jsc.cpp should call initializeMainThread() to make sure that GC thread assertions...
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2016-09-09  Filip Pizlo  <fpizlo@apple.com>
2
3         jsc.cpp should call initializeMainThread() to make sure that GC thread assertions work
4         https://bugs.webkit.org/show_bug.cgi?id=161801
5
6         Reviewed by Keith Miller.
7         
8         The GC has debug assertions that certain things don't happen on GC threads. Those assertions
9         are no-ops unless initializeGCThreads() is called, and I think the most canonical way to do
10         that is to call initializeMainThread().
11
12         * jsc.cpp:
13         (jscmain):
14
15 2016-09-09  Saam Barati  <sbarati@apple.com>
16
17         Make hasOwnProperty ALWAYS_INLINE
18         https://bugs.webkit.org/show_bug.cgi?id=161775
19
20         Reviewed by Ryosuke Niwa.
21
22         Speedometer spends around 2.5% of its time in hasOwnProperty.
23         Let's reduce the overhead of calling that function by marking
24         it as inline. Also, it's likely that the function will call into
25         JSObject::getOwnPropertySlot. I added a check to see if that's
26         the function we're calling, if it is, we do a direct call instead
27         of an indirect call.
28
29         * runtime/JSObject.cpp:
30         (JSC::JSObject::hasOwnProperty): Deleted.
31         * runtime/JSObjectInlines.h:
32         (JSC::JSObject::hasOwnProperty):
33
34 2016-09-09  Filip Pizlo  <fpizlo@apple.com>
35
36         HashMapImpl needs to m_buffer.clear() in its constructor
37         https://bugs.webkit.org/show_bug.cgi?id=161796
38
39         Reviewed by Keith Miller.
40         
41         This is the second time that I'm fixing a bug because AuxiliaryBarrier does not initialize
42         itself. That seemed like a good idea because maybe sometimes the user knows better how to
43         initialize it. But, it's not worth it if it's a constant source of bugs.
44         
45         So, I'm fixing it for good by making AuxiliaryBarrier::AuxiliaryBarrier() initialize its
46         m_value.
47
48         * runtime/AuxiliaryBarrier.h:
49         (JSC::AuxiliaryBarrier::AuxiliaryBarrier):
50         * runtime/DirectArguments.cpp:
51         (JSC::DirectArguments::DirectArguments):
52
53 2016-09-09  Youenn Fablet  <youenn@apple.com>
54
55         ASSERTION FAILED: promise.inherits(JSPromise::info())
56         https://bugs.webkit.org/show_bug.cgi?id=161632
57         <rdar://problem/28184743>
58
59         Reviewed by Mark Lam.
60
61         * runtime/JSPromiseDeferred.cpp:
62         (JSC::JSPromiseDeferred::create): Returning null if promise object is not created.
63
64 2016-09-08  Filip Pizlo  <fpizlo@apple.com>
65
66         Heap::isMarked() shouldn't pay the price of concurrent lazy flipping
67         https://bugs.webkit.org/show_bug.cgi?id=161760
68
69         Reviewed by Mark Lam.
70         
71         To fix a race condition in marking, I made Heap::isMarked() and Heap::isLive() atomic by
72         using flipIfNecessaryConcurrently() instead of flipIfNecessary().
73         
74         This introduces three unnecessary overheads:
75         
76         - isLive() is not called by marking, so that change was not necessary.
77         
78         - isMarked() gets calls many times outside of marking, so it shouldn't always do the
79           concurrent thing. This adds isMarkedConcurrently() for use in marking, and reverts
80           isMarked().
81         
82         - isMarked() and isMarkedConcurrently() don't actually have to do the lazy flip. They can
83           return false if the flip is necessary.
84         
85         I added a bunch of debug assertions to make sure that isLive() and isMarked() are not called
86         during marking.
87         
88         If we needed to, we could remove most of the calls to isMarkedConcurrently(). As a kind of
89         optimization, CodeBlock does an initial fixpoint iteration during marking, and so all of the
90         code called from CodeBlock's fixpoint iterator needs to use isMarkedConcurrently(). But we
91         could probably arrange for CodeBlock only do fixpoint iterating during the weak reference
92         thing.
93
94         * bytecode/CodeBlock.cpp:
95         (JSC::CodeBlock::visitWeakly):
96         (JSC::CodeBlock::shouldJettisonDueToOldAge):
97         (JSC::shouldMarkTransition):
98         (JSC::CodeBlock::propagateTransitions):
99         (JSC::CodeBlock::determineLiveness):
100         * bytecode/PolymorphicAccess.cpp:
101         (JSC::AccessCase::propagateTransitions):
102         * heap/Heap.h:
103         * heap/HeapInlines.h:
104         (JSC::Heap::isLive):
105         (JSC::Heap::isMarked):
106         (JSC::Heap::isMarkedConcurrently):
107         * heap/MarkedBlock.cpp:
108         (JSC::MarkedBlock::flipIfNecessarySlow):
109         (JSC::MarkedBlock::flipIfNecessaryConcurrentlySlow):
110         (JSC::MarkedBlock::needsFlip):
111         * heap/MarkedBlock.h:
112         (JSC::MarkedBlock::needsFlip):
113         (JSC::MarkedBlock::flipIfNecessary):
114         (JSC::MarkedBlock::flipIfNecessaryConcurrently):
115         * heap/SlotVisitor.cpp:
116         (JSC::SlotVisitor::appendToMarkStack):
117         (JSC::SlotVisitor::markAuxiliary):
118         (JSC::SlotVisitor::visitChildren):
119         * runtime/Structure.cpp:
120         (JSC::Structure::isCheapDuringGC):
121         (JSC::Structure::markIfCheap):
122
123 2016-09-08  Saam Barati  <sbarati@apple.com>
124
125         We should inline operationConvertJSValueToBoolean into JIT code
126         https://bugs.webkit.org/show_bug.cgi?id=161729
127
128         Reviewed by Filip Pizlo.
129
130         This patch introduces an AssemblyHelpers emitter function
131         that replaces operationConvertJSValueToBoolean. This operation
132         was showing up when I was doing performance analysis for the
133         speedometer benchmark. I saw that it was spending about 1% of
134         its time in this function. Hopefully this patch can help us speedup
135         up speedometer by a little bit.
136
137         * dfg/DFGSpeculativeJIT32_64.cpp:
138         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
139         (JSC::DFG::SpeculativeJIT::emitBranch):
140         * dfg/DFGSpeculativeJIT64.cpp:
141         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
142         (JSC::DFG::SpeculativeJIT::emitBranch):
143         * jit/AssemblyHelpers.cpp:
144         (JSC::AssemblyHelpers::emitConvertValueToBoolean):
145         * jit/AssemblyHelpers.h:
146         (JSC::AssemblyHelpers::emitAllocateDestructibleObject): Deleted.
147         * jit/JIT.cpp:
148         (JSC::JIT::privateCompileSlowCases):
149         * jit/JIT.h:
150         * jit/JITOpcodes.cpp:
151         (JSC::JIT::emit_op_jfalse):
152         (JSC::JIT::emit_op_jtrue):
153         (JSC::JIT::emitSlow_op_jfalse): Deleted.
154         (JSC::JIT::emitSlow_op_jtrue): Deleted.
155         * jit/JITOpcodes32_64.cpp:
156         (JSC::JIT::emit_op_jfalse):
157         (JSC::JIT::emit_op_jtrue):
158         (JSC::JIT::emitSlow_op_jfalse): Deleted.
159         (JSC::JIT::emitSlow_op_jtrue): Deleted.
160         * jit/JITOperations.cpp:
161         * jit/JITOperations.h:
162
163 2016-09-08  Chris Dumez  <cdumez@apple.com>
164
165         Align proto getter / setter behavior with other browsers
166         https://bugs.webkit.org/show_bug.cgi?id=161455
167
168         Reviewed by Saam Barati.
169
170         Drop allowsAccessFrom from the methodTable and delegate cross-origin
171         checking to the DOM bindings for [[SetPrototypeOf]] / [[GetPrototypeOf]].
172         This is more consistent with other operations (e.g. [[GetOwnProperty]]).
173
174         * jsc.cpp:
175         * runtime/JSGlobalObject.cpp:
176         * runtime/JSGlobalObject.h:
177         * runtime/JSGlobalObjectFunctions.cpp:
178         (JSC::globalFuncProtoGetter):
179         (JSC::globalFuncProtoSetter):
180         (JSC::globalFuncBuiltinLog): Deleted.
181         * runtime/JSGlobalObjectFunctions.h:
182         * runtime/JSObject.cpp:
183         (JSC::JSObject::setPrototypeWithCycleCheck):
184         Remove check added in r197648. This check was added to match
185         the latest EcmaScript spec:
186         - https://tc39.github.io/ecma262/#sec-ordinarysetprototypeof (step 8)
187         This check allowed for [[Prototype]] chain cycles if the prototype
188         chain includes objects that do not use the ordinary object definitions
189         for [[GetPrototypeOf]] and [[SetPrototypeOf]].
190         The issue is that the rest of our code base does not properly handle
191         such cycles and we can end up in infinite loops. This became obvious
192         because this patch updates Window / Location so that they no longer
193         use the default [[GetPrototypeOf]] / [[SetPrototypeOf]]. If I do not
194         remove this check, I get an infinite loop in
195         Structure::anyObjectInChainMayInterceptIndexedAccesses(), which is
196         called from JSObject::setPrototypeDirect(), when running the following
197         layout test:
198         - html/browsers/history/the-location-interface/allow_prototype_cycle_through_location.sub.html
199         I filed https://bugs.webkit.org/show_bug.cgi?id=161534 to track this
200         issue.
201
202         * runtime/JSObject.h:
203         (JSC::JSObject::getArrayLength): Deleted.
204         * runtime/JSProxy.cpp:
205         (JSC::JSProxy::setPrototype):
206         (JSC::JSProxy::getPrototype):
207         * runtime/JSProxy.h:
208         * runtime/ObjectConstructor.cpp:
209         (JSC::objectConstructorGetPrototypeOf):
210         (JSC::objectConstructorSetPrototypeOf):
211         (JSC::objectConstructorGetOwnPropertyDescriptor): Deleted.
212         (JSC::objectConstructorGetOwnPropertyDescriptors): Deleted.
213         * runtime/ObjectConstructor.h:
214         * runtime/ReflectObject.cpp:
215         (JSC::reflectObjectGetPrototypeOf):
216         (JSC::reflectObjectSetPrototypeOf):
217
218 2016-09-08  Filip Pizlo  <fpizlo@apple.com>
219
220         Remove CopiedSpace and use MarkedSpace instead
221         https://bugs.webkit.org/show_bug.cgi?id=159658
222
223         Reviewed by Keith Miller.
224         
225         This removes the final client of CopiedSpace, the overrides array of DirectArguments. That
226         is a simple change.
227         
228         Then this stubs out some remaining internal debugging code that referenced CopiedSpace in
229         JSDollarVM and HeapVerifier. I filed FIXMEs to restore that debugging functionality.
230         
231         The rest of this patch is deleting CopiedSpace.
232
233         * API/JSObjectRef.cpp:
234         * CMakeLists.txt:
235         * JavaScriptCore.xcodeproj/project.pbxproj:
236         * dfg/DFGOperations.cpp:
237         * heap/ConservativeRoots.cpp:
238         (JSC::ConservativeRoots::genericAddPointer):
239         * heap/CopiedAllocator.h: Removed.
240         * heap/CopiedBlock.cpp: Removed.
241         * heap/CopiedBlock.h: Removed.
242         * heap/CopiedBlockInlines.h: Removed.
243         * heap/CopiedSpace.cpp: Removed.
244         * heap/CopiedSpace.h: Removed.
245         * heap/CopiedSpaceInlines.h: Removed.
246         * heap/CopyBarrier.h: Removed.
247         * heap/CopyToken.h: Removed.
248         * heap/CopyVisitor.cpp: Removed.
249         * heap/CopyVisitor.h: Removed.
250         * heap/CopyVisitorInlines.h: Removed.
251         * heap/CopyWorkList.h: Removed.
252         * heap/Heap.cpp:
253         (JSC::Heap::Heap):
254         (JSC::Heap::isPagedOut):
255         (JSC::Heap::updateObjectCounts):
256         (JSC::Heap::size):
257         (JSC::Heap::capacity):
258         (JSC::Heap::collectImpl):
259         (JSC::Heap::stopAllocation):
260         (JSC::Heap::updateAllocationLimits):
261         (JSC::Heap::copyBackingStores): Deleted.
262         (JSC::Heap::threadBytesCopied): Deleted.
263         * heap/Heap.h:
264         (JSC::Heap::objectSpace):
265         (JSC::Heap::allocatorForAuxiliaryData):
266         (JSC::Heap::storageSpace): Deleted.
267         (JSC::Heap::storageAllocator): Deleted.
268         * heap/HeapCellInlines.h:
269         * heap/HeapInlines.h:
270         (JSC::Heap::tryAllocateStorage): Deleted.
271         (JSC::Heap::tryReallocateStorage): Deleted.
272         * heap/HeapVerifier.cpp:
273         (JSC::HeapVerifier::verifyButterflyIsInStorageSpace):
274         (JSC::HeapVerifier::reportObject):
275         (JSC::getButterflyDetails): Deleted.
276         * heap/SlotVisitor.cpp:
277         (JSC::SlotVisitor::copyLater): Deleted.
278         * heap/SlotVisitor.h:
279         * jit/AssemblyHelpers.h:
280         * jit/JITOpcodes.cpp:
281         * jsc.cpp:
282         * runtime/ArrayConstructor.cpp:
283         * runtime/ArrayPrototype.cpp:
284         * runtime/Butterfly.h:
285         * runtime/ButterflyInlines.h:
286         (JSC::Butterfly::createUninitializedDuringCollection): Deleted.
287         * runtime/ClassInfo.h:
288         * runtime/DirectArguments.cpp:
289         (JSC::DirectArguments::visitChildren):
290         (JSC::DirectArguments::overrideThings):
291         (JSC::DirectArguments::copyBackingStore): Deleted.
292         * runtime/DirectArguments.h:
293         * runtime/JSArray.cpp:
294         * runtime/JSCell.cpp:
295         (JSC::JSCell::copyBackingStore): Deleted.
296         * runtime/JSCell.h:
297         * runtime/JSLexicalEnvironment.h:
298         * runtime/JSObject.cpp:
299         * runtime/JSTypedArrays.cpp:
300         * runtime/LiteralParser.cpp:
301         * runtime/ObjectConstructor.cpp:
302         * runtime/RegExpObject.cpp:
303         * runtime/StringPrototype.cpp:
304         * runtime/WeakMapData.cpp:
305         * tools/JSDollarVMPrototype.cpp:
306         (JSC::JSDollarVMPrototype::isInStorageSpace):
307
308 2016-09-08  Filip Pizlo  <fpizlo@apple.com>
309
310         Heap version should be 32-bit
311         https://bugs.webkit.org/show_bug.cgi?id=161751
312
313         Reviewed by Mark Lam.
314         
315         32-bit devices are probably getting hurt by the 64-bit version number. The reason why I made
316         it 64-bit initially is so that I wouldn't have to worry about wrap-around. But wrap-around is
317         easy to handle.
318
319         * heap/CellContainer.h:
320         * heap/CellContainerInlines.h:
321         (JSC::CellContainer::flipIfNecessary):
322         * heap/ConservativeRoots.cpp:
323         (JSC::ConservativeRoots::genericAddPointer):
324         (JSC::ConservativeRoots::genericAddSpan):
325         * heap/ConservativeRoots.h:
326         * heap/Heap.h:
327         * heap/HeapInlines.h:
328         (JSC::Heap::testAndSetMarked):
329         * heap/HeapUtil.h:
330         (JSC::HeapUtil::findGCObjectPointersForMarking):
331         * heap/MarkedBlock.cpp:
332         (JSC::MarkedBlock::MarkedBlock):
333         * heap/MarkedBlock.h:
334         (JSC::MarkedBlock::flipIfNecessary):
335         (JSC::MarkedBlock::flipIfNecessaryConcurrently):
336         (JSC::MarkedBlock::Handle::flipIfNecessary):
337         (JSC::MarkedBlock::Handle::flipIfNecessaryConcurrently):
338         * heap/MarkedSpace.cpp:
339         (JSC::MarkedSpace::flip):
340         * heap/MarkedSpace.h:
341         (JSC::MarkedSpace::version):
342         * heap/SlotVisitor.cpp:
343         (JSC::SlotVisitor::SlotVisitor):
344         * heap/SlotVisitor.h:
345
346 2016-09-08  Mark Lam  <mark.lam@apple.com>
347
348         Add support for a ternary sub32 emitter for ARM64 and 32-bit ARM.
349         https://bugs.webkit.org/show_bug.cgi?id=161724
350
351         Reviewed by Filip Pizlo.
352
353         ARM architectures support ternary sub instructions.  We should make use of them
354         in emitAllocateWithNonNullAllocator().
355
356         * assembler/MacroAssemblerARM.h:
357         (JSC::MacroAssemblerARM::sub32):
358         * assembler/MacroAssemblerARM64.h:
359         (JSC::MacroAssemblerARM64::sub32):
360         * assembler/MacroAssemblerARMv7.h:
361         (JSC::MacroAssemblerARMv7::sub32):
362         * assembler/MacroAssemblerSH4.h:
363         (JSC::MacroAssemblerSH4::sub32):
364         * assembler/MacroAssemblerX86Common.h:
365         (JSC::MacroAssemblerX86Common::sub32):
366         * b3/air/AirOpcode.opcodes:
367         * b3/testb3.cpp:
368         (JSC::B3::testTernarySubInstructionSelection):
369         (JSC::B3::run):
370         * jit/AssemblyHelpers.h:
371         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
372
373 2016-09-08  Filip Pizlo  <fpizlo@apple.com>
374
375         Move JSMap/JSSet over to Auxiliary MarkedSpace
376         https://bugs.webkit.org/show_bug.cgi?id=161744
377
378         Reviewed by Saam Barati.
379         
380         This moves the buffer out of CopiedSpace and into Auxiliary MarkedSpace.
381         
382         Also removes MapData.h/MapDataInlines.h since they are not used anywhere, but they still
383         speak of CopiedSpace.
384         
385         This is a purely mechanical change.
386
387         * JavaScriptCore.xcodeproj/project.pbxproj:
388         * heap/CopyToken.h:
389         * runtime/HashMapImpl.cpp:
390         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
391         (JSC::HashMapImpl<HashMapBucket>::copyBackingStore): Deleted.
392         * runtime/HashMapImpl.h:
393         (JSC::HashMapBuffer::create):
394         * runtime/JSMapIterator.cpp:
395         * runtime/JSMapIterator.h:
396         * runtime/JSSetIterator.cpp:
397         * runtime/JSSetIterator.h:
398         * runtime/MapBase.cpp:
399         * runtime/MapData.h: Removed.
400         * runtime/MapDataInlines.h: Removed.
401         * runtime/MapPrototype.cpp:
402         * runtime/SetConstructor.cpp:
403         * runtime/SetPrototype.cpp:
404         * runtime/VM.cpp:
405
406 2016-09-06  Filip Pizlo  <fpizlo@apple.com>
407
408         Typed arrays should use MarkedSpace instead of CopiedSpace
409         https://bugs.webkit.org/show_bug.cgi?id=161100
410
411         Reviewed by Geoffrey Garen.
412         
413         This moves typed array backing stores out of CopiedSpace and into Auxiliary MarkedSpace.
414         
415         This is a purely mechanical change since Auxiliary MarkedSpace already knows how to do
416         everything that typed arrays want.
417
418         * dfg/DFGOperations.cpp:
419         (JSC::DFG::newTypedArrayWithSize):
420         * dfg/DFGOperations.h:
421         (JSC::DFG::operationNewTypedArrayWithSizeForType):
422         * dfg/DFGSpeculativeJIT.cpp:
423         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
424         * dfg/DFGSpeculativeJIT.h:
425         (JSC::DFG::SpeculativeJIT::callOperation):
426         (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage): Deleted.
427         * ftl/FTLLowerDFGToB3.cpp:
428         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
429         (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
430         (JSC::FTL::DFG::LowerDFGToB3::splatWords):
431         (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorageAndGetEnd): Deleted.
432         (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorage): Deleted.
433         * heap/CopyToken.h:
434         * heap/SlotVisitor.cpp:
435         (JSC::SlotVisitor::markAuxiliary):
436         * jit/JITOperations.h:
437         * runtime/JSArrayBufferView.cpp:
438         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
439         (JSC::JSArrayBufferView::JSArrayBufferView):
440         * runtime/JSArrayBufferView.h:
441         * runtime/JSGenericTypedArrayView.h:
442         * runtime/JSGenericTypedArrayViewInlines.h:
443         (JSC::JSGenericTypedArrayView<Adaptor>::createWithFastVector):
444         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
445         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
446         (JSC::JSGenericTypedArrayView<Adaptor>::copyBackingStore): Deleted.
447
448 2016-09-08  Per Arne Vollan  <pvollan@apple.com>
449
450         [Win64] Compile fixes.
