JITMathIC was misusing maxJumpReplacementSize

[WebKit-https.git] / Source / JavaScriptCore / ChangeLog

2016-09-01  Saam Barati  <sbarati@apple.com>

        JITMathIC was misusing maxJumpReplacementSize
        https://bugs.webkit.org/show_bug.cgi?id=161356
        <rdar://problem/28065560>

        Reviewed by Benjamin Poulain.

        JITMathIC was assuming that maxJumpReplacementSize is the size
        you'd get if you emitted a patchableJump() using the macro assembler.
        This is not true, however. It happens to be true on arm64, x86 and x86-64,
        however, it is not true on armv7. This patch introduces an alternative to
        maxJumpReplacementSize called patchableJumpSize, and switches JITMathIC
        to use that number instead.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::patchableJumpSize):
        (JSC::ARM64Assembler::maxJumpReplacementSize): Deleted.
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::patchableJumpSize):
        (JSC::ARMv7Assembler::maxJumpReplacementSize): Deleted.
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::patchableJumpSize):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::patchableJumpSize):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::patchableJumpSize):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::patchableJumpSize):
        (JSC::X86Assembler::maxJumpReplacementSize): Deleted.
        * jit/JITMathIC.h:
        (JSC::JITMathIC::generateInline):

2016-08-31  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Add initiator parameter to module pipeline
        https://bugs.webkit.org/show_bug.cgi?id=161470

        Reviewed by Saam Barati.

        The fetching semantics of the <script type="module"> tag has per module-tag context.
        For example, "nonce", "crossorigin" etc. attributes are shared in the fetching requests
        issued from the module-tag. To transfer this information, we add a new parameter "initiator"
        to the module loader pipeline. We are planning to transfer information by this parameter.

        At the same time, we also perform some clean up.

        - Use arrow function in ModuleLoaderPrototype.js.
        - Rename "ResolveDependencies" to "Satisfy" to align to the loader spec.

        * builtins/ModuleLoaderPrototype.js:
        (newRegistryEntry):
        (commitInstantiated):
        (requestFetch):
        (requestTranslate):
        (requestInstantiate):
        (requestSatisfy):
        (requestInstantiateAll):
        (requestLink):
        (moduleEvaluation):
        (provide):
        (loadAndEvaluateModule):
        (requestResolveDependencies.): Deleted.
        (requestResolveDependencies): Deleted.
        (requestReady): Deleted.
        (link): Deleted.
        (loadModule): Deleted.
        (linkAndEvaluateModule): Deleted.
        * bytecode/BytecodeIntrinsicRegistry.cpp:
        (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
        * bytecode/BytecodeIntrinsicRegistry.h:
        * jsc.cpp:
        (GlobalObject::moduleLoaderResolve):
        (GlobalObject::moduleLoaderFetch):
        * runtime/Completion.cpp:
        (JSC::loadAndEvaluateModule):
        (JSC::loadModule):
        (JSC::linkAndEvaluateModule):
        * runtime/Completion.h:
        * runtime/JSGlobalObject.h:
        * runtime/JSModuleLoader.cpp:
        (JSC::JSModuleLoader::loadAndEvaluateModule):
        (JSC::JSModuleLoader::loadModule):
        (JSC::JSModuleLoader::linkAndEvaluateModule):
        (JSC::JSModuleLoader::resolve):
        (JSC::JSModuleLoader::fetch):
        (JSC::JSModuleLoader::translate):
        (JSC::JSModuleLoader::instantiate):
        (JSC::JSModuleLoader::evaluate):
        * runtime/JSModuleLoader.h:
        * runtime/ModuleLoaderPrototype.cpp:
        (JSC::moduleLoaderPrototypeResolve):
        (JSC::moduleLoaderPrototypeFetch):
        (JSC::moduleLoaderPrototypeTranslate):
        (JSC::moduleLoaderPrototypeInstantiate):
        (JSC::moduleLoaderPrototypeEvaluate):

2016-08-31  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] linking and evaluating the modules are done in a sync manner
        https://bugs.webkit.org/show_bug.cgi?id=161467

        Reviewed by Saam Barati.

        While the fetching and the other stages are done in an asynchronous manner,
        linking and evaluating are done in a sync manner.
        Just return the result value and do not wrap them with the internal promise.

        * builtins/ModuleLoaderPrototype.js:
        (linkAndEvaluateModule):
        * runtime/Completion.cpp:
        (JSC::linkAndEvaluateModule):
        * runtime/Completion.h:
        * runtime/JSModuleLoader.cpp:
        (JSC::JSModuleLoader::linkAndEvaluateModule):
        * runtime/JSModuleLoader.h:

2016-08-31  Yusuke Suzuki  <utatane.tea@gmail.com>

        stress/random-53bit.js.ftl-no-cjit-no-inline-validate sometimes fails
        https://bugs.webkit.org/show_bug.cgi?id=161436

        Reviewed by Filip Pizlo.

        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionGetRandomSeed):
        (functionSetRandomSeed):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::weakRandom):
        (JSC::JSGlobalObject::weakRandomInteger): Deleted.

2016-08-31  Chris Dumez  <cdumez@apple.com>

        Object.getPrototypeOf() should return null cross-origin
        https://bugs.webkit.org/show_bug.cgi?id=161393

        Reviewed by Geoffrey Garen.

        Object.getPrototypeOf() should return null cross-origin:
        - https://html.spec.whatwg.org/#windowproxy-getprototypeof
        - https://html.spec.whatwg.org/#location-getprototypeof

        Firefox and Chrome return null. However, WebKit was returning undefined.

        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):

2016-08-31  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] AbstractValue can contain padding which is not zero-filled
        https://bugs.webkit.org/show_bug.cgi?id=161427

        Reviewed by Saam Barati.

        We checked that AbstractValue is zero-filled when initializing it to ensure
        that zero-filled memory can be used as the initialized AbstractValue.
        However, since the size of SpeculatedType becomes 64bit, AbstractValue can have
        padding now. And this padding is not ensured that it is initialized with zeros.
        So debug assertion fails when building with GCC.

        This patch changes the strategy. Instead of checking the initialized
        AbstractValue is zero-filled, we ensure that zero-filled AbstractValue can be
        considered to be equal to the initialized AbstractValue.

        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::ensureCanInitializeWithZeros):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::AbstractValue):

2016-08-31  Brady Eidson  <beidson@apple.com>

        WK2 Gamepad provider on iOS.
        https://bugs.webkit.org/show_bug.cgi?id=161412

        Reviewed by Tim Horton.

        * Configurations/FeatureDefines.xcconfig:

2016-08-30  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Some arith nodes are too pessimistic with the types supported on the fast path
        https://bugs.webkit.org/show_bug.cgi?id=161410

        Reviewed by Geoffrey Garen.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        DoubleRep is able to convert numbers, undefined, booleans and null.
        I was too pessimistic when I gated the double implementations
        on number-or-boolean speculation. We can just let DoubleRep convert
        the other cases as long as it is not a Cell.

2016-08-30  Chris Dumez  <cdumez@apple.com>

        Unreviewed, fix build after r205205.

        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorSetPrototypeOf):

2016-08-30  Chris Dumez  <cdumez@apple.com>

        Object.setPrototypeOf() should throw when used on a cross-origin Window / Location object
        https://bugs.webkit.org/show_bug.cgi?id=161396

        Reviewed by Ryosuke Niwa.

        Object.setPrototypeOf() should throw when used on a cross-origin Window / Location object:
        - https://html.spec.whatwg.org/#windowproxy-setprototypeof
        - https://html.spec.whatwg.org/#location-setprototypeof
        - https://tc39.github.io/ecma262/#sec-object.setprototypeof (step 5)

        Firefox and Chrome already throw. However, WebKit merely ignores the call and logs an error message.

        Note that technically, we should also throw in the same origin case.
        However, not all browsers agree on this yet so I haven't not changed
        the behavior for the same origin case.

        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorSetPrototypeOf):

2016-08-30  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Clean up the remaining compare nodes in FTLCapabilities
        https://bugs.webkit.org/show_bug.cgi?id=161400

        Reviewed by Geoffrey Garen.

        It looks like we implemented all the cases without realizing it.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compare):

2016-08-30  Mark Lam  <mark.lam@apple.com>

        Introduce the ThrowScope and force every throw site to instantiate a ThrowScope.
        https://bugs.webkit.org/show_bug.cgi?id=161171

        Reviewed by Filip Pizlo and Geoffrey Garen.

        This is the first step towards having a mechanism (using the ThrowScope) to
        verify that we're properly checking for exceptions in all the needed places.
        See comments at the top of ThrowScope.cpp for details on how the ThrowScope works.

        This patch only introduces the ThrowScope, and changes all throw sites to throw
        using a ThrowScope instance.  VM::throwException() functions are now private, and
        cannot be accessed directly.  All throws must now go through a ThrowScope.

        Verification is disabled for the moment until we can fix all the verification
        failures that will show up.

        I also did a smoke test of the ThrowScope mechanisms by running verification on
        the JSTests/stress/op-add-exceptions.js test with a local build with verification
        turned on.

        Performance is neutral on aggregate with this patch.

        Misc other changes:
        - deleted the unused CALL_THROW() macro from LLIntSlowPaths.cpp.
        - moved createListFromArrayLike() from JSObject.h to JSObjectInlines.h.

