e8194c8c7372d3acbb828a73d49b88ddf4a8661a
[WebKit-https.git] / Source / JavaScriptCore / runtime / JSObject.h
1 /*
2  *  Copyright (C) 1999-2001 Harri Porten (porten@kde.org)
3  *  Copyright (C) 2001 Peter Kelly (pmk@post.com)
4  *  Copyright (C) 2003-2018 Apple Inc. All rights reserved.
5  *
6  *  This library is free software; you can redistribute it and/or
7  *  modify it under the terms of the GNU Library General Public
8  *  License as published by the Free Software Foundation; either
9  *  version 2 of the License, or (at your option) any later version.
10  *
11  *  This library is distributed in the hope that it will be useful,
12  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
13  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
14  *  Library General Public License for more details.
15  *
16  *  You should have received a copy of the GNU Library General Public License
17  *  along with this library; see the file COPYING.LIB.  If not, write to
18  *  the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
19  *  Boston, MA 02110-1301, USA.
20  *
21  */
22
23 #pragma once
24
25 #include "ArrayConventions.h"
26 #include "ArrayStorage.h"
27 #include "Butterfly.h"
28 #include "CPU.h"
29 #include "CagedBarrierPtr.h"
30 #include "CallFrame.h"
31 #include "ClassInfo.h"
32 #include "CustomGetterSetter.h"
33 #include "DOMAttributeGetterSetter.h"
34 #include "Heap.h"
35 #include "IndexingHeaderInlines.h"
36 #include "JSCast.h"
37 #include "ObjectInitializationScope.h"
38 #include "PropertySlot.h"
39 #include "PropertyStorage.h"
40 #include "PutDirectIndexMode.h"
41 #include "PutPropertySlot.h"
42 #include "Structure.h"
43 #include "StructureTransitionTable.h"
44 #include "VM.h"
45 #include "JSString.h"
46 #include "SparseArrayValueMap.h"
47 #include <wtf/StdLibExtras.h>
48
49 namespace JSC {
50 namespace DOMJIT {
51 class Signature;
52 }
53
54 inline JSCell* getJSFunction(JSValue value)
55 {
56     if (value.isCell() && (value.asCell()->type() == JSFunctionType))
57         return value.asCell();
58     return 0;
59 }
60
61 class GetterSetter;
62 class InternalFunction;
63 class JSFunction;
64 class LLIntOffsetsExtractor;
65 class MarkedBlock;
66 class PropertyDescriptor;
67 class PropertyNameArray;
68 class Structure;
69 class ThrowScope;
70 struct HashTable;
71 struct HashTableValue;
72
73 JS_EXPORT_PRIVATE JSObject* throwTypeError(ExecState*, ThrowScope&, const String&);
74 extern JS_EXPORT_PRIVATE const ASCIILiteral NonExtensibleObjectPropertyDefineError;
75 extern JS_EXPORT_PRIVATE const ASCIILiteral ReadonlyPropertyWriteError;
76 extern JS_EXPORT_PRIVATE const ASCIILiteral ReadonlyPropertyChangeError;
77 extern JS_EXPORT_PRIVATE const ASCIILiteral UnableToDeletePropertyError;
78 extern JS_EXPORT_PRIVATE const ASCIILiteral UnconfigurablePropertyChangeAccessMechanismError;
79 extern JS_EXPORT_PRIVATE const ASCIILiteral UnconfigurablePropertyChangeConfigurabilityError;
80 extern JS_EXPORT_PRIVATE const ASCIILiteral UnconfigurablePropertyChangeEnumerabilityError;
81 extern JS_EXPORT_PRIVATE const ASCIILiteral UnconfigurablePropertyChangeWritabilityError;
82
83 COMPILE_ASSERT(PropertyAttribute::None < FirstInternalAttribute, None_is_below_FirstInternalAttribute);
84 COMPILE_ASSERT(PropertyAttribute::ReadOnly < FirstInternalAttribute, ReadOnly_is_below_FirstInternalAttribute);
85 COMPILE_ASSERT(PropertyAttribute::DontEnum < FirstInternalAttribute, DontEnum_is_below_FirstInternalAttribute);
86 COMPILE_ASSERT(PropertyAttribute::DontDelete < FirstInternalAttribute, DontDelete_is_below_FirstInternalAttribute);
87 COMPILE_ASSERT(PropertyAttribute::Accessor < FirstInternalAttribute, Accessor_is_below_FirstInternalAttribute);
88
89 class JSFinalObject;
90
91 class JSObject : public JSCell {
92     friend class BatchedTransitionOptimizer;
93     friend class JIT;
94     friend class JSCell;
95     friend class JSFinalObject;
96     friend class MarkedBlock;
97     JS_EXPORT_PRIVATE friend bool setUpStaticFunctionSlot(VM&, const HashTableValue*, JSObject*, PropertyName, PropertySlot&);
98
99     enum PutMode {
100         PutModePut,
101         PutModeDefineOwnProperty,
102     };
103
104 public:
105     typedef JSCell Base;
106
107     // This is a super dangerous method for JITs. Sometimes the JITs will want to create either a
108     // JSFinalObject or a JSArray. This is the method that will do that.
109     static JSObject* createRawObject(ExecState* exec, Structure* structure, Butterfly* = nullptr);
110
111     JS_EXPORT_PRIVATE static size_t estimatedSize(JSCell*, VM&);
112     JS_EXPORT_PRIVATE static void visitChildren(JSCell*, SlotVisitor&);
113     JS_EXPORT_PRIVATE static void heapSnapshot(JSCell*, HeapSnapshotBuilder&);
114
115     JS_EXPORT_PRIVATE static String className(const JSObject*, VM&);
116     JS_EXPORT_PRIVATE static String calculatedClassName(JSObject*);
117
118     // This function is what Object.prototype.toString() will use to get the name of
119     // an object when using Symbol.toStringTag fails. For the most part there is no
120     // difference between this and className(). The main use case is for new JS language
121     // objects to set the default tag to "Object".
122     JS_EXPORT_PRIVATE static String toStringName(const JSObject*, ExecState*);
123
124     // This is the fully virtual [[GetPrototypeOf]] internal function defined
125     // in the ECMAScript 6 specification. Use this when doing a [[GetPrototypeOf]] 
126     // operation as dictated in the specification.
127     JSValue getPrototype(VM&, ExecState*);
128     JS_EXPORT_PRIVATE static JSValue getPrototype(JSObject*, ExecState*);
129     // This gets the prototype directly off of the structure. This does not do
130     // dynamic dispatch on the getPrototype method table method. It is not valid 
131     // to use this when performing a [[GetPrototypeOf]] operation in the specification.
132     // It is valid to use though when you know that you want to directly get it
133     // without consulting the method table. This is akin to getting the [[Prototype]]
134     // internal field directly as described in the specification.
135     JSValue getPrototypeDirect(VM&) const;
136
137     // This sets the prototype without checking for cycles and without
138     // doing dynamic dispatch on [[SetPrototypeOf]] operation in the specification.
139     // It is not valid to use this when performing a [[SetPrototypeOf]] operation in
140     // the specification. It is valid to use though when you know that you want to directly
141     // set it without consulting the method table and when you definitely won't
142     // introduce a cycle in the prototype chain. This is akin to setting the
143     // [[Prototype]] internal field directly as described in the specification.
144     JS_EXPORT_PRIVATE void setPrototypeDirect(VM&, JSValue prototype);
145 private:
146     // This is OrdinarySetPrototypeOf in the specification. Section 9.1.2.1
147     // https://tc39.github.io/ecma262/#sec-ordinarysetprototypeof
148     JS_EXPORT_PRIVATE bool setPrototypeWithCycleCheck(VM&, ExecState*, JSValue prototype, bool shouldThrowIfCantSet);
149 public:
150     // This is the fully virtual [[SetPrototypeOf]] internal function defined
151     // in the ECMAScript 6 specification. Use this when doing a [[SetPrototypeOf]] 
152     // operation as dictated in the specification.
153     bool setPrototype(VM&, ExecState*, JSValue prototype, bool shouldThrowIfCantSet = false);
154     JS_EXPORT_PRIVATE static bool setPrototype(JSObject*, ExecState*, JSValue prototype, bool shouldThrowIfCantSet);
155         
156     inline bool mayInterceptIndexedAccesses(VM&);
157
158     JSValue get(ExecState*, PropertyName) const;
159     JSValue get(ExecState*, unsigned propertyName) const;
160
161     template<bool checkNullStructure = false>
162     bool getPropertySlot(ExecState*, PropertyName, PropertySlot&);
163     bool getPropertySlot(ExecState*, unsigned propertyName, PropertySlot&);
164     template<typename CallbackWhenNoException> typename std::result_of<CallbackWhenNoException(bool, PropertySlot&)>::type getPropertySlot(ExecState*, PropertyName, CallbackWhenNoException) const;
165     template<typename CallbackWhenNoException> typename std::result_of<CallbackWhenNoException(bool, PropertySlot&)>::type getPropertySlot(ExecState*, PropertyName, PropertySlot&, CallbackWhenNoException) const;
166
167     static bool getOwnPropertySlot(JSObject*, ExecState*, PropertyName, PropertySlot&);
168     JS_EXPORT_PRIVATE static bool getOwnPropertySlotByIndex(JSObject*, ExecState*, unsigned propertyName, PropertySlot&);
169     bool getOwnPropertySlotInline(ExecState*, PropertyName, PropertySlot&);
170
171     // The key difference between this and getOwnPropertySlot is that getOwnPropertySlot
172     // currently returns incorrect results for the DOM window (with non-own properties)
173     // being returned. Once this is fixed we should migrate code & remove this method.