451         https://bugs.webkit.org/show_bug.cgi?id=161682
452
453         Reviewed by Brent Fulgham.
454
455         * dfg/DFGSpeculativeJIT64.cpp:
456         (JSC::DFG::SpeculativeJIT::emitCall):
457         * jit/JITCall.cpp:
458         (JSC::JIT::compileOpCall):
459         * runtime/ArrayConventions.cpp:
460         (JSC::clearArrayMemset):
461
462 2016-09-08  Per Arne Vollan  <pvollan@apple.com>
463
464         [Win] Exception fuzz tests fail
465         https://bugs.webkit.org/show_bug.cgi?id=140928
466
467         Reviewed by Mark Lam.
468
469         Flush stdout when throwing the exception to make sure the output comes before output in the exception handler.
470         The tests depend on the output to stdout being written in the correct order.
471
472         * runtime/ExceptionFuzz.cpp:
473         (JSC::doExceptionFuzzing):
474
475 2016-09-07  Simon Fraser  <simon.fraser@apple.com>
476
477         Enable the <meter> element on iOS
478         https://bugs.webkit.org/show_bug.cgi?id=161714
479         rdar://problem/8978410
480
481         Reviewed by Tim Horton.
482
483         Define ENABLE_METER_ELEMENT unconditionally now.
484
485         * Configurations/FeatureDefines.xcconfig:
486
487 2016-09-07  Joseph Pecoraro  <pecoraro@apple.com>
488
489         Modernize Debugger to use nullptr
490         https://bugs.webkit.org/show_bug.cgi?id=161718
491
492         Reviewed by Mark Lam.
493
494         * debugger/Debugger.cpp:
495         (JSC::Debugger::Debugger):
496         (JSC::Debugger::~Debugger):
497         (JSC::Debugger::detach):
498         (JSC::Debugger::stepOutOfFunction):
499         (JSC::Debugger::updateCallFrameAndPauseIfNeeded):
500         * debugger/Debugger.h:
501
502 2016-09-07  Joseph Pecoraro  <pecoraro@apple.com>
503
504         Web Inspector: Remove always false case in Debugger
505         https://bugs.webkit.org/show_bug.cgi?id=161717
506
507         Reviewed by Brian Burg.
508
509         * debugger/Debugger.cpp:
510         (JSC::Debugger::didExecuteProgram):
511         We would have earlier returned a few statements ago if this case was true.
512         And we would have crashed in the previous statement if this case was true.
513
514 2016-09-07  Yusuke Suzuki  <utatane.tea@gmail.com>
515
516         Unreviewed, build fix after r205569
517
518         Tweak CMakeLists.txt
519
520         * CMakeLists.txt:
521
522 2016-09-07  Mark Lam  <mark.lam@apple.com>
523
524         Add CatchScope and force all exception checks to be via ThrowScope or CatchScope.
525         https://bugs.webkit.org/show_bug.cgi?id=161498
526
527         Reviewed by Geoffrey Garen.
528
529         This patch refactors the ThrowScope class, and introduces a base ExceptionScope
530         that ThrowScope extends.  A CatchScope which extends the ExceptionScope is also
531         introduced.
532
533         ENABLE(THROW_SCOPE_VERIFICATION) is now renamed to ENABLE(EXCEPTION_SCOPE_VERIFICATION)
534         which is a more suitable name now.
535
536         Note: exception scope verification is still disabled by default.  There are still
537         many places that need to be fixed up or re-expressed in a way that is friendly
538         to the verification.  I'll address those in subsequent patches.
539
540         After this patch, the code will statically enforce that:
541         1. all calls to throwException() go through a ThrowScope.
542         2. all calls to clearException() go through a CatchScope.
543         3. all exception checks go through an ExceptionScope in the form of a ThrowScope
544            or CatchScope.
545
546         A Summary of how to use ExceptionScopes
547         =======================================
548         1. If a function can throw a JS exception, it should declare a ThrowScope at the
549            top of the function (as early as possible).
550
551         2. If a function can clear JS exceptions, it should declare a CatchScope at the
552            top of the function (as early as possible).
553
554         Declaring a ThrowScope in a function means that the function may throw an exception
555         that its caller will have to handle.  Declaring a CatchScope in a function means
556         that the function intends to clear pending exceptions before returning to its
557         caller. 
558
559         For more details, see the notes below.
560         
561         Everything you may want to know about ExceptionScopes
562         =====================================================
563         ExceptionScope verification works to simulate exception throws and detect cases
564         where exception checks are missing.  The notes below will cover:
565
566             1. The VM::m_needExceptionCheck bit
567             2. ThrowScopes and CatchScopes
568             3. Verification of needed exception checks
569             3. Checking Exceptions
570             4. Simulating throws
571             5. Using ThrowScope::release()
572             6. Checking exceptions with ThrowScope::exception() / CatchScope::exception()
573             7. Checking exceptions by checking callee results
574             8. Debugging verification errors
575
576         1. The VM::m_needExceptionCheck bit
577
578            The VM has a m_needExceptionCheck bit that indicates when an exception may be
579            thrown.  You can think of the m_needExceptionCheck bit being set as a simulated
580            throw.
581
582         2. ThrowScopes and CatchScopes
583
584            Only ThrowScopes may throwException.  Only CatchScopes may catchException.
585
586            Every throw site must declare a ThrowScope instance using DECLARE_THROW_SCOPE
587            at the top of its function (as early as possible) e.g.
588  
589                 void foo(...)
590                 {
591                     auto scope = DECLARE_THROW_SCOPE(vm);
592                     ...
593                     throwException(exec, scope, ...);
594                 }
595
596            Note: by convention, every throw helper function must take a ThrowScope argument
597            instead of instantiating its own ThrowScope.  This allows the throw to be
598            attributed to the client code rather than the throw helper itself.
599
600            Every catch site (i.e. a site that calls clearException()) must declare a
601            CatchScope instance using DECLARE_CATCH_SCOPE at the top of its function.
602
603            If a function can both throw or clear exceptions, then the ThrowScope should
604            be declared first so that it can simulate a throw to the function's caller.
605
606            Note: ThrowScope and CatchScope both extend ExceptionScope so that ThrowScopes
607            can be aware if there's an enclosing CatchScope between it and the point where
608            C++ code returns to JS code.  This is needed to determine if the ThrowScope
609            should simulate a re-throw or not.  See (4) below for more details on returning
610            to JS code.
611
612         3. Verification of needed exception checks
613
614            a. On construction, each ThrowScope and CatchScope will verify that
615               VM::m_needExceptionCheck is not set.
616  
617               This ensures that the caller of the current function has checked for exceptions
618               where needed before doing more work which lead to calling the current function.
619
620            b. On destruction, each ThrowScope and CatchScope will verify that
621               VM::m_needExceptionCheck is not set. This verification will be skipped if
622               the ThrowScope has been released (see (5) below).
623
624               This ensures that the function that owns this exception scope is not missing
625               any exception checks before returning.
626
627            c. When throwing an exception, the ThrowScope will verify that VM::m_needExceptionCheck
628               is not already set, unless it's been ask to rethrow the same Exception object.
629
630         4. Simulating throws
631
632            Throws are simulated by setting the m_needExceptionCheck bit.
633
634            The bit will only be set in the ThrowScope destructor except when the ThrowScope
635            detects the caller is a LLInt or JIT function.  LLInt or JIT functions will always
636            check for exceptions after a host C++ function returns to it.  However, they will
637            not clear the m_needExceptionCheck bit.
638
639            Hence, if the ThrowScope destructor detects the caller is a LLInt or JIT function,
640            it will just skip the setting of the bit.
641
642            Note: it is not needed nor correct to set the m_needExceptionCheck bit in the
643            throwException methods.  This is because, in practice, we always return
644            immediately after throwing an exception.  It doesn't make sense to set the bit in
645            the throw just to have to clear it immediately after before we do verification in
646            the ThrowScope destructor.
647
648         5. Using ThrowScope::release()
649
650            Calling release() means that the scope is released from its obligation to
651            verify the VM::m_needExceptionCheck bit on destruction.
652
653            release() should only be used at the bottom of a function if:
654
655            a. This function is going to let its caller check and handle the exception, e.g.
656
657                 void foo(...)
658                 {
659                     auto scope = DECLARE_THROW_SCOPE(vm);
660                     auto result = goo(); // may throw.
661
662                     ... // Code that will are not affected by a pending exceptions.
663
664                     scope.release(); // tell the ThrowScope that the caller will handle the exception.
665                     return result;
666                 }
667
668            b. This function is going to do a tail call that may throw.
669
670                 void foo(...)
671                 {
672                     auto scope = DECLARE_THROW_SCOPE(vm);
673                     ...
674                     scope.release(); // tell the ThrowScope that the caller will handle the exception.
675                     return goo(); // may throw.
676                 }
677
678               release() should not be used in code paths that branch. For example:
679
680                 void foo(...)
681                 {
682                     auto scope = DECLARE_THROW_SCOPE(vm);
683
684                     auto result = goo1(); // may throw.
685                     scope.release(); // WRONG !!! Don't do this.
686                     if (result)
687                         return;
688
689                     result = goo2(); // may throw.
690                     ...
691                     return result;
692                 }
693
694             The above will result in a verification error in goo2()'s ThrowScope.  The
695             proper way to fix this verification is to do either (6) or (7) below.
696
697          6. Checking exceptions with ThrowScope::exception() / CatchScope::exception()
698
699             ThrowScope/CatchScope::exception() returns the thrown Exception object if
700             there is one pending.  Else, it returns nullptr.
701
702             It also clears the m_needExceptionCheck bit thereby indicating that we've
703             satisfied the needed exception check.  For example,
704
705                 void foo(...)
706                 {
707                     auto scope = DECLARE_THROW_SCOPE(vm);
708
709                     auto result = goo1(); // may throw.
710                     if (scope.exception())
711                         return;
712
713                     result = goo2(); // may throw.
714                     ...
715                     return result;
716                 }
717
718             But sometimes, for optimization reasons, we may choose to test the result of
719             the callee function instead doing a load of the VM exception value.  See (7)
720             below.
721
722          7. Checking exceptions by checking callee results
723
724             This approach should only be applied when it makes a difference to performance.
725             If we need to do this, we should add an ASSERT() that invokes the scope's
726             exception() method to verify the result.  Since exception scope verification
727             is only done on DEBUG builds, this ASSERT will satisfy the verification
728             requirements without impacting performance.  For example,
729
730                 void foo(...)
731                 {
732                     auto scope = DECLARE_THROW_SCOPE(vm);
733
734                     bool failed = goo1(); // may throw.
735                     ASSERT(!!scope.exception() == failed)
736                     if (failed)
737                         return;
738
739                     result = goo2(); // may throw.
740                     ...
741                     return result;
742                 }
743
744          8. Debugging verification errors
745
746             a. When verification fails, you will see a message followed by an assertion
747                failure.  For example:
748
749             ERROR: Unchecked JS exception:
750                 This scope can throw a JS exception: setUpCall @ /Volumes/Data/ws6/OpenSource/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1245
751                     (ExceptionScope::m_recursionDepth was ...)
752                 But the exception was unchecked as of this scope: varargsSetup @ /Volumes/Data/ws6/OpenSource/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1398
753                     (ExceptionScope::m_recursionDepth was ...)
754                 [ backtrace here ]
755
756                The message tells you that failure was detected at in varargsSetup() at
757                LLIntSlowPaths.cpp line 1398, and that the missing exception check should
758                have happened somewhere between the call to setUpCall() at LLIntSlowPaths.cpp
759                line 1245 and it.
760
761                If that is insufficient information, you can ...
762
763             b. Dump simulated throws
764
765                Re-run the test case with JSC_dumpSimulatedThrows=true.  You will also see
766                back traces at each simulated throw.
767
768             c. Narrowing down the source of a simulated throw
769
770                Another technique for narrowing down the source of simulated throws is by
771                further dividing a function to smaller regions by separating each region
772                with additional local throw scopes.  For example,
773
774                 ... // Region 1
775                 { auto scope = DECLARE_THROW_SCOPE(vm); }
776                 ... // Region 2
777                 { auto scope = DECLARE_THROW_SCOPE(vm); }
778                 ... // Region 3
779
780         * API/APIUtils.h:
781         (handleExceptionIfNeeded):
782         * CMakeLists.txt:
783         * JavaScriptCore.xcodeproj/project.pbxproj:
784         * bindings/ScriptFunctionCall.cpp:
785         (Deprecated::ScriptFunctionCall::call):
786         * bindings/ScriptValue.cpp:
787         (Deprecated::ScriptValue::toString):
788         * debugger/Debugger.cpp:
789         (JSC::Debugger::pauseIfNeeded):
790         * debugger/DebuggerCallFrame.cpp:
791         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
792         * dfg/DFGOSRExitCompiler.cpp:
793         * dfg/DFGOperations.cpp:
794         (JSC::DFG::operationPutByValInternal):
795         * inspector/InjectedScriptManager.cpp:
796         (Inspector::InjectedScriptManager::createInjectedScript):
797         * inspector/JSGlobalObjectInspectorController.cpp:
798         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
799         * inspector/JSInjectedScriptHost.cpp:
800         (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
801         (Inspector::JSInjectedScriptHost::getInternalProperties):
802         (Inspector::JSInjectedScriptHost::weakMapEntries):
803         (Inspector::JSInjectedScriptHost::weakSetEntries):
804         (Inspector::JSInjectedScriptHost::iteratorEntries):
805         * inspector/JSJavaScriptCallFrame.cpp:
806         (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
807         * inspector/ScriptCallStackFactory.cpp:
808         (Inspector::extractSourceInformationFromException):
809         * interpreter/CachedCall.h:
810         (JSC::CachedCall::CachedCall):
811         * interpreter/CallFrame.h:
812         (JSC::ExecState::clearException): Deleted.
813         (JSC::ExecState::exception): Deleted.
814         (JSC::ExecState::hadException): Deleted.
815         (JSC::ExecState::lastException): Deleted.
816         (JSC::ExecState::clearLastException): Deleted.
817         * interpreter/Interpreter.cpp:
818         (JSC::eval):
819         (JSC::sizeOfVarargs):
820         (JSC::notifyDebuggerOfUnwinding):
821         (JSC::Interpreter::unwind):
822         (JSC::Interpreter::execute):
823         (JSC::Interpreter::executeCall):
824         (JSC::Interpreter::executeConstruct):
825         (JSC::Interpreter::prepareForRepeatCall):
826         (JSC::Interpreter::debug):
827         * interpreter/Interpreter.h:
828         (JSC::SuspendExceptionScope::SuspendExceptionScope):
829         * interpreter/ShadowChicken.cpp:
830         (JSC::ShadowChicken::functionsOnStack):
831         * jit/JITCode.cpp:
832         (JSC::JITCode::execute):
833         * jit/JITExceptions.cpp:
834         (JSC::genericUnwind):
835         * jit/JITOperations.cpp:
836         (JSC::getByVal):
837         * jsc.cpp:
838         (WTF::ImpureGetter::getOwnPropertySlot):
839         (GlobalObject::moduleLoaderResolve):
840         (GlobalObject::moduleLoaderFetch):
841         (functionCreateElement):
842         (functionRun):
843         (functionRunString):
844         (functionLoad):
845         (functionLoadString):
846         (functionReadFile):
847         (functionCheckSyntax):
848         (functionSetRandomSeed):
849         (functionLoadModule):
850         (functionCreateBuiltin):
851         (functionCheckModuleSyntax):
852         (functionGenerateHeapSnapshot):
853         (functionSamplingProfilerStackTraces):
854         (dumpException):
855         (checkUncaughtException):
856         (runWithScripts):
857         (runInteractive):
858         * llint/LLIntExceptions.cpp:
859         (JSC::LLInt::returnToThrow):
860         (JSC::LLInt::callToThrow):
861         * llint/LLIntSlowPaths.cpp:
862         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
863         * profiler/ProfilerBytecodeSequence.cpp:
864         (JSC::Profiler::BytecodeSequence::addSequenceProperties):
865         * profiler/ProfilerCompilation.cpp:
866         (JSC::Profiler::Compilation::toJS):
867         * profiler/ProfilerDatabase.cpp:
868         (JSC::Profiler::Database::toJS):
869         * profiler/ProfilerOSRExitSite.cpp:
870         (JSC::Profiler::OSRExitSite::toJS):
871         * profiler/ProfilerOriginStack.cpp:
872         (JSC::Profiler::OriginStack::toJS):
873         * runtime/ArrayPrototype.cpp:
874         (JSC::speciesConstructArray):
875         (JSC::shift):
876         (JSC::unshift):
877         (JSC::arrayProtoFuncToString):
878         (JSC::arrayProtoFuncToLocaleString):
879         (JSC::slowJoin):
880         (JSC::fastJoin):
881         (JSC::arrayProtoFuncJoin):
882         (JSC::arrayProtoFuncPop):
883         (JSC::arrayProtoFuncPush):
884         (JSC::arrayProtoFuncReverse):
885         (JSC::arrayProtoFuncShift):
886         (JSC::arrayProtoFuncSlice):
887         (JSC::arrayProtoFuncSplice):
888         (JSC::arrayProtoFuncUnShift):
889         (JSC::arrayProtoFuncIndexOf):
890         (JSC::arrayProtoFuncLastIndexOf):
891         (JSC::moveElements):
892         (JSC::concatAppendOne):
893         (JSC::arrayProtoPrivateFuncConcatMemcpy):
894         * runtime/BooleanConstructor.cpp:
895         (JSC::constructWithBooleanConstructor):
896         * runtime/CallData.cpp:
897         (JSC::call):
898         * runtime/CatchScope.cpp: Added.
899         (JSC::CatchScope::CatchScope):
900         (JSC::CatchScope::~CatchScope):
901         * runtime/CatchScope.h: Added.
902         (JSC::CatchScope::clearException):
903         (JSC::CatchScope::CatchScope):
904         * runtime/CommonSlowPaths.cpp:
905         (JSC::SLOW_PATH_DECL):
906         * runtime/CommonSlowPaths.h:
907         (JSC::CommonSlowPaths::opIn):
908         * runtime/CommonSlowPathsExceptions.cpp:
909         (JSC::CommonSlowPaths::interpreterThrowInCaller):
910         * runtime/Completion.cpp:
911         (JSC::evaluate):
912         (JSC::rejectPromise):
913         (JSC::loadAndEvaluateModule):
914         (JSC::loadModule):
915         * runtime/ConsoleObject.cpp:
916         (JSC::consoleProtoFuncAssert):
917         (JSC::consoleProtoFuncProfile):
918         (JSC::consoleProtoFuncProfileEnd):
919         (JSC::consoleProtoFuncTakeHeapSnapshot):
920         (JSC::consoleProtoFuncTime):
921         (JSC::consoleProtoFuncTimeEnd):
922         * runtime/DateConstructor.cpp:
923         (JSC::constructDate):
924         (JSC::dateParse):
925         * runtime/DatePrototype.cpp:
926         (JSC::dateProtoFuncToPrimitiveSymbol):
927         (JSC::dateProtoFuncToJSON):
928         * runtime/ErrorConstructor.cpp:
929         (JSC::Interpreter::constructWithErrorConstructor):
930         * runtime/ErrorInstance.cpp:
931         (JSC::ErrorInstance::sanitizedToString):
932         * runtime/ErrorPrototype.cpp:
933         (JSC::errorProtoFuncToString):
934         * runtime/ExceptionEventLocation.cpp: Added.
935         (WTF::printInternal):
936         * runtime/ExceptionEventLocation.h: Copied from Source/JavaScriptCore/runtime/ThrowScopeLocation.h.
937         (JSC::ExceptionEventLocation::ExceptionEventLocation):
938         (JSC::ThrowScopeLocation::ThrowScopeLocation): Deleted.
939         * runtime/ExceptionHelpers.h:
940         * runtime/ExceptionScope.cpp: Added.
941         (JSC::ExceptionScope::ExceptionScope):
942         (JSC::ExceptionScope::~ExceptionScope):
943         * runtime/ExceptionScope.h: Added.
