d0c5828b052aa557a1fe8564ccfaf43b06c6a79d
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2016-09-09  Saam Barati  <sbarati@apple.com>
2
3         Make hasOwnProperty ALWAYS_INLINE
4         https://bugs.webkit.org/show_bug.cgi?id=161775
5
6         Reviewed by Ryosuke Niwa.
7
8         Speedometer spends around 2.5% of its time in hasOwnProperty.
9         Let's reduce the overhead of calling that function by marking
10         it as inline. Also, it's likely that the function will call into
11         JSObject::getOwnPropertySlot. I added a check to see if that's
12         the function we're calling, if it is, we do a direct call instead
13         of an indirect call.
14
15         * runtime/JSObject.cpp:
16         (JSC::JSObject::hasOwnProperty): Deleted.
17         * runtime/JSObjectInlines.h:
18         (JSC::JSObject::hasOwnProperty):
19
20 2016-09-09  Filip Pizlo  <fpizlo@apple.com>
21
22         HashMapImpl needs to m_buffer.clear() in its constructor
23         https://bugs.webkit.org/show_bug.cgi?id=161796
24
25         Reviewed by Keith Miller.
26         
27         This is the second time that I'm fixing a bug because AuxiliaryBarrier does not initialize
28         itself. That seemed like a good idea because maybe sometimes the user knows better how to
29         initialize it. But, it's not worth it if it's a constant source of bugs.
30         
31         So, I'm fixing it for good by making AuxiliaryBarrier::AuxiliaryBarrier() initialize its
32         m_value.
33
34         * runtime/AuxiliaryBarrier.h:
35         (JSC::AuxiliaryBarrier::AuxiliaryBarrier):
36         * runtime/DirectArguments.cpp:
37         (JSC::DirectArguments::DirectArguments):
38
39 2016-09-09  Youenn Fablet  <youenn@apple.com>
40
41         ASSERTION FAILED: promise.inherits(JSPromise::info())
42         https://bugs.webkit.org/show_bug.cgi?id=161632
43         <rdar://problem/28184743>
44
45         Reviewed by Mark Lam.
46
47         * runtime/JSPromiseDeferred.cpp:
48         (JSC::JSPromiseDeferred::create): Returning null if promise object is not created.
49
50 2016-09-08  Filip Pizlo  <fpizlo@apple.com>
51
52         Heap::isMarked() shouldn't pay the price of concurrent lazy flipping
53         https://bugs.webkit.org/show_bug.cgi?id=161760
54
55         Reviewed by Mark Lam.
56         
57         To fix a race condition in marking, I made Heap::isMarked() and Heap::isLive() atomic by
58         using flipIfNecessaryConcurrently() instead of flipIfNecessary().
59         
60         This introduces three unnecessary overheads:
61         
62         - isLive() is not called by marking, so that change was not necessary.
63         
64         - isMarked() gets calls many times outside of marking, so it shouldn't always do the
65           concurrent thing. This adds isMarkedConcurrently() for use in marking, and reverts
66           isMarked().
67         
68         - isMarked() and isMarkedConcurrently() don't actually have to do the lazy flip. They can
69           return false if the flip is necessary.
70         
71         I added a bunch of debug assertions to make sure that isLive() and isMarked() are not called
72         during marking.
73         
74         If we needed to, we could remove most of the calls to isMarkedConcurrently(). As a kind of
75         optimization, CodeBlock does an initial fixpoint iteration during marking, and so all of the
76         code called from CodeBlock's fixpoint iterator needs to use isMarkedConcurrently(). But we
77         could probably arrange for CodeBlock only do fixpoint iterating during the weak reference
78         thing.
79
80         * bytecode/CodeBlock.cpp:
81         (JSC::CodeBlock::visitWeakly):
82         (JSC::CodeBlock::shouldJettisonDueToOldAge):
83         (JSC::shouldMarkTransition):
84         (JSC::CodeBlock::propagateTransitions):
85         (JSC::CodeBlock::determineLiveness):
86         * bytecode/PolymorphicAccess.cpp:
87         (JSC::AccessCase::propagateTransitions):
88         * heap/Heap.h:
89         * heap/HeapInlines.h:
90         (JSC::Heap::isLive):
91         (JSC::Heap::isMarked):
92         (JSC::Heap::isMarkedConcurrently):
93         * heap/MarkedBlock.cpp:
94         (JSC::MarkedBlock::flipIfNecessarySlow):
95         (JSC::MarkedBlock::flipIfNecessaryConcurrentlySlow):
96         (JSC::MarkedBlock::needsFlip):
97         * heap/MarkedBlock.h:
98         (JSC::MarkedBlock::needsFlip):
99         (JSC::MarkedBlock::flipIfNecessary):
100         (JSC::MarkedBlock::flipIfNecessaryConcurrently):
101         * heap/SlotVisitor.cpp:
102         (JSC::SlotVisitor::appendToMarkStack):
103         (JSC::SlotVisitor::markAuxiliary):
104         (JSC::SlotVisitor::visitChildren):
105         * runtime/Structure.cpp:
106         (JSC::Structure::isCheapDuringGC):
107         (JSC::Structure::markIfCheap):
108
109 2016-09-08  Saam Barati  <sbarati@apple.com>
110
111         We should inline operationConvertJSValueToBoolean into JIT code
112         https://bugs.webkit.org/show_bug.cgi?id=161729
113
114         Reviewed by Filip Pizlo.
115
116         This patch introduces an AssemblyHelpers emitter function
117         that replaces operationConvertJSValueToBoolean. This operation
118         was showing up when I was doing performance analysis for the
119         speedometer benchmark. I saw that it was spending about 1% of
120         its time in this function. Hopefully this patch can help us speedup
121         up speedometer by a little bit.
122
123         * dfg/DFGSpeculativeJIT32_64.cpp:
124         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
125         (JSC::DFG::SpeculativeJIT::emitBranch):
126         * dfg/DFGSpeculativeJIT64.cpp:
127         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
128         (JSC::DFG::SpeculativeJIT::emitBranch):
129         * jit/AssemblyHelpers.cpp:
130         (JSC::AssemblyHelpers::emitConvertValueToBoolean):
131         * jit/AssemblyHelpers.h:
132         (JSC::AssemblyHelpers::emitAllocateDestructibleObject): Deleted.
133         * jit/JIT.cpp:
134         (JSC::JIT::privateCompileSlowCases):
135         * jit/JIT.h:
136         * jit/JITOpcodes.cpp:
137         (JSC::JIT::emit_op_jfalse):
138         (JSC::JIT::emit_op_jtrue):
139         (JSC::JIT::emitSlow_op_jfalse): Deleted.
140         (JSC::JIT::emitSlow_op_jtrue): Deleted.
141         * jit/JITOpcodes32_64.cpp:
142         (JSC::JIT::emit_op_jfalse):
143         (JSC::JIT::emit_op_jtrue):
144         (JSC::JIT::emitSlow_op_jfalse): Deleted.
145         (JSC::JIT::emitSlow_op_jtrue): Deleted.
146         * jit/JITOperations.cpp:
147         * jit/JITOperations.h:
148
149 2016-09-08  Chris Dumez  <cdumez@apple.com>
150
151         Align proto getter / setter behavior with other browsers
152         https://bugs.webkit.org/show_bug.cgi?id=161455
153
154         Reviewed by Saam Barati.
155
156         Drop allowsAccessFrom from the methodTable and delegate cross-origin
157         checking to the DOM bindings for [[SetPrototypeOf]] / [[GetPrototypeOf]].
158         This is more consistent with other operations (e.g. [[GetOwnProperty]]).
159
160         * jsc.cpp:
161         * runtime/JSGlobalObject.cpp:
162         * runtime/JSGlobalObject.h:
163         * runtime/JSGlobalObjectFunctions.cpp:
164         (JSC::globalFuncProtoGetter):
165         (JSC::globalFuncProtoSetter):
166         (JSC::globalFuncBuiltinLog): Deleted.
167         * runtime/JSGlobalObjectFunctions.h:
168         * runtime/JSObject.cpp:
169         (JSC::JSObject::setPrototypeWithCycleCheck):
170         Remove check added in r197648. This check was added to match
171         the latest EcmaScript spec:
172         - https://tc39.github.io/ecma262/#sec-ordinarysetprototypeof (step 8)
173         This check allowed for [[Prototype]] chain cycles if the prototype
174         chain includes objects that do not use the ordinary object definitions
175         for [[GetPrototypeOf]] and [[SetPrototypeOf]].
176         The issue is that the rest of our code base does not properly handle
177         such cycles and we can end up in infinite loops. This became obvious
178         because this patch updates Window / Location so that they no longer
179         use the default [[GetPrototypeOf]] / [[SetPrototypeOf]]. If I do not
180         remove this check, I get an infinite loop in
181         Structure::anyObjectInChainMayInterceptIndexedAccesses(), which is
182         called from JSObject::setPrototypeDirect(), when running the following
183         layout test:
184         - html/browsers/history/the-location-interface/allow_prototype_cycle_through_location.sub.html
185         I filed https://bugs.webkit.org/show_bug.cgi?id=161534 to track this
186         issue.
187
188         * runtime/JSObject.h:
189         (JSC::JSObject::getArrayLength): Deleted.
190         * runtime/JSProxy.cpp:
191         (JSC::JSProxy::setPrototype):
192         (JSC::JSProxy::getPrototype):
193         * runtime/JSProxy.h:
194         * runtime/ObjectConstructor.cpp:
195         (JSC::objectConstructorGetPrototypeOf):
196         (JSC::objectConstructorSetPrototypeOf):
197         (JSC::objectConstructorGetOwnPropertyDescriptor): Deleted.
198         (JSC::objectConstructorGetOwnPropertyDescriptors): Deleted.
199         * runtime/ObjectConstructor.h:
200         * runtime/ReflectObject.cpp:
201         (JSC::reflectObjectGetPrototypeOf):
202         (JSC::reflectObjectSetPrototypeOf):
203
204 2016-09-08  Filip Pizlo  <fpizlo@apple.com>
205
206         Remove CopiedSpace and use MarkedSpace instead
207         https://bugs.webkit.org/show_bug.cgi?id=159658
208
209         Reviewed by Keith Miller.
210         
211         This removes the final client of CopiedSpace, the overrides array of DirectArguments. That
212         is a simple change.
213         
214         Then this stubs out some remaining internal debugging code that referenced CopiedSpace in
215         JSDollarVM and HeapVerifier. I filed FIXMEs to restore that debugging functionality.
216         
217         The rest of this patch is deleting CopiedSpace.
218
219         * API/JSObjectRef.cpp:
220         * CMakeLists.txt:
221         * JavaScriptCore.xcodeproj/project.pbxproj:
222         * dfg/DFGOperations.cpp:
223         * heap/ConservativeRoots.cpp:
224         (JSC::ConservativeRoots::genericAddPointer):
225         * heap/CopiedAllocator.h: Removed.
226         * heap/CopiedBlock.cpp: Removed.
227         * heap/CopiedBlock.h: Removed.
228         * heap/CopiedBlockInlines.h: Removed.
229         * heap/CopiedSpace.cpp: Removed.
230         * heap/CopiedSpace.h: Removed.
231         * heap/CopiedSpaceInlines.h: Removed.
232         * heap/CopyBarrier.h: Removed.
233         * heap/CopyToken.h: Removed.
234         * heap/CopyVisitor.cpp: Removed.
235         * heap/CopyVisitor.h: Removed.
236         * heap/CopyVisitorInlines.h: Removed.
237         * heap/CopyWorkList.h: Removed.
238         * heap/Heap.cpp:
239         (JSC::Heap::Heap):
240         (JSC::Heap::isPagedOut):
241         (JSC::Heap::updateObjectCounts):
242         (JSC::Heap::size):
243         (JSC::Heap::capacity):
244         (JSC::Heap::collectImpl):
245         (JSC::Heap::stopAllocation):
246         (JSC::Heap::updateAllocationLimits):
247         (JSC::Heap::copyBackingStores): Deleted.
248         (JSC::Heap::threadBytesCopied): Deleted.
249         * heap/Heap.h:
250         (JSC::Heap::objectSpace):
251         (JSC::Heap::allocatorForAuxiliaryData):
252         (JSC::Heap::storageSpace): Deleted.
253         (JSC::Heap::storageAllocator): Deleted.
254         * heap/HeapCellInlines.h:
255         * heap/HeapInlines.h:
256         (JSC::Heap::tryAllocateStorage): Deleted.
257         (JSC::Heap::tryReallocateStorage): Deleted.
258         * heap/HeapVerifier.cpp:
259         (JSC::HeapVerifier::verifyButterflyIsInStorageSpace):
260         (JSC::HeapVerifier::reportObject):
261         (JSC::getButterflyDetails): Deleted.
262         * heap/SlotVisitor.cpp:
263         (JSC::SlotVisitor::copyLater): Deleted.
264         * heap/SlotVisitor.h:
265         * jit/AssemblyHelpers.h:
266         * jit/JITOpcodes.cpp:
267         * jsc.cpp:
268         * runtime/ArrayConstructor.cpp:
269         * runtime/ArrayPrototype.cpp:
270         * runtime/Butterfly.h:
271         * runtime/ButterflyInlines.h:
272         (JSC::Butterfly::createUninitializedDuringCollection): Deleted.
273         * runtime/ClassInfo.h:
274         * runtime/DirectArguments.cpp:
275         (JSC::DirectArguments::visitChildren):
276         (JSC::DirectArguments::overrideThings):
277         (JSC::DirectArguments::copyBackingStore): Deleted.
278         * runtime/DirectArguments.h:
279         * runtime/JSArray.cpp:
280         * runtime/JSCell.cpp:
281         (JSC::JSCell::copyBackingStore): Deleted.
282         * runtime/JSCell.h:
283         * runtime/JSLexicalEnvironment.h:
284         * runtime/JSObject.cpp:
285         * runtime/JSTypedArrays.cpp:
286         * runtime/LiteralParser.cpp:
287         * runtime/ObjectConstructor.cpp:
288         * runtime/RegExpObject.cpp:
289         * runtime/StringPrototype.cpp:
290         * runtime/WeakMapData.cpp:
291         * tools/JSDollarVMPrototype.cpp:
292         (JSC::JSDollarVMPrototype::isInStorageSpace):
293
294 2016-09-08  Filip Pizlo  <fpizlo@apple.com>
295
296         Heap version should be 32-bit
297         https://bugs.webkit.org/show_bug.cgi?id=161751
298
299         Reviewed by Mark Lam.
300         
301         32-bit devices are probably getting hurt by the 64-bit version number. The reason why I made
302         it 64-bit initially is so that I wouldn't have to worry about wrap-around. But wrap-around is
303         easy to handle.
304
305         * heap/CellContainer.h:
306         * heap/CellContainerInlines.h:
307         (JSC::CellContainer::flipIfNecessary):
308         * heap/ConservativeRoots.cpp:
309         (JSC::ConservativeRoots::genericAddPointer):
310         (JSC::ConservativeRoots::genericAddSpan):
311         * heap/ConservativeRoots.h:
312         * heap/Heap.h:
313         * heap/HeapInlines.h:
314         (JSC::Heap::testAndSetMarked):
315         * heap/HeapUtil.h:
316         (JSC::HeapUtil::findGCObjectPointersForMarking):
317         * heap/MarkedBlock.cpp:
318         (JSC::MarkedBlock::MarkedBlock):
319         * heap/MarkedBlock.h:
320         (JSC::MarkedBlock::flipIfNecessary):
321         (JSC::MarkedBlock::flipIfNecessaryConcurrently):
322         (JSC::MarkedBlock::Handle::flipIfNecessary):
323         (JSC::MarkedBlock::Handle::flipIfNecessaryConcurrently):
324         * heap/MarkedSpace.cpp:
325         (JSC::MarkedSpace::flip):
326         * heap/MarkedSpace.h:
327         (JSC::MarkedSpace::version):
328         * heap/SlotVisitor.cpp:
329         (JSC::SlotVisitor::SlotVisitor):
330         * heap/SlotVisitor.h:
331
332 2016-09-08  Mark Lam  <mark.lam@apple.com>
333
334         Add support for a ternary sub32 emitter for ARM64 and 32-bit ARM.
335         https://bugs.webkit.org/show_bug.cgi?id=161724
336
337         Reviewed by Filip Pizlo.
338
339         ARM architectures support ternary sub instructions.  We should make use of them
340         in emitAllocateWithNonNullAllocator().
341
342         * assembler/MacroAssemblerARM.h:
343         (JSC::MacroAssemblerARM::sub32):
344         * assembler/MacroAssemblerARM64.h:
345         (JSC::MacroAssemblerARM64::sub32):
346         * assembler/MacroAssemblerARMv7.h:
347         (JSC::MacroAssemblerARMv7::sub32):
348         * assembler/MacroAssemblerSH4.h:
349         (JSC::MacroAssemblerSH4::sub32):
350         * assembler/MacroAssemblerX86Common.h:
351         (JSC::MacroAssemblerX86Common::sub32):
352         * b3/air/AirOpcode.opcodes:
353         * b3/testb3.cpp:
354         (JSC::B3::testTernarySubInstructionSelection):
355         (JSC::B3::run):
356         * jit/AssemblyHelpers.h:
357         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
358
359 2016-09-08  Filip Pizlo  <fpizlo@apple.com>
360
361         Move JSMap/JSSet over to Auxiliary MarkedSpace
362         https://bugs.webkit.org/show_bug.cgi?id=161744
363
364         Reviewed by Saam Barati.
365         
366         This moves the buffer out of CopiedSpace and into Auxiliary MarkedSpace.
367         
368         Also removes MapData.h/MapDataInlines.h since they are not used anywhere, but they still
369         speak of CopiedSpace.
370         
371         This is a purely mechanical change.
372
373         * JavaScriptCore.xcodeproj/project.pbxproj:
374         * heap/CopyToken.h:
375         * runtime/HashMapImpl.cpp:
376         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
377         (JSC::HashMapImpl<HashMapBucket>::copyBackingStore): Deleted.
378         * runtime/HashMapImpl.h:
379         (JSC::HashMapBuffer::create):
380         * runtime/JSMapIterator.cpp:
381         * runtime/JSMapIterator.h:
382         * runtime/JSSetIterator.cpp:
383         * runtime/JSSetIterator.h:
384         * runtime/MapBase.cpp:
385         * runtime/MapData.h: Removed.
386         * runtime/MapDataInlines.h: Removed.
387         * runtime/MapPrototype.cpp:
388         * runtime/SetConstructor.cpp:
389         * runtime/SetPrototype.cpp:
390         * runtime/VM.cpp:
391
392 2016-09-06  Filip Pizlo  <fpizlo@apple.com>
393
394         Typed arrays should use MarkedSpace instead of CopiedSpace
395         https://bugs.webkit.org/show_bug.cgi?id=161100
396
397         Reviewed by Geoffrey Garen.
398         
399         This moves typed array backing stores out of CopiedSpace and into Auxiliary MarkedSpace.
400         
401         This is a purely mechanical change since Auxiliary MarkedSpace already knows how to do
402         everything that typed arrays want.
403
404         * dfg/DFGOperations.cpp:
405         (JSC::DFG::newTypedArrayWithSize):
406         * dfg/DFGOperations.h:
407         (JSC::DFG::operationNewTypedArrayWithSizeForType):
408         * dfg/DFGSpeculativeJIT.cpp:
409         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
410         * dfg/DFGSpeculativeJIT.h:
411         (JSC::DFG::SpeculativeJIT::callOperation):
412         (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage): Deleted.
413         * ftl/FTLLowerDFGToB3.cpp:
414         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
415         (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
416         (JSC::FTL::DFG::LowerDFGToB3::splatWords):
417         (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorageAndGetEnd): Deleted.
418         (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorage): Deleted.
419         * heap/CopyToken.h:
420         * heap/SlotVisitor.cpp:
421         (JSC::SlotVisitor::markAuxiliary):
422         * jit/JITOperations.h:
423         * runtime/JSArrayBufferView.cpp:
424         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
425         (JSC::JSArrayBufferView::JSArrayBufferView):
426         * runtime/JSArrayBufferView.h:
427         * runtime/JSGenericTypedArrayView.h:
428         * runtime/JSGenericTypedArrayViewInlines.h:
429         (JSC::JSGenericTypedArrayView<Adaptor>::createWithFastVector):
430         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
431         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
432         (JSC::JSGenericTypedArrayView<Adaptor>::copyBackingStore): Deleted.
433
434 2016-09-08  Per Arne Vollan  <pvollan@apple.com>
435
436         [Win64] Compile fixes.
437         https://bugs.webkit.org/show_bug.cgi?id=161682
438
439         Reviewed by Brent Fulgham.
440
441         * dfg/DFGSpeculativeJIT64.cpp:
442         (JSC::DFG::SpeculativeJIT::emitCall):
443         * jit/JITCall.cpp:
444         (JSC::JIT::compileOpCall):
445         * runtime/ArrayConventions.cpp:
446         (JSC::clearArrayMemset):
447
448 2016-09-08  Per Arne Vollan  <pvollan@apple.com>
449
450         [Win] Exception fuzz tests fail
451         https://bugs.webkit.org/show_bug.cgi?id=140928
452
453         Reviewed by Mark Lam.
454
455         Flush stdout when throwing the exception to make sure the output comes before output in the exception handler.
456         The tests depend on the output to stdout being written in the correct order.
457
458         * runtime/ExceptionFuzz.cpp:
459         (JSC::doExceptionFuzzing):
460
461 2016-09-07  Simon Fraser  <simon.fraser@apple.com>
462
463         Enable the <meter> element on iOS
464         https://bugs.webkit.org/show_bug.cgi?id=161714
465         rdar://problem/8978410
466
467         Reviewed by Tim Horton.
468
469         Define ENABLE_METER_ELEMENT unconditionally now.
470
471         * Configurations/FeatureDefines.xcconfig:
472
473 2016-09-07  Joseph Pecoraro  <pecoraro@apple.com>
474
475         Modernize Debugger to use nullptr
476         https://bugs.webkit.org/show_bug.cgi?id=161718
477
478         Reviewed by Mark Lam.
479
480         * debugger/Debugger.cpp:
481         (JSC::Debugger::Debugger):
482         (JSC::Debugger::~Debugger):
483         (JSC::Debugger::detach):
484         (JSC::Debugger::stepOutOfFunction):
485         (JSC::Debugger::updateCallFrameAndPauseIfNeeded):
486         * debugger/Debugger.h:
487
488 2016-09-07  Joseph Pecoraro  <pecoraro@apple.com>
489
490         Web Inspector: Remove always false case in Debugger
491         https://bugs.webkit.org/show_bug.cgi?id=161717
492
493         Reviewed by Brian Burg.
494
495         * debugger/Debugger.cpp:
496         (JSC::Debugger::didExecuteProgram):
497         We would have earlier returned a few statements ago if this case was true.
498         And we would have crashed in the previous statement if this case was true.
499
500 2016-09-07  Yusuke Suzuki  <utatane.tea@gmail.com>
501
502         Unreviewed, build fix after r205569
503
504         Tweak CMakeLists.txt
505
506         * CMakeLists.txt:
507
508 2016-09-07  Mark Lam  <mark.lam@apple.com>
509
510         Add CatchScope and force all exception checks to be via ThrowScope or CatchScope.
511         https://bugs.webkit.org/show_bug.cgi?id=161498
512
513         Reviewed by Geoffrey Garen.
514
515         This patch refactors the ThrowScope class, and introduces a base ExceptionScope
516         that ThrowScope extends.  A CatchScope which extends the ExceptionScope is also
517         introduced.
518
519         ENABLE(THROW_SCOPE_VERIFICATION) is now renamed to ENABLE(EXCEPTION_SCOPE_VERIFICATION)
520         which is a more suitable name now.
521
522         Note: exception scope verification is still disabled by default.  There are still
523         many places that need to be fixed up or re-expressed in a way that is friendly
524         to the verification.  I'll address those in subsequent patches.
525
526         After this patch, the code will statically enforce that:
527         1. all calls to throwException() go through a ThrowScope.
528         2. all calls to clearException() go through a CatchScope.
529         3. all exception checks go through an ExceptionScope in the form of a ThrowScope
530            or CatchScope.
531
532         A Summary of how to use ExceptionScopes
533         =======================================
534         1. If a function can throw a JS exception, it should declare a ThrowScope at the
535            top of the function (as early as possible).
536
537         2. If a function can clear JS exceptions, it should declare a CatchScope at the
538            top of the function (as early as possible).
539
540         Declaring a ThrowScope in a function means that the function may throw an exception
541         that its caller will have to handle.  Declaring a CatchScope in a function means
542         that the function intends to clear pending exceptions before returning to its
543         caller. 
544
545         For more details, see the notes below.
546         
547         Everything you may want to know about ExceptionScopes
548         =====================================================
549         ExceptionScope verification works to simulate exception throws and detect cases
550         where exception checks are missing.  The notes below will cover:
551
552             1. The VM::m_needExceptionCheck bit
553             2. ThrowScopes and CatchScopes
554             3. Verification of needed exception checks
555             3. Checking Exceptions
556             4. Simulating throws
557             5. Using ThrowScope::release()
558             6. Checking exceptions with ThrowScope::exception() / CatchScope::exception()
559             7. Checking exceptions by checking callee results
560             8. Debugging verification errors
561
562         1. The VM::m_needExceptionCheck bit
563
564            The VM has a m_needExceptionCheck bit that indicates when an exception may be
565            thrown.  You can think of the m_needExceptionCheck bit being set as a simulated
566            throw.
567
568         2. ThrowScopes and CatchScopes
569
570            Only ThrowScopes may throwException.  Only CatchScopes may catchException.
571
572            Every throw site must declare a ThrowScope instance using DECLARE_THROW_SCOPE
573            at the top of its function (as early as possible) e.g.
574  
575                 void foo(...)
576                 {
577                     auto scope = DECLARE_THROW_SCOPE(vm);
578                     ...
579                     throwException(exec, scope, ...);
580                 }
581
582            Note: by convention, every throw helper function must take a ThrowScope argument
583            instead of instantiating its own ThrowScope.  This allows the throw to be
584            attributed to the client code rather than the throw helper itself.
585
586            Every catch site (i.e. a site that calls clearException()) must declare a
587            CatchScope instance using DECLARE_CATCH_SCOPE at the top of its function.
588
589            If a function can both throw or clear exceptions, then the ThrowScope should
590            be declared first so that it can simulate a throw to the function's caller.
591
592            Note: ThrowScope and CatchScope both extend ExceptionScope so that ThrowScopes
593            can be aware if there's an enclosing CatchScope between it and the point where
594            C++ code returns to JS code.  This is needed to determine if the ThrowScope
595            should simulate a re-throw or not.  See (4) below for more details on returning
596            to JS code.
597
598         3. Verification of needed exception checks
599
600            a. On construction, each ThrowScope and CatchScope will verify that
601               VM::m_needExceptionCheck is not set.
602  
603               This ensures that the caller of the current function has checked for exceptions
604               where needed before doing more work which lead to calling the current function.
605
606            b. On destruction, each ThrowScope and CatchScope will verify that
607               VM::m_needExceptionCheck is not set. This verification will be skipped if
608               the ThrowScope has been released (see (5) below).
609
610               This ensures that the function that owns this exception scope is not missing
611               any exception checks before returning.
612
613            c. When throwing an exception, the ThrowScope will verify that VM::m_needExceptionCheck
614               is not already set, unless it's been ask to rethrow the same Exception object.
615
616         4. Simulating throws
617
618            Throws are simulated by setting the m_needExceptionCheck bit.
619
620            The bit will only be set in the ThrowScope destructor except when the ThrowScope
621            detects the caller is a LLInt or JIT function.  LLInt or JIT functions will always
622            check for exceptions after a host C++ function returns to it.  However, they will
623            not clear the m_needExceptionCheck bit.
624
625            Hence, if the ThrowScope destructor detects the caller is a LLInt or JIT function,
626            it will just skip the setting of the bit.
627
628            Note: it is not needed nor correct to set the m_needExceptionCheck bit in the
629            throwException methods.  This is because, in practice, we always return
630            immediately after throwing an exception.  It doesn't make sense to set the bit in
631            the throw just to have to clear it immediately after before we do verification in
632            the ThrowScope destructor.
633
634         5. Using ThrowScope::release()
635
636            Calling release() means that the scope is released from its obligation to
637            verify the VM::m_needExceptionCheck bit on destruction.
638
639            release() should only be used at the bottom of a function if:
640
641            a. This function is going to let its caller check and handle the exception, e.g.
642
643                 void foo(...)
644                 {
645                     auto scope = DECLARE_THROW_SCOPE(vm);
646                     auto result = goo(); // may throw.
647
648                     ... // Code that will are not affected by a pending exceptions.
649
650                     scope.release(); // tell the ThrowScope that the caller will handle the exception.
651                     return result;
652                 }
653
654            b. This function is going to do a tail call that may throw.
655
656                 void foo(...)
657                 {
658                     auto scope = DECLARE_THROW_SCOPE(vm);
659                     ...
660                     scope.release(); // tell the ThrowScope that the caller will handle the exception.
661                     return goo(); // may throw.
662                 }
663
664               release() should not be used in code paths that branch. For example:
665
666                 void foo(...)
667                 {
668                     auto scope = DECLARE_THROW_SCOPE(vm);
669
670                     auto result = goo1(); // may throw.
671                     scope.release(); // WRONG !!! Don't do this.
672                     if (result)
673                         return;
674
675                     result = goo2(); // may throw.
676                     ...
677                     return result;
678                 }
679
680             The above will result in a verification error in goo2()'s ThrowScope.  The
681             proper way to fix this verification is to do either (6) or (7) below.
682
683          6. Checking exceptions with ThrowScope::exception() / CatchScope::exception()
684
685             ThrowScope/CatchScope::exception() returns the thrown Exception object if
686             there is one pending.  Else, it returns nullptr.
687
688             It also clears the m_needExceptionCheck bit thereby indicating that we've
689             satisfied the needed exception check.  For example,
690
691                 void foo(...)
692                 {
693                     auto scope = DECLARE_THROW_SCOPE(vm);
694
695                     auto result = goo1(); // may throw.
696                     if (scope.exception())
697                         return;
698
699                     result = goo2(); // may throw.
700                     ...
701                     return result;
702                 }
703
704             But sometimes, for optimization reasons, we may choose to test the result of
705             the callee function instead doing a load of the VM exception value.  See (7)
706             below.
707
708          7. Checking exceptions by checking callee results
709
710             This approach should only be applied when it makes a difference to performance.
711             If we need to do this, we should add an ASSERT() that invokes the scope's
712             exception() method to verify the result.  Since exception scope verification
713             is only done on DEBUG builds, this ASSERT will satisfy the verification
714             requirements without impacting performance.  For example,
715
716                 void foo(...)
717                 {
718                     auto scope = DECLARE_THROW_SCOPE(vm);
719
720                     bool failed = goo1(); // may throw.
721                     ASSERT(!!scope.exception() == failed)
722                     if (failed)
723                         return;
724
725                     result = goo2(); // may throw.
726                     ...
727                     return result;
728                 }
729
730          8. Debugging verification errors
731
732             a. When verification fails, you will see a message followed by an assertion
733                failure.  For example:
734
735             ERROR: Unchecked JS exception:
736                 This scope can throw a JS exception: setUpCall @ /Volumes/Data/ws6/OpenSource/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1245
737                     (ExceptionScope::m_recursionDepth was ...)
738                 But the exception was unchecked as of this scope: varargsSetup @ /Volumes/Data/ws6/OpenSource/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1398
739                     (ExceptionScope::m_recursionDepth was ...)
740                 [ backtrace here ]
741
742                The message tells you that failure was detected at in varargsSetup() at
743                LLIntSlowPaths.cpp line 1398, and that the missing exception check should
744                have happened somewhere between the call to setUpCall() at LLIntSlowPaths.cpp
745                line 1245 and it.
746
747                If that is insufficient information, you can ...
748
749             b. Dump simulated throws
750
751                Re-run the test case with JSC_dumpSimulatedThrows=true.  You will also see
752                back traces at each simulated throw.
753
754             c. Narrowing down the source of a simulated throw
755
756                Another technique for narrowing down the source of simulated throws is by
757                further dividing a function to smaller regions by separating each region
758                with additional local throw scopes.  For example,
759
760                 ... // Region 1
761                 { auto scope = DECLARE_THROW_SCOPE(vm); }
762                 ... // Region 2
763                 { auto scope = DECLARE_THROW_SCOPE(vm); }
764                 ... // Region 3
765
766         * API/APIUtils.h:
767         (handleExceptionIfNeeded):
768         * CMakeLists.txt:
769         * JavaScriptCore.xcodeproj/project.pbxproj:
770         * bindings/ScriptFunctionCall.cpp:
771         (Deprecated::ScriptFunctionCall::call):
772         * bindings/ScriptValue.cpp:
773         (Deprecated::ScriptValue::toString):
774         * debugger/Debugger.cpp:
775         (JSC::Debugger::pauseIfNeeded):
776         * debugger/DebuggerCallFrame.cpp:
777         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
778         * dfg/DFGOSRExitCompiler.cpp:
779         * dfg/DFGOperations.cpp:
780         (JSC::DFG::operationPutByValInternal):
781         * inspector/InjectedScriptManager.cpp:
782         (Inspector::InjectedScriptManager::createInjectedScript):
783         * inspector/JSGlobalObjectInspectorController.cpp:
784         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
785         * inspector/JSInjectedScriptHost.cpp:
786         (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
787         (Inspector::JSInjectedScriptHost::getInternalProperties):
788         (Inspector::JSInjectedScriptHost::weakMapEntries):
789         (Inspector::JSInjectedScriptHost::weakSetEntries):
790         (Inspector::JSInjectedScriptHost::iteratorEntries):
791         * inspector/JSJavaScriptCallFrame.cpp:
792         (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
793         * inspector/ScriptCallStackFactory.cpp:
794         (Inspector::extractSourceInformationFromException):
795         * interpreter/CachedCall.h:
796         (JSC::CachedCall::CachedCall):
797         * interpreter/CallFrame.h:
798         (JSC::ExecState::clearException): Deleted.
799         (JSC::ExecState::exception): Deleted.
800         (JSC::ExecState::hadException): Deleted.
801         (JSC::ExecState::lastException): Deleted.
802         (JSC::ExecState::clearLastException): Deleted.
803         * interpreter/Interpreter.cpp:
804         (JSC::eval):
805         (JSC::sizeOfVarargs):
806         (JSC::notifyDebuggerOfUnwinding):
807         (JSC::Interpreter::unwind):
808         (JSC::Interpreter::execute):
809         (JSC::Interpreter::executeCall):
810         (JSC::Interpreter::executeConstruct):
811         (JSC::Interpreter::prepareForRepeatCall):
812         (JSC::Interpreter::debug):
813         * interpreter/Interpreter.h:
814         (JSC::SuspendExceptionScope::SuspendExceptionScope):
815         * interpreter/ShadowChicken.cpp:
816         (JSC::ShadowChicken::functionsOnStack):
817         * jit/JITCode.cpp:
818         (JSC::JITCode::execute):
819         * jit/JITExceptions.cpp:
820         (JSC::genericUnwind):
821         * jit/JITOperations.cpp:
822         (JSC::getByVal):
823         * jsc.cpp:
824         (WTF::ImpureGetter::getOwnPropertySlot):
825         (GlobalObject::moduleLoaderResolve):
826         (GlobalObject::moduleLoaderFetch):
827         (functionCreateElement):
828         (functionRun):
829         (functionRunString):
830         (functionLoad):
831         (functionLoadString):
832         (functionReadFile):
833         (functionCheckSyntax):
834         (functionSetRandomSeed):
835         (functionLoadModule):
836         (functionCreateBuiltin):
837         (functionCheckModuleSyntax):
838         (functionGenerateHeapSnapshot):
839         (functionSamplingProfilerStackTraces):
840         (dumpException):
841         (checkUncaughtException):
842         (runWithScripts):
843         (runInteractive):
844         * llint/LLIntExceptions.cpp:
845         (JSC::LLInt::returnToThrow):
846         (JSC::LLInt::callToThrow):
847         * llint/LLIntSlowPaths.cpp:
848         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
849         * profiler/ProfilerBytecodeSequence.cpp:
850         (JSC::Profiler::BytecodeSequence::addSequenceProperties):
851         * profiler/ProfilerCompilation.cpp:
852         (JSC::Profiler::Compilation::toJS):
853         * profiler/ProfilerDatabase.cpp:
854         (JSC::Profiler::Database::toJS):
855         * profiler/ProfilerOSRExitSite.cpp:
856         (JSC::Profiler::OSRExitSite::toJS):
857         * profiler/ProfilerOriginStack.cpp:
858         (JSC::Profiler::OriginStack::toJS):
859         * runtime/ArrayPrototype.cpp:
860         (JSC::speciesConstructArray):
861         (JSC::shift):
862         (JSC::unshift):
863         (JSC::arrayProtoFuncToString):
864         (JSC::arrayProtoFuncToLocaleString):
865         (JSC::slowJoin):
866         (JSC::fastJoin):
867         (JSC::arrayProtoFuncJoin):
868         (JSC::arrayProtoFuncPop):
869         (JSC::arrayProtoFuncPush):
870         (JSC::arrayProtoFuncReverse):
871         (JSC::arrayProtoFuncShift):
872         (JSC::arrayProtoFuncSlice):
873         (JSC::arrayProtoFuncSplice):
874         (JSC::arrayProtoFuncUnShift):
875         (JSC::arrayProtoFuncIndexOf):
876         (JSC::arrayProtoFuncLastIndexOf):
877         (JSC::moveElements):
878         (JSC::concatAppendOne):
879         (JSC::arrayProtoPrivateFuncConcatMemcpy):
880         * runtime/BooleanConstructor.cpp:
881         (JSC::constructWithBooleanConstructor):
882         * runtime/CallData.cpp:
883         (JSC::call):
884         * runtime/CatchScope.cpp: Added.
885         (JSC::CatchScope::CatchScope):
886         (JSC::CatchScope::~CatchScope):
887         * runtime/CatchScope.h: Added.
888         (JSC::CatchScope::clearException):
889         (JSC::CatchScope::CatchScope):
890         * runtime/CommonSlowPaths.cpp:
891         (JSC::SLOW_PATH_DECL):
892         * runtime/CommonSlowPaths.h:
893         (JSC::CommonSlowPaths::opIn):
894         * runtime/CommonSlowPathsExceptions.cpp:
895         (JSC::CommonSlowPaths::interpreterThrowInCaller):
896         * runtime/Completion.cpp:
897         (JSC::evaluate):
898         (JSC::rejectPromise):
899         (JSC::loadAndEvaluateModule):
900         (JSC::loadModule):
901         * runtime/ConsoleObject.cpp:
902         (JSC::consoleProtoFuncAssert):
903         (JSC::consoleProtoFuncProfile):
904         (JSC::consoleProtoFuncProfileEnd):
905         (JSC::consoleProtoFuncTakeHeapSnapshot):
906         (JSC::consoleProtoFuncTime):
907         (JSC::consoleProtoFuncTimeEnd):
908         * runtime/DateConstructor.cpp:
909         (JSC::constructDate):
910         (JSC::dateParse):
911         * runtime/DatePrototype.cpp:
912         (JSC::dateProtoFuncToPrimitiveSymbol):
913         (JSC::dateProtoFuncToJSON):
914         * runtime/ErrorConstructor.cpp:
915         (JSC::Interpreter::constructWithErrorConstructor):
916         * runtime/ErrorInstance.cpp:
917         (JSC::ErrorInstance::sanitizedToString):
918         * runtime/ErrorPrototype.cpp:
919         (JSC::errorProtoFuncToString):
920         * runtime/ExceptionEventLocation.cpp: Added.
921         (WTF::printInternal):
922         * runtime/ExceptionEventLocation.h: Copied from Source/JavaScriptCore/runtime/ThrowScopeLocation.h.
923         (JSC::ExceptionEventLocation::ExceptionEventLocation):
924         (JSC::ThrowScopeLocation::ThrowScopeLocation): Deleted.
925         * runtime/ExceptionHelpers.h:
926         * runtime/ExceptionScope.cpp: Added.
927         (JSC::ExceptionScope::ExceptionScope):
928         (JSC::ExceptionScope::~ExceptionScope):
929         * runtime/ExceptionScope.h: Added.
930         (JSC::ExceptionScope::vm):
931         (JSC::ExceptionScope::recursionDepth):
932         (JSC::ExceptionScope::exception):
933         (JSC::ExceptionScope::ExceptionScope):
934         * runtime/FunctionConstructor.cpp:
935         (JSC::constructFunctionSkippingEvalEnabledCheck):
936         * runtime/FunctionPrototype.cpp:
937         (JSC::functionProtoFuncBind):
938         * runtime/GenericArgumentsInlines.h:
939         (JSC::GenericArguments<Type>::copyToArguments):
940         * runtime/GetterSetter.cpp:
941         (JSC::callGetter):
942         * runtime/InspectorInstrumentationObject.cpp:
943         (JSC::inspectorInstrumentationObjectLog):
944         * runtime/InternalFunction.cpp:
945         (JSC::InternalFunction::createSubclassStructure):
946         * runtime/IntlCollator.cpp:
947         (JSC::IntlCollator::initializeCollator):
948         (JSC::IntlCollator::createCollator):
949         (JSC::IntlCollator::resolvedOptions):
950         * runtime/IntlCollatorConstructor.cpp:
951         (JSC::constructIntlCollator):
952         (JSC::IntlCollatorConstructorFuncSupportedLocalesOf):
953         * runtime/IntlCollatorPrototype.cpp:
954         (JSC::IntlCollatorFuncCompare):
955         (JSC::IntlCollatorPrototypeGetterCompare):
956         * runtime/IntlDateTimeFormat.cpp:
957         (JSC::toDateTimeOptionsAnyDate):
958         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
959         (JSC::IntlDateTimeFormat::resolvedOptions):
960         (JSC::IntlDateTimeFormat::format):
961         * runtime/IntlDateTimeFormatConstructor.cpp:
962         (JSC::constructIntlDateTimeFormat):
963         (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf):
964         * runtime/IntlDateTimeFormatPrototype.cpp:
965         (JSC::IntlDateTimeFormatFuncFormatDateTime):
966         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
967         * runtime/IntlNumberFormat.cpp:
968         (JSC::IntlNumberFormat::initializeNumberFormat):
969         (JSC::IntlNumberFormat::createNumberFormat):
970         (JSC::IntlNumberFormat::resolvedOptions):
971         * runtime/IntlNumberFormatConstructor.cpp:
972         (JSC::constructIntlNumberFormat):
973         (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf):
974         * runtime/IntlNumberFormatPrototype.cpp:
975         (JSC::IntlNumberFormatFuncFormatNumber):
976         (JSC::IntlNumberFormatPrototypeGetterFormat):
977         * runtime/IntlObject.cpp:
978         (JSC::intlBooleanOption):
979         (JSC::intlStringOption):
980         (JSC::intlNumberOption):
981         (JSC::canonicalizeLocaleList):
982         (JSC::supportedLocales):
983         * runtime/IntlObjectInlines.h:
984         (JSC::constructIntlInstanceWithWorkaroundForLegacyIntlConstructor):
985         * runtime/IteratorOperations.cpp:
986         (JSC::iteratorNext):
987         (JSC::iteratorStep):
988         (JSC::iteratorClose):
989         (JSC::iteratorForIterable):
990         * runtime/IteratorOperations.h:
991         (JSC::forEachInIterable):
992         * runtime/JSArray.cpp:
993         (JSC::JSArray::pop):
994         (JSC::JSArray::push):
995         (JSC::JSArray::copyToArguments):
996         * runtime/JSArrayBufferConstructor.cpp:
997         (JSC::constructArrayBuffer):
998         * runtime/JSArrayBufferPrototype.cpp:
999         (JSC::arrayBufferProtoFuncSlice):
1000         * runtime/JSArrayInlines.h:
1001         (JSC::getLength):
1002         (JSC::toLength):
1003         * runtime/JSBoundFunction.cpp:
1004         (JSC::getBoundFunctionStructure):
1005         (JSC::JSBoundFunction::create):
1006         * runtime/JSCJSValue.cpp:
1007         (JSC::JSValue::putToPrimitive):
1008         (JSC::JSValue::putToPrimitiveByIndex):
1009         (JSC::JSValue::toStringSlowCase):
1010         * runtime/JSCJSValueInlines.h:
1011         (JSC::toPreferredPrimitiveType):
1012         (JSC::JSValue::getPropertySlot):
1013         (JSC::JSValue::equalSlowCaseInline):
1014         * runtime/JSDataViewPrototype.cpp:
1015         (JSC::getData):
1016         (JSC::setData):
1017         * runtime/JSFunction.cpp:
1018         (JSC::JSFunction::setFunctionName):
1019         * runtime/JSGenericTypedArrayView.h:
1020         (JSC::JSGenericTypedArrayView::setIndex):
1021         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1022         (JSC::constructGenericTypedArrayViewFromIterator):
1023         (JSC::constructGenericTypedArrayViewWithArguments):
1024         (JSC::constructGenericTypedArrayView):
1025         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1026         (JSC::speciesConstruct):
1027         (JSC::genericTypedArrayViewProtoFuncCopyWithin):
1028         (JSC::genericTypedArrayViewProtoFuncIncludes):
1029         (JSC::genericTypedArrayViewProtoFuncIndexOf):
1030         (JSC::genericTypedArrayViewProtoFuncJoin):
1031         (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
1032         (JSC::genericTypedArrayViewProtoFuncSlice):
1033         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
1034         * runtime/JSGlobalObject.h:
1035         (JSC::constructEmptyArray):
1036         (JSC::constructArray):
1037         (JSC::constructArrayNegativeIndexed):
1038         * runtime/JSGlobalObjectFunctions.cpp:
1039         (JSC::globalFuncEval):
1040         * runtime/JSJob.cpp:
1041         (JSC::JSJobMicrotask::run):
1042         * runtime/JSModuleEnvironment.cpp:
1043         (JSC::JSModuleEnvironment::getOwnPropertySlot):
1044         * runtime/JSModuleLoader.cpp:
1045         (JSC::JSModuleLoader::fetch):
1046         * runtime/JSModuleNamespaceObject.cpp:
1047         (JSC::JSModuleNamespaceObject::finishCreation):
1048         (JSC::JSModuleNamespaceObject::getOwnPropertySlot):
1049         * runtime/JSModuleRecord.cpp:
1050         (JSC::JSModuleRecord::instantiateDeclarations):
1051         * runtime/JSONObject.cpp:
1052         (JSC::Stringifier::Stringifier):
1053         (JSC::Stringifier::stringify):
1054         (JSC::Stringifier::toJSON):
1055         (JSC::Stringifier::appendStringifiedValue):
1056         (JSC::Stringifier::Holder::appendNextProperty):
1057         (JSC::Walker::walk):
1058         (JSC::JSONProtoFuncParse):
1059         * runtime/JSObject.cpp:
1060         (JSC::ordinarySetSlow):
1061         (JSC::JSObject::setPrototypeWithCycleCheck):
1062         (JSC::callToPrimitiveFunction):
1063         (JSC::JSObject::ordinaryToPrimitive):
1064         (JSC::JSObject::defaultHasInstance):
1065         (JSC::JSObject::getPropertyNames):
1066         (JSC::JSObject::toNumber):
1067         (JSC::JSObject::toString):
1068         (JSC::JSObject::defineOwnNonIndexProperty):
1069         (JSC::JSObject::getGenericPropertyNames):
1070         (JSC::JSObject::getMethod):
1071         * runtime/JSObjectInlines.h:
1072         (JSC::createListFromArrayLike):
1073         (JSC::JSObject::getPropertySlot):
1074         (JSC::JSObject::getNonIndexPropertySlot):
1075         * runtime/JSPromiseConstructor.cpp:
1076         (JSC::constructPromise):
1077         * runtime/JSPropertyNameEnumerator.h:
1078         (JSC::propertyNameEnumerator):
1079         * runtime/JSPropertyNameIterator.cpp:
1080         (JSC::JSPropertyNameIterator::create):
1081         * runtime/JSScope.cpp:
1082         (JSC::isUnscopable):
1083         (JSC::JSScope::resolve):
1084         * runtime/JSString.cpp:
1085         (JSC::JSString::equalSlowCase):
1086         * runtime/JSStringJoiner.cpp:
1087         (JSC::JSStringJoiner::join):
1088         * runtime/LiteralParser.cpp:
1089         (JSC::LiteralParser<CharType>::parse):
1090         * runtime/MapConstructor.cpp:
1091         (JSC::constructMap):
1092         * runtime/MathObject.cpp:
1093         (JSC::mathProtoFuncClz32):
1094         (JSC::mathProtoFuncHypot):
1095         (JSC::mathProtoFuncIMul):
1096         * runtime/ModuleLoaderPrototype.cpp:
1097         (JSC::moduleLoaderPrototypeParseModule):
1098         (JSC::moduleLoaderPrototypeRequestedModules):
1099         (JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
1100         * runtime/NativeErrorConstructor.cpp:
1101         (JSC::Interpreter::constructWithNativeErrorConstructor):
1102         * runtime/NumberConstructor.cpp:
1103         (JSC::constructWithNumberConstructor):
1104         * runtime/ObjectConstructor.cpp:
1105         (JSC::constructObject):
1106         (JSC::objectConstructorGetPrototypeOf):
1107         (JSC::objectConstructorSetPrototypeOf):
1108         (JSC::objectConstructorGetOwnPropertyDescriptor):
1109         (JSC::objectConstructorGetOwnPropertyDescriptors):
1110         (JSC::objectConstructorGetOwnPropertyNames):
1111         (JSC::objectConstructorGetOwnPropertySymbols):
1112         (JSC::objectConstructorKeys):
1113         (JSC::ownEnumerablePropertyKeys):
1114         (JSC::toPropertyDescriptor):
1115         (JSC::objectConstructorDefineProperty):
1116         (JSC::defineProperties):
1117         (JSC::objectConstructorSeal):
1118         (JSC::objectConstructorFreeze):
1119         (JSC::objectConstructorIsSealed):
1120         (JSC::objectConstructorIsFrozen):
1121         (JSC::objectConstructorIsExtensible):
1122         (JSC::ownPropertyKeys):
1123         * runtime/ObjectConstructor.h:
1124         (JSC::constructObjectFromPropertyDescriptor):
1125         * runtime/ObjectPrototype.cpp:
1126         (JSC::objectProtoFuncHasOwnProperty):
1127         (JSC::objectProtoFuncIsPrototypeOf):
1128         (JSC::objectProtoFuncDefineGetter):
1129         (JSC::objectProtoFuncDefineSetter):
1130         (JSC::objectProtoFuncLookupGetter):
1131         (JSC::objectProtoFuncLookupSetter):
1132         (JSC::objectProtoFuncPropertyIsEnumerable):
1133         (JSC::objectProtoFuncToLocaleString):
1134         (JSC::objectProtoFuncToString):
1135         * runtime/Operations.cpp:
1136         (JSC::jsAddSlowCase):
1137         * runtime/Options.h:
1138         * runtime/PropertyDescriptor.cpp:
1139         (JSC::PropertyDescriptor::slowGetterSetter):
1140         * runtime/ProxyConstructor.cpp:
1141         (JSC::makeRevocableProxy):
1142         * runtime/ProxyObject.cpp:
1143         (JSC::ProxyObject::toStringName):
1144         (JSC::performProxyGet):
1145         (JSC::ProxyObject::performGet):
1146         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1147         (JSC::ProxyObject::performHasProperty):
1148         (JSC::ProxyObject::performPut):
1149         (JSC::ProxyObject::putByIndexCommon):
1150         (JSC::performProxyCall):
1151         (JSC::performProxyConstruct):
1152         (JSC::ProxyObject::performDelete):
1153         (JSC::ProxyObject::performPreventExtensions):
1154         (JSC::ProxyObject::performIsExtensible):
1155         (JSC::ProxyObject::performDefineOwnProperty):
1156         (JSC::ProxyObject::performGetOwnPropertyNames):
1157         (JSC::ProxyObject::performSetPrototype):
1158         (JSC::ProxyObject::performGetPrototype):
1159         * runtime/ReflectObject.cpp:
1160         (JSC::reflectObjectConstruct):
1161         (JSC::reflectObjectDefineProperty):
1162         (JSC::reflectObjectGet):
1163         (JSC::reflectObjectGetOwnPropertyDescriptor):
1164         (JSC::reflectObjectIsExtensible):
1165         (JSC::reflectObjectPreventExtensions):
1166         (JSC::reflectObjectSet):
1167         (JSC::reflectObjectSetPrototypeOf):
1168         * runtime/RegExpConstructor.cpp:
1169         (JSC::toFlags):
1170         (JSC::regExpCreate):
1171         (JSC::constructRegExp):
1172         * runtime/RegExpConstructor.h:
1173         (JSC::isRegExp):
1174         * runtime/RegExpObject.cpp:
1175         (JSC::collectMatches):
1176         (JSC::RegExpObject::matchGlobal):
1177         * runtime/RegExpPrototype.cpp:
1178         (JSC::regExpProtoFuncCompile):
1179         (JSC::flagsString):
1180         (JSC::regExpProtoFuncToString):
1181         (JSC::regExpProtoGetterFlags):
1182         (JSC::regExpProtoFuncSearchFast):
1183         (JSC::regExpProtoFuncSplitFast):
1184         * runtime/SetConstructor.cpp:
1185         (JSC::constructSet):
1186         * runtime/StringConstructor.cpp:
1187         (JSC::stringFromCodePoint):
1188         (JSC::constructWithStringConstructor):
1189         * runtime/StringObject.cpp:
1190         (JSC::StringObject::defineOwnProperty):
1191         * runtime/StringPrototype.cpp:
1192         (JSC::replaceUsingRegExpSearch):
1193         (JSC::operationStringProtoFuncReplaceRegExpEmptyStr):
1194         (JSC::replaceUsingStringSearch):
1195         (JSC::replace):
1196         (JSC::stringProtoFuncReplaceUsingRegExp):
1197         (JSC::stringProtoFuncReplaceUsingStringSearch):
1198         (JSC::stringProtoFuncCodePointAt):
1199         (JSC::stringProtoFuncSlice):
1200         (JSC::stringProtoFuncSplitFast):
1201         (JSC::stringProtoFuncSubstr):
1202         (JSC::stringProtoFuncSubstring):
1203         (JSC::stringProtoFuncLocaleCompare):
1204         (JSC::toLocaleCase):
1205         (JSC::stringProtoFuncBig):
1206         (JSC::stringProtoFuncSmall):
1207         (JSC::stringProtoFuncBlink):
1208         (JSC::stringProtoFuncBold):
1209         (JSC::stringProtoFuncFixed):
1210         (JSC::stringProtoFuncItalics):
1211         (JSC::stringProtoFuncStrike):
1212         (JSC::stringProtoFuncSub):
1213         (JSC::stringProtoFuncSup):
1214         (JSC::stringProtoFuncFontcolor):
1215         (JSC::stringProtoFuncFontsize):
1216         (JSC::stringProtoFuncAnchor):
1217         (JSC::stringProtoFuncLink):
1218         (JSC::trimString):
1219         (JSC::stringProtoFuncStartsWith):
1220         (JSC::stringProtoFuncEndsWith):
1221         (JSC::stringIncludesImpl):
1222         (JSC::stringProtoFuncIncludes):
1223         (JSC::builtinStringIncludesInternal):
1224         (JSC::stringProtoFuncNormalize):
1225         * runtime/SymbolConstructor.cpp:
1226         (JSC::symbolConstructorFor):
1227         * runtime/TemplateRegistry.cpp:
1228         (JSC::TemplateRegistry::getTemplateObject):
1229         * runtime/ThrowScope.cpp:
1230         (JSC::ThrowScope::ThrowScope):
1231         (JSC::ThrowScope::~ThrowScope):
1232         (JSC::ThrowScope::throwException):
1233         (JSC::ThrowScope::simulateThrow):
1234         (JSC::ThrowScope::printIfNeedCheck): Deleted.
1235         (JSC::ThrowScope::verifyExceptionCheckNeedIsSatisfied): Deleted.
1236         * runtime/ThrowScope.h:
1237         (JSC::ThrowScope::release):
1238         (JSC::ThrowScope::ThrowScope):
1239         (JSC::ThrowScope::throwException):
1240         (JSC::ThrowScope::vm): Deleted.
1241         (JSC::ThrowScope::exception): Deleted.
1242         * runtime/ThrowScopeLocation.h: Removed.
1243         * runtime/VM.cpp:
1244         (JSC::VM::verifyExceptionCheckNeedIsSatisfied):
1245         * runtime/VM.h:
1246         (JSC::VM::exception):
1247         (JSC::VM::clearException):
1248         (JSC::VM::setException): Deleted.
1249         * runtime/WeakMapConstructor.cpp:
1250         (JSC::constructWeakMap):
1251         * runtime/WeakSetConstructor.cpp:
1252         (JSC::constructWeakSet):
1253         * tools/JSDollarVMPrototype.cpp:
1254         (JSC::functionPrint):
1255
1256 2016-09-07  Andy VanWagoner  <thetalecrafter@gmail.com>
1257
1258         [INTL] some valid language tags cause errors in Intl constructors
1259         https://bugs.webkit.org/show_bug.cgi?id=161672
1260
1261         Reviewed by Mark Lam.
1262
1263         Fix private use tag parsing to match spec, allowing single character parts.
1264         https://www.rfc-editor.org/rfc/bcp/bcp47.txt
1265
1266         ```
1267         privateuse    = "x" 1*("-" (1*8alphanum))
1268         ```
1269
1270         * runtime/IntlObject.cpp:
1271         (JSC::privateUseLangTag): Allow singleton parts in private use tag.
1272
1273 2016-09-07  Benjamin Poulain  <bpoulain@apple.com>
1274
1275         [JSC] Remove a couple of useless forward declaration
1276         https://bugs.webkit.org/show_bug.cgi?id=161676
1277
1278         Reviewed by Mark Lam.
1279
1280         JITMathICForwards.h should take care of declarating the Math ICs.
1281
1282         * bytecode/CodeBlock.h:
1283         * jit/JITOperations.h:
1284
1285 2016-09-07  Filip Pizlo  <fpizlo@apple.com>
1286
1287         Make emitAllocateWithNonNullAllocator's sub32() disallow-scratch-friendly
1288         https://bugs.webkit.org/show_bug.cgi?id=161706
1289
1290         Reviewed by Geoffrey Garen.
1291         
1292         You can't sub32(Addr, Reg) on not-x86 without using a scratch register. So, on those CPUs, we
1293         have to do something different.
1294
1295         * jit/AssemblyHelpers.h:
1296         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
1297
1298 2016-09-07  Michael Catanzaro  <mcatanzaro@igalia.com>
1299
1300         Unreviewed CMake build fix after r205552
1301
1302         * CMakeLists.txt:
1303
1304 2016-09-03  Keith Miller  <keith_miller@apple.com>
1305
1306         Add support for WASM Loops and Branches
1307         https://bugs.webkit.org/show_bug.cgi?id=161569
1308
1309         Reviewed by Benjamin Poulain.
1310
1311         This patch adds support for loops and branches to WASM. In order
1312         to support loops, we needed to change the way the B3IRGenerator
1313         tracked control information. Now, the control data holds three
1314         pieces of information: The continuation block, the loop branch
1315         target, and variables exiting the block. Whenever we branch to
1316         some control point we first check if it is a loop by checking that
1317         the loop branch target is non-null. If the branch is not targeting
1318         a loop, we map the stack values to the associated B3 variables for
1319         that stack slot.
1320
1321         Another interesting thing of note is that we now only allocate the
1322         continuation basic block lazily. This is beneficial when the
1323         continuation would just fall through to another block anyway. For
1324         example, in code like: (block ... (block (add 1 2) end) end) the
1325         continuation for the inner block just falls through to the outer
1326         block's continuation so we don't need an extra block.
1327
1328         * B3CallingConventions.cpp:
1329         (JSC::B3::jscCallingConvention): Deleted.
1330         * B3CallingConventions.h:
1331         (JSC::B3::CallingConvention::CallingConvention): Deleted.
1332         (JSC::B3::CallingConvention::iterate): Deleted.
1333         (JSC::B3::nextJSCOffset): Deleted.
1334         * JavaScriptCore.xcodeproj/project.pbxproj:
1335         * b3/B3Type.h:
1336         * testWASM.cpp:
1337         (runWASMTests):
1338         * wasm/WASMB3IRGenerator.cpp:
1339         (JSC::WASM::B3IRGenerator::LazyBlock::LazyBlock):
1340         (JSC::WASM::B3IRGenerator::LazyBlock::operator bool):
1341         (JSC::WASM::B3IRGenerator::LazyBlock::get):
1342         (JSC::WASM::B3IRGenerator::LazyBlock::dump):
1343         (JSC::WASM::B3IRGenerator::ControlData::ControlData):
1344         (JSC::WASM::B3IRGenerator::ControlData::dump):
1345         (JSC::WASM::B3IRGenerator::ControlData::targetBlockForBranch):
1346         (JSC::WASM::B3IRGenerator::ControlData::isLoop):
1347         (JSC::WASM::B3IRGenerator::addLocal):
1348         (JSC::WASM::B3IRGenerator::addArguments):
1349         (JSC::WASM::B3IRGenerator::setLocal):
1350         (JSC::WASM::B3IRGenerator::addBlock):
1351         (JSC::WASM::B3IRGenerator::addLoop):
1352         (JSC::WASM::B3IRGenerator::endBlock):
1353         (JSC::WASM::B3IRGenerator::addReturn):
1354         (JSC::WASM::B3IRGenerator::addBranch):
1355         (JSC::WASM::B3IRGenerator::initializeIncommingTypes):
1356         (JSC::WASM::B3IRGenerator::unifyValuesWithBlock):
1357         (JSC::WASM::B3IRGenerator::controlDataForLevel):
1358         (JSC::WASM::B3IRGenerator::dumpGraphAndControlStack):
1359         (JSC::WASM::parseAndCompile):
1360         (JSC::WASM::B3IRGenerator::unifyValuesWithLevel): Deleted.
1361         (JSC::WASM::B3IRGenerator::stackForControlLevel): Deleted.
1362         (JSC::WASM::B3IRGenerator::blockForControlLevel): Deleted.
1363         * wasm/WASMCallingConvention.cpp: Renamed from Source/JavaScriptCore/B3CallingConventions.cpp.
1364         (JSC::WASM::jscCallingConvention):
1365         * wasm/WASMCallingConvention.h: Renamed from Source/JavaScriptCore/B3CallingConventions.h.
1366         (JSC::WASM::CallingConvention::CallingConvention):
1367         (JSC::WASM::CallingConvention::iterate):
1368         (JSC::WASM::nextJSCOffset):
1369         * wasm/WASMFormat.h:
1370         (JSC::WASM::toB3Type):
1371         (JSC::WASM::isValueType):
1372         * wasm/WASMFunctionParser.h:
1373         (JSC::WASM::FunctionParser<Context>::parse):
1374         (JSC::WASM::FunctionParser<Context>::parseExpression):
1375         * wasm/WASMModuleParser.cpp:
1376         (JSC::WASM::ModuleParser::parseFunctionTypes):
1377         * wasm/WASMOps.h:
1378
1379 2016-09-07  Youenn Fablet  <youenn@apple.com>
1380
1381         [Streams API] Separate compile flag for ReadableStream and WritableStream
1382         https://bugs.webkit.org/show_bug.cgi?id=161044
1383
1384         Reviewed by Alex Christensen.
1385
1386         Moving from STREAMS_API to READABLE_STREAM_API and WRITABLE_STREAM_API compilation flags.
1387         Updated builtin test to cover the case of @conditional taking ENABLE(XX) || ENABLE(YY) flag.
1388
1389         * Configurations/FeatureDefines.xcconfig:
1390         * Scripts/tests/builtins/WebCore-GuardedInternalBuiltin-Separate.js:
1391         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
1392         * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
1393
1394 2016-09-07  Csaba Osztrogon√°c  <ossy@webkit.org>
1395
1396         Fix the ENABLE(WEBASSEMBLY) build on Linux
1397         https://bugs.webkit.org/show_bug.cgi?id=161685
1398
1399         Unreviewed buildfix.
1400
1401         * wasm/JSWASMModule.cpp:
1402
1403 2016-09-06  Saam Barati  <sbarati@apple.com>
1404
1405         ProxyObject's structure should not have ObjectPrototype as its prototype and it should not have special behavior for intercepting "__proto__"
1406         https://bugs.webkit.org/show_bug.cgi?id=161558
1407
1408         Reviewed by Benjamin Poulain.
1409
1410         ProxyObject had ObjectPrototype as its direct prototype.
1411         This could lead to infinite loops when doing a getDirectPrototype()
1412         loop.
1413
1414         Fixing this bug revealed another bug, which I made when implementing Proxy.
1415         We should not special case "__proto__" in get and set for Proxy Object's
1416         hooks. "__proto__" should just go through the normal set and get path.
1417
1418         * runtime/JSGlobalObject.cpp:
1419         (JSC::JSGlobalObject::init):
1420         * runtime/ProxyObject.cpp:
1421         (JSC::performProxyGet):
1422         (JSC::ProxyObject::put):
1423
1424 2016-09-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1425
1426         Make JSC::PrivateName copyable
1427         https://bugs.webkit.org/show_bug.cgi?id=161666
1428
1429         Reviewed by Ryosuke Niwa.
1430
1431         Define the custom copy constructor to make PrivateName copyable while using Ref<SymbolImpl>.
1432         And since the custom copy constructor deletes the default move constructor, we explcitly define
1433         it by `= default;`.
1434
1435         * runtime/PrivateName.h:
1436         (JSC::PrivateName::PrivateName):
1437
1438 2016-09-06  Daniel Bates  <dabates@apple.com>
1439
1440         [iOS] Build fails in JSCLLIntOffsetsExtractor - Ad Hoc code signing is not allowed with SDK 'Simulator - iOS 10.0'
1441         https://bugs.webkit.org/show_bug.cgi?id=161296
1442
1443         Reviewed by Dan Bernstein.
1444
1445         Allow ad-hoc code signing when building JavaScriptCore command line tools for simulator
1446         with the iOS 10 beta SDK.
1447
1448         * Configurations/Base.xcconfig:
1449
1450 2016-09-06  Saam Barati  <sbarati@apple.com>
1451
1452         Unreviewed build fix for 32-bit platforms after r205520.
1453
1454         * dfg/DFGSpeculativeJIT.h:
1455         (JSC::DFG::SpeculativeJIT::callOperation): Deleted.
1456
1457 2016-09-06  Saam Barati  <sbarati@apple.com>
1458
1459         Member call on NULL pointer in JavaScriptCore/dfg/DFGAbstractInterpretterInlines.h
1460         https://bugs.webkit.org/show_bug.cgi?id=160870
1461
1462         Reviewed by Darin Adler.
1463
1464         Credit goes to Jonathan Bedard for finding this bug using the undefined
1465         behavior sanitizer.
1466
1467         The rule for MaterializeNewObject inside AI was assuming that the graph
1468         is in SSA form. This used to be true when MaterializeNewObject was only
1469         inserted by the allocation sinking phase. However, Filip added more uses
1470         of MaterializeNewObject in his RegExp constant folding patch. This fixes
1471         the bug by using the structure set inside the Node's OpInfo rather than
1472         generating it from m_phiChildren inside AI.
1473
1474         * dfg/DFGAbstractInterpreterInlines.h:
1475         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1476
1477 2016-09-06  Saam Barati  <sbarati@apple.com>
1478
1479         Make JSMap and JSSet faster
1480         https://bugs.webkit.org/show_bug.cgi?id=160989
1481
1482         Reviewed by Filip Pizlo.
1483
1484         This patch revamps how we implement Map and Set. It uses
1485         a new hash map implementation. The hash map uses linear
1486         probing and it uses Wang's 64 bit hash function for JSValues
1487         that aren't strings. Strings use StringImpl's hash function.
1488         The reason I wanted to roll our own HashTable is twofold:
1489         I didn't want to inline WTF::HashMap's implementation into our
1490         JIT, since that seems error prone and unmaintainable. Also, I wanted
1491         a different structure for hash map buckets where buckets also exist in
1492         a linked list.
1493
1494         The reason for making buckets part of a linked list is that iteration
1495         is now simple. Iteration works by just traversing a linked list.
1496         This design also allows for a simple implementation when doing iteration
1497         while the hash table is mutating. Whenever we remove a bucket from
1498         the hash table, it is removed from the list, meaning items in the
1499         list don't point to it. However, the removed bucket will still point
1500         to things that are either in the list, or have also been removed.
1501         e.g, from a removed bucket, you can always follow pointers until you
1502         either find an item in the list, or you find the tail of the list.
1503         This is a really nice property because it means that a Map or Set
1504         does not need to reason about the all the iterators that point
1505         into its list. Also, whenever we add items to the Map or Set, we
1506         hijack the tail as the new item, and make the new item point to a newly
1507         created tail. This means that any iterator that pointed to the "tail" now
1508         points to non-tail items. This makes the implementation of adding things
1509         to the Map/Set while iterating easy.
1510
1511         I also made Map.prototype.get, Map.prototype.has, and Set.prototype.has
1512         into intrinsics in the DFG. The IR can now reason about hash map
1513         operations and can even do CSE over Wang's hash function, hash map
1514         bucket lookups, hash map bucket loads, and testing if a key is in
1515         the hash table. This makes code patterns for Map like so, super fast
1516         in the FTL, since we will only be doing a single hash and hash bucket lookup:
1517
1518         ```
1519         function getKeyIfPresent(map, key) {
1520             if (map.has(key))
1521                 return map.get(key);
1522         }
1523         ```
1524
1525         This patch is roughly an 8% speedup on ES6SampleBench.
1526
1527
1528         * CMakeLists.txt:
1529         * JavaScriptCore.xcodeproj/project.pbxproj:
1530         * assembler/MacroAssemblerARM64.h:
1531         (JSC::MacroAssemblerARM64::not64):
1532         * bytecode/SpeculatedType.cpp:
1533         (JSC::speculationFromClassInfo):
1534         * bytecode/SpeculatedType.h:
1535         * dfg/DFGAbstractInterpreterInlines.h:
1536         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1537         (JSC::DFG::AbstractInterpreter<AbstractStateType>::execute):
1538         * dfg/DFGByteCodeParser.cpp:
1539         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1540         * dfg/DFGClobberize.h:
1541         (JSC::DFG::clobberize):
1542         * dfg/DFGDoesGC.cpp:
1543         (JSC::DFG::doesGC):
1544         * dfg/DFGEdge.h:
1545         (JSC::DFG::Edge::shift):
1546         (JSC::DFG::Edge::makeWord):
1547         * dfg/DFGFixupPhase.cpp:
1548         (JSC::DFG::FixupPhase::fixupNode):
1549         * dfg/DFGHeapLocation.cpp:
1550         (WTF::printInternal):
1551         * dfg/DFGHeapLocation.h:
1552         * dfg/DFGNode.h:
1553         (JSC::DFG::Node::hasHeapPrediction):
1554         * dfg/DFGNodeType.h:
1555         * dfg/DFGOperations.cpp:
1556         * dfg/DFGOperations.h:
1557         * dfg/DFGPredictionPropagationPhase.cpp:
1558         * dfg/DFGSafeToExecute.h:
1559         (JSC::DFG::SafeToExecuteEdge::operator()):
1560         (JSC::DFG::safeToExecute):
1561         * dfg/DFGSpeculativeJIT.cpp:
1562         (JSC::DFG::SpeculativeJIT::speculateMapObject):
1563         (JSC::DFG::SpeculativeJIT::speculateSetObject):
1564         (JSC::DFG::SpeculativeJIT::speculate):
1565         * dfg/DFGSpeculativeJIT.h:
1566         (JSC::DFG::SpeculativeJIT::callOperation):
1567         * dfg/DFGSpeculativeJIT32_64.cpp:
1568         (JSC::DFG::SpeculativeJIT::compile):
1569         * dfg/DFGSpeculativeJIT64.cpp:
1570         (JSC::DFG::SpeculativeJIT::compile):
1571         * dfg/DFGUseKind.cpp:
1572         (WTF::printInternal):
1573         * dfg/DFGUseKind.h:
1574         (JSC::DFG::typeFilterFor):
1575         (JSC::DFG::isCell):
1576         * ftl/FTLAbstractHeapRepository.h:
1577         * ftl/FTLCapabilities.cpp:
1578         (JSC::FTL::canCompile):
1579         * ftl/FTLLowerDFGToB3.cpp:
1580         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1581         (JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
1582         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
1583         (JSC::FTL::DFG::LowerDFGToB3::compileLoadFromJSMapBucket):
1584         (JSC::FTL::DFG::LowerDFGToB3::compileIsNonEmptyMapBucket):
1585         (JSC::FTL::DFG::LowerDFGToB3::lowMapObject):
1586         (JSC::FTL::DFG::LowerDFGToB3::lowSetObject):
1587         (JSC::FTL::DFG::LowerDFGToB3::lowMapBucket):
1588         (JSC::FTL::DFG::LowerDFGToB3::speculate):
1589         (JSC::FTL::DFG::LowerDFGToB3::speculateMapObject):
1590         (JSC::FTL::DFG::LowerDFGToB3::speculateSetObject):
1591         (JSC::FTL::DFG::LowerDFGToB3::setMapBucket):
1592         (JSC::FTL::DFG::LowerDFGToB3::lowRegExpObject): Deleted.
1593         (JSC::FTL::DFG::LowerDFGToB3::lowStorage): Deleted.
1594         (JSC::FTL::DFG::LowerDFGToB3::speculateRegExpObject): Deleted.
1595         (JSC::FTL::DFG::LowerDFGToB3::setStorage): Deleted.
1596         * jit/AssemblyHelpers.cpp:
1597         (JSC::AssemblyHelpers::wangsInt64Hash):
1598         * jit/AssemblyHelpers.h:
1599         (JSC::AssemblyHelpers::emitAllocateDestructibleObject): Deleted.
1600         * jit/JITOperations.h:
1601         * parser/ModuleAnalyzer.cpp:
1602         (JSC::ModuleAnalyzer::ModuleAnalyzer):
1603         * runtime/HashMapImpl.cpp: Added.
1604         (JSC::HashMapBucket<Data>::visitChildren):
1605         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
1606         (JSC::HashMapImpl<HashMapBucket>::copyBackingStore):
1607         * runtime/HashMapImpl.h: Added.
1608         (JSC::HashMapBucket::selectStructure):
1609         (JSC::HashMapBucket::createStructure):
1610         (JSC::HashMapBucket::create):
1611         (JSC::HashMapBucket::HashMapBucket):
1612         (JSC::HashMapBucket::setNext):
1613         (JSC::HashMapBucket::setPrev):
1614         (JSC::HashMapBucket::setKey):
1615         (JSC::HashMapBucket::setValue):
1616         (JSC::HashMapBucket::key):
1617         (JSC::HashMapBucket::value):
1618         (JSC::HashMapBucket::next):
1619         (JSC::HashMapBucket::prev):
1620         (JSC::HashMapBucket::deleted):
1621         (JSC::HashMapBucket::setDeleted):
1622         (JSC::HashMapBucket::offsetOfKey):
1623         (JSC::HashMapBucket::offsetOfValue):
1624         (JSC::HashMapBuffer::allocationSize):
1625         (JSC::HashMapBuffer::buffer):
1626         (JSC::HashMapBuffer::create):
1627         (JSC::areKeysEqual):
1628         (JSC::normalizeMapKey):
1629         (JSC::jsMapHash):
1630         (JSC::HashMapImpl::selectStructure):
1631         (JSC::HashMapImpl::createStructure):
1632         (JSC::HashMapImpl::create):
1633         (JSC::HashMapImpl::HashMapImpl):
1634         (JSC::HashMapImpl::buffer):
1635         (JSC::HashMapImpl::finishCreation):
1636         (JSC::HashMapImpl::emptyValue):
1637         (JSC::HashMapImpl::isEmpty):
1638         (JSC::HashMapImpl::deletedValue):
1639         (JSC::HashMapImpl::isDeleted):
1640         (JSC::HashMapImpl::findBucket):
1641         (JSC::HashMapImpl::get):
1642         (JSC::HashMapImpl::has):
1643         (JSC::HashMapImpl::add):
1644         (JSC::HashMapImpl::remove):
1645         (JSC::HashMapImpl::size):
1646         (JSC::HashMapImpl::clear):
1647         (JSC::HashMapImpl::bufferSizeInBytes):
1648         (JSC::HashMapImpl::offsetOfBuffer):
1649         (JSC::HashMapImpl::offsetOfCapacity):
1650         (JSC::HashMapImpl::head):
1651         (JSC::HashMapImpl::tail):
1652         (JSC::HashMapImpl::approximateSize):
1653         (JSC::HashMapImpl::findBucketAlreadyHashedAndNormalized):
1654         (JSC::HashMapImpl::rehash):
1655         (JSC::HashMapImpl::makeAndSetNewBuffer):
1656         * runtime/Intrinsic.h:
1657         * runtime/JSCJSValue.h:
1658         * runtime/JSCJSValueInlines.h:
1659         (JSC::sameValue):
1660         * runtime/JSGlobalObject.cpp:
1661         (JSC::JSGlobalObject::init):
1662         * runtime/JSMap.cpp:
1663         (JSC::JSMap::destroy): Deleted.
1664         (JSC::JSMap::estimatedSize): Deleted.
1665         (JSC::JSMap::visitChildren): Deleted.
1666         (JSC::JSMap::copyBackingStore): Deleted.
1667         (JSC::JSMap::has): Deleted.
1668         (JSC::JSMap::size): Deleted.
1669         (JSC::JSMap::get): Deleted.
1670         (JSC::JSMap::set): Deleted.
1671         (JSC::JSMap::clear): Deleted.
1672         (JSC::JSMap::remove): Deleted.
1673         * runtime/JSMap.h:
1674         (JSC::JSMap::createStructure):
1675         (JSC::JSMap::create):
1676         (JSC::JSMap::get):
1677         (JSC::JSMap::set):
1678         (JSC::JSMap::JSMap):
1679         (JSC::JSMap::Entry::key): Deleted.
1680         (JSC::JSMap::Entry::value): Deleted.
1681         (JSC::JSMap::Entry::visitChildren): Deleted.
1682         (JSC::JSMap::Entry::setKey): Deleted.
1683         (JSC::JSMap::Entry::setKeyWithoutWriteBarrier): Deleted.
1684         (JSC::JSMap::Entry::setValue): Deleted.
1685         (JSC::JSMap::Entry::clear): Deleted.
1686         * runtime/JSMapIterator.cpp:
1687         (JSC::JSMapIterator::finishCreation):
1688         (JSC::JSMapIterator::visitChildren):
1689         (JSC::JSMapIterator::clone):
1690         * runtime/JSMapIterator.h:
1691         (JSC::JSMapIterator::advanceIter):
1692         (JSC::JSMapIterator::next):
1693         (JSC::JSMapIterator::nextKeyValue):
1694         (JSC::JSMapIterator::JSMapIterator):
1695         (JSC::JSMapIterator::setIterator):
1696         (JSC::JSMapIterator::finish): Deleted.
1697         (JSC::JSMapIterator::iteratorData): Deleted.
1698         * runtime/JSModuleLoader.cpp:
1699         (JSC::JSModuleLoader::finishCreation):
1700         * runtime/JSModuleLoader.h:
1701         (JSC::JSModuleLoader::create):
1702         * runtime/JSModuleRecord.cpp:
1703         (JSC::JSModuleRecord::finishCreation):
1704         * runtime/JSModuleRecord.h:
1705         (JSC::JSModuleRecord::create):
1706         * runtime/JSSet.cpp:
1707         (JSC::JSSet::destroy): Deleted.
1708         (JSC::JSSet::estimatedSize): Deleted.
1709         (JSC::JSSet::visitChildren): Deleted.
1710         (JSC::JSSet::copyBackingStore): Deleted.
1711         (JSC::JSSet::has): Deleted.
1712         (JSC::JSSet::size): Deleted.
1713         (JSC::JSSet::add): Deleted.
1714         (JSC::JSSet::clear): Deleted.
1715         (JSC::JSSet::remove): Deleted.
1716         * runtime/JSSet.h:
1717         (JSC::JSSet::createStructure):
1718         (JSC::JSSet::create):
1719         (JSC::JSSet::add):
1720         (JSC::JSSet::JSSet):
1721         (JSC::JSSet::Entry::key): Deleted.
1722         (JSC::JSSet::Entry::value): Deleted.
1723         (JSC::JSSet::Entry::visitChildren): Deleted.
1724         (JSC::JSSet::Entry::setKey): Deleted.
1725         (JSC::JSSet::Entry::setKeyWithoutWriteBarrier): Deleted.
1726         (JSC::JSSet::Entry::setValue): Deleted.
1727         (JSC::JSSet::Entry::clear): Deleted.
1728         * runtime/JSSetIterator.cpp:
1729         (JSC::JSSetIterator::finishCreation):
1730         (JSC::JSSetIterator::visitChildren):
1731         (JSC::JSSetIterator::clone):
1732         * runtime/JSSetIterator.h:
1733         (JSC::JSSetIterator::advanceIter):
1734         (JSC::JSSetIterator::next):
1735         (JSC::JSSetIterator::JSSetIterator):
1736         (JSC::JSSetIterator::setIterator):
1737         (JSC::JSSetIterator::finish): Deleted.
1738         (JSC::JSSetIterator::iteratorData): Deleted.
1739         * runtime/JSType.h:
1740         * runtime/MapBase.cpp: Added.
1741         (JSC::MapBase<HashMapBucketType>::visitChildren):
1742         (JSC::MapBase<HashMapBucketType>::estimatedSize):
1743         * runtime/MapBase.h: Added.
1744         (JSC::MapBase::size):
1745         (JSC::MapBase::has):
1746         (JSC::MapBase::clear):
1747         (JSC::MapBase::remove):
1748         (JSC::MapBase::findBucket):
1749         (JSC::MapBase::offsetOfHashMapImpl):
1750         (JSC::MapBase::impl):
1751         (JSC::MapBase::finishCreation):
1752         (JSC::MapBase::MapBase):
1753         * runtime/MapConstructor.cpp:
1754         (JSC::constructMap):
1755         * runtime/MapIteratorPrototype.cpp:
1756         (JSC::MapIteratorPrototypeFuncNext):
1757         * runtime/MapPrototype.cpp:
1758         (JSC::MapPrototype::finishCreation):
1759         (JSC::getMap):
1760         (JSC::privateFuncIsMap):
1761         (JSC::privateFuncMapIteratorNext):
1762         * runtime/PropertyDescriptor.cpp:
1763         (JSC::sameValue): Deleted.
1764         * runtime/PropertyDescriptor.h:
1765         * runtime/SetConstructor.cpp:
1766         (JSC::constructSet):
1767         * runtime/SetIteratorPrototype.cpp:
1768         (JSC::SetIteratorPrototypeFuncNext):
1769         * runtime/SetPrototype.cpp:
1770         (JSC::SetPrototype::finishCreation):
1771         (JSC::getSet):
1772         (JSC::privateFuncSetIteratorNext):
1773         * runtime/VM.cpp:
1774         (JSC::VM::VM):
1775         * runtime/VM.h:
1776
1777 2016-09-06  Benjamin Poulain  <bpoulain@apple.com>
1778
1779         [JSC] Make ArithClz32 work with Cell arguments
1780         https://bugs.webkit.org/show_bug.cgi?id=161369
1781
1782         Reviewed by Geoffrey Garen.
1783
1784         ArithClz32 was already working with all primitive types
1785         thanks to the magic of ValueToInt32.
1786         This patch adds support for cell arguments through a function
1787         call.
1788
1789         * dfg/DFGAbstractInterpreterInlines.h:
1790         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1791         * dfg/DFGClobberize.h:
1792         (JSC::DFG::clobberize):
1793         * dfg/DFGFixupPhase.cpp:
1794         (JSC::DFG::FixupPhase::fixupNode):
1795         * dfg/DFGNodeType.h:
1796         * dfg/DFGOperations.cpp:
1797         * dfg/DFGOperations.h:
1798         * dfg/DFGSpeculativeJIT.cpp:
1799         (JSC::DFG::SpeculativeJIT::compileArithClz32):
1800         * dfg/DFGSpeculativeJIT.h:
1801         (JSC::DFG::SpeculativeJIT::callOperation):
1802         * ftl/FTLLowerDFGToB3.cpp:
1803         (JSC::FTL::DFG::LowerDFGToB3::compileArithClz32):
1804
1805 2016-09-06  Mark Lam  <mark.lam@apple.com>
1806
1807         Gardening: change to use old header guard to appease Win EWS.
1808
1809         Not reviewed.
1810
1811         * runtime/AuxiliaryBarrier.h:
1812
1813 2016-09-06  Commit Queue  <commit-queue@webkit.org>
1814
1815         Unreviewed, rolling out r205494.
1816         https://bugs.webkit.org/show_bug.cgi?id=161646
1817
1818         This change broke the Windows build (Requested by ryanhaddad
1819         on #webkit).
1820
1821         Reverted changeset:
1822
1823         "Typed arrays should use MarkedSpace instead of CopiedSpace"
1824         https://bugs.webkit.org/show_bug.cgi?id=161100
1825         http://trac.webkit.org/changeset/205494
1826
1827 2016-09-06  Commit Queue  <commit-queue@webkit.org>
1828
1829         Unreviewed, rolling out r205504.
1830         https://bugs.webkit.org/show_bug.cgi?id=161645
1831
1832         Broke the iOS device build (Requested by ryanhaddad on
1833         #webkit).
1834
1835         Reverted changeset:
1836
1837         "Make JSMap and JSSet faster"
1838         https://bugs.webkit.org/show_bug.cgi?id=160989
1839         http://trac.webkit.org/changeset/205504
1840
1841 2016-09-06  Saam Barati  <sbarati@apple.com>
1842
1843         Make JSMap and JSSet faster
1844         https://bugs.webkit.org/show_bug.cgi?id=160989
1845
1846         Reviewed by Filip Pizlo.
1847
1848         This patch revamps how we implement Map and Set. It uses
1849         a new hash map implementation. The hash map uses linear
1850         probing and it uses Wang's 64 bit hash function for JSValues
1851         that aren't strings. Strings use StringImpl's hash function.
1852         The reason I wanted to roll our own HashTable is twofold:
1853         I didn't want to inline WTF::HashMap's implementation into our
1854         JIT, since that seems error prone and unmaintainable. Also, I wanted
1855         a different structure for hash map buckets where buckets also exist in
1856         a linked list.
1857
1858         The reason for making buckets part of a linked list is that iteration
1859         is now simple. Iteration works by just traversing a linked list.
1860         This design also allows for a simple implementation when doing iteration
1861         while the hash table is mutating. Whenever we remove a bucket from
1862         the hash table, it is removed from the list, meaning items in the
1863         list don't point to it. However, the removed bucket will still point
1864         to things that are either in the list, or have also been removed.
1865         e.g, from a removed bucket, you can always follow pointers until you
1866         either find an item in the list, or you find the tail of the list.
1867         This is a really nice property because it means that a Map or Set
1868         does not need to reason about the all the iterators that point
1869         into its list. Also, whenever we add items to the Map or Set, we
1870         hijack the tail as the new item, and make the new item point to a newly
1871         created tail. This means that any iterator that pointed to the "tail" now
1872         points to non-tail items. This makes the implementation of adding things
1873         to the Map/Set while iterating easy.
1874
1875         I also made Map.prototype.get, Map.prototype.has, and Set.prototype.has
1876         into intrinsics in the DFG. The IR can now reason about hash map
1877         operations and can even do CSE over Wang's hash function, hash map
1878         bucket lookups, hash map bucket loads, and testing if a key is in
1879         the hash table. This makes code patterns for Map like so, super fast
1880         in the FTL, since we will only be doing a single hash and hash bucket lookup:
1881
1882         ```
1883         function getKeyIfPresent(map, key) {
1884             if (map.has(key))
1885                 return map.get(key);
1886         }
1887         ```
1888
1889         This patch is roughly an 8% speedup on ES6SampleBench.
1890
1891         * CMakeLists.txt:
1892         * JavaScriptCore.xcodeproj/project.pbxproj:
1893         * bytecode/SpeculatedType.cpp:
1894         (JSC::speculationFromClassInfo):
1895         * bytecode/SpeculatedType.h:
1896         * dfg/DFGAbstractInterpreterInlines.h:
1897         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1898         (JSC::DFG::AbstractInterpreter<AbstractStateType>::execute):
1899         * dfg/DFGByteCodeParser.cpp:
1900         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1901         * dfg/DFGClobberize.h:
1902         (JSC::DFG::clobberize):
1903         * dfg/DFGDoesGC.cpp:
1904         (JSC::DFG::doesGC):
1905         * dfg/DFGEdge.h:
1906         (JSC::DFG::Edge::shift):
1907         (JSC::DFG::Edge::makeWord):
1908         * dfg/DFGFixupPhase.cpp:
1909         (JSC::DFG::FixupPhase::fixupNode):
1910         * dfg/DFGHeapLocation.cpp:
1911         (WTF::printInternal):
1912         * dfg/DFGHeapLocation.h:
1913         * dfg/DFGNode.h:
1914         (JSC::DFG::Node::hasHeapPrediction):
1915         * dfg/DFGNodeType.h:
1916         * dfg/DFGOperations.cpp:
1917         * dfg/DFGOperations.h:
1918         * dfg/DFGPredictionPropagationPhase.cpp:
1919         * dfg/DFGSafeToExecute.h:
1920         (JSC::DFG::SafeToExecuteEdge::operator()):
1921         (JSC::DFG::safeToExecute):
1922         * dfg/DFGSpeculativeJIT.cpp:
1923         (JSC::DFG::SpeculativeJIT::speculateMapObject):
1924         (JSC::DFG::SpeculativeJIT::speculateSetObject):
1925         (JSC::DFG::SpeculativeJIT::speculate):
1926         * dfg/DFGSpeculativeJIT.h:
1927         (JSC::DFG::SpeculativeJIT::callOperation):
1928         * dfg/DFGSpeculativeJIT32_64.cpp:
1929         (JSC::DFG::SpeculativeJIT::compile):
1930         * dfg/DFGSpeculativeJIT64.cpp:
1931         (JSC::DFG::SpeculativeJIT::compile):
1932         * dfg/DFGUseKind.cpp:
1933         (WTF::printInternal):
1934         * dfg/DFGUseKind.h:
1935         (JSC::DFG::typeFilterFor):
1936         (JSC::DFG::isCell):
1937         * ftl/FTLAbstractHeapRepository.h:
1938         * ftl/FTLCapabilities.cpp:
1939         (JSC::FTL::canCompile):
1940         * ftl/FTLLowerDFGToB3.cpp:
1941         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1942         (JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
1943         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
1944         (JSC::FTL::DFG::LowerDFGToB3::compileLoadFromJSMapBucket):
1945         (JSC::FTL::DFG::LowerDFGToB3::compileIsNonEmptyMapBucket):
1946         (JSC::FTL::DFG::LowerDFGToB3::lowMapObject):
1947         (JSC::FTL::DFG::LowerDFGToB3::lowSetObject):
1948         (JSC::FTL::DFG::LowerDFGToB3::lowMapBucket):
1949         (JSC::FTL::DFG::LowerDFGToB3::speculate):
1950         (JSC::FTL::DFG::LowerDFGToB3::speculateMapObject):
1951         (JSC::FTL::DFG::LowerDFGToB3::speculateSetObject):
1952         (JSC::FTL::DFG::LowerDFGToB3::setMapBucket):
1953         (JSC::FTL::DFG::LowerDFGToB3::lowRegExpObject): Deleted.
1954         (JSC::FTL::DFG::LowerDFGToB3::lowStorage): Deleted.
1955         (JSC::FTL::DFG::LowerDFGToB3::speculateRegExpObject): Deleted.
1956         (JSC::FTL::DFG::LowerDFGToB3::setStorage): Deleted.
1957         * jit/AssemblyHelpers.cpp:
1958         (JSC::AssemblyHelpers::wangsInt64Hash):
1959         * jit/AssemblyHelpers.h:
1960         (JSC::AssemblyHelpers::emitAllocateDestructibleObject): Deleted.
1961         * jit/JITOperations.h:
1962         * parser/ModuleAnalyzer.cpp:
1963         (JSC::ModuleAnalyzer::ModuleAnalyzer):
1964         * runtime/HashMapImpl.cpp: Added.
1965         (JSC::HashMapBucket<Data>::visitChildren):
1966         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
1967         (JSC::HashMapImpl<HashMapBucket>::copyBackingStore):
1968         * runtime/HashMapImpl.h: Added.
1969         (JSC::HashMapBucket::selectStructure):
1970         (JSC::HashMapBucket::createStructure):
1971         (JSC::HashMapBucket::create):
1972         (JSC::HashMapBucket::HashMapBucket):
1973         (JSC::HashMapBucket::setNext):
1974         (JSC::HashMapBucket::setPrev):
1975         (JSC::HashMapBucket::setKey):
1976         (JSC::HashMapBucket::setValue):
1977         (JSC::HashMapBucket::key):
1978         (JSC::HashMapBucket::value):
1979         (JSC::HashMapBucket::next):
1980         (JSC::HashMapBucket::prev):
1981         (JSC::HashMapBucket::deleted):
1982         (JSC::HashMapBucket::setDeleted):
1983         (JSC::HashMapBucket::offsetOfKey):
1984         (JSC::HashMapBucket::offsetOfValue):
1985         (JSC::HashMapBuffer::allocationSize):
1986         (JSC::HashMapBuffer::buffer):
1987         (JSC::HashMapBuffer::create):
1988         (JSC::areKeysEqual):
1989         (JSC::normalizeMapKey):
1990         (JSC::jsMapHash):
1991         (JSC::HashMapImpl::selectStructure):
1992         (JSC::HashMapImpl::createStructure):
1993         (JSC::HashMapImpl::create):
1994         (JSC::HashMapImpl::HashMapImpl):
1995         (JSC::HashMapImpl::buffer):
1996         (JSC::HashMapImpl::finishCreation):
1997         (JSC::HashMapImpl::emptyValue):
1998         (JSC::HashMapImpl::isEmpty):
1999         (JSC::HashMapImpl::deletedValue):
2000         (JSC::HashMapImpl::isDeleted):
2001         (JSC::HashMapImpl::findBucket):
2002         (JSC::HashMapImpl::get):
2003         (JSC::HashMapImpl::has):
2004         (JSC::HashMapImpl::add):
2005         (JSC::HashMapImpl::remove):
2006         (JSC::HashMapImpl::size):
2007         (JSC::HashMapImpl::clear):
2008         (JSC::HashMapImpl::bufferSizeInBytes):
2009         (JSC::HashMapImpl::offsetOfBuffer):
2010         (JSC::HashMapImpl::offsetOfCapacity):
2011         (JSC::HashMapImpl::head):
2012         (JSC::HashMapImpl::tail):
2013         (JSC::HashMapImpl::approximateSize):
2014         (JSC::HashMapImpl::findBucketAlreadyHashedAndNormalized):
2015         (JSC::HashMapImpl::rehash):
2016         (JSC::HashMapImpl::makeAndSetNewBuffer):
2017         * runtime/Intrinsic.h:
2018         * runtime/JSCJSValue.h:
2019         * runtime/JSCJSValueInlines.h:
2020         (JSC::sameValue):
2021         * runtime/JSGlobalObject.cpp:
2022         (JSC::JSGlobalObject::init):
2023         * runtime/JSMap.cpp:
2024         (JSC::JSMap::destroy): Deleted.
2025         (JSC::JSMap::estimatedSize): Deleted.
2026         (JSC::JSMap::visitChildren): Deleted.
2027         (JSC::JSMap::copyBackingStore): Deleted.
2028         (JSC::JSMap::has): Deleted.
2029         (JSC::JSMap::size): Deleted.
2030         (JSC::JSMap::get): Deleted.
2031         (JSC::JSMap::set): Deleted.
2032         (JSC::JSMap::clear): Deleted.
2033         (JSC::JSMap::remove): Deleted.
2034         * runtime/JSMap.h:
2035         (JSC::JSMap::createStructure):
2036         (JSC::JSMap::create):
2037         (JSC::JSMap::get):
2038         (JSC::JSMap::set):
2039         (JSC::JSMap::JSMap):
2040         (JSC::JSMap::Entry::key): Deleted.
2041         (JSC::JSMap::Entry::value): Deleted.
2042         (JSC::JSMap::Entry::visitChildren): Deleted.
2043         (JSC::JSMap::Entry::setKey): Deleted.
2044         (JSC::JSMap::Entry::setKeyWithoutWriteBarrier): Deleted.
2045         (JSC::JSMap::Entry::setValue): Deleted.
2046         (JSC::JSMap::Entry::clear): Deleted.
2047         * runtime/JSMapIterator.cpp:
2048         (JSC::JSMapIterator::finishCreation):
2049         (JSC::JSMapIterator::visitChildren):
2050         (JSC::JSMapIterator::clone):
2051         * runtime/JSMapIterator.h:
2052         (JSC::JSMapIterator::advanceIter):
2053         (JSC::JSMapIterator::next):
2054         (JSC::JSMapIterator::nextKeyValue):
2055         (JSC::JSMapIterator::JSMapIterator):
2056         (JSC::JSMapIterator::setIterator):
2057         (JSC::JSMapIterator::finish): Deleted.
2058         (JSC::JSMapIterator::iteratorData): Deleted.
2059         * runtime/JSModuleLoader.cpp:
2060         (JSC::JSModuleLoader::finishCreation):
2061         * runtime/JSModuleLoader.h:
2062         (JSC::JSModuleLoader::create):
2063         * runtime/JSModuleRecord.cpp:
2064         (JSC::JSModuleRecord::finishCreation):
2065         * runtime/JSModuleRecord.h:
2066         (JSC::JSModuleRecord::create):
2067         * runtime/JSSet.cpp:
2068         (JSC::JSSet::destroy): Deleted.
2069         (JSC::JSSet::estimatedSize): Deleted.
2070         (JSC::JSSet::visitChildren): Deleted.
2071         (JSC::JSSet::copyBackingStore): Deleted.
2072         (JSC::JSSet::has): Deleted.
2073         (JSC::JSSet::size): Deleted.
2074         (JSC::JSSet::add): Deleted.
2075         (JSC::JSSet::clear): Deleted.
2076         (JSC::JSSet::remove): Deleted.
2077         * runtime/JSSet.h:
2078         (JSC::JSSet::createStructure):
2079         (JSC::JSSet::create):
2080         (JSC::JSSet::add):
2081         (JSC::JSSet::JSSet):
2082         (JSC::JSSet::Entry::key): Deleted.
2083         (JSC::JSSet::Entry::value): Deleted.
2084         (JSC::JSSet::Entry::visitChildren): Deleted.
2085         (JSC::JSSet::Entry::setKey): Deleted.
2086         (JSC::JSSet::Entry::setKeyWithoutWriteBarrier): Deleted.
2087         (JSC::JSSet::Entry::setValue): Deleted.
2088         (JSC::JSSet::Entry::clear): Deleted.
2089         * runtime/JSSetIterator.cpp:
2090         (JSC::JSSetIterator::finishCreation):
2091         (JSC::JSSetIterator::visitChildren):
2092         (JSC::JSSetIterator::clone):
2093         * runtime/JSSetIterator.h:
2094         (JSC::JSSetIterator::advanceIter):
2095         (JSC::JSSetIterator::next):
2096         (JSC::JSSetIterator::JSSetIterator):
2097         (JSC::JSSetIterator::setIterator):
2098         (JSC::JSSetIterator::finish): Deleted.
2099         (JSC::JSSetIterator::iteratorData): Deleted.
2100         * runtime/JSType.h:
2101         * runtime/MapBase.cpp: Added.
2102         (JSC::MapBase<HashMapBucketType>::visitChildren):
2103         (JSC::MapBase<HashMapBucketType>::estimatedSize):
2104         * runtime/MapBase.h: Added.
2105         (JSC::MapBase::size):
2106         (JSC::MapBase::has):
2107         (JSC::MapBase::clear):
2108         (JSC::MapBase::remove):
2109         (JSC::MapBase::findBucket):
2110         (JSC::MapBase::offsetOfHashMapImpl):
2111         (JSC::MapBase::impl):
2112         (JSC::MapBase::finishCreation):
2113         (JSC::MapBase::MapBase):
2114         * runtime/MapConstructor.cpp:
2115         (JSC::constructMap):
2116         * runtime/MapIteratorPrototype.cpp:
2117         (JSC::MapIteratorPrototypeFuncNext):
2118         * runtime/MapPrototype.cpp:
2119         (JSC::MapPrototype::finishCreation):
2120         (JSC::getMap):
2121         (JSC::privateFuncIsMap):
2122         (JSC::privateFuncMapIteratorNext):
2123         * runtime/PropertyDescriptor.cpp:
2124         (JSC::sameValue): Deleted.
2125         * runtime/PropertyDescriptor.h:
2126         * runtime/SetConstructor.cpp:
2127         (JSC::constructSet):
2128         * runtime/SetIteratorPrototype.cpp:
2129         (JSC::SetIteratorPrototypeFuncNext):
2130         * runtime/SetPrototype.cpp:
2131         (JSC::SetPrototype::finishCreation):
2132         (JSC::getSet):
2133         (JSC::privateFuncSetIteratorNext):
2134         * runtime/VM.cpp:
2135         (JSC::VM::VM):
2136         * runtime/VM.h:
2137
2138 2016-09-06  Filip Pizlo  <fpizlo@apple.com>
2139
2140         Typed arrays should use MarkedSpace instead of CopiedSpace
2141         https://bugs.webkit.org/show_bug.cgi?id=161100
2142
2143         Reviewed by Geoffrey Garen.
2144         
2145         This moves typed array backing stores out of CopiedSpace and into Auxiliary MarkedSpace.
2146         
2147         This is a purely mechanical change since Auxiliary MarkedSpace already knows how to do
2148         everything that typed arrays want.
2149
2150         * dfg/DFGOperations.cpp:
2151         (JSC::DFG::newTypedArrayWithSize):
2152         * dfg/DFGOperations.h:
2153         (JSC::DFG::operationNewTypedArrayWithSizeForType):
2154         * dfg/DFGSpeculativeJIT.cpp:
2155         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
2156         * dfg/DFGSpeculativeJIT.h:
2157         (JSC::DFG::SpeculativeJIT::callOperation):
2158         (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage): Deleted.
2159         * ftl/FTLLowerDFGToB3.cpp:
2160         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
2161         (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
2162         (JSC::FTL::DFG::LowerDFGToB3::splatWords):
2163         (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorageAndGetEnd): Deleted.
2164         (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorage): Deleted.
2165         * heap/CopyToken.h:
2166         * heap/SlotVisitor.cpp:
2167         (JSC::SlotVisitor::markAuxiliary):
2168         * jit/JITOperations.h:
2169         * runtime/JSArrayBufferView.cpp:
2170         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
2171         (JSC::JSArrayBufferView::JSArrayBufferView):
2172         * runtime/JSArrayBufferView.h:
2173         * runtime/JSGenericTypedArrayView.h:
2174         * runtime/JSGenericTypedArrayViewInlines.h:
2175         (JSC::JSGenericTypedArrayView<Adaptor>::createWithFastVector):
2176         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
2177         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
2178         (JSC::JSGenericTypedArrayView<Adaptor>::copyBackingStore): Deleted.
2179
2180 2016-09-06  Michael Catanzaro  <mcatanzaro@igalia.com>
2181
2182         Silence GCC warning spam introduced in r205462
2183
2184         Rubber-stamped by Filip Pizlo.
2185
2186         * bytecode/Opcode.h:
2187         (JSC::padOpcodeName):
2188
2189 2016-09-05  Filip Pizlo  <fpizlo@apple.com>
2190
2191         Heap::isMarked() should use concurrent lazy flipping
2192         https://bugs.webkit.org/show_bug.cgi?id=161613
2193
2194         Reviewed by Michael Catanzaro.
2195         
2196         I found out about this race condition via
2197         https://bugs.webkit.org/show_bug.cgi?id=160125#c233.
2198         
2199         The problem is that we use isMarked, and maybe even isLive, inside the concurrent mark
2200         phase. So, they need to lazy-flip in a non-racy way.
2201
2202         * heap/HeapInlines.h:
2203         (JSC::Heap::isLive):
2204         (JSC::Heap::isMarked):
2205
2206 2016-09-05  Filip Pizlo  <fpizlo@apple.com>
2207
2208         Unreviewed, reset generator test results after the butterflies.
2209
2210         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
2211         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
2212         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
2213         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
2214         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
2215         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
2216         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
2217         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
2218         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
2219         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
2220         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
2221         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
2222         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
2223         * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
2224
2225 2016-09-05  Filip Pizlo  <fpizlo@apple.com>
2226
2227         Unreviewed, fix cloop build.
2228
2229         * bytecode/SuperSampler.cpp:
2230
2231 2016-08-31  Filip Pizlo  <fpizlo@apple.com>
2232
2233         Butterflies should be allocated in Auxiliary MarkedSpace instead of CopiedSpace and we should rewrite as much of the GC as needed to make this not a regression
2234         https://bugs.webkit.org/show_bug.cgi?id=160125
2235
2236         Reviewed by Geoffrey Garen and Keith Miller.
2237
2238         In order to make the GC concurrent (bug 149432), we would either need to enable concurrent
2239         copying or we would need to not copy. Concurrent copying carries a 1-2% throughput overhead
2240         from the barriers alone. Considering that MarkedSpace does a decent job of avoiding
2241         fragmentation, it's unlikely that it's worth paying 1-2% throughput for copying. So, we want
2242         to get rid of copied space. This change moves copied space's biggest client over to marked
2243         space.
2244         
2245         Moving butterflies to marked space means having them use the new Auxiliary HeapCell
2246         allocation path. This is a fairly mechanical change, but it caused performance regressions
2247         everywhere, so this change also fixes MarkedSpace's performance issues.
2248         
2249         At a high level the mechanical changes are:
2250         
2251         - We use AuxiliaryBarrier instead of CopyBarrier.
2252         
2253         - We use tryAllocateAuxiliary instead of tryAllocateStorage. I got rid of the silly
2254           CheckedBoolean stuff, since it's so much more trouble than it's worth.
2255         
2256         - The JITs have to emit inlined marked space allocations instead of inline copy space
2257           allocations.
2258         
2259         - Everyone has to get used to zeroing their butterflies after allocation instead of relying
2260           on them being pre-zeroed by the GC. Copied space would zero things for you, while marked
2261           space doesn't.
2262         
2263         That's about 1/3 of this change. But this led to performance problems, which I fixed with
2264         optimizations that amounted to a major MarkedSpace rewrite:
2265         
2266         - MarkedSpace always causes internal fragmentation for array allocations because the vector
2267           length we choose when we resize usually leads to a cell size that doesn't correspond to any
2268           size class. I got around this by making array allocations usually round up vectorLength to
2269           the maximum allowed by the size class that we would have allocated in. Also,
2270           ensureLengthSlow() and friends first make sure that the requested length can't just be
2271           fulfilled with the current allocation size. This safeguard means that not every array
2272           allocation has to do size class queries. For example, the fast path of new Array(length)
2273           never does any size class queries, under the assumption that (1) the speed gained from
2274           avoiding an ensureLengthSlow() call, which then just changes the vectorLength by doing the
2275           size class query, is too small to offset the speed lost by doing the query on every
2276           allocation and (2) new Array(length) is a pretty good hint that resizing is not very
2277           likely.
2278         
2279         - Size classes in MarkedSpace were way too precise, which led to external fragmentation. This
2280           changes MarkedSpace size classes to use a linear progression for very small sizes followed
2281           by a geometric progression that naturally transitions to a hyperbolic progression. We want
2282           hyperbolic sizes when we get close to blockSize: for example the largest size we want is
2283           payloadSize / 2 rounded down, to ensure we get exactly two cells with minimal slop. The
2284           next size down should be payloadSize / 3 rounded down, and so on. After the last precise
2285           size (80 bytes), we proceed using a geometric progression, but round up each size to
2286           minimize slop at the end of the block. This naturally causes the geometric progression to
2287           turn hyperbolic for large sizes. The size class configuration happens at VM start-up, so
2288           it can be controlled with runtime options. I found that a base of 1.4 works pretty well.
2289         
2290         - Large allocations caused massive internal fragmentation, since the smallest large
2291           allocation had to use exactly blockSize, and the largest small allocation used
2292           blockSize / 2. The next size up - the first large allocation size to require two blocks -
2293           also had 50% internal fragmentation. This is because we required large allocations to be
2294           blockSize aligned, so that MarkedBlock::blockFor() would work. I decided to rewrite all of
2295           that. Cells no longer have to be owned by a MarkedBlock. They can now alternatively be
2296           owned by a LargeAllocation. These two things are abstracted as CellContainer. You know that
2297           a cell is owned by a LargeAllocation if the MarkedBlock::atomSize / 2 bit is set.
2298           Basically, large allocations are deliberately misaligned by 8 bytes. This actually works
2299           out great since (1) typed arrays won't use large allocations anyway since they have their
2300           own malloc fallback and (2) large array butterflies already have a 8 byte header, which
2301           means that the 8 byte base misalignment aligns the large array payload on a 16 byte
2302           boundary. I took extreme care to make sure that the isLargeAllocation bit checks are as
2303           rare as possible; for example, ExecState::vm() skips the check because we know that callees
2304           must be small allocations. It's also possible to use template tricks to do one check for
2305           cell container kind, and then invoke a function specialized for MarkedBlock or a function
2306           specialized for LargeAllocation. LargeAllocation includes stubs for all MarkedBlock methods
2307           that get used from functions that are template-specialized like this. That's mostly to
2308           speed up the GC marking code. Most other code can use CellContainer API or HeapCell API
2309           directly. That's another thing: HeapCell, the common base of JSCell and auxiliary
2310           allocations, is now smart enough to do a lot of things for you, like HeapCell::vm(),
2311           HeapCell::heap(), HeapCell::isLargeAllocation(), and HeapCell::cellContainer(). The size
2312           cutoff for large allocations is runtime-configurable, so long as you don't choose something
2313           so small that callees end up large. I found that 400 bytes is roughly optimal. This means
2314           that the MarkedBlock size classes end up being:
2315           
2316           16, 32, 48, 64, 80, 112, 160, 224, 320
2317           
2318           The next size class would have been 432, but that's above the 400 byte cutoff. All of this
2319           is configurable with --sizeClassProgression and --largeAllocationCutoff. You can see what
2320           size classes you end up with by doing --dumpSizeClasses=true.
2321         
2322         - Copied space uses 64KB blocks, while marked space used to use 16KB blocks. Allocating a lot
2323           of stuff in 16KB blocks was slower than allocating it in 64KB blocks because the GC had a
2324           lot of per-block overhead. I removed this overhead: It's now 2x faster to scan all
2325           MarkedBlocks because the list that contains the interesting meta-data is allocated on the
2326           side, for better locality during a sequential walk. It's no longer necessary to scan
2327           MarkedBlocks to find WeakSets, since the sets of WeakSets for eden scan and full scan are
2328           maintained on-the-fly. It's no longer necessary to scan all MarkedBlocks to clear mark
2329           bits because we now use versioned mark bits: to clear then, just increment the 64-bit
2330           heap version. It's no longer necessary to scan retired MarkedBlocks while allocating
2331           because marking retires them on-the-fly. It's no longer necessary to sort all blocks in
2332           the IncrementalSweeper's snapshot because blocks now know if they are in the snapshot. Put
2333           together, these optimizations allowed me to reduce block size to 16KB without losing much
2334           performance. There is some small perf loss on JetStream/splay, but not enough to hurt
2335           JetStream overall. I tried reducing block sizes further, to 4KB, since that is a
2336           progression on membuster. That's not possible yet, since there is still enough per-block
2337           overhead yet that such a reduction hurts JetStream too much. I filed a bug about improving
2338           this further: https://bugs.webkit.org/show_bug.cgi?id=161581.
2339         
2340         - Even after all of that, copying butterflies was still faster because it allowed us to skip
2341           sweeping dead space. A good GC allocates over dead bytes without explicitly freeing them,
2342           so the GC pause is O(size of live), not O(size of live + dead). O(dead) is usually much
2343           larger than O(live), especially in an eden collection. Copying satisfies this premise while
2344           mark+sweep does not. So, I invented a new kind of allocator: bump'n'pop. Previously, our
2345           MarkedSpace allocator was a freelist pop. That's simple and easy to inline but requires
2346           that we walk the block to build a free list. This means walking dead space. The new
2347           allocator allows totally free MarkedBlocks to simply set up a bump-pointer arena instead.
2348           The allocator is a hybrid of bump-pointer and freelist pop. It tries bump first. The bump
2349           pointer always bumps by cellSize, so the result of filling a block with bumping looks as if
2350           we had used freelist popping to fill it. Additionally, each MarkedBlock now has a bit to
2351           quickly tell if the block is entirely free. This makes sweeping O(1) whenever a MarkedBlock
2352           is completely empty, which is the common case because of the generational hypothesis: the
2353           number of objects that survive an eden collection is a tiny fraction of the number of
2354           objects that had been allocated, and this fraction is so small that there are typically
2355           fewer than one survivors per MarkedBlock. This change was enough to make this change a net
2356           win over tip-of-tree.
2357         
2358         - FTL now shares the same allocation fast paths as everything else, which is great, because
2359           bump'n'pop has gnarly control flow. We don't really want B3 to have to think about that
2360           control flow, since it won't be able to improve the machine code we write ourselves. GC
2361           fast paths are best written in assembly. So, I've empowered B3 to have even better support
2362           for Patchpoint terminals. It's now totally fine for a Patchpoint terminal to be non-Void.
2363           So, the new FTL allocation fast paths are just Patchpoint terminals that call through to
2364           AssemblyHelpers::emitAllocate(). B3 still reasons about things like constant-folding the
2365           size class calculation and constant-hoisting the allocator. Also, I gave the FTL the
2366           ability to constant-fold some allocator logic (in case we first assume that we're doing a
2367           variable-length allocation but then realize that the length is known). I think it makes
2368           sense to have constant folding rules in FTL::Output, or whatever the B3 IR builder is,
2369           since this makes lowering easier (you can constant fold during lowering more easily) and it
2370           reduces the amount of malloc traffic. In the future, we could teach B3 how to better
2371           constant-fold this code. That would require allowing loads to be constant-folded, which is
2372           doable but hella tricky.
2373         
2374         - It used to be that if a logical object allocation required two physical allocations (first
2375           the butterfly and then the cell), then the JIT would emit the code in such a way that a
2376           failure in the second fast path would cause us to forget the successful first physical
2377           allocation. This was pointlessly wasteful. It turns out that it's very cheap to devote a
2378           register to storing either the butterfly or null, because the butterfly register is anyway
2379           going to be free inside the first allocation. The only overhead here is zeroing the
2380           butterfly register. With that in place, we can just pass the butterfly-or-null to the slow
2381           path, which can then either allocate a butterfly or not. So now we never waste a successful
2382           allocation. This patch implements such a solution both in DFG (where it's easy to do this
2383           since we control registers already) and in FTL (where it's annoying, because mutable
2384           "butterfly-or-null" variables are hard to say in SSA; also I realized that we had code
2385           duplicated the JSArray allocation utility, so I deduplicated it). This came up because in
2386           one version of this patch, this wastage would resonate with some Kraken benchmark: the
2387           benchmark would always allocate N small things followed by one bigger thing. The problem
2388           was I accidentally adjusted the various fixed overheads in MarkedBlock in such a way that
2389           the JSObject size class, which both the small and big thing shared for their cell, could
2390           hold exactly N cells per MarkedBlock. Then the benchmark would always call slow path when
2391           it allocated the big thing. So, it would end up having to allocate the big thing's large
2392           butterfly twice, every single time! Ouch!
2393         
2394         - It used to be that we zeroed CopiedBlocks using memset, and so array allocations enjoyed
2395           amortization of the cost of zeroing. This doesn't work anymore - it's now up to the client
2396           of the allocator to initialize the object to whatever state they need. It used to be that
2397           we would just use a dumb loop. I initially changed this so that we would end up in memset
2398           for large allocations, but this didn't actually help performance that much. I got a much
2399           better result by playing with different memsets written in assembly. First I wrote one
2400           using non-temporal stores. That was a small speed-up over memset. Then I tried the classic
2401           "rep stos" approach, and holy cow that version was fast. It's a ~20% speed-up on array
2402           allocation microbenchmarks. So, this patch adds code paths to do "rep stos" on x86_64, or
2403           memset, or use a loop, as appropriate, for both "contiguous" arrays (holes are zero) and
2404           double arrays (holes are PNaN). Note that the JIT always emits either a loop or a flat slab
2405           of stores (if the size is known), but those paths in the JIT won't trigger for
2406           NewArrayWithSize() if the size is large, since that takes us to the
2407           operationNewArrayWithSize() slow path, which calls into JSArray::create(). That's why the
2408           optimizations here are all in JSArray::create() - that's the hot place for large arrays
2409           that need to be filled with holes.
2410         
2411         All of this put together gives us neutral perf on JetStream,  membuster, and PLT3, a ~1%
2412         regression on Speedometer, and up to a 4% regression Kraken. The Kraken regression is
2413         because Kraken was allocating exactly 1024 element arrays at a rate of 400MB/sec. This is a
2414         best-case scenario for bump allocation. I think that we should fix bmalloc to make up the
2415         difference, but take the hit for now because it's a crazy corner case. By comparison, the
2416         alternative approach of using a copy barrier would have cost us 1-2%. That's the real
2417         apples-to-apples comparison if your premise is that we should have a concurrent GC. After we
2418         finish removing copied space, we will be barrier-ready for concurrent GC: we already have a
2419         marking barrier and we simply won't need a copying barrier. This change gets us there for
2420         the purposes of our benchmarks, since the remaining clients of copied space are not very
2421         important. On the other hand, if we keep copying, then getting barrier-ready would mean
2422         adding back the copy barrier, which costs more perf.
2423         
2424         We might get bigger speed-ups once we remove CopiedSpace altogether. That requires moving
2425         typed arrays and a few other weird things over to Aux MarkedSpace.
2426         
2427         This also includes some header sanitization. The introduction of AuxiliaryBarrier, HeapCell,
2428         and CellContainer meant that I had to include those files from everywhere. Fortunately,
2429         just including JSCInlines.h (instead of manually including the files that includes) is
2430         usually enough. So, I made most of JSC's cpp files include JSCInlines.h, which is something
2431         that we were already basically doing. In places where JSCInlines.h would be too much, I just
2432         included HeapInlines.h. This got weird, because we previously included HeapInlines.h from
2433         JSObject.h. That's bad because it led to some circular dependencies, so I fixed it - but that
2434         meant having to manually include HeapInlines.h from the places that previously got it
2435         implicitly via JSObject.h. But that led to more problems for some reason: I started getting
2436         build errors because non-JSC files were having trouble including Opcode.h. That's just silly,
2437         since Opcode.h is meant to be an internal JSC header. So, I made it an internal header and
2438         made it impossible to include it from outside JSC. This was a lot of work, but it was
2439         necessary to get the patch to build on all ports. It's also a net win. There were many places
2440         in WebCore that were transitively including a *ton* of JSC headers just because of the
2441         JSObject.h->HeapInlines.h edge and a bunch of dependency edges that arose from some public
2442         (for WebCore) JSC headers needing Interpreter.h or Opcode.h for bad reasons.
2443
2444         * API/JSManagedValue.mm:
2445         (-[JSManagedValue initWithValue:]):
2446         * API/JSTypedArray.cpp:
2447         * API/ObjCCallbackFunction.mm:
2448         * API/tests/testapi.mm:
2449         (testObjectiveCAPI):
2450         (testWeakValue): Deleted.
2451         * CMakeLists.txt:
2452         * JavaScriptCore.xcodeproj/project.pbxproj:
2453         * Scripts/builtins/builtins_generate_combined_implementation.py:
2454         (BuiltinsCombinedImplementationGenerator.generate_secondary_header_includes):
2455         * Scripts/builtins/builtins_generate_internals_wrapper_implementation.py:
2456         (BuiltinsInternalsWrapperImplementationGenerator.generate_secondary_header_includes):
2457         * Scripts/builtins/builtins_generate_separate_implementation.py:
2458         (BuiltinsSeparateImplementationGenerator.generate_secondary_header_includes):
2459         * assembler/AbstractMacroAssembler.h:
2460         (JSC::AbstractMacroAssembler::JumpList::link):
2461         (JSC::AbstractMacroAssembler::JumpList::linkTo):
2462         * assembler/MacroAssembler.h:
2463         * assembler/MacroAssemblerARM64.h:
2464         (JSC::MacroAssemblerARM64::add32):
2465         * assembler/MacroAssemblerCodeRef.cpp: Added.
2466         (JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
2467         (JSC::MacroAssemblerCodePtr::dumpWithName):
2468         (JSC::MacroAssemblerCodePtr::dump):
2469         (JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
2470         (JSC::MacroAssemblerCodeRef::dump):
2471         * assembler/MacroAssemblerCodeRef.h:
2472         (JSC::MacroAssemblerCodePtr::createLLIntCodePtr): Deleted.
2473         (JSC::MacroAssemblerCodePtr::dumpWithName): Deleted.
2474         (JSC::MacroAssemblerCodePtr::dump): Deleted.
2475         (JSC::MacroAssemblerCodeRef::createLLIntCodeRef): Deleted.
2476         (JSC::MacroAssemblerCodeRef::dump): Deleted.
2477         * b3/B3BasicBlock.cpp:
2478         (JSC::B3::BasicBlock::appendBoolConstant):
2479         * b3/B3BasicBlock.h:
2480         * b3/B3DuplicateTails.cpp:
2481         * b3/B3StackmapGenerationParams.h:
2482         * b3/testb3.cpp:
2483         (JSC::B3::testPatchpointTerminalReturnValue):
2484         (JSC::B3::run):
2485         * bindings/ScriptValue.cpp:
2486         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
2487         * bytecode/BytecodeBasicBlock.cpp:
2488         * bytecode/BytecodeLivenessAnalysis.cpp:
2489         * bytecode/BytecodeUseDef.h:
2490         * bytecode/CallLinkInfo.cpp:
2491         (JSC::CallLinkInfo::callTypeFor):
2492         * bytecode/CallLinkInfo.h:
2493         (JSC::CallLinkInfo::callTypeFor): Deleted.
2494         * bytecode/CallLinkStatus.cpp:
2495         * bytecode/CodeBlock.cpp:
2496         (JSC::CodeBlock::finishCreation):
2497         (JSC::CodeBlock::clearLLIntGetByIdCache):
2498         (JSC::CodeBlock::predictedMachineCodeSize):
2499         * bytecode/CodeBlock.h:
2500         (JSC::CodeBlock::jitCodeMap): Deleted.
2501         (JSC::clearLLIntGetByIdCache): Deleted.
2502         * bytecode/ExecutionCounter.h:
2503         * bytecode/Instruction.h:
2504         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
2505         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
2506         * bytecode/ObjectAllocationProfile.h:
2507         (JSC::ObjectAllocationProfile::isNull):
2508         (JSC::ObjectAllocationProfile::initialize):
2509         * bytecode/Opcode.h:
2510         (JSC::padOpcodeName):
2511         * bytecode/PolymorphicAccess.cpp:
2512         (JSC::AccessCase::generateImpl):
2513         (JSC::PolymorphicAccess::regenerate):
2514         * bytecode/PolymorphicAccess.h:
2515         * bytecode/PreciseJumpTargets.cpp:
2516         * bytecode/StructureStubInfo.cpp:
2517         * bytecode/StructureStubInfo.h:
2518         * bytecode/UnlinkedCodeBlock.cpp:
2519         (JSC::UnlinkedCodeBlock::vm): Deleted.
2520         * bytecode/UnlinkedCodeBlock.h:
2521         * bytecode/UnlinkedInstructionStream.cpp:
2522         * bytecode/UnlinkedInstructionStream.h:
2523         * dfg/DFGOperations.cpp:
2524         * dfg/DFGSpeculativeJIT.cpp:
2525         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
2526         (JSC::DFG::SpeculativeJIT::compileMakeRope):
2527         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
2528         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
2529         * dfg/DFGSpeculativeJIT.h:
2530         (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
2531         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
2532         * dfg/DFGSpeculativeJIT32_64.cpp:
2533         (JSC::DFG::SpeculativeJIT::compile):
2534         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
2535         * dfg/DFGSpeculativeJIT64.cpp:
2536         (JSC::DFG::SpeculativeJIT::compile):
2537         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
2538         * dfg/DFGStrengthReductionPhase.cpp:
2539         (JSC::DFG::StrengthReductionPhase::handleNode):
2540         * ftl/FTLAbstractHeapRepository.h:
2541         * ftl/FTLCompile.cpp:
2542         * ftl/FTLJITFinalizer.cpp:
2543         * ftl/FTLLowerDFGToB3.cpp:
2544         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
2545         (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
2546         (JSC::FTL::DFG::LowerDFGToB3::allocateArrayWithSize):
2547         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
2548         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
2549         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
2550         (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
2551         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
2552         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
2553         (JSC::FTL::DFG::LowerDFGToB3::allocateCell):
2554         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
2555         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
2556         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
2557         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
2558         (JSC::FTL::DFG::LowerDFGToB3::compileAllocateArrayWithSize): Deleted.
2559         * ftl/FTLOutput.cpp:
2560         (JSC::FTL::Output::constBool):
2561         (JSC::FTL::Output::add):
2562         (JSC::FTL::Output::shl):
2563         (JSC::FTL::Output::aShr):
2564         (JSC::FTL::Output::lShr):
2565         (JSC::FTL::Output::zeroExt):
2566         (JSC::FTL::Output::equal):
2567         (JSC::FTL::Output::notEqual):
2568         (JSC::FTL::Output::above):
2569         (JSC::FTL::Output::aboveOrEqual):
2570         (JSC::FTL::Output::below):
2571         (JSC::FTL::Output::belowOrEqual):
2572         (JSC::FTL::Output::greaterThan):
2573         (JSC::FTL::Output::greaterThanOrEqual):
2574         (JSC::FTL::Output::lessThan):
2575         (JSC::FTL::Output::lessThanOrEqual):
2576         (JSC::FTL::Output::select):
2577         (JSC::FTL::Output::appendSuccessor):
2578         (JSC::FTL::Output::addIncomingToPhi):
2579         * ftl/FTLOutput.h:
2580         * ftl/FTLValueFromBlock.h:
2581         (JSC::FTL::ValueFromBlock::operator bool):
2582         (JSC::FTL::ValueFromBlock::ValueFromBlock): Deleted.
2583         * ftl/FTLWeightedTarget.h:
2584         (JSC::FTL::WeightedTarget::frequentedBlock):
2585         * heap/CellContainer.h: Added.
2586         (JSC::CellContainer::CellContainer):
2587         (JSC::CellContainer::operator bool):
2588         (JSC::CellContainer::isMarkedBlock):
2589         (JSC::CellContainer::isLargeAllocation):
2590         (JSC::CellContainer::markedBlock):
2591         (JSC::CellContainer::largeAllocation):
2592         * heap/CellContainerInlines.h: Added.
2593         (JSC::CellContainer::isMarked):
2594         (JSC::CellContainer::isMarkedOrNewlyAllocated):
2595         (JSC::CellContainer::noteMarked):
2596         (JSC::CellContainer::cellSize):
2597         (JSC::CellContainer::weakSet):
2598         (JSC::CellContainer::flipIfNecessary):
2599         * heap/ConservativeRoots.cpp:
2600         (JSC::ConservativeRoots::ConservativeRoots):
2601         (JSC::ConservativeRoots::~ConservativeRoots):
2602         (JSC::ConservativeRoots::grow):
2603         (JSC::ConservativeRoots::genericAddPointer):
2604         (JSC::ConservativeRoots::genericAddSpan):
2605         * heap/ConservativeRoots.h:
2606         (JSC::ConservativeRoots::roots):
2607         * heap/CopyToken.h:
2608         * heap/FreeList.cpp: Added.
2609         (JSC::FreeList::dump):
2610         * heap/FreeList.h: Added.
2611         (JSC::FreeList::FreeList):
2612         (JSC::FreeList::list):
2613         (JSC::FreeList::bump):
2614         (JSC::FreeList::operator==):
2615         (JSC::FreeList::operator!=):
2616         (JSC::FreeList::operator bool):
2617         (JSC::FreeList::allocationWillFail):
2618         (JSC::FreeList::allocationWillSucceed):
2619         * heap/GCTypeMap.h: Added.
2620         (JSC::GCTypeMap::operator[]):
2621         * heap/Heap.cpp:
2622         (JSC::Heap::Heap):
2623         (JSC::Heap::lastChanceToFinalize):
2624         (JSC::Heap::finalizeUnconditionalFinalizers):
2625         (JSC::Heap::markRoots):
2626         (JSC::Heap::copyBackingStores):
2627         (JSC::Heap::gatherStackRoots):
2628         (JSC::Heap::gatherJSStackRoots):
2629         (JSC::Heap::gatherScratchBufferRoots):
2630         (JSC::Heap::clearLivenessData):
2631         (JSC::Heap::visitSmallStrings):
2632         (JSC::Heap::visitConservativeRoots):
2633         (JSC::Heap::removeDeadCompilerWorklistEntries):
2634         (JSC::Heap::gatherExtraHeapSnapshotData):
2635         (JSC::Heap::removeDeadHeapSnapshotNodes):
2636         (JSC::Heap::visitProtectedObjects):
2637         (JSC::Heap::visitArgumentBuffers):
2638         (JSC::Heap::visitException):
2639         (JSC::Heap::visitStrongHandles):
2640         (JSC::Heap::visitHandleStack):
2641         (JSC::Heap::visitSamplingProfiler):
2642         (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
2643         (JSC::Heap::converge):
2644         (JSC::Heap::visitWeakHandles):
2645         (JSC::Heap::updateObjectCounts):
2646         (JSC::Heap::clearUnmarkedExecutables):
2647         (JSC::Heap::deleteUnmarkedCompiledCode):
2648         (JSC::Heap::collectAllGarbage):
2649         (JSC::Heap::collect):
2650         (JSC::Heap::collectWithoutAnySweep):
2651         (JSC::Heap::collectImpl):
2652         (JSC::Heap::suspendCompilerThreads):
2653         (JSC::Heap::willStartCollection):
2654         (JSC::Heap::flushOldStructureIDTables):
2655         (JSC::Heap::flushWriteBarrierBuffer):
2656         (JSC::Heap::stopAllocation):
2657         (JSC::Heap::prepareForMarking):
2658         (JSC::Heap::reapWeakHandles):
2659         (JSC::Heap::pruneStaleEntriesFromWeakGCMaps):
2660         (JSC::Heap::sweepArrayBuffers):
2661         (JSC::MarkedBlockSnapshotFunctor::MarkedBlockSnapshotFunctor):
2662         (JSC::MarkedBlockSnapshotFunctor::operator()):
2663         (JSC::Heap::snapshotMarkedSpace):
2664         (JSC::Heap::deleteSourceProviderCaches):
2665         (JSC::Heap::notifyIncrementalSweeper):
2666         (JSC::Heap::writeBarrierCurrentlyExecutingCodeBlocks):
2667         (JSC::Heap::resetAllocators):
2668         (JSC::Heap::updateAllocationLimits):
2669         (JSC::Heap::didFinishCollection):
2670         (JSC::Heap::resumeCompilerThreads):
2671         (JSC::Zombify::visit):
2672         (JSC::Heap::forEachCodeBlockImpl):
2673         * heap/Heap.h:
2674         (JSC::Heap::allocatorForObjectWithoutDestructor):
2675         (JSC::Heap::allocatorForObjectWithDestructor):
2676         (JSC::Heap::allocatorForAuxiliaryData):
2677         (JSC::Heap::jitStubRoutines):
2678         (JSC::Heap::codeBlockSet):
2679         (JSC::Heap::storageAllocator): Deleted.
2680         * heap/HeapCell.h:
2681         (JSC::HeapCell::isZapped): Deleted.
2682         * heap/HeapCellInlines.h: Added.
2683         (JSC::HeapCell::isLargeAllocation):
2684         (JSC::HeapCell::cellContainer):
2685         (JSC::HeapCell::markedBlock):
2686         (JSC::HeapCell::largeAllocation):
2687         (JSC::HeapCell::heap):
2688         (JSC::HeapCell::vm):
2689         (JSC::HeapCell::cellSize):
2690         (JSC::HeapCell::allocatorAttributes):
2691         (JSC::HeapCell::destructionMode):
2692         (JSC::HeapCell::cellKind):
2693         * heap/HeapInlines.h:
2694         (JSC::Heap::heap):
2695         (JSC::Heap::isLive):
2696         (JSC::Heap::isMarked):
2697         (JSC::Heap::testAndSetMarked):
2698         (JSC::Heap::setMarked):
2699         (JSC::Heap::cellSize):
2700         (JSC::Heap::forEachCodeBlock):
2701         (JSC::Heap::allocateObjectOfType):
2702         (JSC::Heap::subspaceForObjectOfType):
2703         (JSC::Heap::allocatorForObjectOfType):
2704         (JSC::Heap::allocateAuxiliary):
2705         (JSC::Heap::tryAllocateAuxiliary):
2706         (JSC::Heap::tryReallocateAuxiliary):
2707         (JSC::Heap::isPointerGCObject): Deleted.
2708         (JSC::Heap::isValueGCObject): Deleted.
2709         * heap/HeapOperation.cpp: Added.
2710         (WTF::printInternal):
2711         * heap/HeapOperation.h:
2712         * heap/HeapUtil.h: Added.
2713         (JSC::HeapUtil::findGCObjectPointersForMarking):
2714         (JSC::HeapUtil::isPointerGCObjectJSCell):
2715         (JSC::HeapUtil::isValueGCObject):
2716         * heap/IncrementalSweeper.cpp:
2717         (JSC::IncrementalSweeper::sweepNextBlock):
2718         * heap/IncrementalSweeper.h:
2719         * heap/LargeAllocation.cpp: Added.
2720         (JSC::LargeAllocation::tryCreate):
2721         (JSC::LargeAllocation::LargeAllocation):
2722         (JSC::LargeAllocation::lastChanceToFinalize):
2723         (JSC::LargeAllocation::shrink):
2724         (JSC::LargeAllocation::visitWeakSet):
2725         (JSC::LargeAllocation::reapWeakSet):
2726         (JSC::LargeAllocation::flip):
2727         (JSC::LargeAllocation::isEmpty):
2728         (JSC::LargeAllocation::sweep):
2729         (JSC::LargeAllocation::destroy):
2730         (JSC::LargeAllocation::dump):
2731         * heap/LargeAllocation.h: Added.
2732         (JSC::LargeAllocation::fromCell):
2733         (JSC::LargeAllocation::cell):
2734         (JSC::LargeAllocation::isLargeAllocation):
2735         (JSC::LargeAllocation::heap):
2736         (JSC::LargeAllocation::vm):
2737         (JSC::LargeAllocation::weakSet):
2738         (JSC::LargeAllocation::clearNewlyAllocated):
2739         (JSC::LargeAllocation::isNewlyAllocated):
2740         (JSC::LargeAllocation::isMarked):
2741         (JSC::LargeAllocation::isMarkedOrNewlyAllocated):
2742         (JSC::LargeAllocation::isLive):
2743         (JSC::LargeAllocation::hasValidCell):
2744         (JSC::LargeAllocation::cellSize):
2745         (JSC::LargeAllocation::aboveLowerBound):
2746         (JSC::LargeAllocation::belowUpperBound):
2747         (JSC::LargeAllocation::contains):
2748         (JSC::LargeAllocation::attributes):
2749         (JSC::LargeAllocation::flipIfNecessary):
2750         (JSC::LargeAllocation::flipIfNecessaryConcurrently):
2751         (JSC::LargeAllocation::testAndSetMarked):
2752         (JSC::LargeAllocation::setMarked):
2753         (JSC::LargeAllocation::clearMarked):
2754         (JSC::LargeAllocation::noteMarked):
2755         (JSC::LargeAllocation::headerSize):
2756         * heap/MarkedAllocator.cpp:
2757         (JSC::MarkedAllocator::MarkedAllocator):
2758         (JSC::MarkedAllocator::isPagedOut):
2759         (JSC::MarkedAllocator::retire):
2760         (JSC::MarkedAllocator::filterNextBlock):
2761         (JSC::MarkedAllocator::setNextBlockToSweep):
2762         (JSC::MarkedAllocator::tryAllocateWithoutCollectingImpl):
2763         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
2764         (JSC::MarkedAllocator::allocateSlowCase):
2765         (JSC::MarkedAllocator::tryAllocateSlowCase):
2766         (JSC::MarkedAllocator::allocateSlowCaseImpl):
2767         (JSC::blockHeaderSize):
2768         (JSC::MarkedAllocator::blockSizeForBytes):
2769         (JSC::MarkedAllocator::tryAllocateBlock):
2770         (JSC::MarkedAllocator::addBlock):
2771         (JSC::MarkedAllocator::removeBlock):
2772         (JSC::MarkedAllocator::stopAllocating):
2773         (JSC::MarkedAllocator::reset):
2774         (JSC::MarkedAllocator::lastChanceToFinalize):
2775         (JSC::MarkedAllocator::setFreeList):
2776         (JSC::isListPagedOut): Deleted.
2777         (JSC::MarkedAllocator::tryAllocateHelper): Deleted.
2778         (JSC::MarkedAllocator::tryPopFreeList): Deleted.
2779         (JSC::MarkedAllocator::tryAllocate): Deleted.
2780         (JSC::MarkedAllocator::allocateBlock): Deleted.
2781         * heap/MarkedAllocator.h:
2782         (JSC::MarkedAllocator::takeLastActiveBlock):
2783         (JSC::MarkedAllocator::offsetOfFreeList):
2784         (JSC::MarkedAllocator::offsetOfCellSize):
2785         (JSC::MarkedAllocator::tryAllocate):
2786         (JSC::MarkedAllocator::allocate):
2787         (JSC::MarkedAllocator::forEachBlock):
2788         (JSC::MarkedAllocator::offsetOfFreeListHead): Deleted.
2789         (JSC::MarkedAllocator::MarkedAllocator): Deleted.
2790         (JSC::MarkedAllocator::init): Deleted.
2791         (JSC::MarkedAllocator::stopAllocating): Deleted.
2792         * heap/MarkedBlock.cpp:
2793         (JSC::MarkedBlock::tryCreate):
2794         (JSC::MarkedBlock::Handle::Handle):
2795         (JSC::MarkedBlock::Handle::~Handle):
2796         (JSC::MarkedBlock::MarkedBlock):
2797         (JSC::MarkedBlock::Handle::specializedSweep):
2798         (JSC::MarkedBlock::Handle::sweep):
2799         (JSC::MarkedBlock::Handle::sweepHelperSelectScribbleMode):
2800         (JSC::MarkedBlock::Handle::sweepHelperSelectStateAndSweepMode):
2801         (JSC::MarkedBlock::Handle::unsweepWithNoNewlyAllocated):
2802         (JSC::SetNewlyAllocatedFunctor::SetNewlyAllocatedFunctor):
2803         (JSC::SetNewlyAllocatedFunctor::operator()):
2804         (JSC::MarkedBlock::Handle::stopAllocating):
2805         (JSC::MarkedBlock::Handle::lastChanceToFinalize):
2806         (JSC::MarkedBlock::Handle::resumeAllocating):
2807         (JSC::MarkedBlock::Handle::zap):
2808         (JSC::MarkedBlock::Handle::forEachFreeCell):
2809         (JSC::MarkedBlock::flipIfNecessary):
2810         (JSC::MarkedBlock::Handle::flipIfNecessary):
2811         (JSC::MarkedBlock::flipIfNecessarySlow):
2812         (JSC::MarkedBlock::flipIfNecessaryConcurrentlySlow):
2813         (JSC::MarkedBlock::clearMarks):
2814         (JSC::MarkedBlock::assertFlipped):
2815         (JSC::MarkedBlock::needsFlip):
2816         (JSC::MarkedBlock::Handle::needsFlip):
2817         (JSC::MarkedBlock::Handle::willRemoveBlock):
2818         (JSC::MarkedBlock::Handle::didConsumeFreeList):
2819         (JSC::MarkedBlock::markCount):
2820         (JSC::MarkedBlock::Handle::isEmpty):
2821         (JSC::MarkedBlock::clearHasAnyMarked):
2822         (JSC::MarkedBlock::noteMarkedSlow):
2823         (WTF::printInternal):
2824         (JSC::MarkedBlock::create): Deleted.
2825         (JSC::MarkedBlock::destroy): Deleted.
2826         (JSC::MarkedBlock::callDestructor): Deleted.
2827         (JSC::MarkedBlock::specializedSweep): Deleted.
2828         (JSC::MarkedBlock::sweep): Deleted.
2829         (JSC::MarkedBlock::sweepHelper): Deleted.
2830         (JSC::MarkedBlock::stopAllocating): Deleted.
2831         (JSC::MarkedBlock::clearMarksWithCollectionType): Deleted.
2832         (JSC::MarkedBlock::lastChanceToFinalize): Deleted.
2833         (JSC::MarkedBlock::resumeAllocating): Deleted.
2834         (JSC::MarkedBlock::didRetireBlock): Deleted.
2835         * heap/MarkedBlock.h:
2836         (JSC::MarkedBlock::VoidFunctor::returnValue):
2837         (JSC::MarkedBlock::CountFunctor::CountFunctor):
2838         (JSC::MarkedBlock::CountFunctor::count):
2839         (JSC::MarkedBlock::CountFunctor::returnValue):
2840         (JSC::MarkedBlock::Handle::hasAnyNewlyAllocated):
2841         (JSC::MarkedBlock::Handle::isOnBlocksToSweep):
2842         (JSC::MarkedBlock::Handle::setIsOnBlocksToSweep):
2843         (JSC::MarkedBlock::Handle::state):
2844         (JSC::MarkedBlock::needsDestruction):
2845         (JSC::MarkedBlock::handle):
2846         (JSC::MarkedBlock::Handle::block):
2847         (JSC::MarkedBlock::firstAtom):
2848         (JSC::MarkedBlock::atoms):
2849         (JSC::MarkedBlock::isAtomAligned):
2850         (JSC::MarkedBlock::Handle::cellAlign):
2851         (JSC::MarkedBlock::blockFor):
2852         (JSC::MarkedBlock::Handle::allocator):
2853         (JSC::MarkedBlock::Handle::heap):
2854         (JSC::MarkedBlock::Handle::vm):
2855         (JSC::MarkedBlock::vm):
2856         (JSC::MarkedBlock::Handle::weakSet):
2857         (JSC::MarkedBlock::weakSet):
2858         (JSC::MarkedBlock::Handle::shrink):
2859         (JSC::MarkedBlock::Handle::visitWeakSet):
2860         (JSC::MarkedBlock::Handle::reapWeakSet):
2861         (JSC::MarkedBlock::Handle::cellSize):
2862         (JSC::MarkedBlock::cellSize):
2863         (JSC::MarkedBlock::Handle::attributes):
2864         (JSC::MarkedBlock::attributes):
2865         (JSC::MarkedBlock::Handle::needsDestruction):
2866         (JSC::MarkedBlock::Handle::destruction):
2867         (JSC::MarkedBlock::Handle::cellKind):
2868         (JSC::MarkedBlock::Handle::markCount):
2869         (JSC::MarkedBlock::Handle::size):
2870         (JSC::MarkedBlock::atomNumber):
2871         (JSC::MarkedBlock::flipIfNecessary):
2872         (JSC::MarkedBlock::flipIfNecessaryConcurrently):
2873         (JSC::MarkedBlock::Handle::flipIfNecessary):
2874         (JSC::MarkedBlock::Handle::flipIfNecessaryConcurrently):
2875         (JSC::MarkedBlock::Handle::flipForEdenCollection):
2876         (JSC::MarkedBlock::assertFlipped):
2877         (JSC::MarkedBlock::Handle::assertFlipped):
2878         (JSC::MarkedBlock::isMarked):
2879         (JSC::MarkedBlock::testAndSetMarked):
2880         (JSC::MarkedBlock::Handle::isNewlyAllocated):
2881         (JSC::MarkedBlock::Handle::setNewlyAllocated):
2882         (JSC::MarkedBlock::Handle::clearNewlyAllocated):
2883         (JSC::MarkedBlock::Handle::isMarkedOrNewlyAllocated):
2884         (JSC::MarkedBlock::isMarkedOrNewlyAllocated):
2885         (JSC::MarkedBlock::Handle::isLive):
2886         (JSC::MarkedBlock::isAtom):
2887         (JSC::MarkedBlock::Handle::isLiveCell):
2888         (JSC::MarkedBlock::Handle::forEachCell):
2889         (JSC::MarkedBlock::Handle::forEachLiveCell):
2890         (JSC::MarkedBlock::Handle::forEachDeadCell):
2891         (JSC::MarkedBlock::Handle::needsSweeping):
2892         (JSC::MarkedBlock::Handle::isAllocated):
2893         (JSC::MarkedBlock::Handle::isMarked):
2894         (JSC::MarkedBlock::Handle::isFreeListed):
2895         (JSC::MarkedBlock::hasAnyMarked):
2896         (JSC::MarkedBlock::noteMarked):
2897         (WTF::MarkedBlockHash::hash):
2898         (JSC::MarkedBlock::FreeList::FreeList): Deleted.
2899         (JSC::MarkedBlock::allocator): Deleted.
2900         (JSC::MarkedBlock::heap): Deleted.
2901         (JSC::MarkedBlock::shrink): Deleted.
2902         (JSC::MarkedBlock::visitWeakSet): Deleted.
2903         (JSC::MarkedBlock::reapWeakSet): Deleted.
2904         (JSC::MarkedBlock::willRemoveBlock): Deleted.
2905         (JSC::MarkedBlock::didConsumeFreeList): Deleted.
2906         (JSC::MarkedBlock::markCount): Deleted.
2907         (JSC::MarkedBlock::isEmpty): Deleted.
2908         (JSC::MarkedBlock::destruction): Deleted.
2909         (JSC::MarkedBlock::cellKind): Deleted.
2910         (JSC::MarkedBlock::size): Deleted.
2911         (JSC::MarkedBlock::capacity): Deleted.
2912         (JSC::MarkedBlock::setMarked): Deleted.
2913         (JSC::MarkedBlock::clearMarked): Deleted.
2914         (JSC::MarkedBlock::isNewlyAllocated): Deleted.
2915         (JSC::MarkedBlock::setNewlyAllocated): Deleted.
2916         (JSC::MarkedBlock::clearNewlyAllocated): Deleted.
2917         (JSC::MarkedBlock::isLive): Deleted.
2918         (JSC::MarkedBlock::isLiveCell): Deleted.
2919         (JSC::MarkedBlock::forEachCell): Deleted.
2920         (JSC::MarkedBlock::forEachLiveCell): Deleted.
2921         (JSC::MarkedBlock::forEachDeadCell): Deleted.
2922         (JSC::MarkedBlock::needsSweeping): Deleted.
2923         (JSC::MarkedBlock::isAllocated): Deleted.
2924         (JSC::MarkedBlock::isMarkedOrRetired): Deleted.
2925         * heap/MarkedSpace.cpp:
2926         (JSC::MarkedSpace::initializeSizeClassForStepSize):
2927         (JSC::MarkedSpace::MarkedSpace):
2928         (JSC::MarkedSpace::~MarkedSpace):
2929         (JSC::MarkedSpace::lastChanceToFinalize):
2930         (JSC::MarkedSpace::allocate):
2931         (JSC::MarkedSpace::tryAllocate):
2932         (JSC::MarkedSpace::allocateLarge):
2933         (JSC::MarkedSpace::tryAllocateLarge):
2934         (JSC::MarkedSpace::sweep):
2935         (JSC::MarkedSpace::sweepLargeAllocations):
2936         (JSC::MarkedSpace::zombifySweep):
2937         (JSC::MarkedSpace::resetAllocators):
2938         (JSC::MarkedSpace::visitWeakSets):
2939         (JSC::MarkedSpace::reapWeakSets):
2940         (JSC::MarkedSpace::stopAllocating):
2941         (JSC::MarkedSpace::prepareForMarking):
2942         (JSC::MarkedSpace::resumeAllocating):
2943         (JSC::MarkedSpace::isPagedOut):
2944         (JSC::MarkedSpace::freeBlock):
2945         (JSC::MarkedSpace::freeOrShrinkBlock):
2946         (JSC::MarkedSpace::shrink):
2947         (JSC::MarkedSpace::clearNewlyAllocated):
2948         (JSC::VerifyMarked::operator()):
2949         (JSC::MarkedSpace::flip):
2950         (JSC::MarkedSpace::objectCount):
2951         (JSC::MarkedSpace::size):
2952         (JSC::MarkedSpace::capacity):
2953         (JSC::MarkedSpace::addActiveWeakSet):
2954         (JSC::MarkedSpace::didAddBlock):
2955         (JSC::MarkedSpace::didAllocateInBlock):
2956         (JSC::MarkedSpace::forEachAllocator): Deleted.
2957         (JSC::VerifyMarkedOrRetired::operator()): Deleted.
2958         (JSC::MarkedSpace::clearMarks): Deleted.
2959         * heap/MarkedSpace.h:
2960         (JSC::MarkedSpace::sizeClassToIndex):
2961         (JSC::MarkedSpace::indexToSizeClass):
2962         (JSC::MarkedSpace::version):
2963         (JSC::MarkedSpace::blocksWithNewObjects):
2964         (JSC::MarkedSpace::largeAllocations):
2965         (JSC::MarkedSpace::largeAllocationsNurseryOffset):
2966         (JSC::MarkedSpace::largeAllocationsOffsetForThisCollection):
2967         (JSC::MarkedSpace::largeAllocationsForThisCollectionBegin):
2968         (JSC::MarkedSpace::largeAllocationsForThisCollectionEnd):
2969         (JSC::MarkedSpace::largeAllocationsForThisCollectionSize):
2970         (JSC::MarkedSpace::forEachLiveCell):
2971         (JSC::MarkedSpace::forEachDeadCell):
2972         (JSC::MarkedSpace::allocatorFor):
2973         (JSC::MarkedSpace::destructorAllocatorFor):
2974         (JSC::MarkedSpace::auxiliaryAllocatorFor):
2975         (JSC::MarkedSpace::allocateWithoutDestructor):
2976         (JSC::MarkedSpace::allocateWithDestructor):
2977         (JSC::MarkedSpace::allocateAuxiliary):
2978         (JSC::MarkedSpace::tryAllocateAuxiliary):
2979         (JSC::MarkedSpace::forEachBlock):
2980         (JSC::MarkedSpace::forEachAllocator):
2981         (JSC::MarkedSpace::optimalSizeFor):
2982         (JSC::MarkedSpace::didAddBlock): Deleted.
2983         (JSC::MarkedSpace::didAllocateInBlock): Deleted.
2984         (JSC::MarkedSpace::objectCount): Deleted.
2985         (JSC::MarkedSpace::size): Deleted.
2986         (JSC::MarkedSpace::capacity): Deleted.
2987         * heap/SlotVisitor.cpp:
2988         (JSC::SlotVisitor::SlotVisitor):
2989         (JSC::SlotVisitor::didStartMarking):
2990         (JSC::SlotVisitor::reset):
2991         (JSC::SlotVisitor::append):
2992         (JSC::SlotVisitor::appendJSCellOrAuxiliary):
2993         (JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
2994         (JSC::SlotVisitor::appendToMarkStack):
2995         (JSC::SlotVisitor::markAuxiliary):
2996         (JSC::SlotVisitor::noteLiveAuxiliaryCell):
2997         (JSC::SlotVisitor::visitChildren):
2998         * heap/SlotVisitor.h:
2999         * heap/WeakBlock.cpp:
3000         (JSC::WeakBlock::create):
3001         (JSC::WeakBlock::WeakBlock):
3002         (JSC::WeakBlock::visit):
3003         (JSC::WeakBlock::reap):
3004         * heap/WeakBlock.h:
3005         (JSC::WeakBlock::disconnectContainer):
3006         (JSC::WeakBlock::disconnectMarkedBlock): Deleted.
3007         * heap/WeakSet.cpp:
3008         (JSC::WeakSet::~WeakSet):
3009         (JSC::WeakSet::sweep):
3010         (JSC::WeakSet::shrink):
3011         (JSC::WeakSet::addAllocator):
3012         * heap/WeakSet.h:
3013         (JSC::WeakSet::container):
3014         (JSC::WeakSet::setContainer):
3015         (JSC::WeakSet::WeakSet):
3016         (JSC::WeakSet::visit):
3017         (JSC::WeakSet::shrink): Deleted.
3018         * heap/WeakSetInlines.h:
3019         (JSC::WeakSet::allocate):
3020         * inspector/InjectedScriptManager.cpp:
3021         * inspector/JSGlobalObjectInspectorController.cpp:
3022         * inspector/JSJavaScriptCallFrame.cpp:
3023         * inspector/ScriptDebugServer.cpp:
3024         * inspector/agents/InspectorDebuggerAgent.cpp:
3025         * interpreter/CachedCall.h:
3026         (JSC::CachedCall::CachedCall):
3027         * interpreter/Interpreter.cpp:
3028         (JSC::loadVarargs):
3029         (JSC::StackFrame::sourceID): Deleted.
3030         (JSC::StackFrame::sourceURL): Deleted.
3031         (JSC::StackFrame::functionName): Deleted.
3032         (JSC::StackFrame::computeLineAndColumn): Deleted.
3033         (JSC::StackFrame::toString): Deleted.
3034         * interpreter/Interpreter.h:
3035         (JSC::StackFrame::isNative): Deleted.
3036         * jit/AssemblyHelpers.h:
3037         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
3038         (JSC::AssemblyHelpers::emitAllocate):
3039         (JSC::AssemblyHelpers::emitAllocateJSCell):
3040         (JSC::AssemblyHelpers::emitAllocateJSObject):
3041         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
3042         (JSC::AssemblyHelpers::emitAllocateVariableSized):
3043         * jit/GCAwareJITStubRoutine.cpp:
3044         (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
3045         * jit/JIT.cpp:
3046         (JSC::JIT::compileCTINativeCall):
3047         (JSC::JIT::link):
3048         * jit/JIT.h:
3049         (JSC::JIT::compileCTINativeCall): Deleted.
3050         * jit/JITExceptions.cpp:
3051         (JSC::genericUnwind):
3052         * jit/JITExceptions.h:
3053         * jit/JITOpcodes.cpp:
3054         (JSC::JIT::emit_op_new_object):
3055         (JSC::JIT::emitSlow_op_new_object):
3056         (JSC::JIT::emit_op_create_this):
3057         (JSC::JIT::emitSlow_op_create_this):
3058         * jit/JITOpcodes32_64.cpp:
3059         (JSC::JIT::emit_op_new_object):
3060         (JSC::JIT::emitSlow_op_new_object):
3061         (JSC::JIT::emit_op_create_this):
3062         (JSC::JIT::emitSlow_op_create_this):
3063         * jit/JITOperations.cpp:
3064         * jit/JITOperations.h:
3065         * jit/JITPropertyAccess.cpp:
3066         (JSC::JIT::emitWriteBarrier):
3067         * jit/JITThunks.cpp:
3068         * jit/JITThunks.h:
3069         * jsc.cpp:
3070         (functionDescribeArray):
3071         (main):
3072         * llint/LLIntData.cpp:
3073         (JSC::LLInt::Data::performAssertions):
3074         * llint/LLIntExceptions.cpp:
3075         * llint/LLIntThunks.cpp:
3076         * llint/LLIntThunks.h:
3077         * llint/LowLevelInterpreter.asm:
3078         * llint/LowLevelInterpreter.cpp:
3079         * llint/LowLevelInterpreter32_64.asm:
3080         * llint/LowLevelInterpreter64.asm:
3081         * parser/ModuleAnalyzer.cpp:
3082         * parser/NodeConstructors.h:
3083         * parser/Nodes.h:
3084         * profiler/ProfilerBytecode.cpp:
3085         * profiler/ProfilerBytecode.h:
3086         * profiler/ProfilerBytecodeSequence.cpp:
3087         * runtime/ArrayConventions.h:
3088         (JSC::indexingHeaderForArrayStorage):
3089         (JSC::baseIndexingHeaderForArrayStorage):
3090         (JSC::indexingHeaderForArray): Deleted.
3091         (JSC::baseIndexingHeaderForArray): Deleted.
3092         * runtime/ArrayPrototype.cpp:
3093         (JSC::arrayProtoFuncSplice):
3094         (JSC::concatAppendOne):
3095         (JSC::arrayProtoPrivateFuncConcatMemcpy):
3096         * runtime/ArrayStorage.h:
3097         (JSC::ArrayStorage::vectorLength):
3098         (JSC::ArrayStorage::totalSizeFor):
3099         (JSC::ArrayStorage::totalSize):
3100         (JSC::ArrayStorage::availableVectorLength):
3101         (JSC::ArrayStorage::optimalVectorLength):
3102         (JSC::ArrayStorage::sizeFor): Deleted.
3103         * runtime/AuxiliaryBarrier.h: Added.
3104         (JSC::AuxiliaryBarrier::AuxiliaryBarrier):
3105         (JSC::AuxiliaryBarrier::clear):
3106         (JSC::AuxiliaryBarrier::get):
3107         (JSC::AuxiliaryBarrier::slot):
3108         (JSC::AuxiliaryBarrier::operator bool):
3109         (JSC::AuxiliaryBarrier::setWithoutBarrier):
3110         * runtime/AuxiliaryBarrierInlines.h: Added.
3111         (JSC::AuxiliaryBarrier<T>::AuxiliaryBarrier):
3112         (JSC::AuxiliaryBarrier<T>::set):
3113         * runtime/Butterfly.h:
3114         * runtime/ButterflyInlines.h:
3115         (JSC::Butterfly::availableContiguousVectorLength):
3116         (JSC::Butterfly::optimalContiguousVectorLength):
3117         (JSC::Butterfly::createUninitialized):
3118         (JSC::Butterfly::growArrayRight):
3119         * runtime/ClonedArguments.cpp:
3120         (JSC::ClonedArguments::createEmpty):
3121         * runtime/CommonSlowPathsExceptions.cpp:
3122         * runtime/CommonSlowPathsExceptions.h:
3123         * runtime/DataView.cpp:
3124         * runtime/DirectArguments.h:
3125         * runtime/ECMAScriptSpecInternalFunctions.cpp:
3126         * runtime/Error.cpp:
3127         * runtime/Error.h:
3128         * runtime/ErrorInstance.cpp:
3129         * runtime/ErrorInstance.h:
3130         * runtime/Exception.cpp:
3131         * runtime/Exception.h:
3132         * runtime/GeneratorFrame.cpp:
3133         * runtime/GeneratorPrototype.cpp:
3134         * runtime/InternalFunction.cpp:
3135         (JSC::InternalFunction::InternalFunction):
3136         * runtime/IntlCollator.cpp:
3137         * runtime/IntlCollatorConstructor.cpp:
3138         * runtime/IntlCollatorPrototype.cpp:
3139         * runtime/IntlDateTimeFormat.cpp:
3140         * runtime/IntlDateTimeFormatConstructor.cpp:
3141         * runtime/IntlDateTimeFormatPrototype.cpp:
3142         * runtime/IntlNumberFormat.cpp:
3143         * runtime/IntlNumberFormatConstructor.cpp:
3144         * runtime/IntlNumberFormatPrototype.cpp:
3145         * runtime/IntlObject.cpp:
3146         * runtime/IteratorPrototype.cpp:
3147         * runtime/JSArray.cpp:
3148         (JSC::JSArray::tryCreateUninitialized):
3149         (JSC::JSArray::setLengthWritable):
3150         (JSC::JSArray::unshiftCountSlowCase):
3151         (JSC::JSArray::setLengthWithArrayStorage):
3152         (JSC::JSArray::appendMemcpy):
3153         (JSC::JSArray::setLength):
3154         (JSC::JSArray::pop):
3155         (JSC::JSArray::push):
3156         (JSC::JSArray::fastSlice):
3157         (JSC::JSArray::shiftCountWithArrayStorage):
3158         (JSC::JSArray::shiftCountWithAnyIndexingType):
3159         (JSC::JSArray::unshiftCountWithArrayStorage):
3160         (JSC::JSArray::fillArgList):
3161         (JSC::JSArray::copyToArguments):
3162         * runtime/JSArray.h:
3163         (JSC::createContiguousArrayButterfly):
3164         (JSC::createArrayButterfly):
3165         (JSC::JSArray::create):
3166         (JSC::JSArray::tryCreateUninitialized): Deleted.
3167         * runtime/JSArrayBufferView.h:
3168         * runtime/JSCInlines.h:
3169         * runtime/JSCJSValue.cpp:
3170         (JSC::JSValue::dumpInContextAssumingStructure):
3171         * runtime/JSCallee.cpp:
3172         (JSC::JSCallee::JSCallee):
3173         * runtime/JSCell.cpp:
3174         (JSC::JSCell::estimatedSize):
3175         * runtime/JSCell.h:
3176         (JSC::JSCell::cellStateOffset): Deleted.
3177         * runtime/JSCellInlines.h:
3178         (JSC::ExecState::vm):
3179         (JSC::JSCell::classInfo):
3180         (JSC::JSCell::callDestructor):
3181         (JSC::JSCell::vm): Deleted.
3182         * runtime/JSFunction.cpp:
3183         (JSC::JSFunction::create):
3184         (JSC::JSFunction::allocateAndInitializeRareData):
3185         (JSC::JSFunction::initializeRareData):
3186         (JSC::JSFunction::getOwnPropertySlot):
3187         (JSC::JSFunction::put):
3188         (JSC::JSFunction::deleteProperty):
3189         (JSC::JSFunction::defineOwnProperty):
3190         (JSC::JSFunction::setFunctionName):
3191         (JSC::JSFunction::reifyLength):
3192         (JSC::JSFunction::reifyName):
3193         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
3194         (JSC::JSFunction::reifyBoundNameIfNeeded):
3195         * runtime/JSFunction.h:
3196         * runtime/JSFunctionInlines.h:
3197         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
3198         (JSC::JSFunction::JSFunction):
3199         * runtime/JSGenericTypedArrayViewInlines.h:
3200         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
3201         * runtime/JSInternalPromise.cpp:
3202         * runtime/JSInternalPromiseConstructor.cpp:
3203         * runtime/JSInternalPromiseDeferred.cpp:
3204         * runtime/JSInternalPromisePrototype.cpp:
3205         * runtime/JSJob.cpp:
3206         * runtime/JSMapIterator.cpp:
3207         * runtime/JSModuleNamespaceObject.cpp:
3208         * runtime/JSModuleRecord.cpp:
3209         * runtime/JSObject.cpp:
3210         (JSC::JSObject::visitButterfly):
3211         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
3212         (JSC::JSObject::createInitialIndexedStorage):
3213         (JSC::JSObject::createInitialUndecided):
3214         (JSC::JSObject::createInitialInt32):
3215         (JSC::JSObject::createInitialDouble):
3216         (JSC::JSObject::createInitialContiguous):
3217         (JSC::JSObject::createArrayStorage):
3218         (JSC::JSObject::createInitialArrayStorage):
3219         (JSC::JSObject::convertUndecidedToInt32):
3220         (JSC::JSObject::convertUndecidedToContiguous):
3221         (JSC::JSObject::convertUndecidedToArrayStorage):
3222         (JSC::JSObject::convertInt32ToDouble):
3223         (JSC::JSObject::convertInt32ToArrayStorage):
3224         (JSC::JSObject::convertDoubleToArrayStorage):
3225         (JSC::JSObject::convertContiguousToArrayStorage):
3226         (JSC::JSObject::putByIndexBeyondVectorLength):
3227         (JSC::JSObject::putDirectIndexBeyondVectorLength):
3228         (JSC::JSObject::getNewVectorLength):
3229         (JSC::JSObject::increaseVectorLength):
3230         (JSC::JSObject::ensureLengthSlow):
3231         (JSC::JSObject::growOutOfLineStorage):
3232         (JSC::JSObject::copyButterfly): Deleted.
3233         (JSC::JSObject::copyBackingStore): Deleted.
3234         * runtime/JSObject.h:
3235         (JSC::JSObject::globalObject):
3236         (JSC::JSObject::putDirectInternal):
3237         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary): Deleted.
3238         * runtime/JSObjectInlines.h:
3239         * runtime/JSPromise.cpp:
3240         * runtime/JSPromiseConstructor.cpp:
3241         * runtime/JSPromiseDeferred.cpp:
3242         * runtime/JSPromisePrototype.cpp:
3243         * runtime/JSPropertyNameIterator.cpp:
3244         * runtime/JSScope.cpp:
3245         (JSC::JSScope::resolve):
3246         * runtime/JSScope.h:
3247         (JSC::JSScope::globalObject):
3248         (JSC::JSScope::vm): Deleted.
3249         * runtime/JSSetIterator.cpp:
3250         * runtime/JSStringIterator.cpp:
3251         * runtime/JSTemplateRegistryKey.cpp:
3252         * runtime/JSTypedArrayViewConstructor.cpp:
3253         * runtime/JSTypedArrayViewPrototype.cpp:
3254         * runtime/JSWeakMap.cpp:
3255         * runtime/JSWeakSet.cpp:
3256         * runtime/MapConstructor.cpp:
3257         * runtime/MapIteratorPrototype.cpp:
3258         * runtime/MapPrototype.cpp:
3259         * runtime/NativeErrorConstructor.cpp:
3260         * runtime/NativeStdFunctionCell.cpp:
3261         * runtime/Operations.h:
3262         (JSC::scribbleFreeCells):
3263         (JSC::scribble):
3264         * runtime/Options.h:
3265         * runtime/PropertyTable.cpp:
3266         * runtime/ProxyConstructor.cpp:
3267         * runtime/ProxyObject.cpp:
3268         * runtime/ProxyRevoke.cpp:
3269         * runtime/RegExp.cpp:
3270         (JSC::RegExp::match):
3271         (JSC::RegExp::matchConcurrently):
3272         (JSC::RegExp::matchCompareWithInterpreter):
3273         * runtime/RegExp.h:
3274         * runtime/RegExpConstructor.h:
3275         * runtime/RegExpInlines.h:
3276         (JSC::RegExp::matchInline):
3277         * runtime/RegExpMatchesArray.h:
3278         (JSC::tryCreateUninitializedRegExpMatchesArray):
3279         (JSC::createRegExpMatchesArray):
3280         * runtime/RegExpPrototype.cpp:
3281         (JSC::genericSplit):
3282         * runtime/RuntimeType.cpp:
3283         * runtime/SamplingProfiler.cpp:
3284         (JSC::SamplingProfiler::processUnverifiedStackTraces):
3285         * runtime/SetConstructor.cpp:
3286         * runtime/SetIteratorPrototype.cpp:
3287         * runtime/SetPrototype.cpp:
3288         * runtime/StackFrame.cpp: Added.
3289         (JSC::StackFrame::sourceID):
3290         (JSC::StackFrame::sourceURL):
3291         (JSC::StackFrame::functionName):
3292         (JSC::StackFrame::computeLineAndColumn):
3293         (JSC::StackFrame::toString):
3294         * runtime/StackFrame.h: Added.
3295         (JSC::StackFrame::isNative):
3296         * runtime/StringConstructor.cpp:
3297         * runtime/StringIteratorPrototype.cpp:
3298         * runtime/StructureInlines.h:
3299         (JSC::Structure::propertyTable):
3300         * runtime/TemplateRegistry.cpp:
3301         * runtime/TestRunnerUtils.cpp:
3302         (JSC::finalizeStatsAtEndOfTesting):
3303         * runtime/TestRunnerUtils.h: