d076f35c73c36c493242833474084428e9594f06
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2016-09-01  Saam Barati  <sbarati@apple.com>

        JITMathIC was misusing maxJumpReplacementSize
        https://bugs.webkit.org/show_bug.cgi?id=161356
        <rdar://problem/28065560>

        Reviewed by Benjamin Poulain.

        JITMathIC was assuming that maxJumpReplacementSize is the size
        you'd get if you emitted a patchableJump() using the macro assembler.
        This is not true, however. It happens to be true on arm64, x86 and x86-64;
        however, it is not true on armv7. This patch introduces an alternative to
        maxJumpReplacementSize called patchableJumpSize, and switches JITMathIC
        to use that number instead.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::patchableJumpSize):
        (JSC::ARM64Assembler::maxJumpReplacementSize): Deleted.
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::patchableJumpSize):
        (JSC::ARMv7Assembler::maxJumpReplacementSize): Deleted.
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::patchableJumpSize):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::patchableJumpSize):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::patchableJumpSize):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::patchableJumpSize):
        (JSC::X86Assembler::maxJumpReplacementSize): Deleted.
        * jit/JITMathIC.h:
        (JSC::JITMathIC::generateInline):

2016-08-31  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Add initiator parameter to module pipeline
        https://bugs.webkit.org/show_bug.cgi?id=161470

        Reviewed by Saam Barati.

        The fetching semantics of the <script type="module"> tag has per module-tag context.
        For example, "nonce", "crossorigin" etc. attributes are shared in the fetching requests
        issued from the module-tag. To transfer this information, we add a new parameter "initiator"
        to the module loader pipeline. We are planning to transfer information by this parameter.

        At the same time, we also perform some clean up.

        - Use arrow function in ModuleLoaderPrototype.js.
        - Rename "ResolveDependencies" to "Satisfy" to align to the loader spec.

        * builtins/ModuleLoaderPrototype.js:
        (newRegistryEntry):
        (commitInstantiated):
        (requestFetch):
        (requestTranslate):
        (requestInstantiate):
        (requestSatisfy):
        (requestInstantiateAll):
        (requestLink):
        (moduleEvaluation):
        (provide):
        (loadAndEvaluateModule):
        (requestResolveDependencies.): Deleted.
        (requestResolveDependencies): Deleted.
        (requestReady): Deleted.
        (link): Deleted.
        (loadModule): Deleted.
        (linkAndEvaluateModule): Deleted.
        * bytecode/BytecodeIntrinsicRegistry.cpp:
        (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
        * bytecode/BytecodeIntrinsicRegistry.h:
        * jsc.cpp:
        (GlobalObject::moduleLoaderResolve):
        (GlobalObject::moduleLoaderFetch):
        * runtime/Completion.cpp:
        (JSC::loadAndEvaluateModule):
        (JSC::loadModule):
        (JSC::linkAndEvaluateModule):
        * runtime/Completion.h:
        * runtime/JSGlobalObject.h:
        * runtime/JSModuleLoader.cpp:
        (JSC::JSModuleLoader::loadAndEvaluateModule):
        (JSC::JSModuleLoader::loadModule):
        (JSC::JSModuleLoader::linkAndEvaluateModule):
        (JSC::JSModuleLoader::resolve):
        (JSC::JSModuleLoader::fetch):
        (JSC::JSModuleLoader::translate):
        (JSC::JSModuleLoader::instantiate):
        (JSC::JSModuleLoader::evaluate):
        * runtime/JSModuleLoader.h:
        * runtime/ModuleLoaderPrototype.cpp:
        (JSC::moduleLoaderPrototypeResolve):
        (JSC::moduleLoaderPrototypeFetch):
        (JSC::moduleLoaderPrototypeTranslate):
        (JSC::moduleLoaderPrototypeInstantiate):
        (JSC::moduleLoaderPrototypeEvaluate):

2016-08-31  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] linking and evaluating the modules are done in a sync manner
        https://bugs.webkit.org/show_bug.cgi?id=161467

        Reviewed by Saam Barati.

        While the fetching and the other stages are done in an asynchronous manner,
        linking and evaluating are done in a sync manner.
        Just return the result value and do not wrap them with the internal promise.

        * builtins/ModuleLoaderPrototype.js:
        (linkAndEvaluateModule):
        * runtime/Completion.cpp:
        (JSC::linkAndEvaluateModule):
        * runtime/Completion.h:
        * runtime/JSModuleLoader.cpp:
        (JSC::JSModuleLoader::linkAndEvaluateModule):
        * runtime/JSModuleLoader.h:

2016-08-31  Yusuke Suzuki  <utatane.tea@gmail.com>

        stress/random-53bit.js.ftl-no-cjit-no-inline-validate sometimes fails
        https://bugs.webkit.org/show_bug.cgi?id=161436

        Reviewed by Filip Pizlo.

        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionGetRandomSeed):
        (functionSetRandomSeed):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::weakRandom):
        (JSC::JSGlobalObject::weakRandomInteger): Deleted.

2016-08-31  Chris Dumez  <cdumez@apple.com>

        Object.getPrototypeOf() should return null cross-origin
        https://bugs.webkit.org/show_bug.cgi?id=161393

        Reviewed by Geoffrey Garen.

        Object.getPrototypeOf() should return null cross-origin:
        - https://html.spec.whatwg.org/#windowproxy-getprototypeof
        - https://html.spec.whatwg.org/#location-getprototypeof

        Firefox and Chrome return null. However, WebKit was returning undefined.

        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):

2016-08-31  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] AbstractValue can contain padding which is not zero-filled
        https://bugs.webkit.org/show_bug.cgi?id=161427

        Reviewed by Saam Barati.

        We checked that AbstractValue is zero-filled when initializing it to ensure
        that zero-filled memory can be used as the initialized AbstractValue.
        However, since the size of SpeculatedType became 64-bit, AbstractValue can have
        padding now. And it is not ensured that this padding is initialized with zeros.
        So debug assertion fails when building with GCC.

        This patch changes the strategy. Instead of checking that the initialized
        AbstractValue is zero-filled, we ensure that a zero-filled AbstractValue can be
        considered to be equal to the initialized AbstractValue.

        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::ensureCanInitializeWithZeros):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::AbstractValue):

2016-08-31  Brady Eidson  <beidson@apple.com>

        WK2 Gamepad provider on iOS.
        https://bugs.webkit.org/show_bug.cgi?id=161412

        Reviewed by Tim Horton.

        * Configurations/FeatureDefines.xcconfig:

2016-08-30  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Some arith nodes are too pessimistic with the types supported on the fast path
        https://bugs.webkit.org/show_bug.cgi?id=161410

        Reviewed by Geoffrey Garen.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        DoubleRep is able to convert numbers, undefined, booleans and null.
        I was too pessimistic when I gated the double implementations
        on number-or-boolean speculation. We can just let DoubleRep convert
        the other cases as long as it is not a Cell.

2016-08-30  Chris Dumez  <cdumez@apple.com>

        Unreviewed, fix build after r205205.

        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorSetPrototypeOf):

2016-08-30  Chris Dumez  <cdumez@apple.com>

        Object.setPrototypeOf() should throw when used on a cross-origin Window / Location object
        https://bugs.webkit.org/show_bug.cgi?id=161396

        Reviewed by Ryosuke Niwa.

        Object.setPrototypeOf() should throw when used on a cross-origin Window / Location object:
        - https://html.spec.whatwg.org/#windowproxy-setprototypeof
        - https://html.spec.whatwg.org/#location-setprototypeof
        - https://tc39.github.io/ecma262/#sec-object.setprototypeof (step 5)

        Firefox and Chrome already throw. However, WebKit merely ignores the call and logs an error message.

        Note that technically, we should also throw in the same origin case.
        However, not all browsers agree on this yet so I haven't changed
        the behavior for the same origin case.

        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorSetPrototypeOf):
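The two Chris Dumez entries above (Object.getPrototypeOf() returning null cross-origin, and Object.setPrototypeOf() throwing cross-origin) both come down to what the object's internal [[GetPrototypeOf]] / [[SetPrototypeOf]] methods return and what the ECMAScript built-ins do with that result. The script below is an added example, not WebKit code and not part of this ChangeLog: it models a cross-origin WindowProxy with a Proxy whose traps return what the cited HTML spec sections prescribe (null from [[GetPrototypeOf]]; SetImmutablePrototype semantics, i.e. true only for the prototype already in place, from [[SetPrototypeOf]]), and then shows the step-5 behaviour of Object.setPrototypeOf (TypeError) next to Reflect.setPrototypeOf (plain false). The Proxy, its target and all helper names are constructed for the demonstration; the same step-5 rule is also shown on an ordinary non-extensible object so the general case is visible.

```javascript
// Added example (not WebKit code): model a cross-origin WindowProxy's
// [[GetPrototypeOf]] and [[SetPrototypeOf]] with a Proxy so the spec steps
// cited in the ChangeLog can be observed in Node:
//   - html.spec.whatwg.org/#windowproxy-getprototypeof: cross-origin -> null
//   - html.spec.whatwg.org/#windowproxy-setprototypeof: SetImmutablePrototype,
//     i.e. true only when the requested prototype is the current one (null)
//   - ecma262 Object.setPrototypeOf step 5: internal method returned false
//     -> throw TypeError; Reflect.setPrototypeOf instead returns that false.
// The proxy, its target and the helper names are constructed for this demo.

function makeCrossOriginLikeProxy() {
  const target = {}; // extensible, so the Proxy invariants permit these traps
  return new Proxy(target, {
    getPrototypeOf() {
      return null;
    },
    setPrototypeOf(_target, requested) {
      // SetImmutablePrototype(W, V): SameValue(V, current prototype)
      return requested === null;
    },
  });
}

// Run Object.setPrototypeOf and classify the outcome instead of letting the
// exception escape, so the result can be compared with Reflect.setPrototypeOf.
function setPrototypeOutcome(obj, proto) {
  try {
    Object.setPrototypeOf(obj, proto);
    return "ok";
  } catch (e) {
    return e instanceof TypeError ? "TypeError" : "other";
  }
}

// Exercise one object with a prototype that differs from its current one and
// return everything worth checking.
function probe(obj, otherProto) {
  const current = Object.getPrototypeOf(obj);
  return {
    proto: current,
    objectSet: setPrototypeOutcome(obj, otherProto),   // step 5: TypeError
    reflectSet: Reflect.setPrototypeOf(obj, otherProto), // plain false
    objectSetSame: setPrototypeOutcome(obj, current),   // no-op, allowed
  };
}

// An ordinary object that refuses prototype changes for a different reason
// (it is non-extensible) goes through the same step-5 rule.
function probeNonExtensible() {
  return probe(Object.preventExtensions({}), null);
}

const crossOriginLike = makeCrossOriginLikeProxy();
console.log(probe(crossOriginLike, Object.prototype));
// { proto: null, objectSet: 'TypeError', reflectSet: false, objectSetSame: 'ok' }
console.log(probeNonExtensible());
```

Run it with `node`. The first line of output is the cross-origin-like case: null prototype, TypeError from Object.setPrototypeOf, false from Reflect.setPrototypeOf, and no error when the requested prototype is the one already in place. The second probe shows that an ordinary non-extensible object yields the same TypeError/false pair, which is why the ChangeLog can point at a single spec step for both the Window and Location cases.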

2016-08-30  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Clean up the remaining compare nodes in FTLCapabilities
        https://bugs.webkit.org/show_bug.cgi?id=161400

        Reviewed by Geoffrey Garen.

        It looks like we implemented all the cases without realizing it.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compare):

2016-08-30  Mark Lam  <mark.lam@apple.com>

        Introduce the ThrowScope and force every throw site to instantiate a ThrowScope.
        https://bugs.webkit.org/show_bug.cgi?id=161171

        Reviewed by Filip Pizlo and Geoffrey Garen.

        This is the first step towards having a mechanism (using the ThrowScope) to
        verify that we're properly checking for exceptions in all the needed places.
        See comments at the top of ThrowScope.cpp for details on how the ThrowScope works.

        This patch only introduces the ThrowScope, and changes all throw sites to throw
        using a ThrowScope instance.  VM::throwException() functions are now private, and
        cannot be accessed directly.  All throws must now go through a ThrowScope.

        Verification is disabled for the moment until we can fix all the verification
        failures that will show up.

        I also did a smoke test of the ThrowScope mechanisms by running verification on
        the JSTests/stress/op-add-exceptions.js test with a local build with verification
        turned on.

        Performance is neutral on aggregate with this patch.

        Misc other changes:
        - deleted the unused CALL_THROW() macro from LLIntSlowPaths.cpp.
        - moved createListFromArrayLike() from JSObject.h to JSObjectInlines.h.

        * API/APICallbackFunction.h:
        (JSC::APICallbackFunction::call):
        (JSC::APICallbackFunction::construct):
        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
        (JSC::JSCallbackObject<Parent>::defaultValue):
        (JSC::JSCallbackObject<Parent>::put):
        (JSC::JSCallbackObject<Parent>::putByIndex):
        (JSC::JSCallbackObject<Parent>::deleteProperty):
        (JSC::JSCallbackObject<Parent>::construct):
        (JSC::JSCallbackObject<Parent>::customHasInstance):
        (JSC::JSCallbackObject<Parent>::call):
        (JSC::JSCallbackObject<Parent>::getStaticValue):
        (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
        (JSC::JSCallbackObject<Parent>::callbackGetter):
        * API/JSTypedArray.cpp:
        (createTypedArray):
        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGOperations.cpp:
        (JSC::DFG::newTypedArrayWithSize):
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
        * inspector/JSInjectedScriptHostPrototype.cpp:
        (Inspector::jsInjectedScriptHostPrototypeAttributeEvaluate):
        (Inspector::jsInjectedScriptHostPrototypeFunctionInternalConstructorName):
        (Inspector::jsInjectedScriptHostPrototypeFunctionIsHTMLAllCollection):
        (Inspector::jsInjectedScriptHostPrototypeFunctionWeakMapSize):
        (Inspector::jsInjectedScriptHostPrototypeFunctionWeakMapEntries):
        (Inspector::jsInjectedScriptHostPrototypeFunctionWeakSetSize):
        (Inspector::jsInjectedScriptHostPrototypeFunctionWeakSetEntries):
        (Inspector::jsInjectedScriptHostPrototypeFunctionIteratorEntries):
        (Inspector::jsInjectedScriptHostPrototypeFunctionEvaluateWithScopeExtension):
        (Inspector::jsInjectedScriptHostPrototypeFunctionSubtype):
        (Inspector::jsInjectedScriptHostPrototypeFunctionFunctionDetails):
        (Inspector::jsInjectedScriptHostPrototypeFunctionGetInternalProperties):
        * inspector/JSJavaScriptCallFrame.cpp:
        (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
        * inspector/JSJavaScriptCallFramePrototype.cpp:
        (Inspector::jsJavaScriptCallFramePrototypeFunctionEvaluateWithScopeExtension):
        (Inspector::jsJavaScriptCallFramePrototypeFunctionScopeDescriptions):
        (Inspector::jsJavaScriptCallFrameAttributeCaller):
        (Inspector::jsJavaScriptCallFrameAttributeSourceID):
        (Inspector::jsJavaScriptCallFrameAttributeLine):
        (Inspector::jsJavaScriptCallFrameAttributeColumn):
        (Inspector::jsJavaScriptCallFrameAttributeFunctionName):
        (Inspector::jsJavaScriptCallFrameAttributeScopeChain):
        (Inspector::jsJavaScriptCallFrameAttributeThisObject):
        (Inspector::jsJavaScriptCallFrameAttributeType):
        (Inspector::jsJavaScriptCallFrameIsTailDeleted):
        * interpreter/CachedCall.h:
        (JSC::CachedCall::CachedCall):
        * interpreter/Interpreter.cpp:
        (JSC::eval):
        (JSC::sizeOfVarargs):
        (JSC::sizeFrameForForwardArguments):
        (JSC::sizeFrameForVarargs):
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall):
        * jit/JITOperations.cpp:
        * jsc.cpp:
        (WTF::CustomGetter::customGetter):
        (WTF::RuntimeArray::lengthGetter):
        (functionCreateElement):
        (functionRun):
        (functionRunString):
        (functionLoad):
        (functionLoadString):
        (functionReadFile):
        (functionCheckSyntax):
        (functionTransferArrayBuffer):
        (functionLoadModule):
        (functionCheckModuleSyntax):
        (functionSamplingProfilerStackTraces):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::getByVal):
        (JSC::LLInt::handleHostCall):
        (JSC::LLInt::setUpCall):
        (JSC::LLInt::llint_throw_stack_overflow_error):
        * runtime/ArrayConstructor.cpp:
        (JSC::constructArrayWithSizeQuirk):
        * runtime/ArrayConstructor.h:
        (JSC::isArray):
        * runtime/ArrayPrototype.cpp:
        (JSC::shift):
        (JSC::unshift):
        (JSC::arrayProtoFuncToString):
        (JSC::arrayProtoFuncPop):
        (JSC::arrayProtoFuncReverse):
        (JSC::arrayProtoFuncSplice):
        (JSC::concatAppendOne):
        (JSC::arrayProtoPrivateFuncConcatMemcpy):
        * runtime/BooleanPrototype.cpp:
        (JSC::booleanProtoFuncToString):
        (JSC::booleanProtoFuncValueOf):
        * runtime/CommonSlowPaths.cpp:
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::opIn):
        * runtime/CommonSlowPathsExceptions.cpp:
        (JSC::CommonSlowPaths::interpreterThrowInCaller):
        * runtime/ConstructData.cpp:
        (JSC::construct):
        * runtime/DatePrototype.cpp:
        (JSC::formateDateInstance):
        (JSC::dateProtoFuncToISOString):
        (JSC::dateProtoFuncToLocaleString):
        (JSC::dateProtoFuncToLocaleDateString):
        (JSC::dateProtoFuncToLocaleTimeString):
        (JSC::dateProtoFuncToPrimitiveSymbol):
        (JSC::dateProtoFuncGetTime):
        (JSC::dateProtoFuncGetFullYear):
        (JSC::dateProtoFuncGetUTCFullYear):
        (JSC::dateProtoFuncGetMonth):
        (JSC::dateProtoFuncGetUTCMonth):
        (JSC::dateProtoFuncGetDate):
        (JSC::dateProtoFuncGetUTCDate):
        (JSC::dateProtoFuncGetDay):
        (JSC::dateProtoFuncGetUTCDay):
        (JSC::dateProtoFuncGetHours):
        (JSC::dateProtoFuncGetUTCHours):
        (JSC::dateProtoFuncGetMinutes):
        (JSC::dateProtoFuncGetUTCMinutes):
        (JSC::dateProtoFuncGetSeconds):
        (JSC::dateProtoFuncGetUTCSeconds):
        (JSC::dateProtoFuncGetMilliSeconds):
        (JSC::dateProtoFuncGetUTCMilliseconds):
        (JSC::dateProtoFuncGetTimezoneOffset):
        (JSC::dateProtoFuncSetTime):
        (JSC::setNewValueFromTimeArgs):
        (JSC::setNewValueFromDateArgs):
        (JSC::dateProtoFuncSetYear):
        (JSC::dateProtoFuncGetYear):
        (JSC::dateProtoFuncToJSON):
        * runtime/Error.cpp:
        (JSC::throwConstructorCannotBeCalledAsFunctionTypeError):
        (JSC::throwTypeError):
        (JSC::throwSyntaxError):
        * runtime/Error.h:
        (JSC::throwRangeError):
        (JSC::throwVMError):
        (JSC::throwVMTypeError):
        (JSC::throwVMRangeError):
        (JSC::StrictModeTypeErrorFunction::constructThrowTypeError):
        (JSC::StrictModeTypeErrorFunction::callThrowTypeError):
        * runtime/ErrorPrototype.cpp:
        (JSC::errorProtoFuncToString):
        * runtime/ExceptionFuzz.cpp:
        (JSC::doExceptionFuzzing):
        * runtime/ExceptionHelpers.cpp:
        (JSC::throwOutOfMemoryError):
        (JSC::throwStackOverflowError):
        (JSC::throwTerminatedExecutionException):
        * runtime/ExceptionHelpers.h:
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::newCodeBlockFor):
        (JSC::EvalExecutable::create):
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunction):
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):
        (JSC::functionProtoFuncBind):
        * runtime/GetterSetter.cpp:
        (JSC::callSetter):
        * runtime/IntlCollator.cpp:
        (JSC::IntlCollator::compareStrings):
        * runtime/IntlCollatorPrototype.cpp:
        (JSC::IntlCollatorPrototypeGetterCompare):
        (JSC::IntlCollatorPrototypeFuncResolvedOptions):
        * runtime/IntlDateTimeFormat.cpp:
        (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
        (JSC::IntlDateTimeFormat::format):
        * runtime/IntlDateTimeFormatPrototype.cpp:
        (JSC::IntlDateTimeFormatPrototypeGetterFormat):
        (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::initializeNumberFormat):
        (JSC::IntlNumberFormat::formatNumber):
        * runtime/IntlNumberFormatPrototype.cpp:
        (JSC::IntlNumberFormatPrototypeGetterFormat):
        (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
        * runtime/IntlObject.cpp:
        (JSC::intlStringOption):
        (JSC::intlNumberOption):
        (JSC::canonicalizeLocaleList):
        (JSC::lookupSupportedLocales):
        * runtime/IteratorOperations.cpp:
        (JSC::iteratorNext):
        (JSC::iteratorClose):
        (JSC::createIteratorResultObject):
        (JSC::iteratorForIterable):
        * runtime/JSArray.cpp:
        (JSC::JSArray::defineOwnProperty):
        (JSC::JSArray::put):
        (JSC::JSArray::appendMemcpy):
        (JSC::JSArray::setLength):
        (JSC::JSArray::pop):
        (JSC::JSArray::push):
        (JSC::JSArray::unshiftCountWithArrayStorage):
        (JSC::JSArray::unshiftCountWithAnyIndexingType):
        * runtime/JSArrayBufferConstructor.cpp:
        (JSC::constructArrayBuffer):
        (JSC::callArrayBuffer):
        * runtime/JSArrayBufferPrototype.cpp:
        (JSC::arrayBufferProtoFuncSlice):
        * runtime/JSCInlines.h:
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::toObjectSlowCase):
        (JSC::JSValue::synthesizePrototype):
        (JSC::JSValue::putToPrimitive):
        (JSC::JSValue::putToPrimitiveByIndex):
        (JSC::JSValue::toStringSlowCase):
        * runtime/JSCJSValueInlines.h:
        (JSC::toPreferredPrimitiveType):
        (JSC::JSValue::requireObjectCoercible):
        * runtime/JSDataView.cpp:
        (JSC::JSDataView::create):
        * runtime/JSDataViewPrototype.cpp:
        (JSC::getData):
        (JSC::setData):
        (JSC::dataViewProtoGetterBuffer):
        (JSC::dataViewProtoGetterByteLength):
        (JSC::dataViewProtoGetterByteOffset):
        * runtime/JSFunction.cpp:
        (JSC::callHostFunctionAsConstructor):
        (JSC::JSFunction::callerGetter):
        (JSC::JSFunction::put):
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSGenericTypedArrayView.h:
        (JSC::JSGenericTypedArrayView::setIndex):
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayViewFromIterator):
        (JSC::constructGenericTypedArrayViewWithArguments):
        (JSC::constructGenericTypedArrayView):
        (JSC::callGenericTypedArrayView):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::create):
        (JSC::JSGenericTypedArrayView<Adaptor>::createUninitialized):
        (JSC::JSGenericTypedArrayView<Adaptor>::validateRange):
        (JSC::JSGenericTypedArrayView<Adaptor>::throwNeuteredTypedArrayTypeError):
        * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
        (JSC::speciesConstruct):
        (JSC::genericTypedArrayViewProtoFuncSet):
        (JSC::genericTypedArrayViewProtoFuncCopyWithin):
        (JSC::genericTypedArrayViewProtoFuncIncludes):
        (JSC::genericTypedArrayViewProtoFuncIndexOf):
        (JSC::genericTypedArrayViewProtoFuncJoin):
        (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
        (JSC::genericTypedArrayViewProtoGetterFuncBuffer):
        (JSC::genericTypedArrayViewProtoGetterFuncLength):
        (JSC::genericTypedArrayViewProtoGetterFuncByteLength):
        (JSC::genericTypedArrayViewProtoGetterFuncByteOffset):
        (JSC::genericTypedArrayViewProtoFuncReverse):
        (JSC::genericTypedArrayViewPrivateFuncSort):
        (JSC::genericTypedArrayViewProtoFuncSlice):
        (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::createEvalCodeBlock):
        (JSC::JSGlobalObject::createModuleProgramCodeBlock):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::encode):
        (JSC::decode):
        (JSC::globalFuncEval):
        (JSC::globalFuncThrowTypeError):
        (JSC::globalFuncThrowTypeErrorArgumentsCalleeAndCaller):
        (JSC::globalFuncProtoGetter):
        (JSC::globalFuncProtoSetter):
        * runtime/JSModuleEnvironment.cpp:
        (JSC::JSModuleEnvironment::put):
        * runtime/JSModuleNamespaceObject.cpp:
        (JSC::JSModuleNamespaceObject::getOwnPropertySlot):
        (JSC::JSModuleNamespaceObject::put):
        (JSC::JSModuleNamespaceObject::putByIndex):
        (JSC::JSModuleNamespaceObject::defineOwnProperty):
        (JSC::moduleNamespaceObjectSymbolIterator):
        * runtime/JSModuleRecord.cpp:
        (JSC::JSModuleRecord::getModuleNamespace):
        (JSC::JSModuleRecord::link):
        (JSC::JSModuleRecord::instantiateDeclarations):
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::appendStringifiedValue):
        (JSC::Walker::walk):
        (JSC::JSONProtoFuncParse):
        (JSC::JSONProtoFuncStringify):
        * runtime/JSObject.cpp:
        (JSC::JSObject::setPrototypeWithCycleCheck):
        (JSC::callToPrimitiveFunction):
        (JSC::JSObject::ordinaryToPrimitive):
        (JSC::JSObject::hasInstance):
        (JSC::JSObject::defaultHasInstance):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
        (JSC::validateAndApplyPropertyDescriptor):
        (JSC::JSObject::getMethod):
        * runtime/JSObject.h:
        (JSC::createListFromArrayLike): Deleted.
        * runtime/JSObjectInlines.h:
        (JSC::createListFromArrayLike):
        (JSC::JSObject::putInline):
        * runtime/JSPromiseConstructor.cpp:
        (JSC::constructPromise):
        (JSC::callPromise):
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::propertyNameIteratorFuncNext):
        * runtime/JSString.cpp:
        (JSC::JSRopeString::outOfMemory):
        * runtime/JSStringBuilder.h:
        (JSC::JSStringBuilder::build):
        (JSC::jsMakeNontrivialString):
        * runtime/JSStringJoiner.cpp:
        (JSC::JSStringJoiner::joinedLength):
        (JSC::JSStringJoiner::join):
        * runtime/JSStringJoiner.h:
        (JSC::JSStringJoiner::JSStringJoiner):
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTablePut):
        * runtime/JSTypedArrayViewConstructor.cpp:
        (JSC::constructTypedArrayView):
        * runtime/JSTypedArrayViewPrototype.cpp:
        (JSC::typedArrayViewPrivateFuncLength):
        (JSC::typedArrayViewPrivateFuncSort):
        (JSC::typedArrayViewProtoFuncSet):
        (JSC::typedArrayViewProtoFuncCopyWithin):
        (JSC::typedArrayViewProtoFuncIncludes):
        (JSC::typedArrayViewProtoFuncLastIndexOf):
        (JSC::typedArrayViewProtoFuncIndexOf):
        (JSC::typedArrayViewProtoFuncJoin):
        (JSC::typedArrayViewProtoGetterFuncBuffer):
        (JSC::typedArrayViewProtoGetterFuncLength):
        (JSC::typedArrayViewProtoGetterFuncByteLength):
        (JSC::typedArrayViewProtoGetterFuncByteOffset):
        (JSC::typedArrayViewProtoFuncReverse):
        (JSC::typedArrayViewPrivateFuncSubarrayCreate):
        (JSC::typedArrayViewProtoFuncSlice):
        * runtime/MapConstructor.cpp:
        (JSC::callMap):
        (JSC::constructMap):
        * runtime/MapDataInlines.h:
        (JSC::JSIterator>::ensureSpaceForAppend):
        * runtime/MapIteratorPrototype.cpp:
        (JSC::MapIteratorPrototypeFuncNext):
        * runtime/MapPrototype.cpp:
        (JSC::getMap):
        (JSC::mapProtoFuncValues):
        (JSC::mapProtoFuncEntries):
        (JSC::mapProtoFuncKeys):
        * runtime/ModuleLoaderPrototype.cpp:
        (JSC::moduleLoaderPrototypeParseModule):
        * runtime/NullSetterFunction.cpp:
        (JSC::callReturnUndefined):
        * runtime/NumberPrototype.cpp:
        (JSC::numberProtoFuncToExponential):
        (JSC::numberProtoFuncToFixed):
        (JSC::numberProtoFuncToPrecision):
        (JSC::numberProtoFuncToString):
        (JSC::numberProtoFuncToLocaleString):
        (JSC::numberProtoFuncValueOf):
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorSetPrototypeOf):
        (JSC::toPropertyDescriptor):
        (JSC::objectConstructorDefineProperty):
        (JSC::objectConstructorDefineProperties):
        (JSC::objectConstructorCreate):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncDefineGetter):
        (JSC::objectProtoFuncDefineSetter):
        (JSC::objectProtoFuncToString):
        * runtime/Operations.h:
        (JSC::jsString):
        (JSC::jsStringFromRegisterArray):
        (JSC::jsStringFromArguments):
        * runtime/ProxyConstructor.cpp:
        (JSC::makeRevocableProxy):
        (JSC::proxyRevocableConstructorThrowError):
        (JSC::constructProxyObject):
        (JSC::callProxy):
        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::finishCreation):
        (JSC::performProxyGet):
        (JSC::ProxyObject::performInternalMethodGetOwnProperty):
        (JSC::ProxyObject::performHasProperty):
        (JSC::ProxyObject::getOwnPropertySlotCommon):
        (JSC::ProxyObject::performPut):
        (JSC::performProxyCall):
        (JSC::performProxyConstruct):
        (JSC::ProxyObject::performDelete):
        (JSC::ProxyObject::performPreventExtensions):
        (JSC::ProxyObject::performIsExtensible):
        (JSC::ProxyObject::performDefineOwnProperty):
        (JSC::ProxyObject::performGetOwnPropertyNames):
        (JSC::ProxyObject::performSetPrototype):
        (JSC::ProxyObject::performGetPrototype):
        * runtime/ReflectObject.cpp:
        (JSC::reflectObjectConstruct):
        (JSC::reflectObjectDefineProperty):
        (JSC::reflectObjectEnumerate):
        (JSC::reflectObjectGet):
        (JSC::reflectObjectGetOwnPropertyDescriptor):
        (JSC::reflectObjectGetPrototypeOf):
        (JSC::reflectObjectIsExtensible):
        (JSC::reflectObjectOwnKeys):
        (JSC::reflectObjectPreventExtensions):
        (JSC::reflectObjectSet):
        (JSC::reflectObjectSetPrototypeOf):
        * runtime/RegExpConstructor.cpp:
        (JSC::toFlags):
        (JSC::regExpCreate):
        * runtime/RegExpObject.cpp:
        (JSC::collectMatches):
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::setLastIndex):
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncTestFast):
        (JSC::regExpProtoFuncExec):
        (JSC::regExpProtoFuncMatchFast):
        (JSC::regExpProtoFuncCompile):
        (JSC::regExpProtoFuncToString):
        (JSC::regExpProtoGetterGlobal):
        (JSC::regExpProtoGetterIgnoreCase):
        (JSC::regExpProtoGetterMultiline):
        (JSC::regExpProtoGetterSticky):
        (JSC::regExpProtoGetterUnicode):
        (JSC::regExpProtoGetterFlags):
        (JSC::regExpProtoGetterSource):
        (JSC::regExpProtoFuncSplitFast):
        * runtime/Reject.h:
        (JSC::reject):
        * runtime/SetConstructor.cpp:
        (JSC::callSet):
        (JSC::constructSet):
        * runtime/SetIteratorPrototype.cpp:
        (JSC::SetIteratorPrototypeFuncNext):
        * runtime/SetPrototype.cpp:
        (JSC::getSet):
        (JSC::setProtoFuncValues):
        (JSC::setProtoFuncEntries):
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayValueMap::putEntry):
        (JSC::SparseArrayEntry::put):
        * runtime/StringConstructor.cpp:
        (JSC::stringFromCodePoint):
        * runtime/StringObject.cpp:
        (JSC::StringObject::put):
        (JSC::StringObject::putByIndex):
        * runtime/StringPrototype.cpp:
        (JSC::jsSpliceSubstrings):
        (JSC::jsSpliceSubstringsWithSeparators):
        (JSC::repeatCharacter):
        (JSC::replace):
        (JSC::stringProtoFuncToString):
        (JSC::stringProtoFuncCharAt):
        (JSC::stringProtoFuncCharCodeAt):
        (JSC::stringProtoFuncCodePointAt):
        (JSC::stringProtoFuncConcat):
        (JSC::stringProtoFuncIndexOf):
        (JSC::stringProtoFuncLastIndexOf):
        (JSC::stringProtoFuncSlice):
        (JSC::stringProtoFuncSubstr):
        (JSC::stringProtoFuncSubstring):
        (JSC::stringProtoFuncToLowerCase):
        (JSC::stringProtoFuncToUpperCase):
        (JSC::stringProtoFuncLocaleCompare):
        (JSC::toLocaleCase):
        (JSC::stringProtoFuncBig):
        (JSC::stringProtoFuncSmall):
        (JSC::stringProtoFuncBlink):
        (JSC::stringProtoFuncBold):
        (JSC::stringProtoFuncFixed):
        (JSC::stringProtoFuncItalics):
        (JSC::stringProtoFuncStrike):
        (JSC::stringProtoFuncSub):
738         (JSC::stringProtoFuncSup):
739         (JSC::stringProtoFuncFontcolor):
740         (JSC::stringProtoFuncFontsize):
741         (JSC::stringProtoFuncAnchor):
742         (JSC::stringProtoFuncLink):
743         (JSC::trimString):
744         (JSC::stringProtoFuncStartsWith):
745         (JSC::stringProtoFuncEndsWith):
746         (JSC::stringProtoFuncIncludes):
747         (JSC::stringProtoFuncIterator):
748         (JSC::normalize):
749         (JSC::stringProtoFuncNormalize):
750         * runtime/StringRecursionChecker.cpp:
751         (JSC::StringRecursionChecker::throwStackOverflowError):
752         * runtime/Symbol.cpp:
753         (JSC::Symbol::toNumber):
754         * runtime/SymbolConstructor.cpp:
755         (JSC::symbolConstructorKeyFor):
756         * runtime/SymbolPrototype.cpp:
757         (JSC::symbolProtoFuncToString):
758         (JSC::symbolProtoFuncValueOf):
759         * runtime/ThrowScope.cpp: Added.
760         (JSC::ThrowScope::ThrowScope):
761         (JSC::ThrowScope::~ThrowScope):
762         (JSC::ThrowScope::throwException):
763         (JSC::ThrowScope::printIfNeedCheck):
764         (JSC::ThrowScope::simulateThrow):
765         (JSC::ThrowScope::verifyExceptionCheckNeedIsSatisfied):
766         * runtime/ThrowScope.h: Added.
767         (JSC::ThrowScope::vm):
768         (JSC::ThrowScope::exception):
769         (JSC::ThrowScope::release):
770         (JSC::ThrowScope::ThrowScope):
771         (JSC::ThrowScope::throwException):
772         (JSC::throwException):
773         * runtime/ThrowScopeLocation.h: Added.
774         (JSC::ThrowScopeLocation::ThrowScopeLocation):
775         * runtime/VM.h:
776         * runtime/VMEntryScope.h:
777         (JSC::VMEntryScope::vm):
778         * runtime/WeakMapConstructor.cpp:
779         (JSC::callWeakMap):
780         (JSC::constructWeakMap):
781         * runtime/WeakMapPrototype.cpp:
782         (JSC::getWeakMapData):
783         (JSC::protoFuncWeakMapSet):
784         * runtime/WeakSetConstructor.cpp:
785         (JSC::callWeakSet):
786         (JSC::constructWeakSet):
787         * runtime/WeakSetPrototype.cpp:
788         (JSC::getWeakMapData):
789         (JSC::protoFuncWeakSetAdd):
790
791 2016-08-30  Alex Christensen  <achristensen@webkit.org>
792
793         Fix WebInspectorUI in internal Windows build
794         https://bugs.webkit.org/show_bug.cgi?id=161221
795         rdar://problem/28019023
796
797         Reviewed by Brent Fulgham and Joseph Pecoraro.
798
799         * JavaScriptCore.vcxproj/JavaScriptCore.proj:
800
801 2016-08-29  Joseph Pecoraro  <pecoraro@apple.com>
802
803         REGRESSION(r202568): Web Inspector: Expanding Array Prototype in Console shows no properties
804         https://bugs.webkit.org/show_bug.cgi?id=161263
805         <rdar://problem/28035849>
806
807         Reviewed by Matt Baker.
808
809         * inspector/InjectedScriptSource.js:
810         (InjectedScript.prototype._propertyDescriptors):
811         Previously we only took the "numeric index fast path" if an object was
812         array-like with length > 100. When we dropped the length check we
813         ended up breaking our display of Array prototype, because [].__proto__
814         is an array instance. Get it back by just doing a check of length > 0.
815         We may want to address this differently in the future by knowing if
816         we are getting properties for a prototype or not.
817
818 2016-08-29  Benjamin Poulain  <bpoulain@apple.com>
819
820         [JSC] Clean up FTL Capabilities for CompareEq
821         https://bugs.webkit.org/show_bug.cgi?id=161353
822
823         Reviewed by Geoffrey Garen.
824
825         It looks like we already have code for every case.
826         This patch removes the tests from FTLCapabilities
827         and moves the generic case last as usual.
828
829         * ftl/FTLCapabilities.cpp:
830         (JSC::FTL::canCompile):
831         * ftl/FTLLowerDFGToB3.cpp:
832         (JSC::FTL::DFG::LowerDFGToB3::compileCompareEq):
833
834 2016-08-29  Keith Miller  <keith_miller@apple.com>
835
836         Fix toStringName for Proxies and add support for normal instances
837         https://bugs.webkit.org/show_bug.cgi?id=161275
838
839         Reviewed by Saam Barati.
840
841         toStringName on proxies needs to follow the chain of proxies until it finds a non-proxy target.
842         Additionally, there are a couple of other classes that need to return "Object" for their
843         toStringName. Since this isn't tested by test262 I will propose a new test there.
844
845         * runtime/ClassInfo.h:
846         * runtime/JSArrayBufferView.cpp:
847         (JSC::JSArrayBufferView::toStringName):
848         * runtime/JSArrayBufferView.h:
849         * runtime/JSCell.cpp:
850         (JSC::JSCell::toStringName):
851         * runtime/JSCell.h:
852         * runtime/JSMap.cpp:
853         (JSC::JSMap::toStringName):
854         * runtime/JSMap.h:
855         * runtime/JSObject.cpp:
856         (JSC::JSObject::toStringName):
857         * runtime/JSObject.h:
858         * runtime/JSSet.cpp:
859         (JSC::JSSet::destroy):
860         (JSC::JSSet::toStringName):
861         * runtime/JSSet.h:
862         * runtime/JSWeakMap.cpp:
863         (JSC::JSWeakMap::toStringName):
864         * runtime/JSWeakMap.h:
865         * runtime/JSWeakSet.cpp:
866         (JSC::JSWeakSet::toStringName):
867         * runtime/JSWeakSet.h:
868         * runtime/ObjectPrototype.cpp:
869         (JSC::objectProtoFuncToString):
870         * runtime/ProxyObject.cpp:
871         (JSC::ProxyObject::toStringName):
872         * runtime/ProxyObject.h:
873         * runtime/SymbolObject.cpp:
874         (JSC::SymbolObject::toStringName):
875         * runtime/SymbolObject.h:
876         (JSC::SymbolObject::internalValue):
877
878 2016-08-29  Youenn Fablet  <youenn@apple.com>
879
880         [Fetch API] Response cloning should structureClone when teeing Response stream
881         https://bugs.webkit.org/show_bug.cgi?id=161147
882
883         Reviewed by Darin Adler.
884
885         * builtins/BuiltinNames.h: Adding ArrayBuffer and isView identifiers.
886         * runtime/JSArrayBufferConstructor.cpp:
887         (JSC::JSArrayBufferConstructor::finishCreation): Adding @isView as private method.
888         * runtime/JSDataView.h: Exporting create method.
889
890 2016-08-29  Benjamin Poulain  <bpoulain@apple.com>
891
892         [JSC] Improve ArithAbs with polymorphic input
893         https://bugs.webkit.org/show_bug.cgi?id=161286
894
895         Reviewed by Saam Barati.
896
897         This is similar to the previous patches: if we have polymorphic
898         input, do a function call.
899
900         I also discovered a few problems with the tests and fixed them:
901         -I forgot to add NodeMustGenerate to the previous nodes I changed.
902          They could have been eliminated by DCE.
903         -ArithAbs was always exiting if the input types do not include numbers.
904          The cause was that the node was using isInt32OrBooleanSpeculationForArithmetic()
905          instead of isInt32OrBooleanSpeculation(). The test of
906          isInt32OrBooleanSpeculationForArithmetic() only verifies the input does not
907          contain double or int52. If we were in that case, we were always speculating
908          Int32. That always fails and we were recompiling the same code over and over.
909
910         * dfg/DFGAbstractInterpreterInlines.h:
911         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
912         Now that we have toNumberFromPrimitive(), we can improve constant folding here :)
913
914         * dfg/DFGClobberize.h:
915         (JSC::DFG::clobberize):
916         * dfg/DFGFixupPhase.cpp:
917         (JSC::DFG::FixupPhase::fixupNode):
918         * dfg/DFGNode.h:
919         (JSC::DFG::Node::hasResult):
920         (JSC::DFG::Node::hasHeapPrediction):
921         (JSC::DFG::Node::hasInt32Result): Deleted.
922         The accessor hasInt32Result() was unused.
923
924         * dfg/DFGNodeType.h:
925         * dfg/DFGOperations.cpp:
926         * dfg/DFGOperations.h:
927         * dfg/DFGPredictionPropagationPhase.cpp:
928         * dfg/DFGSpeculativeJIT.cpp:
929         (JSC::DFG::SpeculativeJIT::compileArithAbs):
930         * dfg/DFGSpeculativeJIT.h:
931         * dfg/DFGSpeculativeJIT32_64.cpp:
932         (JSC::DFG::SpeculativeJIT::compile):
933         * dfg/DFGSpeculativeJIT64.cpp:
934         (JSC::DFG::SpeculativeJIT::compile):
935         * ftl/FTLLowerDFGToB3.cpp:
936         (JSC::FTL::DFG::LowerDFGToB3::compileArithAbs):
937
938 2016-08-28  Saam Barati  <sbarati@apple.com>
939
940         Make SpeculatedType a 64-bit integer
941         https://bugs.webkit.org/show_bug.cgi?id=161268
942
943         Reviewed by Filip Pizlo and Benjamin Poulain.
944
945         I'm going to introduce two new types into this and we only
946         have room for one in 32-bits. So, this patch widens SpeculatedType
947         to 64 bits. This also pulls this information through the DFG where
948         we needed to change DFGNode to support this.
949
950         * bytecode/SpeculatedType.h:
951         * dfg/DFGNode.cpp:
952         (JSC::DFG::Node::convertToPutHint):
953         (JSC::DFG::Node::promotedLocationDescriptor):
954         * dfg/DFGNode.h:
955         (JSC::DFG::Node::Node):
956         (JSC::DFG::Node::convertToCheckStructure):
957         (JSC::DFG::Node::constant):
958         (JSC::DFG::Node::convertToConstant):
959         (JSC::DFG::Node::convertToConstantStoragePointer):
960         (JSC::DFG::Node::convertToPutStack):
961         (JSC::DFG::Node::convertToGetStack):
962         (JSC::DFG::Node::convertToGetByOffset):
963         (JSC::DFG::Node::convertToMultiGetByOffset):
964         (JSC::DFG::Node::convertToPutByOffset):
965         (JSC::DFG::Node::convertToMultiPutByOffset):
966         (JSC::DFG::Node::convertToPhantomNewObject):
967         (JSC::DFG::Node::convertToPhantomNewFunction):
968         (JSC::DFG::Node::convertToPhantomNewGeneratorFunction):
969         (JSC::DFG::Node::convertToPhantomCreateActivation):
970         (JSC::DFG::Node::convertToGetLocal):
971         (JSC::DFG::Node::lazyJSValue):
972         (JSC::DFG::Node::initializationValueForActivation):
973         (JSC::DFG::Node::tryGetVariableAccessData):
974         (JSC::DFG::Node::variableAccessData):
975         (JSC::DFG::Node::unlinkedLocal):
976         (JSC::DFG::Node::unlinkedMachineLocal):
977         (JSC::DFG::Node::stackAccessData):
978         (JSC::DFG::Node::phi):
979         (JSC::DFG::Node::identifierNumber):
980         (JSC::DFG::Node::getPutInfo):
981         (JSC::DFG::Node::accessorAttributes):
982         (JSC::DFG::Node::newArrayBufferData):
983         (JSC::DFG::Node::indexingType):
984         (JSC::DFG::Node::typedArrayType):
985         (JSC::DFG::Node::inlineCapacity):
986         (JSC::DFG::Node::scopeOffset):
987         (JSC::DFG::Node::capturedArgumentsOffset):
988         (JSC::DFG::Node::variablePointer):
989         (JSC::DFG::Node::callVarargsData):
990         (JSC::DFG::Node::loadVarargsData):
991         (JSC::DFG::Node::targetBytecodeOffsetDuringParsing):
992         (JSC::DFG::Node::targetBlock):
993         (JSC::DFG::Node::branchData):
994         (JSC::DFG::Node::switchData):
995         (JSC::DFG::Node::getHeapPrediction):
996         (JSC::DFG::Node::cellOperand):
997         (JSC::DFG::Node::watchpointSet):
998         (JSC::DFG::Node::storagePointer):
999         (JSC::DFG::Node::uidOperand):
1000         (JSC::DFG::Node::typeInfoOperand):
1001         (JSC::DFG::Node::transition):
1002         (JSC::DFG::Node::structureSet):
1003         (JSC::DFG::Node::structure):
1004         (JSC::DFG::Node::storageAccessData):
1005         (JSC::DFG::Node::multiGetByOffsetData):
1006         (JSC::DFG::Node::multiPutByOffsetData):
1007         (JSC::DFG::Node::objectMaterializationData):
1008         (JSC::DFG::Node::arrayMode):
1009         (JSC::DFG::Node::arithMode):
1010         (JSC::DFG::Node::arithRoundingMode):
1011         (JSC::DFG::Node::setArithRoundingMode):
1012         (JSC::DFG::Node::executionCounter):
1013         (JSC::DFG::Node::typeLocation):
1014         (JSC::DFG::Node::basicBlockLocation):
1015         (JSC::DFG::Node::numberOfArgumentsToSkip):
1016         (JSC::DFG::Node::OpInfoWrapper::OpInfoWrapper):
1017         (JSC::DFG::Node::OpInfoWrapper::operator=):
1018         * dfg/DFGOpInfo.h:
1019         (JSC::DFG::OpInfo::OpInfo):
1020         * dfg/DFGPromotedHeapLocation.h:
1021         (JSC::DFG::PromotedLocationDescriptor::imm1):
1022         (JSC::DFG::PromotedLocationDescriptor::imm2):
1023
1024 2016-08-27  Don Olmstead  <don.olmstead@am.sony.com>
1025
1026         Unused cxxabi.h include in JSGlobalObjectInspectorController.cpp
1027         https://bugs.webkit.org/show_bug.cgi?id=161120
1028
1029         Reviewed by Darin Adler.
1030
1031         * inspector/JSGlobalObjectInspectorController.cpp:
1032
1033 2016-08-26  Sam Weinig  <sam@webkit.org>
1034
1035         Remove support for ENABLE_LEGACY_WEB_AUDIO
1036         https://bugs.webkit.org/show_bug.cgi?id=161262
1037
1038         Reviewed by Anders Carlsson.
1039
1040         * Configurations/FeatureDefines.xcconfig:
1041         Remove ENABLE_LEGACY_WEB_AUDIO
1042
1043 2016-08-26  Benjamin Poulain  <benjamin@webkit.org>
1044
1045         [JSC] Implement CompareStrictEq(String, Untyped) in FTL
1046         https://bugs.webkit.org/show_bug.cgi?id=161229
1047
1048         Reviewed by Geoffrey Garen.
1049
1050         Add (String, Untyped) uses to FTL CompareStrictEq.
1051         This was the last use type not implemented; the node is fully
1052         supported by FTL after this patch.
1053
1054         * ftl/FTLCapabilities.cpp:
1055         (JSC::FTL::canCompile):
1056         * ftl/FTLLowerDFGToB3.cpp:
1057         (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
1058         (JSC::FTL::DFG::LowerDFGToB3::compileStringToUntypedStrictEquality):
1059
1060         (JSC::FTL::DFG::LowerDFGToB3::nonSpeculativeCompare):
1061         Remove the type checks when possible.
1062
1063 2016-08-26  Johan K. Jensen  <johan_jensen@apple.com>
1064
1065         Web Inspector: Frontend should have access to Resource Timing information
1066         https://bugs.webkit.org/show_bug.cgi?id=160095
1067
1068         Reviewed by Alex Christensen.
1069
1070         Rename ResourceTiming property.
1071
1072         * inspector/protocol/Network.json:
1073         Rename navigationStart to startTime so it's applicable
1074         for all resources and not just the main resource.
1075
1076 2016-08-25  Joseph Pecoraro  <pecoraro@apple.com>
1077
1078         Web Inspector: Provide a way to clear an IndexedDB object store
1079         https://bugs.webkit.org/show_bug.cgi?id=161167
1080         <rdar://problem/27996932>
1081
1082         Reviewed by Brian Burg.
1083
1084         * inspector/protocol/IndexedDB.json:
1085         Clean up the protocol file.
1086
1087 2016-08-26  Devin Rousso  <dcrousso+webkit@gmail.com>
1088
1089         Web Inspector: Some CSS selectors in the UI aren't escaped
1090         https://bugs.webkit.org/show_bug.cgi?id=151378
1091
1092         Reviewed by Joseph Pecoraro.
1093
1094         Change ElementData from sending a className string to using an array of
1095         classes, allowing for proper escaping of each class value.
1096
1097         * inspector/protocol/OverlayTypes.json:
1098
1099 2016-08-26  Joseph Pecoraro  <pecoraro@apple.com>
1100
1101         Web Inspector: ScriptProfilerAgent and HeapAgent should do less work when frontend disconnects
1102         https://bugs.webkit.org/show_bug.cgi?id=161213
1103         <rdar://problem/28017986>
1104
1105         Reviewed by Brian Burg.
1106
1107         * inspector/agents/InspectorHeapAgent.cpp:
1108         (Inspector::InspectorHeapAgent::willDestroyFrontendAndBackend):
1109         Don't take a final snapshot when disconnecting.
1110
1111         * inspector/agents/InspectorScriptProfilerAgent.cpp:
1112         (Inspector::InspectorScriptProfilerAgent::willDestroyFrontendAndBackend):
1113         (Inspector::InspectorScriptProfilerAgent::stopSamplingWhenDisconnecting):
1114         * inspector/agents/InspectorScriptProfilerAgent.h:
1115         * runtime/SamplingProfiler.h:
1116         Don't process samples when disconnecting.
1117
1118 2016-08-26  Joseph Pecoraro  <pecoraro@apple.com>
1119
1120         Web Inspector: HeapProfiler/ScriptProfiler do not destruct safely when JSContext is destroyed
1121         https://bugs.webkit.org/show_bug.cgi?id=161027
1122         <rdar://problem/27871349>
1123
1124         Reviewed by Mark Lam.
1125
1126         For JSContext inspection, when a frontend connects keep the target alive.
1127         This means ref'ing the JSGlobalObject / VM when the first frontend
1128         connects and deref'ing when the last frontend disconnects.
1129
1130         * inspector/JSGlobalObjectInspectorController.h:
1131         * inspector/JSGlobalObjectInspectorController.cpp:
1132         (Inspector::JSGlobalObjectInspectorController::globalObjectDestroyed):
1133         (Inspector::JSGlobalObjectInspectorController::disconnectAllFrontends): Deleted.
1134         Now that frontends keep the global object alive, when the global object
1135         is destroyed that must mean that no frontends exist. Remove the now
1136         stale code path.
1137
1138         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
1139         (Inspector::JSGlobalObjectInspectorController::disconnectFrontend):
1140         Ref the target when the first frontend connects, deref when the last disconnects.
1141
1142 2016-08-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1143
1144         [ES6] newPromiseCapabilities should check the given argument is constructor
1145         https://bugs.webkit.org/show_bug.cgi?id=161226
1146
1147         Reviewed by Mark Lam.
1148
1149         Use @isConstructor.
1150
1151         * builtins/PromiseOperations.js:
1152
1153 2016-08-25  Keith Miller  <keith_miller@apple.com>
1154
1155         toString called on proxies returns incorrect tag
1156         https://bugs.webkit.org/show_bug.cgi?id=161111
1157
1158         Reviewed by Benjamin Poulain.
1159
1160         This patch adds a new Method table function toStringName. This function
1161         is used by Object.prototype.toString to create the string tag that it
1162         inserts. Right now it only changes the stringification of proxy objects.
1163         In future patches I plan to make it work for other classes of objects as
1164         well.
1165
1166         * runtime/ClassInfo.h:
1167         * runtime/JSCell.cpp:
1168         (JSC::JSCell::toStringName):
1169         * runtime/JSCell.h:
1170         * runtime/JSObject.cpp:
1171         (JSC::JSObject::toStringName):
1172         * runtime/JSObject.h:
1173         * runtime/ObjectPrototype.cpp:
1174         (JSC::objectProtoFuncToString):
1175         * runtime/ProxyObject.cpp:
1176         (JSC::ProxyObject::toStringName):
1177         * runtime/ProxyObject.h:
1178
1179 2016-08-26  Csaba Osztrogonác  <ossy@webkit.org>
1180
1181         Fix the ENABLE(WEBASSEMBLY) build on Linux
1182         https://bugs.webkit.org/show_bug.cgi?id=161197
1183
1184         Reviewed by Mark Lam.
1185
1186         * CMakeLists.txt:
1187         * b3/B3Common.cpp:
1188         (JSC::B3::shouldDumpIR):
1189         * shell/CMakeLists.txt:
1190         * wasm/JSWASMModule.h:
1191         * wasm/WASMB3IRGenerator.cpp:
1192         (JSC::WASM::toB3Op):
1193         * wasm/WASMB3IRGenerator.h:
1194         * wasm/WASMFormat.h:
1195         * wasm/WASMFunctionParser.h:
1196         * wasm/WASMModuleParser.cpp:
1197         (JSC::WASM::WASMModuleParser::parseFunctionTypes):
1198         * wasm/WASMModuleParser.h:
1199         * wasm/WASMParser.h:
1200         * wasm/WASMPlan.cpp:
1201         * wasm/WASMPlan.h:
1202         * wasm/WASMSections.cpp:
1203
1204 2016-08-26  Per Arne Vollan  <pvollan@apple.com>
1205
1206         [Win] Compile fix.
1207         https://bugs.webkit.org/show_bug.cgi?id=161235
1208
1209         Reviewed by Brent Fulgham.
1210
1211         YarrPattern::errorMessage has inconsistent dll linkage.
1212
1213         * yarr/YarrPattern.h:
1214
1215 2016-08-25  Alex Christensen  <achristensen@webkit.org>
1216
1217         CMake build fix.
1218
1219         * ForwardingHeaders/JavaScriptCore/JSObjectRefPrivate.h: Added.
1220         This is needed for the internal Windows build.
1221
1222 2016-08-25  Benjamin Poulain  <bpoulain@apple.com>
1223
1224         [JSC] Clean up the abstract interpreter for cos/sin/sqrt/fround/log
1225         https://bugs.webkit.org/show_bug.cgi?id=161181
1226
1227         Reviewed by Geoffrey Garen.
1228
1229         All the nodes are doing the exact same thing with a single
1230         difference: how to process constants. I made that into a separate
1231         function called from each node.
1232
1233         I also generalized the constant-to-number code of DoubleRep
1234         to make it available for all those nodes.
1235
1236         * dfg/DFGAbstractInterpreter.h:
1237         * dfg/DFGAbstractInterpreterInlines.h:
1238         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1239         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeDoubleUnaryOpEffects):
1240         * runtime/JSCJSValue.cpp:
1241         (JSC::JSValue::toNumberFromPrimitive):
1242         * runtime/JSCJSValue.h:
1243
1244 2016-08-25  Yusuke Suzuki  <utatane.tea@gmail.com>
1245
1246         [DFG][FTL] Implement ES6 Generators in DFG / FTL
1247         https://bugs.webkit.org/show_bug.cgi?id=152723
1248
1249         Reviewed by Filip Pizlo.
1250
1251         This patch introduces DFG and FTL support for ES6 generators.
1252         An ES6 generator is compiled by the BytecodeGenerator. But in the last phase, BytecodeGenerator performs "generatorification" on the unlinked code.
1253         In the BytecodeGenerator phase, we just emit op_yield for each yield point. And we don't emit any generator-related switch, save, and resume sequences
1254         here. Those are emitted by the generatorification phase.
1255
1256         So the graph is super simple! Before the generatorification, the graph looks like this.
1257
1258              op_enter -> ...... -> op_yield -> ..... -> op_yield -> ...
1259
1260         Roughly speaking, in the generatorification phase, we work out which variables should be saved and resumed at each op_yield.
1261         This is done by liveness analysis. After that, we convert op_yield to the sequence of "op_put_to_scope", "op_ret", and "op_get_from_scope".
1262         The op_put_to_scope and op_get_from_scope sequences correspond to the save and resume sequences. We set up the scope for the generator frame and
1263         perform op_put_to_scope and op_get_from_scope on it. The live registers are saved and resumed over the generator's next() calls by using this
1264         special generator frame scope. And we also set up the global switch for the generator.
1265
1266         In the generatorification phase,
1267
1268         1. We construct the BytecodeGraph from the unlinked instructions. This constructs the basic blocks, and it is used in the subsequent analysis.
1269         2. We perform the analysis on the unlinked code. We extract the live variables at each op_yield.
1270         3. We insert the get_from_scope and put_to_scope at each op_yield. Which registers should be saved and resumed is given by (2).
1271            Then, we clip the op_yields themselves. And we also insert the switch_imm. The jump targets of this switch are just after this op_switch_imm and each op_yield point.
1272
1273         One interesting point is the try-range. We split the try-range at the op_yield point in BytecodeGenerator phase.
1274         This drops the hacky thing that is introduced in [1].
1275         If the try-range covers the resume sequences, the exception handler's use-registers are incorrectly transferred to the entry block.
1276         For example,
1277
1278             handler uses r2
1279                                                              try-range
1280             label:(entry block can jump here)                 ^
1281                 r1 = get_from_scope # resume sequence starts  | use r2 is transferred to the entry block!
1282                 r2 = get_from_scope                           |
1283                 starts usual sequences                        |
1284                 ...                                           |
1285
1286         Handler's r2 use should be considered at the `r1 = get_from_scope` point.
1287         Previously, we handled this edge case by treating op_resume specially in the liveness analysis [1].
1288         To drop this workaround, we split the try-range not to cover this resume sequence.
1289
1290             handler uses r2
1291                                                              try-range
1292             label:(entry block can jump here)
1293                 r1 = get_from_scope # resume sequence starts
1294                 r2 = get_from_scope
1295                 starts usual sequences                        ^ try-range should start from here.
1296                 ...                                           |
1297
1298         OK. Let's show the detailed example.
1299
1300             1. First, there is the normal bytecode sequence. Here, | represents the offsets, and [] represents the bytecodes.
1301
1302                 bytecodes   | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] |
1303                 try-range   <----------------------------------->
1304
1305             2. When we emit the op_yield in the bytecode generator, we carefully split the try-range.
1306
1307                 bytecodes   | [ ] | [ ] | [op_yield] | [ ] | [ ] | [ ] |
1308                 try-range   <----------->            <----------------->
1309
1310             3. And in the generatorification phase, we insert the switch's jump target and save & resume sequences. And we also drop op_yield.
1311
1312                         Insert save seq  Insert resume seq
1313                         before op_yield. after op_yield's point.
1314                                        v v
1315                 bytecodes   | [ ] | [ ] | [op_yield] | [ ] | [ ] | [ ] |
1316                 try-range   <----------->     ^      <----------------->
1317                                         ^     |
1318                              Jump to here.    Drop this op_yield.
1319
1320             4. The final layout is the following.
1321
1322                 bytecodes   | [ ] | [ ][save seq][op_ret] | [resume seq] | [ ] | [ ] | [ ] |
1323                 try-range   <----------------------------->               <---------------->
1324                                                           ^
1325                                               Jump to here.
1326
1327         The rewriting done by the BytecodeRewriter is executed in a batch manner. Since these modifications change the basic blocks and the size of the unlinked instructions,
1328         BytecodeRewriter also performs the offset adjustment for UnlinkedCodeBlock. So, this rewriting is performed on the BytecodeGraph rather than BytecodeBasicBlock.
1329         The reason why we take this design is simple: we don't want to newly create the basic blocks and opcodes for this early phase like DFG. Instead, we perform the
1330         modification and adjustment to the unlinked instructions and UnlinkedCodeBlock in an in-place manner.
1331
1332         Bytecode rewriting functionality is offered by BytecodeRewriter. BytecodeRewriter allows us to insert any bytecodes at any places
1333         in an in-place manner. BytecodeRewriter handles the original bytecode offsets as labels. And you can insert bytecodes before and after
1334         these labels. You can also insert any jumps to any places. When you insert jumps, you need to specify the jump target with these labels.
1335         These labels (original bytecode offsets) are automatically converted to the appropriate offsets by BytecodeRewriter.
1336
1337         After that phase, the data flow of the generator-saved-and-resumed registers is explicitly represented by the get_from_scope and put_to_scope.
1338         And the switch is inserted to represent the actual control flow for the generator. And op_yield is removed. Since we use the existing bytecodes (op_switch_imm, op_put_to_scope,
1339         op_ret, and op_get_from_scope), DFG and FTL changes are not necessary. This patch also drops data structures and implementations for the old generator:
1340         the op_resume and op_save implementations and GeneratorFrame.
1341
1342         Note that this patch does not leverage the recent multi entrypoints support in B3. After this patch is introduced, we will submit a new patch that leverages the multi
1343         entrypoints for generator's resume and sees the performance gain.
1344
1345         Microbenchmarks related to generators show up to 2.9x improvements.
1346
1347                                                         Baseline                  Patched
1348
1349             generator-fib                          102.0116+-3.2880     ^     34.9670+-0.2221        ^ definitely 2.9174x faster
1350             generator-sunspider-access-nsieve        5.8596+-0.0371     ^      4.9051+-0.0720        ^ definitely 1.1946x faster
1351             generator-with-several-types           332.1478+-4.2425     ^    124.6642+-2.4826        ^ definitely 2.6643x faster
1352
1353             <geometric>                             58.2998+-0.7758     ^     27.7425+-0.2577        ^ definitely 2.1015x faster
1354
1355         In ES6SampleBench's Basic, we can observe a 41% improvement (MacBook Pro).
1356
1357             Baseline:
1358                 Geometric Mean Result: 133.55 ms +- 4.49 ms
1359
1360                 Benchmark    First Iteration        Worst 2%               Steady State
1361                 Air          54.03 ms +- 7.51 ms    29.06 ms +- 3.13 ms    2276.59 ms +- 61.17 ms
1362                 Basic        30.18 ms +- 1.86 ms    18.85 ms +- 0.45 ms    2851.16 ms +- 41.87 ms
1363
1364             Patched:
1365                 Geometric Mean Result: 121.78 ms +- 3.96 ms
1366
1367                 Benchmark    First Iteration        Worst 2%               Steady State
1368                 Air          52.09 ms +- 6.89 ms    29.59 ms +- 3.16 ms    2239.90 ms +- 54.60 ms
1369                 Basic        29.28 ms +- 1.46 ms    16.26 ms +- 0.66 ms    2025.15 ms +- 38.56 ms
1370
1371         [1]: https://bugs.webkit.org/show_bug.cgi?id=159281
1372
1373         * CMakeLists.txt:
1374         * JavaScriptCore.xcodeproj/project.pbxproj:
1375         * builtins/GeneratorPrototype.js:
1376         (globalPrivate.generatorResume):
1377         * bytecode/BytecodeBasicBlock.cpp:
1378         (JSC::BytecodeBasicBlock::shrinkToFit):
1379         (JSC::BytecodeBasicBlock::computeImpl):
1380         (JSC::BytecodeBasicBlock::compute):
1381         (JSC::isBranch): Deleted.
1382         (JSC::isUnconditionalBranch): Deleted.
1383         (JSC::isTerminal): Deleted.
1384         (JSC::isThrow): Deleted.
1385         (JSC::linkBlocks): Deleted.
1386         (JSC::computeBytecodeBasicBlocks): Deleted.
1387         * bytecode/BytecodeBasicBlock.h:
1388         (JSC::BytecodeBasicBlock::isEntryBlock):
1389         (JSC::BytecodeBasicBlock::isExitBlock):
1390         (JSC::BytecodeBasicBlock::leaderOffset):
1391         (JSC::BytecodeBasicBlock::totalLength):
1392         (JSC::BytecodeBasicBlock::offsets):
1393         (JSC::BytecodeBasicBlock::successors):
1394         (JSC::BytecodeBasicBlock::index):
1395         (JSC::BytecodeBasicBlock::addSuccessor):
1396         (JSC::BytecodeBasicBlock::BytecodeBasicBlock):
1397         (JSC::BytecodeBasicBlock::addLength):
1398         (JSC::BytecodeBasicBlock::leaderBytecodeOffset): Deleted.
1399         (JSC::BytecodeBasicBlock::totalBytecodeLength): Deleted.
1400         (JSC::BytecodeBasicBlock::bytecodeOffsets): Deleted.
1401         (JSC::BytecodeBasicBlock::addBytecodeLength): Deleted.
1402         * bytecode/BytecodeGeneratorification.cpp: Added.
1403         (JSC::BytecodeGeneratorification::BytecodeGeneratorification):
1404         (JSC::BytecodeGeneratorification::graph):
1405         (JSC::BytecodeGeneratorification::yields):
1406         (JSC::BytecodeGeneratorification::enterPoint):
1407         (JSC::BytecodeGeneratorification::storageForGeneratorLocal):
1408         (JSC::GeneratorLivenessAnalysis::GeneratorLivenessAnalysis):
1409         (JSC::GeneratorLivenessAnalysis::computeDefsForBytecodeOffset):
1410         (JSC::GeneratorLivenessAnalysis::computeUsesForBytecodeOffset):
1411         (JSC::GeneratorLivenessAnalysis::run):
1412         (JSC::BytecodeGeneratorification::run):
1413         (JSC::performGeneratorification):
1414         * bytecode/BytecodeGeneratorification.h: Copied from Source/JavaScriptCore/bytecode/BytecodeLivenessAnalysisInlines.h.
1415         * bytecode/BytecodeGraph.h: Added.
1416         (JSC::BytecodeGraph::codeBlock):
1417         (JSC::BytecodeGraph::instructions):
1418         (JSC::BytecodeGraph::basicBlocksInReverseOrder):
1419         (JSC::BytecodeGraph::blockContainsBytecodeOffset):
1420         (JSC::BytecodeGraph::findBasicBlockForBytecodeOffset):
1421         (JSC::BytecodeGraph::findBasicBlockWithLeaderOffset):
1422         (JSC::BytecodeGraph::size):
1423         (JSC::BytecodeGraph::at):
1424         (JSC::BytecodeGraph::operator[]):
1425         (JSC::BytecodeGraph::begin):
1426         (JSC::BytecodeGraph::end):
1427         (JSC::BytecodeGraph::first):
1428         (JSC::BytecodeGraph::last):
1429         (JSC::BytecodeGraph<Block>::BytecodeGraph):
1430         * bytecode/BytecodeList.json:
1431         * bytecode/BytecodeLivenessAnalysis.cpp:
1432         (JSC::BytecodeLivenessAnalysis::BytecodeLivenessAnalysis):
1433         (JSC::BytecodeLivenessAnalysis::computeDefsForBytecodeOffset):
1434         (JSC::BytecodeLivenessAnalysis::computeUsesForBytecodeOffset):
1435         (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeOffset):
1436         (JSC::BytecodeLivenessAnalysis::computeFullLiveness):
1437         (JSC::BytecodeLivenessAnalysis::computeKills):
1438         (JSC::BytecodeLivenessAnalysis::dumpResults):
1439         (JSC::BytecodeLivenessAnalysis::compute):
1440         (JSC::isValidRegisterForLiveness): Deleted.
1441         (JSC::getLeaderOffsetForBasicBlock): Deleted.
1442         (JSC::findBasicBlockWithLeaderOffset): Deleted.
1443         (JSC::blockContainsBytecodeOffset): Deleted.
1444         (JSC::findBasicBlockForBytecodeOffset): Deleted.
1445         (JSC::stepOverInstruction): Deleted.
1446         (JSC::computeLocalLivenessForBytecodeOffset): Deleted.
1447         (JSC::computeLocalLivenessForBlock): Deleted.
1448         (JSC::BytecodeLivenessAnalysis::runLivenessFixpoint): Deleted.
1449         * bytecode/BytecodeLivenessAnalysis.h:
1450         * bytecode/BytecodeLivenessAnalysisInlines.h:
1451         (JSC::isValidRegisterForLiveness):
1452         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::stepOverInstruction):
1453         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::computeLocalLivenessForBytecodeOffset):
1454         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::computeLocalLivenessForBlock):
1455         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::getLivenessInfoAtBytecodeOffset):
1456         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::runLivenessFixpoint):
1457         * bytecode/BytecodeRewriter.cpp: Added.
1458         (JSC::BytecodeRewriter::applyModification):
1459         (JSC::BytecodeRewriter::execute):
1460         (JSC::BytecodeRewriter::adjustJumpTargetsInFragment):
1461         (JSC::BytecodeRewriter::insertImpl):
1462         (JSC::BytecodeRewriter::adjustJumpTarget):
1463         * bytecode/BytecodeRewriter.h: Added.
1464         (JSC::BytecodeRewriter::InsertionPoint::InsertionPoint):
1465         (JSC::BytecodeRewriter::InsertionPoint::operator<):
1466         (JSC::BytecodeRewriter::InsertionPoint::operator==):
1467         (JSC::BytecodeRewriter::Insertion::length):
1468         (JSC::BytecodeRewriter::Fragment::Fragment):
1469         (JSC::BytecodeRewriter::Fragment::appendInstruction):
1470         (JSC::BytecodeRewriter::BytecodeRewriter):
1471         (JSC::BytecodeRewriter::insertFragmentBefore):
1472         (JSC::BytecodeRewriter::insertFragmentAfter):
1473         (JSC::BytecodeRewriter::removeBytecode):
1474         (JSC::BytecodeRewriter::graph):
1475         (JSC::BytecodeRewriter::adjustAbsoluteOffset):
1476         (JSC::BytecodeRewriter::adjustJumpTarget):
1477         (JSC::BytecodeRewriter::calculateDifference):
1478         * bytecode/BytecodeUseDef.h:
1479         (JSC::computeUsesForBytecodeOffset):
1480         (JSC::computeDefsForBytecodeOffset):
1481         * bytecode/CodeBlock.cpp:
1482         (JSC::CodeBlock::dumpBytecode):
1483         (JSC::CodeBlock::finishCreation):
1484         (JSC::CodeBlock::handlerForIndex):
1485         (JSC::CodeBlock::shrinkToFit):
1486         (JSC::CodeBlock::valueProfileForBytecodeOffset):
1487         (JSC::CodeBlock::livenessAnalysisSlow):
1488         * bytecode/CodeBlock.h:
1489         (JSC::CodeBlock::isConstantRegisterIndex):
1490         (JSC::CodeBlock::livenessAnalysis):
1491         (JSC::CodeBlock::liveCalleeLocalsAtYield): Deleted.
1492         * bytecode/HandlerInfo.h:
1493         (JSC::HandlerInfoBase::handlerForIndex):
1494         * bytecode/Opcode.h:
1495         (JSC::isBranch):
1496         (JSC::isUnconditionalBranch):
1497         (JSC::isTerminal):
1498         (JSC::isThrow):
1499         * bytecode/PreciseJumpTargets.cpp:
1500         (JSC::getJumpTargetsForBytecodeOffset):
1501         (JSC::computePreciseJumpTargetsInternal):
1502         (JSC::computePreciseJumpTargets):
1503         (JSC::recomputePreciseJumpTargets):
1504         (JSC::findJumpTargetsForBytecodeOffset):
1505         * bytecode/PreciseJumpTargets.h:
1506         * bytecode/PreciseJumpTargetsInlines.h: Added.
1507         (JSC::extractStoredJumpTargetsForBytecodeOffset):
1508         * bytecode/UnlinkedCodeBlock.cpp:
1509         (JSC::UnlinkedCodeBlock::handlerForBytecodeOffset):
1510         (JSC::UnlinkedCodeBlock::handlerForIndex):
1511         (JSC::UnlinkedCodeBlock::applyModification):
1512         * bytecode/UnlinkedCodeBlock.h:
1513         (JSC::UnlinkedStringJumpTable::offsetForValue):
1514         (JSC::UnlinkedCodeBlock::numCalleeLocals):
1515         * bytecode/VirtualRegister.h:
1516         * bytecompiler/BytecodeGenerator.cpp:
1517         (JSC::BytecodeGenerator::generate):
1518         (JSC::BytecodeGenerator::BytecodeGenerator):
1519         (JSC::BytecodeGenerator::emitComplexPopScopes):
1520         (JSC::prepareJumpTableForStringSwitch):
1521         (JSC::BytecodeGenerator::emitYieldPoint):
1522         (JSC::BytecodeGenerator::emitSave): Deleted.
1523         (JSC::BytecodeGenerator::emitResume): Deleted.
1524         (JSC::BytecodeGenerator::emitGeneratorStateLabel): Deleted.
1525         (JSC::BytecodeGenerator::beginGenerator): Deleted.
1526         (JSC::BytecodeGenerator::endGenerator): Deleted.
1527         * bytecompiler/BytecodeGenerator.h:
1528         (JSC::BytecodeGenerator::generatorStateRegister):
1529         (JSC::BytecodeGenerator::generatorValueRegister):
1530         (JSC::BytecodeGenerator::generatorResumeModeRegister):
1531         (JSC::BytecodeGenerator::generatorFrameRegister):
1532         * bytecompiler/NodesCodegen.cpp:
1533         (JSC::FunctionNode::emitBytecode):
1534         * dfg/DFGOperations.cpp:
1535         * interpreter/Interpreter.cpp:
1536         (JSC::findExceptionHandler):
1537         (JSC::GetCatchHandlerFunctor::operator()):
1538         (JSC::UnwindFunctor::operator()):
1539         * interpreter/Interpreter.h:
1540         * interpreter/InterpreterInlines.h: Copied from Source/JavaScriptCore/bytecode/PreciseJumpTargets.h.
1541         (JSC::Interpreter::getOpcodeID):
1542         * jit/JIT.cpp:
1543         (JSC::JIT::privateCompileMainPass):
1544         * jit/JIT.h:
1545         * jit/JITOpcodes.cpp:
1546         (JSC::JIT::emit_op_save): Deleted.
1547         (JSC::JIT::emit_op_resume): Deleted.
1548         * llint/LowLevelInterpreter.asm:
1549         * parser/Parser.cpp:
1550         (JSC::Parser<LexerType>::parseInner):
1551         (JSC::Parser<LexerType>::parseGeneratorFunctionSourceElements):
1552         (JSC::Parser<LexerType>::createGeneratorParameters):
1553         * parser/Parser.h:
1554         * runtime/CommonSlowPaths.cpp:
1555         (JSC::SLOW_PATH_DECL): Deleted.
1556         * runtime/CommonSlowPaths.h:
1557         * runtime/GeneratorFrame.cpp: Removed.
1558         (JSC::GeneratorFrame::GeneratorFrame): Deleted.
1559         (JSC::GeneratorFrame::finishCreation): Deleted.
1560         (JSC::GeneratorFrame::createStructure): Deleted.
1561         (JSC::GeneratorFrame::create): Deleted.
1562         (JSC::GeneratorFrame::save): Deleted.
1563         (JSC::GeneratorFrame::resume): Deleted.
1564         (JSC::GeneratorFrame::visitChildren): Deleted.
1565         * runtime/GeneratorFrame.h: Removed.
1566         (JSC::GeneratorFrame::locals): Deleted.
1567         (JSC::GeneratorFrame::localAt): Deleted.
1568         (JSC::GeneratorFrame::offsetOfLocals): Deleted.
1569         (JSC::GeneratorFrame::allocationSizeForLocals): Deleted.
1570         * runtime/JSGeneratorFunction.h:
1571         * runtime/VM.cpp:
1572         (JSC::VM::VM):
1573         * runtime/VM.h:
1574
1575 2016-08-25  JF Bastien  <jfbastien@apple.com>
1576
1577         TryGetById should have a ValueProfile so that it can predict its output type
1578         https://bugs.webkit.org/show_bug.cgi?id=160921
1579
1580         Reviewed by Saam Barati.
1581
1582         Add a ValueProfile to TryGetById, and make sure DFG picks it up.
1583
1584         A microbenchmark for perfectly predicted computation shows a 20%
1585         runtime reduction with no hit if the prediction goes polymorphic.
1586
1587         * bytecode/BytecodeList.json:
1588         * bytecode/CodeBlock.cpp:
1589         (JSC::CodeBlock::dumpBytecode):
1590         (JSC::CodeBlock::finishCreation):
1591         * bytecompiler/BytecodeGenerator.cpp:
1592         (JSC::BytecodeGenerator::emitTryGetById):
1593         * dfg/DFGByteCodeParser.cpp:
1594         (JSC::DFG::ByteCodeParser::parseBlock):
1595         * dfg/DFGNode.h:
1596         (JSC::DFG::Node::hasHeapPrediction):
1597         * dfg/DFGPredictionPropagationPhase.cpp:
1598         * dfg/DFGSpeculativeJIT32_64.cpp:
1599         (JSC::DFG::SpeculativeJIT::compile):
1600         * dfg/DFGSpeculativeJIT64.cpp:
1601         (JSC::DFG::SpeculativeJIT::compile):
1602         * jit/JITPropertyAccess.cpp:
1603         (JSC::JIT::emit_op_try_get_by_id):
1604         * jit/JITPropertyAccess32_64.cpp:
1605         (JSC::JIT::emit_op_try_get_by_id):
1606         * llint/LLIntSlowPaths.cpp:
1607         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1608         * llint/LowLevelInterpreter.asm:
1609
1610 2016-08-25  Csaba Osztrogonác  <ossy@webkit.org>
1611
1612         generate-js-builtins.py should generate platform independent files
1613         https://bugs.webkit.org/show_bug.cgi?id=161196
1614
1615         Reviewed by Mark Lam.
1616
1617         * Scripts/generate-js-builtins.py: Files should be processed in fixed order.
1618
1619 2016-08-25  Caio Lima  <ticaiolima@gmail.com>
1620
1621         NewRegexp should not prevent inlining
1622         https://bugs.webkit.org/show_bug.cgi?id=154808
1623
1624         Reviewed by Geoffrey Garen.
1625
1626         In this patch we are changing the current mechanism used to represent
1627         RegExp in NewRegexp nodes. We are changing the use of an index
1628         pointing to RegExp in
1629         CodeBlock->m_unlinkedCodeBlock->m_rareData->m_regexps as the operand of
1630         NewRegexp node to RegExp address as the operand. To make sure that RegExp* is
1631         pointing to a valid object, we are using m_graph.freezeStrong
1632         mechanism.
1633
1634         * dfg/DFGByteCodeParser.cpp:
1635         (JSC::DFG::ByteCodeParser::parseBlock):
1636         * dfg/DFGCapabilities.cpp:
1637         (JSC::DFG::capabilityLevel):
1638         * dfg/DFGNode.h:
1639         (JSC::DFG::Node::hasCellOperand):
1640         (JSC::DFG::Node::hasRegexpIndex): Deleted.
1641         (JSC::DFG::Node::regexpIndex): Deleted.
1642         * dfg/DFGSpeculativeJIT32_64.cpp:
1643         (JSC::DFG::SpeculativeJIT::compile):
1644         * dfg/DFGSpeculativeJIT64.cpp:
1645         (JSC::DFG::SpeculativeJIT::compile):
1646         * dfg/DFGStrengthReductionPhase.cpp:
1647         (JSC::DFG::StrengthReductionPhase::handleNode):
1648         * ftl/FTLLowerDFGToB3.cpp:
1649         (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
1650
1651 2016-08-24  Benjamin Poulain  <benjamin@webkit.org>
1652
1653         [JSC] Make FRound work with any type
1654         https://bugs.webkit.org/show_bug.cgi?id=161129
1655
1656         Reviewed by Geoffrey Garen.
1657
1658         Math.fround() does nothing with arguments past the first one
1659         (https://tc39.github.io/ecma262/#sec-math.fround).
1660         We can unify ArithFRound with the other single-input intrinsics.
1661
1662         Everything else is same old: if the input type is not a number,
1663         be pessimistic about everything and do a C call.
1664
1665         * dfg/DFGAbstractInterpreterInlines.h:
1666         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1667         * dfg/DFGByteCodeParser.cpp:
1668         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1669         * dfg/DFGClobberize.h:
1670         (JSC::DFG::clobberize):
1671         * dfg/DFGFixupPhase.cpp:
1672         (JSC::DFG::FixupPhase::fixupNode):
1673         * dfg/DFGNodeType.h:
1674         * dfg/DFGOperations.cpp:
1675         * dfg/DFGOperations.h:
1676         * dfg/DFGSpeculativeJIT.cpp:
1677         (JSC::DFG::SpeculativeJIT::compileArithFRound):
1678         * dfg/DFGSpeculativeJIT.h:
1679         * dfg/DFGSpeculativeJIT32_64.cpp:
1680         (JSC::DFG::SpeculativeJIT::compile):
1681         * dfg/DFGSpeculativeJIT64.cpp:
1682         (JSC::DFG::SpeculativeJIT::compile):
1683         * ftl/FTLLowerDFGToB3.cpp:
1684         (JSC::FTL::DFG::LowerDFGToB3::compileArithFRound):
1685
1686 2016-08-24  Andreas Kling  <akling@apple.com>
1687
1688         Shrink DFG::OSRExit a bit.
1689         <https://webkit.org/b/161169>
1690
1691         Reviewed by Geoffrey Garen.
1692
1693         Rearrange the members of OSRExitBase and DFG::OSRExit to save 16 bytes per instance.
1694
1695         * dfg/DFGOSRExit.cpp:
1696         (JSC::DFG::OSRExit::OSRExit):
1697         * dfg/DFGOSRExit.h:
1698         * dfg/DFGOSRExitBase.h:
1699         (JSC::DFG::OSRExitBase::OSRExitBase):
1700
1701 2016-08-24  Ryan Haddad  <ryanhaddad@apple.com>
1702
1703         Rebaseline builtins-generator-tests since r204854 was rolled out.
1704
1705         Unreviewed test gardening.
1706
1707         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
1708         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
1709         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
1710         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
1711         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
1712         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
1713         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
1714         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
1715         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
1716         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
1717         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
1718         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
1719         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
1720         * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
1721
1722 2016-08-24  Yusuke Suzuki  <utatane.tea@gmail.com>
1723
1724         [JSC] Move generic data structures out of B3
1725         https://bugs.webkit.org/show_bug.cgi?id=161155
1726
1727         Reviewed by Saam Barati.
1728
1729         Move B3's good generic data structures to WTF.
1730         They can be used for the other kind of basic blocks and nodes.
1731         For example, the generator patch[1] will make BytecodeBasicBlock usable with these structures.
1732
1733         [1]: https://bugs.webkit.org/show_bug.cgi?id=152723
1734
1735         * JavaScriptCore.xcodeproj/project.pbxproj:
1736         * b3/B3BasicBlockUtils.h:
1737         * b3/B3BlockWorklist.h:
1738         * b3/B3CFG.h:
1739         * b3/B3DuplicateTails.cpp:
1740         * b3/B3FixSSA.cpp:
1741         * b3/B3FixSSA.h:
1742         * b3/B3IndexMap.h:
1743         (JSC::B3::IndexMap::IndexMap): Deleted.
1744         (JSC::B3::IndexMap::resize): Deleted.
1745         (JSC::B3::IndexMap::clear): Deleted.
1746         (JSC::B3::IndexMap::size): Deleted.
1747         (JSC::B3::IndexMap::operator[]): Deleted.
1748         * b3/B3IndexSet.h:
1749         (JSC::B3::IndexSet::IndexSet): Deleted.
1750         (JSC::B3::IndexSet::add): Deleted.
1751         (JSC::B3::IndexSet::addAll): Deleted.
1752         (JSC::B3::IndexSet::remove): Deleted.
1753         (JSC::B3::IndexSet::contains): Deleted.
1754         (JSC::B3::IndexSet::size): Deleted.
1755         (JSC::B3::IndexSet::isEmpty): Deleted.
1756         (JSC::B3::IndexSet::Iterable::Iterable): Deleted.
1757         (JSC::B3::IndexSet::Iterable::iterator::iterator): Deleted.
1758         (JSC::B3::IndexSet::Iterable::iterator::operator*): Deleted.
1759         (JSC::B3::IndexSet::Iterable::iterator::operator++): Deleted.
1760         (JSC::B3::IndexSet::Iterable::iterator::operator==): Deleted.
1761         (JSC::B3::IndexSet::Iterable::iterator::operator!=): Deleted.
1762         (JSC::B3::IndexSet::Iterable::begin): Deleted.
1763         (JSC::B3::IndexSet::Iterable::end): Deleted.
1764         (JSC::B3::IndexSet::values): Deleted.
1765         (JSC::B3::IndexSet::indices): Deleted.
1766         (JSC::B3::IndexSet::dump): Deleted.
1767         * b3/B3LowerToAir.cpp:
1768         * b3/B3PhiChildren.h:
1769         * b3/B3Procedure.h:
1770         (JSC::B3::Procedure::iterator::iterator): Deleted.
1771         (JSC::B3::Procedure::iterator::operator*): Deleted.
1772         (JSC::B3::Procedure::iterator::operator++): Deleted.
1773         (JSC::B3::Procedure::iterator::operator==): Deleted.
1774         (JSC::B3::Procedure::iterator::operator!=): Deleted.
1775         (JSC::B3::Procedure::iterator::findNext): Deleted.
1776         * b3/B3ReduceDoubleToFloat.cpp:
1777         * b3/B3ReduceStrength.cpp:
1778         * b3/B3SSACalculator.h:
1779         * b3/B3UseCounts.h:
1780         * b3/air/AirCode.h:
1781         * b3/air/AirEliminateDeadCode.cpp:
1782         * b3/air/AirFixObviousSpills.cpp:
1783         * b3/air/AirFixPartialRegisterStalls.cpp:
1784         * b3/air/AirGenerate.cpp:
1785         * b3/air/AirGenerationContext.h:
1786         * b3/air/AirLiveness.h:
1787         * b3/air/AirSpillEverything.cpp:
1788
1789 2016-08-24  Filip Pizlo  <fpizlo@apple.com>
1790
1791         Unreviewed, roll out r204901, r204897, r204866, r204856, r204854.
1792
1793         * API/JSTypedArray.cpp:
1794         * API/ObjCCallbackFunction.mm:
1795         * CMakeLists.txt:
1796         * JavaScriptCore.xcodeproj/project.pbxproj:
1797         * Scripts/builtins/builtins_generate_combined_implementation.py:
1798         (BuiltinsCombinedImplementationGenerator.generate_secondary_header_includes):
1799         * Scripts/builtins/builtins_generate_internals_wrapper_implementation.py:
1800         (BuiltinsInternalsWrapperImplementationGenerator.generate_secondary_header_includes):
1801         * Scripts/builtins/builtins_generate_separate_implementation.py:
1802         (BuiltinsSeparateImplementationGenerator.generate_secondary_header_includes):
1803         * assembler/AbstractMacroAssembler.h:
1804         (JSC::AbstractMacroAssembler::JumpList::link):
1805         (JSC::AbstractMacroAssembler::JumpList::linkTo):
1806         * assembler/MacroAssembler.h:
1807         * assembler/MacroAssemblerARM64.h:
1808         (JSC::MacroAssemblerARM64::add32):
1809         * assembler/MacroAssemblerCodeRef.cpp: Removed.
1810         * assembler/MacroAssemblerCodeRef.h:
1811         (JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
1812         (JSC::MacroAssemblerCodePtr::dumpWithName):
1813         (JSC::MacroAssemblerCodePtr::dump):
1814         (JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
1815         (JSC::MacroAssemblerCodeRef::dump):
1816         * b3/B3BasicBlock.cpp:
1817         (JSC::B3::BasicBlock::appendBoolConstant): Deleted.
1818         * b3/B3BasicBlock.h:
1819         * b3/B3DuplicateTails.cpp:
1820         * b3/B3StackmapGenerationParams.h:
1821         * b3/testb3.cpp:
1822         (JSC::B3::run):
1823         (JSC::B3::testPatchpointTerminalReturnValue): Deleted.
1824         * bindings/ScriptValue.cpp:
1825         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
1826         * bytecode/BytecodeBasicBlock.cpp:
1827         * bytecode/BytecodeLivenessAnalysis.cpp:
1828         * bytecode/BytecodeUseDef.h:
1829         * bytecode/CallLinkInfo.cpp:
1830         (JSC::CallLinkInfo::callTypeFor): Deleted.
1831         * bytecode/CallLinkInfo.h:
1832         (JSC::CallLinkInfo::callTypeFor):
1833         * bytecode/CallLinkStatus.cpp:
1834         * bytecode/CodeBlock.cpp:
1835         (JSC::CodeBlock::finishCreation):
1836         (JSC::CodeBlock::clearLLIntGetByIdCache): Deleted.
1837         * bytecode/CodeBlock.h:
1838         (JSC::CodeBlock::jitCodeMap):
1839         (JSC::clearLLIntGetByIdCache):
1840         * bytecode/Instruction.h:
1841         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
1842         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
1843         * bytecode/ObjectAllocationProfile.h:
1844         (JSC::ObjectAllocationProfile::isNull):
1845         (JSC::ObjectAllocationProfile::initialize):
1846         * bytecode/Opcode.h:
1847         (JSC::padOpcodeName):
1848         * bytecode/PolymorphicAccess.cpp:
1849         (JSC::AccessCase::generateImpl):
1850         (JSC::PolymorphicAccess::regenerate):
1851         * bytecode/PolymorphicAccess.h:
1852         * bytecode/PreciseJumpTargets.cpp:
1853         * bytecode/StructureStubInfo.cpp:
1854         * bytecode/StructureStubInfo.h:
1855         * bytecode/UnlinkedCodeBlock.cpp:
1856         (JSC::UnlinkedCodeBlock::vm):
1857         * bytecode/UnlinkedCodeBlock.h:
1858         * bytecode/UnlinkedInstructionStream.cpp:
1859         * bytecode/UnlinkedInstructionStream.h:
1860         * dfg/DFGOperations.cpp:
1861         * dfg/DFGSpeculativeJIT.cpp:
1862         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1863         (JSC::DFG::SpeculativeJIT::compileMakeRope):
1864         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1865         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1866         * dfg/DFGSpeculativeJIT.h:
1867         (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
1868         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
1869         * dfg/DFGSpeculativeJIT32_64.cpp:
1870         (JSC::DFG::SpeculativeJIT::compile):
1871         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
1872         * dfg/DFGSpeculativeJIT64.cpp:
1873         (JSC::DFG::SpeculativeJIT::compile):
1874         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
1875         * dfg/DFGStrengthReductionPhase.cpp:
1876         (JSC::DFG::StrengthReductionPhase::handleNode):
1877         * ftl/FTLAbstractHeapRepository.h:
1878         * ftl/FTLCompile.cpp:
1879         * ftl/FTLJITFinalizer.cpp:
1880         * ftl/FTLLowerDFGToB3.cpp:
1881         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
1882         (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
1883         (JSC::FTL::DFG::LowerDFGToB3::compileAllocateArrayWithSize):
1884         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
1885         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
1886         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1887         (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
1888         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
1889         (JSC::FTL::DFG::LowerDFGToB3::allocateCell):
1890         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
1891         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
1892         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
1893         (JSC::FTL::DFG::LowerDFGToB3::allocateArrayWithSize): Deleted.
1894         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell): Deleted.
1895         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize): Deleted.
1896         * ftl/FTLOutput.cpp:
1897         (JSC::FTL::Output::constBool):
1898         (JSC::FTL::Output::add):
1899         (JSC::FTL::Output::shl):
1900         (JSC::FTL::Output::aShr):
1901         (JSC::FTL::Output::lShr):
1902         (JSC::FTL::Output::zeroExt):
1903         (JSC::FTL::Output::equal):
1904         (JSC::FTL::Output::notEqual):
1905         (JSC::FTL::Output::above):
1906         (JSC::FTL::Output::aboveOrEqual):
1907         (JSC::FTL::Output::below):
1908         (JSC::FTL::Output::belowOrEqual):
1909         (JSC::FTL::Output::greaterThan):
1910         (JSC::FTL::Output::greaterThanOrEqual):
1911         (JSC::FTL::Output::lessThan):
1912         (JSC::FTL::Output::lessThanOrEqual):
1913         (JSC::FTL::Output::select):
1914         (JSC::FTL::Output::addIncomingToPhi):
1915         (JSC::FTL::Output::appendSuccessor): Deleted.
1916         * ftl/FTLOutput.h:
1917         * ftl/FTLValueFromBlock.h:
1918         (JSC::FTL::ValueFromBlock::ValueFromBlock):
1919         (JSC::FTL::ValueFromBlock::operator bool): Deleted.
1920         * ftl/FTLWeightedTarget.h:
1921         (JSC::FTL::WeightedTarget::frequentedBlock): Deleted.
1922         * heap/CellContainer.h: Removed.
1923         * heap/CellContainerInlines.h: Removed.
1924         * heap/ConservativeRoots.cpp:
1925         (JSC::ConservativeRoots::ConservativeRoots):
1926         (JSC::ConservativeRoots::~ConservativeRoots):
1927         (JSC::ConservativeRoots::grow):
1928         (JSC::ConservativeRoots::genericAddPointer):
1929         (JSC::ConservativeRoots::genericAddSpan):
1930         * heap/ConservativeRoots.h:
1931         (JSC::ConservativeRoots::roots):
1932         * heap/CopyToken.h:
1933         * heap/FreeList.cpp: Removed.
1934         * heap/FreeList.h: Removed.
1935         * heap/Heap.cpp:
1936         (JSC::Heap::Heap):
1937         (JSC::Heap::lastChanceToFinalize):
1938         (JSC::Heap::finalizeUnconditionalFinalizers):
1939         (JSC::Heap::markRoots):
1940         (JSC::Heap::copyBackingStores):
1941         (JSC::Heap::gatherStackRoots):
1942         (JSC::Heap::gatherJSStackRoots):
1943         (JSC::Heap::gatherScratchBufferRoots):
1944         (JSC::Heap::clearLivenessData):
1945         (JSC::Heap::visitSmallStrings):
1946         (JSC::Heap::visitConservativeRoots):
1947         (JSC::Heap::removeDeadCompilerWorklistEntries):
1948         (JSC::Heap::gatherExtraHeapSnapshotData):
1949         (JSC::Heap::removeDeadHeapSnapshotNodes):
1950         (JSC::Heap::visitProtectedObjects):
1951         (JSC::Heap::visitArgumentBuffers):
1952         (JSC::Heap::visitException):
1953         (JSC::Heap::visitStrongHandles):
1954         (JSC::Heap::visitHandleStack):
1955         (JSC::Heap::visitSamplingProfiler):
1956         (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
1957         (JSC::Heap::converge):
1958         (JSC::Heap::visitWeakHandles):
1959         (JSC::Heap::updateObjectCounts):
1960         (JSC::Heap::clearUnmarkedExecutables):
1961         (JSC::Heap::deleteUnmarkedCompiledCode):
1962         (JSC::Heap::collectAllGarbage):
1963         (JSC::Heap::collect):
1964         (JSC::Heap::collectImpl):
1965         (JSC::Heap::suspendCompilerThreads):
1966         (JSC::Heap::willStartCollection):
1967         (JSC::Heap::flushOldStructureIDTables):
1968         (JSC::Heap::flushWriteBarrierBuffer):
1969         (JSC::Heap::stopAllocation):
1970         (JSC::Heap::reapWeakHandles):
1971         (JSC::Heap::pruneStaleEntriesFromWeakGCMaps):
1972         (JSC::Heap::sweepArrayBuffers):
1973         (JSC::Heap::snapshotMarkedSpace):
1974         (JSC::Heap::deleteSourceProviderCaches):
1975         (JSC::Heap::notifyIncrementalSweeper):
1976         (JSC::Heap::writeBarrierCurrentlyExecutingCodeBlocks):
1977         (JSC::Heap::resetAllocators):
1978         (JSC::Heap::updateAllocationLimits):
1979         (JSC::Heap::didFinishCollection):
1980         (JSC::Heap::resumeCompilerThreads):
1981         (JSC::Zombify::visit):
1982         (JSC::Heap::collectWithoutAnySweep): Deleted.
1983         (JSC::Heap::prepareForMarking): Deleted.
1984         (JSC::Heap::forEachCodeBlockImpl): Deleted.
1985         * heap/Heap.h:
1986         (JSC::Heap::allocatorForObjectWithoutDestructor):
1987         (JSC::Heap::allocatorForObjectWithDestructor):
1988         (JSC::Heap::storageAllocator):
1989         (JSC::Heap::jitStubRoutines):
1990         (JSC::Heap::codeBlockSet):
1991         (JSC::Heap::allocatorForAuxiliaryData): Deleted.
1992         * heap/HeapCell.h:
1993         (JSC::HeapCell::isZapped):
1994         * heap/HeapCellInlines.h: Removed.
1995         * heap/HeapInlines.h:
1996         (JSC::Heap::heap):
1997         (JSC::Heap::isLive):
1998         (JSC::Heap::isMarked):
1999         (JSC::Heap::testAndSetMarked):
2000         (JSC::Heap::setMarked):
2001         (JSC::Heap::forEachCodeBlock):
2002         (JSC::Heap::allocateObjectOfType):
2003         (JSC::Heap::subspaceForObjectOfType):
2004         (JSC::Heap::allocatorForObjectOfType):
2005         (JSC::Heap::isPointerGCObject):
2006         (JSC::Heap::isValueGCObject):
2007         (JSC::Heap::cellSize): Deleted.
2008         (JSC::Heap::allocateAuxiliary): Deleted.
2009         (JSC::Heap::tryAllocateAuxiliary): Deleted.
2010         (JSC::Heap::tryReallocateAuxiliary): Deleted.
2011         * heap/HeapUtil.h: Removed.
2012         * heap/LargeAllocation.cpp: Removed.
2013         * heap/LargeAllocation.h: Removed.
2014         * heap/MarkedAllocator.cpp:
2015         (JSC::MarkedAllocator::retire):
2016         (JSC::MarkedAllocator::tryAllocateHelper):
2017         (JSC::MarkedAllocator::tryPopFreeList):
2018         (JSC::MarkedAllocator::tryAllocate):
2019         (JSC::MarkedAllocator::allocateSlowCase):
2020         (JSC::MarkedAllocator::allocateBlock):
2021         (JSC::MarkedAllocator::addBlock):
2022         (JSC::MarkedAllocator::removeBlock):
2023         (JSC::MarkedAllocator::reset):
2024         (JSC::MarkedAllocator::MarkedAllocator): Deleted.
2025         (JSC::MarkedAllocator::tryAllocateWithoutCollectingImpl): Deleted.
2026         (JSC::MarkedAllocator::tryAllocateWithoutCollecting): Deleted.
2027         (JSC::MarkedAllocator::tryAllocateSlowCase): Deleted.
2028         (JSC::MarkedAllocator::allocateSlowCaseImpl): Deleted.
2029         (JSC::blockHeaderSize): Deleted.
2030         (JSC::MarkedAllocator::blockSizeForBytes): Deleted.
2031         (JSC::MarkedAllocator::tryAllocateBlock): Deleted.
2032         (JSC::MarkedAllocator::setFreeList): Deleted.
2033         * heap/MarkedAllocator.h:
2034         (JSC::MarkedAllocator::offsetOfFreeListHead):
2035         (JSC::MarkedAllocator::MarkedAllocator):
2036         (JSC::MarkedAllocator::init):
2037         (JSC::MarkedAllocator::allocate):
2038         (JSC::MarkedAllocator::stopAllocating):
2039         (JSC::MarkedAllocator::offsetOfFreeList): Deleted.
2040         (JSC::MarkedAllocator::offsetOfCellSize): Deleted.
2041         (JSC::MarkedAllocator::tryAllocate): Deleted.
2042         * heap/MarkedBlock.cpp:
2043         (JSC::MarkedBlock::create):
2044         (JSC::MarkedBlock::MarkedBlock):
2045         (JSC::MarkedBlock::callDestructor):
2046         (JSC::MarkedBlock::specializedSweep):
2047         (JSC::MarkedBlock::sweep):
2048         (JSC::MarkedBlock::sweepHelper):
2049         (JSC::MarkedBlock::stopAllocating):
2050         (JSC::MarkedBlock::clearMarksWithCollectionType):
2051         (JSC::MarkedBlock::resumeAllocating):
2052         (JSC::MarkedBlock::didRetireBlock):
2053         (JSC::MarkedBlock::tryCreate): Deleted.
2054         (JSC::MarkedBlock::sweepHelperSelectScribbleMode): Deleted.
2055         (JSC::MarkedBlock::sweepHelperSelectStateAndSweepMode): Deleted.
2056         (JSC::MarkedBlock::forEachFreeCell): Deleted.
2057         * heap/MarkedBlock.h:
2058         (JSC::MarkedBlock::FreeList::FreeList):
2059         (JSC::MarkedBlock::isEmpty):
2060         (JSC::MarkedBlock::setHasAnyMarked): Deleted.
2061         (JSC::MarkedBlock::hasAnyMarked): Deleted.
2062         (JSC::MarkedBlock::clearHasAnyMarked): Deleted.
2063         (JSC::MarkedBlock::cellAlign): Deleted.
2064         * heap/MarkedSpace.cpp:
2065         (JSC::MarkedSpace::MarkedSpace):
2066         (JSC::MarkedSpace::lastChanceToFinalize):
2067         (JSC::MarkedSpace::sweep):
2068         (JSC::MarkedSpace::zombifySweep):
2069         (JSC::MarkedSpace::resetAllocators):
2070         (JSC::MarkedSpace::visitWeakSets):
2071         (JSC::MarkedSpace::reapWeakSets):
2072         (JSC::MarkedSpace::forEachAllocator):
2073         (JSC::MarkedSpace::stopAllocating):
2074         (JSC::MarkedSpace::resumeAllocating):
2075         (JSC::MarkedSpace::isPagedOut):
2076         (JSC::MarkedSpace::shrink):
2077         (JSC::MarkedSpace::clearNewlyAllocated):
2078         (JSC::MarkedSpace::clearMarks):
2079         (JSC::MarkedSpace::initializeSizeClassForStepSize): Deleted.
2080         (JSC::MarkedSpace::allocate): Deleted.
2081         (JSC::MarkedSpace::tryAllocate): Deleted.
2082         (JSC::MarkedSpace::allocateLarge): Deleted.
2083         (JSC::MarkedSpace::tryAllocateLarge): Deleted.
2084         (JSC::MarkedSpace::sweepLargeAllocations): Deleted.
2085         (JSC::MarkedSpace::prepareForMarking): Deleted.
2086         (JSC::MarkedSpace::objectCount): Deleted.
2087         (JSC::MarkedSpace::size): Deleted.
2088         (JSC::MarkedSpace::capacity): Deleted.
2089         * heap/MarkedSpace.h:
2090         (JSC::MarkedSpace::blocksWithNewObjects):
2091         (JSC::MarkedSpace::forEachLiveCell):
2092         (JSC::MarkedSpace::forEachDeadCell):
2093         (JSC::MarkedSpace::allocatorFor):
2094         (JSC::MarkedSpace::destructorAllocatorFor):
2095         (JSC::MarkedSpace::auxiliaryAllocatorFor):
2096         (JSC::MarkedSpace::allocateWithoutDestructor):
2097         (JSC::MarkedSpace::allocateWithDestructor):
2098         (JSC::MarkedSpace::allocateAuxiliary):
2099         (JSC::MarkedSpace::forEachBlock):
2100         (JSC::MarkedSpace::objectCount):
2101         (JSC::MarkedSpace::size):
2102         (JSC::MarkedSpace::capacity):
2103         (JSC::MarkedSpace::sizeClassToIndex): Deleted.
2104         (JSC::MarkedSpace::indexToSizeClass): Deleted.
2105         (JSC::MarkedSpace::largeAllocations): Deleted.
2106         (JSC::MarkedSpace::largeAllocationsNurseryOffset): Deleted.
2107         (JSC::MarkedSpace::largeAllocationsOffsetForThisCollection): Deleted.
2108         (JSC::MarkedSpace::largeAllocationsForThisCollectionBegin): Deleted.
2109         (JSC::MarkedSpace::largeAllocationsForThisCollectionEnd): Deleted.
2110         (JSC::MarkedSpace::largeAllocationsForThisCollectionSize): Deleted.
2111         (JSC::MarkedSpace::tryAllocateAuxiliary): Deleted.
2112         (JSC::MarkedSpace::forEachAllocator): Deleted.
2113         (JSC::MarkedSpace::optimalSizeFor): Deleted.
2114         * heap/SlotVisitor.cpp:
2115         (JSC::SlotVisitor::didStartMarking):
2116         (JSC::SlotVisitor::reset):
2117         (JSC::SlotVisitor::append):
2118         (JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
2119         (JSC::SlotVisitor::appendToMarkStack):
2120         (JSC::SlotVisitor::visitChildren):
2121         (JSC::SlotVisitor::appendJSCellOrAuxiliary): Deleted.
2122         (JSC::SlotVisitor::markAuxiliary): Deleted.
2123         (JSC::SlotVisitor::noteLiveAuxiliaryCell): Deleted.
2124         * heap/SlotVisitor.h:
2125         * heap/WeakBlock.cpp:
2126         (JSC::WeakBlock::create):
2127         (JSC::WeakBlock::WeakBlock):
2128         (JSC::WeakBlock::visit):
2129         (JSC::WeakBlock::reap):
2130         * heap/WeakBlock.h:
2131         (JSC::WeakBlock::disconnectMarkedBlock):
2132         (JSC::WeakBlock::disconnectContainer): Deleted.
2133         * heap/WeakSet.cpp:
2134         (JSC::WeakSet::sweep):
2135         (JSC::WeakSet::addAllocator):
2136         * heap/WeakSet.h:
2137         (JSC::WeakSet::WeakSet):
2138         * heap/WeakSetInlines.h:
2139         (JSC::WeakSet::allocate):
2140         * inspector/InjectedScriptManager.cpp:
2141         * inspector/JSGlobalObjectInspectorController.cpp:
2142         * inspector/JSJavaScriptCallFrame.cpp:
2143         * inspector/ScriptDebugServer.cpp:
2144         * inspector/agents/InspectorDebuggerAgent.cpp:
2145         * interpreter/CachedCall.h:
2146         (JSC::CachedCall::CachedCall):
2147         * interpreter/Interpreter.cpp:
2148         (JSC::StackFrame::sourceID):
2149         (JSC::StackFrame::sourceURL):
2150         (JSC::StackFrame::functionName):
2151         (JSC::loadVarargs):
2152         (JSC::StackFrame::computeLineAndColumn):
2153         (JSC::StackFrame::toString):
2154         * interpreter/Interpreter.h:
2155         (JSC::StackFrame::isNative):
2156         * jit/AssemblyHelpers.h:
2157         (JSC::AssemblyHelpers::emitAllocate):
2158         (JSC::AssemblyHelpers::emitAllocateJSCell):
2159         (JSC::AssemblyHelpers::emitAllocateJSObject):
2160         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
2161         (JSC::AssemblyHelpers::emitAllocateVariableSized):
2162         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator): Deleted.
2163         * jit/GCAwareJITStubRoutine.cpp:
2164         (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
2165         * jit/JIT.cpp:
2166         (JSC::JIT::compileCTINativeCall): Deleted.
2167         * jit/JIT.h:
2168         (JSC::JIT::compileCTINativeCall):
2169         * jit/JITExceptions.cpp:
2170         (JSC::genericUnwind): Deleted.
2171         * jit/JITExceptions.h:
2172         * jit/JITOpcodes.cpp:
2173         (JSC::JIT::emit_op_new_object):
2174         (JSC::JIT::emitSlow_op_new_object):
2175         (JSC::JIT::emit_op_create_this):
2176         (JSC::JIT::emitSlow_op_create_this):
2177         * jit/JITOpcodes32_64.cpp:
2178         (JSC::JIT::emit_op_new_object):
2179         (JSC::JIT::emitSlow_op_new_object):
2180         (JSC::JIT::emit_op_create_this):
2181         (JSC::JIT::emitSlow_op_create_this):
2182         * jit/JITOperations.cpp:
2183         * jit/JITOperations.h:
2184         * jit/JITPropertyAccess.cpp:
2185         (JSC::JIT::emitWriteBarrier):
2186         * jit/JITThunks.cpp:
2187         * jit/JITThunks.h:
2188         * jsc.cpp:
2189         (functionDescribeArray):
2190         (main):
2191         * llint/LLIntData.cpp:
2192         (JSC::LLInt::Data::performAssertions):
2193         * llint/LLIntExceptions.cpp:
2194         * llint/LLIntThunks.cpp:
2195         * llint/LLIntThunks.h:
2196         * llint/LowLevelInterpreter.asm:
2197         * llint/LowLevelInterpreter.cpp:
2198         * llint/LowLevelInterpreter32_64.asm:
2199         * llint/LowLevelInterpreter64.asm:
2200         * parser/ModuleAnalyzer.cpp:
2201         * parser/NodeConstructors.h:
2202         * parser/Nodes.h:
2203         * profiler/ProfilerBytecode.cpp:
2204         * profiler/ProfilerBytecode.h:
2205         * profiler/ProfilerBytecodeSequence.cpp:
2206         * runtime/ArrayConventions.h:
2207         (JSC::indexingHeaderForArray):
2208         (JSC::baseIndexingHeaderForArray):
2209         (JSC::indexingHeaderForArrayStorage): Deleted.
2210         (JSC::baseIndexingHeaderForArrayStorage): Deleted.
2211         * runtime/ArrayPrototype.cpp:
2212         (JSC::arrayProtoFuncSplice):
2213         (JSC::concatAppendOne):
2214         (JSC::arrayProtoPrivateFuncConcatMemcpy):
2215         * runtime/ArrayStorage.h:
2216         (JSC::ArrayStorage::vectorLength):
2217         (JSC::ArrayStorage::sizeFor):
2218         (JSC::ArrayStorage::totalSizeFor): Deleted.
2219         (JSC::ArrayStorage::totalSize): Deleted.
2220         (JSC::ArrayStorage::availableVectorLength): Deleted.
2221         (JSC::ArrayStorage::optimalVectorLength): Deleted.
2222         * runtime/AuxiliaryBarrier.h: Removed.
2223         * runtime/AuxiliaryBarrierInlines.h: Removed.
2224         * runtime/Butterfly.h:
2225         * runtime/ButterflyInlines.h:
2226         (JSC::Butterfly::createUninitialized):
2227         (JSC::Butterfly::growArrayRight):
2228         (JSC::Butterfly::availableContiguousVectorLength): Deleted.
2229         (JSC::Butterfly::optimalContiguousVectorLength): Deleted.
2230         * runtime/ClonedArguments.cpp:
2231         (JSC::ClonedArguments::createEmpty):
2232         * runtime/CommonSlowPathsExceptions.cpp:
2233         * runtime/CommonSlowPathsExceptions.h:
2234         * runtime/DataView.cpp:
2235         * runtime/DirectArguments.h:
2236         * runtime/ECMAScriptSpecInternalFunctions.cpp:
2237         * runtime/Error.cpp:
2238         * runtime/Error.h:
2239         * runtime/ErrorInstance.cpp:
2240         * runtime/ErrorInstance.h:
2241         * runtime/Exception.cpp:
2242         * runtime/Exception.h:
2243         * runtime/GeneratorFrame.cpp:
2244         * runtime/GeneratorPrototype.cpp:
2245         * runtime/InternalFunction.cpp:
2246         (JSC::InternalFunction::InternalFunction):
2247         * runtime/IntlCollator.cpp:
2248         * runtime/IntlCollatorConstructor.cpp:
2249         * runtime/IntlCollatorPrototype.cpp:
2250         * runtime/IntlDateTimeFormat.cpp:
2251         * runtime/IntlDateTimeFormatConstructor.cpp:
2252         * runtime/IntlDateTimeFormatPrototype.cpp:
2253         * runtime/IntlNumberFormat.cpp:
2254         * runtime/IntlNumberFormatConstructor.cpp:
2255         * runtime/IntlNumberFormatPrototype.cpp:
2256         * runtime/IntlObject.cpp:
2257         * runtime/IteratorPrototype.cpp:
2258         * runtime/JSArray.cpp:
2259         (JSC::JSArray::setLengthWritable):
2260         (JSC::JSArray::unshiftCountSlowCase):
2261         (JSC::JSArray::setLengthWithArrayStorage):
2262         (JSC::JSArray::appendMemcpy):
2263         (JSC::JSArray::setLength):
2264         (JSC::JSArray::pop):
2265         (JSC::JSArray::push):
2266         (JSC::JSArray::fastSlice):
2267         (JSC::JSArray::shiftCountWithArrayStorage):
2268         (JSC::JSArray::shiftCountWithAnyIndexingType):
2269         (JSC::JSArray::unshiftCountWithArrayStorage):
2270         (JSC::JSArray::fillArgList):
2271         (JSC::JSArray::copyToArguments):
2272         (JSC::JSArray::tryCreateUninitialized): Deleted.
2273         * runtime/JSArray.h:
2274         (JSC::createContiguousArrayButterfly):
2275         (JSC::createArrayButterfly):
2276         (JSC::JSArray::create):
2277         (JSC::JSArray::tryCreateUninitialized):
2278         * runtime/JSArrayBufferView.h:
2279         * runtime/JSCInlines.h:
2280         * runtime/JSCJSValue.cpp:
2281         (JSC::JSValue::dumpInContextAssumingStructure):
2282         * runtime/JSCallee.cpp:
2283         (JSC::JSCallee::JSCallee):
2284         * runtime/JSCell.cpp:
2285         (JSC::JSCell::estimatedSize):
2286         * runtime/JSCell.h:
2287         (JSC::JSCell::cellStateOffset):
2288         * runtime/JSCellInlines.h:
2289         (JSC::JSCell::vm):
2290         (JSC::ExecState::vm):
2291         (JSC::JSCell::classInfo):
2292         (JSC::JSCell::callDestructor): Deleted.
2293         * runtime/JSFunction.cpp:
2294         (JSC::JSFunction::create):
2295         (JSC::JSFunction::allocateAndInitializeRareData):
2296         (JSC::JSFunction::initializeRareData):
2297         (JSC::JSFunction::getOwnPropertySlot):
2298         (JSC::JSFunction::put):
2299         (JSC::JSFunction::deleteProperty):
2300         (JSC::JSFunction::defineOwnProperty):
2301         (JSC::JSFunction::setFunctionName):
2302         (JSC::JSFunction::reifyLength):
2303         (JSC::JSFunction::reifyName):
2304         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
2305         (JSC::JSFunction::reifyBoundNameIfNeeded):
2306         * runtime/JSFunction.h:
2307         * runtime/JSFunctionInlines.h:
2308         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
2309         (JSC::JSFunction::JSFunction):
2310         * runtime/JSGenericTypedArrayViewInlines.h:
2311         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
2312         * runtime/JSInternalPromise.cpp:
2313         * runtime/JSInternalPromiseConstructor.cpp:
2314         * runtime/JSInternalPromiseDeferred.cpp:
2315         * runtime/JSInternalPromisePrototype.cpp:
2316         * runtime/JSJob.cpp:
2317         * runtime/JSMapIterator.cpp:
2318         * runtime/JSModuleNamespaceObject.cpp:
2319         * runtime/JSModuleRecord.cpp:
2320         * runtime/JSObject.cpp:
2321         (JSC::JSObject::copyButterfly):
2322         (JSC::JSObject::visitButterfly):
2323         (JSC::JSObject::copyBackingStore):
2324         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
2325         (JSC::JSObject::createInitialIndexedStorage):
2326         (JSC::JSObject::createInitialUndecided):
2327         (JSC::JSObject::createInitialInt32):
2328         (JSC::JSObject::createInitialDouble):
2329         (JSC::JSObject::createInitialContiguous):
2330         (JSC::JSObject::createArrayStorage):
2331         (JSC::JSObject::createInitialArrayStorage):
2332         (JSC::JSObject::convertUndecidedToInt32):
2333         (JSC::JSObject::convertUndecidedToContiguous):
2334         (JSC::JSObject::convertUndecidedToArrayStorage):
2335         (JSC::JSObject::convertInt32ToDouble):
2336         (JSC::JSObject::convertInt32ToArrayStorage):
2337         (JSC::JSObject::convertDoubleToArrayStorage):
2338         (JSC::JSObject::convertContiguousToArrayStorage):
2339         (JSC::JSObject::putByIndexBeyondVectorLength):
2340         (JSC::JSObject::putDirectIndexBeyondVectorLength):
2341         (JSC::JSObject::getNewVectorLength):
2342         (JSC::JSObject::increaseVectorLength):
2343         (JSC::JSObject::ensureLengthSlow):
2344         (JSC::JSObject::growOutOfLineStorage):
2345         * runtime/JSObject.h:
2346         (JSC::JSObject::putDirectInternal):
2347         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
2348         (JSC::JSObject::globalObject): Deleted.
2349         * runtime/JSObjectInlines.h:
2350         * runtime/JSPromise.cpp:
2351         * runtime/JSPromiseConstructor.cpp:
2352         * runtime/JSPromiseDeferred.cpp:
2353         * runtime/JSPromisePrototype.cpp:
2354         * runtime/JSPropertyNameIterator.cpp:
2355         * runtime/JSScope.cpp:
2356         (JSC::JSScope::resolve):
2357         * runtime/JSScope.h:
2358         (JSC::JSScope::vm):
2359         (JSC::JSScope::globalObject): Deleted.
2360         * runtime/JSSetIterator.cpp:
2361         * runtime/JSStringIterator.cpp:
2362         * runtime/JSTemplateRegistryKey.cpp:
2363         * runtime/JSTypedArrayViewConstructor.cpp:
2364         * runtime/JSTypedArrayViewPrototype.cpp:
2365         * runtime/JSWeakMap.cpp:
2366         * runtime/JSWeakSet.cpp:
2367         * runtime/MapConstructor.cpp:
2368         * runtime/MapIteratorPrototype.cpp:
2369         * runtime/MapPrototype.cpp:
2370         * runtime/NativeErrorConstructor.cpp:
2371         * runtime/NativeStdFunctionCell.cpp:
2372         * runtime/Operations.h:
2373         (JSC::scribbleFreeCells): Deleted.
2374         (JSC::scribble): Deleted.
2375         * runtime/Options.h:
2376         * runtime/PropertyTable.cpp:
2377         * runtime/ProxyConstructor.cpp:
2378         * runtime/ProxyObject.cpp:
2379         * runtime/ProxyRevoke.cpp:
2380         * runtime/RegExp.cpp:
2381         (JSC::RegExp::match):
2382         (JSC::RegExp::matchConcurrently):
2383         (JSC::RegExp::matchCompareWithInterpreter):
2384         * runtime/RegExp.h:
2385         * runtime/RegExpConstructor.h:
2386         * runtime/RegExpInlines.h:
2387         (JSC::RegExp::matchInline):
2388         * runtime/RegExpMatchesArray.h:
2389         (JSC::tryCreateUninitializedRegExpMatchesArray):
2390         (JSC::createRegExpMatchesArray):
2391         * runtime/RegExpPrototype.cpp:
2392         (JSC::genericSplit):
2393         * runtime/RuntimeType.cpp:
2394         * runtime/SamplingProfiler.cpp:
2395         (JSC::SamplingProfiler::processUnverifiedStackTraces):
2396         * runtime/SetConstructor.cpp:
2397         * runtime/SetIteratorPrototype.cpp:
2398         * runtime/SetPrototype.cpp:
2399         * runtime/StackFrame.cpp: Removed.
2400         * runtime/StackFrame.h: Removed.
2401         * runtime/StringConstructor.cpp:
2402         * runtime/StringIteratorPrototype.cpp:
2403         * runtime/TemplateRegistry.cpp:
2404         * runtime/TestRunnerUtils.cpp:
2405         (JSC::finalizeStatsAtEndOfTesting): Deleted.
2406         * runtime/TestRunnerUtils.h:
2407         * runtime/TypeProfilerLog.cpp:
2408         * runtime/TypeSet.cpp:
2409         * runtime/VM.cpp:
2410         (JSC::VM::ensureStackCapacityForCLoop): Deleted.
2411         (JSC::VM::isSafeToRecurseSoftCLoop): Deleted.
2412         * runtime/VM.h:
2413         * runtime/VMEntryScope.h:
2414         * runtime/VMInlines.h:
2415         (JSC::VM::ensureStackCapacityFor):
2416         (JSC::VM::isSafeToRecurseSoft):
2417         * runtime/WeakMapConstructor.cpp:
2418         * runtime/WeakMapData.cpp:
2419         * runtime/WeakMapPrototype.cpp:
2420         * runtime/WeakSetConstructor.cpp:
2421         * runtime/WeakSetPrototype.cpp:
2422         * testRegExp.cpp:
2423         (testOneRegExp):
2424         * tools/JSDollarVM.cpp:
2425         * tools/JSDollarVMPrototype.cpp:
2426         (JSC::JSDollarVMPrototype::isInObjectSpace):
2427
2428 2016-08-23  Filip Pizlo  <fpizlo@apple.com>
2429
2430         js/regress/put-by-id-transition-with-indexing-header.html and svg/carto.net/window.svg fail in debug after r204854
2431         https://bugs.webkit.org/show_bug.cgi?id=161115
2432
2433         Reviewed by Keith Miller.
2434         
2435         There were two small goofs.
2436
2437         * bytecode/ObjectAllocationProfile.h:
2438         (JSC::ObjectAllocationProfile::isNull): The new policy is that the allocator can be null. So now the way you tell if the profile is null is by checking the structure.
2439         * jit/JITOperations.cpp: This was using DeferGC, which is now definitely wrong. It forces the GC to happen when the structure and butterfly are mismatched. It's better for the GC to happen before we put the butterfly in the object.
2440
2441 2016-08-24  Filip Pizlo  <fpizlo@apple.com>
2442
2443         AssemblyHelpers::emitAllocateWithNonNullAllocator() crashes in the FTL on ARM64
2444         https://bugs.webkit.org/show_bug.cgi?id=161138
2445         rdar://problem/27985868
2446
2447         Reviewed by Saam Barati.
2448         
2449         The FTL expects that this method can be used with scratch registers disallowed, but it
2450         uses addPtr(Addr, Reg).
2451
2452         The solution is to only use addPtr(Addr, Reg) on x86.
2453
2454         * jit/AssemblyHelpers.h:
2455         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
2456
2457 2016-08-24  Skachkov Oleksandr  <gskachkov@gmail.com>
2458
2459         [ES2016] Allow assignment in for-in head in not-strict mode
2460         https://bugs.webkit.org/show_bug.cgi?id=160955
2461
2462         Reviewed by Saam Barati.
2463
2464         This patch allows assignment in the for..in head in non-strict mode,
2465         according to the spec https://tc39.github.io/ecma262/#sec-initializers-in-forin-statement-heads
2466
2467         * bytecompiler/NodesCodegen.cpp:
2468         (JSC::ForInNode::emitLoopHeader):
2469         (JSC::ForInNode::emitMultiLoopBytecode):
2470         * parser/Nodes.h:
2471         (JSC::ExpressionNode::isAssignResolveNode):
2472         (JSC::AssignResolveNode::identifier):
2473         (JSC::ExpressionNode::isResolveNode): Deleted.
2474         * parser/Parser.cpp:
2475         (JSC::Parser<LexerType>::parseForStatement):
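
        The following JavaScript is an added illustration, not part of this ChangeLog or of JSC's own code. It probes the Annex B rule the entry refers to in whatever engine runs it: a `var` binding in a for-in head may carry an initializer only in sloppy mode, the initializer is evaluated and assigned before enumeration begins, and strict mode, lexical (`let`/`const`) bindings and destructuring patterns all reject it at parse time. Each probe body is compiled with `new Function` so its mode comes from the body text rather than from the enclosing file; the function names are assumptions of this example.

```javascript
// Added example (not WebKit/JSC code). Probes Annex B "initializers in
// for-in statement heads" in whatever engine runs this file. Bodies are
// built with `new Function` so the mode is decided by the body text, not
// by whether the surrounding file is a strict module.

// Returns true if the body parses, false if the engine reports a SyntaxError.
function parsesAsFunctionBody(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Which for-in head forms the engine accepts; only the first should parse.
function forInInitializerSupport() {
  return {
    sloppyVar: parsesAsFunctionBody("for (var i = 0 in {}) {}"),
    strictVar: parsesAsFunctionBody("'use strict'; for (var i = 0 in {}) {}"),
    sloppyLet: parsesAsFunctionBody("for (let i = 0 in {}) {}"),
    sloppyPattern: parsesAsFunctionBody("for (var [i] = [0] in {}) {}"),
  };
}

// Observable semantics in sloppy mode: the initializer is assigned before
// enumeration starts, so it survives when the object has no enumerable keys
// and is overwritten by the last enumerated key otherwise.
function sloppyForInInitializerSemantics() {
  const probe = new Function(`
    var keys = [];
    for (var i = 'init' in {}) keys.push(i);
    var afterEmpty = i;
    for (var j = 'init' in { a: 1, b: 2 }) keys.push(j);
    return { afterEmpty: afterEmpty, afterLoop: j, keys: keys };
  `);
  return probe();
}
```

        Running `forInInitializerSupport()` on a conforming engine yields `{ sloppyVar: true, strictVar: false, sloppyLet: false, sloppyPattern: false }`, and `sloppyForInInitializerSemantics()` returns `afterEmpty: 'init'` with `afterLoop: 'b'`, which is exactly the parser and bytecode behaviour this patch brings to JSC.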
2476
2477 2016-08-23  Saam Barati  <sbarati@apple.com>
2478
2479         It should be easy to run ES6SampleBench from the jsc shell
2480         https://bugs.webkit.org/show_bug.cgi?id=161085
2481
2482         Reviewed by Yusuke Suzuki.
2483
2484         This patch adds a new function called `runString` to the shell.
2485         It takes in a string, and executes it in a new global object.
2486         Then, it returns the global object it executed the code in.
2487         This allows the code to stash some kind of a result on the global,
2488         and then have the caller of `runString` extract the result.
2489
2490         * jsc.cpp:
2491         (GlobalObject::finishCreation):
2492         (functionRunString):
2493
2494 2016-08-23  Benjamin Poulain  <benjamin@webkit.org>
2495
2496         [JSC] Make ArithLog work with any type
2497         https://bugs.webkit.org/show_bug.cgi?id=161110
2498
2499         Reviewed by Geoffrey Garen.
2500
2501         Same old: if the type is not a number, assume the worst in every
2502         phase and generate a fallback function call.
2503
2504         * dfg/DFGAbstractInterpreterInlines.h:
2505         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2506         * dfg/DFGClobberize.h:
2507         (JSC::DFG::clobberize):
2508         * dfg/DFGFixupPhase.cpp:
2509         (JSC::DFG::FixupPhase::fixupNode):
2510         * dfg/DFGNodeType.h:
2511         * dfg/DFGOperations.cpp:
2512         * dfg/DFGOperations.h:
2513         * dfg/DFGSpeculativeJIT.cpp:
2514         (JSC::DFG::SpeculativeJIT::compileArithLog):
2515         * ftl/FTLLowerDFGToB3.cpp:
2516         (JSC::FTL::DFG::LowerDFGToB3::compileArithLog):
2517
2518 2016-08-23  Ryan Haddad  <ryanhaddad@apple.com>
2519
2520         Rebaseline builtins-generator-tests after r204854.
2521
2522         Unreviewed test gardening.
2523
2524         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
2525         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
2526         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
2527         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
2528         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
2529         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
2530         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
2531         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
2532         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
2533         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
2534         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
2535         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
2536         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
2537         * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
2538
2539 2016-08-23  Keith Miller  <keith_miller@apple.com>
2540
2541         %TypedArray%.prototype.slice needs to check that the source and destination have not been detached.
2542         https://bugs.webkit.org/show_bug.cgi?id=161031
2543         <rdar://problem/27937019>
2544
2545         Reviewed by Geoffrey Garen.
2546
2547         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
2548         (JSC::speciesConstruct):
2549         (JSC::genericTypedArrayViewProtoFuncSlice):
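
        The following JavaScript is an added illustration of the hazard this entry fixes; it is not part of this ChangeLog or of JSC's code. `%TypedArray%.prototype.slice` consults the source array's `Symbol.species` constructor before copying, and that call runs arbitrary user code, which can detach the source buffer or hand back an already-detached destination. A conforming engine must re-validate both arrays after the species call and throw a TypeError instead of copying through a freed backing store. The `detach` helper, the class names and `runSliceDetachChecks` are assumptions of this example; it assumes a runtime with `structuredClone` (Node 17 or later, or a browser), with Node's `worker_threads` as a fallback.

```javascript
// Added example (not WebKit/JSC code). Demonstrates why
// %TypedArray%.prototype.slice must re-validate both arrays after calling
// the species constructor: user code runs inside that call and can detach
// either ArrayBuffer. A conforming engine throws a TypeError rather than
// reading or writing freed memory. Assumes structuredClone (Node >= 17 or a
// browser), with Node's worker_threads as a fallback.

function detach(buffer) {
  // Transferring an ArrayBuffer detaches it in the sending realm.
  if (typeof structuredClone === 'function') {
    structuredClone(buffer, { transfer: [buffer] });
  } else {
    const { MessageChannel } = require('worker_threads');
    const { port1 } = new MessageChannel();
    port1.postMessage(buffer, [buffer]);
    port1.close();
  }
  return buffer.byteLength === 0; // a detached buffer reports length 0
}

// Runs fn and reports either 'ok' or the name of the error class it threw.
function outcome(fn) {
  try {
    fn();
    return 'ok';
  } catch (e) {
    return e.constructor.name;
  }
}

let sourceUnderTest = null;

// Species constructor that detaches the *source* array mid-slice.
class DetachingSource extends Uint8Array {
  static get [Symbol.species]() {
    return function DestinationCtor(length) {
      detach(sourceUnderTest.buffer);
      return new Uint8Array(length);
    };
  }
}

// Species constructor that hands back an already-detached *destination*.
class DetachedDestination extends Uint8Array {
  static get [Symbol.species]() {
    return function DestinationCtor(length) {
      const dest = new Uint8Array(length);
      detach(dest.buffer);
      return dest;
    };
  }
}

function runSliceDetachChecks() {
  const src = new DetachingSource([1, 2, 3, 4]);
  sourceUnderTest = src;
  const results = {
    // Well-behaved baseline: slice copies the requested window.
    plain: Array.from(new Uint8Array([1, 2, 3, 4]).slice(1, 3)),
    // Source detached by the species constructor: must be a TypeError.
    detachedSource: outcome(() => src.slice(0, 2)),
    sourceIsDetached: src.byteLength === 0,
    // Destination already detached when returned: must be a TypeError.
    detachedDestination: outcome(() => new DetachedDestination([1, 2, 3, 4]).slice(0, 2)),
  };
  sourceUnderTest = null;
  return results;
}
```

        On an engine that performs both checks, `runSliceDetachChecks()` reports `plain: [2, 3]` and `TypeError` for both detached cases. An engine that skipped the re-validation would instead reach its memcpy-style copy loop with a zero-length (or freed) backing store, which is the class of bug this patch closes.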
2550
2551 2016-08-23  Filip Pizlo  <fpizlo@apple.com>
2552
2553         REGRESSION(204854): ASan is unhappy
2554         https://bugs.webkit.org/show_bug.cgi?id=161109
2555
2556         Reviewed by Geoffrey Garen.
2557         
2558         I messed up RegExpConstructor: it ends up being a callee and a large allocation.
2559         
2560         This fixes it to not be a large allocation.
2561
2562         * dfg/DFGStrengthReductionPhase.cpp:
2563         (JSC::DFG::StrengthReductionPhase::handleNode):
2564         * runtime/InternalFunction.cpp:
2565         (JSC::InternalFunction::InternalFunction):
2566         * runtime/RegExp.cpp:
2567         (JSC::RegExp::match):
2568         (JSC::RegExp::matchConcurrently):
2569         (JSC::RegExp::matchCompareWithInterpreter):
2570         * runtime/RegExp.h:
2571         * runtime/RegExpConstructor.h:
2572         * runtime/RegExpInlines.h:
2573         (JSC::RegExp::matchInline):
2574         * runtime/RegExpPrototype.cpp:
2575         (JSC::genericSplit):
2576         * testRegExp.cpp:
2577         (testOneRegExp):
2578
2579 2016-08-23  Saam Barati  <sbarati@apple.com>
2580
2581         strict mode eval should not fire the var injection watch point
2582         https://bugs.webkit.org/show_bug.cgi?id=161104
2583
2584         Reviewed by Geoffrey Garen.
2585
2586         Strict mode eval can't do any variable injections. It was
2587         an oversight that we fired the var injection watchpoint when
2588         the eval is in strict mode.
2589
2590         * interpreter/Interpreter.cpp:
2591         (JSC::Interpreter::execute):
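
        The following JavaScript is an added illustration, not part of this ChangeLog or of JSC's code, of what "var injection" means and why only a sloppy-mode direct eval can do it: such an eval declares its `var`s into the caller's variable environment, a strict direct eval gets a fresh environment of its own, and an indirect eval targets the global object regardless of the caller's mode. Probe bodies are compiled with `new Function` so their mode comes from the body text rather than from the enclosing file; the probe and variable names are assumptions of this example.

```javascript
// Added example (not WebKit/JSC code). Shows which kinds of eval can inject
// a `var` into the calling function's scope. Probe bodies are built with
// `new Function` so the mode is decided by the body text, not by whether the
// surrounding file is a strict module.

const sloppyDirectProbe = new Function(`
  var evalTarget = 'outer';
  // Direct eval in sloppy code: both vars land in this function's scope.
  eval('var evalTarget = "injected"; var evalExtra = 1;');
  return { target: evalTarget, extraType: typeof evalExtra };
`);

const strictDirectProbe = new Function(`
  'use strict';
  var evalTarget = 'outer';
  // Direct eval in strict code: the eval'd vars stay inside the eval.
  eval('var evalTarget = "injected"; var evalExtra = 1;');
  return { target: evalTarget, extraType: typeof evalExtra };
`);

// Indirect eval ignores the caller entirely and declares on the global
// object, strict or not, so it never rewrites a caller-local binding.
const strictIndirectProbe = new Function(`
  'use strict';
  var evalTarget = 'outer';
  (0, eval)('var evalTarget = "global"; var evalExtra = 1;');
  return { target: evalTarget, extraType: typeof evalExtra, globalTarget: globalThis.evalTarget };
`);

function varInjectionProbes() {
  const results = {
    sloppyDirect: sloppyDirectProbe(),
    strictDirect: strictDirectProbe(),
    strictIndirect: strictIndirectProbe(),
  };
  // Vars declared by eval on the global object are configurable; clean up.
  delete globalThis.evalTarget;
  delete globalThis.evalExtra;
  return results;
}
```

        `varInjectionProbes()` returns `sloppyDirect: { target: 'injected', extraType: 'number' }`, `strictDirect: { target: 'outer', extraType: 'undefined' }` and `strictIndirect: { target: 'outer', ..., globalTarget: 'global' }`. Only the first case can invalidate what optimized code assumed about the caller's scope, which is why the watchpoint need only fire for a sloppy-mode eval.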
2592
2593 2016-07-24  Filip Pizlo  <fpizlo@apple.com>
2594
2595         Spilling of constant tmps should make it easier for the spill code optimizer to rematerialize the constant
2596         https://bugs.webkit.org/show_bug.cgi?id=160150
2597         
2598         Reviewed by Benjamin Poulain.
2599         
2600         When we spill in-place for admitsStack()==true, we prevent rematerialization if that
2601         argument doesn't also admit immediates (which it almost certainly won't do).  So, we
2602         prevent remat.
2603         
2604         This fixes the issue by avoiding in-place spilling for warm uses of constants. I don't
2605         know if this helps performance, but I do know that it makes the codegen for
2606         bigswitch-indirect-symbol look a lot better. Prior to this change, the prolog would have
2607         a constant materialization for each symbol that function used, and then it would spill
2608         that constant. This removes all of that yucky code.
2609         
2610         This also changes how IRC detects constant Tmps. Previously we would say that a Tmp is a
2611         constant if the number of const defs was equal to the number of defs. But it's possible
2612         for each of the const defs to produce a different value. This is unlikely considering
2613         how B3->Air lowering works and how our SSA works - each def would have its own register.
2614         But, regardless, this picks a more precise way of detecting constants: the number of
2615         const defs must be 1 and the number of defs must be 1.
2616         
2617         * b3/air/AirIteratedRegisterCoalescing.cpp:
2618         
2619 2016-08-23  Filip Pizlo  <fpizlo@apple.com>
2620
2621         Unreviewed, fix CLoop build.
2622         
2623         This fixes the CLoop build while still ensuring that Interpreter.h is a project header.
2624
2625         * llint/LowLevelInterpreter.cpp:
2626         * runtime/VM.cpp:
2627         (JSC::VM::ensureStackCapacityForCLoop):
2628         (JSC::VM::isSafeToRecurseSoftCLoop):
2629         * runtime/VM.h:
2630         * runtime/VMInlines.h:
2631         (JSC::VM::ensureStackCapacityFor):
2632         (JSC::VM::isSafeToRecurseSoft):
2633
2634 2016-08-22  Filip Pizlo  <fpizlo@apple.com>
2635
2636         Butterflies should be allocated in Auxiliary MarkedSpace instead of CopiedSpace and we should rewrite as much of the GC as needed to make this not a regression
2637         https://bugs.webkit.org/show_bug.cgi?id=160125
2638
2639         Reviewed by Geoffrey Garen.
2640
2641         In order to make the GC concurrent (bug 149432), we would either need to enable concurrent
2642         copying or we would need to not copy. Concurrent copying carries a 1-2% throughput overhead
2643         from the barriers alone. Considering that MarkedSpace does a decent job of avoiding
2644         fragmentation, it's unlikely that it's worth paying 1-2% throughput for copying. So, we want
2645         to get rid of copied space. This change moves copied space's biggest client over to marked
2646         space.
2647         
2648         Moving butterflies to marked space means having them use the new Auxiliary HeapCell
2649         allocation path. This is a fairly mechanical change, but it caused performance regressions
2650         everywhere, so this change also fixes MarkedSpace's performance issues.
2651         
2652         At a high level the mechanical changes are:
2653         
2654         - We use AuxiliaryBarrier instead of CopyBarrier.
2655         
2656         - We use tryAllocateAuxiliary instead of tryAllocateStorage. I got rid of the silly
2657           CheckedBoolean stuff, since it's so much more trouble than it's worth.
2658         
2659         - The JITs have to emit inlined marked space allocations instead of inline copy space
2660           allocations.
2661         
2662         - Everyone has to get used to zeroing their butterflies after allocation instead of relying
2663           on them being pre-zeroed by the GC. Copied space would zero things for you, while marked
2664           space doesn't.
2665         
2666         That's about 1/3 of this change. But this led to performance problems, which I fixed with
2667         optimizations that amounted to a major MarkedSpace rewrite:
2668         
2669         - MarkedSpace always causes internal fragmentation for array allocations because the vector
2670           length we choose when we resize usually leads to a cell size that doesn't correspond to any
2671           size class. I got around this by making array allocations usually round up vectorLength to
2672           the maximum allowed by the size class that we would have allocated in. Also,
2673           ensureLengthSlow() and friends first make sure that the requested length can't just be
2674           fulfilled with the current allocation size. This safeguard means that not every array
2675           allocation has to do size class queries. For example, the fast path of new Array(length)
2676           never does any size class queries, under the assumption that (1) the speed gained from
2677           avoiding an ensureLengthSlow() call, which then just changes the vectorLength by doing the
2678           size class query, is too small to offset the speed lost by doing the query on every
2679           allocation and (2) new Array(length) is a pretty good hint that resizing is not very
2680           likely.
2681         
2682         - Size classes in MarkedSpace were way too precise, which led to external fragmentation. This
2683           changes MarkedSpace size classes to use a linear progression for very small sizes followed
2684           by a geometric progression that naturally transitions to a hyperbolic progression. We want
2685           hyperbolic sizes when we get close to blockSize: for example, the largest size we want is
2686           payloadSize / 2 rounded down, to ensure we get exactly two cells with minimal slop. The
2687           next size down should be payloadSize / 3 rounded down, and so on. After the last precise
2688           size (80 bytes), we proceed using a geometric progression, but round up each size to
2689           minimize slop at the end of the block. This naturally causes the geometric progression to
2690           turn hyperbolic for large sizes. The size class configuration happens at VM start-up, so
2691           it can be controlled with runtime options. I found that a base of 1.4 works pretty well.
2692         
2693         - Large allocations caused massive internal fragmentation, since the smallest large
2694           allocation had to use exactly blockSize, and the largest small allocation used
2695           blockSize / 2. The next size up - the first large allocation size to require two blocks -
2696           also had 50% internal fragmentation. This is because we required large allocations to be
2697           blockSize aligned, so that MarkedBlock::blockFor() would work. I decided to rewrite all of
2698           that. Cells no longer have to be owned by a MarkedBlock. They can now alternatively be
2699           owned by a LargeAllocation. These two things are abstracted as CellContainer. You know that
2700           a cell is owned by a LargeAllocation if the MarkedBlock::atomSize / 2 bit is set.
2701           Basically, large allocations are deliberately misaligned by 8 bytes. This actually works
2702           out great since (1) typed arrays won't use large allocations anyway since they have their
2703           own malloc fallback and (2) large array butterflies already have an 8 byte header, which
2704           means that the 8 byte base misalignment aligns the large array payload on a 16 byte
2705           boundary. I took extreme care to make sure that the isLargeAllocation bit checks are as
2706           rare as possible; for example, ExecState::vm() skips the check because we know that callees
2707           must be small allocations. It's also possible to use template tricks to do one check for
2708           cell container kind, and then invoke a function specialized for MarkedBlock or a function
2709           specialized for LargeAllocation. LargeAllocation includes stubs for all MarkedBlock methods
2710           that get used from functions that are template-specialized like this. That's mostly to
2711           speed up the GC marking code. Most other code can use CellContainer API or HeapCell API
2712           directly. That's another thing: HeapCell, the common base of JSCell and auxiliary
2713           allocations, is now smart enough to do a lot of things for you, like HeapCell::vm(),
2714           HeapCell::heap(), HeapCell::isLargeAllocation(), and HeapCell::cellContainer(). The size
2715           cutoff for large allocations is runtime-configurable, so long as you don't choose something
2716           so small that callees end up large. I found that 400 bytes is roughly optimal. This means
2717           that the MarkedBlock size classes end up being:
2718           
2719           16, 32, 48, 64, 80, 112, 160, 224, 320
2720           
2721           The next size class would have been 432, but that's above the 400 byte cutoff. All of this
2722           is configurable with --sizeClassProgression and --largeAllocationCutoff. You can see what
2723           size classes you end up with by doing --dumpSizeClasses=true.
2724         
2725         - Copied space uses 64KB blocks, while marked space used to use 16KB blocks. Allocating a lot
2726           of stuff in 16KB blocks is slower than allocating it in 64KB blocks. I got more speed from
2727           changing MarkedBlock::blockSize to 64KB. This would have been a space fail before, but now
2728           that we have LargeAllocation, it ends up being an overall win.
2729         
2730         - Even after all of that, copying butterflies was still faster because it allowed us to skip
2731           sweeping dead space. A good GC allocates over dead bytes without explicitly freeing them,
2732           so the GC pause is O(size of live), not O(size of live + dead). O(dead) is usually much
2733           larger than O(live), especially in an eden collection. Copying satisfies this premise while
2734           mark+sweep does not. So, I invented a new kind of allocator: bump'n'pop. Previously, our
2735           MarkedSpace allocator was a freelist pop. That's simple and easy to inline but requires
2736           that we walk the block to build a free list. This means walking dead space. The new
2737           allocator allows totally free MarkedBlocks to simply set up a bump-pointer arena instead.
2738           The allocator is a hybrid of bump-pointer and freelist pop. It tries bump first. The bump
2739           pointer always bumps by cellSize, so the result of filling a block with bumping looks as if
2740           we had used freelist popping to fill it. Additionally, each MarkedBlock now has a bit to
2741           quickly tell if the block is entirely free. This makes sweeping O(1) whenever a MarkedBlock
2742           is completely empty, which is the common case because of the generational hypothesis: the
2743           number of objects that survive an eden collection is a tiny fraction of the number of
2744           objects that had been allocated, and this fraction is so small that there are typically
2745           fewer than one survivor per MarkedBlock. This change was enough to make this change a net
2746           win over tip-of-tree.
2747         
2748         - FTL now shares the same allocation fast paths as everything else, which is great, because
2749           bump'n'pop has gnarly control flow. We don't really want B3 to have to think about that
2750           control flow, since it won't be able to improve the machine code we write ourselves. GC
2751           fast paths are best written in assembly. So, I've empowered B3 to have even better support
2752           for Patchpoint terminals. It's now totally fine for a Patchpoint terminal to be non-Void.
2753           So, the new FTL allocation fast paths are just Patchpoint terminals that call through to
2754           AssemblyHelpers::emitAllocate(). B3 still reasons about things like constant-folding the
2755           size class calculation and constant-hoisting the allocator. Also, I gave the FTL the
2756           ability to constant-fold some allocator logic (in case we first assume that we're doing a
2757           variable-length allocation but then realize that the length is known). I think it makes
2758           sense to have constant folding rules in FTL::Output, or whatever the B3 IR builder is,
2759           since this makes lowering easier (you can constant fold during lowering more easily) and it
2760           reduces the amount of malloc traffic. In the future, we could teach B3 how to better
2761           constant-fold this code. That would require allowing loads to be constant-folded, which is
2762           doable but hella tricky.
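
To make the size class progression concrete, here is an added example (not code from this ChangeLog or from WebKit) that rebuilds the table from the parameters the entry gives: 16-byte steps up to the 80-byte precise cutoff, a base of 1.4, 64KB blocks and a 400-byte large allocation cutoff. The block header size is an assumption, since the entry does not state it; it only affects the hyperbolic tail, which the blockPayload / 2 run shows.

```cpp
#include <cmath>
#include <cstddef>
#include <vector>

namespace SizeClassDemo {

// Parameters from the ChangeLog entry. blockHeaderSize is an ASSUMPTION: the entry does not
// give it, and it only matters for the hyperbolic tail near blockPayload.
constexpr size_t sizeStep = 16;           // MarkedBlock::atomSize; every size class is a multiple
constexpr size_t preciseCutoff = 80;      // last precise (linear) size class
constexpr size_t blockSize = 64 * 1024;   // MarkedBlock::blockSize after this change
constexpr size_t blockHeaderSize = 256;   // ASSUMED
constexpr size_t blockPayload = blockSize - blockHeaderSize;

constexpr size_t roundUpToStep(size_t n) { return (n + sizeStep - 1) / sizeStep * sizeStep; }
constexpr size_t roundDownToStep(size_t n) { return n & ~(sizeStep - 1); }

// Build the size-class table: linear steps up to preciseCutoff, then a geometric progression
// with the given base (--sizeClassProgression). Each geometric term is pushed up to the largest
// step-aligned size that still fits the same number of cells in one block, which is what turns
// the progression hyperbolic (payload/3, payload/2) close to blockPayload. Classes above
// largeCutoff (--largeAllocationCutoff) are never created: those sizes become LargeAllocations.
std::vector<size_t> computeSizeClasses(double progression, size_t largeCutoff)
{
    std::vector<size_t> result;
    for (size_t size = sizeStep; size < preciseCutoff; size += sizeStep)
        result.push_back(size);

    for (unsigned i = 0; ; ++i) {
        size_t approx = static_cast<size_t>(preciseCutoff * std::pow(progression, i));
        if (approx > largeCutoff)
            break;
        size_t sizeClass = roundUpToStep(approx);
        size_t cellsPerBlock = blockPayload / sizeClass;
        if (!cellsPerBlock)
            break; // larger than a whole block payload; nothing left to add
        // Largest step-aligned size at which cellsPerBlock cells still fit: less slop, same count.
        size_t better = roundDownToStep(blockPayload / cellsPerBlock);
        if (better == result.back())
            continue; // base too small to reach a new class at this exponent
        if (better > largeCutoff)
            break;
        result.push_back(better);
    }
    return result;
}

// Bytes left unused at the end of a block filled with cells of one size class.
constexpr size_t slop(size_t sizeClass) { return blockPayload % sizeClass; }

} // namespace SizeClassDemo
```

With the cutoff raised the next class is 432, exactly as the entry says, and with a cutoff of half the payload the last two classes come out as payload / 3 and payload / 2 rounded down.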
2763         
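The bump'n'pop hybrid, as an added example (not JSC's FreeList or MarkedBlock code): a block with no marked cells is swept in O(1) by turning its payload into a bump arena, while a block with survivors is walked so its dead cells are threaded onto a free list; draining either path over an empty block hands out the same cells in the same order. Cell sizes are assumed to be multiples of 16 so the in-cell links stay aligned.

```cpp
#include <cstddef>
#include <new>
#include <vector>

namespace BumpAndPopDemo {

// A dead cell doubles as a free-list node: its first word holds the link.
struct FreeCell { FreeCell* next; };

// Hybrid allocator state modelled on the entry's FreeList (bump half + freelist-pop half).
struct FreeList {
    FreeCell* head = nullptr;    // freelist-pop half
    char* payloadEnd = nullptr;  // bump half: the next cell is at payloadEnd - remaining
    size_t remaining = 0;        // bytes not yet handed out by bumping
};

// A toy MarkedBlock: cellCount cells of cellSize bytes, a mark bit per cell, and the
// "any cell marked" summary bit that makes sweeping an empty block O(1).
class Block {
public:
    Block(size_t cellSize, size_t cellCount)
        : m_cellSize(cellSize), m_storage(cellSize * cellCount), m_marked(cellCount, false) { }

    size_t cellCount() const { return m_marked.size(); }
    void setMarked(size_t index) { m_marked[index] = true; m_hasAnyMarked = true; }

    // Sweep and return the FreeList to allocate from. With no marked cells there is no walk:
    // the whole payload becomes a bump arena. Otherwise every cell is visited and the dead
    // ones are threaded onto the list. forceWalk takes the walking path even for an empty
    // block so the two paths can be compared.
    FreeList sweep(bool forceWalk = false)
    {
        FreeList list;
        if (!m_hasAnyMarked && !forceWalk) {
            list.payloadEnd = m_storage.data() + m_storage.size();
            list.remaining = m_storage.size();
            return list;
        }
        // Walk backwards so that popping hands cells out in ascending address order,
        // exactly the order the bump pointer produces.
        for (size_t i = cellCount(); i-- > 0;) {
            if (m_marked[i])
                continue;
            list.head = new (m_storage.data() + i * m_cellSize) FreeCell { list.head };
        }
        return list;
    }

private:
    size_t m_cellSize;
    std::vector<char> m_storage;
    std::vector<bool> m_marked;
    bool m_hasAnyMarked = false;
};

// The allocation fast path: bump first, then pop. nullptr means this block is exhausted
// and the caller would fall back to the slow case (another block or a collection).
void* allocate(FreeList& list, size_t cellSize)
{
    if (list.remaining >= cellSize) {
        char* result = list.payloadEnd - list.remaining;
        list.remaining -= cellSize;
        return result;
    }
    if (FreeCell* cell = list.head) {
        list.head = cell->next;
        return cell;
    }
    return nullptr;
}

// Drain a FreeList and record the cells handed out, in order.
std::vector<void*> drain(FreeList list, size_t cellSize)
{
    std::vector<void*> out;
    while (void* cell = allocate(list, cellSize))
        out.push_back(cell);
    return out;
}

// On an empty block, bumping and popping hand out the same cells in the same order.
bool bumpMatchesPop(size_t cellSize, size_t cellCount)
{
    Block block(cellSize, cellCount);
    return drain(block.sweep(false), cellSize) == drain(block.sweep(true), cellSize);
}

// Number of cells a sweep hands out once the given cells survived marking.
size_t freeCellsAfterMarking(size_t cellSize, size_t cellCount, const std::vector<size_t>& survivors)
{
    Block block(cellSize, cellCount);
    for (size_t index : survivors)
        block.setMarked(index);
    return drain(block.sweep(), cellSize).size();
}

} // namespace BumpAndPopDemo
```
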
2764         All of this put together gives us neutral perf on JetStream, Speedometer, and PLT3. SunSpider
2765         sometimes gets penalized depending on how you run it. By comparison, the alternative approach
2766         of using a copy barrier would have cost us 1-2%. That's the real apples-to-apples comparison
2767         if your premise is that we should have a concurrent GC. After we finish removing copied
2768         space, we will be barrier-ready for concurrent GC: we already have a marking barrier and we
2769         simply won't need a copying barrier. This change gets us there for the purposes of our
2770         benchmarks, since the remaining clients of copied space are not very important. On the other
2771         hand, if we keep copying, then getting barrier-ready would mean adding back the copy barrier,
2772         which costs more perf.
2773         
2774         We might get bigger speed-ups once we remove CopiedSpace altogether. That requires moving
2775         typed arrays and a few other weird things over to Aux MarkedSpace.
2776         
2777         This also includes some header sanitization. The introduction of AuxiliaryBarrier, HeapCell,
2778         and CellContainer meant that I had to include those files from everywhere. Fortunately,
2779         just including JSCInlines.h (instead of manually including the files that it includes) is
2780         usually enough. So, I made most of JSC's cpp files include JSCInlines.h, which is something
2781         that we were already basically doing. In places where JSCInlines.h would be too much, I just
2782         included HeapInlines.h. This got weird, because we previously included HeapInlines.h from
2783         JSObject.h. That's bad because it led to some circular dependencies, so I fixed it - but that
2784         meant having to manually include HeapInlines.h from the places that previously got it
2785         implicitly via JSObject.h. But that led to more problems for some reason: I started getting
2786         build errors because non-JSC files were having trouble including Opcode.h. That's just silly,
2787         since Opcode.h is meant to be an internal JSC header. So, I made it an internal header and
2788         made it impossible to include it from outside JSC. This was a lot of work, but it was
2789         necessary to get the patch to build on all ports. It's also a net win. There were many places
2790         in WebCore that were transitively including a *ton* of JSC headers just because of the
2791         JSObject.h->HeapInlines.h edge and a bunch of dependency edges that arose from some public
2792         (for WebCore) JSC headers needing Interpreter.h or Opcode.h for bad reasons.
2793
2794         * API/JSTypedArray.cpp:
2795         * API/ObjCCallbackFunction.mm:
2796         * CMakeLists.txt:
2797         * JavaScriptCore.xcodeproj/project.pbxproj:
2798         * Scripts/builtins/builtins_generate_combined_implementation.py:
2799         (BuiltinsCombinedImplementationGenerator.generate_secondary_header_includes):
2800         * Scripts/builtins/builtins_generate_internals_wrapper_implementation.py:
2801         (BuiltinsInternalsWrapperImplementationGenerator.generate_secondary_header_includes):
2802         * Scripts/builtins/builtins_generate_separate_implementation.py:
2803         (BuiltinsSeparateImplementationGenerator.generate_secondary_header_includes):
2804         * assembler/AbstractMacroAssembler.h:
2805         (JSC::AbstractMacroAssembler::JumpList::JumpList):
2806         (JSC::AbstractMacroAssembler::JumpList::link):
2807         (JSC::AbstractMacroAssembler::JumpList::linkTo):
2808         (JSC::AbstractMacroAssembler::JumpList::append):
2809         * assembler/MacroAssemblerARM64.h:
2810         (JSC::MacroAssemblerARM64::add32):
2811         * b3/B3BasicBlock.cpp:
2812         (JSC::B3::BasicBlock::appendIntConstant):
2813         (JSC::B3::BasicBlock::appendBoolConstant):
2814         (JSC::B3::BasicBlock::clearSuccessors):
2815         * b3/B3BasicBlock.h:
2816         * b3/B3DuplicateTails.cpp:
2817         * b3/B3StackmapGenerationParams.h:
2818         * b3/testb3.cpp:
2819         (JSC::B3::testBranchBitAndImmFusion):
2820         (JSC::B3::testPatchpointTerminalReturnValue):
2821         (JSC::B3::zero):
2822         (JSC::B3::run):
2823         * bindings/ScriptValue.cpp:
2824         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
2825         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
2826         * bytecode/ObjectAllocationProfile.h:
2827         (JSC::ObjectAllocationProfile::initialize):
2828         * bytecode/PolymorphicAccess.cpp:
2829         (JSC::AccessCase::generateImpl):
2830         * bytecode/StructureStubInfo.cpp:
2831         * dfg/DFGOperations.cpp:
2832         * dfg/DFGSpeculativeJIT.cpp:
2833         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
2834         (JSC::DFG::SpeculativeJIT::compileMakeRope):
2835         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
2836         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
2837         * dfg/DFGSpeculativeJIT.h:
2838         (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
2839         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
2840         * dfg/DFGSpeculativeJIT32_64.cpp:
2841         (JSC::DFG::SpeculativeJIT::compile):
2842         * dfg/DFGSpeculativeJIT64.cpp:
2843         (JSC::DFG::SpeculativeJIT::compile):
2844         * dfg/DFGStrengthReductionPhase.cpp:
2845         (JSC::DFG::StrengthReductionPhase::handleNode):
2846         * ftl/FTLAbstractHeapRepository.h:
2847         * ftl/FTLCompile.cpp:
2848         * ftl/FTLJITFinalizer.cpp:
2849         * ftl/FTLLowerDFGToB3.cpp:
2850         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
2851         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
2852         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
2853         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
2854         (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
2855         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
2856         (JSC::FTL::DFG::LowerDFGToB3::emitRightShiftSnippet):
2857         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
2858         (JSC::FTL::DFG::LowerDFGToB3::storeStructure):
2859         (JSC::FTL::DFG::LowerDFGToB3::allocateCell):
2860         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
2861         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
2862         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
2863         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
2864         * ftl/FTLOutput.cpp:
2865         (JSC::FTL::Output::constBool):
2866         (JSC::FTL::Output::constInt32):
2867         (JSC::FTL::Output::add):
2868         (JSC::FTL::Output::shl):
2869         (JSC::FTL::Output::aShr):
2870         (JSC::FTL::Output::lShr):
2871         (JSC::FTL::Output::zeroExt):
2872         (JSC::FTL::Output::equal):
2873         (JSC::FTL::Output::notEqual):
2874         (JSC::FTL::Output::above):
2875         (JSC::FTL::Output::aboveOrEqual):
2876         (JSC::FTL::Output::below):
2877         (JSC::FTL::Output::belowOrEqual):
2878         (JSC::FTL::Output::greaterThan):
2879         (JSC::FTL::Output::greaterThanOrEqual):
2880         (JSC::FTL::Output::lessThan):
2881         (JSC::FTL::Output::lessThanOrEqual):
2882         (JSC::FTL::Output::select):
2883         (JSC::FTL::Output::unreachable):
2884         (JSC::FTL::Output::appendSuccessor):
2885         (JSC::FTL::Output::speculate):
2886         (JSC::FTL::Output::addIncomingToPhi):
2887         * ftl/FTLOutput.h:
2888         * ftl/FTLValueFromBlock.h:
2889         (JSC::FTL::ValueFromBlock::ValueFromBlock):
2890         (JSC::FTL::ValueFromBlock::operator bool):
2891         (JSC::FTL::ValueFromBlock::value):
2892         (JSC::FTL::ValueFromBlock::block):
2893         * ftl/FTLWeightedTarget.h:
2894         (JSC::FTL::WeightedTarget::target):
2895         (JSC::FTL::WeightedTarget::weight):
2896         (JSC::FTL::WeightedTarget::frequentedBlock):
2897         * heap/CellContainer.h: Added.
2898         (JSC::CellContainer::CellContainer):
2899         (JSC::CellContainer::operator bool):
2900         (JSC::CellContainer::isMarkedBlock):
2901         (JSC::CellContainer::isLargeAllocation):
2902         (JSC::CellContainer::markedBlock):
2903         (JSC::CellContainer::largeAllocation):
2904         * heap/CellContainerInlines.h: Added.
2905         (JSC::CellContainer::isMarkedOrRetired):
2906         (JSC::CellContainer::isMarked):
2907         (JSC::CellContainer::isMarkedOrNewlyAllocated):
2908         (JSC::CellContainer::setHasAnyMarked):
2909         (JSC::CellContainer::cellSize):
2910         (JSC::CellContainer::weakSet):
2911         * heap/ConservativeRoots.cpp:
2912         (JSC::ConservativeRoots::ConservativeRoots):
2913         (JSC::ConservativeRoots::~ConservativeRoots):
2914         (JSC::ConservativeRoots::grow):
2915         (JSC::ConservativeRoots::genericAddPointer):
2916         (JSC::ConservativeRoots::genericAddSpan):
2917         * heap/ConservativeRoots.h:
2918         (JSC::ConservativeRoots::size):
2919         (JSC::ConservativeRoots::roots):
2920         * heap/CopyToken.h:
2921         * heap/FreeList.cpp: Added.
2922         (JSC::FreeList::dump):
2923         * heap/FreeList.h: Added.
2924         (JSC::FreeList::FreeList):
2925         (JSC::FreeList::list):
2926         (JSC::FreeList::bump):
2927         (JSC::FreeList::operator==):
2928         (JSC::FreeList::operator!=):
2929         (JSC::FreeList::operator bool):
2930         * heap/Heap.cpp:
2931         (JSC::Heap::Heap):
2932         (JSC::Heap::finalizeUnconditionalFinalizers):
2933         (JSC::Heap::markRoots):
2934         (JSC::Heap::copyBackingStores):
2935         (JSC::Heap::gatherStackRoots):
2936         (JSC::Heap::gatherJSStackRoots):
2937         (JSC::Heap::gatherScratchBufferRoots):
2938         (JSC::Heap::clearLivenessData):
2939         (JSC::Heap::visitSmallStrings):
2940         (JSC::Heap::visitConservativeRoots):
2941         (JSC::Heap::removeDeadCompilerWorklistEntries):
2942         (JSC::Heap::gatherExtraHeapSnapshotData):
2943         (JSC::Heap::removeDeadHeapSnapshotNodes):
2944         (JSC::Heap::visitProtectedObjects):
2945         (JSC::Heap::visitArgumentBuffers):
2946         (JSC::Heap::visitException):
2947         (JSC::Heap::visitStrongHandles):
2948         (JSC::Heap::visitHandleStack):
2949         (JSC::Heap::visitSamplingProfiler):
2950         (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
2951         (JSC::Heap::converge):
2952         (JSC::Heap::visitWeakHandles):
2953         (JSC::Heap::updateObjectCounts):
2954         (JSC::Heap::clearUnmarkedExecutables):
2955         (JSC::Heap::deleteUnmarkedCompiledCode):
2956         (JSC::Heap::collectAllGarbage):
2957         (JSC::Heap::collect):
2958         (JSC::Heap::collectWithoutAnySweep):
2959         (JSC::Heap::collectImpl):
2960         (JSC::Heap::suspendCompilerThreads):
2961         (JSC::Heap::willStartCollection):
2962         (JSC::Heap::flushOldStructureIDTables):
2963         (JSC::Heap::flushWriteBarrierBuffer):
2964         (JSC::Heap::stopAllocation):
2965         (JSC::Heap::reapWeakHandles):
2966         (JSC::Heap::pruneStaleEntriesFromWeakGCMaps):
2967         (JSC::Heap::sweepArrayBuffers):
2968         (JSC::Heap::snapshotMarkedSpace):
2969         (JSC::Heap::deleteSourceProviderCaches):
2970         (JSC::Heap::notifyIncrementalSweeper):
2971         (JSC::Heap::writeBarrierCurrentlyExecutingCodeBlocks):
2972         (JSC::Heap::resetAllocators):
2973         (JSC::Heap::updateAllocationLimits):
2974         (JSC::Heap::didFinishCollection):
2975         (JSC::Heap::resumeCompilerThreads):
2976         (JSC::Zombify::visit):
2977         * heap/Heap.h:
2978         (JSC::Heap::subspaceForObjectDestructor):
2979         (JSC::Heap::subspaceForAuxiliaryData):
2980         (JSC::Heap::allocatorForObjectWithoutDestructor):
2981         (JSC::Heap::allocatorForObjectWithDestructor):
2982         (JSC::Heap::allocatorForAuxiliaryData):
2983         (JSC::Heap::storageAllocator):
2984         * heap/HeapCell.h:
2985         (JSC::HeapCell::zap):
2986         (JSC::HeapCell::isZapped):
2987         * heap/HeapCellInlines.h: Added.
2988         (JSC::HeapCell::isLargeAllocation):
2989         (JSC::HeapCell::cellContainer):
2990         (JSC::HeapCell::markedBlock):
2991         (JSC::HeapCell::largeAllocation):
2992         (JSC::HeapCell::heap):
2993         (JSC::HeapCell::vm):
2994         (JSC::HeapCell::cellSize):
2995         (JSC::HeapCell::allocatorAttributes):
2996         (JSC::HeapCell::destructionMode):
2997         (JSC::HeapCell::cellKind):
2998         * heap/HeapInlines.h:
2999         (JSC::Heap::isCollecting):
3000         (JSC::Heap::heap):
3001         (JSC::Heap::isLive):
3002         (JSC::Heap::isMarked):
3003         (JSC::Heap::testAndSetMarked):
3004         (JSC::Heap::setMarked):
3005         (JSC::Heap::cellSize):
3006         (JSC::Heap::writeBarrier):
3007         (JSC::Heap::allocateWithoutDestructor):
3008         (JSC::Heap::allocateObjectOfType):
3009         (JSC::Heap::subspaceForObjectOfType):
3010         (JSC::Heap::allocatorForObjectOfType):
3011         (JSC::Heap::allocateAuxiliary):
3012         (JSC::Heap::tryAllocateAuxiliary):
3013         (JSC::Heap::tryReallocateAuxiliary):
3014         (JSC::Heap::tryAllocateStorage):
3015         (JSC::Heap::didFreeBlock):
3016         (JSC::Heap::isPointerGCObject): Deleted.
3017         (JSC::Heap::isValueGCObject): Deleted.
3018         * heap/HeapUtil.h: Added.
3019         (JSC::HeapUtil::findGCObjectPointersForMarking):
3020         (JSC::HeapUtil::isPointerGCObjectJSCell):
3021         (JSC::HeapUtil::isValueGCObject):
3022         * heap/LargeAllocation.cpp: Added.
3023         (JSC::LargeAllocation::tryCreate):
3024         (JSC::LargeAllocation::LargeAllocation):
3025         (JSC::LargeAllocation::lastChanceToFinalize):
3026         (JSC::LargeAllocation::shrink):
3027         (JSC::LargeAllocation::visitWeakSet):
3028         (JSC::LargeAllocation::reapWeakSet):
3029         (JSC::LargeAllocation::clearMarks):
3030         (JSC::LargeAllocation::clearMarksWithCollectionType):
3031         (JSC::LargeAllocation::isEmpty):
3032         (JSC::LargeAllocation::sweep):
3033         (JSC::LargeAllocation::destroy):
3034         (JSC::LargeAllocation::dump):
3035         * heap/LargeAllocation.h: Added.
3036         (JSC::LargeAllocation::fromCell):
3037         (JSC::LargeAllocation::cell):
3038         (JSC::LargeAllocation::isLargeAllocation):
3039         (JSC::LargeAllocation::heap):
3040         (JSC::LargeAllocation::vm):
3041         (JSC::LargeAllocation::weakSet):
3042         (JSC::LargeAllocation::clearNewlyAllocated):
3043         (JSC::LargeAllocation::isNewlyAllocated):
3044         (JSC::LargeAllocation::isMarked):
3045         (JSC::LargeAllocation::isMarkedOrNewlyAllocated):
3046         (JSC::LargeAllocation::isLive):
3047         (JSC::LargeAllocation::hasValidCell):
3048         (JSC::LargeAllocation::cellSize):
3049         (JSC::LargeAllocation::aboveLowerBound):
3050         (JSC::LargeAllocation::belowUpperBound):
3051         (JSC::LargeAllocation::contains):
3052         (JSC::LargeAllocation::attributes):
3053         (JSC::LargeAllocation::testAndSetMarked):
3054         (JSC::LargeAllocation::setMarked):
3055         (JSC::LargeAllocation::clearMarked):
3056         (JSC::LargeAllocation::setHasAnyMarked):
3057         (JSC::LargeAllocation::headerSize):
3058         * heap/MarkedAllocator.cpp:
3059         (JSC::MarkedAllocator::MarkedAllocator):
3060         (JSC::isListPagedOut):
3061         (JSC::MarkedAllocator::isPagedOut):
3062         (JSC::MarkedAllocator::retire):
3063         (JSC::MarkedAllocator::tryAllocateWithoutCollectingImpl):
3064         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
3065         (JSC::MarkedAllocator::allocateSlowCase):
3066         (JSC::MarkedAllocator::tryAllocateSlowCase):
3067         (JSC::MarkedAllocator::allocateSlowCaseImpl):
3068         (JSC::blockHeaderSize):
3069         (JSC::MarkedAllocator::blockSizeForBytes):
3070         (JSC::MarkedAllocator::tryAllocateBlock):
3071         (JSC::MarkedAllocator::addBlock):
3072         (JSC::MarkedAllocator::removeBlock):
3073         (JSC::MarkedAllocator::reset):
3074         (JSC::MarkedAllocator::lastChanceToFinalize):
3075         (JSC::MarkedAllocator::setFreeList):
3076         (JSC::MarkedAllocator::tryAllocateHelper): Deleted.
3077         (JSC::MarkedAllocator::tryPopFreeList): Deleted.
3078         (JSC::MarkedAllocator::tryAllocate): Deleted.
3079         (JSC::MarkedAllocator::allocateBlock): Deleted.
3080         * heap/MarkedAllocator.h:
3081         (JSC::MarkedAllocator::destruction):
3082         (JSC::MarkedAllocator::cellKind):
3083         (JSC::MarkedAllocator::heap):
3084         (JSC::MarkedAllocator::takeLastActiveBlock):
3085         (JSC::MarkedAllocator::offsetOfFreeList):
3086         (JSC::MarkedAllocator::offsetOfCellSize):
3087         (JSC::MarkedAllocator::tryAllocate):
3088         (JSC::MarkedAllocator::allocate):
3089         (JSC::MarkedAllocator::stopAllocating):
3090         (JSC::MarkedAllocator::resumeAllocating):
3091         (JSC::MarkedAllocator::offsetOfFreeListHead): Deleted.
3092         (JSC::MarkedAllocator::MarkedAllocator): Deleted.
3093         (JSC::MarkedAllocator::init): Deleted.
3094         * heap/MarkedBlock.cpp:
3095         (JSC::MarkedBlock::tryCreate):
3096         (JSC::MarkedBlock::MarkedBlock):
3097         (JSC::MarkedBlock::specializedSweep):
3098         (JSC::MarkedBlock::sweep):
3099         (JSC::MarkedBlock::sweepHelperSelectResetMode):
3100         (JSC::MarkedBlock::sweepHelperSelectStateAndSweepMode):
3101         (JSC::MarkedBlock::stopAllocating):
3102         (JSC::MarkedBlock::clearMarksWithCollectionType):
3103         (JSC::MarkedBlock::lastChanceToFinalize):
3104         (JSC::MarkedBlock::resumeAllocating):
3105         (JSC::MarkedBlock::didRetireBlock):
3106         (JSC::MarkedBlock::forEachFreeCell):
3107         (JSC::MarkedBlock::create): Deleted.
3108         (JSC::MarkedBlock::callDestructor): Deleted.
3109         (JSC::MarkedBlock::sweepHelper): Deleted.
3110         * heap/MarkedBlock.h:
3111         (JSC::MarkedBlock::VoidFunctor::returnValue):
3112         (JSC::MarkedBlock::setHasAnyMarked):
3113         (JSC::MarkedBlock::hasAnyMarked):
3114         (JSC::MarkedBlock::clearHasAnyMarked):
3115         (JSC::MarkedBlock::firstAtom):
3116         (JSC::MarkedBlock::isAtomAligned):
3117         (JSC::MarkedBlock::cellAlign):
3118         (JSC::MarkedBlock::blockFor):
3119         (JSC::MarkedBlock::isEmpty):
3120         (JSC::MarkedBlock::cellSize):
3121         (JSC::MarkedBlock::isMarkedOrRetired):
3122         (JSC::MarkedBlock::FreeList::FreeList): Deleted.
3123         * heap/MarkedSpace.cpp:
3124         (JSC::MarkedSpace::initializeSizeClassForStepSize):
3125         (JSC::MarkedSpace::MarkedSpace):
3126         (JSC::MarkedSpace::lastChanceToFinalize):
3127         (JSC::MarkedSpace::allocateLarge):
3128         (JSC::MarkedSpace::tryAllocateLarge):
3129         (JSC::MarkedSpace::sweep):
3130         (JSC::MarkedSpace::sweepABit):
3131         (JSC::MarkedSpace::sweepLargeAllocations):
3132         (JSC::MarkedSpace::zombifySweep):
3133         (JSC::MarkedSpace::resetAllocators):
3134         (JSC::MarkedSpace::visitWeakSets):
3135         (JSC::MarkedSpace::reapWeakSets):
3136         (JSC::MarkedSpace::stopAllocating):
3137         (JSC::MarkedSpace::resumeAllocating):
3138         (JSC::MarkedSpace::isPagedOut):
3139         (JSC::MarkedSpace::shrink):
3140         (JSC::MarkedSpace::clearNewlyAllocated):
3141         (JSC::MarkedSpace::clearMarks):
3142         (JSC::MarkedSpace::didFinishIterating):
3143         (JSC::MarkedSpace::objectCount):
3144         (JSC::MarkedSpace::size):
3145         (JSC::MarkedSpace::capacity):
3146         (JSC::MarkedSpace::forEachAllocator): Deleted.
3147         * heap/MarkedSpace.h:
3148         (JSC::MarkedSpace::sizeClassIndex):
3149         (JSC::MarkedSpace::subspaceForObjectsWithDestructor):
3150         (JSC::MarkedSpace::subspaceForObjectsWithoutDestructor):
3151         (JSC::MarkedSpace::subspaceForAuxiliaryData):
3152         (JSC::MarkedSpace::blocksWithNewObjects):
3153         (JSC::MarkedSpace::largeAllocations):
3154         (JSC::MarkedSpace::largeAllocationsNurseryOffset):
3155         (JSC::MarkedSpace::largeAllocationsOffsetForThisCollection):
3156         (JSC::MarkedSpace::largeAllocationsForThisCollectionBegin):
3157         (JSC::MarkedSpace::largeAllocationsForThisCollectionEnd):
3158         (JSC::MarkedSpace::largeAllocationsForThisCollectionSize):
3159         (JSC::MarkedSpace::forEachLiveCell):
3160         (JSC::MarkedSpace::forEachDeadCell):
3161         (JSC::MarkedSpace::allocatorFor):
3162         (JSC::MarkedSpace::destructorAllocatorFor):
3163         (JSC::MarkedSpace::auxiliaryAllocatorFor):
3164         (JSC::MarkedSpace::allocate):
3165         (JSC::MarkedSpace::tryAllocate):
3166         (JSC::MarkedSpace::allocateWithoutDestructor):
3167         (JSC::MarkedSpace::allocateWithDestructor):
3168         (JSC::MarkedSpace::allocateAuxiliary):
3169         (JSC::MarkedSpace::tryAllocateAuxiliary):
3170         (JSC::MarkedSpace::forEachBlock):
3171         (JSC::MarkedSpace::didAllocateInBlock):
3172         (JSC::MarkedSpace::forEachAllocator):
3173         (JSC::MarkedSpace::forEachSubspace):
3174         (JSC::MarkedSpace::optimalSizeFor):
3175         (JSC::MarkedSpace::objectCount): Deleted.
3176         (JSC::MarkedSpace::size): Deleted.
3177         (JSC::MarkedSpace::capacity): Deleted.
3178         * heap/SlotVisitor.cpp:
3179         (JSC::SlotVisitor::didStartMarking):
3180         (JSC::SlotVisitor::reset):
3181         (JSC::SlotVisitor::clearMarkStack):
3182         (JSC::SlotVisitor::append):
3183         (JSC::SlotVisitor::appendJSCellOrAuxiliary):
3184         (JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
3185         (JSC::SlotVisitor::appendToMarkStack):
3186         (JSC::SlotVisitor::markAuxiliary):
3187         (JSC::SlotVisitor::noteLiveAuxiliaryCell):
3188         (JSC::SetCurrentCellScope::SetCurrentCellScope):
3189         (JSC::SlotVisitor::visitChildren):
3190         * heap/SlotVisitor.h:
3191         * heap/WeakBlock.cpp:
3192         (JSC::WeakBlock::create):
3193         (JSC::WeakBlock::destroy):
3194         (JSC::WeakBlock::WeakBlock):
3195         (JSC::WeakBlock::visit):
3196         (JSC::WeakBlock::reap):
3197         * heap/WeakBlock.h:
3198         (JSC::WeakBlock::disconnectContainer):
3199         (JSC::WeakBlock::disconnectMarkedBlock): Deleted.
3200         * heap/WeakSet.cpp:
3201         (JSC::WeakSet::sweep):
3202         (JSC::WeakSet::addAllocator):
3203         * heap/WeakSet.h:
3204         (JSC::WeakSet::WeakSet):
3205         * heap/WeakSetInlines.h:
3206         (JSC::WeakSet::allocate):
3207         * inspector/InjectedScriptManager.cpp:
3208         * inspector/JSGlobalObjectInspectorController.cpp:
3209         * inspector/JSJavaScriptCallFrame.cpp:
3210         * inspector/ScriptDebugServer.cpp:
3211         * inspector/agents/InspectorDebuggerAgent.cpp:
3212         * interpreter/CachedCall.h:
3213         (JSC::CachedCall::CachedCall):
3214         * jit/AssemblyHelpers.h:
3215         (JSC::AssemblyHelpers::emitAllocate):
3216         (JSC::AssemblyHelpers::emitAllocateJSCell):
3217         (JSC::AssemblyHelpers::emitAllocateJSObject):
3218         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
3219         (JSC::AssemblyHelpers::emitAllocateVariableSized):
3220         * jit/JITOpcodes.cpp:
3221         (JSC::JIT::emit_op_new_object):
3222         (JSC::JIT::emit_op_create_this):
3223         * jit/JITOpcodes32_64.cpp:
3224         (JSC::JIT::emit_op_new_object):
3225         (JSC::JIT::emit_op_create_this):
3226         * jit/JITOperations.cpp:
3227         * jit/JITOperations.h:
3228         * jit/JITPropertyAccess.cpp:
3229         (JSC::JIT::emitWriteBarrier):
3230         * jsc.cpp:
3231         (functionDescribeArray):
3232         * llint/LLIntData.cpp:
3233         (JSC::LLInt::Data::performAssertions):
3234         * llint/LowLevelInterpreter.asm:
3235         * llint/LowLevelInterpreter32_64.asm:
3236         * llint/LowLevelInterpreter64.asm:
3237         * parser/ModuleAnalyzer.cpp:
3238         * runtime/ArrayConventions.h:
3239         (JSC::indexIsSufficientlyBeyondLengthForSparseMap):
3240         (JSC::indexingHeaderForArrayStorage):
3241         (JSC::baseIndexingHeaderForArrayStorage):
3242         (JSC::indexingHeaderForArray): Deleted.
3243         (JSC::baseIndexingHeaderForArray): Deleted.
3244         * runtime/ArrayStorage.h:
3245         (JSC::ArrayStorage::length):
3246         (JSC::ArrayStorage::setLength):
3247         (JSC::ArrayStorage::vectorLength):
3248         (JSC::ArrayStorage::setVectorLength):
3249         (JSC::ArrayStorage::copyHeaderFromDuringGC):
3250         (JSC::ArrayStorage::sizeFor):
3251         (JSC::ArrayStorage::totalSizeFor):
3252         (JSC::ArrayStorage::totalSize):
3253         (JSC::ArrayStorage::availableVectorLength):
3254         (JSC::ArrayStorage::optimalVectorLength):
3255         * runtime/AuxiliaryBarrier.h: Added.
3256         (JSC::AuxiliaryBarrier::AuxiliaryBarrier):
3257         (JSC::AuxiliaryBarrier::clear):
3258         (JSC::AuxiliaryBarrier::get):
3259         (JSC::AuxiliaryBarrier::slot):
3260         (JSC::AuxiliaryBarrier::operator bool):
3261         (JSC::AuxiliaryBarrier::setWithoutBarrier):
3262         * runtime/AuxiliaryBarrierInlines.h: Added.
3263         (JSC::AuxiliaryBarrier<T>::AuxiliaryBarrier):
3264         (JSC::AuxiliaryBarrier<T>::set):
3265         * runtime/Butterfly.h:
3266         (JSC::Butterfly::fromBase):
3267         (JSC::Butterfly::fromPointer):
3268         * runtime/ButterflyInlines.h:
3269         (JSC::Butterfly::availableContiguousVectorLength):
3270         (JSC::Butterfly::optimalContiguousVectorLength):
3271         (JSC::Butterfly::createUninitialized):
3272         (JSC::Butterfly::growArrayRight):
3273         * runtime/ClonedArguments.cpp:
3274         (JSC::ClonedArguments::createEmpty):
3275         * runtime/DataView.cpp:
3276         * runtime/DirectArguments.h:
3277         * runtime/ECMAScriptSpecInternalFunctions.cpp:
3278         * runtime/GeneratorFrame.cpp:
3279         * runtime/GeneratorPrototype.cpp:
3280         * runtime/IntlCollator.cpp:
3281         * runtime/IntlCollatorConstructor.cpp:
3282         * runtime/IntlCollatorPrototype.cpp:
3283         * runtime/IntlDateTimeFormat.cpp:
3284         * runtime/IntlDateTimeFormatConstructor.cpp:
3285         * runtime/IntlDateTimeFormatPrototype.cpp:
3286         * runtime/IntlNumberFormat.cpp:
3287         * runtime/IntlNumberFormatConstructor.cpp:
3288         * runtime/IntlNumberFormatPrototype.cpp:
3289         * runtime/JSArray.cpp:
3290         (JSC::createArrayButterflyInDictionaryIndexingMode):
3291         (JSC::JSArray::tryCreateUninitialized):
3292         (JSC::JSArray::setLengthWritable):
3293         (JSC::JSArray::unshiftCountSlowCase):
3294         (JSC::JSArray::setLengthWithArrayStorage):
3295         (JSC::JSArray::appendMemcpy):
3296         (JSC::JSArray::setLength):
3297         (JSC::JSArray::pop):
3298         (JSC::JSArray::push):
3299         (JSC::JSArray::fastSlice):
3300         (JSC::JSArray::shiftCountWithArrayStorage):
3301         (JSC::JSArray::shiftCountWithAnyIndexingType):
3302         (JSC::JSArray::unshiftCountWithArrayStorage):
3303         (JSC::JSArray::fillArgList):
3304         (JSC::JSArray::copyToArguments):
3305         * runtime/JSArray.h:
3306         (JSC::createContiguousArrayButterfly):
3307         (JSC::createArrayButterfly):
3308         (JSC::JSArray::create):
3309         (JSC::JSArray::tryCreateUninitialized): Deleted.
3310         * runtime/JSArrayBufferView.h:
3311         * runtime/JSCInlines.h:
3312         * runtime/JSCJSValue.cpp:
3313         * runtime/JSCallee.cpp:
3314         * runtime/JSCell.cpp:
3315         (JSC::JSCell::estimatedSize):
3316         (JSC::JSCell::copyBackingStore):
3317         * runtime/JSCell.h:
3318