[Win] Exception fuzz tests fail
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2016-09-08  Per Arne Vollan  <pvollan@apple.com>
2
3         [Win] Exception fuzz tests fail
4         https://bugs.webkit.org/show_bug.cgi?id=140928
5
6         Reviewed by Mark Lam.
7
8         Flush stdout when throwing the exception to make sure the output comes before output in the exception handler.
9         The tests depend on the output to stdout being written in the correct order.
10
11         * runtime/ExceptionFuzz.cpp:
12         (JSC::doExceptionFuzzing):
13
14 2016-09-07  Simon Fraser  <simon.fraser@apple.com>
15
16         Enable the <meter> element on iOS
17         https://bugs.webkit.org/show_bug.cgi?id=161714
18         rdar://problem/8978410
19
20         Reviewed by Tim Horton.
21
22         Define ENABLE_METER_ELEMENT unconditionally now.
23
24         * Configurations/FeatureDefines.xcconfig:
25
26 2016-09-07  Joseph Pecoraro  <pecoraro@apple.com>
27
28         Modernize Debugger to use nullptr
29         https://bugs.webkit.org/show_bug.cgi?id=161718
30
31         Reviewed by Mark Lam.
32
33         * debugger/Debugger.cpp:
34         (JSC::Debugger::Debugger):
35         (JSC::Debugger::~Debugger):
36         (JSC::Debugger::detach):
37         (JSC::Debugger::stepOutOfFunction):
38         (JSC::Debugger::updateCallFrameAndPauseIfNeeded):
39         * debugger/Debugger.h:
40
41 2016-09-07  Joseph Pecoraro  <pecoraro@apple.com>
42
43         Web Inspector: Remove always false case in Debugger
44         https://bugs.webkit.org/show_bug.cgi?id=161717
45
46         Reviewed by Brian Burg.
47
48         * debugger/Debugger.cpp:
49         (JSC::Debugger::didExecuteProgram):
50         We would have earlier returned a few statements ago if this case was true.
51         And we would have crashed in the previous statement if this case was true.
52
53 2016-09-07  Yusuke Suzuki  <utatane.tea@gmail.com>
54
55         Unreviewed, build fix after r205569
56
57         Tweak CMakeLists.txt
58
59         * CMakeLists.txt:
60
61 2016-09-07  Mark Lam  <mark.lam@apple.com>
62
63         Add CatchScope and force all exception checks to be via ThrowScope or CatchScope.
64         https://bugs.webkit.org/show_bug.cgi?id=161498
65
66         Reviewed by Geoffrey Garen.
67
68         This patch refactors the ThrowScope class, and introduces a base ExceptionScope
69         that ThrowScope extends.  A CatchScope which extends the ExceptionScope is also
70         introduced.
71
72         ENABLE(THROW_SCOPE_VERIFICATION) is now renamed to ENABLE(EXCEPTION_SCOPE_VERIFICATION)
73         which is a more suitable name now.
74
75         Note: exception scope verification is still disabled by default.  There are still
76         many places that need to be fixed up or re-expressed in a way that is friendly
77         to the verification.  I'll address those in subsequent patches.
78
79         After this patch, the code will statically enforce that:
80         1. all calls to throwException() go through a ThrowScope.
81         2. all calls to clearException() go through a CatchScope.
82         3. all exception checks go through an ExceptionScope in the form of a ThrowScope
83            or CatchScope.
84
85         A Summary of how to use ExceptionScopes
86         =======================================
87         1. If a function can throw a JS exception, it should declare a ThrowScope at the
88            top of the function (as early as possible).
89
90         2. If a function can clear JS exceptions, it should declare a CatchScope at the
91            top of the function (as early as possible).
92
93         Declaring a ThrowScope in a function means that the function may throw an exception
94         that its caller will have to handle.  Declaring a CatchScope in a function means
95         that the function intends to clear pending exceptions before returning to its
96         caller. 
97
98         For more details, see the notes below.
99         
100         Everything you may want to know about ExceptionScopes
101         =====================================================
102         ExceptionScope verification works to simulate exception throws and detect cases
103         where exception checks are missing.  The notes below will cover:
104
105             1. The VM::m_needExceptionCheck bit
106             2. ThrowScopes and CatchScopes
107             3. Verification of needed exception checks
108             3. Checking Exceptions
109             4. Simulating throws
110             5. Using ThrowScope::release()
111             6. Checking exceptions with ThrowScope::exception() / CatchScope::exception()
112             7. Checking exceptions by checking callee results
113             8. Debugging verification errors
114
115         1. The VM::m_needExceptionCheck bit
116
117            The VM has a m_needExceptionCheck bit that indicates when an exception may be
118            thrown.  You can think of the m_needExceptionCheck bit being set as a simulated
119            throw.
120
121         2. ThrowScopes and CatchScopes
122
123            Only ThrowScopes may throwException.  Only CatchScopes may catchException.
124
125            Every throw site must declare a ThrowScope instance using DECLARE_THROW_SCOPE
126            at the top of its function (as early as possible) e.g.
127  
128                 void foo(...)
129                 {
130                     auto scope = DECLARE_THROW_SCOPE(vm);
131                     ...
132                     throwException(exec, scope, ...);
133                 }
134
135            Note: by convention, every throw helper function must take a ThrowScope argument
136            instead of instantiating its own ThrowScope.  This allows the throw to be
137            attributed to the client code rather than the throw helper itself.
138
139            Every catch site (i.e. a site that calls clearException()) must declare a
140            CatchScope instance using DECLARE_CATCH_SCOPE at the top of its function.
141
142            If a function can both throw or clear exceptions, then the ThrowScope should
143            be declared first so that it can simulate a throw to the function's caller.
144
145            Note: ThrowScope and CatchScope both extend ExceptionScope so that ThrowScopes
146            can be aware if there's an enclosing CatchScope between it and the point where
147            C++ code returns to JS code.  This is needed to determine if the ThrowScope
148            should simulate a re-throw or not.  See (4) below for more details on returning
149            to JS code.
150
151         3. Verification of needed exception checks
152
153            a. On construction, each ThrowScope and CatchScope will verify that
154               VM::m_needExceptionCheck is not set.
155  
156               This ensures that the caller of the current function has checked for exceptions
157               where needed before doing more work which lead to calling the current function.
158
159            b. On destruction, each ThrowScope and CatchScope will verify that
160               VM::m_needExceptionCheck is not set. This verification will be skipped if
161               the ThrowScope has been released (see (5) below).
162
163               This ensures that the function that owns this exception scope is not missing
164               any exception checks before returning.
165
166            c. When throwing an exception, the ThrowScope will verify that VM::m_needExceptionCheck
167               is not already set, unless it's been ask to rethrow the same Exception object.
168
169         4. Simulating throws
170
171            Throws are simulated by setting the m_needExceptionCheck bit.
172
173            The bit will only be set in the ThrowScope destructor except when the ThrowScope
174            detects the caller is a LLInt or JIT function.  LLInt or JIT functions will always
175            check for exceptions after a host C++ function returns to it.  However, they will
176            not clear the m_needExceptionCheck bit.
177
178            Hence, if the ThrowScope destructor detects the caller is a LLInt or JIT function,
179            it will just skip the setting of the bit.
180
181            Note: it is not needed nor correct to set the m_needExceptionCheck bit in the
182            throwException methods.  This is because, in practice, we always return
183            immediately after throwing an exception.  It doesn't make sense to set the bit in
184            the throw just to have to clear it immediately after before we do verification in
185            the ThrowScope destructor.
186
187         5. Using ThrowScope::release()
188
189            Calling release() means that the scope is released from its obligation to
190            verify the VM::m_needExceptionCheck bit on destruction.
191
192            release() should only be used at the bottom of a function if:
193
194            a. This function is going to let its caller check and handle the exception, e.g.
195
196                 void foo(...)
197                 {
198                     auto scope = DECLARE_THROW_SCOPE(vm);
199                     auto result = goo(); // may throw.
200
201                     ... // Code that will are not affected by a pending exceptions.
202
203                     scope.release(); // tell the ThrowScope that the caller will handle the exception.
204                     return result;
205                 }
206
207            b. This function is going to do a tail call that may throw.
208
209                 void foo(...)
210                 {
211                     auto scope = DECLARE_THROW_SCOPE(vm);
212                     ...
213                     scope.release(); // tell the ThrowScope that the caller will handle the exception.
214                     return goo(); // may throw.
215                 }
216
217               release() should not be used in code paths that branch. For example:
218
219                 void foo(...)
220                 {
221                     auto scope = DECLARE_THROW_SCOPE(vm);
222
223                     auto result = goo1(); // may throw.
224                     scope.release(); // WRONG !!! Don't do this.
225                     if (result)
226                         return;
227
228                     result = goo2(); // may throw.
229                     ...
230                     return result;
231                 }
232
233             The above will result in a verification error in goo2()'s ThrowScope.  The
234             proper way to fix this verification is to do either (6) or (7) below.
235
236          6. Checking exceptions with ThrowScope::exception() / CatchScope::exception()
237
238             ThrowScope/CatchScope::exception() returns the thrown Exception object if
239             there is one pending.  Else, it returns nullptr.
240
241             It also clears the m_needExceptionCheck bit thereby indicating that we've
242             satisfied the needed exception check.  For example,
243
244                 void foo(...)
245                 {
246                     auto scope = DECLARE_THROW_SCOPE(vm);
247
248                     auto result = goo1(); // may throw.
249                     if (scope.exception())
250                         return;
251
252                     result = goo2(); // may throw.
253                     ...
254                     return result;
255                 }
256
257             But sometimes, for optimization reasons, we may choose to test the result of
258             the callee function instead doing a load of the VM exception value.  See (7)
259             below.
260
261          7. Checking exceptions by checking callee results
262
263             This approach should only be applied when it makes a difference to performance.
264             If we need to do this, we should add an ASSERT() that invokes the scope's
265             exception() method to verify the result.  Since exception scope verification
266             is only done on DEBUG builds, this ASSERT will satisfy the verification
267             requirements without impacting performance.  For example,
268
269                 void foo(...)
270                 {
271                     auto scope = DECLARE_THROW_SCOPE(vm);
272
273                     bool failed = goo1(); // may throw.
274                     ASSERT(!!scope.exception() == failed)
275                     if (failed)
276                         return;
277
278                     result = goo2(); // may throw.
279                     ...
280                     return result;
281                 }
282
283          8. Debugging verification errors
284
285             a. When verification fails, you will see a message followed by an assertion
286                failure.  For example:
287
288             ERROR: Unchecked JS exception:
289                 This scope can throw a JS exception: setUpCall @ /Volumes/Data/ws6/OpenSource/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1245
290                     (ExceptionScope::m_recursionDepth was ...)
291                 But the exception was unchecked as of this scope: varargsSetup @ /Volumes/Data/ws6/OpenSource/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1398
292                     (ExceptionScope::m_recursionDepth was ...)
293                 [ backtrace here ]
294
295                The message tells you that failure was detected at in varargsSetup() at
296                LLIntSlowPaths.cpp line 1398, and that the missing exception check should
297                have happened somewhere between the call to setUpCall() at LLIntSlowPaths.cpp
298                line 1245 and it.
299
300                If that is insufficient information, you can ...
301
302             b. Dump simulated throws
303
304                Re-run the test case with JSC_dumpSimulatedThrows=true.  You will also see
305                back traces at each simulated throw.
306
307             c. Narrowing down the source of a simulated throw
308
309                Another technique for narrowing down the source of simulated throws is by
310                further dividing a function to smaller regions by separating each region
311                with additional local throw scopes.  For example,
312
313                 ... // Region 1
314                 { auto scope = DECLARE_THROW_SCOPE(vm); }
315                 ... // Region 2
316                 { auto scope = DECLARE_THROW_SCOPE(vm); }
317                 ... // Region 3
318
319         * API/APIUtils.h:
320         (handleExceptionIfNeeded):
321         * CMakeLists.txt:
322         * JavaScriptCore.xcodeproj/project.pbxproj:
323         * bindings/ScriptFunctionCall.cpp:
324         (Deprecated::ScriptFunctionCall::call):
325         * bindings/ScriptValue.cpp:
326         (Deprecated::ScriptValue::toString):
327         * debugger/Debugger.cpp:
328         (JSC::Debugger::pauseIfNeeded):
329         * debugger/DebuggerCallFrame.cpp:
330         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
331         * dfg/DFGOSRExitCompiler.cpp:
332         * dfg/DFGOperations.cpp:
333         (JSC::DFG::operationPutByValInternal):
334         * inspector/InjectedScriptManager.cpp:
335         (Inspector::InjectedScriptManager::createInjectedScript):
336         * inspector/JSGlobalObjectInspectorController.cpp:
337         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
338         * inspector/JSInjectedScriptHost.cpp:
339         (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
340         (Inspector::JSInjectedScriptHost::getInternalProperties):
341         (Inspector::JSInjectedScriptHost::weakMapEntries):
342         (Inspector::JSInjectedScriptHost::weakSetEntries):
343         (Inspector::JSInjectedScriptHost::iteratorEntries):
344         * inspector/JSJavaScriptCallFrame.cpp:
345         (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
346         * inspector/ScriptCallStackFactory.cpp:
347         (Inspector::extractSourceInformationFromException):
348         * interpreter/CachedCall.h:
349         (JSC::CachedCall::CachedCall):
350         * interpreter/CallFrame.h:
351         (JSC::ExecState::clearException): Deleted.
352         (JSC::ExecState::exception): Deleted.
353         (JSC::ExecState::hadException): Deleted.
354         (JSC::ExecState::lastException): Deleted.
355         (JSC::ExecState::clearLastException): Deleted.
356         * interpreter/Interpreter.cpp:
357         (JSC::eval):
358         (JSC::sizeOfVarargs):
359         (JSC::notifyDebuggerOfUnwinding):
360         (JSC::Interpreter::unwind):
361         (JSC::Interpreter::execute):
362         (JSC::Interpreter::executeCall):
363         (JSC::Interpreter::executeConstruct):
364         (JSC::Interpreter::prepareForRepeatCall):
365         (JSC::Interpreter::debug):
366         * interpreter/Interpreter.h:
367         (JSC::SuspendExceptionScope::SuspendExceptionScope):
368         * interpreter/ShadowChicken.cpp:
369         (JSC::ShadowChicken::functionsOnStack):
370         * jit/JITCode.cpp:
371         (JSC::JITCode::execute):
372         * jit/JITExceptions.cpp:
373         (JSC::genericUnwind):
374         * jit/JITOperations.cpp:
375         (JSC::getByVal):
376         * jsc.cpp:
377         (WTF::ImpureGetter::getOwnPropertySlot):
378         (GlobalObject::moduleLoaderResolve):
379         (GlobalObject::moduleLoaderFetch):
380         (functionCreateElement):
381         (functionRun):
382         (functionRunString):
383         (functionLoad):
384         (functionLoadString):
385         (functionReadFile):
386         (functionCheckSyntax):
387         (functionSetRandomSeed):
388         (functionLoadModule):
389         (functionCreateBuiltin):
390         (functionCheckModuleSyntax):
391         (functionGenerateHeapSnapshot):
392         (functionSamplingProfilerStackTraces):
393         (dumpException):
394         (checkUncaughtException):
395         (runWithScripts):
396         (runInteractive):
397         * llint/LLIntExceptions.cpp:
398         (JSC::LLInt::returnToThrow):
399         (JSC::LLInt::callToThrow):
400         * llint/LLIntSlowPaths.cpp:
401         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
402         * profiler/ProfilerBytecodeSequence.cpp:
403         (JSC::Profiler::BytecodeSequence::addSequenceProperties):
404         * profiler/ProfilerCompilation.cpp:
405         (JSC::Profiler::Compilation::toJS):
406         * profiler/ProfilerDatabase.cpp:
407         (JSC::Profiler::Database::toJS):
408         * profiler/ProfilerOSRExitSite.cpp:
409         (JSC::Profiler::OSRExitSite::toJS):
410         * profiler/ProfilerOriginStack.cpp:
411         (JSC::Profiler::OriginStack::toJS):
412         * runtime/ArrayPrototype.cpp:
413         (JSC::speciesConstructArray):
414         (JSC::shift):
415         (JSC::unshift):
416         (JSC::arrayProtoFuncToString):
417         (JSC::arrayProtoFuncToLocaleString):
418         (JSC::slowJoin):
419         (JSC::fastJoin):
420         (JSC::arrayProtoFuncJoin):
421         (JSC::arrayProtoFuncPop):
422         (JSC::arrayProtoFuncPush):
423         (JSC::arrayProtoFuncReverse):
424         (JSC::arrayProtoFuncShift):
425         (JSC::arrayProtoFuncSlice):
426         (JSC::arrayProtoFuncSplice):
427         (JSC::arrayProtoFuncUnShift):
428         (JSC::arrayProtoFuncIndexOf):
429         (JSC::arrayProtoFuncLastIndexOf):
430         (JSC::moveElements):
431         (JSC::concatAppendOne):
432         (JSC::arrayProtoPrivateFuncConcatMemcpy):
433         * runtime/BooleanConstructor.cpp:
434         (JSC::constructWithBooleanConstructor):
435         * runtime/CallData.cpp:
436         (JSC::call):
437         * runtime/CatchScope.cpp: Added.
438         (JSC::CatchScope::CatchScope):
439         (JSC::CatchScope::~CatchScope):
440         * runtime/CatchScope.h: Added.
441         (JSC::CatchScope::clearException):
442         (JSC::CatchScope::CatchScope):
443         * runtime/CommonSlowPaths.cpp:
444         (JSC::SLOW_PATH_DECL):
445         * runtime/CommonSlowPaths.h:
446         (JSC::CommonSlowPaths::opIn):
447         * runtime/CommonSlowPathsExceptions.cpp:
448         (JSC::CommonSlowPaths::interpreterThrowInCaller):
449         * runtime/Completion.cpp:
450         (JSC::evaluate):
451         (JSC::rejectPromise):
452         (JSC::loadAndEvaluateModule):
453         (JSC::loadModule):
454         * runtime/ConsoleObject.cpp:
455         (JSC::consoleProtoFuncAssert):
456         (JSC::consoleProtoFuncProfile):
457         (JSC::consoleProtoFuncProfileEnd):
458         (JSC::consoleProtoFuncTakeHeapSnapshot):
459         (JSC::consoleProtoFuncTime):
460         (JSC::consoleProtoFuncTimeEnd):
461         * runtime/DateConstructor.cpp:
462         (JSC::constructDate):
463         (JSC::dateParse):
464         * runtime/DatePrototype.cpp:
465         (JSC::dateProtoFuncToPrimitiveSymbol):
466         (JSC::dateProtoFuncToJSON):
467         * runtime/ErrorConstructor.cpp:
468         (JSC::Interpreter::constructWithErrorConstructor):
469         * runtime/ErrorInstance.cpp:
470         (JSC::ErrorInstance::sanitizedToString):
471         * runtime/ErrorPrototype.cpp:
472         (JSC::errorProtoFuncToString):
473         * runtime/ExceptionEventLocation.cpp: Added.
474         (WTF::printInternal):
475         * runtime/ExceptionEventLocation.h: Copied from Source/JavaScriptCore/runtime/ThrowScopeLocation.h.
476         (JSC::ExceptionEventLocation::ExceptionEventLocation):
477         (JSC::ThrowScopeLocation::ThrowScopeLocation): Deleted.
478         * runtime/ExceptionHelpers.h:
479         * runtime/ExceptionScope.cpp: Added.
480         (JSC::ExceptionScope::ExceptionScope):
481         (JSC::ExceptionScope::~ExceptionScope):
482         * runtime/ExceptionScope.h: Added.