174     JS_EXPORT_PRIVATE bool getOwnPropertyDescriptor(ExecState*, PropertyName, PropertyDescriptor&);
175
176     unsigned getArrayLength() const
177     {
178         if (!hasIndexedProperties(indexingType()))
179             return 0;
180         return m_butterfly->publicLength();
181     }
182         
183     unsigned getVectorLength()
184     {
185         if (!hasIndexedProperties(indexingType()))
186             return 0;
187         return m_butterfly->vectorLength();
188     }
189     
190     static bool putInlineForJSObject(JSCell*, ExecState*, PropertyName, JSValue, PutPropertySlot&);
191     
192     JS_EXPORT_PRIVATE static bool put(JSCell*, ExecState*, PropertyName, JSValue, PutPropertySlot&);
193     // putByIndex assumes that the receiver is this JSCell object.
194     JS_EXPORT_PRIVATE static bool putByIndex(JSCell*, ExecState*, unsigned propertyName, JSValue, bool shouldThrow);
195         
196     // This performs the ECMAScript Set() operation.
197     ALWAYS_INLINE bool putByIndexInline(ExecState* exec, unsigned propertyName, JSValue value, bool shouldThrow)
198     {
199         if (canSetIndexQuickly(propertyName)) {
200             setIndexQuickly(exec->vm(), propertyName, value);
201             return true;
202         }
203         return methodTable(exec->vm())->putByIndex(this, exec, propertyName, value, shouldThrow);
204     }
205         
206     // This is similar to the putDirect* methods:
207     //  - the prototype chain is not consulted
208     //  - accessors are not called.
209     //  - it will ignore extensibility and read-only properties if PutDirectIndexLikePutDirect is passed as the mode (the default).
210     // This method creates a property with attributes writable, enumerable and configurable all set to true if attributes is zero,
211     // otherwise, it creates a property with the provided attributes. Semantically, this is performing defineOwnProperty.
212     bool putDirectIndex(ExecState* exec, unsigned propertyName, JSValue value, unsigned attributes, PutDirectIndexMode mode)
213     {
214         ASSERT(!value.isCustomGetterSetter());
215         auto canSetIndexQuicklyForPutDirect = [&] () -> bool {
216             switch (indexingMode()) {
217             case ALL_BLANK_INDEXING_TYPES:
218             case ALL_UNDECIDED_INDEXING_TYPES:
219                 return false;
220             case ALL_WRITABLE_INT32_INDEXING_TYPES:
221             case ALL_WRITABLE_DOUBLE_INDEXING_TYPES:
222             case ALL_WRITABLE_CONTIGUOUS_INDEXING_TYPES:
223             case ALL_ARRAY_STORAGE_INDEXING_TYPES:
224                 return propertyName < m_butterfly->vectorLength();
225             default:
226                 if (isCopyOnWrite(indexingMode()))
227                     return false;
228                 RELEASE_ASSERT_NOT_REACHED();
229                 return false;
230             }
231         };
232         
233         if (!attributes && canSetIndexQuicklyForPutDirect()) {
234             setIndexQuickly(exec->vm(), propertyName, value);
235             return true;
236         }
237         return putDirectIndexSlowOrBeyondVectorLength(exec, propertyName, value, attributes, mode);
238     }
239     // This is semantically equivalent to performing defineOwnProperty(propertyName, {configurable:true, writable:true, enumerable:true, value:value}).
240     bool putDirectIndex(ExecState* exec, unsigned propertyName, JSValue value)
241     {
242         return putDirectIndex(exec, propertyName, value, 0, PutDirectIndexLikePutDirect);
243     }
244
245     // A generally non-throwing version of putDirect and putDirectIndex.
246     // However, it's only guaranteed to not throw based on what the receiver is.
247     // For example, if the receiver is a ProxyObject, this is not guaranteed, since
248     // it may call into arbitrary JS code. It's the responsibility of the user of
249     // this API to ensure that the receiver object is a well known type if they
250     // want to ensure that this won't throw an exception.
251     JS_EXPORT_PRIVATE bool putDirectMayBeIndex(ExecState*, PropertyName, JSValue);
252         
253     bool hasIndexingHeader(VM& vm) const
254     {
255         return structure(vm)->hasIndexingHeader(this);
256     }
257     
258     bool canGetIndexQuickly(unsigned i)
259     {
260         Butterfly* butterfly = this->butterfly();
261         switch (indexingType()) {
262         case ALL_BLANK_INDEXING_TYPES:
263         case ALL_UNDECIDED_INDEXING_TYPES:
264             return false;
265         case ALL_INT32_INDEXING_TYPES:
266         case ALL_CONTIGUOUS_INDEXING_TYPES:
267             return i < butterfly->vectorLength() && butterfly->contiguous().at(this, i);
268         case ALL_DOUBLE_INDEXING_TYPES: {
269             if (i >= butterfly->vectorLength())
270                 return false;
271             double value = butterfly->contiguousDouble().at(this, i);
272             if (value != value)
273                 return false;
274             return true;
275         }
276         case ALL_ARRAY_STORAGE_INDEXING_TYPES:
277             return i < butterfly->arrayStorage()->vectorLength() && butterfly->arrayStorage()->m_vector[i];
278         default:
279             RELEASE_ASSERT_NOT_REACHED();
280             return false;
281         }
282     }
283         
284     JSValue getIndexQuickly(unsigned i)
285     {
286         Butterfly* butterfly = this->butterfly();
287         switch (indexingType()) {
288         case ALL_INT32_INDEXING_TYPES:
289             return jsNumber(butterfly->contiguous().at(this, i).get().asInt32());
290         case ALL_CONTIGUOUS_INDEXING_TYPES:
291             return butterfly->contiguous().at(this, i).get();
292         case ALL_DOUBLE_INDEXING_TYPES:
293             return JSValue(JSValue::EncodeAsDouble, butterfly->contiguousDouble().at(this, i));
294         case ALL_ARRAY_STORAGE_INDEXING_TYPES:
295             return butterfly->arrayStorage()->m_vector[i].get();
296         default:
297             RELEASE_ASSERT_NOT_REACHED();
298             return JSValue();
299         }
300     }
301         
302     JSValue tryGetIndexQuickly(unsigned i) const
303     {
304         Butterfly* butterfly = const_cast<JSObject*>(this)->butterfly();
305         switch (indexingType()) {
306         case ALL_BLANK_INDEXING_TYPES:
307         case ALL_UNDECIDED_INDEXING_TYPES:
308             break;
309         case ALL_INT32_INDEXING_TYPES:
310             if (i < butterfly->publicLength()) {
311                 JSValue result = butterfly->contiguous().at(this, i).get();
312                 ASSERT(result.isInt32() || !result);
313                 return result;
314             }
315             break;
316         case ALL_CONTIGUOUS_INDEXING_TYPES:
317             if (i < butterfly->publicLength())
318                 return butterfly->contiguous().at(this, i).get();
319             break;
320         case ALL_DOUBLE_INDEXING_TYPES: {
321             if (i >= butterfly->publicLength())
322                 break;
323             double result = butterfly->contiguousDouble().at(this, i);
324             if (result != result)
325                 break;
326             return JSValue(JSValue::EncodeAsDouble, result);
327         }
328         case ALL_ARRAY_STORAGE_INDEXING_TYPES:
329             if (i < butterfly->arrayStorage()->vectorLength())
330                 return butterfly->arrayStorage()->m_vector[i].get();
331             break;
332         default:
333             RELEASE_ASSERT_NOT_REACHED();
334             break;
335         }
336         return JSValue();
337     }
338         
339     JSValue getDirectIndex(ExecState* exec, unsigned i)
340     {
341         if (JSValue result = tryGetIndexQuickly(i))
342             return result;
343         PropertySlot slot(this, PropertySlot::InternalMethodType::Get);
344         if (methodTable(exec->vm())->getOwnPropertySlotByIndex(this, exec, i, slot))
345             return slot.getValue(exec, i);
346         return JSValue();
347     }
348         
349     JSValue getIndex(ExecState* exec, unsigned i) const
350     {
351         if (JSValue result = tryGetIndexQuickly(i))
352             return result;
353         return get(exec, i);
354     }
355         
356     bool canSetIndexQuickly(unsigned i)
357     {
358         Butterfly* butterfly = this->butterfly();
359         switch (indexingMode()) {
360         case ALL_BLANK_INDEXING_TYPES:
361         case ALL_UNDECIDED_INDEXING_TYPES:
362             return false;
363         case ALL_WRITABLE_INT32_INDEXING_TYPES:
364         case ALL_WRITABLE_DOUBLE_INDEXING_TYPES:
365         case ALL_WRITABLE_CONTIGUOUS_INDEXING_TYPES:
366         case NonArrayWithArrayStorage:
367         case ArrayWithArrayStorage:
368             return i < butterfly->vectorLength();
369         case NonArrayWithSlowPutArrayStorage:
370         case ArrayWithSlowPutArrayStorage:
371             return i < butterfly->arrayStorage()->vectorLength()
372                 && !!butterfly->arrayStorage()->m_vector[i];
373         default:
374             if (isCopyOnWrite(indexingMode()))
375                 return false;
376             RELEASE_ASSERT_NOT_REACHED();
377             return false;
378         }
379     }
380         
381     void setIndexQuickly(VM& vm, unsigned i, JSValue v)
382     {
383         Butterfly* butterfly = m_butterfly.get();
384         ASSERT(!isCopyOnWrite(indexingMode()));
385         switch (indexingType()) {
386         case ALL_INT32_INDEXING_TYPES: {
387             ASSERT(i < butterfly->vectorLength());
388             if (!v.isInt32()) {
389                 convertInt32ToDoubleOrContiguousWhilePerformingSetIndex(vm, i, v);
390                 return;
391             }
392             FALLTHROUGH;
393         }
394         case ALL_CONTIGUOUS_INDEXING_TYPES: {
395             ASSERT(i < butterfly->vectorLength());
396             butterfly->contiguous().at(this, i).set(vm, this, v);
397             if (i >= butterfly->publicLength())
398                 butterfly->setPublicLength(i + 1);
399             break;
400         }
401         case ALL_DOUBLE_INDEXING_TYPES: {
402             ASSERT(i < butterfly->vectorLength());
403             if (!v.isNumber()) {
404                 convertDoubleToContiguousWhilePerformingSetIndex(vm, i, v);
405                 return;
406             }
407             double value = v.asNumber();
408             if (value != value) {
409                 convertDoubleToContiguousWhilePerformingSetIndex(vm, i, v);
410                 return;
411             }
412             butterfly->contiguousDouble().at(this, i) = value;
413             if (i >= butterfly->publicLength())
414                 butterfly->setPublicLength(i + 1);
415             break;
416         }
417         case ALL_ARRAY_STORAGE_INDEXING_TYPES: {
418             ArrayStorage* storage = butterfly->arrayStorage();
419             WriteBarrier<Unknown>& x = storage->m_vector[i];
420             JSValue old = x.get();
421             x.set(vm, this, v);
422             if (!old) {
423                 ++storage->m_numValuesInVector;
424                 if (i >= storage->length())
425                     storage->setLength(i + 1);
426             }
427             break;
428         }
429         default:
430             RELEASE_ASSERT_NOT_REACHED();
431         }
432     }
433
434     void initializeIndex(ObjectInitializationScope& scope, unsigned i, JSValue v)
435     {
436         initializeIndex(scope, i, v, indexingType());
437     }
438
439     // NOTE: Clients of this method may call it more than once for any index, and this is supposed
440     // to work.
441     ALWAYS_INLINE void initializeIndex(ObjectInitializationScope& scope, unsigned i, JSValue v, IndexingType indexingType)
442     {
443         VM& vm = scope.vm();
444         Butterfly* butterfly = m_butterfly.get();
445         switch (indexingType) {
446         case ALL_UNDECIDED_INDEXING_TYPES: {
447             setIndexQuicklyToUndecided(vm, i, v);
448             break;
449         }
450         case ALL_INT32_INDEXING_TYPES: {
451             ASSERT(i < butterfly->publicLength());
452             ASSERT(i < butterfly->vectorLength());
453             if (!v.isInt32()) {
454                 convertInt32ToDoubleOrContiguousWhilePerformingSetIndex(vm, i, v);
455                 break;
456             }
457             FALLTHROUGH;
458         }
459         case ALL_CONTIGUOUS_INDEXING_TYPES: {
460             ASSERT(i < butterfly->publicLength());
461             ASSERT(i < butterfly->vectorLength());
462             butterfly->contiguous().at(this, i).set(vm, this, v);
463             break;
464         }
465         case ALL_DOUBLE_INDEXING_TYPES: {
466             ASSERT(i < butterfly->publicLength());
467             ASSERT(i < butterfly->vectorLength());
468             if (!v.isNumber()) {
469                 convertDoubleToContiguousWhilePerformingSetIndex(vm, i, v);
470                 return;
471             }
472             double value = v.asNumber();
473             if (value != value) {
474                 convertDoubleToContiguousWhilePerformingSetIndex(vm, i, v);
475                 return;
476             }
477             butterfly->contiguousDouble().at(this, i) = value;
478             break;
479         }
480         case ALL_ARRAY_STORAGE_INDEXING_TYPES: {
481             ArrayStorage* storage = butterfly->arrayStorage();
482             ASSERT(i < storage->length());
483             ASSERT(i < storage->m_numValuesInVector);
484             storage->m_vector[i].set(vm, this, v);
485             break;
486         }
487         default:
488             RELEASE_ASSERT_NOT_REACHED();
489         }
490     }
491         
492     void initializeIndexWithoutBarrier(ObjectInitializationScope& scope, unsigned i, JSValue v)
493     {
494         initializeIndexWithoutBarrier(scope, i, v, indexingType());
495     }
496
497     // This version of initializeIndex is for cases where you know that you will not need any
498     // barriers. This implies not having any data format conversions.
499     ALWAYS_INLINE void initializeIndexWithoutBarrier(ObjectInitializationScope&, unsigned i, JSValue v, IndexingType indexingType)
500     {
501         Butterfly* butterfly = m_butterfly.get();
502         switch (indexingType) {
503         case ALL_UNDECIDED_INDEXING_TYPES: {
504             RELEASE_ASSERT_NOT_REACHED();
505             break;
506         }
507         case ALL_INT32_INDEXING_TYPES: {
508             ASSERT(i < butterfly->publicLength());
509             ASSERT(i < butterfly->vectorLength());
510             RELEASE_ASSERT(v.isInt32());
511             FALLTHROUGH;
512         }
513         case ALL_CONTIGUOUS_INDEXING_TYPES: {
514             ASSERT(i < butterfly->publicLength());
515             ASSERT(i < butterfly->vectorLength());
516             butterfly->contiguous().at(this, i).setWithoutWriteBarrier(v);
517             break;
518         }
519         case ALL_DOUBLE_INDEXING_TYPES: {
520             ASSERT(i < butterfly->publicLength());
521             ASSERT(i < butterfly->vectorLength());
522             RELEASE_ASSERT(v.isNumber());
523             double value = v.asNumber();
524             RELEASE_ASSERT(value == value);
525             butterfly->contiguousDouble().at(this, i) = value;
526             break;
527         }
528         case ALL_ARRAY_STORAGE_INDEXING_TYPES: {
529             ArrayStorage* storage = butterfly->arrayStorage();
530             ASSERT(i < storage->length());
531             ASSERT(i < storage->m_numValuesInVector);
532             storage->m_vector[i].setWithoutWriteBarrier(v);
533             break;
534         }
535         default:
536             RELEASE_ASSERT_NOT_REACHED();
537         }
538     }
539         
540     bool hasSparseMap()
541     {
542         switch (indexingType()) {
543         case ALL_BLANK_INDEXING_TYPES:
544         case ALL_UNDECIDED_INDEXING_TYPES:
545         case ALL_INT32_INDEXING_TYPES:
546         case ALL_DOUBLE_INDEXING_TYPES:
547         case ALL_CONTIGUOUS_INDEXING_TYPES:
548             return false;
549         case ALL_ARRAY_STORAGE_INDEXING_TYPES:
550             return !!m_butterfly->arrayStorage()->m_sparseMap;
551         default:
552             RELEASE_ASSERT_NOT_REACHED();
553             return false;
554         }
555     }
556         
557     bool inSparseIndexingMode()
558     {
559         switch (indexingType()) {
560         case ALL_BLANK_INDEXING_TYPES:
561         case ALL_UNDECIDED_INDEXING_TYPES:
562         case ALL_INT32_INDEXING_TYPES:
563         case ALL_DOUBLE_INDEXING_TYPES:
564         case ALL_CONTIGUOUS_INDEXING_TYPES:
565             return false;
566         case ALL_ARRAY_STORAGE_INDEXING_TYPES:
567             return m_butterfly->arrayStorage()->inSparseMode();
568         default:
569             RELEASE_ASSERT_NOT_REACHED();
570             return false;
571         }
572     }
573         
574     void enterDictionaryIndexingMode(VM&);
575
576     // putDirect is effectively an unchecked vesion of 'defineOwnProperty':
577     //  - the prototype chain is not consulted
578     //  - accessors are not called.
579     //  - attributes will be respected (after the call the property will exist with the given attributes)
580     //  - the property name is assumed to not be an index.
581     bool putDirect(VM&, PropertyName, JSValue, unsigned attributes = 0);
582     bool putDirect(VM&, PropertyName, JSValue, PutPropertySlot&);
583     void putDirectWithoutTransition(VM&, PropertyName, JSValue, unsigned attributes = 0);
584     bool putDirectNonIndexAccessor(VM&, PropertyName, GetterSetter*, unsigned attributes);
585     bool putDirectAccessor(ExecState*, PropertyName, GetterSetter*, unsigned attributes);
586     JS_EXPORT_PRIVATE bool putDirectCustomAccessor(VM&, PropertyName, JSValue, unsigned attributes);
587
588     bool putGetter(ExecState*, PropertyName, JSValue, unsigned attributes);
589     bool putSetter(ExecState*, PropertyName, JSValue, unsigned attributes);
590
591     JS_EXPORT_PRIVATE bool hasProperty(ExecState*, PropertyName) const;
592     JS_EXPORT_PRIVATE bool hasProperty(ExecState*, unsigned propertyName) const;
593     bool hasPropertyGeneric(ExecState*, PropertyName, PropertySlot::InternalMethodType) const;
594     bool hasPropertyGeneric(ExecState*, unsigned propertyName, PropertySlot::InternalMethodType) const;
595     bool hasOwnProperty(ExecState*, PropertyName, PropertySlot&) const;
596     bool hasOwnProperty(ExecState*, PropertyName) const;
597     bool hasOwnProperty(ExecState*, unsigned) const;
598
599     JS_EXPORT_PRIVATE static bool deleteProperty(JSCell*, ExecState*, PropertyName);
600     JS_EXPORT_PRIVATE static bool deletePropertyByIndex(JSCell*, ExecState*, unsigned propertyName);
601
602     JS_EXPORT_PRIVATE static JSValue defaultValue(const JSObject*, ExecState*, PreferredPrimitiveType);
603     JSValue ordinaryToPrimitive(ExecState*, PreferredPrimitiveType) const;
604
605     JS_EXPORT_PRIVATE bool hasInstance(ExecState*, JSValue value, JSValue hasInstanceValue);
606     JS_EXPORT_PRIVATE bool hasInstance(ExecState*, JSValue);
607     static bool defaultHasInstance(ExecState*, JSValue, JSValue prototypeProperty);
608
609     JS_EXPORT_PRIVATE static void getOwnPropertyNames(JSObject*, ExecState*, PropertyNameArray&, EnumerationMode);
610     JS_EXPORT_PRIVATE static void getOwnNonIndexPropertyNames(JSObject*, ExecState*, PropertyNameArray&, EnumerationMode);
611     JS_EXPORT_PRIVATE static void getPropertyNames(JSObject*, ExecState*, PropertyNameArray&, EnumerationMode);
612
613     JS_EXPORT_PRIVATE static uint32_t getEnumerableLength(ExecState*, JSObject*);
614     JS_EXPORT_PRIVATE static void getStructurePropertyNames(JSObject*, ExecState*, PropertyNameArray&, EnumerationMode);
615     JS_EXPORT_PRIVATE static void getGenericPropertyNames(JSObject*, ExecState*, PropertyNameArray&, EnumerationMode);
616
617     JS_EXPORT_PRIVATE JSValue toPrimitive(ExecState*, PreferredPrimitiveType = NoPreference) const;
618     bool getPrimitiveNumber(ExecState*, double& number, JSValue&) const;
619     JS_EXPORT_PRIVATE double toNumber(ExecState*) const;
620     JS_EXPORT_PRIVATE JSString* toString(ExecState*) const;
621
622     JS_EXPORT_PRIVATE static JSValue toThis(JSCell*, ExecState*, ECMAMode);
623
624     // This get function only looks at the property map.
625     JSValue getDirect(VM& vm, PropertyName propertyName) const
626     {
627         Structure* structure = this->structure(vm);
628         PropertyOffset offset = structure->get(vm, propertyName);
629         checkOffset(offset, structure->inlineCapacity());
630         return offset != invalidOffset ? getDirect(offset) : JSValue();
631     }
632     
633     JSValue getDirect(VM& vm, PropertyName propertyName, unsigned& attributes) const
634     {
635         Structure* structure = this->structure(vm);
636         PropertyOffset offset = structure->get(vm, propertyName, attributes);
637         checkOffset(offset, structure->inlineCapacity());
638         return offset != invalidOffset ? getDirect(offset) : JSValue();
639     }
640
641     PropertyOffset getDirectOffset(VM& vm, PropertyName propertyName)
642     {
643         Structure* structure = this->structure(vm);
644         PropertyOffset offset = structure->get(vm, propertyName);
645         checkOffset(offset, structure->inlineCapacity());
646         return offset;
647     }
648
649     PropertyOffset getDirectOffset(VM& vm, PropertyName propertyName, unsigned& attributes)
650     {
651         Structure* structure = this->structure(vm);
652         PropertyOffset offset = structure->get(vm, propertyName, attributes);
653         checkOffset(offset, structure->inlineCapacity());
654         return offset;
655     }
656
657     bool hasInlineStorage() const { return structure()->hasInlineStorage(); }
658     ConstPropertyStorage inlineStorageUnsafe() const
659     {
660         return bitwise_cast<ConstPropertyStorage>(this + 1);
661     }
662     PropertyStorage inlineStorageUnsafe()
663     {
664         return bitwise_cast<PropertyStorage>(this + 1);
665     }
666     ConstPropertyStorage inlineStorage() const
667     {
668         ASSERT(hasInlineStorage());
669         return inlineStorageUnsafe();
670     }
671     PropertyStorage inlineStorage()
672     {
673         ASSERT(hasInlineStorage());
674         return inlineStorageUnsafe();
675     }
676         
677     const Butterfly* butterfly() const { return m_butterfly.get(); }
678     Butterfly* butterfly() { return m_butterfly.get(); }
679     
680     ConstPropertyStorage outOfLineStorage() const { return m_butterfly->propertyStorage(); }
681     PropertyStorage outOfLineStorage() { return m_butterfly->propertyStorage(); }
682
683     ALWAYS_INLINE const WriteBarrierBase<Unknown>* locationForOffset(PropertyOffset offset) const
684     {
685         if (isInlineOffset(offset))
686             return &inlineStorage()[offsetInInlineStorage(offset)];
687         return &outOfLineStorage()[offsetInOutOfLineStorage(offset)];
688     }
689
690     ALWAYS_INLINE WriteBarrierBase<Unknown>* locationForOffset(PropertyOffset offset)
691     {
692         if (isInlineOffset(offset))
693             return &inlineStorage()[offsetInInlineStorage(offset)];
694         return &outOfLineStorage()[offsetInOutOfLineStorage(offset)];
695     }
696
697     void transitionTo(VM&, Structure*);
698
699     bool hasCustomProperties(VM& vm) { return structure(vm)->didTransition(); }
700     bool hasGetterSetterProperties(VM& vm) { return structure(vm)->hasGetterSetterProperties(); }
701     bool hasCustomGetterSetterProperties(VM& vm) { return structure(vm)->hasCustomGetterSetterProperties(); }
702
703     // putOwnDataProperty has 'put' like semantics, however this method:
704     //  - assumes the object contains no own getter/setter properties.
705     //  - provides no special handling for __proto__
706     //  - does not walk the prototype chain (to check for accessors or non-writable properties).
707     // This is used by JSLexicalEnvironment.
708     bool putOwnDataProperty(VM&, PropertyName, JSValue, PutPropertySlot&);
709     bool putOwnDataPropertyMayBeIndex(ExecState*, PropertyName, JSValue, PutPropertySlot&);
710
711     // Fast access to known property offsets.
712     ALWAYS_INLINE JSValue getDirect(PropertyOffset offset) const { return locationForOffset(offset)->get(); }
713     JSValue getDirectConcurrently(Structure* expectedStructure, PropertyOffset) const;
714     void putDirect(VM& vm, PropertyOffset offset, JSValue value) { locationForOffset(offset)->set(vm, this, value); }
715     void putDirectWithoutBarrier(PropertyOffset offset, JSValue value) { locationForOffset(offset)->setWithoutWriteBarrier(value); }
716     void putDirectUndefined(PropertyOffset offset) { locationForOffset(offset)->setUndefined(); }
717
718     JS_EXPORT_PRIVATE bool putDirectNativeIntrinsicGetter(VM&, JSGlobalObject*, Identifier, NativeFunction, Intrinsic, unsigned attributes);
719     JS_EXPORT_PRIVATE bool putDirectNativeFunction(VM&, JSGlobalObject*, const PropertyName&, unsigned functionLength, NativeFunction, Intrinsic, unsigned attributes);
720     JS_EXPORT_PRIVATE bool putDirectNativeFunction(VM&, JSGlobalObject*, const PropertyName&, unsigned functionLength, NativeFunction, Intrinsic, const DOMJIT::Signature*, unsigned attributes);
721     JS_EXPORT_PRIVATE void putDirectNativeFunctionWithoutTransition(VM&, JSGlobalObject*, const PropertyName&, unsigned functionLength, NativeFunction, Intrinsic, unsigned attributes);
722
723     JS_EXPORT_PRIVATE JSFunction* putDirectBuiltinFunction(VM&, JSGlobalObject*, const PropertyName&, FunctionExecutable*, unsigned attributes);
724     JSFunction* putDirectBuiltinFunctionWithoutTransition(VM&, JSGlobalObject*, const PropertyName&, FunctionExecutable*, unsigned attributes);
725
726     JS_EXPORT_PRIVATE static bool defineOwnProperty(JSObject*, ExecState*, PropertyName, const PropertyDescriptor&, bool shouldThrow);
727
728     bool isEnvironment() const;
729     bool isGlobalObject() const;
730     bool isJSLexicalEnvironment() const;
731     bool isGlobalLexicalEnvironment() const;
732     bool isStrictEvalActivation() const;
733     bool isWithScope() const;
734
735     bool isErrorInstance() const;
736
737     JS_EXPORT_PRIVATE void seal(VM&);
738     JS_EXPORT_PRIVATE void freeze(VM&);
739     JS_EXPORT_PRIVATE static bool preventExtensions(JSObject*, ExecState*);
740     JS_EXPORT_PRIVATE static bool isExtensible(JSObject*, ExecState*);
741     bool isSealed(VM& vm) { return structure(vm)->isSealed(vm); }
742     bool isFrozen(VM& vm) { return structure(vm)->isFrozen(vm); }
743
744     bool anyObjectInChainMayInterceptIndexedAccesses(VM&) const;
745     JS_EXPORT_PRIVATE bool prototypeChainMayInterceptStoreTo(VM&, PropertyName);
746     bool needsSlowPutIndexing(VM&) const;
747
748 private:
749     NonPropertyTransition suggestedArrayStorageTransition(VM&) const;
750 public:
751     // You should only call isStructureExtensible() when:
752     // - Performing this check in a way that isn't described in the specification 
753     //   as calling the virtual [[IsExtensible]] trap.
754     // - When you're guaranteed that object->methodTable(vm)->isExtensible isn't
755     //   overridden.
756     ALWAYS_INLINE bool isStructureExtensible(VM& vm) { return structure(vm)->isStructureExtensible(); }
757     // You should call this when performing [[IsExtensible]] trap in a place
758     // that is described in the specification. This performs the fully virtual
759     // [[IsExtensible]] trap.
760     bool isExtensible(ExecState*);
761     bool indexingShouldBeSparse(VM& vm)
762     {
763         return !isStructureExtensible(vm)
764             || structure(vm)->typeInfo().interceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero();
765     }
766
767     bool staticPropertiesReified(VM& vm) { return structure(vm)->staticPropertiesReified(); }
768     void reifyAllStaticProperties(ExecState*);
769
770     JS_EXPORT_PRIVATE Butterfly* allocateMoreOutOfLineStorage(VM&, size_t oldSize, size_t newSize);
771
772     // Call this when you do not need to change the structure.
773     void setButterfly(VM&, Butterfly*);
774     
775     // Call this if you do need to change the structure, or if you changed something about a structure
776     // in-place.
777     void nukeStructureAndSetButterfly(VM&, StructureID oldStructureID, Butterfly*);
778
779     void setStructure(VM&, Structure*);
780
781     JS_EXPORT_PRIVATE void convertToDictionary(VM&);
782
783     void flattenDictionaryObject(VM& vm)
784     {
785         structure(vm)->flattenDictionaryStructure(vm, this);
786     }
787     void shiftButterflyAfterFlattening(const GCSafeConcurrentJSLocker&, VM&, Structure* structure, size_t outOfLineCapacityAfter);
788
789     JSGlobalObject* globalObject() const
790     {
791         ASSERT(structure()->globalObject());
792         ASSERT(!isGlobalObject() || ((JSObject*)structure()->globalObject()) == this);
793         return structure()->globalObject();
794     }
795         
796     JSGlobalObject* globalObject(VM& vm) const
797     {
798         ASSERT(structure(vm)->globalObject());
799         ASSERT(!isGlobalObject() || ((JSObject*)structure(vm)->globalObject()) == this);
800         return structure(vm)->globalObject();
801     }
802         
803     void switchToSlowPutArrayStorage(VM&);
804         
805     // The receiver is the prototype in this case. The following:
806     //
807     // asObject(foo->structure()->storedPrototype())->attemptToInterceptPutByIndexOnHoleForPrototype(...)
808     //
809     // is equivalent to:
810     //
811     // foo->attemptToInterceptPutByIndexOnHole(...);
812     bool attemptToInterceptPutByIndexOnHoleForPrototype(ExecState*, JSValue thisValue, unsigned propertyName, JSValue, bool shouldThrow, bool& putResult);
813         
814     // Returns 0 if int32 storage cannot be created - either because
815     // indexing should be sparse, we're having a bad time, or because
816     // we already have a more general form of storage (double,
817     // contiguous, array storage).
818     ContiguousJSValues tryMakeWritableInt32(VM& vm)
819     {
820         if (LIKELY(hasInt32(indexingType()) && !isCopyOnWrite(indexingMode())))
821             return m_butterfly->contiguousInt32();
822             
823         return tryMakeWritableInt32Slow(vm);
824     }
825         
826     // Returns 0 if double storage cannot be created - either because
827     // indexing should be sparse, we're having a bad time, or because
828     // we already have a more general form of storage (contiguous,
829     // or array storage).
830     ContiguousDoubles tryMakeWritableDouble(VM& vm)
831     {
832         if (LIKELY(hasDouble(indexingType()) && !isCopyOnWrite(indexingMode())))
833             return m_butterfly->contiguousDouble();
834             
835         return tryMakeWritableDoubleSlow(vm);
836     }
837         
838     // Returns 0 if contiguous storage cannot be created - either because
839     // indexing should be sparse or because we're having a bad time.
840     ContiguousJSValues tryMakeWritableContiguous(VM& vm)
841     {
842         if (LIKELY(hasContiguous(indexingType()) && !isCopyOnWrite(indexingMode())))
843             return m_butterfly->contiguous();
844             
845         return tryMakeWritableContiguousSlow(vm);
846     }
847
848     // Ensure that the object is in a mode where it has array storage. Use
849     // this if you're about to perform actions that would have required the
850     // object to be converted to have array storage, if it didn't have it
851     // already.
852     ArrayStorage* ensureArrayStorage(VM& vm)
853     {
854         if (LIKELY(hasAnyArrayStorage(indexingType())))
855             return m_butterfly->arrayStorage();
856
857         return ensureArrayStorageSlow(vm);
858     }
859
860     void ensureWritable(VM& vm)
861     {
862         if (isCopyOnWrite(indexingMode()))
863             convertFromCopyOnWrite(vm);
864     }
865         
866     static size_t offsetOfInlineStorage();
867         
868     static ptrdiff_t butterflyOffset()
869     {
870         return OBJECT_OFFSETOF(JSObject, m_butterfly);
871     }
872     void* butterflyAddress()
873     {
874         return &m_butterfly;
875     }
876
877     JS_EXPORT_PRIVATE JSValue getMethod(ExecState*, CallData&, CallType&, const Identifier&, const String& errorMessage);
878
879     bool canPerformFastPutInline(VM&, PropertyName);
880     bool canPerformFastPutInlineExcludingProto(VM&);
881
882     bool mayBePrototype() const;
883     void didBecomePrototype();
884
885     DECLARE_EXPORT_INFO;
886
887 protected:
888     void finishCreation(VM& vm)
889     {
890         Base::finishCreation(vm);
891         ASSERT(jsDynamicCast<JSObject*>(vm, this));
892         ASSERT(structure(vm)->hasPolyProto() || getPrototypeDirect(vm).isNull() || Heap::heap(this) == Heap::heap(getPrototypeDirect(vm)));
893         ASSERT(structure(vm)->isObject());
894         ASSERT(classInfo(vm));
895     }
896
897     static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
898     {
899         return Structure::create(vm, globalObject, prototype, TypeInfo(ObjectType, StructureFlags), info());
900     }
901
902     // To instantiate objects you likely want JSFinalObject, below.
903     // To create derived types you likely want JSNonFinalObject, below.
904     JSObject(VM&, Structure*, Butterfly* = nullptr);
905     
906     // Visits the butterfly unless there is a race. Returns the structure if there was no race.
907     Structure* visitButterfly(SlotVisitor&);
908     
909     Structure* visitButterflyImpl(SlotVisitor&);
910     
911     void markAuxiliaryAndVisitOutOfLineProperties(SlotVisitor&, Butterfly*, Structure*, PropertyOffset lastOffset);
912
913     // Call this if you know that the object is in a mode where it has array
914     // storage. This will assert otherwise.
915     ArrayStorage* arrayStorage()
916     {
917         ASSERT(hasAnyArrayStorage(indexingType()));
918         return m_butterfly->arrayStorage();
919     }
920         
921     // Call this if you want to predicate some actions on whether or not the
922     // object is in a mode where it has array storage.
923     ArrayStorage* arrayStorageOrNull()
924     {
925         switch (indexingType()) {
926         case ALL_ARRAY_STORAGE_INDEXING_TYPES:
927             return m_butterfly->arrayStorage();
928                 
929         default:
930             return 0;
931         }
932     }
933         
934     size_t butterflyTotalSize();
935     size_t butterflyPreCapacity();
936
937     Butterfly* createInitialUndecided(VM&, unsigned length);
938     ContiguousJSValues createInitialInt32(VM&, unsigned length);
939     ContiguousDoubles createInitialDouble(VM&, unsigned length);
940     ContiguousJSValues createInitialContiguous(VM&, unsigned length);
941
942     void convertUndecidedForValue(VM&, JSValue);
943     void createInitialForValueAndSet(VM&, unsigned index, JSValue);
944     void convertInt32ForValue(VM&, JSValue);
945     void convertDoubleForValue(VM&, JSValue);
946     void convertFromCopyOnWrite(VM&);
947
948     static Butterfly* createArrayStorageButterfly(VM&, JSObject* intendedOwner, Structure*, unsigned length, unsigned vectorLength, Butterfly* oldButterfly = nullptr);
949     ArrayStorage* createArrayStorage(VM&, unsigned length, unsigned vectorLength);
950     ArrayStorage* createInitialArrayStorage(VM&);
951         
952     ContiguousJSValues convertUndecidedToInt32(VM&);
953     ContiguousDoubles convertUndecidedToDouble(VM&);
954     ContiguousJSValues convertUndecidedToContiguous(VM&);
955     ArrayStorage* convertUndecidedToArrayStorage(VM&, NonPropertyTransition);
956     ArrayStorage* convertUndecidedToArrayStorage(VM&);
957         
958     ContiguousDoubles convertInt32ToDouble(VM&);
959     ContiguousJSValues convertInt32ToContiguous(VM&);
960     ArrayStorage* convertInt32ToArrayStorage(VM&, NonPropertyTransition);
961     ArrayStorage* convertInt32ToArrayStorage(VM&);
962
963     ContiguousJSValues convertDoubleToContiguous(VM&);
964     ArrayStorage* convertDoubleToArrayStorage(VM&, NonPropertyTransition);
965     ArrayStorage* convertDoubleToArrayStorage(VM&);
966         
967     ArrayStorage* convertContiguousToArrayStorage(VM&, NonPropertyTransition);
968     ArrayStorage* convertContiguousToArrayStorage(VM&);
969
970         
971     ArrayStorage* ensureArrayStorageExistsAndEnterDictionaryIndexingMode(VM&);
972         
973     bool defineOwnNonIndexProperty(ExecState*, PropertyName, const PropertyDescriptor&, bool throwException);
974
975     template<IndexingType indexingShape>
976     bool putByIndexBeyondVectorLengthWithoutAttributes(ExecState*, unsigned propertyName, JSValue);
977     bool putByIndexBeyondVectorLengthWithArrayStorage(ExecState*, unsigned propertyName, JSValue, bool shouldThrow, ArrayStorage*);
978
979     bool increaseVectorLength(VM&, unsigned newLength);
980     void deallocateSparseIndexMap();
981     bool defineOwnIndexedProperty(ExecState*, unsigned, const PropertyDescriptor&, bool throwException);
982     SparseArrayValueMap* allocateSparseIndexMap(VM&);
983         
984     void notifyPresenceOfIndexedAccessors(VM&);
985         
986     bool attemptToInterceptPutByIndexOnHole(ExecState*, unsigned index, JSValue, bool shouldThrow, bool& putResult);
987         
988     // Call this if you want setIndexQuickly to succeed and you're sure that
989     // the array is contiguous.
990     bool WARN_UNUSED_RETURN ensureLength(VM& vm, unsigned length)
991     {
992         RELEASE_ASSERT(length <= MAX_STORAGE_VECTOR_LENGTH);
993         ASSERT(hasContiguous(indexingType()) || hasInt32(indexingType()) || hasDouble(indexingType()) || hasUndecided(indexingType()));
994
995         if (m_butterfly->vectorLength() < length || isCopyOnWrite(indexingMode())) {
996             if (!ensureLengthSlow(vm, length))
997                 return false;
998         }
999             
1000         if (m_butterfly->publicLength() < length)
1001             m_butterfly->setPublicLength(length);
1002         return true;
1003     }
1004         
1005     // Call this if you want to shrink the butterfly backing store, and you're
1006     // sure that the array is contiguous.
1007     void reallocateAndShrinkButterfly(VM&, unsigned length);
1008     
1009     template<IndexingType indexingShape>
1010     unsigned countElements(Butterfly*);
1011         
1012     // This is relevant to undecided, int32, double, and contiguous.
1013     unsigned countElements();
1014         
1015 private:
1016     friend class LLIntOffsetsExtractor;
1017     friend class VMInspector;
1018
1019     // Nobody should ever ask any of these questions on something already known to be a JSObject.
1020     using JSCell::isAPIValueWrapper;
1021     using JSCell::isGetterSetter;
1022     void getObject();
1023     void getString(ExecState* exec);
1024     void isObject();
1025     void isString();
1026         
1027     Butterfly* createInitialIndexedStorage(VM&, unsigned length);
1028         
1029     ArrayStorage* enterDictionaryIndexingModeWhenArrayStorageAlreadyExists(VM&, ArrayStorage*);
1030         
1031     template<PutMode>
1032     bool putDirectInternal(VM&, PropertyName, JSValue, unsigned attr, PutPropertySlot&);
1033
1034     JS_EXPORT_PRIVATE NEVER_INLINE bool putInlineSlow(ExecState*, PropertyName, JSValue, PutPropertySlot&);
1035
1036     bool getNonIndexPropertySlot(ExecState*, PropertyName, PropertySlot&);
1037     bool getOwnNonIndexPropertySlot(VM&, Structure*, PropertyName, PropertySlot&);
1038     JS_EXPORT_PRIVATE void fillGetterPropertySlot(VM&, PropertySlot&, JSCell*, unsigned, PropertyOffset);
1039     void fillCustomGetterPropertySlot(VM&, PropertySlot&, CustomGetterSetter*, unsigned, Structure*);
1040
1041     JS_EXPORT_PRIVATE bool getOwnStaticPropertySlot(VM&, PropertyName, PropertySlot&);
1042     struct PropertyHashEntry {
1043         const HashTable* table;
1044         const HashTableValue* value;
1045     };
1046     Optional<PropertyHashEntry> findPropertyHashEntry(VM&, PropertyName) const;
1047         
1048     bool putByIndexBeyondVectorLength(ExecState*, unsigned propertyName, JSValue, bool shouldThrow);
1049     bool putDirectIndexBeyondVectorLengthWithArrayStorage(ExecState*, unsigned propertyName, JSValue, unsigned attributes, PutDirectIndexMode, ArrayStorage*);
1050     JS_EXPORT_PRIVATE bool putDirectIndexSlowOrBeyondVectorLength(ExecState*, unsigned propertyName, JSValue, unsigned attributes, PutDirectIndexMode);
1051         
1052     unsigned getNewVectorLength(VM&, unsigned indexBias, unsigned currentVectorLength, unsigned currentLength, unsigned desiredLength);
1053     unsigned getNewVectorLength(VM&, unsigned desiredLength);
1054
1055     ArrayStorage* constructConvertedArrayStorageWithoutCopyingElements(VM&, unsigned neededLength);
1056         
1057     JS_EXPORT_PRIVATE void setIndexQuicklyToUndecided(VM&, unsigned index, JSValue);
1058     JS_EXPORT_PRIVATE void convertInt32ToDoubleOrContiguousWhilePerformingSetIndex(VM&, unsigned index, JSValue);
1059     JS_EXPORT_PRIVATE void convertDoubleToContiguousWhilePerformingSetIndex(VM&, unsigned index, JSValue);
1060         
1061     bool ensureLengthSlow(VM&, unsigned length);
1062         
1063     ContiguousJSValues tryMakeWritableInt32Slow(VM&);
1064     ContiguousDoubles tryMakeWritableDoubleSlow(VM&);
1065     ContiguousJSValues tryMakeWritableContiguousSlow(VM&);
1066     JS_EXPORT_PRIVATE ArrayStorage* ensureArrayStorageSlow(VM&);
1067
1068     PropertyOffset prepareToPutDirectWithoutTransition(VM&, PropertyName, unsigned attributes, StructureID, Structure*);
1069
1070     AuxiliaryBarrier<Butterfly*> m_butterfly;
1071 #if CPU(ADDRESS32)
1072     unsigned m_32BitPadding;
1073 #endif
1074 };
1075
1076 // JSNonFinalObject is a type of JSObject that has some internal storage,
1077 // but also preserves some space in the collector cell for additional
1078 // data members in derived types.
1079 class JSNonFinalObject : public JSObject {
1080     friend class JSObject;
1081
1082 public:
1083     typedef JSObject Base;
1084
1085     static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
1086     {
1087         return Structure::create(vm, globalObject, prototype, TypeInfo(ObjectType, StructureFlags), info());
1088     }
1089
1090 protected:
1091     explicit JSNonFinalObject(VM& vm, Structure* structure, Butterfly* butterfly = 0)
1092         : JSObject(vm, structure, butterfly)
1093     {
1094     }
1095
1096     void finishCreation(VM& vm)
1097     {
1098         Base::finishCreation(vm);
1099         ASSERT(!this->structure(vm)->hasInlineStorage());
1100         ASSERT(classInfo(vm));
1101     }
1102 };
1103
1104 class JSFinalObject;
1105
1106 // JSFinalObject is a type of JSObject that contains sufficient internal
1107 // storage to fully make use of the collector cell containing it.
1108 class JSFinalObject final : public JSObject {
1109     friend class JSObject;
1110
1111 public:
1112     typedef JSObject Base;
1113     static const unsigned StructureFlags = Base::StructureFlags;
1114
1115     static size_t allocationSize(Checked<size_t> inlineCapacity)
1116     {
1117         return (sizeof(JSObject) + inlineCapacity * sizeof(WriteBarrierBase<Unknown>)).unsafeGet();
1118     }
1119
1120     static inline const TypeInfo typeInfo() { return TypeInfo(FinalObjectType, StructureFlags); }
1121     static const IndexingType defaultIndexingType = NonArray;
1122         
1123     static const unsigned defaultSize = 64;
1124     static inline unsigned defaultInlineCapacity()
1125     {
1126         return (defaultSize - allocationSize(0)) / sizeof(WriteBarrier<Unknown>);
1127     }
1128
1129     static const unsigned maxSize = 512;
1130     static inline unsigned maxInlineCapacity()
1131     {
1132         return (maxSize - allocationSize(0)) / sizeof(WriteBarrier<Unknown>);
1133     }
1134
1135     static JSFinalObject* create(ExecState*, Structure*, Butterfly* = nullptr);
1136     static JSFinalObject* create(VM&, Structure*);
1137     static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype, unsigned inlineCapacity)
1138     {
1139         return Structure::create(vm, globalObject, prototype, typeInfo(), info(), defaultIndexingType, inlineCapacity);
1140     }
1141
1142     JS_EXPORT_PRIVATE static void visitChildren(JSCell*, SlotVisitor&);
1143
1144     DECLARE_EXPORT_INFO;
1145
1146 protected:
1147     void visitChildrenCommon(SlotVisitor&);
1148         
1149     void finishCreation(VM& vm)
1150     {
1151         Base::finishCreation(vm);
1152         ASSERT(structure(vm)->totalStorageCapacity() == structure(vm)->inlineCapacity());
1153         ASSERT(classInfo(vm));
1154     }
1155
1156 private:
1157     friend class LLIntOffsetsExtractor;
1158
1159     explicit JSFinalObject(VM& vm, Structure* structure, Butterfly* butterfly = nullptr)
1160         : JSObject(vm, structure, butterfly)
1161     {
1162         memset(inlineStorageUnsafe(), 0, structure->inlineCapacity() * sizeof(EncodedJSValue));
1163     }
1164 };
1165
1166 JS_EXPORT_PRIVATE EncodedJSValue JSC_HOST_CALL objectPrivateFuncInstanceOf(ExecState*);
1167
1168 inline JSObject* JSObject::createRawObject(
1169     ExecState* exec, Structure* structure, Butterfly* butterfly)
1170 {
1171     VM& vm = exec->vm();
1172     JSObject* finalObject = new (
1173         NotNull, 
1174         allocateCell<JSFinalObject>(
1175             vm.heap,
1176             JSFinalObject::allocationSize(structure->inlineCapacity())
1177         )
1178     ) JSObject(vm, structure, butterfly);
1179     finalObject->finishCreation(vm);
1180     return finalObject;
1181 }
1182
1183 inline JSFinalObject* JSFinalObject::create(
1184     ExecState* exec, Structure* structure, Butterfly* butterfly)
1185 {
1186     VM& vm = exec->vm();
1187     JSFinalObject* finalObject = new (
1188         NotNull, 
1189         allocateCell<JSFinalObject>(
1190             vm.heap,
1191             allocationSize(structure->inlineCapacity())
1192         )
1193     ) JSFinalObject(vm, structure, butterfly);
1194     finalObject->finishCreation(vm);
1195     return finalObject;
1196 }
1197
1198 inline JSFinalObject* JSFinalObject::create(VM& vm, Structure* structure)
1199 {
1200     JSFinalObject* finalObject = new (NotNull, allocateCell<JSFinalObject>(vm.heap, allocationSize(structure->inlineCapacity()))) JSFinalObject(vm, structure);
1201     finalObject->finishCreation(vm);
1202     return finalObject;
1203 }
1204
1205 inline size_t JSObject::offsetOfInlineStorage()
1206 {
1207     return sizeof(JSObject);
1208 }
1209
1210 inline bool JSObject::isGlobalObject() const
1211 {
1212     return type() == GlobalObjectType;
1213 }
1214
1215 inline bool JSObject::isJSLexicalEnvironment() const
1216 {
1217     return type() == LexicalEnvironmentType || type() == ModuleEnvironmentType;
1218 }
1219
1220 inline bool JSObject::isGlobalLexicalEnvironment() const
1221 {
1222     return type() == GlobalLexicalEnvironmentType;
1223 }
1224
1225 inline bool JSObject::isStrictEvalActivation() const
1226 {
1227     return type() == StrictEvalActivationType;
1228 }
1229
1230 inline bool JSObject::isEnvironment() const
1231 {
1232     bool result = GlobalObjectType <= type() && type() <= StrictEvalActivationType;
1233     ASSERT((isGlobalObject() || isJSLexicalEnvironment() || isGlobalLexicalEnvironment() || isStrictEvalActivation()) == result);
1234     return result;
1235 }
1236
1237 inline bool JSObject::isErrorInstance() const
1238 {
1239     return type() == ErrorInstanceType;
1240 }
1241
1242 inline bool JSObject::isWithScope() const
1243 {
1244     return type() == WithScopeType;
1245 }
1246
1247 inline void JSObject::setStructure(VM& vm, Structure* structure)
1248 {
1249     ASSERT(structure);
1250     ASSERT(!m_butterfly == !(structure->outOfLineCapacity() || structure->hasIndexingHeader(this)));
1251     JSCell::setStructure(vm, structure);
1252 }
1253
1254 inline void JSObject::setButterfly(VM& vm, Butterfly* butterfly)
1255 {
1256     if (isX86() || vm.heap.mutatorShouldBeFenced()) {
1257         WTF::storeStoreFence();
1258         m_butterfly.set(vm, this, butterfly);
1259         WTF::storeStoreFence();
1260         return;
1261     }
1262
1263     m_butterfly.set(vm, this, butterfly);
1264 }
1265
1266 inline void JSObject::nukeStructureAndSetButterfly(VM& vm, StructureID oldStructureID, Butterfly* butterfly)
1267 {
1268     if (isX86() || vm.heap.mutatorShouldBeFenced()) {
1269         setStructureIDDirectly(nuke(oldStructureID));
1270         WTF::storeStoreFence();
1271         m_butterfly.set(vm, this, butterfly);
1272         WTF::storeStoreFence();
1273         return;
1274     }
1275
1276     m_butterfly.set(vm, this, butterfly);
1277 }
1278
1279 inline CallType getCallData(VM& vm, JSValue value, CallData& callData)
1280 {
1281     CallType result = value.isCell() ? value.asCell()->methodTable(vm)->getCallData(value.asCell(), callData) : CallType::None;
1282     ASSERT(result == CallType::None || value.isValidCallee());
1283     return result;
1284 }
1285
1286 inline ConstructType getConstructData(VM& vm, JSValue value, ConstructData& constructData)
1287 {
1288     ConstructType result = value.isCell() ? value.asCell()->methodTable(vm)->getConstructData(value.asCell(), constructData) : ConstructType::None;
1289     ASSERT(result == ConstructType::None || value.isValidCallee());
1290     return result;
1291 }
1292
1293 inline JSObject* asObject(JSCell* cell)
1294 {
1295     ASSERT(cell->isObject());
1296     return jsCast<JSObject*>(cell);
1297 }
1298
1299 inline JSObject* asObject(JSValue value)
1300 {
1301     return asObject(value.asCell());
1302 }
1303
1304 inline JSObject::JSObject(VM& vm, Structure* structure, Butterfly* butterfly)
1305     : JSCell(vm, structure)
1306     , m_butterfly(vm, this, butterfly)
1307 {
1308 }
1309
1310 inline JSValue JSObject::getPrototypeDirect(VM& vm) const
1311 {
1312     return structure(vm)->storedPrototype(this);
1313 }
1314
1315 inline JSValue JSObject::getPrototype(VM& vm, ExecState* exec)
1316 {
1317     auto getPrototypeMethod = methodTable(vm)->getPrototype;
1318     MethodTable::GetPrototypeFunctionPtr defaultGetPrototype = JSObject::getPrototype;
1319     if (LIKELY(getPrototypeMethod == defaultGetPrototype))
1320         return getPrototypeDirect(vm);
1321     return getPrototypeMethod(this, exec);
1322 }
1323
1324 // Normally, we never shrink the butterfly so if we know an offset is valid for some
1325 // past structure then it should be valid for any new structure. However, we may sometimes
1326 // shrink the butterfly when we are holding the Structure's ConcurrentJSLock, such as when we
1327 // flatten an object.
1328 inline JSValue JSObject::getDirectConcurrently(Structure* structure, PropertyOffset offset) const
1329 {
1330     ConcurrentJSLocker locker(structure->lock());
1331     if (!structure->isValidOffset(offset))
1332         return { };
1333     return getDirect(offset);
1334 }
1335
1336 // It is safe to call this method with a PropertyName that is actually an index,
1337 // but if so will always return false (doesn't search index storage).
1338 ALWAYS_INLINE bool JSObject::getOwnNonIndexPropertySlot(VM& vm, Structure* structure, PropertyName propertyName, PropertySlot& slot)
1339 {
1340     unsigned attributes;
1341     PropertyOffset offset = structure->get(vm, propertyName, attributes);
1342     if (!isValidOffset(offset)) {
1343         if (!TypeInfo::hasStaticPropertyTable(inlineTypeFlags()))
1344             return false;
1345         return getOwnStaticPropertySlot(vm, propertyName, slot);
1346     }
1347     
1348     // getPropertySlot relies on this method never returning index properties!
1349     ASSERT(!parseIndex(propertyName));
1350
1351     JSValue value = getDirect(offset);
1352     if (value.isCell()) {
1353         ASSERT(value);
1354         JSCell* cell = value.asCell();
1355         JSType type = cell->type();
1356         switch (type) {
1357         case GetterSetterType:
1358             fillGetterPropertySlot(vm, slot, cell, attributes, offset);
1359             return true;
1360         case CustomGetterSetterType:
1361             fillCustomGetterPropertySlot(vm, slot, jsCast<CustomGetterSetter*>(cell), attributes, structure);
1362             return true;
1363         default:
1364             break;
1365         }
1366     }
1367     
1368     slot.setValue(this, attributes, value, offset);
1369     return true;
1370 }
1371
1372 ALWAYS_INLINE void JSObject::fillCustomGetterPropertySlot(VM& vm, PropertySlot& slot, CustomGetterSetter* customGetterSetter, unsigned attributes, Structure* structure)
1373 {
1374     ASSERT(attributes & PropertyAttribute::CustomAccessorOrValue);
1375     if (customGetterSetter->inherits<DOMAttributeGetterSetter>(vm)) {
1376         auto* domAttribute = jsCast<DOMAttributeGetterSetter*>(customGetterSetter);
1377         if (structure->isUncacheableDictionary())
1378             slot.setCustom(this, attributes, domAttribute->getter(), domAttribute->domAttribute());
1379         else
1380             slot.setCacheableCustom(this, attributes, domAttribute->getter(), domAttribute->domAttribute());
1381         return;
1382     }
1383
1384     if (structure->isUncacheableDictionary())
1385         slot.setCustom(this, attributes, customGetterSetter->getter());
1386     else
1387         slot.setCacheableCustom(this, attributes, customGetterSetter->getter());
1388 }
1389
1390 // It may seem crazy to inline a function this large, especially a virtual function,
1391 // but it makes a big difference to property lookup that derived classes can inline their
1392 // base class call to this.
1393 ALWAYS_INLINE bool JSObject::getOwnPropertySlot(JSObject* object, ExecState* exec, PropertyName propertyName, PropertySlot& slot)
1394 {
1395     VM& vm = exec->vm();
1396     Structure* structure = object->structure(vm);
1397     if (object->getOwnNonIndexPropertySlot(vm, structure, propertyName, slot))
1398         return true;
1399     if (Optional<uint32_t> index = parseIndex(propertyName))
1400         return getOwnPropertySlotByIndex(object, exec, index.value(), slot);
1401     return false;
1402 }
1403
1404 // It may seem crazy to inline a function this large but it makes a big difference
1405 // since this is function very hot in variable lookup
1406 template<bool checkNullStructure>
1407 ALWAYS_INLINE bool JSObject::getPropertySlot(ExecState* exec, PropertyName propertyName, PropertySlot& slot)
1408 {
1409     VM& vm = exec->vm();
1410     auto& structureIDTable = vm.heap.structureIDTable();
1411     JSObject* object = this;
1412     while (true) {
1413         if (UNLIKELY(TypeInfo::overridesGetOwnPropertySlot(object->inlineTypeFlags()))) {
1414             // If propertyName is an index then we may have missed it (as this loop is using
1415             // getOwnNonIndexPropertySlot), so we cannot safely call the overridden getOwnPropertySlot
1416             // (lest we return a property from a prototype that is shadowed). Check now for an index,
1417             // if so we need to start afresh from this object.
1418             if (Optional<uint32_t> index = parseIndex(propertyName))
1419                 return getPropertySlot(exec, index.value(), slot);
1420             // Safe to continue searching from current position; call getNonIndexPropertySlot to avoid
1421             // parsing the int again.
1422             return object->getNonIndexPropertySlot(exec, propertyName, slot);
1423         }
1424         ASSERT(object->type() != ProxyObjectType);
1425         Structure* structure = structureIDTable.get(object->structureID());
1426 #if USE(JSVALUE64)
1427         if (checkNullStructure && UNLIKELY(!structure))
1428             CRASH_WITH_INFO(object->type(), object->structureID(), structureIDTable.size());
1429 #endif
1430         if (object->getOwnNonIndexPropertySlot(vm, structure, propertyName, slot))
1431             return true;
1432         // FIXME: This doesn't look like it's following the specification:
1433         // https://bugs.webkit.org/show_bug.cgi?id=172572
1434         JSValue prototype = structure->storedPrototype(object);
1435         if (!prototype.isObject())
1436             break;
1437         object = asObject(prototype);
1438     }
1439
1440     if (Optional<uint32_t> index = parseIndex(propertyName))
1441         return getPropertySlot(exec, index.value(), slot);
1442     return false;
1443 }
1444
1445 inline JSValue JSObject::get(ExecState* exec, PropertyName propertyName) const
1446 {
1447     VM& vm = exec->vm();
1448     auto scope = DECLARE_THROW_SCOPE(vm);
1449     PropertySlot slot(this, PropertySlot::InternalMethodType::Get);
1450     bool hasProperty = const_cast<JSObject*>(this)->getPropertySlot(exec, propertyName, slot);
1451     EXCEPTION_ASSERT(!scope.exception() || !hasProperty);
1452     if (hasProperty)
1453         RELEASE_AND_RETURN(scope, slot.getValue(exec, propertyName));
1454
1455     return jsUndefined();
1456 }
1457
1458 inline JSValue JSObject::get(ExecState* exec, unsigned propertyName) const
1459 {
1460     VM& vm = exec->vm();
1461     auto scope = DECLARE_THROW_SCOPE(vm);
1462     PropertySlot slot(this, PropertySlot::InternalMethodType::Get);
1463     bool hasProperty = const_cast<JSObject*>(this)->getPropertySlot(exec, propertyName, slot);
1464     EXCEPTION_ASSERT(!scope.exception() || !hasProperty);
1465     if (hasProperty)
1466         RELEASE_AND_RETURN(scope, slot.getValue(exec, propertyName));
1467
1468     return jsUndefined();
1469 }
1470
1471 inline bool JSObject::putOwnDataProperty(VM& vm, PropertyName propertyName, JSValue value, PutPropertySlot& slot)
1472 {
1473     ASSERT(value);
1474     ASSERT(!Heap::heap(value) || Heap::heap(value) == Heap::heap(this));
1475     ASSERT(!structure(vm)->hasGetterSetterProperties());
1476     ASSERT(!structure(vm)->hasCustomGetterSetterProperties());
1477
1478     return putDirectInternal<PutModePut>(vm, propertyName, value, 0, slot);
1479 }
1480
1481 inline bool JSObject::putOwnDataPropertyMayBeIndex(ExecState* exec, PropertyName propertyName, JSValue value, PutPropertySlot& slot)
1482 {
1483     VM& vm = exec->vm();
1484     ASSERT(value);
1485     ASSERT(!Heap::heap(value) || Heap::heap(value) == Heap::heap(this));
1486     ASSERT(!structure(vm)->hasGetterSetterProperties());
1487     ASSERT(!structure(vm)->hasCustomGetterSetterProperties());
1488
1489     if (Optional<uint32_t> index = parseIndex(propertyName))
1490         return putDirectIndex(exec, index.value(), value, 0, PutDirectIndexLikePutDirect);
1491
1492     return putDirectInternal<PutModePut>(vm, propertyName, value, 0, slot);
1493 }
1494
1495 inline bool JSObject::putDirect(VM& vm, PropertyName propertyName, JSValue value, unsigned attributes)
1496 {
1497     ASSERT(!value.isGetterSetter() && !(attributes & PropertyAttribute::Accessor));
1498     ASSERT(!value.isCustomGetterSetter() && !(attributes & PropertyAttribute::CustomAccessorOrValue));
1499     PutPropertySlot slot(this);
1500     return putDirectInternal<PutModeDefineOwnProperty>(vm, propertyName, value, attributes, slot);
1501 }
1502
1503 inline bool JSObject::putDirect(VM& vm, PropertyName propertyName, JSValue value, PutPropertySlot& slot)
1504 {
1505     ASSERT(!value.isGetterSetter());
1506     ASSERT(!value.isCustomGetterSetter());
1507     return putDirectInternal<PutModeDefineOwnProperty>(vm, propertyName, value, 0, slot);
1508 }
1509
1510 ALWAYS_INLINE JSObject* Register::object() const
1511 {
1512     return asObject(jsValue());
1513 }
1514
1515 ALWAYS_INLINE Register& Register::operator=(JSObject* object)
1516 {
1517     u.value = JSValue::encode(JSValue(object));
1518     return *this;
1519 }
1520
1521 inline size_t offsetInButterfly(PropertyOffset offset)
1522 {
1523     return offsetInOutOfLineStorage(offset) + Butterfly::indexOfPropertyStorage();
1524 }
1525
1526 inline size_t JSObject::butterflyPreCapacity()
1527 {
1528     VM& vm = *this->vm();
1529     if (UNLIKELY(hasIndexingHeader(vm)))
1530         return butterfly()->indexingHeader()->preCapacity(structure(vm));
1531     return 0;
1532 }
1533
1534 inline size_t JSObject::butterflyTotalSize()
1535 {
1536     VM& vm = *this->vm();
1537     Structure* structure = this->structure(vm);
1538     Butterfly* butterfly = this->butterfly();
1539     size_t preCapacity;
1540     size_t indexingPayloadSizeInBytes;
1541     bool hasIndexingHeader = this->hasIndexingHeader(vm);
1542
1543     if (UNLIKELY(hasIndexingHeader)) {
1544         preCapacity = butterfly->indexingHeader()->preCapacity(structure);
1545         indexingPayloadSizeInBytes = butterfly->indexingHeader()->indexingPayloadSizeInBytes(structure);
1546     } else {
1547         preCapacity = 0;
1548         indexingPayloadSizeInBytes = 0;
1549     }
1550
1551     return Butterfly::totalSize(preCapacity, structure->outOfLineCapacity(), hasIndexingHeader, indexingPayloadSizeInBytes);
1552 }
1553
1554 inline int indexRelativeToBase(PropertyOffset offset)
1555 {
1556     if (isOutOfLineOffset(offset))
1557         return offsetInOutOfLineStorage(offset) + Butterfly::indexOfPropertyStorage();
1558     ASSERT(!(JSObject::offsetOfInlineStorage() % sizeof(EncodedJSValue)));
1559     return JSObject::offsetOfInlineStorage() / sizeof(EncodedJSValue) + offsetInInlineStorage(offset);
1560 }
1561
1562 inline int offsetRelativeToBase(PropertyOffset offset)
1563 {
1564     if (isOutOfLineOffset(offset))
1565         return offsetInOutOfLineStorage(offset) * sizeof(EncodedJSValue) + Butterfly::offsetOfPropertyStorage();
1566     return JSObject::offsetOfInlineStorage() + offsetInInlineStorage(offset) * sizeof(EncodedJSValue);
1567 }
1568
1569 // Returns the maximum offset (away from zero) a load instruction will encode.
1570 inline size_t maxOffsetRelativeToBase(PropertyOffset offset)
1571 {
1572     ptrdiff_t addressOffset = offsetRelativeToBase(offset);
1573 #if USE(JSVALUE32_64)
1574     if (addressOffset >= 0)
1575         return static_cast<size_t>(addressOffset) + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.tag);
1576 #endif
1577     return static_cast<size_t>(addressOffset);
1578 }
1579
1580 COMPILE_ASSERT(!(sizeof(JSObject) % sizeof(WriteBarrierBase<Unknown>)), JSObject_inline_storage_has_correct_alignment);
1581
1582 template<unsigned charactersCount>
1583 ALWAYS_INLINE Identifier makeIdentifier(VM& vm, const char (&characters)[charactersCount])
1584 {
1585     return Identifier::fromString(&vm, characters);
1586 }
1587
1588 ALWAYS_INLINE Identifier makeIdentifier(VM& vm, const char* name)
1589 {
1590     return Identifier::fromString(&vm, name);
1591 }
1592
1593 ALWAYS_INLINE Identifier makeIdentifier(VM&, const Identifier& name)
1594 {
1595     return name;
1596 }
1597
1598 bool validateAndApplyPropertyDescriptor(ExecState*, JSObject*, PropertyName, bool isExtensible,
1599     const PropertyDescriptor& descriptor, bool isCurrentDefined, const PropertyDescriptor& current, bool throwException);
1600
1601 JS_EXPORT_PRIVATE NEVER_INLINE bool ordinarySetSlow(ExecState*, JSObject*, PropertyName, JSValue, JSValue receiver, bool shouldThrow);
1602
1603 // Helper for defining native functions, if you're not using a static hash table.
1604 // Use this macro from within finishCreation() methods in prototypes. This assumes
1605 // you've defined variables called exec, globalObject, and vm, and they
1606 // have the expected meanings.
1607 #define JSC_NATIVE_INTRINSIC_FUNCTION(jsName, cppName, attributes, length, intrinsic) \
1608     putDirectNativeFunction(\
1609         vm, globalObject, makeIdentifier(vm, (jsName)), (length), cppName, \
1610         (intrinsic), (attributes))
1611
1612 #define JSC_NATIVE_INTRINSIC_FUNCTION_WITHOUT_TRANSITION(jsName, cppName, attributes, length, intrinsic) \
1613     putDirectNativeFunctionWithoutTransition(\
1614         vm, globalObject, makeIdentifier(vm, (jsName)), (length), cppName, \
1615         (intrinsic), (attributes))
1616
1617 // As above, but this assumes that the function you're defining doesn't have an
1618 // intrinsic.
1619 #define JSC_NATIVE_FUNCTION(jsName, cppName, attributes, length) \
1620     JSC_NATIVE_INTRINSIC_FUNCTION(jsName, cppName, (attributes), (length), NoIntrinsic)
1621
1622 #define JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION(jsName, cppName, attributes, length) \
1623     JSC_NATIVE_INTRINSIC_FUNCTION_WITHOUT_TRANSITION(jsName, cppName, (attributes), (length), NoIntrinsic)
1624
1625 // Identical helpers but for builtins. Note that currently, we don't support builtins that are
1626 // also intrinsics, but we probably will do that eventually.
1627 #define JSC_BUILTIN_FUNCTION(jsName, generatorName, attributes) \
1628     putDirectBuiltinFunction(\
1629         vm, globalObject, makeIdentifier(vm, (jsName)), (generatorName)(vm), (attributes))
1630
1631 #define JSC_BUILTIN_FUNCTION_WITHOUT_TRANSITION(jsName, generatorName, attributes) \
1632     putDirectBuiltinFunctionWithoutTransition(\
1633         vm, globalObject, makeIdentifier(vm, (jsName)), (generatorName)(vm), (attributes))
1634
1635 // Helper for defining native getters on properties.
1636 #define JSC_NATIVE_INTRINSIC_GETTER(jsName, cppName, attributes, intrinsic)  \
1637     putDirectNativeIntrinsicGetter(\
1638         vm, globalObject, makeIdentifier(vm, (jsName)), (cppName), \
1639         (intrinsic), ((attributes) | PropertyAttribute::Accessor))
1640
1641 #define JSC_NATIVE_GETTER(jsName, cppName, attributes) \
1642     JSC_NATIVE_INTRINSIC_GETTER((jsName), (cppName), (attributes), NoIntrinsic)
1643
1644 } // namespace JSC