Remove poisoning of typed array vector
[WebKit-https.git] / Source / JavaScriptCore / runtime / JSObject.h
1 /*
2  *  Copyright (C) 1999-2001 Harri Porten (porten@kde.org)
3  *  Copyright (C) 2001 Peter Kelly (pmk@post.com)
4  *  Copyright (C) 2003-2018 Apple Inc. All rights reserved.
5  *
6  *  This library is free software; you can redistribute it and/or
7  *  modify it under the terms of the GNU Library General Public
8  *  License as published by the Free Software Foundation; either
9  *  version 2 of the License, or (at your option) any later version.
10  *
11  *  This library is distributed in the hope that it will be useful,
12  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
13  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
14  *  Library General Public License for more details.
15  *
16  *  You should have received a copy of the GNU Library General Public License
17  *  along with this library; see the file COPYING.LIB.  If not, write to
18  *  the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
19  *  Boston, MA 02110-1301, USA.
20  *
21  */
22
23 #pragma once
24
25 #include "ArrayConventions.h"
26 #include "ArrayStorage.h"
27 #include "Butterfly.h"
28 #include "CPU.h"
29 #include "CagedBarrierPtr.h"
30 #include "CallFrame.h"
31 #include "ClassInfo.h"
32 #include "CustomGetterSetter.h"
33 #include "DOMAttributeGetterSetter.h"
34 #include "Heap.h"
35 #include "IndexingHeaderInlines.h"
36 #include "JSCast.h"
37 #include "ObjectInitializationScope.h"
38 #include "PropertySlot.h"
39 #include "PropertyStorage.h"
40 #include "PutDirectIndexMode.h"
41 #include "PutPropertySlot.h"
42 #include "Structure.h"
43 #include "StructureTransitionTable.h"
44 #include "VM.h"
45 #include "JSString.h"
46 #include "SparseArrayValueMap.h"
47 #include <wtf/StdLibExtras.h>
48
49 namespace JSC {
50 namespace DOMJIT {
51 class Signature;
52 }
53
54 inline JSCell* getJSFunction(JSValue value)
55 {
56     if (value.isCell() && (value.asCell()->type() == JSFunctionType))
57         return value.asCell();
58     return 0;
59 }
60
61 class GetterSetter;
62 class InternalFunction;
63 class JSFunction;
64 class LLIntOffsetsExtractor;
65 class MarkedBlock;
66 class PropertyDescriptor;
67 class PropertyNameArray;
68 class Structure;
69 class ThrowScope;
70 struct HashTable;
71 struct HashTableValue;
72
73 JS_EXPORT_PRIVATE JSObject* throwTypeError(ExecState*, ThrowScope&, const String&);
74 extern JS_EXPORT_PRIVATE const char* const NonExtensibleObjectPropertyDefineError;
75 extern JS_EXPORT_PRIVATE const char* const ReadonlyPropertyWriteError;
76 extern JS_EXPORT_PRIVATE const char* const ReadonlyPropertyChangeError;
77 extern JS_EXPORT_PRIVATE const char* const UnableToDeletePropertyError;
78 extern JS_EXPORT_PRIVATE const char* const UnconfigurablePropertyChangeAccessMechanismError;
79 extern JS_EXPORT_PRIVATE const char* const UnconfigurablePropertyChangeConfigurabilityError;
80 extern JS_EXPORT_PRIVATE const char* const UnconfigurablePropertyChangeEnumerabilityError;
81 extern JS_EXPORT_PRIVATE const char* const UnconfigurablePropertyChangeWritabilityError;
82
83 COMPILE_ASSERT(PropertyAttribute::None < FirstInternalAttribute, None_is_below_FirstInternalAttribute);
84 COMPILE_ASSERT(PropertyAttribute::ReadOnly < FirstInternalAttribute, ReadOnly_is_below_FirstInternalAttribute);
85 COMPILE_ASSERT(PropertyAttribute::DontEnum < FirstInternalAttribute, DontEnum_is_below_FirstInternalAttribute);
86 COMPILE_ASSERT(PropertyAttribute::DontDelete < FirstInternalAttribute, DontDelete_is_below_FirstInternalAttribute);
87 COMPILE_ASSERT(PropertyAttribute::Accessor < FirstInternalAttribute, Accessor_is_below_FirstInternalAttribute);
88
89 class JSFinalObject;
90
91 class JSObject : public JSCell {
92     friend class BatchedTransitionOptimizer;
93     friend class JIT;
94     friend class JSCell;
95     friend class JSFinalObject;
96     friend class MarkedBlock;
97     JS_EXPORT_PRIVATE friend bool setUpStaticFunctionSlot(VM&, const HashTableValue*, JSObject*, PropertyName, PropertySlot&);
98
99     enum PutMode {
100         PutModePut,
101         PutModeDefineOwnProperty,
102     };
103
104 public:
105     typedef JSCell Base;
106
107     template<typename>
108     static CompleteSubspace* subspaceFor(VM& vm)
109     {
110         return &vm.cellJSValueOOBSpace;
111     }
112
113     // This is a super dangerous method for JITs. Sometimes the JITs will want to create either a
114     // JSFinalObject or a JSArray. This is the method that will do that.
115     static JSObject* createRawObject(ExecState* exec, Structure* structure, Butterfly* = nullptr);
116
117     JS_EXPORT_PRIVATE static size_t estimatedSize(JSCell*);
118     JS_EXPORT_PRIVATE static void visitChildren(JSCell*, SlotVisitor&);
119     JS_EXPORT_PRIVATE static void heapSnapshot(JSCell*, HeapSnapshotBuilder&);
120
121     JS_EXPORT_PRIVATE static String className(const JSObject*);
122     JS_EXPORT_PRIVATE static String calculatedClassName(JSObject*);
123
124     // This function is what Object.prototype.toString() will use to get the name of
125     // an object when using Symbol.toStringTag fails. For the most part there is no
126     // difference between this and className(). The main use case is for new JS language
127     // objects to set the default tag to "Object".
128     JS_EXPORT_PRIVATE static String toStringName(const JSObject*, ExecState*);
129
130     // This is the fully virtual [[GetPrototypeOf]] internal function defined
131     // in the ECMAScript 6 specification. Use this when doing a [[GetPrototypeOf]] 
132     // operation as dictated in the specification.
133     JSValue getPrototype(VM&, ExecState*);
134     JS_EXPORT_PRIVATE static JSValue getPrototype(JSObject*, ExecState*);
135     // This gets the prototype directly off of the structure. This does not do
136     // dynamic dispatch on the getPrototype method table method. It is not valid 
137     // to use this when performing a [[GetPrototypeOf]] operation in the specification.
138     // It is valid to use though when you know that you want to directly get it
139     // without consulting the method table. This is akin to getting the [[Prototype]]
140     // internal field directly as described in the specification.
141     JSValue getPrototypeDirect(VM&) const;
142
143     // This sets the prototype without checking for cycles and without
144     // doing dynamic dispatch on [[SetPrototypeOf]] operation in the specification.
145     // It is not valid to use this when performing a [[SetPrototypeOf]] operation in
146     // the specification. It is valid to use though when you know that you want to directly
147     // set it without consulting the method table and when you definitely won't
148     // introduce a cycle in the prototype chain. This is akin to setting the
149     // [[Prototype]] internal field directly as described in the specification.
150     JS_EXPORT_PRIVATE void setPrototypeDirect(VM&, JSValue prototype);
151 private:
152     // This is OrdinarySetPrototypeOf in the specification. Section 9.1.2.1
153     // https://tc39.github.io/ecma262/#sec-ordinarysetprototypeof
154     JS_EXPORT_PRIVATE bool setPrototypeWithCycleCheck(VM&, ExecState*, JSValue prototype, bool shouldThrowIfCantSet);
155 public:
156     // This is the fully virtual [[SetPrototypeOf]] internal function defined
157     // in the ECMAScript 6 specification. Use this when doing a [[SetPrototypeOf]] 
158     // operation as dictated in the specification.
159     bool setPrototype(VM&, ExecState*, JSValue prototype, bool shouldThrowIfCantSet = false);
160     JS_EXPORT_PRIVATE static bool setPrototype(JSObject*, ExecState*, JSValue prototype, bool shouldThrowIfCantSet);
161         
162     bool mayInterceptIndexedAccesses()
163     {
164         return structure()->mayInterceptIndexedAccesses();
165     }
166         
167     JSValue get(ExecState*, PropertyName) const;
168     JSValue get(ExecState*, unsigned propertyName) const;
169
170     bool getPropertySlot(ExecState*, PropertyName, PropertySlot&);
171     bool getPropertySlot(ExecState*, unsigned propertyName, PropertySlot&);
172     template<typename CallbackWhenNoException> typename std::result_of<CallbackWhenNoException(bool, PropertySlot&)>::type getPropertySlot(ExecState*, PropertyName, CallbackWhenNoException) const;
173     template<typename CallbackWhenNoException> typename std::result_of<CallbackWhenNoException(bool, PropertySlot&)>::type getPropertySlot(ExecState*, PropertyName, PropertySlot&, CallbackWhenNoException) const;
174
175     static bool getOwnPropertySlot(JSObject*, ExecState*, PropertyName, PropertySlot&);
176     JS_EXPORT_PRIVATE static bool getOwnPropertySlotByIndex(JSObject*, ExecState*, unsigned propertyName, PropertySlot&);
177
178     // The key difference between this and getOwnPropertySlot is that getOwnPropertySlot
179     // currently returns incorrect results for the DOM window (with non-own properties)
180     // being returned. Once this is fixed we should migrate code & remove this method.