        * API/APICallbackFunction.h:
        (JSC::APICallbackFunction::call):
        (JSC::APICallbackFunction::construct):
        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
        (JSC::JSCallbackObject<Parent>::defaultValue):
        (JSC::JSCallbackObject<Parent>::put):
        (JSC::JSCallbackObject<Parent>::putByIndex):
        (JSC::JSCallbackObject<Parent>::deleteProperty):
        (JSC::JSCallbackObject<Parent>::construct):
        (JSC::JSCallbackObject<Parent>::customHasInstance):
        (JSC::JSCallbackObject<Parent>::call):
        (JSC::JSCallbackObject<Parent>::getStaticValue):
        (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
        (JSC::JSCallbackObject<Parent>::callbackGetter):
        * API/JSTypedArray.cpp:
        (createTypedArray):
        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGOperations.cpp:
        (JSC::DFG::newTypedArrayWithSize):
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
        * inspector/JSInjectedScriptHostPrototype.cpp:
        (Inspector::jsInjectedScriptHostPrototypeAttributeEvaluate):
        (Inspector::jsInjectedScriptHostPrototypeFunctionInternalConstructorName):
        (Inspector::jsInjectedScriptHostPrototypeFunctionIsHTMLAllCollection):
        (Inspector::jsInjectedScriptHostPrototypeFunctionWeakMapSize):
        (Inspector::jsInjectedScriptHostPrototypeFunctionWeakMapEntries):
        (Inspector::jsInjectedScriptHostPrototypeFunctionWeakSetSize):
        (Inspector::jsInjectedScriptHostPrototypeFunctionWeakSetEntries):
        (Inspector::jsInjectedScriptHostPrototypeFunctionIteratorEntries):
        (Inspector::jsInjectedScriptHostPrototypeFunctionEvaluateWithScopeExtension):
        (Inspector::jsInjectedScriptHostPrototypeFunctionSubtype):
        (Inspector::jsInjectedScriptHostPrototypeFunctionFunctionDetails):
        (Inspector::jsInjectedScriptHostPrototypeFunctionGetInternalProperties):
        * inspector/JSJavaScriptCallFrame.cpp:
        (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
        * inspector/JSJavaScriptCallFramePrototype.cpp:
        (Inspector::jsJavaScriptCallFramePrototypeFunctionEvaluateWithScopeExtension):
        (Inspector::jsJavaScriptCallFramePrototypeFunctionScopeDescriptions):
        (Inspector::jsJavaScriptCallFrameAttributeCaller):
        (Inspector::jsJavaScriptCallFrameAttributeSourceID):
        (Inspector::jsJavaScriptCallFrameAttributeLine):
        (Inspector::jsJavaScriptCallFrameAttributeColumn):
        (Inspector::jsJavaScriptCallFrameAttributeFunctionName):
        (Inspector::jsJavaScriptCallFrameAttributeScopeChain):
        (Inspector::jsJavaScriptCallFrameAttributeThisObject):
        (Inspector::jsJavaScriptCallFrameAttributeType):
        (Inspector::jsJavaScriptCallFrameIsTailDeleted):
        * interpreter/CachedCall.h:
        (JSC::CachedCall::CachedCall):
        * interpreter/Interpreter.cpp:
        (JSC::eval):
        (JSC::sizeOfVarargs):
        (JSC::sizeFrameForForwardArguments):
        (JSC::sizeFrameForVarargs):
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall):
        * jit/JITOperations.cpp:
        * jsc.cpp:
        (WTF::CustomGetter::customGetter):
        (WTF::RuntimeArray::lengthGetter):
        (functionCreateElement):
        (functionRun):
        (functionRunString):
        (functionLoad):
        (functionLoadString):
        (functionReadFile):
        (functionCheckSyntax):
        (functionTransferArrayBuffer):
        (functionLoadModule):
        (functionCheckModuleSyntax):
        (functionSamplingProfilerStackTraces):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::getByVal):
        (JSC::LLInt::handleHostCall):
        (JSC::LLInt::setUpCall):
        (JSC::LLInt::llint_throw_stack_overflow_error):
        * runtime/ArrayConstructor.cpp:
        (JSC::constructArrayWithSizeQuirk):
        * runtime/ArrayConstructor.h:
        (JSC::isArray):
        * runtime/ArrayPrototype.cpp:
        (JSC::shift):
        (JSC::unshift):
        (JSC::arrayProtoFuncToString):
        (JSC::arrayProtoFuncPop):
        (JSC::arrayProtoFuncReverse):
        (JSC::arrayProtoFuncSplice):
        (JSC::concatAppendOne):
        (JSC::arrayProtoPrivateFuncConcatMemcpy):
        * runtime/BooleanPrototype.cpp:
        (JSC::booleanProtoFuncToString):
        (JSC::booleanProtoFuncValueOf):
        * runtime/CommonSlowPaths.cpp:
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::opIn):
        * runtime/CommonSlowPathsExceptions.cpp:
        (JSC::CommonSlowPaths::interpreterThrowInCaller):
        * runtime/ConstructData.cpp:
        (JSC::construct):
        * runtime/DatePrototype.cpp:
        (JSC::formateDateInstance):
        (JSC::dateProtoFuncToISOString):
        (JSC::dateProtoFuncToLocaleString):
        (JSC::dateProtoFuncToLocaleDateString):
        (JSC::dateProtoFuncToLocaleTimeString):
        (JSC::dateProtoFuncToPrimitiveSymbol):
        (JSC::dateProtoFuncGetTime):
        (JSC::dateProtoFuncGetFullYear):
        (JSC::dateProtoFuncGetUTCFullYear):
        (JSC::dateProtoFuncGetMonth):
        (JSC::dateProtoFuncGetUTCMonth):
        (JSC::dateProtoFuncGetDate):
        (JSC::dateProtoFuncGetUTCDate):
        (JSC::dateProtoFuncGetDay):
        (JSC::dateProtoFuncGetUTCDay):
        (JSC::dateProtoFuncGetHours):
        (JSC::dateProtoFuncGetUTCHours):
        (JSC::dateProtoFuncGetMinutes):
        (JSC::dateProtoFuncGetUTCMinutes):
        (JSC::dateProtoFuncGetSeconds):
        (JSC::dateProtoFuncGetUTCSeconds):
        (JSC::dateProtoFuncGetMilliSeconds):
        (JSC::dateProtoFuncGetUTCMilliseconds):
        (JSC::dateProtoFuncGetTimezoneOffset):
        (JSC::dateProtoFuncSetTime):
        (JSC::setNewValueFromTimeArgs):
        (JSC::setNewValueFromDateArgs):
        (JSC::dateProtoFuncSetYear):
        (JSC::dateProtoFuncGetYear):
        (JSC::dateProtoFuncToJSON):
        * runtime/Error.cpp:
        (JSC::throwConstructorCannotBeCalledAsFunctionTypeError):
        (JSC::throwTypeError):
        (JSC::throwSyntaxError):
        * runtime/Error.h:
        (JSC::throwRangeError):
        (JSC::throwVMError):
        (JSC::throwVMTypeError):
        (JSC::throwVMRangeError):
        (JSC::StrictModeTypeErrorFunction::constructThrowTypeError):
        (JSC::StrictModeTypeErrorFunction::callThrowTypeError):
        * runtime/ErrorPrototype.cpp:
        (JSC::errorProtoFuncToString):
        * runtime/ExceptionFuzz.cpp:
        (JSC::doExceptionFuzzing):
        * runtime/ExceptionHelpers.cpp:
        (JSC::throwOutOfMemoryError):
        (JSC::throwStackOverflowError):
        (JSC::throwTerminatedExecutionException):
        * runtime/ExceptionHelpers.h:
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::newCodeBlockFor):
        (JSC::EvalExecutable::create):
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunction):
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):
        (JSC::functionProtoFuncBind):
        * runtime/GetterSetter.cpp:
        (JSC::callSetter):
        * runtime/IntlCollator.cpp:
        (JSC::IntlCollator::compareStrings):
        * runtime/IntlCollatorPrototype.cpp:
        (JSC::IntlCollatorPrototypeGetterCompare):
        (JSC::IntlCollatorPrototypeFuncResolvedOptions):
        * runtime/IntlDateTimeFormat.cpp:
        (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
        (JSC::IntlDateTimeFormat::format):
        * runtime/IntlDateTimeFormatPrototype.cpp:
        (JSC::IntlDateTimeFormatPrototypeGetterFormat):
        (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::initializeNumberFormat):
        (JSC::IntlNumberFormat::formatNumber):
        * runtime/IntlNumberFormatPrototype.cpp:
        (JSC::IntlNumberFormatPrototypeGetterFormat):
        (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
        * runtime/IntlObject.cpp:
        (JSC::intlStringOption):
        (JSC::intlNumberOption):
        (JSC::canonicalizeLocaleList):
        (JSC::lookupSupportedLocales):
        * runtime/IteratorOperations.cpp:
        (JSC::iteratorNext):
        (JSC::iteratorClose):
        (JSC::createIteratorResultObject):
        (JSC::iteratorForIterable):
        * runtime/JSArray.cpp:
        (JSC::JSArray::defineOwnProperty):
        (JSC::JSArray::put):
        (JSC::JSArray::appendMemcpy):
        (JSC::JSArray::setLength):
        (JSC::JSArray::pop):
        (JSC::JSArray::push):
        (JSC::JSArray::unshiftCountWithArrayStorage):
        (JSC::JSArray::unshiftCountWithAnyIndexingType):
        * runtime/JSArrayBufferConstructor.cpp:
        (JSC::constructArrayBuffer):
        (JSC::callArrayBuffer):
        * runtime/JSArrayBufferPrototype.cpp:
        (JSC::arrayBufferProtoFuncSlice):
        * runtime/JSCInlines.h:
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::toObjectSlowCase):
        (JSC::JSValue::synthesizePrototype):
        (JSC::JSValue::putToPrimitive):
        (JSC::JSValue::putToPrimitiveByIndex):
        (JSC::JSValue::toStringSlowCase):
        * runtime/JSCJSValueInlines.h:
        (JSC::toPreferredPrimitiveType):
        (JSC::JSValue::requireObjectCoercible):
        * runtime/JSDataView.cpp:
        (JSC::JSDataView::create):
        * runtime/JSDataViewPrototype.cpp:
        (JSC::getData):
        (JSC::setData):
        (JSC::dataViewProtoGetterBuffer):
        (JSC::dataViewProtoGetterByteLength):
        (JSC::dataViewProtoGetterByteOffset):
        * runtime/JSFunction.cpp:
        (JSC::callHostFunctionAsConstructor):
        (JSC::JSFunction::callerGetter):
        (JSC::JSFunction::put):
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSGenericTypedArrayView.h:
        (JSC::JSGenericTypedArrayView::setIndex):
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayViewFromIterator):
        (JSC::constructGenericTypedArrayViewWithArguments):
        (JSC::constructGenericTypedArrayView):
        (JSC::callGenericTypedArrayView):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::create):
        (JSC::JSGenericTypedArrayView<Adaptor>::createUninitialized):
        (JSC::JSGenericTypedArrayView<Adaptor>::validateRange):
        (JSC::JSGenericTypedArrayView<Adaptor>::throwNeuteredTypedArrayTypeError):
        * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
        (JSC::speciesConstruct):
        (JSC::genericTypedArrayViewProtoFuncSet):
        (JSC::genericTypedArrayViewProtoFuncCopyWithin):
        (JSC::genericTypedArrayViewProtoFuncIncludes):
        (JSC::genericTypedArrayViewProtoFuncIndexOf):
        (JSC::genericTypedArrayViewProtoFuncJoin):
        (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
        (JSC::genericTypedArrayViewProtoGetterFuncBuffer):
        (JSC::genericTypedArrayViewProtoGetterFuncLength):
        (JSC::genericTypedArrayViewProtoGetterFuncByteLength):
        (JSC::genericTypedArrayViewProtoGetterFuncByteOffset):
        (JSC::genericTypedArrayViewProtoFuncReverse):
        (JSC::genericTypedArrayViewPrivateFuncSort):
        (JSC::genericTypedArrayViewProtoFuncSlice):
        (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::createEvalCodeBlock):
        (JSC::JSGlobalObject::createModuleProgramCodeBlock):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::encode):
        (JSC::decode):
        (JSC::globalFuncEval):
        (JSC::globalFuncThrowTypeError):
        (JSC::globalFuncThrowTypeErrorArgumentsCalleeAndCaller):
        (JSC::globalFuncProtoGetter):
        (JSC::globalFuncProtoSetter):
        * runtime/JSModuleEnvironment.cpp:
        (JSC::JSModuleEnvironment::put):
        * runtime/JSModuleNamespaceObject.cpp:
        (JSC::JSModuleNamespaceObject::getOwnPropertySlot):
        (JSC::JSModuleNamespaceObject::put):
        (JSC::JSModuleNamespaceObject::putByIndex):
        (JSC::JSModuleNamespaceObject::defineOwnProperty):
        (JSC::moduleNamespaceObjectSymbolIterator):
        * runtime/JSModuleRecord.cpp:
        (JSC::JSModuleRecord::getModuleNamespace):
        (JSC::JSModuleRecord::link):
        (JSC::JSModuleRecord::instantiateDeclarations):
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::appendStringifiedValue):
        (JSC::Walker::walk):
        (JSC::JSONProtoFuncParse):
        (JSC::JSONProtoFuncStringify):
        * runtime/JSObject.cpp:
        (JSC::JSObject::setPrototypeWithCycleCheck):
        (JSC::callToPrimitiveFunction):
        (JSC::JSObject::ordinaryToPrimitive):
        (JSC::JSObject::hasInstance):
        (JSC::JSObject::defaultHasInstance):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
        (JSC::validateAndApplyPropertyDescriptor):
        (JSC::JSObject::getMethod):
        * runtime/JSObject.h:
        (JSC::createListFromArrayLike): Deleted.
        * runtime/JSObjectInlines.h:
        (JSC::createListFromArrayLike):
        (JSC::JSObject::putInline):
        * runtime/JSPromiseConstructor.cpp:
        (JSC::constructPromise):
        (JSC::callPromise):
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::propertyNameIteratorFuncNext):
        * runtime/JSString.cpp:
        (JSC::JSRopeString::outOfMemory):
        * runtime/JSStringBuilder.h:
        (JSC::JSStringBuilder::build):
        (JSC::jsMakeNontrivialString):
        * runtime/JSStringJoiner.cpp:
        (JSC::JSStringJoiner::joinedLength):
        (JSC::JSStringJoiner::join):
        * runtime/JSStringJoiner.h:
        (JSC::JSStringJoiner::JSStringJoiner):
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTablePut):
        * runtime/JSTypedArrayViewConstructor.cpp:
        (JSC::constructTypedArrayView):
        * runtime/JSTypedArrayViewPrototype.cpp:
        (JSC::typedArrayViewPrivateFuncLength):
        (JSC::typedArrayViewPrivateFuncSort):
        (JSC::typedArrayViewProtoFuncSet):
        (JSC::typedArrayViewProtoFuncCopyWithin):
        (JSC::typedArrayViewProtoFuncIncludes):
        (JSC::typedArrayViewProtoFuncLastIndexOf):
        (JSC::typedArrayViewProtoFuncIndexOf):
        (JSC::typedArrayViewProtoFuncJoin):
        (JSC::typedArrayViewProtoGetterFuncBuffer):
        (JSC::typedArrayViewProtoGetterFuncLength):
        (JSC::typedArrayViewProtoGetterFuncByteLength):
        (JSC::typedArrayViewProtoGetterFuncByteOffset):
        (JSC::typedArrayViewProtoFuncReverse):
        (JSC::typedArrayViewPrivateFuncSubarrayCreate):
        (JSC::typedArrayViewProtoFuncSlice):
        * runtime/MapConstructor.cpp:
        (JSC::callMap):
        (JSC::constructMap):
        * runtime/MapDataInlines.h:
        (JSC::JSIterator>::ensureSpaceForAppend):
        * runtime/MapIteratorPrototype.cpp:
        (JSC::MapIteratorPrototypeFuncNext):
        * runtime/MapPrototype.cpp:
        (JSC::getMap):
        (JSC::mapProtoFuncValues):
        (JSC::mapProtoFuncEntries):
        (JSC::mapProtoFuncKeys):
        * runtime/ModuleLoaderPrototype.cpp:
        (JSC::moduleLoaderPrototypeParseModule):
        * runtime/NullSetterFunction.cpp:
        (JSC::callReturnUndefined):
        * runtime/NumberPrototype.cpp:
        (JSC::numberProtoFuncToExponential):
        (JSC::numberProtoFuncToFixed):
        (JSC::numberProtoFuncToPrecision):
        (JSC::numberProtoFuncToString):
        (JSC::numberProtoFuncToLocaleString):
        (JSC::numberProtoFuncValueOf):
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorSetPrototypeOf):
        (JSC::toPropertyDescriptor):
        (JSC::objectConstructorDefineProperty):
        (JSC::objectConstructorDefineProperties):
        (JSC::objectConstructorCreate):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncDefineGetter):
        (JSC::objectProtoFuncDefineSetter):
        (JSC::objectProtoFuncToString):
        * runtime/Operations.h:
        (JSC::jsString):
        (JSC::jsStringFromRegisterArray):
        (JSC::jsStringFromArguments):
        * runtime/ProxyConstructor.cpp:
        (JSC::makeRevocableProxy):
        (JSC::proxyRevocableConstructorThrowError):
        (JSC::constructProxyObject):
        (JSC::callProxy):
        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::finishCreation):
        (JSC::performProxyGet):
        (JSC::ProxyObject::performInternalMethodGetOwnProperty):
        (JSC::ProxyObject::performHasProperty):
        (JSC::ProxyObject::getOwnPropertySlotCommon):
        (JSC::ProxyObject::performPut):
        (JSC::performProxyCall):
        (JSC::performProxyConstruct):
        (JSC::ProxyObject::performDelete):
        (JSC::ProxyObject::performPreventExtensions):
        (JSC::ProxyObject::performIsExtensible):
        (JSC::ProxyObject::performDefineOwnProperty):
        (JSC::ProxyObject::performGetOwnPropertyNames):
        (JSC::ProxyObject::performSetPrototype):
        (JSC::ProxyObject::performGetPrototype):
        * runtime/ReflectObject.cpp:
        (JSC::reflectObjectConstruct):
        (JSC::reflectObjectDefineProperty):
        (JSC::reflectObjectEnumerate):
        (JSC::reflectObjectGet):
        (JSC::reflectObjectGetOwnPropertyDescriptor):
        (JSC::reflectObjectGetPrototypeOf):
        (JSC::reflectObjectIsExtensible):
        (JSC::reflectObjectOwnKeys):
        (JSC::reflectObjectPreventExtensions):
        (JSC::reflectObjectSet):
        (JSC::reflectObjectSetPrototypeOf):
        * runtime/RegExpConstructor.cpp:
        (JSC::toFlags):
        (JSC::regExpCreate):
        * runtime/RegExpObject.cpp:
        (JSC::collectMatches):
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::setLastIndex):
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncTestFast):
        (JSC::regExpProtoFuncExec):
        (JSC::regExpProtoFuncMatchFast):
        (JSC::regExpProtoFuncCompile):
        (JSC::regExpProtoFuncToString):
        (JSC::regExpProtoGetterGlobal):
        (JSC::regExpProtoGetterIgnoreCase):
        (JSC::regExpProtoGetterMultiline):
        (JSC::regExpProtoGetterSticky):
        (JSC::regExpProtoGetterUnicode):
        (JSC::regExpProtoGetterFlags):
        (JSC::regExpProtoGetterSource):
        (JSC::regExpProtoFuncSplitFast):
        * runtime/Reject.h:
        (JSC::reject):
        * runtime/SetConstructor.cpp:
        (JSC::callSet):
        (JSC::constructSet):
        * runtime/SetIteratorPrototype.cpp:
        (JSC::SetIteratorPrototypeFuncNext):
        * runtime/SetPrototype.cpp:
        (JSC::getSet):
        (JSC::setProtoFuncValues):
        (JSC::setProtoFuncEntries):
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayValueMap::putEntry):
        (JSC::SparseArrayEntry::put):
        * runtime/StringConstructor.cpp:
        (JSC::stringFromCodePoint):
        * runtime/StringObject.cpp:
        (JSC::StringObject::put):
        (JSC::StringObject::putByIndex):
        * runtime/StringPrototype.cpp:
        (JSC::jsSpliceSubstrings):
        (JSC::jsSpliceSubstringsWithSeparators):
        (JSC::repeatCharacter):
        (JSC::replace):
        (JSC::stringProtoFuncToString):
        (JSC::stringProtoFuncCharAt):
        (JSC::stringProtoFuncCharCodeAt):
        (JSC::stringProtoFuncCodePointAt):
        (JSC::stringProtoFuncConcat):
        (JSC::stringProtoFuncIndexOf):
        (JSC::stringProtoFuncLastIndexOf):
        (JSC::stringProtoFuncSlice):
        (JSC::stringProtoFuncSubstr):
        (JSC::stringProtoFuncSubstring):
        (JSC::stringProtoFuncToLowerCase):
        (JSC::stringProtoFuncToUpperCase):
        (JSC::stringProtoFuncLocaleCompare):
        (JSC::toLocaleCase):
        (JSC::stringProtoFuncBig):
        (JSC::stringProtoFuncSmall):
        (JSC::stringProtoFuncBlink):
        (JSC::stringProtoFuncBold):
        (JSC::stringProtoFuncFixed):
        (JSC::stringProtoFuncItalics):
        (JSC::stringProtoFuncStrike):
        (JSC::stringProtoFuncSub):
        (JSC::stringProtoFuncSup):
        (JSC::stringProtoFuncFontcolor):
        (JSC::stringProtoFuncFontsize):
        (JSC::stringProtoFuncAnchor):
        (JSC::stringProtoFuncLink):
        (JSC::trimString):
        (JSC::stringProtoFuncStartsWith):
        (JSC::stringProtoFuncEndsWith):
        (JSC::stringProtoFuncIncludes):
        (JSC::stringProtoFuncIterator):
        (JSC::normalize):
        (JSC::stringProtoFuncNormalize):
        * runtime/StringRecursionChecker.cpp:
        (JSC::StringRecursionChecker::throwStackOverflowError):
        * runtime/Symbol.cpp:
        (JSC::Symbol::toNumber):
        * runtime/SymbolConstructor.cpp:
        (JSC::symbolConstructorKeyFor):
        * runtime/SymbolPrototype.cpp:
        (JSC::symbolProtoFuncToString):
        (JSC::symbolProtoFuncValueOf):
        * runtime/ThrowScope.cpp: Added.
        (JSC::ThrowScope::ThrowScope):
        (JSC::ThrowScope::~ThrowScope):
        (JSC::ThrowScope::throwException):
        (JSC::ThrowScope::printIfNeedCheck):
        (JSC::ThrowScope::simulateThrow):
        (JSC::ThrowScope::verifyExceptionCheckNeedIsSatisfied):
        * runtime/ThrowScope.h: Added.
        (JSC::ThrowScope::vm):
        (JSC::ThrowScope::exception):
        (JSC::ThrowScope::release):
        (JSC::ThrowScope::ThrowScope):
        (JSC::ThrowScope::throwException):
        (JSC::throwException):
        * runtime/ThrowScopeLocation.h: Added.
        (JSC::ThrowScopeLocation::ThrowScopeLocation):
        * runtime/VM.h:
        * runtime/VMEntryScope.h:
        (JSC::VMEntryScope::vm):
        * runtime/WeakMapConstructor.cpp:
        (JSC::callWeakMap):
        (JSC::constructWeakMap):
        * runtime/WeakMapPrototype.cpp:
        (JSC::getWeakMapData):
        (JSC::protoFuncWeakMapSet):
        * runtime/WeakSetConstructor.cpp:
        (JSC::callWeakSet):
        (JSC::constructWeakSet):
        * runtime/WeakSetPrototype.cpp:
        (JSC::getWeakMapData):
        (JSC::protoFuncWeakSetAdd):

2016-08-30  Alex Christensen  <achristensen@webkit.org>

        Fix WebInspectorUI in internal Windows build
        https://bugs.webkit.org/show_bug.cgi?id=161221
        rdar://problem/28019023

        Reviewed by Brent Fulgham and Joseph Pecoraro.

        * JavaScriptCore.vcxproj/JavaScriptCore.proj:

2016-08-29  Joseph Pecoraro  <pecoraro@apple.com>

        REGRESSION(r202568): Web Inspector: Expanding Array Prototype in Console shows no properties
        https://bugs.webkit.org/show_bug.cgi?id=161263
        <rdar://problem/28035849>

        Reviewed by Matt Baker.

        * inspector/InjectedScriptSource.js:
        (InjectedScript.prototype._propertyDescriptors):
        Previously we only took the "numeric index fast path" if an object was
        array like with length > 100. When we dropped the length check we
        ended up breaking our display of Array prototype, because [].__proto__
        is an array instance. Get it back by just doing a check of length > 0.
        We may want to address this differently in the future by knowing if
        we are getting properties for a prototype or not.

2016-08-29  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Clean up FTL Capabilities for CompareEq
        https://bugs.webkit.org/show_bug.cgi?id=161353

        Reviewed by Geoffrey Garen.

        It looks like we already have code for every case.
        This patch removes the tests from FTLCapabilities
        and move the generic case last as usual.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCompareEq):

2016-08-29  Keith Miller  <keith_miller@apple.com>

        Fix toStringName for Proxies and add support for normal instances
        https://bugs.webkit.org/show_bug.cgi?id=161275

        Reviewed by Saam Barati.

        toStringName on proxies needs to follow the chain of proxies until it finds a non-proxy target.
        Additionally, there are a couple of other classes that need to return "Object" for their
        toStringName. Since this isn't tested by test262 I will propose a new test there.