483         (JSC::ExceptionScope::vm):
484         (JSC::ExceptionScope::recursionDepth):
485         (JSC::ExceptionScope::exception):
486         (JSC::ExceptionScope::ExceptionScope):
487         * runtime/FunctionConstructor.cpp:
488         (JSC::constructFunctionSkippingEvalEnabledCheck):
489         * runtime/FunctionPrototype.cpp:
490         (JSC::functionProtoFuncBind):
491         * runtime/GenericArgumentsInlines.h:
492         (JSC::GenericArguments<Type>::copyToArguments):
493         * runtime/GetterSetter.cpp:
494         (JSC::callGetter):
495         * runtime/InspectorInstrumentationObject.cpp:
496         (JSC::inspectorInstrumentationObjectLog):
497         * runtime/InternalFunction.cpp:
498         (JSC::InternalFunction::createSubclassStructure):
499         * runtime/IntlCollator.cpp:
500         (JSC::IntlCollator::initializeCollator):
501         (JSC::IntlCollator::createCollator):
502         (JSC::IntlCollator::resolvedOptions):
503         * runtime/IntlCollatorConstructor.cpp:
504         (JSC::constructIntlCollator):
505         (JSC::IntlCollatorConstructorFuncSupportedLocalesOf):
506         * runtime/IntlCollatorPrototype.cpp:
507         (JSC::IntlCollatorFuncCompare):
508         (JSC::IntlCollatorPrototypeGetterCompare):
509         * runtime/IntlDateTimeFormat.cpp:
510         (JSC::toDateTimeOptionsAnyDate):
511         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
512         (JSC::IntlDateTimeFormat::resolvedOptions):
513         (JSC::IntlDateTimeFormat::format):
514         * runtime/IntlDateTimeFormatConstructor.cpp:
515         (JSC::constructIntlDateTimeFormat):
516         (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf):
517         * runtime/IntlDateTimeFormatPrototype.cpp:
518         (JSC::IntlDateTimeFormatFuncFormatDateTime):
519         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
520         * runtime/IntlNumberFormat.cpp:
521         (JSC::IntlNumberFormat::initializeNumberFormat):
522         (JSC::IntlNumberFormat::createNumberFormat):
523         (JSC::IntlNumberFormat::resolvedOptions):
524         * runtime/IntlNumberFormatConstructor.cpp:
525         (JSC::constructIntlNumberFormat):
526         (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf):
527         * runtime/IntlNumberFormatPrototype.cpp:
528         (JSC::IntlNumberFormatFuncFormatNumber):
529         (JSC::IntlNumberFormatPrototypeGetterFormat):
530         * runtime/IntlObject.cpp:
531         (JSC::intlBooleanOption):
532         (JSC::intlStringOption):
533         (JSC::intlNumberOption):
534         (JSC::canonicalizeLocaleList):
535         (JSC::supportedLocales):
536         * runtime/IntlObjectInlines.h:
537         (JSC::constructIntlInstanceWithWorkaroundForLegacyIntlConstructor):
538         * runtime/IteratorOperations.cpp:
539         (JSC::iteratorNext):
540         (JSC::iteratorStep):
541         (JSC::iteratorClose):
542         (JSC::iteratorForIterable):
543         * runtime/IteratorOperations.h:
544         (JSC::forEachInIterable):
545         * runtime/JSArray.cpp:
546         (JSC::JSArray::pop):
547         (JSC::JSArray::push):
548         (JSC::JSArray::copyToArguments):
549         * runtime/JSArrayBufferConstructor.cpp:
550         (JSC::constructArrayBuffer):
551         * runtime/JSArrayBufferPrototype.cpp:
552         (JSC::arrayBufferProtoFuncSlice):
553         * runtime/JSArrayInlines.h:
554         (JSC::getLength):
555         (JSC::toLength):
556         * runtime/JSBoundFunction.cpp:
557         (JSC::getBoundFunctionStructure):
558         (JSC::JSBoundFunction::create):
559         * runtime/JSCJSValue.cpp:
560         (JSC::JSValue::putToPrimitive):
561         (JSC::JSValue::putToPrimitiveByIndex):
562         (JSC::JSValue::toStringSlowCase):
563         * runtime/JSCJSValueInlines.h:
564         (JSC::toPreferredPrimitiveType):
565         (JSC::JSValue::getPropertySlot):
566         (JSC::JSValue::equalSlowCaseInline):
567         * runtime/JSDataViewPrototype.cpp:
568         (JSC::getData):
569         (JSC::setData):
570         * runtime/JSFunction.cpp:
571         (JSC::JSFunction::setFunctionName):
572         * runtime/JSGenericTypedArrayView.h:
573         (JSC::JSGenericTypedArrayView::setIndex):
574         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
575         (JSC::constructGenericTypedArrayViewFromIterator):
576         (JSC::constructGenericTypedArrayViewWithArguments):
577         (JSC::constructGenericTypedArrayView):
578         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
579         (JSC::speciesConstruct):
580         (JSC::genericTypedArrayViewProtoFuncCopyWithin):
581         (JSC::genericTypedArrayViewProtoFuncIncludes):
582         (JSC::genericTypedArrayViewProtoFuncIndexOf):
583         (JSC::genericTypedArrayViewProtoFuncJoin):
584         (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
585         (JSC::genericTypedArrayViewProtoFuncSlice):
586         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
587         * runtime/JSGlobalObject.h:
588         (JSC::constructEmptyArray):
589         (JSC::constructArray):
590         (JSC::constructArrayNegativeIndexed):
591         * runtime/JSGlobalObjectFunctions.cpp:
592         (JSC::globalFuncEval):
593         * runtime/JSJob.cpp:
594         (JSC::JSJobMicrotask::run):
595         * runtime/JSModuleEnvironment.cpp:
596         (JSC::JSModuleEnvironment::getOwnPropertySlot):
597         * runtime/JSModuleLoader.cpp:
598         (JSC::JSModuleLoader::fetch):
599         * runtime/JSModuleNamespaceObject.cpp:
600         (JSC::JSModuleNamespaceObject::finishCreation):
601         (JSC::JSModuleNamespaceObject::getOwnPropertySlot):
602         * runtime/JSModuleRecord.cpp:
603         (JSC::JSModuleRecord::instantiateDeclarations):
604         * runtime/JSONObject.cpp:
605         (JSC::Stringifier::Stringifier):
606         (JSC::Stringifier::stringify):
607         (JSC::Stringifier::toJSON):
608         (JSC::Stringifier::appendStringifiedValue):
609         (JSC::Stringifier::Holder::appendNextProperty):
610         (JSC::Walker::walk):
611         (JSC::JSONProtoFuncParse):
612         * runtime/JSObject.cpp:
613         (JSC::ordinarySetSlow):
614         (JSC::JSObject::setPrototypeWithCycleCheck):
615         (JSC::callToPrimitiveFunction):
616         (JSC::JSObject::ordinaryToPrimitive):
617         (JSC::JSObject::defaultHasInstance):
618         (JSC::JSObject::getPropertyNames):
619         (JSC::JSObject::toNumber):
620         (JSC::JSObject::toString):
621         (JSC::JSObject::defineOwnNonIndexProperty):
622         (JSC::JSObject::getGenericPropertyNames):
623         (JSC::JSObject::getMethod):
624         * runtime/JSObjectInlines.h:
625         (JSC::createListFromArrayLike):
626         (JSC::JSObject::getPropertySlot):
627         (JSC::JSObject::getNonIndexPropertySlot):
628         * runtime/JSPromiseConstructor.cpp:
629         (JSC::constructPromise):
630         * runtime/JSPropertyNameEnumerator.h:
631         (JSC::propertyNameEnumerator):
632         * runtime/JSPropertyNameIterator.cpp:
633         (JSC::JSPropertyNameIterator::create):
634         * runtime/JSScope.cpp:
635         (JSC::isUnscopable):
636         (JSC::JSScope::resolve):
637         * runtime/JSString.cpp:
638         (JSC::JSString::equalSlowCase):
639         * runtime/JSStringJoiner.cpp:
640         (JSC::JSStringJoiner::join):
641         * runtime/LiteralParser.cpp:
642         (JSC::LiteralParser<CharType>::parse):
643         * runtime/MapConstructor.cpp:
644         (JSC::constructMap):
645         * runtime/MathObject.cpp:
646         (JSC::mathProtoFuncClz32):
647         (JSC::mathProtoFuncHypot):
648         (JSC::mathProtoFuncIMul):
649         * runtime/ModuleLoaderPrototype.cpp:
650         (JSC::moduleLoaderPrototypeParseModule):
651         (JSC::moduleLoaderPrototypeRequestedModules):
652         (JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
653         * runtime/NativeErrorConstructor.cpp:
654         (JSC::Interpreter::constructWithNativeErrorConstructor):
655         * runtime/NumberConstructor.cpp:
656         (JSC::constructWithNumberConstructor):
657         * runtime/ObjectConstructor.cpp:
658         (JSC::constructObject):
659         (JSC::objectConstructorGetPrototypeOf):
660         (JSC::objectConstructorSetPrototypeOf):
661         (JSC::objectConstructorGetOwnPropertyDescriptor):
662         (JSC::objectConstructorGetOwnPropertyDescriptors):
663         (JSC::objectConstructorGetOwnPropertyNames):
664         (JSC::objectConstructorGetOwnPropertySymbols):
665         (JSC::objectConstructorKeys):
666         (JSC::ownEnumerablePropertyKeys):
667         (JSC::toPropertyDescriptor):
668         (JSC::objectConstructorDefineProperty):
669         (JSC::defineProperties):
670         (JSC::objectConstructorSeal):
671         (JSC::objectConstructorFreeze):
672         (JSC::objectConstructorIsSealed):
673         (JSC::objectConstructorIsFrozen):
674         (JSC::objectConstructorIsExtensible):
675         (JSC::ownPropertyKeys):
676         * runtime/ObjectConstructor.h:
677         (JSC::constructObjectFromPropertyDescriptor):
678         * runtime/ObjectPrototype.cpp:
679         (JSC::objectProtoFuncHasOwnProperty):
680         (JSC::objectProtoFuncIsPrototypeOf):
681         (JSC::objectProtoFuncDefineGetter):
682         (JSC::objectProtoFuncDefineSetter):
683         (JSC::objectProtoFuncLookupGetter):
684         (JSC::objectProtoFuncLookupSetter):
685         (JSC::objectProtoFuncPropertyIsEnumerable):
686         (JSC::objectProtoFuncToLocaleString):
687         (JSC::objectProtoFuncToString):
688         * runtime/Operations.cpp:
689         (JSC::jsAddSlowCase):
690         * runtime/Options.h:
691         * runtime/PropertyDescriptor.cpp:
692         (JSC::PropertyDescriptor::slowGetterSetter):
693         * runtime/ProxyConstructor.cpp:
694         (JSC::makeRevocableProxy):
695         * runtime/ProxyObject.cpp:
696         (JSC::ProxyObject::toStringName):
697         (JSC::performProxyGet):
698         (JSC::ProxyObject::performGet):
699         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
700         (JSC::ProxyObject::performHasProperty):
701         (JSC::ProxyObject::performPut):
702         (JSC::ProxyObject::putByIndexCommon):
703         (JSC::performProxyCall):
704         (JSC::performProxyConstruct):
705         (JSC::ProxyObject::performDelete):
706         (JSC::ProxyObject::performPreventExtensions):
707         (JSC::ProxyObject::performIsExtensible):
708         (JSC::ProxyObject::performDefineOwnProperty):
709         (JSC::ProxyObject::performGetOwnPropertyNames):
710         (JSC::ProxyObject::performSetPrototype):
711         (JSC::ProxyObject::performGetPrototype):
712         * runtime/ReflectObject.cpp:
713         (JSC::reflectObjectConstruct):
714         (JSC::reflectObjectDefineProperty):
715         (JSC::reflectObjectGet):
716         (JSC::reflectObjectGetOwnPropertyDescriptor):
717         (JSC::reflectObjectIsExtensible):
718         (JSC::reflectObjectPreventExtensions):
719         (JSC::reflectObjectSet):
720         (JSC::reflectObjectSetPrototypeOf):
721         * runtime/RegExpConstructor.cpp:
722         (JSC::toFlags):
723         (JSC::regExpCreate):
724         (JSC::constructRegExp):
725         * runtime/RegExpConstructor.h:
726         (JSC::isRegExp):
727         * runtime/RegExpObject.cpp:
728         (JSC::collectMatches):
729         (JSC::RegExpObject::matchGlobal):
730         * runtime/RegExpPrototype.cpp:
731         (JSC::regExpProtoFuncCompile):
732         (JSC::flagsString):
733         (JSC::regExpProtoFuncToString):
734         (JSC::regExpProtoGetterFlags):
735         (JSC::regExpProtoFuncSearchFast):
736         (JSC::regExpProtoFuncSplitFast):
737         * runtime/SetConstructor.cpp:
738         (JSC::constructSet):
739         * runtime/StringConstructor.cpp:
740         (JSC::stringFromCodePoint):
741         (JSC::constructWithStringConstructor):
742         * runtime/StringObject.cpp:
743         (JSC::StringObject::defineOwnProperty):
744         * runtime/StringPrototype.cpp:
745         (JSC::replaceUsingRegExpSearch):
746         (JSC::operationStringProtoFuncReplaceRegExpEmptyStr):
747         (JSC::replaceUsingStringSearch):
748         (JSC::replace):
749         (JSC::stringProtoFuncReplaceUsingRegExp):
750         (JSC::stringProtoFuncReplaceUsingStringSearch):
751         (JSC::stringProtoFuncCodePointAt):
752         (JSC::stringProtoFuncSlice):
753         (JSC::stringProtoFuncSplitFast):
754         (JSC::stringProtoFuncSubstr):
755         (JSC::stringProtoFuncSubstring):
756         (JSC::stringProtoFuncLocaleCompare):
757         (JSC::toLocaleCase):
758         (JSC::stringProtoFuncBig):
759         (JSC::stringProtoFuncSmall):
760         (JSC::stringProtoFuncBlink):
761         (JSC::stringProtoFuncBold):
762         (JSC::stringProtoFuncFixed):
763         (JSC::stringProtoFuncItalics):
764         (JSC::stringProtoFuncStrike):
765         (JSC::stringProtoFuncSub):
766         (JSC::stringProtoFuncSup):
767         (JSC::stringProtoFuncFontcolor):
768         (JSC::stringProtoFuncFontsize):
769         (JSC::stringProtoFuncAnchor):
770         (JSC::stringProtoFuncLink):
771         (JSC::trimString):
772         (JSC::stringProtoFuncStartsWith):
773         (JSC::stringProtoFuncEndsWith):
774         (JSC::stringIncludesImpl):
775         (JSC::stringProtoFuncIncludes):
776         (JSC::builtinStringIncludesInternal):
777         (JSC::stringProtoFuncNormalize):
778         * runtime/SymbolConstructor.cpp:
779         (JSC::symbolConstructorFor):
780         * runtime/TemplateRegistry.cpp:
781         (JSC::TemplateRegistry::getTemplateObject):
782         * runtime/ThrowScope.cpp:
783         (JSC::ThrowScope::ThrowScope):
784         (JSC::ThrowScope::~ThrowScope):
785         (JSC::ThrowScope::throwException):
786         (JSC::ThrowScope::simulateThrow):
787         (JSC::ThrowScope::printIfNeedCheck): Deleted.
788         (JSC::ThrowScope::verifyExceptionCheckNeedIsSatisfied): Deleted.
789         * runtime/ThrowScope.h:
790         (JSC::ThrowScope::release):
791         (JSC::ThrowScope::ThrowScope):
792         (JSC::ThrowScope::throwException):
793         (JSC::ThrowScope::vm): Deleted.
794         (JSC::ThrowScope::exception): Deleted.
795         * runtime/ThrowScopeLocation.h: Removed.
796         * runtime/VM.cpp:
797         (JSC::VM::verifyExceptionCheckNeedIsSatisfied):
798         * runtime/VM.h:
799         (JSC::VM::exception):
800         (JSC::VM::clearException):
801         (JSC::VM::setException): Deleted.
802         * runtime/WeakMapConstructor.cpp:
803         (JSC::constructWeakMap):
804         * runtime/WeakSetConstructor.cpp:
805         (JSC::constructWeakSet):
806         * tools/JSDollarVMPrototype.cpp:
807         (JSC::functionPrint):
808
809 2016-09-07  Andy VanWagoner  <thetalecrafter@gmail.com>
810
811         [INTL] some valid language tags cause errors in Intl constructors
812         https://bugs.webkit.org/show_bug.cgi?id=161672
813
814         Reviewed by Mark Lam.
815
816         Fix private use tag parsing to match spec, allowing single character parts.
817         https://www.rfc-editor.org/rfc/bcp/bcp47.txt
818
819         ```
820         privateuse    = "x" 1*("-" (1*8alphanum))
821         ```
822
823         * runtime/IntlObject.cpp:
824         (JSC::privateUseLangTag): Allow singleton parts in private use tag.
825
826 2016-09-07  Benjamin Poulain  <bpoulain@apple.com>
827
828         [JSC] Remove a couple of useless forward declaration
829         https://bugs.webkit.org/show_bug.cgi?id=161676
830
831         Reviewed by Mark Lam.
832
833         JITMathICForwards.h should take care of declarating the Math ICs.
834
835         * bytecode/CodeBlock.h:
836         * jit/JITOperations.h:
837
838 2016-09-07  Filip Pizlo  <fpizlo@apple.com>
839
840         Make emitAllocateWithNonNullAllocator's sub32() disallow-scratch-friendly
841         https://bugs.webkit.org/show_bug.cgi?id=161706
842
843         Reviewed by Geoffrey Garen.
844         
845         You can't sub32(Addr, Reg) on not-x86 without using a scratch register. So, on those CPUs, we
846         have to do something different.
847
848         * jit/AssemblyHelpers.h:
849         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
850
851 2016-09-07  Michael Catanzaro  <mcatanzaro@igalia.com>
852
853         Unreviewed CMake build fix after r205552
854
855         * CMakeLists.txt:
856
857 2016-09-03  Keith Miller  <keith_miller@apple.com>
858
859         Add support for WASM Loops and Branches
860         https://bugs.webkit.org/show_bug.cgi?id=161569
861
862         Reviewed by Benjamin Poulain.
863
864         This patch adds support for loops and branches to WASM. In order
865         to support loops, we needed to change the way the B3IRGenerator
866         tracked control information. Now, the control data holds three
867         pieces of information: The continuation block, the loop branch
868         target, and variables exiting the block. Whenever we branch to
869         some control point we first check if it is a loop by checking that
870         the loop branch target is non-null. If the branch is not targeting
871         a loop, we map the stack values to the associated B3 variables for
872         that stack slot.
873
874         Another interesting thing of note is that we now only allocate the
875         continuation basic block lazily. This is beneficial when the
876         continuation would just fall through to another block anyway. For
877         example, in code like: (block ... (block (add 1 2) end) end) the
878         continuation for the inner block just falls through to the outer
879         block's continuation so we don't need an extra block.
880
881         * B3CallingConventions.cpp:
882         (JSC::B3::jscCallingConvention): Deleted.
883         * B3CallingConventions.h:
884         (JSC::B3::CallingConvention::CallingConvention): Deleted.
885         (JSC::B3::CallingConvention::iterate): Deleted.
886         (JSC::B3::nextJSCOffset): Deleted.
887         * JavaScriptCore.xcodeproj/project.pbxproj:
888         * b3/B3Type.h:
889         * testWASM.cpp:
890         (runWASMTests):
891         * wasm/WASMB3IRGenerator.cpp:
892         (JSC::WASM::B3IRGenerator::LazyBlock::LazyBlock):
893         (JSC::WASM::B3IRGenerator::LazyBlock::operator bool):
894         (JSC::WASM::B3IRGenerator::LazyBlock::get):
895         (JSC::WASM::B3IRGenerator::LazyBlock::dump):
896         (JSC::WASM::B3IRGenerator::ControlData::ControlData):
897         (JSC::WASM::B3IRGenerator::ControlData::dump):
898         (JSC::WASM::B3IRGenerator::ControlData::targetBlockForBranch):
899         (JSC::WASM::B3IRGenerator::ControlData::isLoop):
900         (JSC::WASM::B3IRGenerator::addLocal):
901         (JSC::WASM::B3IRGenerator::addArguments):
902         (JSC::WASM::B3IRGenerator::setLocal):
903         (JSC::WASM::B3IRGenerator::addBlock):
904         (JSC::WASM::B3IRGenerator::addLoop):
905         (JSC::WASM::B3IRGenerator::endBlock):
906         (JSC::WASM::B3IRGenerator::addReturn):
907         (JSC::WASM::B3IRGenerator::addBranch):
908         (JSC::WASM::B3IRGenerator::initializeIncommingTypes):
909         (JSC::WASM::B3IRGenerator::unifyValuesWithBlock):
910         (JSC::WASM::B3IRGenerator::controlDataForLevel):
911         (JSC::WASM::B3IRGenerator::dumpGraphAndControlStack):
912         (JSC::WASM::parseAndCompile):
913         (JSC::WASM::B3IRGenerator::unifyValuesWithLevel): Deleted.
914         (JSC::WASM::B3IRGenerator::stackForControlLevel): Deleted.
915         (JSC::WASM::B3IRGenerator::blockForControlLevel): Deleted.
916         * wasm/WASMCallingConvention.cpp: Renamed from Source/JavaScriptCore/B3CallingConventions.cpp.
917         (JSC::WASM::jscCallingConvention):
918         * wasm/WASMCallingConvention.h: Renamed from Source/JavaScriptCore/B3CallingConventions.h.
919         (JSC::WASM::CallingConvention::CallingConvention):
920         (JSC::WASM::CallingConvention::iterate):
921         (JSC::WASM::nextJSCOffset):
922         * wasm/WASMFormat.h:
923         (JSC::WASM::toB3Type):
924         (JSC::WASM::isValueType):
925         * wasm/WASMFunctionParser.h:
926         (JSC::WASM::FunctionParser<Context>::parse):
927         (JSC::WASM::FunctionParser<Context>::parseExpression):
928         * wasm/WASMModuleParser.cpp:
929         (JSC::WASM::ModuleParser::parseFunctionTypes):
930         * wasm/WASMOps.h:
931
932 2016-09-07  Youenn Fablet  <youenn@apple.com>
933
934         [Streams API] Separate compile flag for ReadableStream and WritableStream
935         https://bugs.webkit.org/show_bug.cgi?id=161044
936
937         Reviewed by Alex Christensen.
938
939         Moving from STREAMS_API to READABLE_STREAM_API and WRITABLE_STREAM_API compilation flags.
940         Updated builtin test to cover the case of @conditional taking ENABLE(XX) || ENABLE(YY) flag.
941
942         * Configurations/FeatureDefines.xcconfig:
943         * Scripts/tests/builtins/WebCore-GuardedInternalBuiltin-Separate.js:
944         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
945         * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
946
947 2016-09-07  Csaba Osztrogon√°c  <ossy@webkit.org>
948
949         Fix the ENABLE(WEBASSEMBLY) build on Linux
950         https://bugs.webkit.org/show_bug.cgi?id=161685
951
952         Unreviewed buildfix.
953
954         * wasm/JSWASMModule.cpp:
955
956 2016-09-06  Saam Barati  <sbarati@apple.com>
957
958         ProxyObject's structure should not have ObjectPrototype as its prototype and it should not have special behavior for intercepting "__proto__"
959         https://bugs.webkit.org/show_bug.cgi?id=161558
960
961         Reviewed by Benjamin Poulain.
962
963         ProxyObject had ObjectPrototype as its direct prototype.
964         This could lead to infinite loops when doing a getDirectPrototype()
965         loop.
966
967         Fixing this bug revealed another bug, which I made when implementing Proxy.
968         We should not special case "__proto__" in get and set for Proxy Object's
969         hooks. "__proto__" should just go through the normal set and get path.
970
971         * runtime/JSGlobalObject.cpp:
972         (JSC::JSGlobalObject::init):
973         * runtime/ProxyObject.cpp:
974         (JSC::performProxyGet):
975         (JSC::ProxyObject::put):
976
977 2016-09-06  Yusuke Suzuki  <utatane.tea@gmail.com>
978
979         Make JSC::PrivateName copyable
980         https://bugs.webkit.org/show_bug.cgi?id=161666
981
982         Reviewed by Ryosuke Niwa.
983
984         Define the custom copy constructor to make PrivateName copyable while using Ref<SymbolImpl>.
985         And since the custom copy constructor deletes the default move constructor, we explcitly define
986         it by `= default;`.
987
988         * runtime/PrivateName.h:
989         (JSC::PrivateName::PrivateName):
990
991 2016-09-06  Daniel Bates  <dabates@apple.com>
992
993         [iOS] Build fails in JSCLLIntOffsetsExtractor - Ad Hoc code signing is not allowed with SDK 'Simulator - iOS 10.0'
994         https://bugs.webkit.org/show_bug.cgi?id=161296
995
996         Reviewed by Dan Bernstein.
997
998         Allow ad-hoc code signing when building JavaScriptCore command line tools for simulator
999         with the iOS 10 beta SDK.
1000
1001         * Configurations/Base.xcconfig:
1002
1003 2016-09-06  Saam Barati  <sbarati@apple.com>
1004
1005         Unreviewed build fix for 32-bit platforms after r205520.
1006
1007         * dfg/DFGSpeculativeJIT.h:
1008         (JSC::DFG::SpeculativeJIT::callOperation): Deleted.
1009
1010 2016-09-06  Saam Barati  <sbarati@apple.com>
1011
1012         Member call on NULL pointer in JavaScriptCore/dfg/DFGAbstractInterpretterInlines.h
1013         https://bugs.webkit.org/show_bug.cgi?id=160870
1014
1015         Reviewed by Darin Adler.
1016
1017         Credit goes to Jonathan Bedard for finding this bug using the undefined
1018         behavior sanitizer.
1019
1020         The rule for MaterializeNewObject inside AI was assuming that the graph
1021         is in SSA form. This used to be true when MaterializeNewObject was only
1022         inserted by the allocation sinking phase. However, Filip added more uses
1023         of MaterializeNewObject in his RegExp constant folding patch. This fixes
1024         the bug by using the structure set inside the Node's OpInfo rather than
1025         generating it from m_phiChildren inside AI.
1026
1027         * dfg/DFGAbstractInterpreterInlines.h:
1028         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1029
1030 2016-09-06  Saam Barati  <sbarati@apple.com>
1031
1032         Make JSMap and JSSet faster
1033         https://bugs.webkit.org/show_bug.cgi?id=160989
1034
1035         Reviewed by Filip Pizlo.
1036
1037         This patch revamps how we implement Map and Set. It uses
1038         a new hash map implementation. The hash map uses linear
1039         probing and it uses Wang's 64 bit hash function for JSValues
1040         that aren't strings. Strings use StringImpl's hash function.
1041         The reason I wanted to roll our own HashTable is twofold:
1042         I didn't want to inline WTF::HashMap's implementation into our
1043         JIT, since that seems error prone and unmaintainable. Also, I wanted
1044         a different structure for hash map buckets where buckets also exist in
1045         a linked list.
1046
1047         The reason for making buckets part of a linked list is that iteration
1048         is now simple. Iteration works by just traversing a linked list.
1049         This design also allows for a simple implementation when doing iteration
1050         while the hash table is mutating. Whenever we remove a bucket from
1051         the hash table, it is removed from the list, meaning items in the
1052         list don't point to it. However, the removed bucket will still point
1053         to things that are either in the list, or have also been removed.
1054         e.g, from a removed bucket, you can always follow pointers until you
1055         either find an item in the list, or you find the tail of the list.
1056         This is a really nice property because it means that a Map or Set
1057         does not need to reason about the all the iterators that point
1058         into its list. Also, whenever we add items to the Map or Set, we
1059         hijack the tail as the new item, and make the new item point to a newly
1060         created tail. This means that any iterator that pointed to the "tail" now
1061         points to non-tail items. This makes the implementation of adding things
1062         to the Map/Set while iterating easy.
1063
1064         I also made Map.prototype.get, Map.prototype.has, and Set.prototype.has
1065         into intrinsics in the DFG. The IR can now reason about hash map
1066         operations and can even do CSE over Wang's hash function, hash map
1067         bucket lookups, hash map bucket loads, and testing if a key is in
1068         the hash table. This makes code patterns for Map like so, super fast
1069         in the FTL, since we will only be doing a single hash and hash bucket lookup:
1070
1071         ```
1072         function getKeyIfPresent(map, key) {
1073             if (map.has(key))
1074                 return map.get(key);
1075         }
1076         ```
1077
1078         This patch is roughly an 8% speedup on ES6SampleBench.
1079
1080
1081         * CMakeLists.txt:
1082         * JavaScriptCore.xcodeproj/project.pbxproj:
1083         * assembler/MacroAssemblerARM64.h:
1084         (JSC::MacroAssemblerARM64::not64):
1085         * bytecode/SpeculatedType.cpp:
1086         (JSC::speculationFromClassInfo):
1087         * bytecode/SpeculatedType.h:
1088         * dfg/DFGAbstractInterpreterInlines.h:
1089         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1090         (JSC::DFG::AbstractInterpreter<AbstractStateType>::execute):
1091         * dfg/DFGByteCodeParser.cpp:
1092         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1093         * dfg/DFGClobberize.h:
1094         (JSC::DFG::clobberize):
1095         * dfg/DFGDoesGC.cpp:
1096         (JSC::DFG::doesGC):
1097         * dfg/DFGEdge.h:
1098         (JSC::DFG::Edge::shift):
1099         (JSC::DFG::Edge::makeWord):
1100         * dfg/DFGFixupPhase.cpp:
1101         (JSC::DFG::FixupPhase::fixupNode):
1102         * dfg/DFGHeapLocation.cpp:
1103         (WTF::printInternal):
1104         * dfg/DFGHeapLocation.h:
1105         * dfg/DFGNode.h:
1106         (JSC::DFG::Node::hasHeapPrediction):
1107         * dfg/DFGNodeType.h:
1108         * dfg/DFGOperations.cpp:
1109         * dfg/DFGOperations.h:
1110         * dfg/DFGPredictionPropagationPhase.cpp:
1111         * dfg/DFGSafeToExecute.h:
1112         (JSC::DFG::SafeToExecuteEdge::operator()):
1113         (JSC::DFG::safeToExecute):
1114         * dfg/DFGSpeculativeJIT.cpp:
1115         (JSC::DFG::SpeculativeJIT::speculateMapObject):
1116         (JSC::DFG::SpeculativeJIT::speculateSetObject):
1117         (JSC::DFG::SpeculativeJIT::speculate):
1118         * dfg/DFGSpeculativeJIT.h:
1119         (JSC::DFG::SpeculativeJIT::callOperation):
1120         * dfg/DFGSpeculativeJIT32_64.cpp:
1121         (JSC::DFG::SpeculativeJIT::compile):
1122         * dfg/DFGSpeculativeJIT64.cpp:
1123         (JSC::DFG::SpeculativeJIT::compile):
1124         * dfg/DFGUseKind.cpp:
1125         (WTF::printInternal):
1126         * dfg/DFGUseKind.h:
1127         (JSC::DFG::typeFilterFor):
1128         (JSC::DFG::isCell):
1129         * ftl/FTLAbstractHeapRepository.h:
1130         * ftl/FTLCapabilities.cpp:
1131         (JSC::FTL::canCompile):
1132         * ftl/FTLLowerDFGToB3.cpp:
1133         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1134         (JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
1135         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
1136         (JSC::FTL::DFG::LowerDFGToB3::compileLoadFromJSMapBucket):
1137         (JSC::FTL::DFG::LowerDFGToB3::compileIsNonEmptyMapBucket):
1138         (JSC::FTL::DFG::LowerDFGToB3::lowMapObject):
1139         (JSC::FTL::DFG::LowerDFGToB3::lowSetObject):
1140         (JSC::FTL::DFG::LowerDFGToB3::lowMapBucket):
1141         (JSC::FTL::DFG::LowerDFGToB3::speculate):
1142         (JSC::FTL::DFG::LowerDFGToB3::speculateMapObject):
1143         (JSC::FTL::DFG::LowerDFGToB3::speculateSetObject):
1144         (JSC::FTL::DFG::LowerDFGToB3::setMapBucket):
1145         (JSC::FTL::DFG::LowerDFGToB3::lowRegExpObject): Deleted.
1146         (JSC::FTL::DFG::LowerDFGToB3::lowStorage): Deleted.
1147         (JSC::FTL::DFG::LowerDFGToB3::speculateRegExpObject): Deleted.
1148         (JSC::FTL::DFG::LowerDFGToB3::setStorage): Deleted.
1149         * jit/AssemblyHelpers.cpp:
1150         (JSC::AssemblyHelpers::wangsInt64Hash):
1151         * jit/AssemblyHelpers.h:
1152         (JSC::AssemblyHelpers::emitAllocateDestructibleObject): Deleted.
1153         * jit/JITOperations.h:
1154         * parser/ModuleAnalyzer.cpp:
1155         (JSC::ModuleAnalyzer::ModuleAnalyzer):
1156         * runtime/HashMapImpl.cpp: Added.
1157         (JSC::HashMapBucket<Data>::visitChildren):
1158         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
1159         (JSC::HashMapImpl<HashMapBucket>::copyBackingStore):
1160         * runtime/HashMapImpl.h: Added.
1161         (JSC::HashMapBucket::selectStructure):
1162         (JSC::HashMapBucket::createStructure):
1163         (JSC::HashMapBucket::create):
1164         (JSC::HashMapBucket::HashMapBucket):
1165         (JSC::HashMapBucket::setNext):
1166         (JSC::HashMapBucket::setPrev):
1167         (JSC::HashMapBucket::setKey):
1168         (JSC::HashMapBucket::setValue):
1169         (JSC::HashMapBucket::key):
1170         (JSC::HashMapBucket::value):
1171         (JSC::HashMapBucket::next):
1172         (JSC::HashMapBucket::prev):
1173         (JSC::HashMapBucket::deleted):
1174         (JSC::HashMapBucket::setDeleted):
1175         (JSC::HashMapBucket::offsetOfKey):
1176         (JSC::HashMapBucket::offsetOfValue):
1177         (JSC::HashMapBuffer::allocationSize):
1178         (JSC::HashMapBuffer::buffer):
1179         (JSC::HashMapBuffer::create):
1180         (JSC::areKeysEqual):
1181         (JSC::normalizeMapKey):
1182         (JSC::jsMapHash):
1183         (JSC::HashMapImpl::selectStructure):
1184         (JSC::HashMapImpl::createStructure):
1185         (JSC::HashMapImpl::create):
1186         (JSC::HashMapImpl::HashMapImpl):
1187         (JSC::HashMapImpl::buffer):
1188         (JSC::HashMapImpl::finishCreation):
1189         (JSC::HashMapImpl::emptyValue):
1190         (JSC::HashMapImpl::isEmpty):
1191         (JSC::HashMapImpl::deletedValue):
1192         (JSC::HashMapImpl::isDeleted):
1193         (JSC::HashMapImpl::findBucket):
1194         (JSC::HashMapImpl::get):
1195         (JSC::HashMapImpl::has):
1196         (JSC::HashMapImpl::add):
1197         (JSC::HashMapImpl::remove):
1198         (JSC::HashMapImpl::size):
1199         (JSC::HashMapImpl::clear):
1200         (JSC::HashMapImpl::bufferSizeInBytes):
1201         (JSC::HashMapImpl::offsetOfBuffer):
1202         (JSC::HashMapImpl::offsetOfCapacity):
1203         (JSC::HashMapImpl::head):
1204         (JSC::HashMapImpl::tail):
1205         (JSC::HashMapImpl::approximateSize):
1206         (JSC::HashMapImpl::findBucketAlreadyHashedAndNormalized):
1207         (JSC::HashMapImpl::rehash):
1208         (JSC::HashMapImpl::makeAndSetNewBuffer):
1209         * runtime/Intrinsic.h:
1210         * runtime/JSCJSValue.h:
1211         * runtime/JSCJSValueInlines.h:
1212         (JSC::sameValue):
1213         * runtime/JSGlobalObject.cpp:
1214         (JSC::JSGlobalObject::init):
1215         * runtime/JSMap.cpp:
1216         (JSC::JSMap::destroy): Deleted.
1217         (JSC::JSMap::estimatedSize): Deleted.
1218         (JSC::JSMap::visitChildren): Deleted.
1219         (JSC::JSMap::copyBackingStore): Deleted.
1220         (JSC::JSMap::has): Deleted.
1221         (JSC::JSMap::size): Deleted.
1222         (JSC::JSMap::get): Deleted.
1223         (JSC::JSMap::set): Deleted.
1224         (JSC::JSMap::clear): Deleted.
1225         (JSC::JSMap::remove): Deleted.
1226         * runtime/JSMap.h:
1227         (JSC::JSMap::createStructure):
1228         (JSC::JSMap::create):
1229         (JSC::JSMap::get):
1230         (JSC::JSMap::set):
1231         (JSC::JSMap::JSMap):
1232         (JSC::JSMap::Entry::key): Deleted.
1233         (JSC::JSMap::Entry::value): Deleted.
1234         (JSC::JSMap::Entry::visitChildren): Deleted.
1235         (JSC::JSMap::Entry::setKey): Deleted.
1236         (JSC::JSMap::Entry::setKeyWithoutWriteBarrier): Deleted.
1237         (JSC::JSMap::Entry::setValue): Deleted.
1238         (JSC::JSMap::Entry::clear): Deleted.
1239         * runtime/JSMapIterator.cpp:
1240         (JSC::JSMapIterator::finishCreation):
1241         (JSC::JSMapIterator::visitChildren):
1242         (JSC::JSMapIterator::clone):
1243         * runtime/JSMapIterator.h:
1244         (JSC::JSMapIterator::advanceIter):
1245         (JSC::JSMapIterator::next):
1246         (JSC::JSMapIterator::nextKeyValue):
1247         (JSC::JSMapIterator::JSMapIterator):
1248         (JSC::JSMapIterator::setIterator):
1249         (JSC::JSMapIterator::finish): Deleted.
1250         (JSC::JSMapIterator::iteratorData): Deleted.
1251         * runtime/JSModuleLoader.cpp:
1252         (JSC::JSModuleLoader::finishCreation):
1253         * runtime/JSModuleLoader.h:
1254         (JSC::JSModuleLoader::create):
1255         * runtime/JSModuleRecord.cpp:
1256         (JSC::JSModuleRecord::finishCreation):
1257         * runtime/JSModuleRecord.h:
1258         (JSC::JSModuleRecord::create):
1259         * runtime/JSSet.cpp:
1260         (JSC::JSSet::destroy): Deleted.
1261         (JSC::JSSet::estimatedSize): Deleted.
1262         (JSC::JSSet::visitChildren): Deleted.
1263         (JSC::JSSet::copyBackingStore): Deleted.
1264         (JSC::JSSet::has): Deleted.
1265         (JSC::JSSet::size): Deleted.
1266         (JSC::JSSet::add): Deleted.
1267         (JSC::JSSet::clear): Deleted.
1268         (JSC::JSSet::remove): Deleted.
1269         * runtime/JSSet.h:
1270         (JSC::JSSet::createStructure):
1271         (JSC::JSSet::create):
1272         (JSC::JSSet::add):
1273         (JSC::JSSet::JSSet):
1274         (JSC::JSSet::Entry::key): Deleted.
1275         (JSC::JSSet::Entry::value): Deleted.
1276         (JSC::JSSet::Entry::visitChildren): Deleted.
1277         (JSC::JSSet::Entry::setKey): Deleted.
1278         (JSC::JSSet::Entry::setKeyWithoutWriteBarrier): Deleted.
1279         (JSC::JSSet::Entry::setValue): Deleted.
1280         (JSC::JSSet::Entry::clear): Deleted.
1281         * runtime/JSSetIterator.cpp:
1282         (JSC::JSSetIterator::finishCreation):
1283         (JSC::JSSetIterator::visitChildren):
1284         (JSC::JSSetIterator::clone):
1285         * runtime/JSSetIterator.h:
1286         (JSC::JSSetIterator::advanceIter):
1287         (JSC::JSSetIterator::next):
1288         (JSC::JSSetIterator::JSSetIterator):
1289         (JSC::JSSetIterator::setIterator):
1290         (JSC::JSSetIterator::finish): Deleted.
1291         (JSC::JSSetIterator::iteratorData): Deleted.
1292         * runtime/JSType.h:
1293         * runtime/MapBase.cpp: Added.
1294         (JSC::MapBase<HashMapBucketType>::visitChildren):
1295         (JSC::MapBase<HashMapBucketType>::estimatedSize):
1296         * runtime/MapBase.h: Added.
1297         (JSC::MapBase::size):
1298         (JSC::MapBase::has):
1299         (JSC::MapBase::clear):
1300         (JSC::MapBase::remove):
1301         (JSC::MapBase::findBucket):
1302         (JSC::MapBase::offsetOfHashMapImpl):
1303         (JSC::MapBase::impl):
1304         (JSC::MapBase::finishCreation):
1305         (JSC::MapBase::MapBase):
1306         * runtime/MapConstructor.cpp:
1307         (JSC::constructMap):
1308         * runtime/MapIteratorPrototype.cpp:
1309         (JSC::MapIteratorPrototypeFuncNext):
1310         * runtime/MapPrototype.cpp:
1311         (JSC::MapPrototype::finishCreation):
1312         (JSC::getMap):
1313         (JSC::privateFuncIsMap):
1314         (JSC::privateFuncMapIteratorNext):
1315         * runtime/PropertyDescriptor.cpp:
1316         (JSC::sameValue): Deleted.
1317         * runtime/PropertyDescriptor.h:
1318         * runtime/SetConstructor.cpp:
1319         (JSC::constructSet):
1320         * runtime/SetIteratorPrototype.cpp:
1321         (JSC::SetIteratorPrototypeFuncNext):
1322         * runtime/SetPrototype.cpp:
1323         (JSC::SetPrototype::finishCreation):
1324         (JSC::getSet):
1325         (JSC::privateFuncSetIteratorNext):
1326         * runtime/VM.cpp:
1327         (JSC::VM::VM):
1328         * runtime/VM.h:
1329
1330 2016-09-06  Benjamin Poulain  <bpoulain@apple.com>
1331
1332         [JSC] Make ArithClz32 work with Cell arguments
1333         https://bugs.webkit.org/show_bug.cgi?id=161369
1334
1335         Reviewed by Geoffrey Garen.
1336
1337         ArithClz32 was already working with all primitive types
1338         thanks to the magic of ValueToInt32.
1339         This patch adds support for cell arguments through a function
1340         call.
1341
1342         * dfg/DFGAbstractInterpreterInlines.h:
1343         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1344         * dfg/DFGClobberize.h:
1345         (JSC::DFG::clobberize):
1346         * dfg/DFGFixupPhase.cpp:
1347         (JSC::DFG::FixupPhase::fixupNode):
1348         * dfg/DFGNodeType.h:
1349         * dfg/DFGOperations.cpp:
1350         * dfg/DFGOperations.h:
1351         * dfg/DFGSpeculativeJIT.cpp:
1352         (JSC::DFG::SpeculativeJIT::compileArithClz32):
1353         * dfg/DFGSpeculativeJIT.h:
1354         (JSC::DFG::SpeculativeJIT::callOperation):
1355         * ftl/FTLLowerDFGToB3.cpp:
1356         (JSC::FTL::DFG::LowerDFGToB3::compileArithClz32):
1357
1358 2016-09-06  Mark Lam  <mark.lam@apple.com>
1359
1360         Gardening: change to use old header guard to appease Win EWS.
1361
1362         Not reviewed.
1363
1364         * runtime/AuxiliaryBarrier.h:
1365
1366 2016-09-06  Commit Queue  <commit-queue@webkit.org>
1367
1368         Unreviewed, rolling out r205494.
1369         https://bugs.webkit.org/show_bug.cgi?id=161646
1370
1371         This change broke the Windows build (Requested by ryanhaddad
1372         on #webkit).
1373
1374         Reverted changeset:
1375
1376         "Typed arrays should use MarkedSpace instead of CopiedSpace"
1377         https://bugs.webkit.org/show_bug.cgi?id=161100
1378         http://trac.webkit.org/changeset/205494
1379
1380 2016-09-06  Commit Queue  <commit-queue@webkit.org>
1381
1382         Unreviewed, rolling out r205504.
1383         https://bugs.webkit.org/show_bug.cgi?id=161645
1384
1385         Broke the iOS device build (Requested by ryanhaddad on
1386         #webkit).
1387
1388         Reverted changeset:
1389
1390         "Make JSMap and JSSet faster"
1391         https://bugs.webkit.org/show_bug.cgi?id=160989
1392         http://trac.webkit.org/changeset/205504
1393
1394 2016-09-06  Saam Barati  <sbarati@apple.com>
1395
1396         Make JSMap and JSSet faster
1397         https://bugs.webkit.org/show_bug.cgi?id=160989
1398
1399         Reviewed by Filip Pizlo.
1400
1401         This patch revamps how we implement Map and Set. It uses
1402         a new hash map implementation. The hash map uses linear
1403         probing and it uses Wang's 64 bit hash function for JSValues
1404         that aren't strings. Strings use StringImpl's hash function.
1405         The reason I wanted to roll our own HashTable is twofold:
1406         I didn't want to inline WTF::HashMap's implementation into our
1407         JIT, since that seems error prone and unmaintainable. Also, I wanted
1408         a different structure for hash map buckets where buckets also exist in
1409         a linked list.
1410
1411         The reason for making buckets part of a linked list is that iteration
1412         is now simple. Iteration works by just traversing a linked list.
1413         This design also allows for a simple implementation when doing iteration
1414         while the hash table is mutating. Whenever we remove a bucket from
1415         the hash table, it is removed from the list, meaning items in the
1416         list don't point to it. However, the removed bucket will still point
1417         to things that are either in the list, or have also been removed.
1418         e.g, from a removed bucket, you can always follow pointers until you
1419         either find an item in the list, or you find the tail of the list.
1420         This is a really nice property because it means that a Map or Set
1421         does not need to reason about the all the iterators that point
1422         into its list. Also, whenever we add items to the Map or Set, we
1423         hijack the tail as the new item, and make the new item point to a newly
1424         created tail. This means that any iterator that pointed to the "tail" now
1425         points to non-tail items. This makes the implementation of adding things
1426         to the Map/Set while iterating easy.
1427
1428         I also made Map.prototype.get, Map.prototype.has, and Set.prototype.has
1429         into intrinsics in the DFG. The IR can now reason about hash map
1430         operations and can even do CSE over Wang's hash function, hash map
1431         bucket lookups, hash map bucket loads, and testing if a key is in
1432         the hash table. This makes code patterns for Map like so, super fast
1433         in the FTL, since we will only be doing a single hash and hash bucket lookup:
1434
1435         ```
1436         function getKeyIfPresent(map, key) {
1437             if (map.has(key))
1438                 return map.get(key);
1439         }
1440         ```
1441
1442         This patch is roughly an 8% speedup on ES6SampleBench.
1443
1444         * CMakeLists.txt:
1445         * JavaScriptCore.xcodeproj/project.pbxproj:
1446         * bytecode/SpeculatedType.cpp:
1447         (JSC::speculationFromClassInfo):
1448         * bytecode/SpeculatedType.h:
1449         * dfg/DFGAbstractInterpreterInlines.h:
1450         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1451         (JSC::DFG::AbstractInterpreter<AbstractStateType>::execute):
1452         * dfg/DFGByteCodeParser.cpp:
1453         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1454         * dfg/DFGClobberize.h:
1455         (JSC::DFG::clobberize):
1456         * dfg/DFGDoesGC.cpp:
1457         (JSC::DFG::doesGC):
1458         * dfg/DFGEdge.h:
1459         (JSC::DFG::Edge::shift):
1460         (JSC::DFG::Edge::makeWord):
1461         * dfg/DFGFixupPhase.cpp:
1462         (JSC::DFG::FixupPhase::fixupNode):
1463         * dfg/DFGHeapLocation.cpp:
1464         (WTF::printInternal):
1465         * dfg/DFGHeapLocation.h:
1466         * dfg/DFGNode.h:
1467         (JSC::DFG::Node::hasHeapPrediction):
1468         * dfg/DFGNodeType.h:
1469         * dfg/DFGOperations.cpp:
1470         * dfg/DFGOperations.h:
1471         * dfg/DFGPredictionPropagationPhase.cpp:
1472         * dfg/DFGSafeToExecute.h:
1473         (JSC::DFG::SafeToExecuteEdge::operator()):
1474         (JSC::DFG::safeToExecute):
1475         * dfg/DFGSpeculativeJIT.cpp:
1476         (JSC::DFG::SpeculativeJIT::speculateMapObject):
1477         (JSC::DFG::SpeculativeJIT::speculateSetObject):
1478         (JSC::DFG::SpeculativeJIT::speculate):
1479         * dfg/DFGSpeculativeJIT.h:
1480         (JSC::DFG::SpeculativeJIT::callOperation):
1481         * dfg/DFGSpeculativeJIT32_64.cpp:
1482         (JSC::DFG::SpeculativeJIT::compile):
1483         * dfg/DFGSpeculativeJIT64.cpp:
1484         (JSC::DFG::SpeculativeJIT::compile):
1485         * dfg/DFGUseKind.cpp:
1486         (WTF::printInternal):
1487         * dfg/DFGUseKind.h:
1488         (JSC::DFG::typeFilterFor):
1489         (JSC::DFG::isCell):
1490         * ftl/FTLAbstractHeapRepository.h:
1491         * ftl/FTLCapabilities.cpp:
1492         (JSC::FTL::canCompile):
1493         * ftl/FTLLowerDFGToB3.cpp:
1494         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1495         (JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
1496         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
1497         (JSC::FTL::DFG::LowerDFGToB3::compileLoadFromJSMapBucket):
1498         (JSC::FTL::DFG::LowerDFGToB3::compileIsNonEmptyMapBucket):
1499         (JSC::FTL::DFG::LowerDFGToB3::lowMapObject):
1500         (JSC::FTL::DFG::LowerDFGToB3::lowSetObject):
1501         (JSC::FTL::DFG::LowerDFGToB3::lowMapBucket):
1502         (JSC::FTL::DFG::LowerDFGToB3::speculate):
1503         (JSC::FTL::DFG::LowerDFGToB3::speculateMapObject):
1504         (JSC::FTL::DFG::LowerDFGToB3::speculateSetObject):
1505         (JSC::FTL::DFG::LowerDFGToB3::setMapBucket):
1506         (JSC::FTL::DFG::LowerDFGToB3::lowRegExpObject): Deleted.
1507         (JSC::FTL::DFG::LowerDFGToB3::lowStorage): Deleted.
1508         (JSC::FTL::DFG::LowerDFGToB3::speculateRegExpObject): Deleted.
1509         (JSC::FTL::DFG::LowerDFGToB3::setStorage): Deleted.
1510         * jit/AssemblyHelpers.cpp:
1511         (JSC::AssemblyHelpers::wangsInt64Hash):
1512         * jit/AssemblyHelpers.h:
1513         (JSC::AssemblyHelpers::emitAllocateDestructibleObject): Deleted.
1514         * jit/JITOperations.h:
1515         * parser/ModuleAnalyzer.cpp:
1516         (JSC::ModuleAnalyzer::ModuleAnalyzer):
1517         * runtime/HashMapImpl.cpp: Added.
1518         (JSC::HashMapBucket<Data>::visitChildren):
1519         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
1520         (JSC::HashMapImpl<HashMapBucket>::copyBackingStore):
1521         * runtime/HashMapImpl.h: Added.
1522         (JSC::HashMapBucket::selectStructure):
1523         (JSC::HashMapBucket::createStructure):
1524         (JSC::HashMapBucket::create):
1525         (JSC::HashMapBucket::HashMapBucket):
1526         (JSC::HashMapBucket::setNext):
1527         (JSC::HashMapBucket::setPrev):
1528         (JSC::HashMapBucket::setKey):
1529         (JSC::HashMapBucket::setValue):
1530         (JSC::HashMapBucket::key):
1531         (JSC::HashMapBucket::value):
1532         (JSC::HashMapBucket::next):
1533         (JSC::HashMapBucket::prev):
1534         (JSC::HashMapBucket::deleted):
1535         (JSC::HashMapBucket::setDeleted):
1536         (JSC::HashMapBucket::offsetOfKey):
1537         (JSC::HashMapBucket::offsetOfValue):
1538         (JSC::HashMapBuffer::allocationSize):
1539         (JSC::HashMapBuffer::buffer):
1540         (JSC::HashMapBuffer::create):
1541         (JSC::areKeysEqual):
1542         (JSC::normalizeMapKey):
1543         (JSC::jsMapHash):
1544         (JSC::HashMapImpl::selectStructure):
1545         (JSC::HashMapImpl::createStructure):
1546         (JSC::HashMapImpl::create):
1547         (JSC::HashMapImpl::HashMapImpl):
1548         (JSC::HashMapImpl::buffer):
1549         (JSC::HashMapImpl::finishCreation):
1550         (JSC::HashMapImpl::emptyValue):
1551         (JSC::HashMapImpl::isEmpty):
1552         (JSC::HashMapImpl::deletedValue):
1553         (JSC::HashMapImpl::isDeleted):
1554         (JSC::HashMapImpl::findBucket):
1555         (JSC::HashMapImpl::get):
1556         (JSC::HashMapImpl::has):
1557         (JSC::HashMapImpl::add):
1558         (JSC::HashMapImpl::remove):
1559         (JSC::HashMapImpl::size):
1560         (JSC::HashMapImpl::clear):
1561         (JSC::HashMapImpl::bufferSizeInBytes):
1562         (JSC::HashMapImpl::offsetOfBuffer):
1563         (JSC::HashMapImpl::offsetOfCapacity):
1564         (JSC::HashMapImpl::head):
1565         (JSC::HashMapImpl::tail):
1566         (JSC::HashMapImpl::approximateSize):
1567         (JSC::HashMapImpl::findBucketAlreadyHashedAndNormalized):
1568         (JSC::HashMapImpl::rehash):
1569         (JSC::HashMapImpl::makeAndSetNewBuffer):
1570         * runtime/Intrinsic.h:
1571         * runtime/JSCJSValue.h:
1572         * runtime/JSCJSValueInlines.h:
1573         (JSC::sameValue):
1574         * runtime/JSGlobalObject.cpp:
1575         (JSC::JSGlobalObject::init):
1576         * runtime/JSMap.cpp:
1577         (JSC::JSMap::destroy): Deleted.
1578         (JSC::JSMap::estimatedSize): Deleted.
1579         (JSC::JSMap::visitChildren): Deleted.
1580         (JSC::JSMap::copyBackingStore): Deleted.
1581         (JSC::JSMap::has): Deleted.
1582         (JSC::JSMap::size): Deleted.
1583         (JSC::JSMap::get): Deleted.
1584         (JSC::JSMap::set): Deleted.
1585         (JSC::JSMap::clear): Deleted.
1586         (JSC::JSMap::remove): Deleted.
1587         * runtime/JSMap.h:
1588         (JSC::JSMap::createStructure):
1589         (JSC::JSMap::create):
1590         (JSC::JSMap::get):
1591         (JSC::JSMap::set):
1592         (JSC::JSMap::JSMap):
1593         (JSC::JSMap::Entry::key): Deleted.
1594         (JSC::JSMap::Entry::value): Deleted.
1595         (JSC::JSMap::Entry::visitChildren): Deleted.
1596         (JSC::JSMap::Entry::setKey): Deleted.
1597         (JSC::JSMap::Entry::setKeyWithoutWriteBarrier): Deleted.
1598         (JSC::JSMap::Entry::setValue): Deleted.
1599         (JSC::JSMap::Entry::clear): Deleted.
1600         * runtime/JSMapIterator.cpp:
1601         (JSC::JSMapIterator::finishCreation):
1602         (JSC::JSMapIterator::visitChildren):
1603         (JSC::JSMapIterator::clone):
1604         * runtime/JSMapIterator.h:
1605         (JSC::JSMapIterator::advanceIter):
1606         (JSC::JSMapIterator::next):
1607         (JSC::JSMapIterator::nextKeyValue):
1608         (JSC::JSMapIterator::JSMapIterator):
1609         (JSC::JSMapIterator::setIterator):
1610         (JSC::JSMapIterator::finish): Deleted.
1611         (JSC::JSMapIterator::iteratorData): Deleted.
1612         * runtime/JSModuleLoader.cpp:
1613         (JSC::JSModuleLoader::finishCreation):
1614         * runtime/JSModuleLoader.h:
1615         (JSC::JSModuleLoader::create):
1616         * runtime/JSModuleRecord.cpp:
1617         (JSC::JSModuleRecord::finishCreation):
1618         * runtime/JSModuleRecord.h:
1619         (JSC::JSModuleRecord::create):
1620         * runtime/JSSet.cpp:
1621         (JSC::JSSet::destroy): Deleted.
1622         (JSC::JSSet::estimatedSize): Deleted.
1623         (JSC::JSSet::visitChildren): Deleted.
1624         (JSC::JSSet::copyBackingStore): Deleted.
1625         (JSC::JSSet::has): Deleted.
1626         (JSC::JSSet::size): Deleted.
1627         (JSC::JSSet::add): Deleted.
1628         (JSC::JSSet::clear): Deleted.
1629         (JSC::JSSet::remove): Deleted.
1630         * runtime/JSSet.h:
1631         (JSC::JSSet::createStructure):
1632         (JSC::JSSet::create):
1633         (JSC::JSSet::add):
1634         (JSC::JSSet::JSSet):
1635         (JSC::JSSet::Entry::key): Deleted.
1636         (JSC::JSSet::Entry::value): Deleted.
1637         (JSC::JSSet::Entry::visitChildren): Deleted.
1638         (JSC::JSSet::Entry::setKey): Deleted.
1639         (JSC::JSSet::Entry::setKeyWithoutWriteBarrier): Deleted.
1640         (JSC::JSSet::Entry::setValue): Deleted.
1641         (JSC::JSSet::Entry::clear): Deleted.
1642         * runtime/JSSetIterator.cpp:
1643         (JSC::JSSetIterator::finishCreation):
1644         (JSC::JSSetIterator::visitChildren):
1645         (JSC::JSSetIterator::clone):
1646         * runtime/JSSetIterator.h:
1647         (JSC::JSSetIterator::advanceIter):
1648         (JSC::JSSetIterator::next):
1649         (JSC::JSSetIterator::JSSetIterator):
1650         (JSC::JSSetIterator::setIterator):
1651         (JSC::JSSetIterator::finish): Deleted.
1652         (JSC::JSSetIterator::iteratorData): Deleted.
1653         * runtime/JSType.h:
1654         * runtime/MapBase.cpp: Added.
1655         (JSC::MapBase<HashMapBucketType>::visitChildren):
1656         (JSC::MapBase<HashMapBucketType>::estimatedSize):
1657         * runtime/MapBase.h: Added.
1658         (JSC::MapBase::size):
1659         (JSC::MapBase::has):
1660         (JSC::MapBase::clear):
1661         (JSC::MapBase::remove):
1662         (JSC::MapBase::findBucket):
1663         (JSC::MapBase::offsetOfHashMapImpl):
1664         (JSC::MapBase::impl):
1665         (JSC::MapBase::finishCreation):
1666         (JSC::MapBase::MapBase):
1667         * runtime/MapConstructor.cpp:
1668         (JSC::constructMap):
1669         * runtime/MapIteratorPrototype.cpp:
1670         (JSC::MapIteratorPrototypeFuncNext):
1671         * runtime/MapPrototype.cpp:
1672         (JSC::MapPrototype::finishCreation):
1673         (JSC::getMap):
1674         (JSC::privateFuncIsMap):
1675         (JSC::privateFuncMapIteratorNext):
1676         * runtime/PropertyDescriptor.cpp:
1677         (JSC::sameValue): Deleted.
1678         * runtime/PropertyDescriptor.h:
1679         * runtime/SetConstructor.cpp:
1680         (JSC::constructSet):
1681         * runtime/SetIteratorPrototype.cpp:
1682         (JSC::SetIteratorPrototypeFuncNext):
1683         * runtime/SetPrototype.cpp:
1684         (JSC::SetPrototype::finishCreation):
1685         (JSC::getSet):
1686         (JSC::privateFuncSetIteratorNext):
1687         * runtime/VM.cpp:
1688         (JSC::VM::VM):
1689         * runtime/VM.h:
1690
1691 2016-09-06  Filip Pizlo  <fpizlo@apple.com>
1692
1693         Typed arrays should use MarkedSpace instead of CopiedSpace
1694         https://bugs.webkit.org/show_bug.cgi?id=161100
1695
1696         Reviewed by Geoffrey Garen.
1697         
1698         This moves typed array backing stores out of CopiedSpace and into Auxiliary MarkedSpace.
1699         
1700         This is a purely mechanical change since Auxiliary MarkedSpace already knows how to do
1701         everything that typed arrays want.
1702
1703         * dfg/DFGOperations.cpp:
1704         (JSC::DFG::newTypedArrayWithSize):
1705         * dfg/DFGOperations.h:
1706         (JSC::DFG::operationNewTypedArrayWithSizeForType):
1707         * dfg/DFGSpeculativeJIT.cpp:
1708         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
1709         * dfg/DFGSpeculativeJIT.h:
1710         (JSC::DFG::SpeculativeJIT::callOperation):
1711         (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage): Deleted.
1712         * ftl/FTLLowerDFGToB3.cpp:
1713         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
1714         (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
1715         (JSC::FTL::DFG::LowerDFGToB3::splatWords):
1716         (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorageAndGetEnd): Deleted.
1717         (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorage): Deleted.
1718         * heap/CopyToken.h:
1719         * heap/SlotVisitor.cpp:
1720         (JSC::SlotVisitor::markAuxiliary):
1721         * jit/JITOperations.h:
1722         * runtime/JSArrayBufferView.cpp:
1723         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
1724         (JSC::JSArrayBufferView::JSArrayBufferView):
1725         * runtime/JSArrayBufferView.h:
1726         * runtime/JSGenericTypedArrayView.h:
1727         * runtime/JSGenericTypedArrayViewInlines.h:
1728         (JSC::JSGenericTypedArrayView<Adaptor>::createWithFastVector):
1729         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
1730         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
1731         (JSC::JSGenericTypedArrayView<Adaptor>::copyBackingStore): Deleted.
1732
1733 2016-09-06  Michael Catanzaro  <mcatanzaro@igalia.com>
1734
1735         Silence GCC warning spam introduced in r205462
1736
1737         Rubber-stamped by Filip Pizlo.
1738
1739         * bytecode/Opcode.h:
1740         (JSC::padOpcodeName):
1741
1742 2016-09-05  Filip Pizlo  <fpizlo@apple.com>
1743
1744         Heap::isMarked() should use concurrent lazy flipping
1745         https://bugs.webkit.org/show_bug.cgi?id=161613
1746
1747         Reviewed by Michael Catanzaro.
1748         
1749         I found out about this race condition via
1750         https://bugs.webkit.org/show_bug.cgi?id=160125#c233.
1751         
1752         The problem is that we use isMarked, and maybe even isLive, inside the concurrent mark
1753         phase. So, they need to lazy-flip in a non-racy way.
1754
1755         * heap/HeapInlines.h:
1756         (JSC::Heap::isLive):
1757         (JSC::Heap::isMarked):
1758
1759 2016-09-05  Filip Pizlo  <fpizlo@apple.com>
1760
1761         Unreviewed, reset generator test results after the butterflies.
1762
1763         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
1764         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
1765         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
1766         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
1767         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
1768         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
1769         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
1770         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
1771         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
1772         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
1773         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
1774         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
1775         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
1776         * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
1777
1778 2016-09-05  Filip Pizlo  <fpizlo@apple.com>
1779
1780         Unreviewed, fix cloop build.
1781
1782         * bytecode/SuperSampler.cpp:
1783
1784 2016-08-31  Filip Pizlo  <fpizlo@apple.com>
1785
1786         Butterflies should be allocated in Auxiliary MarkedSpace instead of CopiedSpace and we should rewrite as much of the GC as needed to make this not a regression
1787         https://bugs.webkit.org/show_bug.cgi?id=160125
1788
1789         Reviewed by Geoffrey Garen and Keith Miller.
1790
1791         In order to make the GC concurrent (bug 149432), we would either need to enable concurrent
1792         copying or we would need to not copy. Concurrent copying carries a 1-2% throughput overhead
1793         from the barriers alone. Considering that MarkedSpace does a decent job of avoiding
1794         fragmentation, it's unlikely that it's worth paying 1-2% throughput for copying. So, we want
1795         to get rid of copied space. This change moves copied space's biggest client over to marked
1796         space.
1797         
1798         Moving butterflies to marked space means having them use the new Auxiliary HeapCell
1799         allocation path. This is a fairly mechanical change, but it caused performance regressions
1800         everywhere, so this change also fixes MarkedSpace's performance issues.
1801         
1802         At a high level the mechanical changes are:
1803         
1804         - We use AuxiliaryBarrier instead of CopyBarrier.
1805         
1806         - We use tryAllocateAuxiliary instead of tryAllocateStorage. I got rid of the silly
1807           CheckedBoolean stuff, since it's so much more trouble than it's worth.
1808         
1809         - The JITs have to emit inlined marked space allocations instead of inline copy space
1810           allocations.
1811         
1812         - Everyone has to get used to zeroing their butterflies after allocation instead of relying
1813           on them being pre-zeroed by the GC. Copied space would zero things for you, while marked
1814           space doesn't.
1815         
1816         That's about 1/3 of this change. But this led to performance problems, which I fixed with
1817         optimizations that amounted to a major MarkedSpace rewrite:
1818         
1819         - MarkedSpace always causes internal fragmentation for array allocations because the vector
1820           length we choose when we resize usually leads to a cell size that doesn't correspond to any
1821           size class. I got around this by making array allocations usually round up vectorLength to
1822           the maximum allowed by the size class that we would have allocated in. Also,
1823           ensureLengthSlow() and friends first make sure that the requested length can't just be
1824           fulfilled with the current allocation size. This safeguard means that not every array
1825           allocation has to do size class queries. For example, the fast path of new Array(length)
1826           never does any size class queries, under the assumption that (1) the speed gained from
1827           avoiding an ensureLengthSlow() call, which then just changes the vectorLength by doing the
1828           size class query, is too small to offset the speed lost by doing the query on every
1829           allocation and (2) new Array(length) is a pretty good hint that resizing is not very
1830           likely.
1831         
1832         - Size classes in MarkedSpace were way too precise, which led to external fragmentation. This
1833           changes MarkedSpace size classes to use a linear progression for very small sizes followed
1834           by a geometric progression that naturally transitions to a hyperbolic progression. We want
1835           hyperbolic sizes when we get close to blockSize: for example the largest size we want is
1836           payloadSize / 2 rounded down, to ensure we get exactly two cells with minimal slop. The
1837           next size down should be payloadSize / 3 rounded down, and so on. After the last precise
1838           size (80 bytes), we proceed using a geometric progression, but round up each size to
1839           minimize slop at the end of the block. This naturally causes the geometric progression to
1840           turn hyperbolic for large sizes. The size class configuration happens at VM start-up, so
1841           it can be controlled with runtime options. I found that a base of 1.4 works pretty well.
1842         
1843         - Large allocations caused massive internal fragmentation, since the smallest large
1844           allocation had to use exactly blockSize, and the largest small allocation used
1845           blockSize / 2. The next size up - the first large allocation size to require two blocks -
1846           also had 50% internal fragmentation. This is because we required large allocations to be
1847           blockSize aligned, so that MarkedBlock::blockFor() would work. I decided to rewrite all of
1848           that. Cells no longer have to be owned by a MarkedBlock. They can now alternatively be
1849           owned by a LargeAllocation. These two things are abstracted as CellContainer. You know that
1850           a cell is owned by a LargeAllocation if the MarkedBlock::atomSize / 2 bit is set.
1851           Basically, large allocations are deliberately misaligned by 8 bytes. This actually works
1852           out great since (1) typed arrays won't use large allocations anyway since they have their
1853           own malloc fallback and (2) large array butterflies already have a 8 byte header, which
1854           means that the 8 byte base misalignment aligns the large array payload on a 16 byte
1855           boundary. I took extreme care to make sure that the isLargeAllocation bit checks are as
1856           rare as possible; for example, ExecState::vm() skips the check because we know that callees
1857           must be small allocations. It's also possible to use template tricks to do one check for
1858           cell container kind, and then invoke a function specialized for MarkedBlock or a function
1859           specialized for LargeAllocation. LargeAllocation includes stubs for all MarkedBlock methods
1860           that get used from functions that are template-specialized like this. That's mostly to
1861           speed up the GC marking code. Most other code can use CellContainer API or HeapCell API
1862           directly. That's another thing: HeapCell, the common base of JSCell and auxiliary
1863           allocations, is now smart enough to do a lot of things for you, like HeapCell::vm(),
1864           HeapCell::heap(), HeapCell::isLargeAllocation(), and HeapCell::cellContainer(). The size
1865           cutoff for large allocations is runtime-configurable, so long as you don't choose something
1866           so small that callees end up large. I found that 400 bytes is roughly optimal. This means
1867           that the MarkedBlock size classes end up being:
1868           
1869           16, 32, 48, 64, 80, 112, 160, 224, 320
1870           
1871           The next size class would have been 432, but that's above the 400 byte cutoff. All of this
1872           is configurable with --sizeClassProgression and --largeAllocationCutoff. You can see what
1873           size classes you end up with by doing --dumpSizeClasses=true.
1874         
1875         - Copied space uses 64KB blocks, while marked space used to use 16KB blocks. Allocating a lot
1876           of stuff in 16KB blocks was slower than allocating it in 64KB blocks because the GC had a
1877           lot of per-block overhead. I removed this overhead: It's now 2x faster to scan all
1878           MarkedBlocks because the list that contains the interesting meta-data is allocated on the
1879           side, for better locality during a sequential walk. It's no longer necessary to scan
1880           MarkedBlocks to find WeakSets, since the sets of WeakSets for eden scan and full scan are
1881           maintained on-the-fly. It's no longer necessary to scan all MarkedBlocks to clear mark
1882           bits because we now use versioned mark bits: to clear then, just increment the 64-bit
1883           heap version. It's no longer necessary to scan retired MarkedBlocks while allocating
1884           because marking retires them on-the-fly. It's no longer necessary to sort all blocks in
1885           the IncrementalSweeper's snapshot because blocks now know if they are in the snapshot. Put
1886           together, these optimizations allowed me to reduce block size to 16KB without losing much
1887           performance. There is some small perf loss on JetStream/splay, but not enough to hurt
1888           JetStream overall. I tried reducing block sizes further, to 4KB, since that is a
1889           progression on membuster. That's not possible yet, since there is still enough per-block
1890           overhead yet that such a reduction hurts JetStream too much. I filed a bug about improving
1891           this further: https://bugs.webkit.org/show_bug.cgi?id=161581.
1892         
1893         - Even after all of that, copying butterflies was still faster because it allowed us to skip
1894           sweeping dead space. A good GC allocates over dead bytes without explicitly freeing them,
1895           so the GC pause is O(size of live), not O(size of live + dead). O(dead) is usually much
1896           larger than O(live), especially in an eden collection. Copying satisfies this premise while
1897           mark+sweep does not. So, I invented a new kind of allocator: bump'n'pop. Previously, our
1898           MarkedSpace allocator was a freelist pop. That's simple and easy to inline but requires
1899           that we walk the block to build a free list. This means walking dead space. The new
1900           allocator allows totally free MarkedBlocks to simply set up a bump-pointer arena instead.
1901           The allocator is a hybrid of bump-pointer and freelist pop. It tries bump first. The bump
1902           pointer always bumps by cellSize, so the result of filling a block with bumping looks as if
1903           we had used freelist popping to fill it. Additionally, each MarkedBlock now has a bit to
1904           quickly tell if the block is entirely free. This makes sweeping O(1) whenever a MarkedBlock
1905           is completely empty, which is the common case because of the generational hypothesis: the
1906           number of objects that survive an eden collection is a tiny fraction of the number of
1907           objects that had been allocated, and this fraction is so small that there are typically
1908           fewer than one survivors per MarkedBlock. This change was enough to make this change a net
1909           win over tip-of-tree.
1910         
1911         - FTL now shares the same allocation fast paths as everything else, which is great, because
1912           bump'n'pop has gnarly control flow. We don't really want B3 to have to think about that
1913           control flow, since it won't be able to improve the machine code we write ourselves. GC
1914           fast paths are best written in assembly. So, I've empowered B3 to have even better support
1915           for Patchpoint terminals. It's now totally fine for a Patchpoint terminal to be non-Void.
1916           So, the new FTL allocation fast paths are just Patchpoint terminals that call through to
1917           AssemblyHelpers::emitAllocate(). B3 still reasons about things like constant-folding the
1918           size class calculation and constant-hoisting the allocator. Also, I gave the FTL the
1919           ability to constant-fold some allocator logic (in case we first assume that we're doing a
1920           variable-length allocation but then realize that the length is known). I think it makes
1921           sense to have constant folding rules in FTL::Output, or whatever the B3 IR builder is,
1922           since this makes lowering easier (you can constant fold during lowering more easily) and it
1923           reduces the amount of malloc traffic. In the future, we could teach B3 how to better
1924           constant-fold this code. That would require allowing loads to be constant-folded, which is
1925           doable but hella tricky.
1926         
1927         - It used to be that if a logical object allocation required two physical allocations (first
1928           the butterfly and then the cell), then the JIT would emit the code in such a way that a
1929           failure in the second fast path would cause us to forget the successful first physical
1930           allocation. This was pointlessly wasteful. It turns out that it's very cheap to devote a
1931           register to storing either the butterfly or null, because the butterfly register is anyway
1932           going to be free inside the first allocation. The only overhead here is zeroing the
1933           butterfly register. With that in place, we can just pass the butterfly-or-null to the slow
1934           path, which can then either allocate a butterfly or not. So now we never waste a successful
1935           allocation. This patch implements such a solution both in DFG (where it's easy to do this
1936           since we control registers already) and in FTL (where it's annoying, because mutable
1937           "butterfly-or-null" variables are hard to say in SSA; also I realized that we had code
1938           duplicated the JSArray allocation utility, so I deduplicated it). This came up because in
1939           one version of this patch, this wastage would resonate with some Kraken benchmark: the
1940           benchmark would always allocate N small things followed by one bigger thing. The problem
1941           was I accidentally adjusted the various fixed overheads in MarkedBlock in such a way that
1942           the JSObject size class, which both the small and big thing shared for their cell, could
1943           hold exactly N cells per MarkedBlock. Then the benchmark would always call slow path when
1944           it allocated the big thing. So, it would end up having to allocate the big thing's large
1945           butterfly twice, every single time! Ouch!
1946         
1947         - It used to be that we zeroed CopiedBlocks using memset, and so array allocations enjoyed
1948           amortization of the cost of zeroing. This doesn't work anymore - it's now up to the client
1949           of the allocator to initialize the object to whatever state they need. It used to be that
1950           we would just use a dumb loop. I initially changed this so that we would end up in memset
1951           for large allocations, but this didn't actually help performance that much. I got a much
1952           better result by playing with different memsets written in assembly. First I wrote one
1953           using non-temporal stores. That was a small speed-up over memset. Then I tried the classic
1954           "rep stos" approach, and holy cow that version was fast. It's a ~20% speed-up on array
1955           allocation microbenchmarks. So, this patch adds code paths to do "rep stos" on x86_64, or
1956           memset, or use a loop, as appropriate, for both "contiguous" arrays (holes are zero) and
1957           double arrays (holes are PNaN). Note that the JIT always emits either a loop or a flat slab
1958           of stores (if the size is known), but those paths in the JIT won't trigger for
1959           NewArrayWithSize() if the size is large, since that takes us to the
1960           operationNewArrayWithSize() slow path, which calls into JSArray::create(). That's why the
1961           optimizations here are all in JSArray::create() - that's the hot place for large arrays
1962           that need to be filled with holes.
1963         
1964         All of this put together gives us neutral perf on JetStream,  membuster, and PLT3, a ~1%
1965         regression on Speedometer, and up to a 4% regression Kraken. The Kraken regression is
1966         because Kraken was allocating exactly 1024 element arrays at a rate of 400MB/sec. This is a
1967         best-case scenario for bump allocation. I think that we should fix bmalloc to make up the
1968         difference, but take the hit for now because it's a crazy corner case. By comparison, the
1969         alternative approach of using a copy barrier would have cost us 1-2%. That's the real
1970         apples-to-apples comparison if your premise is that we should have a concurrent GC. After we
1971         finish removing copied space, we will be barrier-ready for concurrent GC: we already have a
1972         marking barrier and we simply won't need a copying barrier. This change gets us there for
1973         the purposes of our benchmarks, since the remaining clients of copied space are not very
1974         important. On the other hand, if we keep copying, then getting barrier-ready would mean
1975         adding back the copy barrier, which costs more perf.
1976         
1977         We might get bigger speed-ups once we remove CopiedSpace altogether. That requires moving
1978         typed arrays and a few other weird things over to Aux MarkedSpace.
1979         
1980         This also includes some header sanitization. The introduction of AuxiliaryBarrier, HeapCell,
1981         and CellContainer meant that I had to include those files from everywhere. Fortunately,
1982         just including JSCInlines.h (instead of manually including the files that includes) is
1983         usually enough. So, I made most of JSC's cpp files include JSCInlines.h, which is something
1984         that we were already basically doing. In places where JSCInlines.h would be too much, I just
1985         included HeapInlines.h. This got weird, because we previously included HeapInlines.h from
1986         JSObject.h. That's bad because it led to some circular dependencies, so I fixed it - but that
1987         meant having to manually include HeapInlines.h from the places that previously got it
1988         implicitly via JSObject.h. But that led to more problems for some reason: I started getting
1989         build errors because non-JSC files were having trouble including Opcode.h. That's just silly,
1990         since Opcode.h is meant to be an internal JSC header. So, I made it an internal header and
1991         made it impossible to include it from outside JSC. This was a lot of work, but it was
1992         necessary to get the patch to build on all ports. It's also a net win. There were many places
1993         in WebCore that were transitively including a *ton* of JSC headers just because of the
1994         JSObject.h->HeapInlines.h edge and a bunch of dependency edges that arose from some public
1995         (for WebCore) JSC headers needing Interpreter.h or Opcode.h for bad reasons.
1996
1997         * API/JSManagedValue.mm:
1998         (-[JSManagedValue initWithValue:]):
1999         * API/JSTypedArray.cpp:
2000         * API/ObjCCallbackFunction.mm:
2001         * API/tests/testapi.mm:
2002         (testObjectiveCAPI):
2003         (testWeakValue): Deleted.
2004         * CMakeLists.txt:
2005         * JavaScriptCore.xcodeproj/project.pbxproj:
2006         * Scripts/builtins/builtins_generate_combined_implementation.py:
2007         (BuiltinsCombinedImplementationGenerator.generate_secondary_header_includes):
2008         * Scripts/builtins/builtins_generate_internals_wrapper_implementation.py:
2009         (BuiltinsInternalsWrapperImplementationGenerator.generate_secondary_header_includes):
2010         * Scripts/builtins/builtins_generate_separate_implementation.py:
2011         (BuiltinsSeparateImplementationGenerator.generate_secondary_header_includes):
2012         * assembler/AbstractMacroAssembler.h:
2013         (JSC::AbstractMacroAssembler::JumpList::link):
2014         (JSC::AbstractMacroAssembler::JumpList::linkTo):
2015         * assembler/MacroAssembler.h:
2016         * assembler/MacroAssemblerARM64.h:
2017         (JSC::MacroAssemblerARM64::add32):
2018         * assembler/MacroAssemblerCodeRef.cpp: Added.
2019         (JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
2020         (JSC::MacroAssemblerCodePtr::dumpWithName):
2021         (JSC::MacroAssemblerCodePtr::dump):
2022         (JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
2023         (JSC::MacroAssemblerCodeRef::dump):
2024         * assembler/MacroAssemblerCodeRef.h:
2025         (JSC::MacroAssemblerCodePtr::createLLIntCodePtr): Deleted.
2026         (JSC::MacroAssemblerCodePtr::dumpWithName): Deleted.
2027         (JSC::MacroAssemblerCodePtr::dump): Deleted.
2028         (JSC::MacroAssemblerCodeRef::createLLIntCodeRef): Deleted.
2029         (JSC::MacroAssemblerCodeRef::dump): Deleted.
2030         * b3/B3BasicBlock.cpp:
2031         (JSC::B3::BasicBlock::appendBoolConstant):
2032         * b3/B3BasicBlock.h:
2033         * b3/B3DuplicateTails.cpp:
2034         * b3/B3StackmapGenerationParams.h:
2035         * b3/testb3.cpp:
2036         (JSC::B3::testPatchpointTerminalReturnValue):
2037         (JSC::B3::run):
2038         * bindings/ScriptValue.cpp:
2039         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
2040         * bytecode/BytecodeBasicBlock.cpp:
2041         * bytecode/BytecodeLivenessAnalysis.cpp:
2042         * bytecode/BytecodeUseDef.h:
2043         * bytecode/CallLinkInfo.cpp:
2044         (JSC::CallLinkInfo::callTypeFor):
2045         * bytecode/CallLinkInfo.h:
2046         (JSC::CallLinkInfo::callTypeFor): Deleted.
2047         * bytecode/CallLinkStatus.cpp:
2048         * bytecode/CodeBlock.cpp:
2049         (JSC::CodeBlock::finishCreation):
2050         (JSC::CodeBlock::clearLLIntGetByIdCache):
2051         (JSC::CodeBlock::predictedMachineCodeSize):
2052         * bytecode/CodeBlock.h:
2053         (JSC::CodeBlock::jitCodeMap): Deleted.
2054         (JSC::clearLLIntGetByIdCache): Deleted.
2055         * bytecode/ExecutionCounter.h:
2056         * bytecode/Instruction.h:
2057         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
2058         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
2059         * bytecode/ObjectAllocationProfile.h:
2060         (JSC::ObjectAllocationProfile::isNull):
2061         (JSC::ObjectAllocationProfile::initialize):
2062         * bytecode/Opcode.h:
2063         (JSC::padOpcodeName):
2064         * bytecode/PolymorphicAccess.cpp:
2065         (JSC::AccessCase::generateImpl):
2066         (JSC::PolymorphicAccess::regenerate):
2067         * bytecode/PolymorphicAccess.h:
2068         * bytecode/PreciseJumpTargets.cpp:
2069         * bytecode/StructureStubInfo.cpp:
2070         * bytecode/StructureStubInfo.h:
2071         * bytecode/UnlinkedCodeBlock.cpp:
2072         (JSC::UnlinkedCodeBlock::vm): Deleted.
2073         * bytecode/UnlinkedCodeBlock.h:
2074         * bytecode/UnlinkedInstructionStream.cpp:
2075         * bytecode/UnlinkedInstructionStream.h:
2076         * dfg/DFGOperations.cpp:
2077         * dfg/DFGSpeculativeJIT.cpp:
2078         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
2079         (JSC::DFG::SpeculativeJIT::compileMakeRope):
2080         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
2081         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
2082         * dfg/DFGSpeculativeJIT.h:
2083         (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
2084         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
2085         * dfg/DFGSpeculativeJIT32_64.cpp:
2086         (JSC::DFG::SpeculativeJIT::compile):
2087         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
2088         * dfg/DFGSpeculativeJIT64.cpp:
2089         (JSC::DFG::SpeculativeJIT::compile):
2090         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
2091         * dfg/DFGStrengthReductionPhase.cpp:
2092         (JSC::DFG::StrengthReductionPhase::handleNode):
2093         * ftl/FTLAbstractHeapRepository.h:
2094         * ftl/FTLCompile.cpp:
2095         * ftl/FTLJITFinalizer.cpp:
2096         * ftl/FTLLowerDFGToB3.cpp:
2097         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
2098         (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
2099         (JSC::FTL::DFG::LowerDFGToB3::allocateArrayWithSize):
2100         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
2101         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
2102         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
2103         (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
2104         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
2105         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
2106         (JSC::FTL::DFG::LowerDFGToB3::allocateCell):
2107         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
2108         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
2109         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
2110         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
2111         (JSC::FTL::DFG::LowerDFGToB3::compileAllocateArrayWithSize): Deleted.
2112         * ftl/FTLOutput.cpp:
2113         (JSC::FTL::Output::constBool):
2114         (JSC::FTL::Output::add):
2115         (JSC::FTL::Output::shl):
2116         (JSC::FTL::Output::aShr):
2117         (JSC::FTL::Output::lShr):
2118         (JSC::FTL::Output::zeroExt):
2119         (JSC::FTL::Output::equal):
2120         (JSC::FTL::Output::notEqual):
2121         (JSC::FTL::Output::above):
2122         (JSC::FTL::Output::aboveOrEqual):
2123         (JSC::FTL::Output::below):
2124         (JSC::FTL::Output::belowOrEqual):
2125         (JSC::FTL::Output::greaterThan):
2126         (JSC::FTL::Output::greaterThanOrEqual):
2127         (JSC::FTL::Output::lessThan):
2128         (JSC::FTL::Output::lessThanOrEqual):
2129         (JSC::FTL::Output::select):
2130         (JSC::FTL::Output::appendSuccessor):
2131         (JSC::FTL::Output::addIncomingToPhi):
2132         * ftl/FTLOutput.h:
2133         * ftl/FTLValueFromBlock.h:
2134         (JSC::FTL::ValueFromBlock::operator bool):
2135         (JSC::FTL::ValueFromBlock::ValueFromBlock): Deleted.
2136         * ftl/FTLWeightedTarget.h:
2137         (JSC::FTL::WeightedTarget::frequentedBlock):
2138         * heap/CellContainer.h: Added.
2139         (JSC::CellContainer::CellContainer):
2140         (JSC::CellContainer::operator bool):
2141         (JSC::CellContainer::isMarkedBlock):
2142         (JSC::CellContainer::isLargeAllocation):
2143         (JSC::CellContainer::markedBlock):
2144         (JSC::CellContainer::largeAllocation):
2145         * heap/CellContainerInlines.h: Added.
2146         (JSC::CellContainer::isMarked):
2147         (JSC::CellContainer::isMarkedOrNewlyAllocated):
2148         (JSC::CellContainer::noteMarked):
2149         (JSC::CellContainer::cellSize):
2150         (JSC::CellContainer::weakSet):
2151         (JSC::CellContainer::flipIfNecessary):
2152         * heap/ConservativeRoots.cpp:
2153         (JSC::ConservativeRoots::ConservativeRoots):
2154         (JSC::ConservativeRoots::~ConservativeRoots):
2155         (JSC::ConservativeRoots::grow):
2156         (JSC::ConservativeRoots::genericAddPointer):
2157         (JSC::ConservativeRoots::genericAddSpan):
2158         * heap/ConservativeRoots.h:
2159         (JSC::ConservativeRoots::roots):
2160         * heap/CopyToken.h:
2161         * heap/FreeList.cpp: Added.
2162         (JSC::FreeList::dump):
2163         * heap/FreeList.h: Added.
2164         (JSC::FreeList::FreeList):
2165         (JSC::FreeList::list):
2166         (JSC::FreeList::bump):
2167         (JSC::FreeList::operator==):
2168         (JSC::FreeList::operator!=):
2169         (JSC::FreeList::operator bool):
2170         (JSC::FreeList::allocationWillFail):
2171         (JSC::FreeList::allocationWillSucceed):
2172         * heap/GCTypeMap.h: Added.
2173         (JSC::GCTypeMap::operator[]):
2174         * heap/Heap.cpp:
2175         (JSC::Heap::Heap):
2176         (JSC::Heap::lastChanceToFinalize):
2177         (JSC::Heap::finalizeUnconditionalFinalizers):
2178         (JSC::Heap::markRoots):
2179         (JSC::Heap::copyBackingStores):
2180         (JSC::Heap::gatherStackRoots):
2181         (JSC::Heap::gatherJSStackRoots):
2182         (JSC::Heap::gatherScratchBufferRoots):
2183         (JSC::Heap::clearLivenessData):
2184         (JSC::Heap::visitSmallStrings):
2185         (JSC::Heap::visitConservativeRoots):
2186         (JSC::Heap::removeDeadCompilerWorklistEntries):
2187         (JSC::Heap::gatherExtraHeapSnapshotData):
2188         (JSC::Heap::removeDeadHeapSnapshotNodes):
2189         (JSC::Heap::visitProtectedObjects):
2190         (JSC::Heap::visitArgumentBuffers):
2191         (JSC::Heap::visitException):
2192         (JSC::Heap::visitStrongHandles):
2193         (JSC::Heap::visitHandleStack):
2194         (JSC::Heap::visitSamplingProfiler):
2195         (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
2196         (JSC::Heap::converge):
2197         (JSC::Heap::visitWeakHandles):
2198         (JSC::Heap::updateObjectCounts):
2199         (JSC::Heap::clearUnmarkedExecutables):
2200         (JSC::Heap::deleteUnmarkedCompiledCode):
2201         (JSC::Heap::collectAllGarbage):
2202         (JSC::Heap::collect):
2203         (JSC::Heap::collectWithoutAnySweep):
2204         (JSC::Heap::collectImpl):
2205         (JSC::Heap::suspendCompilerThreads):
2206         (JSC::Heap::willStartCollection):
2207         (JSC::Heap::flushOldStructureIDTables):
2208         (JSC::Heap::flushWriteBarrierBuffer):
2209         (JSC::Heap::stopAllocation):
2210         (JSC::Heap::prepareForMarking):
2211         (JSC::Heap::reapWeakHandles):
2212         (JSC::Heap::pruneStaleEntriesFromWeakGCMaps):
2213         (JSC::Heap::sweepArrayBuffers):
2214         (JSC::MarkedBlockSnapshotFunctor::MarkedBlockSnapshotFunctor):
2215         (JSC::MarkedBlockSnapshotFunctor::operator()):
2216         (JSC::Heap::snapshotMarkedSpace):
2217         (JSC::Heap::deleteSourceProviderCaches):
2218         (JSC::Heap::notifyIncrementalSweeper):
2219         (JSC::Heap::writeBarrierCurrentlyExecutingCodeBlocks):
2220         (JSC::Heap::resetAllocators):
2221         (JSC::Heap::updateAllocationLimits):
2222         (JSC::Heap::didFinishCollection):
2223         (JSC::Heap::resumeCompilerThreads):
2224         (JSC::Zombify::visit):
2225         (JSC::Heap::forEachCodeBlockImpl):
2226         * heap/Heap.h:
2227         (JSC::Heap::allocatorForObjectWithoutDestructor):
2228         (JSC::Heap::allocatorForObjectWithDestructor):
2229         (JSC::Heap::allocatorForAuxiliaryData):
2230         (JSC::Heap::jitStubRoutines):
2231         (JSC::Heap::codeBlockSet):
2232         (JSC::Heap::storageAllocator): Deleted.
2233         * heap/HeapCell.h:
2234         (JSC::HeapCell::isZapped): Deleted.
2235         * heap/HeapCellInlines.h: Added.
2236         (JSC::HeapCell::isLargeAllocation):
2237         (JSC::HeapCell::cellContainer):
2238         (JSC::HeapCell::markedBlock):
2239         (JSC::HeapCell::largeAllocation):
2240         (JSC::HeapCell::heap):
2241         (JSC::HeapCell::vm):
2242         (JSC::HeapCell::cellSize):
2243         (JSC::HeapCell::allocatorAttributes):
2244         (JSC::HeapCell::destructionMode):
2245         (JSC::HeapCell::cellKind):
2246         * heap/HeapInlines.h:
2247         (JSC::Heap::heap):
2248         (JSC::Heap::isLive):
2249         (JSC::Heap::isMarked):
2250         (JSC::Heap::testAndSetMarked):
2251         (JSC::Heap::setMarked):
2252         (JSC::Heap::cellSize):
2253         (JSC::Heap::forEachCodeBlock):
2254         (JSC::Heap::allocateObjectOfType):
2255         (JSC::Heap::subspaceForObjectOfType):
2256         (JSC::Heap::allocatorForObjectOfType):
2257         (JSC::Heap::allocateAuxiliary):
2258         (JSC::Heap::tryAllocateAuxiliary):
2259         (JSC::Heap::tryReallocateAuxiliary):
2260         (JSC::Heap::isPointerGCObject): Deleted.
2261         (JSC::Heap::isValueGCObject): Deleted.
2262         * heap/HeapOperation.cpp: Added.
2263         (WTF::printInternal):
2264         * heap/HeapOperation.h:
2265         * heap/HeapUtil.h: Added.
2266         (JSC::HeapUtil::findGCObjectPointersForMarking):
2267         (JSC::HeapUtil::isPointerGCObjectJSCell):
2268         (JSC::HeapUtil::isValueGCObject):
2269         * heap/IncrementalSweeper.cpp:
2270         (JSC::IncrementalSweeper::sweepNextBlock):
2271         * heap/IncrementalSweeper.h:
2272         * heap/LargeAllocation.cpp: Added.
2273         (JSC::LargeAllocation::tryCreate):
2274         (JSC::LargeAllocation::LargeAllocation):
2275         (JSC::LargeAllocation::lastChanceToFinalize):
2276         (JSC::LargeAllocation::shrink):
2277         (JSC::LargeAllocation::visitWeakSet):
2278         (JSC::LargeAllocation::reapWeakSet):
2279         (JSC::LargeAllocation::flip):
2280         (JSC::LargeAllocation::isEmpty):
2281         (JSC::LargeAllocation::sweep):
2282         (JSC::LargeAllocation::destroy):
2283         (JSC::LargeAllocation::dump):
2284         * heap/LargeAllocation.h: Added.
2285         (JSC::LargeAllocation::fromCell):
2286         (JSC::LargeAllocation::cell):
2287         (JSC::LargeAllocation::isLargeAllocation):
2288         (JSC::LargeAllocation::heap):
2289         (JSC::LargeAllocation::vm):
2290         (JSC::LargeAllocation::weakSet):
2291         (JSC::LargeAllocation::clearNewlyAllocated):
2292         (JSC::LargeAllocation::isNewlyAllocated):
2293         (JSC::LargeAllocation::isMarked):
2294         (JSC::LargeAllocation::isMarkedOrNewlyAllocated):
2295         (JSC::LargeAllocation::isLive):
2296         (JSC::LargeAllocation::hasValidCell):
2297         (JSC::LargeAllocation::cellSize):
2298         (JSC::LargeAllocation::aboveLowerBound):
2299         (JSC::LargeAllocation::belowUpperBound):
2300         (JSC::LargeAllocation::contains):
2301         (JSC::LargeAllocation::attributes):
2302         (JSC::LargeAllocation::flipIfNecessary):
2303         (JSC::LargeAllocation::flipIfNecessaryConcurrently):
2304         (JSC::LargeAllocation::testAndSetMarked):
2305         (JSC::LargeAllocation::setMarked):
2306         (JSC::LargeAllocation::clearMarked):
2307         (JSC::LargeAllocation::noteMarked):
2308         (JSC::LargeAllocation::headerSize):
2309         * heap/MarkedAllocator.cpp:
2310         (JSC::MarkedAllocator::MarkedAllocator):
2311         (JSC::MarkedAllocator::isPagedOut):
2312         (JSC::MarkedAllocator::retire):
2313         (JSC::MarkedAllocator::filterNextBlock):
2314         (JSC::MarkedAllocator::setNextBlockToSweep):
2315         (JSC::MarkedAllocator::tryAllocateWithoutCollectingImpl):
2316         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
2317         (JSC::MarkedAllocator::allocateSlowCase):
2318         (JSC::MarkedAllocator::tryAllocateSlowCase):
2319         (JSC::MarkedAllocator::allocateSlowCaseImpl):
2320         (JSC::blockHeaderSize):
2321         (JSC::MarkedAllocator::blockSizeForBytes):
2322         (JSC::MarkedAllocator::tryAllocateBlock):
2323         (JSC::MarkedAllocator::addBlock):
2324         (JSC::MarkedAllocator::removeBlock):
2325         (JSC::MarkedAllocator::stopAllocating):
2326         (JSC::MarkedAllocator::reset):
2327         (JSC::MarkedAllocator::lastChanceToFinalize):
2328         (JSC::MarkedAllocator::setFreeList):
2329         (JSC::isListPagedOut): Deleted.
2330         (JSC::MarkedAllocator::tryAllocateHelper): Deleted.
2331         (JSC::MarkedAllocator::tryPopFreeList): Deleted.
2332         (JSC::MarkedAllocator::tryAllocate): Deleted.
2333         (JSC::MarkedAllocator::allocateBlock): Deleted.
2334         * heap/MarkedAllocator.h:
2335         (JSC::MarkedAllocator::takeLastActiveBlock):
2336         (JSC::MarkedAllocator::offsetOfFreeList):
2337         (JSC::MarkedAllocator::offsetOfCellSize):
2338         (JSC::MarkedAllocator::tryAllocate):
2339         (JSC::MarkedAllocator::allocate):
2340         (JSC::MarkedAllocator::forEachBlock):
2341         (JSC::MarkedAllocator::offsetOfFreeListHead): Deleted.
2342         (JSC::MarkedAllocator::MarkedAllocator): Deleted.
2343         (JSC::MarkedAllocator::init): Deleted.
2344         (JSC::MarkedAllocator::stopAllocating): Deleted.
2345         * heap/MarkedBlock.cpp:
2346         (JSC::MarkedBlock::tryCreate):
2347         (JSC::MarkedBlock::Handle::Handle):
2348         (JSC::MarkedBlock::Handle::~Handle):
2349         (JSC::MarkedBlock::MarkedBlock):
2350         (JSC::MarkedBlock::Handle::specializedSweep):
2351         (JSC::MarkedBlock::Handle::sweep):
2352         (JSC::MarkedBlock::Handle::sweepHelperSelectScribbleMode):
2353         (JSC::MarkedBlock::Handle::sweepHelperSelectStateAndSweepMode):
2354         (JSC::MarkedBlock::Handle::unsweepWithNoNewlyAllocated):
2355         (JSC::SetNewlyAllocatedFunctor::SetNewlyAllocatedFunctor):
2356         (JSC::SetNewlyAllocatedFunctor::operator()):
2357         (JSC::MarkedBlock::Handle::stopAllocating):
2358         (JSC::MarkedBlock::Handle::lastChanceToFinalize):
2359         (JSC::MarkedBlock::Handle::resumeAllocating):
2360         (JSC::MarkedBlock::Handle::zap):
2361         (JSC::MarkedBlock::Handle::forEachFreeCell):
2362         (JSC::MarkedBlock::flipIfNecessary):
2363         (JSC::MarkedBlock::Handle::flipIfNecessary):
2364         (JSC::MarkedBlock::flipIfNecessarySlow):
2365         (JSC::MarkedBlock::flipIfNecessaryConcurrentlySlow):
2366         (JSC::MarkedBlock::clearMarks):
2367         (JSC::MarkedBlock::assertFlipped):
2368         (JSC::MarkedBlock::needsFlip):
2369         (JSC::MarkedBlock::Handle::needsFlip):
2370         (JSC::MarkedBlock::Handle::willRemoveBlock):
2371         (JSC::MarkedBlock::Handle::didConsumeFreeList):
2372         (JSC::MarkedBlock::markCount):
2373         (JSC::MarkedBlock::Handle::isEmpty):
2374         (JSC::MarkedBlock::clearHasAnyMarked):
2375         (JSC::MarkedBlock::noteMarkedSlow):
2376         (WTF::printInternal):
2377         (JSC::MarkedBlock::create): Deleted.
2378         (JSC::MarkedBlock::destroy): Deleted.
2379         (JSC::MarkedBlock::callDestructor): Deleted.
2380         (JSC::MarkedBlock::specializedSweep): Deleted.
2381         (JSC::MarkedBlock::sweep): Deleted.
2382         (JSC::MarkedBlock::sweepHelper): Deleted.
2383         (JSC::MarkedBlock::stopAllocating): Deleted.
2384         (JSC::MarkedBlock::clearMarksWithCollectionType): Deleted.
2385         (JSC::MarkedBlock::lastChanceToFinalize): Deleted.
2386         (JSC::MarkedBlock::resumeAllocating): Deleted.
2387         (JSC::MarkedBlock::didRetireBlock): Deleted.
2388         * heap/MarkedBlock.h:
2389         (JSC::MarkedBlock::VoidFunctor::returnValue):
2390         (JSC::MarkedBlock::CountFunctor::CountFunctor):
2391         (JSC::MarkedBlock::CountFunctor::count):
2392         (JSC::MarkedBlock::CountFunctor::returnValue):
2393         (JSC::MarkedBlock::Handle::hasAnyNewlyAllocated):
2394         (JSC::MarkedBlock::Handle::isOnBlocksToSweep):
2395         (JSC::MarkedBlock::Handle::setIsOnBlocksToSweep):
2396         (JSC::MarkedBlock::Handle::state):
2397         (JSC::MarkedBlock::needsDestruction):
2398         (JSC::MarkedBlock::handle):
2399         (JSC::MarkedBlock::Handle::block):
2400         (JSC::MarkedBlock::firstAtom):
2401         (JSC::MarkedBlock::atoms):
2402         (JSC::MarkedBlock::isAtomAligned):
2403         (JSC::MarkedBlock::Handle::cellAlign):
2404         (JSC::MarkedBlock::blockFor):
2405         (JSC::MarkedBlock::Handle::allocator):
2406         (JSC::MarkedBlock::Handle::heap):
2407         (JSC::MarkedBlock::Handle::vm):
2408         (JSC::MarkedBlock::vm):
2409         (JSC::MarkedBlock::Handle::weakSet):
2410         (JSC::MarkedBlock::weakSet):
2411         (JSC::MarkedBlock::Handle::shrink):
2412         (JSC::MarkedBlock::Handle::visitWeakSet):
2413         (JSC::MarkedBlock::Handle::reapWeakSet):
2414         (JSC::MarkedBlock::Handle::cellSize):
2415         (JSC::MarkedBlock::cellSize):
2416         (JSC::MarkedBlock::Handle::attributes):
2417         (JSC::MarkedBlock::attributes):
2418         (JSC::MarkedBlock::Handle::needsDestruction):
2419         (JSC::MarkedBlock::Handle::destruction):
2420         (JSC::MarkedBlock::Handle::cellKind):
2421         (JSC::MarkedBlock::Handle::markCount):
2422         (JSC::MarkedBlock::Handle::size):
2423         (JSC::MarkedBlock::atomNumber):
2424         (JSC::MarkedBlock::flipIfNecessary):
2425         (JSC::MarkedBlock::flipIfNecessaryConcurrently):
2426         (JSC::MarkedBlock::Handle::flipIfNecessary):
2427         (JSC::MarkedBlock::Handle::flipIfNecessaryConcurrently):
2428         (JSC::MarkedBlock::Handle::flipForEdenCollection):
2429         (JSC::MarkedBlock::assertFlipped):
2430         (JSC::MarkedBlock::Handle::assertFlipped):
2431         (JSC::MarkedBlock::isMarked):
2432         (JSC::MarkedBlock::testAndSetMarked):
2433         (JSC::MarkedBlock::Handle::isNewlyAllocated):
2434         (JSC::MarkedBlock::Handle::setNewlyAllocated):
2435         (JSC::MarkedBlock::Handle::clearNewlyAllocated):
2436         (JSC::MarkedBlock::Handle::isMarkedOrNewlyAllocated):
2437         (JSC::MarkedBlock::isMarkedOrNewlyAllocated):
2438         (JSC::MarkedBlock::Handle::isLive):
2439         (JSC::MarkedBlock::isAtom):
2440         (JSC::MarkedBlock::Handle::isLiveCell):
2441         (JSC::MarkedBlock::Handle::forEachCell):
2442         (JSC::MarkedBlock::Handle::forEachLiveCell):
2443         (JSC::MarkedBlock::Handle::forEachDeadCell):
2444         (JSC::MarkedBlock::Handle::needsSweeping):
2445         (JSC::MarkedBlock::Handle::isAllocated):
2446         (JSC::MarkedBlock::Handle::isMarked):
2447         (JSC::MarkedBlock::Handle::isFreeListed):
2448         (JSC::MarkedBlock::hasAnyMarked):
2449         (JSC::MarkedBlock::noteMarked):
2450         (WTF::MarkedBlockHash::hash):
2451         (JSC::MarkedBlock::FreeList::FreeList): Deleted.
2452         (JSC::MarkedBlock::allocator): Deleted.
2453         (JSC::MarkedBlock::heap): Deleted.
2454         (JSC::MarkedBlock::shrink): Deleted.
2455         (JSC::MarkedBlock::visitWeakSet): Deleted.
2456         (JSC::MarkedBlock::reapWeakSet): Deleted.
2457         (JSC::MarkedBlock::willRemoveBlock): Deleted.
2458         (JSC::MarkedBlock::didConsumeFreeList): Deleted.
2459         (JSC::MarkedBlock::markCount): Deleted.
2460         (JSC::MarkedBlock::isEmpty): Deleted.
2461         (JSC::MarkedBlock::destruction): Deleted.
2462         (JSC::MarkedBlock::cellKind): Deleted.
2463         (JSC::MarkedBlock::size): Deleted.
2464         (JSC::MarkedBlock::capacity): Deleted.
2465         (JSC::MarkedBlock::setMarked): Deleted.
2466         (JSC::MarkedBlock::clearMarked): Deleted.
2467         (JSC::MarkedBlock::isNewlyAllocated): Deleted.
2468         (JSC::MarkedBlock::setNewlyAllocated): Deleted.
2469         (JSC::MarkedBlock::clearNewlyAllocated): Deleted.
2470         (JSC::MarkedBlock::isLive): Deleted.
2471         (JSC::MarkedBlock::isLiveCell): Deleted.
2472         (JSC::MarkedBlock::forEachCell): Deleted.
2473         (JSC::MarkedBlock::forEachLiveCell): Deleted.
2474         (JSC::MarkedBlock::forEachDeadCell): Deleted.
2475         (JSC::MarkedBlock::needsSweeping): Deleted.
2476         (JSC::MarkedBlock::isAllocated): Deleted.
2477         (JSC::MarkedBlock::isMarkedOrRetired): Deleted.
2478         * heap/MarkedSpace.cpp:
2479         (JSC::MarkedSpace::initializeSizeClassForStepSize):
2480         (JSC::MarkedSpace::MarkedSpace):
2481         (JSC::MarkedSpace::~MarkedSpace):
2482         (JSC::MarkedSpace::lastChanceToFinalize):
2483         (JSC::MarkedSpace::allocate):
2484         (JSC::MarkedSpace::tryAllocate):
2485         (JSC::MarkedSpace::allocateLarge):
2486         (JSC::MarkedSpace::tryAllocateLarge):
2487         (JSC::MarkedSpace::sweep):
2488         (JSC::MarkedSpace::sweepLargeAllocations):
2489         (JSC::MarkedSpace::zombifySweep):
2490         (JSC::MarkedSpace::resetAllocators):
2491         (JSC::MarkedSpace::visitWeakSets):
2492         (JSC::MarkedSpace::reapWeakSets):
2493         (JSC::MarkedSpace::stopAllocating):
2494         (JSC::MarkedSpace::prepareForMarking):
2495         (JSC::MarkedSpace::resumeAllocating):
2496         (JSC::MarkedSpace::isPagedOut):
2497         (JSC::MarkedSpace::freeBlock):
2498         (JSC::MarkedSpace::freeOrShrinkBlock):
2499         (JSC::MarkedSpace::shrink):
2500         (JSC::MarkedSpace::clearNewlyAllocated):
2501         (JSC::VerifyMarked::operator()):
2502         (JSC::MarkedSpace::flip):
2503         (JSC::MarkedSpace::objectCount):
2504         (JSC::MarkedSpace::size):
2505         (JSC::MarkedSpace::capacity):
2506         (JSC::MarkedSpace::addActiveWeakSet):
2507         (JSC::MarkedSpace::didAddBlock):
2508         (JSC::MarkedSpace::didAllocateInBlock):
2509         (JSC::MarkedSpace::forEachAllocator): Deleted.
2510         (JSC::VerifyMarkedOrRetired::operator()): Deleted.
2511         (JSC::MarkedSpace::clearMarks): Deleted.
2512         * heap/MarkedSpace.h:
2513         (JSC::MarkedSpace::sizeClassToIndex):
2514         (JSC::MarkedSpace::indexToSizeClass):
2515         (JSC::MarkedSpace::version):
2516         (JSC::MarkedSpace::blocksWithNewObjects):
2517         (JSC::MarkedSpace::largeAllocations):
2518         (JSC::MarkedSpace::largeAllocationsNurseryOffset):
2519         (JSC::MarkedSpace::largeAllocationsOffsetForThisCollection):
2520         (JSC::MarkedSpace::largeAllocationsForThisCollectionBegin):
2521         (JSC::MarkedSpace::largeAllocationsForThisCollectionEnd):
2522         (JSC::MarkedSpace::largeAllocationsForThisCollectionSize):
2523         (JSC::MarkedSpace::forEachLiveCell):
2524         (JSC::MarkedSpace::forEachDeadCell):
2525         (JSC::MarkedSpace::allocatorFor):
2526         (JSC::MarkedSpace::destructorAllocatorFor):
2527         (JSC::MarkedSpace::auxiliaryAllocatorFor):
2528         (JSC::MarkedSpace::allocateWithoutDestructor):
2529         (JSC::MarkedSpace::allocateWithDestructor):
2530         (JSC::MarkedSpace::allocateAuxiliary):
2531         (JSC::MarkedSpace::tryAllocateAuxiliary):
2532         (JSC::MarkedSpace::forEachBlock):
2533         (JSC::MarkedSpace::forEachAllocator):
2534         (JSC::MarkedSpace::optimalSizeFor):
2535         (JSC::MarkedSpace::didAddBlock): Deleted.
2536         (JSC::MarkedSpace::didAllocateInBlock): Deleted.
2537         (JSC::MarkedSpace::objectCount): Deleted.
2538         (JSC::MarkedSpace::size): Deleted.
2539         (JSC::MarkedSpace::capacity): Deleted.
2540         * heap/SlotVisitor.cpp:
2541         (JSC::SlotVisitor::SlotVisitor):
2542         (JSC::SlotVisitor::didStartMarking):
2543         (JSC::SlotVisitor::reset):
2544         (JSC::SlotVisitor::append):
2545         (JSC::SlotVisitor::appendJSCellOrAuxiliary):
2546         (JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
2547         (JSC::SlotVisitor::appendToMarkStack):
2548         (JSC::SlotVisitor::markAuxiliary):
2549         (JSC::SlotVisitor::noteLiveAuxiliaryCell):
2550         (JSC::SlotVisitor::visitChildren):
2551         * heap/SlotVisitor.h:
2552         * heap/WeakBlock.cpp:
2553         (JSC::WeakBlock::create):
2554         (JSC::WeakBlock::WeakBlock):
2555         (JSC::WeakBlock::visit):
2556         (JSC::WeakBlock::reap):
2557         * heap/WeakBlock.h:
2558         (JSC::WeakBlock::disconnectContainer):
2559         (JSC::WeakBlock::disconnectMarkedBlock): Deleted.
2560         * heap/WeakSet.cpp:
2561         (JSC::WeakSet::~WeakSet):
2562         (JSC::WeakSet::sweep):
2563         (JSC::WeakSet::shrink):
2564         (JSC::WeakSet::addAllocator):
2565         * heap/WeakSet.h:
2566         (JSC::WeakSet::container):
2567         (JSC::WeakSet::setContainer):
2568         (JSC::WeakSet::WeakSet):
2569         (JSC::WeakSet::visit):
2570         (JSC::WeakSet::shrink): Deleted.
2571         * heap/WeakSetInlines.h:
2572         (JSC::WeakSet::allocate):
2573         * inspector/InjectedScriptManager.cpp:
2574         * inspector/JSGlobalObjectInspectorController.cpp:
2575         * inspector/JSJavaScriptCallFrame.cpp:
2576         * inspector/ScriptDebugServer.cpp:
2577         * inspector/agents/InspectorDebuggerAgent.cpp:
2578         * interpreter/CachedCall.h:
2579         (JSC::CachedCall::CachedCall):
2580         * interpreter/Interpreter.cpp:
2581         (JSC::loadVarargs):
2582         (JSC::StackFrame::sourceID): Deleted.
2583         (JSC::StackFrame::sourceURL): Deleted.
2584         (JSC::StackFrame::functionName): Deleted.
2585         (JSC::StackFrame::computeLineAndColumn): Deleted.
2586         (JSC::StackFrame::toString): Deleted.
2587         * interpreter/Interpreter.h:
2588         (JSC::StackFrame::isNative): Deleted.
2589         * jit/AssemblyHelpers.h:
2590         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
2591         (JSC::AssemblyHelpers::emitAllocate):
2592         (JSC::AssemblyHelpers::emitAllocateJSCell):
2593         (JSC::AssemblyHelpers::emitAllocateJSObject):
2594         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
2595         (JSC::AssemblyHelpers::emitAllocateVariableSized):
2596         * jit/GCAwareJITStubRoutine.cpp:
2597         (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
2598         * jit/JIT.cpp:
2599         (JSC::JIT::compileCTINativeCall):
2600         (JSC::JIT::link):
2601         * jit/JIT.h:
2602         (JSC::JIT::compileCTINativeCall): Deleted.
2603         * jit/JITExceptions.cpp:
2604         (JSC::genericUnwind):
2605         * jit/JITExceptions.h:
2606         * jit/JITOpcodes.cpp:
2607         (JSC::JIT::emit_op_new_object):
2608         (JSC::JIT::emitSlow_op_new_object):
2609         (JSC::JIT::emit_op_create_this):
2610         (JSC::JIT::emitSlow_op_create_this):
2611         * jit/JITOpcodes32_64.cpp:
2612         (JSC::JIT::emit_op_new_object):
2613         (JSC::JIT::emitSlow_op_new_object):
2614         (JSC::JIT::emit_op_create_this):
2615         (JSC::JIT::emitSlow_op_create_this):
2616         * jit/JITOperations.cpp:
2617         * jit/JITOperations.h:
2618         * jit/JITPropertyAccess.cpp:
2619         (JSC::JIT::emitWriteBarrier):
2620         * jit/JITThunks.cpp:
2621         * jit/JITThunks.h:
2622         * jsc.cpp:
2623         (functionDescribeArray):
2624         (main):
2625         * llint/LLIntData.cpp:
2626         (JSC::LLInt::Data::performAssertions):
2627         * llint/LLIntExceptions.cpp:
2628         * llint/LLIntThunks.cpp:
2629         * llint/LLIntThunks.h:
2630         * llint/LowLevelInterpreter.asm:
2631         * llint/LowLevelInterpreter.cpp:
2632         * llint/LowLevelInterpreter32_64.asm:
2633         * llint/LowLevelInterpreter64.asm:
2634         * parser/ModuleAnalyzer.cpp:
2635         * parser/NodeConstructors.h:
2636         * parser/Nodes.h:
2637         * profiler/ProfilerBytecode.cpp:
2638         * profiler/ProfilerBytecode.h:
2639         * profiler/ProfilerBytecodeSequence.cpp:
2640         * runtime/ArrayConventions.h:
2641         (JSC::indexingHeaderForArrayStorage):
2642         (JSC::baseIndexingHeaderForArrayStorage):
2643         (JSC::indexingHeaderForArray): Deleted.
2644         (JSC::baseIndexingHeaderForArray): Deleted.
2645         * runtime/ArrayPrototype.cpp:
2646         (JSC::arrayProtoFuncSplice):
2647         (JSC::concatAppendOne):
2648         (JSC::arrayProtoPrivateFuncConcatMemcpy):
2649         * runtime/ArrayStorage.h:
2650         (JSC::ArrayStorage::vectorLength):
2651         (JSC::ArrayStorage::totalSizeFor):
2652         (JSC::ArrayStorage::totalSize):
2653         (JSC::ArrayStorage::availableVectorLength):
2654         (JSC::ArrayStorage::optimalVectorLength):
2655         (JSC::ArrayStorage::sizeFor): Deleted.
2656         * runtime/AuxiliaryBarrier.h: Added.
2657         (JSC::AuxiliaryBarrier::AuxiliaryBarrier):
2658         (JSC::AuxiliaryBarrier::clear):
2659         (JSC::AuxiliaryBarrier::get):
2660         (JSC::AuxiliaryBarrier::slot):
2661         (JSC::AuxiliaryBarrier::operator bool):
2662         (JSC::AuxiliaryBarrier::setWithoutBarrier):
2663         * runtime/AuxiliaryBarrierInlines.h: Added.
2664         (JSC::AuxiliaryBarrier<T>::AuxiliaryBarrier):
2665         (JSC::AuxiliaryBarrier<T>::set):
2666         * runtime/Butterfly.h:
2667         * runtime/ButterflyInlines.h:
2668         (JSC::Butterfly::availableContiguousVectorLength):
2669         (JSC::Butterfly::optimalContiguousVectorLength):
2670         (JSC::Butterfly::createUninitialized):
2671         (JSC::Butterfly::growArrayRight):
2672         * runtime/ClonedArguments.cpp:
2673         (JSC::ClonedArguments::createEmpty):
2674         * runtime/CommonSlowPathsExceptions.cpp:
2675         * runtime/CommonSlowPathsExceptions.h:
2676         * runtime/DataView.cpp:
2677         * runtime/DirectArguments.h:
2678         * runtime/ECMAScriptSpecInternalFunctions.cpp:
2679         * runtime/Error.cpp:
2680         * runtime/Error.h:
2681         * runtime/ErrorInstance.cpp:
2682         * runtime/ErrorInstance.h:
2683         * runtime/Exception.cpp:
2684         * runtime/Exception.h:
2685         * runtime/GeneratorFrame.cpp:
2686         * runtime/GeneratorPrototype.cpp:
2687         * runtime/InternalFunction.cpp:
2688         (JSC::InternalFunction::InternalFunction):
2689         * runtime/IntlCollator.cpp:
2690         * runtime/IntlCollatorConstructor.cpp:
2691         * runtime/IntlCollatorPrototype.cpp:
2692         * runtime/IntlDateTimeFormat.cpp:
2693         * runtime/IntlDateTimeFormatConstructor.cpp:
2694         * runtime/IntlDateTimeFormatPrototype.cpp:
2695         * runtime/IntlNumberFormat.cpp:
2696         * runtime/IntlNumberFormatConstructor.cpp:
2697         * runtime/IntlNumberFormatPrototype.cpp:
2698         * runtime/IntlObject.cpp:
2699         * runtime/IteratorPrototype.cpp:
2700         * runtime/JSArray.cpp:
2701         (JSC::JSArray::tryCreateUninitialized):
2702         (JSC::JSArray::setLengthWritable):
2703         (JSC::JSArray::unshiftCountSlowCase):
2704         (JSC::JSArray::setLengthWithArrayStorage):
2705         (JSC::JSArray::appendMemcpy):
2706         (JSC::JSArray::setLength):
2707         (JSC::JSArray::pop):
2708         (JSC::JSArray::push):
2709         (JSC::JSArray::fastSlice):
2710         (JSC::JSArray::shiftCountWithArrayStorage):
2711         (JSC::JSArray::shiftCountWithAnyIndexingType):
2712         (JSC::JSArray::unshiftCountWithArrayStorage):
2713         (JSC::JSArray::fillArgList):
2714         (JSC::JSArray::copyToArguments):
2715         * runtime/JSArray.h:
2716         (JSC::createContiguousArrayButterfly):
2717         (JSC::createArrayButterfly):
2718         (JSC::JSArray::create):
2719         (JSC::JSArray::tryCreateUninitialized): Deleted.
2720         * runtime/JSArrayBufferView.h:
2721         * runtime/JSCInlines.h:
2722         * runtime/JSCJSValue.cpp:
2723         (JSC::JSValue::dumpInContextAssumingStructure):
2724         * runtime/JSCallee.cpp:
2725         (JSC::JSCallee::JSCallee):
2726         * runtime/JSCell.cpp:
2727         (JSC::JSCell::estimatedSize):
2728         * runtime/JSCell.h:
2729         (JSC::JSCell::cellStateOffset): Deleted.
2730         * runtime/JSCellInlines.h:
2731         (JSC::ExecState::vm):
2732         (JSC::JSCell::classInfo):
2733         (JSC::JSCell::callDestructor):
2734         (JSC::JSCell::vm): Deleted.
2735         * runtime/JSFunction.cpp:
2736         (JSC::JSFunction::create):
2737         (JSC::JSFunction::allocateAndInitializeRareData):
2738         (JSC::JSFunction::initializeRareData):
2739         (JSC::JSFunction::getOwnPropertySlot):
2740         (JSC::JSFunction::put):
2741         (JSC::JSFunction::deleteProperty):
2742         (JSC::JSFunction::defineOwnProperty):
2743         (JSC::JSFunction::setFunctionName):
2744         (JSC::JSFunction::reifyLength):
2745         (JSC::JSFunction::reifyName):
2746         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
2747         (JSC::JSFunction::reifyBoundNameIfNeeded):
2748         * runtime/JSFunction.h:
2749         * runtime/JSFunctionInlines.h:
2750         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
2751         (JSC::JSFunction::JSFunction):
2752         * runtime/JSGenericTypedArrayViewInlines.h:
2753         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
2754         * runtime/JSInternalPromise.cpp:
2755         * runtime/JSInternalPromiseConstructor.cpp:
2756         * runtime/JSInternalPromiseDeferred.cpp:
2757         * runtime/JSInternalPromisePrototype.cpp:
2758         * runtime/JSJob.cpp:
2759         * runtime/JSMapIterator.cpp:
2760         * runtime/JSModuleNamespaceObject.cpp:
2761         * runtime/JSModuleRecord.cpp:
2762         * runtime/JSObject.cpp:
2763         (JSC::JSObject::visitButterfly):
2764         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
2765         (JSC::JSObject::createInitialIndexedStorage):
2766         (JSC::JSObject::createInitialUndecided):
2767         (JSC::JSObject::createInitialInt32):
2768         (JSC::JSObject::createInitialDouble):
2769         (JSC::JSObject::createInitialContiguous):
2770         (JSC::JSObject::createArrayStorage):
2771         (JSC::JSObject::createInitialArrayStorage):
2772         (JSC::JSObject::convertUndecidedToInt32):
2773         (JSC::JSObject::convertUndecidedToContiguous):
2774         (JSC::JSObject::convertUndecidedToArrayStorage):
2775         (JSC::JSObject::convertInt32ToDouble):
2776         (JSC::JSObject::convertInt32ToArrayStorage):
2777         (JSC::JSObject::convertDoubleToArrayStorage):
2778         (JSC::JSObject::convertContiguousToArrayStorage):
2779         (JSC::JSObject::putByIndexBeyondVectorLength):
2780         (JSC::JSObject::putDirectIndexBeyondVectorLength):
2781         (JSC::JSObject::getNewVectorLength):
2782         (JSC::JSObject::increaseVectorLength):
2783         (JSC::JSObject::ensureLengthSlow):
2784         (JSC::JSObject::growOutOfLineStorage):
2785         (JSC::JSObject::copyButterfly): Deleted.
2786         (JSC::JSObject::copyBackingStore): Deleted.
2787         * runtime/JSObject.h:
2788         (JSC::JSObject::globalObject):
2789         (JSC::JSObject::putDirectInternal):
2790         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary): Deleted.
2791         * runtime/JSObjectInlines.h:
2792         * runtime/JSPromise.cpp:
2793         * runtime/JSPromiseConstructor.cpp:
2794         * runtime/JSPromiseDeferred.cpp:
2795         * runtime/JSPromisePrototype.cpp:
2796         * runtime/JSPropertyNameIterator.cpp:
2797         * runtime/JSScope.cpp:
2798         (JSC::JSScope::resolve):
2799         * runtime/JSScope.h:
2800         (JSC::JSScope::globalObject):
2801         (JSC::JSScope::vm): Deleted.
2802         * runtime/JSSetIterator.cpp:
2803         * runtime/JSStringIterator.cpp:
2804         * runtime/JSTemplateRegistryKey.cpp:
2805         * runtime/JSTypedArrayViewConstructor.cpp:
2806         * runtime/JSTypedArrayViewPrototype.cpp:
2807         * runtime/JSWeakMap.cpp:
2808         * runtime/JSWeakSet.cpp:
2809         * runtime/MapConstructor.cpp:
2810         * runtime/MapIteratorPrototype.cpp:
2811         * runtime/MapPrototype.cpp:
2812         * runtime/NativeErrorConstructor.cpp:
2813         * runtime/NativeStdFunctionCell.cpp:
2814         * runtime/Operations.h:
2815         (JSC::scribbleFreeCells):
2816         (JSC::scribble):
2817         * runtime/Options.h:
2818         * runtime/PropertyTable.cpp:
2819         * runtime/ProxyConstructor.cpp:
2820         * runtime/ProxyObject.cpp:
2821         * runtime/ProxyRevoke.cpp:
2822         * runtime/RegExp.cpp:
2823         (JSC::RegExp::match):
2824         (JSC::RegExp::matchConcurrently):
2825         (JSC::RegExp::matchCompareWithInterpreter):
2826         * runtime/RegExp.h:
2827         * runtime/RegExpConstructor.h:
2828         * runtime/RegExpInlines.h:
2829         (JSC::RegExp::matchInline):
2830         * runtime/RegExpMatchesArray.h:
2831         (JSC::tryCreateUninitializedRegExpMatchesArray):
2832         (JSC::createRegExpMatchesArray):
2833         * runtime/RegExpPrototype.cpp:
2834         (JSC::genericSplit):
2835         * runtime/RuntimeType.cpp:
2836         * runtime/SamplingProfiler.cpp:
2837         (JSC::SamplingProfiler::processUnverifiedStackTraces):
2838         * runtime/SetConstructor.cpp:
2839         * runtime/SetIteratorPrototype.cpp:
2840         * runtime/SetPrototype.cpp:
2841         * runtime/StackFrame.cpp: Added.
2842         (JSC::StackFrame::sourceID):
2843         (JSC::StackFrame::sourceURL):
2844         (JSC::StackFrame::functionName):
2845         (JSC::StackFrame::computeLineAndColumn):
2846         (JSC::StackFrame::toString):
2847         * runtime/StackFrame.h: Added.
2848         (JSC::StackFrame::isNative):
2849         * runtime/StringConstructor.cpp:
2850         * runtime/StringIteratorPrototype.cpp:
2851         * runtime/StructureInlines.h:
2852         (JSC::Structure::propertyTable):
2853         * runtime/TemplateRegistry.cpp:
2854         * runtime/TestRunnerUtils.cpp:
2855         (JSC::finalizeStatsAtEndOfTesting):
2856         * runtime/TestRunnerUtils.h:
2857         * runtime/TypeProfilerLog.cpp:
2858         * runtime/TypeSet.cpp:
2859         * runtime/VM.cpp:
2860         (JSC::VM::VM):
2861         (JSC::VM::ensureStackCapacityForCLoop):
2862         (JSC::VM::isSafeToRecurseSoftCLoop):
2863         * runtime/VM.h:
2864         * runtime/VMEntryScope.h:
2865         * runtime/VMInlines.h:
2866         (JSC::VM::ensureStackCapacityFor):
2867         (JSC::VM::isSafeToRecurseSoft):
2868         * runtime/WeakMapConstructor.cpp:
2869         * runtime/WeakMapData.cpp:
2870         * runtime/WeakMapPrototype.cpp:
2871         * runtime/WeakSetConstructor.cpp:
2872         * runtime/WeakSetPrototype.cpp:
2873         * testRegExp.cpp:
2874         (testOneRegExp):
2875         * tools/JSDollarVM.cpp:
2876         * tools/JSDollarVMPrototype.cpp:
2877         (JSC::JSDollarVMPrototype::isInObjectSpace):
2878
2879 2016-09-04  Commit Queue  <commit-queue@webkit.org>
2880
2881         Unreviewed, rolling out r205415.
2882         https://bugs.webkit.org/show_bug.cgi?id=161573
2883
2884         Many bots see inspector test failures, rolling out now and
2885         investigating later. (Requested by brrian on #webkit).
2886
2887         Reverted changeset:
2888
2889         "Web Inspector: unify Main.html and Test.html sources and
2890         generate different copies with the preprocessor"
2891         https://bugs.webkit.org/show_bug.cgi?id=161212
2892         http://trac.webkit.org/changeset/205415
2893
2894 2016-09-01  Brian Burg  <bburg@apple.com>
2895
2896         Web Inspector: unify Main.html and Test.html sources and generate different copies with the preprocessor
2897         https://bugs.webkit.org/show_bug.cgi?id=161212
2898         <rdar://problem/28017961>
2899
2900         Reviewed by Joseph Pecoraro.
2901
2902         * CMakeLists.txt: Remove some unnecessary MAKE_DIRECTORY commands.
2903
2904 2016-09-03  Joseph Pecoraro  <pecoraro@apple.com>
2905
2906         Use ASCIILiteral in some more places
2907         https://bugs.webkit.org/show_bug.cgi?id=161557
2908
2909         Reviewed by Darin Adler.
2910
2911         * runtime/TypeSet.h:
2912         (JSC::StructureShape::setConstructorName):
2913
2914 2016-09-01  Michael Saboff  <msaboff@apple.com>
2915
2916         Import Chakra tests to JSC
2917         https://bugs.webkit.org/show_bug.cgi?id=154697
2918
2919         Reviewed by Saam Barati.
2920
2921         Added --dumpException option to jsc command line utility to dump uncaught exception
2922         text even for the last exception that matches --exception.  This is used to
2923         check the exception text for a text that is expected to end on an exception.
2924         Chakra has several tests of this form and does the same thing when such a test
2925         ends with an exception.  Tests that rely on this behavior have had their expected
2926         output updated for JSC specific text.
2927
2928         * jsc.cpp:
2929
2930 2016-09-02  Benjamin Poulain  <bpoulain@apple.com>
2931
2932         [JSC] Remove some more useless cases from FTL Capabilities
2933         https://bugs.webkit.org/show_bug.cgi?id=161466
2934
2935         Reviewed by Geoffrey Garen.
2936
2937         Some cases do not make sense:
2938         -In: Fixup only generate CellUse.
2939         -PutByIdXXX: same.
2940         -GetIndexedPropertyStorage: those cases are the only ones supported
2941          by DFG. We would have crashed in SpeculativeJIT if other modes
2942          were generated.
2943
2944         * ftl/FTLCapabilities.cpp:
2945         (JSC::FTL::canCompile):
2946         * ftl/FTLLowerDFGToB3.cpp:
2947         (JSC::FTL::DFG::LowerDFGToB3::compilePutById):
2948         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
2949         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
2950
2951 2016-09-02  Chris Dumez  <cdumez@apple.com>
2952
2953         Unreviewed, roll out r205354 because it caused JSC test failures
2954
2955         * jsc.cpp:
2956         * runtime/JSGlobalObject.cpp:
2957         * runtime/JSGlobalObject.h:
2958         (JSC::JSGlobalObject::allowsAccessFrom):
2959         (JSC::JSGlobalObject::setDebugger): Deleted.
2960         * runtime/JSGlobalObjectFunctions.cpp:
2961         (JSC::GlobalFuncProtoGetterFunctor::GlobalFuncProtoGetterFunctor):
2962         (JSC::GlobalFuncProtoGetterFunctor::result):
2963         (JSC::GlobalFuncProtoGetterFunctor::operator()):
2964         (JSC::globalFuncProtoGetter):
2965         (JSC::GlobalFuncProtoSetterFunctor::GlobalFuncProtoSetterFunctor):
2966         (JSC::GlobalFuncProtoSetterFunctor::allowsAccess):
2967         (JSC::GlobalFuncProtoSetterFunctor::operator()):
2968         (JSC::checkProtoSetterAccessAllowed):
2969         (JSC::globalFuncProtoSetter):
2970         * runtime/JSGlobalObjectFunctions.h:
2971         * runtime/JSObject.cpp:
2972         (JSC::JSObject::setPrototypeWithCycleCheck):
2973         (JSC::JSObject::allowsAccessFrom):
2974         * runtime/JSObject.h:
2975         * runtime/JSProxy.cpp:
2976         * runtime/JSProxy.h:
2977         * runtime/ObjectConstructor.cpp:
2978         (JSC::ObjectConstructorGetPrototypeOfFunctor::ObjectConstructorGetPrototypeOfFunctor):
2979         (JSC::ObjectConstructorGetPrototypeOfFunctor::result):
2980         (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
2981         (JSC::objectConstructorGetPrototypeOf):
2982         (JSC::objectConstructorSetPrototypeOf):
2983         * runtime/ObjectConstructor.h:
2984         * runtime/ReflectObject.cpp:
2985         (JSC::reflectObjectGetPrototypeOf):
2986         (JSC::reflectObjectSetPrototypeOf):
2987
2988 2016-09-02  Caio Lima  <ticaiolima@gmail.com>
2989
2990         Register usage optimization in mathIC when LHS and RHS are constants isn't configured correctly
2991         https://bugs.webkit.org/show_bug.cgi?id=160802
2992
2993         Reviewed by Saam Barati.
2994
2995         This patch is fixing a broken mechanism of MathIC that avoids allocate
2996         a register to LHS or RHS if one of these operands are proven as valid
2997         constant for JIT*Generator. In previous implementation, even if the
2998         JIT*Generator was not using an operand register because it was proven as a
2999         constant, compileMathIC and emitICFast were allocating a register for
3000         it. This was broken because mathIC->isLeftOperandValidConstant and
3001         mathIC->isLeftOperandValidConstant were being called before its Generator be
3002         properly initialized. We changed this mechanism to enable Generators write
3003         their validConstant rules using static methods isLeftOperandValidConstant(SnippetOperand)
3004         and isRightOperandValidConstant(SnippetOperand).
3005
3006         * dfg/DFGSpeculativeJIT.cpp:
3007         (JSC::DFG::SpeculativeJIT::compileMathIC):
3008         * jit/JITAddGenerator.h:
3009         (JSC::JITAddGenerator::JITAddGenerator):
3010         (JSC::JITAddGenerator::isLeftOperandValidConstant):
3011         (JSC::JITAddGenerator::isRightOperandValidConstant):
3012         * jit/JITArithmetic.cpp:
3013         (JSC::JIT::emitMathICFast):
3014         * jit/JITMathIC.h:
3015         * jit/JITMulGenerator.h:
3016         (JSC::JITMulGenerator::JITMulGenerator):
3017         (JSC::JITMulGenerator::isLeftOperandValidConstant):
3018         (JSC::JITMulGenerator::isRightOperandValidConstant):
3019         * jit/JITSubGenerator.h:
3020         (JSC::JITSubGenerator::isLeftOperandValidConstant):
3021         (JSC::JITSubGenerator::isRightOperandValidConstant):
3022
3023 2016-09-02  JF Bastien  <jfbastien@apple.com>
3024
3025         GetByValWithThis: fix opInfo in DFG creation
3026         https://bugs.webkit.org/show_bug.cgi?id=161541
3027
3028         Reviewed by Saam Barati.
3029
3030         super-get-by-val-with-this-monomorphic might be 1.0148x faster after this change.
3031
3032         * dfg/DFGByteCodeParser.cpp:
3033         (JSC::DFG::ByteCodeParser::parseBlock): fix OpInfo
3034
3035 2016-09-02  Chris Dumez  <cdumez@apple.com>
3036
3037         Object.preventExtensions() should throw cross-origin
3038         https://bugs.webkit.org/show_bug.cgi?id=161486
3039
3040         Reviewed by Geoffrey Garen.
3041
3042         Update JSProxy to forward preventExtensions() calls to its target.
3043
3044         * runtime/JSProxy.cpp:
3045         (JSC::JSProxy::preventExtensions):
3046         * runtime/JSProxy.h:
3047
3048 2016-09-02  Chris Dumez  <cdumez@apple.com>
3049
3050         Align proto getter / setter behavior with other browsers
3051         https://bugs.webkit.org/show_bug.cgi?id=161455
3052
3053         Reviewed by Mark Lam.
3054
3055         Drop allowsAccessFrom from the methodTable and delegate cross-origin
3056         checking to the DOM bindings for [[SetPrototypeOf]] / [[GetPrototypeOf]].
3057         This is more consistent with other operations (e.g. [[GetOwnProperty]]).
3058
3059         * jsc.cpp:
3060         * runtime/JSGlobalObject.cpp:
3061         * runtime/JSGlobalObject.h:
3062         * runtime/JSGlobalObjectFunctions.cpp:
3063         (JSC::globalFuncProtoGetter):
3064         (JSC::globalFuncProtoSetter):
3065         (JSC::globalFuncBuiltinLog): Deleted.
3066         * runtime/JSGlobalObjectFunctions.h:
3067         * runtime/JSObject.h:
3068         (JSC::JSObject::getArrayLength): Deleted.
3069         * runtime/JSProxy.cpp:
3070         (JSC::JSProxy::setPrototype):
3071         (JSC::JSProxy::getPrototype):
3072         * runtime/JSProxy.h:
3073         * runtime/ObjectConstructor.cpp:
3074         (JSC::objectConstructorGetPrototypeOf):
3075         (JSC::objectConstructorSetPrototypeOf):
3076         (JSC::objectConstructorGetOwnPropertyDescriptor): Deleted.
3077         (JSC::objectConstructorGetOwnPropertyDescriptors): Deleted.
3078         * runtime/ObjectConstructor.h:
3079         * runtime/ReflectObject.cpp:
3080         (JSC::reflectObjectGetPrototypeOf):
3081         (JSC::reflectObjectSetPrototypeOf):
3082
3083         * runtime/JSObject.cpp:
3084         (JSC::JSObject::setPrototypeWithCycleCheck):
3085         Comment out check added in r197648. This check was added to match
3086         the latest EcmaScript spec:
3087         - https://tc39.github.io/ecma262/#sec-ordinarysetprototypeof (step 8)
3088         This check allowed for [[Prototype]] chain cycles if the prototype
3089         chain includes objects that do not use the ordinary object definitions
3090         for [[GetPrototypeOf]] and [[SetPrototypeOf]].
3091         The issue is that the rest of our code base does not properly handle
3092         such cycles and we can end up in infinite loops. This became obvious
3093         because this patch updates Window / Location so that they no longer
3094         use the default [[GetPrototypeOf]] / [[SetPrototypeOf]]. If I do not
3095         comment out this check, I get an infinite loop in
3096         Structure::anyObjectInChainMayInterceptIndexedAccesses(), which is
3097         called from JSObject::setPrototypeDirect(), when running the following
3098         layout test:
3099         - html/browsers/history/the-location-interface/allow_prototype_cycle_through_location.sub.html
3100         I filed https://bugs.webkit.org/show_bug.cgi?id=161534 to track this
3101         issue.
3102
3103 2016-09-01  Yusuke Suzuki  <utatane.tea@gmail.com>
3104
3105         Add toJS for JSC::PrivateName
3106         https://bugs.webkit.org/show_bug.cgi?id=161522
3107
3108         Reviewed by Ryosuke Niwa.
3109
3110         Add the export annotation.
3111         And we perform refactoring RefPtr<SymbolImpl> => Ref<SymbolImpl> for PrivateName,
3112         since PrivateName never holds null SymbolImpl pointer. And along with this change,
3113         we changed SymbolImpl* to SymbolImpl& in PrivateName::uid() callers.
3114
3115         * runtime/Completion.cpp:
3116         (JSC::createSymbolForEntryPointModule):
3117         * runtime/IdentifierInlines.h:
3118         (JSC::Identifier::fromUid):
3119         * runtime/JSFunction.cpp:
3120         (JSC::JSFunction::setFunctionName):
3121         * runtime/PrivateName.h:
3122         (JSC::PrivateName::PrivateName):
3123         (JSC::PrivateName::uid): Ugly const_cast. But const annotation is meaningless for SymbolImpl.
3124         StringImpl should be observed as an immutable object. (Of course, its hash members etc. are mutable.
3125         But most of the users (One of the exceptions is the concurrent JIT compiling thread!) should not care about this.)
3126         (JSC::PrivateName::operator==):
3127         (JSC::PrivateName::operator!=):
3128         * runtime/PropertyName.h:
3129         (JSC::PropertyName::PropertyName):
3130         * runtime/Symbol.cpp:
3131         (JSC::Symbol::finishCreation):
3132         * runtime/Symbol.h:
3133         * runtime/SymbolConstructor.cpp:
3134         (JSC::symbolConstructorKeyFor):
3135
3136 2016-09-01  Dan Bernstein  <mitz@apple.com>
3137
3138         Build fix.
3139
3140         * Configurations/FeatureDefines.xcconfig:
3141
3142 2016-09-01  JF Bastien  <jfbastien@apple.com>
3143
3144         jsc: fix cmake build missing symbol getPropertySlot
3145         https://bugs.webkit.org/show_bug.cgi?id=161521
3146
3147         Reviewed by Saam Barati.
3148
3149         * runtime/IntlDateTimeFormat.cpp: include JSCInlines.h
3150         * runtime/IntlNumberFormat.cpp: include JSCInlines.h
3151
3152 2016-09-01  JF Bastien  <jfbastien@apple.com>
3153
3154         jsc: provide printErr()
3155         https://bugs.webkit.org/show_bug.cgi?id=161513
3156
3157         Reviewed by Mark Lam.
3158
3159         * jsc.cpp:
3160         (GlobalObject::finishCreation):
3161         (printInternal): renamed from functionPrint, add error checking
3162         (functionPrintStdOut): punt to printInternal
3163         (functionPrintStdErr): punt to printInternal
3164         (functionPrint): Deleted.
3165
3166 2016-09-01  Mark Lam  <mark.lam@apple.com>
3167
3168         Move some JSObject and JSArray inline functions to their respective Inlines.h files.
3169         https://bugs.webkit.org/show_bug.cgi?id=161499
3170
3171         Reviewed by Saam Barati.
3172
3173         This is just a refactoring patch to move some inline functions to their Inlines.h
3174         files.  This will be needed to enable https://bugs.webkit.org/show_bug.cgi?id=161498
3175         later.
3176
3177         * bindings/ScriptValue.cpp:
3178         * interpreter/Interpreter.cpp:
3179         * runtime/IntlDateTimeFormatPrototype.cpp:
3180         * runtime/IntlNumberFormatPrototype.cpp:
3181         * runtime/JSArray.cpp:
3182         * runtime/JSArray.h:
3183         (JSC::getLength): Deleted.
3184         (JSC::toLength): Deleted.
3185         * runtime/JSArrayInlines.h:
3186         (JSC::JSArray::mergeIndexingTypeForCopying):
3187         (JSC::JSArray::canFastCopy):
3188         (JSC::getLength):
3189         (JSC::toLength):
3190         * runtime/JSInternalPromise.cpp:
3191         * runtime/JSInternalPromiseDeferred.cpp:
3192         * runtime/JSJob.cpp:
3193         * runtime/JSModuleRecord.cpp:
3194         * runtime/JSObject.h:
3195         (JSC::JSObject::getPropertySlot): Deleted.
3196         (JSC::JSObject::getNonIndexPropertySlot): Deleted.
3197         * runtime/JSObjectInlines.h:
3198         (JSC::JSObject::getPropertySlot):
3199         (JSC::JSObject::getNonIndexPropertySlot):
3200         * runtime/JSPromiseDeferred.cpp:
3201         * runtime/JSTypedArrayViewPrototype.cpp:
3202         * runtime/MapConstructor.cpp:
3203         * runtime/SamplingProfiler.cpp:
3204         * runtime/SetConstructor.cpp:
3205         * runtime/WeakMapConstructor.cpp:
3206         * runtime/WeakSetConstructor.cpp:
3207
3208 2016-09-01  JF Bastien  <jfbastien@apple.com>
3209
3210         GetByIdWithThis/GetByValWithThis should have ValueProfiles so that they can predict their result types
3211         https://bugs.webkit.org/show_bug.cgi?id=160922
3212
3213         Reviewed by Keith Miller.
3214
3215         Add value profiling to GetBy{Id,Val}WithThis.
3216
3217         * bytecode/BytecodeList.json:
3218         * bytecode/CodeBlock.cpp:
3219         (JSC::CodeBlock::dumpBytecode):
3220         (JSC::CodeBlock::finishCreation):
3221         * bytecompiler/BytecodeGenerator.cpp:
3222         (JSC::BytecodeGenerator::emitGetById):
3223         (JSC::BytecodeGenerator::emitGetByVal):
3224         * dfg/DFGByteCodeParser.cpp:
3225         (JSC::DFG::ByteCodeParser::parseBlock):
3226         * dfg/DFGNode.h:
3227         (JSC::DFG::Node::hasHeapPrediction):
3228         * dfg/DFGPredictionPropagationPhase.cpp:
3229         * llint/LowLevelInterpreter.asm:
3230         * runtime/CommonSlowPaths.cpp:
3231         (JSC::SLOW_PATH_DECL):
3232
3233 2016-09-01  Keith Miller  <keith_miller@apple.com>
3234
3235         WASM functions should be able to use arguments
3236         https://bugs.webkit.org/show_bug.cgi?id=161471
3237
3238         Reviewed by Benjamin Poulain.
3239
3240         This patch does a couple of changes:
3241
3242         1) Adds a new Calling Convention class for B3. This class is used to make it easy to specify the calling convention of a function. In particular it knows which arguments are in registers and which ones should be on the stack. For now, nothing uses the argument registers, in the future we will use these for WASM and/or JS. Additonally, it knows the callee save registers for any given function. The main advantage of this class is that it makes it easy to iterate over the arguments of your function without having to worry about the details of the calling convention you are using.
3243
3244         2) Makes the WASM calling convention the same as the JS one. Currently, the CodeBlock, CodeOrigin, and Callee are all 0. Since they have no value. Additionally, since we call into WASM from C++ through vmEntryToJavaScript, if there are no arguments to the callee we insert a null pointer as the first argument.
3245
3246         3) Since WASM expects the arguments to be mapped to function locals we map the argument stack slots to variables immediately after the function prologue.
3247
3248         * B3CallingConventions.cpp: Copied from Source/JavaScriptCore/llint/LLIntThunks.h.
3249         (JSC::B3::jscCallingConvention):
3250         * B3CallingConventions.h: Added.
3251         (JSC::B3::CallingConvention::CallingConvention):
3252         (JSC::B3::CallingConvention::iterate):
3253         (JSC::B3::nextJSCOffset):
3254         * JavaScriptCore.xcodeproj/project.pbxproj:
3255         * interpreter/ProtoCallFrame.h:
3256         * llint/LLIntThunks.cpp:
3257         (JSC::vmEntryToWASM):
3258         * llint/LLIntThunks.h:
3259         * testWASM.cpp:
3260         (invoke):
3261         (box):
3262         (runWASMTests):
3263         * wasm/WASMB3IRGenerator.cpp:
3264         (JSC::WASM::B3IRGenerator::addLocal):
3265         (JSC::WASM::B3IRGenerator::addArguments):
3266         (JSC::WASM::B3IRGenerator::getLocal):
3267         * wasm/WASMFormat.h:
3268         * wasm/WASMFunctionParser.h:
3269         (JSC::WASM::FunctionParser<Context>::FunctionParser):
3270         (JSC::WASM::FunctionParser<Context>::parseExpression):
3271         * wasm/WASMModuleParser.cpp:
3272         (JSC::WASM::ModuleParser::parseFunctionTypes):
3273         (JSC::WASM::ModuleParser::parseFunctionSignatures):
3274         * wasm/WASMModuleParser.h:
3275         * wasm/WASMOps.h:
3276
3277 2016-09-01  Keith Miller  <keith_miller@apple.com>
3278
3279         Rename WASM classes dropping the WASM prefix
3280         https://bugs.webkit.org/show_bug.cgi?id=161500
3281
3282         Reviewed by Mark Lam.
3283
3284         Having to write WASM::WASMModule seems silly. Also, this patch
3285         merges WASMFunctionReturnType and WASMValueType into one type
3286         that is a typedef of B3::Type. Using B3::Type as the WASM
3287         primitive type makes it trivial to convert a Vector of WASM
3288         types into a Vector of B3 types.
3289
3290         * b3/B3Type.h:
3291         * wasm/JSWASMModule.h:
3292         (JSC::JSWASMModule::signatures):
3293         (JSC::JSWASMModule::functionImports):
3294         (JSC::JSWASMModule::functionImportSignatures):
3295         (JSC::JSWASMModule::globalVariableTypes):
3296         (JSC::JSWASMModule::functionDeclarations):
3297         (JSC::JSWASMModule::functionPointerTables):
3298         * wasm/WASMB3IRGenerator.cpp:
3299         (JSC::WASM::toB3Op):
3300         (JSC::WASM::B3IRGenerator::addLocal):
3301     &n