181     JS_EXPORT_PRIVATE bool getOwnPropertyDescriptor(ExecState*, PropertyName, PropertyDescriptor&);
182
183     unsigned getArrayLength() const
184     {
185         if (!hasIndexedProperties(indexingType()))
186             return 0;
187         return m_butterfly->publicLength();
188     }
189         
190     unsigned getVectorLength()
191     {
192         if (!hasIndexedProperties(indexingType()))
193             return 0;
194         return m_butterfly->vectorLength();
195     }
196     
197     static bool putInlineForJSObject(JSCell*, ExecState*, PropertyName, JSValue, PutPropertySlot&);
198     
199     JS_EXPORT_PRIVATE static bool put(JSCell*, ExecState*, PropertyName, JSValue, PutPropertySlot&);
200     // putByIndex assumes that the receiver is this JSCell object.
201     JS_EXPORT_PRIVATE static bool putByIndex(JSCell*, ExecState*, unsigned propertyName, JSValue, bool shouldThrow);
202         
203     // This performs the ECMAScript Set() operation.
204     ALWAYS_INLINE bool putByIndexInline(ExecState* exec, unsigned propertyName, JSValue value, bool shouldThrow)
205     {
206         if (canSetIndexQuickly(propertyName)) {
207             setIndexQuickly(exec->vm(), propertyName, value);
208             return true;
209         }
210         return methodTable(exec->vm())->putByIndex(this, exec, propertyName, value, shouldThrow);
211     }
212         
213     // This is similar to the putDirect* methods:
214     //  - the prototype chain is not consulted
215     //  - accessors are not called.
216     //  - it will ignore extensibility and read-only properties if PutDirectIndexLikePutDirect is passed as the mode (the default).
217     // This method creates a property with attributes writable, enumerable and configurable all set to true if attributes is zero,
218     // otherwise, it creates a property with the provided attributes. Semantically, this is performing defineOwnProperty.
219     bool putDirectIndex(ExecState* exec, unsigned propertyName, JSValue value, unsigned attributes, PutDirectIndexMode mode)
220     {
221         auto canSetIndexQuicklyForPutDirect = [&] () -> bool {
222             switch (indexingType()) {
223             case ALL_BLANK_INDEXING_TYPES:
224             case ALL_UNDECIDED_INDEXING_TYPES:
225                 return false;
226             case ALL_INT32_INDEXING_TYPES:
227             case ALL_DOUBLE_INDEXING_TYPES:
228             case ALL_CONTIGUOUS_INDEXING_TYPES:
229             case ALL_ARRAY_STORAGE_INDEXING_TYPES:
230                 return propertyName < m_butterfly->vectorLength();
231             default:
232                 RELEASE_ASSERT_NOT_REACHED();
233                 return false;
234             }
235         };
236         
237         if (!attributes && canSetIndexQuicklyForPutDirect()) {
238             setIndexQuickly(exec->vm(), propertyName, value);
239             return true;
240         }
241         return putDirectIndexSlowOrBeyondVectorLength(exec, propertyName, value, attributes, mode);
242     }
243     // This is semantically equivalent to performing defineOwnProperty(propertyName, {configurable:true, writable:true, enumerable:true, value:value}).
244     bool putDirectIndex(ExecState* exec, unsigned propertyName, JSValue value)
245     {
246         return putDirectIndex(exec, propertyName, value, 0, PutDirectIndexLikePutDirect);
247     }
248
249     // A generally non-throwing version of putDirect and putDirectIndex.
250     // However, it's only guaranteed to not throw based on what the receiver is.
251     // For example, if the receiver is a ProxyObject, this is not guaranteed, since
252     // it may call into arbitrary JS code. It's the responsibility of the user of
253     // this API to ensure that the receiver object is a well known type if they
254     // want to ensure that this won't throw an exception.
255     JS_EXPORT_PRIVATE bool putDirectMayBeIndex(ExecState*, PropertyName, JSValue);
256         
257     bool hasIndexingHeader() const
258     {
259         return structure()->hasIndexingHeader(this);
260     }
261     
262     bool canGetIndexQuickly(unsigned i)
263     {
264         Butterfly* butterfly = this->butterfly();
265         switch (indexingType()) {
266         case ALL_BLANK_INDEXING_TYPES:
267         case ALL_UNDECIDED_INDEXING_TYPES:
268             return false;
269         case ALL_INT32_INDEXING_TYPES:
270         case ALL_CONTIGUOUS_INDEXING_TYPES:
271             return i < butterfly->vectorLength() && butterfly->contiguous().at(i);
272         case ALL_DOUBLE_INDEXING_TYPES: {
273             if (i >= butterfly->vectorLength())
274                 return false;
275             double value = butterfly->contiguousDouble().at(i);
276             if (value != value)
277                 return false;
278             return true;
279         }
280         case ALL_ARRAY_STORAGE_INDEXING_TYPES:
281             return i < butterfly->arrayStorage()->vectorLength() && butterfly->arrayStorage()->m_vector[i];
282         default:
283             RELEASE_ASSERT_NOT_REACHED();
284             return false;
285         }
286     }
287         
288     JSValue getIndexQuickly(unsigned i)
289     {
290         Butterfly* butterfly = this->butterfly();
291         switch (indexingType()) {
292         case ALL_INT32_INDEXING_TYPES:
293             return jsNumber(butterfly->contiguous().at(i).get().asInt32());
294         case ALL_CONTIGUOUS_INDEXING_TYPES:
295             return butterfly->contiguous().at(i).get();
296         case ALL_DOUBLE_INDEXING_TYPES:
297             return JSValue(JSValue::EncodeAsDouble, butterfly->contiguousDouble().at(i));
298         case ALL_ARRAY_STORAGE_INDEXING_TYPES:
299             return butterfly->arrayStorage()->m_vector[i].get();
300         default:
301             RELEASE_ASSERT_NOT_REACHED();
302             return JSValue();
303         }
304     }
305         
306     JSValue tryGetIndexQuickly(unsigned i) const
307     {
308         Butterfly* butterfly = const_cast<JSObject*>(this)->butterfly();
309         switch (indexingType()) {
310         case ALL_BLANK_INDEXING_TYPES:
311         case ALL_UNDECIDED_INDEXING_TYPES:
312             break;
313         case ALL_INT32_INDEXING_TYPES:
314             if (i < butterfly->publicLength()) {
315                 JSValue result = butterfly->contiguous().at(i).get();
316                 ASSERT(result.isInt32() || !result);
317                 return result;
318             }
319             break;
320         case ALL_CONTIGUOUS_INDEXING_TYPES:
321             if (i < butterfly->publicLength())
322                 return butterfly->contiguous().at(i).get();
323             break;
324         case ALL_DOUBLE_INDEXING_TYPES: {
325             if (i >= butterfly->publicLength())
326                 break;
327             double result = butterfly->contiguousDouble().at(i);
328             if (result != result)
329                 break;
330             return JSValue(JSValue::EncodeAsDouble, result);
331         }
332         case ALL_ARRAY_STORAGE_INDEXING_TYPES:
333             if (i < butterfly->arrayStorage()->vectorLength())
334                 return butterfly->arrayStorage()->m_vector[i].get();
335             break;
336         default:
337             RELEASE_ASSERT_NOT_REACHED();
338             break;
339         }
340         return JSValue();
341     }
342         
343     JSValue getDirectIndex(ExecState* exec, unsigned i)
344     {
345         if (JSValue result = tryGetIndexQuickly(i))
346             return result;
347         PropertySlot slot(this, PropertySlot::InternalMethodType::Get);
348         if (methodTable(exec->vm())->getOwnPropertySlotByIndex(this, exec, i, slot))
349             return slot.getValue(exec, i);
350         return JSValue();
351     }
352         
353     JSValue getIndex(ExecState* exec, unsigned i) const
354     {
355         if (JSValue result = tryGetIndexQuickly(i))
356             return result;
357         return get(exec, i);
358     }
359         
360     bool canSetIndexQuickly(unsigned i)
361     {
362         Butterfly* butterfly = this->butterfly();
363         switch (indexingType()) {
364         case ALL_BLANK_INDEXING_TYPES:
365         case ALL_UNDECIDED_INDEXING_TYPES:
366             return false;
367         case ALL_INT32_INDEXING_TYPES:
368         case ALL_DOUBLE_INDEXING_TYPES:
369         case ALL_CONTIGUOUS_INDEXING_TYPES:
370         case NonArrayWithArrayStorage:
371         case ArrayWithArrayStorage:
372             return i < butterfly->vectorLength();
373         case NonArrayWithSlowPutArrayStorage:
374         case ArrayWithSlowPutArrayStorage:
375             return i < butterfly->arrayStorage()->vectorLength()
376                 && !!butterfly->arrayStorage()->m_vector[i];
377         default:
378             RELEASE_ASSERT_NOT_REACHED();
379             return false;
380         }
381     }
382         
383     void setIndexQuickly(VM& vm, unsigned i, JSValue v)
384     {
385         Butterfly* butterfly = m_butterfly.get();
386         switch (indexingType()) {
387         case ALL_INT32_INDEXING_TYPES: {
388             ASSERT(i < butterfly->vectorLength());
389             if (!v.isInt32()) {
390                 convertInt32ToDoubleOrContiguousWhilePerformingSetIndex(vm, i, v);
391                 return;
392             }
393             FALLTHROUGH;
394         }
395         case ALL_CONTIGUOUS_INDEXING_TYPES: {
396             ASSERT(i < butterfly->vectorLength());
397             butterfly->contiguous().at(i).set(vm, this, v);
398             if (i >= butterfly->publicLength())
399                 butterfly->setPublicLength(i + 1);
400             break;
401         }
402         case ALL_DOUBLE_INDEXING_TYPES: {
403             ASSERT(i < butterfly->vectorLength());
404             if (!v.isNumber()) {
405                 convertDoubleToContiguousWhilePerformingSetIndex(vm, i, v);
406                 return;
407             }
408             double value = v.asNumber();
409             if (value != value) {
410                 convertDoubleToContiguousWhilePerformingSetIndex(vm, i, v);
411                 return;
412             }
413             butterfly->contiguousDouble().at(i) = value;
414             if (i >= butterfly->publicLength())
415                 butterfly->setPublicLength(i + 1);
416             break;
417         }
418         case ALL_ARRAY_STORAGE_INDEXING_TYPES: {
419             ArrayStorage* storage = butterfly->arrayStorage();
420             WriteBarrier<Unknown>& x = storage->m_vector[i];
421             JSValue old = x.get();
422             x.set(vm, this, v);
423             if (!old) {
424                 ++storage->m_numValuesInVector;
425                 if (i >= storage->length())
426                     storage->setLength(i + 1);
427             }
428             break;
429         }
430         default:
431             RELEASE_ASSERT_NOT_REACHED();
432         }
433     }
434
435     void initializeIndex(ObjectInitializationScope& scope, unsigned i, JSValue v)
436     {
437         initializeIndex(scope, i, v, indexingType());
438     }
439
440     // NOTE: Clients of this method may call it more than once for any index, and this is supposed
441     // to work.
442     ALWAYS_INLINE void initializeIndex(ObjectInitializationScope& scope, unsigned i, JSValue v, IndexingType indexingType)
443     {
444         VM& vm = scope.vm();
445         Butterfly* butterfly = m_butterfly.get();
446         switch (indexingType) {
447         case ALL_UNDECIDED_INDEXING_TYPES: {
448             setIndexQuicklyToUndecided(vm, i, v);
449             break;
450         }
451         case ALL_INT32_INDEXING_TYPES: {
452             ASSERT(i < butterfly->publicLength());
453             ASSERT(i < butterfly->vectorLength());
454             if (!v.isInt32()) {
455                 convertInt32ToDoubleOrContiguousWhilePerformingSetIndex(vm, i, v);
456                 break;
457             }
458             FALLTHROUGH;
459         }
460         case ALL_CONTIGUOUS_INDEXING_TYPES: {
461             ASSERT(i < butterfly->publicLength());
462             ASSERT(i < butterfly->vectorLength());
463             butterfly->contiguous().at(i).set(vm, this, v);
464             break;
465         }
466         case ALL_DOUBLE_INDEXING_TYPES: {
467             ASSERT(i < butterfly->publicLength());
468             ASSERT(i < butterfly->vectorLength());
469             if (!v.isNumber()) {
470                 convertDoubleToContiguousWhilePerformingSetIndex(vm, i, v);
471                 return;
472             }
473             double value = v.asNumber();
474             if (value != value) {
475                 convertDoubleToContiguousWhilePerformingSetIndex(vm, i, v);
476                 return;
477             }
478             butterfly->contiguousDouble().at(i) = value;
479             break;
480         }
481         case ALL_ARRAY_STORAGE_INDEXING_TYPES: {
482             ArrayStorage* storage = butterfly->arrayStorage();
483             ASSERT(i < storage->length());
484             ASSERT(i < storage->m_numValuesInVector);
485             storage->m_vector[i].set(vm, this, v);
486             break;
487         }
488         default:
489             RELEASE_ASSERT_NOT_REACHED();
490         }
491     }
492         
493     void initializeIndexWithoutBarrier(ObjectInitializationScope& scope, unsigned i, JSValue v)
494     {
495         initializeIndexWithoutBarrier(scope, i, v, indexingType());
496     }
497
498     // This version of initializeIndex is for cases where you know that you will not need any
499     // barriers. This implies not having any data format conversions.
500     ALWAYS_INLINE void initializeIndexWithoutBarrier(ObjectInitializationScope&, unsigned i, JSValue v, IndexingType indexingType)
501     {
502         Butterfly* butterfly = m_butterfly.get();
503         switch (indexingType) {
504         case ALL_UNDECIDED_INDEXING_TYPES: {
505             RELEASE_ASSERT_NOT_REACHED();
506             break;
507         }
508         case ALL_INT32_INDEXING_TYPES: {
509             ASSERT(i < butterfly->publicLength());
510             ASSERT(i < butterfly->vectorLength());
511             RELEASE_ASSERT(v.isInt32());
512             FALLTHROUGH;
513         }
514         case ALL_CONTIGUOUS_INDEXING_TYPES: {
515             ASSERT(i < butterfly->publicLength());
516             ASSERT(i < butterfly->vectorLength());
517             butterfly->contiguous().at(i).setWithoutWriteBarrier(v);
518             break;
519         }
520         case ALL_DOUBLE_INDEXING_TYPES: {
521             ASSERT(i < butterfly->publicLength());
522             ASSERT(i < butterfly->vectorLength());
523             RELEASE_ASSERT(v.isNumber());
524             double value = v.asNumber();
525             RELEASE_ASSERT(value == value);
526             butterfly->contiguousDouble().at(i) = value;
527             break;
528         }
529         case ALL_ARRAY_STORAGE_INDEXING_TYPES: {
530             ArrayStorage* storage = butterfly->arrayStorage();
531             ASSERT(i < storage->length());
532             ASSERT(i < storage->m_numValuesInVector);
533             storage->m_vector[i].setWithoutWriteBarrier(v);
534             break;
535         }
536         default:
537             RELEASE_ASSERT_NOT_REACHED();
538         }
539     }
540         
541     bool hasSparseMap()
542     {
543         switch (indexingType()) {
544         case ALL_BLANK_INDEXING_TYPES:
545         case ALL_UNDECIDED_INDEXING_TYPES:
546         case ALL_INT32_INDEXING_TYPES:
547         case ALL_DOUBLE_INDEXING_TYPES:
548         case ALL_CONTIGUOUS_INDEXING_TYPES:
549             return false;
550         case ALL_ARRAY_STORAGE_INDEXING_TYPES:
551             return !!m_butterfly->arrayStorage()->m_sparseMap;
552         default:
553             RELEASE_ASSERT_NOT_REACHED();
554             return false;
555         }
556     }
557         
558     bool inSparseIndexingMode()
559     {
560         switch (indexingType()) {
561         case ALL_BLANK_INDEXING_TYPES:
562         case ALL_UNDECIDED_INDEXING_TYPES:
563         case ALL_INT32_INDEXING_TYPES:
564         case ALL_DOUBLE_INDEXING_TYPES:
565         case ALL_CONTIGUOUS_INDEXING_TYPES:
566             return false;
567         case ALL_ARRAY_STORAGE_INDEXING_TYPES:
568             return m_butterfly->arrayStorage()->inSparseMode();
569         default:
570             RELEASE_ASSERT_NOT_REACHED();
571             return false;
572         }
573     }
574         
575     void enterDictionaryIndexingMode(VM&);
576
577     // putDirect is effectively an unchecked vesion of 'defineOwnProperty':
578     //  - the prototype chain is not consulted
579     //  - accessors are not called.
580     //  - attributes will be respected (after the call the property will exist with the given attributes)
581     //  - the property name is assumed to not be an index.
582     bool putDirect(VM&, PropertyName, JSValue, unsigned attributes = 0);
583     bool putDirect(VM&, PropertyName, JSValue, PutPropertySlot&);
584     void putDirectWithoutTransition(VM&, PropertyName, JSValue, unsigned attributes = 0);
585     bool putDirectNonIndexAccessor(VM&, PropertyName, JSValue, unsigned attributes);
586     bool putDirectAccessor(ExecState*, PropertyName, JSValue, unsigned attributes);
587     JS_EXPORT_PRIVATE bool putDirectCustomAccessor(VM&, PropertyName, JSValue, unsigned attributes);
588
589     bool putGetter(ExecState*, PropertyName, JSValue, unsigned attributes);
590     bool putSetter(ExecState*, PropertyName, JSValue, unsigned attributes);
591
592     JS_EXPORT_PRIVATE bool hasProperty(ExecState*, PropertyName) const;
593     JS_EXPORT_PRIVATE bool hasProperty(ExecState*, unsigned propertyName) const;
594     bool hasPropertyGeneric(ExecState*, PropertyName, PropertySlot::InternalMethodType) const;
595     bool hasPropertyGeneric(ExecState*, unsigned propertyName, PropertySlot::InternalMethodType) const;
596     bool hasOwnProperty(ExecState*, PropertyName, PropertySlot&) const;
597     bool hasOwnProperty(ExecState*, PropertyName) const;
598     bool hasOwnProperty(ExecState*, unsigned) const;
599
600     JS_EXPORT_PRIVATE static bool deleteProperty(JSCell*, ExecState*, PropertyName);
601     JS_EXPORT_PRIVATE static bool deletePropertyByIndex(JSCell*, ExecState*, unsigned propertyName);
602
603     JS_EXPORT_PRIVATE static JSValue defaultValue(const JSObject*, ExecState*, PreferredPrimitiveType);
604     JSValue ordinaryToPrimitive(ExecState*, PreferredPrimitiveType) const;
605
606     JS_EXPORT_PRIVATE bool hasInstance(ExecState*, JSValue value, JSValue hasInstanceValue);
607     JS_EXPORT_PRIVATE bool hasInstance(ExecState*, JSValue);
608     static bool defaultHasInstance(ExecState*, JSValue, JSValue prototypeProperty);
609
610     JS_EXPORT_PRIVATE static void getOwnPropertyNames(JSObject*, ExecState*, PropertyNameArray&, EnumerationMode);
611     JS_EXPORT_PRIVATE static void getOwnNonIndexPropertyNames(JSObject*, ExecState*, PropertyNameArray&, EnumerationMode);
612     JS_EXPORT_PRIVATE static void getPropertyNames(JSObject*, ExecState*, PropertyNameArray&, EnumerationMode);
613
614     JS_EXPORT_PRIVATE static uint32_t getEnumerableLength(ExecState*, JSObject*);
615     JS_EXPORT_PRIVATE static void getStructurePropertyNames(JSObject*, ExecState*, PropertyNameArray&, EnumerationMode);
616     JS_EXPORT_PRIVATE static void getGenericPropertyNames(JSObject*, ExecState*, PropertyNameArray&, EnumerationMode);
617
618     JS_EXPORT_PRIVATE JSValue toPrimitive(ExecState*, PreferredPrimitiveType = NoPreference) const;
619     bool getPrimitiveNumber(ExecState*, double& number, JSValue&) const;
620     JS_EXPORT_PRIVATE double toNumber(ExecState*) const;
621     JS_EXPORT_PRIVATE JSString* toString(ExecState*) const;
622
623     JS_EXPORT_PRIVATE static JSValue toThis(JSCell*, ExecState*, ECMAMode);
624
625     // This get function only looks at the property map.
626     JSValue getDirect(VM& vm, PropertyName propertyName) const
627     {
628         Structure* structure = this->structure(vm);
629         PropertyOffset offset = structure->get(vm, propertyName);
630         checkOffset(offset, structure->inlineCapacity());
631         return offset != invalidOffset ? getDirect(offset) : JSValue();
632     }
633     
634     JSValue getDirect(VM& vm, PropertyName propertyName, unsigned& attributes) const
635     {
636         Structure* structure = this->structure(vm);
637         PropertyOffset offset = structure->get(vm, propertyName, attributes);
638         checkOffset(offset, structure->inlineCapacity());
639         return offset != invalidOffset ? getDirect(offset) : JSValue();
640     }
641
642     PropertyOffset getDirectOffset(VM& vm, PropertyName propertyName)
643     {
644         Structure* structure = this->structure(vm);
645         PropertyOffset offset = structure->get(vm, propertyName);
646         checkOffset(offset, structure->inlineCapacity());
647         return offset;
648     }
649
650     PropertyOffset getDirectOffset(VM& vm, PropertyName propertyName, unsigned& attributes)
651     {
652         Structure* structure = this->structure(vm);
653         PropertyOffset offset = structure->get(vm, propertyName, attributes);
654         checkOffset(offset, structure->inlineCapacity());
655         return offset;
656     }
657
658     bool hasInlineStorage() const { return structure()->hasInlineStorage(); }
659     ConstPropertyStorage inlineStorageUnsafe() const
660     {
661         return bitwise_cast<ConstPropertyStorage>(this + 1);
662     }
663     PropertyStorage inlineStorageUnsafe()
664     {
665         return bitwise_cast<PropertyStorage>(this + 1);
666     }
667     ConstPropertyStorage inlineStorage() const
668     {
669         ASSERT(hasInlineStorage());
670         return inlineStorageUnsafe();
671     }
672     PropertyStorage inlineStorage()
673     {
674         ASSERT(hasInlineStorage());
675         return inlineStorageUnsafe();
676     }
677         
678     const Butterfly* butterfly() const { return m_butterfly.get(); }
679     Butterfly* butterfly() { return m_butterfly.get(); }
680     
681     ConstPropertyStorage outOfLineStorage() const { return m_butterfly->propertyStorage(); }
682     PropertyStorage outOfLineStorage() { return m_butterfly->propertyStorage(); }
683
684     ALWAYS_INLINE const WriteBarrierBase<Unknown>* locationForOffset(PropertyOffset offset) const
685     {
686         if (isInlineOffset(offset))
687             return &inlineStorage()[offsetInInlineStorage(offset)];
688         return &outOfLineStorage()[offsetInOutOfLineStorage(offset)];
689     }
690
691     ALWAYS_INLINE WriteBarrierBase<Unknown>* locationForOffset(PropertyOffset offset)
692     {
693         if (isInlineOffset(offset))
694             return &inlineStorage()[offsetInInlineStorage(offset)];
695         return &outOfLineStorage()[offsetInOutOfLineStorage(offset)];
696     }
697
698     void transitionTo(VM&, Structure*);
699
700     bool hasCustomProperties() { return structure()->didTransition(); }
701     bool hasGetterSetterProperties() { return structure()->hasGetterSetterProperties(); }
702     bool hasCustomGetterSetterProperties() { return structure()->hasCustomGetterSetterProperties(); }
703
704     // putOwnDataProperty has 'put' like semantics, however this method:
705     //  - assumes the object contains no own getter/setter properties.
706     //  - provides no special handling for __proto__
707     //  - does not walk the prototype chain (to check for accessors or non-writable properties).
708     // This is used by JSLexicalEnvironment.
709     bool putOwnDataProperty(VM&, PropertyName, JSValue, PutPropertySlot&);
710     bool putOwnDataPropertyMayBeIndex(ExecState*, PropertyName, JSValue, PutPropertySlot&);
711
712     // Fast access to known property offsets.
713     ALWAYS_INLINE JSValue getDirect(PropertyOffset offset) const { return locationForOffset(offset)->get(); }
714     void putDirect(VM& vm, PropertyOffset offset, JSValue value) { locationForOffset(offset)->set(vm, this, value); }
715     void putDirectWithoutBarrier(PropertyOffset offset, JSValue value) { locationForOffset(offset)->setWithoutWriteBarrier(value); }
716     void putDirectUndefined(PropertyOffset offset) { locationForOffset(offset)->setUndefined(); }
717
718     JS_EXPORT_PRIVATE bool putDirectNativeIntrinsicGetter(VM&, JSGlobalObject*, Identifier, NativeFunction, Intrinsic, unsigned attributes);
719     JS_EXPORT_PRIVATE bool putDirectNativeFunction(VM&, JSGlobalObject*, const PropertyName&, unsigned functionLength, NativeFunction, Intrinsic, unsigned attributes);
720     JS_EXPORT_PRIVATE bool putDirectNativeFunction(VM&, JSGlobalObject*, const PropertyName&, unsigned functionLength, NativeFunction, Intrinsic, const DOMJIT::Signature*, unsigned attributes);
721     JS_EXPORT_PRIVATE void putDirectNativeFunctionWithoutTransition(VM&, JSGlobalObject*, const PropertyName&, unsigned functionLength, NativeFunction, Intrinsic, unsigned attributes);
722
723     JS_EXPORT_PRIVATE JSFunction* putDirectBuiltinFunction(VM&, JSGlobalObject*, const PropertyName&, FunctionExecutable*, unsigned attributes);
724     JSFunction* putDirectBuiltinFunctionWithoutTransition(VM&, JSGlobalObject*, const PropertyName&, FunctionExecutable*, unsigned attributes);
725
726     JS_EXPORT_PRIVATE static bool defineOwnProperty(JSObject*, ExecState*, PropertyName, const PropertyDescriptor&, bool shouldThrow);
727
728     bool isEnvironment() const;
729     bool isGlobalObject() const;
730     bool isJSLexicalEnvironment() const;
731     bool isGlobalLexicalEnvironment() const;
732     bool isStrictEvalActivation() const;
733     bool isWithScope() const;
734
735     bool isErrorInstance() const;
736
737     JS_EXPORT_PRIVATE void seal(VM&);
738     JS_EXPORT_PRIVATE void freeze(VM&);
739     JS_EXPORT_PRIVATE static bool preventExtensions(JSObject*, ExecState*);
740     JS_EXPORT_PRIVATE static bool isExtensible(JSObject*, ExecState*);
741     bool isSealed(VM& vm) { return structure(vm)->isSealed(vm); }
742     bool isFrozen(VM& vm) { return structure(vm)->isFrozen(vm); }
743
744     bool anyObjectInChainMayInterceptIndexedAccesses() const;
745     JS_EXPORT_PRIVATE bool prototypeChainMayInterceptStoreTo(VM&, PropertyName);
746     bool needsSlowPutIndexing() const;
747     NonPropertyTransition suggestedArrayStorageTransition() const;
748
749 private:
750     ALWAYS_INLINE bool isExtensibleImpl() { return isStructureExtensible(); }
751 public:
752     // You should only call isStructureExtensible() when:
753     // - Performing this check in a way that isn't described in the specification 
754     //   as calling the virtual [[IsExtensible]] trap.
755     // - When you're guaranteed that object->methodTable()->isExtensible isn't
756     //   overridden.
757     ALWAYS_INLINE bool isStructureExtensible() { return structure()->isStructureExtensible(); }
758     // You should call this when performing [[IsExtensible]] trap in a place
759     // that is described in the specification. This performs the fully virtual
760     // [[IsExtensible]] trap.
761     bool isExtensible(ExecState*);
762     bool indexingShouldBeSparse()
763     {
764         return !isStructureExtensible()
765             || structure()->typeInfo().interceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero();
766     }
767
768     bool staticPropertiesReified() { return structure()->staticPropertiesReified(); }
769     void reifyAllStaticProperties(ExecState*);
770
771     JS_EXPORT_PRIVATE Butterfly* allocateMoreOutOfLineStorage(VM&, size_t oldSize, size_t newSize);
772
773     // Call this when you do not need to change the structure.
774     void setButterfly(VM&, Butterfly*);
775     
776     // Call this if you do need to change the structure, or if you changed something about a structure
777     // in-place.
778     void nukeStructureAndSetButterfly(VM&, StructureID oldStructureID, Butterfly*);
779
780     void setStructure(VM&, Structure*);
781
782     JS_EXPORT_PRIVATE void convertToDictionary(VM&);
783
784     void flattenDictionaryObject(VM& vm)
785     {
786         structure(vm)->flattenDictionaryStructure(vm, this);
787     }
788     void shiftButterflyAfterFlattening(const GCSafeConcurrentJSLocker&, VM&, Structure* structure, size_t outOfLineCapacityAfter);
789
790     JSGlobalObject* globalObject() const
791     {
792         ASSERT(structure()->globalObject());
793         ASSERT(!isGlobalObject() || ((JSObject*)structure()->globalObject()) == this);
794         return structure()->globalObject();
795     }
796         
797     JSGlobalObject* globalObject(VM& vm) const
798     {
799         ASSERT(structure(vm)->globalObject());
800         ASSERT(!isGlobalObject() || ((JSObject*)structure()->globalObject()) == this);
801         return structure(vm)->globalObject();
802     }
803         
804     void switchToSlowPutArrayStorage(VM&);
805         
806     // The receiver is the prototype in this case. The following:
807     //
808     // asObject(foo->structure()->storedPrototype())->attemptToInterceptPutByIndexOnHoleForPrototype(...)
809     //
810     // is equivalent to:
811     //
812     // foo->attemptToInterceptPutByIndexOnHole(...);
813     bool attemptToInterceptPutByIndexOnHoleForPrototype(ExecState*, JSValue thisValue, unsigned propertyName, JSValue, bool shouldThrow, bool& putResult);
814         
815     // Returns 0 if int32 storage cannot be created - either because
816     // indexing should be sparse, we're having a bad time, or because
817     // we already have a more general form of storage (double,
818     // contiguous, array storage).
819     ContiguousJSValues ensureInt32(VM& vm)
820     {
821         if (LIKELY(hasInt32(indexingType())))
822             return m_butterfly->contiguousInt32();
823             
824         return ensureInt32Slow(vm);
825     }
826         
827     // Returns 0 if double storage cannot be created - either because
828     // indexing should be sparse, we're having a bad time, or because
829     // we already have a more general form of storage (contiguous,
830     // or array storage).
831     ContiguousDoubles ensureDouble(VM& vm)
832     {
833         if (LIKELY(hasDouble(indexingType())))
834             return m_butterfly->contiguousDouble();
835             
836         return ensureDoubleSlow(vm);
837     }
838         
839     // Returns 0 if contiguous storage cannot be created - either because
840     // indexing should be sparse or because we're having a bad time.
841     ContiguousJSValues ensureContiguous(VM& vm)
842     {
843         if (LIKELY(hasContiguous(indexingType())))
844             return m_butterfly->contiguous();
845             
846         return ensureContiguousSlow(vm);
847     }
848
849     // Ensure that the object is in a mode where it has array storage. Use
850     // this if you're about to perform actions that would have required the
851     // object to be converted to have array storage, if it didn't have it
852     // already.
853     ArrayStorage* ensureArrayStorage(VM& vm)
854     {
855         if (LIKELY(hasAnyArrayStorage(indexingType())))
856             return m_butterfly->arrayStorage();
857
858         return ensureArrayStorageSlow(vm);
859     }
860         
861     static size_t offsetOfInlineStorage();
862         
863     static ptrdiff_t butterflyOffset()
864     {
865         return OBJECT_OFFSETOF(JSObject, m_butterfly);
866     }
867     void* butterflyAddress()
868     {
869         return &m_butterfly;
870     }
871
872     JS_EXPORT_PRIVATE JSValue getMethod(ExecState*, CallData&, CallType&, const Identifier&, const String& errorMessage);
873
874     DECLARE_EXPORT_INFO;
875
876 protected:
877     void finishCreation(VM& vm)
878     {
879         Base::finishCreation(vm);
880         ASSERT(jsDynamicCast<JSObject*>(vm, this));
881         ASSERT(structure()->hasPolyProto() || getPrototypeDirect(vm).isNull() || Heap::heap(this) == Heap::heap(getPrototypeDirect(vm)));
882         ASSERT(structure()->isObject());
883         ASSERT(classInfo(vm));
884     }
885
886     static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
887     {
888         return Structure::create(vm, globalObject, prototype, TypeInfo(ObjectType, StructureFlags), info());
889     }
890
891     // To instantiate objects you likely want JSFinalObject, below.
892     // To create derived types you likely want JSNonFinalObject, below.
893     JSObject(VM&, Structure*, Butterfly* = nullptr);
894     
895     // Visits the butterfly unless there is a race. Returns the structure if there was no race.
896     Structure* visitButterfly(SlotVisitor&);
897     
898     Structure* visitButterflyImpl(SlotVisitor&);
899     
900     void markAuxiliaryAndVisitOutOfLineProperties(SlotVisitor&, Butterfly*, Structure*, PropertyOffset lastOffset);
901
902     // Call this if you know that the object is in a mode where it has array
903     // storage. This will assert otherwise.
904     ArrayStorage* arrayStorage()
905     {
906         ASSERT(hasAnyArrayStorage(indexingType()));
907         return m_butterfly->arrayStorage();
908     }
909         
910     // Call this if you want to predicate some actions on whether or not the
911     // object is in a mode where it has array storage.
912     ArrayStorage* arrayStorageOrNull()
913     {
914         switch (indexingType()) {
915         case ALL_ARRAY_STORAGE_INDEXING_TYPES:
916             return m_butterfly->arrayStorage();
917                 
918         default:
919             return 0;
920         }
921     }
922         
923     size_t butterflyTotalSize();
924     size_t butterflyPreCapacity();
925
926     Butterfly* createInitialUndecided(VM&, unsigned length);
927     ContiguousJSValues createInitialInt32(VM&, unsigned length);
928     ContiguousDoubles createInitialDouble(VM&, unsigned length);
929     ContiguousJSValues createInitialContiguous(VM&, unsigned length);
930         
931     void convertUndecidedForValue(VM&, JSValue);
932     void createInitialForValueAndSet(VM&, unsigned index, JSValue);
933     void convertInt32ForValue(VM&, JSValue);
934         
935     static Butterfly* createArrayStorageButterfly(VM&, JSCell* intendedOwner, Structure*, unsigned length, unsigned vectorLength, Butterfly* oldButterfly = nullptr);
936     ArrayStorage* createArrayStorage(VM&, unsigned length, unsigned vectorLength);
937     ArrayStorage* createInitialArrayStorage(VM&);
938         
939     ContiguousJSValues convertUndecidedToInt32(VM&);
940     ContiguousDoubles convertUndecidedToDouble(VM&);
941     ContiguousJSValues convertUndecidedToContiguous(VM&);
942     ArrayStorage* convertUndecidedToArrayStorage(VM&, NonPropertyTransition);
943     ArrayStorage* convertUndecidedToArrayStorage(VM&);
944         
945     ContiguousDoubles convertInt32ToDouble(VM&);
946     ContiguousJSValues convertInt32ToContiguous(VM&);
947     ArrayStorage* convertInt32ToArrayStorage(VM&, NonPropertyTransition);
948     ArrayStorage* convertInt32ToArrayStorage(VM&);
949     
950     ContiguousJSValues convertDoubleToContiguous(VM&);
951     ArrayStorage* convertDoubleToArrayStorage(VM&, NonPropertyTransition);
952     ArrayStorage* convertDoubleToArrayStorage(VM&);
953         
954     ArrayStorage* convertContiguousToArrayStorage(VM&, NonPropertyTransition);
955     ArrayStorage* convertContiguousToArrayStorage(VM&);
956
957         
958     ArrayStorage* ensureArrayStorageExistsAndEnterDictionaryIndexingMode(VM&);
959         
960     bool defineOwnNonIndexProperty(ExecState*, PropertyName, const PropertyDescriptor&, bool throwException);
961
962     template<IndexingType indexingShape>
963     bool putByIndexBeyondVectorLengthWithoutAttributes(ExecState*, unsigned propertyName, JSValue);
964     bool putByIndexBeyondVectorLengthWithArrayStorage(ExecState*, unsigned propertyName, JSValue, bool shouldThrow, ArrayStorage*);
965
966     bool increaseVectorLength(VM&, unsigned newLength);
967     void deallocateSparseIndexMap();
968     bool defineOwnIndexedProperty(ExecState*, unsigned, const PropertyDescriptor&, bool throwException);
969     SparseArrayValueMap* allocateSparseIndexMap(VM&);
970         
971     void notifyPresenceOfIndexedAccessors(VM&);
972         
973     bool attemptToInterceptPutByIndexOnHole(ExecState*, unsigned index, JSValue, bool shouldThrow, bool& putResult);
974         
975     // Call this if you want setIndexQuickly to succeed and you're sure that
976     // the array is contiguous.
977     bool WARN_UNUSED_RETURN ensureLength(VM& vm, unsigned length)
978     {
979         RELEASE_ASSERT(length <= MAX_STORAGE_VECTOR_LENGTH);
980         ASSERT(hasContiguous(indexingType()) || hasInt32(indexingType()) || hasDouble(indexingType()) || hasUndecided(indexingType()));
981
982         if (m_butterfly->vectorLength() < length) {
983             if (!ensureLengthSlow(vm, length))
984                 return false;
985         }
986             
987         if (m_butterfly->publicLength() < length)
988             m_butterfly->setPublicLength(length);
989         return true;
990     }
991         
992     // Call this if you want to shrink the butterfly backing store, and you're
993     // sure that the array is contiguous.
994     void reallocateAndShrinkButterfly(VM&, unsigned length);
995     
996     template<IndexingType indexingShape>
997     unsigned countElements(Butterfly*);
998         
999     // This is relevant to undecided, int32, double, and contiguous.
1000     unsigned countElements();
1001         
1002 private:
1003     friend class LLIntOffsetsExtractor;
1004         
1005     // Nobody should ever ask any of these questions on something already known to be a JSObject.
1006     using JSCell::isAPIValueWrapper;
1007     using JSCell::isGetterSetter;
1008     void getObject();
1009     void getString(ExecState* exec);
1010     void isObject();
1011     void isString();
1012         
1013     Butterfly* createInitialIndexedStorage(VM&, unsigned length);
1014         
1015     ArrayStorage* enterDictionaryIndexingModeWhenArrayStorageAlreadyExists(VM&, ArrayStorage*);
1016         
1017     template<PutMode>
1018     bool putDirectInternal(VM&, PropertyName, JSValue, unsigned attr, PutPropertySlot&);
1019     bool canPerformFastPutInline(VM&, PropertyName);
1020
1021     JS_EXPORT_PRIVATE NEVER_INLINE bool putInlineSlow(ExecState*, PropertyName, JSValue, PutPropertySlot&);
1022
1023     bool getNonIndexPropertySlot(ExecState*, PropertyName, PropertySlot&);
1024     bool getOwnNonIndexPropertySlot(VM&, Structure*, PropertyName, PropertySlot&);
1025     JS_EXPORT_PRIVATE void fillGetterPropertySlot(PropertySlot&, JSCell*, unsigned, PropertyOffset);
1026     void fillCustomGetterPropertySlot(VM&, PropertySlot&, CustomGetterSetter*, unsigned, Structure*);
1027
1028     JS_EXPORT_PRIVATE bool getOwnStaticPropertySlot(VM&, PropertyName, PropertySlot&);
1029     struct PropertyHashEntry {
1030         const HashTable* table;
1031         const HashTableValue* value;
1032     };
1033     std::optional<PropertyHashEntry> findPropertyHashEntry(VM&, PropertyName) const;
1034         
1035     bool putIndexedDescriptor(ExecState*, SparseArrayEntry*, const PropertyDescriptor&, PropertyDescriptor& old);
1036         
1037     bool putByIndexBeyondVectorLength(ExecState*, unsigned propertyName, JSValue, bool shouldThrow);
1038     bool putDirectIndexBeyondVectorLengthWithArrayStorage(ExecState*, unsigned propertyName, JSValue, unsigned attributes, PutDirectIndexMode, ArrayStorage*);
1039     JS_EXPORT_PRIVATE bool putDirectIndexSlowOrBeyondVectorLength(ExecState*, unsigned propertyName, JSValue, unsigned attributes, PutDirectIndexMode);
1040         
1041     unsigned getNewVectorLength(unsigned indexBias, unsigned currentVectorLength, unsigned currentLength, unsigned desiredLength);
1042     unsigned getNewVectorLength(unsigned desiredLength);
1043
1044     ArrayStorage* constructConvertedArrayStorageWithoutCopyingElements(VM&, unsigned neededLength);
1045         
1046     JS_EXPORT_PRIVATE void setIndexQuicklyToUndecided(VM&, unsigned index, JSValue);
1047     JS_EXPORT_PRIVATE void convertInt32ToDoubleOrContiguousWhilePerformingSetIndex(VM&, unsigned index, JSValue);
1048     JS_EXPORT_PRIVATE void convertDoubleToContiguousWhilePerformingSetIndex(VM&, unsigned index, JSValue);
1049         
1050     bool ensureLengthSlow(VM&, unsigned length);
1051         
1052     ContiguousJSValues ensureInt32Slow(VM&);
1053     ContiguousDoubles ensureDoubleSlow(VM&);
1054     ContiguousJSValues ensureContiguousSlow(VM&);
1055     JS_EXPORT_PRIVATE ArrayStorage* ensureArrayStorageSlow(VM&);
1056
1057     PropertyOffset prepareToPutDirectWithoutTransition(VM&, PropertyName, unsigned attributes, StructureID, Structure*);
1058
1059     AuxiliaryBarrier<Butterfly*> m_butterfly;
1060 #if USE(JSVALUE32_64)
1061     unsigned m_32BitPadding;
1062 #endif
1063 };
1064
1065 // JSNonFinalObject is a type of JSObject that has some internal storage,
1066 // but also preserves some space in the collector cell for additional
1067 // data members in derived types.
1068 class JSNonFinalObject : public JSObject {
1069     friend class JSObject;
1070
1071 public:
1072     typedef JSObject Base;
1073
1074     static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
1075     {
1076         return Structure::create(vm, globalObject, prototype, TypeInfo(ObjectType, StructureFlags), info());
1077     }
1078
1079 protected:
1080     explicit JSNonFinalObject(VM& vm, Structure* structure, Butterfly* butterfly = 0)
1081         : JSObject(vm, structure, butterfly)
1082     {
1083     }
1084
1085     void finishCreation(VM& vm)
1086     {
1087         Base::finishCreation(vm);
1088         ASSERT(!this->structure()->hasInlineStorage());
1089         ASSERT(classInfo(vm));
1090     }
1091 };
1092
1093 class JSFinalObject;
1094
1095 // JSFinalObject is a type of JSObject that contains sufficient internal
1096 // storage to fully make use of the collector cell containing it.
1097 class JSFinalObject final : public JSObject {
1098     friend class JSObject;
1099
1100 public:
1101     typedef JSObject Base;
1102     static const unsigned StructureFlags = Base::StructureFlags;
1103
1104     static size_t allocationSize(Checked<size_t> inlineCapacity)
1105     {
1106         return (sizeof(JSObject) + inlineCapacity * sizeof(WriteBarrierBase<Unknown>)).unsafeGet();
1107     }
1108
1109     static inline const TypeInfo typeInfo() { return TypeInfo(FinalObjectType, StructureFlags); }
1110     static const IndexingType defaultIndexingType = NonArray;
1111         
1112     static const unsigned defaultSize = 64;
1113     static inline unsigned defaultInlineCapacity()
1114     {
1115         return (defaultSize - allocationSize(0)) / sizeof(WriteBarrier<Unknown>);
1116     }
1117
1118     static const unsigned maxSize = 512;
1119     static inline unsigned maxInlineCapacity()
1120     {
1121         return (maxSize - allocationSize(0)) / sizeof(WriteBarrier<Unknown>);
1122     }
1123
1124     static JSFinalObject* create(ExecState*, Structure*, Butterfly* = nullptr);
1125     static JSFinalObject* create(VM&, Structure*);
1126     static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype, unsigned inlineCapacity)
1127     {
1128         return Structure::create(vm, globalObject, prototype, typeInfo(), info(), defaultIndexingType, inlineCapacity);
1129     }
1130
1131     JS_EXPORT_PRIVATE static void visitChildren(JSCell*, SlotVisitor&);
1132
1133     DECLARE_EXPORT_INFO;
1134
1135 protected:
1136     void visitChildrenCommon(SlotVisitor&);
1137         
1138     void finishCreation(VM& vm)
1139     {
1140         Base::finishCreation(vm);
1141         ASSERT(structure()->totalStorageCapacity() == structure()->inlineCapacity());
1142         ASSERT(classInfo(vm));
1143     }
1144
1145 private:
1146     friend class LLIntOffsetsExtractor;
1147
1148     explicit JSFinalObject(VM& vm, Structure* structure, Butterfly* butterfly = nullptr)
1149         : JSObject(vm, structure, butterfly)
1150     {
1151         memset(inlineStorageUnsafe(), 0, structure->inlineCapacity() * sizeof(EncodedJSValue));
1152     }
1153 };
1154
1155 JS_EXPORT_PRIVATE EncodedJSValue JSC_HOST_CALL objectPrivateFuncInstanceOf(ExecState*);
1156
1157 inline JSObject* JSObject::createRawObject(
1158     ExecState* exec, Structure* structure, Butterfly* butterfly)
1159 {
1160     VM& vm = exec->vm();
1161     JSObject* finalObject = new (
1162         NotNull, 
1163         allocateCell<JSFinalObject>(
1164             vm.heap,
1165             JSFinalObject::allocationSize(structure->inlineCapacity())
1166         )
1167     ) JSObject(vm, structure, butterfly);
1168     finalObject->finishCreation(vm);
1169     return finalObject;
1170 }
1171
1172 inline JSFinalObject* JSFinalObject::create(
1173     ExecState* exec, Structure* structure, Butterfly* butterfly)
1174 {
1175     VM& vm = exec->vm();
1176     JSFinalObject* finalObject = new (
1177         NotNull, 
1178         allocateCell<JSFinalObject>(
1179             vm.heap,
1180             allocationSize(structure->inlineCapacity())
1181         )
1182     ) JSFinalObject(vm, structure, butterfly);
1183     finalObject->finishCreation(vm);
1184     return finalObject;
1185 }
1186
1187 inline JSFinalObject* JSFinalObject::create(VM& vm, Structure* structure)
1188 {
1189     JSFinalObject* finalObject = new (NotNull, allocateCell<JSFinalObject>(vm.heap, allocationSize(structure->inlineCapacity()))) JSFinalObject(vm, structure);
1190     finalObject->finishCreation(vm);
1191     return finalObject;
1192 }
1193
1194 inline size_t JSObject::offsetOfInlineStorage()
1195 {
1196     return sizeof(JSObject);
1197 }
1198
1199 inline bool JSObject::isGlobalObject() const
1200 {
1201     return type() == GlobalObjectType;
1202 }
1203
1204 inline bool JSObject::isJSLexicalEnvironment() const
1205 {
1206     return type() == LexicalEnvironmentType || type() == ModuleEnvironmentType;
1207 }
1208
1209 inline bool JSObject::isGlobalLexicalEnvironment() const
1210 {
1211     return type() == GlobalLexicalEnvironmentType;
1212 }
1213
1214 inline bool JSObject::isStrictEvalActivation() const
1215 {
1216     return type() == StrictEvalActivationType;
1217 }
1218
1219 inline bool JSObject::isEnvironment() const
1220 {
1221     bool result = GlobalObjectType <= type() && type() <= StrictEvalActivationType;
1222     ASSERT((isGlobalObject() || isJSLexicalEnvironment() || isGlobalLexicalEnvironment() || isStrictEvalActivation()) == result);
1223     return result;
1224 }
1225
1226 inline bool JSObject::isErrorInstance() const
1227 {
1228     return type() == ErrorInstanceType;
1229 }
1230
1231 inline bool JSObject::isWithScope() const
1232 {
1233     return type() == WithScopeType;
1234 }
1235
1236 inline void JSObject::setStructure(VM& vm, Structure* structure)
1237 {
1238     ASSERT(structure);
1239     ASSERT(!m_butterfly == !(structure->outOfLineCapacity() || structure->hasIndexingHeader(this)));
1240     JSCell::setStructure(vm, structure);
1241 }
1242
1243 inline void JSObject::setButterfly(VM& vm, Butterfly* butterfly)
1244 {
1245     if (isX86() || vm.heap.mutatorShouldBeFenced()) {
1246         WTF::storeStoreFence();
1247         m_butterfly.set(vm, this, butterfly);
1248         WTF::storeStoreFence();
1249         return;
1250     }
1251
1252     m_butterfly.set(vm, this, butterfly);
1253 }
1254
1255 inline void JSObject::nukeStructureAndSetButterfly(VM& vm, StructureID oldStructureID, Butterfly* butterfly)
1256 {
1257     if (isX86() || vm.heap.mutatorShouldBeFenced()) {
1258         setStructureIDDirectly(nuke(oldStructureID));
1259         WTF::storeStoreFence();
1260         m_butterfly.set(vm, this, butterfly);
1261         WTF::storeStoreFence();
1262         return;
1263     }
1264
1265     m_butterfly.set(vm, this, butterfly);
1266 }
1267
1268 inline CallType getCallData(JSValue value, CallData& callData)
1269 {
1270     CallType result = value.isCell() ? value.asCell()->methodTable()->getCallData(value.asCell(), callData) : CallType::None;
1271     ASSERT(result == CallType::None || value.isValidCallee());
1272     return result;
1273 }
1274
1275 inline ConstructType getConstructData(JSValue value, ConstructData& constructData)
1276 {
1277     ConstructType result = value.isCell() ? value.asCell()->methodTable()->getConstructData(value.asCell(), constructData) : ConstructType::None;
1278     ASSERT(result == ConstructType::None || value.isValidCallee());
1279     return result;
1280 }
1281
1282 inline JSObject* asObject(JSCell* cell)
1283 {
1284     ASSERT(cell->isObject());
1285     return jsCast<JSObject*>(cell);
1286 }
1287
1288 inline JSObject* asObject(JSValue value)
1289 {
1290     return asObject(value.asCell());
1291 }
1292
1293 inline JSObject::JSObject(VM& vm, Structure* structure, Butterfly* butterfly)
1294     : JSCell(vm, structure)
1295     , m_butterfly(vm, this, butterfly)
1296 {
1297 }
1298
1299 inline JSValue JSObject::getPrototypeDirect(VM& vm) const
1300 {
1301     return structure(vm)->storedPrototype(this);
1302 }
1303
1304 inline JSValue JSObject::getPrototype(VM& vm, ExecState* exec)
1305 {
1306     auto getPrototypeMethod = methodTable(vm)->getPrototype;
1307     MethodTable::GetPrototypeFunctionPtr defaultGetPrototype = JSObject::getPrototype;
1308     if (LIKELY(getPrototypeMethod == defaultGetPrototype))
1309         return getPrototypeDirect(vm);
1310     return getPrototypeMethod(this, exec);
1311 }
1312
1313 // It is safe to call this method with a PropertyName that is actually an index,
1314 // but if so will always return false (doesn't search index storage).
1315 ALWAYS_INLINE bool JSObject::getOwnNonIndexPropertySlot(VM& vm, Structure* structure, PropertyName propertyName, PropertySlot& slot)
1316 {
1317     unsigned attributes;
1318     PropertyOffset offset = structure->get(vm, propertyName, attributes);
1319     if (!isValidOffset(offset)) {
1320         if (!TypeInfo::hasStaticPropertyTable(inlineTypeFlags()))
1321             return false;
1322         return getOwnStaticPropertySlot(vm, propertyName, slot);
1323     }
1324     
1325     // getPropertySlot relies on this method never returning index properties!
1326     ASSERT(!parseIndex(propertyName));
1327
1328     JSValue value = getDirect(offset);
1329     if (value.isCell()) {
1330         ASSERT(value);
1331         JSCell* cell = value.asCell();
1332         JSType type = cell->type();
1333         switch (type) {
1334         case GetterSetterType:
1335             fillGetterPropertySlot(slot, cell, attributes, offset);
1336             return true;
1337         case CustomGetterSetterType:
1338             fillCustomGetterPropertySlot(vm, slot, jsCast<CustomGetterSetter*>(cell), attributes, structure);
1339             return true;
1340         default:
1341             break;
1342         }
1343     }
1344     
1345     slot.setValue(this, attributes, value, offset);
1346     return true;
1347 }
1348
1349 ALWAYS_INLINE void JSObject::fillCustomGetterPropertySlot(VM& vm, PropertySlot& slot, CustomGetterSetter* customGetterSetter, unsigned attributes, Structure* structure)
1350 {
1351     if (customGetterSetter->inherits<DOMAttributeGetterSetter>(vm)) {
1352         auto* domAttribute = jsCast<DOMAttributeGetterSetter*>(customGetterSetter);
1353         if (structure->isUncacheableDictionary())
1354             slot.setCustom(this, attributes, domAttribute->getter(), domAttribute->domAttribute());
1355         else
1356             slot.setCacheableCustom(this, attributes, domAttribute->getter(), domAttribute->domAttribute());
1357         return;
1358     }
1359
1360     if (structure->isUncacheableDictionary())
1361         slot.setCustom(this, attributes, customGetterSetter->getter());
1362     else
1363         slot.setCacheableCustom(this, attributes, customGetterSetter->getter());
1364 }
1365
1366 // It may seem crazy to inline a function this large, especially a virtual function,
1367 // but it makes a big difference to property lookup that derived classes can inline their
1368 // base class call to this.
1369 ALWAYS_INLINE bool JSObject::getOwnPropertySlot(JSObject* object, ExecState* exec, PropertyName propertyName, PropertySlot& slot)
1370 {
1371     VM& vm = exec->vm();
1372     Structure* structure = object->structure(vm);
1373     if (object->getOwnNonIndexPropertySlot(vm, structure, propertyName, slot))
1374         return true;
1375     if (std::optional<uint32_t> index = parseIndex(propertyName))
1376         return getOwnPropertySlotByIndex(object, exec, index.value(), slot);
1377     return false;
1378 }
1379
1380 // It may seem crazy to inline a function this large but it makes a big difference
1381 // since this is function very hot in variable lookup
1382 ALWAYS_INLINE bool JSObject::getPropertySlot(ExecState* exec, PropertyName propertyName, PropertySlot& slot)
1383 {
1384     VM& vm = exec->vm();
1385     auto& structureIDTable = vm.heap.structureIDTable();
1386     JSObject* object = this;
1387     while (true) {
1388         if (UNLIKELY(TypeInfo::overridesGetOwnPropertySlot(object->inlineTypeFlags()))) {
1389             // If propertyName is an index then we may have missed it (as this loop is using
1390             // getOwnNonIndexPropertySlot), so we cannot safely call the overridden getOwnPropertySlot
1391             // (lest we return a property from a prototype that is shadowed). Check now for an index,
1392             // if so we need to start afresh from this object.
1393             if (std::optional<uint32_t> index = parseIndex(propertyName))
1394                 return getPropertySlot(exec, index.value(), slot);
1395             // Safe to continue searching from current position; call getNonIndexPropertySlot to avoid
1396             // parsing the int again.
1397             return object->getNonIndexPropertySlot(exec, propertyName, slot);
1398         }
1399         ASSERT(object->type() != ProxyObjectType);
1400         Structure* structure = structureIDTable.get(object->structureID());
1401         if (object->getOwnNonIndexPropertySlot(vm, structure, propertyName, slot))
1402             return true;
1403         // FIXME: This doesn't look like it's following the specification:
1404         // https://bugs.webkit.org/show_bug.cgi?id=172572
1405         JSValue prototype = structure->storedPrototype(object);
1406         if (!prototype.isObject())
1407             break;
1408         object = asObject(prototype);
1409     }
1410
1411     if (std::optional<uint32_t> index = parseIndex(propertyName))
1412         return getPropertySlot(exec, index.value(), slot);
1413     return false;
1414 }
1415
1416 inline JSValue JSObject::get(ExecState* exec, PropertyName propertyName) const
1417 {
1418     VM& vm = exec->vm();
1419     auto scope = DECLARE_THROW_SCOPE(vm);
1420     PropertySlot slot(this, PropertySlot::InternalMethodType::Get);
1421     bool hasProperty = const_cast<JSObject*>(this)->getPropertySlot(exec, propertyName, slot);
1422     EXCEPTION_ASSERT(!scope.exception() || !hasProperty);
1423     if (hasProperty) {
1424         scope.release();
1425         return slot.getValue(exec, propertyName);
1426     }
1427     return jsUndefined();
1428 }
1429
1430 inline JSValue JSObject::get(ExecState* exec, unsigned propertyName) const
1431 {
1432     VM& vm = exec->vm();
1433     auto scope = DECLARE_THROW_SCOPE(vm);
1434     PropertySlot slot(this, PropertySlot::InternalMethodType::Get);
1435     bool hasProperty = const_cast<JSObject*>(this)->getPropertySlot(exec, propertyName, slot);
1436     EXCEPTION_ASSERT(!scope.exception() || !hasProperty);
1437     if (hasProperty) {
1438         scope.release();
1439         return slot.getValue(exec, propertyName);
1440     }
1441     return jsUndefined();
1442 }
1443
1444 inline bool JSObject::putOwnDataProperty(VM& vm, PropertyName propertyName, JSValue value, PutPropertySlot& slot)
1445 {
1446     ASSERT(value);
1447     ASSERT(!Heap::heap(value) || Heap::heap(value) == Heap::heap(this));
1448     ASSERT(!structure()->hasGetterSetterProperties());
1449     ASSERT(!structure()->hasCustomGetterSetterProperties());
1450
1451     return putDirectInternal<PutModePut>(vm, propertyName, value, 0, slot);
1452 }
1453
1454 inline bool JSObject::putOwnDataPropertyMayBeIndex(ExecState* exec, PropertyName propertyName, JSValue value, PutPropertySlot& slot)
1455 {
1456     ASSERT(value);
1457     ASSERT(!Heap::heap(value) || Heap::heap(value) == Heap::heap(this));
1458     ASSERT(!structure()->hasGetterSetterProperties());
1459     ASSERT(!structure()->hasCustomGetterSetterProperties());
1460
1461     if (std::optional<uint32_t> index = parseIndex(propertyName))
1462         return putDirectIndex(exec, index.value(), value, 0, PutDirectIndexLikePutDirect);
1463
1464     return putDirectInternal<PutModePut>(exec->vm(), propertyName, value, 0, slot);
1465 }
1466
1467 inline bool JSObject::putDirect(VM& vm, PropertyName propertyName, JSValue value, unsigned attributes)
1468 {
1469     ASSERT(!value.isGetterSetter() && !(attributes & PropertyAttribute::Accessor));
1470     ASSERT(!value.isCustomGetterSetter());
1471     PutPropertySlot slot(this);
1472     return putDirectInternal<PutModeDefineOwnProperty>(vm, propertyName, value, attributes, slot);
1473 }
1474
1475 inline bool JSObject::putDirect(VM& vm, PropertyName propertyName, JSValue value, PutPropertySlot& slot)
1476 {
1477     ASSERT(!value.isGetterSetter());
1478     ASSERT(!value.isCustomGetterSetter());
1479     return putDirectInternal<PutModeDefineOwnProperty>(vm, propertyName, value, 0, slot);
1480 }
1481
1482 ALWAYS_INLINE JSObject* Register::object() const
1483 {
1484     return asObject(jsValue());
1485 }
1486
1487 ALWAYS_INLINE Register& Register::operator=(JSObject* object)
1488 {
1489     u.value = JSValue::encode(JSValue(object));
1490     return *this;
1491 }
1492
1493 inline size_t offsetInButterfly(PropertyOffset offset)
1494 {
1495     return offsetInOutOfLineStorage(offset) + Butterfly::indexOfPropertyStorage();
1496 }
1497
1498 inline size_t JSObject::butterflyPreCapacity()
1499 {
1500     if (UNLIKELY(hasIndexingHeader()))
1501         return butterfly()->indexingHeader()->preCapacity(structure());
1502     return 0;
1503 }
1504
1505 inline size_t JSObject::butterflyTotalSize()
1506 {
1507     Structure* structure = this->structure();
1508     Butterfly* butterfly = this->butterfly();
1509     size_t preCapacity;
1510     size_t indexingPayloadSizeInBytes;
1511     bool hasIndexingHeader = this->hasIndexingHeader();
1512
1513     if (UNLIKELY(hasIndexingHeader)) {
1514         preCapacity = butterfly->indexingHeader()->preCapacity(structure);
1515         indexingPayloadSizeInBytes = butterfly->indexingHeader()->indexingPayloadSizeInBytes(structure);
1516     } else {
1517         preCapacity = 0;
1518         indexingPayloadSizeInBytes = 0;
1519     }
1520
1521     return Butterfly::totalSize(preCapacity, structure->outOfLineCapacity(), hasIndexingHeader, indexingPayloadSizeInBytes);
1522 }
1523
1524 inline int indexRelativeToBase(PropertyOffset offset)
1525 {
1526     if (isOutOfLineOffset(offset))
1527         return offsetInOutOfLineStorage(offset) + Butterfly::indexOfPropertyStorage();
1528     ASSERT(!(JSObject::offsetOfInlineStorage() % sizeof(EncodedJSValue)));
1529     return JSObject::offsetOfInlineStorage() / sizeof(EncodedJSValue) + offsetInInlineStorage(offset);
1530 }
1531
1532 inline int offsetRelativeToBase(PropertyOffset offset)
1533 {
1534     if (isOutOfLineOffset(offset))
1535         return offsetInOutOfLineStorage(offset) * sizeof(EncodedJSValue) + Butterfly::offsetOfPropertyStorage();
1536     return JSObject::offsetOfInlineStorage() + offsetInInlineStorage(offset) * sizeof(EncodedJSValue);
1537 }
1538
1539 // Returns the maximum offset (away from zero) a load instruction will encode.
1540 inline size_t maxOffsetRelativeToBase(PropertyOffset offset)
1541 {
1542     ptrdiff_t addressOffset = offsetRelativeToBase(offset);
1543 #if USE(JSVALUE32_64)
1544     if (addressOffset >= 0)
1545         return static_cast<size_t>(addressOffset) + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.tag);
1546 #endif
1547     return static_cast<size_t>(addressOffset);
1548 }
1549
1550 COMPILE_ASSERT(!(sizeof(JSObject) % sizeof(WriteBarrierBase<Unknown>)), JSObject_inline_storage_has_correct_alignment);
1551
1552 template<unsigned charactersCount>
1553 ALWAYS_INLINE Identifier makeIdentifier(VM& vm, const char (&characters)[charactersCount])
1554 {
1555     return Identifier::fromString(&vm, characters);
1556 }
1557
1558 ALWAYS_INLINE Identifier makeIdentifier(VM& vm, const char* name)
1559 {
1560     return Identifier::fromString(&vm, name);
1561 }
1562
1563 ALWAYS_INLINE Identifier makeIdentifier(VM&, const Identifier& name)
1564 {
1565     return name;
1566 }
1567
1568 bool validateAndApplyPropertyDescriptor(ExecState*, JSObject*, PropertyName, bool isExtensible,
1569     const PropertyDescriptor& descriptor, bool isCurrentDefined, const PropertyDescriptor& current, bool throwException);
1570
1571 JS_EXPORT_PRIVATE NEVER_INLINE bool ordinarySetSlow(ExecState*, JSObject*, PropertyName, JSValue, JSValue receiver, bool shouldThrow);
1572
1573 // Helper for defining native functions, if you're not using a static hash table.
1574 // Use this macro from within finishCreation() methods in prototypes. This assumes
1575 // you've defined variables called exec, globalObject, and vm, and they
1576 // have the expected meanings.
1577 #define JSC_NATIVE_INTRINSIC_FUNCTION(jsName, cppName, attributes, length, intrinsic) \
1578     putDirectNativeFunction(\
1579         vm, globalObject, makeIdentifier(vm, (jsName)), (length), cppName, \
1580         (intrinsic), (attributes))
1581
1582 #define JSC_NATIVE_INTRINSIC_FUNCTION_WITHOUT_TRANSITION(jsName, cppName, attributes, length, intrinsic) \
1583     putDirectNativeFunctionWithoutTransition(\
1584         vm, globalObject, makeIdentifier(vm, (jsName)), (length), cppName, \
1585         (intrinsic), (attributes))
1586
1587 // As above, but this assumes that the function you're defining doesn't have an
1588 // intrinsic.
1589 #define JSC_NATIVE_FUNCTION(jsName, cppName, attributes, length) \
1590     JSC_NATIVE_INTRINSIC_FUNCTION(jsName, cppName, (attributes), (length), NoIntrinsic)
1591
1592 #define JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION(jsName, cppName, attributes, length) \
1593     JSC_NATIVE_INTRINSIC_FUNCTION_WITHOUT_TRANSITION(jsName, cppName, (attributes), (length), NoIntrinsic)
1594
1595 // Identical helpers but for builtins. Note that currently, we don't support builtins that are
1596 // also intrinsics, but we probably will do that eventually.
1597 #define JSC_BUILTIN_FUNCTION(jsName, generatorName, attributes) \
1598     putDirectBuiltinFunction(\
1599         vm, globalObject, makeIdentifier(vm, (jsName)), (generatorName)(vm), (attributes))
1600
1601 #define JSC_BUILTIN_FUNCTION_WITHOUT_TRANSITION(jsName, generatorName, attributes) \
1602     putDirectBuiltinFunctionWithoutTransition(\
1603         vm, globalObject, makeIdentifier(vm, (jsName)), (generatorName)(vm), (attributes))
1604
1605 // Helper for defining native getters on properties.
1606 #define JSC_NATIVE_INTRINSIC_GETTER(jsName, cppName, attributes, intrinsic)  \
1607     putDirectNativeIntrinsicGetter(\
1608         vm, globalObject, makeIdentifier(vm, (jsName)), (cppName), \
1609         (intrinsic), ((attributes) | PropertyAttribute::Accessor))
1610
1611 #define JSC_NATIVE_GETTER(jsName, cppName, attributes) \
1612     JSC_NATIVE_INTRINSIC_GETTER((jsName), (cppName), (attributes), NoIntrinsic)
1613
1614 } // namespace JSC