[JSC] Array.prototype.reverse modifies JSImmutableButterfly
[WebKit-https.git] / Source / JavaScriptCore / runtime / JSObject.h
1 /*
2  *  Copyright (C) 1999-2001 Harri Porten (porten@kde.org)
3  *  Copyright (C) 2001 Peter Kelly (pmk@post.com)
4  *  Copyright (C) 2003-2018 Apple Inc. All rights reserved.
5  *
6  *  This library is free software; you can redistribute it and/or
7  *  modify it under the terms of the GNU Library General Public
8  *  License as published by the Free Software Foundation; either
9  *  version 2 of the License, or (at your option) any later version.
10  *
11  *  This library is distributed in the hope that it will be useful,
12  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
13  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
14  *  Library General Public License for more details.
15  *
16  *  You should have received a copy of the GNU Library General Public License
17  *  along with this library; see the file COPYING.LIB.  If not, write to
18  *  the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
19  *  Boston, MA 02110-1301, USA.
20  *
21  */
22
23 #pragma once
24
25 #include "ArrayConventions.h"
26 #include "ArrayStorage.h"
27 #include "Butterfly.h"
28 #include "CPU.h"
29 #include "CagedBarrierPtr.h"
30 #include "CallFrame.h"
31 #include "ClassInfo.h"
32 #include "CustomGetterSetter.h"
33 #include "DOMAttributeGetterSetter.h"
34 #include "Heap.h"
35 #include "IndexingHeaderInlines.h"
36 #include "JSCast.h"
37 #include "ObjectInitializationScope.h"
38 #include "PropertySlot.h"
39 #include "PropertyStorage.h"
40 #include "PutDirectIndexMode.h"
41 #include "PutPropertySlot.h"
42 #include "Structure.h"
43 #include "StructureTransitionTable.h"
44 #include "VM.h"
45 #include "JSString.h"
46 #include "SparseArrayValueMap.h"
47 #include <wtf/StdLibExtras.h>
48
49 namespace JSC {
50 namespace DOMJIT {
51 class Signature;
52 }
53
54 inline JSCell* getJSFunction(JSValue value)
55 {
56     if (value.isCell() && (value.asCell()->type() == JSFunctionType))
57         return value.asCell();
58     return 0;
59 }
60
61 class GetterSetter;
62 class InternalFunction;
63 class JSFunction;
64 class LLIntOffsetsExtractor;
65 class MarkedBlock;
66 class PropertyDescriptor;
67 class PropertyNameArray;
68 class Structure;
69 class ThrowScope;
70 struct HashTable;
71 struct HashTableValue;
72
73 JS_EXPORT_PRIVATE JSObject* throwTypeError(ExecState*, ThrowScope&, const String&);
74 extern JS_EXPORT_PRIVATE const ASCIILiteral NonExtensibleObjectPropertyDefineError;
75 extern JS_EXPORT_PRIVATE const ASCIILiteral ReadonlyPropertyWriteError;
76 extern JS_EXPORT_PRIVATE const ASCIILiteral ReadonlyPropertyChangeError;
77 extern JS_EXPORT_PRIVATE const ASCIILiteral UnableToDeletePropertyError;
78 extern JS_EXPORT_PRIVATE const ASCIILiteral UnconfigurablePropertyChangeAccessMechanismError;
79 extern JS_EXPORT_PRIVATE const ASCIILiteral UnconfigurablePropertyChangeConfigurabilityError;
80 extern JS_EXPORT_PRIVATE const ASCIILiteral UnconfigurablePropertyChangeEnumerabilityError;
81 extern JS_EXPORT_PRIVATE const ASCIILiteral UnconfigurablePropertyChangeWritabilityError;
82
83 COMPILE_ASSERT(PropertyAttribute::None < FirstInternalAttribute, None_is_below_FirstInternalAttribute);
84 COMPILE_ASSERT(PropertyAttribute::ReadOnly < FirstInternalAttribute, ReadOnly_is_below_FirstInternalAttribute);
85 COMPILE_ASSERT(PropertyAttribute::DontEnum < FirstInternalAttribute, DontEnum_is_below_FirstInternalAttribute);
86 COMPILE_ASSERT(PropertyAttribute::DontDelete < FirstInternalAttribute, DontDelete_is_below_FirstInternalAttribute);
87 COMPILE_ASSERT(PropertyAttribute::Accessor < FirstInternalAttribute, Accessor_is_below_FirstInternalAttribute);
88
89 class JSFinalObject;
90
91 class JSObject : public JSCell {
92     friend class BatchedTransitionOptimizer;
93     friend class JIT;
94     friend class JSCell;
95     friend class JSFinalObject;
96     friend class MarkedBlock;
97     JS_EXPORT_PRIVATE friend bool setUpStaticFunctionSlot(VM&, const HashTableValue*, JSObject*, PropertyName, PropertySlot&);
98
99     enum PutMode {
100         PutModePut,
101         PutModeDefineOwnProperty,
102     };
103
104 public:
105     typedef JSCell Base;
106
107     template<typename>
108     static CompleteSubspace* subspaceFor(VM& vm)
109     {
110         return &vm.cellJSValueOOBSpace;
111     }
112
113     // This is a super dangerous method for JITs. Sometimes the JITs will want to create either a
114     // JSFinalObject or a JSArray. This is the method that will do that.
115     static JSObject* createRawObject(ExecState* exec, Structure* structure, Butterfly* = nullptr);
116
117     JS_EXPORT_PRIVATE static size_t estimatedSize(JSCell*, VM&);
118     JS_EXPORT_PRIVATE static void visitChildren(JSCell*, SlotVisitor&);
119     JS_EXPORT_PRIVATE static void heapSnapshot(JSCell*, HeapSnapshotBuilder&);
120
121     JS_EXPORT_PRIVATE static String className(const JSObject*, VM&);
122     JS_EXPORT_PRIVATE static String calculatedClassName(JSObject*);
123
124     // This function is what Object.prototype.toString() will use to get the name of
125     // an object when using Symbol.toStringTag fails. For the most part there is no
126     // difference between this and className(). The main use case is for new JS language
127     // objects to set the default tag to "Object".
128     JS_EXPORT_PRIVATE static String toStringName(const JSObject*, ExecState*);
129
130     // This is the fully virtual [[GetPrototypeOf]] internal function defined
131     // in the ECMAScript 6 specification. Use this when doing a [[GetPrototypeOf]] 
132     // operation as dictated in the specification.
133     JSValue getPrototype(VM&, ExecState*);
134     JS_EXPORT_PRIVATE static JSValue getPrototype(JSObject*, ExecState*);
135     // This gets the prototype directly off of the structure. This does not do
136     // dynamic dispatch on the getPrototype method table method. It is not valid 
137     // to use this when performing a [[GetPrototypeOf]] operation in the specification.
138     // It is valid to use though when you know that you want to directly get it
139     // without consulting the method table. This is akin to getting the [[Prototype]]
140     // internal field directly as described in the specification.
141     JSValue getPrototypeDirect(VM&) const;
142
143     // This sets the prototype without checking for cycles and without
144     // doing dynamic dispatch on [[SetPrototypeOf]] operation in the specification.
145     // It is not valid to use this when performing a [[SetPrototypeOf]] operation in
146     // the specification. It is valid to use though when you know that you want to directly
147     // set it without consulting the method table and when you definitely won't
148     // introduce a cycle in the prototype chain. This is akin to setting the
149     // [[Prototype]] internal field directly as described in the specification.
150     JS_EXPORT_PRIVATE void setPrototypeDirect(VM&, JSValue prototype);
151 private:
152     // This is OrdinarySetPrototypeOf in the specification. Section 9.1.2.1
153     // https://tc39.github.io/ecma262/#sec-ordinarysetprototypeof
154     JS_EXPORT_PRIVATE bool setPrototypeWithCycleCheck(VM&, ExecState*, JSValue prototype, bool shouldThrowIfCantSet);
155 public:
156     // This is the fully virtual [[SetPrototypeOf]] internal function defined
157     // in the ECMAScript 6 specification. Use this when doing a [[SetPrototypeOf]] 
158     // operation as dictated in the specification.
159     bool setPrototype(VM&, ExecState*, JSValue prototype, bool shouldThrowIfCantSet = false);
160     JS_EXPORT_PRIVATE static bool setPrototype(JSObject*, ExecState*, JSValue prototype, bool shouldThrowIfCantSet);
161         
162     bool mayInterceptIndexedAccesses(VM& vm)
163     {
164         return structure(vm)->mayInterceptIndexedAccesses();
165     }
166         
167     JSValue get(ExecState*, PropertyName) const;
168     JSValue get(ExecState*, unsigned propertyName) const;
169
170     template<bool checkNullStructure = false>
171     bool getPropertySlot(ExecState*, PropertyName, PropertySlot&);
172     bool getPropertySlot(ExecState*, unsigned propertyName, PropertySlot&);
173     template<typename CallbackWhenNoException> typename std::result_of<CallbackWhenNoException(bool, PropertySlot&)>::type getPropertySlot(ExecState*, PropertyName, CallbackWhenNoException) const;
174     template<typename CallbackWhenNoException> typename std::result_of<CallbackWhenNoException(bool, PropertySlot&)>::type getPropertySlot(ExecState*, PropertyName, PropertySlot&, CallbackWhenNoException) const;
175
176     static bool getOwnPropertySlot(JSObject*, ExecState*, PropertyName, PropertySlot&);
177     JS_EXPORT_PRIVATE static bool getOwnPropertySlotByIndex(JSObject*, ExecState*, unsigned propertyName, PropertySlot&);
178     bool getOwnPropertySlotInline(ExecState*, PropertyName, PropertySlot&);
179
180     // The key difference between this and getOwnPropertySlot is that getOwnPropertySlot
181     // currently returns incorrect results for the DOM window (with non-own properties)
182     // being returned. Once this is fixed we should migrate code & remove this method.
183     JS_EXPORT_PRIVATE bool getOwnPropertyDescriptor(ExecState*, PropertyName, PropertyDescriptor&);
184
185     unsigned getArrayLength() const
186     {
187         if (!hasIndexedProperties(indexingType()))
188             return 0;
189         return m_butterfly->publicLength();
190     }
191         
192     unsigned getVectorLength()
193     {
194         if (!hasIndexedProperties(indexingType()))
195             return 0;
196         return m_butterfly->vectorLength();
197     }
198     
199     static bool putInlineForJSObject(JSCell*, ExecState*, PropertyName, JSValue, PutPropertySlot&);
200     
201     JS_EXPORT_PRIVATE static bool put(JSCell*, ExecState*, PropertyName, JSValue, PutPropertySlot&);
202     // putByIndex assumes that the receiver is this JSCell object.
203     JS_EXPORT_PRIVATE static bool putByIndex(JSCell*, ExecState*, unsigned propertyName, JSValue, bool shouldThrow);
204         
205     // This performs the ECMAScript Set() operation.
206     ALWAYS_INLINE bool putByIndexInline(ExecState* exec, unsigned propertyName, JSValue value, bool shouldThrow)
207     {
208         if (canSetIndexQuickly(propertyName)) {
209             setIndexQuickly(exec->vm(), propertyName, value);
210             return true;
211         }
212         return methodTable(exec->vm())->putByIndex(this, exec, propertyName, value, shouldThrow);
213     }
214         
215     // This is similar to the putDirect* methods:
216     //  - the prototype chain is not consulted
217     //  - accessors are not called.
218     //  - it will ignore extensibility and read-only properties if PutDirectIndexLikePutDirect is passed as the mode (the default).
219     // This method creates a property with attributes writable, enumerable and configurable all set to true if attributes is zero,
220     // otherwise, it creates a property with the provided attributes. Semantically, this is performing defineOwnProperty.
221     bool putDirectIndex(ExecState* exec, unsigned propertyName, JSValue value, unsigned attributes, PutDirectIndexMode mode)
222     {
223         auto canSetIndexQuicklyForPutDirect = [&] () -> bool {
224             switch (indexingMode()) {
225             case ALL_BLANK_INDEXING_TYPES:
226             case ALL_UNDECIDED_INDEXING_TYPES:
227                 return false;
228             case ALL_WRITABLE_INT32_INDEXING_TYPES:
229             case ALL_WRITABLE_DOUBLE_INDEXING_TYPES:
230             case ALL_WRITABLE_CONTIGUOUS_INDEXING_TYPES:
231             case ALL_ARRAY_STORAGE_INDEXING_TYPES:
232                 return propertyName < m_butterfly->vectorLength();
233             default:
234                 if (isCopyOnWrite(indexingMode()))
235                     return false;
236                 RELEASE_ASSERT_NOT_REACHED();
237                 return false;
238             }
239         };
240         
241         if (!attributes && canSetIndexQuicklyForPutDirect()) {
242             setIndexQuickly(exec->vm(), propertyName, value);
243             return true;
244         }
245         return putDirectIndexSlowOrBeyondVectorLength(exec, propertyName, value, attributes, mode);
246     }
247     // This is semantically equivalent to performing defineOwnProperty(propertyName, {configurable:true, writable:true, enumerable:true, value:value}).
248     bool putDirectIndex(ExecState* exec, unsigned propertyName, JSValue value)
249     {
250         return putDirectIndex(exec, propertyName, value, 0, PutDirectIndexLikePutDirect);
251     }
252
253     // A generally non-throwing version of putDirect and putDirectIndex.
254     // However, it's only guaranteed to not throw based on what the receiver is.
255     // For example, if the receiver is a ProxyObject, this is not guaranteed, since
256     // it may call into arbitrary JS code. It's the responsibility of the user of
257     // this API to ensure that the receiver object is a well known type if they
258     // want to ensure that this won't throw an exception.
259     JS_EXPORT_PRIVATE bool putDirectMayBeIndex(ExecState*, PropertyName, JSValue);
260         
261     bool hasIndexingHeader(VM& vm) const
262     {
263         return structure(vm)->hasIndexingHeader(this);
264     }
265     
266     bool canGetIndexQuickly(unsigned i)
267     {
268         Butterfly* butterfly = this->butterfly();
269         switch (indexingType()) {
270         case ALL_BLANK_INDEXING_TYPES:
271         case ALL_UNDECIDED_INDEXING_TYPES:
272             return false;
273         case ALL_INT32_INDEXING_TYPES:
274         case ALL_CONTIGUOUS_INDEXING_TYPES:
275             return i < butterfly->vectorLength() && butterfly->contiguous().at(this, i);
276         case ALL_DOUBLE_INDEXING_TYPES: {
277             if (i >= butterfly->vectorLength())
278                 return false;
279             double value = butterfly->contiguousDouble().at(this, i);
280             if (value != value)
281                 return false;
282             return true;
283         }
284         case ALL_ARRAY_STORAGE_INDEXING_TYPES:
285             return i < butterfly->arrayStorage()->vectorLength() && butterfly->arrayStorage()->m_vector[i];
286         default:
287             RELEASE_ASSERT_NOT_REACHED();
288             return false;
289         }
290     }
291         
292     JSValue getIndexQuickly(unsigned i)
293     {
294         Butterfly* butterfly = this->butterfly();
295         switch (indexingType()) {
296         case ALL_INT32_INDEXING_TYPES:
297             return jsNumber(butterfly->contiguous().at(this, i).get().asInt32());
298         case ALL_CONTIGUOUS_INDEXING_TYPES:
299             return butterfly->contiguous().at(this, i).get();
300         case ALL_DOUBLE_INDEXING_TYPES:
301             return JSValue(JSValue::EncodeAsDouble, butterfly->contiguousDouble().at(this, i));
302         case ALL_ARRAY_STORAGE_INDEXING_TYPES:
303             return butterfly->arrayStorage()->m_vector[i].get();
304         default:
305             RELEASE_ASSERT_NOT_REACHED();
306             return JSValue();
307         }
308     }
309         
310     JSValue tryGetIndexQuickly(unsigned i) const
311     {
312         Butterfly* butterfly = const_cast<JSObject*>(this)->butterfly();
313         switch (indexingType()) {
314         case ALL_BLANK_INDEXING_TYPES:
315         case ALL_UNDECIDED_INDEXING_TYPES:
316             break;
317         case ALL_INT32_INDEXING_TYPES:
318             if (i < butterfly->publicLength()) {
319                 JSValue result = butterfly->contiguous().at(this, i).get();
320                 ASSERT(result.isInt32() || !result);
321                 return result;
322             }
323             break;
324         case ALL_CONTIGUOUS_INDEXING_TYPES:
325             if (i < butterfly->publicLength())
326                 return butterfly->contiguous().at(this, i).get();
327             break;
328         case ALL_DOUBLE_INDEXING_TYPES: {
329             if (i >= butterfly->publicLength())
330                 break;
331             double result = butterfly->contiguousDouble().at(this, i);
332             if (result != result)
333                 break;
334             return JSValue(JSValue::EncodeAsDouble, result);
335         }
336         case ALL_ARRAY_STORAGE_INDEXING_TYPES:
337             if (i < butterfly->arrayStorage()->vectorLength())
338                 return butterfly->arrayStorage()->m_vector[i].get();
339             break;
340         default:
341             RELEASE_ASSERT_NOT_REACHED();
342             break;
343         }
344         return JSValue();
345     }
346         
347     JSValue getDirectIndex(ExecState* exec, unsigned i)
348     {
349         if (JSValue result = tryGetIndexQuickly(i))
350             return result;
351         PropertySlot slot(this, PropertySlot::InternalMethodType::Get);
352         if (methodTable(exec->vm())->getOwnPropertySlotByIndex(this, exec, i, slot))
353             return slot.getValue(exec, i);
354         return JSValue();
355     }
356         
357     JSValue getIndex(ExecState* exec, unsigned i) const
358     {
359         if (JSValue result = tryGetIndexQuickly(i))
360             return result;
361         return get(exec, i);
362     }
363         
364     bool canSetIndexQuickly(unsigned i)
365     {
366         Butterfly* butterfly = this->butterfly();
367         switch (indexingMode()) {
368         case ALL_BLANK_INDEXING_TYPES:
369         case ALL_UNDECIDED_INDEXING_TYPES:
370             return false;
371         case ALL_WRITABLE_INT32_INDEXING_TYPES:
372         case ALL_WRITABLE_DOUBLE_INDEXING_TYPES:
373         case ALL_WRITABLE_CONTIGUOUS_INDEXING_TYPES:
374         case NonArrayWithArrayStorage:
375         case ArrayWithArrayStorage:
376             return i < butterfly->vectorLength();
377         case NonArrayWithSlowPutArrayStorage:
378         case ArrayWithSlowPutArrayStorage:
379             return i < butterfly->arrayStorage()->vectorLength()
380                 && !!butterfly->arrayStorage()->m_vector[i];
381         default:
382             if (isCopyOnWrite(indexingMode()))
383                 return false;
384             RELEASE_ASSERT_NOT_REACHED();
385             return false;
386         }
387     }
388         
389     void setIndexQuickly(VM& vm, unsigned i, JSValue v)
390     {
391         Butterfly* butterfly = m_butterfly.get();
392         ASSERT(!isCopyOnWrite(indexingMode()));
393         switch (indexingType()) {
394         case ALL_INT32_INDEXING_TYPES: {
395             ASSERT(i < butterfly->vectorLength());
396             if (!v.isInt32()) {
397                 convertInt32ToDoubleOrContiguousWhilePerformingSetIndex(vm, i, v);
398                 return;
399             }
400             FALLTHROUGH;
401         }
402         case ALL_CONTIGUOUS_INDEXING_TYPES: {
403             ASSERT(i < butterfly->vectorLength());
404             butterfly->contiguous().at(this, i).set(vm, this, v);
405             if (i >= butterfly->publicLength())
406                 butterfly->setPublicLength(i + 1);
407             break;
408         }
409         case ALL_DOUBLE_INDEXING_TYPES: {
410             ASSERT(i < butterfly->vectorLength());
411             if (!v.isNumber()) {
412                 convertDoubleToContiguousWhilePerformingSetIndex(vm, i, v);
413                 return;
414             }
415             double value = v.asNumber();
416             if (value != value) {
417                 convertDoubleToContiguousWhilePerformingSetIndex(vm, i, v);
418                 return;
419             }
420             butterfly->contiguousDouble().at(this, i) = value;
421             if (i >= butterfly->publicLength())
422                 butterfly->setPublicLength(i + 1);
423             break;
424         }
425         case ALL_ARRAY_STORAGE_INDEXING_TYPES: {
426             ArrayStorage* storage = butterfly->arrayStorage();
427             WriteBarrier<Unknown>& x = storage->m_vector[i];
428             JSValue old = x.get();
429             x.set(vm, this, v);
430             if (!old) {
431                 ++storage->m_numValuesInVector;
432                 if (i >= storage->length())
433                     storage->setLength(i + 1);
434             }
435             break;
436         }
437         default:
438             RELEASE_ASSERT_NOT_REACHED();
439         }
440     }
441
442     void initializeIndex(ObjectInitializationScope& scope, unsigned i, JSValue v)
443     {
444         initializeIndex(scope, i, v, indexingType());
445     }
446
447     // NOTE: Clients of this method may call it more than once for any index, and this is supposed
448     // to work.
449     ALWAYS_INLINE void initializeIndex(ObjectInitializationScope& scope, unsigned i, JSValue v, IndexingType indexingType)
450     {
451         VM& vm = scope.vm();
452         Butterfly* butterfly = m_butterfly.get();
453         switch (indexingType) {
454         case ALL_UNDECIDED_INDEXING_TYPES: {
455             setIndexQuicklyToUndecided(vm, i, v);
456             break;
457         }
458         case ALL_INT32_INDEXING_TYPES: {
459             ASSERT(i < butterfly->publicLength());
460             ASSERT(i < butterfly->vectorLength());
461             if (!v.isInt32()) {
462                 convertInt32ToDoubleOrContiguousWhilePerformingSetIndex(vm, i, v);
463                 break;
464             }
465             FALLTHROUGH;
466         }
467         case ALL_CONTIGUOUS_INDEXING_TYPES: {
468             ASSERT(i < butterfly->publicLength());
469             ASSERT(i < butterfly->vectorLength());
470             butterfly->contiguous().at(this, i).set(vm, this, v);
471             break;
472         }
473         case ALL_DOUBLE_INDEXING_TYPES: {
474             ASSERT(i < butterfly->publicLength());
475             ASSERT(i < butterfly->vectorLength());
476             if (!v.isNumber()) {
477                 convertDoubleToContiguousWhilePerformingSetIndex(vm, i, v);
478                 return;
479             }
480             double value = v.asNumber();
481             if (value != value) {
482                 convertDoubleToContiguousWhilePerformingSetIndex(vm, i, v);
483                 return;
484             }
485             butterfly->contiguousDouble().at(this, i) = value;
486             break;
487         }
488         case ALL_ARRAY_STORAGE_INDEXING_TYPES: {
489             ArrayStorage* storage = butterfly->arrayStorage();
490             ASSERT(i < storage->length());
491             ASSERT(i < storage->m_numValuesInVector);
492             storage->m_vector[i].set(vm, this, v);
493             break;
494         }
495         default:
496             RELEASE_ASSERT_NOT_REACHED();
497         }
498     }
499         
500     void initializeIndexWithoutBarrier(ObjectInitializationScope& scope, unsigned i, JSValue v)
501     {
502         initializeIndexWithoutBarrier(scope, i, v, indexingType());
503     }
504
505     // This version of initializeIndex is for cases where you know that you will not need any
506     // barriers. This implies not having any data format conversions.
507     ALWAYS_INLINE void initializeIndexWithoutBarrier(ObjectInitializationScope&, unsigned i, JSValue v, IndexingType indexingType)
508     {
509         Butterfly* butterfly = m_butterfly.get();
510         switch (indexingType) {
511         case ALL_UNDECIDED_INDEXING_TYPES: {
512             RELEASE_ASSERT_NOT_REACHED();
513             break;
514         }
515         case ALL_INT32_INDEXING_TYPES: {
516             ASSERT(i < butterfly->publicLength());
517             ASSERT(i < butterfly->vectorLength());
518             RELEASE_ASSERT(v.isInt32());
519             FALLTHROUGH;
520         }
521         case ALL_CONTIGUOUS_INDEXING_TYPES: {
522             ASSERT(i < butterfly->publicLength());
523             ASSERT(i < butterfly->vectorLength());
524             butterfly->contiguous().at(this, i).setWithoutWriteBarrier(v);
525             break;
526         }
527         case ALL_DOUBLE_INDEXING_TYPES: {
528             ASSERT(i < butterfly->publicLength());
529             ASSERT(i < butterfly->vectorLength());
530             RELEASE_ASSERT(v.isNumber());
531             double value = v.asNumber();
532             RELEASE_ASSERT(value == value);
533             butterfly->contiguousDouble().at(this, i) = value;
534             break;
535         }
536         case ALL_ARRAY_STORAGE_INDEXING_TYPES: {
537             ArrayStorage* storage = butterfly->arrayStorage();
538             ASSERT(i < storage->length());
539             ASSERT(i < storage->m_numValuesInVector);
540             storage->m_vector[i].setWithoutWriteBarrier(v);
541             break;
542         }
543         default:
544             RELEASE_ASSERT_NOT_REACHED();
545         }
546     }
547         
548     bool hasSparseMap()
549     {
550         switch (indexingType()) {
551         case ALL_BLANK_INDEXING_TYPES:
552         case ALL_UNDECIDED_INDEXING_TYPES:
553         case ALL_INT32_INDEXING_TYPES:
554         case ALL_DOUBLE_INDEXING_TYPES:
555         case ALL_CONTIGUOUS_INDEXING_TYPES:
556             return false;
557         case ALL_ARRAY_STORAGE_INDEXING_TYPES:
558             return !!m_butterfly->arrayStorage()->m_sparseMap;
559         default:
560             RELEASE_ASSERT_NOT_REACHED();
561             return false;
562         }
563     }
564         
565     bool inSparseIndexingMode()
566     {
567         switch (indexingType()) {
568         case ALL_BLANK_INDEXING_TYPES:
569         case ALL_UNDECIDED_INDEXING_TYPES:
570         case ALL_INT32_INDEXING_TYPES:
571         case ALL_DOUBLE_INDEXING_TYPES:
572         case ALL_CONTIGUOUS_INDEXING_TYPES:
573             return false;
574         case ALL_ARRAY_STORAGE_INDEXING_TYPES:
575             return m_butterfly->arrayStorage()->inSparseMode();
576         default:
577             RELEASE_ASSERT_NOT_REACHED();
578             return false;
579         }
580     }
581         
582     void enterDictionaryIndexingMode(VM&);
583
584     // putDirect is effectively an unchecked vesion of 'defineOwnProperty':
585     //  - the prototype chain is not consulted
586     //  - accessors are not called.
587     //  - attributes will be respected (after the call the property will exist with the given attributes)
588     //  - the property name is assumed to not be an index.
589     bool putDirect(VM&, PropertyName, JSValue, unsigned attributes = 0);
590     bool putDirect(VM&, PropertyName, JSValue, PutPropertySlot&);
591     void putDirectWithoutTransition(VM&, PropertyName, JSValue, unsigned attributes = 0);
592     bool putDirectNonIndexAccessor(VM&, PropertyName, GetterSetter*, unsigned attributes);
593     bool putDirectAccessor(ExecState*, PropertyName, GetterSetter*, unsigned attributes);
594     JS_EXPORT_PRIVATE bool putDirectCustomAccessor(VM&, PropertyName, JSValue, unsigned attributes);
595
596     bool putGetter(ExecState*, PropertyName, JSValue, unsigned attributes);
597     bool putSetter(ExecState*, PropertyName, JSValue, unsigned attributes);
598
599     JS_EXPORT_PRIVATE bool hasProperty(ExecState*, PropertyName) const;
600     JS_EXPORT_PRIVATE bool hasProperty(ExecState*, unsigned propertyName) const;
601     bool hasPropertyGeneric(ExecState*, PropertyName, PropertySlot::InternalMethodType) const;
602     bool hasPropertyGeneric(ExecState*, unsigned propertyName, PropertySlot::InternalMethodType) const;
603     bool hasOwnProperty(ExecState*, PropertyName, PropertySlot&) const;
604     bool hasOwnProperty(ExecState*, PropertyName) const;
605     bool hasOwnProperty(ExecState*, unsigned) const;
606
607     JS_EXPORT_PRIVATE static bool deleteProperty(JSCell*, ExecState*, PropertyName);
608     JS_EXPORT_PRIVATE static bool deletePropertyByIndex(JSCell*, ExecState*, unsigned propertyName);
609
610     JS_EXPORT_PRIVATE static JSValue defaultValue(const JSObject*, ExecState*, PreferredPrimitiveType);
611     JSValue ordinaryToPrimitive(ExecState*, PreferredPrimitiveType) const;
612
613     JS_EXPORT_PRIVATE bool hasInstance(ExecState*, JSValue value, JSValue hasInstanceValue);
614     JS_EXPORT_PRIVATE bool hasInstance(ExecState*, JSValue);
615     static bool defaultHasInstance(ExecState*, JSValue, JSValue prototypeProperty);
616
617     JS_EXPORT_PRIVATE static void getOwnPropertyNames(JSObject*, ExecState*, PropertyNameArray&, EnumerationMode);
618     JS_EXPORT_PRIVATE static void getOwnNonIndexPropertyNames(JSObject*, ExecState*, PropertyNameArray&, EnumerationMode);
619     JS_EXPORT_PRIVATE static void getPropertyNames(JSObject*, ExecState*, PropertyNameArray&, EnumerationMode);
620
621     JS_EXPORT_PRIVATE static uint32_t getEnumerableLength(ExecState*, JSObject*);
622     JS_EXPORT_PRIVATE static void getStructurePropertyNames(JSObject*, ExecState*, PropertyNameArray&, EnumerationMode);
623     JS_EXPORT_PRIVATE static void getGenericPropertyNames(JSObject*, ExecState*, PropertyNameArray&, EnumerationMode);
624
625     JS_EXPORT_PRIVATE JSValue toPrimitive(ExecState*, PreferredPrimitiveType = NoPreference) const;
626     bool getPrimitiveNumber(ExecState*, double& number, JSValue&) const;
627     JS_EXPORT_PRIVATE double toNumber(ExecState*) const;
628     JS_EXPORT_PRIVATE JSString* toString(ExecState*) const;
629
630     JS_EXPORT_PRIVATE static JSValue toThis(JSCell*, ExecState*, ECMAMode);
631
632     // This get function only looks at the property map.
633     JSValue getDirect(VM& vm, PropertyName propertyName) const
634     {
635         Structure* structure = this->structure(vm);
636         PropertyOffset offset = structure->get(vm, propertyName);
637         checkOffset(offset, structure->inlineCapacity());
638         return offset != invalidOffset ? getDirect(offset) : JSValue();
639     }
640     
641     JSValue getDirect(VM& vm, PropertyName propertyName, unsigned& attributes) const
642     {
643         Structure* structure = this->structure(vm);
644         PropertyOffset offset = structure->get(vm, propertyName, attributes);
645         checkOffset(offset, structure->inlineCapacity());
646         return offset != invalidOffset ? getDirect(offset) : JSValue();
647     }
648
649     PropertyOffset getDirectOffset(VM& vm, PropertyName propertyName)
650     {
651         Structure* structure = this->structure(vm);
652         PropertyOffset offset = structure->get(vm, propertyName);
653         checkOffset(offset, structure->inlineCapacity());
654         return offset;
655     }
656
657     PropertyOffset getDirectOffset(VM& vm, PropertyName propertyName, unsigned& attributes)
658     {
659         Structure* structure = this->structure(vm);
660         PropertyOffset offset = structure->get(vm, propertyName, attributes);
661         checkOffset(offset, structure->inlineCapacity());
662         return offset;
663     }
664
665     bool hasInlineStorage() const { return structure()->hasInlineStorage(); }
666     ConstPropertyStorage inlineStorageUnsafe() const
667     {
668         return bitwise_cast<ConstPropertyStorage>(this + 1);
669     }
670     PropertyStorage inlineStorageUnsafe()
671     {
672         return bitwise_cast<PropertyStorage>(this + 1);
673     }
674     ConstPropertyStorage inlineStorage() const
675     {
676         ASSERT(hasInlineStorage());
677         return inlineStorageUnsafe();
678     }
679     PropertyStorage inlineStorage()
680     {
681         ASSERT(hasInlineStorage());
682         return inlineStorageUnsafe();
683     }
684         
685     const Butterfly* butterfly() const { return m_butterfly.get(); }
686     Butterfly* butterfly() { return m_butterfly.get(); }
687     
688     ConstPropertyStorage outOfLineStorage() const { return m_butterfly->propertyStorage(); }
689     PropertyStorage outOfLineStorage() { return m_butterfly->propertyStorage(); }
690
691     ALWAYS_INLINE const WriteBarrierBase<Unknown>* locationForOffset(PropertyOffset offset) const
692     {
693         if (isInlineOffset(offset))
694             return &inlineStorage()[offsetInInlineStorage(offset)];
695         return &outOfLineStorage()[offsetInOutOfLineStorage(offset)];
696     }
697
698     ALWAYS_INLINE WriteBarrierBase<Unknown>* locationForOffset(PropertyOffset offset)
699     {
700         if (isInlineOffset(offset))
701             return &inlineStorage()[offsetInInlineStorage(offset)];
702         return &outOfLineStorage()[offsetInOutOfLineStorage(offset)];
703     }
704
705     void transitionTo(VM&, Structure*);
706
707     bool hasCustomProperties(VM& vm) { return structure(vm)->didTransition(); }
708     bool hasGetterSetterProperties(VM& vm) { return structure(vm)->hasGetterSetterProperties(); }
709     bool hasCustomGetterSetterProperties(VM& vm) { return structure(vm)->hasCustomGetterSetterProperties(); }
710
711     // putOwnDataProperty has 'put' like semantics, however this method:
712     //  - assumes the object contains no own getter/setter properties.
713     //  - provides no special handling for __proto__
714     //  - does not walk the prototype chain (to check for accessors or non-writable properties).
715     // This is used by JSLexicalEnvironment.
716     bool putOwnDataProperty(VM&, PropertyName, JSValue, PutPropertySlot&);
717     bool putOwnDataPropertyMayBeIndex(ExecState*, PropertyName, JSValue, PutPropertySlot&);
718
719     // Fast access to known property offsets.
720     ALWAYS_INLINE JSValue getDirect(PropertyOffset offset) const { return locationForOffset(offset)->get(); }
721     JSValue getDirectConcurrently(Structure* expectedStructure, PropertyOffset) const;
722     void putDirect(VM& vm, PropertyOffset offset, JSValue value) { locationForOffset(offset)->set(vm, this, value); }
723     void putDirectWithoutBarrier(PropertyOffset offset, JSValue value) { locationForOffset(offset)->setWithoutWriteBarrier(value); }
724     void putDirectUndefined(PropertyOffset offset) { locationForOffset(offset)->setUndefined(); }
725
726     JS_EXPORT_PRIVATE bool putDirectNativeIntrinsicGetter(VM&, JSGlobalObject*, Identifier, NativeFunction, Intrinsic, unsigned attributes);
727     JS_EXPORT_PRIVATE bool putDirectNativeFunction(VM&, JSGlobalObject*, const PropertyName&, unsigned functionLength, NativeFunction, Intrinsic, unsigned attributes);
728     JS_EXPORT_PRIVATE bool putDirectNativeFunction(VM&, JSGlobalObject*, const PropertyName&, unsigned functionLength, NativeFunction, Intrinsic, const DOMJIT::Signature*, unsigned attributes);
729     JS_EXPORT_PRIVATE void putDirectNativeFunctionWithoutTransition(VM&, JSGlobalObject*, const PropertyName&, unsigned functionLength, NativeFunction, Intrinsic, unsigned attributes);
730
731     JS_EXPORT_PRIVATE JSFunction* putDirectBuiltinFunction(VM&, JSGlobalObject*, const PropertyName&, FunctionExecutable*, unsigned attributes);
732     JSFunction* putDirectBuiltinFunctionWithoutTransition(VM&, JSGlobalObject*, const PropertyName&, FunctionExecutable*, unsigned attributes);
733
734     JS_EXPORT_PRIVATE static bool defineOwnProperty(JSObject*, ExecState*, PropertyName, const PropertyDescriptor&, bool shouldThrow);
735
736     bool isEnvironment() const;
737     bool isGlobalObject() const;
738     bool isJSLexicalEnvironment() const;
739     bool isGlobalLexicalEnvironment() const;
740     bool isStrictEvalActivation() const;
741     bool isWithScope() const;
742
743     bool isErrorInstance() const;
744
745     JS_EXPORT_PRIVATE void seal(VM&);
746     JS_EXPORT_PRIVATE void freeze(VM&);
747     JS_EXPORT_PRIVATE static bool preventExtensions(JSObject*, ExecState*);
748     JS_EXPORT_PRIVATE static bool isExtensible(JSObject*, ExecState*);
749     bool isSealed(VM& vm) { return structure(vm)->isSealed(vm); }
750     bool isFrozen(VM& vm) { return structure(vm)->isFrozen(vm); }
751
752     bool anyObjectInChainMayInterceptIndexedAccesses(VM&) const;
753     JS_EXPORT_PRIVATE bool prototypeChainMayInterceptStoreTo(VM&, PropertyName);
754     bool needsSlowPutIndexing(VM&) const;
755
756 private:
757     NonPropertyTransition suggestedArrayStorageTransition(VM&) const;
758     ALWAYS_INLINE bool isExtensibleImpl(VM& vm) { return isStructureExtensible(vm); }
759 public:
760     // You should only call isStructureExtensible() when:
761     // - Performing this check in a way that isn't described in the specification 
762     //   as calling the virtual [[IsExtensible]] trap.
763     // - When you're guaranteed that object->methodTable(vm)->isExtensible isn't
764     //   overridden.
765     ALWAYS_INLINE bool isStructureExtensible(VM& vm) { return structure(vm)->isStructureExtensible(); }
766     // You should call this when performing [[IsExtensible]] trap in a place
767     // that is described in the specification. This performs the fully virtual
768     // [[IsExtensible]] trap.
769     bool isExtensible(ExecState*);
770     bool indexingShouldBeSparse(VM& vm)
771     {
772         return !isStructureExtensible(vm)
773             || structure(vm)->typeInfo().interceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero();
774     }
775
776     bool staticPropertiesReified(VM& vm) { return structure(vm)->staticPropertiesReified(); }
777     void reifyAllStaticProperties(ExecState*);
778
779     JS_EXPORT_PRIVATE Butterfly* allocateMoreOutOfLineStorage(VM&, size_t oldSize, size_t newSize);
780
781     // Call this when you do not need to change the structure.
782     void setButterfly(VM&, Butterfly*);
783     
784     // Call this if you do need to change the structure, or if you changed something about a structure
785     // in-place.
786     void nukeStructureAndSetButterfly(VM&, StructureID oldStructureID, Butterfly*);
787
788     void setStructure(VM&, Structure*);
789
790     JS_EXPORT_PRIVATE void convertToDictionary(VM&);
791
792     void flattenDictionaryObject(VM& vm)
793     {
794         structure(vm)->flattenDictionaryStructure(vm, this);
795     }
796     void shiftButterflyAfterFlattening(const GCSafeConcurrentJSLocker&, VM&, Structure* structure, size_t outOfLineCapacityAfter);
797
798     JSGlobalObject* globalObject() const
799     {
800         ASSERT(structure()->globalObject());
801         ASSERT(!isGlobalObject() || ((JSObject*)structure()->globalObject()) == this);
802         return structure()->globalObject();
803     }
804         
805     JSGlobalObject* globalObject(VM& vm) const
806     {
807         ASSERT(structure(vm)->globalObject());
808         ASSERT(!isGlobalObject() || ((JSObject*)structure(vm)->globalObject()) == this);
809         return structure(vm)->globalObject();
810     }
811         
812     void switchToSlowPutArrayStorage(VM&);
813         
814     // The receiver is the prototype in this case. The following:
815     //
816     // asObject(foo->structure()->storedPrototype())->attemptToInterceptPutByIndexOnHoleForPrototype(...)
817     //
818     // is equivalent to:
819     //
820     // foo->attemptToInterceptPutByIndexOnHole(...);
821     bool attemptToInterceptPutByIndexOnHoleForPrototype(ExecState*, JSValue thisValue, unsigned propertyName, JSValue, bool shouldThrow, bool& putResult);
822         
823     // Returns 0 if int32 storage cannot be created - either because
824     // indexing should be sparse, we're having a bad time, or because
825     // we already have a more general form of storage (double,
826     // contiguous, array storage).
827     ContiguousJSValues tryMakeWritableInt32(VM& vm)
828     {
829         if (LIKELY(hasInt32(indexingType()) && !isCopyOnWrite(indexingMode())))
830             return m_butterfly->contiguousInt32();
831             
832         return tryMakeWritableInt32Slow(vm);
833     }
834         
835     // Returns 0 if double storage cannot be created - either because
836     // indexing should be sparse, we're having a bad time, or because
837     // we already have a more general form of storage (contiguous,
838     // or array storage).
839     ContiguousDoubles tryMakeWritableDouble(VM& vm)
840     {
841         if (LIKELY(hasDouble(indexingType()) && !isCopyOnWrite(indexingMode())))
842             return m_butterfly->contiguousDouble();
843             
844         return tryMakeWritableDoubleSlow(vm);
845     }
846         
847     // Returns 0 if contiguous storage cannot be created - either because
848     // indexing should be sparse or because we're having a bad time.
849     ContiguousJSValues tryMakeWritableContiguous(VM& vm)
850     {
851         if (LIKELY(hasContiguous(indexingType()) && !isCopyOnWrite(indexingMode())))
852             return m_butterfly->contiguous();
853             
854         return tryMakeWritableContiguousSlow(vm);
855     }
856
857     // Ensure that the object is in a mode where it has array storage. Use
858     // this if you're about to perform actions that would have required the
859     // object to be converted to have array storage, if it didn't have it
860     // already.
861     ArrayStorage* ensureArrayStorage(VM& vm)
862     {
863         if (LIKELY(hasAnyArrayStorage(indexingType())))
864             return m_butterfly->arrayStorage();
865
866         return ensureArrayStorageSlow(vm);
867     }
868
869     void ensureWritable(VM& vm)
870     {
871         if (isCopyOnWrite(indexingMode()))
872             convertFromCopyOnWrite(vm);
873     }
874         
875     static size_t offsetOfInlineStorage();
876         
877     static ptrdiff_t butterflyOffset()
878     {
879         return OBJECT_OFFSETOF(JSObject, m_butterfly);
880     }
881     void* butterflyAddress()
882     {
883         return &m_butterfly;
884     }
885
886     JS_EXPORT_PRIVATE JSValue getMethod(ExecState*, CallData&, CallType&, const Identifier&, const String& errorMessage);
887
888     bool canPerformFastPutInline(VM&, PropertyName);
889     bool canPerformFastPutInlineExcludingProto(VM&);
890
891     DECLARE_EXPORT_INFO;
892
893 protected:
894     void finishCreation(VM& vm)
895     {
896         Base::finishCreation(vm);
897         ASSERT(jsDynamicCast<JSObject*>(vm, this));
898         ASSERT(structure(vm)->hasPolyProto() || getPrototypeDirect(vm).isNull() || Heap::heap(this) == Heap::heap(getPrototypeDirect(vm)));
899         ASSERT(structure(vm)->isObject());
900         ASSERT(classInfo(vm));
901     }
902
903     static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
904     {
905         return Structure::create(vm, globalObject, prototype, TypeInfo(ObjectType, StructureFlags), info());
906     }
907
908     // To instantiate objects you likely want JSFinalObject, below.
909     // To create derived types you likely want JSNonFinalObject, below.
910     JSObject(VM&, Structure*, Butterfly* = nullptr);
911     
912     // Visits the butterfly unless there is a race. Returns the structure if there was no race.
913     Structure* visitButterfly(SlotVisitor&);
914     
915     Structure* visitButterflyImpl(SlotVisitor&);
916     
917     void markAuxiliaryAndVisitOutOfLineProperties(SlotVisitor&, Butterfly*, Structure*, PropertyOffset lastOffset);
918
919     // Call this if you know that the object is in a mode where it has array
920     // storage. This will assert otherwise.
921     ArrayStorage* arrayStorage()
922     {
923         ASSERT(hasAnyArrayStorage(indexingType()));
924         return m_butterfly->arrayStorage();
925     }
926         
927     // Call this if you want to predicate some actions on whether or not the
928     // object is in a mode where it has array storage.
929     ArrayStorage* arrayStorageOrNull()
930     {
931         switch (indexingType()) {
932         case ALL_ARRAY_STORAGE_INDEXING_TYPES:
933             return m_butterfly->arrayStorage();
934                 
935         default:
936             return 0;
937         }
938     }
939         
940     size_t butterflyTotalSize();
941     size_t butterflyPreCapacity();
942
943     Butterfly* createInitialUndecided(VM&, unsigned length);
944     ContiguousJSValues createInitialInt32(VM&, unsigned length);
945     ContiguousDoubles createInitialDouble(VM&, unsigned length);
946     ContiguousJSValues createInitialContiguous(VM&, unsigned length);
947
948     void convertUndecidedForValue(VM&, JSValue);
949     void createInitialForValueAndSet(VM&, unsigned index, JSValue);
950     void convertInt32ForValue(VM&, JSValue);
951     void convertDoubleForValue(VM&, JSValue);
952     void convertFromCopyOnWrite(VM&);
953
954     static Butterfly* createArrayStorageButterfly(VM&, JSObject* intendedOwner, Structure*, unsigned length, unsigned vectorLength, Butterfly* oldButterfly = nullptr);
955     ArrayStorage* createArrayStorage(VM&, unsigned length, unsigned vectorLength);
956     ArrayStorage* createInitialArrayStorage(VM&);
957         
958     ContiguousJSValues convertUndecidedToInt32(VM&);
959     ContiguousDoubles convertUndecidedToDouble(VM&);
960     ContiguousJSValues convertUndecidedToContiguous(VM&);
961     ArrayStorage* convertUndecidedToArrayStorage(VM&, NonPropertyTransition);
962     ArrayStorage* convertUndecidedToArrayStorage(VM&);
963         
964     ContiguousDoubles convertInt32ToDouble(VM&);
965     ContiguousJSValues convertInt32ToContiguous(VM&);
966     ArrayStorage* convertInt32ToArrayStorage(VM&, NonPropertyTransition);
967     ArrayStorage* convertInt32ToArrayStorage(VM&);
968
969     ContiguousJSValues convertDoubleToContiguous(VM&);
970     ArrayStorage* convertDoubleToArrayStorage(VM&, NonPropertyTransition);
971     ArrayStorage* convertDoubleToArrayStorage(VM&);
972         
973     ArrayStorage* convertContiguousToArrayStorage(VM&, NonPropertyTransition);
974     ArrayStorage* convertContiguousToArrayStorage(VM&);
975
976         
977     ArrayStorage* ensureArrayStorageExistsAndEnterDictionaryIndexingMode(VM&);
978         
979     bool defineOwnNonIndexProperty(ExecState*, PropertyName, const PropertyDescriptor&, bool throwException);
980
981     template<IndexingType indexingShape>
982     bool putByIndexBeyondVectorLengthWithoutAttributes(ExecState*, unsigned propertyName, JSValue);
983     bool putByIndexBeyondVectorLengthWithArrayStorage(ExecState*, unsigned propertyName, JSValue, bool shouldThrow, ArrayStorage*);
984
985     bool increaseVectorLength(VM&, unsigned newLength);
986     void deallocateSparseIndexMap();
987     bool defineOwnIndexedProperty(ExecState*, unsigned, const PropertyDescriptor&, bool throwException);
988     SparseArrayValueMap* allocateSparseIndexMap(VM&);
989         
990     void notifyPresenceOfIndexedAccessors(VM&);
991         
992     bool attemptToInterceptPutByIndexOnHole(ExecState*, unsigned index, JSValue, bool shouldThrow, bool& putResult);
993         
994     // Call this if you want setIndexQuickly to succeed and you're sure that
995     // the array is contiguous.
996     bool WARN_UNUSED_RETURN ensureLength(VM& vm, unsigned length)
997     {
998         RELEASE_ASSERT(length <= MAX_STORAGE_VECTOR_LENGTH);
999         ASSERT(hasContiguous(indexingType()) || hasInt32(indexingType()) || hasDouble(indexingType()) || hasUndecided(indexingType()));
1000
1001         if (m_butterfly->vectorLength() < length || isCopyOnWrite(indexingMode())) {
1002             if (!ensureLengthSlow(vm, length))
1003                 return false;
1004         }
1005             
1006         if (m_butterfly->publicLength() < length)
1007             m_butterfly->setPublicLength(length);
1008         return true;
1009     }
1010         
1011     // Call this if you want to shrink the butterfly backing store, and you're
1012     // sure that the array is contiguous.
1013     void reallocateAndShrinkButterfly(VM&, unsigned length);
1014     
1015     template<IndexingType indexingShape>
1016     unsigned countElements(Butterfly*);
1017         
1018     // This is relevant to undecided, int32, double, and contiguous.
1019     unsigned countElements();
1020         
1021 private:
1022     friend class LLIntOffsetsExtractor;
1023     friend class VMInspector;
1024
1025     // Nobody should ever ask any of these questions on something already known to be a JSObject.
1026     using JSCell::isAPIValueWrapper;
1027     using JSCell::isGetterSetter;
1028     void getObject();
1029     void getString(ExecState* exec);
1030     void isObject();
1031     void isString();
1032         
1033     Butterfly* createInitialIndexedStorage(VM&, unsigned length);
1034         
1035     ArrayStorage* enterDictionaryIndexingModeWhenArrayStorageAlreadyExists(VM&, ArrayStorage*);
1036         
1037     template<PutMode>
1038     bool putDirectInternal(VM&, PropertyName, JSValue, unsigned attr, PutPropertySlot&);
1039
1040     JS_EXPORT_PRIVATE NEVER_INLINE bool putInlineSlow(ExecState*, PropertyName, JSValue, PutPropertySlot&);
1041
1042     bool getNonIndexPropertySlot(ExecState*, PropertyName, PropertySlot&);
1043     bool getOwnNonIndexPropertySlot(VM&, Structure*, PropertyName, PropertySlot&);
1044     JS_EXPORT_PRIVATE void fillGetterPropertySlot(VM&, PropertySlot&, JSCell*, unsigned, PropertyOffset);
1045     void fillCustomGetterPropertySlot(VM&, PropertySlot&, CustomGetterSetter*, unsigned, Structure*);
1046
1047     JS_EXPORT_PRIVATE bool getOwnStaticPropertySlot(VM&, PropertyName, PropertySlot&);
1048     struct PropertyHashEntry {
1049         const HashTable* table;
1050         const HashTableValue* value;
1051     };
1052     std::optional<PropertyHashEntry> findPropertyHashEntry(VM&, PropertyName) const;
1053         
1054     bool putByIndexBeyondVectorLength(ExecState*, unsigned propertyName, JSValue, bool shouldThrow);
1055     bool putDirectIndexBeyondVectorLengthWithArrayStorage(ExecState*, unsigned propertyName, JSValue, unsigned attributes, PutDirectIndexMode, ArrayStorage*);
1056     JS_EXPORT_PRIVATE bool putDirectIndexSlowOrBeyondVectorLength(ExecState*, unsigned propertyName, JSValue, unsigned attributes, PutDirectIndexMode);
1057         
1058     unsigned getNewVectorLength(VM&, unsigned indexBias, unsigned currentVectorLength, unsigned currentLength, unsigned desiredLength);
1059     unsigned getNewVectorLength(VM&, unsigned desiredLength);
1060
1061     ArrayStorage* constructConvertedArrayStorageWithoutCopyingElements(VM&, unsigned neededLength);
1062         
1063     JS_EXPORT_PRIVATE void setIndexQuicklyToUndecided(VM&, unsigned index, JSValue);
1064     JS_EXPORT_PRIVATE void convertInt32ToDoubleOrContiguousWhilePerformingSetIndex(VM&, unsigned index, JSValue);
1065     JS_EXPORT_PRIVATE void convertDoubleToContiguousWhilePerformingSetIndex(VM&, unsigned index, JSValue);
1066         
1067     bool ensureLengthSlow(VM&, unsigned length);
1068         
1069     ContiguousJSValues tryMakeWritableInt32Slow(VM&);
1070     ContiguousDoubles tryMakeWritableDoubleSlow(VM&);
1071     ContiguousJSValues tryMakeWritableContiguousSlow(VM&);
1072     JS_EXPORT_PRIVATE ArrayStorage* ensureArrayStorageSlow(VM&);
1073
1074     PropertyOffset prepareToPutDirectWithoutTransition(VM&, PropertyName, unsigned attributes, StructureID, Structure*);
1075
1076     AuxiliaryBarrier<Butterfly*> m_butterfly;
1077 #if USE(JSVALUE32_64)
1078     unsigned m_32BitPadding;
1079 #endif
1080 };
1081
1082 // JSNonFinalObject is a type of JSObject that has some internal storage,
1083 // but also preserves some space in the collector cell for additional
1084 // data members in derived types.
1085 class JSNonFinalObject : public JSObject {
1086     friend class JSObject;
1087
1088 public:
1089     typedef JSObject Base;
1090
1091     static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
1092     {
1093         return Structure::create(vm, globalObject, prototype, TypeInfo(ObjectType, StructureFlags), info());
1094     }
1095
1096 protected:
1097     explicit JSNonFinalObject(VM& vm, Structure* structure, Butterfly* butterfly = 0)
1098         : JSObject(vm, structure, butterfly)
1099     {
1100     }
1101
1102     void finishCreation(VM& vm)
1103     {
1104         Base::finishCreation(vm);
1105         ASSERT(!this->structure(vm)->hasInlineStorage());
1106         ASSERT(classInfo(vm));
1107     }
1108 };
1109
1110 class JSFinalObject;
1111
1112 // JSFinalObject is a type of JSObject that contains sufficient internal
1113 // storage to fully make use of the collector cell containing it.
1114 class JSFinalObject final : public JSObject {
1115     friend class JSObject;
1116
1117 public:
1118     typedef JSObject Base;
1119     static const unsigned StructureFlags = Base::StructureFlags;
1120
1121     static size_t allocationSize(Checked<size_t> inlineCapacity)
1122     {
1123         return (sizeof(JSObject) + inlineCapacity * sizeof(WriteBarrierBase<Unknown>)).unsafeGet();
1124     }
1125
1126     static inline const TypeInfo typeInfo() { return TypeInfo(FinalObjectType, StructureFlags); }
1127     static const IndexingType defaultIndexingType = NonArray;
1128         
1129     static const unsigned defaultSize = 64;
1130     static inline unsigned defaultInlineCapacity()
1131     {
1132         return (defaultSize - allocationSize(0)) / sizeof(WriteBarrier<Unknown>);
1133     }
1134
1135     static const unsigned maxSize = 512;
1136     static inline unsigned maxInlineCapacity()
1137     {
1138         return (maxSize - allocationSize(0)) / sizeof(WriteBarrier<Unknown>);
1139     }
1140
1141     static JSFinalObject* create(ExecState*, Structure*, Butterfly* = nullptr);
1142     static JSFinalObject* create(VM&, Structure*);
1143     static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype, unsigned inlineCapacity)
1144     {
1145         return Structure::create(vm, globalObject, prototype, typeInfo(), info(), defaultIndexingType, inlineCapacity);
1146     }
1147
1148     JS_EXPORT_PRIVATE static void visitChildren(JSCell*, SlotVisitor&);
1149
1150     DECLARE_EXPORT_INFO;
1151
1152 protected:
1153     void visitChildrenCommon(SlotVisitor&);
1154         
1155     void finishCreation(VM& vm)
1156     {
1157         Base::finishCreation(vm);
1158         ASSERT(structure(vm)->totalStorageCapacity() == structure(vm)->inlineCapacity());
1159         ASSERT(classInfo(vm));
1160     }
1161
1162 private:
1163     friend class LLIntOffsetsExtractor;
1164
1165     explicit JSFinalObject(VM& vm, Structure* structure, Butterfly* butterfly = nullptr)
1166         : JSObject(vm, structure, butterfly)
1167     {
1168         memset(inlineStorageUnsafe(), 0, structure->inlineCapacity() * sizeof(EncodedJSValue));
1169     }
1170 };
1171
1172 JS_EXPORT_PRIVATE EncodedJSValue JSC_HOST_CALL objectPrivateFuncInstanceOf(ExecState*);
1173
1174 inline JSObject* JSObject::createRawObject(
1175     ExecState* exec, Structure* structure, Butterfly* butterfly)
1176 {
1177     VM& vm = exec->vm();
1178     JSObject* finalObject = new (
1179         NotNull, 
1180         allocateCell<JSFinalObject>(
1181             vm.heap,
1182             JSFinalObject::allocationSize(structure->inlineCapacity())
1183         )
1184     ) JSObject(vm, structure, butterfly);
1185     finalObject->finishCreation(vm);
1186     return finalObject;
1187 }
1188
1189 inline JSFinalObject* JSFinalObject::create(
1190     ExecState* exec, Structure* structure, Butterfly* butterfly)
1191 {
1192     VM& vm = exec->vm();
1193     JSFinalObject* finalObject = new (
1194         NotNull, 
1195         allocateCell<JSFinalObject>(
1196             vm.heap,
1197             allocationSize(structure->inlineCapacity())
1198         )
1199     ) JSFinalObject(vm, structure, butterfly);
1200     finalObject->finishCreation(vm);
1201     return finalObject;
1202 }
1203
1204 inline JSFinalObject* JSFinalObject::create(VM& vm, Structure* structure)
1205 {
1206     JSFinalObject* finalObject = new (NotNull, allocateCell<JSFinalObject>(vm.heap, allocationSize(structure->inlineCapacity()))) JSFinalObject(vm, structure);
1207     finalObject->finishCreation(vm);
1208     return finalObject;
1209 }
1210
1211 inline size_t JSObject::offsetOfInlineStorage()
1212 {
1213     return sizeof(JSObject);
1214 }
1215
1216 inline bool JSObject::isGlobalObject() const
1217 {
1218     return type() == GlobalObjectType;
1219 }
1220
1221 inline bool JSObject::isJSLexicalEnvironment() const
1222 {
1223     return type() == LexicalEnvironmentType || type() == ModuleEnvironmentType;
1224 }
1225
1226 inline bool JSObject::isGlobalLexicalEnvironment() const
1227 {
1228     return type() == GlobalLexicalEnvironmentType;
1229 }
1230
1231 inline bool JSObject::isStrictEvalActivation() const
1232 {
1233     return type() == StrictEvalActivationType;
1234 }
1235
1236 inline bool JSObject::isEnvironment() const
1237 {
1238     bool result = GlobalObjectType <= type() && type() <= StrictEvalActivationType;
1239     ASSERT((isGlobalObject() || isJSLexicalEnvironment() || isGlobalLexicalEnvironment() || isStrictEvalActivation()) == result);
1240     return result;
1241 }
1242
1243 inline bool JSObject::isErrorInstance() const
1244 {
1245     return type() == ErrorInstanceType;
1246 }
1247
1248 inline bool JSObject::isWithScope() const
1249 {
1250     return type() == WithScopeType;
1251 }
1252
1253 inline void JSObject::setStructure(VM& vm, Structure* structure)
1254 {
1255     ASSERT(structure);
1256     ASSERT(!m_butterfly == !(structure->outOfLineCapacity() || structure->hasIndexingHeader(this)));
1257     JSCell::setStructure(vm, structure);
1258 }
1259
1260 inline void JSObject::setButterfly(VM& vm, Butterfly* butterfly)
1261 {
1262     if (isX86() || vm.heap.mutatorShouldBeFenced()) {
1263         WTF::storeStoreFence();
1264         m_butterfly.set(vm, this, butterfly);
1265         WTF::storeStoreFence();
1266         return;
1267     }
1268
1269     m_butterfly.set(vm, this, butterfly);
1270 }
1271
1272 inline void JSObject::nukeStructureAndSetButterfly(VM& vm, StructureID oldStructureID, Butterfly* butterfly)
1273 {
1274     if (isX86() || vm.heap.mutatorShouldBeFenced()) {
1275         setStructureIDDirectly(nuke(oldStructureID));
1276         WTF::storeStoreFence();
1277         m_butterfly.set(vm, this, butterfly);
1278         WTF::storeStoreFence();
1279         return;
1280     }
1281
1282     m_butterfly.set(vm, this, butterfly);
1283 }
1284
1285 inline CallType getCallData(VM& vm, JSValue value, CallData& callData)
1286 {
1287     CallType result = value.isCell() ? value.asCell()->methodTable(vm)->getCallData(value.asCell(), callData) : CallType::None;
1288     ASSERT(result == CallType::None || value.isValidCallee());
1289     return result;
1290 }
1291
1292 inline ConstructType getConstructData(VM& vm, JSValue value, ConstructData& constructData)
1293 {
1294     ConstructType result = value.isCell() ? value.asCell()->methodTable(vm)->getConstructData(value.asCell(), constructData) : ConstructType::None;
1295     ASSERT(result == ConstructType::None || value.isValidCallee());
1296     return result;
1297 }
1298
1299 inline JSObject* asObject(JSCell* cell)
1300 {
1301     ASSERT(cell->isObject());
1302     return jsCast<JSObject*>(cell);
1303 }
1304
1305 inline JSObject* asObject(JSValue value)
1306 {
1307     return asObject(value.asCell());
1308 }
1309
1310 inline JSObject::JSObject(VM& vm, Structure* structure, Butterfly* butterfly)
1311     : JSCell(vm, structure)
1312     , m_butterfly(vm, this, butterfly)
1313 {
1314 }
1315
1316 inline JSValue JSObject::getPrototypeDirect(VM& vm) const
1317 {
1318     return structure(vm)->storedPrototype(this);
1319 }
1320
1321 inline JSValue JSObject::getPrototype(VM& vm, ExecState* exec)
1322 {
1323     auto getPrototypeMethod = methodTable(vm)->getPrototype;
1324     MethodTable::GetPrototypeFunctionPtr defaultGetPrototype = JSObject::getPrototype;
1325     if (LIKELY(getPrototypeMethod == defaultGetPrototype))
1326         return getPrototypeDirect(vm);
1327     return getPrototypeMethod(this, exec);
1328 }
1329
1330 // Normally, we never shrink the butterfly so if we know an offset is valid for some
1331 // past structure then it should be valid for any new structure. However, we may sometimes
1332 // shrink the butterfly when we are holding the Structure's ConcurrentJSLock, such as when we
1333 // flatten an object.
1334 inline JSValue JSObject::getDirectConcurrently(Structure* structure, PropertyOffset offset) const
1335 {
1336     ConcurrentJSLocker locker(structure->lock());
1337     if (!structure->isValidOffset(offset))
1338         return { };
1339     return getDirect(offset);
1340 }
1341
1342 // It is safe to call this method with a PropertyName that is actually an index,
1343 // but if so will always return false (doesn't search index storage).
1344 ALWAYS_INLINE bool JSObject::getOwnNonIndexPropertySlot(VM& vm, Structure* structure, PropertyName propertyName, PropertySlot& slot)
1345 {
1346     unsigned attributes;
1347     PropertyOffset offset = structure->get(vm, propertyName, attributes);
1348     if (!isValidOffset(offset)) {
1349         if (!TypeInfo::hasStaticPropertyTable(inlineTypeFlags()))
1350             return false;
1351         return getOwnStaticPropertySlot(vm, propertyName, slot);
1352     }
1353     
1354     // getPropertySlot relies on this method never returning index properties!
1355     ASSERT(!parseIndex(propertyName));
1356
1357     JSValue value = getDirect(offset);
1358     if (value.isCell()) {
1359         ASSERT(value);
1360         JSCell* cell = value.asCell();
1361         JSType type = cell->type();
1362         switch (type) {
1363         case GetterSetterType:
1364             fillGetterPropertySlot(vm, slot, cell, attributes, offset);
1365             return true;
1366         case CustomGetterSetterType:
1367             fillCustomGetterPropertySlot(vm, slot, jsCast<CustomGetterSetter*>(cell), attributes, structure);
1368             return true;
1369         default:
1370             break;
1371         }
1372     }
1373     
1374     slot.setValue(this, attributes, value, offset);
1375     return true;
1376 }
1377
1378 ALWAYS_INLINE void JSObject::fillCustomGetterPropertySlot(VM& vm, PropertySlot& slot, CustomGetterSetter* customGetterSetter, unsigned attributes, Structure* structure)
1379 {
1380     if (customGetterSetter->inherits<DOMAttributeGetterSetter>(vm)) {
1381         auto* domAttribute = jsCast<DOMAttributeGetterSetter*>(customGetterSetter);
1382         if (structure->isUncacheableDictionary())
1383             slot.setCustom(this, attributes, domAttribute->getter(), domAttribute->domAttribute());
1384         else
1385             slot.setCacheableCustom(this, attributes, domAttribute->getter(), domAttribute->domAttribute());
1386         return;
1387     }
1388
1389     if (structure->isUncacheableDictionary())
1390         slot.setCustom(this, attributes, customGetterSetter->getter());
1391     else
1392         slot.setCacheableCustom(this, attributes, customGetterSetter->getter());
1393 }
1394
1395 // It may seem crazy to inline a function this large, especially a virtual function,
1396 // but it makes a big difference to property lookup that derived classes can inline their
1397 // base class call to this.
1398 ALWAYS_INLINE bool JSObject::getOwnPropertySlot(JSObject* object, ExecState* exec, PropertyName propertyName, PropertySlot& slot)
1399 {
1400     VM& vm = exec->vm();
1401     Structure* structure = object->structure(vm);
1402     if (object->getOwnNonIndexPropertySlot(vm, structure, propertyName, slot))
1403         return true;
1404     if (std::optional<uint32_t> index = parseIndex(propertyName))
1405         return getOwnPropertySlotByIndex(object, exec, index.value(), slot);
1406     return false;
1407 }
1408
1409 // It may seem crazy to inline a function this large but it makes a big difference
1410 // since this is function very hot in variable lookup
1411 template<bool checkNullStructure>
1412 ALWAYS_INLINE bool JSObject::getPropertySlot(ExecState* exec, PropertyName propertyName, PropertySlot& slot)
1413 {
1414     VM& vm = exec->vm();
1415     auto& structureIDTable = vm.heap.structureIDTable();
1416     JSObject* object = this;
1417     while (true) {
1418         if (UNLIKELY(TypeInfo::overridesGetOwnPropertySlot(object->inlineTypeFlags()))) {
1419             // If propertyName is an index then we may have missed it (as this loop is using
1420             // getOwnNonIndexPropertySlot), so we cannot safely call the overridden getOwnPropertySlot
1421             // (lest we return a property from a prototype that is shadowed). Check now for an index,
1422             // if so we need to start afresh from this object.
1423             if (std::optional<uint32_t> index = parseIndex(propertyName))
1424                 return getPropertySlot(exec, index.value(), slot);
1425             // Safe to continue searching from current position; call getNonIndexPropertySlot to avoid
1426             // parsing the int again.
1427             return object->getNonIndexPropertySlot(exec, propertyName, slot);
1428         }
1429         ASSERT(object->type() != ProxyObjectType);
1430         Structure* structure = structureIDTable.get(object->structureID());
1431 #if USE(JSVALUE64)
1432         if (checkNullStructure && UNLIKELY(!structure))
1433             CRASH_WITH_INFO(object->type(), object->structureID(), structureIDTable.size());
1434 #endif
1435         if (object->getOwnNonIndexPropertySlot(vm, structure, propertyName, slot))
1436             return true;
1437         // FIXME: This doesn't look like it's following the specification:
1438         // https://bugs.webkit.org/show_bug.cgi?id=172572
1439         JSValue prototype = structure->storedPrototype(object);
1440         if (!prototype.isObject())
1441             break;
1442         object = asObject(prototype);
1443     }
1444
1445     if (std::optional<uint32_t> index = parseIndex(propertyName))
1446         return getPropertySlot(exec, index.value(), slot);
1447     return false;
1448 }
1449
1450 inline JSValue JSObject::get(ExecState* exec, PropertyName propertyName) const
1451 {
1452     VM& vm = exec->vm();
1453     auto scope = DECLARE_THROW_SCOPE(vm);
1454     PropertySlot slot(this, PropertySlot::InternalMethodType::Get);
1455     bool hasProperty = const_cast<JSObject*>(this)->getPropertySlot(exec, propertyName, slot);
1456     EXCEPTION_ASSERT(!scope.exception() || !hasProperty);
1457     if (hasProperty) {
1458         scope.release();
1459         return slot.getValue(exec, propertyName);
1460     }
1461     return jsUndefined();
1462 }
1463
1464 inline JSValue JSObject::get(ExecState* exec, unsigned propertyName) const
1465 {
1466     VM& vm = exec->vm();
1467     auto scope = DECLARE_THROW_SCOPE(vm);
1468     PropertySlot slot(this, PropertySlot::InternalMethodType::Get);
1469     bool hasProperty = const_cast<JSObject*>(this)->getPropertySlot(exec, propertyName, slot);
1470     EXCEPTION_ASSERT(!scope.exception() || !hasProperty);
1471     if (hasProperty) {
1472         scope.release();
1473         return slot.getValue(exec, propertyName);
1474     }
1475     return jsUndefined();
1476 }
1477
1478 inline bool JSObject::putOwnDataProperty(VM& vm, PropertyName propertyName, JSValue value, PutPropertySlot& slot)
1479 {
1480     ASSERT(value);
1481     ASSERT(!Heap::heap(value) || Heap::heap(value) == Heap::heap(this));
1482     ASSERT(!structure(vm)->hasGetterSetterProperties());
1483     ASSERT(!structure(vm)->hasCustomGetterSetterProperties());
1484
1485     return putDirectInternal<PutModePut>(vm, propertyName, value, 0, slot);
1486 }
1487
1488 inline bool JSObject::putOwnDataPropertyMayBeIndex(ExecState* exec, PropertyName propertyName, JSValue value, PutPropertySlot& slot)
1489 {
1490     VM& vm = exec->vm();
1491     ASSERT(value);
1492     ASSERT(!Heap::heap(value) || Heap::heap(value) == Heap::heap(this));
1493     ASSERT(!structure(vm)->hasGetterSetterProperties());
1494     ASSERT(!structure(vm)->hasCustomGetterSetterProperties());
1495
1496     if (std::optional<uint32_t> index = parseIndex(propertyName))
1497         return putDirectIndex(exec, index.value(), value, 0, PutDirectIndexLikePutDirect);
1498
1499     return putDirectInternal<PutModePut>(vm, propertyName, value, 0, slot);
1500 }
1501
1502 inline bool JSObject::putDirect(VM& vm, PropertyName propertyName, JSValue value, unsigned attributes)
1503 {
1504     ASSERT(!value.isGetterSetter() && !(attributes & PropertyAttribute::Accessor));
1505     ASSERT(!value.isCustomGetterSetter());
1506     PutPropertySlot slot(this);
1507     return putDirectInternal<PutModeDefineOwnProperty>(vm, propertyName, value, attributes, slot);
1508 }
1509
1510 inline bool JSObject::putDirect(VM& vm, PropertyName propertyName, JSValue value, PutPropertySlot& slot)
1511 {
1512     ASSERT(!value.isGetterSetter());
1513     ASSERT(!value.isCustomGetterSetter());
1514     return putDirectInternal<PutModeDefineOwnProperty>(vm, propertyName, value, 0, slot);
1515 }
1516
1517 ALWAYS_INLINE JSObject* Register::object() const
1518 {
1519     return asObject(jsValue());
1520 }
1521
1522 ALWAYS_INLINE Register& Register::operator=(JSObject* object)
1523 {
1524     u.value = JSValue::encode(JSValue(object));
1525     return *this;
1526 }
1527
1528 inline size_t offsetInButterfly(PropertyOffset offset)
1529 {
1530     return offsetInOutOfLineStorage(offset) + Butterfly::indexOfPropertyStorage();
1531 }
1532
1533 inline size_t JSObject::butterflyPreCapacity()
1534 {
1535     VM& vm = *this->vm();
1536     if (UNLIKELY(hasIndexingHeader(vm)))
1537         return butterfly()->indexingHeader()->preCapacity(structure(vm));
1538     return 0;
1539 }
1540
1541 inline size_t JSObject::butterflyTotalSize()
1542 {
1543     VM& vm = *this->vm();
1544     Structure* structure = this->structure(vm);
1545     Butterfly* butterfly = this->butterfly();
1546     size_t preCapacity;
1547     size_t indexingPayloadSizeInBytes;
1548     bool hasIndexingHeader = this->hasIndexingHeader(vm);
1549
1550     if (UNLIKELY(hasIndexingHeader)) {
1551         preCapacity = butterfly->indexingHeader()->preCapacity(structure);
1552         indexingPayloadSizeInBytes = butterfly->indexingHeader()->indexingPayloadSizeInBytes(structure);
1553     } else {
1554         preCapacity = 0;
1555         indexingPayloadSizeInBytes = 0;
1556     }
1557
1558     return Butterfly::totalSize(preCapacity, structure->outOfLineCapacity(), hasIndexingHeader, indexingPayloadSizeInBytes);
1559 }
1560
1561 inline int indexRelativeToBase(PropertyOffset offset)
1562 {
1563     if (isOutOfLineOffset(offset))
1564         return offsetInOutOfLineStorage(offset) + Butterfly::indexOfPropertyStorage();
1565     ASSERT(!(JSObject::offsetOfInlineStorage() % sizeof(EncodedJSValue)));
1566     return JSObject::offsetOfInlineStorage() / sizeof(EncodedJSValue) + offsetInInlineStorage(offset);
1567 }
1568
1569 inline int offsetRelativeToBase(PropertyOffset offset)
1570 {
1571     if (isOutOfLineOffset(offset))
1572         return offsetInOutOfLineStorage(offset) * sizeof(EncodedJSValue) + Butterfly::offsetOfPropertyStorage();
1573     return JSObject::offsetOfInlineStorage() + offsetInInlineStorage(offset) * sizeof(EncodedJSValue);
1574 }
1575
1576 // Returns the maximum offset (away from zero) a load instruction will encode.
1577 inline size_t maxOffsetRelativeToBase(PropertyOffset offset)
1578 {
1579     ptrdiff_t addressOffset = offsetRelativeToBase(offset);
1580 #if USE(JSVALUE32_64)
1581     if (addressOffset >= 0)
1582         return static_cast<size_t>(addressOffset) + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.tag);
1583 #endif
1584     return static_cast<size_t>(addressOffset);
1585 }
1586
1587 COMPILE_ASSERT(!(sizeof(JSObject) % sizeof(WriteBarrierBase<Unknown>)), JSObject_inline_storage_has_correct_alignment);
1588
1589 template<unsigned charactersCount>
1590 ALWAYS_INLINE Identifier makeIdentifier(VM& vm, const char (&characters)[charactersCount])
1591 {
1592     return Identifier::fromString(&vm, characters);
1593 }
1594
1595 ALWAYS_INLINE Identifier makeIdentifier(VM& vm, const char* name)
1596 {
1597     return Identifier::fromString(&vm, name);
1598 }
1599
1600 ALWAYS_INLINE Identifier makeIdentifier(VM&, const Identifier& name)
1601 {
1602     return name;
1603 }
1604
1605 bool validateAndApplyPropertyDescriptor(ExecState*, JSObject*, PropertyName, bool isExtensible,
1606     const PropertyDescriptor& descriptor, bool isCurrentDefined, const PropertyDescriptor& current, bool throwException);
1607
1608 JS_EXPORT_PRIVATE NEVER_INLINE bool ordinarySetSlow(ExecState*, JSObject*, PropertyName, JSValue, JSValue receiver, bool shouldThrow);
1609
1610 // Helper for defining native functions, if you're not using a static hash table.
1611 // Use this macro from within finishCreation() methods in prototypes. This assumes
1612 // you've defined variables called exec, globalObject, and vm, and they
1613 // have the expected meanings.
1614 #define JSC_NATIVE_INTRINSIC_FUNCTION(jsName, cppName, attributes, length, intrinsic) \
1615     putDirectNativeFunction(\
1616         vm, globalObject, makeIdentifier(vm, (jsName)), (length), cppName, \
1617         (intrinsic), (attributes))
1618
1619 #define JSC_NATIVE_INTRINSIC_FUNCTION_WITHOUT_TRANSITION(jsName, cppName, attributes, length, intrinsic) \
1620     putDirectNativeFunctionWithoutTransition(\
1621         vm, globalObject, makeIdentifier(vm, (jsName)), (length), cppName, \
1622         (intrinsic), (attributes))
1623
1624 // As above, but this assumes that the function you're defining doesn't have an
1625 // intrinsic.
1626 #define JSC_NATIVE_FUNCTION(jsName, cppName, attributes, length) \
1627     JSC_NATIVE_INTRINSIC_FUNCTION(jsName, cppName, (attributes), (length), NoIntrinsic)
1628
1629 #define JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION(jsName, cppName, attributes, length) \
1630     JSC_NATIVE_INTRINSIC_FUNCTION_WITHOUT_TRANSITION(jsName, cppName, (attributes), (length), NoIntrinsic)
1631
1632 // Identical helpers but for builtins. Note that currently, we don't support builtins that are
1633 // also intrinsics, but we probably will do that eventually.
1634 #define JSC_BUILTIN_FUNCTION(jsName, generatorName, attributes) \
1635     putDirectBuiltinFunction(\
1636         vm, globalObject, makeIdentifier(vm, (jsName)), (generatorName)(vm), (attributes))
1637
1638 #define JSC_BUILTIN_FUNCTION_WITHOUT_TRANSITION(jsName, generatorName, attributes) \
1639     putDirectBuiltinFunctionWithoutTransition(\
1640         vm, globalObject, makeIdentifier(vm, (jsName)), (generatorName)(vm), (attributes))
1641
1642 // Helper for defining native getters on properties.
1643 #define JSC_NATIVE_INTRINSIC_GETTER(jsName, cppName, attributes, intrinsic)  \
1644     putDirectNativeIntrinsicGetter(\
1645         vm, globalObject, makeIdentifier(vm, (jsName)), (cppName), \
1646         (intrinsic), ((attributes) | PropertyAttribute::Accessor))
1647
1648 #define JSC_NATIVE_GETTER(jsName, cppName, attributes) \
1649     JSC_NATIVE_INTRINSIC_GETTER((jsName), (cppName), (attributes), NoIntrinsic)
1650
1651 } // namespace JSC