        * runtime/ClassInfo.h:
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::toStringName):
        * runtime/JSArrayBufferView.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::toStringName):
        * runtime/JSCell.h:
        * runtime/JSMap.cpp:
        (JSC::JSMap::toStringName):
        * runtime/JSMap.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::toStringName):
        * runtime/JSObject.h:
        * runtime/JSSet.cpp:
        (JSC::JSSet::destroy):
        (JSC::JSSet::toStringName):
        * runtime/JSSet.h:
        * runtime/JSWeakMap.cpp:
        (JSC::JSWeakMap::toStringName):
        * runtime/JSWeakMap.h:
        * runtime/JSWeakSet.cpp:
        (JSC::JSWeakSet::toStringName):
        * runtime/JSWeakSet.h:
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncToString):
        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::toStringName):
        * runtime/ProxyObject.h:
        * runtime/SymbolObject.cpp:
        (JSC::SymbolObject::toStringName):
        * runtime/SymbolObject.h:
        (JSC::SymbolObject::internalValue):

2016-08-29  Youenn Fablet  <youenn@apple.com>

        [Fetch API] Response cloning should structureClone when teeing Response stream
        https://bugs.webkit.org/show_bug.cgi?id=161147

        Reviewed by Darin Adler.

        * builtins/BuiltinNames.h: Adding ArrayBuffer and isView identifiers.
        * runtime/JSArrayBufferConstructor.cpp:
        (JSC::JSArrayBufferConstructor::finishCreation): Adding @isView as private method.
        * runtime/JSDataView.h: Exporting create method.

2016-08-29  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Improve ArithAbs with polymorphic input
        https://bugs.webkit.org/show_bug.cgi?id=161286

        Reviewed by Saam Barati.

        This is similar to the previous patches: if we have polymorphic
        input, do a function call.

        I also discovered a few problems with the tests and fixed them:
        -I forgot to add NodeMustGenerate to the previous nodes I changed.
         They could have been eliminated by DCE.
        -ArithAbs was always exiting if the input types do not include numbers.
         The cause was the node was using isInt32OrBooleanSpeculationForArithmetic()
         instead of isInt32OrBooleanSpeculation(). The test of
         isInt32OrBooleanSpeculationForArithmetic() only verify the input does not
         contains double or int52. If we were in that case, we were always speculating
         Int32. That always fails and we were recompiling the same code over and over.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        Now that we have toNumberFromPrimitive(), we can improve constant folding here :)

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasResult):
        (JSC::DFG::Node::hasHeapPrediction):
        (JSC::DFG::Node::hasInt32Result): Deleted.
        The accessor hasInt32Result() was unused.

        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithAbs):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileArithAbs):

2016-08-28  Saam Barati  <sbarati@apple.com>

        Make SpeculatedType a 64-bit integer
        https://bugs.webkit.org/show_bug.cgi?id=161268

        Reviewed by Filip Pizlo and Benjamin Poulain.

        I'm going to introduce two new types into this and we only
        have room for one in 32-bits. So, this patch widens SpeculatedType
        to 64 bits. This also pulls this information through the DFG where
        we needed to change DFGNode to support this.

        * bytecode/SpeculatedType.h:
        * dfg/DFGNode.cpp:
        (JSC::DFG::Node::convertToPutHint):
        (JSC::DFG::Node::promotedLocationDescriptor):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::Node):
        (JSC::DFG::Node::convertToCheckStructure):
        (JSC::DFG::Node::constant):
        (JSC::DFG::Node::convertToConstant):
        (JSC::DFG::Node::convertToConstantStoragePointer):
        (JSC::DFG::Node::convertToPutStack):
        (JSC::DFG::Node::convertToGetStack):
        (JSC::DFG::Node::convertToGetByOffset):
        (JSC::DFG::Node::convertToMultiGetByOffset):
        (JSC::DFG::Node::convertToPutByOffset):
        (JSC::DFG::Node::convertToMultiPutByOffset):
        (JSC::DFG::Node::convertToPhantomNewObject):
        (JSC::DFG::Node::convertToPhantomNewFunction):
        (JSC::DFG::Node::convertToPhantomNewGeneratorFunction):
        (JSC::DFG::Node::convertToPhantomCreateActivation):
        (JSC::DFG::Node::convertToGetLocal):
        (JSC::DFG::Node::lazyJSValue):
        (JSC::DFG::Node::initializationValueForActivation):
        (JSC::DFG::Node::tryGetVariableAccessData):
        (JSC::DFG::Node::variableAccessData):
        (JSC::DFG::Node::unlinkedLocal):
        (JSC::DFG::Node::unlinkedMachineLocal):
        (JSC::DFG::Node::stackAccessData):
        (JSC::DFG::Node::phi):
        (JSC::DFG::Node::identifierNumber):
        (JSC::DFG::Node::getPutInfo):
        (JSC::DFG::Node::accessorAttributes):
        (JSC::DFG::Node::newArrayBufferData):
        (JSC::DFG::Node::indexingType):
        (JSC::DFG::Node::typedArrayType):
        (JSC::DFG::Node::inlineCapacity):
        (JSC::DFG::Node::scopeOffset):
        (JSC::DFG::Node::capturedArgumentsOffset):
        (JSC::DFG::Node::variablePointer):
        (JSC::DFG::Node::callVarargsData):
        (JSC::DFG::Node::loadVarargsData):
        (JSC::DFG::Node::targetBytecodeOffsetDuringParsing):
        (JSC::DFG::Node::targetBlock):
        (JSC::DFG::Node::branchData):
        (JSC::DFG::Node::switchData):
        (JSC::DFG::Node::getHeapPrediction):
        (JSC::DFG::Node::cellOperand):
        (JSC::DFG::Node::watchpointSet):
        (JSC::DFG::Node::storagePointer):
        (JSC::DFG::Node::uidOperand):
        (JSC::DFG::Node::typeInfoOperand):
        (JSC::DFG::Node::transition):
        (JSC::DFG::Node::structureSet):
        (JSC::DFG::Node::structure):
        (JSC::DFG::Node::storageAccessData):
        (JSC::DFG::Node::multiGetByOffsetData):
        (JSC::DFG::Node::multiPutByOffsetData):
        (JSC::DFG::Node::objectMaterializationData):
        (JSC::DFG::Node::arrayMode):
        (JSC::DFG::Node::arithMode):
        (JSC::DFG::Node::arithRoundingMode):
        (JSC::DFG::Node::setArithRoundingMode):
        (JSC::DFG::Node::executionCounter):
        (JSC::DFG::Node::typeLocation):
        (JSC::DFG::Node::basicBlockLocation):
        (JSC::DFG::Node::numberOfArgumentsToSkip):
        (JSC::DFG::Node::OpInfoWrapper::OpInfoWrapper):
        (JSC::DFG::Node::OpInfoWrapper::operator=):
        * dfg/DFGOpInfo.h:
        (JSC::DFG::OpInfo::OpInfo):
        * dfg/DFGPromotedHeapLocation.h:
        (JSC::DFG::PromotedLocationDescriptor::imm1):
        (JSC::DFG::PromotedLocationDescriptor::imm2):

2016-08-27  Don Olmstead  <don.olmstead@am.sony.com>

        Unused cxxabi.h include in JSGlobalObjectInspectorController.cpp
        https://bugs.webkit.org/show_bug.cgi?id=161120

        Reviewed by Darin Adler.

        * inspector/JSGlobalObjectInspectorController.cpp:

2016-08-26  Sam Weinig  <sam@webkit.org>

        Remove support for ENABLE_LEGACY_WEB_AUDIO
        https://bugs.webkit.org/show_bug.cgi?id=161262

        Reviewed by Anders Carlsson.

        * Configurations/FeatureDefines.xcconfig:
        Remove ENABLE_LEGACY_WEB_AUDIO

2016-08-26  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] Implement CompareStrictEq(String, Untyped) in FTL
        https://bugs.webkit.org/show_bug.cgi?id=161229

        Reviewed by Geoffrey Garen.

        Add (String, Untyped) uses to FTL CompareStrictEq.
        This was the last use type not implemented, the node is fully
        supported by FTL after this patch.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
        (JSC::FTL::DFG::LowerDFGToB3::compileStringToUntypedStrictEquality):

        (JSC::FTL::DFG::LowerDFGToB3::nonSpeculativeCompare):
        Remove the type checks when possible.

2016-08-26  Johan K. Jensen  <johan_jensen@apple.com>

        Web Inspector: Frontend should have access to Resource Timing information
        https://bugs.webkit.org/show_bug.cgi?id=160095

        Reviewed by Alex Christensen.

        Rename ResourceTiming property.

        * inspector/protocol/Network.json:
        Rename navigationStart to startTime so it's applicable
        for all resources and not just the main resource.

2016-08-25  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Provide a way to clear an IndexedDB object store
        https://bugs.webkit.org/show_bug.cgi?id=161167
        <rdar://problem/27996932>

        Reviewed by Brian Burg.

        * inspector/protocol/IndexedDB.json:
        Cleanup the protocol file.

2016-08-26  Devin Rousso  <dcrousso+webkit@gmail.com>

        Web Inspector: Some CSS selectors in the UI aren't escaped
        https://bugs.webkit.org/show_bug.cgi?id=151378

        Reviewed by Joseph Pecoraro.

        Change ElementData from sending a className string to using an array of
        classes, allowing for proper escaping of each class value.

        * inspector/protocol/OverlayTypes.json:

2016-08-26  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: ScriptProfilerAgent and HeapAgent should do less work when frontend disconnects
        https://bugs.webkit.org/show_bug.cgi?id=161213
        <rdar://problem/28017986>

        Reviewed by Brian Burg.

        * inspector/agents/InspectorHeapAgent.cpp:
        (Inspector::InspectorHeapAgent::willDestroyFrontendAndBackend):
        Don't take a final snapshot when disconnecting.

        * inspector/agents/InspectorScriptProfilerAgent.cpp:
        (Inspector::InspectorScriptProfilerAgent::willDestroyFrontendAndBackend):
        (Inspector::InspectorScriptProfilerAgent::stopSamplingWhenDisconnecting):
        * inspector/agents/InspectorScriptProfilerAgent.h:
        * runtime/SamplingProfiler.h:
        Don't process samples when disconnecting.

2016-08-26  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: HeapProfiler/ScriptProfiler do not destruct safely when JSContext is destroyed
        https://bugs.webkit.org/show_bug.cgi?id=161027
        <rdar://problem/27871349>

        Reviewed by Mark Lam.

        For JSContext inspection, when a frontend connects keep the target alive.
        This means ref'ing the JSGlobalObject / VM when the first frontend
        connects and deref'ing when the last frontend disconnects.

        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::globalObjectDestroyed):
        (Inspector::JSGlobalObjectInspectorController::disconnectAllFrontends): Deleted.
        Now that frontends keep the global object alive, when the global object
        is destroyed that must mean that no frontends exist. Remove the now
        stale code path.

        (Inspector::JSGlobalObjectInspectorController::connectFrontend):
        (Inspector::JSGlobalObjectInspectorController::disconnectFrontend):
        Ref the target when the first frontend connects, deref when the last disconnects.

2016-08-26  Yusuke Suzuki  <utatane.tea@gmail.com>

        [ES6] newPromiseCapabilities should check the given argument is constructor
        https://bugs.webkit.org/show_bug.cgi?id=161226

        Reviewed by Mark Lam.

        Use @isConstructor.

        * builtins/PromiseOperations.js:

2016-08-25  Keith Miller  <keith_miller@apple.com>

        toString called on proxies returns incorrect tag
        https://bugs.webkit.org/show_bug.cgi?id=161111

        Reviewed by Benjamin Poulain.

        This patch adds a new Method table function toStringName. This function
        is used by Object.prototype.toString to create the string tag that it
        inserts. Right now it only changes the stringification of proxy objects.
        In future patches I plan to make it work for other classes of objects as
        well.

        * runtime/ClassInfo.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::toStringName):
        * runtime/JSCell.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::toStringName):
        * runtime/JSObject.h:
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncToString):
        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::toStringName):
        * runtime/ProxyObject.h:

2016-08-26  Csaba Osztrogonác  <ossy@webkit.org>

        Fix the ENABLE(WEBASSEMBLY) build on Linux
        https://bugs.webkit.org/show_bug.cgi?id=161197

        Reviewed by Mark Lam.

        * CMakeLists.txt:
        * b3/B3Common.cpp:
        (JSC::B3::shouldDumpIR):
        * shell/CMakeLists.txt:
        * wasm/JSWASMModule.h:
        * wasm/WASMB3IRGenerator.cpp:
        (JSC::WASM::toB3Op):
        * wasm/WASMB3IRGenerator.h:
        * wasm/WASMFormat.h:
        * wasm/WASMFunctionParser.h:
        * wasm/WASMModuleParser.cpp:
        (JSC::WASM::WASMModuleParser::parseFunctionTypes):
        * wasm/WASMModuleParser.h:
        * wasm/WASMParser.h:
        * wasm/WASMPlan.cpp:
        * wasm/WASMPlan.h:
        * wasm/WASMSections.cpp:

2016-08-26  Per Arne Vollan  <pvollan@apple.com>

        [Win] Compile fix.
        https://bugs.webkit.org/show_bug.cgi?id=161235

        Reviewed by Brent Fulgham.

        YarrPattern::errorMessage has inconsistent dll linkage.

        * yarr/YarrPattern.h:

2016-08-25  Alex Christensen  <achristensen@webkit.org>

        CMake build fix.

        * ForwardingHeaders/JavaScriptCore/JSObjectRefPrivate.h: Added.
        This is needed for the internal Windows build.

2016-08-25  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Clean up the abstract interpreter for cos/sin/sqrt/fround/log
        https://bugs.webkit.org/show_bug.cgi?id=161181

        Reviewed by Geoffrey Garen.

        All the nodes are doing the exact same thing with a single
        difference: how to process constants. I made that into a separate
        function called from each node.

        I also generalized the constant-to-number code of DoubleRep
        to make it available for all those nodes.

        * dfg/DFGAbstractInterpreter.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeDoubleUnaryOpEffects):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::toNumberFromPrimitive):
        * runtime/JSCJSValue.h:

2016-08-25  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG][FTL] Implement ES6 Generators in DFG / FTL
        https://bugs.webkit.org/show_bug.cgi?id=152723

        Reviewed by Filip Pizlo.

        This patch introduces DFG and FTL support for ES6 generators.
        ES6 generator is compiled by the BytecodeGenerator. But at the last phase, BytecodeGenerator performs "generatorification" onto the unlinked code.
        In BytecodeGenerator phase, we just emit op_yield for each yield point. And we don't emit any generator related switch, save, and resume sequences
        here. Those are emitted by the generatorification phase.

        So the graph is super simple! Before the generatorification, the graph looks like this.

             op_enter -> ...... -> op_yield -> ..... -> op_yield -> ...

        Roughly speaking, in the generatorification phase, we turn out which variables should be saved and resumed at each op_yield.
        This is done by liveness analysis. After that, we convert op_yield to the sequence of "op_put_to_scope", "op_ret", and "op_get_from_scope".
        op_put_to_scope and op_get_from_scope sequences are corresponding to the save and resume sequences. We set up the scope for the generator frame and
        perform op_put_to_scope and op_get_from_scope onto it. The live registers are saved and resumed over the generator's next() calls by using this
        special generator frame scope. And we also set up the global switch for the generator.

        In the generatorification phase,

        1. We construct the BytecodeGraph from the unlinked instructions. This constructs the basic blocks, and it is used in the subsequent analysis.
        2. We perform the analysis onto the unlinked code. We extract the live variables at each op_yield.
        3. We insert the get_from_scope and put_to_scope at each op_yield. Which registers should be saved and resumed is offered by (2).
           Then, clip the op_yield themselves. And we also insert the switch_imm. The jump targets of this switch are just after this op_switch_imm and each op_yield point.

        One interesting point is the try-range. We split the try-range at the op_yield point in BytecodeGenerator phase.
        This drops the hacky thing that is introduced in [1].
        If the try-range covers the resume sequences, the exception handler's use-registers are incorrectly transferred to the entry block.
        For example,

            handler uses r2
                                                             try-range
            label:(entry block can jump here)                 ^
                r1 = get_from_scope # resume sequence starts  | use r2 is transferred to the entry block!
                r2 = get_from_scope                           |
                starts usual sequences                        |
                ...                                           |

        Handler's r2 use should be considered at the `r1 = get_from_scope` point.
        Previously, we handle this edge case by treating op_resume specially in the liveness analysis[1].
        To drop this workaround, we split the try-range not to cover this resume sequence.

            handler uses r2
                                                             try-range
            label:(entry block can jump here)
                r1 = get_from_scope # resume sequence starts
                r2 = get_from_scope
                starts usual sequences                        ^ try-range should start from here.
                ...                                           |

        OK. Let's show the detailed example.

            1. First, there is the normal bytecode sequence. Here, | represents the offsets, and [] represents the bytecodes.

                bytecodes   | [ ] | [ ] | [ ] | [ ] | [ ] | [ ] |
                try-range   <----------------------------------->

            2. When we emit the op_yield in the bytecode generator, we carefully split the try-range.

                bytecodes   | [ ] | [ ] | [op_yield] | [ ] | [ ] | [ ] |
                try-range   <----------->            <----------------->

            3. And in the generatorification phase, we insert the switch's jump target and save & resume sequences. And we also drop op_yield.

                        Insert save seq  Insert resume seq
                        before op_yield. after op_yield's point.
                                       v v
                bytecodes   | [ ] | [ ] | [op_yield] | [ ] | [ ] | [ ] |
                try-range   <----------->     ^      <----------------->
                                        ^     |
                             Jump to here.    Drop this op_yield.

            4. The final layout is the following.

                bytecodes   | [ ] | [ ][save seq][op_ret] | [resume seq] | [ ] | [ ] | [ ] |
                try-range   <----------------------------->               <---------------->
                                                          ^
                                              Jump to here.

        The rewriting done by the BytecodeRewriter is executed in a batch manner. Since these modification changes the basic blocks and size of unlinked instructions,
        BytecodeRewriter also performs the offset adjustment for UnlinkedCodeBlock. So, this rewriting is performed onto the BytecodeGraph rather than BytecodeBasicBlock.
        The reason why we take this design is simple: we don't want to newly create the basic blocks and opcodes for this early phase like DFG. Instead, we perform the
        modification and adjustment to the unlinked instructions and UnlinkedCodeBlock in a in-place manner.

        Bytecode rewriting functionality is offered by BytecodeRewriter. BytecodeRewriter allows us to insert any bytecodes to any places
        in a in-place manner. BytecodeRewriter handles the original bytecode offsets as labels. And you can insert bytecodes before and after
        these labels. You can also insert any jumps to any places. When you insert jumps, you need to specify jump target with this labels.
        These labels (original bytecode offsets) are automatically converted to the appropriate offsets by BytecodeRewriter.

        After that phase, the data flow of the generator-saved-and-resumed-registers are explicitly represented by the get_from_scope and put_to_scope.
        And the switch is inserted to represent the actual control flow for the generator. And op_yield is removed. Since we use the existing bytecodes (op_switch_imm, op_put_to_scope
        op_ret, and op_get_from_scope), DFG and FTL changes are not necessary. This patch also drops data structures and implementations for the old generator,
        op_resume, op_save implementations and GeneratorFrame.

        Note that this patch does not leverage the recent multi entrypoints support in B3. After this patch is introduced, we will submit a new patch that leverages the multi
        entrypoints for generator's resume and sees the performance gain.

        Microbenchmarks related to generators show up to 2.9x improvements.

                                                        Baseline                  Patched

            generator-fib                          102.0116+-3.2880     ^     34.9670+-0.2221        ^ definitely 2.9174x faster
            generator-sunspider-access-nsieve        5.8596+-0.0371     ^      4.9051+-0.0720        ^ definitely 1.1946x faster
            generator-with-several-types           332.1478+-4.2425     ^    124.6642+-2.4826        ^ definitely 2.6643x faster

            <geometric>                             58.2998+-0.7758     ^     27.7425+-0.2577        ^ definitely 2.1015x faster

        In ES6SampleBench's Basic, we can observe 41% improvement (Macbook Pro).

            Baseline:
                Geometric Mean Result: 133.55 ms +- 4.49 ms

                Benchmark    First Iteration        Worst 2%               Steady State
                Air          54.03 ms +- 7.51 ms    29.06 ms +- 3.13 ms    2276.59 ms +- 61.17 ms
                Basic        30.18 ms +- 1.86 ms    18.85 ms +- 0.45 ms    2851.16 ms +- 41.87 ms

            Patched:
                Geometric Mean Result: 121.78 ms +- 3.96 ms

                Benchmark    First Iteration        Worst 2%               Steady State
                Air          52.09 ms +- 6.89 ms    29.59 ms +- 3.16 ms    2239.90 ms +- 54.60 ms
                Basic        29.28 ms +- 1.46 ms    16.26 ms +- 0.66 ms    2025.15 ms +- 38.56 ms

        [1]: https://bugs.webkit.org/show_bug.cgi?id=159281

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/GeneratorPrototype.js:
        (globalPrivate.generatorResume):
        * bytecode/BytecodeBasicBlock.cpp:
        (JSC::BytecodeBasicBlock::shrinkToFit):
        (JSC::BytecodeBasicBlock::computeImpl):
        (JSC::BytecodeBasicBlock::compute):
        (JSC::isBranch): Deleted.
        (JSC::isUnconditionalBranch): Deleted.
        (JSC::isTerminal): Deleted.
        (JSC::isThrow): Deleted.
        (JSC::linkBlocks): Deleted.
        (JSC::computeBytecodeBasicBlocks): Deleted.
        * bytecode/BytecodeBasicBlock.h:
        (JSC::BytecodeBasicBlock::isEntryBlock):
        (JSC::BytecodeBasicBlock::isExitBlock):
        (JSC::BytecodeBasicBlock::leaderOffset):
        (JSC::BytecodeBasicBlock::totalLength):
        (JSC::BytecodeBasicBlock::offsets):
        (JSC::BytecodeBasicBlock::successors):
        (JSC::BytecodeBasicBlock::index):
        (JSC::BytecodeBasicBlock::addSuccessor):
        (JSC::BytecodeBasicBlock::BytecodeBasicBlock):
        (JSC::BytecodeBasicBlock::addLength):
        (JSC::BytecodeBasicBlock::leaderBytecodeOffset): Deleted.
        (JSC::BytecodeBasicBlock::totalBytecodeLength): Deleted.
        (JSC::BytecodeBasicBlock::bytecodeOffsets): Deleted.
        (JSC::BytecodeBasicBlock::addBytecodeLength): Deleted.
        * bytecode/BytecodeGeneratorification.cpp: Added.
        (JSC::BytecodeGeneratorification::BytecodeGeneratorification):
        (JSC::BytecodeGeneratorification::graph):
        (JSC::BytecodeGeneratorification::yields):
        (JSC::BytecodeGeneratorification::enterPoint):
        (JSC::BytecodeGeneratorification::storageForGeneratorLocal):
        (JSC::GeneratorLivenessAnalysis::GeneratorLivenessAnalysis):
        (JSC::GeneratorLivenessAnalysis::computeDefsForBytecodeOffset):
        (JSC::GeneratorLivenessAnalysis::computeUsesForBytecodeOffset):
        (JSC::GeneratorLivenessAnalysis::run):
        (JSC::BytecodeGeneratorification::run):
        (JSC::performGeneratorification):
        * bytecode/BytecodeGeneratorification.h: Copied from Source/JavaScriptCore/bytecode/BytecodeLivenessAnalysisInlines.h.
        * bytecode/BytecodeGraph.h: Added.
        (JSC::BytecodeGraph::codeBlock):
        (JSC::BytecodeGraph::instructions):
        (JSC::BytecodeGraph::basicBlocksInReverseOrder):
        (JSC::BytecodeGraph::blockContainsBytecodeOffset):
        (JSC::BytecodeGraph::findBasicBlockForBytecodeOffset):
        (JSC::BytecodeGraph::findBasicBlockWithLeaderOffset):
        (JSC::BytecodeGraph::size):
        (JSC::BytecodeGraph::at):
        (JSC::BytecodeGraph::operator[]):
        (JSC::BytecodeGraph::begin):
        (JSC::BytecodeGraph::end):
        (JSC::BytecodeGraph::first):
        (JSC::BytecodeGraph::last):
        (JSC::BytecodeGraph<Block>::BytecodeGraph):
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeLivenessAnalysis.cpp:
        (JSC::BytecodeLivenessAnalysis::BytecodeLivenessAnalysis):
        (JSC::BytecodeLivenessAnalysis::computeDefsForBytecodeOffset):
        (JSC::BytecodeLivenessAnalysis::computeUsesForBytecodeOffset):
        (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeOffset):
        (JSC::BytecodeLivenessAnalysis::computeFullLiveness):
        (JSC::BytecodeLivenessAnalysis::computeKills):
        (JSC::BytecodeLivenessAnalysis::dumpResults):
        (JSC::BytecodeLivenessAnalysis::compute):
        (JSC::isValidRegisterForLiveness): Deleted.
        (JSC::getLeaderOffsetForBasicBlock): Deleted.
        (JSC::findBasicBlockWithLeaderOffset): Deleted.
        (JSC::blockContainsBytecodeOffset): Deleted.
        (JSC::findBasicBlockForBytecodeOffset): Deleted.
        (JSC::stepOverInstruction): Deleted.
        (JSC::computeLocalLivenessForBytecodeOffset): Deleted.
        (JSC::computeLocalLivenessForBlock): Deleted.
        (JSC::BytecodeLivenessAnalysis::runLivenessFixpoint): Deleted.
        * bytecode/BytecodeLivenessAnalysis.h:
        * bytecode/BytecodeLivenessAnalysisInlines.h:
        (JSC::isValidRegisterForLiveness):
        (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::stepOverInstruction):
        (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::computeLocalLivenessForBytecodeOffset):
        (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::computeLocalLivenessForBlock):
        (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::getLivenessInfoAtBytecodeOffset):
        (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::runLivenessFixpoint):
        * bytecode/BytecodeRewriter.cpp: Added.
        (JSC::BytecodeRewriter::applyModification):
        (JSC::BytecodeRewriter::execute):
        (JSC::BytecodeRewriter::adjustJumpTargetsInFragment):
        (JSC::BytecodeRewriter::insertImpl):
        (JSC::BytecodeRewriter::adjustJumpTarget):
        * bytecode/BytecodeRewriter.h: Added.
        (JSC::BytecodeRewriter::InsertionPoint::InsertionPoint):
        (JSC::BytecodeRewriter::InsertionPoint::operator<):
        (JSC::BytecodeRewriter::InsertionPoint::operator==):
        (JSC::BytecodeRewriter::Insertion::length):
        (JSC::BytecodeRewriter::Fragment::Fragment):
        (JSC::BytecodeRewriter::Fragment::appendInstruction):
        (JSC::BytecodeRewriter::BytecodeRewriter):
        (JSC::BytecodeRewriter::insertFragmentBefore):
        (JSC::BytecodeRewriter::insertFragmentAfter):
        (JSC::BytecodeRewriter::removeBytecode):
        (JSC::BytecodeRewriter::graph):
        (JSC::BytecodeRewriter::adjustAbsoluteOffset):
        (JSC::BytecodeRewriter::adjustJumpTarget):
        (JSC::BytecodeRewriter::calculateDifference):
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::finishCreation):
        (JSC::CodeBlock::handlerForIndex):
        (JSC::CodeBlock::shrinkToFit):
        (JSC::CodeBlock::valueProfileForBytecodeOffset):
        (JSC::CodeBlock::livenessAnalysisSlow):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::isConstantRegisterIndex):
        (JSC::CodeBlock::livenessAnalysis):
        (JSC::CodeBlock::liveCalleeLocalsAtYield): Deleted.
        * bytecode/HandlerInfo.h:
        (JSC::HandlerInfoBase::handlerForIndex):
        * bytecode/Opcode.h:
        (JSC::isBranch):
        (JSC::isUnconditionalBranch):
        (JSC::isTerminal):
        (JSC::isThrow):
        * bytecode/PreciseJumpTargets.cpp:
        (JSC::getJumpTargetsForBytecodeOffset):
        (JSC::computePreciseJumpTargetsInternal):
        (JSC::computePreciseJumpTargets):
        (JSC::recomputePreciseJumpTargets):
        (JSC::findJumpTargetsForBytecodeOffset):
        * bytecode/PreciseJumpTargets.h:
        * bytecode/PreciseJumpTargetsInlines.h: Added.
        (JSC::extractStoredJumpTargetsForBytecodeOffset):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::handlerForBytecodeOffset):
        (JSC::UnlinkedCodeBlock::handlerForIndex):
        (JSC::UnlinkedCodeBlock::applyModification):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedStringJumpTable::offsetForValue):
        (JSC::UnlinkedCodeBlock::numCalleeLocals):
        * bytecode/VirtualRegister.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitComplexPopScopes):
        (JSC::prepareJumpTableForStringSwitch):
        (JSC::BytecodeGenerator::emitYieldPoint):
        (JSC::BytecodeGenerator::emitSave): Deleted.
        (JSC::BytecodeGenerator::emitResume): Deleted.
        (JSC::BytecodeGenerator::emitGeneratorStateLabel): Deleted.
        (JSC::BytecodeGenerator::beginGenerator): Deleted.
        (JSC::BytecodeGenerator::endGenerator): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::generatorStateRegister):
        (JSC::BytecodeGenerator::generatorValueRegister):
        (JSC::BytecodeGenerator::generatorResumeModeRegister):
        (JSC::BytecodeGenerator::generatorFrameRegister):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::FunctionNode::emitBytecode):
        * dfg/DFGOperations.cpp:
        * interpreter/Interpreter.cpp:
        (JSC::findExceptionHandler):
        (JSC::GetCatchHandlerFunctor::operator()):
        (JSC::UnwindFunctor::operator()):
        * interpreter/Interpreter.h:
        * interpreter/InterpreterInlines.h: Copied from Source/JavaScriptCore/bytecode/PreciseJumpTargets.h.
        (JSC::Interpreter::getOpcodeID):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_save): Deleted.
        (JSC::JIT::emit_op_resume): Deleted.
        * llint/LowLevelInterpreter.asm:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseInner):
        (JSC::Parser<LexerType>::parseGeneratorFunctionSourceElements):
        (JSC::Parser<LexerType>::createGeneratorParameters):
        * parser/Parser.h:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL): Deleted.
        * runtime/CommonSlowPaths.h:
        * runtime/GeneratorFrame.cpp: Removed.
        (JSC::GeneratorFrame::GeneratorFrame): Deleted.
        (JSC::GeneratorFrame::finishCreation): Deleted.
        (JSC::GeneratorFrame::createStructure): Deleted.
        (JSC::GeneratorFrame::create): Deleted.
        (JSC::GeneratorFrame::save): Deleted.
        (JSC::GeneratorFrame::resume): Deleted.
        (JSC::GeneratorFrame::visitChildren): Deleted.
        * runtime/GeneratorFrame.h: Removed.
        (JSC::GeneratorFrame::locals): Deleted.
        (JSC::GeneratorFrame::localAt): Deleted.
        (JSC::GeneratorFrame::offsetOfLocals): Deleted.
        (JSC::GeneratorFrame::allocationSizeForLocals): Deleted.
        * runtime/JSGeneratorFunction.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2016-08-25  JF Bastien  <jfbastien@apple.com>

        TryGetById should have a ValueProfile so that it can predict its output type
        https://bugs.webkit.org/show_bug.cgi?id=160921

        Reviewed by Saam Barati.

        Add a ValueProfile to TryGetById, and make sure DFG picks it up.

        A microbenchmark for perfectly predicted computation shows a 20%
        runtime reduction with no hit if the prediction goes polymorphic.

        * bytecode/BytecodeList.json:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::finishCreation):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitTryGetById):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasHeapPrediction):
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_try_get_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_try_get_by_id):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.asm:

2016-08-25  Csaba Osztrogonác  <ossy@webkit.org>

        generate-js-builtins.py should generate platform independent files
        https://bugs.webkit.org/show_bug.cgi?id=161196

        Reviewed by Mark Lam.

        * Scripts/generate-js-builtins.py: Files should be processed in fixed order.

2016-08-25  Caio Lima  <ticaiolima@gmail.com>

        NewRegexp should not prevent inlining
        https://bugs.webkit.org/show_bug.cgi?id=154808

        Reviewed by Geoffrey Garen.

        In this patch we are changing the current mechanism used to represent
        RegExp in NewRegexp nodes. We are changing the use of a index
        pointing to RegExp in
        CodeBlock->m_unlinkedCodeBlock->m_rareData->m_regexps as the operand of
        NewRegexp node to RegExp address as the operand. To make sure that RegExp* is
        pointing to a valid object, we are using m_graph.freezeStrong
        mechanism.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasCellOperand):
        (JSC::DFG::Node::hasRegexpIndex): Deleted.
        (JSC::DFG::Node::regexpIndex): Deleted.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):

2016-08-24  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] Make FRound work with any type
        https://bugs.webkit.org/show_bug.cgi?id=161129

        Reviewed by Geoffrey Garen.

        Math.fround() does nothing with arguments past the first one
        (https://tc39.github.io/ecma262/#sec-math.fround).
        We can unify ArithFRound with the other single-input intrinsics.

        Everything else is same old: if the input type is not a number,
        be pessimistic about everything and do a C call.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithFRound):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileArithFRound):

2016-08-24  Andreas Kling  <akling@apple.com>

        Shrink DFG::OSRExit a bit.
        <https://webkit.org/b/161169>

        Reviewed by Geoffrey Garen.

        Rearrange the members of OSRExitBase and DFG::OSRExit to save 16 bytes per instance.

        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::OSRExit):
        * dfg/DFGOSRExit.h:
        * dfg/DFGOSRExitBase.h:
        (JSC::DFG::OSRExitBase::OSRExitBase):

2016-08-24  Ryan Haddad  <ryanhaddad@apple.com>

        Rebaseline builtins-generator-tests since r204854 was rolled out.

        Unreviewed test gardening.

        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
        * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:

2016-08-24  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Move generic data structures out of B3
        https://bugs.webkit.org/show_bug.cgi?id=161155

        Reviewed by Saam Barati.

        Move B3's good generic data structures to WTF.
        They can be used for the other kind of basic blocks and nodes.
        For example, the generator patch[1] will make BytecodeBasicBlock usable with these structures.

        [1]: https://bugs.webkit.org/show_bug.cgi?id=152723

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/B3BasicBlockUtils.h:
        * b3/B3BlockWorklist.h:
        * b3/B3CFG.h:
        * b3/B3DuplicateTails.cpp:
        * b3/B3FixSSA.cpp:
        * b3/B3FixSSA.h:
        * b3/B3IndexMap.h:
        (JSC::B3::IndexMap::IndexMap): Deleted.
        (JSC::B3::IndexMap::resize): Deleted.
        (JSC::B3::IndexMap::clear): Deleted.
        (JSC::B3::IndexMap::size): Deleted.
        (JSC::B3::IndexMap::operator[]): Deleted.
        * b3/B3IndexSet.h:
        (JSC::B3::IndexSet::IndexSet): Deleted.
        (JSC::B3::IndexSet::add): Deleted.
        (JSC::B3::IndexSet::addAll): Deleted.
        (JSC::B3::IndexSet::remove): Deleted.
        (JSC::B3::IndexSet::contains): Deleted.
        (JSC::B3::IndexSet::size): Deleted.
        (JSC::B3::IndexSet::isEmpty): Deleted.
        (JSC::B3::IndexSet::Iterable::Iterable): Deleted.
        (JSC::B3::IndexSet::Iterable::iterator::iterator): Deleted.
        (JSC::B3::IndexSet::Iterable::iterator::operator*): Deleted.
        (JSC::B3::IndexSet::Iterable::iterator::operator++): Deleted.
        (JSC::B3::IndexSet::Iterable::iterator::operator==): Deleted.
        (JSC::B3::IndexSet::Iterable::iterator::operator!=): Deleted.
        (JSC::B3::IndexSet::Iterable::begin): Deleted.
        (JSC::B3::IndexSet::Iterable::end): Deleted.
        (JSC::B3::IndexSet::values): Deleted.
        (JSC::B3::IndexSet::indices): Deleted.
        (JSC::B3::IndexSet::dump): Deleted.
        * b3/B3LowerToAir.cpp:
        * b3/B3PhiChildren.h:
        * b3/B3Procedure.h:
        (JSC::B3::Procedure::iterator::iterator): Deleted.
        (JSC::B3::Procedure::iterator::operator*): Deleted.
        (JSC::B3::Procedure::iterator::operator++): Deleted.
        (JSC::B3::Procedure::iterator::operator==): Deleted.
        (JSC::B3::Procedure::iterator::operator!=): Deleted.
        (JSC::B3::Procedure::iterator::findNext): Deleted.
        * b3/B3ReduceDoubleToFloat.cpp:
        * b3/B3ReduceStrength.cpp:
        * b3/B3SSACalculator.h:
        * b3/B3UseCounts.h:
        * b3/air/AirCode.h:
        * b3/air/AirEliminateDeadCode.cpp:
        * b3/air/AirFixObviousSpills.cpp:
        * b3/air/AirFixPartialRegisterStalls.cpp:
        * b3/air/AirGenerate.cpp:
        * b3/air/AirGenerationContext.h:
        * b3/air/AirLiveness.h:
        * b3/air/AirSpillEverything.cpp:

2016-08-24  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, roll out r204901, r204897, r204866, r204856, r204854.

        * API/JSTypedArray.cpp:
        * API/ObjCCallbackFunction.mm:
        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Scripts/builtins/builtins_generate_combined_implementation.py:
        (BuiltinsCombinedImplementationGenerator.generate_secondary_header_includes):
        * Scripts/builtins/builtins_generate_internals_wrapper_implementation.py:
        (BuiltinsInternalsWrapperImplementationGenerator.generate_secondary_header_includes):
        * Scripts/builtins/builtins_generate_separate_implementation.py:
        (BuiltinsSeparateImplementationGenerator.generate_secondary_header_includes):
        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::JumpList::link):
        (JSC::AbstractMacroAssembler::JumpList::linkTo):
        * assembler/MacroAssembler.h:
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::add32):
        * assembler/MacroAssemblerCodeRef.cpp: Removed.
        * assembler/MacroAssemblerCodeRef.h:
        (JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
        (JSC::MacroAssemblerCodePtr::dumpWithName):
        (JSC::MacroAssemblerCodePtr::dump):
        (JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
        (JSC::MacroAssemblerCodeRef::dump):
        * b3/B3BasicBlock.cpp:
        (JSC::B3::BasicBlock::appendBoolConstant): Deleted.
        * b3/B3BasicBlock.h:
        * b3/B3DuplicateTails.cpp:
        * b3/B3StackmapGenerationParams.h:
        * b3/testb3.cpp:
        (JSC::B3::run):
        (JSC::B3::testPatchpointTerminalReturnValue): Deleted.
        * bindings/ScriptValue.cpp:
        * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
        * bytecode/BytecodeBasicBlock.cpp:
        * bytecode/BytecodeLivenessAnalysis.cpp:
        * bytecode/BytecodeUseDef.h:
        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::callTypeFor): Deleted.
        * bytecode/CallLinkInfo.h:
        (JSC::CallLinkInfo::callTypeFor):
        * bytecode/CallLinkStatus.cpp:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        (JSC::CodeBlock::clearLLIntGetByIdCache): Deleted.
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::jitCodeMap):
        (JSC::clearLLIntGetByIdCache):
        * bytecode/Instruction.h:
        * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
        (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
        * bytecode/ObjectAllocationProfile.h:
        (JSC::ObjectAllocationProfile::isNull):
        (JSC::ObjectAllocationProfile::initialize):
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessCase::generateImpl):
        (JSC::PolymorphicAccess::regenerate):
        * bytecode/PolymorphicAccess.h:
        * bytecode/PreciseJumpTargets.cpp:
        * bytecode/StructureStubInfo.cpp:
        * bytecode/StructureStubInfo.h:
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::vm):
        * bytecode/UnlinkedCodeBlock.h:
        * bytecode/UnlinkedInstructionStream.cpp:
        * bytecode/UnlinkedInstructionStream.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
        (JSC::DFG::SpeculativeJIT::compileMakeRope):
        (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
        (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCompile.cpp:
        * ftl/FTLJITFinalizer.cpp:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
        (JSC::FTL::DFG::LowerDFGToB3::compileAllocateArrayWithSize):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
        (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
        (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
        (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
        (JSC::FTL::DFG::LowerDFGToB3::allocateCell):
        (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
        (JSC::FTL::DFG::LowerDFGToB3::allocateArrayWithSize): Deleted.
        (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell): Deleted.
        (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize): Deleted.
        * ftl/FTLOutput.cpp:
        (JSC::FTL::Output::constBool):
        (JSC::FTL::Output::add):
        (JSC::FTL::Output::shl):
        (JSC::FTL::Output::aShr):
        (JSC::FTL::Output::lShr):
        (JSC::FTL::Output::zeroExt):
        (JSC::FTL::Output::equal):
        (JSC::FTL::Output::notEqual):
        (JSC::FTL::Output::above):
        (JSC::FTL::Output::aboveOrEqual):
        (JSC::FTL::Output::below):
        (JSC::FTL::Output::belowOrEqual):
        (JSC::FTL::Output::greaterThan):
        (JSC::FTL::Output::greaterThanOrEqual):
        (JSC::FTL::Output::lessThan):
        (JSC::FTL::Output::lessThanOrEqual):
        (JSC::FTL::Output::select):
        (JSC::FTL::Output::addIncomingToPhi):
        (JSC::FTL::Output::appendSuccessor): Deleted.
        * ftl/FTLOutput.h:
        * ftl/FTLValueFromBlock.h:
        (JSC::FTL::ValueFromBlock::ValueFromBlock):
        (JSC::FTL::ValueFromBlock::operator bool): Deleted.
        * ftl/FTLWeightedTarget.h:
        (JSC::FTL::WeightedTarget::frequentedBlock): Deleted.
        * heap/CellContainer.h: Removed.
        * heap/CellContainerInlines.h: Removed.
        * heap/ConservativeRoots.cpp:
        (JSC::ConservativeRoots::ConservativeRoots):
        (JSC::ConservativeRoots::~ConservativeRoots):
        (JSC::ConservativeRoots::grow):
        (JSC::ConservativeRoots::genericAddPointer):
        (JSC::ConservativeRoots::genericAddSpan):
        * heap/ConservativeRoots.h:
        (JSC::ConservativeRoots::roots):
        * heap/CopyToken.h:
        * heap/FreeList.cpp: Removed.
        * heap/FreeList.h: Removed.
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::lastChanceToFinalize):
        (JSC::Heap::finalizeUnconditionalFinalizers):
        (JSC::Heap::markRoots):
        (JSC::Heap::copyBackingStores):
        (JSC::Heap::gatherStackRoots):
        (JSC::Heap::gatherJSStackRoots):
        (JSC::Heap::gatherScratchBufferRoots):
        (JSC::Heap::clearLivenessData):
        (JSC::Heap::visitSmallStrings):
        (JSC::Heap::visitConservativeRoots):
        (JSC::Heap::removeDeadCompilerWorklistEntries):
        (JSC::Heap::gatherExtraHeapSnapshotData):
        (JSC::Heap::removeDeadHeapSnapshotNodes):
        (JSC::Heap::visitProtectedObjects):
        (JSC::Heap::visitArgumentBuffers):
        (JSC::Heap::visitException):
        (JSC::Heap::visitStrongHandles):
        (JSC::Heap::visitHandleStack):
        (JSC::Heap::visitSamplingProfiler):
        (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
        (JSC::Heap::converge):
        (JSC::Heap::visitWeakHandles):
        (JSC::Heap::updateObjectCounts):
        (JSC::Heap::clearUnmarkedExecutables):
        (JSC::Heap::deleteUnmarkedCompiledCode):
        (JSC::Heap::collectAllGarbage):
        (JSC::Heap::collect):
        (JSC::Heap::collectImpl):
        (JSC::Heap::suspendCompilerThreads):
        (JSC::Heap::willStartCollection):
        (JSC::Heap::flushOldStructureIDTables):
        (JSC::Heap::flushWriteBarrierBuffer):
        (JSC::Heap::stopAllocation):
        (JSC::Heap::reapWeakHandles):
        (JSC::Heap::pruneStaleEntriesFromWeakGCMaps):
        (JSC::Heap::sweepArrayBuffers):
        (JSC::Heap::snapshotMarkedSpace):
        (JSC::Heap::deleteSourceProviderCaches):
        (JSC::Heap::notifyIncrementalSweeper):
        (JSC::Heap::writeBarrierCurrentlyExecutingCodeBlocks):
        (JSC::Heap::resetAllocators):
        (JSC::Heap::updateAllocationLimits):
        (JSC::Heap::didFinishCollection):
        (JSC::Heap::resumeCompilerThreads):
        (JSC::Zombify::visit):
        (JSC::Heap::collectWithoutAnySweep): Deleted.
        (JSC::Heap::prepareForMarking): Deleted.
        (JSC::Heap::forEachCodeBlockImpl): Deleted.
        * heap/Heap.h:
        (JSC::Heap::allocatorForObjectWithoutDestructor):
        (JSC::Heap::allocatorForObjectWithDestructor):
        (JSC::Heap::storageAllocator):
        (JSC::Heap::jitStubRoutines):
        (JSC::Heap::codeBlockSet):
        (JSC::Heap::allocatorForAuxiliaryData): Deleted.
        * heap/HeapCell.h:
        (JSC::HeapCell::isZapped):
        * heap/HeapCellInlines.h: Removed.
        * heap/HeapInlines.h:
        (JSC::Heap::heap):
        (JSC::Heap::isLive):
        (JSC::Heap::isMarked):
        (JSC::Heap::testAndSetMarked):
        (JSC::Heap::setMarked):
        (JSC::Heap::forEachCodeBlock):
        (JSC::Heap::allocateObjectOfType):
        (JSC::Heap::subspaceForObjectOfType):
        (JSC::Heap::allocatorForObjectOfType):
        (JSC::Heap::isPointerGCObject):
        (JSC::Heap::isValueGCObject):
        (JSC::Heap::cellSize): Deleted.
        (JSC::Heap::allocateAuxiliary): Deleted.
        (JSC::Heap::tryAllocateAuxiliary): Deleted.
        (JSC::Heap::tryReallocateAuxiliary): Deleted.
        * heap/HeapUtil.h: Removed.
        * heap/LargeAllocation.cpp: Removed.
        * heap/LargeAllocation.h: Removed.
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::retire):
        (JSC::MarkedAllocator::tryAllocateHelper):
        (JSC::MarkedAllocator::tryPopFreeList):
        (JSC::MarkedAllocator::tryAllocate):
        (JSC::MarkedAllocator::allocateSlowCase):
        (JSC::MarkedAllocator::allocateBlock):
        (JSC::MarkedAllocator::addBlock):
        (JSC::MarkedAllocator::removeBlock):
        (JSC::MarkedAllocator::reset):
        (JSC::MarkedAllocator::MarkedAllocator): Deleted.
        (JSC::MarkedAllocator::tryAllocateWithoutCollectingImpl): Deleted.
        (JSC::MarkedAllocator::tryAllocateWithoutCollecting): Deleted.
        (JSC::MarkedAllocator::tryAllocateSlowCase): Deleted.
        (JSC::MarkedAllocator::allocateSlowCaseImpl): Deleted.
        (JSC::blockHeaderSize): Deleted.
        (JSC::MarkedAllocator::blockSizeForBytes): Deleted.
        (JSC::MarkedAllocator::tryAllocateBlock): Deleted.
        (JSC::MarkedAllocator::setFreeList): Deleted.
        * heap/MarkedAllocator.h:
        (JSC::MarkedAllocator::offsetOfFreeListHead):
        (JSC::MarkedAllocator::MarkedAllocator):
        (JSC::MarkedAllocator::init):
        (JSC::MarkedAllocator::allocate):
        (JSC::MarkedAllocator::stopAllocating):
        (JSC::MarkedAllocator::offsetOfFreeList): Deleted.
        (JSC::MarkedAllocator::offsetOfCellSize): Deleted.
        (JSC::MarkedAllocator::tryAllocate): Deleted.
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::create):
        (JSC::MarkedBlock::MarkedBlock):
        (JSC::MarkedBlock::callDestructor):
        (JSC::MarkedBlock::specializedSweep):
        (JSC::MarkedBlock::sweep):
        (JSC::MarkedBlock::sweepHelper):
        (JSC::MarkedBlock::stopAllocating):
        (JSC::MarkedBlock::clearMarksWithCollectionType):
        (JSC::MarkedBlock::resumeAllocating):
        (JSC::MarkedBlock::didRetireBlock):
        (JSC::MarkedBlock::tryCreate): Deleted.
        (JSC::MarkedBlock::sweepHelperSelectScribbleMode): Deleted.
        (JSC::MarkedBlock::sweepHelperSelectStateAndSweepMode): Deleted.
        (JSC::MarkedBlock::forEachFreeCell): Deleted.
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::FreeList::FreeList):
        (JSC::MarkedBlock::isEmpty):
        (JSC::MarkedBlock::setHasAnyMarked): Deleted.
        (JSC::MarkedBlock::hasAnyMarked): Deleted.
        (JSC::MarkedBlock::clearHasAnyMarked): Deleted.
        (JSC::MarkedBlock::cellAlign): Deleted.
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::MarkedSpace):
        (JSC::MarkedSpace::lastChanceToFinalize):
        (JSC::MarkedSpace::sweep):
        (JSC::MarkedSpace::zombifySweep):
        (JSC::MarkedSpace::resetAllocators):
        (JSC::MarkedSpace::visitWeakSets):
        (JSC::MarkedSpace::reapWeakSets):
        (JSC::MarkedSpace::forEachAllocator):
        (JSC::MarkedSpace::stopAllocating):
        (JSC::MarkedSpace::resumeAllocating):
        (JSC::MarkedSpace::isPagedOut):
        (JSC::MarkedSpace::shrink):
        (JSC::MarkedSpace::clearNewlyAllocated):
        (JSC::MarkedSpace::clearMarks):
        (JSC::MarkedSpace::initializeSizeClassForStepSize): Deleted.
        (JSC::MarkedSpace::allocate): Deleted.
        (JSC::MarkedSpace::tryAllocate): Deleted.
        (JSC::MarkedSpace::allocateLarge): Deleted.
        (JSC::MarkedSpace::tryAllocateLarge): Deleted.
        (JSC::MarkedSpace::sweepLargeAllocations): Deleted.
        (JSC::MarkedSpace::prepareForMarking): Deleted.
        (JSC::MarkedSpace::objectCount): Deleted.
        (JSC::MarkedSpace::size): Deleted.
        (JSC::MarkedSpace::capacity): Deleted.
        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::blocksWithNewObjects):
        (JSC::MarkedSpace::forEachLiveCell):
        (JSC::MarkedSpace::forEachDeadCell):
        (JSC::MarkedSpace::allocatorFor):
        (JSC::MarkedSpace::destructorAllocatorFor):
        (JSC::MarkedSpace::auxiliaryAllocatorFor):
        (JSC::MarkedSpace::allocateWithoutDestructor):
        (JSC::MarkedSpace::allocateWithDestructor):
        (JSC::MarkedSpace::allocateAuxiliary):
        (JSC::MarkedSpace::forEachBlock):
        (JSC::MarkedSpace::objectCount):
        (JSC::MarkedSpace::size):
        (JSC::MarkedSpace::capacity):
        (JSC::MarkedSpace::sizeClassToIndex): Deleted.
        (JSC::MarkedSpace::indexToSizeClass): Deleted.
        (JSC::MarkedSpace::largeAllocations): Deleted.
        (JSC::MarkedSpace::largeAllocationsNurseryOffset): Deleted.
        (JSC::MarkedSpace::largeAllocationsOffsetForThisCollection): Deleted.
        (JSC::MarkedSpace::largeAllocationsForThisCollectionBegin): Deleted.
        (JSC::MarkedSpace::largeAllocationsForThisCollectionEnd): Deleted.
        (JSC::MarkedSpace::largeAllocationsForThisCollectionSize): Deleted.
        (JSC::MarkedSpace::tryAllocateAuxiliary): Deleted.
        (JSC::MarkedSpace::forEachAllocator): Deleted.
        (JSC::MarkedSpace::optimalSizeFor): Deleted.
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::didStartMarking):
        (JSC::SlotVisitor::reset):
        (JSC::SlotVisitor::append):
        (JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
        (JSC::SlotVisitor::appendToMarkStack):
        (JSC::SlotVisitor::visitChildren):
        (JSC::SlotVisitor::appendJSCellOrAuxiliary): Deleted.
        (JSC::SlotVisitor::markAuxiliary): Deleted.
        (JSC::SlotVisitor::noteLiveAuxiliaryCell): Deleted.
        * heap/SlotVisitor.h:
        * heap/WeakBlock.cpp:
        (JSC::WeakBlock::create):
        (JSC::WeakBlock::WeakBlock):
        (JSC::WeakBlock::visit):
        (JSC::WeakBlock::reap):
        * heap/WeakBlock.h:
        (JSC::WeakBlock::disconnectMarkedBlock):
        (JSC::WeakBlock::disconnectContainer): Deleted.
        * heap/WeakSet.cpp:
        (JSC::WeakSet::sweep):
        (JSC::WeakSet::addAllocator):
        * heap/WeakSet.h:
        (JSC::WeakSet::WeakSet):
        * heap/WeakSetInlines.h:
        (JSC::WeakSet::allocate):
        * inspector/InjectedScriptManager.cpp:
        * inspector/JSGlobalObjectInspectorController.cpp:
        * inspector/JSJavaScriptCallFrame.cpp:
        * inspector/ScriptDebugServer.cpp:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        * interpreter/CachedCall.h:
        (JSC::CachedCall::CachedCall):
        * interpreter/Interpreter.cpp:
        (JSC::StackFrame::sourceID):
        (JSC::StackFrame::sourceURL):
        (JSC::StackFrame::functionName):
        (JSC::loadVarargs):
        (JSC::StackFrame::computeLineAndColumn):
        (JSC::StackFrame::toString):
        * interpreter/Interpreter.h:
        (JSC::StackFrame::isNative):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitAllocate):
        (JSC::AssemblyHelpers::emitAllocateJSCell):
        (JSC::AssemblyHelpers::emitAllocateJSObject):
        (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
        (JSC::AssemblyHelpers::emitAllocateVariableSized):
        (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator): Deleted.
        * jit/GCAwareJITStubRoutine.cpp:
        (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
        * jit/JIT.cpp:
        (JSC::JIT::compileCTINativeCall): Deleted.
        * jit/JIT.h:
        (JSC::JIT::compileCTINativeCall):
        * jit/JITExceptions.cpp:
        (JSC::genericUnwind): Deleted.
        * jit/JITExceptions.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_object):
        (JSC::JIT::emitSlow_op_new_object):
        (JSC::JIT::emit_op_create_this):
        (JSC::JIT::emitSlow_op_create_this):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_new_object):
        (JSC::JIT::emitSlow_op_new_object):
        (JSC::JIT::emit_op_create_this):
        (JSC::JIT::emitSlow_op_create_this):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitWriteBarrier):
        * jit/JITThunks.cpp:
        * jit/JITThunks.h:
        * jsc.cpp:
        (functionDescribeArray):
        (main):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LLIntExceptions.cpp:
        * llint/LLIntThunks.cpp:
        * llint/LLIntThunks.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter.cpp:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * parser/ModuleAnalyzer.cpp:
        * parser/NodeConstructors.h:
        * parser/Nodes.h:
        * profiler/ProfilerBytecode.cpp:
        * profiler/ProfilerBytecode.h:
        * profiler/ProfilerBytecodeSequence.cpp:
        * runtime/ArrayConventions.h:
        (JSC::indexingHeaderForArray):
        (JSC::baseIndexingHeaderForArray):
        (JSC::indexingHeaderForArrayStorage): Deleted.
        (JSC::baseIndexingHeaderForArrayStorage): Deleted.
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncSplice):
        (JSC::concatAppendOne):
        (JSC::arrayProtoPrivateFuncConcatMemcpy):
        * runtime/ArrayStorage.h:
        (JSC::ArrayStorage::vectorLength):
        (JSC::ArrayStorage::sizeFor):
        (JSC::ArrayStorage::totalSizeFor): Deleted.
        (JSC::ArrayStorage::totalSize): Deleted.
        (JSC::ArrayStorage::availableVectorLength): Deleted.
        (JSC::ArrayStorage::optimalVectorLength): Deleted.
        * runtime/AuxiliaryBarrier.h: Removed.
        * runtime/AuxiliaryBarrierInlines.h: Removed.
        * runtime/Butterfly.h:
        * runtime/ButterflyInlines.h:
        (JSC::Butterfly::createUninitialized):
        (JSC::Butterfly::growArrayRight):
        (JSC::Butterfly::availableContiguousVectorLength): Deleted.
        (JSC::Butterfly::optimalContiguousVectorLength): Deleted.
        * runtime/ClonedArguments.cpp:
        (JSC::ClonedArguments::createEmpty):
        * runtime/CommonSlowPathsExceptions.cpp:
        * runtime/CommonSlowPathsExceptions.h:
        * runtime/DataView.cpp:
        * runtime/DirectArguments.h:
        * runtime/ECMAScriptSpecInternalFunctions.cpp:
        * runtime/Error.cpp:
        * runtime/Error.h:
        * runtime/ErrorInstance.cpp:
        * runtime/ErrorInstance.h:
        * runtime/Exception.cpp:
        * runtime/Exception.h:
        * runtime/GeneratorFrame.cpp:
        * runtime/GeneratorPrototype.cpp:
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::InternalFunction):
        * runtime/IntlCollator.cpp:
        * runtime/IntlCollatorConstructor.cpp:
        * runtime/IntlCollatorPrototype.cpp:
        * runtime/IntlDateTimeFormat.cpp:
        * runtime/IntlDateTimeFormatConstructor.cpp:
        * runtime/IntlDateTimeFormatPrototype.cpp:
        * runtime/IntlNumberFormat.cpp:
        * runtime/IntlNumberFormatConstructor.cpp:
        * runtime/IntlNumberFormatPrototype.cpp:
        * runtime/IntlObject.cpp:
        * runtime/IteratorPrototype.cpp:
        * runtime/JSArray.cpp:
        (JSC::JSArray::setLengthWritable):
        (JSC::JSArray::unshiftCountSlowCase):
        (JSC::JSArray::setLengthWithArrayStorage):
        (JSC::JSArray::appendMemcpy):
        (JSC::JSArray::setLength):
        (JSC::JSArray::pop):
        (JSC::JSArray::push):
        (JSC::JSArray::fastSlice):
        (JSC::JSArray::shiftCountWithArrayStorage):
        (JSC::JSArray::shiftCountWithAnyIndexingType):
        (JSC::JSArray::unshiftCountWithArrayStorage):
        (JSC::JSArray::fillArgList):
        (JSC::JSArray::copyToArguments):
        (JSC::JSArray::tryCreateUninitialized): Deleted.
        * runtime/JSArray.h:
        (JSC::createContiguousArrayButterfly):
        (JSC::createArrayButterfly):
        (JSC::JSArray::create):
        (JSC::JSArray::tryCreateUninitialized):
        * runtime/JSArrayBufferView.h:
        * runtime/JSCInlines.h:
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::dumpInContextAssumingStructure):
        * runtime/JSCallee.cpp:
        (JSC::JSCallee::JSCallee):
        * runtime/JSCell.cpp:
        (JSC::JSCell::estimatedSize):
        * runtime/JSCell.h:
        (JSC::JSCell::cellStateOffset):
        * runtime/JSCellInlines.h:
        (JSC::JSCell::vm):
        (JSC::ExecState::vm):
        (JSC::JSCell::classInfo):
        (JSC::JSCell::callDestructor): Deleted.
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::create):
        (JSC::JSFunction::allocateAndInitializeRareData):
        (JSC::JSFunction::initializeRareData):
        (JSC::JSFunction::getOwnPropertySlot):
        (JSC::JSFunction::put):
        (JSC::JSFunction::deleteProperty):
        (JSC::JSFunction::defineOwnProperty):
        (JSC::JSFunction::setFunctionName):
        (JSC::JSFunction::reifyLength):
        (JSC::JSFunction::reifyName):
        (JSC::JSFunction::reifyLazyPropertyIfNeeded):
        (JSC::JSFunction::reifyBoundNameIfNeeded):
        * runtime/JSFunction.h:
        * runtime/JSFunctionInlines.h:
        (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
        (JSC::JSFunction::JSFunction):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
        * runtime/JSInternalPromise.cpp:
        * runtime/JSInternalPromiseConstructor.cpp:
        * runtime/JSInternalPromiseDeferred.cpp:
        * runtime/JSInternalPromisePrototype.cpp:
        * runtime/JSJob.cpp:
        * runtime/JSMapIterator.cpp:
        * runtime/JSModuleNamespaceObject.cpp:
        * runtime/JSModuleRecord.cpp:
        * runtime/JSObject.cpp:
        (JSC::JSObject::copyButterfly):
        (JSC::JSObject::visitButterfly):
        (JSC::JSObject::copyBackingStore):
        (JSC::JSObject::notifyPresenceOfIndexedAccessors):
        (JSC::JSObject::createInitialIndexedStorage):
        (JSC::JSObject::createInitialUndecided):
        (JSC::JSObject::createInitialInt32):
        (JSC::JSObject::createInitialDouble):
        (JSC::JSObject::createInitialContiguous):
        (JSC::JSObject::createArrayStorage):
        (JSC::JSObject::createInitialArrayStorage):
        (JSC::JSObject::convertUndecidedToInt32):
        (JSC::JSObject::convertUndecidedToContiguous):
        (JSC::JSObject::convertUndecidedToArrayStorage):
        (JSC::JSObject::convertInt32ToDouble):
        (JSC::JSObject::convertInt32ToArrayStorage):
        (JSC::JSObject::convertDoubleToArrayStorage):
        (JSC::JSObject::convertContiguousToArrayStorage):
        (JSC::JSObject::putByIndexBeyondVectorLength):
        (JSC::JSObject::putDirectIndexBeyondVectorLength):
        (JSC::JSObject::getNewVectorLength):
        (JSC::JSObject::increaseVectorLength):
        (JSC::JSObject::ensureLengthSlow):
        (JSC::JSObject::growOutOfLineStorage):
        * runtime/JSObject.h:
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
        (JSC::JSObject::globalObject): Deleted.
        * runtime/JSObjectInlines.h:
        * runtime/JSPromise.cpp:
        * runtime/JSPromiseConstructor.cpp:
        * runtime/JSPromiseDeferred.cpp:
        * runtime/JSPromisePrototype.cpp:
        * runtime/JSPropertyNameIterator.cpp:
        * runtime/JSScope.cpp:
        (JSC::JSScope::resolve):
        * runtime/JSScope.h:
        (JSC::JSScope::vm):
        (JSC::JSScope::globalObject): Deleted.
        * runtime/JSSetIterator.cpp:
        * runtime/JSStringIterator.cpp:
        * runtime/JSTemplateRegistryKey.cpp:
        * runtime/JSTypedArrayViewConstructor.cpp:
        * runtime/JSTypedArrayViewPrototype.cpp:
        * runtime/JSWeakMap.cpp:
        * runtime/JSWeakSet.cpp:
        * runtime/MapConstructor.cpp:
        * runtime/MapIteratorPrototype.cpp:
        * runtime/MapPrototype.cpp:
        * runtime/NativeErrorConstructor.cpp:
        * runtime/NativeStdFunctionCell.cpp:
        * runtime/Operations.h:
        (JSC::scribbleFreeCells): Deleted.
        (JSC::scribble): Deleted.
        * runtime/Options.h:
        * runtime/PropertyTable.cpp:
        * runtime/ProxyConstructor.cpp:
        * runtime/ProxyObject.cpp:
        * runtime/ProxyRevoke.cpp:
        * runtime/RegExp.cpp:
        (JSC::RegExp::match):
        (JSC::RegExp::matchConcurrently):
        (JSC::RegExp::matchCompareWithInterpreter):
        * runtime/RegExp.h:
        * runtime/RegExpConstructor.h:
        * runtime/RegExpInlines.h:
        (JSC::RegExp::matchInline):
        * runtime/RegExpMatchesArray.h:
        (JSC::tryCreateUninitializedRegExpMatchesArray):
        (JSC::createRegExpMatchesArray):
        * runtime/RegExpPrototype.cpp:
        (JSC::genericSplit):
        * runtime/RuntimeType.cpp:
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::processUnverifiedStackTraces):
        * runtime/SetConstructor.cpp:
        * runtime/SetIteratorPrototype.cpp:
        * runtime/SetPrototype.cpp:
        * runtime/StackFrame.cpp: Removed.
        * runtime/StackFrame.h: Removed.
        * runtime/StringConstructor.cpp:
        * runtime/StringIteratorPrototype.cpp:
        * runtime/TemplateRegistry.cpp:
        * runtime/TestRunnerUtils.cpp:
        (JSC::finalizeStatsAtEndOfTesting): Deleted.
        * runtime/TestRunnerUtils.h:
        * runtime/TypeProfilerLog.cpp:
        * runtime/TypeSet.cpp:
        * runtime/VM.cpp:
        (JSC::VM::ensureStackCapacityForCLoop): Deleted.
        (JSC::VM::isSafeToRecurseSoftCLoop): Deleted.
        * runtime/VM.h:
        * runtime/VMEntryScope.h:
        * runtime/VMInlines.h:
        (JSC::VM::ensureStackCapacityFor):
        (JSC::VM::isSafeToRecurseSoft):
        * runtime/WeakMapConstructor.cpp:
        * runtime/WeakMapData.cpp:
        * runtime/WeakMapPrototype.cpp:
        * runtime/WeakSetConstructor.cpp:
        * runtime/WeakSetPrototype.cpp:
        * testRegExp.cpp:
        (testOneRegExp):
        * tools/JSDollarVM.cpp:
        * tools/JSDollarVMPrototype.cpp:
        (JSC::JSDollarVMPrototype::isInObjectSpace):

2016-08-23  Filip Pizlo  <fpizlo@apple.com>

        js/regress/put-by-id-transition-with-indexing-header.html and svg/carto.net/window.svg fail in debug after r204854
        https://bugs.webkit.org/show_bug.cgi?id=161115

        Reviewed by Keith Miller.
        
        There were two small goofs.

        * bytecode/ObjectAllocationProfile.h:
        (JSC::ObjectAllocationProfile::isNull): The new policy is that the allocator can be null. So now the way you tell if the profile is null is by checking the structure.
        * jit/JITOperations.cpp: This was using DeferGC, which is now definitely wrong. It forces the GC to happen when the structure and butterfly are mismatched. It's better for the GC to happen before we put the butterfly in the object.

2016-08-24  Filip Pizlo  <fpizlo@apple.com>

        AssemblyHelpers::emitAllocateWithNonNullAllocator() crashes in the FTL on ARM64
        https://bugs.webkit.org/show_bug.cgi?id=161138
        rdar://problem/27985868

        Reviewed by Saam Barati.
        
        The FTL expects that this method can be used with scratch registers disallowed, but it
        uses addPtr(Addr, Reg).

        The solution is to only use addPtr(Addr, Reg) on x86.

        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):

2016-08-24  Skachkov Oleksandr  <gskachkov@gmail.com>

        [ES2016] Allow assignment in for-in head in not-strict mode
        https://bugs.webkit.org/show_bug.cgi?id=160955

        Reviewed by Saam Barati.

        This patch allow make assignment in for..in head in not-strict mode, 
        according to the spec https://tc39.github.io/ecma262/#sec-initializers-in-forin-statement-heads

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ForInNode::emitLoopHeader):
        (JSC::ForInNode::emitMultiLoopBytecode):
        * parser/Nodes.h:
        (JSC::ExpressionNode::isAssignResolveNode):
        (JSC::AssignResolveNode::identifier):
        (JSC::ExpressionNode::isResolveNode): Deleted.
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseForStatement):

2016-08-23  Saam Barati  <sbarati@apple.com>

        It should be easy to run ES6SampleBench from the jsc shell
        https://bugs.webkit.org/show_bug.cgi?id=161085

        Reviewed by Yusuke Suzuki.

        This patch adds a new function called `runString` to the shell.
        It takes in a string, and executes it in a new global object.
        Then, it returns the global object it executed the code in.
        This allows the code to stash some kind of a result on the global,
        and then have the caller of `runString` extract the result.

        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionRunString):

2016-08-23  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] Make ArithLog works with any type
        https://bugs.webkit.org/show_bug.cgi?id=161110

        Reviewed by Geoffrey Garen.

        Same old: if the type is not a number, assume the worst in every
        phase and generate a fallback function call.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithLog):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileArithLog):

2016-08-23  Ryan Haddad  <ryanhaddad@apple.com>

        Rebaseline builtins-generator-tests after r204854.

        Unreviewed test gardening.

        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
        * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:

2016-08-23  Keith Miller  <keith_miller@apple.com>

        %TypedArray%.prototype.slice needs to check that the source and destination have not been detached.
        https://bugs.webkit.org/show_bug.cgi?id=161031
        <rdar://problem/27937019>

        Reviewed by Geoffrey Garen.

        * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
        (JSC::speciesConstruct):
        (JSC::genericTypedArrayViewProtoFuncSlice):

2016-08-23  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(204854): ASan is unhappy
        https://bugs.webkit.org/show_bug.cgi?id=161109

        Reviewed by Geoffrey Garen.
        
        I messed up RegExpConstructor: it ends up being a callee and a large allocation.
        
        This fixes it to not be a large allocation.

        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::InternalFunction):
        * runtime/RegExp.cpp:
        (JSC::RegExp::match):
        (JSC::RegExp::matchConcurrently):
        (JSC::RegExp::matchCompareWithInterpreter):
        * runtime/RegExp.h:
        * runtime/RegExpConstructor.h:
        * runtime/RegExpInlines.h:
        (JSC::RegExp::matchInline):
        * runtime/RegExpPrototype.cpp:
        (JSC::genericSplit):
        * testRegExp.cpp:
        (testOneRegExp):

2016-08-23  Saam Barati  <sbarati@apple.com>

        strict mode eval should not fire the var injection watch point
        https://bugs.webkit.org/show_bug.cgi?id=161104

        Reviewed by Geoffrey Garen.

        Strict mode eval can't do any variable injections. It was
        an oversight that we fired the var injection watchpoint when
        the eval is in strict mode.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):

2016-07-24  Filip Pizlo  <fpizlo@apple.com>

        Spilling of constant tmps should make it easier for the spill code optimizer to rematerialize the constant
        https://bugs.webkit.org/show_bug.cgi?id=160150
        
        Reviewed by Benjamin Poulain.
        
        When we spill in-place for admitsStack()==true, we prevent rematerialization if that
        argument doesn't also admit immediates (which it almost certainly won't do).  So, we
        prevent remat.
        
        This fixes the issue by avoiding in-place spilling for warm uses of constants. I don't
        know if this helps performance, but I do know that it make the codegen for
        bigswitch-indirect-symbol look a lot better. Prior to this change, the prolog would have
        a constant materialization for each symbol that function used, and then it would spill
        that constant. This removes all of that yucky code.
        
        This also changes how IRC detects constant Tmps. Previously we would say that a Tmp is a
        constant if the number of const defs was equal to the number of defs. But it's possible
        for each of the const defs to produce a different value. This is unlikely considering
        how B3->Air lowering works and how our SSA works - each def would have its own register.
        But, regardless, this picks a more precise way of detecting constants: the number of
        const defs must be 1 and the number of defs must be 1.
        
        * b3/air/AirIteratedRegisterCoalescing.cpp:
        
2016-08-23  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix CLoop build.
        
        This fixes the CLoop build while still ensuring that Interpreter.h is a project header.

        * llint/LowLevelInterpreter.cpp:
        * runtime/VM.cpp:
        (JSC::VM::ensureStackCapacityForCLoop):
        (JSC::VM::isSafeToRecurseSoftCLoop):
        * runtime/VM.h:
        * runtime/VMInlines.h:
        (JSC::VM::ensureStackCapacityFor):
        (JSC::VM::isSafeToRecurseSoft):

2016-08-22  Filip Pizlo  <fpizlo@apple.com>

        Butterflies should be allocated in Auxiliary MarkedSpace instead of CopiedSpace and we should rewrite as much of the GC as needed to make this not a regression
        https://bugs.webkit.org/show_bug.cgi?id=160125

        Reviewed by Geoffrey Garen.

        In order to make the GC concurrent (bug 149432), we would either need to enable concurrent
        copying or we would need to not copy. Concurrent copying carries a 1-2% throughput overhead
        from the barriers alone. Considering that MarkedSpace does a decent job of avoiding
        fragmentation, it's unlikely that it's worth paying 1-2% throughput for copying. So, we want
        to get rid of copied space. This change moves copied space's biggest client over to marked
        space.
        
        Moving butterflies to marked space means having them use the new Auxiliary HeapCell
        allocation path. This is a fairly mechanical change, but it caused performance regressions
        everywhere, so this change also fixes MarkedSpace's performance issues.
        
        At a high level the mechanical changes are:
        
        - We use AuxiliaryBarrier instead of CopyBarrier.
        
        - We use tryAllocateAuxiliary instead of tryAllocateStorage. I got rid of the silly
          CheckedBoolean stuff, since it's so much more trouble than it's worth.
        
        - The JITs have to emit inlined marked space allocations instead of inline copy space
          allocations.
        
        - Everyone has to get used to zeroing their butterflies after allocation instead of relying
          on them being pre-zeroed by the GC. Copied space would zero things for you, while marked
          space doesn't.
        
        That's about 1/3 of this change. But this led to performance problems, which I fixed with
        optimizations that amounted to a major MarkedSpace rewrite:
        
        - MarkedSpace always causes internal fragmentation for array allocations because the vector
          length we choose when we resize usually leads to a cell size that doesn't correspond to any
          size class. I got around this by making array allocations usually round up vectorLength to
          the maximum allowed by the size class that we would have allocated in. Also,
          ensureLengthSlow() and friends first make sure that the requested length can't just be
          fulfilled with the current allocation size. This safeguard means that not every array
          allocation has to do size class queries. For example, the fast path of new Array(length)
          never does any size class queries, under the assumption that (1) the speed gained from
          avoiding an ensureLengthSlow() call, which then just changes the vectorLength by doing the
          size class query, is too small to offset the speed lost by doing the query on every
          allocation and (2) new Array(length) is a pretty good hint that resizing is not very
          likely.
        
        - Size classes in MarkedSpace were way too precise, which led to external fragmentation. This
          changes MarkedSpace size classes to use a linear progression for very small sizes followed
          by a geometric progression that naturally transitions to a hyperbolic progression. We want
          hyperbolic sizes when we get close to blockSize: for example the largest size we want is
          payloadSize / 2 rounded down, to ensure we get exactly two cells with minimal slop. The
          next size down should be payloadSize / 3 rounded down, and so on. After the last precise
          size (80 bytes), we proceed using a geometric progression, but round up each size to
          minimize slop at the end of the block. This naturally causes the geometric progression to
          turn hyperbolic for large sizes. The size class configuration happens at VM start-up, so
          can be controlled with runtime options. I found that a base of 1.4 works pretty well.
        
        - Large allocations caused massive internal fragmentation, since the smallest large
          allocation had to use exactly blockSize, and the largest small allocation used
          blockSize / 2. The next size up - the first large allocation size to require two blocks -
          also had 50% internal fragmentation. This is because we required large allocations to be
          blockSize aligned, so that MarkedBlock::blockFor() would work. I decided to rewrite all of
          that. Cells no longer have to be owned by a MarkedBlock. They can now alternatively be
          owned by a LargeAllocation. These two things are abstracted as CellContainer. You know that
          a cell is owned by a LargeAllocation if the MarkedBlock::atomSize / 2 bit is set.
          Basically, large allocations are deliberately misaligned by 8 bytes. This actually works
          out great since (1) typed arrays won't use large allocations anyway since they have their
          own malloc fallback and (2) large array butterflies already have a 8 byte header, which
          means that the 8 byte base misalignment aligns the large array payload on a 16 byte
          boundary. I took extreme care to make sure that the isLargeAllocation bit checks are as
          rare as possible; for example, ExecState::vm() skips the check because we know that callees
          must be small allocations. It's also possible to use template tricks to do one check for
          cell container kind, and then invoke a function specialized for MarkedBlock or a function
          specialized for LargeAllocation. LargeAllocation includes stubs for all MarkedBlock methods
          that get used from functions that are template-specialized like this. That's mostly to
          speed up the GC marking code. Most other code can use CellContainer API or HeapCell API
          directly. That's another thing: HeapCell, the common base of JSCell and auxiliary
          allocations, is now smart enough to do a lot of things for you, like HeapCell::vm(),
          HeapCell::heap(), HeapCell::isLargeAllocation(), and HeapCell::cellContainer(). The size
          cutoff for large allocations is runtime-configurable, so long as you don't choose something
          so small that callees end up large. I found that 400 bytes is roughly optimal. This means
          that the MarkedBlock size classes end up being:
          
          16, 32, 48, 64, 80, 112, 160, 224, 320
          
          The next size class would have been 432, but that's above the 400 byte cutoff. All of this
          is configurable with --sizeClassProgression and --largeAllocationCutoff. You can see what
          size classes you end up with by doing --dumpSizeClasses=true.
        
        - Copied space uses 64KB blocks, while marked space used to use 16KB blocks. Allocating a lot
          of stuff in 16KB blocks is slower than allocating it in 64KB blocks. I got more speed from
          changing MarkedBlock::blockSize to 64KB. This would have been a space fail before, but now
          that we have LargeAllocation, it ends up being an overall win.
        
        - Even after all of that, copying butterflies was still faster because it allowed us to skip
          sweeping dead space. A good GC allocates over dead bytes without explicitly freeing them,
          so the GC pause is O(size of live), not O(size of live + dead). O(dead) is usually much
          larger than O(live), especially in an eden collection. Copying satisfies this premise while
          mark+sweep does not. So, I invented a new kind of allocator: bump'n'pop. Previously, our
          MarkedSpace allocator was a freelist pop. That's simple and easy to inline but requires
          that we walk the block to build a free list. This means walking dead space. The new
          allocator allows totally free MarkedBlocks to simply set up a bump-pointer arena instead.
          The allocator is a hybrid of bump-pointer and freelist pop. It tries bump first. The bump
          pointer always bumps by cellSize, so the result of filling a block with bumping looks as if
          we had used freelist popping to fill it. Additionally, each MarkedBlock now has a bit to
          quickly tell if the block is entirely free. This makes sweeping O(1) whenever a MarkedBlock
          is completely empty, which is the common case because of the generational hypothesis: the
          number of objects that survive an eden collection is a tiny fraction of the number of
          objects that had been allocated, and this fraction is so small that there are typically
          fewer than one survivors per MarkedBlock. This change was enough to make this change a net
          win over tip-of-tree.
        
        - FTL now shares the same allocation fast paths as everything else, which is great, because
          bump'n'pop has gnarly control flow. We don't really want B3 to have to think about that
          control flow, since it won't be able to improve the machine code we write ourselves. GC
          fast paths are best written in assembly. So, I've empowered B3 to have even better support
          for Patchpoint terminals. It's now totally fine for a Patchpoint terminal to be non-Void.
          So, the new FTL allocation fast paths are just Patchpoint terminals that call through to
          AssemblyHelpers::emitAllocate(). B3 still reasons about things like constant-folding the
          size class calculation and constant-hoisting the allocator. Also, I gave the FTL the
          ability to constant-fold some allocator logic (in case we first assume that we're doing a
          variable-length allocation but then realize that the length is known). I think it makes
          sense to have constant folding rules in FTL::Output, or whatever the B3 IR builder is,
          since this makes lowering easier (you can constant fold during lowering more easily) and it
          reduces the amount of malloc traffic. In the future, we could teach B3 how to better
          constant-fold this code. That would require allowing loads to be constant-folded, which is
          doable but hella tricky.
        
        All of this put together gives us neutral perf on JetStream, Speedometer, and PLT3. SunSpider
        sometimes gets penalized depending on how you run it. By comparison, the alternative approach
        of using a copy barrier would have cost us 1-2%. That's the real apples-to-apples comparison
        if your premise is that we should have a concurrent GC. After we finish removing copied
        space, we will be barrier-ready for concurrent GC: we already have a marking barrier and we
        simply won't need a copying barrier. This change gets us there for the purposes of our
        benchmarks, since the remaining clients of copied space are not very important. On the other
        hand, if we keep copying, then getting barrier-ready would mean adding back the copy barrier,
        which costs more perf.
        
        We might get bigger speed-ups once we remove CopiedSpace altogether. That requires moving
        typed arrays and a few other weird things over to Aux MarkedSpace.
        
        This also includes some header sanitization. The introduction of AuxiliaryBarrier, HeapCell,
        and CellContainer meant that I had to include those files from everywhere. Fortunately,
        just including JSCInlines.h (instead of manually including the files that includes) is
        usually enough. So, I made most of JSC's cpp files include JSCInlines.h, which is something
        that we were already basically doing. In places where JSCInlines.h would be too much, I just
        included HeapInlines.h. This got weird, because we previously included HeapInlines.h from
        JSObject.h. That's bad because it led to some circular dependencies, so I fixed it - but that
        meant having to manually include HeapInlines.h from the places that previously got it
        implicitly via JSObject.h. But that led to more problems for some reason: I started getting
        build errors because non-JSC files were having trouble including Opcode.h. That's just silly,
        since Opcode.h is meant to be an internal JSC header. So, I made it an internal header and
        made it impossible to include it from outside JSC. This was a lot of work, but it was
        necessary to get the patch to build on all ports. It's also a net win. There were many places
        in WebCore that were transitively including a *ton* of JSC headers just because of the
        JSObject.h->HeapInlines.h edge and a bunch of dependency edges that arose from some public
        (for WebCore) JSC headers needing Interpreter.h or Opcode.h for bad reasons.

        * API/JSTypedArray.cpp:
        * API/ObjCCallbackFunction.mm:
        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Scripts/builtins/builtins_generate_combined_implementation.py:
        (BuiltinsCombinedImplementationGenerator.generate_secondary_header_includes):
        * Scripts/builtins/builtins_generate_internals_wrapper_implementation.py:
        (BuiltinsInternalsWrapperImplementationGenerator.generate_secondary_header_includes):
        * Scripts/builtins/builtins_generate_separate_implementation.py:
        (BuiltinsSeparateImplementationGenerator.generate_secondary_header_includes):
        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::JumpList::JumpList):
        (JSC::AbstractMacroAssembler::JumpList::link):
        (JSC::AbstractMacroAssembler::JumpList::linkTo):
        (JSC::AbstractMacroAssembler::JumpList::append):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::add32):
        * b3/B3BasicBlock.cpp:
        (JSC::B3::BasicBlock::appendIntConstant):
        (JSC::B3::BasicBlock::appendBoolConstant):
        (JSC::B3::BasicBlock::clearSuccessors):
        * b3/B3BasicBlock.h:
        * b3/B3DuplicateTails.cpp:
        * b3/B3StackmapGenerationParams.h:
        * b3/testb3.cpp:
        (JSC::B3::testBranchBitAndImmFusion):
        (JSC::B3::testPatchpointTerminalReturnValue):
        (JSC::B3::zero):
        (JSC::B3::run):
        * bindings/ScriptValue.cpp:
        * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
        * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
        * bytecode/ObjectAllocationProfile.h:
        (JSC::ObjectAllocationProfile::initialize):
        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/StructureStubInfo.cpp:
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
        (JSC::DFG::SpeculativeJIT::compileMakeRope):
        (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
        (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCompile.cpp:
        * ftl/FTLJITFinalizer.cpp:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
        (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
        (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
        (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
        (JSC::FTL::DFG::LowerDFGToB3::emitRightShiftSnippet):
        (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
        (JSC::FTL::DFG::LowerDFGToB3::storeStructure):
        (JSC::FTL::DFG::LowerDFGToB3::allocateCell):
        (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
        (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
        * ftl/FTLOutput.cpp:
        (JSC::FTL::Output::constBool):
        (JSC::FTL::Output::constInt32):
        (JSC::FTL::Output::add):
        (JSC::FTL::Output::shl):
        (JSC::FTL::Output::aShr):
        (JSC::FTL::Output::lShr):
        (JSC::FTL::Output::zeroExt):
        (JSC::FTL::Output::equal):
        (JSC::FTL::Output::notEqual):
        (JSC::FTL::Output::above):
        (JSC::FTL::Output::aboveOrEqual):
        (JSC::FTL::Output::below):
        (JSC::FTL::Output::belowOrEqual):
        (JSC::FTL::Output::greaterThan):
        (JSC::FTL::Output::greaterThanOrEqual):
        (JSC::FTL::Output::lessThan):
        (JSC::FTL::Output::lessThanOrEqual):
        (JSC::FTL::Output::select):
        (JSC::FTL::Output::unreachable):
        (JSC::FTL::Output::appendSuccessor):
        (JSC::FTL::Output::speculate):
        (JSC::FTL::Output::addIncomingToPhi):
        * ftl/FTLOutput.h:
        * ftl/FTLValueFromBlock.h:
        (JSC::FTL::ValueFromBlock::ValueFromBlock):
        (JSC::FTL::ValueFromBlock::operator bool):
        (JSC::FTL::ValueFromBlock::value):
        (JSC::FTL::ValueFromBlock::block):
        * ftl/FTLWeightedTarget.h:
        (JSC::FTL::WeightedTarget::target):
        (JSC::FTL::WeightedTarget::weight):
        (JSC::FTL::WeightedTarget::frequentedBlock):
        * heap/CellContainer.h: Added.
        (JSC::CellContainer::CellContainer):
        (JSC::CellContainer::operator bool):
        (JSC::CellContainer::isMarkedBlock):
        (JSC::CellContainer::isLargeAllocation):
        (JSC::CellContainer::markedBlock):
        (JSC::CellContainer::largeAllocation):
        * heap/CellContainerInlines.h: Added.
        (JSC::CellContainer::isMarkedOrRetired):
        (JSC::CellContainer::isMarked):
        (JSC::CellContainer::isMarkedOrNewlyAllocated):
        (JSC::CellContainer::setHasAnyMarked):
        (JSC::CellContainer::cellSize):
        (JSC::CellContainer::weakSet):
        * heap/ConservativeRoots.cpp:
        (JSC::ConservativeRoots::ConservativeRoots):
        (JSC::ConservativeRoots::~ConservativeRoots):
        (JSC::ConservativeRoots::grow):
        (JSC::ConservativeRoots::genericAddPointer):
        (JSC::ConservativeRoots::genericAddSpan):
        * heap/ConservativeRoots.h:
        (JSC::ConservativeRoots::size):
        (JSC::ConservativeRoots::roots):
        * heap/CopyToken.h:
        * heap/FreeList.cpp: Added.
        (JSC::FreeList::dump):
        * heap/FreeList.h: Added.
        (JSC::FreeList::FreeList):
        (JSC::FreeList::list):
        (JSC::FreeList::bump):
        (JSC::FreeList::operator==):
        (JSC::FreeList::operator!=):
        (JSC::FreeList::operator bool):
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::finalizeUnconditionalFinalizers):
        (JSC::Heap::markRoots):
        (JSC::Heap::copyBackingStores):
        (JSC::Heap::gatherStackRoots):
        (JSC::Heap::gatherJSStackRoots):
        (JSC::Heap::gatherScratchBufferRoots):
        (JSC::Heap::clearLivenessData):
        (JSC::Heap::visitSmallStrings):
        (JSC::Heap::visitConservativeRoots):
        (JSC::Heap::removeDeadCompilerWorklistEntries):
        (JSC::Heap::gatherExtraHeapSnapshotData):
        (JSC::Heap::removeDeadHeapSnapshotNodes):
        (JSC::Heap::visitProtectedObjects):
        (JSC::Heap::visitArgumentBuffers):
        (JSC::Heap::visitException):
        (JSC::Heap::visitStrongHandles):
        (JSC::Heap::visitHandleStack):
        (JSC::Heap::visitSamplingProfiler):
        (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
        (JSC::Heap::converge):
        (JSC::Heap::visitWeakHandles):
        (JSC::Heap::updateObjectCounts):
        (JSC::Heap::clearUnmarkedExecutables):
        (JSC::Heap::deleteUnmarkedCompiledCode):
        (JSC::Heap::collectAllGarbage):
        (JSC::Heap::collect):
        (JSC::Heap::collectWithoutAnySweep):
        (JSC::Heap::collectImpl):
        (JSC::Heap::suspendCompilerThreads):
        (JSC::Heap::willStartCollection):
        (JSC::Heap::flushOldStructureIDTables):
        (JSC::Heap::flushWriteBarrierBuffer):
        (JSC::Heap::stopAllocation):
        (JSC::Heap::reapWeakHandles):
        (JSC::Heap::pruneStaleEntriesFromWeakGCMaps):
        (JSC::Heap::sweepArrayBuffers):
        (JSC::Heap::snapshotMarkedSpace):
        (JSC::Heap::deleteSourceProviderCaches):
        (JSC::Heap::notifyIncrementalSweeper):
        (JSC::Heap::writeBarrierCurrentlyExecutingCodeBlocks):
        (JSC::Heap::resetAllocators):
        (JSC::Heap::updateAllocationLimits):
        (JSC::Heap::didFinishCollection):
        (JSC::Heap::resumeCompilerThreads):
        (JSC::Zombify::visit):
        * heap/Heap.h:
        (JSC::Heap::subspaceForObjectDestructor):
        (JSC::Heap::subspaceForAuxiliaryData):
        (JSC::Heap::allocatorForObjectWithoutDestructor):
        (JSC::Heap::allocatorForObjectWithDestructor):
        (JSC::Heap::allocatorForAuxiliaryData):
        (JSC::Heap::storageAllocator):
        * heap/HeapCell.h:
        (JSC::HeapCell::zap):
        (JSC::HeapCell::isZapped):
        * heap/HeapCellInlines.h: Added.
        (JSC::HeapCell::isLargeAllocation):
        (JSC::HeapCell::cellContainer):
        (JSC::HeapCell::markedBlock):
        (JSC::HeapCell::largeAllocation):
        (JSC::HeapCell::heap):
        (JSC::HeapCell::vm):
        (JSC::HeapCell::cellSize):
        (JSC::HeapCell::allocatorAttributes):
        (JSC::HeapCell::destructionMode):
        (JSC::HeapCell::cellKind):
        * heap/HeapInlines.h:
        (JSC::Heap::isCollecting):
        (JSC::Heap::heap):
        (JSC::Heap::isLive):
        (JSC::Heap::isMarked):
        (JSC::Heap::testAndSetMarked):
        (JSC::Heap::setMarked):
        (JSC::Heap::cellSize):
        (JSC::Heap::writeBarrier):
        (JSC::Heap::allocateWithoutDestructor):
        (JSC::Heap::allocateObjectOfType):
        (JSC::Heap::subspaceForObjectOfType):
        (JSC::Heap::allocatorForObjectOfType):
        (JSC::Heap::allocateAuxiliary):
        (JSC::Heap::tryAllocateAuxiliary):
        (JSC::Heap::tryReallocateAuxiliary):
        (JSC::Heap::tryAllocateStorage):
        (JSC::Heap::didFreeBlock):
        (JSC::Heap::isPointerGCObject): Deleted.
        (JSC::Heap::isValueGCObject): Deleted.
        * heap/HeapUtil.h: Added.
        (JSC::HeapUtil::findGCObjectPointersForMarking):
        (JSC::HeapUtil::isPointerGCObjectJSCell):
        (JSC::HeapUtil::isValueGCObject):
        * heap/LargeAllocation.cpp: Added.
        (JSC::LargeAllocation::tryCreate):
        (JSC::LargeAllocation::LargeAllocation):
        (JSC::LargeAllocation::lastChanceToFinalize):
        (JSC::LargeAllocation::shrink):
        (JSC::LargeAllocation::visitWeakSet):
        (JSC::LargeAllocation::reapWeakSet):
        (JSC::LargeAllocation::clearMarks):
        (JSC::LargeAllocation::clearMarksWithCollectionType):
        (JSC::LargeAllocation::isEmpty):
        (JSC::LargeAllocation::sweep):
        (JSC::LargeAllocation::destroy):
        (JSC::LargeAllocation::dump):
        * heap/LargeAllocation.h: Added.
        (JSC::LargeAllocation::fromCell):
        (JSC::LargeAllocation::cell):
        (JSC::LargeAllocation::isLargeAllocation):
        (JSC::LargeAllocation::heap):
        (JSC::LargeAllocation::vm):
        (JSC::LargeAllocation::weakSet):
        (JSC::LargeAllocation::clearNewlyAllocated):
        (JSC::LargeAllocation::isNewlyAllocated):
        (JSC::LargeAllocation::isMarked):
        (JSC::LargeAllocation::isMarkedOrNewlyAllocated):
        (JSC::LargeAllocation::isLive):
        (JSC::LargeAllocation::hasValidCell):
        (JSC::LargeAllocation::cellSize):
        (JSC::LargeAllocation::aboveLowerBound):
        (JSC::LargeAllocation::belowUpperBound):
        (JSC::LargeAllocation::contains):
        (JSC::LargeAllocation::attributes):
        (JSC::LargeAllocation::testAndSetMarked):
        (JSC::LargeAllocation::setMarked):
        (JSC::LargeAllocation::clearMarked):
        (JSC::LargeAllocation::setHasAnyMarked):
        (JSC::LargeAllocation::headerSize):
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::MarkedAllocator):
        (JSC::isListPagedOut):
        (JSC::MarkedAllocator::isPagedOut):
        (JSC::MarkedAllocator::retire):
        (JSC::MarkedAllocator::tryAllocateWithoutCollectingImpl):
        (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
        (JSC::MarkedAllocator::allocateSlowCase):
        (JSC::MarkedAllocator::tryAllocateSlowCase):
        (JSC::MarkedAllocator::allocateSlowCaseImpl):
        (JSC::blockHeaderSize):
        (JSC::MarkedAllocator::blockSizeForBytes):
        (JSC::MarkedAllocator::tryAllocateBlock):
        (JSC::MarkedAllocator::addBlock):
        (JSC::MarkedAllocator::removeBlock):
        (JSC::MarkedAllocator::reset):
        (JSC::MarkedAllocator::lastChanceToFinalize):
        (JSC::MarkedAllocator::setFreeList):
        (JSC::MarkedAllocator::tryAllocateHelper): Deleted.
        (JSC::MarkedAllocator::tryPopFreeList): Deleted.
        (JSC::MarkedAllocator::tryAllocate): Deleted.
        (JSC::MarkedAllocator::allocateBlock): Deleted.
        * heap/MarkedAllocator.h:
        (JSC::MarkedAllocator::destruction):
        (JSC::MarkedAllocator::cellKind):
        (JSC::MarkedAllocator::heap):
        (JSC::MarkedAllocator::takeLastActiveBlock):
        (JSC::MarkedAllocator::offsetOfFreeList):
        (JSC::MarkedAllocator::offsetOfCellSize):
        (JSC::MarkedAllocator::tryAllocate):
        (JSC::MarkedAllocator::allocate):
        (JSC::MarkedAllocator::stopAllocating):
        (JSC::MarkedAllocator::resumeAllocating):
        (JSC::MarkedAllocator::offsetOfFreeListHead): Deleted.
        (JSC::MarkedAllocator::MarkedAllocator): Deleted.
        (JSC::MarkedAllocator::init): Deleted.
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::tryCreate):
        (JSC::MarkedBlock::MarkedBlock):
        (JSC::MarkedBlock::specializedSweep):
        (JSC::MarkedBlock::sweep):
        (JSC::MarkedBlock::sweepHelperSelectResetMode):
        (JSC::MarkedBlock::sweepHelperSelectStateAndSweepMode):
        (JSC::MarkedBlock::stopAllocating):
        (JSC::MarkedBlock::clearMarksWithCollectionType):
        (JSC::MarkedBlock::lastChanceToFinalize):
        (JSC::MarkedBlock::resumeAllocating):
        (JSC::MarkedBlock::didRetireBlock):
        (JSC::MarkedBlock::forEachFreeCell):
        (JSC::MarkedBlock::create): Deleted.
        (JSC::MarkedBlock::callDestructor): Deleted.
        (JSC::MarkedBlock::sweepHelper): Deleted.
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::VoidFunctor::returnValue):
        (JSC::MarkedBlock::setHasAnyMarked):
        (JSC::MarkedBlock::hasAnyMarked):
        (JSC::MarkedBlock::clearHasAnyMarked):
        (JSC::MarkedBlock::firstAtom):
        (JSC::MarkedBlock::isAtomAligned):
        (JSC::MarkedBlock::cellAlign):
        (JSC::MarkedBlock::blockFor):
        (JSC::MarkedBlock::isEmpty):
        (JSC::MarkedBlock::cellSize):
        (JSC::MarkedBlock::isMarkedOrRetired):
        (JSC::MarkedBlock::FreeList::FreeList): Deleted.
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::initializeSizeClassForStepSize):
        (JSC::MarkedSpace::MarkedSpace):
        (JSC::MarkedSpace::lastChanceToFinalize):
        (JSC::MarkedSpace::allocateLarge):
        (JSC::MarkedSpace::tryAllocateLarge):
        (JSC::MarkedSpace::sweep):
        (JSC::MarkedSpace::sweepABit):
        (JSC::MarkedSpace::sweepLargeAllocations):
        (JSC::MarkedSpace::zombifySweep):
        (JSC::MarkedSpace::resetAllocators):
        (JSC::MarkedSpace::visitWeakSets):
        (JSC::MarkedSpace::reapWeakSets):
        (JSC::MarkedSpace::stopAllocating):
        (JSC::MarkedSpace::resumeAllocating):
        (JSC::MarkedSpace::isPagedOut):
        (JSC::MarkedSpace::shrink):
        (JSC::MarkedSpace::clearNewlyAllocated):
        (JSC::MarkedSpace::clearMarks):
        (JSC::MarkedSpace::didFinishIterating):
        (JSC::MarkedSpace::objectCount):
        (JSC::MarkedSpace::size):
        (JSC::MarkedSpace::capacity):
        (JSC::MarkedSpace::forEachAllocator): Deleted.
        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::sizeClassIndex):
        (JSC::MarkedSpace::subspaceForObjectsWithDestructor):
        (JSC::MarkedSpace::subspaceForObjectsWithoutDestructor):
        (JSC::MarkedSpace::subspaceForAuxiliaryData):
        (JSC::MarkedSpace::blocksWithNewObjects):
        (JSC::MarkedSpace::largeAllocations):
        (JSC::MarkedSpace::largeAllocationsNurseryOffset):
        (JSC::MarkedSpace::largeAllocationsOffsetForThisCollection):
        (JSC::MarkedSpace::largeAllocationsForThisCollectionBegin):
        (JSC::MarkedSpace::largeAllocationsForThisCollectionEnd):
        (JSC::MarkedSpace::largeAllocationsForThisCollectionSize):
        (JSC::MarkedSpace::forEachLiveCell):
        (JSC::MarkedSpace::forEachDeadCell):
        (JSC::MarkedSpace::allocatorFor):
        (JSC::MarkedSpace::destructorAllocatorFor):
        (JSC::MarkedSpace::auxiliaryAllocatorFor):
        (JSC::MarkedSpace::allocate):
        (JSC::MarkedSpace::tryAllocate):
        (JSC::MarkedSpace::allocateWithoutDestructor):
        (JSC::MarkedSpace::allocateWithDestructor):
        (JSC::MarkedSpace::allocateAuxiliary):
        (JSC::MarkedSpace::tryAllocateAuxiliary):
        (JSC::MarkedSpace::forEachBlock):
        (JSC::MarkedSpace::didAllocateInBlock):
        (JSC::MarkedSpace::forEachAllocator):
        (JSC::MarkedSpace::forEachSubspace):
        (JSC::MarkedSpace::optimalSizeFor):
        (JSC::MarkedSpace::objectCount): Deleted.
        (JSC::MarkedSpace::size): Deleted.
        (JSC::MarkedSpace::capacity): Deleted.
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::didStartMarking):
        (JSC::SlotVisitor::reset):
        (JSC::SlotVisitor::clearMarkStack):
        (JSC::SlotVisitor::append):
        (JSC::SlotVisitor::appendJSCellOrAuxiliary):
        (JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
        (JSC::SlotVisitor::appendToMarkStack):
        (JSC::SlotVisitor::markAuxiliary):
        (JSC::SlotVisitor::noteLiveAuxiliaryCell):
        (JSC::SetCurrentCellScope::SetCurrentCellScope):
        (JSC::SlotVisitor::visitChildren):
        * heap/SlotVisitor.h:
        * heap/WeakBlock.cpp:
        (JSC::WeakBlock::create):
        (JSC::WeakBlock::destroy):
        (JSC::WeakBlock::WeakBlock):
        (JSC::WeakBlock::visit):
        (JSC::WeakBlock::reap):
        * heap/WeakBlock.h:
        (JSC::WeakBlock::disconnectContainer):
        (JSC::WeakBlock::disconnectMarkedBlock): Deleted.
        * heap/WeakSet.cpp:
        (JSC::WeakSet::sweep):
        (JSC::WeakSet::addAllocator):
        * heap/WeakSet.h:
        (JSC::WeakSet::WeakSet):
        * heap/WeakSetInlines.h:
        (JSC::WeakSet::allocate):
        * inspector/InjectedScriptManager.cpp:
        * inspector/JSGlobalObjectInspectorController.cpp:
        * inspector/JSJavaScriptCallFrame.cpp:
        * inspector/ScriptDebugServer.cpp:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        * interpreter/CachedCall.h:
        (JSC::CachedCall::CachedCall):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitAllocate):
        (JSC::AssemblyHelpers::emitAllocateJSCell):
        (JSC::AssemblyHelpers::emitAllocateJSObject):
        (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
        (JSC::AssemblyHelpers::emitAllocateVariableSized):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_object):
        (JSC::JIT::emit_op_create_this):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_new_object):
        (JSC::JIT::emit_op_create_this):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitWriteBarrier):
        * jsc.cpp:
        (functionDescribeArray):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * parser/ModuleAnalyzer.cpp:
        * runtime/ArrayConventions.h:
        (JSC::indexIsSufficientlyBeyondLengthForSparseMap):
        (JSC::indexingHeaderForArrayStorage):
        (JSC::baseIndexingHeaderForArrayStorage):
        (JSC::indexingHeaderForArray): Deleted.
        (JSC::baseIndexingHeaderForArray): Deleted.
        * runtime/ArrayStorage.h:
        (JSC::ArrayStorage::length):
        (JSC::ArrayStorage::setLength):
        (JSC::ArrayStorage::vectorLength):
        (JSC::ArrayStorage::setVectorLength):
        (JSC::ArrayStorage::copyHeaderFromDuringGC):
        (JSC::ArrayStorage::sizeFor):
        (JSC::ArrayStorage::totalSizeFor):
        (JSC::ArrayStorage::totalSize):
        (JSC::ArrayStorage::availableVectorLength):
        (JSC::ArrayStorage::optimalVectorLength):
        * runtime/AuxiliaryBarrier.h: Added.
        (JSC::AuxiliaryBarrier::AuxiliaryBarrier):
        (JSC::AuxiliaryBarrier::clear):
        (JSC::AuxiliaryBarrier::get):
        (JSC::AuxiliaryBarrier::slot):
        (JSC::AuxiliaryBarrier::operator bool):
        (JSC::AuxiliaryBarrier::setWithoutBarrier):
        * runtime/AuxiliaryBarrierInlines.h: Added.
        (JSC::AuxiliaryBarrier<T>::AuxiliaryBarrier):
        (JSC::AuxiliaryBarrier<T>::set):
        * runtime/Butterfly.h:
        (JSC::Butterfly::fromBase):
        (JSC::Butterfly::fromPointer):
        * runtime/ButterflyInlines.h:
        (JSC::Butterfly::availableContiguousVectorLength):
        (JSC::Butterfly::optimalContiguousVectorLength):
        (JSC::Butterfly::createUninitialized):
        (JSC::Butterfly::growArrayRight):
        * runtime/ClonedArguments.cpp:
        (JSC::ClonedArguments::createEmpty):
        * runtime/DataView.cpp:
        * runtime/DirectArguments.h:
        * runtime/ECMAScriptSpecInternalFunctions.cpp:
        * runtime/GeneratorFrame.cpp:
        * runtime/GeneratorPrototype.cpp:
        * runtime/IntlCollator.cpp:
        * runtime/IntlCollatorConstructor.cpp:
        * runtime/IntlCollatorPrototype.cpp:
        * runtime/IntlDateTimeFormat.cpp:
        * runtime/IntlDateTimeFormatConstructor.cpp:
        * runtime/IntlDateTimeFormatPrototype.cpp:
        * runtime/IntlNumberFormat.cpp:
        * runtime/IntlNumberFormatConstructor.cpp:
        * runtime/IntlNumberFormatPrototype.cpp:
        * runtime/JSArray.cpp:
        (JSC::createArrayButterflyInDictionaryIndexingMode):
        (JSC::JSArray::tryCreateUninitialized):
        (JSC::JSArray::setLengthWritable):
        (JSC::JSArray::unshiftCountSlowCase):
        (JSC::JSArray::setLengthWithArrayStorage):
        (JSC::JSArray::appendMemcpy):
        (JSC::JSArray::setLength):
        (JSC::JSArray::pop):
        (JSC::JSArray::push):
        (JSC::JSArray::fastSlice):
        (JSC::JSArray::shiftCountWithArrayStorage):
        (JSC::JSArray::shiftCountWithAnyIndexingType):
        (JSC::JSArray::unshiftCountWithArrayStorage):
        (JSC::JSArray::fillArgList):
        (JSC::JSArray::copyToArguments):
        * runtime/JSArray.h:
        (JSC::createContiguousArrayButterfly):
        (JSC::createArrayButterfly):
        (JSC::JSArray::create):
        (JSC::JSArray::tryCreateUninitialized): Deleted.
        * runtime/JSArrayBufferView.h:
        * runtime/JSCInlines.h:
        * runtime/JSCJSValue.cpp:
        * runtime/JSCallee.cpp:
        * runtime/JSCell.cpp: