource/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1245
1120                     (ExceptionScope::m_recursionDepth was ...)
1121                 But the exception was unchecked as of this scope: varargsSetup @ /Volumes/Data/ws6/OpenSource/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1398
1122                     (ExceptionScope::m_recursionDepth was ...)
1123                 [ backtrace here ]
1124
1125                The message tells you that failure was detected at in varargsSetup() at
1126                LLIntSlowPaths.cpp line 1398, and that the missing exception check should
1127                have happened somewhere between the call to setUpCall() at LLIntSlowPaths.cpp
1128                line 1245 and it.
1129
1130                If that is insufficient information, you can ...
1131
1132             b. Dump simulated throws
1133
1134                Re-run the test case with JSC_dumpSimulatedThrows=true.  You will also see
1135                back traces at each simulated throw.
1136
1137             c. Narrowing down the source of a simulated throw
1138
1139                Another technique for narrowing down the source of simulated throws is by
1140                further dividing a function to smaller regions by separating each region
1141                with additional local throw scopes.  For example,
1142
1143                 ... // Region 1
1144                 { auto scope = DECLARE_THROW_SCOPE(vm); }
1145                 ... // Region 2
1146                 { auto scope = DECLARE_THROW_SCOPE(vm); }
1147                 ... // Region 3
1148
1149         * API/APIUtils.h:
1150         (handleExceptionIfNeeded):
1151         * CMakeLists.txt:
1152         * JavaScriptCore.xcodeproj/project.pbxproj:
1153         * bindings/ScriptFunctionCall.cpp:
1154         (Deprecated::ScriptFunctionCall::call):
1155         * bindings/ScriptValue.cpp:
1156         (Deprecated::ScriptValue::toString):
1157         * debugger/Debugger.cpp:
1158         (JSC::Debugger::pauseIfNeeded):
1159         * debugger/DebuggerCallFrame.cpp:
1160         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
1161         * dfg/DFGOSRExitCompiler.cpp:
1162         * dfg/DFGOperations.cpp:
1163         (JSC::DFG::operationPutByValInternal):
1164         * inspector/InjectedScriptManager.cpp:
1165         (Inspector::InjectedScriptManager::createInjectedScript):
1166         * inspector/JSGlobalObjectInspectorController.cpp:
1167         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
1168         * inspector/JSInjectedScriptHost.cpp:
1169         (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
1170         (Inspector::JSInjectedScriptHost::getInternalProperties):
1171         (Inspector::JSInjectedScriptHost::weakMapEntries):
1172         (Inspector::JSInjectedScriptHost::weakSetEntries):
1173         (Inspector::JSInjectedScriptHost::iteratorEntries):
1174         * inspector/JSJavaScriptCallFrame.cpp:
1175         (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
1176         * inspector/ScriptCallStackFactory.cpp:
1177         (Inspector::extractSourceInformationFromException):
1178         * interpreter/CachedCall.h:
1179         (JSC::CachedCall::CachedCall):
1180         * interpreter/CallFrame.h:
1181         (JSC::ExecState::clearException): Deleted.
1182         (JSC::ExecState::exception): Deleted.
1183         (JSC::ExecState::hadException): Deleted.
1184         (JSC::ExecState::lastException): Deleted.
1185         (JSC::ExecState::clearLastException): Deleted.
1186         * interpreter/Interpreter.cpp:
1187         (JSC::eval):
1188         (JSC::sizeOfVarargs):
1189         (JSC::notifyDebuggerOfUnwinding):
1190         (JSC::Interpreter::unwind):
1191         (JSC::Interpreter::execute):
1192         (JSC::Interpreter::executeCall):
1193         (JSC::Interpreter::executeConstruct):
1194         (JSC::Interpreter::prepareForRepeatCall):
1195         (JSC::Interpreter::debug):
1196         * interpreter/Interpreter.h:
1197         (JSC::SuspendExceptionScope::SuspendExceptionScope):
1198         * interpreter/ShadowChicken.cpp:
1199         (JSC::ShadowChicken::functionsOnStack):
1200         * jit/JITCode.cpp:
1201         (JSC::JITCode::execute):
1202         * jit/JITExceptions.cpp:
1203         (JSC::genericUnwind):
1204         * jit/JITOperations.cpp:
1205         (JSC::getByVal):
1206         * jsc.cpp:
1207         (WTF::ImpureGetter::getOwnPropertySlot):
1208         (GlobalObject::moduleLoaderResolve):
1209         (GlobalObject::moduleLoaderFetch):
1210         (functionCreateElement):
1211         (functionRun):
1212         (functionRunString):
1213         (functionLoad):
1214         (functionLoadString):
1215         (functionReadFile):
1216         (functionCheckSyntax):
1217         (functionSetRandomSeed):
1218         (functionLoadModule):
1219         (functionCreateBuiltin):
1220         (functionCheckModuleSyntax):
1221         (functionGenerateHeapSnapshot):
1222         (functionSamplingProfilerStackTraces):
1223         (dumpException):
1224         (checkUncaughtException):
1225         (runWithScripts):
1226         (runInteractive):
1227         * llint/LLIntExceptions.cpp:
1228         (JSC::LLInt::returnToThrow):
1229         (JSC::LLInt::callToThrow):
1230         * llint/LLIntSlowPaths.cpp:
1231         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1232         * profiler/ProfilerBytecodeSequence.cpp:
1233         (JSC::Profiler::BytecodeSequence::addSequenceProperties):
1234         * profiler/ProfilerCompilation.cpp:
1235         (JSC::Profiler::Compilation::toJS):
1236         * profiler/ProfilerDatabase.cpp:
1237         (JSC::Profiler::Database::toJS):
1238         * profiler/ProfilerOSRExitSite.cpp:
1239         (JSC::Profiler::OSRExitSite::toJS):
1240         * profiler/ProfilerOriginStack.cpp:
1241         (JSC::Profiler::OriginStack::toJS):
1242         * runtime/ArrayPrototype.cpp:
1243         (JSC::speciesConstructArray):
1244         (JSC::shift):
1245         (JSC::unshift):
1246         (JSC::arrayProtoFuncToString):
1247         (JSC::arrayProtoFuncToLocaleString):
1248         (JSC::slowJoin):
1249         (JSC::fastJoin):
1250         (JSC::arrayProtoFuncJoin):
1251         (JSC::arrayProtoFuncPop):
1252         (JSC::arrayProtoFuncPush):
1253         (JSC::arrayProtoFuncReverse):
1254         (JSC::arrayProtoFuncShift):
1255         (JSC::arrayProtoFuncSlice):
1256         (JSC::arrayProtoFuncSplice):
1257         (JSC::arrayProtoFuncUnShift):
1258         (JSC::arrayProtoFuncIndexOf):
1259         (JSC::arrayProtoFuncLastIndexOf):
1260         (JSC::moveElements):
1261         (JSC::concatAppendOne):
1262         (JSC::arrayProtoPrivateFuncConcatMemcpy):
1263         * runtime/BooleanConstructor.cpp:
1264         (JSC::constructWithBooleanConstructor):
1265         * runtime/CallData.cpp:
1266         (JSC::call):
1267         * runtime/CatchScope.cpp: Added.
1268         (JSC::CatchScope::CatchScope):
1269         (JSC::CatchScope::~CatchScope):
1270         * runtime/CatchScope.h: Added.
1271         (JSC::CatchScope::clearException):
1272         (JSC::CatchScope::CatchScope):
1273         * runtime/CommonSlowPaths.cpp:
1274         (JSC::SLOW_PATH_DECL):
1275         * runtime/CommonSlowPaths.h:
1276         (JSC::CommonSlowPaths::opIn):
1277         * runtime/CommonSlowPathsExceptions.cpp:
1278         (JSC::CommonSlowPaths::interpreterThrowInCaller):
1279         * runtime/Completion.cpp:
1280         (JSC::evaluate):
1281         (JSC::rejectPromise):
1282         (JSC::loadAndEvaluateModule):
1283         (JSC::loadModule):
1284         * runtime/ConsoleObject.cpp:
1285         (JSC::consoleProtoFuncAssert):
1286         (JSC::consoleProtoFuncProfile):
1287         (JSC::consoleProtoFuncProfileEnd):
1288         (JSC::consoleProtoFuncTakeHeapSnapshot):
1289         (JSC::consoleProtoFuncTime):
1290         (JSC::consoleProtoFuncTimeEnd):
1291         * runtime/DateConstructor.cpp:
1292         (JSC::constructDate):
1293         (JSC::dateParse):
1294         * runtime/DatePrototype.cpp:
1295         (JSC::dateProtoFuncToPrimitiveSymbol):
1296         (JSC::dateProtoFuncToJSON):
1297         * runtime/ErrorConstructor.cpp:
1298         (JSC::Interpreter::constructWithErrorConstructor):
1299         * runtime/ErrorInstance.cpp:
1300         (JSC::ErrorInstance::sanitizedToString):
1301         * runtime/ErrorPrototype.cpp:
1302         (JSC::errorProtoFuncToString):
1303         * runtime/ExceptionEventLocation.cpp: Added.
1304         (WTF::printInternal):
1305         * runtime/ExceptionEventLocation.h: Copied from Source/JavaScriptCore/runtime/ThrowScopeLocation.h.
1306         (JSC::ExceptionEventLocation::ExceptionEventLocation):
1307         (JSC::ThrowScopeLocation::ThrowScopeLocation): Deleted.
1308         * runtime/ExceptionHelpers.h:
1309         * runtime/ExceptionScope.cpp: Added.
1310         (JSC::ExceptionScope::ExceptionScope):
1311         (JSC::ExceptionScope::~ExceptionScope):
1312         * runtime/ExceptionScope.h: Added.
1313         (JSC::ExceptionScope::vm):
1314         (JSC::ExceptionScope::recursionDepth):
1315         (JSC::ExceptionScope::exception):
1316         (JSC::ExceptionScope::ExceptionScope):
1317         * runtime/FunctionConstructor.cpp:
1318         (JSC::constructFunctionSkippingEvalEnabledCheck):
1319         * runtime/FunctionPrototype.cpp:
1320         (JSC::functionProtoFuncBind):
1321         * runtime/GenericArgumentsInlines.h:
1322         (JSC::GenericArguments<Type>::copyToArguments):
1323         * runtime/GetterSetter.cpp:
1324         (JSC::callGetter):
1325         * runtime/InspectorInstrumentationObject.cpp:
1326         (JSC::inspectorInstrumentationObjectLog):
1327         * runtime/InternalFunction.cpp:
1328         (JSC::InternalFunction::createSubclassStructure):
1329         * runtime/IntlCollator.cpp:
1330         (JSC::IntlCollator::initializeCollator):
1331         (JSC::IntlCollator::createCollator):
1332         (JSC::IntlCollator::resolvedOptions):
1333         * runtime/IntlCollatorConstructor.cpp:
1334         (JSC::constructIntlCollator):
1335         (JSC::IntlCollatorConstructorFuncSupportedLocalesOf):
1336         * runtime/IntlCollatorPrototype.cpp:
1337         (JSC::IntlCollatorFuncCompare):
1338         (JSC::IntlCollatorPrototypeGetterCompare):
1339         * runtime/IntlDateTimeFormat.cpp:
1340         (JSC::toDateTimeOptionsAnyDate):
1341         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
1342         (JSC::IntlDateTimeFormat::resolvedOptions):
1343         (JSC::IntlDateTimeFormat::format):
1344         * runtime/IntlDateTimeFormatConstructor.cpp:
1345         (JSC::constructIntlDateTimeFormat):
1346         (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf):
1347         * runtime/IntlDateTimeFormatPrototype.cpp:
1348         (JSC::IntlDateTimeFormatFuncFormatDateTime):
1349         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
1350         * runtime/IntlNumberFormat.cpp:
1351         (JSC::IntlNumberFormat::initializeNumberFormat):
1352         (JSC::IntlNumberFormat::createNumberFormat):
1353         (JSC::IntlNumberFormat::resolvedOptions):
1354         * runtime/IntlNumberFormatConstructor.cpp:
1355         (JSC::constructIntlNumberFormat):
1356         (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf):
1357         * runtime/IntlNumberFormatPrototype.cpp:
1358         (JSC::IntlNumberFormatFuncFormatNumber):
1359         (JSC::IntlNumberFormatPrototypeGetterFormat):
1360         * runtime/IntlObject.cpp:
1361         (JSC::intlBooleanOption):
1362         (JSC::intlStringOption):
1363         (JSC::intlNumberOption):
1364         (JSC::canonicalizeLocaleList):
1365         (JSC::supportedLocales):
1366         * runtime/IntlObjectInlines.h:
1367         (JSC::constructIntlInstanceWithWorkaroundForLegacyIntlConstructor):
1368         * runtime/IteratorOperations.cpp:
1369         (JSC::iteratorNext):
1370         (JSC::iteratorStep):
1371         (JSC::iteratorClose):
1372         (JSC::iteratorForIterable):
1373         * runtime/IteratorOperations.h:
1374         (JSC::forEachInIterable):
1375         * runtime/JSArray.cpp:
1376         (JSC::JSArray::pop):
1377         (JSC::JSArray::push):
1378         (JSC::JSArray::copyToArguments):
1379         * runtime/JSArrayBufferConstructor.cpp:
1380         (JSC::constructArrayBuffer):
1381         * runtime/JSArrayBufferPrototype.cpp:
1382         (JSC::arrayBufferProtoFuncSlice):
1383         * runtime/JSArrayInlines.h:
1384         (JSC::getLength):
1385         (JSC::toLength):
1386         * runtime/JSBoundFunction.cpp:
1387         (JSC::getBoundFunctionStructure):
1388         (JSC::JSBoundFunction::create):
1389         * runtime/JSCJSValue.cpp:
1390         (JSC::JSValue::putToPrimitive):
1391         (JSC::JSValue::putToPrimitiveByIndex):
1392         (JSC::JSValue::toStringSlowCase):
1393         * runtime/JSCJSValueInlines.h:
1394         (JSC::toPreferredPrimitiveType):
1395         (JSC::JSValue::getPropertySlot):
1396         (JSC::JSValue::equalSlowCaseInline):
1397         * runtime/JSDataViewPrototype.cpp:
1398         (JSC::getData):
1399         (JSC::setData):
1400         * runtime/JSFunction.cpp:
1401         (JSC::JSFunction::setFunctionName):
1402         * runtime/JSGenericTypedArrayView.h:
1403         (JSC::JSGenericTypedArrayView::setIndex):
1404         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1405         (JSC::constructGenericTypedArrayViewFromIterator):
1406         (JSC::constructGenericTypedArrayViewWithArguments):
1407         (JSC::constructGenericTypedArrayView):
1408         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1409         (JSC::speciesConstruct):
1410         (JSC::genericTypedArrayViewProtoFuncCopyWithin):
1411         (JSC::genericTypedArrayViewProtoFuncIncludes):
1412         (JSC::genericTypedArrayViewProtoFuncIndexOf):
1413         (JSC::genericTypedArrayViewProtoFuncJoin):
1414         (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
1415         (JSC::genericTypedArrayViewProtoFuncSlice):
1416         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
1417         * runtime/JSGlobalObject.h:
1418         (JSC::constructEmptyArray):
1419         (JSC::constructArray):
1420         (JSC::constructArrayNegativeIndexed):
1421         * runtime/JSGlobalObjectFunctions.cpp:
1422         (JSC::globalFuncEval):
1423         * runtime/JSJob.cpp:
1424         (JSC::JSJobMicrotask::run):
1425         * runtime/JSModuleEnvironment.cpp:
1426         (JSC::JSModuleEnvironment::getOwnPropertySlot):
1427         * runtime/JSModuleLoader.cpp:
1428         (JSC::JSModuleLoader::fetch):
1429         * runtime/JSModuleNamespaceObject.cpp:
1430         (JSC::JSModuleNamespaceObject::finishCreation):
1431         (JSC::JSModuleNamespaceObject::getOwnPropertySlot):
1432         * runtime/JSModuleRecord.cpp:
1433         (JSC::JSModuleRecord::instantiateDeclarations):
1434         * runtime/JSONObject.cpp:
1435         (JSC::Stringifier::Stringifier):
1436         (JSC::Stringifier::stringify):
1437         (JSC::Stringifier::toJSON):
1438         (JSC::Stringifier::appendStringifiedValue):
1439         (JSC::Stringifier::Holder::appendNextProperty):
1440         (JSC::Walker::walk):
1441         (JSC::JSONProtoFuncParse):
1442         * runtime/JSObject.cpp:
1443         (JSC::ordinarySetSlow):
1444         (JSC::JSObject::setPrototypeWithCycleCheck):
1445         (JSC::callToPrimitiveFunction):
1446         (JSC::JSObject::ordinaryToPrimitive):
1447         (JSC::JSObject::defaultHasInstance):
1448         (JSC::JSObject::getPropertyNames):
1449         (JSC::JSObject::toNumber):
1450         (JSC::JSObject::toString):
1451         (JSC::JSObject::defineOwnNonIndexProperty):
1452         (JSC::JSObject::getGenericPropertyNames):
1453         (JSC::JSObject::getMethod):
1454         * runtime/JSObjectInlines.h:
1455         (JSC::createListFromArrayLike):
1456         (JSC::JSObject::getPropertySlot):
1457         (JSC::JSObject::getNonIndexPropertySlot):
1458         * runtime/JSPromiseConstructor.cpp:
1459         (JSC::constructPromise):
1460         * runtime/JSPropertyNameEnumerator.h:
1461         (JSC::propertyNameEnumerator):
1462         * runtime/JSPropertyNameIterator.cpp:
1463         (JSC::JSPropertyNameIterator::create):
1464         * runtime/JSScope.cpp:
1465         (JSC::isUnscopable):
1466         (JSC::JSScope::resolve):
1467         * runtime/JSString.cpp:
1468         (JSC::JSString::equalSlowCase):
1469         * runtime/JSStringJoiner.cpp:
1470         (JSC::JSStringJoiner::join):
1471         * runtime/LiteralParser.cpp:
1472         (JSC::LiteralParser<CharType>::parse):
1473         * runtime/MapConstructor.cpp:
1474         (JSC::constructMap):
1475         * runtime/MathObject.cpp:
1476         (JSC::mathProtoFuncClz32):
1477         (JSC::mathProtoFuncHypot):
1478         (JSC::mathProtoFuncIMul):
1479         * runtime/ModuleLoaderPrototype.cpp:
1480         (JSC::moduleLoaderPrototypeParseModule):
1481         (JSC::moduleLoaderPrototypeRequestedModules):
1482         (JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
1483         * runtime/NativeErrorConstructor.cpp:
1484         (JSC::Interpreter::constructWithNativeErrorConstructor):
1485         * runtime/NumberConstructor.cpp:
1486         (JSC::constructWithNumberConstructor):
1487         * runtime/ObjectConstructor.cpp:
1488         (JSC::constructObject):
1489         (JSC::objectConstructorGetPrototypeOf):
1490         (JSC::objectConstructorSetPrototypeOf):
1491         (JSC::objectConstructorGetOwnPropertyDescriptor):
1492         (JSC::objectConstructorGetOwnPropertyDescriptors):
1493         (JSC::objectConstructorGetOwnPropertyNames):
1494         (JSC::objectConstructorGetOwnPropertySymbols):
1495         (JSC::objectConstructorKeys):
1496         (JSC::ownEnumerablePropertyKeys):
1497         (JSC::toPropertyDescriptor):
1498         (JSC::objectConstructorDefineProperty):
1499         (JSC::defineProperties):
1500         (JSC::objectConstructorSeal):
1501         (JSC::objectConstructorFreeze):
1502         (JSC::objectConstructorIsSealed):
1503         (JSC::objectConstructorIsFrozen):
1504         (JSC::objectConstructorIsExtensible):
1505         (JSC::ownPropertyKeys):
1506         * runtime/ObjectConstructor.h:
1507         (JSC::constructObjectFromPropertyDescriptor):
1508         * runtime/ObjectPrototype.cpp:
1509         (JSC::objectProtoFuncHasOwnProperty):
1510         (JSC::objectProtoFuncIsPrototypeOf):
1511         (JSC::objectProtoFuncDefineGetter):
1512         (JSC::objectProtoFuncDefineSetter):
1513         (JSC::objectProtoFuncLookupGetter):
1514         (JSC::objectProtoFuncLookupSetter):
1515         (JSC::objectProtoFuncPropertyIsEnumerable):
1516         (JSC::objectProtoFuncToLocaleString):
1517         (JSC::objectProtoFuncToString):
1518         * runtime/Operations.cpp:
1519         (JSC::jsAddSlowCase):
1520         * runtime/Options.h:
1521         * runtime/PropertyDescriptor.cpp:
1522         (JSC::PropertyDescriptor::slowGetterSetter):
1523         * runtime/ProxyConstructor.cpp:
1524         (JSC::makeRevocableProxy):
1525         * runtime/ProxyObject.cpp:
1526         (JSC::ProxyObject::toStringName):
1527         (JSC::performProxyGet):
1528         (JSC::ProxyObject::performGet):
1529         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1530         (JSC::ProxyObject::performHasProperty):
1531         (JSC::ProxyObject::performPut):
1532         (JSC::ProxyObject::putByIndexCommon):
1533         (JSC::performProxyCall):
1534         (JSC::performProxyConstruct):
1535         (JSC::ProxyObject::performDelete):
1536         (JSC::ProxyObject::performPreventExtensions):
1537         (JSC::ProxyObject::performIsExtensible):
1538         (JSC::ProxyObject::performDefineOwnProperty):
1539         (JSC::ProxyObject::performGetOwnPropertyNames):
1540         (JSC::ProxyObject::performSetPrototype):
1541         (JSC::ProxyObject::performGetPrototype):
1542         * runtime/ReflectObject.cpp:
1543         (JSC::reflectObjectConstruct):
1544         (JSC::reflectObjectDefineProperty):
1545         (JSC::reflectObjectGet):
1546         (JSC::reflectObjectGetOwnPropertyDescriptor):
1547         (JSC::reflectObjectIsExtensible):
1548         (JSC::reflectObjectPreventExtensions):
1549         (JSC::reflectObjectSet):
1550         (JSC::reflectObjectSetPrototypeOf):
1551         * runtime/RegExpConstructor.cpp:
1552         (JSC::toFlags):
1553         (JSC::regExpCreate):
1554         (JSC::constructRegExp):
1555         * runtime/RegExpConstructor.h:
1556         (JSC::isRegExp):
1557         * runtime/RegExpObject.cpp:
1558         (JSC::collectMatches):
1559         (JSC::RegExpObject::matchGlobal):
1560         * runtime/RegExpPrototype.cpp:
1561         (JSC::regExpProtoFuncCompile):
1562         (JSC::flagsString):
1563         (JSC::regExpProtoFuncToString):
1564         (JSC::regExpProtoGetterFlags):
1565         (JSC::regExpProtoFuncSearchFast):
1566         (JSC::regExpProtoFuncSplitFast):
1567         * runtime/SetConstructor.cpp:
1568         (JSC::constructSet):
1569         * runtime/StringConstructor.cpp:
1570         (JSC::stringFromCodePoint):
1571         (JSC::constructWithStringConstructor):
1572         * runtime/StringObject.cpp:
1573         (JSC::StringObject::defineOwnProperty):
1574         * runtime/StringPrototype.cpp:
1575         (JSC::replaceUsingRegExpSearch):
1576         (JSC::operationStringProtoFuncReplaceRegExpEmptyStr):
1577         (JSC::replaceUsingStringSearch):
1578         (JSC::replace):
1579         (JSC::stringProtoFuncReplaceUsingRegExp):
1580         (JSC::stringProtoFuncReplaceUsingStringSearch):
1581         (JSC::stringProtoFuncCodePointAt):
1582         (JSC::stringProtoFuncSlice):
1583         (JSC::stringProtoFuncSplitFast):
1584         (JSC::stringProtoFuncSubstr):
1585         (JSC::stringProtoFuncSubstring):
1586         (JSC::stringProtoFuncLocaleCompare):
1587         (JSC::toLocaleCase):
1588         (JSC::stringProtoFuncBig):
1589         (JSC::stringProtoFuncSmall):
1590         (JSC::stringProtoFuncBlink):
1591         (JSC::stringProtoFuncBold):
1592         (JSC::stringProtoFuncFixed):
1593         (JSC::stringProtoFuncItalics):
1594         (JSC::stringProtoFuncStrike):
1595         (JSC::stringProtoFuncSub):
1596         (JSC::stringProtoFuncSup):
1597         (JSC::stringProtoFuncFontcolor):
1598         (JSC::stringProtoFuncFontsize):
1599         (JSC::stringProtoFuncAnchor):
1600         (JSC::stringProtoFuncLink):
1601         (JSC::trimString):
1602         (JSC::stringProtoFuncStartsWith):
1603         (JSC::stringProtoFuncEndsWith):
1604         (JSC::stringIncludesImpl):
1605         (JSC::stringProtoFuncIncludes):
1606         (JSC::builtinStringIncludesInternal):
1607         (JSC::stringProtoFuncNormalize):
1608         * runtime/SymbolConstructor.cpp:
1609         (JSC::symbolConstructorFor):
1610         * runtime/TemplateRegistry.cpp:
1611         (JSC::TemplateRegistry::getTemplateObject):
1612         * runtime/ThrowScope.cpp:
1613         (JSC::ThrowScope::ThrowScope):
1614         (JSC::ThrowScope::~ThrowScope):
1615         (JSC::ThrowScope::throwException):
1616         (JSC::ThrowScope::simulateThrow):
1617         (JSC::ThrowScope::printIfNeedCheck): Deleted.
1618         (JSC::ThrowScope::verifyExceptionCheckNeedIsSatisfied): Deleted.
1619         * runtime/ThrowScope.h:
1620         (JSC::ThrowScope::release):
1621         (JSC::ThrowScope::ThrowScope):
1622         (JSC::ThrowScope::throwException):
1623         (JSC::ThrowScope::vm): Deleted.
1624         (JSC::ThrowScope::exception): Deleted.
1625         * runtime/ThrowScopeLocation.h: Removed.
1626         * runtime/VM.cpp:
1627         (JSC::VM::verifyExceptionCheckNeedIsSatisfied):
1628         * runtime/VM.h:
1629         (JSC::VM::exception):
1630         (JSC::VM::clearException):
1631         (JSC::VM::setException): Deleted.
1632         * runtime/WeakMapConstructor.cpp:
1633         (JSC::constructWeakMap):
1634         * runtime/WeakSetConstructor.cpp:
1635         (JSC::constructWeakSet):
1636         * tools/JSDollarVMPrototype.cpp:
1637         (JSC::functionPrint):
1638
1639 2016-09-07  Andy VanWagoner  <thetalecrafter@gmail.com>
1640
1641         [INTL] some valid language tags cause errors in Intl constructors
1642         https://bugs.webkit.org/show_bug.cgi?id=161672
1643
1644         Reviewed by Mark Lam.
1645
1646         Fix private use tag parsing to match spec, allowing single character parts.
1647         https://www.rfc-editor.org/rfc/bcp/bcp47.txt
1648
1649         ```
1650         privateuse    = "x" 1*("-" (1*8alphanum))
1651         ```
1652
1653         * runtime/IntlObject.cpp:
1654         (JSC::privateUseLangTag): Allow singleton parts in private use tag.
1655
1656 2016-09-07  Benjamin Poulain  <bpoulain@apple.com>
1657
1658         [JSC] Remove a couple of useless forward declaration
1659         https://bugs.webkit.org/show_bug.cgi?id=161676
1660
1661         Reviewed by Mark Lam.
1662
1663         JITMathICForwards.h should take care of declarating the Math ICs.
1664
1665         * bytecode/CodeBlock.h:
1666         * jit/JITOperations.h:
1667
1668 2016-09-07  Filip Pizlo  <fpizlo@apple.com>
1669
1670         Make emitAllocateWithNonNullAllocator's sub32() disallow-scratch-friendly
1671         https://bugs.webkit.org/show_bug.cgi?id=161706
1672
1673         Reviewed by Geoffrey Garen.
1674         
1675         You can't sub32(Addr, Reg) on not-x86 without using a scratch register. So, on those CPUs, we
1676         have to do something different.
1677
1678         * jit/AssemblyHelpers.h:
1679         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
1680
1681 2016-09-07  Michael Catanzaro  <mcatanzaro@igalia.com>
1682
1683         Unreviewed CMake build fix after r205552
1684
1685         * CMakeLists.txt:
1686
1687 2016-09-03  Keith Miller  <keith_miller@apple.com>
1688
1689         Add support for WASM Loops and Branches
1690         https://bugs.webkit.org/show_bug.cgi?id=161569
1691
1692         Reviewed by Benjamin Poulain.
1693
1694         This patch adds support for loops and branches to WASM. In order
1695         to support loops, we needed to change the way the B3IRGenerator
1696         tracked control information. Now, the control data holds three
1697         pieces of information: The continuation block, the loop branch
1698         target, and variables exiting the block. Whenever we branch to
1699         some control point we first check if it is a loop by checking that
1700         the loop branch target is non-null. If the branch is not targeting
1701         a loop, we map the stack values to the associated B3 variables for
1702         that stack slot.
1703
1704         Another interesting thing of note is that we now only allocate the
1705         continuation basic block lazily. This is beneficial when the
1706         continuation would just fall through to another block anyway. For
1707         example, in code like: (block ... (block (add 1 2) end) end) the
1708         continuation for the inner block just falls through to the outer
1709         block's continuation so we don't need an extra block.
1710
1711         * B3CallingConventions.cpp:
1712         (JSC::B3::jscCallingConvention): Deleted.
1713         * B3CallingConventions.h:
1714         (JSC::B3::CallingConvention::CallingConvention): Deleted.
1715         (JSC::B3::CallingConvention::iterate): Deleted.
1716         (JSC::B3::nextJSCOffset): Deleted.
1717         * JavaScriptCore.xcodeproj/project.pbxproj:
1718         * b3/B3Type.h:
1719         * testWASM.cpp:
1720         (runWASMTests):
1721         * wasm/WASMB3IRGenerator.cpp:
1722         (JSC::WASM::B3IRGenerator::LazyBlock::LazyBlock):
1723         (JSC::WASM::B3IRGenerator::LazyBlock::operator bool):
1724         (JSC::WASM::B3IRGenerator::LazyBlock::get):
1725         (JSC::WASM::B3IRGenerator::LazyBlock::dump):
1726         (JSC::WASM::B3IRGenerator::ControlData::ControlData):
1727         (JSC::WASM::B3IRGenerator::ControlData::dump):
1728         (JSC::WASM::B3IRGenerator::ControlData::targetBlockForBranch):
1729         (JSC::WASM::B3IRGenerator::ControlData::isLoop):
1730         (JSC::WASM::B3IRGenerator::addLocal):
1731         (JSC::WASM::B3IRGenerator::addArguments):
1732         (JSC::WASM::B3IRGenerator::setLocal):
1733         (JSC::WASM::B3IRGenerator::addBlock):
1734         (JSC::WASM::B3IRGenerator::addLoop):
1735         (JSC::WASM::B3IRGenerator::endBlock):
1736         (JSC::WASM::B3IRGenerator::addReturn):
1737         (JSC::WASM::B3IRGenerator::addBranch):
1738         (JSC::WASM::B3IRGenerator::initializeIncommingTypes):
1739         (JSC::WASM::B3IRGenerator::unifyValuesWithBlock):
1740         (JSC::WASM::B3IRGenerator::controlDataForLevel):
1741         (JSC::WASM::B3IRGenerator::dumpGraphAndControlStack):
1742         (JSC::WASM::parseAndCompile):
1743         (JSC::WASM::B3IRGenerator::unifyValuesWithLevel): Deleted.
1744         (JSC::WASM::B3IRGenerator::stackForControlLevel): Deleted.
1745         (JSC::WASM::B3IRGenerator::blockForControlLevel): Deleted.
1746         * wasm/WASMCallingConvention.cpp: Renamed from Source/JavaScriptCore/B3CallingConventions.cpp.
1747         (JSC::WASM::jscCallingConvention):
1748         * wasm/WASMCallingConvention.h: Renamed from Source/JavaScriptCore/B3CallingConventions.h.
1749         (JSC::WASM::CallingConvention::CallingConvention):
1750         (JSC::WASM::CallingConvention::iterate):
1751         (JSC::WASM::nextJSCOffset):
1752         * wasm/WASMFormat.h:
1753         (JSC::WASM::toB3Type):
1754         (JSC::WASM::isValueType):
1755         * wasm/WASMFunctionParser.h:
1756         (JSC::WASM::FunctionParser<Context>::parse):
1757         (JSC::WASM::FunctionParser<Context>::parseExpression):
1758         * wasm/WASMModuleParser.cpp:
1759         (JSC::WASM::ModuleParser::parseFunctionTypes):
1760         * wasm/WASMOps.h:
1761
1762 2016-09-07  Youenn Fablet  <youenn@apple.com>
1763
1764         [Streams API] Separate compile flag for ReadableStream and WritableStream
1765         https://bugs.webkit.org/show_bug.cgi?id=161044
1766
1767         Reviewed by Alex Christensen.
1768
1769         Moving from STREAMS_API to READABLE_STREAM_API and WRITABLE_STREAM_API compilation flags.
1770         Updated builtin test to cover the case of @conditional taking ENABLE(XX) || ENABLE(YY) flag.
1771
1772         * Configurations/FeatureDefines.xcconfig:
1773         * Scripts/tests/builtins/WebCore-GuardedInternalBuiltin-Separate.js:
1774         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
1775         * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
1776
1777 2016-09-07  Csaba Osztrogon√°c  <ossy@webkit.org>
1778
1779         Fix the ENABLE(WEBASSEMBLY) build on Linux
1780         https://bugs.webkit.org/show_bug.cgi?id=161685
1781
1782         Unreviewed buildfix.
1783
1784         * wasm/JSWASMModule.cpp:
1785
1786 2016-09-06  Saam Barati  <sbarati@apple.com>
1787
1788         ProxyObject's structure should not have ObjectPrototype as its prototype and it should not have special behavior for intercepting "__proto__"
1789         https://bugs.webkit.org/show_bug.cgi?id=161558
1790
1791         Reviewed by Benjamin Poulain.
1792
1793         ProxyObject had ObjectPrototype as its direct prototype.
1794         This could lead to infinite loops when doing a getDirectPrototype()
1795         loop.
1796
1797         Fixing this bug revealed another bug, which I made when implementing Proxy.
1798         We should not special case "__proto__" in get and set for Proxy Object's
1799         hooks. "__proto__" should just go through the normal set and get path.
1800
1801         * runtime/JSGlobalObject.cpp:
1802         (JSC::JSGlobalObject::init):
1803         * runtime/ProxyObject.cpp:
1804         (JSC::performProxyGet):
1805         (JSC::ProxyObject::put):
1806
1807 2016-09-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1808
1809         Make JSC::PrivateName copyable
1810         https://bugs.webkit.org/show_bug.cgi?id=161666
1811
1812         Reviewed by Ryosuke Niwa.
1813
1814         Define the custom copy constructor to make PrivateName copyable while using Ref<SymbolImpl>.
1815         And since the custom copy constructor deletes the default move constructor, we explcitly define
1816         it by `= default;`.
1817
1818         * runtime/PrivateName.h:
1819         (JSC::PrivateName::PrivateName):
1820
1821 2016-09-06  Daniel Bates  <dabates@apple.com>
1822
1823         [iOS] Build fails in JSCLLIntOffsetsExtractor - Ad Hoc code signing is not allowed with SDK 'Simulator - iOS 10.0'
1824         https://bugs.webkit.org/show_bug.cgi?id=161296
1825
1826         Reviewed by Dan Bernstein.
1827
1828         Allow ad-hoc code signing when building JavaScriptCore command line tools for simulator
1829         with the iOS 10 beta SDK.
1830
1831         * Configurations/Base.xcconfig:
1832
1833 2016-09-06  Saam Barati  <sbarati@apple.com>
1834
1835         Unreviewed build fix for 32-bit platforms after r205520.
1836
1837         * dfg/DFGSpeculativeJIT.h:
1838         (JSC::DFG::SpeculativeJIT::callOperation): Deleted.
1839
1840 2016-09-06  Saam Barati  <sbarati@apple.com>
1841
1842         Member call on NULL pointer in JavaScriptCore/dfg/DFGAbstractInterpretterInlines.h
1843         https://bugs.webkit.org/show_bug.cgi?id=160870
1844
1845         Reviewed by Darin Adler.
1846
1847         Credit goes to Jonathan Bedard for finding this bug using the undefined
1848         behavior sanitizer.
1849
1850         The rule for MaterializeNewObject inside AI was assuming that the graph
1851         is in SSA form. This used to be true when MaterializeNewObject was only
1852         inserted by the allocation sinking phase. However, Filip added more uses
1853         of MaterializeNewObject in his RegExp constant folding patch. This fixes
1854         the bug by using the structure set inside the Node's OpInfo rather than
1855         generating it from m_phiChildren inside AI.
1856
1857         * dfg/DFGAbstractInterpreterInlines.h:
1858         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1859
1860 2016-09-06  Saam Barati  <sbarati@apple.com>
1861
1862         Make JSMap and JSSet faster
1863         https://bugs.webkit.org/show_bug.cgi?id=160989
1864
1865         Reviewed by Filip Pizlo.
1866
1867         This patch revamps how we implement Map and Set. It uses
1868         a new hash map implementation. The hash map uses linear
1869         probing and it uses Wang's 64 bit hash function for JSValues
1870         that aren't strings. Strings use StringImpl's hash function.
1871         The reason I wanted to roll our own HashTable is twofold:
1872         I didn't want to inline WTF::HashMap's implementation into our
1873         JIT, since that seems error prone and unmaintainable. Also, I wanted
1874         a different structure for hash map buckets where buckets also exist in
1875         a linked list.
1876
1877         The reason for making buckets part of a linked list is that iteration
1878         is now simple. Iteration works by just traversing a linked list.
1879         This design also allows for a simple implementation when doing iteration
1880         while the hash table is mutating. Whenever we remove a bucket from
1881         the hash table, it is removed from the list, meaning items in the
1882         list don't point to it. However, the removed bucket will still point
1883         to things that are either in the list, or have also been removed.
1884         e.g, from a removed bucket, you can always follow pointers until you
1885         either find an item in the list, or you find the tail of the list.
1886         This is a really nice property because it means that a Map or Set
1887         does not need to reason about the all the iterators that point
1888         into its list. Also, whenever we add items to the Map or Set, we
1889         hijack the tail as the new item, and make the new item point to a newly
1890         created tail. This means that any iterator that pointed to the "tail" now
1891         points to non-tail items. This makes the implementation of adding things
1892         to the Map/Set while iterating easy.
1893
1894         I also made Map.prototype.get, Map.prototype.has, and Set.prototype.has
1895         into intrinsics in the DFG. The IR can now reason about hash map
1896         operations and can even do CSE over Wang's hash function, hash map
1897         bucket lookups, hash map bucket loads, and testing if a key is in
1898         the hash table. This makes code patterns for Map like so, super fast
1899         in the FTL, since we will only be doing a single hash and hash bucket lookup:
1900
1901         ```
1902         function getKeyIfPresent(map, key) {
1903             if (map.has(key))
1904                 return map.get(key);
1905         }
1906         ```
1907
1908         This patch is roughly an 8% speedup on ES6SampleBench.
1909
1910
1911         * CMakeLists.txt:
1912         * JavaScriptCore.xcodeproj/project.pbxproj:
1913         * assembler/MacroAssemblerARM64.h:
1914         (JSC::MacroAssemblerARM64::not64):
1915         * bytecode/SpeculatedType.cpp:
1916         (JSC::speculationFromClassInfo):
1917         * bytecode/SpeculatedType.h:
1918         * dfg/DFGAbstractInterpreterInlines.h:
1919         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1920         (JSC::DFG::AbstractInterpreter<AbstractStateType>::execute):
1921         * dfg/DFGByteCodeParser.cpp:
1922         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1923         * dfg/DFGClobberize.h:
1924         (JSC::DFG::clobberize):
1925         * dfg/DFGDoesGC.cpp:
1926         (JSC::DFG::doesGC):
1927         * dfg/DFGEdge.h:
1928         (JSC::DFG::Edge::shift):
1929         (JSC::DFG::Edge::makeWord):
1930         * dfg/DFGFixupPhase.cpp:
1931         (JSC::DFG::FixupPhase::fixupNode):
1932         * dfg/DFGHeapLocation.cpp:
1933         (WTF::printInternal):
1934         * dfg/DFGHeapLocation.h:
1935         * dfg/DFGNode.h:
1936         (JSC::DFG::Node::hasHeapPrediction):
1937         * dfg/DFGNodeType.h:
1938         * dfg/DFGOperations.cpp:
1939         * dfg/DFGOperations.h:
1940         * dfg/DFGPredictionPropagationPhase.cpp:
1941         * dfg/DFGSafeToExecute.h:
1942         (JSC::DFG::SafeToExecuteEdge::operator()):
1943         (JSC::DFG::safeToExecute):
1944         * dfg/DFGSpeculativeJIT.cpp:
1945         (JSC::DFG::SpeculativeJIT::speculateMapObject):
1946         (JSC::DFG::SpeculativeJIT::speculateSetObject):
1947         (JSC::DFG::SpeculativeJIT::speculate):
1948         * dfg/DFGSpeculativeJIT.h:
1949         (JSC::DFG::SpeculativeJIT::callOperation):
1950         * dfg/DFGSpeculativeJIT32_64.cpp:
1951         (JSC::DFG::SpeculativeJIT::compile):
1952         * dfg/DFGSpeculativeJIT64.cpp:
1953         (JSC::DFG::SpeculativeJIT::compile):
1954         * dfg/DFGUseKind.cpp:
1955         (WTF::printInternal):
1956         * dfg/DFGUseKind.h:
1957         (JSC::DFG::typeFilterFor):
1958         (JSC::DFG::isCell):
1959         * ftl/FTLAbstractHeapRepository.h:
1960         * ftl/FTLCapabilities.cpp:
1961         (JSC::FTL::canCompile):
1962         * ftl/FTLLowerDFGToB3.cpp:
1963         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1964         (JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
1965         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
1966         (JSC::FTL::DFG::LowerDFGToB3::compileLoadFromJSMapBucket):
1967         (JSC::FTL::DFG::LowerDFGToB3::compileIsNonEmptyMapBucket):
1968         (JSC::FTL::DFG::LowerDFGToB3::lowMapObject):
1969         (JSC::FTL::DFG::LowerDFGToB3::lowSetObject):
1970         (JSC::FTL::DFG::LowerDFGToB3::lowMapBucket):
1971         (JSC::FTL::DFG::LowerDFGToB3::speculate):
1972         (JSC::FTL::DFG::LowerDFGToB3::speculateMapObject):
1973         (JSC::FTL::DFG::LowerDFGToB3::speculateSetObject):
1974         (JSC::FTL::DFG::LowerDFGToB3::setMapBucket):
1975         (JSC::FTL::DFG::LowerDFGToB3::lowRegExpObject): Deleted.
1976         (JSC::FTL::DFG::LowerDFGToB3::lowStorage): Deleted.
1977         (JSC::FTL::DFG::LowerDFGToB3::speculateRegExpObject): Deleted.
1978         (JSC::FTL::DFG::LowerDFGToB3::setStorage): Deleted.
1979         * jit/AssemblyHelpers.cpp:
1980         (JSC::AssemblyHelpers::wangsInt64Hash):
1981         * jit/AssemblyHelpers.h:
1982         (JSC::AssemblyHelpers::emitAllocateDestructibleObject): Deleted.
1983         * jit/JITOperations.h:
1984         * parser/ModuleAnalyzer.cpp:
1985         (JSC::ModuleAnalyzer::ModuleAnalyzer):
1986         * runtime/HashMapImpl.cpp: Added.
1987         (JSC::HashMapBucket<Data>::visitChildren):
1988         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
1989         (JSC::HashMapImpl<HashMapBucket>::copyBackingStore):
1990         * runtime/HashMapImpl.h: Added.
1991         (JSC::HashMapBucket::selectStructure):
1992         (JSC::HashMapBucket::createStructure):
1993         (JSC::HashMapBucket::create):
1994         (JSC::HashMapBucket::HashMapBucket):
1995         (JSC::HashMapBucket::setNext):
1996         (JSC::HashMapBucket::setPrev):
1997         (JSC::HashMapBucket::setKey):
1998         (JSC::HashMapBucket::setValue):
1999         (JSC::HashMapBucket::key):
2000         (JSC::HashMapBucket::value):
2001         (JSC::HashMapBucket::next):
2002         (JSC::HashMapBucket::prev):
2003         (JSC::HashMapBucket::deleted):
2004         (JSC::HashMapBucket::setDeleted):
2005         (JSC::HashMapBucket::offsetOfKey):
2006         (JSC::HashMapBucket::offsetOfValue):
2007         (JSC::HashMapBuffer::allocationSize):
2008         (JSC::HashMapBuffer::buffer):
2009         (JSC::HashMapBuffer::create):
2010         (JSC::areKeysEqual):
2011         (JSC::normalizeMapKey):
2012         (JSC::jsMapHash):
2013         (JSC::HashMapImpl::selectStructure):
2014         (JSC::HashMapImpl::createStructure):
2015         (JSC::HashMapImpl::create):
2016         (JSC::HashMapImpl::HashMapImpl):
2017         (JSC::HashMapImpl::buffer):
2018         (JSC::HashMapImpl::finishCreation):
2019         (JSC::HashMapImpl::emptyValue):
2020         (JSC::HashMapImpl::isEmpty):
2021         (JSC::HashMapImpl::deletedValue):
2022         (JSC::HashMapImpl::isDeleted):
2023         (JSC::HashMapImpl::findBucket):
2024         (JSC::HashMapImpl::get):
2025         (JSC::HashMapImpl::has):
2026         (JSC::HashMapImpl::add):
2027         (JSC::HashMapImpl::remove):
2028         (JSC::HashMapImpl::size):
2029         (JSC::HashMapImpl::clear):
2030         (JSC::HashMapImpl::bufferSizeInBytes):
2031         (JSC::HashMapImpl::offsetOfBuffer):
2032         (JSC::HashMapImpl::offsetOfCapacity):
2033         (JSC::HashMapImpl::head):
2034         (JSC::HashMapImpl::tail):
2035         (JSC::HashMapImpl::approximateSize):
2036         (JSC::HashMapImpl::findBucketAlreadyHashedAndNormalized):
2037         (JSC::HashMapImpl::rehash):
2038         (JSC::HashMapImpl::makeAndSetNewBuffer):
2039         * runtime/Intrinsic.h:
2040         * runtime/JSCJSValue.h:
2041         * runtime/JSCJSValueInlines.h:
2042         (JSC::sameValue):
2043         * runtime/JSGlobalObject.cpp:
2044         (JSC::JSGlobalObject::init):
2045         * runtime/JSMap.cpp:
2046         (JSC::JSMap::destroy): Deleted.
2047         (JSC::JSMap::estimatedSize): Deleted.
2048         (JSC::JSMap::visitChildren): Deleted.
2049         (JSC::JSMap::copyBackingStore): Deleted.
2050         (JSC::JSMap::has): Deleted.
2051         (JSC::JSMap::size): Deleted.
2052         (JSC::JSMap::get): Deleted.
2053         (JSC::JSMap::set): Deleted.
2054         (JSC::JSMap::clear): Deleted.
2055         (JSC::JSMap::remove): Deleted.
2056         * runtime/JSMap.h:
2057         (JSC::JSMap::createStructure):
2058         (JSC::JSMap::create):
2059         (JSC::JSMap::get):
2060         (JSC::JSMap::set):
2061         (JSC::JSMap::JSMap):
2062         (JSC::JSMap::Entry::key): Deleted.
2063         (JSC::JSMap::Entry::value): Deleted.
2064         (JSC::JSMap::Entry::visitChildren): Deleted.
2065         (JSC::JSMap::Entry::setKey): Deleted.
2066         (JSC::JSMap::Entry::setKeyWithoutWriteBarrier): Deleted.
2067         (JSC::JSMap::Entry::setValue): Deleted.
2068         (JSC::JSMap::Entry::clear): Deleted.
2069         * runtime/JSMapIterator.cpp:
2070         (JSC::JSMapIterator::finishCreation):
2071         (JSC::JSMapIterator::visitChildren):
2072         (JSC::JSMapIterator::clone):
2073         * runtime/JSMapIterator.h:
2074         (JSC::JSMapIterator::advanceIter):
2075         (JSC::JSMapIterator::next):
2076         (JSC::JSMapIterator::nextKeyValue):
2077         (JSC::JSMapIterator::JSMapIterator):
2078         (JSC::JSMapIterator::setIterator):
2079         (JSC::JSMapIterator::finish): Deleted.
2080         (JSC::JSMapIterator::iteratorData): Deleted.
2081         * runtime/JSModuleLoader.cpp:
2082         (JSC::JSModuleLoader::finishCreation):
2083         * runtime/JSModuleLoader.h:
2084         (JSC::JSModuleLoader::create):
2085         * runtime/JSModuleRecord.cpp:
2086         (JSC::JSModuleRecord::finishCreation):
2087         * runtime/JSModuleRecord.h:
2088         (JSC::JSModuleRecord::create):
2089         * runtime/JSSet.cpp:
2090         (JSC::JSSet::destroy): Deleted.
2091         (JSC::JSSet::estimatedSize): Deleted.
2092         (JSC::JSSet::visitChildren): Deleted.
2093         (JSC::JSSet::copyBackingStore): Deleted.
2094         (JSC::JSSet::has): Deleted.
2095         (JSC::JSSet::size): Deleted.
2096         (JSC::JSSet::add): Deleted.
2097         (JSC::JSSet::clear): Deleted.
2098         (JSC::JSSet::remove): Deleted.
2099         * runtime/JSSet.h:
2100         (JSC::JSSet::createStructure):
2101         (JSC::JSSet::create):
2102         (JSC::JSSet::add):
2103         (JSC::JSSet::JSSet):
2104         (JSC::JSSet::Entry::key): Deleted.
2105         (JSC::JSSet::Entry::value): Deleted.
2106         (JSC::JSSet::Entry::visitChildren): Deleted.
2107         (JSC::JSSet::Entry::setKey): Deleted.
2108         (JSC::JSSet::Entry::setKeyWithoutWriteBarrier): Deleted.
2109         (JSC::JSSet::Entry::setValue): Deleted.
2110         (JSC::JSSet::Entry::clear): Deleted.
2111         * runtime/JSSetIterator.cpp:
2112         (JSC::JSSetIterator::finishCreation):
2113         (JSC::JSSetIterator::visitChildren):
2114         (JSC::JSSetIterator::clone):
2115         * runtime/JSSetIterator.h:
2116         (JSC::JSSetIterator::advanceIter):
2117         (JSC::JSSetIterator::next):
2118         (JSC::JSSetIterator::JSSetIterator):
2119         (JSC::JSSetIterator::setIterator):
2120         (JSC::JSSetIterator::finish): Deleted.
2121         (JSC::JSSetIterator::iteratorData): Deleted.
2122         * runtime/JSType.h:
2123         * runtime/MapBase.cpp: Added.
2124         (JSC::MapBase<HashMapBucketType>::visitChildren):
2125         (JSC::MapBase<HashMapBucketType>::estimatedSize):
2126         * runtime/MapBase.h: Added.
2127         (JSC::MapBase::size):
2128         (JSC::MapBase::has):
2129         (JSC::MapBase::clear):
2130         (JSC::MapBase::remove):
2131         (JSC::MapBase::findBucket):
2132         (JSC::MapBase::offsetOfHashMapImpl):
2133         (JSC::MapBase::impl):
2134         (JSC::MapBase::finishCreation):
2135         (JSC::MapBase::MapBase):
2136         * runtime/MapConstructor.cpp:
2137         (JSC::constructMap):
2138         * runtime/MapIteratorPrototype.cpp:
2139         (JSC::MapIteratorPrototypeFuncNext):
2140         * runtime/MapPrototype.cpp:
2141         (JSC::MapPrototype::finishCreation):
2142         (JSC::getMap):
2143         (JSC::privateFuncIsMap):
2144         (JSC::privateFuncMapIteratorNext):
2145         * runtime/PropertyDescriptor.cpp:
2146         (JSC::sameValue): Deleted.
2147         * runtime/PropertyDescriptor.h:
2148         * runtime/SetConstructor.cpp:
2149         (JSC::constructSet):
2150         * runtime/SetIteratorPrototype.cpp:
2151         (JSC::SetIteratorPrototypeFuncNext):
2152         * runtime/SetPrototype.cpp:
2153         (JSC::SetPrototype::finishCreation):
2154         (JSC::getSet):
2155         (JSC::privateFuncSetIteratorNext):
2156         * runtime/VM.cpp:
2157         (JSC::VM::VM):
2158         * runtime/VM.h:
2159
2160 2016-09-06  Benjamin Poulain  <bpoulain@apple.com>
2161
2162         [JSC] Make ArithClz32 work with Cell arguments
2163         https://bugs.webkit.org/show_bug.cgi?id=161369
2164
2165         Reviewed by Geoffrey Garen.
2166
2167         ArithClz32 was already working with all primitive types
2168         thanks to the magic of ValueToInt32.
2169         This patch adds support for cell arguments through a function
2170         call.
2171
2172         * dfg/DFGAbstractInterpreterInlines.h:
2173         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2174         * dfg/DFGClobberize.h:
2175         (JSC::DFG::clobberize):
2176         * dfg/DFGFixupPhase.cpp:
2177         (JSC::DFG::FixupPhase::fixupNode):
2178         * dfg/DFGNodeType.h:
2179         * dfg/DFGOperations.cpp:
2180         * dfg/DFGOperations.h:
2181         * dfg/DFGSpeculativeJIT.cpp:
2182         (JSC::DFG::SpeculativeJIT::compileArithClz32):
2183         * dfg/DFGSpeculativeJIT.h:
2184         (JSC::DFG::SpeculativeJIT::callOperation):
2185         * ftl/FTLLowerDFGToB3.cpp:
2186         (JSC::FTL::DFG::LowerDFGToB3::compileArithClz32):
2187
2188 2016-09-06  Mark Lam  <mark.lam@apple.com>
2189
2190         Gardening: change to use old header guard to appease Win EWS.
2191
2192         Not reviewed.
2193
2194         * runtime/AuxiliaryBarrier.h:
2195
2196 2016-09-06  Commit Queue  <commit-queue@webkit.org>
2197
2198         Unreviewed, rolling out r205494.
2199         https://bugs.webkit.org/show_bug.cgi?id=161646
2200
2201         This change broke the Windows build (Requested by ryanhaddad
2202         on #webkit).
2203
2204         Reverted changeset:
2205
2206         "Typed arrays should use MarkedSpace instead of CopiedSpace"
2207         https://bugs.webkit.org/show_bug.cgi?id=161100
2208         http://trac.webkit.org/changeset/205494
2209
2210 2016-09-06  Commit Queue  <commit-queue@webkit.org>
2211
2212         Unreviewed, rolling out r205504.
2213         https://bugs.webkit.org/show_bug.cgi?id=161645
2214
2215         Broke the iOS device build (Requested by ryanhaddad on
2216         #webkit).
2217
2218         Reverted changeset:
2219
2220         "Make JSMap and JSSet faster"
2221         https://bugs.webkit.org/show_bug.cgi?id=160989
2222         http://trac.webkit.org/changeset/205504
2223
2224 2016-09-06  Saam Barati  <sbarati@apple.com>
2225
2226         Make JSMap and JSSet faster
2227         https://bugs.webkit.org/show_bug.cgi?id=160989
2228
2229         Reviewed by Filip Pizlo.
2230
2231         This patch revamps how we implement Map and Set. It uses
2232         a new hash map implementation. The hash map uses linear
2233         probing and it uses Wang's 64 bit hash function for JSValues
2234         that aren't strings. Strings use StringImpl's hash function.
2235         The reason I wanted to roll our own HashTable is twofold:
2236         I didn't want to inline WTF::HashMap's implementation into our
2237         JIT, since that seems error prone and unmaintainable. Also, I wanted
2238         a different structure for hash map buckets where buckets also exist in
2239         a linked list.
2240
2241         The reason for making buckets part of a linked list is that iteration
2242         is now simple. Iteration works by just traversing a linked list.
2243         This design also allows for a simple implementation when doing iteration
2244         while the hash table is mutating. Whenever we remove a bucket from
2245         the hash table, it is removed from the list, meaning items in the
2246         list don't point to it. However, the removed bucket will still point
2247         to things that are either in the list, or have also been removed.
2248         e.g, from a removed bucket, you can always follow pointers until you
2249         either find an item in the list, or you find the tail of the list.
2250         This is a really nice property because it means that a Map or Set
2251         does not need to reason about the all the iterators that point
2252         into its list. Also, whenever we add items to the Map or Set, we
2253         hijack the tail as the new item, and make the new item point to a newly
2254         created tail. This means that any iterator that pointed to the "tail" now
2255         points to non-tail items. This makes the implementation of adding things
2256         to the Map/Set while iterating easy.
2257
2258         I also made Map.prototype.get, Map.prototype.has, and Set.prototype.has
2259         into intrinsics in the DFG. The IR can now reason about hash map
2260         operations and can even do CSE over Wang's hash function, hash map
2261         bucket lookups, hash map bucket loads, and testing if a key is in
2262         the hash table. This makes code patterns for Map like so, super fast
2263         in the FTL, since we will only be doing a single hash and hash bucket lookup:
2264
2265         ```
2266         function getKeyIfPresent(map, key) {
2267             if (map.has(key))
2268                 return map.get(key);
2269         }
2270         ```
2271
2272         This patch is roughly an 8% speedup on ES6SampleBench.
2273
2274         * CMakeLists.txt:
2275         * JavaScriptCore.xcodeproj/project.pbxproj:
2276         * bytecode/SpeculatedType.cpp:
2277         (JSC::speculationFromClassInfo):
2278         * bytecode/SpeculatedType.h:
2279         * dfg/DFGAbstractInterpreterInlines.h:
2280         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2281         (JSC::DFG::AbstractInterpreter<AbstractStateType>::execute):
2282         * dfg/DFGByteCodeParser.cpp:
2283         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2284         * dfg/DFGClobberize.h:
2285         (JSC::DFG::clobberize):
2286         * dfg/DFGDoesGC.cpp:
2287         (JSC::DFG::doesGC):
2288         * dfg/DFGEdge.h:
2289         (JSC::DFG::Edge::shift):
2290         (JSC::DFG::Edge::makeWord):
2291         * dfg/DFGFixupPhase.cpp:
2292         (JSC::DFG::FixupPhase::fixupNode):
2293         * dfg/DFGHeapLocation.cpp:
2294         (WTF::printInternal):
2295         * dfg/DFGHeapLocation.h:
2296         * dfg/DFGNode.h:
2297         (JSC::DFG::Node::hasHeapPrediction):
2298         * dfg/DFGNodeType.h:
2299         * dfg/DFGOperations.cpp:
2300         * dfg/DFGOperations.h:
2301         * dfg/DFGPredictionPropagationPhase.cpp:
2302         * dfg/DFGSafeToExecute.h:
2303         (JSC::DFG::SafeToExecuteEdge::operator()):
2304         (JSC::DFG::safeToExecute):
2305         * dfg/DFGSpeculativeJIT.cpp:
2306         (JSC::DFG::SpeculativeJIT::speculateMapObject):
2307         (JSC::DFG::SpeculativeJIT::speculateSetObject):
2308         (JSC::DFG::SpeculativeJIT::speculate):
2309         * dfg/DFGSpeculativeJIT.h:
2310         (JSC::DFG::SpeculativeJIT::callOperation):
2311         * dfg/DFGSpeculativeJIT32_64.cpp:
2312         (JSC::DFG::SpeculativeJIT::compile):
2313         * dfg/DFGSpeculativeJIT64.cpp:
2314         (JSC::DFG::SpeculativeJIT::compile):
2315         * dfg/DFGUseKind.cpp:
2316         (WTF::printInternal):
2317         * dfg/DFGUseKind.h:
2318         (JSC::DFG::typeFilterFor):
2319         (JSC::DFG::isCell):
2320         * ftl/FTLAbstractHeapRepository.h:
2321         * ftl/FTLCapabilities.cpp:
2322         (JSC::FTL::canCompile):
2323         * ftl/FTLLowerDFGToB3.cpp:
2324         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2325         (JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
2326         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
2327         (JSC::FTL::DFG::LowerDFGToB3::compileLoadFromJSMapBucket):
2328         (JSC::FTL::DFG::LowerDFGToB3::compileIsNonEmptyMapBucket):
2329         (JSC::FTL::DFG::LowerDFGToB3::lowMapObject):
2330         (JSC::FTL::DFG::LowerDFGToB3::lowSetObject):
2331         (JSC::FTL::DFG::LowerDFGToB3::lowMapBucket):
2332         (JSC::FTL::DFG::LowerDFGToB3::speculate):
2333         (JSC::FTL::DFG::LowerDFGToB3::speculateMapObject):
2334         (JSC::FTL::DFG::LowerDFGToB3::speculateSetObject):
2335         (JSC::FTL::DFG::LowerDFGToB3::setMapBucket):
2336         (JSC::FTL::DFG::LowerDFGToB3::lowRegExpObject): Deleted.
2337         (JSC::FTL::DFG::LowerDFGToB3::lowStorage): Deleted.
2338         (JSC::FTL::DFG::LowerDFGToB3::speculateRegExpObject): Deleted.
2339         (JSC::FTL::DFG::LowerDFGToB3::setStorage): Deleted.
2340         * jit/AssemblyHelpers.cpp:
2341         (JSC::AssemblyHelpers::wangsInt64Hash):
2342         * jit/AssemblyHelpers.h:
2343         (JSC::AssemblyHelpers::emitAllocateDestructibleObject): Deleted.
2344         * jit/JITOperations.h:
2345         * parser/ModuleAnalyzer.cpp:
2346         (JSC::ModuleAnalyzer::ModuleAnalyzer):
2347         * runtime/HashMapImpl.cpp: Added.
2348         (JSC::HashMapBucket<Data>::visitChildren):
2349         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
2350         (JSC::HashMapImpl<HashMapBucket>::copyBackingStore):
2351         * runtime/HashMapImpl.h: Added.
2352         (JSC::HashMapBucket::selectStructure):
2353         (JSC::HashMapBucket::createStructure):
2354         (JSC::HashMapBucket::create):
2355         (JSC::HashMapBucket::HashMapBucket):
2356         (JSC::HashMapBucket::setNext):
2357         (JSC::HashMapBucket::setPrev):
2358         (JSC::HashMapBucket::setKey):
2359         (JSC::HashMapBucket::setValue):
2360         (JSC::HashMapBucket::key):
2361         (JSC::HashMapBucket::value):
2362         (JSC::HashMapBucket::next):
2363         (JSC::HashMapBucket::prev):
2364         (JSC::HashMapBucket::deleted):
2365         (JSC::HashMapBucket::setDeleted):
2366         (JSC::HashMapBucket::offsetOfKey):
2367         (JSC::HashMapBucket::offsetOfValue):
2368         (JSC::HashMapBuffer::allocationSize):
2369         (JSC::HashMapBuffer::buffer):
2370         (JSC::HashMapBuffer::create):
2371         (JSC::areKeysEqual):
2372         (JSC::normalizeMapKey):
2373         (JSC::jsMapHash):
2374         (JSC::HashMapImpl::selectStructure):
2375         (JSC::HashMapImpl::createStructure):
2376         (JSC::HashMapImpl::create):
2377         (JSC::HashMapImpl::HashMapImpl):
2378         (JSC::HashMapImpl::buffer):
2379         (JSC::HashMapImpl::finishCreation):
2380         (JSC::HashMapImpl::emptyValue):
2381         (JSC::HashMapImpl::isEmpty):
2382         (JSC::HashMapImpl::deletedValue):
2383         (JSC::HashMapImpl::isDeleted):
2384         (JSC::HashMapImpl::findBucket):
2385         (JSC::HashMapImpl::get):
2386         (JSC::HashMapImpl::has):
2387         (JSC::HashMapImpl::add):
2388         (JSC::HashMapImpl::remove):
2389         (JSC::HashMapImpl::size):
2390         (JSC::HashMapImpl::clear):
2391         (JSC::HashMapImpl::bufferSizeInBytes):
2392         (JSC::HashMapImpl::offsetOfBuffer):
2393         (JSC::HashMapImpl::offsetOfCapacity):
2394         (JSC::HashMapImpl::head):
2395         (JSC::HashMapImpl::tail):
2396         (JSC::HashMapImpl::approximateSize):
2397         (JSC::HashMapImpl::findBucketAlreadyHashedAndNormalized):
2398         (JSC::HashMapImpl::rehash):
2399         (JSC::HashMapImpl::makeAndSetNewBuffer):
2400         * runtime/Intrinsic.h:
2401         * runtime/JSCJSValue.h:
2402         * runtime/JSCJSValueInlines.h:
2403         (JSC::sameValue):
2404         * runtime/JSGlobalObject.cpp:
2405         (JSC::JSGlobalObject::init):
2406         * runtime/JSMap.cpp:
2407         (JSC::JSMap::destroy): Deleted.
2408         (JSC::JSMap::estimatedSize): Deleted.
2409         (JSC::JSMap::visitChildren): Deleted.
2410         (JSC::JSMap::copyBackingStore): Deleted.
2411         (JSC::JSMap::has): Deleted.
2412         (JSC::JSMap::size): Deleted.
2413         (JSC::JSMap::get): Deleted.
2414         (JSC::JSMap::set): Deleted.
2415         (JSC::JSMap::clear): Deleted.
2416         (JSC::JSMap::remove): Deleted.
2417         * runtime/JSMap.h:
2418         (JSC::JSMap::createStructure):
2419         (JSC::JSMap::create):
2420         (JSC::JSMap::get):
2421         (JSC::JSMap::set):
2422         (JSC::JSMap::JSMap):
2423         (JSC::JSMap::Entry::key): Deleted.
2424         (JSC::JSMap::Entry::value): Deleted.
2425         (JSC::JSMap::Entry::visitChildren): Deleted.
2426         (JSC::JSMap::Entry::setKey): Deleted.
2427         (JSC::JSMap::Entry::setKeyWithoutWriteBarrier): Deleted.
2428         (JSC::JSMap::Entry::setValue): Deleted.
2429         (JSC::JSMap::Entry::clear): Deleted.
2430         * runtime/JSMapIterator.cpp:
2431         (JSC::JSMapIterator::finishCreation):
2432         (JSC::JSMapIterator::visitChildren):
2433         (JSC::JSMapIterator::clone):
2434         * runtime/JSMapIterator.h:
2435         (JSC::JSMapIterator::advanceIter):
2436         (JSC::JSMapIterator::next):
2437         (JSC::JSMapIterator::nextKeyValue):
2438         (JSC::JSMapIterator::JSMapIterator):
2439         (JSC::JSMapIterator::setIterator):
2440         (JSC::JSMapIterator::finish): Deleted.
2441         (JSC::JSMapIterator::iteratorData): Deleted.
2442         * runtime/JSModuleLoader.cpp:
2443         (JSC::JSModuleLoader::finishCreation):
2444         * runtime/JSModuleLoader.h:
2445         (JSC::JSModuleLoader::create):
2446         * runtime/JSModuleRecord.cpp:
2447         (JSC::JSModuleRecord::finishCreation):
2448         * runtime/JSModuleRecord.h:
2449         (JSC::JSModuleRecord::create):
2450         * runtime/JSSet.cpp:
2451         (JSC::JSSet::destroy): Deleted.
2452         (JSC::JSSet::estimatedSize): Deleted.
2453         (JSC::JSSet::visitChildren): Deleted.
2454         (JSC::JSSet::copyBackingStore): Deleted.
2455         (JSC::JSSet::has): Deleted.
2456         (JSC::JSSet::size): Deleted.
2457         (JSC::JSSet::add): Deleted.
2458         (JSC::JSSet::clear): Deleted.
2459         (JSC::JSSet::remove): Deleted.
2460         * runtime/JSSet.h:
2461         (JSC::JSSet::createStructure):
2462         (JSC::JSSet::create):
2463         (JSC::JSSet::add):
2464         (JSC::JSSet::JSSet):
2465         (JSC::JSSet::Entry::key): Deleted.
2466         (JSC::JSSet::Entry::value): Deleted.
2467         (JSC::JSSet::Entry::visitChildren): Deleted.
2468         (JSC::JSSet::Entry::setKey): Deleted.
2469         (JSC::JSSet::Entry::setKeyWithoutWriteBarrier): Deleted.
2470         (JSC::JSSet::Entry::setValue): Deleted.
2471         (JSC::JSSet::Entry::clear): Deleted.
2472         * runtime/JSSetIterator.cpp:
2473         (JSC::JSSetIterator::finishCreation):
2474         (JSC::JSSetIterator::visitChildren):
2475         (JSC::JSSetIterator::clone):
2476         * runtime/JSSetIterator.h:
2477         (JSC::JSSetIterator::advanceIter):
2478         (JSC::JSSetIterator::next):
2479         (JSC::JSSetIterator::JSSetIterator):
2480         (JSC::JSSetIterator::setIterator):
2481         (JSC::JSSetIterator::finish): Deleted.
2482         (JSC::JSSetIterator::iteratorData): Deleted.
2483         * runtime/JSType.h:
2484         * runtime/MapBase.cpp: Added.
2485         (JSC::MapBase<HashMapBucketType>::visitChildren):
2486         (JSC::MapBase<HashMapBucketType>::estimatedSize):
2487         * runtime/MapBase.h: Added.
2488         (JSC::MapBase::size):
2489         (JSC::MapBase::has):
2490         (JSC::MapBase::clear):
2491         (JSC::MapBase::remove):
2492         (JSC::MapBase::findBucket):
2493         (JSC::MapBase::offsetOfHashMapImpl):
2494         (JSC::MapBase::impl):
2495         (JSC::MapBase::finishCreation):
2496         (JSC::MapBase::MapBase):
2497         * runtime/MapConstructor.cpp:
2498         (JSC::constructMap):
2499         * runtime/MapIteratorPrototype.cpp:
2500         (JSC::MapIteratorPrototypeFuncNext):
2501         * runtime/MapPrototype.cpp:
2502         (JSC::MapPrototype::finishCreation):
2503         (JSC::getMap):
2504         (JSC::privateFuncIsMap):
2505         (JSC::privateFuncMapIteratorNext):
2506         * runtime/PropertyDescriptor.cpp:
2507         (JSC::sameValue): Deleted.
2508         * runtime/PropertyDescriptor.h:
2509         * runtime/SetConstructor.cpp:
2510         (JSC::constructSet):
2511         * runtime/SetIteratorPrototype.cpp:
2512         (JSC::SetIteratorPrototypeFuncNext):
2513         * runtime/SetPrototype.cpp:
2514         (JSC::SetPrototype::finishCreation):
2515         (JSC::getSet):
2516         (JSC::privateFuncSetIteratorNext):
2517         * runtime/VM.cpp:
2518         (JSC::VM::VM):
2519         * runtime/VM.h:
2520
2521 2016-09-06  Filip Pizlo  <fpizlo@apple.com>
2522
2523         Typed arrays should use MarkedSpace instead of CopiedSpace
2524         https://bugs.webkit.org/show_bug.cgi?id=161100
2525
2526         Reviewed by Geoffrey Garen.
2527         
2528         This moves typed array backing stores out of CopiedSpace and into Auxiliary MarkedSpace.
2529         
2530         This is a purely mechanical change since Auxiliary MarkedSpace already knows how to do
2531         everything that typed arrays want.
2532
2533         * dfg/DFGOperations.cpp:
2534         (JSC::DFG::newTypedArrayWithSize):
2535         * dfg/DFGOperations.h:
2536         (JSC::DFG::operationNewTypedArrayWithSizeForType):
2537         * dfg/DFGSpeculativeJIT.cpp:
2538         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
2539         * dfg/DFGSpeculativeJIT.h:
2540         (JSC::DFG::SpeculativeJIT::callOperation):
2541         (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage): Deleted.
2542         * ftl/FTLLowerDFGToB3.cpp:
2543         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
2544         (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
2545         (JSC::FTL::DFG::LowerDFGToB3::splatWords):
2546         (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorageAndGetEnd): Deleted.
2547         (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorage): Deleted.
2548         * heap/CopyToken.h:
2549         * heap/SlotVisitor.cpp:
2550         (JSC::SlotVisitor::markAuxiliary):
2551         * jit/JITOperations.h:
2552         * runtime/JSArrayBufferView.cpp:
2553         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
2554         (JSC::JSArrayBufferView::JSArrayBufferView):
2555         * runtime/JSArrayBufferView.h:
2556         * runtime/JSGenericTypedArrayView.h:
2557         * runtime/JSGenericTypedArrayViewInlines.h:
2558         (JSC::JSGenericTypedArrayView<Adaptor>::createWithFastVector):
2559         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
2560         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
2561         (JSC::JSGenericTypedArrayView<Adaptor>::copyBackingStore): Deleted.
2562
2563 2016-09-06  Michael Catanzaro  <mcatanzaro@igalia.com>
2564
2565         Silence GCC warning spam introduced in r205462
2566
2567         Rubber-stamped by Filip Pizlo.
2568
2569         * bytecode/Opcode.h:
2570         (JSC::padOpcodeName):
2571
2572 2016-09-05  Filip Pizlo  <fpizlo@apple.com>
2573
2574         Heap::isMarked() should use concurrent lazy flipping
2575         https://bugs.webkit.org/show_bug.cgi?id=161613
2576
2577         Reviewed by Michael Catanzaro.
2578         
2579         I found out about this race condition via
2580         https://bugs.webkit.org/show_bug.cgi?id=160125#c233.
2581         
2582         The problem is that we use isMarked, and maybe even isLive, inside the concurrent mark
2583         phase. So, they need to lazy-flip in a non-racy way.
2584
2585         * heap/HeapInlines.h:
2586         (JSC::Heap::isLive):
2587         (JSC::Heap::isMarked):
2588
2589 2016-09-05  Filip Pizlo  <fpizlo@apple.com>
2590
2591         Unreviewed, reset generator test results after the butterflies.
2592
2593         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
2594         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
2595         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
2596         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
2597         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
2598         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
2599         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
2600         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
2601         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
2602         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
2603         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
2604         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
2605         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
2606         * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
2607
2608 2016-09-05  Filip Pizlo  <fpizlo@apple.com>
2609
2610         Unreviewed, fix cloop build.
2611
2612         * bytecode/SuperSampler.cpp:
2613
2614 2016-08-31  Filip Pizlo  <fpizlo@apple.com>
2615
2616         Butterflies should be allocated in Auxiliary MarkedSpace instead of CopiedSpace and we should rewrite as much of the GC as needed to make this not a regression
2617         https://bugs.webkit.org/show_bug.cgi?id=160125
2618
2619         Reviewed by Geoffrey Garen and Keith Miller.
2620
2621         In order to make the GC concurrent (bug 149432), we would either need to enable concurrent
2622         copying or we would need to not copy. Concurrent copying carries a 1-2% throughput overhead
2623         from the barriers alone. Considering that MarkedSpace does a decent job of avoiding
2624         fragmentation, it's unlikely that it's worth paying 1-2% throughput for copying. So, we want
2625         to get rid of copied space. This change moves copied space's biggest client over to marked
2626         space.
2627         
2628         Moving butterflies to marked space means having them use the new Auxiliary HeapCell
2629         allocation path. This is a fairly mechanical change, but it caused performance regressions
2630         everywhere, so this change also fixes MarkedSpace's performance issues.
2631         
2632         At a high level the mechanical changes are:
2633         
2634         - We use AuxiliaryBarrier instead of CopyBarrier.
2635         
2636         - We use tryAllocateAuxiliary instead of tryAllocateStorage. I got rid of the silly
2637           CheckedBoolean stuff, since it's so much more trouble than it's worth.
2638         
2639         - The JITs have to emit inlined marked space allocations instead of inline copy space
2640           allocations.
2641         
2642         - Everyone has to get used to zeroing their butterflies after allocation instead of relying
2643           on them being pre-zeroed by the GC. Copied space would zero things for you, while marked
2644           space doesn't.
2645         
2646         That's about 1/3 of this change. But this led to performance problems, which I fixed with
2647         optimizations that amounted to a major MarkedSpace rewrite:
2648         
2649         - MarkedSpace always causes internal fragmentation for array allocations because the vector
2650           length we choose when we resize usually leads to a cell size that doesn't correspond to any
2651           size class. I got around this by making array allocations usually round up vectorLength to
2652           the maximum allowed by the size class that we would have allocated in. Also,
2653           ensureLengthSlow() and friends first make sure that the requested length can't just be
2654           fulfilled with the current allocation size. This safeguard means that not every array
2655           allocation has to do size class queries. For example, the fast path of new Array(length)
2656           never does any size class queries, under the assumption that (1) the speed gained from
2657           avoiding an ensureLengthSlow() call, which then just changes the vectorLength by doing the
2658           size class query, is too small to offset the speed lost by doing the query on every
2659           allocation and (2) new Array(length) is a pretty good hint that resizing is not very
2660           likely.
2661         
2662         - Size classes in MarkedSpace were way too precise, which led to external fragmentation. This
2663           changes MarkedSpace size classes to use a linear progression for very small sizes followed
2664           by a geometric progression that naturally transitions to a hyperbolic progression. We want
2665           hyperbolic sizes when we get close to blockSize: for example the largest size we want is
2666           payloadSize / 2 rounded down, to ensure we get exactly two cells with minimal slop. The
2667           next size down should be payloadSize / 3 rounded down, and so on. After the last precise
2668           size (80 bytes), we proceed using a geometric progression, but round up each size to
2669           minimize slop at the end of the block. This naturally causes the geometric progression to
2670           turn hyperbolic for large sizes. The size class configuration happens at VM start-up, so
2671           it can be controlled with runtime options. I found that a base of 1.4 works pretty well.
2672         
2673         - Large allocations caused massive internal fragmentation, since the smallest large
2674           allocation had to use exactly blockSize, and the largest small allocation used
2675           blockSize / 2. The next size up - the first large allocation size to require two blocks -
2676           also had 50% internal fragmentation. This is because we required large allocations to be
2677           blockSize aligned, so that MarkedBlock::blockFor() would work. I decided to rewrite all of
2678           that. Cells no longer have to be owned by a MarkedBlock. They can now alternatively be
2679           owned by a LargeAllocation. These two things are abstracted as CellContainer. You know that
2680           a cell is owned by a LargeAllocation if the MarkedBlock::atomSize / 2 bit is set.
2681           Basically, large allocations are deliberately misaligned by 8 bytes. This actually works
2682           out great since (1) typed arrays won't use large allocations anyway since they have their
2683           own malloc fallback and (2) large array butterflies already have a 8 byte header, which
2684           means that the 8 byte base misalignment aligns the large array payload on a 16 byte
2685           boundary. I took extreme care to make sure that the isLargeAllocation bit checks are as
2686           rare as possible; for example, ExecState::vm() skips the check because we know that callees
2687           must be small allocations. It's also possible to use template tricks to do one check for
2688           cell container kind, and then invoke a function specialized for MarkedBlock or a function
2689           specialized for LargeAllocation. LargeAllocation includes stubs for all MarkedBlock methods
2690           that get used from functions that are template-specialized like this. That's mostly to
2691           speed up the GC marking code. Most other code can use CellContainer API or HeapCell API
2692           directly. That's another thing: HeapCell, the common base of JSCell and auxiliary
2693           allocations, is now smart enough to do a lot of things for you, like HeapCell::vm(),
2694           HeapCell::heap(), HeapCell::isLargeAllocation(), and HeapCell::cellContainer(). The size
2695           cutoff for large allocations is runtime-configurable, so long as you don't choose something
2696           so small that callees end up large. I found that 400 bytes is roughly optimal. This means
2697           that the MarkedBlock size classes end up being:
2698           
2699           16, 32, 48, 64, 80, 112, 160, 224, 320
2700           
2701           The next size class would have been 432, but that's above the 400 byte cutoff. All of this
2702           is configurable with --sizeClassProgression and --largeAllocationCutoff. You can see what
2703           size classes you end up with by doing --dumpSizeClasses=true.
2704         
2705         - Copied space uses 64KB blocks, while marked space used to use 16KB blocks. Allocating a lot
2706           of stuff in 16KB blocks was slower than allocating it in 64KB blocks because the GC had a
2707           lot of per-block overhead. I removed this overhead: It's now 2x faster to scan all
2708           MarkedBlocks because the list that contains the interesting meta-data is allocated on the
2709           side, for better locality during a sequential walk. It's no longer necessary to scan
2710           MarkedBlocks to find WeakSets, since the sets of WeakSets for eden scan and full scan are
2711           maintained on-the-fly. It's no longer necessary to scan all MarkedBlocks to clear mark
2712           bits because we now use versioned mark bits: to clear then, just increment the 64-bit
2713           heap version. It's no longer necessary to scan retired MarkedBlocks while allocating
2714           because marking retires them on-the-fly. It's no longer necessary to sort all blocks in
2715           the IncrementalSweeper's snapshot because blocks now know if they are in the snapshot. Put
2716           together, these optimizations allowed me to reduce block size to 16KB without losing much
2717           performance. There is some small perf loss on JetStream/splay, but not enough to hurt
2718           JetStream overall. I tried reducing block sizes further, to 4KB, since that is a
2719           progression on membuster. That's not possible yet, since there is still enough per-block
2720           overhead yet that such a reduction hurts JetStream too much. I filed a bug about improving
2721           this further: https://bugs.webkit.org/show_bug.cgi?id=161581.
2722         
2723         - Even after all of that, copying butterflies was still faster because it allowed us to skip
2724           sweeping dead space. A good GC allocates over dead bytes without explicitly freeing them,
2725           so the GC pause is O(size of live), not O(size of live + dead). O(dead) is usually much
2726           larger than O(live), especially in an eden collection. Copying satisfies this premise while
2727           mark+sweep does not. So, I invented a new kind of allocator: bump'n'pop. Previously, our
2728           MarkedSpace allocator was a freelist pop. That's simple and easy to inline but requires
2729           that we walk the block to build a free list. This means walking dead space. The new
2730           allocator allows totally free MarkedBlocks to simply set up a bump-pointer arena instead.
2731           The allocator is a hybrid of bump-pointer and freelist pop. It tries bump first. The bump
2732           pointer always bumps by cellSize, so the result of filling a block with bumping looks as if
2733           we had used freelist popping to fill it. Additionally, each MarkedBlock now has a bit to
2734           quickly tell if the block is entirely free. This makes sweeping O(1) whenever a MarkedBlock
2735           is completely empty, which is the common case because of the generational hypothesis: the
2736           number of objects that survive an eden collection is a tiny fraction of the number of
2737           objects that had been allocated, and this fraction is so small that there are typically
2738           fewer than one survivors per MarkedBlock. This change was enough to make this change a net
2739           win over tip-of-tree.
2740         
2741         - FTL now shares the same allocation fast paths as everything else, which is great, because
2742           bump'n'pop has gnarly control flow. We don't really want B3 to have to think about that
2743           control flow, since it won't be able to improve the machine code we write ourselves. GC
2744           fast paths are best written in assembly. So, I've empowered B3 to have even better support
2745           for Patchpoint terminals. It's now totally fine for a Patchpoint terminal to be non-Void.
2746           So, the new FTL allocation fast paths are just Patchpoint terminals that call through to
2747           AssemblyHelpers::emitAllocate(). B3 still reasons about things like constant-folding the
2748           size class calculation and constant-hoisting the allocator. Also, I gave the FTL the
2749           ability to constant-fold some allocator logic (in case we first assume that we're doing a
2750           variable-length allocation but then realize that the length is known). I think it makes
2751           sense to have constant folding rules in FTL::Output, or whatever the B3 IR builder is,
2752           since this makes lowering easier (you can constant fold during lowering more easily) and it
2753           reduces the amount of malloc traffic. In the future, we could teach B3 how to better
2754           constant-fold this code. That would require allowing loads to be constant-folded, which is
2755           doable but hella tricky.
2756         
2757         - It used to be that if a logical object allocation required two physical allocations (first
2758           the butterfly and then the cell), then the JIT would emit the code in such a way that a
2759           failure in the second fast path would cause us to forget the successful first physical
2760           allocation. This was pointlessly wasteful. It turns out that it's very cheap to devote a
2761           register to storing either the butterfly or null, because the butterfly register is anyway
2762           going to be free inside the first allocation. The only overhead here is zeroing the
2763           butterfly register. With that in place, we can just pass the butterfly-or-null to the slow
2764           path, which can then either allocate a butterfly or not. So now we never waste a successful
2765           allocation. This patch implements such a solution both in DFG (where it's easy to do this
2766           since we control registers already) and in FTL (where it's annoying, because mutable
2767           "butterfly-or-null" variables are hard to say in SSA; also I realized that we had code
2768           duplicated the JSArray allocation utility, so I deduplicated it). This came up because in
2769           one version of this patch, this wastage would resonate with some Kraken benchmark: the
2770           benchmark would always allocate N small things followed by one bigger thing. The problem
2771           was I accidentally adjusted the various fixed overheads in MarkedBlock in such a way that
2772           the JSObject size class, which both the small and big thing shared for their cell, could
2773           hold exactly N cells per MarkedBlock. Then the benchmark would always call slow path when
2774           it allocated the big thing. So, it would end up having to allocate the big thing's large
2775           butterfly twice, every single time! Ouch!
2776         
2777         - It used to be that we zeroed CopiedBlocks using memset, and so array allocations enjoyed
2778           amortization of the cost of zeroing. This doesn't work anymore - it's now up to the client
2779           of the allocator to initialize the object to whatever state they need. It used to be that
2780           we would just use a dumb loop. I initially changed this so that we would end up in memset
2781           for large allocations, but this didn't actually help performance that much. I got a much
2782           better result by playing with different memsets written in assembly. First I wrote one
2783           using non-temporal stores. That was a small speed-up over memset. Then I tried the classic
2784           "rep stos" approach, and holy cow that version was fast. It's a ~20% speed-up on array
2785           allocation microbenchmarks. So, this patch adds code paths to do "rep stos" on x86_64, or
2786           memset, or use a loop, as appropriate, for both "contiguous" arrays (holes are zero) and
2787           double arrays (holes are PNaN). Note that the JIT always emits either a loop or a flat slab
2788           of stores (if the size is known), but those paths in the JIT won't trigger for
2789           NewArrayWithSize() if the size is large, since that takes us to the
2790           operationNewArrayWithSize() slow path, which calls into JSArray::create(). That's why the
2791           optimizations here are all in JSArray::create() - that's the hot place for large arrays
2792           that need to be filled with holes.
2793         
2794         All of this put together gives us neutral perf on JetStream,  membuster, and PLT3, a ~1%
2795         regression on Speedometer, and up to a 4% regression Kraken. The Kraken regression is
2796         because Kraken was allocating exactly 1024 element arrays at a rate of 400MB/sec. This is a
2797         best-case scenario for bump allocation. I think that we should fix bmalloc to make up the
2798         difference, but take the hit for now because it's a crazy corner case. By comparison, the
2799         alternative approach of using a copy barrier would have cost us 1-2%. That's the real
2800         apples-to-apples comparison if your premise is that we should have a concurrent GC. After we
2801         finish removing copied space, we will be barrier-ready for concurrent GC: we already have a
2802         marking barrier and we simply won't need a copying barrier. This change gets us there for
2803         the purposes of our benchmarks, since the remaining clients of copied space are not very
2804         important. On the other hand, if we keep copying, then getting barrier-ready would mean
2805         adding back the copy barrier, which costs more perf.
2806         
2807         We might get bigger speed-ups once we remove CopiedSpace altogether. That requires moving
2808         typed arrays and a few other weird things over to Aux MarkedSpace.
2809         
2810         This also includes some header sanitization. The introduction of AuxiliaryBarrier, HeapCell,
2811         and CellContainer meant that I had to include those files from everywhere. Fortunately,
2812         just including JSCInlines.h (instead of manually including the files that includes) is
2813         usually enough. So, I made most of JSC's cpp files include JSCInlines.h, which is something
2814         that we were already basically doing. In places where JSCInlines.h would be too much, I just
2815         included HeapInlines.h. This got weird, because we previously included HeapInlines.h from
2816         JSObject.h. That's bad because it led to some circular dependencies, so I fixed it - but that
2817         meant having to manually include HeapInlines.h from the places that previously got it
2818         implicitly via JSObject.h. But that led to more problems for some reason: I started getting
2819         build errors because non-JSC files were having trouble including Opcode.h. That's just silly,
2820         since Opcode.h is meant to be an internal JSC header. So, I made it an internal header and
2821         made it impossible to include it from outside JSC. This was a lot of work, but it was
2822         necessary to get the patch to build on all ports. It's also a net win. There were many places
2823         in WebCore that were transitively including a *ton* of JSC headers just because of the
2824         JSObject.h->HeapInlines.h edge and a bunch of dependency edges that arose from some public
2825         (for WebCore) JSC headers needing Interpreter.h or Opcode.h for bad reasons.
2826
2827         * API/JSManagedValue.mm:
2828         (-[JSManagedValue initWithValue:]):
2829         * API/JSTypedArray.cpp:
2830         * API/ObjCCallbackFunction.mm:
2831         * API/tests/testapi.mm:
2832         (testObjectiveCAPI):
2833         (testWeakValue): Deleted.
2834         * CMakeLists.txt:
2835         * JavaScriptCore.xcodeproj/project.pbxproj:
2836         * Scripts/builtins/builtins_generate_combined_implementation.py:
2837         (BuiltinsCombinedImplementationGenerator.generate_secondary_header_includes):
2838         * Scripts/builtins/builtins_generate_internals_wrapper_implementation.py:
2839         (BuiltinsInternalsWrapperImplementationGenerator.generate_secondary_header_includes):
2840         * Scripts/builtins/builtins_generate_separate_implementation.py:
2841         (BuiltinsSeparateImplementationGenerator.generate_secondary_header_includes):
2842         * assembler/AbstractMacroAssembler.h:
2843         (JSC::AbstractMacroAssembler::JumpList::link):
2844         (JSC::AbstractMacroAssembler::JumpList::linkTo):
2845         * assembler/MacroAssembler.h:
2846         * assembler/MacroAssemblerARM64.h:
2847         (JSC::MacroAssemblerARM64::add32):
2848         * assembler/MacroAssemblerCodeRef.cpp: Added.
2849         (JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
2850         (JSC::MacroAssemblerCodePtr::dumpWithName):
2851         (JSC::MacroAssemblerCodePtr::dump):
2852         (JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
2853         (JSC::MacroAssemblerCodeRef::dump):
2854         * assembler/MacroAssemblerCodeRef.h:
2855         (JSC::MacroAssemblerCodePtr::createLLIntCodePtr): Deleted.
2856         (JSC::MacroAssemblerCodePtr::dumpWithName): Deleted.
2857         (JSC::MacroAssemblerCodePtr::dump): Deleted.
2858         (JSC::MacroAssemblerCodeRef::createLLIntCodeRef): Deleted.
2859         (JSC::MacroAssemblerCodeRef::dump): Deleted.
2860         * b3/B3BasicBlock.cpp:
2861         (JSC::B3::BasicBlock::appendBoolConstant):
2862         * b3/B3BasicBlock.h:
2863         * b3/B3DuplicateTails.cpp:
2864         * b3/B3StackmapGenerationParams.h:
2865         * b3/testb3.cpp:
2866         (JSC::B3::testPatchpointTerminalReturnValue):
2867         (JSC::B3::run):
2868         * bindings/ScriptValue.cpp:
2869         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
2870         * bytecode/BytecodeBasicBlock.cpp:
2871         * bytecode/BytecodeLivenessAnalysis.cpp:
2872         * bytecode/BytecodeUseDef.h:
2873         * bytecode/CallLinkInfo.cpp:
2874         (JSC::CallLinkInfo::callTypeFor):
2875         * bytecode/CallLinkInfo.h:
2876         (JSC::CallLinkInfo::callTypeFor): Deleted.
2877         * bytecode/CallLinkStatus.cpp:
2878         * bytecode/CodeBlock.cpp:
2879         (JSC::CodeBlock::finishCreation):
2880         (JSC::CodeBlock::clearLLIntGetByIdCache):
2881         (JSC::CodeBlock::predictedMachineCodeSize):
2882         * bytecode/CodeBlock.h:
2883         (JSC::CodeBlock::jitCodeMap): Deleted.
2884         (JSC::clearLLIntGetByIdCache): Deleted.
2885         * bytecode/ExecutionCounter.h:
2886         * bytecode/Instruction.h:
2887         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
2888         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
2889         * bytecode/ObjectAllocationProfile.h:
2890         (JSC::ObjectAllocationProfile::isNull):
2891         (JSC::ObjectAllocationProfile::initialize):
2892         * bytecode/Opcode.h:
2893         (JSC::padOpcodeName):
2894         * bytecode/PolymorphicAccess.cpp:
2895         (JSC::AccessCase::generateImpl):
2896         (JSC::PolymorphicAccess::regenerate):
2897         * bytecode/PolymorphicAccess.h:
2898         * bytecode/PreciseJumpTargets.cpp:
2899         * bytecode/StructureStubInfo.cpp:
2900         * bytecode/StructureStubInfo.h:
2901         * bytecode/UnlinkedCodeBlock.cpp:
2902         (JSC::UnlinkedCodeBlock::vm): Deleted.
2903         * bytecode/UnlinkedCodeBlock.h:
2904         * bytecode/UnlinkedInstructionStream.cpp:
2905         * bytecode/UnlinkedInstructionStream.h:
2906         * dfg/DFGOperations.cpp:
2907         * dfg/DFGSpeculativeJIT.cpp:
2908         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
2909         (JSC::DFG::SpeculativeJIT::compileMakeRope):
2910         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
2911         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
2912         * dfg/DFGSpeculativeJIT.h:
2913         (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
2914         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
2915         * dfg/DFGSpeculativeJIT32_64.cpp:
2916         (JSC::DFG::SpeculativeJIT::compile):
2917         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
2918         * dfg/DFGSpeculativeJIT64.cpp:
2919         (JSC::DFG::SpeculativeJIT::compile):
2920         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
2921         * dfg/DFGStrengthReductionPhase.cpp:
2922         (JSC::DFG::StrengthReductionPhase::handleNode):
2923         * ftl/FTLAbstractHeapRepository.h:
2924         * ftl/FTLCompile.cpp:
2925         * ftl/FTLJITFinalizer.cpp:
2926         * ftl/FTLLowerDFGToB3.cpp:
2927         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
2928         (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
2929         (JSC::FTL::DFG::LowerDFGToB3::allocateArrayWithSize):
2930         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
2931         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
2932         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
2933         (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
2934         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
2935         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
2936         (JSC::FTL::DFG::LowerDFGToB3::allocateCell):
2937         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
2938         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
2939         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
2940         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
2941         (JSC::FTL::DFG::LowerDFGToB3::compileAllocateArrayWithSize): Deleted.
2942         * ftl/FTLOutput.cpp:
2943         (JSC::FTL::Output::constBool):
2944         (JSC::FTL::Output::add):
2945         (JSC::FTL::Output::shl):
2946         (JSC::FTL::Output::aShr):
2947         (JSC::FTL::Output::lShr):
2948         (JSC::FTL::Output::zeroExt):
2949         (JSC::FTL::Output::equal):
2950         (JSC::FTL::Output::notEqual):
2951         (JSC::FTL::Output::above):
2952         (JSC::FTL::Output::aboveOrEqual):
2953         (JSC::FTL::Output::below):
2954         (JSC::FTL::Output::belowOrEqual):
2955         (JSC::FTL::Output::greaterThan):
2956         (JSC::FTL::Output::greaterThanOrEqual):
2957         (JSC::FTL::Output::lessThan):
2958         (JSC::FTL::Output::lessThanOrEqual):
2959         (JSC::FTL::Output::select):
2960         (JSC::FTL::Output::appendSuccessor):
2961         (JSC::FTL::Output::addIncomingToPhi):
2962         * ftl/FTLOutput.h:
2963         * ftl/FTLValueFromBlock.h:
2964         (JSC::FTL::ValueFromBlock::operator bool):
2965         (JSC::FTL::ValueFromBlock::ValueFromBlock): Deleted.
2966         * ftl/FTLWeightedTarget.h:
2967         (JSC::FTL::WeightedTarget::frequentedBlock):
2968         * heap/CellContainer.h: Added.
2969         (JSC::CellContainer::CellContainer):
2970         (JSC::CellContainer::operator bool):
2971         (JSC::CellContainer::isMarkedBlock):
2972         (JSC::CellContainer::isLargeAllocation):
2973         (JSC::CellContainer::markedBlock):
2974         (JSC::CellContainer::largeAllocation):
2975         * heap/CellContainerInlines.h: Added.
2976         (JSC::CellContainer::isMarked):
2977         (JSC::CellContainer::isMarkedOrNewlyAllocated):
2978         (JSC::CellContainer::noteMarked):
2979         (JSC::CellContainer::cellSize):
2980         (JSC::CellContainer::weakSet):
2981         (JSC::CellContainer::flipIfNecessary):
2982         * heap/ConservativeRoots.cpp:
2983         (JSC::ConservativeRoots::ConservativeRoots):
2984         (JSC::ConservativeRoots::~ConservativeRoots):
2985         (JSC::ConservativeRoots::grow):
2986         (JSC::ConservativeRoots::genericAddPointer):
2987         (JSC::ConservativeRoots::genericAddSpan):
2988         * heap/ConservativeRoots.h:
2989         (JSC::ConservativeRoots::roots):
2990         * heap/CopyToken.h:
2991         * heap/FreeList.cpp: Added.
2992         (JSC::FreeList::dump):
2993         * heap/FreeList.h: Added.
2994         (JSC::FreeList::FreeList):
2995         (JSC::FreeList::list):
2996         (JSC::FreeList::bump):
2997         (JSC::FreeList::operator==):
2998         (JSC::FreeList::operator!=):
2999         (JSC::FreeList::operator bool):
3000         (JSC::FreeList::allocationWillFail):
3001         (JSC::FreeList::allocationWillSucceed):
3002         * heap/GCTypeMap.h: Added.
3003         (JSC::GCTypeMap::operator[]):
3004         * heap/Heap.cpp:
3005         (JSC::Heap::Heap):
3006         (JSC::Heap::lastChanceToFinalize):
3007         (JSC::Heap::finalizeUnconditionalFinalizers):
3008         (JSC::Heap::markRoots):
3009         (JSC::Heap::copyBackingStores):
3010         (JSC::Heap::gatherStackRoots):
3011         (JSC::Heap::gatherJSStackRoots):
3012         (JSC::Heap::gatherScratchBufferRoots):
3013         (JSC::Heap::clearLivenessData):
3014         (JSC::Heap::visitSmallStrings):
3015         (JSC::Heap::visitConservativeRoots):
3016         (JSC::Heap::removeDeadCompilerWorklistEntries):
3017         (JSC::Heap::gatherExtraHeapSnapshotData):
3018         (JSC::Heap::removeDeadHeapSnapshotNodes):
3019         (JSC::Heap::visitProtectedObjects):
3020         (JSC::Heap::visitArgumentBuffers):
3021         (JSC::Heap::visitException):
3022         (JSC::Heap::visitStrongHandles):
3023         (JSC::Heap::visitHandleStack):
3024         (JSC::Heap::visitSamplingProfiler):
3025         (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
3026         (JSC::Heap::converge):
3027         (JSC::Heap::visitWeakHandles):
3028         (JSC::Heap::updateObjectCounts):
3029         (JSC::Heap::clearUnmarkedExecutables):
3030         (JSC::Heap::deleteUnmarkedCompiledCode):
3031         (JSC::Heap::collectAllGarbage):
3032         (JSC::Heap::collect):
3033         (JSC::Heap::collectWithoutAnySweep):
3034         (JSC::Heap::collectImpl):
3035         (JSC::Heap::suspendCompilerThreads):
3036         (JSC::Heap::willStartCollection):
3037         (JSC::Heap::flushOldStructureIDTables):
3038         (JSC::Heap::flushWriteBarrierBuffer):
3039         (JSC::Heap::stopAllocation):
3040         (JSC::Heap::prepareForMarking):
3041         (JSC::Heap::reapWeakHandles):
3042         (JSC::Heap::pruneStaleEntriesFromWeakGCMaps):
3043         (JSC::Heap::sweepArrayBuffers):
3044         (JSC::MarkedBlockSnapshotFunctor::MarkedBlockSnapshotFunctor):
3045         (JSC::MarkedBlockSnapshotFunctor::operator()):
3046         (JSC::Heap::snapshotMarkedSpace):
3047         (JSC::Heap::deleteSourceProviderCaches):
3048         (JSC::Heap::notifyIncrementalSweeper):
3049         (JSC::Heap::writeBarrierCurrentlyExecutingCodeBlocks):
3050         (JSC::Heap::resetAllocators):
3051         (JSC::Heap::updateAllocationLimits):
3052         (JSC::Heap::didFinishCollection):
3053         (JSC::Heap::resumeCompilerThreads):
3054         (JSC::Zombify::visit):
3055         (JSC::Heap::forEachCodeBlockImpl):
3056         * heap/Heap.h:
3057         (JSC::Heap::allocatorForObjectWithoutDestructor):
3058         (JSC::Heap::allocatorForObjectWithDestructor):
3059         (JSC::Heap::allocatorForAuxiliaryData):
3060         (JSC::Heap::jitStubRoutines):
3061         (JSC::Heap::codeBlockSet):
3062         (JSC::Heap::storageAllocator): Deleted.
3063         * heap/HeapCell.h:
3064         (JSC::HeapCell::isZapped): Deleted.
3065         * heap/HeapCellInlines.h: Added.
3066         (JSC::HeapCell::isLargeAllocation):
3067         (JSC::HeapCell::cellContainer):
3068         (JSC::HeapCell::markedBlock):
3069         (JSC::HeapCell::largeAllocation):
3070         (JSC::HeapCell::heap):
3071         (JSC::HeapCell::vm):
3072         (JSC::HeapCell::cellSize):
3073         (JSC::HeapCell::allocatorAttributes):
3074         (JSC::HeapCell::destructionMode):
3075         (JSC::HeapCell::cellKind):
3076         * heap/HeapInlines.h:
3077         (JSC::Heap::heap):
3078         (JSC::Heap::isLive):
3079         (JSC::Heap::isMarked):
3080         (JSC::Heap::testAndSetMarked):
3081         (JSC::Heap::setMarked):
3082         (JSC::Heap::cellSize):
3083         (JSC::Heap::forEachCodeBlock):
3084         (JSC::Heap::allocateObjectOfType):
3085         (JSC::Heap::subspaceForObjectOfType):
3086         (JSC::Heap::allocatorForObjectOfType):
3087         (JSC::Heap::allocateAuxiliary):
3088         (JSC::Heap::tryAllocateAuxiliary):
3089         (JSC::Heap::tryReallocateAuxiliary):
3090         (JSC::Heap::isPointerGCObject): Deleted.
3091         (JSC::Heap::isValueGCObject): Deleted.
3092         * heap/HeapOperation.cpp: Added.
3093         (WTF::printInternal):
3094         * heap/HeapOperation.h:
3095         * heap/HeapUtil.h: Added.
3096         (JSC::HeapUtil::findGCObjectPointersForMarking):
3097         (JSC::HeapUtil::isPointerGCObjectJSCell):
3098         (JSC::HeapUtil::isValueGCObject):
3099         * heap/IncrementalSweeper.cpp:
3100         (JSC::IncrementalSweeper::sweepNextBlock):
3101         * heap/IncrementalSweeper.h:
3102         * heap/LargeAllocation.cpp: Added.
3103         (JSC::LargeAllocation::tryCreate):
3104         (JSC::LargeAllocation::LargeAllocation):
3105         (JSC::LargeAllocation::lastChanceToFinalize):
3106         (JSC::LargeAllocation::shrink):
3107         (JSC::LargeAllocation::visitWeakSet):
3108         (JSC::LargeAllocation::reapWeakSet):
3109         (JSC::LargeAllocation::flip):
3110         (JSC::LargeAllocation::isEmpty):
3111         (JSC::LargeAllocation::sweep):
3112         (JSC::LargeAllocation::destroy):
3113         (JSC::LargeAllocation::dump):
3114         * heap/LargeAllocation.h: Added.
3115         (JSC::LargeAllocation::fromCell):
3116         (JSC::LargeAllocation::cell):
3117         (JSC::LargeAllocation::isLargeAllocation):
3118         (JSC::LargeAllocation::heap):
3119         (JSC::LargeAllocation::vm):
3120         (JSC::LargeAllocation::weakSet):
3121         (JSC::LargeAllocation::clearNewlyAllocated):
3122         (JSC::LargeAllocation::isNewlyAllocated):
3123         (JSC::LargeAllocation::isMarked):
3124         (JSC::LargeAllocation::isMarkedOrNewlyAllocated):
3125         (JSC::LargeAllocation::isLive):
3126         (JSC::LargeAllocation::hasValidCell):
3127         (JSC::LargeAllocation::cellSize):
3128         (JSC::LargeAllocation::aboveLowerBound):
3129         (JSC::LargeAllocation::belowUpperBound):
3130         (JSC::LargeAllocation::contains):
3131         (JSC::LargeAllocation::attributes):
3132         (JSC::LargeAllocation::flipIfNecessary):
3133         (JSC::LargeAllocation::flipIfNecessaryConcurrently):
3134         (JSC::LargeAllocation::testAndSetMarked):
3135         (JSC::LargeAllocation::setMarked):
3136         (JSC::LargeAllocation::clearMarked):
3137         (JSC::LargeAllocation::noteMarked):
3138         (JSC::LargeAllocation::headerSize):
3139         * heap/MarkedAllocator.cpp:
3140         (JSC::MarkedAllocator::MarkedAllocator):
3141         (JSC::MarkedAllocator::isPagedOut):
3142         (JSC::MarkedAllocator::retire):
3143         (JSC::MarkedAllocator::filterNextBlock):
3144         (JSC::MarkedAllocator::setNextBlockToSweep):
3145         (JSC::MarkedAllocator::tryAllocateWithoutCollectingImpl):
3146         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
3147         (JSC::MarkedAllocator::allocateSlowCase):
3148         (JSC::MarkedAllocator::tryAllocateSlowCase):
3149         (JSC::MarkedAllocator::allocateSlowCaseImpl):
3150         (JSC::blockHeaderSize):
3151         (JSC::MarkedAllocator::blockSizeForBytes):
3152         (JSC::MarkedAllocator::tryAllocateBlock):
3153         (JSC::MarkedAllocator::addBlock):
3154         (JSC::MarkedAllocator::removeBlock):
3155         (JSC::MarkedAllocator::stopAllocating):
3156         (JSC::MarkedAllocator::reset):
3157         (JSC::MarkedAllocator::lastChanceToFinalize):
3158         (JSC::MarkedAllocator::setFreeList):
3159         (JSC::isListPagedOut): Deleted.
3160         (JSC::MarkedAllocator::tryAllocateHelper): Deleted.
3161         (JSC::MarkedAllocator::tryPopFreeList): Deleted.
3162         (JSC::MarkedAllocator::tryAllocate): Deleted.
3163         (JSC::MarkedAllocator::allocateBlock): Deleted.
3164         * heap/MarkedAllocator.h:
3165         (JSC::MarkedAllocator::takeLastActiveBlock):
3166         (JSC::MarkedAllocator::offsetOfFreeList):
3167         (JSC::MarkedAllocator::offsetOfCellSize):
3168         (JSC::MarkedAllocator::tryAllocate):
3169         (JSC::MarkedAllocator::allocate):
3170         (JSC::MarkedAllocator::forEachBlock):
3171         (JSC::MarkedAllocator::offsetOfFreeListHead): Deleted.
3172         (JSC::MarkedAllocator::MarkedAllocator): Deleted.
3173         (JSC::MarkedAllocator::init): Deleted.
3174         (JSC::MarkedAllocator::stopAllocating): Deleted.
3175         * heap/MarkedBlock.cpp:
3176         (JSC::MarkedBlock::tryCreate):
3177         (JSC::MarkedBlock::Handle::Handle):
3178         (JSC::MarkedBlock::Handle::~Handle):
3179         (JSC::MarkedBlock::MarkedBlock):
3180         (JSC::MarkedBlock::Handle::specializedSweep):
3181         (JSC::MarkedBlock::Handle::sweep):
3182         (JSC::MarkedBlock::Handle::sweepHelperSelectScribbleMode):
3183         (JSC::MarkedBlock::Handle::sweepHelperSelectStateAndSweepMode):
3184         (JSC::MarkedBlock::Handle::unsweepWithNoNewlyAllocated):
3185         (JSC::SetNewlyAllocatedFunctor::SetNewlyAllocatedFunctor):
3186         (JSC::SetNewlyAllocatedFunctor::operator()):
3187         (JSC::MarkedBlock::Handle::stopAllocating):
3188         (JSC::MarkedBlock::Handle::lastChanceToFinalize):
3189         (JSC::MarkedBlock::Handle::resumeAllocating):
3190         (JSC::MarkedBlock::Handle::zap):
3191         (JSC::MarkedBlock::Handle::forEachFreeCell):
3192         (JSC::MarkedBlock::flipIfNecessary):
3193         (JSC::MarkedBlock::Handle::flipIfNecessary):
3194         (JSC::MarkedBlock::flipIfNecessarySlow):
3195         (JSC::MarkedBlock::flipIfNecessaryConcurrentlySlow):
3196         (JSC::MarkedBlock::clearMarks):
3197         (JSC::MarkedBlock::assertFlipped):
3198         (JSC::MarkedBlock::needsFlip):
3199         (JSC::MarkedBlock::Handle::needsFlip):
3200         (JSC::MarkedBlock::Handle::willRemoveBlock):
3201         (JSC::MarkedBlock::Handle::didConsumeFreeList):
3202         (JSC::MarkedBlock::markCount):
3203         (JSC::MarkedBlock::Handle::isEmpty):
3204         (JSC::MarkedBlock::clearHasAnyMarked):
3205         (JSC::MarkedBlock::noteMarkedSlow):
3206         (WTF::printInternal):
3207         (JSC::MarkedBlock::create): Deleted.
3208         (JSC::MarkedBlock::destroy): Deleted.
3209         (JSC::MarkedBlock::callDestructor): Deleted.
3210         (JSC::MarkedBlock::specializedSweep): Deleted.
3211         (JSC::MarkedBlock::sweep): Deleted.
3212         (JSC::MarkedBlock::sweepHelper): Deleted.
3213         (JSC::MarkedBlock::stopAllocating): Deleted.
3214         (JSC::MarkedBlock::clearMarksWithCollectionType): Deleted.
3215         (JSC::MarkedBlock::lastChanceToFinalize): Deleted.
3216         (JSC::MarkedBlock::resumeAllocating): Deleted.
3217         (JSC::MarkedBlock::didRetireBlock): Deleted.
3218         * heap/MarkedBlock.h:
3219         (JSC::MarkedBlock::VoidFunctor::returnValue):
3220         (JSC::MarkedBlock::CountFunctor::CountFunctor):
3221         (JSC::MarkedBlock::CountFunctor::count):
3222         (JSC::MarkedBlock::CountFunctor::returnValue):
3223         (JSC::MarkedBlock::Handle::hasAnyNewlyAllocated):
3224         (JSC::MarkedBlock::Handle::isOnBlocksToSweep):
3225         (JSC::MarkedBlock::Handle::setIsOnBlocksToSweep):
3226         (JSC::MarkedBlock::Handle::state):
3227         (JSC::MarkedBlock::needsDestruction):
3228         (JSC::MarkedBlock::handle):
3229         (JSC::MarkedBlock::Handle::block):
3230         (JSC::MarkedBlock::firstAtom):
3231         (JSC::MarkedBlock::atoms):
3232         (JSC::MarkedBlock::isAtomAligned):
3233         (JSC::MarkedBlock::Handle::cellAlign):
3234         (JSC::MarkedBlock::blockFor):
3235         (JSC::MarkedBlock::Handle::allocator):
3236         (JSC::MarkedBlock::Handle::heap):
3237         (JSC::MarkedBlock::Handle::vm):
3238         (JSC::MarkedBlock::vm):
3239         (JSC::MarkedBlock::Handle::weakSet):
3240         (JSC::MarkedBlock::weakSet):
3241         (JSC::MarkedBlock::Handle::shrink):
3242         (JSC::MarkedBlock::Handle::visitWeakSet):
3243         (JSC::MarkedBlock::Handle::reapWeakSet):
3244         (JSC::MarkedBlock::Handle::cellSize):
3245         (JSC::MarkedBlock::cellSize):
3246         (JSC::MarkedBlock::Handle::attributes):
3247         (JSC::MarkedBlock::attributes):
3248         (JSC::MarkedBlock::Handle::needsDestruction):
3249         (JSC::MarkedBlock::Handle::destruction):
3250         (JSC::MarkedBlock::Handle::cellKind):
3251         (JSC::MarkedBlock::Handle::markCount):
3252         (JSC::MarkedBlock::Handle::size):
3253         (JSC::MarkedBlock::atomNumber):
3254         (JSC::MarkedBlock::flipIfNecessary):
3255         (JSC::MarkedBlock::flipIfNecessaryConcurrently):
3256         (JSC::MarkedBlock::Handle::flipIfNecessary):
3257         (JSC::MarkedBlock::Handle::flipIfNecessaryConcurrently):
3258         (JSC::MarkedBlock::Handle::flipForEdenCollection):
3259         (JSC::MarkedBlock::assertFlipped):
3260         (JSC::MarkedBlock::Handle::assertFlipped):
3261         (JSC::MarkedBlock::isMarked):
3262         (JSC::MarkedBlock::testAndSetMarked):
3263         (JSC::MarkedBlock::Handle::isNewlyAllocated):
3264         (JSC::MarkedBlock::Handle::setNewlyAllocated):
3265         (JSC::MarkedBlock::Handle::clearNewlyAllocated):
3266         (JSC::MarkedBlock::Handle::isMarkedOrNewlyAllocated):
3267         (JSC::MarkedBlock::isMarkedOrNewlyAllocated):
3268         (JSC::MarkedBlock::Handle::isLive):
3269         (JSC::MarkedBlock::isAtom):
3270         (JSC::MarkedBlock::Handle::isLiveCell):
3271         (JSC::MarkedBlock::Handle::forEachCell):
3272         (JSC::MarkedBlock::Handle::forEachLiveCell):
3273         (JSC::MarkedBlock::Handle::forEachDeadCell):
3274         (JSC::MarkedBlock::Handle::needsSweeping):
3275         (JSC::MarkedBlock::Handle::isAllocated):
3276         (JSC::MarkedBlock::Handle::isMarked):
3277         (JSC::MarkedBlock::Handle::isFreeListed):
3278         (JSC::MarkedBlock::hasAnyMarked):
3279         (JSC::MarkedBlock::noteMarked):
3280         (WTF::MarkedBlockHash::hash):
3281         (JSC::MarkedBlock::FreeList::FreeList): Deleted.
3282         (JSC::MarkedBlock::allocator): Deleted.
3283         (JSC::MarkedBlock::heap): Deleted.
3284         (JSC::MarkedBlock::shrink): Deleted.
3285         (JSC::MarkedBlock::visitWeakSet): Deleted.
3286         (JSC::MarkedBlock::reapWeakSet): Deleted.
3287         (JSC::MarkedBlock::willRemoveBlock): Deleted.
3288         (JSC::MarkedBlock::didConsumeFreeList): Deleted.
3289         (JSC::MarkedBlock::markCount): Deleted.
3290         (JSC::MarkedBlock::isEmpty): Deleted.
3291         (JSC::MarkedBlock::destruction): Deleted.
3292         (JSC::MarkedBlock::cellKind): Deleted.
3293         (JSC::MarkedBlock::size): Deleted.
3294         (JSC::MarkedBlock::capacity): Deleted.
3295         (JSC::MarkedBlock::setMarked): Deleted.
3296         (JSC::MarkedBlock::clearMarked): Deleted.
3297         (JSC::MarkedBlock::isNewlyAllocated): Deleted.
3298         (JSC::MarkedBlock::setNewlyAllocated): Deleted.
3299         (JSC::MarkedBlock::clearNewlyAllocated): Deleted.
3300         (JSC::MarkedBlock::isLive): Deleted.
3301         (JSC::MarkedBlock::isLiveCell): Deleted.
3302         (JSC::MarkedBlock::forEachCell): Deleted.
3303         (JSC::MarkedBlock::forEachLiveCell): Deleted.
3304         (JSC::MarkedBlock::forEachDeadCell): Deleted.
3305         (JSC::MarkedBlock::needsSweeping): Deleted.
3306         (JSC::MarkedBlock::isAllocated): Deleted.
3307         (JSC::MarkedBlock::isMarkedOrRetired): Deleted.
3308         * heap/MarkedSpace.cpp:
3309         (JSC::MarkedSpace::initializeSizeClassForStepSize):
3310         (JSC::MarkedSpace::MarkedSpace):
3311         (JSC::MarkedSpace::~MarkedSpace):
3312         (JSC::MarkedSpace::lastChanceToFinalize):
3313         (JSC::MarkedSpace::allocate):
3314         (JSC::MarkedSpace::tryAllocate):
3315         (JSC::MarkedSpace::allocateLarge):
3316         (JSC::MarkedSpace::tryAllocateLarge):
3317         (JSC::MarkedSpace::sweep):
3318         (JSC::MarkedSpace::sweepLargeAllocations):
3319         (JSC::MarkedSpace::zombifySweep):
3320         (JSC::MarkedSpace::resetAllocators):
3321         (JSC::MarkedSpace::visitWeakSets):
3322         (JSC::MarkedSpace::reapWeakSets):
3323         (JSC::MarkedSpace::stopAllocating):
3324         (JSC::MarkedSpace::prepareForMarking):
3325         (JSC::MarkedSpace::resumeAllocating):
3326         (JSC::MarkedSpace::isPagedOut):
3327         (JSC::MarkedSpace::freeBlock):
3328         (JSC::MarkedSpace::freeOrShrinkBlock):
3329         (JSC::MarkedSpace::shrink):
3330         (JSC::MarkedSpace::clearNewlyAllocated):
3331         (JSC::VerifyMarked::operator()):
3332         (JSC::MarkedSpace::flip):
3333         (JSC::MarkedSpace::objectCount):
3334         (JSC::MarkedSpace::size):
3335         (JSC::MarkedSpace::capacity):
3336         (JSC::MarkedSpace::addActiveWeakSet):
3337         (JSC::MarkedSpace::didAddBlock):
3338         (JSC::MarkedSpace::didAllocateInBlock):
3339         (JSC::MarkedSpace::forEachAllocator): Deleted.
3340         (JSC::VerifyMarkedOrRetired::operator()): Deleted.
3341         (JSC::MarkedSpace::clearMarks): Deleted.
3342         * heap/MarkedSpace.h:
3343         (JSC::MarkedSpace::sizeClassToIndex):
3344         (JSC::MarkedSpace::indexToSizeClass):
3345         (JSC::MarkedSpace::version):
3346         (JSC::MarkedSpace::blocksWithNewObjects):
3347         (JSC::MarkedSpace::largeAllocations):
3348         (JSC::MarkedSpace::largeAllocationsNurseryOffset):
3349         (JSC::MarkedSpace::largeAllocationsOffsetForThisCollection):
3350         (JSC::MarkedSpace::largeAllocationsForThisCollectionBegin):
3351         (JSC::MarkedSpace::largeAllocationsForThisCollectionEnd):
3352         (JSC::MarkedSpace::largeAllocationsForThisCollectionSize):
3353         (JSC::MarkedSpace::forEachLiveCell):
3354         (JSC::MarkedSpace::forEachDeadCell):
3355         (JSC::MarkedSpace::allocatorFor):
3356         (JSC::MarkedSpace::destructorAllocatorFor):
3357         (JSC::MarkedSpace::auxiliaryAllocatorFor):
3358         (JSC::MarkedSpace::allocateWithoutDestructor):
3359         (JSC::MarkedSpace::allocateWithDestructor):
3360         (JSC::MarkedSpace::allocateAuxiliary):
3361         (JSC::MarkedSpace::tryAllocateAuxiliary):
3362         (JSC::MarkedSpace::forEachBlock):
3363         (JSC::MarkedSpace::forEachAllocator):
3364         (JSC::MarkedSpace::optimalSizeFor):
3365         (JSC::MarkedSpace::didAddBlock): Deleted.
3366         (JSC::MarkedSpace::didAllocateInBlock): Deleted.
3367         (JSC::MarkedSpace::objectCount): Deleted.
3368         (JSC::MarkedSpace::size): Deleted.
3369         (JSC::MarkedSpace::capacity): Deleted.
3370         * heap/SlotVisitor.cpp:
3371         (JSC::SlotVisitor::SlotVisitor):
3372         (JSC::SlotVisitor::didStartMarking):
3373         (JSC::SlotVisitor::reset):
3374         (JSC::SlotVisitor::append):
3375         (JSC::SlotVisitor::appendJSCellOrAuxiliary):
3376         (JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
3377         (JSC::SlotVisitor::appendToMarkStack):
3378         (JSC::SlotVisitor::markAuxiliary):
3379         (JSC::SlotVisitor::noteLiveAuxiliaryCell):
3380         (JSC::SlotVisitor::visitChildren):
3381         * heap/SlotVisitor.h:
3382         * heap/WeakBlock.cpp:
3383         (JSC::WeakBlock::create):
3384         (JSC::WeakBlock::WeakBlock):
3385         (JSC::WeakBlock::visit):
3386         (JSC::WeakBlock::reap):
3387         * heap/WeakBlock.h:
3388         (JSC::WeakBlock::disconnectContainer):
3389         (JSC::WeakBlock::disconnectMarkedBlock): Deleted.
3390         * heap/WeakSet.cpp:
3391         (JSC::WeakSet::~WeakSet):
3392         (JSC::WeakSet::sweep):
3393         (JSC::WeakSet::shrink):
3394         (JSC::WeakSet::addAllocator):
3395         * heap/WeakSet.h:
3396         (JSC::WeakSet::container):
3397         (JSC::WeakSet::setContainer):
3398         (JSC::WeakSet::WeakSet):
3399         (JSC::WeakSet::visit):
3400         (JSC::WeakSet::shrink): Deleted.
3401         * heap/WeakSetInlines.h:
3402         (JSC::WeakSet::allocate):
3403         * inspector/InjectedScriptManager.cpp:
3404         * inspector/JSGlobalObjectInspectorController.cpp:
3405         * inspector/JSJavaScriptCallFrame.cpp:
3406         * inspector/ScriptDebugServer.cpp:
3407         * inspector/agents/InspectorDebuggerAgent.cpp:
3408         * interpreter/CachedCall.h:
3409         (JSC::CachedCall::CachedCall):
3410         * interpreter/Interpreter.cpp:
3411         (JSC::loadVarargs):
3412         (JSC::StackFrame::sourceID): Deleted.
3413         (JSC::StackFrame::sourceURL): Deleted.
3414         (JSC::StackFrame::functionName): Deleted.
3415         (JSC::StackFrame::computeLineAndColumn): Deleted.
3416         (JSC::StackFrame::toString): Deleted.
3417         * interpreter/Interpreter.h:
3418         (JSC::StackFrame::isNative): Deleted.
3419         * jit/AssemblyHelpers.h:
3420         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
3421         (JSC::AssemblyHelpers::emitAllocate):
3422         (JSC::AssemblyHelpers::emitAllocateJSCell):
3423         (JSC::AssemblyHelpers::emitAllocateJSObject):
3424         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
3425         (JSC::AssemblyHelpers::emitAllocateVariableSized):
3426         * jit/GCAwareJITStubRoutine.cpp:
3427         (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
3428         * jit/JIT.cpp:
3429         (JSC::JIT::compileCTINativeCall):
3430         (JSC::JIT::link):
3431         * jit/JIT.h:
3432         (JSC::JIT::compileCTINativeCall): Deleted.
3433         * jit/JITExceptions.cpp:
3434         (JSC::genericUnwind):
3435         * jit/JITExceptions.h:
3436         * jit/JITOpcodes.cpp:
3437         (JSC::JIT::emit_op_new_object):
3438         (JSC::JIT::emitSlow_op_new_object):
3439         (JSC::JIT::emit_op_create_this):
3440         (JSC::JIT::emitSlow_op_create_this):
3441         * jit/JITOpcodes32_64.cpp:
3442         (JSC::JIT::emit_op_new_object):
3443         (JSC::JIT::emitSlow_op_new_object):
3444         (JSC::JIT::emit_op_create_this):
3445         (JSC::JIT::emitSlow_op_create_this):
3446         * jit/JITOperations.cpp:
3447         * jit/JITOperations.h:
3448         * jit/JITPropertyAccess.cpp:
3449         (JSC::JIT::emitWriteBarrier):
3450         * jit/JITThunks.cpp:
3451         * jit/JITThunks.h:
3452         * jsc.cpp:
3453         (functionDescribeArray):
3454         (main):
3455         * llint/LLIntData.cpp:
3456         (JSC::LLInt::Data::performAssertions):
3457         * llint/LLIntExceptions.cpp:
3458         * llint/LLIntThunks.cpp:
3459         * llint/LLIntThunks.h:
3460         * llint/LowLevelInterpreter.asm:
3461         * llint/LowLevelInterpreter.cpp:
3462         * llint/LowLevelInterpreter32_64.asm:
3463         * llint/LowLevelInterpreter64.asm:
3464         * parser/ModuleAnalyzer.cpp:
3465         * parser/NodeConstructors.h:
3466         * parser/Nodes.h:
3467         * profiler/ProfilerBytecode.cpp:
3468         * profiler/ProfilerBytecode.h:
3469         * profiler/ProfilerBytecodeSequence.cpp:
3470         * runtime/ArrayConventions.h:
3471         (JSC::indexingHeaderForArrayStorage):
3472         (JSC::baseIndexingHeaderForArrayStorage):
3473         (JSC::indexingHeaderForArray): Deleted.
3474         (JSC::baseIndexingHeaderForArray): Deleted.
3475         * runtime/ArrayPrototype.cpp:
3476         (JSC::arrayProtoFuncSplice):
3477         (JSC::concatAppendOne):
3478         (JSC::arrayProtoPrivateFuncConcatMemcpy):
3479         * runtime/ArrayStorage.h:
3480         (JSC::ArrayStorage::vectorLength):
3481         (JSC::ArrayStorage::totalSizeFor):
3482         (JSC::ArrayStorage::totalSize):
3483         (JSC::ArrayStorage::availableVectorLength):
3484         (JSC::ArrayStorage::optimalVectorLength):
3485         (JSC::ArrayStorage::sizeFor): Deleted.
3486         * runtime/AuxiliaryBarrier.h: Added.
3487         (JSC::AuxiliaryBarrier::AuxiliaryBarrier):
3488         (JSC::AuxiliaryBarrier::clear):
3489         (JSC::AuxiliaryBarrier::get):
3490         (JSC::AuxiliaryBarrier::slot):
3491         (JSC::AuxiliaryBarrier::operator bool):
3492         (JSC::AuxiliaryBarrier::setWithoutBarrier):
3493         * runtime/AuxiliaryBarrierInlines.h: Added.
3494         (JSC::AuxiliaryBarrier<T>::AuxiliaryBarrier):
3495         (JSC::AuxiliaryBarrier<T>::set):
3496         * runtime/Butterfly.h:
3497         * runtime/ButterflyInlines.h:
3498         (JSC::Butterfly::availableContiguousVectorLength):
3499         (JSC::Butterfly::optimalContiguousVectorLength):
3500         (JSC::Butterfly::createUninitialized):
3501         (JSC::Butterfly::growArrayRight):
3502         * runtime/ClonedArguments.cpp:
3503         (JSC::ClonedArguments::createEmpty):
3504         * runtime/CommonSlowPathsExceptions.cpp:
3505         * runtime/CommonSlowPathsExceptions.h:
3506         * runtime/DataView.cpp:
3507         * runtime/DirectArguments.h:
3508         * runtime/ECMAScriptSpecInternalFunctions.cpp:
3509         * runtime/Error.cpp:
3510         * runtime/Error.h:
3511         * runtime/ErrorInstance.cpp:
3512         * runtime/ErrorInstance.h:
3513         * runtime/Exception.cpp:
3514         * runtime/Exception.h:
3515         * runtime/GeneratorFrame.cpp:
3516         * runtime/GeneratorPrototype.cpp:
3517         * runtime/InternalFunction.cpp:
3518         (JSC::InternalFunction::InternalFunction):
3519         * runtime/IntlCollator.cpp:
3520         * runtime/IntlCollatorConstructor.cpp:
3521         * runtime/IntlCollatorPrototype.cpp:
3522         * runtime/IntlDateTimeFormat.cpp:
3523         * runtime/IntlDateTimeFormatConstructor.cpp:
3524         * runtime/IntlDateTimeFormatPrototype.cpp:
3525         * runtime/IntlNumberFormat.cpp:
3526         * runtime/IntlNumberFormatConstructor.cpp:
3527         * runtime/IntlNumberFormatPrototype.cpp:
3528         * runtime/IntlObject.cpp:
3529         * runtime/IteratorPrototype.cpp:
3530         * runtime/JSArray.cpp:
3531         (JSC::JSArray::tryCreateUninitialized):
3532         (JSC::JSArray::setLengthWritable):
3533         (JSC::JSArray::unshiftCountSlowCase):
3534         (JSC::JSArray::setLengthWithArrayStorage):
3535         (JSC::JSArray::appendMemcpy):
3536         (JSC::JSArray::setLength):
3537         (JSC::JSArray::pop):
3538         (JSC::JSArray::push):
3539         (JSC::JSArray::fastSlice):
3540         (JSC::JSArray::shiftCountWithArrayStorage):
3541         (JSC::JSArray::shiftCountWithAnyIndexingType):
3542         (JSC::JSArray::unshiftCountWithArrayStorage):
3543         (JSC::JSArray::fillArgList):
3544         (JSC::JSArray::copyToArguments):
3545         * runtime/JSArray.h:
3546         (JSC::createContiguousArrayButterfly):
3547         (JSC::createArrayButterfly):
3548         (JSC::JSArray::create):
3549         (JSC::JSArray::tryCreateUninitialized): Deleted.
3550         * runtime/JSArrayBufferView.h:
3551         * runtime/JSCInlines.h:
3552         * runtime/JSCJSValue.cpp:
3553         (JSC::JSValue::dumpInContextAssumingStructure):
3554         * runtime/JSCallee.cpp:
3555         (JSC::JSCallee::JSCallee):
3556         * runtime/JSCell.cpp:
3557         (JSC::JSCell::estimatedSize):
3558         * runtime/JSCell.h:
3559         (JSC::JSCell::cellStateOffset): Deleted.
3560         * runtime/JSCellInlines.h:
3561         (JSC::ExecState::vm):
3562         (JSC::JSCell::classInfo):
3563         (JSC::JSCell::callDestructor):
3564         (JSC::JSCell::vm): Deleted.
3565         * runtime/JSFunction.cpp:
3566         (JSC::JSFunction::create):
3567         (JSC::JSFunction::allocateAndInitializeRareData):
3568         (JSC::JSFunction::initializeRareData):
3569         (JSC::JSFunction::getOwnPropertySlot):
3570         (JSC::JSFunction::put):
3571         (JSC::JSFunction::deleteProperty):
3572         (JSC::JSFunction::defineOwnProperty):
3573         (JSC::JSFunction::setFunctionName):
3574         (JSC::JSFunction::reifyLength):
3575         (JSC::JSFunction::reifyName):
3576         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
3577         (JSC::JSFunction::reifyBoundNameIfNeeded):
3578         * runtime/JSFunction.h:
3579         * runtime/JSFunctionInlines.h:
3580         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
3581         (JSC::JSFunction::JSFunction):
3582         * runtime/JSGenericTypedArrayViewInlines.h:
3583         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
3584         * runtime/JSInternalPromise.cpp:
3585         * runtime/JSInternalPromiseConstructor.cpp:
3586         * runtime/JSInternalPromiseDeferred.cpp:
3587         * runtime/JSInternalPromisePrototype.cpp:
3588         * runtime/JSJob.cpp:
3589         * runtime/JSMapIterator.cpp:
3590         * runtime/JSModuleNamespaceObject.cpp:
3591         * runtime/JSModuleRecord.cpp:
3592         * runtime/JSObject.cpp:
3593         (JSC::JSObject::visitButterfly):
3594         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
3595         (JSC::JSObject::createInitialIndexedStorage):
3596         (JSC::JSObject::createInitialUndecided):
3597         (JSC::JSObject::createInitialInt32):
3598         (JSC::JSObject::createInitialDouble):
3599         (JSC::JSObject::createInitialContiguous):
3600         (JSC::JSObject::createArrayStorage):
3601         (JSC::JSObject::createInitialArrayStorage):
3602         (JSC::JSObject::convertUndecidedToInt32):
3603         (JSC::JSObject::convertUndecidedToContiguous):
3604         (JSC::JSObject::convertUndecidedToArrayStorage):
3605         (JSC::JSObject::convertInt32ToDouble):
3606         (JSC::JSObject::convertInt32ToArrayStorage):
3607         (JSC::JSObject::convertDoubleToArrayStorage):
3608         (JSC::JSObject::convertContiguousToArrayStorage):
3609         (JSC::JSObject::putByIndexBeyondVectorLength):
3610         (JSC::JSObject::putDirectIndexBeyondVectorLength):
3611         (JSC::JSObject::getNewVectorLength):
3612         (JSC::JSObject::increaseVectorLength):
3613         (JSC::JSObject::ensureLengthSlow):
3614         (JSC::JSObject::growOutOfLineStorage):
3615         (JSC::JSObject::copyButterfly): Deleted.
3616         (JSC::JSObject::copyBackingStore): Deleted.
3617         * runtime/JSObject.h:
3618         (JSC::JSObject::globalObject):
3619         (JSC::JSObject::putDirectInternal):
3620         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary): Deleted.
3621         * runtime/JSObjectInlines.h:
3622         * runtime/JSPromise.cpp:
3623         * runtime/JSPromiseConstructor.cpp:
3624         * runtime/JSPromiseDeferred.cpp:
3625         * runtime/JSPromisePrototype.cpp:
3626         * runtime/JSPropertyNameIterator.cpp:
3627         * runtime/JSScope.cpp:
3628         (JSC::JSScope::resolve):
3629         * runtime/JSScope.h:
3630         (JSC::JSScope::globalObject):
3631         (JSC::JSScope::vm): Deleted.
3632         * runtime/JSSetIterator.cpp:
3633         * runtime/JSStringIterator.cpp:
3634         * runtime/JSTemplateRegistryKey.cpp:
3635         * runtime/JSTypedArrayViewConstructor.cpp:
3636         * runtime/JSTypedArrayViewPrototype.cpp:
3637         * runtime/JSWeakMap.cpp:
3638         * runtime/JSWeakSet.cpp:
3639         * runtime/MapConstructor.cpp:
3640         * runtime/MapIteratorPrototype.cpp:
3641         * runtime/MapPrototype.cpp:
3642         * runtime/NativeErrorConstructor.cpp:
3643         * runtime/NativeStdFunctionCell.cpp:
3644         * runtime/Operations.h:
3645         (JSC::scribbleFreeCells):
3646         (JSC::scribble):
3647         * runtime/Options.h:
3648         * runtime/PropertyTable.cpp:
3649         * runtime/ProxyConstructor.cpp:
3650         * runtime/ProxyObject.cpp:
3651         * runtime/ProxyRevoke.cpp:
3652         * runtime/RegExp.cpp:
3653         (JSC::RegExp::match):
3654         (JSC::RegExp::matchConcurrently):
3655         (JSC::RegExp::matchCompareWithInterpreter):
3656         * runtime/RegExp.h:
3657         * runtime/RegExpConstructor.h:
3658         * runtime/RegExpInlines.h:
3659         (JSC::RegExp::matchInline):
3660         * runtime/RegExpMatchesArray.h:
3661         (JSC::tryCreateUninitializedRegExpMatchesArray):
3662         (JSC::createRegExpMatchesArray):
3663         * runtime/RegExpPrototype.cpp:
3664         (JSC::genericSplit):
3665         * runtime/RuntimeType.cpp:
3666         * runtime/SamplingProfiler.cpp:
3667         (JSC::SamplingProfiler::processUnverifiedStackTraces):
3668         * runtime/SetConstructor.cpp:
3669         * runtime/SetIteratorPrototype.cpp:
3670         * runtime/SetPrototype.cpp:
3671         * runtime/StackFrame.cpp: Added.
3672         (JSC::StackFrame::sourceID):
3673         (JSC::StackFrame::sourceURL):
3674         (JSC::StackFrame::functionName):
3675         (JSC::StackFrame::computeLineAndColumn):
3676         (JSC::StackFrame::toString):
3677         * runtime/StackFrame.h: Added.
3678         (JSC::StackFrame::isNative):
3679         * runtime/StringConstructor.cpp:
3680         * runtime/StringIteratorPrototype.cpp:
3681         * runtime/StructureInlines.h:
3682         (JSC::Structure::propertyTable):
3683         * runtime/TemplateRegistry.cpp:
3684         * runtime/TestRunnerUtils.cpp:
3685         (JSC::finalizeStatsAtEndOfTesting):
3686         * runtime/TestRunnerUtils.h:
3687         * runtime/TypeProfilerLog.cpp:
3688         * runtime/TypeSet.cpp:
3689         * runtime/VM.cpp:
3690         (JSC::VM::VM):
3691         (JSC::VM::ensureStackCapacityForCLoop):
3692         (JSC::VM::isSafeToRecurseSoftCLoop):
3693         * runtime/VM.h:
3694         * runtime/VMEntryScope.h:
3695         * runtime/VMInlines.h:
3696         (JSC::VM::ensureStackCapacityFor):
3697         (JSC::VM::isSafeToRecurseSoft):
3698         * runtime/WeakMapConstructor.cpp:
3699         * runtime/WeakMapData.cpp:
3700         * runtime/WeakMapPrototype.cpp:
3701         * runtime/WeakSetConstructor.cpp:
3702         * runtime/WeakSetPrototype.cpp:
3703         * testRegExp.cpp:
3704         (testOneRegExp):
3705         * tools/JSDollarVM.cpp:
3706         * tools/JSDollarVMPrototype.cpp:
3707         (JSC::JSDollarVMPrototype::isInObjectSpace):
3708
3709 2016-09-04  Commit Queue  <commit-queue@webkit.org>
3710
3711         Unreviewed, rolling out r205415.
3712         https://bugs.webkit.org/show_bug.cgi?id=161573
3713
3714         Many bots see inspector test failures, rolling out now and
3715         investigating later. (Requested by brrian on #webkit).
3716
3717         Reverted changeset:
3718
3719         "Web Inspector: unify Main.html and Test.html sources and
3720         generate different copies with the preprocessor"
3721         https://bugs.webkit.org/show_bug.cgi?id=161212
3722         http://trac.webkit.org/changeset/205415
3723
3724 2016-09-01  Brian Burg  <bburg@apple.com>
3725
3726         Web Inspector: unify Main.html and Test.html sources and generate different copies with the preprocessor
3727         https://bugs.webkit.org/show_bug.cgi?id=161212
3728         <rdar://problem/28017961>
3729
3730         Reviewed by Joseph Pecoraro.
3731
3732         * CMakeLists.txt: Remove some unnecessary MAKE_DIRECTORY commands.
3733
3734 2016-09-03  Joseph Pecoraro  <pecoraro@apple.com>
3735
3736         Use ASCIILiteral in some more places
3737         https://bugs.webkit.org/show_bug.cgi?id=161557
3738
3739         Reviewed by Darin Adler.
3740
3741         * runtime/TypeSet.h:
3742         (JSC::StructureShape::setConstructorName):
3743
3744 2016-09-01  Michael Saboff  <msaboff@apple.com>
3745
3746         Import Chakra tests to JSC
3747         https://bugs.webkit.org/show_bug.cgi?id=154697
3748
3749         Reviewed by Saam Barati.
3750
3751         Added --dumpException option to jsc command line utility to dump uncaught exception
3752         text even for the last exception that matches --exception.  This is used to
3753         check the exception text for a text that is expected to end on an exception.
3754         Chakra has several tests of this form and does the same thing when such a test
3755         ends with an exception.  Tests that rely on this behavior have had their expected
3756         output updated for JSC specific text.
3757
3758         * jsc.cpp:
3759
3760 2016-09-02  Benjamin Poulain  <bpoulain@apple.com>
3761
3762         [JSC] Remove some more useless cases from FTL Capabilities
3763         https://bugs.webkit.org/show_bug.cgi?id=161466
3764
3765         Reviewed by Geoffrey Garen.
3766
3767         Some cases do not make sense:
3768         -In: Fixup only generate CellUse.
3769         -PutByIdXXX: same.
3770         -GetIndexedPropertyStorage: those cases are the only ones supported
3771          by DFG. We would have crashed in SpeculativeJIT if other modes
3772          were generated.
3773
3774         * ftl/FTLCapabilities.cpp:
3775         (JSC::FTL::canCompile):
3776         * ftl/FTLLowerDFGToB3.cpp:
3777         (JSC::FTL::DFG::LowerDFGToB3::compilePutById):
3778         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
3779         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
3780
3781 2016-09-02  Chris Dumez  <cdumez@apple.com>
3782
3783         Unreviewed, roll out r205354 because it caused JSC test failures
3784
3785         * jsc.cpp:
3786         * runtime/JSGlobalObject.cpp:
3787         * runtime/JSGlobalObject.h:
3788         (JSC::JSGlobalObject::allowsAccessFrom):
3789         (JSC::JSGlobalObject::setDebugger): Deleted.
3790         * runtime/JSGlobalObjectFunctions.cpp:
3791         (JSC::GlobalFuncProtoGetterFunctor::GlobalFuncProtoGetterFunctor):
3792         (JSC::GlobalFuncProtoGetterFunctor::result):
3793         (JSC::GlobalFuncProtoGetterFunctor::operator()):
3794         (JSC::globalFuncProtoGetter):
3795         (JSC::GlobalFuncProtoSetterFunctor::GlobalFuncProtoSetterFunctor):
3796         (JSC::GlobalFuncProtoSetterFunctor::allowsAccess):
3797         (JSC::GlobalFuncProtoSetterFunctor::operator()):
3798         (JSC::checkProtoSetterAccessAllowed):
3799         (JSC::globalFuncProtoSetter):
3800         * runtime/JSGlobalObjectFunctions.h:
3801         * runtime/JSObject.cpp:
3802         (JSC::JSObject::setPrototypeWithCycleCheck):
3803         (JSC::JSObject::allowsAccessFrom):
3804         * runtime/JSObject.h:
3805         * runtime/JSProxy.cpp:
3806         * runtime/JSProxy.h:
3807         * runtime/ObjectConstructor.cpp:
3808         (JSC::ObjectConstructorGetPrototypeOfFunctor::ObjectConstructorGetPrototypeOfFunctor):
3809         (JSC::ObjectConstructorGetPrototypeOfFunctor::result):
3810         (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
3811         (JSC::objectConstructorGetPrototypeOf):
3812         (JSC::objectConstructorSetPrototypeOf):
3813         * runtime/ObjectConstructor.h:
3814         * runtime/ReflectObject.cpp:
3815         (JSC::reflectObjectGetPrototypeOf):
3816         (JSC::reflectObjectSetPrototypeOf):
3817
3818 2016-09-02  Caio Lima  <ticaiolima@gmail.com>
3819
3820         Register usage optimization in mathIC when LHS and RHS are constants isn't configured correctly
3821         https://bugs.webkit.org/show_bug.cgi?id=160802
3822
3823         Reviewed by Saam Barati.
3824
3825         This patch is fixing a broken mechanism of MathIC that avoids allocate
3826         a register to LHS or RHS if one of these operands are proven as valid
3827         constant for JIT*Generator. In previous implementation, even if the
3828         JIT*Generator was not using an operand register because it was proven as a
3829         constant, compileMathIC and emitICFast were allocating a register for
3830         it. This was broken because mathIC->isLeftOperandValidConstant and
3831         mathIC->isLeftOperandValidConstant were being called before its Generator be
3832         properly initialized. We changed this mechanism to enable Generators write
3833         their validConstant rules using static methods isLeftOperandValidConstant(SnippetOperand)
3834         and isRightOperandValidConstant(SnippetOperand).
3835
3836         * dfg/DFGSpeculativeJIT.cpp:
3837         (JSC::DFG::SpeculativeJIT::compileMathIC):
3838         * jit/JITAddGenerator.h:
3839         (JSC::JITAddGenerator::JITAddGenerator):
3840         (JSC::JITAddGenerator::isLeftOperandValidConstant):
3841         (JSC::JITAddGenerator::isRightOperandValidConstant):
3842         * jit/JITArithmetic.cpp:
3843         (JSC::JIT::emitMathICFast):
3844         * jit/JITMathIC.h:
3845         * jit/JITMulGenerator.h:
3846         (JSC::JITMulGenerator::JITMulGenerator):
3847         (JSC::JITMulGenerator::isLeftOperandValidConstant):