944         (JSC::ExceptionScope::vm):
945         (JSC::ExceptionScope::recursionDepth):
946         (JSC::ExceptionScope::exception):
947         (JSC::ExceptionScope::ExceptionScope):
948         * runtime/FunctionConstructor.cpp:
949         (JSC::constructFunctionSkippingEvalEnabledCheck):
950         * runtime/FunctionPrototype.cpp:
951         (JSC::functionProtoFuncBind):
952         * runtime/GenericArgumentsInlines.h:
953         (JSC::GenericArguments<Type>::copyToArguments):
954         * runtime/GetterSetter.cpp:
955         (JSC::callGetter):
956         * runtime/InspectorInstrumentationObject.cpp:
957         (JSC::inspectorInstrumentationObjectLog):
958         * runtime/InternalFunction.cpp:
959         (JSC::InternalFunction::createSubclassStructure):
960         * runtime/IntlCollator.cpp:
961         (JSC::IntlCollator::initializeCollator):
962         (JSC::IntlCollator::createCollator):
963         (JSC::IntlCollator::resolvedOptions):
964         * runtime/IntlCollatorConstructor.cpp:
965         (JSC::constructIntlCollator):
966         (JSC::IntlCollatorConstructorFuncSupportedLocalesOf):
967         * runtime/IntlCollatorPrototype.cpp:
968         (JSC::IntlCollatorFuncCompare):
969         (JSC::IntlCollatorPrototypeGetterCompare):
970         * runtime/IntlDateTimeFormat.cpp:
971         (JSC::toDateTimeOptionsAnyDate):
972         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
973         (JSC::IntlDateTimeFormat::resolvedOptions):
974         (JSC::IntlDateTimeFormat::format):
975         * runtime/IntlDateTimeFormatConstructor.cpp:
976         (JSC::constructIntlDateTimeFormat):
977         (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf):
978         * runtime/IntlDateTimeFormatPrototype.cpp:
979         (JSC::IntlDateTimeFormatFuncFormatDateTime):
980         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
981         * runtime/IntlNumberFormat.cpp:
982         (JSC::IntlNumberFormat::initializeNumberFormat):
983         (JSC::IntlNumberFormat::createNumberFormat):
984         (JSC::IntlNumberFormat::resolvedOptions):
985         * runtime/IntlNumberFormatConstructor.cpp:
986         (JSC::constructIntlNumberFormat):
987         (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf):
988         * runtime/IntlNumberFormatPrototype.cpp:
989         (JSC::IntlNumberFormatFuncFormatNumber):
990         (JSC::IntlNumberFormatPrototypeGetterFormat):
991         * runtime/IntlObject.cpp:
992         (JSC::intlBooleanOption):
993         (JSC::intlStringOption):
994         (JSC::intlNumberOption):
995         (JSC::canonicalizeLocaleList):
996         (JSC::supportedLocales):
997         * runtime/IntlObjectInlines.h:
998         (JSC::constructIntlInstanceWithWorkaroundForLegacyIntlConstructor):
999         * runtime/IteratorOperations.cpp:
1000         (JSC::iteratorNext):
1001         (JSC::iteratorStep):
1002         (JSC::iteratorClose):
1003         (JSC::iteratorForIterable):
1004         * runtime/IteratorOperations.h:
1005         (JSC::forEachInIterable):
1006         * runtime/JSArray.cpp:
1007         (JSC::JSArray::pop):
1008         (JSC::JSArray::push):
1009         (JSC::JSArray::copyToArguments):
1010         * runtime/JSArrayBufferConstructor.cpp:
1011         (JSC::constructArrayBuffer):
1012         * runtime/JSArrayBufferPrototype.cpp:
1013         (JSC::arrayBufferProtoFuncSlice):
1014         * runtime/JSArrayInlines.h:
1015         (JSC::getLength):
1016         (JSC::toLength):
1017         * runtime/JSBoundFunction.cpp:
1018         (JSC::getBoundFunctionStructure):
1019         (JSC::JSBoundFunction::create):
1020         * runtime/JSCJSValue.cpp:
1021         (JSC::JSValue::putToPrimitive):
1022         (JSC::JSValue::putToPrimitiveByIndex):
1023         (JSC::JSValue::toStringSlowCase):
1024         * runtime/JSCJSValueInlines.h:
1025         (JSC::toPreferredPrimitiveType):
1026         (JSC::JSValue::getPropertySlot):
1027         (JSC::JSValue::equalSlowCaseInline):
1028         * runtime/JSDataViewPrototype.cpp:
1029         (JSC::getData):
1030         (JSC::setData):
1031         * runtime/JSFunction.cpp:
1032         (JSC::JSFunction::setFunctionName):
1033         * runtime/JSGenericTypedArrayView.h:
1034         (JSC::JSGenericTypedArrayView::setIndex):
1035         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1036         (JSC::constructGenericTypedArrayViewFromIterator):
1037         (JSC::constructGenericTypedArrayViewWithArguments):
1038         (JSC::constructGenericTypedArrayView):
1039         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1040         (JSC::speciesConstruct):
1041         (JSC::genericTypedArrayViewProtoFuncCopyWithin):
1042         (JSC::genericTypedArrayViewProtoFuncIncludes):
1043         (JSC::genericTypedArrayViewProtoFuncIndexOf):
1044         (JSC::genericTypedArrayViewProtoFuncJoin):
1045         (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
1046         (JSC::genericTypedArrayViewProtoFuncSlice):
1047         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
1048         * runtime/JSGlobalObject.h:
1049         (JSC::constructEmptyArray):
1050         (JSC::constructArray):
1051         (JSC::constructArrayNegativeIndexed):
1052         * runtime/JSGlobalObjectFunctions.cpp:
1053         (JSC::globalFuncEval):
1054         * runtime/JSJob.cpp:
1055         (JSC::JSJobMicrotask::run):
1056         * runtime/JSModuleEnvironment.cpp:
1057         (JSC::JSModuleEnvironment::getOwnPropertySlot):
1058         * runtime/JSModuleLoader.cpp:
1059         (JSC::JSModuleLoader::fetch):
1060         * runtime/JSModuleNamespaceObject.cpp:
1061         (JSC::JSModuleNamespaceObject::finishCreation):
1062         (JSC::JSModuleNamespaceObject::getOwnPropertySlot):
1063         * runtime/JSModuleRecord.cpp:
1064         (JSC::JSModuleRecord::instantiateDeclarations):
1065         * runtime/JSONObject.cpp:
1066         (JSC::Stringifier::Stringifier):
1067         (JSC::Stringifier::stringify):
1068         (JSC::Stringifier::toJSON):
1069         (JSC::Stringifier::appendStringifiedValue):
1070         (JSC::Stringifier::Holder::appendNextProperty):
1071         (JSC::Walker::walk):
1072         (JSC::JSONProtoFuncParse):
1073         * runtime/JSObject.cpp:
1074         (JSC::ordinarySetSlow):
1075         (JSC::JSObject::setPrototypeWithCycleCheck):
1076         (JSC::callToPrimitiveFunction):
1077         (JSC::JSObject::ordinaryToPrimitive):
1078         (JSC::JSObject::defaultHasInstance):
1079         (JSC::JSObject::getPropertyNames):
1080         (JSC::JSObject::toNumber):
1081         (JSC::JSObject::toString):
1082         (JSC::JSObject::defineOwnNonIndexProperty):
1083         (JSC::JSObject::getGenericPropertyNames):
1084         (JSC::JSObject::getMethod):
1085         * runtime/JSObjectInlines.h:
1086         (JSC::createListFromArrayLike):
1087         (JSC::JSObject::getPropertySlot):
1088         (JSC::JSObject::getNonIndexPropertySlot):
1089         * runtime/JSPromiseConstructor.cpp:
1090         (JSC::constructPromise):
1091         * runtime/JSPropertyNameEnumerator.h:
1092         (JSC::propertyNameEnumerator):
1093         * runtime/JSPropertyNameIterator.cpp:
1094         (JSC::JSPropertyNameIterator::create):
1095         * runtime/JSScope.cpp:
1096         (JSC::isUnscopable):
1097         (JSC::JSScope::resolve):
1098         * runtime/JSString.cpp:
1099         (JSC::JSString::equalSlowCase):
1100         * runtime/JSStringJoiner.cpp:
1101         (JSC::JSStringJoiner::join):
1102         * runtime/LiteralParser.cpp:
1103         (JSC::LiteralParser<CharType>::parse):
1104         * runtime/MapConstructor.cpp:
1105         (JSC::constructMap):
1106         * runtime/MathObject.cpp:
1107         (JSC::mathProtoFuncClz32):
1108         (JSC::mathProtoFuncHypot):
1109         (JSC::mathProtoFuncIMul):
1110         * runtime/ModuleLoaderPrototype.cpp:
1111         (JSC::moduleLoaderPrototypeParseModule):
1112         (JSC::moduleLoaderPrototypeRequestedModules):
1113         (JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
1114         * runtime/NativeErrorConstructor.cpp:
1115         (JSC::Interpreter::constructWithNativeErrorConstructor):
1116         * runtime/NumberConstructor.cpp:
1117         (JSC::constructWithNumberConstructor):
1118         * runtime/ObjectConstructor.cpp:
1119         (JSC::constructObject):
1120         (JSC::objectConstructorGetPrototypeOf):
1121         (JSC::objectConstructorSetPrototypeOf):
1122         (JSC::objectConstructorGetOwnPropertyDescriptor):
1123         (JSC::objectConstructorGetOwnPropertyDescriptors):
1124         (JSC::objectConstructorGetOwnPropertyNames):
1125         (JSC::objectConstructorGetOwnPropertySymbols):
1126         (JSC::objectConstructorKeys):
1127         (JSC::ownEnumerablePropertyKeys):
1128         (JSC::toPropertyDescriptor):
1129         (JSC::objectConstructorDefineProperty):
1130         (JSC::defineProperties):
1131         (JSC::objectConstructorSeal):
1132         (JSC::objectConstructorFreeze):
1133         (JSC::objectConstructorIsSealed):
1134         (JSC::objectConstructorIsFrozen):
1135         (JSC::objectConstructorIsExtensible):
1136         (JSC::ownPropertyKeys):
1137         * runtime/ObjectConstructor.h:
1138         (JSC::constructObjectFromPropertyDescriptor):
1139         * runtime/ObjectPrototype.cpp:
1140         (JSC::objectProtoFuncHasOwnProperty):
1141         (JSC::objectProtoFuncIsPrototypeOf):
1142         (JSC::objectProtoFuncDefineGetter):
1143         (JSC::objectProtoFuncDefineSetter):
1144         (JSC::objectProtoFuncLookupGetter):
1145         (JSC::objectProtoFuncLookupSetter):
1146         (JSC::objectProtoFuncPropertyIsEnumerable):
1147         (JSC::objectProtoFuncToLocaleString):
1148         (JSC::objectProtoFuncToString):
1149         * runtime/Operations.cpp:
1150         (JSC::jsAddSlowCase):
1151         * runtime/Options.h:
1152         * runtime/PropertyDescriptor.cpp:
1153         (JSC::PropertyDescriptor::slowGetterSetter):
1154         * runtime/ProxyConstructor.cpp:
1155         (JSC::makeRevocableProxy):
1156         * runtime/ProxyObject.cpp:
1157         (JSC::ProxyObject::toStringName):
1158         (JSC::performProxyGet):
1159         (JSC::ProxyObject::performGet):
1160         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1161         (JSC::ProxyObject::performHasProperty):
1162         (JSC::ProxyObject::performPut):
1163         (JSC::ProxyObject::putByIndexCommon):
1164         (JSC::performProxyCall):
1165         (JSC::performProxyConstruct):
1166         (JSC::ProxyObject::performDelete):
1167         (JSC::ProxyObject::performPreventExtensions):
1168         (JSC::ProxyObject::performIsExtensible):
1169         (JSC::ProxyObject::performDefineOwnProperty):
1170         (JSC::ProxyObject::performGetOwnPropertyNames):
1171         (JSC::ProxyObject::performSetPrototype):
1172         (JSC::ProxyObject::performGetPrototype):
1173         * runtime/ReflectObject.cpp:
1174         (JSC::reflectObjectConstruct):
1175         (JSC::reflectObjectDefineProperty):
1176         (JSC::reflectObjectGet):
1177         (JSC::reflectObjectGetOwnPropertyDescriptor):
1178         (JSC::reflectObjectIsExtensible):
1179         (JSC::reflectObjectPreventExtensions):
1180         (JSC::reflectObjectSet):
1181         (JSC::reflectObjectSetPrototypeOf):
1182         * runtime/RegExpConstructor.cpp:
1183         (JSC::toFlags):
1184         (JSC::regExpCreate):
1185         (JSC::constructRegExp):
1186         * runtime/RegExpConstructor.h:
1187         (JSC::isRegExp):
1188         * runtime/RegExpObject.cpp:
1189         (JSC::collectMatches):
1190         (JSC::RegExpObject::matchGlobal):
1191         * runtime/RegExpPrototype.cpp:
1192         (JSC::regExpProtoFuncCompile):
1193         (JSC::flagsString):
1194         (JSC::regExpProtoFuncToString):
1195         (JSC::regExpProtoGetterFlags):
1196         (JSC::regExpProtoFuncSearchFast):
1197         (JSC::regExpProtoFuncSplitFast):
1198         * runtime/SetConstructor.cpp:
1199         (JSC::constructSet):
1200         * runtime/StringConstructor.cpp:
1201         (JSC::stringFromCodePoint):
1202         (JSC::constructWithStringConstructor):
1203         * runtime/StringObject.cpp:
1204         (JSC::StringObject::defineOwnProperty):
1205         * runtime/StringPrototype.cpp:
1206         (JSC::replaceUsingRegExpSearch):
1207         (JSC::operationStringProtoFuncReplaceRegExpEmptyStr):
1208         (JSC::replaceUsingStringSearch):
1209         (JSC::replace):
1210         (JSC::stringProtoFuncReplaceUsingRegExp):
1211         (JSC::stringProtoFuncReplaceUsingStringSearch):
1212         (JSC::stringProtoFuncCodePointAt):
1213         (JSC::stringProtoFuncSlice):
1214         (JSC::stringProtoFuncSplitFast):
1215         (JSC::stringProtoFuncSubstr):
1216         (JSC::stringProtoFuncSubstring):
1217         (JSC::stringProtoFuncLocaleCompare):
1218         (JSC::toLocaleCase):
1219         (JSC::stringProtoFuncBig):
1220         (JSC::stringProtoFuncSmall):
1221         (JSC::stringProtoFuncBlink):
1222         (JSC::stringProtoFuncBold):
1223         (JSC::stringProtoFuncFixed):
1224         (JSC::stringProtoFuncItalics):
1225         (JSC::stringProtoFuncStrike):
1226         (JSC::stringProtoFuncSub):
1227         (JSC::stringProtoFuncSup):
1228         (JSC::stringProtoFuncFontcolor):
1229         (JSC::stringProtoFuncFontsize):
1230         (JSC::stringProtoFuncAnchor):
1231         (JSC::stringProtoFuncLink):
1232         (JSC::trimString):
1233         (JSC::stringProtoFuncStartsWith):
1234         (JSC::stringProtoFuncEndsWith):
1235         (JSC::stringIncludesImpl):
1236         (JSC::stringProtoFuncIncludes):
1237         (JSC::builtinStringIncludesInternal):
1238         (JSC::stringProtoFuncNormalize):
1239         * runtime/SymbolConstructor.cpp:
1240         (JSC::symbolConstructorFor):
1241         * runtime/TemplateRegistry.cpp:
1242         (JSC::TemplateRegistry::getTemplateObject):
1243         * runtime/ThrowScope.cpp:
1244         (JSC::ThrowScope::ThrowScope):
1245         (JSC::ThrowScope::~ThrowScope):
1246         (JSC::ThrowScope::throwException):
1247         (JSC::ThrowScope::simulateThrow):
1248         (JSC::ThrowScope::printIfNeedCheck): Deleted.
1249         (JSC::ThrowScope::verifyExceptionCheckNeedIsSatisfied): Deleted.
1250         * runtime/ThrowScope.h:
1251         (JSC::ThrowScope::release):
1252         (JSC::ThrowScope::ThrowScope):
1253         (JSC::ThrowScope::throwException):
1254         (JSC::ThrowScope::vm): Deleted.
1255         (JSC::ThrowScope::exception): Deleted.
1256         * runtime/ThrowScopeLocation.h: Removed.
1257         * runtime/VM.cpp:
1258         (JSC::VM::verifyExceptionCheckNeedIsSatisfied):
1259         * runtime/VM.h:
1260         (JSC::VM::exception):
1261         (JSC::VM::clearException):
1262         (JSC::VM::setException): Deleted.
1263         * runtime/WeakMapConstructor.cpp:
1264         (JSC::constructWeakMap):
1265         * runtime/WeakSetConstructor.cpp:
1266         (JSC::constructWeakSet):
1267         * tools/JSDollarVMPrototype.cpp:
1268         (JSC::functionPrint):
1269
1270 2016-09-07  Andy VanWagoner  <thetalecrafter@gmail.com>
1271
1272         [INTL] some valid language tags cause errors in Intl constructors
1273         https://bugs.webkit.org/show_bug.cgi?id=161672
1274
1275         Reviewed by Mark Lam.
1276
1277         Fix private use tag parsing to match spec, allowing single character parts.
1278         https://www.rfc-editor.org/rfc/bcp/bcp47.txt
1279
1280         ```
1281         privateuse    = "x" 1*("-" (1*8alphanum))
1282         ```
1283
1284         * runtime/IntlObject.cpp:
1285         (JSC::privateUseLangTag): Allow singleton parts in private use tag.
1286
1287 2016-09-07  Benjamin Poulain  <bpoulain@apple.com>
1288
1289         [JSC] Remove a couple of useless forward declaration
1290         https://bugs.webkit.org/show_bug.cgi?id=161676
1291
1292         Reviewed by Mark Lam.
1293
1294         JITMathICForwards.h should take care of declarating the Math ICs.
1295
1296         * bytecode/CodeBlock.h:
1297         * jit/JITOperations.h:
1298
1299 2016-09-07  Filip Pizlo  <fpizlo@apple.com>
1300
1301         Make emitAllocateWithNonNullAllocator's sub32() disallow-scratch-friendly
1302         https://bugs.webkit.org/show_bug.cgi?id=161706
1303
1304         Reviewed by Geoffrey Garen.
1305         
1306         You can't sub32(Addr, Reg) on not-x86 without using a scratch register. So, on those CPUs, we
1307         have to do something different.
1308
1309         * jit/AssemblyHelpers.h:
1310         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
1311
1312 2016-09-07  Michael Catanzaro  <mcatanzaro@igalia.com>
1313
1314         Unreviewed CMake build fix after r205552
1315
1316         * CMakeLists.txt:
1317
1318 2016-09-03  Keith Miller  <keith_miller@apple.com>
1319
1320         Add support for WASM Loops and Branches
1321         https://bugs.webkit.org/show_bug.cgi?id=161569
1322
1323         Reviewed by Benjamin Poulain.
1324
1325         This patch adds support for loops and branches to WASM. In order
1326         to support loops, we needed to change the way the B3IRGenerator
1327         tracked control information. Now, the control data holds three
1328         pieces of information: The continuation block, the loop branch
1329         target, and variables exiting the block. Whenever we branch to
1330         some control point we first check if it is a loop by checking that
1331         the loop branch target is non-null. If the branch is not targeting
1332         a loop, we map the stack values to the associated B3 variables for
1333         that stack slot.
1334
1335         Another interesting thing of note is that we now only allocate the
1336         continuation basic block lazily. This is beneficial when the
1337         continuation would just fall through to another block anyway. For
1338         example, in code like: (block ... (block (add 1 2) end) end) the
1339         continuation for the inner block just falls through to the outer
1340         block's continuation so we don't need an extra block.
1341
1342         * B3CallingConventions.cpp:
1343         (JSC::B3::jscCallingConvention): Deleted.
1344         * B3CallingConventions.h:
1345         (JSC::B3::CallingConvention::CallingConvention): Deleted.
1346         (JSC::B3::CallingConvention::iterate): Deleted.
1347         (JSC::B3::nextJSCOffset): Deleted.
1348         * JavaScriptCore.xcodeproj/project.pbxproj:
1349         * b3/B3Type.h:
1350         * testWASM.cpp:
1351         (runWASMTests):
1352         * wasm/WASMB3IRGenerator.cpp:
1353         (JSC::WASM::B3IRGenerator::LazyBlock::LazyBlock):
1354         (JSC::WASM::B3IRGenerator::LazyBlock::operator bool):
1355         (JSC::WASM::B3IRGenerator::LazyBlock::get):
1356         (JSC::WASM::B3IRGenerator::LazyBlock::dump):
1357         (JSC::WASM::B3IRGenerator::ControlData::ControlData):
1358         (JSC::WASM::B3IRGenerator::ControlData::dump):
1359         (JSC::WASM::B3IRGenerator::ControlData::targetBlockForBranch):
1360         (JSC::WASM::B3IRGenerator::ControlData::isLoop):
1361         (JSC::WASM::B3IRGenerator::addLocal):
1362         (JSC::WASM::B3IRGenerator::addArguments):
1363         (JSC::WASM::B3IRGenerator::setLocal):
1364         (JSC::WASM::B3IRGenerator::addBlock):
1365         (JSC::WASM::B3IRGenerator::addLoop):
1366         (JSC::WASM::B3IRGenerator::endBlock):
1367         (JSC::WASM::B3IRGenerator::addReturn):
1368         (JSC::WASM::B3IRGenerator::addBranch):
1369         (JSC::WASM::B3IRGenerator::initializeIncommingTypes):
1370         (JSC::WASM::B3IRGenerator::unifyValuesWithBlock):
1371         (JSC::WASM::B3IRGenerator::controlDataForLevel):
1372         (JSC::WASM::B3IRGenerator::dumpGraphAndControlStack):
1373         (JSC::WASM::parseAndCompile):
1374         (JSC::WASM::B3IRGenerator::unifyValuesWithLevel): Deleted.
1375         (JSC::WASM::B3IRGenerator::stackForControlLevel): Deleted.
1376         (JSC::WASM::B3IRGenerator::blockForControlLevel): Deleted.
1377         * wasm/WASMCallingConvention.cpp: Renamed from Source/JavaScriptCore/B3CallingConventions.cpp.
1378         (JSC::WASM::jscCallingConvention):
1379         * wasm/WASMCallingConvention.h: Renamed from Source/JavaScriptCore/B3CallingConventions.h.
1380         (JSC::WASM::CallingConvention::CallingConvention):
1381         (JSC::WASM::CallingConvention::iterate):
1382         (JSC::WASM::nextJSCOffset):
1383         * wasm/WASMFormat.h:
1384         (JSC::WASM::toB3Type):
1385         (JSC::WASM::isValueType):
1386         * wasm/WASMFunctionParser.h:
1387         (JSC::WASM::FunctionParser<Context>::parse):
1388         (JSC::WASM::FunctionParser<Context>::parseExpression):
1389         * wasm/WASMModuleParser.cpp:
1390         (JSC::WASM::ModuleParser::parseFunctionTypes):
1391         * wasm/WASMOps.h:
1392
1393 2016-09-07  Youenn Fablet  <youenn@apple.com>
1394
1395         [Streams API] Separate compile flag for ReadableStream and WritableStream
1396         https://bugs.webkit.org/show_bug.cgi?id=161044
1397
1398         Reviewed by Alex Christensen.
1399
1400         Moving from STREAMS_API to READABLE_STREAM_API and WRITABLE_STREAM_API compilation flags.
1401         Updated builtin test to cover the case of @conditional taking ENABLE(XX) || ENABLE(YY) flag.
1402
1403         * Configurations/FeatureDefines.xcconfig:
1404         * Scripts/tests/builtins/WebCore-GuardedInternalBuiltin-Separate.js:
1405         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
1406         * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
1407
1408 2016-09-07  Csaba Osztrogon√°c  <ossy@webkit.org>
1409
1410         Fix the ENABLE(WEBASSEMBLY) build on Linux
1411         https://bugs.webkit.org/show_bug.cgi?id=161685
1412
1413         Unreviewed buildfix.
1414
1415         * wasm/JSWASMModule.cpp:
1416
1417 2016-09-06  Saam Barati  <sbarati@apple.com>
1418
1419         ProxyObject's structure should not have ObjectPrototype as its prototype and it should not have special behavior for intercepting "__proto__"
1420         https://bugs.webkit.org/show_bug.cgi?id=161558
1421
1422         Reviewed by Benjamin Poulain.
1423
1424         ProxyObject had ObjectPrototype as its direct prototype.
1425         This could lead to infinite loops when doing a getDirectPrototype()
1426         loop.
1427
1428         Fixing this bug revealed another bug, which I made when implementing Proxy.
1429         We should not special case "__proto__" in get and set for Proxy Object's
1430         hooks. "__proto__" should just go through the normal set and get path.
1431
1432         * runtime/JSGlobalObject.cpp:
1433         (JSC::JSGlobalObject::init):
1434         * runtime/ProxyObject.cpp:
1435         (JSC::performProxyGet):
1436         (JSC::ProxyObject::put):
1437
1438 2016-09-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1439
1440         Make JSC::PrivateName copyable
1441         https://bugs.webkit.org/show_bug.cgi?id=161666
1442
1443         Reviewed by Ryosuke Niwa.
1444
1445         Define the custom copy constructor to make PrivateName copyable while using Ref<SymbolImpl>.
1446         And since the custom copy constructor deletes the default move constructor, we explcitly define
1447         it by `= default;`.
1448
1449         * runtime/PrivateName.h:
1450         (JSC::PrivateName::PrivateName):
1451
1452 2016-09-06  Daniel Bates  <dabates@apple.com>
1453
1454         [iOS] Build fails in JSCLLIntOffsetsExtractor - Ad Hoc code signing is not allowed with SDK 'Simulator - iOS 10.0'
1455         https://bugs.webkit.org/show_bug.cgi?id=161296
1456
1457         Reviewed by Dan Bernstein.
1458
1459         Allow ad-hoc code signing when building JavaScriptCore command line tools for simulator
1460         with the iOS 10 beta SDK.
1461
1462         * Configurations/Base.xcconfig:
1463
1464 2016-09-06  Saam Barati  <sbarati@apple.com>
1465
1466         Unreviewed build fix for 32-bit platforms after r205520.
1467
1468         * dfg/DFGSpeculativeJIT.h:
1469         (JSC::DFG::SpeculativeJIT::callOperation): Deleted.
1470
1471 2016-09-06  Saam Barati  <sbarati@apple.com>
1472
1473         Member call on NULL pointer in JavaScriptCore/dfg/DFGAbstractInterpretterInlines.h
1474         https://bugs.webkit.org/show_bug.cgi?id=160870
1475
1476         Reviewed by Darin Adler.
1477
1478         Credit goes to Jonathan Bedard for finding this bug using the undefined
1479         behavior sanitizer.
1480
1481         The rule for MaterializeNewObject inside AI was assuming that the graph
1482         is in SSA form. This used to be true when MaterializeNewObject was only
1483         inserted by the allocation sinking phase. However, Filip added more uses
1484         of MaterializeNewObject in his RegExp constant folding patch. This fixes
1485         the bug by using the structure set inside the Node's OpInfo rather than
1486         generating it from m_phiChildren inside AI.
1487
1488         * dfg/DFGAbstractInterpreterInlines.h:
1489         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1490
1491 2016-09-06  Saam Barati  <sbarati@apple.com>
1492
1493         Make JSMap and JSSet faster
1494         https://bugs.webkit.org/show_bug.cgi?id=160989
1495
1496         Reviewed by Filip Pizlo.
1497
1498         This patch revamps how we implement Map and Set. It uses
1499         a new hash map implementation. The hash map uses linear
1500         probing and it uses Wang's 64 bit hash function for JSValues
1501         that aren't strings. Strings use StringImpl's hash function.
1502         The reason I wanted to roll our own HashTable is twofold:
1503         I didn't want to inline WTF::HashMap's implementation into our
1504         JIT, since that seems error prone and unmaintainable. Also, I wanted
1505         a different structure for hash map buckets where buckets also exist in
1506         a linked list.
1507
1508         The reason for making buckets part of a linked list is that iteration
1509         is now simple. Iteration works by just traversing a linked list.
1510         This design also allows for a simple implementation when doing iteration
1511         while the hash table is mutating. Whenever we remove a bucket from
1512         the hash table, it is removed from the list, meaning items in the
1513         list don't point to it. However, the removed bucket will still point
1514         to things that are either in the list, or have also been removed.
1515         e.g, from a removed bucket, you can always follow pointers until you
1516         either find an item in the list, or you find the tail of the list.
1517         This is a really nice property because it means that a Map or Set
1518         does not need to reason about the all the iterators that point
1519         into its list. Also, whenever we add items to the Map or Set, we
1520         hijack the tail as the new item, and make the new item point to a newly
1521         created tail. This means that any iterator that pointed to the "tail" now
1522         points to non-tail items. This makes the implementation of adding things
1523         to the Map/Set while iterating easy.
1524
1525         I also made Map.prototype.get, Map.prototype.has, and Set.prototype.has
1526         into intrinsics in the DFG. The IR can now reason about hash map
1527         operations and can even do CSE over Wang's hash function, hash map
1528         bucket lookups, hash map bucket loads, and testing if a key is in
1529         the hash table. This makes code patterns for Map like so, super fast
1530         in the FTL, since we will only be doing a single hash and hash bucket lookup:
1531
1532         ```
1533         function getKeyIfPresent(map, key) {
1534             if (map.has(key))
1535                 return map.get(key);
1536         }
1537         ```
1538
1539         This patch is roughly an 8% speedup on ES6SampleBench.
1540
1541
1542         * CMakeLists.txt:
1543         * JavaScriptCore.xcodeproj/project.pbxproj:
1544         * assembler/MacroAssemblerARM64.h:
1545         (JSC::MacroAssemblerARM64::not64):
1546         * bytecode/SpeculatedType.cpp:
1547         (JSC::speculationFromClassInfo):
1548         * bytecode/SpeculatedType.h:
1549         * dfg/DFGAbstractInterpreterInlines.h:
1550         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1551         (JSC::DFG::AbstractInterpreter<AbstractStateType>::execute):
1552         * dfg/DFGByteCodeParser.cpp:
1553         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1554         * dfg/DFGClobberize.h:
1555         (JSC::DFG::clobberize):
1556         * dfg/DFGDoesGC.cpp:
1557         (JSC::DFG::doesGC):
1558         * dfg/DFGEdge.h:
1559         (JSC::DFG::Edge::shift):
1560         (JSC::DFG::Edge::makeWord):
1561         * dfg/DFGFixupPhase.cpp:
1562         (JSC::DFG::FixupPhase::fixupNode):
1563         * dfg/DFGHeapLocation.cpp:
1564         (WTF::printInternal):
1565         * dfg/DFGHeapLocation.h:
1566         * dfg/DFGNode.h:
1567         (JSC::DFG::Node::hasHeapPrediction):
1568         * dfg/DFGNodeType.h:
1569         * dfg/DFGOperations.cpp:
1570         * dfg/DFGOperations.h:
1571         * dfg/DFGPredictionPropagationPhase.cpp:
1572         * dfg/DFGSafeToExecute.h:
1573         (JSC::DFG::SafeToExecuteEdge::operator()):
1574         (JSC::DFG::safeToExecute):
1575         * dfg/DFGSpeculativeJIT.cpp:
1576         (JSC::DFG::SpeculativeJIT::speculateMapObject):
1577         (JSC::DFG::SpeculativeJIT::speculateSetObject):
1578         (JSC::DFG::SpeculativeJIT::speculate):
1579         * dfg/DFGSpeculativeJIT.h:
1580         (JSC::DFG::SpeculativeJIT::callOperation):
1581         * dfg/DFGSpeculativeJIT32_64.cpp:
1582         (JSC::DFG::SpeculativeJIT::compile):
1583         * dfg/DFGSpeculativeJIT64.cpp:
1584         (JSC::DFG::SpeculativeJIT::compile):
1585         * dfg/DFGUseKind.cpp:
1586         (WTF::printInternal):
1587         * dfg/DFGUseKind.h:
1588         (JSC::DFG::typeFilterFor):
1589         (JSC::DFG::isCell):
1590         * ftl/FTLAbstractHeapRepository.h:
1591         * ftl/FTLCapabilities.cpp:
1592         (JSC::FTL::canCompile):
1593         * ftl/FTLLowerDFGToB3.cpp:
1594         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1595         (JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
1596         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
1597         (JSC::FTL::DFG::LowerDFGToB3::compileLoadFromJSMapBucket):
1598         (JSC::FTL::DFG::LowerDFGToB3::compileIsNonEmptyMapBucket):
1599         (JSC::FTL::DFG::LowerDFGToB3::lowMapObject):
1600         (JSC::FTL::DFG::LowerDFGToB3::lowSetObject):
1601         (JSC::FTL::DFG::LowerDFGToB3::lowMapBucket):
1602         (JSC::FTL::DFG::LowerDFGToB3::speculate):
1603         (JSC::FTL::DFG::LowerDFGToB3::speculateMapObject):
1604         (JSC::FTL::DFG::LowerDFGToB3::speculateSetObject):
1605         (JSC::FTL::DFG::LowerDFGToB3::setMapBucket):
1606         (JSC::FTL::DFG::LowerDFGToB3::lowRegExpObject): Deleted.
1607         (JSC::FTL::DFG::LowerDFGToB3::lowStorage): Deleted.
1608         (JSC::FTL::DFG::LowerDFGToB3::speculateRegExpObject): Deleted.
1609         (JSC::FTL::DFG::LowerDFGToB3::setStorage): Deleted.
1610         * jit/AssemblyHelpers.cpp:
1611         (JSC::AssemblyHelpers::wangsInt64Hash):
1612         * jit/AssemblyHelpers.h:
1613         (JSC::AssemblyHelpers::emitAllocateDestructibleObject): Deleted.
1614         * jit/JITOperations.h:
1615         * parser/ModuleAnalyzer.cpp:
1616         (JSC::ModuleAnalyzer::ModuleAnalyzer):
1617         * runtime/HashMapImpl.cpp: Added.
1618         (JSC::HashMapBucket<Data>::visitChildren):
1619         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
1620         (JSC::HashMapImpl<HashMapBucket>::copyBackingStore):
1621         * runtime/HashMapImpl.h: Added.
1622         (JSC::HashMapBucket::selectStructure):
1623         (JSC::HashMapBucket::createStructure):
1624         (JSC::HashMapBucket::create):
1625         (JSC::HashMapBucket::HashMapBucket):
1626         (JSC::HashMapBucket::setNext):
1627         (JSC::HashMapBucket::setPrev):
1628         (JSC::HashMapBucket::setKey):
1629         (JSC::HashMapBucket::setValue):
1630         (JSC::HashMapBucket::key):
1631         (JSC::HashMapBucket::value):
1632         (JSC::HashMapBucket::next):
1633         (JSC::HashMapBucket::prev):
1634         (JSC::HashMapBucket::deleted):
1635         (JSC::HashMapBucket::setDeleted):
1636         (JSC::HashMapBucket::offsetOfKey):
1637         (JSC::HashMapBucket::offsetOfValue):
1638         (JSC::HashMapBuffer::allocationSize):
1639         (JSC::HashMapBuffer::buffer):
1640         (JSC::HashMapBuffer::create):
1641         (JSC::areKeysEqual):
1642         (JSC::normalizeMapKey):
1643         (JSC::jsMapHash):
1644         (JSC::HashMapImpl::selectStructure):
1645         (JSC::HashMapImpl::createStructure):
1646         (JSC::HashMapImpl::create):
1647         (JSC::HashMapImpl::HashMapImpl):
1648         (JSC::HashMapImpl::buffer):
1649         (JSC::HashMapImpl::finishCreation):
1650         (JSC::HashMapImpl::emptyValue):
1651         (JSC::HashMapImpl::isEmpty):
1652         (JSC::HashMapImpl::deletedValue):
1653         (JSC::HashMapImpl::isDeleted):
1654         (JSC::HashMapImpl::findBucket):
1655         (JSC::HashMapImpl::get):
1656         (JSC::HashMapImpl::has):
1657         (JSC::HashMapImpl::add):
1658         (JSC::HashMapImpl::remove):
1659         (JSC::HashMapImpl::size):
1660         (JSC::HashMapImpl::clear):
1661         (JSC::HashMapImpl::bufferSizeInBytes):
1662         (JSC::HashMapImpl::offsetOfBuffer):
1663         (JSC::HashMapImpl::offsetOfCapacity):
1664         (JSC::HashMapImpl::head):
1665         (JSC::HashMapImpl::tail):
1666         (JSC::HashMapImpl::approximateSize):
1667         (JSC::HashMapImpl::findBucketAlreadyHashedAndNormalized):
1668         (JSC::HashMapImpl::rehash):
1669         (JSC::HashMapImpl::makeAndSetNewBuffer):
1670         * runtime/Intrinsic.h:
1671         * runtime/JSCJSValue.h:
1672         * runtime/JSCJSValueInlines.h:
1673         (JSC::sameValue):
1674         * runtime/JSGlobalObject.cpp:
1675         (JSC::JSGlobalObject::init):
1676         * runtime/JSMap.cpp:
1677         (JSC::JSMap::destroy): Deleted.
1678         (JSC::JSMap::estimatedSize): Deleted.
1679         (JSC::JSMap::visitChildren): Deleted.
1680         (JSC::JSMap::copyBackingStore): Deleted.
1681         (JSC::JSMap::has): Deleted.
1682         (JSC::JSMap::size): Deleted.
1683         (JSC::JSMap::get): Deleted.
1684         (JSC::JSMap::set): Deleted.
1685         (JSC::JSMap::clear): Deleted.
1686         (JSC::JSMap::remove): Deleted.
1687         * runtime/JSMap.h:
1688         (JSC::JSMap::createStructure):
1689         (JSC::JSMap::create):
1690         (JSC::JSMap::get):
1691         (JSC::JSMap::set):
1692         (JSC::JSMap::JSMap):
1693         (JSC::JSMap::Entry::key): Deleted.
1694         (JSC::JSMap::Entry::value): Deleted.
1695         (JSC::JSMap::Entry::visitChildren): Deleted.
1696         (JSC::JSMap::Entry::setKey): Deleted.
1697         (JSC::JSMap::Entry::setKeyWithoutWriteBarrier): Deleted.
1698         (JSC::JSMap::Entry::setValue): Deleted.
1699         (JSC::JSMap::Entry::clear): Deleted.
1700         * runtime/JSMapIterator.cpp:
1701         (JSC::JSMapIterator::finishCreation):
1702         (JSC::JSMapIterator::visitChildren):
1703         (JSC::JSMapIterator::clone):
1704         * runtime/JSMapIterator.h:
1705         (JSC::JSMapIterator::advanceIter):
1706         (JSC::JSMapIterator::next):
1707         (JSC::JSMapIterator::nextKeyValue):
1708         (JSC::JSMapIterator::JSMapIterator):
1709         (JSC::JSMapIterator::setIterator):
1710         (JSC::JSMapIterator::finish): Deleted.
1711         (JSC::JSMapIterator::iteratorData): Deleted.
1712         * runtime/JSModuleLoader.cpp:
1713         (JSC::JSModuleLoader::finishCreation):
1714         * runtime/JSModuleLoader.h:
1715         (JSC::JSModuleLoader::create):
1716         * runtime/JSModuleRecord.cpp:
1717         (JSC::JSModuleRecord::finishCreation):
1718         * runtime/JSModuleRecord.h:
1719         (JSC::JSModuleRecord::create):
1720         * runtime/JSSet.cpp:
1721         (JSC::JSSet::destroy): Deleted.
1722         (JSC::JSSet::estimatedSize): Deleted.
1723         (JSC::JSSet::visitChildren): Deleted.
1724         (JSC::JSSet::copyBackingStore): Deleted.
1725         (JSC::JSSet::has): Deleted.
1726         (JSC::JSSet::size): Deleted.
1727         (JSC::JSSet::add): Deleted.
1728         (JSC::JSSet::clear): Deleted.
1729         (JSC::JSSet::remove): Deleted.
1730         * runtime/JSSet.h:
1731         (JSC::JSSet::createStructure):
1732         (JSC::JSSet::create):
1733         (JSC::JSSet::add):
1734         (JSC::JSSet::JSSet):
1735         (JSC::JSSet::Entry::key): Deleted.
1736         (JSC::JSSet::Entry::value): Deleted.
1737         (JSC::JSSet::Entry::visitChildren): Deleted.
1738         (JSC::JSSet::Entry::setKey): Deleted.
1739         (JSC::JSSet::Entry::setKeyWithoutWriteBarrier): Deleted.
1740         (JSC::JSSet::Entry::setValue): Deleted.
1741         (JSC::JSSet::Entry::clear): Deleted.
1742         * runtime/JSSetIterator.cpp:
1743         (JSC::JSSetIterator::finishCreation):
1744         (JSC::JSSetIterator::visitChildren):
1745         (JSC::JSSetIterator::clone):
1746         * runtime/JSSetIterator.h:
1747         (JSC::JSSetIterator::advanceIter):
1748         (JSC::JSSetIterator::next):
1749         (JSC::JSSetIterator::JSSetIterator):
1750         (JSC::JSSetIterator::setIterator):
1751         (JSC::JSSetIterator::finish): Deleted.
1752         (JSC::JSSetIterator::iteratorData): Deleted.
1753         * runtime/JSType.h:
1754         * runtime/MapBase.cpp: Added.
1755         (JSC::MapBase<HashMapBucketType>::visitChildren):
1756         (JSC::MapBase<HashMapBucketType>::estimatedSize):
1757         * runtime/MapBase.h: Added.
1758         (JSC::MapBase::size):
1759         (JSC::MapBase::has):
1760         (JSC::MapBase::clear):
1761         (JSC::MapBase::remove):
1762         (JSC::MapBase::findBucket):
1763         (JSC::MapBase::offsetOfHashMapImpl):
1764         (JSC::MapBase::impl):
1765         (JSC::MapBase::finishCreation):
1766         (JSC::MapBase::MapBase):
1767         * runtime/MapConstructor.cpp:
1768         (JSC::constructMap):
1769         * runtime/MapIteratorPrototype.cpp:
1770         (JSC::MapIteratorPrototypeFuncNext):
1771         * runtime/MapPrototype.cpp:
1772         (JSC::MapPrototype::finishCreation):
1773         (JSC::getMap):
1774         (JSC::privateFuncIsMap):
1775         (JSC::privateFuncMapIteratorNext):
1776         * runtime/PropertyDescriptor.cpp:
1777         (JSC::sameValue): Deleted.
1778         * runtime/PropertyDescriptor.h:
1779         * runtime/SetConstructor.cpp:
1780         (JSC::constructSet):
1781         * runtime/SetIteratorPrototype.cpp:
1782         (JSC::SetIteratorPrototypeFuncNext):
1783         * runtime/SetPrototype.cpp:
1784         (JSC::SetPrototype::finishCreation):
1785         (JSC::getSet):
1786         (JSC::privateFuncSetIteratorNext):
1787         * runtime/VM.cpp:
1788         (JSC::VM::VM):
1789         * runtime/VM.h:
1790
1791 2016-09-06  Benjamin Poulain  <bpoulain@apple.com>
1792
1793         [JSC] Make ArithClz32 work with Cell arguments
1794         https://bugs.webkit.org/show_bug.cgi?id=161369
1795
1796         Reviewed by Geoffrey Garen.
1797
1798         ArithClz32 was already working with all primitive types
1799         thanks to the magic of ValueToInt32.
1800         This patch adds support for cell arguments through a function
1801         call.
1802
1803         * dfg/DFGAbstractInterpreterInlines.h:
1804         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1805         * dfg/DFGClobberize.h:
1806         (JSC::DFG::clobberize):
1807         * dfg/DFGFixupPhase.cpp:
1808         (JSC::DFG::FixupPhase::fixupNode):
1809         * dfg/DFGNodeType.h:
1810         * dfg/DFGOperations.cpp:
1811         * dfg/DFGOperations.h:
1812         * dfg/DFGSpeculativeJIT.cpp:
1813         (JSC::DFG::SpeculativeJIT::compileArithClz32):
1814         * dfg/DFGSpeculativeJIT.h:
1815         (JSC::DFG::SpeculativeJIT::callOperation):
1816         * ftl/FTLLowerDFGToB3.cpp:
1817         (JSC::FTL::DFG::LowerDFGToB3::compileArithClz32):
1818
1819 2016-09-06  Mark Lam  <mark.lam@apple.com>
1820
1821         Gardening: change to use old header guard to appease Win EWS.
1822
1823         Not reviewed.
1824
1825         * runtime/AuxiliaryBarrier.h:
1826
1827 2016-09-06  Commit Queue  <commit-queue@webkit.org>
1828
1829         Unreviewed, rolling out r205494.
1830         https://bugs.webkit.org/show_bug.cgi?id=161646
1831
1832         This change broke the Windows build (Requested by ryanhaddad
1833         on #webkit).
1834
1835         Reverted changeset:
1836
1837         "Typed arrays should use MarkedSpace instead of CopiedSpace"
1838         https://bugs.webkit.org/show_bug.cgi?id=161100
1839         http://trac.webkit.org/changeset/205494
1840
1841 2016-09-06  Commit Queue  <commit-queue@webkit.org>
1842
1843         Unreviewed, rolling out r205504.
1844         https://bugs.webkit.org/show_bug.cgi?id=161645
1845
1846         Broke the iOS device build (Requested by ryanhaddad on
1847         #webkit).
1848
1849         Reverted changeset:
1850
1851         "Make JSMap and JSSet faster"
1852         https://bugs.webkit.org/show_bug.cgi?id=160989
1853         http://trac.webkit.org/changeset/205504
1854
1855 2016-09-06  Saam Barati  <sbarati@apple.com>
1856
1857         Make JSMap and JSSet faster
1858         https://bugs.webkit.org/show_bug.cgi?id=160989
1859
1860         Reviewed by Filip Pizlo.
1861
1862         This patch revamps how we implement Map and Set. It uses
1863         a new hash map implementation. The hash map uses linear
1864         probing and it uses Wang's 64 bit hash function for JSValues
1865         that aren't strings. Strings use StringImpl's hash function.
1866         The reason I wanted to roll our own HashTable is twofold:
1867         I didn't want to inline WTF::HashMap's implementation into our
1868         JIT, since that seems error prone and unmaintainable. Also, I wanted
1869         a different structure for hash map buckets where buckets also exist in
1870         a linked list.
1871
1872         The reason for making buckets part of a linked list is that iteration
1873         is now simple. Iteration works by just traversing a linked list.
1874         This design also allows for a simple implementation when doing iteration
1875         while the hash table is mutating. Whenever we remove a bucket from
1876         the hash table, it is removed from the list, meaning items in the
1877         list don't point to it. However, the removed bucket will still point
1878         to things that are either in the list, or have also been removed.
1879         e.g, from a removed bucket, you can always follow pointers until you
1880         either find an item in the list, or you find the tail of the list.
1881         This is a really nice property because it means that a Map or Set
1882         does not need to reason about the all the iterators that point
1883         into its list. Also, whenever we add items to the Map or Set, we
1884         hijack the tail as the new item, and make the new item point to a newly
1885         created tail. This means that any iterator that pointed to the "tail" now
1886         points to non-tail items. This makes the implementation of adding things
1887         to the Map/Set while iterating easy.
1888
1889         I also made Map.prototype.get, Map.prototype.has, and Set.prototype.has
1890         into intrinsics in the DFG. The IR can now reason about hash map
1891         operations and can even do CSE over Wang's hash function, hash map
1892         bucket lookups, hash map bucket loads, and testing if a key is in
1893         the hash table. This makes code patterns for Map like so, super fast
1894         in the FTL, since we will only be doing a single hash and hash bucket lookup:
1895
1896         ```
1897         function getKeyIfPresent(map, key) {
1898             if (map.has(key))
1899                 return map.get(key);
1900         }
1901         ```
1902
1903         This patch is roughly an 8% speedup on ES6SampleBench.
1904
1905         * CMakeLists.txt:
1906         * JavaScriptCore.xcodeproj/project.pbxproj:
1907         * bytecode/SpeculatedType.cpp:
1908         (JSC::speculationFromClassInfo):
1909         * bytecode/SpeculatedType.h:
1910         * dfg/DFGAbstractInterpreterInlines.h:
1911         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1912         (JSC::DFG::AbstractInterpreter<AbstractStateType>::execute):
1913         * dfg/DFGByteCodeParser.cpp:
1914         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1915         * dfg/DFGClobberize.h:
1916         (JSC::DFG::clobberize):
1917         * dfg/DFGDoesGC.cpp:
1918         (JSC::DFG::doesGC):
1919         * dfg/DFGEdge.h:
1920         (JSC::DFG::Edge::shift):
1921         (JSC::DFG::Edge::makeWord):
1922         * dfg/DFGFixupPhase.cpp:
1923         (JSC::DFG::FixupPhase::fixupNode):
1924         * dfg/DFGHeapLocation.cpp:
1925         (WTF::printInternal):
1926         * dfg/DFGHeapLocation.h:
1927         * dfg/DFGNode.h:
1928         (JSC::DFG::Node::hasHeapPrediction):
1929         * dfg/DFGNodeType.h:
1930         * dfg/DFGOperations.cpp:
1931         * dfg/DFGOperations.h:
1932         * dfg/DFGPredictionPropagationPhase.cpp:
1933         * dfg/DFGSafeToExecute.h:
1934         (JSC::DFG::SafeToExecuteEdge::operator()):
1935         (JSC::DFG::safeToExecute):
1936         * dfg/DFGSpeculativeJIT.cpp:
1937         (JSC::DFG::SpeculativeJIT::speculateMapObject):
1938         (JSC::DFG::SpeculativeJIT::speculateSetObject):
1939         (JSC::DFG::SpeculativeJIT::speculate):
1940         * dfg/DFGSpeculativeJIT.h:
1941         (JSC::DFG::SpeculativeJIT::callOperation):
1942         * dfg/DFGSpeculativeJIT32_64.cpp:
1943         (JSC::DFG::SpeculativeJIT::compile):
1944         * dfg/DFGSpeculativeJIT64.cpp:
1945         (JSC::DFG::SpeculativeJIT::compile):
1946         * dfg/DFGUseKind.cpp:
1947         (WTF::printInternal):
1948         * dfg/DFGUseKind.h:
1949         (JSC::DFG::typeFilterFor):
1950         (JSC::DFG::isCell):
1951         * ftl/FTLAbstractHeapRepository.h:
1952         * ftl/FTLCapabilities.cpp:
1953         (JSC::FTL::canCompile):
1954         * ftl/FTLLowerDFGToB3.cpp:
1955         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1956         (JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
1957         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
1958         (JSC::FTL::DFG::LowerDFGToB3::compileLoadFromJSMapBucket):
1959         (JSC::FTL::DFG::LowerDFGToB3::compileIsNonEmptyMapBucket):
1960         (JSC::FTL::DFG::LowerDFGToB3::lowMapObject):
1961         (JSC::FTL::DFG::LowerDFGToB3::lowSetObject):
1962         (JSC::FTL::DFG::LowerDFGToB3::lowMapBucket):
1963         (JSC::FTL::DFG::LowerDFGToB3::speculate):
1964         (JSC::FTL::DFG::LowerDFGToB3::speculateMapObject):
1965         (JSC::FTL::DFG::LowerDFGToB3::speculateSetObject):
1966         (JSC::FTL::DFG::LowerDFGToB3::setMapBucket):
1967         (JSC::FTL::DFG::LowerDFGToB3::lowRegExpObject): Deleted.
1968         (JSC::FTL::DFG::LowerDFGToB3::lowStorage): Deleted.
1969         (JSC::FTL::DFG::LowerDFGToB3::speculateRegExpObject): Deleted.
1970         (JSC::FTL::DFG::LowerDFGToB3::setStorage): Deleted.
1971         * jit/AssemblyHelpers.cpp:
1972         (JSC::AssemblyHelpers::wangsInt64Hash):
1973         * jit/AssemblyHelpers.h:
1974         (JSC::AssemblyHelpers::emitAllocateDestructibleObject): Deleted.
1975         * jit/JITOperations.h:
1976         * parser/ModuleAnalyzer.cpp:
1977         (JSC::ModuleAnalyzer::ModuleAnalyzer):
1978         * runtime/HashMapImpl.cpp: Added.
1979         (JSC::HashMapBucket<Data>::visitChildren):
1980         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
1981         (JSC::HashMapImpl<HashMapBucket>::copyBackingStore):
1982         * runtime/HashMapImpl.h: Added.
1983         (JSC::HashMapBucket::selectStructure):
1984         (JSC::HashMapBucket::createStructure):
1985         (JSC::HashMapBucket::create):
1986         (JSC::HashMapBucket::HashMapBucket):
1987         (JSC::HashMapBucket::setNext):
1988         (JSC::HashMapBucket::setPrev):
1989         (JSC::HashMapBucket::setKey):
1990         (JSC::HashMapBucket::setValue):
1991         (JSC::HashMapBucket::key):
1992         (JSC::HashMapBucket::value):
1993         (JSC::HashMapBucket::next):
1994         (JSC::HashMapBucket::prev):
1995         (JSC::HashMapBucket::deleted):
1996         (JSC::HashMapBucket::setDeleted):
1997         (JSC::HashMapBucket::offsetOfKey):
1998         (JSC::HashMapBucket::offsetOfValue):
1999         (JSC::HashMapBuffer::allocationSize):
2000         (JSC::HashMapBuffer::buffer):
2001         (JSC::HashMapBuffer::create):
2002         (JSC::areKeysEqual):
2003         (JSC::normalizeMapKey):
2004         (JSC::jsMapHash):
2005         (JSC::HashMapImpl::selectStructure):
2006         (JSC::HashMapImpl::createStructure):
2007         (JSC::HashMapImpl::create):
2008         (JSC::HashMapImpl::HashMapImpl):
2009         (JSC::HashMapImpl::buffer):
2010         (JSC::HashMapImpl::finishCreation):
2011         (JSC::HashMapImpl::emptyValue):
2012         (JSC::HashMapImpl::isEmpty):
2013         (JSC::HashMapImpl::deletedValue):
2014         (JSC::HashMapImpl::isDeleted):
2015         (JSC::HashMapImpl::findBucket):
2016         (JSC::HashMapImpl::get):
2017         (JSC::HashMapImpl::has):
2018         (JSC::HashMapImpl::add):
2019         (JSC::HashMapImpl::remove):
2020         (JSC::HashMapImpl::size):
2021         (JSC::HashMapImpl::clear):
2022         (JSC::HashMapImpl::bufferSizeInBytes):
2023         (JSC::HashMapImpl::offsetOfBuffer):
2024         (JSC::HashMapImpl::offsetOfCapacity):
2025         (JSC::HashMapImpl::head):
2026         (JSC::HashMapImpl::tail):
2027         (JSC::HashMapImpl::approximateSize):
2028         (JSC::HashMapImpl::findBucketAlreadyHashedAndNormalized):
2029         (JSC::HashMapImpl::rehash):
2030         (JSC::HashMapImpl::makeAndSetNewBuffer):
2031         * runtime/Intrinsic.h:
2032         * runtime/JSCJSValue.h:
2033         * runtime/JSCJSValueInlines.h:
2034         (JSC::sameValue):
2035         * runtime/JSGlobalObject.cpp:
2036         (JSC::JSGlobalObject::init):
2037         * runtime/JSMap.cpp:
2038         (JSC::JSMap::destroy): Deleted.
2039         (JSC::JSMap::estimatedSize): Deleted.
2040         (JSC::JSMap::visitChildren): Deleted.
2041         (JSC::JSMap::copyBackingStore): Deleted.
2042         (JSC::JSMap::has): Deleted.
2043         (JSC::JSMap::size): Deleted.
2044         (JSC::JSMap::get): Deleted.
2045         (JSC::JSMap::set): Deleted.
2046         (JSC::JSMap::clear): Deleted.
2047         (JSC::JSMap::remove): Deleted.
2048         * runtime/JSMap.h:
2049         (JSC::JSMap::createStructure):
2050         (JSC::JSMap::create):
2051         (JSC::JSMap::get):
2052         (JSC::JSMap::set):
2053         (JSC::JSMap::JSMap):
2054         (JSC::JSMap::Entry::key): Deleted.
2055         (JSC::JSMap::Entry::value): Deleted.
2056         (JSC::JSMap::Entry::visitChildren): Deleted.
2057         (JSC::JSMap::Entry::setKey): Deleted.
2058         (JSC::JSMap::Entry::setKeyWithoutWriteBarrier): Deleted.
2059         (JSC::JSMap::Entry::setValue): Deleted.
2060         (JSC::JSMap::Entry::clear): Deleted.
2061         * runtime/JSMapIterator.cpp:
2062         (JSC::JSMapIterator::finishCreation):
2063         (JSC::JSMapIterator::visitChildren):
2064         (JSC::JSMapIterator::clone):
2065         * runtime/JSMapIterator.h:
2066         (JSC::JSMapIterator::advanceIter):
2067         (JSC::JSMapIterator::next):
2068         (JSC::JSMapIterator::nextKeyValue):
2069         (JSC::JSMapIterator::JSMapIterator):
2070         (JSC::JSMapIterator::setIterator):
2071         (JSC::JSMapIterator::finish): Deleted.
2072         (JSC::JSMapIterator::iteratorData): Deleted.
2073         * runtime/JSModuleLoader.cpp:
2074         (JSC::JSModuleLoader::finishCreation):
2075         * runtime/JSModuleLoader.h:
2076         (JSC::JSModuleLoader::create):
2077         * runtime/JSModuleRecord.cpp:
2078         (JSC::JSModuleRecord::finishCreation):
2079         * runtime/JSModuleRecord.h:
2080         (JSC::JSModuleRecord::create):
2081         * runtime/JSSet.cpp:
2082         (JSC::JSSet::destroy): Deleted.
2083         (JSC::JSSet::estimatedSize): Deleted.
2084         (JSC::JSSet::visitChildren): Deleted.
2085         (JSC::JSSet::copyBackingStore): Deleted.
2086         (JSC::JSSet::has): Deleted.
2087         (JSC::JSSet::size): Deleted.
2088         (JSC::JSSet::add): Deleted.
2089         (JSC::JSSet::clear): Deleted.
2090         (JSC::JSSet::remove): Deleted.
2091         * runtime/JSSet.h:
2092         (JSC::JSSet::createStructure):
2093         (JSC::JSSet::create):
2094         (JSC::JSSet::add):
2095         (JSC::JSSet::JSSet):
2096         (JSC::JSSet::Entry::key): Deleted.
2097         (JSC::JSSet::Entry::value): Deleted.
2098         (JSC::JSSet::Entry::visitChildren): Deleted.
2099         (JSC::JSSet::Entry::setKey): Deleted.
2100         (JSC::JSSet::Entry::setKeyWithoutWriteBarrier): Deleted.
2101         (JSC::JSSet::Entry::setValue): Deleted.
2102         (JSC::JSSet::Entry::clear): Deleted.
2103         * runtime/JSSetIterator.cpp:
2104         (JSC::JSSetIterator::finishCreation):
2105         (JSC::JSSetIterator::visitChildren):
2106         (JSC::JSSetIterator::clone):
2107         * runtime/JSSetIterator.h:
2108         (JSC::JSSetIterator::advanceIter):
2109         (JSC::JSSetIterator::next):
2110         (JSC::JSSetIterator::JSSetIterator):
2111         (JSC::JSSetIterator::setIterator):
2112         (JSC::JSSetIterator::finish): Deleted.
2113         (JSC::JSSetIterator::iteratorData): Deleted.
2114         * runtime/JSType.h:
2115         * runtime/MapBase.cpp: Added.
2116         (JSC::MapBase<HashMapBucketType>::visitChildren):
2117         (JSC::MapBase<HashMapBucketType>::estimatedSize):
2118         * runtime/MapBase.h: Added.
2119         (JSC::MapBase::size):
2120         (JSC::MapBase::has):
2121         (JSC::MapBase::clear):
2122         (JSC::MapBase::remove):
2123         (JSC::MapBase::findBucket):
2124         (JSC::MapBase::offsetOfHashMapImpl):
2125         (JSC::MapBase::impl):
2126         (JSC::MapBase::finishCreation):
2127         (JSC::MapBase::MapBase):
2128         * runtime/MapConstructor.cpp:
2129         (JSC::constructMap):
2130         * runtime/MapIteratorPrototype.cpp:
2131         (JSC::MapIteratorPrototypeFuncNext):
2132         * runtime/MapPrototype.cpp:
2133         (JSC::MapPrototype::finishCreation):
2134         (JSC::getMap):
2135         (JSC::privateFuncIsMap):
2136         (JSC::privateFuncMapIteratorNext):
2137         * runtime/PropertyDescriptor.cpp:
2138         (JSC::sameValue): Deleted.
2139         * runtime/PropertyDescriptor.h:
2140         * runtime/SetConstructor.cpp:
2141         (JSC::constructSet):
2142         * runtime/SetIteratorPrototype.cpp:
2143         (JSC::SetIteratorPrototypeFuncNext):
2144         * runtime/SetPrototype.cpp:
2145         (JSC::SetPrototype::finishCreation):
2146         (JSC::getSet):
2147         (JSC::privateFuncSetIteratorNext):
2148         * runtime/VM.cpp:
2149         (JSC::VM::VM):
2150         * runtime/VM.h:
2151
2152 2016-09-06  Filip Pizlo  <fpizlo@apple.com>
2153
2154         Typed arrays should use MarkedSpace instead of CopiedSpace
2155         https://bugs.webkit.org/show_bug.cgi?id=161100
2156
2157         Reviewed by Geoffrey Garen.
2158         
2159         This moves typed array backing stores out of CopiedSpace and into Auxiliary MarkedSpace.
2160         
2161         This is a purely mechanical change since Auxiliary MarkedSpace already knows how to do
2162         everything that typed arrays want.
2163
2164         * dfg/DFGOperations.cpp:
2165         (JSC::DFG::newTypedArrayWithSize):
2166         * dfg/DFGOperations.h:
2167         (JSC::DFG::operationNewTypedArrayWithSizeForType):
2168         * dfg/DFGSpeculativeJIT.cpp:
2169         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
2170         * dfg/DFGSpeculativeJIT.h:
2171         (JSC::DFG::SpeculativeJIT::callOperation):
2172         (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage): Deleted.
2173         * ftl/FTLLowerDFGToB3.cpp:
2174         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
2175         (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
2176         (JSC::FTL::DFG::LowerDFGToB3::splatWords):
2177         (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorageAndGetEnd): Deleted.
2178         (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorage): Deleted.
2179         * heap/CopyToken.h:
2180         * heap/SlotVisitor.cpp:
2181         (JSC::SlotVisitor::markAuxiliary):
2182         * jit/JITOperations.h:
2183         * runtime/JSArrayBufferView.cpp:
2184         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
2185         (JSC::JSArrayBufferView::JSArrayBufferView):
2186         * runtime/JSArrayBufferView.h:
2187         * runtime/JSGenericTypedArrayView.h:
2188         * runtime/JSGenericTypedArrayViewInlines.h:
2189         (JSC::JSGenericTypedArrayView<Adaptor>::createWithFastVector):
2190         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
2191         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
2192         (JSC::JSGenericTypedArrayView<Adaptor>::copyBackingStore): Deleted.
2193
2194 2016-09-06  Michael Catanzaro  <mcatanzaro@igalia.com>
2195
2196         Silence GCC warning spam introduced in r205462
2197
2198         Rubber-stamped by Filip Pizlo.
2199
2200         * bytecode/Opcode.h:
2201         (JSC::padOpcodeName):
2202
2203 2016-09-05  Filip Pizlo  <fpizlo@apple.com>
2204
2205         Heap::isMarked() should use concurrent lazy flipping
2206         https://bugs.webkit.org/show_bug.cgi?id=161613
2207
2208         Reviewed by Michael Catanzaro.
2209         
2210         I found out about this race condition via
2211         https://bugs.webkit.org/show_bug.cgi?id=160125#c233.
2212         
2213         The problem is that we use isMarked, and maybe even isLive, inside the concurrent mark
2214         phase. So, they need to lazy-flip in a non-racy way.
2215
2216         * heap/HeapInlines.h:
2217         (JSC::Heap::isLive):
2218         (JSC::Heap::isMarked):
2219
2220 2016-09-05  Filip Pizlo  <fpizlo@apple.com>
2221
2222         Unreviewed, reset generator test results after the butterflies.
2223
2224         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
2225         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
2226         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
2227         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
2228         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
2229         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
2230         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
2231         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
2232         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
2233         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
2234         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
2235         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
2236         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
2237         * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
2238
2239 2016-09-05  Filip Pizlo  <fpizlo@apple.com>
2240
2241         Unreviewed, fix cloop build.
2242
2243         * bytecode/SuperSampler.cpp:
2244
2245 2016-08-31  Filip Pizlo  <fpizlo@apple.com>
2246
2247         Butterflies should be allocated in Auxiliary MarkedSpace instead of CopiedSpace and we should rewrite as much of the GC as needed to make this not a regression
2248         https://bugs.webkit.org/show_bug.cgi?id=160125
2249
2250         Reviewed by Geoffrey Garen and Keith Miller.
2251
2252         In order to make the GC concurrent (bug 149432), we would either need to enable concurrent
2253         copying or we would need to not copy. Concurrent copying carries a 1-2% throughput overhead
2254         from the barriers alone. Considering that MarkedSpace does a decent job of avoiding
2255         fragmentation, it's unlikely that it's worth paying 1-2% throughput for copying. So, we want
2256         to get rid of copied space. This change moves copied space's biggest client over to marked
2257         space.
2258         
2259         Moving butterflies to marked space means having them use the new Auxiliary HeapCell
2260         allocation path. This is a fairly mechanical change, but it caused performance regressions
2261         everywhere, so this change also fixes MarkedSpace's performance issues.
2262         
2263         At a high level the mechanical changes are:
2264         
2265         - We use AuxiliaryBarrier instead of CopyBarrier.
2266         
2267         - We use tryAllocateAuxiliary instead of tryAllocateStorage. I got rid of the silly
2268           CheckedBoolean stuff, since it's so much more trouble than it's worth.
2269         
2270         - The JITs have to emit inlined marked space allocations instead of inline copy space
2271           allocations.
2272         
2273         - Everyone has to get used to zeroing their butterflies after allocation instead of relying
2274           on them being pre-zeroed by the GC. Copied space would zero things for you, while marked
2275           space doesn't.
2276         
2277         That's about 1/3 of this change. But this led to performance problems, which I fixed with
2278         optimizations that amounted to a major MarkedSpace rewrite:
2279         
2280         - MarkedSpace always causes internal fragmentation for array allocations because the vector
2281           length we choose when we resize usually leads to a cell size that doesn't correspond to any
2282           size class. I got around this by making array allocations usually round up vectorLength to
2283           the maximum allowed by the size class that we would have allocated in. Also,
2284           ensureLengthSlow() and friends first make sure that the requested length can't just be
2285           fulfilled with the current allocation size. This safeguard means that not every array
2286           allocation has to do size class queries. For example, the fast path of new Array(length)
2287           never does any size class queries, under the assumption that (1) the speed gained from
2288           avoiding an ensureLengthSlow() call, which then just changes the vectorLength by doing the
2289           size class query, is too small to offset the speed lost by doing the query on every
2290           allocation and (2) new Array(length) is a pretty good hint that resizing is not very
2291           likely.
2292         
2293         - Size classes in MarkedSpace were way too precise, which led to external fragmentation. This
2294           changes MarkedSpace size classes to use a linear progression for very small sizes followed
2295           by a geometric progression that naturally transitions to a hyperbolic progression. We want
2296           hyperbolic sizes when we get close to blockSize: for example the largest size we want is
2297           payloadSize / 2 rounded down, to ensure we get exactly two cells with minimal slop. The
2298           next size down should be payloadSize / 3 rounded down, and so on. After the last precise
2299           size (80 bytes), we proceed using a geometric progression, but round up each size to
2300           minimize slop at the end of the block. This naturally causes the geometric progression to
2301           turn hyperbolic for large sizes. The size class configuration happens at VM start-up, so
2302           it can be controlled with runtime options. I found that a base of 1.4 works pretty well.
2303         
2304         - Large allocations caused massive internal fragmentation, since the smallest large
2305           allocation had to use exactly blockSize, and the largest small allocation used
2306           blockSize / 2. The next size up - the first large allocation size to require two blocks -
2307           also had 50% internal fragmentation. This is because we required large allocations to be
2308           blockSize aligned, so that MarkedBlock::blockFor() would work. I decided to rewrite all of
2309           that. Cells no longer have to be owned by a MarkedBlock. They can now alternatively be
2310           owned by a LargeAllocation. These two things are abstracted as CellContainer. You know that
2311           a cell is owned by a LargeAllocation if the MarkedBlock::atomSize / 2 bit is set.
2312           Basically, large allocations are deliberately misaligned by 8 bytes. This actually works
2313           out great since (1) typed arrays won't use large allocations anyway since they have their
2314           own malloc fallback and (2) large array butterflies already have a 8 byte header, which
2315           means that the 8 byte base misalignment aligns the large array payload on a 16 byte
2316           boundary. I took extreme care to make sure that the isLargeAllocation bit checks are as
2317           rare as possible; for example, ExecState::vm() skips the check because we know that callees
2318           must be small allocations. It's also possible to use template tricks to do one check for
2319           cell container kind, and then invoke a function specialized for MarkedBlock or a function
2320           specialized for LargeAllocation. LargeAllocation includes stubs for all MarkedBlock methods
2321           that get used from functions that are template-specialized like this. That's mostly to
2322           speed up the GC marking code. Most other code can use CellContainer API or HeapCell API
2323           directly. That's another thing: HeapCell, the common base of JSCell and auxiliary
2324           allocations, is now smart enough to do a lot of things for you, like HeapCell::vm(),
2325           HeapCell::heap(), HeapCell::isLargeAllocation(), and HeapCell::cellContainer(). The size
2326           cutoff for large allocations is runtime-configurable, so long as you don't choose something
2327           so small that callees end up large. I found that 400 bytes is roughly optimal. This means
2328           that the MarkedBlock size classes end up being:
2329           
2330           16, 32, 48, 64, 80, 112, 160, 224, 320
2331           
2332           The next size class would have been 432, but that's above the 400 byte cutoff. All of this
2333           is configurable with --sizeClassProgression and --largeAllocationCutoff. You can see what
2334           size classes you end up with by doing --dumpSizeClasses=true.
2335         
2336         - Copied space uses 64KB blocks, while marked space used to use 16KB blocks. Allocating a lot
2337           of stuff in 16KB blocks was slower than allocating it in 64KB blocks because the GC had a
2338           lot of per-block overhead. I removed this overhead: It's now 2x faster to scan all
2339           MarkedBlocks because the list that contains the interesting meta-data is allocated on the
2340           side, for better locality during a sequential walk. It's no longer necessary to scan
2341           MarkedBlocks to find WeakSets, since the sets of WeakSets for eden scan and full scan are
2342           maintained on-the-fly. It's no longer necessary to scan all MarkedBlocks to clear mark
2343           bits because we now use versioned mark bits: to clear then, just increment the 64-bit
2344           heap version. It's no longer necessary to scan retired MarkedBlocks while allocating
2345           because marking retires them on-the-fly. It's no longer necessary to sort all blocks in
2346           the IncrementalSweeper's snapshot because blocks now know if they are in the snapshot. Put
2347           together, these optimizations allowed me to reduce block size to 16KB without losing much
2348           performance. There is some small perf loss on JetStream/splay, but not enough to hurt
2349           JetStream overall. I tried reducing block sizes further, to 4KB, since that is a
2350           progression on membuster. That's not possible yet, since there is still enough per-block
2351           overhead yet that such a reduction hurts JetStream too much. I filed a bug about improving
2352           this further: https://bugs.webkit.org/show_bug.cgi?id=161581.
2353         
2354         - Even after all of that, copying butterflies was still faster because it allowed us to skip
2355           sweeping dead space. A good GC allocates over dead bytes without explicitly freeing them,
2356           so the GC pause is O(size of live), not O(size of live + dead). O(dead) is usually much
2357           larger than O(live), especially in an eden collection. Copying satisfies this premise while
2358           mark+sweep does not. So, I invented a new kind of allocator: bump'n'pop. Previously, our
2359           MarkedSpace allocator was a freelist pop. That's simple and easy to inline but requires
2360           that we walk the block to build a free list. This means walking dead space. The new
2361           allocator allows totally free MarkedBlocks to simply set up a bump-pointer arena instead.
2362           The allocator is a hybrid of bump-pointer and freelist pop. It tries bump first. The bump
2363           pointer always bumps by cellSize, so the result of filling a block with bumping looks as if
2364           we had used freelist popping to fill it. Additionally, each MarkedBlock now has a bit to
2365           quickly tell if the block is entirely free. This makes sweeping O(1) whenever a MarkedBlock
2366           is completely empty, which is the common case because of the generational hypothesis: the
2367           number of objects that survive an eden collection is a tiny fraction of the number of
2368           objects that had been allocated, and this fraction is so small that there are typically
2369           fewer than one survivors per MarkedBlock. This change was enough to make this change a net
2370           win over tip-of-tree.
2371         
2372         - FTL now shares the same allocation fast paths as everything else, which is great, because
2373           bump'n'pop has gnarly control flow. We don't really want B3 to have to think about that
2374           control flow, since it won't be able to improve the machine code we write ourselves. GC
2375           fast paths are best written in assembly. So, I've empowered B3 to have even better support
2376           for Patchpoint terminals. It's now totally fine for a Patchpoint terminal to be non-Void.
2377           So, the new FTL allocation fast paths are just Patchpoint terminals that call through to
2378           AssemblyHelpers::emitAllocate(). B3 still reasons about things like constant-folding the
2379           size class calculation and constant-hoisting the allocator. Also, I gave the FTL the
2380           ability to constant-fold some allocator logic (in case we first assume that we're doing a
2381           variable-length allocation but then realize that the length is known). I think it makes
2382           sense to have constant folding rules in FTL::Output, or whatever the B3 IR builder is,
2383           since this makes lowering easier (you can constant fold during lowering more easily) and it
2384           reduces the amount of malloc traffic. In the future, we could teach B3 how to better
2385           constant-fold this code. That would require allowing loads to be constant-folded, which is
2386           doable but hella tricky.
2387         
2388         - It used to be that if a logical object allocation required two physical allocations (first
2389           the butterfly and then the cell), then the JIT would emit the code in such a way that a
2390           failure in the second fast path would cause us to forget the successful first physical
2391           allocation. This was pointlessly wasteful. It turns out that it's very cheap to devote a
2392           register to storing either the butterfly or null, because the butterfly register is anyway
2393           going to be free inside the first allocation. The only overhead here is zeroing the
2394           butterfly register. With that in place, we can just pass the butterfly-or-null to the slow
2395           path, which can then either allocate a butterfly or not. So now we never waste a successful
2396           allocation. This patch implements such a solution both in DFG (where it's easy to do this
2397           since we control registers already) and in FTL (where it's annoying, because mutable
2398           "butterfly-or-null" variables are hard to say in SSA; also I realized that we had code
2399           duplicated the JSArray allocation utility, so I deduplicated it). This came up because in
2400           one version of this patch, this wastage would resonate with some Kraken benchmark: the
2401           benchmark would always allocate N small things followed by one bigger thing. The problem
2402           was I accidentally adjusted the various fixed overheads in MarkedBlock in such a way that
2403           the JSObject size class, which both the small and big thing shared for their cell, could
2404           hold exactly N cells per MarkedBlock. Then the benchmark would always call slow path when
2405           it allocated the big thing. So, it would end up having to allocate the big thing's large
2406           butterfly twice, every single time! Ouch!
2407         
2408         - It used to be that we zeroed CopiedBlocks using memset, and so array allocations enjoyed
2409           amortization of the cost of zeroing. This doesn't work anymore - it's now up to the client
2410           of the allocator to initialize the object to whatever state they need. It used to be that
2411           we would just use a dumb loop. I initially changed this so that we would end up in memset
2412           for large allocations, but this didn't actually help performance that much. I got a much
2413           better result by playing with different memsets written in assembly. First I wrote one
2414           using non-temporal stores. That was a small speed-up over memset. Then I tried the classic
2415           "rep stos" approach, and holy cow that version was fast. It's a ~20% speed-up on array
2416           allocation microbenchmarks. So, this patch adds code paths to do "rep stos" on x86_64, or
2417           memset, or use a loop, as appropriate, for both "contiguous" arrays (holes are zero) and
2418           double arrays (holes are PNaN). Note that the JIT always emits either a loop or a flat slab
2419           of stores (if the size is known), but those paths in the JIT won't trigger for
2420           NewArrayWithSize() if the size is large, since that takes us to the
2421           operationNewArrayWithSize() slow path, which calls into JSArray::create(). That's why the
2422           optimizations here are all in JSArray::create() - that's the hot place for large arrays
2423           that need to be filled with holes.
2424         
2425         All of this put together gives us neutral perf on JetStream,  membuster, and PLT3, a ~1%
2426         regression on Speedometer, and up to a 4% regression Kraken. The Kraken regression is
2427         because Kraken was allocating exactly 1024 element arrays at a rate of 400MB/sec. This is a
2428         best-case scenario for bump allocation. I think that we should fix bmalloc to make up the
2429         difference, but take the hit for now because it's a crazy corner case. By comparison, the
2430         alternative approach of using a copy barrier would have cost us 1-2%. That's the real
2431         apples-to-apples comparison if your premise is that we should have a concurrent GC. After we
2432         finish removing copied space, we will be barrier-ready for concurrent GC: we already have a
2433         marking barrier and we simply won't need a copying barrier. This change gets us there for
2434         the purposes of our benchmarks, since the remaining clients of copied space are not very
2435         important. On the other hand, if we keep copying, then getting barrier-ready would mean
2436         adding back the copy barrier, which costs more perf.
2437         
2438         We might get bigger speed-ups once we remove CopiedSpace altogether. That requires moving
2439         typed arrays and a few other weird things over to Aux MarkedSpace.
2440         
2441         This also includes some header sanitization. The introduction of AuxiliaryBarrier, HeapCell,
2442         and CellContainer meant that I had to include those files from everywhere. Fortunately,
2443         just including JSCInlines.h (instead of manually including the files that includes) is
2444         usually enough. So, I made most of JSC's cpp files include JSCInlines.h, which is something
2445         that we were already basically doing. In places where JSCInlines.h would be too much, I just
2446         included HeapInlines.h. This got weird, because we previously included HeapInlines.h from
2447         JSObject.h. That's bad because it led to some circular dependencies, so I fixed it - but that
2448         meant having to manually include HeapInlines.h from the places that previously got it
2449         implicitly via JSObject.h. But that led to more problems for some reason: I started getting
2450         build errors because non-JSC files were having trouble including Opcode.h. That's just silly,
2451         since Opcode.h is meant to be an internal JSC header. So, I made it an internal header and
2452         made it impossible to include it from outside JSC. This was a lot of work, but it was
2453         necessary to get the patch to build on all ports. It's also a net win. There were many places
2454         in WebCore that were transitively including a *ton* of JSC headers just because of the
2455         JSObject.h->HeapInlines.h edge and a bunch of dependency edges that arose from some public
2456         (for WebCore) JSC headers needing Interpreter.h or Opcode.h for bad reasons.
2457
2458         * API/JSManagedValue.mm:
2459         (-[JSManagedValue initWithValue:]):
2460         * API/JSTypedArray.cpp:
2461         * API/ObjCCallbackFunction.mm:
2462         * API/tests/testapi.mm:
2463         (testObjectiveCAPI):
2464         (testWeakValue): Deleted.
2465         * CMakeLists.txt:
2466         * JavaScriptCore.xcodeproj/project.pbxproj:
2467         * Scripts/builtins/builtins_generate_combined_implementation.py:
2468         (BuiltinsCombinedImplementationGenerator.generate_secondary_header_includes):
2469         * Scripts/builtins/builtins_generate_internals_wrapper_implementation.py:
2470         (BuiltinsInternalsWrapperImplementationGenerator.generate_secondary_header_includes):
2471         * Scripts/builtins/builtins_generate_separate_implementation.py:
2472         (BuiltinsSeparateImplementationGenerator.generate_secondary_header_includes):
2473         * assembler/AbstractMacroAssembler.h:
2474         (JSC::AbstractMacroAssembler::JumpList::link):
2475         (JSC::AbstractMacroAssembler::JumpList::linkTo):
2476         * assembler/MacroAssembler.h:
2477         * assembler/MacroAssemblerARM64.h:
2478         (JSC::MacroAssemblerARM64::add32):
2479         * assembler/MacroAssemblerCodeRef.cpp: Added.
2480         (JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
2481         (JSC::MacroAssemblerCodePtr::dumpWithName):
2482         (JSC::MacroAssemblerCodePtr::dump):
2483         (JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
2484         (JSC::MacroAssemblerCodeRef::dump):
2485         * assembler/MacroAssemblerCodeRef.h:
2486         (JSC::MacroAssemblerCodePtr::createLLIntCodePtr): Deleted.
2487         (JSC::MacroAssemblerCodePtr::dumpWithName): Deleted.
2488         (JSC::MacroAssemblerCodePtr::dump): Deleted.
2489         (JSC::MacroAssemblerCodeRef::createLLIntCodeRef): Deleted.
2490         (JSC::MacroAssemblerCodeRef::dump): Deleted.
2491         * b3/B3BasicBlock.cpp:
2492         (JSC::B3::BasicBlock::appendBoolConstant):
2493         * b3/B3BasicBlock.h:
2494         * b3/B3DuplicateTails.cpp:
2495         * b3/B3StackmapGenerationParams.h:
2496         * b3/testb3.cpp:
2497         (JSC::B3::testPatchpointTerminalReturnValue):
2498         (JSC::B3::run):
2499         * bindings/ScriptValue.cpp:
2500         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
2501         * bytecode/BytecodeBasicBlock.cpp:
2502         * bytecode/BytecodeLivenessAnalysis.cpp:
2503         * bytecode/BytecodeUseDef.h:
2504         * bytecode/CallLinkInfo.cpp:
2505         (JSC::CallLinkInfo::callTypeFor):
2506         * bytecode/CallLinkInfo.h:
2507         (JSC::CallLinkInfo::callTypeFor): Deleted.
2508         * bytecode/CallLinkStatus.cpp:
2509         * bytecode/CodeBlock.cpp:
2510         (JSC::CodeBlock::finishCreation):
2511         (JSC::CodeBlock::clearLLIntGetByIdCache):
2512         (JSC::CodeBlock::predictedMachineCodeSize):
2513         * bytecode/CodeBlock.h:
2514         (JSC::CodeBlock::jitCodeMap): Deleted.
2515         (JSC::clearLLIntGetByIdCache): Deleted.
2516         * bytecode/ExecutionCounter.h:
2517         * bytecode/Instruction.h:
2518         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
2519         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
2520         * bytecode/ObjectAllocationProfile.h:
2521         (JSC::ObjectAllocationProfile::isNull):
2522         (JSC::ObjectAllocationProfile::initialize):
2523         * bytecode/Opcode.h:
2524         (JSC::padOpcodeName):
2525         * bytecode/PolymorphicAccess.cpp:
2526         (JSC::AccessCase::generateImpl):
2527         (JSC::PolymorphicAccess::regenerate):
2528         * bytecode/PolymorphicAccess.h:
2529         * bytecode/PreciseJumpTargets.cpp:
2530         * bytecode/StructureStubInfo.cpp:
2531         * bytecode/StructureStubInfo.h:
2532         * bytecode/UnlinkedCodeBlock.cpp:
2533         (JSC::UnlinkedCodeBlock::vm): Deleted.
2534         * bytecode/UnlinkedCodeBlock.h:
2535         * bytecode/UnlinkedInstructionStream.cpp:
2536         * bytecode/UnlinkedInstructionStream.h:
2537         * dfg/DFGOperations.cpp:
2538         * dfg/DFGSpeculativeJIT.cpp:
2539         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
2540         (JSC::DFG::SpeculativeJIT::compileMakeRope):
2541         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
2542         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
2543         * dfg/DFGSpeculativeJIT.h:
2544         (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
2545         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
2546         * dfg/DFGSpeculativeJIT32_64.cpp:
2547         (JSC::DFG::SpeculativeJIT::compile):
2548         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
2549         * dfg/DFGSpeculativeJIT64.cpp:
2550         (JSC::DFG::SpeculativeJIT::compile):
2551         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
2552         * dfg/DFGStrengthReductionPhase.cpp:
2553         (JSC::DFG::StrengthReductionPhase::handleNode):
2554         * ftl/FTLAbstractHeapRepository.h:
2555         * ftl/FTLCompile.cpp:
2556         * ftl/FTLJITFinalizer.cpp:
2557         * ftl/FTLLowerDFGToB3.cpp:
2558         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
2559         (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
2560         (JSC::FTL::DFG::LowerDFGToB3::allocateArrayWithSize):
2561         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
2562         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
2563         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
2564         (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
2565         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
2566         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
2567         (JSC::FTL::DFG::LowerDFGToB3::allocateCell):
2568         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
2569         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
2570         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
2571         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
2572         (JSC::FTL::DFG::LowerDFGToB3::compileAllocateArrayWithSize): Deleted.
2573         * ftl/FTLOutput.cpp:
2574         (JSC::FTL::Output::constBool):
2575         (JSC::FTL::Output::add):
2576         (JSC::FTL::Output::shl):
2577         (JSC::FTL::Output::aShr):
2578         (JSC::FTL::Output::lShr):
2579         (JSC::FTL::Output::zeroExt):
2580         (JSC::FTL::Output::equal):
2581         (JSC::FTL::Output::notEqual):
2582         (JSC::FTL::Output::above):
2583         (JSC::FTL::Output::aboveOrEqual):
2584         (JSC::FTL::Output::below):
2585         (JSC::FTL::Output::belowOrEqual):
2586         (JSC::FTL::Output::greaterThan):
2587         (JSC::FTL::Output::greaterThanOrEqual):
2588         (JSC::FTL::Output::lessThan):
2589         (JSC::FTL::Output::lessThanOrEqual):
2590         (JSC::FTL::Output::select):
2591         (JSC::FTL::Output::appendSuccessor):
2592         (JSC::FTL::Output::addIncomingToPhi):
2593         * ftl/FTLOutput.h:
2594         * ftl/FTLValueFromBlock.h:
2595         (JSC::FTL::ValueFromBlock::operator bool):
2596         (JSC::FTL::ValueFromBlock::ValueFromBlock): Deleted.
2597         * ftl/FTLWeightedTarget.h:
2598         (JSC::FTL::WeightedTarget::frequentedBlock):
2599         * heap/CellContainer.h: Added.
2600         (JSC::CellContainer::CellContainer):
2601         (JSC::CellContainer::operator bool):
2602         (JSC::CellContainer::isMarkedBlock):
2603         (JSC::CellContainer::isLargeAllocation):
2604         (JSC::CellContainer::markedBlock):
2605         (JSC::CellContainer::largeAllocation):
2606         * heap/CellContainerInlines.h: Added.
2607         (JSC::CellContainer::isMarked):
2608         (JSC::CellContainer::isMarkedOrNewlyAllocated):
2609         (JSC::CellContainer::noteMarked):
2610         (JSC::CellContainer::cellSize):
2611         (JSC::CellContainer::weakSet):
2612         (JSC::CellContainer::flipIfNecessary):
2613         * heap/ConservativeRoots.cpp:
2614         (JSC::ConservativeRoots::ConservativeRoots):
2615         (JSC::ConservativeRoots::~ConservativeRoots):
2616         (JSC::ConservativeRoots::grow):
2617         (JSC::ConservativeRoots::genericAddPointer):
2618         (JSC::ConservativeRoots::genericAddSpan):
2619         * heap/ConservativeRoots.h:
2620         (JSC::ConservativeRoots::roots):
2621         * heap/CopyToken.h:
2622         * heap/FreeList.cpp: Added.
2623         (JSC::FreeList::dump):
2624         * heap/FreeList.h: Added.
2625         (JSC::FreeList::FreeList):
2626         (JSC::FreeList::list):
2627         (JSC::FreeList::bump):
2628         (JSC::FreeList::operator==):
2629         (JSC::FreeList::operator!=):
2630         (JSC::FreeList::operator bool):
2631         (JSC::FreeList::allocationWillFail):
2632         (JSC::FreeList::allocationWillSucceed):
2633         * heap/GCTypeMap.h: Added.
2634         (JSC::GCTypeMap::operator[]):
2635         * heap/Heap.cpp:
2636         (JSC::Heap::Heap):
2637         (JSC::Heap::lastChanceToFinalize):
2638         (JSC::Heap::finalizeUnconditionalFinalizers):
2639         (JSC::Heap::markRoots):
2640         (JSC::Heap::copyBackingStores):
2641         (JSC::Heap::gatherStackRoots):
2642         (JSC::Heap::gatherJSStackRoots):
2643         (JSC::Heap::gatherScratchBufferRoots):
2644         (JSC::Heap::clearLivenessData):
2645         (JSC::Heap::visitSmallStrings):
2646         (JSC::Heap::visitConservativeRoots):
2647         (JSC::Heap::removeDeadCompilerWorklistEntries):
2648         (JSC::Heap::gatherExtraHeapSnapshotData):
2649         (JSC::Heap::removeDeadHeapSnapshotNodes):
2650         (JSC::Heap::visitProtectedObjects):
2651         (JSC::Heap::visitArgumentBuffers):
2652         (JSC::Heap::visitException):
2653         (JSC::Heap::visitStrongHandles):
2654         (JSC::Heap::visitHandleStack):
2655         (JSC::Heap::visitSamplingProfiler):
2656         (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
2657         (JSC::Heap::converge):
2658         (JSC::Heap::visitWeakHandles):
2659         (JSC::Heap::updateObjectCounts):
2660         (JSC::Heap::clearUnmarkedExecutables):
2661         (JSC::Heap::deleteUnmarkedCompiledCode):
2662         (JSC::Heap::collectAllGarbage):
2663         (JSC::Heap::collect):
2664         (JSC::Heap::collectWithoutAnySweep):
2665         (JSC::Heap::collectImpl):
2666         (JSC::Heap::suspendCompilerThreads):
2667         (JSC::Heap::willStartCollection):
2668         (JSC::Heap::flushOldStructureIDTables):
2669         (JSC::Heap::flushWriteBarrierBuffer):
2670         (JSC::Heap::stopAllocation):
2671         (JSC::Heap::prepareForMarking):
2672         (JSC::Heap::reapWeakHandles):
2673         (JSC::Heap::pruneStaleEntriesFromWeakGCMaps):
2674         (JSC::Heap::sweepArrayBuffers):
2675         (JSC::MarkedBlockSnapshotFunctor::MarkedBlockSnapshotFunctor):
2676         (JSC::MarkedBlockSnapshotFunctor::operator()):
2677         (JSC::Heap::snapshotMarkedSpace):
2678         (JSC::Heap::deleteSourceProviderCaches):
2679         (JSC::Heap::notifyIncrementalSweeper):
2680         (JSC::Heap::writeBarrierCurrentlyExecutingCodeBlocks):
2681         (JSC::Heap::resetAllocators):
2682         (JSC::Heap::updateAllocationLimits):
2683         (JSC::Heap::didFinishCollection):
2684         (JSC::Heap::resumeCompilerThreads):
2685         (JSC::Zombify::visit):
2686         (JSC::Heap::forEachCodeBlockImpl):
2687         * heap/Heap.h:
2688         (JSC::Heap::allocatorForObjectWithoutDestructor):
2689         (JSC::Heap::allocatorForObjectWithDestructor):
2690         (JSC::Heap::allocatorForAuxiliaryData):
2691         (JSC::Heap::jitStubRoutines):
2692         (JSC::Heap::codeBlockSet):
2693         (JSC::Heap::storageAllocator): Deleted.
2694         * heap/HeapCell.h:
2695         (JSC::HeapCell::isZapped): Deleted.
2696         * heap/HeapCellInlines.h: Added.
2697         (JSC::HeapCell::isLargeAllocation):
2698         (JSC::HeapCell::cellContainer):
2699         (JSC::HeapCell::markedBlock):
2700         (JSC::HeapCell::largeAllocation):
2701         (JSC::HeapCell::heap):
2702         (JSC::HeapCell::vm):
2703         (JSC::HeapCell::cellSize):
2704         (JSC::HeapCell::allocatorAttributes):
2705         (JSC::HeapCell::destructionMode):
2706         (JSC::HeapCell::cellKind):
2707         * heap/HeapInlines.h:
2708         (JSC::Heap::heap):
2709         (JSC::Heap::isLive):
2710         (JSC::Heap::isMarked):
2711         (JSC::Heap::testAndSetMarked):
2712         (JSC::Heap::setMarked):
2713         (JSC::Heap::cellSize):
2714         (JSC::Heap::forEachCodeBlock):
2715         (JSC::Heap::allocateObjectOfType):
2716         (JSC::Heap::subspaceForObjectOfType):
2717         (JSC::Heap::allocatorForObjectOfType):
2718         (JSC::Heap::allocateAuxiliary):
2719         (JSC::Heap::tryAllocateAuxiliary):
2720         (JSC::Heap::tryReallocateAuxiliary):
2721         (JSC::Heap::isPointerGCObject): Deleted.
2722         (JSC::Heap::isValueGCObject): Deleted.
2723         * heap/HeapOperation.cpp: Added.
2724         (WTF::printInternal):
2725         * heap/HeapOperation.h:
2726         * heap/HeapUtil.h: Added.
2727         (JSC::HeapUtil::findGCObjectPointersForMarking):
2728         (JSC::HeapUtil::isPointerGCObjectJSCell):
2729         (JSC::HeapUtil::isValueGCObject):
2730         * heap/IncrementalSweeper.cpp:
2731         (JSC::IncrementalSweeper::sweepNextBlock):
2732         * heap/IncrementalSweeper.h:
2733         * heap/LargeAllocation.cpp: Added.
2734         (JSC::LargeAllocation::tryCreate):
2735         (JSC::LargeAllocation::LargeAllocation):
2736         (JSC::LargeAllocation::lastChanceToFinalize):
2737         (JSC::LargeAllocation::shrink):
2738         (JSC::LargeAllocation::visitWeakSet):
2739         (JSC::LargeAllocation::reapWeakSet):
2740         (JSC::LargeAllocation::flip):
2741         (JSC::LargeAllocation::isEmpty):
2742         (JSC::LargeAllocation::sweep):
2743         (JSC::LargeAllocation::destroy):
2744         (JSC::LargeAllocation::dump):
2745         * heap/LargeAllocation.h: Added.
2746         (JSC::LargeAllocation::fromCell):
2747         (JSC::LargeAllocation::cell):
2748         (JSC::LargeAllocation::isLargeAllocation):
2749         (JSC::LargeAllocation::heap):
2750         (JSC::LargeAllocation::vm):
2751         (JSC::LargeAllocation::weakSet):
2752         (JSC::LargeAllocation::clearNewlyAllocated):
2753         (JSC::LargeAllocation::isNewlyAllocated):
2754         (JSC::LargeAllocation::isMarked):
2755         (JSC::LargeAllocation::isMarkedOrNewlyAllocated):
2756         (JSC::LargeAllocation::isLive):
2757         (JSC::LargeAllocation::hasValidCell):
2758         (JSC::LargeAllocation::cellSize):
2759         (JSC::LargeAllocation::aboveLowerBound):
2760         (JSC::LargeAllocation::belowUpperBound):
2761         (JSC::LargeAllocation::contains):
2762         (JSC::LargeAllocation::attributes):
2763         (JSC::LargeAllocation::flipIfNecessary):
2764         (JSC::LargeAllocation::flipIfNecessaryConcurrently):
2765         (JSC::LargeAllocation::testAndSetMarked):
2766         (JSC::LargeAllocation::setMarked):
2767         (JSC::LargeAllocation::clearMarked):
2768         (JSC::LargeAllocation::noteMarked):
2769         (JSC::LargeAllocation::headerSize):
2770         * heap/MarkedAllocator.cpp:
2771         (JSC::MarkedAllocator::MarkedAllocator):
2772         (JSC::MarkedAllocator::isPagedOut):
2773         (JSC::MarkedAllocator::retire):
2774         (JSC::MarkedAllocator::filterNextBlock):
2775         (JSC::MarkedAllocator::setNextBlockToSweep):
2776         (JSC::MarkedAllocator::tryAllocateWithoutCollectingImpl):
2777         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
2778         (JSC::MarkedAllocator::allocateSlowCase):
2779         (JSC::MarkedAllocator::tryAllocateSlowCase):
2780         (JSC::MarkedAllocator::allocateSlowCaseImpl):
2781         (JSC::blockHeaderSize):
2782         (JSC::MarkedAllocator::blockSizeForBytes):
2783         (JSC::MarkedAllocator::tryAllocateBlock):
2784         (JSC::MarkedAllocator::addBlock):
2785         (JSC::MarkedAllocator::removeBlock):
2786         (JSC::MarkedAllocator::stopAllocating):
2787         (JSC::MarkedAllocator::reset):
2788         (JSC::MarkedAllocator::lastChanceToFinalize):
2789         (JSC::MarkedAllocator::setFreeList):
2790         (JSC::isListPagedOut): Deleted.
2791         (JSC::MarkedAllocator::tryAllocateHelper): Deleted.
2792         (JSC::MarkedAllocator::tryPopFreeList): Deleted.
2793         (JSC::MarkedAllocator::tryAllocate): Deleted.
2794         (JSC::MarkedAllocator::allocateBlock): Deleted.
2795         * heap/MarkedAllocator.h:
2796         (JSC::MarkedAllocator::takeLastActiveBlock):
2797         (JSC::MarkedAllocator::offsetOfFreeList):
2798         (JSC::MarkedAllocator::offsetOfCellSize):
2799         (JSC::MarkedAllocator::tryAllocate):
2800         (JSC::MarkedAllocator::allocate):
2801         (JSC::MarkedAllocator::forEachBlock):
2802         (JSC::MarkedAllocator::offsetOfFreeListHead): Deleted.
2803         (JSC::MarkedAllocator::MarkedAllocator): Deleted.
2804         (JSC::MarkedAllocator::init): Deleted.
2805         (JSC::MarkedAllocator::stopAllocating): Deleted.
2806         * heap/MarkedBlock.cpp:
2807         (JSC::MarkedBlock::tryCreate):
2808         (JSC::MarkedBlock::Handle::Handle):
2809         (JSC::MarkedBlock::Handle::~Handle):
2810         (JSC::MarkedBlock::MarkedBlock):
2811         (JSC::MarkedBlock::Handle::specializedSweep):
2812         (JSC::MarkedBlock::Handle::sweep):
2813         (JSC::MarkedBlock::Handle::sweepHelperSelectScribbleMode):
2814         (JSC::MarkedBlock::Handle::sweepHelperSelectStateAndSweepMode):
2815         (JSC::MarkedBlock::Handle::unsweepWithNoNewlyAllocated):
2816         (JSC::SetNewlyAllocatedFunctor::SetNewlyAllocatedFunctor):
2817         (JSC::SetNewlyAllocatedFunctor::operator()):
2818         (JSC::MarkedBlock::Handle::stopAllocating):
2819         (JSC::MarkedBlock::Handle::lastChanceToFinalize):
2820         (JSC::MarkedBlock::Handle::resumeAllocating):
2821         (JSC::MarkedBlock::Handle::zap):
2822         (JSC::MarkedBlock::Handle::forEachFreeCell):
2823         (JSC::MarkedBlock::flipIfNecessary):
2824         (JSC::MarkedBlock::Handle::flipIfNecessary):
2825         (JSC::MarkedBlock::flipIfNecessarySlow):
2826         (JSC::MarkedBlock::flipIfNecessaryConcurrentlySlow):
2827         (JSC::MarkedBlock::clearMarks):
2828         (JSC::MarkedBlock::assertFlipped):
2829         (JSC::MarkedBlock::needsFlip):
2830         (JSC::MarkedBlock::Handle::needsFlip):
2831         (JSC::MarkedBlock::Handle::willRemoveBlock):
2832         (JSC::MarkedBlock::Handle::didConsumeFreeList):
2833         (JSC::MarkedBlock::markCount):
2834         (JSC::MarkedBlock::Handle::isEmpty):
2835         (JSC::MarkedBlock::clearHasAnyMarked):
2836         (JSC::MarkedBlock::noteMarkedSlow):
2837         (WTF::printInternal):
2838         (JSC::MarkedBlock::create): Deleted.
2839         (JSC::MarkedBlock::destroy): Deleted.
2840         (JSC::MarkedBlock::callDestructor): Deleted.
2841         (JSC::MarkedBlock::specializedSweep): Deleted.
2842         (JSC::MarkedBlock::sweep): Deleted.
2843         (JSC::MarkedBlock::sweepHelper): Deleted.
2844         (JSC::MarkedBlock::stopAllocating): Deleted.
2845         (JSC::MarkedBlock::clearMarksWithCollectionType): Deleted.
2846         (JSC::MarkedBlock::lastChanceToFinalize): Deleted.
2847         (JSC::MarkedBlock::resumeAllocating): Deleted.
2848         (JSC::MarkedBlock::didRetireBlock): Deleted.
2849         * heap/MarkedBlock.h:
2850         (JSC::MarkedBlock::VoidFunctor::returnValue):
2851         (JSC::MarkedBlock::CountFunctor::CountFunctor):
2852         (JSC::MarkedBlock::CountFunctor::count):
2853         (JSC::MarkedBlock::CountFunctor::returnValue):
2854         (JSC::MarkedBlock::Handle::hasAnyNewlyAllocated):
2855         (JSC::MarkedBlock::Handle::isOnBlocksToSweep):
2856         (JSC::MarkedBlock::Handle::setIsOnBlocksToSweep):
2857         (JSC::MarkedBlock::Handle::state):
2858         (JSC::MarkedBlock::needsDestruction):
2859         (JSC::MarkedBlock::handle):
2860         (JSC::MarkedBlock::Handle::block):
2861         (JSC::MarkedBlock::firstAtom):
2862         (JSC::MarkedBlock::atoms):
2863         (JSC::MarkedBlock::isAtomAligned):
2864         (JSC::MarkedBlock::Handle::cellAlign):
2865         (JSC::MarkedBlock::blockFor):
2866         (JSC::MarkedBlock::Handle::allocator):
2867         (JSC::MarkedBlock::Handle::heap):
2868         (JSC::MarkedBlock::Handle::vm):
2869         (JSC::MarkedBlock::vm):
2870         (JSC::MarkedBlock::Handle::weakSet):
2871         (JSC::MarkedBlock::weakSet):
2872         (JSC::MarkedBlock::Handle::shrink):
2873         (JSC::MarkedBlock::Handle::visitWeakSet):
2874         (JSC::MarkedBlock::Handle::reapWeakSet):
2875         (JSC::MarkedBlock::Handle::cellSize):
2876         (JSC::MarkedBlock::cellSize):
2877         (JSC::MarkedBlock::Handle::attributes):
2878         (JSC::MarkedBlock::attributes):
2879         (JSC::MarkedBlock::Handle::needsDestruction):
2880         (JSC::MarkedBlock::Handle::destruction):
2881         (JSC::MarkedBlock::Handle::cellKind):
2882         (JSC::MarkedBlock::Handle::markCount):
2883         (JSC::MarkedBlock::Handle::size):
2884         (JSC::MarkedBlock::atomNumber):
2885         (JSC::MarkedBlock::flipIfNecessary):
2886         (JSC::MarkedBlock::flipIfNecessaryConcurrently):
2887         (JSC::MarkedBlock::Handle::flipIfNecessary):
2888         (JSC::MarkedBlock::Handle::flipIfNecessaryConcurrently):
2889         (JSC::MarkedBlock::Handle::flipForEdenCollection):
2890         (JSC::MarkedBlock::assertFlipped):
2891         (JSC::MarkedBlock::Handle::assertFlipped):
2892         (JSC::MarkedBlock::isMarked):
2893         (JSC::MarkedBlock::testAndSetMarked):
2894         (JSC::MarkedBlock::Handle::isNewlyAllocated):
2895         (JSC::MarkedBlock::Handle::setNewlyAllocated):
2896         (JSC::MarkedBlock::Handle::clearNewlyAllocated):
2897         (JSC::MarkedBlock::Handle::isMarkedOrNewlyAllocated):
2898         (JSC::MarkedBlock::isMarkedOrNewlyAllocated):
2899         (JSC::MarkedBlock::Handle::isLive):
2900         (JSC::MarkedBlock::isAtom):
2901         (JSC::MarkedBlock::Handle::isLiveCell):
2902         (JSC::MarkedBlock::Handle::forEachCell):
2903         (JSC::MarkedBlock::Handle::forEachLiveCell):
2904         (JSC::MarkedBlock::Handle::forEachDeadCell):
2905         (JSC::MarkedBlock::Handle::needsSweeping):
2906         (JSC::MarkedBlock::Handle::isAllocated):
2907         (JSC::MarkedBlock::Handle::isMarked):
2908         (JSC::MarkedBlock::Handle::isFreeListed):
2909         (JSC::MarkedBlock::hasAnyMarked):
2910         (JSC::MarkedBlock::noteMarked):
2911         (WTF::MarkedBlockHash::hash):
2912         (JSC::MarkedBlock::FreeList::FreeList): Deleted.
2913         (JSC::MarkedBlock::allocator): Deleted.
2914         (JSC::MarkedBlock::heap): Deleted.
2915         (JSC::MarkedBlock::shrink): Deleted.
2916         (JSC::MarkedBlock::visitWeakSet): Deleted.
2917         (JSC::MarkedBlock::reapWeakSet): Deleted.
2918         (JSC::MarkedBlock::willRemoveBlock): Deleted.
2919         (JSC::MarkedBlock::didConsumeFreeList): Deleted.
2920         (JSC::MarkedBlock::markCount): Deleted.
2921         (JSC::MarkedBlock::isEmpty): Deleted.
2922         (JSC::MarkedBlock::destruction): Deleted.
2923         (JSC::MarkedBlock::cellKind): Deleted.
2924         (JSC::MarkedBlock::size): Deleted.
2925         (JSC::MarkedBlock::capacity): Deleted.
2926         (JSC::MarkedBlock::setMarked): Deleted.
2927         (JSC::MarkedBlock::clearMarked): Deleted.
2928         (JSC::MarkedBlock::isNewlyAllocated): Deleted.
2929         (JSC::MarkedBlock::setNewlyAllocated): Deleted.
2930         (JSC::MarkedBlock::clearNewlyAllocated): Deleted.
2931         (JSC::MarkedBlock::isLive): Deleted.
2932         (JSC::MarkedBlock::isLiveCell): Deleted.
2933         (JSC::MarkedBlock::forEachCell): Deleted.
2934         (JSC::MarkedBlock::forEachLiveCell): Deleted.
2935         (JSC::MarkedBlock::forEachDeadCell): Deleted.
2936         (JSC::MarkedBlock::needsSweeping): Deleted.
2937         (JSC::MarkedBlock::isAllocated): Deleted.
2938         (JSC::MarkedBlock::isMarkedOrRetired): Deleted.
2939         * heap/MarkedSpace.cpp:
2940         (JSC::MarkedSpace::initializeSizeClassForStepSize):
2941         (JSC::MarkedSpace::MarkedSpace):
2942         (JSC::MarkedSpace::~MarkedSpace):
2943         (JSC::MarkedSpace::lastChanceToFinalize):
2944         (JSC::MarkedSpace::allocate):
2945         (JSC::MarkedSpace::tryAllocate):
2946         (JSC::MarkedSpace::allocateLarge):
2947         (JSC::MarkedSpace::tryAllocateLarge):
2948         (JSC::MarkedSpace::sweep):
2949         (JSC::MarkedSpace::sweepLargeAllocations):
2950         (JSC::MarkedSpace::zombifySweep):
2951         (JSC::MarkedSpace::resetAllocators):
2952         (JSC::MarkedSpace::visitWeakSets):
2953         (JSC::MarkedSpace::reapWeakSets):
2954         (JSC::MarkedSpace::stopAllocating):
2955         (JSC::MarkedSpace::prepareForMarking):
2956         (JSC::MarkedSpace::resumeAllocating):
2957         (JSC::MarkedSpace::isPagedOut):
2958         (JSC::MarkedSpace::freeBlock):
2959         (JSC::MarkedSpace::freeOrShrinkBlock):
2960         (JSC::MarkedSpace::shrink):
2961         (JSC::MarkedSpace::clearNewlyAllocated):
2962         (JSC::VerifyMarked::operator()):
2963         (JSC::MarkedSpace::flip):
2964         (JSC::MarkedSpace::objectCount):
2965         (JSC::MarkedSpace::size):
2966         (JSC::MarkedSpace::capacity):
2967         (JSC::MarkedSpace::addActiveWeakSet):
2968         (JSC::MarkedSpace::didAddBlock):
2969         (JSC::MarkedSpace::didAllocateInBlock):
2970         (JSC::MarkedSpace::forEachAllocator): Deleted.
2971         (JSC::VerifyMarkedOrRetired::operator()): Deleted.
2972         (JSC::MarkedSpace::clearMarks): Deleted.
2973         * heap/MarkedSpace.h:
2974         (JSC::MarkedSpace::sizeClassToIndex):
2975         (JSC::MarkedSpace::indexToSizeClass):
2976         (JSC::MarkedSpace::version):
2977         (JSC::MarkedSpace::blocksWithNewObjects):
2978         (JSC::MarkedSpace::largeAllocations):
2979         (JSC::MarkedSpace::largeAllocationsNurseryOffset):
2980         (JSC::MarkedSpace::largeAllocationsOffsetForThisCollection):
2981         (JSC::MarkedSpace::largeAllocationsForThisCollectionBegin):
2982         (JSC::MarkedSpace::largeAllocationsForThisCollectionEnd):
2983         (JSC::MarkedSpace::largeAllocationsForThisCollectionSize):
2984         (JSC::MarkedSpace::forEachLiveCell):
2985         (JSC::MarkedSpace::forEachDeadCell):
2986         (JSC::MarkedSpace::allocatorFor):
2987         (JSC::MarkedSpace::destructorAllocatorFor):
2988         (JSC::MarkedSpace::auxiliaryAllocatorFor):
2989         (JSC::MarkedSpace::allocateWithoutDestructor):
2990         (JSC::MarkedSpace::allocateWithDestructor):
2991         (JSC::MarkedSpace::allocateAuxiliary):
2992         (JSC::MarkedSpace::tryAllocateAuxiliary):
2993         (JSC::MarkedSpace::forEachBlock):
2994         (JSC::MarkedSpace::forEachAllocator):
2995         (JSC::MarkedSpace::optimalSizeFor):
2996         (JSC::MarkedSpace::didAddBlock): Deleted.
2997         (JSC::MarkedSpace::didAllocateInBlock): Deleted.
2998         (JSC::MarkedSpace::objectCount): Deleted.
2999         (JSC::MarkedSpace::size): Deleted.
3000         (JSC::MarkedSpace::capacity): Deleted.
3001         * heap/SlotVisitor.cpp:
3002         (JSC::SlotVisitor::SlotVisitor):
3003         (JSC::SlotVisitor::didStartMarking):
3004         (JSC::SlotVisitor::reset):
3005         (JSC::SlotVisitor::append):
3006         (JSC::SlotVisitor::appendJSCellOrAuxiliary):
3007         (JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
3008         (JSC::SlotVisitor::appendToMarkStack):
3009         (JSC::SlotVisitor::markAuxiliary):
3010         (JSC::SlotVisitor::noteLiveAuxiliaryCell):
3011         (JSC::SlotVisitor::visitChildren):
3012         * heap/SlotVisitor.h:
3013         * heap/WeakBlock.cpp:
3014         (JSC::WeakBlock::create):
3015         (JSC::WeakBlock::WeakBlock):
3016         (JSC::WeakBlock::visit):
3017         (JSC::WeakBlock::reap):
3018         * heap/WeakBlock.h:
3019         (JSC::WeakBlock::disconnectContainer):
3020         (JSC::WeakBlock::disconnectMarkedBlock): Deleted.
3021         * heap/WeakSet.cpp:
3022         (JSC::WeakSet::~WeakSet):
3023         (JSC::WeakSet::sweep):
3024         (JSC::WeakSet::shrink):
3025         (JSC::WeakSet::addAllocator):
3026         * heap/WeakSet.h:
3027         (JSC::WeakSet::container):
3028         (JSC::WeakSet::setContainer):
3029         (JSC::WeakSet::WeakSet):
3030         (JSC::WeakSet::visit):
3031         (JSC::WeakSet::shrink): Deleted.
3032         * heap/WeakSetInlines.h:
3033         (JSC::WeakSet::allocate):
3034         * inspector/InjectedScriptManager.cpp:
3035         * inspector/JSGlobalObjectInspectorController.cpp:
3036         * inspector/JSJavaScriptCallFrame.cpp:
3037         * inspector/ScriptDebugServer.cpp:
3038         * inspector/agents/InspectorDebuggerAgent.cpp:
3039         * interpreter/CachedCall.h:
3040         (JSC::CachedCall::CachedCall):
3041         * interpreter/Interpreter.cpp:
3042         (JSC::loadVarargs):
3043         (JSC::StackFrame::sourceID): Deleted.
3044         (JSC::StackFrame::sourceURL): Deleted.
3045         (JSC::StackFrame::functionName): Deleted.
3046         (JSC::StackFrame::computeLineAndColumn): Deleted.
3047         (JSC::StackFrame::toString): Deleted.
3048         * interpreter/Interpreter.h:
3049         (JSC::StackFrame::isNative): Deleted.
3050         * jit/AssemblyHelpers.h:
3051         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
3052         (JSC::AssemblyHelpers::emitAllocate):
3053         (JSC::AssemblyHelpers::emitAllocateJSCell):
3054         (JSC::AssemblyHelpers::emitAllocateJSObject):
3055         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
3056         (JSC::AssemblyHelpers::emitAllocateVariableSized):
3057         * jit/GCAwareJITStubRoutine.cpp:
3058         (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
3059         * jit/JIT.cpp:
3060         (JSC::JIT::compileCTINativeCall):
3061         (JSC::JIT::link):
3062         * jit/JIT.h:
3063         (JSC::JIT::compileCTINativeCall): Deleted.
3064         * jit/JITExceptions.cpp:
3065         (JSC::genericUnwind):
3066         * jit/JITExceptions.h:
3067         * jit/JITOpcodes.cpp:
3068         (JSC::JIT::emit_op_new_object):
3069         (JSC::JIT::emitSlow_op_new_object):
3070         (JSC::JIT::emit_op_create_this):
3071         (JSC::JIT::emitSlow_op_create_this):
3072         * jit/JITOpcodes32_64.cpp:
3073         (JSC::JIT::emit_op_new_object):
3074         (JSC::JIT::emitSlow_op_new_object):
3075         (JSC::JIT::emit_op_create_this):
3076         (JSC::JIT::emitSlow_op_create_this):
3077         * jit/JITOperations.cpp:
3078         * jit/JITOperations.h:
3079         * jit/JITPropertyAccess.cpp:
3080         (JSC::JIT::emitWriteBarrier):
3081         * jit/JITThunks.cpp:
3082         * jit/JITThunks.h:
3083         * jsc.cpp:
3084         (functionDescribeArray):
3085         (main):
3086         * llint/LLIntData.cpp:
3087         (JSC::LLInt::Data::performAssertions):
3088         * llint/LLIntExceptions.cpp:
3089         * llint/LLIntThunks.cpp:
3090         * llint/LLIntThunks.h:
3091         * llint/LowLevelInterpreter.asm:
3092         * llint/LowLevelInterpreter.cpp:
3093         * llint/LowLevelInterpreter32_64.asm:
3094         * llint/LowLevelInterpreter64.asm:
3095         * parser/ModuleAnalyzer.cpp:
3096         * parser/NodeConstructors.h:
3097         * parser/Nodes.h:
3098         * profiler/ProfilerBytecode.cpp:
3099         * profiler/ProfilerBytecode.h:
3100         * profiler/ProfilerBytecodeSequence.cpp:
3101         * runtime/ArrayConventions.h:
3102         (JSC::indexingHeaderForArrayStorage):
3103         (JSC::baseIndexingHeaderForArrayStorage):
3104         (JSC::indexingHeaderForArray): Deleted.
3105         (JSC::baseIndexingHeaderForArray): Deleted.
3106         * runtime/ArrayPrototype.cpp:
3107         (JSC::arrayProtoFuncSplice):
3108         (JSC::concatAppendOne):
3109         (JSC::arrayProtoPrivateFuncConcatMemcpy):
3110         * runtime/ArrayStorage.h:
3111         (JSC::ArrayStorage::vectorLength):
3112         (JSC::ArrayStorage::totalSizeFor):
3113         (JSC::ArrayStorage::totalSize):
3114         (JSC::ArrayStorage::availableVectorLength):
3115         (JSC::ArrayStorage::optimalVectorLength):
3116         (JSC::ArrayStorage::sizeFor): Deleted.
3117         * runtime/AuxiliaryBarrier.h: Added.
3118         (JSC::AuxiliaryBarrier::AuxiliaryBarrier):
3119         (JSC::AuxiliaryBarrier::clear):
3120         (JSC::AuxiliaryBarrier::get):
3121         (JSC::AuxiliaryBarrier::slot):
3122         (JSC::AuxiliaryBarrier::operator bool):
3123         (JSC::AuxiliaryBarrier::setWithoutBarrier):
3124         * runtime/AuxiliaryBarrierInlines.h: Added.
3125         (JSC::AuxiliaryBarrier<T>::AuxiliaryBarrier):
3126         (JSC::AuxiliaryBarrier<T>::set):
3127         * runtime/Butterfly.h:
3128         * runtime/ButterflyInlines.h:
3129         (JSC::Butterfly::availableContiguousVectorLength):
3130         (JSC::Butterfly::optimalContiguousVectorLength):
3131         (JSC::Butterfly::createUninitialized):
3132         (JSC::Butterfly::growArrayRight):
3133         * runtime/ClonedArguments.cpp:
3134         (JSC::ClonedArguments::createEmpty):
3135         * runtime/CommonSlowPathsExceptions.cpp:
3136         * runtime/CommonSlowPathsExceptions.h:
3137         * runtime/DataView.cpp:
3138         * runtime/DirectArguments.h:
3139         * runtime/ECMAScriptSpecInternalFunctions.cpp:
3140         * runtime/Error.cpp:
3141         * runtime/Error.h:
3142         * runtime/ErrorInstance.cpp:
3143         * runtime/ErrorInstance.h:
3144         * runtime/Exception.cpp:
3145         * runtime/Exception.h:
3146         * runtime/GeneratorFrame.cpp:
3147         * runtime/GeneratorPrototype.cpp:
3148         * runtime/InternalFunction.cpp:
3149         (JSC::InternalFunction::InternalFunction):
3150         * runtime/IntlCollator.cpp:
3151         * runtime/IntlCollatorConstructor.cpp:
3152         * runtime/IntlCollatorPrototype.cpp:
3153         * runtime/IntlDateTimeFormat.cpp:
3154         * runtime/IntlDateTimeFormatConstructor.cpp:
3155         * runtime/IntlDateTimeFormatPrototype.cpp:
3156         * runtime/IntlNumberFormat.cpp:
3157         * runtime/IntlNumberFormatConstructor.cpp:
3158         * runtime/IntlNumberFormatPrototype.cpp:
3159         * runtime/IntlObject.cpp:
3160         * runtime/IteratorPrototype.cpp:
3161         * runtime/JSArray.cpp:
3162         (JSC::JSArray::tryCreateUninitialized):
3163         (JSC::JSArray::setLengthWritable):
3164         (JSC::JSArray::unshiftCountSlowCase):
3165         (JSC::JSArray::setLengthWithArrayStorage):
3166         (JSC::JSArray::appendMemcpy):
3167         (JSC::JSArray::setLength):
3168         (JSC::JSArray::pop):
3169         (JSC::JSArray::push):
3170         (JSC::JSArray::fastSlice):
3171         (JSC::JSArray::shiftCountWithArrayStorage):
3172         (JSC::JSArray::shiftCountWithAnyIndexingType):
3173         (JSC::JSArray::unshiftCountWithArrayStorage):
3174         (JSC::JSArray::fillArgList):
3175         (JSC::JSArray::copyToArguments):
3176         * runtime/JSArray.h:
3177         (JSC::createContiguousArrayButterfly):
3178         (JSC::createArrayButterfly):
3179         (JSC::JSArray::create):
3180         (JSC::JSArray::tryCreateUninitialized): Deleted.
3181         * runtime/JSArrayBufferView.h:
3182         * runtime/JSCInlines.h:
3183         * runtime/JSCJSValue.cpp:
3184         (JSC::JSValue::dumpInContextAssumingStructure):
3185         * runtime/JSCallee.cpp:
3186         (JSC::JSCallee::JSCallee):
3187         * runtime/JSCell.cpp:
3188         (JSC::JSCell::estimatedSize):
3189         * runtime/JSCell.h:
3190         (JSC::JSCell::cellStateOffset): Deleted.
3191         * runtime/JSCellInlines.h:
3192         (JSC::ExecState::vm):
3193         (JSC::JSCell::classInfo):
3194         (JSC::JSCell::callDestructor):
3195         (JSC::JSCell::vm): Deleted.
3196         * runtime/JSFunction.cpp:
3197         (JSC::JSFunction::create):
3198         (JSC::JSFunction::allocateAndInitializeRareData):
3199         (JSC::JSFunction::initializeRareData):
3200         (JSC::JSFunction::getOwnPropertySlot):
3201         (JSC::JSFunction::put):
3202         (JSC::JSFunction::deleteProperty):
3203         (JSC::JSFunction::defineOwnProperty):
3204         (JSC::JSFunction::setFunctionName):
3205         (JSC::JSFunction::reifyLength):
3206         (JSC::JSFunction::reifyName):
3207         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
3208         (JSC::JSFunction::reifyBoundNameIfNeeded):
3209         * runtime/JSFunction.h:
3210         * runtime/JSFunctionInlines.h:
3211         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
3212         (JSC::JSFunction::JSFunction):
3213         * runtime/JSGenericTypedArrayViewInlines.h:
3214         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
3215         * runtime/JSInternalPromise.cpp:
3216         * runtime/JSInternalPromiseConstructor.cpp:
3217         * runtime/JSInternalPromiseDeferred.cpp:
3218         * runtime/JSInternalPromisePrototype.cpp:
3219         * runtime/JSJob.cpp:
3220         * runtime/JSMapIterator.cpp:
3221         * runtime/JSModuleNamespaceObject.cpp:
3222         * runtime/JSModuleRecord.cpp:
3223         * runtime/JSObject.cpp:
3224         (JSC::JSObject::visitButterfly):
3225         (JSC::JSObject::notifyPresenceOfIndexedAccessors):
3226         (JSC::JSObject::createInitialIndexedStorage):
3227         (JSC::JSObject::createInitialUndecided):
3228         (JSC::JSObject::createInitialInt32):
3229         (JSC::JSObject::createInitialDouble):
3230         (JSC::JSObject::createInitialContiguous):
3231         (JSC::JSObject::createArrayStorage):
3232         (JSC::JSObject::createInitialArrayStorage):
3233         (JSC::JSObject::convertUndecidedToInt32):
3234         (JSC::JSObject::convertUndecidedToContiguous):
3235         (JSC::JSObject::convertUndecidedToArrayStorage):
3236         (JSC::JSObject::convertInt32ToDouble):
3237         (JSC::JSObject::convertInt32ToArrayStorage):
3238         (JSC::JSObject::convertDoubleToArrayStorage):
3239         (JSC::JSObject::convertContiguousToArrayStorage):
3240         (JSC::JSObject::putByIndexBeyondVectorLength):
3241         (JSC::JSObject::putDirectIndexBeyondVectorLength):
3242         (JSC::JSObject::getNewVectorLength):
3243         (JSC::JSObject::increaseVectorLength):
3244         (JSC::JSObject::ensureLengthSlow):
3245         (JSC::JSObject::growOutOfLineStorage):
3246         (JSC::JSObject::copyButterfly): Deleted.
3247         (JSC::JSObject::copyBackingStore): Deleted.
3248         * runtime/JSObject.h:
3249         (JSC::JSObject::globalObject):
3250         (JSC::JSObject::putDirectInternal):
3251         (JSC::JSObject::setStructureAndReallocateStorageIfNecessary): Deleted.
3252         * runtime/JSObjectInlines.h:
3253         * runtime/JSPromise.cpp:
3254         * runtime/JSPromiseConstructor.cpp:
3255         * runtime/JSPromiseDeferred.cpp:
3256         * runtime/JSPromisePrototype.cpp:
3257         * runtime/JSPropertyNameIterator.cpp:
3258         * runtime/JSScope.cpp:
3259         (JSC::JSScope::resolve):
3260         * runtime/JSScope.h:
3261         (JSC::JSScope::globalObject):
3262         (JSC::JSScope::vm): Deleted.
3263         * runtime/JSSetIterator.cpp:
3264         * runtime/JSStringIterator.cpp:
3265         * runtime/JSTemplateRegistryKey.cpp:
3266         * runtime/JSTypedArrayViewConstructor.cpp:
3267         * runtime/JSTypedArrayViewPrototype.cpp:
3268         * runtime/JSWeakMap.cpp:
3269         * runtime/JSWeakSet.cpp:
3270         * runtime/MapConstructor.cpp:
3271         * runtime/MapIteratorPrototype.cpp:
3272         * runtime/MapPrototype.cpp:
3273         * runtime/NativeErrorConstructor.cpp:
3274         * runtime/NativeStdFunctionCell.cpp:
3275         * runtime/Operations.h:
3276         (JSC::scribbleFreeCells):
3277         (JSC::scribble):
3278         * runtime/Options.h:
3279         * runtime/PropertyTable.cpp:
3280         * runtime/ProxyConstructor.cpp:
3281         * runtime/ProxyObject.cpp:
3282         * runtime/ProxyRevoke.cpp:
3283         * runtime/RegExp.cpp:
3284         (JSC::RegExp::match):
3285         (JSC::RegExp::matchConcurrently):
3286         (JSC::RegExp::matchCompareWithInterpreter):
3287         * runtime/RegExp.h:
3288         * runtime/RegExpConstructor.h:
3289         * runtime/RegExpInlines.h:
3290         (JSC::RegExp::matchInline):
3291         * runtime/RegExpMatchesArray.h:
3292         (JSC::tryCreateUninitializedRegExpMatchesArray):
3293         (JSC::createRegExpMatchesArray):
3294         * runtime/RegExpPrototype.cpp:
3295         (JSC::genericSplit):
3296         * runtime/RuntimeType.cpp:
3297         * runtime/SamplingProfiler.cpp:
3298         (JSC::SamplingProfiler::processUnverifiedStackTraces):
3299         * runtime/SetConstructor.cpp: