bc527632b36af3a083e8089969edecf4e279c7ff
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2016-09-15  Commit Queue  <commit-queue@webkit.org>
2
3         Unreviewed, rolling out r205931.
4         https://bugs.webkit.org/show_bug.cgi?id=162021
5
6         Tests for this change fail on 32-bit JSC bots (Requested by
7         ryanhaddad on #webkit).
8
9         Reverted changeset:
10
11         "[JSC] Make the rounding-related nodes support any type"
12         https://bugs.webkit.org/show_bug.cgi?id=161895
13         http://trac.webkit.org/changeset/205931
14
15 2016-09-15  Joseph Pecoraro  <pecoraro@apple.com>
16
17         test262: Should be a SyntaxError for duplicate parameter names in function with default parameters
18         https://bugs.webkit.org/show_bug.cgi?id=162013
19
20         Reviewed by Saam Barati.
21
22         https://tc39.github.io/ecma262/#sec-function-definitions-static-semantics-early-errors
23         It is a Syntax Error if IsSimpleParameterList of FormalParameterList is
24         false and BoundNames of FormalParameterList contains any duplicate elements.
25
26         Non-simple parameter lists include rest parameters, destructuring,
27         and default parameters.
28
29         * parser/Parser.cpp:
30         (JSC::Parser<LexerType>::parseFormalParameters):
31         Previously, we were not failing if there were default parameters
32         early in the parameter list that were not yet identified as duplicates
33         and simple parameters later were duplicates. Now, we fail if there
34         are default parameters anywhere in the parameter list with a duplicate.
35
36 2016-09-14  Joseph Pecoraro  <pecoraro@apple.com>
37
38         ASSERT_NOT_REACHED when using spread inside an array literal with Function.prototype.apply
39         https://bugs.webkit.org/show_bug.cgi?id=162003
40
41         Reviewed by Saam Barati.
42
43         * bytecompiler/NodesCodegen.cpp:
44         (JSC::ArrayNode::isSimpleArray):
45         Don't treat an Array that has a spread expression inside it as simple.
46         This avoids a fast path for f.apply(x, simpleArray) that was not handling
47         spread expressions within arrays, and instead taking a path that can
48         handle the spreading.
49
50 2016-09-14  Commit Queue  <commit-queue@webkit.org>
51
52         Unreviewed, rolling out r205933 and r205936.
53         https://bugs.webkit.org/show_bug.cgi?id=162002
54
55         broke the build (Requested by keith_miller on #webkit).
56
57         Reverted changesets:
58
59         "Pragma out undefined-var-template warnings in JSC for
60         JSObjects that are templatized"
61         https://bugs.webkit.org/show_bug.cgi?id=161985
62         http://trac.webkit.org/changeset/205933
63
64         "Unreviewed, fix the Windows build."
65         http://trac.webkit.org/changeset/205936
66
67 2016-09-14  Chris Dumez  <cdumez@apple.com>
68
69         REGRESSION (r205670): ASSERTION FAILED: methodTable(vm)->toThis(this, exec, NotStrictMode) == this
70         https://bugs.webkit.org/show_bug.cgi?id=161982
71
72         Reviewed by Saam Barati.
73
74         Update JSProxy::setPrototype() to return false unconditionally instead
75         of forwarding the call to its target. We used to forward to the target
76         and then the JSDOMWindow's [[SetPrototypeOf]] would return false.
77         However, the JSC tests use a different GlobalObject and forwarding
78         the setPrototypeOf() call to the GlobalObject lead to hitting an
79         assertion. This patch aligns the behavior of the GlobalObject used by
80         the JSC tests with JSDOMWindow.
81
82         * runtime/JSProxy.cpp:
83         (JSC::JSProxy::setPrototype):
84
85 2016-09-14  Michael Saboff  <msaboff@apple.com>
86
87         YARR doesn't check for invalid flags for literal regular expressions
88         https://bugs.webkit.org/show_bug.cgi?id=161995
89
90         Reviewed by Mark Lam.
91
92         Added a new error and a check that the flags are valid when we create a
93         literal regular expression.
94
95         * runtime/RegExp.cpp:
96         (JSC::RegExp::finishCreation):
97         * yarr/YarrPattern.cpp:
98         (JSC::Yarr::YarrPattern::errorMessage):
99         (JSC::Yarr::YarrPattern::compile):
100         * yarr/YarrPattern.h:
101
102 2016-09-14  Keith Miller  <keith_miller@apple.com>
103
104         Unreviewed, fix the Windows build.
105
106         * runtime/HashMapImpl.cpp:
107
108 2016-09-14  Keith Miller  <keith_miller@apple.com>
109
110         Pragma out undefined-var-template warnings in JSC for JSObjects that are templatized
111         https://bugs.webkit.org/show_bug.cgi?id=161985
112
113         Reviewed by Geoffrey Garen.
114
115         I started a true fix for this in
116         https://bugs.webkit.org/show_bug.cgi?id=161979, however the fix
117         for this issue is not sustainable. Since the scope of this issue
118         is just limited to the static const ClassInfo member it is
119         simpler to just pragma out this warning. This works because
120         COMDAT will, AFAIK, pick the actual specialization.  If, in the
121         future, we want to expose these classes to WebCore we will need to
122         do what we do for JSGenericTypedArrayViews and create a custom
123         info() function with a switch.
124
125         This patch also fixes a bunch of weak external symbols due to one of:
126         1) out of line template member definitions functions not being marked inline.
127         2) inline member functions definitions being marked as exported.
128         3) missing header file includes for forward function declarations.
129
130         * API/JSCallbackObject.h:
131         * b3/B3ValueInlines.h:
132         (JSC::B3::Value::as):
133         * runtime/HashMapImpl.h:
134         * runtime/JSCJSValue.h:
135         (JSC::toUInt32): Deleted.
136         * runtime/JSGenericTypedArrayView.h:
137         (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble):
138         * runtime/JSGenericTypedArrayViewConstructor.h:
139         * runtime/JSGenericTypedArrayViewPrototype.h:
140         * runtime/MathCommon.h:
141         (JSC::toUInt32):
142         * runtime/TypedArrayAdaptors.h:
143         * runtime/VM.h:
144         (JSC::VM::watchdog):
145         (JSC::VM::heapProfiler):
146         (JSC::VM::samplingProfiler):
147
148 2016-09-14  Joseph Pecoraro  <pecoraro@apple.com>
149
150         test262: TypedArray constructors length should be 3 and configurable
151         https://bugs.webkit.org/show_bug.cgi?id=161955
152
153         Reviewed by Mark Lam.
154
155         https://tc39.github.io/ecma262/#sec-ecmascript-standard-built-in-objects
156         Unless otherwise specified, the length property of a built-in Function
157         object has the attributes:
158         { [[Writable]]: false, [[Enumerable]]: false, [[Configurable]]: true }.
159
160         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
161         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::finishCreation):
162
163 2016-09-14  Benjamin Poulain  <bpoulain@apple.com>
164
165         [JSC] Make the rounding-related nodes support any type
166         https://bugs.webkit.org/show_bug.cgi?id=161895
167
168         Reviewed by Geoffrey Garen.
169
170         This patch changes ArithRound, ArithFloor, ArithCeil and ArithTrunc
171         to support polymorphic input without exiting on entry.
172
173         * dfg/DFGAbstractInterpreterInlines.h:
174         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
175         * dfg/DFGByteCodeParser.cpp:
176         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
177         The 4 functions ignore any input past the first argument. It is okay
178         to use the nodes with the first argument and let the Phantoms keep
179         the remaining arguments live.
180
181         * dfg/DFGClobberize.h:
182         (JSC::DFG::clobberize):
183         * dfg/DFGFixupPhase.cpp:
184         (JSC::DFG::FixupPhase::fixupNode):
185         Our fixup had the issue we have seen on previous nodes: unaryArithShouldSpeculateInt32()
186         prevents us from picking a good type if we do not see any double.
187
188         * dfg/DFGNodeType.h:
189         * dfg/DFGOperations.cpp:
190         * dfg/DFGOperations.h:
191         * dfg/DFGPredictionPropagationPhase.cpp:
192         Prediction propagation of those nodes are fully determined
193         from their flags and results's prediction. They are moved
194         to the invariant processing.
195
196         * dfg/DFGSpeculativeJIT.cpp:
197         (JSC::DFG::SpeculativeJIT::compileArithRounding):
198         * ftl/FTLLowerDFGToB3.cpp:
199         (JSC::FTL::DFG::LowerDFGToB3::compileArithRound):
200         (JSC::FTL::DFG::LowerDFGToB3::compileArithFloor):
201         (JSC::FTL::DFG::LowerDFGToB3::compileArithCeil):
202         (JSC::FTL::DFG::LowerDFGToB3::compileArithTrunc):
203
204 2016-09-14  Filip Pizlo  <fpizlo@apple.com>
205
206         Remove Heap::setMarked()
207
208         Rubber stamped by Keith Miller.
209         
210         Nobody uses this function.
211
212         * heap/Heap.h:
213         * heap/HeapInlines.h:
214         (JSC::Heap::setMarked): Deleted.
215         * heap/LargeAllocation.h:
216         (JSC::LargeAllocation::testAndSetMarked):
217         (JSC::LargeAllocation::setMarked): Deleted.
218         * heap/MarkedBlock.h:
219
220 2016-09-14  Mark Lam  <mark.lam@apple.com>
221
222         Use Options::validateExceptionChecks() instead of VM::m_verifyExceptionEvents.
223         https://bugs.webkit.org/show_bug.cgi?id=161975
224
225         Reviewed by Keith Miller.
226
227         This makes it less burdensome (no longer needs a rebuild to enable checks) to do
228         incremental work towards enabling checks all the time.
229
230         * runtime/Options.h:
231         * runtime/VM.cpp:
232         (JSC::VM::verifyExceptionCheckNeedIsSatisfied):
233         * runtime/VM.h:
234
235 2016-09-14  Joseph Pecoraro  <pecoraro@apple.com>
236
237         TaggedTemplateString function calls should emit tail position calls
238         https://bugs.webkit.org/show_bug.cgi?id=161948
239
240         Reviewed by Yusuke Suzuki.
241
242         * bytecompiler/NodesCodegen.cpp:
243         (JSC::TaggedTemplateNode::emitBytecode):
244         The tagged template string function call can be a tail call:
245         https://tc39.github.io/ecma262/#sec-tagged-templates-runtime-semantics-evaluation
246
247 2016-09-14  Joseph Pecoraro  <pecoraro@apple.com>
248
249         test262: Array.prototype.slice should always set length
250         https://bugs.webkit.org/show_bug.cgi?id=161953
251
252         Reviewed by Mark Lam.
253
254         * runtime/ArrayPrototype.cpp:
255         (JSC::arrayProtoFuncSplice):
256
257 2016-09-13  Michael Saboff  <msaboff@apple.com>
258
259         Promises aren't resolved properly when making a ObjC API callback
260         https://bugs.webkit.org/show_bug.cgi?id=161929
261
262         Reviewed by Geoffrey Garen.
263
264         When we go to call out to an Objective C function registered via the API,
265         we first drop all JSC locks to make the call.  As part of dropping the locks,
266         we drain the microtask queue that is used among other things for handling deferred
267         promise resolution.  The DropAllLocks scope class that drops the locks while in
268         scope, resets the current thread's AtomicStringTable to the default table.  This
269         is wrong for two reasons, first it happens before we drain the microtask queue and
270         second it isn't needed as JSLock::willReleaseLock() restores the current thread's
271         AtomicStringTable to the table before the lock was acquired.
272
273         In fact, the manipulation of the current thread's AtomicStringTable is already 
274         properly handled as a stack in JSLock::didAcquireLock() and willReleaseLock().
275         Therefore the manipulation of the AtomicStringTable in DropAllLocks constructor
276         and destructor should be removed.
277
278         * API/tests/testapi.mm:
279         (testObjectiveCAPIMain): Added a new test.
280         * runtime/JSLock.cpp:
281         (JSC::JSLock::DropAllLocks::DropAllLocks):
282         (JSC::JSLock::DropAllLocks::~DropAllLocks):
283
284 2016-09-13  Filip Pizlo  <fpizlo@apple.com>
285
286         Remove Heap::isLive()
287         https://bugs.webkit.org/show_bug.cgi?id=161933
288
289         Reviewed by Mark Lam.
290         
291         Before I put any more effort into maintaining this weird function, I decided to check how it
292         was used. It turns out it's not.
293
294         * heap/Heap.h:
295         * heap/HeapInlines.h:
296         (JSC::Heap::isLive): Deleted.
297
298 2016-09-13  Mark Lam  <mark.lam@apple.com>
299
300         DFG NewArrayBuffer node should watch for "have a bad time" state change.
301         https://bugs.webkit.org/show_bug.cgi?id=161927
302         <rdar://problem/27995222>
303
304         Reviewed by Geoffrey Garen.
305
306         * dfg/DFGFixupPhase.cpp:
307         (JSC::DFG::FixupPhase::fixupNode):
308
309 2016-09-13  JF Bastien  <jfbastien@apple.com>
310
311         Support jsc shell builtin `read`
312         https://bugs.webkit.org/show_bug.cgi?id=161662
313
314         Reviewed by Keith Miller.
315
316         The jsc shell currently supports a `readFile` method which returns
317         a string. SpiderMonkey's js shell and V8's d8 shell both support
318         similar file-to-string functions, as well as a
319         binary-file-to-Uint8Array function. jsc should support a similar
320         binary file method to simplify testing, including testing of
321         WebAssembly blobs.
322
323         Emscripten's shell.js (which is also used for some WebAssembly
324         things) has a polyfill [1] for a builtin called `read`. jsc should
325         therefore have a builtin with the same name if we want things to
326         "Just Work".
327
328           [1]: https://github.com/kripken/emscripten/blob/5f0918409a1407dd168f57cfa34b109cd1770a8a/src/shell.js#L138
329
330         * jsc.cpp:
331         (GlobalObject::finishCreation): add `read`, make `readFile` take up to 2 arguments.
332         (functionReadFile): support binary files, as per SpiderMonkey.
333         * runtime/Error.h:
334         (JSC::throwVMError): convenience function, I'll add more uses in a follow-up
335         * runtime/JSTypedArrays.cpp:
336         (JSC::createUint8TypedArray): JS private export of JSUint8Array::create.
337         * runtime/JSTypedArrays.h: expose private export.
338
339 2016-09-12  Skachkov Oleksandr  <gskachkov@gmail.com>
340
341         ES6: Classes: Should be allowed to create a static method with name "arguments"
342         https://bugs.webkit.org/show_bug.cgi?id=152985
343
344         Reviewed by Keith Miller.
345
346         Current patch covered 16.2 Forbidden Extensions - first topic 
347         (https://tc39.github.io/ecma262/#sec-forbidden-extensions) ECMAScript Functions 
348         should not have own properties named "caller" or "arguments".
349         Also added possibility to declare static methods and getters with 
350         name 'arguments' and 'caller' for classes. i.e.:
351         class A { static arguments() { return 'value'; } }
352         A.arguments() === 'value';
353         To implement this patch 'caller' and 'arguments' were put to the FunctionPrototype
354         object. Also was changed approach to init throwTypeErrorArgumentsCalleeAndCallerGetterSetter
355         property from Lazy to common because it necessary to use execState during init of the accessors 
356         properties.
357
358         * runtime/Executable.h:
359         * runtime/FunctionPrototype.cpp:
360         (JSC::FunctionPrototype::initRestrictedProperties):
361         (JSC::FunctionPrototype::addFunctionProperties): Deleted.
362         * runtime/FunctionPrototype.h:
363         * runtime/JSFunction.cpp:
364         (JSC::JSFunction::getOwnPropertySlot):
365         (JSC::JSFunction::getOwnNonIndexPropertyNames):
366         (JSC::JSFunction::put):
367         (JSC::JSFunction::deleteProperty):
368         (JSC::JSFunction::defineOwnProperty):
369         * runtime/JSGlobalObject.cpp:
370         (JSC::JSGlobalObject::init):
371         (JSC::JSGlobalObject::visitChildren):
372         * runtime/JSGlobalObject.h:
373         (JSC::JSGlobalObject::throwTypeErrorArgumentsCalleeAndCallerGetterSetter):
374
375 2016-09-12  Filip Pizlo  <fpizlo@apple.com>
376
377         MarkedBlock should be able to use flipIfNecessary() as the "I'm not empty" trigger
378         https://bugs.webkit.org/show_bug.cgi?id=161869
379
380         Reviewed by Saam Barati.
381         
382         In bug 161581, I'm going to use flipIfNecessary() during marking to trigger the "I'm not
383         empty" hook, which will set a bit in the markingNotEmpty bitvector.
384         
385         For this to work, we need to ensure that nobody else uses flipIfNecessary() during marking.
386         If anyone else does it but they aren't marking new objects, then this prevents
387         flipIfNecessary() from triggering when the first object is marked, which means we won't
388         always detect when a block became non-empty.
389         
390         I addressed this by adding a isMarking flag, and asserting in flipIfNecessary() that the flag
391         isn't set. flipIfNecessaryDuringMarking() is used only on the marking path, so that code
392         knows that it can trigger something like noteMarked(). The only places that were using
393         flipIfNecessary() should have been using needsFlip() anyway.
394
395         * heap/CellContainer.h:
396         * heap/CellContainerInlines.h:
397         (JSC::CellContainer::needsFlip):
398         * heap/Heap.cpp:
399         (JSC::Heap::markRoots):
400         (JSC::Heap::beginMarking):
401         (JSC::Heap::endMarking):
402         (JSC::Heap::clearLivenessData): Deleted.
403         (JSC::Heap::converge): Deleted.
404         (JSC::Heap::resetVisitors): Deleted.
405         * heap/Heap.h:
406         * heap/HeapInlines.h:
407         (JSC::Heap::testAndSetMarked):
408         * heap/LargeAllocation.h:
409         (JSC::LargeAllocation::flipIfNecessaryDuringMarking):
410         (JSC::LargeAllocation::flipIfNecessaryConcurrently): Deleted.
411         * heap/MarkedBlock.cpp:
412         (JSC::MarkedBlock::flipIfNecessarySlow):
413         (JSC::MarkedBlock::flipIfNecessaryDuringMarkingSlow):
414         (JSC::MarkedBlock::flipIfNecessaryConcurrentlySlow): Deleted.
415         * heap/MarkedBlock.h:
416         (JSC::MarkedBlock::flipIfNecessaryDuringMarking):
417         (JSC::MarkedBlock::Handle::flipIfNecessaryDuringMarking):
418         (JSC::MarkedBlock::flipIfNecessaryConcurrently): Deleted.
419         (JSC::MarkedBlock::Handle::flipIfNecessaryConcurrently): Deleted.
420         * heap/MarkedSpace.h:
421         (JSC::MarkedSpace::isMarking):
422         (JSC::MarkedSpace::setIsMarking):
423         (JSC::MarkedSpace::largeAllocationsForThisCollectionSize): Deleted.
424         * heap/SlotVisitor.cpp:
425         (JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
426         * heap/WeakBlock.cpp:
427         (JSC::WeakBlock::visit):
428
429 2016-09-12  Saam Barati  <sbarati@apple.com>
430
431         HashMapImpl should take into account m_deleteCount in its load factor and it should be able to rehash the table to be smaller
432         https://bugs.webkit.org/show_bug.cgi?id=161640
433
434         Reviewed by Geoffrey Garen.
435
436         HashMapImpl now takes into account m_deleteCount in its load factor.
437         It now knows how to rehash to either decrease its capacity, stay at
438         the same capacity, or increase its capacity. The reason we can sometimes
439         stay at the same capacity is that we can reduce the load factor enough
440         by rehashing that growing isn't warranted. The reason for this is that
441         anytime we rehash, we remove all deleted sentinels from the buffer.
442         Therefore, staying at the same same capacity, when there are deleted entries,
443         can still reduce the load factor because it removes all deleted sentinels.
444
445         * runtime/HashMapImpl.h:
446         (JSC::HashMapBuffer::create):
447         (JSC::HashMapBuffer::reset):
448         (JSC::HashMapImpl::HashMapImpl):
449         (JSC::HashMapImpl::add):
450         (JSC::HashMapImpl::remove):
451         (JSC::HashMapImpl::size):
452         (JSC::HashMapImpl::clear):
453         (JSC::HashMapImpl::approximateSize):
454         (JSC::HashMapImpl::shouldRehashAfterAdd):
455         (JSC::HashMapImpl::shouldShrink):
456         (JSC::HashMapImpl::rehash):
457         (JSC::HashMapImpl::checkConsistency):
458         (JSC::HashMapImpl::makeAndSetNewBuffer):
459         (JSC::HashMapImpl::assertBufferIsEmpty):
460
461 2016-09-12  Benjamin Poulain  <bpoulain@apple.com>
462
463         [JSC] Use GetArrayLength for JSArray.length even when the array type is undecided
464         https://bugs.webkit.org/show_bug.cgi?id=161671
465
466         Reviewed by Geoffrey Garen.
467
468         UndecidedShape is a type with storage. When we allocate an uninitialized JSArray,
469         it gets a butterfly with its length.
470         When we were querying that length, we were generating a generic GetById with inline cache.
471
472         This patch adds the missing bits to treat Undecided like the other types with storage.
473
474         * dfg/DFGArrayMode.cpp:
475         (JSC::DFG::canBecomeGetArrayLength):
476         (JSC::DFG::ArrayMode::refine):
477         * dfg/DFGArrayMode.h:
478         (JSC::DFG::ArrayMode::usesButterfly):
479         (JSC::DFG::ArrayMode::lengthNeedsStorage):
480         * dfg/DFGClobberize.h:
481         (JSC::DFG::clobberize):
482         * dfg/DFGFixupPhase.cpp:
483         (JSC::DFG::FixupPhase::checkArray):
484         * dfg/DFGSpeculativeJIT.cpp:
485         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
486         * ftl/FTLCapabilities.cpp:
487         (JSC::FTL::canCompile):
488         * ftl/FTLLowerDFGToB3.cpp:
489         (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
490
491 2016-09-12  Yusuke Suzuki  <utatane.tea@gmail.com>
492
493         [DFG][FTL] Add ArithTan
494         https://bugs.webkit.org/show_bug.cgi?id=161857
495
496         Reviewed by Filip Pizlo.
497
498         While ArithSin and ArithCos are supported, ArithTan is not supported yet.
499         And we also find that Math.tan is included in MotionMark's Multiply benchmark.
500
501         This patch adds ArithTan support in DFG and FTL. And it also cleans up the
502         existing ArithSin, ArithCos, and ArithLog compilations by unifying them.
503         The microbenchmark shows the 9% perf improvement.
504
505             tan    322.4819+-0.3766     ^    295.8700+-0.3094        ^ definitely 1.0899x faster
506
507         * dfg/DFGAbstractInterpreterInlines.h:
508         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
509         * dfg/DFGByteCodeParser.cpp:
510         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
511         * dfg/DFGClobberize.h:
512         (JSC::DFG::clobberize):
513         * dfg/DFGDoesGC.cpp:
514         (JSC::DFG::doesGC):
515         * dfg/DFGFixupPhase.cpp:
516         (JSC::DFG::FixupPhase::fixupNode):
517         * dfg/DFGNodeType.h:
518         * dfg/DFGOperations.cpp:
519         * dfg/DFGOperations.h:
520         * dfg/DFGPredictionPropagationPhase.cpp:
521         * dfg/DFGSafeToExecute.h:
522         (JSC::DFG::safeToExecute):
523         * dfg/DFGSpeculativeJIT.cpp:
524         (JSC::DFG::SpeculativeJIT::compileArithDoubleUnaryOp):
525         (JSC::DFG::SpeculativeJIT::compileArithCos):
526         (JSC::DFG::SpeculativeJIT::compileArithTan):
527         (JSC::DFG::SpeculativeJIT::compileArithSin):
528         (JSC::DFG::SpeculativeJIT::compileArithLog):
529         * dfg/DFGSpeculativeJIT.h:
530         * dfg/DFGSpeculativeJIT32_64.cpp:
531         (JSC::DFG::SpeculativeJIT::compile):
532         * dfg/DFGSpeculativeJIT64.cpp:
533         (JSC::DFG::SpeculativeJIT::compile):
534         * ftl/FTLCapabilities.cpp:
535         (JSC::FTL::canCompile):
536         * ftl/FTLLowerDFGToB3.cpp:
537         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
538         (JSC::FTL::DFG::LowerDFGToB3::compileArithTan):
539         * ftl/FTLOutput.cpp:
540         (JSC::FTL::Output::doubleTan):
541         * ftl/FTLOutput.h:
542         * runtime/Intrinsic.h:
543         * runtime/MathObject.cpp:
544         (JSC::MathObject::finishCreation):
545
546 2016-09-12  Saam Barati  <sbarati@apple.com>
547
548         MapHash should do constant folding when it has a constant argument and its legal to hash that value
549         https://bugs.webkit.org/show_bug.cgi?id=161639
550
551         Reviewed by Filip Pizlo.
552
553         We now constant fold the MapHash node. We're careful to not resolve
554         ropes from the compiler thread, and to only hash strings if they're
555         not too large. The microbenchmark I added runs about 12% faster with
556         this patch.
557
558         * dfg/DFGAbstractInterpreterInlines.h:
559         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
560         * runtime/HashMapImpl.h:
561         (JSC::wangsInt64Hash):
562         (JSC::jsMapHash):
563         (JSC::concurrentJSMapHash):
564
565 2016-09-11  Filip Pizlo  <fpizlo@apple.com>
566
567         DFG::forAllKilledOperands() could use a faster bitvector scan in the same-inline-stack fast path
568         https://bugs.webkit.org/show_bug.cgi?id=161849
569
570         Reviewed by Saam Barati.
571         
572         This is a fairly obvious change. This turns a loop that would query each bit individually
573         into a loop that will process a word at a time. I would expect a very tiny progression in
574         DFG compile times.
575         
576         This also gave me an opportunity to test and fix the new FastBitVector functionality.
577
578         * dfg/DFGForAllKills.h:
579         (JSC::DFG::forAllKilledOperands):
580
581 2016-09-11  Filip Pizlo  <fpizlo@apple.com>
582
583         FastBitVector should have efficient and easy-to-use vector-vector operations
584         https://bugs.webkit.org/show_bug.cgi?id=161847
585
586         Reviewed by Saam Barati.
587         
588         Adapt existing users of FastBitVector to the new API.
589
590         * bytecode/BytecodeLivenessAnalysis.cpp:
591         (JSC::BytecodeLivenessAnalysis::computeKills):
592         (JSC::BytecodeLivenessAnalysis::dumpResults):
593         * bytecode/BytecodeLivenessAnalysisInlines.h:
594         (JSC::operandThatIsNotAlwaysLiveIsLive):
595         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::stepOverInstruction):
596         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::runLivenessFixpoint):
597         * bytecode/CodeBlock.cpp:
598         (JSC::CodeBlock::validate):
599         * dfg/DFGByteCodeParser.cpp:
600         (JSC::DFG::ByteCodeParser::flushForTerminal):
601         * dfg/DFGForAllKills.h:
602         (JSC::DFG::forAllKilledOperands):
603         * dfg/DFGGraph.h:
604         (JSC::DFG::Graph::forAllLocalsLiveInBytecode):
605         * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
606         (JSC::DFG::LiveCatchVariablePreservationPhase::willCatchException):
607         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlock):
608         * dfg/DFGNaturalLoops.cpp:
609         (JSC::DFG::NaturalLoops::NaturalLoops):
610         * dfg/DFGPlan.cpp:
611         (JSC::DFG::Plan::cleanMustHandleValuesIfNecessary):
612
613 2016-09-10  Chris Dumez  <cdumez@apple.com>
614
615         parseHTMLInteger() should take a StringView in parameter
616         https://bugs.webkit.org/show_bug.cgi?id=161669
617
618         Reviewed by Ryosuke Niwa.
619
620         * runtime/DateConversion.cpp:
621         (JSC::formatDateTime):
622         Explicitly construct a String from the const WCHAR* on Windows because
623         it is ambiguous otherwise now that there is a StringBuilder::append()
624         overload taking an AtomicString in.
625
626 2016-09-08  Keith Miller  <keith_miller@apple.com>
627
628         WASM should support if-then-else
629         https://bugs.webkit.org/show_bug.cgi?id=161778
630
631         Reviewed by Michael Saboff.
632
633         This patch makes some major changes to the way that the WASM
634         function parser works. First, the control stack has been moved
635         from the parser's context to the parser itself. This simplifies
636         the way that the parser works and allows us to make the decoder
637         iterative rather than recursive. Since the control stack has been
638         moved to the parser, any context operation that refers to some
639         block now receives that block by reference.
640
641         For any if block, regardless of whether or not it is an
642         if-then-else or not, we will allocate both the entire control flow
643         diamond. This is not a major issue in the if-then case since B3
644         will immediately cleanup these blocks. In order to support if-then
645         and if-then-else we needed to be able to distinguish what the type
646         of the top block on the control stack is. This will be necessary
647         when validating the else opcode in the future. In the B3 IR
648         generator we decide to the type of the block strictly by the
649         shape.
650
651         Currently, if blocks don't handle passed and returned stack values
652         correctly. I plan to fix this when I add support for the block
653         signatures. See: https://github.com/WebAssembly/design/pull/765
654
655         * testWASM.cpp:
656         (runWASMTests):
657         * wasm/WASMB3IRGenerator.cpp:
658         (dumpProcedure):
659         (JSC::WASM::parseAndCompile):
660         * wasm/WASMB3IRGenerator.h:
661         * wasm/WASMFunctionParser.h:
662         (JSC::WASM::FunctionParser<Context>::parseBlock):
663         (JSC::WASM::FunctionParser<Context>::parseExpression):
664         (JSC::WASM::FunctionParser<Context>::parseUnreachableExpression):
665         * wasm/WASMOps.h:
666
667 2016-09-09  Filip Pizlo  <fpizlo@apple.com>
668
669         jsc.cpp should call initializeMainThread() to make sure that GC thread assertions work
670         https://bugs.webkit.org/show_bug.cgi?id=161801
671
672         Reviewed by Keith Miller.
673         
674         The GC has debug assertions that certain things don't happen on GC threads. Those assertions
675         are no-ops unless initializeGCThreads() is called, and I think the most canonical way to do
676         that is to call initializeMainThread().
677
678         * jsc.cpp:
679         (jscmain):
680
681 2016-09-09  Saam Barati  <sbarati@apple.com>
682
683         Make hasOwnProperty ALWAYS_INLINE
684         https://bugs.webkit.org/show_bug.cgi?id=161775
685
686         Reviewed by Ryosuke Niwa.
687
688         Speedometer spends around 2.5% of its time in hasOwnProperty.
689         Let's reduce the overhead of calling that function by marking
690         it as inline. Also, it's likely that the function will call into
691         JSObject::getOwnPropertySlot. I added a check to see if that's
692         the function we're calling, if it is, we do a direct call instead
693         of an indirect call.
694
695         * runtime/JSObject.cpp:
696         (JSC::JSObject::hasOwnProperty): Deleted.
697         * runtime/JSObjectInlines.h:
698         (JSC::JSObject::hasOwnProperty):
699
700 2016-09-09  Filip Pizlo  <fpizlo@apple.com>
701
702         HashMapImpl needs to m_buffer.clear() in its constructor
703         https://bugs.webkit.org/show_bug.cgi?id=161796
704
705         Reviewed by Keith Miller.
706         
707         This is the second time that I'm fixing a bug because AuxiliaryBarrier does not initialize
708         itself. That seemed like a good idea because maybe sometimes the user knows better how to
709         initialize it. But, it's not worth it if it's a constant source of bugs.
710         
711         So, I'm fixing it for good by making AuxiliaryBarrier::AuxiliaryBarrier() initialize its
712         m_value.
713
714         * runtime/AuxiliaryBarrier.h:
715         (JSC::AuxiliaryBarrier::AuxiliaryBarrier):
716         * runtime/DirectArguments.cpp:
717         (JSC::DirectArguments::DirectArguments):
718
719 2016-09-09  Youenn Fablet  <youenn@apple.com>
720
721         ASSERTION FAILED: promise.inherits(JSPromise::info())
722         https://bugs.webkit.org/show_bug.cgi?id=161632
723         <rdar://problem/28184743>
724
725         Reviewed by Mark Lam.
726
727         * runtime/JSPromiseDeferred.cpp:
728         (JSC::JSPromiseDeferred::create): Returning null if promise object is not created.
729
730 2016-09-08  Filip Pizlo  <fpizlo@apple.com>
731
732         Heap::isMarked() shouldn't pay the price of concurrent lazy flipping
733         https://bugs.webkit.org/show_bug.cgi?id=161760
734
735         Reviewed by Mark Lam.
736         
737         To fix a race condition in marking, I made Heap::isMarked() and Heap::isLive() atomic by
738         using flipIfNecessaryConcurrently() instead of flipIfNecessary().
739         
740         This introduces three unnecessary overheads:
741         
742         - isLive() is not called by marking, so that change was not necessary.
743         
744         - isMarked() gets calls many times outside of marking, so it shouldn't always do the
745           concurrent thing. This adds isMarkedConcurrently() for use in marking, and reverts
746           isMarked().
747         
748         - isMarked() and isMarkedConcurrently() don't actually have to do the lazy flip. They can
749           return false if the flip is necessary.
750         
751         I added a bunch of debug assertions to make sure that isLive() and isMarked() are not called
752         during marking.
753         
754         If we needed to, we could remove most of the calls to isMarkedConcurrently(). As a kind of
755         optimization, CodeBlock does an initial fixpoint iteration during marking, and so all of the
756         code called from CodeBlock's fixpoint iterator needs to use isMarkedConcurrently(). But we
757         could probably arrange for CodeBlock only do fixpoint iterating during the weak reference
758         thing.
759
760         * bytecode/CodeBlock.cpp:
761         (JSC::CodeBlock::visitWeakly):
762         (JSC::CodeBlock::shouldJettisonDueToOldAge):
763         (JSC::shouldMarkTransition):
764         (JSC::CodeBlock::propagateTransitions):
765         (JSC::CodeBlock::determineLiveness):
766         * bytecode/PolymorphicAccess.cpp:
767         (JSC::AccessCase::propagateTransitions):
768         * heap/Heap.h:
769         * heap/HeapInlines.h:
770         (JSC::Heap::isLive):
771         (JSC::Heap::isMarked):
772         (JSC::Heap::isMarkedConcurrently):
773         * heap/MarkedBlock.cpp:
774         (JSC::MarkedBlock::flipIfNecessarySlow):
775         (JSC::MarkedBlock::flipIfNecessaryConcurrentlySlow):
776         (JSC::MarkedBlock::needsFlip):
777         * heap/MarkedBlock.h:
778         (JSC::MarkedBlock::needsFlip):
779         (JSC::MarkedBlock::flipIfNecessary):
780         (JSC::MarkedBlock::flipIfNecessaryConcurrently):
781         * heap/SlotVisitor.cpp:
782         (JSC::SlotVisitor::appendToMarkStack):
783         (JSC::SlotVisitor::markAuxiliary):
784         (JSC::SlotVisitor::visitChildren):
785         * runtime/Structure.cpp:
786         (JSC::Structure::isCheapDuringGC):
787         (JSC::Structure::markIfCheap):
788
789 2016-09-08  Saam Barati  <sbarati@apple.com>
790
791         We should inline operationConvertJSValueToBoolean into JIT code
792         https://bugs.webkit.org/show_bug.cgi?id=161729
793
794         Reviewed by Filip Pizlo.
795
796         This patch introduces an AssemblyHelpers emitter function
797         that replaces operationConvertJSValueToBoolean. This operation
798         was showing up when I was doing performance analysis for the
799         speedometer benchmark. I saw that it was spending about 1% of
800         its time in this function. Hopefully this patch can help us speedup
801         up speedometer by a little bit.
802
803         * dfg/DFGSpeculativeJIT32_64.cpp:
804         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
805         (JSC::DFG::SpeculativeJIT::emitBranch):
806         * dfg/DFGSpeculativeJIT64.cpp:
807         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
808         (JSC::DFG::SpeculativeJIT::emitBranch):
809         * jit/AssemblyHelpers.cpp:
810         (JSC::AssemblyHelpers::emitConvertValueToBoolean):
811         * jit/AssemblyHelpers.h:
812         (JSC::AssemblyHelpers::emitAllocateDestructibleObject): Deleted.
813         * jit/JIT.cpp:
814         (JSC::JIT::privateCompileSlowCases):
815         * jit/JIT.h:
816         * jit/JITOpcodes.cpp:
817         (JSC::JIT::emit_op_jfalse):
818         (JSC::JIT::emit_op_jtrue):
819         (JSC::JIT::emitSlow_op_jfalse): Deleted.
820         (JSC::JIT::emitSlow_op_jtrue): Deleted.
821         * jit/JITOpcodes32_64.cpp:
822         (JSC::JIT::emit_op_jfalse):
823         (JSC::JIT::emit_op_jtrue):
824         (JSC::JIT::emitSlow_op_jfalse): Deleted.
825         (JSC::JIT::emitSlow_op_jtrue): Deleted.
826         * jit/JITOperations.cpp:
827         * jit/JITOperations.h:
828
829 2016-09-08  Chris Dumez  <cdumez@apple.com>
830
831         Align proto getter / setter behavior with other browsers
832         https://bugs.webkit.org/show_bug.cgi?id=161455
833
834         Reviewed by Saam Barati.
835
836         Drop allowsAccessFrom from the methodTable and delegate cross-origin
837         checking to the DOM bindings for [[SetPrototypeOf]] / [[GetPrototypeOf]].
838         This is more consistent with other operations (e.g. [[GetOwnProperty]]).
839
840         * jsc.cpp:
841         * runtime/JSGlobalObject.cpp:
842         * runtime/JSGlobalObject.h:
843         * runtime/JSGlobalObjectFunctions.cpp:
844         (JSC::globalFuncProtoGetter):
845         (JSC::globalFuncProtoSetter):
846         (JSC::globalFuncBuiltinLog): Deleted.
847         * runtime/JSGlobalObjectFunctions.h:
848         * runtime/JSObject.cpp:
849         (JSC::JSObject::setPrototypeWithCycleCheck):
850         Remove check added in r197648. This check was added to match
851         the latest EcmaScript spec:
852         - https://tc39.github.io/ecma262/#sec-ordinarysetprototypeof (step 8)
853         This check allowed for [[Prototype]] chain cycles if the prototype
854         chain includes objects that do not use the ordinary object definitions
855         for [[GetPrototypeOf]] and [[SetPrototypeOf]].
856         The issue is that the rest of our code base does not properly handle
857         such cycles and we can end up in infinite loops. This became obvious
858         because this patch updates Window / Location so that they no longer
859         use the default [[GetPrototypeOf]] / [[SetPrototypeOf]]. If I do not
860         remove this check, I get an infinite loop in
861         Structure::anyObjectInChainMayInterceptIndexedAccesses(), which is
862         called from JSObject::setPrototypeDirect(), when running the following
863         layout test:
864         - html/browsers/history/the-location-interface/allow_prototype_cycle_through_location.sub.html
865         I filed https://bugs.webkit.org/show_bug.cgi?id=161534 to track this
866         issue.
867
868         * runtime/JSObject.h:
869         (JSC::JSObject::getArrayLength): Deleted.
870         * runtime/JSProxy.cpp:
871         (JSC::JSProxy::setPrototype):
872         (JSC::JSProxy::getPrototype):
873         * runtime/JSProxy.h:
874         * runtime/ObjectConstructor.cpp:
875         (JSC::objectConstructorGetPrototypeOf):
876         (JSC::objectConstructorSetPrototypeOf):
877         (JSC::objectConstructorGetOwnPropertyDescriptor): Deleted.
878         (JSC::objectConstructorGetOwnPropertyDescriptors): Deleted.
879         * runtime/ObjectConstructor.h:
880         * runtime/ReflectObject.cpp:
881         (JSC::reflectObjectGetPrototypeOf):
882         (JSC::reflectObjectSetPrototypeOf):
883
884 2016-09-08  Filip Pizlo  <fpizlo@apple.com>
885
886         Remove CopiedSpace and use MarkedSpace instead
887         https://bugs.webkit.org/show_bug.cgi?id=159658
888
889         Reviewed by Keith Miller.
890         
891         This removes the final client of CopiedSpace, the overrides array of DirectArguments. That
892         is a simple change.
893         
894         Then this stubs out some remaining internal debugging code that referenced CopiedSpace in
895         JSDollarVM and HeapVerifier. I filed FIXMEs to restore that debugging functionality.
896         
897         The rest of this patch is deleting CopiedSpace.
898
899         * API/JSObjectRef.cpp:
900         * CMakeLists.txt:
901         * JavaScriptCore.xcodeproj/project.pbxproj:
902         * dfg/DFGOperations.cpp:
903         * heap/ConservativeRoots.cpp:
904         (JSC::ConservativeRoots::genericAddPointer):
905         * heap/CopiedAllocator.h: Removed.
906         * heap/CopiedBlock.cpp: Removed.
907         * heap/CopiedBlock.h: Removed.
908         * heap/CopiedBlockInlines.h: Removed.
909         * heap/CopiedSpace.cpp: Removed.
910         * heap/CopiedSpace.h: Removed.
911         * heap/CopiedSpaceInlines.h: Removed.
912         * heap/CopyBarrier.h: Removed.
913         * heap/CopyToken.h: Removed.
914         * heap/CopyVisitor.cpp: Removed.
915         * heap/CopyVisitor.h: Removed.
916         * heap/CopyVisitorInlines.h: Removed.
917         * heap/CopyWorkList.h: Removed.
918         * heap/Heap.cpp:
919         (JSC::Heap::Heap):
920         (JSC::Heap::isPagedOut):
921         (JSC::Heap::updateObjectCounts):
922         (JSC::Heap::size):
923         (JSC::Heap::capacity):
924         (JSC::Heap::collectImpl):
925         (JSC::Heap::stopAllocation):
926         (JSC::Heap::updateAllocationLimits):
927         (JSC::Heap::copyBackingStores): Deleted.
928         (JSC::Heap::threadBytesCopied): Deleted.
929         * heap/Heap.h:
930         (JSC::Heap::objectSpace):
931         (JSC::Heap::allocatorForAuxiliaryData):
932         (JSC::Heap::storageSpace): Deleted.
933         (JSC::Heap::storageAllocator): Deleted.
934         * heap/HeapCellInlines.h:
935         * heap/HeapInlines.h:
936         (JSC::Heap::tryAllocateStorage): Deleted.
937         (JSC::Heap::tryReallocateStorage): Deleted.
938         * heap/HeapVerifier.cpp:
939         (JSC::HeapVerifier::verifyButterflyIsInStorageSpace):
940         (JSC::HeapVerifier::reportObject):
941         (JSC::getButterflyDetails): Deleted.
942         * heap/SlotVisitor.cpp:
943         (JSC::SlotVisitor::copyLater): Deleted.
944         * heap/SlotVisitor.h:
945         * jit/AssemblyHelpers.h:
946         * jit/JITOpcodes.cpp:
947         * jsc.cpp:
948         * runtime/ArrayConstructor.cpp:
949         * runtime/ArrayPrototype.cpp:
950         * runtime/Butterfly.h:
951         * runtime/ButterflyInlines.h:
952         (JSC::Butterfly::createUninitializedDuringCollection): Deleted.
953         * runtime/ClassInfo.h:
954         * runtime/DirectArguments.cpp:
955         (JSC::DirectArguments::visitChildren):
956         (JSC::DirectArguments::overrideThings):
957         (JSC::DirectArguments::copyBackingStore): Deleted.
958         * runtime/DirectArguments.h:
959         * runtime/JSArray.cpp:
960         * runtime/JSCell.cpp:
961         (JSC::JSCell::copyBackingStore): Deleted.
962         * runtime/JSCell.h:
963         * runtime/JSLexicalEnvironment.h:
964         * runtime/JSObject.cpp:
965         * runtime/JSTypedArrays.cpp:
966         * runtime/LiteralParser.cpp:
967         * runtime/ObjectConstructor.cpp:
968         * runtime/RegExpObject.cpp:
969         * runtime/StringPrototype.cpp:
970         * runtime/WeakMapData.cpp:
971         * tools/JSDollarVMPrototype.cpp:
972         (JSC::JSDollarVMPrototype::isInStorageSpace):
973
974 2016-09-08  Filip Pizlo  <fpizlo@apple.com>
975
976         Heap version should be 32-bit
977         https://bugs.webkit.org/show_bug.cgi?id=161751
978
979         Reviewed by Mark Lam.
980         
981         32-bit devices are probably getting hurt by the 64-bit version number. The reason why I made
982         it 64-bit initially is so that I wouldn't have to worry about wrap-around. But wrap-around is
983         easy to handle.
984
985         * heap/CellContainer.h:
986         * heap/CellContainerInlines.h:
987         (JSC::CellContainer::flipIfNecessary):
988         * heap/ConservativeRoots.cpp:
989         (JSC::ConservativeRoots::genericAddPointer):
990         (JSC::ConservativeRoots::genericAddSpan):
991         * heap/ConservativeRoots.h:
992         * heap/Heap.h:
993         * heap/HeapInlines.h:
994         (JSC::Heap::testAndSetMarked):
995         * heap/HeapUtil.h:
996         (JSC::HeapUtil::findGCObjectPointersForMarking):
997         * heap/MarkedBlock.cpp:
998         (JSC::MarkedBlock::MarkedBlock):
999         * heap/MarkedBlock.h:
1000         (JSC::MarkedBlock::flipIfNecessary):
1001         (JSC::MarkedBlock::flipIfNecessaryConcurrently):
1002         (JSC::MarkedBlock::Handle::flipIfNecessary):
1003         (JSC::MarkedBlock::Handle::flipIfNecessaryConcurrently):
1004         * heap/MarkedSpace.cpp:
1005         (JSC::MarkedSpace::flip):
1006         * heap/MarkedSpace.h:
1007         (JSC::MarkedSpace::version):
1008         * heap/SlotVisitor.cpp:
1009         (JSC::SlotVisitor::SlotVisitor):
1010         * heap/SlotVisitor.h:
1011
1012 2016-09-08  Mark Lam  <mark.lam@apple.com>
1013
1014         Add support for a ternary sub32 emitter for ARM64 and 32-bit ARM.
1015         https://bugs.webkit.org/show_bug.cgi?id=161724
1016
1017         Reviewed by Filip Pizlo.
1018
1019         ARM architectures support ternary sub instructions.  We should make use of them
1020         in emitAllocateWithNonNullAllocator().
1021
1022         * assembler/MacroAssemblerARM.h:
1023         (JSC::MacroAssemblerARM::sub32):
1024         * assembler/MacroAssemblerARM64.h:
1025         (JSC::MacroAssemblerARM64::sub32):
1026         * assembler/MacroAssemblerARMv7.h:
1027         (JSC::MacroAssemblerARMv7::sub32):
1028         * assembler/MacroAssemblerSH4.h:
1029         (JSC::MacroAssemblerSH4::sub32):
1030         * assembler/MacroAssemblerX86Common.h:
1031         (JSC::MacroAssemblerX86Common::sub32):
1032         * b3/air/AirOpcode.opcodes:
1033         * b3/testb3.cpp:
1034         (JSC::B3::testTernarySubInstructionSelection):
1035         (JSC::B3::run):
1036         * jit/AssemblyHelpers.h:
1037         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
1038
1039 2016-09-08  Filip Pizlo  <fpizlo@apple.com>
1040
1041         Move JSMap/JSSet over to Auxiliary MarkedSpace
1042         https://bugs.webkit.org/show_bug.cgi?id=161744
1043
1044         Reviewed by Saam Barati.
1045         
1046         This moves the buffer out of CopiedSpace and into Auxiliary MarkedSpace.
1047         
1048         Also removes MapData.h/MapDataInlines.h since they are not used anywhere, but they still
1049         speak of CopiedSpace.
1050         
1051         This is a purely mechanical change.
1052
1053         * JavaScriptCore.xcodeproj/project.pbxproj:
1054         * heap/CopyToken.h:
1055         * runtime/HashMapImpl.cpp:
1056         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
1057         (JSC::HashMapImpl<HashMapBucket>::copyBackingStore): Deleted.
1058         * runtime/HashMapImpl.h:
1059         (JSC::HashMapBuffer::create):
1060         * runtime/JSMapIterator.cpp:
1061         * runtime/JSMapIterator.h:
1062         * runtime/JSSetIterator.cpp:
1063         * runtime/JSSetIterator.h:
1064         * runtime/MapBase.cpp:
1065         * runtime/MapData.h: Removed.
1066         * runtime/MapDataInlines.h: Removed.
1067         * runtime/MapPrototype.cpp:
1068         * runtime/SetConstructor.cpp:
1069         * runtime/SetPrototype.cpp:
1070         * runtime/VM.cpp:
1071
1072 2016-09-06  Filip Pizlo  <fpizlo@apple.com>
1073
1074         Typed arrays should use MarkedSpace instead of CopiedSpace
1075         https://bugs.webkit.org/show_bug.cgi?id=161100
1076
1077         Reviewed by Geoffrey Garen.
1078         
1079         This moves typed array backing stores out of CopiedSpace and into Auxiliary MarkedSpace.
1080         
1081         This is a purely mechanical change since Auxiliary MarkedSpace already knows how to do
1082         everything that typed arrays want.
1083
1084         * dfg/DFGOperations.cpp:
1085         (JSC::DFG::newTypedArrayWithSize):
1086         * dfg/DFGOperations.h:
1087         (JSC::DFG::operationNewTypedArrayWithSizeForType):
1088         * dfg/DFGSpeculativeJIT.cpp:
1089         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
1090         * dfg/DFGSpeculativeJIT.h:
1091         (JSC::DFG::SpeculativeJIT::callOperation):
1092         (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage): Deleted.
1093         * ftl/FTLLowerDFGToB3.cpp:
1094         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
1095         (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
1096         (JSC::FTL::DFG::LowerDFGToB3::splatWords):
1097         (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorageAndGetEnd): Deleted.
1098         (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorage): Deleted.
1099         * heap/CopyToken.h:
1100         * heap/SlotVisitor.cpp:
1101         (JSC::SlotVisitor::markAuxiliary):
1102         * jit/JITOperations.h:
1103         * runtime/JSArrayBufferView.cpp:
1104         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
1105         (JSC::JSArrayBufferView::JSArrayBufferView):
1106         * runtime/JSArrayBufferView.h:
1107         * runtime/JSGenericTypedArrayView.h:
1108         * runtime/JSGenericTypedArrayViewInlines.h:
1109         (JSC::JSGenericTypedArrayView<Adaptor>::createWithFastVector):
1110         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
1111         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
1112         (JSC::JSGenericTypedArrayView<Adaptor>::copyBackingStore): Deleted.
1113
1114 2016-09-08  Per Arne Vollan  <pvollan@apple.com>
1115
1116         [Win64] Compile fixes.
1117         https://bugs.webkit.org/show_bug.cgi?id=161682
1118
1119         Reviewed by Brent Fulgham.
1120
1121         * dfg/DFGSpeculativeJIT64.cpp:
1122         (JSC::DFG::SpeculativeJIT::emitCall):
1123         * jit/JITCall.cpp:
1124         (JSC::JIT::compileOpCall):
1125         * runtime/ArrayConventions.cpp:
1126         (JSC::clearArrayMemset):
1127
1128 2016-09-08  Per Arne Vollan  <pvollan@apple.com>
1129
1130         [Win] Exception fuzz tests fail
1131         https://bugs.webkit.org/show_bug.cgi?id=140928
1132
1133         Reviewed by Mark Lam.
1134
1135         Flush stdout when throwing the exception to make sure the output comes before output in the exception handler.
1136         The tests depend on the output to stdout being written in the correct order.
1137
1138         * runtime/ExceptionFuzz.cpp:
1139         (JSC::doExceptionFuzzing):
1140
1141 2016-09-07  Simon Fraser  <simon.fraser@apple.com>
1142
1143         Enable the <meter> element on iOS
1144         https://bugs.webkit.org/show_bug.cgi?id=161714
1145         rdar://problem/8978410
1146
1147         Reviewed by Tim Horton.
1148
1149         Define ENABLE_METER_ELEMENT unconditionally now.
1150
1151         * Configurations/FeatureDefines.xcconfig:
1152
1153 2016-09-07  Joseph Pecoraro  <pecoraro@apple.com>
1154
1155         Modernize Debugger to use nullptr
1156         https://bugs.webkit.org/show_bug.cgi?id=161718
1157
1158         Reviewed by Mark Lam.
1159
1160         * debugger/Debugger.cpp:
1161         (JSC::Debugger::Debugger):
1162         (JSC::Debugger::~Debugger):
1163         (JSC::Debugger::detach):
1164         (JSC::Debugger::stepOutOfFunction):
1165         (JSC::Debugger::updateCallFrameAndPauseIfNeeded):
1166         * debugger/Debugger.h:
1167
1168 2016-09-07  Joseph Pecoraro  <pecoraro@apple.com>
1169
1170         Web Inspector: Remove always false case in Debugger
1171         https://bugs.webkit.org/show_bug.cgi?id=161717
1172
1173         Reviewed by Brian Burg.
1174
1175         * debugger/Debugger.cpp:
1176         (JSC::Debugger::didExecuteProgram):
1177         We would have earlier returned a few statements ago if this case was true.
1178         And we would have crashed in the previous statement if this case was true.
1179
1180 2016-09-07  Yusuke Suzuki  <utatane.tea@gmail.com>
1181
1182         Unreviewed, build fix after r205569
1183
1184         Tweak CMakeLists.txt
1185
1186         * CMakeLists.txt:
1187
1188 2016-09-07  Mark Lam  <mark.lam@apple.com>
1189
1190         Add CatchScope and force all exception checks to be via ThrowScope or CatchScope.
1191         https://bugs.webkit.org/show_bug.cgi?id=161498
1192
1193         Reviewed by Geoffrey Garen.
1194
1195         This patch refactors the ThrowScope class, and introduces a base ExceptionScope
1196         that ThrowScope extends.  A CatchScope which extends the ExceptionScope is also
1197         introduced.
1198
1199         ENABLE(THROW_SCOPE_VERIFICATION) is now renamed to ENABLE(EXCEPTION_SCOPE_VERIFICATION)
1200         which is a more suitable name now.
1201
1202         Note: exception scope verification is still disabled by default.  There are still
1203         many places that need to be fixed up or re-expressed in a way that is friendly
1204         to the verification.  I'll address those in subsequent patches.
1205
1206         After this patch, the code will statically enforce that:
1207         1. all calls to throwException() go through a ThrowScope.
1208         2. all calls to clearException() go through a CatchScope.
1209         3. all exception checks go through an ExceptionScope in the form of a ThrowScope
1210            or CatchScope.
1211
1212         A Summary of how to use ExceptionScopes
1213         =======================================
1214         1. If a function can throw a JS exception, it should declare a ThrowScope at the
1215            top of the function (as early as possible).
1216
1217         2. If a function can clear JS exceptions, it should declare a CatchScope at the
1218            top of the function (as early as possible).
1219
1220         Declaring a ThrowScope in a function means that the function may throw an exception
1221         that its caller will have to handle.  Declaring a CatchScope in a function means
1222         that the function intends to clear pending exceptions before returning to its
1223         caller. 
1224
1225         For more details, see the notes below.
1226         
1227         Everything you may want to know about ExceptionScopes
1228         =====================================================
1229         ExceptionScope verification works to simulate exception throws and detect cases
1230         where exception checks are missing.  The notes below will cover:
1231
1232             1. The VM::m_needExceptionCheck bit
1233             2. ThrowScopes and CatchScopes
1234             3. Verification of needed exception checks
1235             3. Checking Exceptions
1236             4. Simulating throws
1237             5. Using ThrowScope::release()
1238             6. Checking exceptions with ThrowScope::exception() / CatchScope::exception()
1239             7. Checking exceptions by checking callee results
1240             8. Debugging verification errors
1241
1242         1. The VM::m_needExceptionCheck bit
1243
1244            The VM has a m_needExceptionCheck bit that indicates when an exception may be
1245            thrown.  You can think of the m_needExceptionCheck bit being set as a simulated
1246            throw.
1247
1248         2. ThrowScopes and CatchScopes
1249
1250            Only ThrowScopes may throwException.  Only CatchScopes may catchException.
1251
1252            Every throw site must declare a ThrowScope instance using DECLARE_THROW_SCOPE
1253            at the top of its function (as early as possible) e.g.
1254  
1255                 void foo(...)
1256                 {
1257                     auto scope = DECLARE_THROW_SCOPE(vm);
1258                     ...
1259                     throwException(exec, scope, ...);
1260                 }
1261
1262            Note: by convention, every throw helper function must take a ThrowScope argument
1263            instead of instantiating its own ThrowScope.  This allows the throw to be
1264            attributed to the client code rather than the throw helper itself.
1265
1266            Every catch site (i.e. a site that calls clearException()) must declare a
1267            CatchScope instance using DECLARE_CATCH_SCOPE at the top of its function.
1268
1269            If a function can both throw or clear exceptions, then the ThrowScope should
1270            be declared first so that it can simulate a throw to the function's caller.
1271
1272            Note: ThrowScope and CatchScope both extend ExceptionScope so that ThrowScopes
1273            can be aware if there's an enclosing CatchScope between it and the point where
1274            C++ code returns to JS code.  This is needed to determine if the ThrowScope
1275            should simulate a re-throw or not.  See (4) below for more details on returning
1276            to JS code.
1277
1278         3. Verification of needed exception checks
1279
1280            a. On construction, each ThrowScope and CatchScope will verify that
1281               VM::m_needExceptionCheck is not set.
1282  
1283               This ensures that the caller of the current function has checked for exceptions
1284               where needed before doing more work which lead to calling the current function.
1285
1286            b. On destruction, each ThrowScope and CatchScope will verify that
1287               VM::m_needExceptionCheck is not set. This verification will be skipped if
1288               the ThrowScope has been released (see (5) below).
1289
1290               This ensures that the function that owns this exception scope is not missing
1291               any exception checks before returning.
1292
1293            c. When throwing an exception, the ThrowScope will verify that VM::m_needExceptionCheck
1294               is not already set, unless it's been ask to rethrow the same Exception object.
1295
1296         4. Simulating throws
1297
1298            Throws are simulated by setting the m_needExceptionCheck bit.
1299
1300            The bit will only be set in the ThrowScope destructor except when the ThrowScope
1301            detects the caller is a LLInt or JIT function.  LLInt or JIT functions will always
1302            check for exceptions after a host C++ function returns to it.  However, they will
1303            not clear the m_needExceptionCheck bit.
1304
1305            Hence, if the ThrowScope destructor detects the caller is a LLInt or JIT function,
1306            it will just skip the setting of the bit.
1307
1308            Note: it is not needed nor correct to set the m_needExceptionCheck bit in the
1309            throwException methods.  This is because, in practice, we always return
1310            immediately after throwing an exception.  It doesn't make sense to set the bit in
1311            the throw just to have to clear it immediately after before we do verification in
1312            the ThrowScope destructor.
1313
1314         5. Using ThrowScope::release()
1315
1316            Calling release() means that the scope is released from its obligation to
1317            verify the VM::m_needExceptionCheck bit on destruction.
1318
1319            release() should only be used at the bottom of a function if:
1320
1321            a. This function is going to let its caller check and handle the exception, e.g.
1322
1323                 void foo(...)
1324                 {
1325                     auto scope = DECLARE_THROW_SCOPE(vm);
1326                     auto result = goo(); // may throw.
1327
1328                     ... // Code that will are not affected by a pending exceptions.
1329
1330                     scope.release(); // tell the ThrowScope that the caller will handle the exception.
1331                     return result;
1332                 }
1333
1334            b. This function is going to do a tail call that may throw.
1335
1336                 void foo(...)
1337                 {
1338                     auto scope = DECLARE_THROW_SCOPE(vm);
1339                     ...
1340                     scope.release(); // tell the ThrowScope that the caller will handle the exception.
1341                     return goo(); // may throw.
1342                 }
1343
1344               release() should not be used in code paths that branch. For example:
1345
1346                 void foo(...)
1347                 {
1348                     auto scope = DECLARE_THROW_SCOPE(vm);
1349
1350                     auto result = goo1(); // may throw.
1351                     scope.release(); // WRONG !!! Don't do this.
1352                     if (result)
1353                         return;
1354
1355                     result = goo2(); // may throw.
1356                     ...
1357                     return result;
1358                 }
1359
1360             The above will result in a verification error in goo2()'s ThrowScope.  The
1361             proper way to fix this verification is to do either (6) or (7) below.
1362
1363          6. Checking exceptions with ThrowScope::exception() / CatchScope::exception()
1364
1365             ThrowScope/CatchScope::exception() returns the thrown Exception object if
1366             there is one pending.  Else, it returns nullptr.
1367
1368             It also clears the m_needExceptionCheck bit thereby indicating that we've
1369             satisfied the needed exception check.  For example,
1370
1371                 void foo(...)
1372                 {
1373                     auto scope = DECLARE_THROW_SCOPE(vm);
1374
1375                     auto result = goo1(); // may throw.
1376                     if (scope.exception())
1377                         return;
1378
1379                     result = goo2(); // may throw.
1380                     ...
1381                     return result;
1382                 }
1383
1384             But sometimes, for optimization reasons, we may choose to test the result of
1385             the callee function instead doing a load of the VM exception value.  See (7)
1386             below.
1387
1388          7. Checking exceptions by checking callee results
1389
1390             This approach should only be applied when it makes a difference to performance.
1391             If we need to do this, we should add an ASSERT() that invokes the scope's
1392             exception() method to verify the result.  Since exception scope verification
1393             is only done on DEBUG builds, this ASSERT will satisfy the verification
1394             requirements without impacting performance.  For example,
1395
1396                 void foo(...)
1397                 {
1398                     auto scope = DECLARE_THROW_SCOPE(vm);
1399
1400                     bool failed = goo1(); // may throw.
1401                     ASSERT(!!scope.exception() == failed)
1402                     if (failed)
1403                         return;
1404
1405                     result = goo2(); // may throw.
1406                     ...
1407                     return result;
1408                 }
1409
1410          8. Debugging verification errors
1411
1412             a. When verification fails, you will see a message followed by an assertion
1413                failure.  For example:
1414
1415             ERROR: Unchecked JS exception:
1416                 This scope can throw a JS exception: setUpCall @ /Volumes/Data/ws6/OpenSource/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1245
1417                     (ExceptionScope::m_recursionDepth was ...)
1418                 But the exception was unchecked as of this scope: varargsSetup @ /Volumes/Data/ws6/OpenSource/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1398
1419                     (ExceptionScope::m_recursionDepth was ...)
1420                 [ backtrace here ]
1421
1422                The message tells you that failure was detected at in varargsSetup() at
1423                LLIntSlowPaths.cpp line 1398, and that the missing exception check should
1424                have happened somewhere between the call to setUpCall() at LLIntSlowPaths.cpp
1425                line 1245 and it.
1426
1427                If that is insufficient information, you can ...
1428
1429             b. Dump simulated throws
1430
1431                Re-run the test case with JSC_dumpSimulatedThrows=true.  You will also see
1432                back traces at each simulated throw.
1433
1434             c. Narrowing down the source of a simulated throw
1435
1436                Another technique for narrowing down the source of simulated throws is by
1437                further dividing a function to smaller regions by separating each region
1438                with additional local throw scopes.  For example,
1439
1440                 ... // Region 1
1441                 { auto scope = DECLARE_THROW_SCOPE(vm); }
1442                 ... // Region 2
1443                 { auto scope = DECLARE_THROW_SCOPE(vm); }
1444                 ... // Region 3
1445
1446         * API/APIUtils.h:
1447         (handleExceptionIfNeeded):
1448         * CMakeLists.txt:
1449         * JavaScriptCore.xcodeproj/project.pbxproj:
1450         * bindings/ScriptFunctionCall.cpp:
1451         (Deprecated::ScriptFunctionCall::call):
1452         * bindings/ScriptValue.cpp:
1453         (Deprecated::ScriptValue::toString):
1454         * debugger/Debugger.cpp:
1455         (JSC::Debugger::pauseIfNeeded):
1456         * debugger/DebuggerCallFrame.cpp:
1457         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
1458         * dfg/DFGOSRExitCompiler.cpp:
1459         * dfg/DFGOperations.cpp:
1460         (JSC::DFG::operationPutByValInternal):
1461         * inspector/InjectedScriptManager.cpp:
1462         (Inspector::InjectedScriptManager::createInjectedScript):
1463         * inspector/JSGlobalObjectInspectorController.cpp:
1464         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
1465         * inspector/JSInjectedScriptHost.cpp:
1466         (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
1467         (Inspector::JSInjectedScriptHost::getInternalProperties):
1468         (Inspector::JSInjectedScriptHost::weakMapEntries):
1469         (Inspector::JSInjectedScriptHost::weakSetEntries):
1470         (Inspector::JSInjectedScriptHost::iteratorEntries):
1471         * inspector/JSJavaScriptCallFrame.cpp:
1472         (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
1473         * inspector/ScriptCallStackFactory.cpp:
1474         (Inspector::extractSourceInformationFromException):
1475         * interpreter/CachedCall.h:
1476         (JSC::CachedCall::CachedCall):
1477         * interpreter/CallFrame.h:
1478         (JSC::ExecState::clearException): Deleted.
1479         (JSC::ExecState::exception): Deleted.
1480         (JSC::ExecState::hadException): Deleted.
1481         (JSC::ExecState::lastException): Deleted.
1482         (JSC::ExecState::clearLastException): Deleted.
1483         * interpreter/Interpreter.cpp:
1484         (JSC::eval):
1485         (JSC::sizeOfVarargs):
1486         (JSC::notifyDebuggerOfUnwinding):
1487         (JSC::Interpreter::unwind):
1488         (JSC::Interpreter::execute):
1489         (JSC::Interpreter::executeCall):
1490         (JSC::Interpreter::executeConstruct):
1491         (JSC::Interpreter::prepareForRepeatCall):
1492         (JSC::Interpreter::debug):
1493         * interpreter/Interpreter.h:
1494         (JSC::SuspendExceptionScope::SuspendExceptionScope):
1495         * interpreter/ShadowChicken.cpp:
1496         (JSC::ShadowChicken::functionsOnStack):
1497         * jit/JITCode.cpp:
1498         (JSC::JITCode::execute):
1499         * jit/JITExceptions.cpp:
1500         (JSC::genericUnwind):
1501         * jit/JITOperations.cpp:
1502         (JSC::getByVal):
1503         * jsc.cpp:
1504         (WTF::ImpureGetter::getOwnPropertySlot):
1505         (GlobalObject::moduleLoaderResolve):
1506         (GlobalObject::moduleLoaderFetch):
1507         (functionCreateElement):
1508         (functionRun):
1509         (functionRunString):
1510         (functionLoad):
1511         (functionLoadString):
1512         (functionReadFile):
1513         (functionCheckSyntax):
1514         (functionSetRandomSeed):
1515         (functionLoadModule):
1516         (functionCreateBuiltin):
1517         (functionCheckModuleSyntax):
1518         (functionGenerateHeapSnapshot):
1519         (functionSamplingProfilerStackTraces):
1520         (dumpException):
1521         (checkUncaughtException):
1522         (runWithScripts):
1523         (runInteractive):
1524         * llint/LLIntExceptions.cpp:
1525         (JSC::LLInt::returnToThrow):
1526         (JSC::LLInt::callToThrow):
1527         * llint/LLIntSlowPaths.cpp:
1528         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1529         * profiler/ProfilerBytecodeSequence.cpp:
1530         (JSC::Profiler::BytecodeSequence::addSequenceProperties):
1531         * profiler/ProfilerCompilation.cpp:
1532         (JSC::Profiler::Compilation::toJS):
1533         * profiler/ProfilerDatabase.cpp:
1534         (JSC::Profiler::Database::toJS):
1535         * profiler/ProfilerOSRExitSite.cpp:
1536         (JSC::Profiler::OSRExitSite::toJS):
1537         * profiler/ProfilerOriginStack.cpp:
1538         (JSC::Profiler::OriginStack::toJS):
1539         * runtime/ArrayPrototype.cpp:
1540         (JSC::speciesConstructArray):
1541         (JSC::shift):
1542         (JSC::unshift):
1543         (JSC::arrayProtoFuncToString):
1544         (JSC::arrayProtoFuncToLocaleString):
1545         (JSC::slowJoin):
1546         (JSC::fastJoin):
1547         (JSC::arrayProtoFuncJoin):
1548         (JSC::arrayProtoFuncPop):
1549         (JSC::arrayProtoFuncPush):
1550         (JSC::arrayProtoFuncReverse):
1551         (JSC::arrayProtoFuncShift):
1552         (JSC::arrayProtoFuncSlice):
1553         (JSC::arrayProtoFuncSplice):
1554         (JSC::arrayProtoFuncUnShift):
1555         (JSC::arrayProtoFuncIndexOf):
1556         (JSC::arrayProtoFuncLastIndexOf):
1557         (JSC::moveElements):
1558         (JSC::concatAppendOne):
1559         (JSC::arrayProtoPrivateFuncConcatMemcpy):
1560         * runtime/BooleanConstructor.cpp:
1561         (JSC::constructWithBooleanConstructor):
1562         * runtime/CallData.cpp:
1563         (JSC::call):
1564         * runtime/CatchScope.cpp: Added.
1565         (JSC::CatchScope::CatchScope):
1566         (JSC::CatchScope::~CatchScope):
1567         * runtime/CatchScope.h: Added.
1568         (JSC::CatchScope::clearException):
1569         (JSC::CatchScope::CatchScope):
1570         * runtime/CommonSlowPaths.cpp:
1571         (JSC::SLOW_PATH_DECL):
1572         * runtime/CommonSlowPaths.h:
1573         (JSC::CommonSlowPaths::opIn):
1574         * runtime/CommonSlowPathsExceptions.cpp:
1575         (JSC::CommonSlowPaths::interpreterThrowInCaller):
1576         * runtime/Completion.cpp:
1577         (JSC::evaluate):
1578         (JSC::rejectPromise):
1579         (JSC::loadAndEvaluateModule):
1580         (JSC::loadModule):
1581         * runtime/ConsoleObject.cpp:
1582         (JSC::consoleProtoFuncAssert):
1583         (JSC::consoleProtoFuncProfile):
1584         (JSC::consoleProtoFuncProfileEnd):
1585         (JSC::consoleProtoFuncTakeHeapSnapshot):
1586         (JSC::consoleProtoFuncTime):
1587         (JSC::consoleProtoFuncTimeEnd):
1588         * runtime/DateConstructor.cpp:
1589         (JSC::constructDate):
1590         (JSC::dateParse):
1591         * runtime/DatePrototype.cpp:
1592         (JSC::dateProtoFuncToPrimitiveSymbol):
1593         (JSC::dateProtoFuncToJSON):
1594         * runtime/ErrorConstructor.cpp:
1595         (JSC::Interpreter::constructWithErrorConstructor):
1596         * runtime/ErrorInstance.cpp:
1597         (JSC::ErrorInstance::sanitizedToString):
1598         * runtime/ErrorPrototype.cpp:
1599         (JSC::errorProtoFuncToString):
1600         * runtime/ExceptionEventLocation.cpp: Added.
1601         (WTF::printInternal):
1602         * runtime/ExceptionEventLocation.h: Copied from Source/JavaScriptCore/runtime/ThrowScopeLocation.h.
1603         (JSC::ExceptionEventLocation::ExceptionEventLocation):
1604         (JSC::ThrowScopeLocation::ThrowScopeLocation): Deleted.
1605         * runtime/ExceptionHelpers.h:
1606         * runtime/ExceptionScope.cpp: Added.
1607         (JSC::ExceptionScope::ExceptionScope):
1608         (JSC::ExceptionScope::~ExceptionScope):
1609         * runtime/ExceptionScope.h: Added.
1610         (JSC::ExceptionScope::vm):
1611         (JSC::ExceptionScope::recursionDepth):
1612         (JSC::ExceptionScope::exception):
1613         (JSC::ExceptionScope::ExceptionScope):
1614         * runtime/FunctionConstructor.cpp:
1615         (JSC::constructFunctionSkippingEvalEnabledCheck):
1616         * runtime/FunctionPrototype.cpp:
1617         (JSC::functionProtoFuncBind):
1618         * runtime/GenericArgumentsInlines.h:
1619         (JSC::GenericArguments<Type>::copyToArguments):
1620         * runtime/GetterSetter.cpp:
1621         (JSC::callGetter):
1622         * runtime/InspectorInstrumentationObject.cpp:
1623         (JSC::inspectorInstrumentationObjectLog):
1624         * runtime/InternalFunction.cpp:
1625         (JSC::InternalFunction::createSubclassStructure):
1626         * runtime/IntlCollator.cpp:
1627         (JSC::IntlCollator::initializeCollator):
1628         (JSC::IntlCollator::createCollator):
1629         (JSC::IntlCollator::resolvedOptions):
1630         * runtime/IntlCollatorConstructor.cpp:
1631         (JSC::constructIntlCollator):
1632         (JSC::IntlCollatorConstructorFuncSupportedLocalesOf):
1633         * runtime/IntlCollatorPrototype.cpp:
1634         (JSC::IntlCollatorFuncCompare):
1635         (JSC::IntlCollatorPrototypeGetterCompare):
1636         * runtime/IntlDateTimeFormat.cpp:
1637         (JSC::toDateTimeOptionsAnyDate):
1638         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
1639         (JSC::IntlDateTimeFormat::resolvedOptions):
1640         (JSC::IntlDateTimeFormat::format):
1641         * runtime/IntlDateTimeFormatConstructor.cpp:
1642         (JSC::constructIntlDateTimeFormat):
1643         (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf):
1644         * runtime/IntlDateTimeFormatPrototype.cpp:
1645         (JSC::IntlDateTimeFormatFuncFormatDateTime):
1646         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
1647         * runtime/IntlNumberFormat.cpp:
1648         (JSC::IntlNumberFormat::initializeNumberFormat):
1649         (JSC::IntlNumberFormat::createNumberFormat):
1650         (JSC::IntlNumberFormat::resolvedOptions):
1651         * runtime/IntlNumberFormatConstructor.cpp:
1652         (JSC::constructIntlNumberFormat):
1653         (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf):
1654         * runtime/IntlNumberFormatPrototype.cpp:
1655         (JSC::IntlNumberFormatFuncFormatNumber):
1656         (JSC::IntlNumberFormatPrototypeGetterFormat):
1657         * runtime/IntlObject.cpp:
1658         (JSC::intlBooleanOption):
1659         (JSC::intlStringOption):
1660         (JSC::intlNumberOption):
1661         (JSC::canonicalizeLocaleList):
1662         (JSC::supportedLocales):
1663         * runtime/IntlObjectInlines.h:
1664         (JSC::constructIntlInstanceWithWorkaroundForLegacyIntlConstructor):
1665         * runtime/IteratorOperations.cpp:
1666         (JSC::iteratorNext):
1667         (JSC::iteratorStep):
1668         (JSC::iteratorClose):
1669         (JSC::iteratorForIterable):
1670         * runtime/IteratorOperations.h:
1671         (JSC::forEachInIterable):
1672         * runtime/JSArray.cpp:
1673         (JSC::JSArray::pop):
1674         (JSC::JSArray::push):
1675         (JSC::JSArray::copyToArguments):
1676         * runtime/JSArrayBufferConstructor.cpp:
1677         (JSC::constructArrayBuffer):
1678         * runtime/JSArrayBufferPrototype.cpp:
1679         (JSC::arrayBufferProtoFuncSlice):
1680         * runtime/JSArrayInlines.h:
1681         (JSC::getLength):
1682         (JSC::toLength):
1683         * runtime/JSBoundFunction.cpp:
1684         (JSC::getBoundFunctionStructure):
1685         (JSC::JSBoundFunction::create):
1686         * runtime/JSCJSValue.cpp:
1687         (JSC::JSValue::putToPrimitive):
1688         (JSC::JSValue::putToPrimitiveByIndex):
1689         (JSC::JSValue::toStringSlowCase):
1690         * runtime/JSCJSValueInlines.h:
1691         (JSC::toPreferredPrimitiveType):
1692         (JSC::JSValue::getPropertySlot):
1693         (JSC::JSValue::equalSlowCaseInline):
1694         * runtime/JSDataViewPrototype.cpp:
1695         (JSC::getData):
1696         (JSC::setData):
1697         * runtime/JSFunction.cpp:
1698         (JSC::JSFunction::setFunctionName):
1699         * runtime/JSGenericTypedArrayView.h:
1700         (JSC::JSGenericTypedArrayView::setIndex):
1701         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1702         (JSC::constructGenericTypedArrayViewFromIterator):
1703         (JSC::constructGenericTypedArrayViewWithArguments):
1704         (JSC::constructGenericTypedArrayView):
1705         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1706         (JSC::speciesConstruct):
1707         (JSC::genericTypedArrayViewProtoFuncCopyWithin):
1708         (JSC::genericTypedArrayViewProtoFuncIncludes):
1709         (JSC::genericTypedArrayViewProtoFuncIndexOf):
1710         (JSC::genericTypedArrayViewProtoFuncJoin):
1711         (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
1712         (JSC::genericTypedArrayViewProtoFuncSlice):
1713         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
1714         * runtime/JSGlobalObject.h:
1715         (JSC::constructEmptyArray):
1716         (JSC::constructArray):
1717         (JSC::constructArrayNegativeIndexed):
1718         * runtime/JSGlobalObjectFunctions.cpp:
1719         (JSC::globalFuncEval):
1720         * runtime/JSJob.cpp:
1721         (JSC::JSJobMicrotask::run):
1722         * runtime/JSModuleEnvironment.cpp:
1723         (JSC::JSModuleEnvironment::getOwnPropertySlot):
1724         * runtime/JSModuleLoader.cpp:
1725         (JSC::JSModuleLoader::fetch):
1726         * runtime/JSModuleNamespaceObject.cpp:
1727         (JSC::JSModuleNamespaceObject::finishCreation):
1728         (JSC::JSModuleNamespaceObject::getOwnPropertySlot):
1729         * runtime/JSModuleRecord.cpp:
1730         (JSC::JSModuleRecord::instantiateDeclarations):
1731         * runtime/JSONObject.cpp:
1732         (JSC::Stringifier::Stringifier):
1733         (JSC::Stringifier::stringify):
1734         (JSC::Stringifier::toJSON):
1735         (JSC::Stringifier::appendStringifiedValue):
1736         (JSC::Stringifier::Holder::appendNextProperty):
1737         (JSC::Walker::walk):
1738         (JSC::JSONProtoFuncParse):
1739         * runtime/JSObject.cpp:
1740         (JSC::ordinarySetSlow):
1741         (JSC::JSObject::setPrototypeWithCycleCheck):
1742         (JSC::callToPrimitiveFunction):
1743         (JSC::JSObject::ordinaryToPrimitive):
1744         (JSC::JSObject::defaultHasInstance):
1745         (JSC::JSObject::getPropertyNames):
1746         (JSC::JSObject::toNumber):
1747         (JSC::JSObject::toString):
1748         (JSC::JSObject::defineOwnNonIndexProperty):
1749         (JSC::JSObject::getGenericPropertyNames):
1750         (JSC::JSObject::getMethod):
1751         * runtime/JSObjectInlines.h:
1752         (JSC::createListFromArrayLike):
1753         (JSC::JSObject::getPropertySlot):
1754         (JSC::JSObject::getNonIndexPropertySlot):
1755         * runtime/JSPromiseConstructor.cpp:
1756         (JSC::constructPromise):
1757         * runtime/JSPropertyNameEnumerator.h:
1758         (JSC::propertyNameEnumerator):
1759         * runtime/JSPropertyNameIterator.cpp:
1760         (JSC::JSPropertyNameIterator::create):
1761         * runtime/JSScope.cpp:
1762         (JSC::isUnscopable):
1763         (JSC::JSScope::resolve):
1764         * runtime/JSString.cpp:
1765         (JSC::JSString::equalSlowCase):
1766         * runtime/JSStringJoiner.cpp:
1767         (JSC::JSStringJoiner::join):
1768         * runtime/LiteralParser.cpp:
1769         (JSC::LiteralParser<CharType>::parse):
1770         * runtime/MapConstructor.cpp:
1771         (JSC::constructMap):
1772         * runtime/MathObject.cpp:
1773         (JSC::mathProtoFuncClz32):
1774         (JSC::mathProtoFuncHypot):
1775         (JSC::mathProtoFuncIMul):
1776         * runtime/ModuleLoaderPrototype.cpp:
1777         (JSC::moduleLoaderPrototypeParseModule):
1778         (JSC::moduleLoaderPrototypeRequestedModules):
1779         (JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
1780         * runtime/NativeErrorConstructor.cpp:
1781         (JSC::Interpreter::constructWithNativeErrorConstructor):
1782         * runtime/NumberConstructor.cpp:
1783         (JSC::constructWithNumberConstructor):
1784         * runtime/ObjectConstructor.cpp:
1785         (JSC::constructObject):
1786         (JSC::objectConstructorGetPrototypeOf):
1787         (JSC::objectConstructorSetPrototypeOf):
1788         (JSC::objectConstructorGetOwnPropertyDescriptor):
1789         (JSC::objectConstructorGetOwnPropertyDescriptors):
1790         (JSC::objectConstructorGetOwnPropertyNames):
1791         (JSC::objectConstructorGetOwnPropertySymbols):
1792         (JSC::objectConstructorKeys):
1793         (JSC::ownEnumerablePropertyKeys):
1794         (JSC::toPropertyDescriptor):
1795         (JSC::objectConstructorDefineProperty):
1796         (JSC::defineProperties):
1797         (JSC::objectConstructorSeal):
1798         (JSC::objectConstructorFreeze):
1799         (JSC::objectConstructorIsSealed):
1800         (JSC::objectConstructorIsFrozen):
1801         (JSC::objectConstructorIsExtensible):
1802         (JSC::ownPropertyKeys):
1803         * runtime/ObjectConstructor.h:
1804         (JSC::constructObjectFromPropertyDescriptor):
1805         * runtime/ObjectPrototype.cpp:
1806         (JSC::objectProtoFuncHasOwnProperty):
1807         (JSC::objectProtoFuncIsPrototypeOf):
1808         (JSC::objectProtoFuncDefineGetter):
1809         (JSC::objectProtoFuncDefineSetter):
1810         (JSC::objectProtoFuncLookupGetter):
1811         (JSC::objectProtoFuncLookupSetter):
1812         (JSC::objectProtoFuncPropertyIsEnumerable):
1813         (JSC::objectProtoFuncToLocaleString):
1814         (JSC::objectProtoFuncToString):
1815         * runtime/Operations.cpp:
1816         (JSC::jsAddSlowCase):
1817         * runtime/Options.h:
1818         * runtime/PropertyDescriptor.cpp:
1819         (JSC::PropertyDescriptor::slowGetterSetter):
1820         * runtime/ProxyConstructor.cpp:
1821         (JSC::makeRevocableProxy):
1822         * runtime/ProxyObject.cpp:
1823         (JSC::ProxyObject::toStringName):
1824         (JSC::performProxyGet):
1825         (JSC::ProxyObject::performGet):
1826         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1827         (JSC::ProxyObject::performHasProperty):
1828         (JSC::ProxyObject::performPut):
1829         (JSC::ProxyObject::putByIndexCommon):
1830         (JSC::performProxyCall):
1831         (JSC::performProxyConstruct):
1832         (JSC::ProxyObject::performDelete):
1833         (JSC::ProxyObject::performPreventExtensions):
1834         (JSC::ProxyObject::performIsExtensible):
1835         (JSC::ProxyObject::performDefineOwnProperty):
1836         (JSC::ProxyObject::performGetOwnPropertyNames):
1837         (JSC::ProxyObject::performSetPrototype):
1838         (JSC::ProxyObject::performGetPrototype):
1839         * runtime/ReflectObject.cpp:
1840         (JSC::reflectObjectConstruct):
1841         (JSC::reflectObjectDefineProperty):
1842         (JSC::reflectObjectGet):
1843         (JSC::reflectObjectGetOwnPropertyDescriptor):
1844         (JSC::reflectObjectIsExtensible):
1845         (JSC::reflectObjectPreventExtensions):
1846         (JSC::reflectObjectSet):
1847         (JSC::reflectObjectSetPrototypeOf):
1848         * runtime/RegExpConstructor.cpp:
1849         (JSC::toFlags):
1850         (JSC::regExpCreate):
1851         (JSC::constructRegExp):
1852         * runtime/RegExpConstructor.h:
1853         (JSC::isRegExp):
1854         * runtime/RegExpObject.cpp:
1855         (JSC::collectMatches):
1856         (JSC::RegExpObject::matchGlobal):
1857         * runtime/RegExpPrototype.cpp:
1858         (JSC::regExpProtoFuncCompile):
1859         (JSC::flagsString):
1860         (JSC::regExpProtoFuncToString):
1861         (JSC::regExpProtoGetterFlags):
1862         (JSC::regExpProtoFuncSearchFast):
1863         (JSC::regExpProtoFuncSplitFast):
1864         * runtime/SetConstructor.cpp:
1865         (JSC::constructSet):
1866         * runtime/StringConstructor.cpp:
1867         (JSC::stringFromCodePoint):
1868         (JSC::constructWithStringConstructor):
1869         * runtime/StringObject.cpp:
1870         (JSC::StringObject::defineOwnProperty):
1871         * runtime/StringPrototype.cpp:
1872         (JSC::replaceUsingRegExpSearch):
1873         (JSC::operationStringProtoFuncReplaceRegExpEmptyStr):
1874         (JSC::replaceUsingStringSearch):
1875         (JSC::replace):
1876         (JSC::stringProtoFuncReplaceUsingRegExp):
1877         (JSC::stringProtoFuncReplaceUsingStringSearch):
1878         (JSC::stringProtoFuncCodePointAt):
1879         (JSC::stringProtoFuncSlice):
1880         (JSC::stringProtoFuncSplitFast):
1881         (JSC::stringProtoFuncSubstr):
1882         (JSC::stringProtoFuncSubstring):
1883         (JSC::stringProtoFuncLocaleCompare):
1884         (JSC::toLocaleCase):
1885         (JSC::stringProtoFuncBig):
1886         (JSC::stringProtoFuncSmall):
1887         (JSC::stringProtoFuncBlink):
1888         (JSC::stringProtoFuncBold):
1889         (JSC::stringProtoFuncFixed):
1890         (JSC::stringProtoFuncItalics):
1891         (JSC::stringProtoFuncStrike):
1892         (JSC::stringProtoFuncSub):
1893         (JSC::stringProtoFuncSup):
1894         (JSC::stringProtoFuncFontcolor):
1895         (JSC::stringProtoFuncFontsize):
1896         (JSC::stringProtoFuncAnchor):
1897         (JSC::stringProtoFuncLink):
1898         (JSC::trimString):
1899         (JSC::stringProtoFuncStartsWith):
1900         (JSC::stringProtoFuncEndsWith):
1901         (JSC::stringIncludesImpl):
1902         (JSC::stringProtoFuncIncludes):
1903         (JSC::builtinStringIncludesInternal):
1904         (JSC::stringProtoFuncNormalize):
1905         * runtime/SymbolConstructor.cpp:
1906         (JSC::symbolConstructorFor):
1907         * runtime/TemplateRegistry.cpp:
1908         (JSC::TemplateRegistry::getTemplateObject):
1909         * runtime/ThrowScope.cpp:
1910         (JSC::ThrowScope::ThrowScope):
1911         (JSC::ThrowScope::~ThrowScope):
1912         (JSC::ThrowScope::throwException):
1913         (JSC::ThrowScope::simulateThrow):
1914         (JSC::ThrowScope::printIfNeedCheck): Deleted.
1915         (JSC::ThrowScope::verifyExceptionCheckNeedIsSatisfied): Deleted.
1916         * runtime/ThrowScope.h:
1917         (JSC::ThrowScope::release):
1918         (JSC::ThrowScope::ThrowScope):
1919         (JSC::ThrowScope::throwException):
1920         (JSC::ThrowScope::vm): Deleted.
1921         (JSC::ThrowScope::exception): Deleted.
1922         * runtime/ThrowScopeLocation.h: Removed.
1923         * runtime/VM.cpp:
1924         (JSC::VM::verifyExceptionCheckNeedIsSatisfied):
1925         * runtime/VM.h:
1926         (JSC::VM::exception):
1927         (JSC::VM::clearException):
1928         (JSC::VM::setException): Deleted.
1929         * runtime/WeakMapConstructor.cpp:
1930         (JSC::constructWeakMap):
1931         * runtime/WeakSetConstructor.cpp:
1932         (JSC::constructWeakSet):
1933         * tools/JSDollarVMPrototype.cpp:
1934         (JSC::functionPrint):
1935
1936 2016-09-07  Andy VanWagoner  <thetalecrafter@gmail.com>
1937
1938         [INTL] some valid language tags cause errors in Intl constructors
1939         https://bugs.webkit.org/show_bug.cgi?id=161672
1940
1941         Reviewed by Mark Lam.
1942
1943         Fix private use tag parsing to match spec, allowing single character parts.
1944         https://www.rfc-editor.org/rfc/bcp/bcp47.txt
1945
1946         ```
1947         privateuse    = "x" 1*("-" (1*8alphanum))
1948         ```
1949
1950         * runtime/IntlObject.cpp:
1951         (JSC::privateUseLangTag): Allow singleton parts in private use tag.
1952
1953 2016-09-07  Benjamin Poulain  <bpoulain@apple.com>
1954
1955         [JSC] Remove a couple of useless forward declaration
1956         https://bugs.webkit.org/show_bug.cgi?id=161676
1957
1958         Reviewed by Mark Lam.
1959
1960         JITMathICForwards.h should take care of declarating the Math ICs.
1961
1962         * bytecode/CodeBlock.h:
1963         * jit/JITOperations.h:
1964
1965 2016-09-07  Filip Pizlo  <fpizlo@apple.com>
1966
1967         Make emitAllocateWithNonNullAllocator's sub32() disallow-scratch-friendly
1968         https://bugs.webkit.org/show_bug.cgi?id=161706
1969
1970         Reviewed by Geoffrey Garen.
1971         
1972         You can't sub32(Addr, Reg) on not-x86 without using a scratch register. So, on those CPUs, we
1973         have to do something different.
1974
1975         * jit/AssemblyHelpers.h:
1976         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
1977
1978 2016-09-07  Michael Catanzaro  <mcatanzaro@igalia.com>
1979
1980         Unreviewed CMake build fix after r205552
1981
1982         * CMakeLists.txt:
1983
1984 2016-09-03  Keith Miller  <keith_miller@apple.com>
1985
1986         Add support for WASM Loops and Branches
1987         https://bugs.webkit.org/show_bug.cgi?id=161569
1988
1989         Reviewed by Benjamin Poulain.
1990
1991         This patch adds support for loops and branches to WASM. In order
1992         to support loops, we needed to change the way the B3IRGenerator
1993         tracked control information. Now, the control data holds three
1994         pieces of information: The continuation block, the loop branch
1995         target, and variables exiting the block. Whenever we branch to
1996         some control point we first check if it is a loop by checking that
1997         the loop branch target is non-null. If the branch is not targeting
1998         a loop, we map the stack values to the associated B3 variables for
1999         that stack slot.
2000
2001         Another interesting thing of note is that we now only allocate the
2002         continuation basic block lazily. This is beneficial when the
2003         continuation would just fall through to another block anyway. For
2004         example, in code like: (block ... (block (add 1 2) end) end) the
2005         continuation for the inner block just falls through to the outer
2006         block's continuation so we don't need an extra block.
2007
2008         * B3CallingConventions.cpp:
2009         (JSC::B3::jscCallingConvention): Deleted.
2010         * B3CallingConventions.h:
2011         (JSC::B3::CallingConvention::CallingConvention): Deleted.
2012         (JSC::B3::CallingConvention::iterate): Deleted.
2013         (JSC::B3::nextJSCOffset): Deleted.
2014         * JavaScriptCore.xcodeproj/project.pbxproj:
2015         * b3/B3Type.h:
2016         * testWASM.cpp:
2017         (runWASMTests):
2018         * wasm/WASMB3IRGenerator.cpp:
2019         (JSC::WASM::B3IRGenerator::LazyBlock::LazyBlock):
2020         (JSC::WASM::B3IRGenerator::LazyBlock::operator bool):
2021         (JSC::WASM::B3IRGenerator::LazyBlock::get):
2022         (JSC::WASM::B3IRGenerator::LazyBlock::dump):
2023         (JSC::WASM::B3IRGenerator::ControlData::ControlData):
2024         (JSC::WASM::B3IRGenerator::ControlData::dump):
2025         (JSC::WASM::B3IRGenerator::ControlData::targetBlockForBranch):
2026         (JSC::WASM::B3IRGenerator::ControlData::isLoop):
2027         (JSC::WASM::B3IRGenerator::addLocal):
2028         (JSC::WASM::B3IRGenerator::addArguments):
2029         (JSC::WASM::B3IRGenerator::setLocal):
2030         (JSC::WASM::B3IRGenerator::addBlock):
2031         (JSC::WASM::B3IRGenerator::addLoop):
2032         (JSC::WASM::B3IRGenerator::endBlock):
2033         (JSC::WASM::B3IRGenerator::addReturn):
2034         (JSC::WASM::B3IRGenerator::addBranch):
2035         (JSC::WASM::B3IRGenerator::initializeIncommingTypes):
2036         (JSC::WASM::B3IRGenerator::unifyValuesWithBlock):
2037         (JSC::WASM::B3IRGenerator::controlDataForLevel):
2038         (JSC::WASM::B3IRGenerator::dumpGraphAndControlStack):
2039         (JSC::WASM::parseAndCompile):
2040         (JSC::WASM::B3IRGenerator::unifyValuesWithLevel): Deleted.
2041         (JSC::WASM::B3IRGenerator::stackForControlLevel): Deleted.
2042         (JSC::WASM::B3IRGenerator::blockForControlLevel): Deleted.
2043         * wasm/WASMCallingConvention.cpp: Renamed from Source/JavaScriptCore/B3CallingConventions.cpp.
2044         (JSC::WASM::jscCallingConvention):
2045         * wasm/WASMCallingConvention.h: Renamed from Source/JavaScriptCore/B3CallingConventions.h.
2046         (JSC::WASM::CallingConvention::CallingConvention):
2047         (JSC::WASM::CallingConvention::iterate):
2048         (JSC::WASM::nextJSCOffset):
2049         * wasm/WASMFormat.h:
2050         (JSC::WASM::toB3Type):
2051         (JSC::WASM::isValueType):
2052         * wasm/WASMFunctionParser.h:
2053         (JSC::WASM::FunctionParser<Context>::parse):
2054         (JSC::WASM::FunctionParser<Context>::parseExpression):
2055         * wasm/WASMModuleParser.cpp:
2056         (JSC::WASM::ModuleParser::parseFunctionTypes):
2057         * wasm/WASMOps.h:
2058
2059 2016-09-07  Youenn Fablet  <youenn@apple.com>
2060
2061         [Streams API] Separate compile flag for ReadableStream and WritableStream
2062         https://bugs.webkit.org/show_bug.cgi?id=161044
2063
2064         Reviewed by Alex Christensen.
2065
2066         Moving from STREAMS_API to READABLE_STREAM_API and WRITABLE_STREAM_API compilation flags.
2067         Updated builtin test to cover the case of @conditional taking ENABLE(XX) || ENABLE(YY) flag.
2068
2069         * Configurations/FeatureDefines.xcconfig:
2070         * Scripts/tests/builtins/WebCore-GuardedInternalBuiltin-Separate.js:
2071         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
2072         * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
2073
2074 2016-09-07  Csaba Osztrogon√°c  <ossy@webkit.org>
2075
2076         Fix the ENABLE(WEBASSEMBLY) build on Linux
2077         https://bugs.webkit.org/show_bug.cgi?id=161685
2078
2079         Unreviewed buildfix.
2080
2081         * wasm/JSWASMModule.cpp:
2082
2083 2016-09-06  Saam Barati  <sbarati@apple.com>
2084
2085         ProxyObject's structure should not have ObjectPrototype as its prototype and it should not have special behavior for intercepting "__proto__"
2086         https://bugs.webkit.org/show_bug.cgi?id=161558
2087
2088         Reviewed by Benjamin Poulain.
2089
2090         ProxyObject had ObjectPrototype as its direct prototype.
2091         This could lead to infinite loops when doing a getDirectPrototype()
2092         loop.
2093
2094         Fixing this bug revealed another bug, which I made when implementing Proxy.
2095         We should not special case "__proto__" in get and set for Proxy Object's
2096         hooks. "__proto__" should just go through the normal set and get path.
2097
2098         * runtime/JSGlobalObject.cpp:
2099         (JSC::JSGlobalObject::init):
2100         * runtime/ProxyObject.cpp:
2101         (JSC::performProxyGet):
2102         (JSC::ProxyObject::put):
2103
2104 2016-09-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2105
2106         Make JSC::PrivateName copyable
2107         https://bugs.webkit.org/show_bug.cgi?id=161666
2108
2109         Reviewed by Ryosuke Niwa.
2110
2111         Define the custom copy constructor to make PrivateName copyable while using Ref<SymbolImpl>.
2112         And since the custom copy constructor deletes the default move constructor, we explcitly define
2113         it by `= default;`.
2114
2115         * runtime/PrivateName.h:
2116         (JSC::PrivateName::PrivateName):
2117
2118 2016-09-06  Daniel Bates  <dabates@apple.com>
2119
2120         [iOS] Build fails in JSCLLIntOffsetsExtractor - Ad Hoc code signing is not allowed with SDK 'Simulator - iOS 10.0'
2121         https://bugs.webkit.org/show_bug.cgi?id=161296
2122
2123         Reviewed by Dan Bernstein.
2124
2125         Allow ad-hoc code signing when building JavaScriptCore command line tools for simulator
2126         with the iOS 10 beta SDK.
2127
2128         * Configurations/Base.xcconfig:
2129
2130 2016-09-06  Saam Barati  <sbarati@apple.com>
2131
2132         Unreviewed build fix for 32-bit platforms after r205520.
2133
2134         * dfg/DFGSpeculativeJIT.h:
2135         (JSC::DFG::SpeculativeJIT::callOperation): Deleted.
2136
2137 2016-09-06  Saam Barati  <sbarati@apple.com>
2138
2139         Member call on NULL pointer in JavaScriptCore/dfg/DFGAbstractInterpretterInlines.h
2140         https://bugs.webkit.org/show_bug.cgi?id=160870
2141
2142         Reviewed by Darin Adler.
2143
2144         Credit goes to Jonathan Bedard for finding this bug using the undefined
2145         behavior sanitizer.
2146
2147         The rule for MaterializeNewObject inside AI was assuming that the graph
2148         is in SSA form. This used to be true when MaterializeNewObject was only
2149         inserted by the allocation sinking phase. However, Filip added more uses
2150         of MaterializeNewObject in his RegExp constant folding patch. This fixes
2151         the bug by using the structure set inside the Node's OpInfo rather than
2152         generating it from m_phiChildren inside AI.
2153
2154         * dfg/DFGAbstractInterpreterInlines.h:
2155         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2156
2157 2016-09-06  Saam Barati  <sbarati@apple.com>
2158
2159         Make JSMap and JSSet faster
2160         https://bugs.webkit.org/show_bug.cgi?id=160989
2161
2162         Reviewed by Filip Pizlo.
2163
2164         This patch revamps how we implement Map and Set. It uses
2165         a new hash map implementation. The hash map uses linear
2166         probing and it uses Wang's 64 bit hash function for JSValues
2167         that aren't strings. Strings use StringImpl's hash function.
2168         The reason I wanted to roll our own HashTable is twofold:
2169         I didn't want to inline WTF::HashMap's implementation into our
2170         JIT, since that seems error prone and unmaintainable. Also, I wanted
2171         a different structure for hash map buckets where buckets also exist in
2172         a linked list.
2173
2174         The reason for making buckets part of a linked list is that iteration
2175         is now simple. Iteration works by just traversing a linked list.
2176         This design also allows for a simple implementation when doing iteration
2177         while the hash table is mutating. Whenever we remove a bucket from
2178         the hash table, it is removed from the list, meaning items in the
2179         list don't point to it. However, the removed bucket will still point
2180         to things that are either in the list, or have also been removed.
2181         e.g, from a removed bucket, you can always follow pointers until you
2182         either find an item in the list, or you find the tail of the list.
2183         This is a really nice property because it means that a Map or Set
2184         does not need to reason about the all the iterators that point
2185         into its list. Also, whenever we add items to the Map or Set, we
2186         hijack the tail as the new item, and make the new item point to a newly
2187         created tail. This means that any iterator that pointed to the "tail" now
2188         points to non-tail items. This makes the implementation of adding things
2189         to the Map/Set while iterating easy.
2190
2191         I also made Map.prototype.get, Map.prototype.has, and Set.prototype.has
2192         into intrinsics in the DFG. The IR can now reason about hash map
2193         operations and can even do CSE over Wang's hash function, hash map
2194         bucket lookups, hash map bucket loads, and testing if a key is in
2195         the hash table. This makes code patterns for Map like so, super fast
2196         in the FTL, since we will only be doing a single hash and hash bucket lookup:
2197
2198         ```
2199         function getKeyIfPresent(map, key) {
2200             if (map.has(key))
2201                 return map.get(key);
2202         }
2203         ```
2204
2205         This patch is roughly an 8% speedup on ES6SampleBench.
2206
2207
2208         * CMakeLists.txt:
2209         * JavaScriptCore.xcodeproj/project.pbxproj:
2210         * assembler/MacroAssemblerARM64.h:
2211         (JSC::MacroAssemblerARM64::not64):
2212         * bytecode/SpeculatedType.cpp:
2213         (JSC::speculationFromClassInfo):
2214         * bytecode/SpeculatedType.h:
2215         * dfg/DFGAbstractInterpreterInlines.h:
2216         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2217         (JSC::DFG::AbstractInterpreter<AbstractStateType>::execute):
2218         * dfg/DFGByteCodeParser.cpp:
2219         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2220         * dfg/DFGClobberize.h:
2221         (JSC::DFG::clobberize):
2222         * dfg/DFGDoesGC.cpp:
2223         (JSC::DFG::doesGC):
2224         * dfg/DFGEdge.h:
2225         (JSC::DFG::Edge::shift):
2226         (JSC::DFG::Edge::makeWord):
2227         * dfg/DFGFixupPhase.cpp:
2228         (JSC::DFG::FixupPhase::fixupNode):
2229         * dfg/DFGHeapLocation.cpp:
2230         (WTF::printInternal):
2231         * dfg/DFGHeapLocation.h:
2232         * dfg/DFGNode.h:
2233         (JSC::DFG::Node::hasHeapPrediction):
2234         * dfg/DFGNodeType.h:
2235         * dfg/DFGOperations.cpp:
2236         * dfg/DFGOperations.h:
2237         * dfg/DFGPredictionPropagationPhase.cpp:
2238         * dfg/DFGSafeToExecute.h:
2239         (JSC::DFG::SafeToExecuteEdge::operator()):
2240         (JSC::DFG::safeToExecute):
2241         * dfg/DFGSpeculativeJIT.cpp:
2242         (JSC::DFG::SpeculativeJIT::speculateMapObject):
2243         (JSC::DFG::SpeculativeJIT::speculateSetObject):
2244         (JSC::DFG::SpeculativeJIT::speculate):
2245         * dfg/DFGSpeculativeJIT.h:
2246         (JSC::DFG::SpeculativeJIT::callOperation):
2247         * dfg/DFGSpeculativeJIT32_64.cpp:
2248         (JSC::DFG::SpeculativeJIT::compile):
2249         * dfg/DFGSpeculativeJIT64.cpp:
2250         (JSC::DFG::SpeculativeJIT::compile):
2251         * dfg/DFGUseKind.cpp:
2252         (WTF::printInternal):
2253         * dfg/DFGUseKind.h:
2254         (JSC::DFG::typeFilterFor):
2255         (JSC::DFG::isCell):
2256         * ftl/FTLAbstractHeapRepository.h:
2257         * ftl/FTLCapabilities.cpp:
2258         (JSC::FTL::canCompile):
2259         * ftl/FTLLowerDFGToB3.cpp:
2260         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2261         (JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
2262         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
2263         (JSC::FTL::DFG::LowerDFGToB3::compileLoadFromJSMapBucket):
2264         (JSC::FTL::DFG::LowerDFGToB3::compileIsNonEmptyMapBucket):
2265         (JSC::FTL::DFG::LowerDFGToB3::lowMapObject):
2266         (JSC::FTL::DFG::LowerDFGToB3::lowSetObject):
2267         (JSC::FTL::DFG::LowerDFGToB3::lowMapBucket):
2268         (JSC::FTL::DFG::LowerDFGToB3::speculate):
2269         (JSC::FTL::DFG::LowerDFGToB3::speculateMapObject):
2270         (JSC::FTL::DFG::LowerDFGToB3::speculateSetObject):
2271         (JSC::FTL::DFG::LowerDFGToB3::setMapBucket):
2272         (JSC::FTL::DFG::LowerDFGToB3::lowRegExpObject): Deleted.
2273         (JSC::FTL::DFG::LowerDFGToB3::lowStorage): Deleted.
2274         (JSC::FTL::DFG::LowerDFGToB3::speculateRegExpObject): Deleted.
2275         (JSC::FTL::DFG::LowerDFGToB3::setStorage): Deleted.
2276         * jit/AssemblyHelpers.cpp:
2277         (JSC::AssemblyHelpers::wangsInt64Hash):
2278         * jit/AssemblyHelpers.h:
2279         (JSC::AssemblyHelpers::emitAllocateDestructibleObject): Deleted.
2280         * jit/JITOperations.h:
2281         * parser/ModuleAnalyzer.cpp:
2282         (JSC::ModuleAnalyzer::ModuleAnalyzer):
2283         * runtime/HashMapImpl.cpp: Added.
2284         (JSC::HashMapBucket<Data>::visitChildren):
2285         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
2286         (JSC::HashMapImpl<HashMapBucket>::copyBackingStore):
2287         * runtime/HashMapImpl.h: Added.
2288         (JSC::HashMapBucket::selectStructure):
2289         (JSC::HashMapBucket::createStructure):
2290         (JSC::HashMapBucket::create):
2291         (JSC::HashMapBucket::HashMapBucket):
2292         (JSC::HashMapBucket::setNext):
2293         (JSC::HashMapBucket::setPrev):
2294         (JSC::HashMapBucket::setKey):
2295         (JSC::HashMapBucket::setValue):
2296         (JSC::HashMapBucket::key):
2297         (JSC::HashMapBucket::value):
2298         (JSC::HashMapBucket::next):
2299         (JSC::HashMapBucket::prev):
2300         (JSC::HashMapBucket::deleted):
2301         (JSC::HashMapBucket::setDeleted):
2302         (JSC::HashMapBucket::offsetOfKey):
2303         (JSC::HashMapBucket::offsetOfValue):
2304         (JSC::HashMapBuffer::allocationSize):
2305         (JSC::HashMapBuffer::buffer):
2306         (JSC::HashMapBuffer::create):
2307         (JSC::areKeysEqual):
2308         (JSC::normalizeMapKey):
2309         (JSC::jsMapHash):
2310         (JSC::HashMapImpl::selectStructure):
2311         (JSC::HashMapImpl::createStructure):
2312         (JSC::HashMapImpl::create):
2313         (JSC::HashMapImpl::HashMapImpl):
2314         (JSC::HashMapImpl::buffer):
2315         (JSC::HashMapImpl::finishCreation):
2316         (JSC::HashMapImpl::emptyValue):
2317         (JSC::HashMapImpl::isEmpty):
2318         (JSC::HashMapImpl::deletedValue):
2319         (JSC::HashMapImpl::isDeleted):
2320         (JSC::HashMapImpl::findBucket):
2321         (JSC::HashMapImpl::get):
2322         (JSC::HashMapImpl::has):
2323         (JSC::HashMapImpl::add):
2324         (JSC::HashMapImpl::remove):
2325         (JSC::HashMapImpl::size):
2326         (JSC::HashMapImpl::clear):
2327         (JSC::HashMapImpl::bufferSizeInBytes):
2328         (JSC::HashMapImpl::offsetOfBuffer):
2329         (JSC::HashMapImpl::offsetOfCapacity):
2330         (JSC::HashMapImpl::head):
2331         (JSC::HashMapImpl::tail):
2332         (JSC::HashMapImpl::approximateSize):
2333         (JSC::HashMapImpl::findBucketAlreadyHashedAndNormalized):
2334         (JSC::HashMapImpl::rehash):
2335         (JSC::HashMapImpl::makeAndSetNewBuffer):
2336         * runtime/Intrinsic.h:
2337         * runtime/JSCJSValue.h:
2338         * runtime/JSCJSValueInlines.h:
2339         (JSC::sameValue):
2340         * runtime/JSGlobalObject.cpp:
2341         (JSC::JSGlobalObject::init):
2342         * runtime/JSMap.cpp:
2343         (JSC::JSMap::destroy): Deleted.
2344         (JSC::JSMap::estimatedSize): Deleted.
2345         (JSC::JSMap::visitChildren): Deleted.
2346         (JSC::JSMap::copyBackingStore): Deleted.
2347         (JSC::JSMap::has): Deleted.
2348         (JSC::JSMap::size): Deleted.
2349         (JSC::JSMap::get): Deleted.
2350         (JSC::JSMap::set): Deleted.
2351         (JSC::JSMap::clear): Deleted.
2352         (JSC::JSMap::remove): Deleted.
2353         * runtime/JSMap.h:
2354         (JSC::JSMap::createStructure):
2355         (JSC::JSMap::create):
2356         (JSC::JSMap::get):
2357         (JSC::JSMap::set):
2358         (JSC::JSMap::JSMap):
2359         (JSC::JSMap::Entry::key): Deleted.
2360         (JSC::JSMap::Entry::value): Deleted.
2361         (JSC::JSMap::Entry::visitChildren): Deleted.
2362         (JSC::JSMap::Entry::setKey): Deleted.
2363         (JSC::JSMap::Entry::setKeyWithoutWriteBarrier): Deleted.
2364         (JSC::JSMap::Entry::setValue): Deleted.
2365         (JSC::JSMap::Entry::clear): Deleted.
2366         * runtime/JSMapIterator.cpp:
2367         (JSC::JSMapIterator::finishCreation):
2368         (JSC::JSMapIterator::visitChildren):
2369         (JSC::JSMapIterator::clone):
2370         * runtime/JSMapIterator.h:
2371         (JSC::JSMapIterator::advanceIter):
2372         (JSC::JSMapIterator::next):
2373         (JSC::JSMapIterator::nextKeyValue):
2374         (JSC::JSMapIterator::JSMapIterator):
2375         (JSC::JSMapIterator::setIterator):
2376         (JSC::JSMapIterator::finish): Deleted.
2377         (JSC::JSMapIterator::iteratorData): Deleted.
2378         * runtime/JSModuleLoader.cpp:
2379         (JSC::JSModuleLoader::finishCreation):
2380         * runtime/JSModuleLoader.h:
2381         (JSC::JSModuleLoader::create):
2382         * runtime/JSModuleRecord.cpp:
2383         (JSC::JSModuleRecord::finishCreation):
2384         * runtime/JSModuleRecord.h:
2385         (JSC::JSModuleRecord::create):
2386         * runtime/JSSet.cpp:
2387         (JSC::JSSet::destroy): Deleted.
2388         (JSC::JSSet::estimatedSize): Deleted.
2389         (JSC::JSSet::visitChildren): Deleted.
2390         (JSC::JSSet::copyBackingStore): Deleted.
2391         (JSC::JSSet::has): Deleted.
2392         (JSC::JSSet::size): Deleted.
2393         (JSC::JSSet::add): Deleted.
2394         (JSC::JSSet::clear): Deleted.
2395         (JSC::JSSet::remove): Deleted.
2396         * runtime/JSSet.h:
2397         (JSC::JSSet::createStructure):
2398         (JSC::JSSet::create):
2399         (JSC::JSSet::add):
2400         (JSC::JSSet::JSSet):
2401         (JSC::JSSet::Entry::key): Deleted.
2402         (JSC::JSSet::Entry::value): Deleted.
2403         (JSC::JSSet::Entry::visitChildren): Deleted.
2404         (JSC::JSSet::Entry::setKey): Deleted.
2405         (JSC::JSSet::Entry::setKeyWithoutWriteBarrier): Deleted.
2406         (JSC::JSSet::Entry::setValue): Deleted.
2407         (JSC::JSSet::Entry::clear): Deleted.
2408         * runtime/JSSetIterator.cpp:
2409         (JSC::JSSetIterator::finishCreation):
2410         (JSC::JSSetIterator::visitChildren):
2411         (JSC::JSSetIterator::clone):
2412         * runtime/JSSetIterator.h:
2413         (JSC::JSSetIterator::advanceIter):
2414         (JSC::JSSetIterator::next):
2415         (JSC::JSSetIterator::JSSetIterator):
2416         (JSC::JSSetIterator::setIterator):
2417         (JSC::JSSetIterator::finish): Deleted.
2418         (JSC::JSSetIterator::iteratorData): Deleted.
2419         * runtime/JSType.h:
2420         * runtime/MapBase.cpp: Added.
2421         (JSC::MapBase<HashMapBucketType>::visitChildren):
2422         (JSC::MapBase<HashMapBucketType>::estimatedSize):
2423         * runtime/MapBase.h: Added.
2424         (JSC::MapBase::size):
2425         (JSC::MapBase::has):
2426         (JSC::MapBase::clear):
2427         (JSC::MapBase::remove):
2428         (JSC::MapBase::findBucket):
2429         (JSC::MapBase::offsetOfHashMapImpl):
2430         (JSC::MapBase::impl):
2431         (JSC::MapBase::finishCreation):
2432         (JSC::MapBase::MapBase):
2433         * runtime/MapConstructor.cpp:
2434         (JSC::constructMap):
2435         * runtime/MapIteratorPrototype.cpp:
2436         (JSC::MapIteratorPrototypeFuncNext):
2437         * runtime/MapPrototype.cpp:
2438         (JSC::MapPrototype::finishCreation):
2439         (JSC::getMap):
2440         (JSC::privateFuncIsMap):
2441         (JSC::privateFuncMapIteratorNext):
2442         * runtime/PropertyDescriptor.cpp:
2443         (JSC::sameValue): Deleted.
2444         * runtime/PropertyDescriptor.h:
2445         * runtime/SetConstructor.cpp:
2446         (JSC::constructSet):
2447         * runtime/SetIteratorPrototype.cpp:
2448         (JSC::SetIteratorPrototypeFuncNext):
2449         * runtime/SetPrototype.cpp:
2450         (JSC::SetPrototype::finishCreation):
2451         (JSC::getSet):
2452         (JSC::privateFuncSetIteratorNext):
2453         * runtime/VM.cpp:
2454         (JSC::VM::VM):
2455         * runtime/VM.h:
2456
2457 2016-09-06  Benjamin Poulain  <bpoulain@apple.com>
2458
2459         [JSC] Make ArithClz32 work with Cell arguments
2460         https://bugs.webkit.org/show_bug.cgi?id=161369
2461
2462         Reviewed by Geoffrey Garen.
2463
2464         ArithClz32 was already working with all primitive types
2465         thanks to the magic of ValueToInt32.
2466         This patch adds support for cell arguments through a function
2467         call.
2468
2469         * dfg/DFGAbstractInterpreterInlines.h:
2470         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2471         * dfg/DFGClobberize.h:
2472         (JSC::DFG::clobberize):
2473         * dfg/DFGFixupPhase.cpp:
2474         (JSC::DFG::FixupPhase::fixupNode):
2475         * dfg/DFGNodeType.h:
2476         * dfg/DFGOperations.cpp:
2477         * dfg/DFGOperations.h:
2478         * dfg/DFGSpeculativeJIT.cpp:
2479         (JSC::DFG::SpeculativeJIT::compileArithClz32):
2480         * dfg/DFGSpeculativeJIT.h:
2481         (JSC::DFG::SpeculativeJIT::callOperation):
2482         * ftl/FTLLowerDFGToB3.cpp:
2483         (JSC::FTL::DFG::LowerDFGToB3::compileArithClz32):
2484
2485 2016-09-06  Mark Lam  <mark.lam@apple.com>
2486
2487         Gardening: change to use old header guard to appease Win EWS.
2488
2489         Not reviewed.
2490
2491         * runtime/AuxiliaryBarrier.h:
2492
2493 2016-09-06  Commit Queue  <commit-queue@webkit.org>
2494
2495         Unreviewed, rolling out r205494.
2496         https://bugs.webkit.org/show_bug.cgi?id=161646
2497
2498         This change broke the Windows build (Requested by ryanhaddad
2499         on #webkit).
2500
2501         Reverted changeset:
2502
2503         "Typed arrays should use MarkedSpace instead of CopiedSpace"
2504         https://bugs.webkit.org/show_bug.cgi?id=161100
2505         http://trac.webkit.org/changeset/205494
2506
2507 2016-09-06  Commit Queue  <commit-queue@webkit.org>
2508
2509         Unreviewed, rolling out r205504.
2510         https://bugs.webkit.org/show_bug.cgi?id=161645
2511
2512         Broke the iOS device build (Requested by ryanhaddad on
2513         #webkit).
2514
2515         Reverted changeset:
2516
2517         "Make JSMap and JSSet faster"
2518         https://bugs.webkit.org/show_bug.cgi?id=160989
2519         http://trac.webkit.org/changeset/205504
2520
2521 2016-09-06  Saam Barati  <sbarati@apple.com>
2522
2523         Make JSMap and JSSet faster
2524         https://bugs.webkit.org/show_bug.cgi?id=160989
2525
2526         Reviewed by Filip Pizlo.
2527
2528         This patch revamps how we implement Map and Set. It uses
2529         a new hash map implementation. The hash map uses linear
2530         probing and it uses Wang's 64 bit hash function for JSValues
2531         that aren't strings. Strings use StringImpl's hash function.
2532         The reason I wanted to roll our own HashTable is twofold:
2533         I didn't want to inline WTF::HashMap's implementation into our
2534         JIT, since that seems error prone and unmaintainable. Also, I wanted
2535         a different structure for hash map buckets where buckets also exist in
2536         a linked list.
2537
2538         The reason for making buckets part of a linked list is that iteration
2539         is now simple. Iteration works by just traversing a linked list.
2540         This design also allows for a simple implementation when doing iteration
2541         while the hash table is mutating. Whenever we remove a bucket from
2542         the hash table, it is removed from the list, meaning items in the
2543         list don't point to it. However, the removed bucket will still point
2544         to things that are either in the list, or have also been removed.
2545         e.g, from a removed bucket, you can always follow pointers until you
2546         either find an item in the list, or you find the tail of the list.
2547         This is a really nice property because it means that a Map or Set
2548         does not need to reason about the all the iterators that point
2549         into its list. Also, whenever we add items to the Map or Set, we
2550         hijack the tail as the new item, and make the new item point to a newly
2551         created tail. This means that any iterator that pointed to the "tail" now
2552         points to non-tail items. This makes the implementation of adding things
2553         to the Map/Set while iterating easy.
2554
2555         I also made Map.prototype.get, Map.prototype.has, and Set.prototype.has
2556         into intrinsics in the DFG. The IR can now reason about hash map
2557         operations and can even do CSE over Wang's hash function, hash map
2558         bucket lookups, hash map bucket loads, and testing if a key is in
2559         the hash table. This makes code patterns for Map like so, super fast
2560         in the FTL, since we will only be doing a single hash and hash bucket lookup:
2561
2562         ```
2563         function getKeyIfPresent(map, key) {
2564             if (map.has(key))
2565                 return map.get(key);
2566         }
2567         ```
2568
2569         This patch is roughly an 8% speedup on ES6SampleBench.
2570
2571         * CMakeLists.txt:
2572         * JavaScriptCore.xcodeproj/project.pbxproj:
2573         * bytecode/SpeculatedType.cpp:
2574         (JSC::speculationFromClassInfo):
2575         * bytecode/SpeculatedType.h:
2576         * dfg/DFGAbstractInterpreterInlines.h:
2577         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2578         (JSC::DFG::AbstractInterpreter<AbstractStateType>::execute):
2579         * dfg/DFGByteCodeParser.cpp:
2580         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2581         * dfg/DFGClobberize.h:
2582         (JSC::DFG::clobberize):
2583         * dfg/DFGDoesGC.cpp:
2584         (JSC::DFG::doesGC):
2585         * dfg/DFGEdge.h:
2586         (JSC::DFG::Edge::shift):
2587         (JSC::DFG::Edge::makeWord):
2588         * dfg/DFGFixupPhase.cpp:
2589         (JSC::DFG::FixupPhase::fixupNode):
2590         * dfg/DFGHeapLocation.cpp:
2591         (WTF::printInternal):
2592         * dfg/DFGHeapLocation.h:
2593         * dfg/DFGNode.h:
2594         (JSC::DFG::Node::hasHeapPrediction):
2595         * dfg/DFGNodeType.h:
2596         * dfg/DFGOperations.cpp:
2597         * dfg/DFGOperations.h:
2598         * dfg/DFGPredictionPropagationPhase.cpp:
2599         * dfg/DFGSafeToExecute.h:
2600         (JSC::DFG::SafeToExecuteEdge::operator()):
2601         (JSC::DFG::safeToExecute):
2602         * dfg/DFGSpeculativeJIT.cpp:
2603         (JSC::DFG::SpeculativeJIT::speculateMapObject):
2604         (JSC::DFG::SpeculativeJIT::speculateSetObject):
2605         (JSC::DFG::SpeculativeJIT::speculate):
2606         * dfg/DFGSpeculativeJIT.h:
2607         (JSC::DFG::SpeculativeJIT::callOperation):
2608         * dfg/DFGSpeculativeJIT32_64.cpp:
2609         (JSC::DFG::SpeculativeJIT::compile):
2610         * dfg/DFGSpeculativeJIT64.cpp:
2611         (JSC::DFG::SpeculativeJIT::compile):
2612         * dfg/DFGUseKind.cpp:
2613         (WTF::printInternal):
2614         * dfg/DFGUseKind.h:
2615         (JSC::DFG::typeFilterFor):
2616         (JSC::DFG::isCell):
2617         * ftl/FTLAbstractHeapRepository.h:
2618         * ftl/FTLCapabilities.cpp:
2619         (JSC::FTL::canCompile):
2620         * ftl/FTLLowerDFGToB3.cpp:
2621         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2622         (JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
2623         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
2624         (JSC::FTL::DFG::LowerDFGToB3::compileLoadFromJSMapBucket):
2625         (JSC::FTL::DFG::LowerDFGToB3::compileIsNonEmptyMapBucket):
2626         (JSC::FTL::DFG::LowerDFGToB3::lowMapObject):
2627         (JSC::FTL::DFG::LowerDFGToB3::lowSetObject):
2628         (JSC::FTL::DFG::LowerDFGToB3::lowMapBucket):
2629         (JSC::FTL::DFG::LowerDFGToB3::speculate):
2630         (JSC::FTL::DFG::LowerDFGToB3::speculateMapObject):
2631         (JSC::FTL::DFG::LowerDFGToB3::speculateSetObject):
2632         (JSC::FTL::DFG::LowerDFGToB3::setMapBucket):
2633         (JSC::FTL::DFG::LowerDFGToB3::lowRegExpObject): Deleted.
2634         (JSC::FTL::DFG::LowerDFGToB3::lowStorage): Deleted.
2635         (JSC::FTL::DFG::LowerDFGToB3::speculateRegExpObject): Deleted.
2636         (JSC::FTL::DFG::LowerDFGToB3::setStorage): Deleted.
2637         * jit/AssemblyHelpers.cpp:
2638         (JSC::AssemblyHelpers::wangsInt64Hash):
2639         * jit/AssemblyHelpers.h:
2640         (JSC::AssemblyHelpers::emitAllocateDestructibleObject): Deleted.
2641         * jit/JITOperations.h:
2642         * parser/ModuleAnalyzer.cpp:
2643         (JSC::ModuleAnalyzer::ModuleAnalyzer):
2644         * runtime/HashMapImpl.cpp: Added.
2645         (JSC::HashMapBucket<Data>::visitChildren):
2646         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
2647         (JSC::HashMapImpl<HashMapBucket>::copyBackingStore):
2648         * runtime/HashMapImpl.h: Added.
2649         (JSC::HashMapBucket::selectStructure):
2650         (JSC::HashMapBucket::createStructure):
2651         (JSC::HashMapBucket::create):
2652         (JSC::HashMapBucket::HashMapBucket):
2653         (JSC::HashMapBucket::setNext):
2654         (JSC::HashMapBucket::setPrev):
2655         (JSC::HashMapBucket::setKey):
2656         (JSC::HashMapBucket::setValue):
2657         (JSC::HashMapBucket::key):
2658         (JSC::HashMapBucket::value):
2659         (JSC::HashMapBucket::next):
2660         (JSC::HashMapBucket::prev):
2661         (JSC::HashMapBucket::deleted):
2662         (JSC::HashMapBucket::setDeleted):
2663         (JSC::HashMapBucket::offsetOfKey):
2664         (JSC::HashMapBucket::offsetOfValue):
2665         (JSC::HashMapBuffer::allocationSize):
2666         (JSC::HashMapBuffer::buffer):
2667         (JSC::HashMapBuffer::create):
2668         (JSC::areKeysEqual):
2669         (JSC::normalizeMapKey):
2670         (JSC::jsMapHash):
2671         (JSC::HashMapImpl::selectStructure):
2672         (JSC::HashMapImpl::createStructure):
2673         (JSC::HashMapImpl::create):
2674         (JSC::HashMapImpl::HashMapImpl):
2675         (JSC::HashMapImpl::buffer):
2676         (JSC::HashMapImpl::finishCreation):
2677         (JSC::HashMapImpl::emptyValue):
2678         (JSC::HashMapImpl::isEmpty):
2679         (JSC::HashMapImpl::deletedValue):
2680         (JSC::HashMapImpl::isDeleted):
2681         (JSC::HashMapImpl::findBucket):
2682         (JSC::HashMapImpl::get):
2683         (JSC::HashMapImpl::has):
2684         (JSC::HashMapImpl::add):
2685         (JSC::HashMapImpl::remove):
2686         (JSC::HashMapImpl::size):
2687         (JSC::HashMapImpl::clear):
2688         (JSC::HashMapImpl::bufferSizeInBytes):
2689         (JSC::HashMapImpl::offsetOfBuffer):
2690         (JSC::HashMapImpl::offsetOfCapacity):
2691         (JSC::HashMapImpl::head):
2692         (JSC::HashMapImpl::tail):
2693         (JSC::HashMapImpl::approximateSize):
2694         (JSC::HashMapImpl::findBucketAlreadyHashedAndNormalized):
2695         (JSC::HashMapImpl::rehash):
2696         (JSC::HashMapImpl::makeAndSetNewBuffer):
2697         * runtime/Intrinsic.h:
2698         * runtime/JSCJSValue.h:
2699         * runtime/JSCJSValueInlines.h:
2700         (JSC::sameValue):
2701         * runtime/JSGlobalObject.cpp:
2702         (JSC::JSGlobalObject::init):
2703         * runtime/JSMap.cpp:
2704         (JSC::JSMap::destroy): Deleted.
2705         (JSC::JSMap::estimatedSize): Deleted.
2706         (JSC::JSMap::visitChildren): Deleted.
2707         (JSC::JSMap::copyBackingStore): Deleted.
2708         (JSC::JSMap::has): Deleted.
2709         (JSC::JSMap::size): Deleted.
2710         (JSC::JSMap::get): Deleted.
2711         (JSC::JSMap::set): Deleted.
2712         (JSC::JSMap::clear): Deleted.
2713         (JSC::JSMap::remove): Deleted.
2714         * runtime/JSMap.h:
2715         (JSC::JSMap::createStructure):
2716         (JSC::JSMap::create):
2717         (JSC::JSMap::get):
2718         (JSC::JSMap::set):
2719         (JSC::JSMap::JSMap):
2720         (JSC::JSMap::Entry::key): Deleted.
2721         (JSC::JSMap::Entry::value): Deleted.
2722         (JSC::JSMap::Entry::visitChildren): Deleted.
2723         (JSC::JSMap::Entry::setKey): Deleted.
2724         (JSC::JSMap::Entry::setKeyWithoutWriteBarrier): Deleted.
2725         (JSC::JSMap::Entry::setValue): Deleted.
2726         (JSC::JSMap::Entry::clear): Deleted.
2727         * runtime/JSMapIterator.cpp:
2728         (JSC::JSMapIterator::finishCreation):
2729         (JSC::JSMapIterator::visitChildren):
2730         (JSC::JSMapIterator::clone):
2731         * runtime/JSMapIterator.h:
2732         (JSC::JSMapIterator::advanceIter):
2733         (JSC::JSMapIterator::next):
2734         (JSC::JSMapIterator::nextKeyValue):
2735         (JSC::JSMapIterator::JSMapIterator):
2736         (JSC::JSMapIterator::setIterator):
2737         (JSC::JSMapIterator::finish): Deleted.
2738         (JSC::JSMapIterator::iteratorData): Deleted.
2739         * runtime/JSModuleLoader.cpp:
2740         (JSC::JSModuleLoader::finishCreation):
2741         * runtime/JSModuleLoader.h:
2742         (JSC::JSModuleLoader::create):
2743         * runtime/JSModuleRecord.cpp:
2744         (JSC::JSModuleRecord::finishCreation):
2745         * runtime/JSModuleRecord.h:
2746         (JSC::JSModuleRecord::create):
2747         * runtime/JSSet.cpp:
2748         (JSC::JSSet::destroy): Deleted.
2749         (JSC::JSSet::estimatedSize): Deleted.
2750         (JSC::JSSet::visitChildren): Deleted.
2751         (JSC::JSSet::copyBackingStore): Deleted.
2752         (JSC::JSSet::has): Deleted.
2753         (JSC::JSSet::size): Deleted.
2754         (JSC::JSSet::add): Deleted.
2755         (JSC::JSSet::clear): Deleted.
2756         (JSC::JSSet::remove): Deleted.
2757         * runtime/JSSet.h:
2758         (JSC::JSSet::createStructure):
2759         (JSC::JSSet::create):
2760         (JSC::JSSet::add):
2761         (JSC::JSSet::JSSet):
2762         (JSC::JSSet::Entry::key): Deleted.
2763         (JSC::JSSet::Entry::value): Deleted.
2764         (JSC::JSSet::Entry::visitChildren): Deleted.
2765         (JSC::JSSet::Entry::setKey): Deleted.
2766         (JSC::JSSet::Entry::setKeyWithoutWriteBarrier): Deleted.
2767         (JSC::JSSet::Entry::setValue): Deleted.
2768         (JSC::JSSet::Entry::clear): Deleted.
2769         * runtime/JSSetIterator.cpp:
2770         (JSC::JSSetIterator::finishCreation):
2771         (JSC::JSSetIterator::visitChildren):
2772         (JSC::JSSetIterator::clone):
2773         * runtime/JSSetIterator.h:
2774         (JSC::JSSetIterator::advanceIter):
2775         (JSC::JSSetIterator::next):
2776         (JSC::JSSetIterator::JSSetIterator):
2777         (JSC::JSSetIterator::setIterator):
2778         (JSC::JSSetIterator::finish): Deleted.
2779         (JSC::JSSetIterator::iteratorData): Deleted.
2780         * runtime/JSType.h:
2781         * runtime/MapBase.cpp: Added.
2782         (JSC::MapBase<HashMapBucketType>::visitChildren):
2783         (JSC::MapBase<HashMapBucketType>::estimatedSize):
2784         * runtime/MapBase.h: Added.
2785         (JSC::MapBase::size):
2786         (JSC::MapBase::has):
2787         (JSC::MapBase::clear):
2788         (JSC::MapBase::remove):
2789         (JSC::MapBase::findBucket):
2790         (JSC::MapBase::offsetOfHashMapImpl):
2791         (JSC::MapBase::impl):
2792         (JSC::MapBase::finishCreation):
2793         (JSC::MapBase::MapBase):
2794         * runtime/MapConstructor.cpp:
2795         (JSC::constructMap):
2796         * runtime/MapIteratorPrototype.cpp:
2797         (JSC::MapIteratorPrototypeFuncNext):
2798         * runtime/MapPrototype.cpp:
2799         (JSC::MapPrototype::finishCreation):
2800         (JSC::getMap):
2801         (JSC::privateFuncIsMap):
2802         (JSC::privateFuncMapIteratorNext):
2803         * runtime/PropertyDescriptor.cpp:
2804         (JSC::sameValue): Deleted.
2805         * runtime/PropertyDescriptor.h:
2806         * runtime/SetConstructor.cpp:
2807         (JSC::constructSet):
2808         * runtime/SetIteratorPrototype.cpp:
2809         (JSC::SetIteratorPrototypeFuncNext):
2810         * runtime/SetPrototype.cpp:
2811         (JSC::SetPrototype::finishCreation):
2812         (JSC::getSet):
2813         (JSC::privateFuncSetIteratorNext):
2814         * runtime/VM.cpp:
2815         (JSC::VM::VM):
2816         * runtime/VM.h:
2817
2818 2016-09-06  Filip Pizlo  <fpizlo@apple.com>
2819
2820         Typed arrays should use MarkedSpace instead of CopiedSpace
2821         https://bugs.webkit.org/show_bug.cgi?id=161100
2822
2823         Reviewed by Geoffrey Garen.
2824         
2825         This moves typed array backing stores out of CopiedSpace and into Auxiliary MarkedSpace.
2826         
2827         This is a purely mechanical change since Auxiliary MarkedSpace already knows how to do
2828         everything that typed arrays want.
2829
2830         * dfg/DFGOperations.cpp:
2831         (JSC::DFG::newTypedArrayWithSize):
2832         * dfg/DFGOperations.h:
2833         (JSC::DFG::operationNewTypedArrayWithSizeForType):
2834         * dfg/DFGSpeculativeJIT.cpp:
2835         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
2836         * dfg/DFGSpeculativeJIT.h:
2837         (JSC::DFG::SpeculativeJIT::callOperation):
2838         (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage): Deleted.
2839         * ftl/FTLLowerDFGToB3.cpp:
2840         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
2841         (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
2842         (JSC::FTL::DFG::LowerDFGToB3::splatWords):
2843         (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorageAndGetEnd): Deleted.
2844         (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorage): Deleted.
2845         * heap/CopyToken.h:
2846         * heap/SlotVisitor.cpp:
2847         (JSC::SlotVisitor::markAuxiliary):
2848         * jit/JITOperations.h:
2849         * runtime/JSArrayBufferView.cpp:
2850         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
2851         (JSC::JSArrayBufferView::JSArrayBufferView):
2852         * runtime/JSArrayBufferView.h:
2853         * runtime/JSGenericTypedArrayView.h:
2854         * runtime/JSGenericTypedArrayViewInlines.h:
2855         (JSC::JSGenericTypedArrayView<Adaptor>::createWithFastVector):
2856         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
2857         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
2858         (JSC::JSGenericTypedArrayView<Adaptor>::copyBackingStore): Deleted.
2859
2860 2016-09-06  Michael Catanzaro  <mcatanzaro@igalia.com>
2861
2862         Silence GCC warning spam introduced in r205462
2863
2864         Rubber-stamped by Filip Pizlo.
2865
2866         * bytecode/Opcode.h:
2867         (JSC::padOpcodeName):
2868
2869 2016-09-05  Filip Pizlo  <fpizlo@apple.com>
2870
2871         Heap::isMarked() should use concurrent lazy flipping
2872         https://bugs.webkit.org/show_bug.cgi?id=161613
2873
2874         Reviewed by Michael Catanzaro.
2875         
2876         I found out about this race condition via
2877         https://bugs.webkit.org/show_bug.cgi?id=160125#c233.
2878         
2879         The problem is that we use isMarked, and maybe even isLive, inside the concurrent mark
2880         phase. So, they need to lazy-flip in a non-racy way.
2881
2882         * heap/HeapInlines.h:
2883         (JSC::Heap::isLive):
2884         (JSC::Heap::isMarked):
2885
2886 2016-09-05  Filip Pizlo  <fpizlo@apple.com>
2887
2888         Unreviewed, reset generator test results after the butterflies.
2889
2890         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
2891         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
2892         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
2893         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
2894         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
2895         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
2896         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
2897         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
2898         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
2899         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
2900         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
2901         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
2902         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
2903         * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
2904
2905 2016-09-05  Filip Pizlo  <fpizlo@apple.com>
2906
2907         Unreviewed, fix cloop build.
2908
2909         * bytecode/SuperSampler.cpp:
2910
2911 2016-08-31  Filip Pizlo  <fpizlo@apple.com>
2912
2913         Butterflies should be allocated in Auxiliary MarkedSpace instead of CopiedSpace and we should rewrite as much of the GC as needed to make this not a regression
2914         https://bugs.webkit.org/show_bug.cgi?id=160125
2915
2916         Reviewed by Geoffrey Garen and Keith Miller.
2917
2918         In order to make the GC concurrent (bug 149432), we would either need to enable concurrent
2919         copying or we would need to not copy. Concurrent copying carries a 1-2% throughput overhead
2920         from the barriers alone. Considering that MarkedSpace does a decent job of avoiding
2921         fragmentation, it's unlikely that it's worth paying 1-2% throughput for copying. So, we want
2922         to get rid of copied space. This change moves copied space's biggest client over to marked
2923         space.
2924         
2925         Moving butterflies to marked space means having them use the new Auxiliary HeapCell
2926         allocation path. This is a fairly mechanical change, but it caused performance regressions
2927         everywhere, so this change also fixes MarkedSpace's performance issues.
2928         
2929         At a high level the mechanical changes are:
2930         
2931         - We use AuxiliaryBarrier instead of CopyBarrier.
2932         
2933         - We use tryAllocateAuxiliary instead of tryAllocateStorage. I got rid of the silly
2934           CheckedBoolean stuff, since it's so much more trouble than it's worth.
2935         
2936         - The JITs have to emit inlined marked space allocations instead of inline copy space
2937           allocations.
2938         
2939         - Everyone has to get used to zeroing their butterflies after allocation instead of relying
2940           on them being pre-zeroed by the GC. Copied space would zero things for you, while marked
2941           space doesn't.
2942         
2943         That's about 1/3 of this change. But this led to performance problems, which I fixed with
2944         optimizations that amounted to a major MarkedSpace rewrite:
2945         
2946         - MarkedSpace always causes internal fragmentation for array allocations because the vector
2947           length we choose when we resize usually leads to a cell size that doesn't correspond to any
2948           size class. I got around this by making array allocations usually round up vectorLength to
2949           the maximum allowed by the size class that we would have allocated in. Also,
2950           ensureLengthSlow() and friends first make sure that the requested length can't just be
2951           fulfilled with the current allocation size. This safeguard means that not every array
2952           allocation has to do size class queries. For example, the fast path of new Array(length)
2953           never does any size class queries, under the assumption that (1) the speed gained from
2954           avoiding an ensureLengthSlow() call, which then just changes the vectorLength by doing the
2955           size class query, is too small to offset the speed lost by doing the query on every
2956           allocation and (2) new Array(length) is a pretty good hint that resizing is not very
2957           likely.
2958         
2959         - Size classes in MarkedSpace were way too precise, which led to external fragmentation. This
2960           changes MarkedSpace size classes to use a linear progression for very small sizes followed
2961           by a geometric progression that naturally transitions to a hyperbolic progression. We want
2962           hyperbolic sizes when we get close to blockSize: for example the largest size we want is
2963           payloadSize / 2 rounded down, to ensure we get exactly two cells with minimal slop. The
2964           next size down should be payloadSize / 3 rounded down, and so on. After the last precise
2965           size (80 bytes), we proceed using a geometric progression, but round up each size to
2966           minimize slop at the end of the block. This naturally causes the geometric progression to
2967           turn hyperbolic for large sizes. The size class configuration happens at VM start-up, so
2968           it can be controlled with runtime options. I found that a base of 1.4 works pretty well.
2969         
2970         - Large allocations caused massive internal fragmentation, since the smallest large
2971           allocation had to use exactly blockSize, and the largest small allocation used
2972           blockSize / 2. The next size up - the first large allocation size to require two blocks -
2973           also had 50% internal fragmentation. This is because we required large allocations to be
2974           blockSize aligned, so that MarkedBlock::blockFor() would work. I decided to rewrite all of
2975           that. Cells no longer have to be owned by a MarkedBlock. They can now alternatively be
2976           owned by a LargeAllocation. These two things are abstracted as CellContainer. You know that
2977           a cell is owned by a LargeAllocation if the MarkedBlock::atomSize / 2 bit is set.
2978           Basically, large allocations are deliberately misaligned by 8 bytes. This actually works
2979           out great since (1) typed arrays won't use large allocations anyway since they have their
2980           own malloc fallback and (2) large array butterflies already have a 8 byte header, which
2981           means that the 8 byte base misalignment aligns the large array payload on a 16 byte
2982           boundary. I took extreme care to make sure that the isLargeAllocation bit checks are as
2983           rare as possible; for example, ExecState::vm() skips the check because we know that callees
2984           must be small allocations. It's also possible to use template tricks to do one check for
2985           cell container kind, and then invoke a function specialized for MarkedBlock or a function
2986           specialized for LargeAllocation. LargeAllocation includes stubs for all MarkedBlock methods
2987           that get used from functions that are template-specialized like this. That's mostly to
2988           speed up the GC marking code. Most other code can use CellContainer API or HeapCell API
2989           directly. That's another thing: HeapCell, the common base of JSCell and auxiliary
2990           allocations, is now smart enough to do a lot of things for you, like HeapCell::vm(),
2991           HeapCell::heap(), HeapCell::isLargeAllocation(), and HeapCell::cellContainer(). The size
2992           cutoff for large allocations is runtime-configurable, so long as you don't choose something
2993           so small that callees end up large. I found that 400 bytes is roughly optimal. This means
2994           that the MarkedBlock size classes end up being:
2995           
2996           16, 32, 48, 64, 80, 112, 160, 224, 320
2997           
2998           The next size class would have been 432, but that's above the 400 byte cutoff. All of this
2999           is configurable with --sizeClassProgression and --largeAllocationCutoff. You can see what
3000           size classes you end up with by doing --dumpSizeClasses=true.
3001         
3002         - Copied space uses 64KB blocks, while marked space used to use 16KB blocks. Allocating a lot
3003           of stuff in 16KB blocks was slower than allocating it in 64KB blocks because the GC had a
3004           lot of per-block overhead. I removed this overhead: It's now 2x faster to scan all
3005           MarkedBlocks because the list that contains the interesting meta-data is allocated on the
3006           side, for better locality during a sequential walk. It's no longer necessary to scan
3007           MarkedBlocks to find WeakSets, since the sets of WeakSets for eden scan and full scan are
3008           maintained on-the-fly. It's no longer necessary to scan all MarkedBlocks to clear mark
3009           bits because we now use versioned mark bits: to clear then, just increment the 64-bit
3010           heap version. It's no longer necessary to scan retired MarkedBlocks while allocating
3011           because marking retires them on-the-fly. It's no longer necessary to sort all blocks in
3012           the IncrementalSweeper's snapshot because blocks now know if they are in the snapshot. Put
3013           together, these optimizations allowed me to reduce block size to 16KB without losing much
3014           performance. There is some small perf loss on JetStream/splay, but not enough to hurt
3015           JetStream overall. I tried reducing block sizes further, to 4KB, since that is a
3016           progression on membuster. That's not possible yet, since there is still enough per-block
3017           overhead yet that such a reduction hurts JetStream too much. I filed a bug about improving
3018           this further: https://bugs.webkit.org/show_bug.cgi?id=161581.
3019         
3020         - Even after all of that, copying butterflies was still faster because it allowed us to skip
3021           sweeping dead space. A good GC allocates over dead bytes without explicitly freeing them,
3022           so the GC pause is O(size of live), not O(size of live + dead). O(dead) is usually much
3023           larger than O(live), especially in an eden collection. Copying satisfies this premise while
3024           mark+sweep does not. So, I invented a new kind of allocator: bump'n'pop. Previously, our
3025           MarkedSpace allocator was a freelist pop. That's simple and easy to inline but requires
3026           that we walk the block to build a free list. This means walking dead space. The new
3027           allocator allows totally free MarkedBlocks to simply set up a bump-pointer arena instead.
3028           The allocator is a hybrid of bump-pointer and freelist pop. It tries bump first. The bump
3029           pointer always bumps by cellSize, so the result of filling a block with bumping looks as if
3030           we had used freelist popping to fill it. Additionally, each MarkedBlock now has a bit to
3031           quickly tell if the block is entirely free. This makes sweeping O(1) whenever a MarkedBlock
3032           is completely empty, which is the common case because of the generational hypothesis: the
3033           number of objects that survive an eden collection is a tiny fraction of the number of
3034           objects that had been allocated, and this fraction is so small that there are typically
3035           fewer than one survivors per MarkedBlock. This change was enough to make this change a net
3036           win over tip-of-tree.
3037         
3038         - FTL now shares the same allocation fast paths as everything else, which is great, because
3039           bump'n'pop has gnarly control flow. We don't really want B3 to have to think about that
3040           control flow, since it won't be able to improve the machine code we write ourselves. GC
3041           fast paths are best written in assembly. So, I've empowered B3 to have even better support
3042           for Patchpoint terminals. It's now totally fine for a Patchpoint terminal to be non-Void.
3043           So, the new FTL allocation fast paths are just Patchpoint terminals that call through to
3044           AssemblyHelpers::emitAllocate(). B3 still reasons about things like constant-folding the
3045           size class calculation and constant-hoisting the allocator. Also, I gave the FTL the
3046           ability to constant-fold some allocator logic (in case we first assume that we're doing a
3047           variable-length allocation but then realize that the length is known). I think it makes
3048           sense to have constant folding rules in FTL::Output, or whatever the B3 IR builder is,
3049           since this makes lowering easier (you can constant fold during lowering more easily) and it
3050           reduces the amount of malloc traffic. In the future, we could teach B3 how to better
3051           constant-fold this code. That would require allowing loads to be constant-folded, which is
3052           doable but hella tricky.
3053         
3054         - It used to be that if a logical object allocation required two physical allocations (first
3055           the butterfly and then the cell), then the JIT would emit the code in such a way that a
3056           failure in the second fast path would cause us to forget the successful first physical
3057           allocation. This was pointlessly wasteful. It turns out that it's very cheap to devote a
3058           register to storing either the butterfly or null, because the butterfly register is anyway
3059           going to be free inside the first allocation. The only overhead here is zeroing the
3060           butterfly register. With that in place, we can just pass the butterfly-or-null to the slow
3061           path, which can then either allocate a butterfly or not. So now we never waste a successful
3062           allocation. This patch implements such a solution both in DFG (where it's easy to do this
3063           since we control registers already) and in FTL (where it's annoying, because mutable
3064           "butterfly-or-null" variables are hard to say in SSA; also I realized that we had code
3065           duplicated the JSArray allocation utility, so I deduplicated it). This came up because in
3066           one version of this patch, this wastage would resonate with some Kraken benchmark: the
3067           benchmark would always allocate N small things followed by one bigger thing. The problem
3068           was I accidentally adjusted the various fixed overheads in MarkedBlock in such a way that
3069           the JSObject size class, which both the small and big thing shared for their cell, could
3070           hold exactly N cells per MarkedBlock. Then the benchmark would always call slow path when
3071           it allocated the big thing. So, it would end up having to allocate the big thing's large
3072           butterfly twice, every single time! Ouch!
3073         
3074         - It used to be that we zeroed CopiedBlocks using memset, and so array allocations enjoyed
3075           amortization of the cost of zeroing. This doesn't work anymore - it's now up to the client
3076           of the allocator to initialize the object to whatever state they need. It used to be that
3077           we would just use a dumb loop. I initially changed this so that we would end up in memset
3078           for large allocations, but this didn't actually help performance that much. I got a much
3079           better result by playing with different memsets written in assembly. First I wrote one
3080           using non-temporal stores. That was a small speed-up over memset. Then I tried the classic
3081           "rep stos" approach, and holy cow that version was fast. It's a ~20% speed-up on array
3082           allocation microbenchmarks. So, this patch adds code paths to do "rep stos" on x86_64, or
3083           memset, or use a loop, as appropriate, for both "contiguous" arrays (holes are zero) and
3084           double arrays (holes are PNaN). Note that the JIT always emits either a loop or a flat slab
3085           of stores (if the size is known), but those paths in the JIT won't trigger for
3086           NewArrayWithSize() if the size is large, since that takes us to the
3087           operationNewArrayWithSize() slow path, which calls into JSArray::create(). That's why the
3088           optimizations here are all in JSArray::create() - that's the hot place for large arrays
3089           that need to be filled with holes.
3090         
3091         All of this put together gives us neutral perf on JetStream,  membuster, and PLT3, a ~1%
3092         regression on Speedometer, and up to a 4% regression Kraken. The Kraken regression is
3093         because Kraken was allocating exactly 1024 element arrays at a rate of 400MB/sec. This is a
3094         best-case scenario for bump allocation. I think that we should fix bmalloc to make up the
3095         difference, but take the hit for now because it's a crazy corner case. By comparison, the
3096         alternative approach of using a copy barrier would have cost us 1-2%. That's the real
3097         apples-to-apples comparison if your premise is that we should have a concurrent GC. After we
3098         finish removing copied space, we will be barrier-ready for concurrent GC: we already have a
3099         marking barrier and we simply won't need a copying barrier. This change gets us there for
3100         the purposes of our benchmarks, since the remaining clients of copied space are not very
3101         important. On the other hand, if we keep copying, then getting barrier-ready would mean
3102         adding back the copy barrier, which costs more perf.
3103         
3104         We might get bigger speed-ups once we remove CopiedSpace altogether. That requires moving
3105         typed arrays and a few other weird things over to Aux MarkedSpace.
3106         
3107         This also includes some header sanitization. The introduction of AuxiliaryBarrier, HeapCell,
3108         and CellContainer meant that I had to include those files from everywhere. Fortunately,
3109         just including JSCInlines.h (instead of manually including the files that includes) is
3110         usually enough. So, I made most of JSC's cpp files include JSCInlines.h, which is something
3111         that we were already basically doing. In places where JSCInlines.h would be too much, I just
3112         included HeapInlines.h. This got weird, because we previously included HeapInlines.h from
3113         JSObject.h. That's bad because it led to some circular dependencies, so I fixed it - but that
3114         meant having to manually include HeapInlines.h from the places that previously got it
3115         implicitly via JSObject.h. But that led to more problems for some reason: I started getting
3116         build errors because non-JSC files were having trouble including Opcode.h. That's just silly,
3117         since Opcode.h is meant to be an internal JSC header. So, I made it an internal header and
3118         made it impossible to include it from outside JSC. This was a lot of work, but it was
3119         necessary to get the patch to build on all ports. It's also a net win. There were many places
3120         in WebCore that were transitively including a *ton* of JSC headers just because of the
3121         JSObject.h->HeapInlines.h edge and a bunch of dependency edges that arose from some public
3122         (for WebCore) JSC headers needing Interpreter.h or Opcode.h for bad reasons.
3123
3124         * API/JSManagedValue.mm:
3125         (-[JSManagedValue initWithValue:]):
3126         * API/JSTypedArray.cpp:
3127         * API/ObjCCallbackFunction.mm:
3128         * API/tests/testapi.mm:
3129         (testObjectiveCAPI):
3130         (testWeakValue): Deleted.
3131         * CMakeLists.txt:
3132         * JavaScriptCore.xcodeproj/project.pbxproj:
3133         * Scripts/builtins/builtins_generate_combined_implementation.py:
3134         (BuiltinsCombinedImplementationGenerator.generate_secondary_header_includes):
3135         * Scripts/builtins/builtins_generate_internals_wrapper_implementation.py:
3136         (BuiltinsInternalsWrapperImplementationGenerator.generate_secondary_header_includes):
3137         * Scripts/builtins/builtins_generate_separate_implementation.py:
3138         (BuiltinsSeparateImplementationGenerator.generate_secondary_header_includes):
3139         * assembler/AbstractMacroAssembler.h:
3140         (JSC::AbstractMacroAssembler::JumpList::link):
3141         (JSC::AbstractMacroAssembler::JumpList::linkTo):
3142         * assembler/MacroAssembler.h:
3143         * assembler/MacroAssemblerARM64.h:
3144         (JSC::MacroAssemblerARM64::add32):
3145         * assembler/MacroAssemblerCodeRef.cpp: Added.
3146         (JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
3147         (JSC::MacroAssemblerCodePtr::dumpWithName):
3148         (JSC::MacroAssemblerCodePtr::dump):
3149         (JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
3150         (JSC::MacroAssemblerCodeRef::dump):
3151         * assembler/MacroAssemblerCodeRef.h:
3152         (JSC::MacroAssemblerCodePtr::createLLIntCodePtr): Deleted.
3153         (JSC::MacroAssemblerCodePtr::dumpWithName): Deleted.
3154         (JSC::MacroAssemblerCodePtr::dump): Deleted.
3155         (JSC::MacroAssemblerCodeRef::createLLIntCodeRef): Deleted.
3156         (JSC::MacroAssemblerCodeRef::dump): Deleted.
3157         * b3/B3BasicBlock.cpp:
3158         (JSC::B3::BasicBlock::appendBoolConstant):
3159         * b3/B3BasicBlock.h:
3160         * b3/B3DuplicateTails.cpp:
3161         * b3/B3StackmapGenerationParams.h:
3162         * b3/testb3.cpp:
3163         (JSC::B3::testPatchpointTerminalReturnValue):
3164         (JSC::B3::run):
3165         * bindings/ScriptValue.cpp:
3166         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
3167         * bytecode/BytecodeBasicBlock.cpp:
3168         * bytecode/BytecodeLivenessAnalysis.cpp:
3169         * bytecode/BytecodeUseDef.h:
3170         * bytecode/CallLinkInfo.cpp:
3171         (JSC::CallLinkInfo::callTypeFor):
3172         * bytecode/CallLinkInfo.h:
3173         (JSC::CallLinkInfo::callTypeFor): Deleted.
3174         * bytecode/CallLinkStatus.cpp:
3175         * bytecode/CodeBlock.cpp:
3176         (JSC::CodeBlock::finishCreation):
3177         (JSC::CodeBlock::clearLLIntGetByIdCache):
3178         (JSC::CodeBlock::predictedMachineCodeSize):
3179         * bytecode/CodeBlock.h:
3180         (JSC::CodeBlock::jitCodeMap): Deleted.
3181         (JSC::clearLLIntGetByIdCache): Deleted.
3182         * bytecode/ExecutionCounter.h:
3183         * bytecode/Instruction.h:
3184         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
3185         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
3186         * bytecode/ObjectAllocationProfile.h:
3187         (JSC::ObjectAllocationProfile::isNull):
3188         (JSC::ObjectAllocationProfile::initialize):
3189         * bytecode/Opcode.h:
3190         (JSC::padOpcodeName):
3191         * bytecode/PolymorphicAccess.cpp:
3192         (JSC::AccessCase::generateImpl):
3193         (JSC::PolymorphicAccess::regenerate):
3194         * bytecode/PolymorphicAccess.h:
3195         * bytecode/PreciseJumpTargets.cpp:
3196         * bytecode/StructureStubInfo.cpp:
3197         * bytecode/StructureStubInfo.h:
3198         * bytecode/UnlinkedCodeBlock.cpp:
3199         (JSC::UnlinkedCodeBlock::vm): Deleted.
3200         * bytecode/UnlinkedCodeBlock.h:
3201         * bytecode/UnlinkedInstructionStream.cpp:
3202         * bytecode/UnlinkedInstructionStream.h:
3203         * dfg/DFGOperations.cpp:
3204         * dfg/DFGSpeculativeJIT.cpp:
3205         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
3206         (JSC::DFG::SpeculativeJIT::compileMakeRope):
3207         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
3208         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
3209         * dfg/DFGSpeculativeJIT.h:
3210         (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
3211         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
3212         * dfg/DFGSpeculativeJIT32_64.cpp:
3213         (JSC::DFG::SpeculativeJIT::compile):
3214         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
3215         * dfg/DFGSpeculativeJIT64.cpp:
3216         (JSC::DFG::SpeculativeJIT::compile):
3217         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
3218         * dfg/DFGStrengthReductionPhase.cpp:
3219         (JSC::DFG::StrengthReductionPhase::handleNode):
3220         * ftl/FTLAbstractHeapRepository.h:
3221         * ftl/FTLCompile.cpp:
3222         * ftl/FTLJITFinalizer.cpp:
3223         * ftl/FTLLowerDFGToB3.cpp:
3224         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
3225         (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
3226         (JSC::FTL::DFG::LowerDFGToB3::allocateArrayWithSize):
3227         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
3228         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
3229         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
3230         (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
3231         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
3232         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
3233         (JSC::FTL::DFG::LowerDFGToB3::allocateCell):
3234         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
3235         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
3236         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
3237         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
3238         (JSC::FTL::DFG::LowerDFGToB3::compileAllocateArrayWithSize): Deleted.
3239         * ftl/FTLOutput.cpp:
3240         (JSC::FTL::Output::constBool):
3241         (JSC::FTL::Output::add):
3242         (JSC::FTL::Output::shl):
3243         (JSC::FTL::Output::aShr):
3244         (JSC::FTL::Output::lShr):
3245         (JSC::FTL::Output::zeroExt):
3246         (JSC::FTL::Output::equal):
3247         (JSC::FTL::Output::notEqual):
3248         (JSC::FTL::Output::above):
3249         (JSC::FTL::Output::aboveOrEqual):
3250         (JSC::FTL::Output::below):
3251         (JSC::FTL::Output::belowOrEqual):
3252         (JSC::FTL::Output::greaterThan):
3253         (JSC::FTL::Output::greaterThanOrEqual):
3254         (JSC::FTL::Output::lessThan):
3255         (JSC::FTL::Output::lessThanOrEqual):
3256         (JSC::FTL::Output::select):
3257         (JSC::FTL::Output::appendSuccessor):
3258         (JSC::FTL::Output::addIncomingToPhi):
3259         * ftl/FTLOutput.h:
3260         * ftl/FTLValueFromBlock.h:
3261         (JSC::FTL::ValueFromBlock::operator bool):
3262         (JSC::FTL::ValueFromBlock::ValueFromBlock): Deleted.
3263         * ftl/FTLWeightedTarget.h:
3264         (JSC::FTL::WeightedTarget::frequentedBlock):
3265         * heap/CellContainer.h: Added.
3266         (JSC::CellContainer::CellContainer):
3267         (JSC::CellContainer::operator bool):
3268         (JSC::CellContainer::isMarkedBlock):
3269         (JSC::CellContainer::isLargeAllocation):
3270         (JSC::CellContainer::markedBlock):
3271         (JSC::CellContainer::largeAllocation):
3272         * heap/CellContainerInlines.h: Added.
3273         (JSC::CellContainer::isMarked):
3274         (JSC::CellContainer::isMarkedOrNewlyAllocated):
3275         (JSC::CellContainer::noteMarked):
3276         (JSC::CellContainer::cellSize):
3277         (JSC::CellContainer::weakSet):
3278         (JSC::CellContainer::flipIfNecessary):
3279         * heap/ConservativeRoots.cpp:
3280         (JSC::ConservativeRoots::ConservativeRoots):
3281         (JSC::ConservativeRoots::~ConservativeRoots):
3282         (JSC::ConservativeRoots::grow):
3283         (JSC::ConservativeRoots::genericAddPointer):
3284         (JSC::ConservativeRoots::genericAddSpan):
3285         * heap/ConservativeRoots.h:
3286         (JSC::ConservativeRoots::roots):
3287         * heap/CopyToken.h:
3288         * heap/FreeList.cpp: Added.
3289         (JSC::FreeList::dump):
3290         * heap/FreeList.h: Added.
3291         (JSC::FreeList::FreeList):
3292         (JSC::FreeList::list):
3293         (JSC::FreeList::bump):
3294         (JSC::FreeList::operator==):
3295         (JSC::FreeList::operator!=):
3296         (JSC::FreeList::operator bool):
3297         (JSC::FreeList::allocationWillFail):
3298         (JSC::FreeList::allocationWillSucceed):
3299         * heap/GCTypeMap.h: Added.
3300         (JSC::GCTypeMap::operator[]):
3301         * heap/Heap.cpp:
3302         (JSC::Heap::Heap):
3303         (JSC::Heap::lastChanceToFinalize):
3304         (JSC::Heap::finalizeUnconditionalFinalizers):
3305         (JSC::Heap::markRoots):
3306         (JSC::Heap::copyBackingStores):
3307         (JSC::Heap::gatherStackRoots):
3308         (JSC::Heap::gatherJSStackRoots):
3309         (JSC::Heap::gatherScratchBufferRoots):
3310         (JSC::Heap::clearLivenessData):
3311         (JSC::Heap::visitSmallStrings):
3312         (JSC::Heap::visitConservativeRoots):
3313         (JSC::Heap::removeDeadCompilerWorklistEntries):
3314         (JSC::Heap::gatherExtraHeapSnapshotData):
3315         (JSC::Heap::removeDeadHeapSnapshotNodes):
3316         (JSC::Heap::visitProtectedObjects):
3317         (JSC::Heap::visitArgumentBuffers):
3318         (JSC::Heap::visitException):
3319         (JSC::Heap::visitStrongHandles):
3320         (JSC::Heap::visitHandleStack):
3321         (JSC::Heap::visitSamplingProfiler):
3322         (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
3323         (JSC::Heap::converge):
3324         (JSC::Heap::visitWeakHandles):
3325         (JSC::Heap::updateObjectCounts):
3326         (JSC::Heap::clearUnmarkedExecutables):
3327         (JSC::Heap::deleteUnmarkedCompiledCode):
3328         (JSC::Heap::collectAllGarbage):
3329         (JSC::Heap::collect):
3330         (JSC::Heap::collectWithoutAnySweep):
3331         (JSC::Heap::collectImpl):
3332         (JSC::Heap::suspendCompilerThreads):
3333         (JSC::Heap::willStartCollection):
3334         (JSC::Heap::flushOldStructureIDTables):
3335         (JSC::Heap::flushWriteBarrierBuffer):
3336         (JSC::Heap::stopAllocation):
3337         (JSC::Heap::prepareForMarking):
3338         (JSC::Heap::reapWeakHandles):
3339         (JSC::Heap::pruneStaleEntriesFromWeakGCMaps):
3340         (JSC::Heap::sweepArrayBuffers):
3341         (JSC::MarkedBlockSnapshotFunctor::MarkedBlockSnapshotFunctor):
3342         (JSC::MarkedBlockSnapshotFunctor::operator()):
3343         (JSC::Heap::snapshotMarkedSpace):
3344         (JSC::Heap::deleteSourceProviderCaches):
3345         (JSC::Heap::notifyIncrementalSweeper):
3346         (JSC::Heap::writeBarrierCurrentlyExecutingCodeBlocks):
3347         (JSC::Heap::resetAllocators):
3348         (JSC::Heap::updateAllocationLimits):
3349         (JSC::Heap::didFinishCollection):
3350         (JSC::Heap::resumeCompilerThreads):
3351         (JSC::Zombify::visit):
3352         (JSC::Heap::forEachCodeBlockImpl):
3353         * heap/Heap.h:
3354         (JSC::Heap::allocatorForObjectWithoutDestructor):
3355         (JSC::Heap::allocatorForObjectWithDestructor):
3356         (JSC::Heap::allocatorForAuxiliaryData):
3357         (JSC::Heap::jitStubRoutines):
3358         (JSC::Heap::codeBlockSet):
3359         (JSC::Heap::storageAllocator): Deleted.
3360         * heap/HeapCell.h:
3361         (JSC::HeapCell::isZapped): Deleted.
3362         * heap/HeapCellInlines.h: Added.
3363         (JSC::HeapCell::isLargeAllocation):
3364         (JSC::HeapCell::cellContainer):
3365         (JSC::HeapCell::markedBlock):
3366         (JSC::HeapCell::largeAllocation):
3367         (JSC::HeapCell::heap):
3368         (JSC::HeapCell::vm):
3369         (JSC::HeapCell::cellSize):
3370         (JSC::HeapCell::allocatorAttributes):
3371         (JSC::HeapCell::destructionMode):
3372         (JSC::HeapCell::cellKind):
3373         * heap/HeapInlines.h:
3374         (JSC::Heap::heap):
3375         (JSC::Heap::isLive):
3376         (JSC::Heap::isMarked):
3377         (JSC::Heap::testAndSetMarked):
3378         (JSC::Heap::setMarked):
3379         (JSC::Heap::cellSize):
3380         (JSC::Heap::forEachCodeBlock):
3381         (JSC::Heap::allocateObjectOfType):
3382         (JSC::Heap::subspaceForObjectOfType):
3383         (JSC::Heap::allocatorForObjectOfType):
3384         (JSC::Heap::allocateAuxiliary):
3385         (JSC::Heap::tryAllocateAuxiliary):
3386         (JSC::Heap::tryReallocateAuxiliary):
3387         (JSC::Heap::isPointerGCObject): Deleted.
3388         (JSC::Heap::isValueGCObject): Deleted.
3389         * heap/HeapOperation.cpp: Added.
3390         (WTF::printInternal):
3391         * heap/HeapOperation.h:
3392         * heap/HeapUtil.h: Added.
3393         (JSC::HeapUtil::findGCObjectPointersForMarking):
3394         (JSC::HeapUtil::isPointerGCObjectJSCell):
3395         (JSC::HeapUtil::isValueGCObject):
3396         * heap/IncrementalSweeper.cpp:
3397         (JSC::IncrementalSweeper::sweepNextBlock):
3398         * heap/IncrementalSweeper.h:
3399         * heap/LargeAllocation.cpp: Added.
3400         (JSC::LargeAllocation::tryCreate):
3401         (JSC::LargeAllocation::LargeAllocation):
3402         (JSC::LargeAllocation::lastChanceToFinalize):
3403         (JSC::LargeAllocation::shrink):
3404         (JSC::LargeAllocation::visitWeakSet):
3405         (JSC::LargeAllocation::reapWeakSet):
3406         (JSC::LargeAllocation::flip):
3407         (JSC::LargeAllocation::isEmpty):
3408         (JSC::LargeAllocation::sweep):
3409         (JSC::LargeAllocation::destroy):
3410         (JSC::LargeAllocation::dump):
3411         * heap/LargeAllocation.h: Added.
3412         (JSC::LargeAllocation::fromCell):
3413         (JSC::LargeAllocation::cell):
3414         (JSC::LargeAllocation::isLargeAllocation):
3415         (JSC::LargeAllocation::heap):
3416         (JSC::LargeAllocation::vm):
3417         (JSC::LargeAllocation::weakSet):
3418         (JSC::LargeAllocation::clearNewlyAllocated):
3419         (JSC::LargeAllocation::isNewlyAllocated):
3420         (JSC::LargeAllocation::isMarked):
3421         (JSC::LargeAllocation::isMarkedOrNewlyAllocated):
3422         (JSC::LargeAllocation::isLive):
3423         (JSC::LargeAllocation::hasValidCell):
3424         (JSC::LargeAllocation::cellSize):
3425         (JSC::LargeAllocation::aboveLowerBound):
3426         (JSC::LargeAllocation::belowUpperBound):
3427         (JSC::LargeAllocation::contains):
3428         (JSC::LargeAllocation::attributes):
3429         (JSC::LargeAllocation::flipIfNecessary):
3430         (JSC::LargeAllocation::flipIfNecessaryConcurrently):
3431         (JSC::LargeAllocation::testAndSetMarked):
3432         (JSC::LargeAllocation::setMarked):
3433         (JSC::LargeAllocation::clearMarked):
3434         (JSC::LargeAllocation::noteMarked):
3435         (JSC::LargeAllocation::headerSize):
3436         * heap/MarkedAllocator.cpp:
3437         (JSC::MarkedAllocator::MarkedAllocator):
3438         (JSC::MarkedAllocator::isPagedOut):
3439         (JSC::MarkedAllocator::retire):
3440         (JSC::MarkedAllocator::filterNextBlock):
3441         (JSC::MarkedAllocator::setNextBlockToSweep):
3442         (JSC::MarkedAllocator::tryAllocateWithoutCollectingImpl):
3443         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
3444         (JSC::MarkedAllocator::allocateSlowCase):
3445         (JSC::MarkedAllocator::tryAllocateSlowCase):
3446         (JSC::MarkedAllocator::allocateSlowCaseImpl):
3447         (JSC::blockHeaderSize):
3448         (JSC::MarkedAllocator::blockSizeForBytes):
3449         (JSC::MarkedAllocator::tryAllocateBlock):
3450         (JSC::MarkedAllocator::addBlock):
3451         (JSC::MarkedAllocator::removeBlock):
3452         (JSC::MarkedAllocator::stopAllocating):
3453         (JSC::MarkedAllocator::reset):
3454         (JSC::MarkedAllocator::lastChanceToFinalize):
3455         (JSC::MarkedAllocator::setFreeList):
3456         (JSC::isListPagedOut): Deleted.
3457         (JSC::MarkedAllocator::tryAllocateHelper): Deleted.
3458         (JSC::MarkedAllocator::tryPopFreeList): Deleted.
3459         (JSC::MarkedAllocator::tryAllocate): Deleted.
3460         (JSC::MarkedAllocator::allocateBlock): Deleted.
3461         * heap/MarkedAllocator.h:
3462         (JSC::MarkedAllocator::takeLastActiveBlock):
3463         (JSC::MarkedAllocator::offsetOfFreeList):
3464         (JSC::MarkedAllocator::offsetOfCellSize):
3465         (JSC::MarkedAllocator::tryAllocate):
3466         (JSC::MarkedAllocator::allocate):
3467         (JSC::MarkedAllocator::forEachBlock):
3468         (JSC::MarkedAllocator::offsetOfFreeListHead): Deleted.
3469         (JSC::MarkedAllocator::MarkedAllocator): Deleted.
3470         (JSC::MarkedAllocator::init): Deleted.
3471         (JSC::MarkedAllocator::stopAllocating): Deleted.
3472         * heap/MarkedBlock.cpp:
3473         (JSC::MarkedBlock::tryCreate):
3474         (JSC::MarkedBlock::Handle::Handle):
3475         (JSC::MarkedBlock::Handle::~Handle):
3476         (JSC::MarkedBlock::MarkedBlock):
3477         (JSC::MarkedBlock::Handle::specializedSweep):
3478         (JSC::MarkedBlock::Handle::sweep):
3479         (JSC::MarkedBlock::Handle::sweepHelperSelectScribbleMode):
3480         (JSC::MarkedBlock::Handle::sweepHelperSelectStateAndSweepMode):
3481         (JSC::MarkedBlock::Handle::unsweepWithNoNewlyAllocated):
3482         (JSC::SetNewlyAllocatedFunctor::SetNewlyAllocatedFunctor):
3483         (JSC::SetNewlyAllocatedFunctor::operator()):
3484         (JSC::MarkedBlock::Handle::stopAllocating):
3485         (JSC::MarkedBlock::Handle::lastChanceToFinalize):
3486         (JSC::MarkedBlock::Handle::resumeAllocating):
3487         (JSC::MarkedBlock::Handle::zap):
3488         (JSC::MarkedBlock::Handle::forEachFreeCell):
3489         (JSC::MarkedBlock::flipIfNecessary):
3490         (JSC::MarkedBlock::Handle::flipIfNecessary):
3491         (JSC::MarkedBlock::flipIfNecessarySlow):
3492         (JSC::MarkedBlock::flipIfNecessaryConcurrentlySlow):
3493         (JSC::MarkedBlock::clearMarks):
3494         (JSC::MarkedBlock::assertFlipped):
3495         (JSC::MarkedBlock::needsFlip):
3496         (JSC::MarkedBlock::Handle::needsFlip):
3497         (JSC::MarkedBlock::Handle::willRemoveBlock):
3498         (JSC::MarkedBlock::Handle::didConsumeFreeList):
3499         (JSC::MarkedBlock::markCount):
3500         (JSC::MarkedBlock::Handle::isEmpty):
3501         (JSC::MarkedBlock::clearHasAnyMarked):
3502         (JSC::MarkedBlock::noteMarkedSlow):
3503         (WTF::printInternal):
3504         (JSC::MarkedBlock::create): Deleted.
3505         (JSC::MarkedBlock::destroy): Deleted.
3506         (JSC::MarkedBlock::callDestructor): Deleted.
3507         (JSC::MarkedBlock::specializedSweep): Deleted.
3508         (JSC::MarkedBlock::sweep): Deleted.
3509         (JSC::MarkedBlock::sweepHelper): Deleted.
3510         (JSC::MarkedBlock::stopAllocating): Deleted.
3511         (JSC::MarkedBlock::clearMarksWithCollectionType): Deleted.
3512         (JSC::MarkedBlock::lastChanceToFinalize): Deleted.
3513         (JSC::MarkedBlock::resumeAllocating): Deleted.
3514         (JSC::MarkedBlock::didRetireBlock): Deleted.
3515         * heap/MarkedBlock.h:
3516         (JSC::MarkedBlock::VoidFunctor::returnValue):
3517         (JSC::MarkedBlock::CountFunctor::CountFunctor):
3518         (JSC::MarkedBlock::CountFunctor::count):
3519         (JSC::MarkedBlock::CountFunctor::returnValue):
3520         (JSC::MarkedBlock::Handle::hasAnyNewlyAllocated):
3521         (JSC::MarkedBlock::Handle::isOnBlocksToSweep):
3522         (JSC::MarkedBlock::Handle::setIsOnBlocksToSweep):
3523         (JSC::MarkedBlock::Handle::state):
3524         (JSC::MarkedBlock::needsDestruction):
3525         (JSC::MarkedBlock::handle):
3526         (JSC::MarkedBlock::Handle::block):
3527         (JSC::MarkedBlock::firstAtom):
3528         (JSC::MarkedBlock::atoms):
3529         (JSC::MarkedBlock::isAtomAligned):
3530         (JSC::MarkedBlock::Handle::cellAlign):
3531         (JSC::MarkedBlock::blockFor):
3532         (JSC::MarkedBlock::Handle::allocator):
3533         (JSC::MarkedBlock::Handle::heap):
3534         (JSC::MarkedBlock::Handle::vm):
3535         (JSC::MarkedBlock::vm):
3536         (JSC::MarkedBlock::Handle::weakSet):
3537         (JSC::MarkedBlock::weakSet):
3538         (JSC::MarkedBlock::Handle::shrink):
3539         (JSC::MarkedBlock::Handle::visitWeakSet):
3540         (JSC::MarkedBlock::Handle::reapWeakSet):
3541         (JSC::MarkedBlock::Handle::cellSize):
3542         (JSC::MarkedBlock::cellSize):
3543         (JSC::MarkedBlock::Handle::attributes):
3544         (JSC::MarkedBlock::attributes):
3545         (JSC::MarkedBlock::Handle::needsDestruction):
3546         (JSC::MarkedBlock::Handle::destruction):
3547         (JSC::MarkedBlock::Handle::cellKind):
3548         (JSC::MarkedBlock::Handle::markCount):
3549         (JSC::MarkedBlock::Handle::size):
3550         (JSC::MarkedBlock::atomNumber):
3551         (JSC::MarkedBlock::flipIfNecessary):
3552         (JSC::MarkedBlock::flipIfNecessaryConcurrently):
3553         (JSC::MarkedBlock::Handle::flipIfNecessary):
3554         (JSC::MarkedBlock::Handle::flipIfNecessaryConcurrently):
3555         (JSC::MarkedBlock::Handle::flipForEdenCollection):
3556         (JSC::MarkedBlock::assertFlipped):
3557         (JSC::MarkedBlock::Handle::assertFlipped):
3558         (JSC::MarkedBlock::isMarked):
3559         (JSC::MarkedBlock::testAndSetMarked):
3560         (JSC::MarkedBlock::Handle::isNewlyAllocated):
3561         (JSC::MarkedBlock::Handle::setNewlyAllocated):
3562         (JSC::MarkedBlock::Handle::clearNewlyAllocated):
3563         (JSC::MarkedBlock::Handle::isMarkedOrNewlyAllocated):
3564         (JSC::MarkedBlock::isMarkedOrNewlyAllocated):
3565         (JSC::MarkedBlock::Handle::isLive):
3566         (JSC::MarkedBlock::isAtom):
3567         (JSC::MarkedBlock::Handle::isLiveCell):
3568         (JSC::MarkedBlock::Handle::forEachCell):
3569         (JSC::MarkedBlock::Handle::forEachLiveCell):
3570         (JSC::MarkedBlock::Handle::forEachDeadCell):
3571         (JSC::MarkedBlock::Handle::needsSweeping):
3572         (JSC::MarkedBlock::Handle::isAllocated):
3573         (JSC::MarkedBlock::Handle::isMarked):
3574         (JSC::MarkedBlock::Handle::isFreeListed):
3575         (JSC::MarkedBlock::hasAnyMarked):
3576         (JSC::MarkedBlock::noteMarked):
3577         (WTF::MarkedBlockHash::hash):
3578         (JSC::MarkedBlock::FreeList::FreeList): Deleted.
3579         (JSC::MarkedBlock::allocator): Deleted.
3580         (JSC::MarkedBlock::heap): Deleted.
3581         (JSC::MarkedBlock::shrink): Deleted.
3582         (JSC::MarkedBlock::visitWeakSet): Deleted.
3583         (JSC::MarkedBlock::reapWeakSet): Deleted.
3584         (JSC::MarkedBlock::willRemoveBlock): Deleted.
3585         (JSC::MarkedBlock::didConsumeFreeList): Deleted.
3586         (JSC::MarkedBlock::markCount): Deleted.
3587         (JSC::MarkedBlock::isEmpty): Deleted.
3588         (JSC::MarkedBlock::destruction): Deleted.
3589         (JSC::MarkedBlock::cellKind): Deleted.
3590         (JSC::MarkedBlock::size): Deleted.
3591         (JSC::MarkedBlock::capacity): Deleted.
3592         (JSC::MarkedBlock::setMarked): Deleted.
3593         (JSC::MarkedBlock::clearMarked): Deleted.
3594         (JSC::MarkedBlock::isNewlyAllocated): Deleted.
3595         (JSC::MarkedBlock::setNewlyAllocated): Deleted.
3596         (JSC::MarkedBlock::clearNewlyAllocated): Deleted.
3597         (JSC::MarkedBlock::isLive): Deleted.
3598         (JSC::MarkedBlock::isLiveCell): Deleted.
3599         (JSC::MarkedBlock::forEachCell): Deleted.
3600         (JSC::MarkedBlock::forEachLiveCell): Deleted.
3601         (JSC::MarkedBlock::forEachDeadCell): Deleted.
3602         (JSC::MarkedBlock::needsSweeping): Deleted.
3603         (JSC::MarkedBlock::isAllocated): Deleted.
3604         (JSC::MarkedBlock::isMarkedOrRetired): Deleted.
3605         * heap/MarkedSpace.cpp:
3606         (JSC::MarkedSpace::initializeSizeClassForStepSize):
3607         (JSC::MarkedSpace::MarkedSpace):
3608         (JSC::MarkedSpace::~MarkedSpace):
3609         (JSC::MarkedSpace::lastChanceToFinalize):
3610         (JSC::MarkedSpace::allocate):
3611         (JSC::MarkedSpace::tryAllocate):
3612         (JSC::MarkedSpace::allocateLarge):
3613         (JSC::MarkedSpace::tryAllocateLarge):
3614         (JSC::MarkedSpace::sweep):
3615         (JSC::MarkedSpace::sweepLargeAllocations):
3616         (JSC::MarkedSpace::zombifySweep):
3617         (JSC::MarkedSpace::resetAllocators):
3618         (JSC::MarkedSpace::visitWeakSets):
3619         (JSC::MarkedSpace::reapWeakSets):
3620         (JSC::MarkedSpace::stopAllocating):
3621         (JSC::MarkedSpace::prepareForMarking):
3622         (JSC::MarkedSpace::resumeAllocating):
3623         (JSC::MarkedSpace::isPagedOut):
3624         (JSC::MarkedSpace::freeBlock):
3625         (JSC::MarkedSpace::freeOrShrinkBlock):
3626         (JSC::MarkedSpace::shrink):
3627         (JSC::MarkedSpace::clearNewlyAllocated):
3628         (JSC::VerifyMarked::operator()):
3629         (JSC::MarkedSpace::flip):
3630         (JSC::MarkedSpace::objectCount):
3631         (JSC::MarkedSpace::size):
3632         (JSC::MarkedSpace::capacity):
3633         (JSC::MarkedSpace::addActiveWeakSet):
3634         (JSC::MarkedSpace::didAddBlock):
3635         (JSC::MarkedSpace::didAllocateInBlock):
3636         (JSC::MarkedSpace::forEachAllocator): Deleted.
3637         (JSC::VerifyMarkedOrRetired::operator()): Deleted.
3638         (JSC::MarkedSpace::clearMarks): Deleted.
3639         * heap/MarkedSpace.h:
3640         (JSC::MarkedSpace::sizeClassToIndex):
3641         (JSC::MarkedSpace::indexToSizeClass):
3642         (JSC::MarkedSpace::version):
3643         (JSC::MarkedSpace::blocksWithNewObjects):
3644         (JSC::MarkedSpace::largeAllocations):
3645         (JSC::MarkedSpace::largeAllocationsNurseryOffset):
3646         (JSC::MarkedSpace::largeAllocationsOffsetForThisCollection):
3647         (JSC::MarkedSpace::largeAllocationsForThisCollectionBegin):
3648         (JSC::MarkedSpace::largeAllocationsForThisCollectionEnd):
3649         (JSC::MarkedSpace::largeAllocationsForThisCollectionSize):
3650         (JSC::MarkedSpace::forEachLiveCell):
3651         (JSC::MarkedSpace::forEachDeadCell):
3652         (JSC::MarkedSpace::allocatorFor):
3653         (JSC::MarkedSpace::destructorAllocatorFor):
3654         (JSC::MarkedSpace::auxiliaryAllocatorFor):
3655         (JSC::MarkedSpace::allocateWithoutDestructor):
3656         (JSC::MarkedSpace::allocateWithDestructor):
3657         (JSC::MarkedSpace::allocateAuxiliary):
3658         (JSC::MarkedSpace::tryAllocateAuxiliary):
3659         (JSC::MarkedSpace::forEachBlock):
3660         (JSC::MarkedSpace::forEachAllocator):
3661         (JSC::MarkedSpace::optimalSizeFor):
3662         (JSC::MarkedSpace::didAddBlock): Deleted.
3663         (JSC::MarkedSpace::didAllocateInBlock): Deleted.
3664         (JSC::MarkedSpace::objectCount): Deleted.
3665         (JSC::MarkedSpace::size): Deleted.
3666         (JSC::MarkedSpace::capacity): Deleted.
3667         * heap/SlotVisitor.cpp:
3668         (JSC::SlotVisitor::SlotVisitor):
3669         (JSC::SlotVisitor::didStartMarking):
3670         (JSC::SlotVisitor::reset):
3671         (JSC::SlotVisitor::append):
3672         (JSC::SlotVisitor::appendJSCellOrAuxiliary):
3673         (JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
3674         (JSC::SlotVisitor::appendToMarkStack):
3675         (JSC::SlotVisitor::markAuxiliary):
3676         (JSC::SlotVisitor::noteLiveAuxiliaryCell):
3677         (JSC::SlotVisitor::visitChildren):
3678         * heap/SlotVisitor.h:
3679         * heap/WeakBlock.cpp:
3680         (JSC::WeakBlock::create):
3681         (JSC::WeakBlock::WeakBlock):
3682         (JSC::WeakBlock::visit):
3683         (JSC::WeakBlock::reap):
3684         * heap/WeakBlock.h:
3685         (JSC::WeakBlock::disconnectContainer):
3686         (JSC::WeakBlock::disconnectMarkedBlock): Deleted.
3687         * heap/WeakSet.cpp:
3688         (JSC::WeakSet::~WeakSet):
3689         (JSC::WeakSet::sweep):
3690         (JSC::WeakSet::shrink):
3691         (JSC::WeakSet::addAllocator):
3692         * heap/WeakSet.h:
3693         (JSC::WeakSet::container):
3694         (JSC::WeakSet::setContainer):
3695         (JSC::WeakSet::WeakSet):
3696         (JSC::WeakSet::visit):
3697         (JSC::WeakSet::shrink): Deleted.
3698         * heap/WeakSetInlines.h:
3699         (JSC::WeakSet::allocate):
3700         * inspector/InjectedScriptManager.cpp:
3701         * inspector/JSGlobalObjectInspectorController.cpp:
3702         * inspector/JSJavaScriptCallFrame.cpp:
3703         * inspector/ScriptDebugServer.cpp:
3704         * inspector/agents/InspectorDebuggerAgent.cpp:
3705         * interpreter/CachedCall.h:
3706         (JSC::CachedCall::CachedCall):
3707         * interpreter/Interpreter.cpp:
3708         (JSC::loadVarargs):
3709         (JSC::StackFrame::sourceID): Deleted.
3710         (JSC::StackFrame::sourceURL): Deleted.
3711         (JSC::StackFrame::functionName): Deleted.
3712         (JSC::StackFrame::computeLineAndColumn): Deleted.
3713         (JSC::StackFrame::toString): Deleted.
3714         * interpreter/Interpreter.h:
3715         (JSC::StackFrame::isNative): Deleted.
3716         * jit/AssemblyHelpers.h:
3717         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
3718         (JSC::AssemblyHelpers::emitAllocate):
3719         (JSC::AssemblyHelpers::emitAllocateJSCell):
3720         (JSC::AssemblyHelpers::emitAllocateJSObject):
3721         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
3722         (JSC::AssemblyHelpers::emitAllocateVariableSized):
3723         * jit/GCAwareJITStubRoutine.cpp:
3724         (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
3725         * jit/JIT.cpp:
3726         (JSC::JIT::compileCTINativeCall):
3727         (JSC::JIT::link):
3728         * jit/JIT.h:
3729         (JSC::JIT::compileCTINativeCall): Deleted.
3730         * jit/JITExceptions.cpp:
3731         (JSC::genericUnwind):
3732         * jit/JITExceptions.h:
3733         * jit/JITOpcodes.cpp:
3734         (JSC::JIT::emit_op_new_object):
3735         (JSC::JIT::emitSlow_op_new_object):
3736         (JSC::JIT::emit_op_create_this):
3737         (JSC::JIT::emitSlow_op_create_this):
3738         * jit/JITOpcodes32_64.cpp:
3739         (JSC::JIT::emit_op_new_object):
3740         (JSC::JIT::emitSlow_op_new_object):
3741         (JSC::JIT::emit_op_create_this):
3742         (JSC::JIT::emitSlow_op_create_this):
3743         * jit/JITOperations.cpp:
3744         * jit/JITOperations.h:
3745         * jit/JITPropertyAccess.cpp:
3746         (JSC::JIT::emitWriteBarrier):
3747         * jit/JITThunks.cpp:
3748         * jit/JITThunks.h:
3749         * jsc.cpp:
3750         (functionDescribeArray):
3751         (main):
3752         * llint/LLIntData.cpp:
3753         (JSC::LLInt::Data::performAssertions):
3754         * llint/LLIntExceptions.cpp:
3755         * llint/LLIntThunks.cpp:
3756         * llint/LLIntThunks.h:
3757         * llint/LowLevelInterpreter.asm:
3758         * llint/LowLevelInterpreter.cpp:
3759         * llint/LowLevelInterpreter32_64.asm:
3760         * llint/LowLevelInterpreter64.asm:
3761         * parser/ModuleAnalyzer.cpp:
3762         * parser/NodeConstructors.h:
3763         * parser/Nodes.h:
3764         * profiler/ProfilerBytecode.cpp:
3765         * profiler/ProfilerBytecode.h:
3766         * profiler/ProfilerBytecodeSequence.cpp:
3767         * runtime/ArrayConventions.h:
3768         (JSC::indexingHeaderForArrayStorage):
3769         (JSC::baseIndexingHeaderForArrayStorage):
3770         (JSC::indexingHeaderForArray): Deleted.
3771         (JSC::baseIndexingHeaderForArray): Deleted.
3772         * runtime/ArrayPrototype.cpp:
3773         (JSC::arrayProtoFuncSplice):
3774         (JSC::concatAppendOne):
3775         (JSC::arrayProtoPrivateFuncConcatMemcpy):
3776         * runtime/ArrayStorage.h:
3777         (JSC::ArrayStorage::vectorLength):
3778         (JSC::ArrayStorage::totalSizeFor):
3779         (JSC::ArrayStorage::totalSize):
3780         (JSC::ArrayStorage::availableVectorLength):
3781         (JSC::ArrayStorage::optimalVectorLength):
3782         (JSC::ArrayStorage::sizeFor): Deleted.
3783         * runtime/AuxiliaryBarrier.h: Added.
3784         (JSC::AuxiliaryBarrier::AuxiliaryBarrier):
3785         (JSC::AuxiliaryBarrier::clear):
3786         (JSC::AuxiliaryBarrier::get):
3787         (JSC::AuxiliaryBarrier::slot):
3788         (JSC::AuxiliaryBarrier::operator bool):
3789         (JSC::AuxiliaryBarrier::setWithoutBarrier):
3790         * runtime/AuxiliaryBarrierInlines.h: Added.
3791         (JSC::AuxiliaryBarrier<T>::AuxiliaryBarrier):
3792         (JSC::AuxiliaryBarrier<T>::set):
3793         * runtime/Butterfly.h:
3794         * runtime/ButterflyInlines.h:
3795         (JSC::Butterfly::availableContiguousVectorLength):
3796         (JSC::Butterfly::optimalContiguousVectorLength):
3797         (JSC::Butterfly::createUninitialized):
3798         (JSC::Butterfly::growArrayRight):
3799         * runtime/ClonedArguments.cpp:
3800         (JSC::ClonedArguments::createEmpty):
3801         * runtime/CommonSlowPathsExceptions.cpp:
3802         * runtime/CommonSlowPathsExceptions.h:
3803         * runtime/DataView.cpp:
3804         * runtime/DirectArguments.h:
3805         * runtime/ECMAScriptSpecInternalFunctions.cpp:
3806         * runtime/Error.cpp:
3807         * runtime/Error.h:
3808         * runtime/ErrorInstance.cpp:
3809         * runtime/ErrorInstance.h:
3810         * runtime/Exception.cpp:
3811         * runtime/Exception.h:
3812         * runtime/GeneratorFrame.cpp:
3813         * runtime/GeneratorPrototype.cpp:
3814         * runtime/InternalFunction.cpp:
3815         (JSC::InternalFunction::InternalFunction):
3816         * runtime/IntlCollator.cpp:
3817         * runtime/IntlCollatorConstructor.cpp:
3818         * runtime/IntlCollatorPrototype.cpp:
3819         * runtime/IntlDateTimeFormat.cpp:
3820         * runtime/IntlDateTimeFormatConstructor.cpp:
3821         * runtime/IntlDateTimeFormatPrototype.cpp:
3822         * runtime/IntlNumberFormat.cpp:
3823         * runtime/IntlNumberFormatConstructor.cpp:
3824         * runtime/IntlNumberFormatPrototype.cpp:
3825         * runtime/IntlObject.cpp:
3826         * runtime/IteratorPrototype.cpp:
3827         * runtime/JSArray.cpp:
3828         (JSC::JSArray::tryCreateUninitialized):
3829         (JSC::JSArray::setLengthWritable):
3830         (JSC::JSArray::unshiftCountSlowCase):
3831         (JSC::JSArray::setLengthWithArrayStorage):
3832         (JSC::JSArray::appendMemcpy):
3833         (JSC::JSArray::setLength):
3834         (JSC::JSArray::pop):
3835         (JSC::JSArray::push):
3836         (JSC::JSArray::fastSlice):
3837         (JSC::JSArray::shiftCountWithArrayStorage):
3838         (JSC::JSArray::shiftCountWithAnyIndexingType):
3839         (JSC::JSArray::unshiftCountWithArrayStorage):
3840         (JSC::JSArray::fillArgList):
3841         (JSC::JSArray::copyToArguments):
3842         * runtime/JSArray.h:
3843         (JSC::createContiguousArrayButterfly):
3844         (JSC::createArrayButterfly):
3845         (JSC::JSArray::create):
3846         (JSC::JSArray::tryCreateUninitialized): Deleted.
3847         * runtime/JSArrayBufferView.h:
3848         * runtime/JSCInlines.h:
3849         * runtime/JSCJSValue.cpp: