Butterflies should be allocated in Auxiliary MarkedSpace instead of CopiedSpace and we should rewrite as much of the GC as needed to make this not a regression
https://bugs.webkit.org/show_bug.cgi?id=160125
Reviewed by Geoffrey Garen and Keith Miller.
JSTests:
Most of the things I did properly covered by existing tests, but I found some simple cases of
unshifting that had sketchy coverage.
* stress/array-storage-array-unshift.js: Added.
* stress/contiguous-array-unshift.js: Added.
* stress/double-array-unshift.js: Added.
* stress/int32-array-unshift.js: Added.
Source/bmalloc:
I needed to tryMemalign, so I added such a thing.
* bmalloc/Allocator.cpp:
(bmalloc::Allocator::allocate):
(bmalloc::Allocator::tryAllocate):
(bmalloc::Allocator::allocateImpl):
* bmalloc/Allocator.h:
* bmalloc/Cache.h:
(bmalloc::Cache::tryAllocate):
* bmalloc/bmalloc.h:
(bmalloc::api::tryMemalign):
Source/JavaScriptCore:
In order to make the GC concurrent (bug 149432), we would either need to enable concurrent
copying or we would need to not copy. Concurrent copying carries a 1-2% throughput overhead
from the barriers alone. Considering that MarkedSpace does a decent job of avoiding
fragmentation, it's unlikely that it's worth paying 1-2% throughput for copying. So, we want
to get rid of copied space. This change moves copied space's biggest client over to marked
space.
Moving butterflies to marked space means having them use the new Auxiliary HeapCell
allocation path. This is a fairly mechanical change, but it caused performance regressions
everywhere, so this change also fixes MarkedSpace's performance issues.
At a high level the mechanical changes are:
- We use AuxiliaryBarrier instead of CopyBarrier.
- We use tryAllocateAuxiliary instead of tryAllocateStorage. I got rid of the silly
CheckedBoolean stuff, since it's so much more trouble than it's worth.
- The JITs have to emit inlined marked space allocations instead of inline copy space
allocations.
- Everyone has to get used to zeroing their butterflies after allocation instead of relying
on them being pre-zeroed by the GC. Copied space would zero things for you, while marked
space doesn't.
That's about 1/3 of this change. But this led to performance problems, which I fixed with
optimizations that amounted to a major MarkedSpace rewrite:
- MarkedSpace always causes internal fragmentation for array allocations because the vector
length we choose when we resize usually leads to a cell size that doesn't correspond to any
size class. I got around this by making array allocations usually round up vectorLength to
the maximum allowed by the size class that we would have allocated in. Also,
ensureLengthSlow() and friends first make sure that the requested length can't just be
fulfilled with the current allocation size. This safeguard means that not every array
allocation has to do size class queries. For example, the fast path of new Array(length)
never does any size class queries, under the assumption that (1) the speed gained from
avoiding an ensureLengthSlow() call, which then just changes the vectorLength by doing the
size class query, is too small to offset the speed lost by doing the query on every
allocation and (2) new Array(length) is a pretty good hint that resizing is not very
likely.
- Size classes in MarkedSpace were way too precise, which led to external fragmentation. This
changes MarkedSpace size classes to use a linear progression for very small sizes followed
by a geometric progression that naturally transitions to a hyperbolic progression. We want
hyperbolic sizes when we get close to blockSize: for example the largest size we want is
payloadSize / 2 rounded down, to ensure we get exactly two cells with minimal slop. The
next size down should be payloadSize / 3 rounded down, and so on. After the last precise
size (80 bytes), we proceed using a geometric progression, but round up each size to
minimize slop at the end of the block. This naturally causes the geometric progression to
turn hyperbolic for large sizes. The size class configuration happens at VM start-up, so
it can be controlled with runtime options. I found that a base of 1.4 works pretty well.
- Large allocations caused massive internal fragmentation, since the smallest large
allocation had to use exactly blockSize, and the largest small allocation used
blockSize / 2. The next size up - the first large allocation size to require two blocks -
also had 50% internal fragmentation. This is because we required large allocations to be
blockSize aligned, so that MarkedBlock::blockFor() would work. I decided to rewrite all of
that. Cells no longer have to be owned by a MarkedBlock. They can now alternatively be
owned by a LargeAllocation. These two things are abstracted as CellContainer. You know that
a cell is owned by a LargeAllocation if the MarkedBlock::atomSize / 2 bit is set.
Basically, large allocations are deliberately misaligned by 8 bytes. This actually works
out great since (1) typed arrays won't use large allocations anyway since they have their
own malloc fallback and (2) large array butterflies already have a 8 byte header, which
means that the 8 byte base misalignment aligns the large array payload on a 16 byte
boundary. I took extreme care to make sure that the isLargeAllocation bit checks are as
rare as possible; for example, ExecState::vm() skips the check because we know that callees
must be small allocations. It's also possible to use template tricks to do one check for
cell container kind, and then invoke a function specialized for MarkedBlock or a function
specialized for LargeAllocation. LargeAllocation includes stubs for all MarkedBlock methods
that get used from functions that are template-specialized like this. That's mostly to
speed up the GC marking code. Most other code can use CellContainer API or HeapCell API
directly. That's another thing: HeapCell, the common base of JSCell and auxiliary
allocations, is now smart enough to do a lot of things for you, like HeapCell::vm(),
HeapCell::heap(), HeapCell::isLargeAllocation(), and HeapCell::cellContainer(). The size
cutoff for large allocations is runtime-configurable, so long as you don't choose something
so small that callees end up large. I found that 400 bytes is roughly optimal. This means
that the MarkedBlock size classes end up being:
16, 32, 48, 64, 80, 112, 160, 224, 320
The next size class would have been 432, but that's above the 400 byte cutoff. All of this
is configurable with --sizeClassProgression and --largeAllocationCutoff. You can see what
size classes you end up with by doing --dumpSizeClasses=true.
- Copied space uses 64KB blocks, while marked space used to use 16KB blocks. Allocating a lot
of stuff in 16KB blocks was slower than allocating it in 64KB blocks because the GC had a
lot of per-block overhead. I removed this overhead: It's now 2x faster to scan all
MarkedBlocks because the list that contains the interesting meta-data is allocated on the
side, for better locality during a sequential walk. It's no longer necessary to scan
MarkedBlocks to find WeakSets, since the sets of WeakSets for eden scan and full scan are
maintained on-the-fly. It's no longer necessary to scan all MarkedBlocks to clear mark
bits because we now use versioned mark bits: to clear then, just increment the 64-bit
heap version. It's no longer necessary to scan retired MarkedBlocks while allocating
because marking retires them on-the-fly. It's no longer necessary to sort all blocks in
the IncrementalSweeper's snapshot because blocks now know if they are in the snapshot. Put
together, these optimizations allowed me to reduce block size to 16KB without losing much
performance. There is some small perf loss on JetStream/splay, but not enough to hurt
JetStream overall. I tried reducing block sizes further, to 4KB, since that is a
progression on membuster. That's not possible yet, since there is still enough per-block
overhead yet that such a reduction hurts JetStream too much. I filed a bug about improving
this further: https://bugs.webkit.org/show_bug.cgi?id=161581.
- Even after all of that, copying butterflies was still faster because it allowed us to skip
sweeping dead space. A good GC allocates over dead bytes without explicitly freeing them,
so the GC pause is O(size of live), not O(size of live + dead). O(dead) is usually much
larger than O(live), especially in an eden collection. Copying satisfies this premise while
mark+sweep does not. So, I invented a new kind of allocator: bump'n'pop. Previously, our
MarkedSpace allocator was a freelist pop. That's simple and easy to inline but requires
that we walk the block to build a free list. This means walking dead space. The new
allocator allows totally free MarkedBlocks to simply set up a bump-pointer arena instead.
The allocator is a hybrid of bump-pointer and freelist pop. It tries bump first. The bump
pointer always bumps by cellSize, so the result of filling a block with bumping looks as if
we had used freelist popping to fill it. Additionally, each MarkedBlock now has a bit to
quickly tell if the block is entirely free. This makes sweeping O(1) whenever a MarkedBlock
is completely empty, which is the common case because of the generational hypothesis: the
number of objects that survive an eden collection is a tiny fraction of the number of
objects that had been allocated, and this fraction is so small that there are typically
fewer than one survivors per MarkedBlock. This change was enough to make this change a net
win over tip-of-tree.
- FTL now shares the same allocation fast paths as everything else, which is great, because
bump'n'pop has gnarly control flow. We don't really want B3 to have to think about that
control flow, since it won't be able to improve the machine code we write ourselves. GC
fast paths are best written in assembly. So, I've empowered B3 to have even better support
for Patchpoint terminals. It's now totally fine for a Patchpoint terminal to be non-Void.
So, the new FTL allocation fast paths are just Patchpoint terminals that call through to
AssemblyHelpers::emitAllocate(). B3 still reasons about things like constant-folding the
size class calculation and constant-hoisting the allocator. Also, I gave the FTL the
ability to constant-fold some allocator logic (in case we first assume that we're doing a
variable-length allocation but then realize that the length is known). I think it makes
sense to have constant folding rules in FTL::Output, or whatever the B3 IR builder is,
since this makes lowering easier (you can constant fold during lowering more easily) and it
reduces the amount of malloc traffic. In the future, we could teach B3 how to better
constant-fold this code. That would require allowing loads to be constant-folded, which is
doable but hella tricky.
- It used to be that if a logical object allocation required two physical allocations (first
the butterfly and then the cell), then the JIT would emit the code in such a way that a
failure in the second fast path would cause us to forget the successful first physical
allocation. This was pointlessly wasteful. It turns out that it's very cheap to devote a
register to storing either the butterfly or null, because the butterfly register is anyway
going to be free inside the first allocation. The only overhead here is zeroing the
butterfly register. With that in place, we can just pass the butterfly-or-null to the slow
path, which can then either allocate a butterfly or not. So now we never waste a successful
allocation. This patch implements such a solution both in DFG (where it's easy to do this
since we control registers already) and in FTL (where it's annoying, because mutable
"butterfly-or-null" variables are hard to say in SSA; also I realized that we had code
duplicated the JSArray allocation utility, so I deduplicated it). This came up because in
one version of this patch, this wastage would resonate with some Kraken benchmark: the
benchmark would always allocate N small things followed by one bigger thing. The problem
was I accidentally adjusted the various fixed overheads in MarkedBlock in such a way that
the JSObject size class, which both the small and big thing shared for their cell, could
hold exactly N cells per MarkedBlock. Then the benchmark would always call slow path when
it allocated the big thing. So, it would end up having to allocate the big thing's large
butterfly twice, every single time! Ouch!
- It used to be that we zeroed CopiedBlocks using memset, and so array allocations enjoyed
amortization of the cost of zeroing. This doesn't work anymore - it's now up to the client
of the allocator to initialize the object to whatever state they need. It used to be that
we would just use a dumb loop. I initially changed this so that we would end up in memset
for large allocations, but this didn't actually help performance that much. I got a much
better result by playing with different memsets written in assembly. First I wrote one
using non-temporal stores. That was a small speed-up over memset. Then I tried the classic
"rep stos" approach, and holy cow that version was fast. It's a ~20% speed-up on array
allocation microbenchmarks. So, this patch adds code paths to do "rep stos" on x86_64, or
memset, or use a loop, as appropriate, for both "contiguous" arrays (holes are zero) and
double arrays (holes are PNaN). Note that the JIT always emits either a loop or a flat slab
of stores (if the size is known), but those paths in the JIT won't trigger for
NewArrayWithSize() if the size is large, since that takes us to the
operationNewArrayWithSize() slow path, which calls into JSArray::create(). That's why the
optimizations here are all in JSArray::create() - that's the hot place for large arrays
that need to be filled with holes.
All of this put together gives us neutral perf on JetStream, membuster, and PLT3, a ~1%
regression on Speedometer, and up to a 4% regression Kraken. The Kraken regression is
because Kraken was allocating exactly 1024 element arrays at a rate of 400MB/sec. This is a
best-case scenario for bump allocation. I think that we should fix bmalloc to make up the
difference, but take the hit for now because it's a crazy corner case. By comparison, the
alternative approach of using a copy barrier would have cost us 1-2%. That's the real
apples-to-apples comparison if your premise is that we should have a concurrent GC. After we
finish removing copied space, we will be barrier-ready for concurrent GC: we already have a
marking barrier and we simply won't need a copying barrier. This change gets us there for
the purposes of our benchmarks, since the remaining clients of copied space are not very
important. On the other hand, if we keep copying, then getting barrier-ready would mean
adding back the copy barrier, which costs more perf.
We might get bigger speed-ups once we remove CopiedSpace altogether. That requires moving
typed arrays and a few other weird things over to Aux MarkedSpace.
This also includes some header sanitization. The introduction of AuxiliaryBarrier, HeapCell,
and CellContainer meant that I had to include those files from everywhere. Fortunately,
just including JSCInlines.h (instead of manually including the files that includes) is
usually enough. So, I made most of JSC's cpp files include JSCInlines.h, which is something
that we were already basically doing. In places where JSCInlines.h would be too much, I just
included HeapInlines.h. This got weird, because we previously included HeapInlines.h from
JSObject.h. That's bad because it led to some circular dependencies, so I fixed it - but that
meant having to manually include HeapInlines.h from the places that previously got it
implicitly via JSObject.h. But that led to more problems for some reason: I started getting
build errors because non-JSC files were having trouble including Opcode.h. That's just silly,
since Opcode.h is meant to be an internal JSC header. So, I made it an internal header and
made it impossible to include it from outside JSC. This was a lot of work, but it was
necessary to get the patch to build on all ports. It's also a net win. There were many places
in WebCore that were transitively including a *ton* of JSC headers just because of the
JSObject.h->HeapInlines.h edge and a bunch of dependency edges that arose from some public
(for WebCore) JSC headers needing Interpreter.h or Opcode.h for bad reasons.
* API/JSManagedValue.mm:
(-[JSManagedValue initWithValue:]):
* API/JSTypedArray.cpp:
* API/ObjCCallbackFunction.mm:
* API/tests/testapi.mm:
(testObjectiveCAPI):
(testWeakValue): Deleted.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* Scripts/builtins/builtins_generate_combined_implementation.py:
(BuiltinsCombinedImplementationGenerator.generate_secondary_header_includes):
* Scripts/builtins/builtins_generate_internals_wrapper_implementation.py:
(BuiltinsInternalsWrapperImplementationGenerator.generate_secondary_header_includes):
* Scripts/builtins/builtins_generate_separate_implementation.py:
(BuiltinsSeparateImplementationGenerator.generate_secondary_header_includes):
* assembler/AbstractMacroAssembler.h:
(JSC::AbstractMacroAssembler::JumpList::link):
(JSC::AbstractMacroAssembler::JumpList::linkTo):
* assembler/MacroAssembler.h:
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::add32):
* assembler/MacroAssemblerCodeRef.cpp: Added.
(JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
(JSC::MacroAssemblerCodePtr::dumpWithName):
(JSC::MacroAssemblerCodePtr::dump):
(JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
(JSC::MacroAssemblerCodeRef::dump):
* assembler/MacroAssemblerCodeRef.h:
(JSC::MacroAssemblerCodePtr::createLLIntCodePtr): Deleted.
(JSC::MacroAssemblerCodePtr::dumpWithName): Deleted.
(JSC::MacroAssemblerCodePtr::dump): Deleted.
(JSC::MacroAssemblerCodeRef::createLLIntCodeRef): Deleted.
(JSC::MacroAssemblerCodeRef::dump): Deleted.
* b3/B3BasicBlock.cpp:
(JSC::B3::BasicBlock::appendBoolConstant):
* b3/B3BasicBlock.h:
* b3/B3DuplicateTails.cpp:
* b3/B3StackmapGenerationParams.h:
* b3/testb3.cpp:
(JSC::B3::testPatchpointTerminalReturnValue):
(JSC::B3::run):
* bindings/ScriptValue.cpp:
* bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
* bytecode/BytecodeBasicBlock.cpp:
* bytecode/BytecodeLivenessAnalysis.cpp:
* bytecode/BytecodeUseDef.h:
* bytecode/CallLinkInfo.cpp:
(JSC::CallLinkInfo::callTypeFor):
* bytecode/CallLinkInfo.h:
(JSC::CallLinkInfo::callTypeFor): Deleted.
* bytecode/CallLinkStatus.cpp:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::finishCreation):
(JSC::CodeBlock::clearLLIntGetByIdCache):
(JSC::CodeBlock::predictedMachineCodeSize):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::jitCodeMap): Deleted.
(JSC::clearLLIntGetByIdCache): Deleted.
* bytecode/ExecutionCounter.h:
* bytecode/Instruction.h:
* bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
(JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
* bytecode/ObjectAllocationProfile.h:
(JSC::ObjectAllocationProfile::isNull):
(JSC::ObjectAllocationProfile::initialize):
* bytecode/Opcode.h:
(JSC::padOpcodeName):
* bytecode/PolymorphicAccess.cpp:
(JSC::AccessCase::generateImpl):
(JSC::PolymorphicAccess::regenerate):
* bytecode/PolymorphicAccess.h:
* bytecode/PreciseJumpTargets.cpp:
* bytecode/StructureStubInfo.cpp:
* bytecode/StructureStubInfo.h:
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedCodeBlock::vm): Deleted.
* bytecode/UnlinkedCodeBlock.h:
* bytecode/UnlinkedInstructionStream.cpp:
* bytecode/UnlinkedInstructionStream.h:
* dfg/DFGOperations.cpp:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
(JSC::DFG::SpeculativeJIT::compileMakeRope):
(JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
(JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
(JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
(JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
(JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
* dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLCompile.cpp:
* ftl/FTLJITFinalizer.cpp:
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
(JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
(JSC::FTL::DFG::LowerDFGToB3::allocateArrayWithSize):
(JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
(JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
(JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
(JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
(JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
(JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
(JSC::FTL::DFG::LowerDFGToB3::allocateCell):
(JSC::FTL::DFG::LowerDFGToB3::allocateObject):
(JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
(JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
(JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
(JSC::FTL::DFG::LowerDFGToB3::compileAllocateArrayWithSize): Deleted.
* ftl/FTLOutput.cpp:
(JSC::FTL::Output::constBool):
(JSC::FTL::Output::add):
(JSC::FTL::Output::shl):
(JSC::FTL::Output::aShr):
(JSC::FTL::Output::lShr):
(JSC::FTL::Output::zeroExt):
(JSC::FTL::Output::equal):
(JSC::FTL::Output::notEqual):
(JSC::FTL::Output::above):
(JSC::FTL::Output::aboveOrEqual):
(JSC::FTL::Output::below):
(JSC::FTL::Output::belowOrEqual):
(JSC::FTL::Output::greaterThan):
(JSC::FTL::Output::greaterThanOrEqual):
(JSC::FTL::Output::lessThan):
(JSC::FTL::Output::lessThanOrEqual):
(JSC::FTL::Output::select):
(JSC::FTL::Output::appendSuccessor):
(JSC::FTL::Output::addIncomingToPhi):
* ftl/FTLOutput.h:
* ftl/FTLValueFromBlock.h:
(JSC::FTL::ValueFromBlock::operator bool):
(JSC::FTL::ValueFromBlock::ValueFromBlock): Deleted.
* ftl/FTLWeightedTarget.h:
(JSC::FTL::WeightedTarget::frequentedBlock):
* heap/CellContainer.h: Added.
(JSC::CellContainer::CellContainer):
(JSC::CellContainer::operator bool):
(JSC::CellContainer::isMarkedBlock):
(JSC::CellContainer::isLargeAllocation):
(JSC::CellContainer::markedBlock):
(JSC::CellContainer::largeAllocation):
* heap/CellContainerInlines.h: Added.
(JSC::CellContainer::isMarked):
(JSC::CellContainer::isMarkedOrNewlyAllocated):
(JSC::CellContainer::noteMarked):
(JSC::CellContainer::cellSize):
(JSC::CellContainer::weakSet):
(JSC::CellContainer::flipIfNecessary):
* heap/ConservativeRoots.cpp:
(JSC::ConservativeRoots::ConservativeRoots):
(JSC::ConservativeRoots::~ConservativeRoots):
(JSC::ConservativeRoots::grow):
(JSC::ConservativeRoots::genericAddPointer):
(JSC::ConservativeRoots::genericAddSpan):
* heap/ConservativeRoots.h:
(JSC::ConservativeRoots::roots):
* heap/CopyToken.h:
* heap/FreeList.cpp: Added.
(JSC::FreeList::dump):
* heap/FreeList.h: Added.
(JSC::FreeList::FreeList):
(JSC::FreeList::list):
(JSC::FreeList::bump):
(JSC::FreeList::operator==):
(JSC::FreeList::operator!=):
(JSC::FreeList::operator bool):
(JSC::FreeList::allocationWillFail):
(JSC::FreeList::allocationWillSucceed):
* heap/GCTypeMap.h: Added.
(JSC::GCTypeMap::operator[]):
* heap/Heap.cpp:
(JSC::Heap::Heap):
(JSC::Heap::lastChanceToFinalize):
(JSC::Heap::finalizeUnconditionalFinalizers):
(JSC::Heap::markRoots):
(JSC::Heap::copyBackingStores):
(JSC::Heap::gatherStackRoots):
(JSC::Heap::gatherJSStackRoots):
(JSC::Heap::gatherScratchBufferRoots):
(JSC::Heap::clearLivenessData):
(JSC::Heap::visitSmallStrings):
(JSC::Heap::visitConservativeRoots):
(JSC::Heap::removeDeadCompilerWorklistEntries):
(JSC::Heap::gatherExtraHeapSnapshotData):
(JSC::Heap::removeDeadHeapSnapshotNodes):
(JSC::Heap::visitProtectedObjects):
(JSC::Heap::visitArgumentBuffers):
(JSC::Heap::visitException):
(JSC::Heap::visitStrongHandles):
(JSC::Heap::visitHandleStack):
(JSC::Heap::visitSamplingProfiler):
(JSC::Heap::traceCodeBlocksAndJITStubRoutines):
(JSC::Heap::converge):
(JSC::Heap::visitWeakHandles):
(JSC::Heap::updateObjectCounts):
(JSC::Heap::clearUnmarkedExecutables):
(JSC::Heap::deleteUnmarkedCompiledCode):
(JSC::Heap::collectAllGarbage):
(JSC::Heap::collect):
(JSC::Heap::collectWithoutAnySweep):
(JSC::Heap::collectImpl):
(JSC::Heap::suspendCompilerThreads):
(JSC::Heap::willStartCollection):
(JSC::Heap::flushOldStructureIDTables):
(JSC::Heap::flushWriteBarrierBuffer):
(JSC::Heap::stopAllocation):
(JSC::Heap::prepareForMarking):
(JSC::Heap::reapWeakHandles):
(JSC::Heap::pruneStaleEntriesFromWeakGCMaps):
(JSC::Heap::sweepArrayBuffers):
(JSC::MarkedBlockSnapshotFunctor::MarkedBlockSnapshotFunctor):
(JSC::MarkedBlockSnapshotFunctor::operator()):
(JSC::Heap::snapshotMarkedSpace):
(JSC::Heap::deleteSourceProviderCaches):
(JSC::Heap::notifyIncrementalSweeper):
(JSC::Heap::writeBarrierCurrentlyExecutingCodeBlocks):
(JSC::Heap::resetAllocators):
(JSC::Heap::updateAllocationLimits):
(JSC::Heap::didFinishCollection):
(JSC::Heap::resumeCompilerThreads):
(JSC::Zombify::visit):
(JSC::Heap::forEachCodeBlockImpl):
* heap/Heap.h:
(JSC::Heap::allocatorForObjectWithoutDestructor):
(JSC::Heap::allocatorForObjectWithDestructor):
(JSC::Heap::allocatorForAuxiliaryData):
(JSC::Heap::jitStubRoutines):
(JSC::Heap::codeBlockSet):
(JSC::Heap::storageAllocator): Deleted.
* heap/HeapCell.h:
(JSC::HeapCell::isZapped): Deleted.
* heap/HeapCellInlines.h: Added.
(JSC::HeapCell::isLargeAllocation):
(JSC::HeapCell::cellContainer):
(JSC::HeapCell::markedBlock):
(JSC::HeapCell::largeAllocation):
(JSC::HeapCell::heap):
(JSC::HeapCell::vm):
(JSC::HeapCell::cellSize):
(JSC::HeapCell::allocatorAttributes):
(JSC::HeapCell::destructionMode):
(JSC::HeapCell::cellKind):
* heap/HeapInlines.h:
(JSC::Heap::heap):
(JSC::Heap::isLive):
(JSC::Heap::isMarked):
(JSC::Heap::testAndSetMarked):
(JSC::Heap::setMarked):
(JSC::Heap::cellSize):
(JSC::Heap::forEachCodeBlock):
(JSC::Heap::allocateObjectOfType):
(JSC::Heap::subspaceForObjectOfType):
(JSC::Heap::allocatorForObjectOfType):
(JSC::Heap::allocateAuxiliary):
(JSC::Heap::tryAllocateAuxiliary):
(JSC::Heap::tryReallocateAuxiliary):
(JSC::Heap::isPointerGCObject): Deleted.
(JSC::Heap::isValueGCObject): Deleted.
* heap/HeapOperation.cpp: Added.
(WTF::printInternal):
* heap/HeapOperation.h:
* heap/HeapUtil.h: Added.
(JSC::HeapUtil::findGCObjectPointersForMarking):
(JSC::HeapUtil::isPointerGCObjectJSCell):
(JSC::HeapUtil::isValueGCObject):
* heap/IncrementalSweeper.cpp:
(JSC::IncrementalSweeper::sweepNextBlock):
* heap/IncrementalSweeper.h:
* heap/LargeAllocation.cpp: Added.
(JSC::LargeAllocation::tryCreate):
(JSC::LargeAllocation::LargeAllocation):
(JSC::LargeAllocation::lastChanceToFinalize):
(JSC::LargeAllocation::shrink):
(JSC::LargeAllocation::visitWeakSet):
(JSC::LargeAllocation::reapWeakSet):
(JSC::LargeAllocation::flip):
(JSC::LargeAllocation::isEmpty):
(JSC::LargeAllocation::sweep):
(JSC::LargeAllocation::destroy):
(JSC::LargeAllocation::dump):
* heap/LargeAllocation.h: Added.
(JSC::LargeAllocation::fromCell):
(JSC::LargeAllocation::cell):
(JSC::LargeAllocation::isLargeAllocation):
(JSC::LargeAllocation::heap):
(JSC::LargeAllocation::vm):
(JSC::LargeAllocation::weakSet):
(JSC::LargeAllocation::clearNewlyAllocated):
(JSC::LargeAllocation::isNewlyAllocated):
(JSC::LargeAllocation::isMarked):
(JSC::LargeAllocation::isMarkedOrNewlyAllocated):
(JSC::LargeAllocation::isLive):
(JSC::LargeAllocation::hasValidCell):
(JSC::LargeAllocation::cellSize):
(JSC::LargeAllocation::aboveLowerBound):
(JSC::LargeAllocation::belowUpperBound):
(JSC::LargeAllocation::contains):
(JSC::LargeAllocation::attributes):
(JSC::LargeAllocation::flipIfNecessary):
(JSC::LargeAllocation::flipIfNecessaryConcurrently):
(JSC::LargeAllocation::testAndSetMarked):
(JSC::LargeAllocation::setMarked):
(JSC::LargeAllocation::clearMarked):
(JSC::LargeAllocation::noteMarked):
(JSC::LargeAllocation::headerSize):
* heap/MarkedAllocator.cpp:
(JSC::MarkedAllocator::MarkedAllocator):
(JSC::MarkedAllocator::isPagedOut):
(JSC::MarkedAllocator::retire):
(JSC::MarkedAllocator::filterNextBlock):
(JSC::MarkedAllocator::setNextBlockToSweep):
(JSC::MarkedAllocator::tryAllocateWithoutCollectingImpl):
(JSC::MarkedAllocator::tryAllocateWithoutCollecting):
(JSC::MarkedAllocator::allocateSlowCase):
(JSC::MarkedAllocator::tryAllocateSlowCase):
(JSC::MarkedAllocator::allocateSlowCaseImpl):
(JSC::blockHeaderSize):
(JSC::MarkedAllocator::blockSizeForBytes):
(JSC::MarkedAllocator::tryAllocateBlock):
(JSC::MarkedAllocator::addBlock):
(JSC::MarkedAllocator::removeBlock):
(JSC::MarkedAllocator::stopAllocating):
(JSC::MarkedAllocator::reset):
(JSC::MarkedAllocator::lastChanceToFinalize):
(JSC::MarkedAllocator::setFreeList):
(JSC::isListPagedOut): Deleted.
(JSC::MarkedAllocator::tryAllocateHelper): Deleted.
(JSC::MarkedAllocator::tryPopFreeList): Deleted.
(JSC::MarkedAllocator::tryAllocate): Deleted.
(JSC::MarkedAllocator::allocateBlock): Deleted.
* heap/MarkedAllocator.h:
(JSC::MarkedAllocator::takeLastActiveBlock):
(JSC::MarkedAllocator::offsetOfFreeList):
(JSC::MarkedAllocator::offsetOfCellSize):
(JSC::MarkedAllocator::tryAllocate):
(JSC::MarkedAllocator::allocate):
(JSC::MarkedAllocator::forEachBlock):
(JSC::MarkedAllocator::offsetOfFreeListHead): Deleted.
(JSC::MarkedAllocator::MarkedAllocator): Deleted.
(JSC::MarkedAllocator::init): Deleted.
(JSC::MarkedAllocator::stopAllocating): Deleted.
* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::tryCreate):
(JSC::MarkedBlock::Handle::Handle):
(JSC::MarkedBlock::Handle::~Handle):
(JSC::MarkedBlock::MarkedBlock):
(JSC::MarkedBlock::Handle::specializedSweep):
(JSC::MarkedBlock::Handle::sweep):
(JSC::MarkedBlock::Handle::sweepHelperSelectScribbleMode):
(JSC::MarkedBlock::Handle::sweepHelperSelectStateAndSweepMode):
(JSC::MarkedBlock::Handle::unsweepWithNoNewlyAllocated):
(JSC::SetNewlyAllocatedFunctor::SetNewlyAllocatedFunctor):
(JSC::SetNewlyAllocatedFunctor::operator()):
(JSC::MarkedBlock::Handle::stopAllocating):
(JSC::MarkedBlock::Handle::lastChanceToFinalize):
(JSC::MarkedBlock::Handle::resumeAllocating):
(JSC::MarkedBlock::Handle::zap):
(JSC::MarkedBlock::Handle::forEachFreeCell):
(JSC::MarkedBlock::flipIfNecessary):
(JSC::MarkedBlock::Handle::flipIfNecessary):
(JSC::MarkedBlock::flipIfNecessarySlow):
(JSC::MarkedBlock::flipIfNecessaryConcurrentlySlow):
(JSC::MarkedBlock::clearMarks):
(JSC::MarkedBlock::assertFlipped):
(JSC::MarkedBlock::needsFlip):
(JSC::MarkedBlock::Handle::needsFlip):
(JSC::MarkedBlock::Handle::willRemoveBlock):
(JSC::MarkedBlock::Handle::didConsumeFreeList):
(JSC::MarkedBlock::markCount):
(JSC::MarkedBlock::Handle::isEmpty):
(JSC::MarkedBlock::clearHasAnyMarked):
(JSC::MarkedBlock::noteMarkedSlow):
(WTF::printInternal):
(JSC::MarkedBlock::create): Deleted.
(JSC::MarkedBlock::destroy): Deleted.
(JSC::MarkedBlock::callDestructor): Deleted.
(JSC::MarkedBlock::specializedSweep): Deleted.
(JSC::MarkedBlock::sweep): Deleted.
(JSC::MarkedBlock::sweepHelper): Deleted.
(JSC::MarkedBlock::stopAllocating): Deleted.
(JSC::MarkedBlock::clearMarksWithCollectionType): Deleted.
(JSC::MarkedBlock::lastChanceToFinalize): Deleted.
(JSC::MarkedBlock::resumeAllocating): Deleted.
(JSC::MarkedBlock::didRetireBlock): Deleted.
* heap/MarkedBlock.h:
(JSC::MarkedBlock::VoidFunctor::returnValue):
(JSC::MarkedBlock::CountFunctor::CountFunctor):
(JSC::MarkedBlock::CountFunctor::count):
(JSC::MarkedBlock::CountFunctor::returnValue):
(JSC::MarkedBlock::Handle::hasAnyNewlyAllocated):
(JSC::MarkedBlock::Handle::isOnBlocksToSweep):
(JSC::MarkedBlock::Handle::setIsOnBlocksToSweep):
(JSC::MarkedBlock::Handle::state):
(JSC::MarkedBlock::needsDestruction):
(JSC::MarkedBlock::handle):
(JSC::MarkedBlock::Handle::block):
(JSC::MarkedBlock::firstAtom):
(JSC::MarkedBlock::atoms):
(JSC::MarkedBlock::isAtomAligned):
(JSC::MarkedBlock::Handle::cellAlign):
(JSC::MarkedBlock::blockFor):
(JSC::MarkedBlock::Handle::allocator):
(JSC::MarkedBlock::Handle::heap):
(JSC::MarkedBlock::Handle::vm):
(JSC::MarkedBlock::vm):
(JSC::MarkedBlock::Handle::weakSet):
(JSC::MarkedBlock::weakSet):
(JSC::MarkedBlock::Handle::shrink):
(JSC::MarkedBlock::Handle::visitWeakSet):
(JSC::MarkedBlock::Handle::reapWeakSet):
(JSC::MarkedBlock::Handle::cellSize):
(JSC::MarkedBlock::cellSize):
(JSC::MarkedBlock::Handle::attributes):
(JSC::MarkedBlock::attributes):
(JSC::MarkedBlock::Handle::needsDestruction):
(JSC::MarkedBlock::Handle::destruction):
(JSC::MarkedBlock::Handle::cellKind):
(JSC::MarkedBlock::Handle::markCount):
(JSC::MarkedBlock::Handle::size):
(JSC::MarkedBlock::atomNumber):
(JSC::MarkedBlock::flipIfNecessary):
(JSC::MarkedBlock::flipIfNecessaryConcurrently):
(JSC::MarkedBlock::Handle::flipIfNecessary):
(JSC::MarkedBlock::Handle::flipIfNecessaryConcurrently):
(JSC::MarkedBlock::Handle::flipForEdenCollection):
(JSC::MarkedBlock::assertFlipped):
(JSC::MarkedBlock::Handle::assertFlipped):
(JSC::MarkedBlock::isMarked):
(JSC::MarkedBlock::testAndSetMarked):
(JSC::MarkedBlock::Handle::isNewlyAllocated):
(JSC::MarkedBlock::Handle::setNewlyAllocated):
(JSC::MarkedBlock::Handle::clearNewlyAllocated):
(JSC::MarkedBlock::Handle::isMarkedOrNewlyAllocated):
(JSC::MarkedBlock::isMarkedOrNewlyAllocated):
(JSC::MarkedBlock::Handle::isLive):
(JSC::MarkedBlock::isAtom):
(JSC::MarkedBlock::Handle::isLiveCell):
(JSC::MarkedBlock::Handle::forEachCell):
(JSC::MarkedBlock::Handle::forEachLiveCell):
(JSC::MarkedBlock::Handle::forEachDeadCell):
(JSC::MarkedBlock::Handle::needsSweeping):
(JSC::MarkedBlock::Handle::isAllocated):
(JSC::MarkedBlock::Handle::isMarked):
(JSC::MarkedBlock::Handle::isFreeListed):
(JSC::MarkedBlock::hasAnyMarked):
(JSC::MarkedBlock::noteMarked):
(WTF::MarkedBlockHash::hash):
(JSC::MarkedBlock::FreeList::FreeList): Deleted.
(JSC::MarkedBlock::allocator): Deleted.
(JSC::MarkedBlock::heap): Deleted.
(JSC::MarkedBlock::shrink): Deleted.
(JSC::MarkedBlock::visitWeakSet): Deleted.
(JSC::MarkedBlock::reapWeakSet): Deleted.
(JSC::MarkedBlock::willRemoveBlock): Deleted.
(JSC::MarkedBlock::didConsumeFreeList): Deleted.
(JSC::MarkedBlock::markCount): Deleted.
(JSC::MarkedBlock::isEmpty): Deleted.
(JSC::MarkedBlock::destruction): Deleted.
(JSC::MarkedBlock::cellKind): Deleted.
(JSC::MarkedBlock::size): Deleted.
(JSC::MarkedBlock::capacity): Deleted.
(JSC::MarkedBlock::setMarked): Deleted.
(JSC::MarkedBlock::clearMarked): Deleted.
(JSC::MarkedBlock::isNewlyAllocated): Deleted.
(JSC::MarkedBlock::setNewlyAllocated): Deleted.
(JSC::MarkedBlock::clearNewlyAllocated): Deleted.
(JSC::MarkedBlock::isLive): Deleted.
(JSC::MarkedBlock::isLiveCell): Deleted.
(JSC::MarkedBlock::forEachCell): Deleted.
(JSC::MarkedBlock::forEachLiveCell): Deleted.
(JSC::MarkedBlock::forEachDeadCell): Deleted.
(JSC::MarkedBlock::needsSweeping): Deleted.
(JSC::MarkedBlock::isAllocated): Deleted.
(JSC::MarkedBlock::isMarkedOrRetired): Deleted.
* heap/MarkedSpace.cpp:
(JSC::MarkedSpace::initializeSizeClassForStepSize):
(JSC::MarkedSpace::MarkedSpace):
(JSC::MarkedSpace::~MarkedSpace):
(JSC::MarkedSpace::lastChanceToFinalize):
(JSC::MarkedSpace::allocate):
(JSC::MarkedSpace::tryAllocate):
(JSC::MarkedSpace::allocateLarge):
(JSC::MarkedSpace::tryAllocateLarge):
(JSC::MarkedSpace::sweep):
(JSC::MarkedSpace::sweepLargeAllocations):
(JSC::MarkedSpace::zombifySweep):
(JSC::MarkedSpace::resetAllocators):
(JSC::MarkedSpace::visitWeakSets):
(JSC::MarkedSpace::reapWeakSets):
(JSC::MarkedSpace::stopAllocating):
(JSC::MarkedSpace::prepareForMarking):
(JSC::MarkedSpace::resumeAllocating):
(JSC::MarkedSpace::isPagedOut):
(JSC::MarkedSpace::freeBlock):
(JSC::MarkedSpace::freeOrShrinkBlock):
(JSC::MarkedSpace::shrink):
(JSC::MarkedSpace::clearNewlyAllocated):
(JSC::VerifyMarked::operator()):
(JSC::MarkedSpace::flip):
(JSC::MarkedSpace::objectCount):
(JSC::MarkedSpace::size):
(JSC::MarkedSpace::capacity):
(JSC::MarkedSpace::addActiveWeakSet):
(JSC::MarkedSpace::didAddBlock):
(JSC::MarkedSpace::didAllocateInBlock):
(JSC::MarkedSpace::forEachAllocator): Deleted.
(JSC::VerifyMarkedOrRetired::operator()): Deleted.
(JSC::MarkedSpace::clearMarks): Deleted.
* heap/MarkedSpace.h:
(JSC::MarkedSpace::sizeClassToIndex):
(JSC::MarkedSpace::indexToSizeClass):
(JSC::MarkedSpace::version):
(JSC::MarkedSpace::blocksWithNewObjects):
(JSC::MarkedSpace::largeAllocations):
(JSC::MarkedSpace::largeAllocationsNurseryOffset):
(JSC::MarkedSpace::largeAllocationsOffsetForThisCollection):
(JSC::MarkedSpace::largeAllocationsForThisCollectionBegin):
(JSC::MarkedSpace::largeAllocationsForThisCollectionEnd):
(JSC::MarkedSpace::largeAllocationsForThisCollectionSize):
(JSC::MarkedSpace::forEachLiveCell):
(JSC::MarkedSpace::forEachDeadCell):
(JSC::MarkedSpace::allocatorFor):
(JSC::MarkedSpace::destructorAllocatorFor):
(JSC::MarkedSpace::auxiliaryAllocatorFor):
(JSC::MarkedSpace::allocateWithoutDestructor):
(JSC::MarkedSpace::allocateWithDestructor):
(JSC::MarkedSpace::allocateAuxiliary):
(JSC::MarkedSpace::tryAllocateAuxiliary):
(JSC::MarkedSpace::forEachBlock):
(JSC::MarkedSpace::forEachAllocator):
(JSC::MarkedSpace::optimalSizeFor):
(JSC::MarkedSpace::didAddBlock): Deleted.
(JSC::MarkedSpace::didAllocateInBlock): Deleted.
(JSC::MarkedSpace::objectCount): Deleted.
(JSC::MarkedSpace::size): Deleted.
(JSC::MarkedSpace::capacity): Deleted.
* heap/SlotVisitor.cpp:
(JSC::SlotVisitor::SlotVisitor):
(JSC::SlotVisitor::didStartMarking):
(JSC::SlotVisitor::reset):
(JSC::SlotVisitor::append):
(JSC::SlotVisitor::appendJSCellOrAuxiliary):
(JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
(JSC::SlotVisitor::appendToMarkStack):
(JSC::SlotVisitor::markAuxiliary):
(JSC::SlotVisitor::noteLiveAuxiliaryCell):
(JSC::SlotVisitor::visitChildren):
* heap/SlotVisitor.h:
* heap/WeakBlock.cpp:
(JSC::WeakBlock::create):
(JSC::WeakBlock::WeakBlock):
(JSC::WeakBlock::visit):
(JSC::WeakBlock::reap):
* heap/WeakBlock.h:
(JSC::WeakBlock::disconnectContainer):
(JSC::WeakBlock::disconnectMarkedBlock): Deleted.
* heap/WeakSet.cpp:
(JSC::WeakSet::~WeakSet):
(JSC::WeakSet::sweep):
(JSC::WeakSet::shrink):
(JSC::WeakSet::addAllocator):
* heap/WeakSet.h:
(JSC::WeakSet::container):
(JSC::WeakSet::setContainer):
(JSC::WeakSet::WeakSet):
(JSC::WeakSet::visit):
(JSC::WeakSet::shrink): Deleted.
* heap/WeakSetInlines.h:
(JSC::WeakSet::allocate):
* inspector/InjectedScriptManager.cpp:
* inspector/JSGlobalObjectInspectorController.cpp:
* inspector/JSJavaScriptCallFrame.cpp:
* inspector/ScriptDebugServer.cpp:
* inspector/agents/InspectorDebuggerAgent.cpp:
* interpreter/CachedCall.h:
(JSC::CachedCall::CachedCall):
* interpreter/Interpreter.cpp:
(JSC::loadVarargs):
(JSC::StackFrame::sourceID): Deleted.
(JSC::StackFrame::sourceURL): Deleted.
(JSC::StackFrame::functionName): Deleted.
(JSC::StackFrame::computeLineAndColumn): Deleted.
(JSC::StackFrame::toString): Deleted.
* interpreter/Interpreter.h:
(JSC::StackFrame::isNative): Deleted.
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
(JSC::AssemblyHelpers::emitAllocate):
(JSC::AssemblyHelpers::emitAllocateJSCell):
(JSC::AssemblyHelpers::emitAllocateJSObject):
(JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
(JSC::AssemblyHelpers::emitAllocateVariableSized):
* jit/GCAwareJITStubRoutine.cpp:
(JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
* jit/JIT.cpp:
(JSC::JIT::compileCTINativeCall):
(JSC::JIT::link):
* jit/JIT.h:
(JSC::JIT::compileCTINativeCall): Deleted.
* jit/JITExceptions.cpp:
(JSC::genericUnwind):
* jit/JITExceptions.h:
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_new_object):
(JSC::JIT::emitSlow_op_new_object):
(JSC::JIT::emit_op_create_this):
(JSC::JIT::emitSlow_op_create_this):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_new_object):
(JSC::JIT::emitSlow_op_new_object):
(JSC::JIT::emit_op_create_this):
(JSC::JIT::emitSlow_op_create_this):
* jit/JITOperations.cpp:
* jit/JITOperations.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitWriteBarrier):
* jit/JITThunks.cpp:
* jit/JITThunks.h:
* jsc.cpp:
(functionDescribeArray):
(main):
* llint/LLIntData.cpp:
(JSC::LLInt::Data::performAssertions):
* llint/LLIntExceptions.cpp:
* llint/LLIntThunks.cpp:
* llint/LLIntThunks.h:
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter.cpp:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* parser/ModuleAnalyzer.cpp:
* parser/NodeConstructors.h:
* parser/Nodes.h:
* profiler/ProfilerBytecode.cpp:
* profiler/ProfilerBytecode.h:
* profiler/ProfilerBytecodeSequence.cpp:
* runtime/ArrayConventions.h:
(JSC::indexingHeaderForArrayStorage):
(JSC::baseIndexingHeaderForArrayStorage):
(JSC::indexingHeaderForArray): Deleted.
(JSC::baseIndexingHeaderForArray): Deleted.
* runtime/ArrayPrototype.cpp:
(JSC::arrayProtoFuncSplice):
(JSC::concatAppendOne):
(JSC::arrayProtoPrivateFuncConcatMemcpy):
* runtime/ArrayStorage.h:
(JSC::ArrayStorage::vectorLength):
(JSC::ArrayStorage::totalSizeFor):
(JSC::ArrayStorage::totalSize):
(JSC::ArrayStorage::availableVectorLength):
(JSC::ArrayStorage::optimalVectorLength):
(JSC::ArrayStorage::sizeFor): Deleted.
* runtime/AuxiliaryBarrier.h: Added.
(JSC::AuxiliaryBarrier::AuxiliaryBarrier):
(JSC::AuxiliaryBarrier::clear):
(JSC::AuxiliaryBarrier::get):
(JSC::AuxiliaryBarrier::slot):
(JSC::AuxiliaryBarrier::operator bool):
(JSC::AuxiliaryBarrier::setWithoutBarrier):
* runtime/AuxiliaryBarrierInlines.h: Added.
(JSC::AuxiliaryBarrier<T>::AuxiliaryBarrier):
(JSC::AuxiliaryBarrier<T>::set):
* runtime/Butterfly.h:
* runtime/ButterflyInlines.h:
(JSC::Butterfly::availableContiguousVectorLength):
(JSC::Butterfly::optimalContiguousVectorLength):
(JSC::Butterfly::createUninitialized):
(JSC::Butterfly::growArrayRight):
* runtime/ClonedArguments.cpp:
(JSC::ClonedArguments::createEmpty):
* runtime/CommonSlowPathsExceptions.cpp:
* runtime/CommonSlowPathsExceptions.h:
* runtime/DataView.cpp:
* runtime/DirectArguments.h:
* runtime/ECMAScriptSpecInternalFunctions.cpp:
* runtime/Error.cpp:
* runtime/Error.h:
* runtime/ErrorInstance.cpp:
* runtime/ErrorInstance.h:
* runtime/Exception.cpp:
* runtime/Exception.h:
* runtime/GeneratorFrame.cpp:
* runtime/GeneratorPrototype.cpp:
* runtime/InternalFunction.cpp:
(JSC::InternalFunction::InternalFunction):
* runtime/IntlCollator.cpp:
* runtime/IntlCollatorConstructor.cpp:
* runtime/IntlCollatorPrototype.cpp:
* runtime/IntlDateTimeFormat.cpp:
* runtime/IntlDateTimeFormatConstructor.cpp:
* runtime/IntlDateTimeFormatPrototype.cpp:
* runtime/IntlNumberFormat.cpp:
* runtime/IntlNumberFormatConstructor.cpp:
* runtime/IntlNumberFormatPrototype.cpp:
* runtime/IntlObject.cpp:
* runtime/IteratorPrototype.cpp:
* runtime/JSArray.cpp:
(JSC::JSArray::tryCreateUninitialized):
(JSC::JSArray::setLengthWritable):
(JSC::JSArray::unshiftCountSlowCase):
(JSC::JSArray::setLengthWithArrayStorage):
(JSC::JSArray::appendMemcpy):
(JSC::JSArray::setLength):
(JSC::JSArray::pop):
(JSC::JSArray::push):
(JSC::JSArray::fastSlice):
(JSC::JSArray::shiftCountWithArrayStorage):
(JSC::JSArray::shiftCountWithAnyIndexingType):
(JSC::JSArray::unshiftCountWithArrayStorage):
(JSC::JSArray::fillArgList):
(JSC::JSArray::copyToArguments):
* runtime/JSArray.h:
(JSC::createContiguousArrayButterfly):
(JSC::createArrayButterfly):
(JSC::JSArray::create):
(JSC::JSArray::tryCreateUninitialized): Deleted.
* runtime/JSArrayBufferView.h:
* runtime/JSCInlines.h:
* runtime/JSCJSValue.cpp:
(JSC::JSValue::dumpInContextAssumingStructure):
* runtime/JSCallee.cpp:
(JSC::JSCallee::JSCallee):
* runtime/JSCell.cpp:
(JSC::JSCell::estimatedSize):
* runtime/JSCell.h:
(JSC::JSCell::cellStateOffset): Deleted.
* runtime/JSCellInlines.h:
(JSC::ExecState::vm):
(JSC::JSCell::classInfo):
(JSC::JSCell::callDestructor):
(JSC::JSCell::vm): Deleted.
* runtime/JSFunction.cpp:
(JSC::JSFunction::create):
(JSC::JSFunction::allocateAndInitializeRareData):
(JSC::JSFunction::initializeRareData):
(JSC::JSFunction::getOwnPropertySlot):
(JSC::JSFunction::put):
(JSC::JSFunction::deleteProperty):
(JSC::JSFunction::defineOwnProperty):
(JSC::JSFunction::setFunctionName):
(JSC::JSFunction::reifyLength):
(JSC::JSFunction::reifyName):
(JSC::JSFunction::reifyLazyPropertyIfNeeded):
(JSC::JSFunction::reifyBoundNameIfNeeded):
* runtime/JSFunction.h:
* runtime/JSFunctionInlines.h:
(JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
(JSC::JSFunction::JSFunction):
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
* runtime/JSInternalPromise.cpp:
* runtime/JSInternalPromiseConstructor.cpp:
* runtime/JSInternalPromiseDeferred.cpp:
* runtime/JSInternalPromisePrototype.cpp:
* runtime/JSJob.cpp:
* runtime/JSMapIterator.cpp:
* runtime/JSModuleNamespaceObject.cpp:
* runtime/JSModuleRecord.cpp:
* runtime/JSObject.cpp:
(JSC::JSObject::visitButterfly):
(JSC::JSObject::notifyPresenceOfIndexedAccessors):
(JSC::JSObject::createInitialIndexedStorage):
(JSC::JSObject::createInitialUndecided):
(JSC::JSObject::createInitialInt32):
(JSC::JSObject::createInitialDouble):
(JSC::JSObject::createInitialContiguous):
(JSC::JSObject::createArrayStorage):
(JSC::JSObject::createInitialArrayStorage):
(JSC::JSObject::convertUndecidedToInt32):
(JSC::JSObject::convertUndecidedToContiguous):
(JSC::JSObject::convertUndecidedToArrayStorage):
(JSC::JSObject::convertInt32ToDouble):
(JSC::JSObject::convertInt32ToArrayStorage):
(JSC::JSObject::convertDoubleToArrayStorage):
(JSC::JSObject::convertContiguousToArrayStorage):
(JSC::JSObject::putByIndexBeyondVectorLength):
(JSC::JSObject::putDirectIndexBeyondVectorLength):
(JSC::JSObject::getNewVectorLength):
(JSC::JSObject::increaseVectorLength):
(JSC::JSObject::ensureLengthSlow):
(JSC::JSObject::growOutOfLineStorage):
(JSC::JSObject::copyButterfly): Deleted.
(JSC::JSObject::copyBackingStore): Deleted.
* runtime/JSObject.h:
(JSC::JSObject::globalObject):
(JSC::JSObject::putDirectInternal):
(JSC::JSObject::setStructureAndReallocateStorageIfNecessary): Deleted.
* runtime/JSObjectInlines.h:
* runtime/JSPromise.cpp:
* runtime/JSPromiseConstructor.cpp:
* runtime/JSPromiseDeferred.cpp:
* runtime/JSPromisePrototype.cpp:
* runtime/JSPropertyNameIterator.cpp:
* runtime/JSScope.cpp:
(JSC::JSScope::resolve):
* runtime/JSScope.h:
(JSC::JSScope::globalObject):
(JSC::JSScope::vm): Deleted.
* runtime/JSSetIterator.cpp:
* runtime/JSStringIterator.cpp:
* runtime/JSTemplateRegistryKey.cpp:
* runtime/JSTypedArrayViewConstructor.cpp:
* runtime/JSTypedArrayViewPrototype.cpp:
* runtime/JSWeakMap.cpp:
* runtime/JSWeakSet.cpp:
* runtime/MapConstructor.cpp:
* runtime/MapIteratorPrototype.cpp:
* runtime/MapPrototype.cpp:
* runtime/NativeErrorConstructor.cpp:
* runtime/NativeStdFunctionCell.cpp:
* runtime/Operations.h:
(JSC::scribbleFreeCells):
(JSC::scribble):
* runtime/Options.h:
* runtime/PropertyTable.cpp:
* runtime/ProxyConstructor.cpp:
* runtime/ProxyObject.cpp:
* runtime/ProxyRevoke.cpp:
* runtime/RegExp.cpp:
(JSC::RegExp::match):
(JSC::RegExp::matchConcurrently):
(JSC::RegExp::matchCompareWithInterpreter):
* runtime/RegExp.h:
* runtime/RegExpConstructor.h:
* runtime/RegExpInlines.h:
(JSC::RegExp::matchInline):
* runtime/RegExpMatchesArray.h:
(JSC::tryCreateUninitializedRegExpMatchesArray):
(JSC::createRegExpMatchesArray):
* runtime/RegExpPrototype.cpp:
(JSC::genericSplit):
* runtime/RuntimeType.cpp:
* runtime/SamplingProfiler.cpp:
(JSC::SamplingProfiler::processUnverifiedStackTraces):
* runtime/SetConstructor.cpp:
* runtime/SetIteratorPrototype.cpp:
* runtime/SetPrototype.cpp:
* runtime/StackFrame.cpp: Added.
(JSC::StackFrame::sourceID):
(JSC::StackFrame::sourceURL):
(JSC::StackFrame::functionName):
(JSC::StackFrame::computeLineAndColumn):
(JSC::StackFrame::toString):
* runtime/StackFrame.h: Added.
(JSC::StackFrame::isNative):
* runtime/StringConstructor.cpp:
* runtime/StringIteratorPrototype.cpp:
* runtime/StructureInlines.h:
(JSC::Structure::propertyTable):
* runtime/TemplateRegistry.cpp:
* runtime/TestRunnerUtils.cpp:
(JSC::finalizeStatsAtEndOfTesting):
* runtime/TestRunnerUtils.h:
* runtime/TypeProfilerLog.cpp:
* runtime/TypeSet.cpp:
* runtime/VM.cpp:
(JSC::VM::VM):
(JSC::VM::ensureStackCapacityForCLoop):
(JSC::VM::isSafeToRecurseSoftCLoop):
* runtime/VM.h:
* runtime/VMEntryScope.h:
* runtime/VMInlines.h:
(JSC::VM::ensureStackCapacityFor):
(JSC::VM::isSafeToRecurseSoft):
* runtime/WeakMapConstructor.cpp:
* runtime/WeakMapData.cpp:
* runtime/WeakMapPrototype.cpp:
* runtime/WeakSetConstructor.cpp:
* runtime/WeakSetPrototype.cpp:
* testRegExp.cpp:
(testOneRegExp):
* tools/JSDollarVM.cpp:
* tools/JSDollarVMPrototype.cpp:
(JSC::JSDollarVMPrototype::isInObjectSpace):
Source/WebCore:
No new tests because no new WebCore behavior.
Just rewiring #includes.
* ForwardingHeaders/heap/HeapInlines.h: Added.
* ForwardingHeaders/interpreter/Interpreter.h: Removed.
* ForwardingHeaders/runtime/AuxiliaryBarrierInlines.h: Added.
* Modules/indexeddb/IDBCursorWithValue.cpp:
* Modules/indexeddb/client/TransactionOperation.cpp:
* Modules/indexeddb/server/SQLiteIDBBackingStore.cpp:
* Modules/indexeddb/server/UniqueIDBDatabase.cpp:
* bindings/js/JSApplePayPaymentAuthorizedEventCustom.cpp:
* bindings/js/JSApplePayPaymentMethodSelectedEventCustom.cpp:
* bindings/js/JSApplePayShippingContactSelectedEventCustom.cpp:
* bindings/js/JSApplePayShippingMethodSelectedEventCustom.cpp:
* bindings/js/JSClientRectCustom.cpp:
* bindings/js/JSDOMBinding.cpp:
* bindings/js/JSDOMBinding.h:
* bindings/js/JSDeviceMotionEventCustom.cpp:
* bindings/js/JSDeviceOrientationEventCustom.cpp:
* bindings/js/JSErrorEventCustom.cpp:
* bindings/js/JSIDBCursorWithValueCustom.cpp:
* bindings/js/JSIDBIndexCustom.cpp:
* bindings/js/JSPopStateEventCustom.cpp:
* bindings/js/JSWebGL2RenderingContextCustom.cpp:
* bindings/js/JSWorkerGlobalScopeCustom.cpp:
* bindings/js/WorkerScriptController.cpp:
* contentextensions/ContentExtensionParser.cpp:
* dom/ErrorEvent.cpp:
* html/HTMLCanvasElement.cpp:
* html/MediaDocument.cpp:
* inspector/CommandLineAPIModule.cpp:
* loader/EmptyClients.cpp:
* page/CaptionUserPreferences.cpp:
* page/Frame.cpp:
* page/PageGroup.cpp:
* page/UserContentController.cpp:
* platform/mock/mediasource/MockBox.cpp:
* testing/GCObservation.cpp:
Source/WebKit2:
Just rewiring some #includes.
* UIProcess/ViewGestureController.cpp:
* UIProcess/WebPageProxy.cpp:
* UIProcess/WebProcessPool.cpp:
* UIProcess/WebProcessProxy.cpp:
* WebProcess/InjectedBundle/DOM/InjectedBundleRangeHandle.cpp:
* WebProcess/Plugins/Netscape/JSNPObject.cpp:
Source/WTF:
I needed tryFastAlignedMalloc() so I added it.
* wtf/FastMalloc.cpp:
(WTF::tryFastAlignedMalloc):
* wtf/FastMalloc.h:
* wtf/ParkingLot.cpp:
(WTF::ParkingLot::forEachImpl):
(WTF::ParkingLot::forEach): Deleted.
* wtf/ParkingLot.h:
(WTF::ParkingLot::parkConditionally):
(WTF::ParkingLot::unparkOne):
(WTF::ParkingLot::forEach):
* wtf/ScopedLambda.h:
(WTF::scopedLambdaRef):
* wtf/SentinelLinkedList.h:
(WTF::SentinelLinkedList::forEach):
(WTF::RawNode>::takeFrom):
* wtf/SimpleStats.h:
(WTF::SimpleStats::operator bool):
(WTF::SimpleStats::operator!): Deleted.
Tools:
* DumpRenderTree/TestRunner.cpp:
* DumpRenderTree/mac/DumpRenderTree.mm:
(DumpRenderTreeMain):
* Scripts/run-jsc-stress-tests:
* TestWebKitAPI/Tests/WTF/Vector.cpp:
(TestWebKitAPI::TEST):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@205462 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/JavaScriptCore/runtime/ArrayConventions.cpp b/Source/JavaScriptCore/runtime/ArrayConventions.cpp
new file mode 100644
index 0000000..d1492efa
--- /dev/null
+++ b/Source/JavaScriptCore/runtime/ArrayConventions.cpp
@@ -0,0 +1,68 @@
+/*
+ * Copyright (C) 2016 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "ArrayConventions.h"
+
+#include "JSCInlines.h"
+
+namespace JSC {
+
+#if USE(JSVALUE64)
+void clearArrayMemset(WriteBarrier<Unknown>* base, unsigned count)
+{
+#if CPU(X86_64)
+ uint64_t zero = 0;
+ asm volatile (
+ "rep stosq\n\t"
+ : "+D"(base), "+c"(count)
+ : "a"(zero)
+ : "memory"
+ );
+#else // not CPU(X86_64)
+ memset(base, 0, count * sizeof(WriteBarrier<Unknown>));
+#endif // generic CPU
+}
+
+void clearArrayMemset(double* base, unsigned count)
+{
+#if CPU(X86_64)
+ uint64_t pnan = bitwise_cast<uint64_t>(PNaN);
+ asm volatile (
+ "rep stosq\n\t"
+ : "+D"(base), "+c"(count)
+ : "a"(pnan)
+ : "memory"
+ );
+#else // not CPU(X86_64)
+ // Oh no, we can't actually do any better than this!
+ for (unsigned i = count; i--;)
+ base[i] = PNaN;
+#endif // generic CPU
+}
+#endif // USE(JSVALUE64)
+
+} // namespace JSC
+
diff --git a/Source/JavaScriptCore/runtime/ArrayConventions.h b/Source/JavaScriptCore/runtime/ArrayConventions.h
index 9c62ea9..2d7b377 100644
--- a/Source/JavaScriptCore/runtime/ArrayConventions.h
+++ b/Source/JavaScriptCore/runtime/ArrayConventions.h
@@ -1,6 +1,6 @@
/*
* Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
- * Copyright (C) 2003, 2007, 2008, 2009, 2012 Apple Inc. All rights reserved.
+ * Copyright (C) 2003, 2007, 2008, 2009, 2012, 2016 Apple Inc. All rights reserved.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
@@ -70,13 +70,15 @@
// 0xFFFFFFFF is a bit weird -- is not an array index even though it's an integer.
#define MAX_ARRAY_INDEX 0xFFFFFFFEU
-// The value BASE_VECTOR_LEN is the maximum number of vector elements we'll allocate
+// The value BASE_XXX_VECTOR_LEN is the maximum number of vector elements we'll allocate
// for an array that was created with a sepcified length (e.g. a = new Array(123))
-#define BASE_VECTOR_LEN 4U
-
+#define BASE_CONTIGUOUS_VECTOR_LEN 3U
+#define BASE_CONTIGUOUS_VECTOR_LEN_EMPTY 5U
+#define BASE_ARRAY_STORAGE_VECTOR_LEN 4U
+
// The upper bound to the size we'll grow a zero length array when the first element
// is added.
-#define FIRST_VECTOR_GROW 4U
+#define FIRST_ARRAY_STORAGE_VECTOR_GROW 4U
#define MIN_BEYOND_LENGTH_SPARSE_INDEX 1000
@@ -96,7 +98,7 @@
return i >= MIN_BEYOND_LENGTH_SPARSE_INDEX && i > length;
}
-inline IndexingHeader indexingHeaderForArray(unsigned length, unsigned vectorLength)
+inline IndexingHeader indexingHeaderForArrayStorage(unsigned length, unsigned vectorLength)
{
IndexingHeader result;
result.setPublicLength(length);
@@ -104,9 +106,42 @@
return result;
}
-inline IndexingHeader baseIndexingHeaderForArray(unsigned length)
+inline IndexingHeader baseIndexingHeaderForArrayStorage(unsigned length)
{
- return indexingHeaderForArray(length, BASE_VECTOR_LEN);
+ return indexingHeaderForArrayStorage(length, BASE_ARRAY_STORAGE_VECTOR_LEN);
+}
+
+#if USE(JSVALUE64)
+JS_EXPORT_PRIVATE void clearArrayMemset(WriteBarrier<Unknown>* base, unsigned count);
+JS_EXPORT_PRIVATE void clearArrayMemset(double* base, unsigned count);
+#endif // USE(JSVALUE64)
+
+ALWAYS_INLINE void clearArray(WriteBarrier<Unknown>* base, unsigned count)
+{
+#if USE(JSVALUE64)
+ const unsigned minCountForMemset = 100;
+ if (count >= minCountForMemset) {
+ clearArrayMemset(base, count);
+ return;
+ }
+#endif
+
+ for (unsigned i = count; i--;)
+ base[i].clear();
+}
+
+ALWAYS_INLINE void clearArray(double* base, unsigned count)
+{
+#if USE(JSVALUE64)
+ const unsigned minCountForMemset = 100;
+ if (count >= minCountForMemset) {
+ clearArrayMemset(base, count);
+ return;
+ }
+#endif
+
+ for (unsigned i = count; i--;)
+ base[i] = PNaN;
}
} // namespace JSC
diff --git a/Source/JavaScriptCore/runtime/ArrayPrototype.cpp b/Source/JavaScriptCore/runtime/ArrayPrototype.cpp
index 00de361..3d36d3a 100644
--- a/Source/JavaScriptCore/runtime/ArrayPrototype.cpp
+++ b/Source/JavaScriptCore/runtime/ArrayPrototype.cpp
@@ -1006,7 +1006,7 @@
if (UNLIKELY(vm.exception()))
return JSValue::encode(jsUndefined());
}
-
+
setLength(exec, thisObj, length - deleteCount + additionalArgs);
return JSValue::encode(result);
}
@@ -1143,6 +1143,7 @@
unsigned firstArraySize = firstButterfly->publicLength();
IndexingType type = first->mergeIndexingTypeForCopying(indexingTypeForValue(second) | IsArray);
+
if (type == NonArray)
type = first->indexingType();
@@ -1171,7 +1172,7 @@
auto scope = DECLARE_THROW_SCOPE(vm);
JSArray* firstArray = jsCast<JSArray*>(exec->uncheckedArgument(0));
-
+
// This code assumes that neither array has set Symbol.isConcatSpreadable. If the first array
// has indexed accessors then one of those accessors might change the value of Symbol.isConcatSpreadable
// on the second argument.
@@ -1187,14 +1188,15 @@
return concatAppendOne(exec, vm, firstArray, second);
JSArray* secondArray = jsCast<JSArray*>(second);
-
+
Butterfly* firstButterfly = firstArray->butterfly();
Butterfly* secondButterfly = secondArray->butterfly();
unsigned firstArraySize = firstButterfly->publicLength();
unsigned secondArraySize = secondButterfly->publicLength();
- IndexingType type = firstArray->mergeIndexingTypeForCopying(secondArray->indexingType());
+ IndexingType secondType = secondArray->indexingType();
+ IndexingType type = firstArray->mergeIndexingTypeForCopying(secondType);
if (type == NonArray || !firstArray->canFastCopy(vm, secondArray) || firstArraySize + secondArraySize >= MIN_SPARSE_ARRAY_INDEX) {
JSArray* result = constructEmptyArray(exec, nullptr, firstArraySize + secondArraySize);
if (vm.exception())
@@ -1213,7 +1215,7 @@
JSArray* result = JSArray::tryCreateUninitialized(vm, resultStructure, firstArraySize + secondArraySize);
if (!result)
return JSValue::encode(throwOutOfMemoryError(exec, scope));
-
+
if (type == ArrayWithDouble) {
double* buffer = result->butterfly()->contiguousDouble().data();
memcpy(buffer, firstButterfly->contiguousDouble().data(), sizeof(JSValue) * firstArraySize);
@@ -1221,7 +1223,12 @@
} else if (type != ArrayWithUndecided) {
WriteBarrier<Unknown>* buffer = result->butterfly()->contiguous().data();
memcpy(buffer, firstButterfly->contiguous().data(), sizeof(JSValue) * firstArraySize);
- memcpy(buffer + firstArraySize, secondButterfly->contiguous().data(), sizeof(JSValue) * secondArraySize);
+ if (secondType != ArrayWithUndecided)
+ memcpy(buffer + firstArraySize, secondButterfly->contiguous().data(), sizeof(JSValue) * secondArraySize);
+ else {
+ for (unsigned i = secondArraySize; i--;)
+ buffer[i + firstArraySize].clear();
+ }
}
result->butterfly()->setPublicLength(firstArraySize + secondArraySize);
diff --git a/Source/JavaScriptCore/runtime/ArrayStorage.h b/Source/JavaScriptCore/runtime/ArrayStorage.h
index c93dc3b..6da59fc 100644
--- a/Source/JavaScriptCore/runtime/ArrayStorage.h
+++ b/Source/JavaScriptCore/runtime/ArrayStorage.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2012 Apple Inc. All rights reserved.
+ * Copyright (C) 2012, 2016 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -29,7 +29,9 @@
#include "ArrayConventions.h"
#include "Butterfly.h"
#include "IndexingHeader.h"
+#include "MarkedSpace.h"
#include "SparseArrayValueMap.h"
+#include "Structure.h"
#include "WriteBarrier.h"
#include <wtf/Noncopyable.h>
@@ -58,7 +60,7 @@
// We steal two fields from the indexing header: vectorLength and length.
unsigned length() const { return indexingHeader()->publicLength(); }
void setLength(unsigned length) { indexingHeader()->setPublicLength(length); }
- unsigned vectorLength() { return indexingHeader()->vectorLength(); }
+ unsigned vectorLength() const { return indexingHeader()->vectorLength(); }
void setVectorLength(unsigned length) { indexingHeader()->setVectorLength(length); }
ALWAYS_INLINE void copyHeaderFromDuringGC(const ArrayStorage& other)
@@ -99,6 +101,66 @@
{
return ArrayStorage::vectorOffset() + vectorLength * sizeof(WriteBarrier<Unknown>);
}
+
+ static size_t totalSizeFor(unsigned indexBias, size_t propertyCapacity, unsigned vectorLength)
+ {
+ return Butterfly::totalSize(indexBias, propertyCapacity, true, sizeFor(vectorLength));
+ }
+
+ size_t totalSize(size_t propertyCapacity) const
+ {
+ return totalSizeFor(m_indexBias, propertyCapacity, vectorLength());
+ }
+
+ size_t totalSize(Structure* structure) const
+ {
+ return totalSize(structure->outOfLineCapacity());
+ }
+
+ static unsigned availableVectorLength(unsigned indexBias, size_t propertyCapacity, unsigned vectorLength)
+ {
+ size_t cellSize = MarkedSpace::optimalSizeFor(totalSizeFor(indexBias, propertyCapacity, vectorLength));
+
+ vectorLength = (cellSize - totalSizeFor(indexBias, propertyCapacity, 0)) / sizeof(WriteBarrier<Unknown>);
+
+ return vectorLength;
+ }
+
+ static unsigned availableVectorLength(unsigned indexBias, Structure* structure, unsigned vectorLength)
+ {
+ return availableVectorLength(indexBias, structure->outOfLineCapacity(), vectorLength);
+ }
+
+ unsigned availableVectorLength(size_t propertyCapacity, unsigned vectorLength)
+ {
+ return availableVectorLength(m_indexBias, propertyCapacity, vectorLength);
+ }
+
+ unsigned availableVectorLength(Structure* structure, unsigned vectorLength)
+ {
+ return availableVectorLength(structure->outOfLineCapacity(), vectorLength);
+ }
+
+ static unsigned optimalVectorLength(unsigned indexBias, size_t propertyCapacity, unsigned vectorLength)
+ {
+ vectorLength = std::max(BASE_ARRAY_STORAGE_VECTOR_LEN, vectorLength);
+ return availableVectorLength(indexBias, propertyCapacity, vectorLength);
+ }
+
+ static unsigned optimalVectorLength(unsigned indexBias, Structure* structure, unsigned vectorLength)
+ {
+ return optimalVectorLength(indexBias, structure->outOfLineCapacity(), vectorLength);
+ }
+
+ unsigned optimalVectorLength(size_t propertyCapacity, unsigned vectorLength)
+ {
+ return optimalVectorLength(m_indexBias, propertyCapacity, vectorLength);
+ }
+
+ unsigned optimalVectorLength(Structure* structure, unsigned vectorLength)
+ {
+ return optimalVectorLength(structure->outOfLineCapacity(), vectorLength);
+ }
};
} // namespace JSC
diff --git a/Source/JavaScriptCore/runtime/AuxiliaryBarrier.h b/Source/JavaScriptCore/runtime/AuxiliaryBarrier.h
new file mode 100644
index 0000000..193c63c
--- /dev/null
+++ b/Source/JavaScriptCore/runtime/AuxiliaryBarrier.h
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 2016 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#pragma once
+
+namespace JSC {
+
+class JSCell;
+class VM;
+
+// An Auxiliary barrier is a barrier that does not try to reason about the value being stored into
+// it, other than interpreting a falsy value as not needing a barrier. It's OK to use this for either
+// JSCells or any other kind of data, so long as it responds to operator!().
+template<typename T>
+class AuxiliaryBarrier {
+public:
+ AuxiliaryBarrier() { }
+
+ template<typename U>
+ AuxiliaryBarrier(VM&, JSCell*, U&&);
+
+ void clear() { m_value = T(); }
+
+ template<typename U>
+ void set(VM&, JSCell*, U&&);
+
+ const T& get() const { return m_value; }
+
+ T* slot() { return &m_value; }
+
+ explicit operator bool() const { return !!m_value; }
+
+ template<typename U>
+ void setWithoutBarrier(U&& value) { m_value = std::forward<U>(value); }
+
+private:
+ T m_value;
+};
+
+} // namespace JSC
+
diff --git a/Source/JavaScriptCore/runtime/AuxiliaryBarrierInlines.h b/Source/JavaScriptCore/runtime/AuxiliaryBarrierInlines.h
new file mode 100644
index 0000000..6d4e789
--- /dev/null
+++ b/Source/JavaScriptCore/runtime/AuxiliaryBarrierInlines.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2016 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#pragma once
+
+#include "AuxiliaryBarrier.h"
+#include "Heap.h"
+#include "VM.h"
+
+namespace JSC {
+
+template<typename T>
+template<typename U>
+AuxiliaryBarrier<T>::AuxiliaryBarrier(VM& vm, JSCell* owner, U&& value)
+{
+ m_value = std::forward<U>(value);
+ vm.heap.writeBarrier(owner);
+}
+
+template<typename T>
+template<typename U>
+void AuxiliaryBarrier<T>::set(VM& vm, JSCell* owner, U&& value)
+{
+ m_value = std::forward<U>(value);
+ vm.heap.writeBarrier(owner);
+}
+
+} // namespace JSC
+
diff --git a/Source/JavaScriptCore/runtime/Butterfly.h b/Source/JavaScriptCore/runtime/Butterfly.h
index 20dccd9..94e17a1 100644
--- a/Source/JavaScriptCore/runtime/Butterfly.h
+++ b/Source/JavaScriptCore/runtime/Butterfly.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2012 Apple Inc. All rights reserved.
+ * Copyright (C) 2012, 2016 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -90,6 +90,12 @@
return reinterpret_cast<Butterfly*>(static_cast<EncodedJSValue*>(base) + preCapacity + propertyCapacity + 1);
}
+ ALWAYS_INLINE static unsigned availableContiguousVectorLength(size_t propertyCapacity, unsigned vectorLength);
+ static unsigned availableContiguousVectorLength(Structure*, unsigned vectorLength);
+
+ ALWAYS_INLINE static unsigned optimalContiguousVectorLength(size_t propertyCapacity, unsigned vectorLength);
+ static unsigned optimalContiguousVectorLength(Structure*, unsigned vectorLength);
+
// This method is here not just because it's handy, but to remind you that
// the whole point of butterflies is to do evil pointer arithmetic.
static Butterfly* fromPointer(char* ptr)
diff --git a/Source/JavaScriptCore/runtime/ButterflyInlines.h b/Source/JavaScriptCore/runtime/ButterflyInlines.h
index 3fd8dc1..b34ad0e 100644
--- a/Source/JavaScriptCore/runtime/ButterflyInlines.h
+++ b/Source/JavaScriptCore/runtime/ButterflyInlines.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2012 Apple Inc. All rights reserved.
+ * Copyright (C) 2012, 2016 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -35,12 +35,38 @@
namespace JSC {
+ALWAYS_INLINE unsigned Butterfly::availableContiguousVectorLength(size_t propertyCapacity, unsigned vectorLength)
+{
+ size_t cellSize = totalSize(0, propertyCapacity, true, sizeof(EncodedJSValue) * vectorLength);
+ cellSize = MarkedSpace::optimalSizeFor(cellSize);
+ vectorLength = (cellSize - totalSize(0, propertyCapacity, true, 0)) / sizeof(EncodedJSValue);
+ return vectorLength;
+}
+
+ALWAYS_INLINE unsigned Butterfly::availableContiguousVectorLength(Structure* structure, unsigned vectorLength)
+{
+ return availableContiguousVectorLength(structure ? structure->outOfLineCapacity() : 0, vectorLength);
+}
+
+ALWAYS_INLINE unsigned Butterfly::optimalContiguousVectorLength(size_t propertyCapacity, unsigned vectorLength)
+{
+ if (!vectorLength)
+ vectorLength = BASE_CONTIGUOUS_VECTOR_LEN_EMPTY;
+ else
+ vectorLength = std::max(BASE_CONTIGUOUS_VECTOR_LEN, vectorLength);
+ return availableContiguousVectorLength(propertyCapacity, vectorLength);
+}
+
+ALWAYS_INLINE unsigned Butterfly::optimalContiguousVectorLength(Structure* structure, unsigned vectorLength)
+{
+ return optimalContiguousVectorLength(structure ? structure->outOfLineCapacity() : 0, vectorLength);
+}
+
inline Butterfly* Butterfly::createUninitialized(VM& vm, JSCell* intendedOwner, size_t preCapacity, size_t propertyCapacity, bool hasIndexingHeader, size_t indexingPayloadSizeInBytes)
{
- void* temp;
size_t size = totalSize(preCapacity, propertyCapacity, hasIndexingHeader, indexingPayloadSizeInBytes);
- RELEASE_ASSERT(vm.heap.tryAllocateStorage(intendedOwner, size, &temp));
- Butterfly* result = fromBase(temp, preCapacity, propertyCapacity);
+ void* base = vm.heap.allocateAuxiliary(intendedOwner, size);
+ Butterfly* result = fromBase(base, preCapacity, propertyCapacity);
return result;
}
@@ -119,7 +145,8 @@
void* theBase = base(0, propertyCapacity);
size_t oldSize = totalSize(0, propertyCapacity, hadIndexingHeader, oldIndexingPayloadSizeInBytes);
size_t newSize = totalSize(0, propertyCapacity, true, newIndexingPayloadSizeInBytes);
- if (!vm.heap.tryReallocateStorage(intendedOwner, &theBase, oldSize, newSize))
+ theBase = vm.heap.tryReallocateAuxiliary(intendedOwner, theBase, oldSize, newSize);
+ if (!theBase)
return 0;
return fromBase(theBase, 0, propertyCapacity);
}
diff --git a/Source/JavaScriptCore/runtime/ClonedArguments.cpp b/Source/JavaScriptCore/runtime/ClonedArguments.cpp
index 75e10a0..39ca4f3 100644
--- a/Source/JavaScriptCore/runtime/ClonedArguments.cpp
+++ b/Source/JavaScriptCore/runtime/ClonedArguments.cpp
@@ -44,16 +44,19 @@
ClonedArguments* ClonedArguments::createEmpty(
VM& vm, Structure* structure, JSFunction* callee, unsigned length)
{
- unsigned vectorLength = std::max(BASE_VECTOR_LEN, length);
+ unsigned vectorLength = length;
if (vectorLength > MAX_STORAGE_VECTOR_LENGTH)
return 0;
- void* temp;
- if (!vm.heap.tryAllocateStorage(0, Butterfly::totalSize(0, structure->outOfLineCapacity(), true, vectorLength * sizeof(EncodedJSValue)), &temp))
+ void* temp = vm.heap.tryAllocateAuxiliary(nullptr, Butterfly::totalSize(0, structure->outOfLineCapacity(), true, vectorLength * sizeof(EncodedJSValue)));
+ if (!temp)
return 0;
Butterfly* butterfly = Butterfly::fromBase(temp, 0, structure->outOfLineCapacity());
butterfly->setVectorLength(vectorLength);
butterfly->setPublicLength(length);
+
+ for (unsigned i = length; i < vectorLength; ++i)
+ butterfly->contiguous()[i].clear();
ClonedArguments* result =
new (NotNull, allocateCell<ClonedArguments>(vm.heap))
diff --git a/Source/JavaScriptCore/runtime/CommonSlowPathsExceptions.cpp b/Source/JavaScriptCore/runtime/CommonSlowPathsExceptions.cpp
index b0c8fd7..f6799c1 100644
--- a/Source/JavaScriptCore/runtime/CommonSlowPathsExceptions.cpp
+++ b/Source/JavaScriptCore/runtime/CommonSlowPathsExceptions.cpp
@@ -28,6 +28,7 @@
#include "CallFrame.h"
#include "CodeBlock.h"
+#include "Interpreter.h"
#include "JITExceptions.h"
#include "LLIntCommon.h"
#include "JSCInlines.h"
diff --git a/Source/JavaScriptCore/runtime/CommonSlowPathsExceptions.h b/Source/JavaScriptCore/runtime/CommonSlowPathsExceptions.h
index adcbfd4..bf7d498 100644
--- a/Source/JavaScriptCore/runtime/CommonSlowPathsExceptions.h
+++ b/Source/JavaScriptCore/runtime/CommonSlowPathsExceptions.h
@@ -26,11 +26,10 @@
#ifndef CommonSlowPathExceptions_h
#define CommonSlowPathExceptions_h
-#include "MacroAssemblerCodeRef.h"
-
namespace JSC {
class ExecState;
+class JSObject;
namespace CommonSlowPaths {
diff --git a/Source/JavaScriptCore/runtime/DataView.cpp b/Source/JavaScriptCore/runtime/DataView.cpp
index 78e743f..4fc73bf 100644
--- a/Source/JavaScriptCore/runtime/DataView.cpp
+++ b/Source/JavaScriptCore/runtime/DataView.cpp
@@ -26,6 +26,7 @@
#include "config.h"
#include "DataView.h"
+#include "JSCInlines.h"
#include "JSDataView.h"
#include "JSGlobalObject.h"
diff --git a/Source/JavaScriptCore/runtime/DirectArguments.h b/Source/JavaScriptCore/runtime/DirectArguments.h
index e6d60a8..33bb0a3 100644
--- a/Source/JavaScriptCore/runtime/DirectArguments.h
+++ b/Source/JavaScriptCore/runtime/DirectArguments.h
@@ -26,6 +26,7 @@
#ifndef DirectArguments_h
#define DirectArguments_h
+#include "CopyBarrier.h"
#include "DirectArgumentsOffset.h"
#include "GenericArguments.h"
diff --git a/Source/JavaScriptCore/runtime/ECMAScriptSpecInternalFunctions.cpp b/Source/JavaScriptCore/runtime/ECMAScriptSpecInternalFunctions.cpp
index 0aab6c7..306a6f9 100644
--- a/Source/JavaScriptCore/runtime/ECMAScriptSpecInternalFunctions.cpp
+++ b/Source/JavaScriptCore/runtime/ECMAScriptSpecInternalFunctions.cpp
@@ -28,7 +28,7 @@
#include "CallFrame.h"
#include "ConstructData.h"
-#include "JSCJSValueInlines.h"
+#include "JSCInlines.h"
#include "RegExpObject.h"
namespace JSC {
diff --git a/Source/JavaScriptCore/runtime/Error.cpp b/Source/JavaScriptCore/runtime/Error.cpp
index 529e20c..5cb7197 100644
--- a/Source/JavaScriptCore/runtime/Error.cpp
+++ b/Source/JavaScriptCore/runtime/Error.cpp
@@ -28,14 +28,16 @@
#include "ErrorConstructor.h"
#include "ExceptionHelpers.h"
#include "FunctionPrototype.h"
+#include "Interpreter.h"
#include "JSArray.h"
#include "JSFunction.h"
#include "JSGlobalObject.h"
#include "JSObject.h"
#include "JSString.h"
-#include "NativeErrorConstructor.h"
#include "JSCInlines.h"
+#include "NativeErrorConstructor.h"
#include "SourceCode.h"
+#include "StackFrame.h"
namespace JSC {
diff --git a/Source/JavaScriptCore/runtime/Error.h b/Source/JavaScriptCore/runtime/Error.h
index a5a0e7b..9ddd5eb 100644
--- a/Source/JavaScriptCore/runtime/Error.h
+++ b/Source/JavaScriptCore/runtime/Error.h
@@ -25,7 +25,6 @@
#include "ErrorInstance.h"
#include "InternalFunction.h"
-#include "Interpreter.h"
#include "JSObject.h"
#include "ThrowScope.h"
#include <stdint.h>
diff --git a/Source/JavaScriptCore/runtime/ErrorInstance.cpp b/Source/JavaScriptCore/runtime/ErrorInstance.cpp
index 24a7f53..6c0ea29 100644
--- a/Source/JavaScriptCore/runtime/ErrorInstance.cpp
+++ b/Source/JavaScriptCore/runtime/ErrorInstance.cpp
@@ -26,6 +26,7 @@
#include "JSScope.h"
#include "JSCInlines.h"
#include "JSGlobalObjectFunctions.h"
+#include <wtf/text/StringBuilder.h>
namespace JSC {
diff --git a/Source/JavaScriptCore/runtime/ErrorInstance.h b/Source/JavaScriptCore/runtime/ErrorInstance.h
index c823d83..d21f3be 100644
--- a/Source/JavaScriptCore/runtime/ErrorInstance.h
+++ b/Source/JavaScriptCore/runtime/ErrorInstance.h
@@ -21,7 +21,7 @@
#ifndef ErrorInstance_h
#define ErrorInstance_h
-#include "Interpreter.h"
+#include "JSObject.h"
#include "RuntimeType.h"
#include "SourceProvider.h"
diff --git a/Source/JavaScriptCore/runtime/Exception.cpp b/Source/JavaScriptCore/runtime/Exception.cpp
index 051d762..7169abc 100644
--- a/Source/JavaScriptCore/runtime/Exception.cpp
+++ b/Source/JavaScriptCore/runtime/Exception.cpp
@@ -26,6 +26,7 @@
#include "config.h"
#include "Exception.h"
+#include "Interpreter.h"
#include "JSCInlines.h"
namespace JSC {
diff --git a/Source/JavaScriptCore/runtime/Exception.h b/Source/JavaScriptCore/runtime/Exception.h
index a73c680..4972757 100644
--- a/Source/JavaScriptCore/runtime/Exception.h
+++ b/Source/JavaScriptCore/runtime/Exception.h
@@ -26,7 +26,8 @@
#ifndef Exception_h
#define Exception_h
-#include "Interpreter.h"
+#include "JSObject.h"
+#include "StackFrame.h"
#include <wtf/Vector.h>
namespace JSC {
diff --git a/Source/JavaScriptCore/runtime/GeneratorPrototype.cpp b/Source/JavaScriptCore/runtime/GeneratorPrototype.cpp
index e823b3d..4d14c49 100644
--- a/Source/JavaScriptCore/runtime/GeneratorPrototype.cpp
+++ b/Source/JavaScriptCore/runtime/GeneratorPrototype.cpp
@@ -27,10 +27,8 @@
#include "GeneratorPrototype.h"
#include "JSCBuiltins.h"
-#include "JSCJSValueInlines.h"
-#include "JSCellInlines.h"
+#include "JSCInlines.h"
#include "JSGlobalObject.h"
-#include "StructureInlines.h"
#include "GeneratorPrototype.lut.h"
diff --git a/Source/JavaScriptCore/runtime/InternalFunction.cpp b/Source/JavaScriptCore/runtime/InternalFunction.cpp
index 1801b61..6d7ecf3 100644
--- a/Source/JavaScriptCore/runtime/InternalFunction.cpp
+++ b/Source/JavaScriptCore/runtime/InternalFunction.cpp
@@ -37,6 +37,8 @@
InternalFunction::InternalFunction(VM& vm, Structure* structure)
: JSDestructibleObject(vm, structure)
{
+ // exec->vm() wants callees to not be large allocations.
+ RELEASE_ASSERT(!isLargeAllocation());
}
void InternalFunction::finishCreation(VM& vm, const String& name)
diff --git a/Source/JavaScriptCore/runtime/IntlCollator.cpp b/Source/JavaScriptCore/runtime/IntlCollator.cpp
index a468951..feb1f64 100644
--- a/Source/JavaScriptCore/runtime/IntlCollator.cpp
+++ b/Source/JavaScriptCore/runtime/IntlCollator.cpp
@@ -1,6 +1,7 @@
/*
* Copyright (C) 2015 Andy VanWagoner (thetalecrafter@gmail.com)
* Copyright (C) 2015 Sukolsak Sakshuwong (sukolsak@gmail.com)
+ * Copyright (C) 2016 Apple Inc. All Rights Reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -33,8 +34,7 @@
#include "IntlCollatorConstructor.h"
#include "IntlObject.h"
#include "JSBoundFunction.h"
-#include "JSCJSValueInlines.h"
-#include "JSCellInlines.h"
+#include "JSCInlines.h"
#include "ObjectConstructor.h"
#include "SlotVisitorInlines.h"
#include "StructureInlines.h"
diff --git a/Source/JavaScriptCore/runtime/IntlCollatorConstructor.cpp b/Source/JavaScriptCore/runtime/IntlCollatorConstructor.cpp
index 2b899b2..f11cca0 100644
--- a/Source/JavaScriptCore/runtime/IntlCollatorConstructor.cpp
+++ b/Source/JavaScriptCore/runtime/IntlCollatorConstructor.cpp
@@ -33,11 +33,8 @@
#include "IntlCollator.h"
#include "IntlCollatorPrototype.h"
#include "IntlObject.h"
-#include "JSCJSValueInlines.h"
-#include "JSCellInlines.h"
+#include "JSCInlines.h"
#include "Lookup.h"
-#include "SlotVisitorInlines.h"
-#include "StructureInlines.h"
namespace JSC {
diff --git a/Source/JavaScriptCore/runtime/IntlCollatorPrototype.cpp b/Source/JavaScriptCore/runtime/IntlCollatorPrototype.cpp
index 7c16f5c..489b9f7 100644
--- a/Source/JavaScriptCore/runtime/IntlCollatorPrototype.cpp
+++ b/Source/JavaScriptCore/runtime/IntlCollatorPrototype.cpp
@@ -32,10 +32,7 @@
#include "Error.h"
#include "IntlCollator.h"
#include "JSBoundFunction.h"
-#include "JSCJSValueInlines.h"
-#include "JSCellInlines.h"
-#include "JSObject.h"
-#include "StructureInlines.h"
+#include "JSCInlines.h"
namespace JSC {
diff --git a/Source/JavaScriptCore/runtime/IntlDateTimeFormat.cpp b/Source/JavaScriptCore/runtime/IntlDateTimeFormat.cpp
index 27677ae..85913af 100644
--- a/Source/JavaScriptCore/runtime/IntlDateTimeFormat.cpp
+++ b/Source/JavaScriptCore/runtime/IntlDateTimeFormat.cpp
@@ -34,12 +34,12 @@
#include "IntlDateTimeFormatConstructor.h"
#include "IntlObject.h"
#include "JSBoundFunction.h"
-#include "JSCellInlines.h"
#include "JSCInlines.h"
#include "ObjectConstructor.h"
#include <unicode/ucal.h>
#include <unicode/udatpg.h>
#include <unicode/uenum.h>
+#include <wtf/text/StringBuilder.h>
namespace JSC {
diff --git a/Source/JavaScriptCore/runtime/IntlDateTimeFormatConstructor.cpp b/Source/JavaScriptCore/runtime/IntlDateTimeFormatConstructor.cpp
index d1b894e..da83a71 100644
--- a/Source/JavaScriptCore/runtime/IntlDateTimeFormatConstructor.cpp
+++ b/Source/JavaScriptCore/runtime/IntlDateTimeFormatConstructor.cpp
@@ -33,11 +33,8 @@
#include "IntlDateTimeFormatPrototype.h"
#include "IntlObject.h"
#include "IntlObjectInlines.h"
-#include "JSCJSValueInlines.h"
-#include "JSCellInlines.h"
+#include "JSCInlines.h"
#include "Lookup.h"
-#include "SlotVisitorInlines.h"
-#include "StructureInlines.h"
namespace JSC {
diff --git a/Source/JavaScriptCore/runtime/IntlDateTimeFormatPrototype.cpp b/Source/JavaScriptCore/runtime/IntlDateTimeFormatPrototype.cpp
index 8ba608d..455d17f 100644
--- a/Source/JavaScriptCore/runtime/IntlDateTimeFormatPrototype.cpp
+++ b/Source/JavaScriptCore/runtime/IntlDateTimeFormatPrototype.cpp
@@ -35,10 +35,8 @@
#include "IntlDateTimeFormat.h"
#include "IntlObject.h"
#include "JSBoundFunction.h"
-#include "JSCJSValueInlines.h"
-#include "JSCellInlines.h"
+#include "JSCInlines.h"
#include "JSObjectInlines.h"
-#include "StructureInlines.h"
namespace JSC {
diff --git a/Source/JavaScriptCore/runtime/IntlNumberFormat.cpp b/Source/JavaScriptCore/runtime/IntlNumberFormat.cpp
index b7c06ee..ee5d7a9 100644
--- a/Source/JavaScriptCore/runtime/IntlNumberFormat.cpp
+++ b/Source/JavaScriptCore/runtime/IntlNumberFormat.cpp
@@ -34,7 +34,6 @@
#include "IntlNumberFormatConstructor.h"
#include "IntlObject.h"
#include "JSBoundFunction.h"
-#include "JSCellInlines.h"
#include "JSCInlines.h"
#include "ObjectConstructor.h"
diff --git a/Source/JavaScriptCore/runtime/IntlNumberFormatConstructor.cpp b/Source/JavaScriptCore/runtime/IntlNumberFormatConstructor.cpp
index 2639fe7..98e500b 100644
--- a/Source/JavaScriptCore/runtime/IntlNumberFormatConstructor.cpp
+++ b/Source/JavaScriptCore/runtime/IntlNumberFormatConstructor.cpp
@@ -33,11 +33,8 @@
#include "IntlNumberFormatPrototype.h"
#include "IntlObject.h"
#include "IntlObjectInlines.h"
-#include "JSCJSValueInlines.h"
-#include "JSCellInlines.h"
+#include "JSCInlines.h"
#include "Lookup.h"
-#include "SlotVisitorInlines.h"
-#include "StructureInlines.h"
namespace JSC {
diff --git a/Source/JavaScriptCore/runtime/IntlNumberFormatPrototype.cpp b/Source/JavaScriptCore/runtime/IntlNumberFormatPrototype.cpp
index 6114e9e..4fee9e2 100644
--- a/Source/JavaScriptCore/runtime/IntlNumberFormatPrototype.cpp
+++ b/Source/JavaScriptCore/runtime/IntlNumberFormatPrototype.cpp
@@ -33,10 +33,8 @@
#include "Error.h"
#include "IntlNumberFormat.h"
#include "JSBoundFunction.h"
-#include "JSCJSValueInlines.h"
-#include "JSCellInlines.h"
+#include "JSCInlines.h"
#include "JSObjectInlines.h"
-#include "StructureInlines.h"
namespace JSC {
diff --git a/Source/JavaScriptCore/runtime/IntlObject.cpp b/Source/JavaScriptCore/runtime/IntlObject.cpp
index fede118..e19499c 100644
--- a/Source/JavaScriptCore/runtime/IntlObject.cpp
+++ b/Source/JavaScriptCore/runtime/IntlObject.cpp
@@ -50,6 +50,7 @@
#include <wtf/Assertions.h>
#include <wtf/NeverDestroyed.h>
#include <wtf/PlatformUserPreferredLanguages.h>
+#include <wtf/text/StringBuilder.h>
namespace JSC {
diff --git a/Source/JavaScriptCore/runtime/IteratorPrototype.cpp b/Source/JavaScriptCore/runtime/IteratorPrototype.cpp
index aa95069..121a01e 100644
--- a/Source/JavaScriptCore/runtime/IteratorPrototype.cpp
+++ b/Source/JavaScriptCore/runtime/IteratorPrototype.cpp
@@ -27,11 +27,9 @@
#include "IteratorPrototype.h"
#include "JSCBuiltins.h"
-#include "JSCJSValueInlines.h"
-#include "JSCellInlines.h"
+#include "JSCInlines.h"
#include "JSGlobalObject.h"
#include "ObjectConstructor.h"
-#include "StructureInlines.h"
namespace JSC {
diff --git a/Source/JavaScriptCore/runtime/JSArray.cpp b/Source/JavaScriptCore/runtime/JSArray.cpp
index f6d7350..a79fad9 100644
--- a/Source/JavaScriptCore/runtime/JSArray.cpp
+++ b/Source/JavaScriptCore/runtime/JSArray.cpp
@@ -60,6 +60,54 @@
return butterfly;
}
+JSArray* JSArray::tryCreateUninitialized(VM& vm, Structure* structure, unsigned initialLength)
+{
+ if (initialLength > MAX_STORAGE_VECTOR_LENGTH)
+ return 0;
+
+ unsigned outOfLineStorage = structure->outOfLineCapacity();
+
+ Butterfly* butterfly;
+ IndexingType indexingType = structure->indexingType();
+ if (LIKELY(!hasAnyArrayStorage(indexingType))) {
+ ASSERT(
+ hasUndecided(indexingType)
+ || hasInt32(indexingType)
+ || hasDouble(indexingType)
+ || hasContiguous(indexingType));
+
+ unsigned vectorLength = Butterfly::optimalContiguousVectorLength(structure, initialLength);
+ void* temp = vm.heap.tryAllocateAuxiliary(nullptr, Butterfly::totalSize(0, outOfLineStorage, true, vectorLength * sizeof(EncodedJSValue)));
+ if (!temp)
+ return nullptr;
+ butterfly = Butterfly::fromBase(temp, 0, outOfLineStorage);
+ butterfly->setVectorLength(vectorLength);
+ butterfly->setPublicLength(initialLength);
+ if (hasDouble(indexingType)) {
+ for (unsigned i = initialLength; i < vectorLength; ++i)
+ butterfly->contiguousDouble()[i] = PNaN;
+ } else {
+ for (unsigned i = initialLength; i < vectorLength; ++i)
+ butterfly->contiguous()[i].clear();
+ }
+ } else {
+ unsigned vectorLength = ArrayStorage::optimalVectorLength(0, structure, initialLength);
+ void* temp = vm.heap.tryAllocateAuxiliary(nullptr, Butterfly::totalSize(0, outOfLineStorage, true, ArrayStorage::sizeFor(vectorLength)));
+ if (!temp)
+ return nullptr;
+ butterfly = Butterfly::fromBase(temp, 0, outOfLineStorage);
+ *butterfly->indexingHeader() = indexingHeaderForArrayStorage(initialLength, vectorLength);
+ ArrayStorage* storage = butterfly->arrayStorage();
+ storage->m_indexBias = 0;
+ storage->m_sparseMap.clear();
+ storage->m_numValuesInVector = initialLength;
+ for (unsigned i = initialLength; i < vectorLength; ++i)
+ storage->m_vector[i].clear();
+ }
+
+ return createWithButterfly(vm, structure, butterfly);
+}
+
void JSArray::setLengthWritable(ExecState* exec, bool writable)
{
ASSERT(isLengthWritable() || !writable);
@@ -243,13 +291,14 @@
}
// This method makes room in the vector, but leaves the new space for count slots uncleared.
-bool JSArray::unshiftCountSlowCase(VM& vm, bool addToFront, unsigned count)
+bool JSArray::unshiftCountSlowCase(VM& vm, DeferGC&, bool addToFront, unsigned count)
{
ArrayStorage* storage = ensureArrayStorage(vm);
Butterfly* butterfly = storage->butterfly();
- unsigned propertyCapacity = structure(vm)->outOfLineCapacity();
- unsigned propertySize = structure(vm)->outOfLineSize();
-
+ Structure* structure = this->structure(vm);
+ unsigned propertyCapacity = structure->outOfLineCapacity();
+ unsigned propertySize = structure->outOfLineSize();
+
// If not, we should have handled this on the fast path.
ASSERT(!addToFront || count > storage->m_indexBias);
@@ -261,7 +310,8 @@
// * desiredCapacity - how large should we like to grow the vector to - based on 2x requiredVectorLength.
unsigned length = storage->length();
- unsigned usedVectorLength = min(storage->vectorLength(), length);
+ unsigned oldVectorLength = storage->vectorLength();
+ unsigned usedVectorLength = min(oldVectorLength, length);
ASSERT(usedVectorLength <= MAX_STORAGE_VECTOR_LENGTH);
// Check that required vector length is possible, in an overflow-safe fashion.
if (count > MAX_STORAGE_VECTOR_LENGTH - usedVectorLength)
@@ -272,23 +322,29 @@
ASSERT(storage->vectorLength() <= MAX_STORAGE_VECTOR_LENGTH && (MAX_STORAGE_VECTOR_LENGTH - storage->vectorLength()) >= storage->m_indexBias);
unsigned currentCapacity = storage->vectorLength() + storage->m_indexBias;
// The calculation of desiredCapacity won't overflow, due to the range of MAX_STORAGE_VECTOR_LENGTH.
- unsigned desiredCapacity = min(MAX_STORAGE_VECTOR_LENGTH, max(BASE_VECTOR_LEN, requiredVectorLength) << 1);
+ // FIXME: This code should be fixed to avoid internal fragmentation. It's not super high
+ // priority since increaseVectorLength() will "fix" any mistakes we make, but it would be cool
+ // to get this right eventually.
+ unsigned desiredCapacity = min(MAX_STORAGE_VECTOR_LENGTH, max(BASE_ARRAY_STORAGE_VECTOR_LEN, requiredVectorLength) << 1);
// Step 2:
// We're either going to choose to allocate a new ArrayStorage, or we're going to reuse the existing one.
- DeferGC deferGC(vm.heap);
void* newAllocBase = 0;
unsigned newStorageCapacity;
+ bool allocatedNewStorage;
// If the current storage array is sufficiently large (but not too large!) then just keep using it.
if (currentCapacity > desiredCapacity && isDenseEnoughForVector(currentCapacity, requiredVectorLength)) {
- newAllocBase = butterfly->base(structure(vm));
+ newAllocBase = butterfly->base(structure);
newStorageCapacity = currentCapacity;
+ allocatedNewStorage = false;
} else {
size_t newSize = Butterfly::totalSize(0, propertyCapacity, true, ArrayStorage::sizeFor(desiredCapacity));
- if (!vm.heap.tryAllocateStorage(this, newSize, &newAllocBase))
+ newAllocBase = vm.heap.tryAllocateAuxiliary(this, newSize);
+ if (!newAllocBase)
return false;
newStorageCapacity = desiredCapacity;
+ allocatedNewStorage = true;
}
// Step 3:
@@ -306,7 +362,7 @@
// Atomic decay, + the post-capacity cannot be greater than what is available.
postCapacity = min((storage->vectorLength() - length) >> 1, newStorageCapacity - requiredVectorLength);
// If we're moving contents within the same allocation, the post-capacity is being reduced.
- ASSERT(newAllocBase != butterfly->base(structure(vm)) || postCapacity < storage->vectorLength() - length);
+ ASSERT(newAllocBase != butterfly->base(structure) || postCapacity < storage->vectorLength() - length);
}
unsigned newVectorLength = requiredVectorLength + postCapacity;
@@ -318,17 +374,24 @@
ASSERT(count + usedVectorLength <= newVectorLength);
memmove(newButterfly->arrayStorage()->m_vector + count, storage->m_vector, sizeof(JSValue) * usedVectorLength);
memmove(newButterfly->propertyStorage() - propertySize, butterfly->propertyStorage() - propertySize, sizeof(JSValue) * propertySize + sizeof(IndexingHeader) + ArrayStorage::sizeFor(0));
- } else if ((newAllocBase != butterfly->base(structure(vm))) || (newIndexBias != storage->m_indexBias)) {
+
+ if (allocatedNewStorage) {
+ // We will set the vectorLength to newVectorLength. We populated requiredVectorLength
+ // (usedVectorLength + count), which is less. Clear the difference.
+ for (unsigned i = requiredVectorLength; i < newVectorLength; ++i)
+ newButterfly->arrayStorage()->m_vector[i].clear();
+ }
+ } else if ((newAllocBase != butterfly->base(structure)) || (newIndexBias != storage->m_indexBias)) {
memmove(newButterfly->propertyStorage() - propertySize, butterfly->propertyStorage() - propertySize, sizeof(JSValue) * propertySize + sizeof(IndexingHeader) + ArrayStorage::sizeFor(0));
memmove(newButterfly->arrayStorage()->m_vector, storage->m_vector, sizeof(JSValue) * usedVectorLength);
-
- WriteBarrier<Unknown>* newVector = newButterfly->arrayStorage()->m_vector;
+
for (unsigned i = requiredVectorLength; i < newVectorLength; i++)
- newVector[i].clear();
+ newButterfly->arrayStorage()->m_vector[i].clear();
}
newButterfly->arrayStorage()->setVectorLength(newVectorLength);
newButterfly->arrayStorage()->m_indexBias = newIndexBias;
+
setButterflyWithoutChangingStructure(vm, newButterfly);
return true;
@@ -337,7 +400,7 @@
bool JSArray::setLengthWithArrayStorage(ExecState* exec, unsigned newLength, bool throwException, ArrayStorage* storage)
{
unsigned length = storage->length();
-
+
// If the length is read only then we enter sparse mode, so should enter the following 'if'.
ASSERT(isLengthWritable() || storage->m_sparseMap);
@@ -997,6 +1060,10 @@
unsigned vectorLength = storage->vectorLength();
+ // Need to have GC deferred around the unshiftCountSlowCase(), since that leaves the butterfly in
+ // a weird state: some parts of it will be left uninitialized, which we will fill in here.
+ DeferGC deferGC(vm.heap);
+
if (moveFront && storage->m_indexBias >= count) {
Butterfly* newButterfly = storage->butterfly()->unshift(structure(), count);
storage = newButterfly->arrayStorage();
@@ -1005,7 +1072,7 @@
setButterflyWithoutChangingStructure(vm, newButterfly);
} else if (!moveFront && vectorLength - length >= count)
storage = storage->butterfly()->arrayStorage();
- else if (unshiftCountSlowCase(vm, moveFront, count))
+ else if (unshiftCountSlowCase(vm, deferGC, moveFront, count))
storage = arrayStorage();
else {
throwOutOfMemoryError(exec, scope);
@@ -1199,7 +1266,6 @@
ASSERT(length == this->length());
Butterfly* butterfly = m_butterfly.get();
-
switch (indexingType()) {
case ArrayClass:
return;
diff --git a/Source/JavaScriptCore/runtime/JSArray.h b/Source/JavaScriptCore/runtime/JSArray.h
index 6ee8e65..c3c5fb5 100644
--- a/Source/JavaScriptCore/runtime/JSArray.h
+++ b/Source/JavaScriptCore/runtime/JSArray.h
@@ -1,6 +1,6 @@
/*
* Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
- * Copyright (C) 2003, 2007, 2008, 2009, 2012, 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2003, 2007, 2008, 2009, 2012, 2015-2016 Apple Inc. All rights reserved.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
@@ -60,7 +60,7 @@
// contents are known at time of creation. Clients of this interface must:
// - null-check the result (indicating out of memory, or otherwise unable to allocate vector).
// - call 'initializeIndex' for all properties in sequence, for 0 <= i < initialLength.
- static JSArray* tryCreateUninitialized(VM&, Structure*, unsigned initialLength);
+ JS_EXPORT_PRIVATE static JSArray* tryCreateUninitialized(VM&, Structure*, unsigned initialLength);
JS_EXPORT_PRIVATE static bool defineOwnProperty(JSObject*, ExecState*, PropertyName, const PropertyDescriptor&, bool throwException);
@@ -168,7 +168,7 @@
bool unshiftCountWithAnyIndexingType(ExecState*, unsigned startIndex, unsigned count);
bool unshiftCountWithArrayStorage(ExecState*, unsigned startIndex, unsigned count, ArrayStorage*);
- bool unshiftCountSlowCase(VM&, bool, unsigned);
+ bool unshiftCountSlowCase(VM&, DeferGC&, bool, unsigned);
bool setLengthWithArrayStorage(ExecState*, unsigned newLength, bool throwException, ArrayStorage*);
void setLengthWritable(ExecState*, bool writable);
@@ -177,7 +177,8 @@
inline Butterfly* createContiguousArrayButterfly(VM& vm, JSCell* intendedOwner, unsigned length, unsigned& vectorLength)
{
IndexingHeader header;
- vectorLength = std::max(length, BASE_VECTOR_LEN);
+ vectorLength = Butterfly::optimalContiguousVectorLength(
+ intendedOwner ? intendedOwner->structure(vm) : 0, length);
header.setVectorLength(vectorLength);
header.setPublicLength(length);
Butterfly* result = Butterfly::create(
@@ -188,11 +189,11 @@
inline Butterfly* createArrayButterfly(VM& vm, JSCell* intendedOwner, unsigned initialLength)
{
Butterfly* butterfly = Butterfly::create(
- vm, intendedOwner, 0, 0, true, baseIndexingHeaderForArray(initialLength),
- ArrayStorage::sizeFor(BASE_VECTOR_LEN));
+ vm, intendedOwner, 0, 0, true, baseIndexingHeaderForArrayStorage(initialLength),
+ ArrayStorage::sizeFor(BASE_ARRAY_STORAGE_VECTOR_LEN));
ArrayStorage* storage = butterfly->arrayStorage();
- storage->m_indexBias = 0;
storage->m_sparseMap.clear();
+ storage->m_indexBias = 0;
storage->m_numValuesInVector = 0;
return butterfly;
}
@@ -211,57 +212,17 @@
|| hasContiguous(structure->indexingType()));
unsigned vectorLength;
butterfly = createContiguousArrayButterfly(vm, 0, initialLength, vectorLength);
- ASSERT(initialLength < MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH);
- if (hasDouble(structure->indexingType())) {
- for (unsigned i = 0; i < vectorLength; ++i)
- butterfly->contiguousDouble()[i] = PNaN;
- }
+ if (hasDouble(structure->indexingType()))
+ clearArray(butterfly->contiguousDouble().data(), vectorLength);
+ else
+ clearArray(butterfly->contiguous().data(), vectorLength);
} else {
ASSERT(
structure->indexingType() == ArrayWithSlowPutArrayStorage
|| structure->indexingType() == ArrayWithArrayStorage);
butterfly = createArrayButterfly(vm, 0, initialLength);
- }
-
- return createWithButterfly(vm, structure, butterfly);
-}
-
-inline JSArray* JSArray::tryCreateUninitialized(VM& vm, Structure* structure, unsigned initialLength)
-{
- unsigned vectorLength = std::max(BASE_VECTOR_LEN, initialLength);
- if (vectorLength > MAX_STORAGE_VECTOR_LENGTH)
- return 0;
-
- unsigned outOfLineStorage = structure->outOfLineCapacity();
-
- Butterfly* butterfly;
- if (LIKELY(!hasAnyArrayStorage(structure->indexingType()))) {
- ASSERT(
- hasUndecided(structure->indexingType())
- || hasInt32(structure->indexingType())
- || hasDouble(structure->indexingType())
- || hasContiguous(structure->indexingType()));
-
- void* temp;
- if (!vm.heap.tryAllocateStorage(0, Butterfly::totalSize(0, outOfLineStorage, true, vectorLength * sizeof(EncodedJSValue)), &temp))
- return 0;
- butterfly = Butterfly::fromBase(temp, 0, outOfLineStorage);
- butterfly->setVectorLength(vectorLength);
- butterfly->setPublicLength(initialLength);
- if (hasDouble(structure->indexingType())) {
- for (unsigned i = initialLength; i < vectorLength; ++i)
- butterfly->contiguousDouble()[i] = PNaN;
- }
- } else {
- void* temp;
- if (!vm.heap.tryAllocateStorage(0, Butterfly::totalSize(0, outOfLineStorage, true, ArrayStorage::sizeFor(vectorLength)), &temp))
- return 0;
- butterfly = Butterfly::fromBase(temp, 0, outOfLineStorage);
- *butterfly->indexingHeader() = indexingHeaderForArray(initialLength, vectorLength);
- ArrayStorage* storage = butterfly->arrayStorage();
- storage->m_indexBias = 0;
- storage->m_sparseMap.clear();
- storage->m_numValuesInVector = initialLength;
+ for (unsigned i = 0; i < BASE_ARRAY_STORAGE_VECTOR_LEN; ++i)
+ butterfly->arrayStorage()->m_vector[i].clear();
}
return createWithButterfly(vm, structure, butterfly);
diff --git a/Source/JavaScriptCore/runtime/JSArrayBufferView.h b/Source/JavaScriptCore/runtime/JSArrayBufferView.h
index 9520c0b..2aa62a3 100644
--- a/Source/JavaScriptCore/runtime/JSArrayBufferView.h
+++ b/Source/JavaScriptCore/runtime/JSArrayBufferView.h
@@ -26,6 +26,7 @@
#ifndef JSArrayBufferView_h
#define JSArrayBufferView_h
+#include "CopyBarrier.h"
#include "JSObject.h"
namespace JSC {
diff --git a/Source/JavaScriptCore/runtime/JSCInlines.h b/Source/JavaScriptCore/runtime/JSCInlines.h
index 0408b16..4ca0ec5 100644
--- a/Source/JavaScriptCore/runtime/JSCInlines.h
+++ b/Source/JavaScriptCore/runtime/JSCInlines.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014 Apple Inc. All rights reserved.
+ * Copyright (C) 2014, 2016 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -41,7 +41,6 @@
#include "GCIncomingRefCountedInlines.h"
#include "HeapInlines.h"
#include "IdentifierInlines.h"
-#include "Interpreter.h"
#include "JSArrayBufferViewInlines.h"
#include "JSCJSValueInlines.h"
#include "JSFunctionInlines.h"
diff --git a/Source/JavaScriptCore/runtime/JSCJSValue.cpp b/Source/JavaScriptCore/runtime/JSCJSValue.cpp
index 36ff545..68e4c86 100644
--- a/Source/JavaScriptCore/runtime/JSCJSValue.cpp
+++ b/Source/JavaScriptCore/runtime/JSCJSValue.cpp
@@ -29,11 +29,10 @@
#include "Error.h"
#include "ExceptionHelpers.h"
#include "GetterSetter.h"
-#include "JSCJSValueInlines.h"
+#include "JSCInlines.h"
#include "JSFunction.h"
#include "JSGlobalObject.h"
#include "NumberObject.h"
-#include "StructureInlines.h"
#include <wtf/MathExtras.h>
#include <wtf/StringExtras.h>
@@ -278,7 +277,11 @@
out.print("Symbol: ", RawPointer(asCell()));
else if (structure->classInfo()->isSubClassOf(Structure::info()))
out.print("Structure: ", inContext(*jsCast<Structure*>(asCell()), context));
- else {
+ else if (structure->classInfo()->isSubClassOf(JSObject::info())) {
+ out.print("Object: ", RawPointer(asCell()));
+ out.print(" with butterfly ", RawPointer(asObject(asCell())->butterfly()));
+ out.print(" (", inContext(*structure, context), ")");
+ } else {
out.print("Cell: ", RawPointer(asCell()));
out.print(" (", inContext(*structure, context), ")");
}
diff --git a/Source/JavaScriptCore/runtime/JSCallee.cpp b/Source/JavaScriptCore/runtime/JSCallee.cpp
index d303296..9192925 100644
--- a/Source/JavaScriptCore/runtime/JSCallee.cpp
+++ b/Source/JavaScriptCore/runtime/JSCallee.cpp
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014 Apple Inc. All rights reserved.
+ * Copyright (C) 2014, 2016 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -27,13 +27,9 @@
#include "JSCallee.h"
#include "GetterSetter.h"
-#include "JSCJSValueInlines.h"
-#include "JSCell.h"
-#include "JSCellInlines.h"
+#include "JSCInlines.h"
#include "JSGlobalObject.h"
-#include "SlotVisitorInlines.h"
#include "StackVisitor.h"
-#include "StructureInlines.h"
namespace JSC {
@@ -43,6 +39,7 @@
: Base(vm, structure)
, m_scope(vm, this, globalObject)
{
+ RELEASE_ASSERT(!isLargeAllocation());
}
JSCallee::JSCallee(VM& vm, JSScope* scope, Structure* structure)
diff --git a/Source/JavaScriptCore/runtime/JSCell.cpp b/Source/JavaScriptCore/runtime/JSCell.cpp
index 906b240..73719d3 100644
--- a/Source/JavaScriptCore/runtime/JSCell.cpp
+++ b/Source/JavaScriptCore/runtime/JSCell.cpp
@@ -58,7 +58,7 @@
size_t JSCell::estimatedSize(JSCell* cell)
{
- return MarkedBlock::blockFor(cell)->cellSize();
+ return cell->cellSize();
}
void JSCell::copyBackingStore(JSCell*, CopyVisitor&, CopyToken)
diff --git a/Source/JavaScriptCore/runtime/JSCell.h b/Source/JavaScriptCore/runtime/JSCell.h
index b5063e8..2fd7117 100644
--- a/Source/JavaScriptCore/runtime/JSCell.h
+++ b/Source/JavaScriptCore/runtime/JSCell.h
@@ -80,7 +80,7 @@
enum CreatingEarlyCellTag { CreatingEarlyCell };
JSCell(CreatingEarlyCellTag);
-
+
protected:
JSCell(VM&, Structure*);
JS_EXPORT_PRIVATE static void destroy(JSCell*);
@@ -108,8 +108,6 @@
const char* className() const;
- VM* vm() const;
-
// Extracting the value.
JS_EXPORT_PRIVATE bool getString(ExecState*, String&) const;
JS_EXPORT_PRIVATE String getString(ExecState*) const; // null string if not a string
@@ -190,6 +188,8 @@
{
return OBJECT_OFFSETOF(JSCell, m_cellState);
}
+
+ void callDestructor(VM&);
static const TypedArrayType TypedArrayStorageType = NotTypedArray;
protected:
diff --git a/Source/JavaScriptCore/runtime/JSCellInlines.h b/Source/JavaScriptCore/runtime/JSCellInlines.h
index d66bfb6..edaac4b 100644
--- a/Source/JavaScriptCore/runtime/JSCellInlines.h
+++ b/Source/JavaScriptCore/runtime/JSCellInlines.h
@@ -113,16 +113,13 @@
visitor.appendUnbarrieredPointer(&structure);
}
-inline VM* JSCell::vm() const
-{
- return MarkedBlock::blockFor(this)->vm();
-}
-
ALWAYS_INLINE VM& ExecState::vm() const
{
ASSERT(callee());
ASSERT(callee()->vm());
- return *calleeAsValue().asCell()->vm();
+ ASSERT(!callee()->isLargeAllocation());
+ // This is an important optimization since we access this so often.
+ return *calleeAsValue().asCell()->markedBlock().vm();
}
template<typename T>
@@ -233,12 +230,19 @@
&& !structure.typeInfo().overridesGetOwnPropertySlot();
}
-inline const ClassInfo* JSCell::classInfo() const
+ALWAYS_INLINE const ClassInfo* JSCell::classInfo() const
{
- MarkedBlock* block = MarkedBlock::blockFor(this);
- if (block->needsDestruction() && !(inlineTypeFlags() & StructureIsImmortal))
+ if (isLargeAllocation()) {
+ LargeAllocation& allocation = largeAllocation();
+ if (allocation.attributes().destruction == NeedsDestruction
+ && !(inlineTypeFlags() & StructureIsImmortal))
+ return static_cast<const JSDestructibleObject*>(this)->classInfo();
+ return structure(*allocation.vm())->classInfo();
+ }
+ MarkedBlock& block = markedBlock();
+ if (block.needsDestruction() && !(inlineTypeFlags() & StructureIsImmortal))
return static_cast<const JSDestructibleObject*>(this)->classInfo();
- return structure(*block->vm())->classInfo();
+ return structure(*block.vm())->classInfo();
}
inline bool JSCell::toBoolean(ExecState* exec) const
@@ -257,6 +261,18 @@
return MixedTriState;
}
+inline void JSCell::callDestructor(VM& vm)
+{
+ if (isZapped())
+ return;
+ ASSERT(structureID());
+ if (inlineTypeFlags() & StructureIsImmortal)
+ structure(vm)->classInfo()->methodTable.destroy(this);
+ else
+ jsCast<JSDestructibleObject*>(this)->classInfo()->methodTable.destroy(this);
+ zap();
+}
+
} // namespace JSC
#endif // JSCellInlines_h
diff --git a/Source/JavaScriptCore/runtime/JSFunction.cpp b/Source/JavaScriptCore/runtime/JSFunction.cpp
index be1ac0b..e746c96 100644
--- a/Source/JavaScriptCore/runtime/JSFunction.cpp
+++ b/Source/JavaScriptCore/runtime/JSFunction.cpp
@@ -64,7 +64,7 @@
JSFunction* JSFunction::create(VM& vm, FunctionExecutable* executable, JSScope* scope)
{
- return create(vm, executable, scope, scope->globalObject()->functionStructure());
+ return create(vm, executable, scope, scope->globalObject(vm)->functionStructure());
}
JSFunction* JSFunction::create(VM& vm, FunctionExecutable* executable, JSScope* scope, Structure* structure)
@@ -78,7 +78,7 @@
JSFunction* JSFunction::create(VM& vm, WebAssemblyExecutable* executable, JSScope* scope)
{
JSFunction* function = new (NotNull, allocateCell<JSFunction>(vm.heap)) JSFunction(vm, executable, scope);
- ASSERT(function->structure()->globalObject());
+ ASSERT(function->structure(vm)->globalObject());
function->finishCreation(vm);
return function;
}
@@ -145,9 +145,9 @@
VM& vm = exec->vm();
JSObject* prototype = jsDynamicCast<JSObject*>(get(exec, vm.propertyNames->prototype));
if (!prototype)
- prototype = globalObject()->objectPrototype();
+ prototype = globalObject(vm)->objectPrototype();
FunctionRareData* rareData = FunctionRareData::create(vm);
- rareData->initializeObjectAllocationProfile(globalObject()->vm(), prototype, inlineCapacity);
+ rareData->initializeObjectAllocationProfile(vm, prototype, inlineCapacity);
// A DFG compilation thread may be trying to read the rare data
// We want to ensure that it sees it properly allocated
@@ -163,8 +163,8 @@
VM& vm = exec->vm();
JSObject* prototype = jsDynamicCast<JSObject*>(get(exec, vm.propertyNames->prototype));
if (!prototype)
- prototype = globalObject()->objectPrototype();
- m_rareData->initializeObjectAllocationProfile(globalObject()->vm(), prototype, inlineCapacity);
+ prototype = globalObject(vm)->objectPrototype();
+ m_rareData->initializeObjectAllocationProfile(vm, prototype, inlineCapacity);
return m_rareData.get();
}
@@ -345,37 +345,37 @@
bool JSFunction::getOwnPropertySlot(JSObject* object, ExecState* exec, PropertyName propertyName, PropertySlot& slot)
{
+ VM& vm = exec->vm();
JSFunction* thisObject = jsCast<JSFunction*>(object);
if (thisObject->isHostOrBuiltinFunction()) {
- thisObject->reifyBoundNameIfNeeded(exec, propertyName);
+ thisObject->reifyBoundNameIfNeeded(vm, exec, propertyName);
return Base::getOwnPropertySlot(thisObject, exec, propertyName, slot);
}
- if (propertyName == exec->propertyNames().prototype && !thisObject->jsExecutable()->isArrowFunction()) {
- VM& vm = exec->vm();
+ if (propertyName == vm.propertyNames->prototype && !thisObject->jsExecutable()->isArrowFunction()) {
unsigned attributes;
PropertyOffset offset = thisObject->getDirectOffset(vm, propertyName, attributes);
if (!isValidOffset(offset)) {
JSObject* prototype = nullptr;
if (thisObject->jsExecutable()->parseMode() == SourceParseMode::GeneratorWrapperFunctionMode)
- prototype = constructEmptyObject(exec, thisObject->globalObject()->generatorPrototype());
+ prototype = constructEmptyObject(exec, thisObject->globalObject(vm)->generatorPrototype());
else
prototype = constructEmptyObject(exec);
- prototype->putDirect(vm, exec->propertyNames().constructor, thisObject, DontEnum);
- thisObject->putDirect(vm, exec->propertyNames().prototype, prototype, DontDelete | DontEnum);
- offset = thisObject->getDirectOffset(vm, exec->propertyNames().prototype, attributes);
+ prototype->putDirect(vm, vm.propertyNames->constructor, thisObject, DontEnum);
+ thisObject->putDirect(vm, vm.propertyNames->prototype, prototype, DontDelete | DontEnum);
+ offset = thisObject->getDirectOffset(vm, vm.propertyNames->prototype, attributes);
ASSERT(isValidOffset(offset));
}
slot.setValue(thisObject, attributes, thisObject->getDirect(offset), offset);
}
- if (propertyName == exec->propertyNames().arguments) {
+ if (propertyName == vm.propertyNames->arguments) {
if (thisObject->jsExecutable()->isStrictMode() || thisObject->jsExecutable()->isClassConstructorFunction()) {
bool result = Base::getOwnPropertySlot(thisObject, exec, propertyName, slot);
if (!result) {
- GetterSetter* errorGetterSetter = thisObject->globalObject()->throwTypeErrorArgumentsCalleeAndCallerGetterSetter();
+ GetterSetter* errorGetterSetter = thisObject->globalObject(vm)->throwTypeErrorArgumentsCalleeAndCallerGetterSetter();
thisObject->putDirectAccessor(exec, propertyName, errorGetterSetter, DontDelete | DontEnum | Accessor);
result = Base::getOwnPropertySlot(thisObject, exec, propertyName, slot);
ASSERT(result);
@@ -386,11 +386,11 @@
return true;
}
- if (propertyName == exec->propertyNames().caller) {
+ if (propertyName == vm.propertyNames->caller) {
if (thisObject->jsExecutable()->isStrictMode() || thisObject->jsExecutable()->isClassConstructorFunction()) {
bool result = Base::getOwnPropertySlot(thisObject, exec, propertyName, slot);
if (!result) {
- GetterSetter* errorGetterSetter = thisObject->globalObject()->throwTypeErrorArgumentsCalleeAndCallerGetterSetter();
+ GetterSetter* errorGetterSetter = thisObject->globalObject(vm)->throwTypeErrorArgumentsCalleeAndCallerGetterSetter();
thisObject->putDirectAccessor(exec, propertyName, errorGetterSetter, DontDelete | DontEnum | Accessor);
result = Base::getOwnPropertySlot(thisObject, exec, propertyName, slot);
ASSERT(result);
@@ -401,7 +401,7 @@
return true;
}
- thisObject->reifyLazyPropertyIfNeeded(exec, propertyName);
+ thisObject->reifyLazyPropertyIfNeeded(vm, exec, propertyName);
return Base::getOwnPropertySlot(thisObject, exec, propertyName, slot);
}
@@ -437,11 +437,11 @@
return ordinarySetSlow(exec, thisObject, propertyName, value, slot.thisValue(), slot.isStrictMode());
if (thisObject->isHostOrBuiltinFunction()) {
- thisObject->reifyBoundNameIfNeeded(exec, propertyName);
+ thisObject->reifyBoundNameIfNeeded(vm, exec, propertyName);
return Base::put(thisObject, exec, propertyName, value, slot);
}
- if (propertyName == exec->propertyNames().prototype) {
+ if (propertyName == vm.propertyNames->prototype) {
// Make sure prototype has been reified, such that it can only be overwritten
// following the rules set out in ECMA-262 8.12.9.
PropertySlot slot(thisObject, PropertySlot::InternalMethodType::VMInquiry);
@@ -453,19 +453,19 @@
scope.release();
return Base::put(thisObject, exec, propertyName, value, dontCache);
}
- if (thisObject->jsExecutable()->isStrictMode() && (propertyName == exec->propertyNames().arguments || propertyName == exec->propertyNames().caller)) {
+ if (thisObject->jsExecutable()->isStrictMode() && (propertyName == vm.propertyNames->arguments || propertyName == vm.propertyNames->caller)) {
// This will trigger the property to be reified, if this is not already the case!
bool okay = thisObject->hasProperty(exec, propertyName);
ASSERT_UNUSED(okay, okay);
scope.release();
return Base::put(thisObject, exec, propertyName, value, slot);
}
- if (propertyName == exec->propertyNames().arguments || propertyName == exec->propertyNames().caller) {
+ if (propertyName == vm.propertyNames->arguments || propertyName == vm.propertyNames->caller) {
if (slot.isStrictMode())
throwTypeError(exec, scope, StrictModeReadonlyPropertyWriteError);
return false;
}
- thisObject->reifyLazyPropertyIfNeeded(exec, propertyName);
+ thisObject->reifyLazyPropertyIfNeeded(vm, exec, propertyName);
scope.release();
return Base::put(thisObject, exec, propertyName, value, slot);
}
@@ -474,16 +474,17 @@
{
JSFunction* thisObject = jsCast<JSFunction*>(cell);
if (thisObject->isHostOrBuiltinFunction())
- thisObject->reifyBoundNameIfNeeded(exec, propertyName);
+ thisObject->reifyBoundNameIfNeeded(exec->vm(), exec, propertyName);
else if (exec->vm().deletePropertyMode() != VM::DeletePropertyMode::IgnoreConfigurable) {
// For non-host functions, don't let these properties by deleted - except by DefineOwnProperty.
+ VM& vm = exec->vm();
FunctionExecutable* executable = thisObject->jsExecutable();
- if (propertyName == exec->propertyNames().arguments
- || (propertyName == exec->propertyNames().prototype && !executable->isArrowFunction())
- || propertyName == exec->propertyNames().caller)
+ if (propertyName == vm.propertyNames->arguments
+ || (propertyName == vm.propertyNames->prototype && !executable->isArrowFunction())
+ || propertyName == vm.propertyNames->caller)
return false;
- thisObject->reifyLazyPropertyIfNeeded(exec, propertyName);
+ thisObject->reifyLazyPropertyIfNeeded(vm, exec, propertyName);
}
return Base::deleteProperty(thisObject, exec, propertyName);
@@ -496,11 +497,11 @@
JSFunction* thisObject = jsCast<JSFunction*>(object);
if (thisObject->isHostOrBuiltinFunction()) {
- thisObject->reifyBoundNameIfNeeded(exec, propertyName);
+ thisObject->reifyBoundNameIfNeeded(vm, exec, propertyName);
return Base::defineOwnProperty(object, exec, propertyName, descriptor, throwException);
}
- if (propertyName == exec->propertyNames().prototype) {
+ if (propertyName == vm.propertyNames->prototype) {
// Make sure prototype has been reified, such that it can only be overwritten
// following the rules set out in ECMA-262 8.12.9.
PropertySlot slot(thisObject, PropertySlot::InternalMethodType::VMInquiry);
@@ -511,24 +512,24 @@
}
bool valueCheck;
- if (propertyName == exec->propertyNames().arguments) {
+ if (propertyName == vm.propertyNames->arguments) {
if (thisObject->jsExecutable()->isStrictMode()) {
PropertySlot slot(thisObject, PropertySlot::InternalMethodType::VMInquiry);
if (!Base::getOwnPropertySlot(thisObject, exec, propertyName, slot))
- thisObject->putDirectAccessor(exec, propertyName, thisObject->globalObject()->throwTypeErrorArgumentsCalleeAndCallerGetterSetter(), DontDelete | DontEnum | Accessor);
+ thisObject->putDirectAccessor(exec, propertyName, thisObject->globalObject(vm)->throwTypeErrorArgumentsCalleeAndCallerGetterSetter(), DontDelete | DontEnum | Accessor);
return Base::defineOwnProperty(object, exec, propertyName, descriptor, throwException);
}
valueCheck = !descriptor.value() || sameValue(exec, descriptor.value(), retrieveArguments(exec, thisObject));
- } else if (propertyName == exec->propertyNames().caller) {
+ } else if (propertyName == vm.propertyNames->caller) {
if (thisObject->jsExecutable()->isStrictMode()) {
PropertySlot slot(thisObject, PropertySlot::InternalMethodType::VMInquiry);
if (!Base::getOwnPropertySlot(thisObject, exec, propertyName, slot))
- thisObject->putDirectAccessor(exec, propertyName, thisObject->globalObject()->throwTypeErrorArgumentsCalleeAndCallerGetterSetter(), DontDelete | DontEnum | Accessor);
+ thisObject->putDirectAccessor(exec, propertyName, thisObject->globalObject(vm)->throwTypeErrorArgumentsCalleeAndCallerGetterSetter(), DontDelete | DontEnum | Accessor);
return Base::defineOwnProperty(object, exec, propertyName, descriptor, throwException);
}
valueCheck = !descriptor.value() || sameValue(exec, descriptor.value(), retrieveCallerFunction(exec, thisObject));
} else {
- thisObject->reifyLazyPropertyIfNeeded(exec, propertyName);
+ thisObject->reifyLazyPropertyIfNeeded(vm, exec, propertyName);
return Base::defineOwnProperty(object, exec, propertyName, descriptor, throwException);
}
@@ -590,6 +591,7 @@
void JSFunction::setFunctionName(ExecState* exec, JSValue value)
{
+ VM& vm = exec->vm();
// The "name" property may have been already been defined as part of a property list in an
// object literal (and therefore reified).
if (hasReifiedName())
@@ -605,7 +607,6 @@
else
name = makeString('[', String(&uid), ']');
} else {
- VM& vm = exec->vm();
JSString* jsStr = value.toString(exec);
if (vm.exception())
return;
@@ -613,25 +614,24 @@
if (vm.exception())
return;
}
- reifyName(exec, name);
+ reifyName(vm, exec, name);
}
-void JSFunction::reifyLength(ExecState* exec)
+void JSFunction::reifyLength(VM& vm)
{
- VM& vm = exec->vm();
FunctionRareData* rareData = this->rareData(vm);
ASSERT(!hasReifiedLength());
ASSERT(!isHostFunction());
JSValue initialValue = jsNumber(jsExecutable()->parameterCount());
unsigned initialAttributes = DontEnum | ReadOnly;
- const Identifier& identifier = exec->propertyNames().length;
+ const Identifier& identifier = vm.propertyNames->length;
putDirect(vm, identifier, initialValue, initialAttributes);
rareData->setHasReifiedLength();
}
-void JSFunction::reifyName(ExecState* exec)
+void JSFunction::reifyName(VM& vm, ExecState* exec)
{
const Identifier& ecmaName = jsExecutable()->ecmaName();
String name;
@@ -642,18 +642,17 @@
name = exec->propertyNames().defaultKeyword.string();
else
name = ecmaName.string();
- reifyName(exec, name);
+ reifyName(vm, exec, name);
}
-void JSFunction::reifyName(ExecState* exec, String name)
+void JSFunction::reifyName(VM& vm, ExecState* exec, String name)
{
- VM& vm = exec->vm();
FunctionRareData* rareData = this->rareData(vm);
ASSERT(!hasReifiedName());
ASSERT(!isHostFunction());
unsigned initialAttributes = DontEnum | ReadOnly;
- const Identifier& propID = exec->propertyNames().name;
+ const Identifier& propID = vm.propertyNames->name;
if (exec->lexicalGlobalObject()->needsSiteSpecificQuirks()) {
auto illegalCharMatcher = [] (UChar ch) -> bool {
@@ -672,20 +671,20 @@
rareData->setHasReifiedName();
}
-void JSFunction::reifyLazyPropertyIfNeeded(ExecState* exec, PropertyName propertyName)
+void JSFunction::reifyLazyPropertyIfNeeded(VM& vm, ExecState* exec, PropertyName propertyName)
{
- if (propertyName == exec->propertyNames().length) {
+ if (propertyName == vm.propertyNames->length) {
if (!hasReifiedLength())
- reifyLength(exec);
- } else if (propertyName == exec->propertyNames().name) {
+ reifyLength(vm);
+ } else if (propertyName == vm.propertyNames->name) {
if (!hasReifiedName())
- reifyName(exec);
+ reifyName(vm, exec);
}
}
-void JSFunction::reifyBoundNameIfNeeded(ExecState* exec, PropertyName propertyName)
+void JSFunction::reifyBoundNameIfNeeded(VM& vm, ExecState* exec, PropertyName propertyName)
{
- const Identifier& nameIdent = exec->propertyNames().name;
+ const Identifier& nameIdent = vm.propertyNames->name;
if (propertyName != nameIdent)
return;
@@ -693,7 +692,6 @@
return;
if (this->inherits(JSBoundFunction::info())) {
- VM& vm = exec->vm();
FunctionRareData* rareData = this->rareData(vm);
String name = makeString("bound ", static_cast<NativeExecutable*>(m_executable.get())->name());
unsigned initialAttributes = DontEnum | ReadOnly;
diff --git a/Source/JavaScriptCore/runtime/JSFunction.h b/Source/JavaScriptCore/runtime/JSFunction.h
index fa946f2..cdb6f75 100644
--- a/Source/JavaScriptCore/runtime/JSFunction.h
+++ b/Source/JavaScriptCore/runtime/JSFunction.h
@@ -189,11 +189,11 @@
bool hasReifiedLength() const;
bool hasReifiedName() const;
- void reifyLength(ExecState*);
- void reifyName(ExecState*);
- void reifyBoundNameIfNeeded(ExecState*, PropertyName);
- void reifyName(ExecState*, String name);
- void reifyLazyPropertyIfNeeded(ExecState*, PropertyName propertyName);
+ void reifyLength(VM&);
+ void reifyName(VM&, ExecState*);
+ void reifyBoundNameIfNeeded(VM&, ExecState*, PropertyName);
+ void reifyName(VM&, ExecState*, String name);
+ void reifyLazyPropertyIfNeeded(VM&, ExecState*, PropertyName propertyName);
friend class LLIntOffsetsExtractor;
diff --git a/Source/JavaScriptCore/runtime/JSFunctionInlines.h b/Source/JavaScriptCore/runtime/JSFunctionInlines.h
index 8a2db18..72a23c0 100644
--- a/Source/JavaScriptCore/runtime/JSFunctionInlines.h
+++ b/Source/JavaScriptCore/runtime/JSFunctionInlines.h
@@ -35,7 +35,7 @@
VM& vm, FunctionExecutable* executable, JSScope* scope)
{
ASSERT(executable->singletonFunction()->hasBeenInvalidated());
- return createImpl(vm, executable, scope, scope->globalObject()->functionStructure());
+ return createImpl(vm, executable, scope, scope->globalObject(vm)->functionStructure());
}
inline JSFunction::JSFunction(VM& vm, FunctionExecutable* executable, JSScope* scope, Structure* structure)
@@ -47,7 +47,7 @@
#if ENABLE(WEBASSEMBLY)
inline JSFunction::JSFunction(VM& vm, WebAssemblyExecutable* executable, JSScope* scope)
- : Base(vm, scope, scope->globalObject()->functionStructure())
+ : Base(vm, scope, scope->globalObject(vm)->functionStructure())
, m_executable(vm, this, executable)
, m_rareData()
{
diff --git a/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h b/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h
index a4d212c..d803a08 100644
--- a/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h
+++ b/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h
@@ -520,25 +520,15 @@
// up. But if you do *anything* to trigger a GC watermark check, it will know
// that you *had* done those allocations and it will GC appropriately.
Heap* heap = Heap::heap(thisObject);
+ VM& vm = *heap->vm();
DeferGCForAWhile deferGC(*heap);
ASSERT(!thisObject->hasIndexingHeader());
- size_t size = thisObject->byteSize();
-
- if (thisObject->m_mode == FastTypedArray
- && !thisObject->butterfly() && size >= sizeof(IndexingHeader)) {
- ASSERT(thisObject->m_vector);
- // Reuse already allocated memory if at all possible.
- thisObject->m_butterfly.setWithoutBarrier(
- bitwise_cast<IndexingHeader*>(thisObject->vector())->butterfly());
- } else {
- RELEASE_ASSERT(!thisObject->hasIndexingHeader());
- VM& vm = *heap->vm();
- thisObject->m_butterfly.set(vm, thisObject, Butterfly::createOrGrowArrayRight(
- thisObject->butterfly(), vm, thisObject, thisObject->structure(),
- thisObject->structure()->outOfLineCapacity(), false, 0, 0));
- }
+ RELEASE_ASSERT(!thisObject->hasIndexingHeader());
+ thisObject->m_butterfly.set(vm, thisObject, Butterfly::createOrGrowArrayRight(
+ thisObject->butterfly(), vm, thisObject, thisObject->structure(),
+ thisObject->structure()->outOfLineCapacity(), false, 0, 0));
RefPtr<ArrayBuffer> buffer;
diff --git a/Source/JavaScriptCore/runtime/JSInternalPromise.cpp b/Source/JavaScriptCore/runtime/JSInternalPromise.cpp
index f952592..90f8032 100644
--- a/Source/JavaScriptCore/runtime/JSInternalPromise.cpp
+++ b/Source/JavaScriptCore/runtime/JSInternalPromise.cpp
@@ -27,10 +27,7 @@
#include "JSInternalPromise.h"
#include "BuiltinNames.h"
-#include "JSCJSValueInlines.h"
-#include "JSCellInlines.h"
-#include "JSObjectInlines.h"
-#include "StructureInlines.h"
+#include "JSCInlines.h"
namespace JSC {
diff --git a/Source/JavaScriptCore/runtime/JSInternalPromiseConstructor.cpp b/Source/JavaScriptCore/runtime/JSInternalPromiseConstructor.cpp
index 9fcc86e..9a214c6 100644
--- a/Source/JavaScriptCore/runtime/JSInternalPromiseConstructor.cpp
+++ b/Source/JavaScriptCore/runtime/JSInternalPromiseConstructor.cpp
@@ -27,11 +27,9 @@
#include "JSInternalPromiseConstructor.h"
#include "JSCBuiltins.h"
-#include "JSCJSValueInlines.h"
-#include "JSCellInlines.h"
+#include "JSCInlines.h"
#include "JSInternalPromise.h"
#include "JSInternalPromisePrototype.h"
-#include "StructureInlines.h"
#include "JSInternalPromiseConstructor.lut.h"
diff --git a/Source/JavaScriptCore/runtime/JSInternalPromiseDeferred.cpp b/Source/JavaScriptCore/runtime/JSInternalPromiseDeferred.cpp
index ab4a8f4..0e0f3dd 100644
--- a/Source/JavaScriptCore/runtime/JSInternalPromiseDeferred.cpp
+++ b/Source/JavaScriptCore/runtime/JSInternalPromiseDeferred.cpp
@@ -29,13 +29,9 @@
#include "BuiltinNames.h"
#include "Error.h"
#include "Exception.h"
-#include "JSCJSValueInlines.h"
-#include "JSCellInlines.h"
+#include "JSCInlines.h"
#include "JSInternalPromise.h"
#include "JSInternalPromiseConstructor.h"
-#include "JSObjectInlines.h"
-#include "SlotVisitorInlines.h"
-#include "StructureInlines.h"
namespace JSC {
diff --git a/Source/JavaScriptCore/runtime/JSInternalPromisePrototype.cpp b/Source/JavaScriptCore/runtime/JSInternalPromisePrototype.cpp
index ecedfaf..5db434b 100644
--- a/Source/JavaScriptCore/runtime/JSInternalPromisePrototype.cpp
+++ b/Source/JavaScriptCore/runtime/JSInternalPromisePrototype.cpp
@@ -28,12 +28,10 @@
#include "Error.h"
#include "JSCBuiltins.h"
-#include "JSCJSValueInlines.h"
-#include "JSCellInlines.h"
+#include "JSCInlines.h"
#include "JSGlobalObject.h"
#include "JSInternalPromise.h"
#include "Microtask.h"
-#include "StructureInlines.h"
namespace JSC {
diff --git a/Source/JavaScriptCore/runtime/JSJob.cpp b/Source/JavaScriptCore/runtime/JSJob.cpp
index d11ffa3..00bbfbd 100644
--- a/Source/JavaScriptCore/runtime/JSJob.cpp
+++ b/Source/JavaScriptCore/runtime/JSJob.cpp
@@ -28,12 +28,10 @@
#include "Error.h"
#include "Exception.h"
-#include "JSCJSValueInlines.h"
-#include "JSCellInlines.h"
+#include "JSCInlines.h"
#include "JSGlobalObject.h"
#include "JSObjectInlines.h"
#include "Microtask.h"
-#include "SlotVisitorInlines.h"
#include "StrongInlines.h"
namespace JSC {
diff --git a/Source/JavaScriptCore/runtime/JSMapIterator.cpp b/Source/JavaScriptCore/runtime/JSMapIterator.cpp
index f13ea5f..2c388a2 100644
--- a/Source/JavaScriptCore/runtime/JSMapIterator.cpp
+++ b/Source/JavaScriptCore/runtime/JSMapIterator.cpp
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2013 Apple, Inc. All rights reserved.
+ * Copyright (C) 2013, 2016 Apple, Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -26,12 +26,9 @@
#include "config.h"
#include "JSMapIterator.h"
-#include "JSCJSValueInlines.h"
-#include "JSCellInlines.h"
+#include "JSCInlines.h"
#include "JSMap.h"
#include "MapDataInlines.h"
-#include "SlotVisitorInlines.h"
-#include "StructureInlines.h"
namespace JSC {
diff --git a/Source/JavaScriptCore/runtime/JSModuleNamespaceObject.cpp b/Source/JavaScriptCore/runtime/JSModuleNamespaceObject.cpp
index 89834c4..0423333 100644
--- a/Source/JavaScriptCore/runtime/JSModuleNamespaceObject.cpp
+++ b/Source/JavaScriptCore/runtime/JSModuleNamespaceObject.cpp
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2016 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -27,14 +27,10 @@
#include "JSModuleNamespaceObject.h"
#include "Error.h"
-#include "IdentifierInlines.h"
-#include "JSCJSValueInlines.h"
-#include "JSCellInlines.h"
+#include "JSCInlines.h"
#include "JSModuleEnvironment.h"
#include "JSModuleRecord.h"
#include "JSPropertyNameIterator.h"
-#include "SlotVisitorInlines.h"
-#include "StructureInlines.h"
namespace JSC {
diff --git a/Source/JavaScriptCore/runtime/JSModuleRecord.cpp b/Source/JavaScriptCore/runtime/JSModuleRecord.cpp
index 21bac79..eea8435 100644
--- a/Source/JavaScriptCore/runtime/JSModuleRecord.cpp
+++ b/Source/JavaScriptCore/runtime/JSModuleRecord.cpp
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2016 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -28,15 +28,11 @@
#include "Error.h"
#include "Executable.h"
-#include "IdentifierInlines.h"
-#include "JSCJSValueInlines.h"
-#include "JSCellInlines.h"
+#include "Interpreter.h"
+#include "JSCInlines.h"
#include "JSMap.h"
#include "JSModuleEnvironment.h"
#include "JSModuleNamespaceObject.h"
-#include "JSObjectInlines.h"
-#include "SlotVisitorInlines.h"
-#include "StructureInlines.h"
namespace JSC {
diff --git a/Source/JavaScriptCore/runtime/JSObject.cpp b/Source/JavaScriptCore/runtime/JSObject.cpp
index 6e72e59..7bf48fe 100644
--- a/Source/JavaScriptCore/runtime/JSObject.cpp
+++ b/Source/JavaScriptCore/runtime/JSObject.cpp
@@ -88,77 +88,6 @@
}
}
-ALWAYS_INLINE void JSObject::copyButterfly(CopyVisitor& visitor, Butterfly* butterfly, size_t storageSize)
-{
- ASSERT(butterfly);
-
- Structure* structure = this->structure();
-
- size_t propertyCapacity = structure->outOfLineCapacity();
- size_t preCapacity;
- size_t indexingPayloadSizeInBytes;
- bool hasIndexingHeader = this->hasIndexingHeader();
- if (UNLIKELY(hasIndexingHeader)) {
- preCapacity = butterfly->indexingHeader()->preCapacity(structure);
- indexingPayloadSizeInBytes = butterfly->indexingHeader()->indexingPayloadSizeInBytes(structure);
- } else {
- preCapacity = 0;
- indexingPayloadSizeInBytes = 0;
- }
- size_t capacityInBytes = Butterfly::totalSize(preCapacity, propertyCapacity, hasIndexingHeader, indexingPayloadSizeInBytes);
- if (visitor.checkIfShouldCopy(butterfly->base(preCapacity, propertyCapacity))) {
- Butterfly* newButterfly = Butterfly::createUninitializedDuringCollection(visitor, preCapacity, propertyCapacity, hasIndexingHeader, indexingPayloadSizeInBytes);
-
- // Copy the properties.
- PropertyStorage currentTarget = newButterfly->propertyStorage();
- PropertyStorage currentSource = butterfly->propertyStorage();
- for (size_t count = storageSize; count--;)
- (--currentTarget)->setWithoutWriteBarrier((--currentSource)->get());
-
- if (UNLIKELY(hasIndexingHeader)) {
- *newButterfly->indexingHeader() = *butterfly->indexingHeader();
-
- // Copy the array if appropriate.
-
- WriteBarrier<Unknown>* currentTarget;
- WriteBarrier<Unknown>* currentSource;
- size_t count;
-
- switch (this->indexingType()) {
- case ALL_UNDECIDED_INDEXING_TYPES:
- case ALL_CONTIGUOUS_INDEXING_TYPES:
- case ALL_INT32_INDEXING_TYPES:
- case ALL_DOUBLE_INDEXING_TYPES: {
- currentTarget = newButterfly->contiguous().data();
- currentSource = butterfly->contiguous().data();
- RELEASE_ASSERT(newButterfly->publicLength() <= newButterfly->vectorLength());
- count = newButterfly->vectorLength();
- break;
- }
-
- case ALL_ARRAY_STORAGE_INDEXING_TYPES: {
- newButterfly->arrayStorage()->copyHeaderFromDuringGC(*butterfly->arrayStorage());
- currentTarget = newButterfly->arrayStorage()->m_vector;
- currentSource = butterfly->arrayStorage()->m_vector;
- count = newButterfly->arrayStorage()->vectorLength();
- break;
- }
-
- default:
- currentTarget = 0;
- currentSource = 0;
- count = 0;
- break;
- }
-
- memcpy(currentTarget, currentSource, count * sizeof(EncodedJSValue));
- }
-
- m_butterfly.setWithoutBarrier(newButterfly);
- visitor.didCopy(butterfly->base(preCapacity, propertyCapacity), capacityInBytes);
- }
-}
-
ALWAYS_INLINE void JSObject::visitButterfly(SlotVisitor& visitor, Butterfly* butterfly, Structure* structure)
{
ASSERT(butterfly);
@@ -166,22 +95,21 @@
size_t storageSize = structure->outOfLineSize();
size_t propertyCapacity = structure->outOfLineCapacity();
size_t preCapacity;
- size_t indexingPayloadSizeInBytes;
bool hasIndexingHeader = this->hasIndexingHeader();
- if (UNLIKELY(hasIndexingHeader)) {
+ if (UNLIKELY(hasIndexingHeader))
preCapacity = butterfly->indexingHeader()->preCapacity(structure);
- indexingPayloadSizeInBytes = butterfly->indexingHeader()->indexingPayloadSizeInBytes(structure);
- } else {
+ else
preCapacity = 0;
- indexingPayloadSizeInBytes = 0;
- }
- size_t capacityInBytes = Butterfly::totalSize(preCapacity, propertyCapacity, hasIndexingHeader, indexingPayloadSizeInBytes);
+
+ HeapCell* base = bitwise_cast<HeapCell*>(butterfly->base(preCapacity, propertyCapacity));
+
+ ASSERT(Heap::heap(base) == visitor.heap());
+ // Keep the butterfly alive.
+ visitor.markAuxiliary(base);
+
// Mark the properties.
visitor.appendValuesHidden(butterfly->propertyStorage() - storageSize, storageSize);
- visitor.copyLater(
- this, ButterflyCopyToken,
- butterfly->base(preCapacity, propertyCapacity), capacityInBytes);
// Mark the array if appropriate.
switch (this->indexingType()) {
@@ -225,19 +153,6 @@
#endif
}
-void JSObject::copyBackingStore(JSCell* cell, CopyVisitor& visitor, CopyToken token)
-{
- JSObject* thisObject = jsCast<JSObject*>(cell);
- ASSERT_GC_OBJECT_INHERITS(thisObject, info());
-
- if (token != ButterflyCopyToken)
- return;
-
- Butterfly* butterfly = thisObject->m_butterfly.get();
- if (butterfly)
- thisObject->copyButterfly(visitor, butterfly, thisObject->structure()->outOfLineSize());
-}
-
void JSObject::heapSnapshot(JSCell* cell, HeapSnapshotBuilder& builder)
{
JSObject* thisObject = jsCast<JSObject*>(cell);
@@ -783,20 +698,22 @@
if (!vm.prototypeMap.isPrototype(this))
return;
- globalObject()->haveABadTime(vm);
+ globalObject(vm)->haveABadTime(vm);
}
-Butterfly* JSObject::createInitialIndexedStorage(VM& vm, unsigned length, size_t elementSize)
+Butterfly* JSObject::createInitialIndexedStorage(VM& vm, unsigned length)
{
ASSERT(length < MAX_ARRAY_INDEX);
IndexingType oldType = indexingType();
ASSERT_UNUSED(oldType, !hasIndexedProperties(oldType));
ASSERT(!structure()->needsSlowPutIndexing());
ASSERT(!indexingShouldBeSparse());
- unsigned vectorLength = std::max(length, BASE_VECTOR_LEN);
+ Structure* structure = this->structure(vm);
+ unsigned propertyCapacity = structure->outOfLineCapacity();
+ unsigned vectorLength = Butterfly::optimalContiguousVectorLength(propertyCapacity, length);
Butterfly* newButterfly = Butterfly::createOrGrowArrayRight(
- m_butterfly.get(), vm, this, structure(), structure()->outOfLineCapacity(), false, 0,
- elementSize * vectorLength);
+ m_butterfly.get(), vm, this, structure, propertyCapacity, false, 0,
+ sizeof(EncodedJSValue) * vectorLength);
newButterfly->setPublicLength(length);
newButterfly->setVectorLength(vectorLength);
return newButterfly;
@@ -805,7 +722,7 @@
Butterfly* JSObject::createInitialUndecided(VM& vm, unsigned length)
{
DeferGC deferGC(vm.heap);
- Butterfly* newButterfly = createInitialIndexedStorage(vm, length, sizeof(EncodedJSValue));
+ Butterfly* newButterfly = createInitialIndexedStorage(vm, length);
Structure* newStructure = Structure::nonPropertyTransition(vm, structure(vm), NonPropertyTransition::AllocateUndecided);
setStructureAndButterfly(vm, newStructure, newButterfly);
return newButterfly;
@@ -814,7 +731,9 @@
ContiguousJSValues JSObject::createInitialInt32(VM& vm, unsigned length)
{
DeferGC deferGC(vm.heap);
- Butterfly* newButterfly = createInitialIndexedStorage(vm, length, sizeof(EncodedJSValue));
+ Butterfly* newButterfly = createInitialIndexedStorage(vm, length);
+ for (unsigned i = newButterfly->vectorLength(); i--;)
+ newButterfly->contiguousInt32()[i].setWithoutWriteBarrier(JSValue());
Structure* newStructure = Structure::nonPropertyTransition(vm, structure(vm), NonPropertyTransition::AllocateInt32);
setStructureAndButterfly(vm, newStructure, newButterfly);
return newButterfly->contiguousInt32();
@@ -823,7 +742,7 @@
ContiguousDoubles JSObject::createInitialDouble(VM& vm, unsigned length)
{
DeferGC deferGC(vm.heap);
- Butterfly* newButterfly = createInitialIndexedStorage(vm, length, sizeof(double));
+ Butterfly* newButterfly = createInitialIndexedStorage(vm, length);
for (unsigned i = newButterfly->vectorLength(); i--;)
newButterfly->contiguousDouble()[i] = PNaN;
Structure* newStructure = Structure::nonPropertyTransition(vm, structure(vm), NonPropertyTransition::AllocateDouble);
@@ -834,7 +753,9 @@
ContiguousJSValues JSObject::createInitialContiguous(VM& vm, unsigned length)
{
DeferGC deferGC(vm.heap);
- Butterfly* newButterfly = createInitialIndexedStorage(vm, length, sizeof(EncodedJSValue));
+ Butterfly* newButterfly = createInitialIndexedStorage(vm, length);
+ for (unsigned i = newButterfly->vectorLength(); i--;)
+ newButterfly->contiguous()[i].setWithoutWriteBarrier(JSValue());
Structure* newStructure = Structure::nonPropertyTransition(vm, structure(vm), NonPropertyTransition::AllocateContiguous);
setStructureAndButterfly(vm, newStructure, newButterfly);
return newButterfly->contiguous();
@@ -857,6 +778,8 @@
result->m_sparseMap.clear();
result->m_numValuesInVector = 0;
result->m_indexBias = 0;
+ for (size_t i = vectorLength; i--;)
+ result->m_vector[i].setWithoutWriteBarrier(JSValue());
Structure* newStructure = Structure::nonPropertyTransition(vm, structure, structure->suggestedArrayStorageTransition());
setStructureAndButterfly(vm, newStructure, newButterfly);
return result;
@@ -864,12 +787,18 @@
ArrayStorage* JSObject::createInitialArrayStorage(VM& vm)
{
- return createArrayStorage(vm, 0, BASE_VECTOR_LEN);
+ return createArrayStorage(
+ vm, 0, ArrayStorage::optimalVectorLength(0, structure(vm)->outOfLineCapacity(), 0));
}
ContiguousJSValues JSObject::convertUndecidedToInt32(VM& vm)
{
ASSERT(hasUndecided(indexingType()));
+
+ Butterfly* butterfly = m_butterfly.get();
+ for (unsigned i = butterfly->vectorLength(); i--;)
+ butterfly->contiguousInt32()[i].setWithoutWriteBarrier(JSValue());
+
setStructure(vm, Structure::nonPropertyTransition(vm, structure(vm), NonPropertyTransition::AllocateInt32));
return m_butterfly.get()->contiguousInt32();
}
@@ -889,6 +818,11 @@
ContiguousJSValues JSObject::convertUndecidedToContiguous(VM& vm)
{
ASSERT(hasUndecided(indexingType()));
+
+ Butterfly* butterfly = m_butterfly.get();
+ for (unsigned i = butterfly->vectorLength(); i--;)
+ butterfly->contiguous()[i].setWithoutWriteBarrier(JSValue());
+
setStructure(vm, Structure::nonPropertyTransition(vm, structure(vm), NonPropertyTransition::AllocateContiguous));
return m_butterfly.get()->contiguous();
}
@@ -925,7 +859,9 @@
unsigned vectorLength = m_butterfly.get()->vectorLength();
ArrayStorage* storage = constructConvertedArrayStorageWithoutCopyingElements(vm, vectorLength);
- // No need to copy elements.
+
+ for (unsigned i = vectorLength; i--;)
+ storage->m_vector[i].setWithoutWriteBarrier(JSValue());
Structure* newStructure = Structure::nonPropertyTransition(vm, structure(vm), transition);
setStructureAndButterfly(vm, newStructure, storage->butterfly());
@@ -946,11 +882,12 @@
WriteBarrier<Unknown>* current = &butterfly->contiguousInt32()[i];
double* currentAsDouble = bitwise_cast<double*>(current);
JSValue v = current->get();
- if (!v) {
+ // NOTE: Since this may be used during initialization, v could be garbage. If it's garbage,
+ // that means it will be overwritten later.
+ if (!v.isInt32()) {
*currentAsDouble = PNaN;
continue;
}
- ASSERT(v.isInt32());
*currentAsDouble = v.asInt32();
}
@@ -974,13 +911,11 @@
unsigned vectorLength = m_butterfly.get()->vectorLength();
ArrayStorage* newStorage = constructConvertedArrayStorageWithoutCopyingElements(vm, vectorLength);
Butterfly* butterfly = m_butterfly.get();
- for (unsigned i = 0; i < butterfly->publicLength(); i++) {
+ for (unsigned i = 0; i < vectorLength; i++) {
JSValue v = butterfly->contiguous()[i].get();
- if (v) {
- newStorage->m_vector[i].setWithoutWriteBarrier(v);
+ newStorage->m_vector[i].setWithoutWriteBarrier(v);
+ if (v)
newStorage->m_numValuesInVector++;
- } else
- ASSERT(newStorage->m_vector[i].get().isEmpty());
}
Structure* newStructure = Structure::nonPropertyTransition(vm, structure(vm), transition);
@@ -1022,13 +957,11 @@
unsigned vectorLength = m_butterfly.get()->vectorLength();
ArrayStorage* newStorage = constructConvertedArrayStorageWithoutCopyingElements(vm, vectorLength);
Butterfly* butterfly = m_butterfly.get();
- for (unsigned i = 0; i < butterfly->publicLength(); i++) {
+ for (unsigned i = 0; i < vectorLength; i++) {
double value = butterfly->contiguousDouble()[i];
- if (value == value) {
- newStorage->m_vector[i].setWithoutWriteBarrier(JSValue(JSValue::EncodeAsDouble, value));
+ newStorage->m_vector[i].setWithoutWriteBarrier(JSValue(JSValue::EncodeAsDouble, value));
+ if (value == value)
newStorage->m_numValuesInVector++;
- } else
- ASSERT(newStorage->m_vector[i].get().isEmpty());
}
Structure* newStructure = Structure::nonPropertyTransition(vm, structure(vm), transition);
@@ -1049,13 +982,11 @@
unsigned vectorLength = m_butterfly.get()->vectorLength();
ArrayStorage* newStorage = constructConvertedArrayStorageWithoutCopyingElements(vm, vectorLength);
Butterfly* butterfly = m_butterfly.get();
- for (unsigned i = 0; i < butterfly->publicLength(); i++) {
+ for (unsigned i = 0; i < vectorLength; i++) {
JSValue v = butterfly->contiguous()[i].get();
- if (v) {
- newStorage->m_vector[i].setWithoutWriteBarrier(v);
+ newStorage->m_vector[i].setWithoutWriteBarrier(v);
+ if (v)
newStorage->m_numValuesInVector++;
- } else
- ASSERT(newStorage->m_vector[i].get().isEmpty());
}
Structure* newStructure = Structure::nonPropertyTransition(vm, structure(vm), transition);
@@ -2406,7 +2337,7 @@
}
if (structure(vm)->needsSlowPutIndexing()) {
// Convert the indexing type to the SlowPutArrayStorage and retry.
- createArrayStorage(vm, i + 1, getNewVectorLength(0, 0, i + 1));
+ createArrayStorage(vm, i + 1, getNewVectorLength(0, 0, 0, i + 1));
return putByIndex(this, exec, i, value, shouldThrow);
}
@@ -2547,7 +2478,7 @@
exec, i, value, attributes, mode, createArrayStorage(vm, 0, 0));
}
if (structure(vm)->needsSlowPutIndexing()) {
- ArrayStorage* storage = createArrayStorage(vm, i + 1, getNewVectorLength(0, 0, i + 1));
+ ArrayStorage* storage = createArrayStorage(vm, i + 1, getNewVectorLength(0, 0, 0, i + 1));
storage->m_vector[i].set(vm, this, value);
storage->m_numValuesInVector++;
return true;
@@ -2666,7 +2597,8 @@
putDirectWithoutTransition(vm, propertyName, function, attributes);
}
-ALWAYS_INLINE unsigned JSObject::getNewVectorLength(unsigned currentVectorLength, unsigned currentLength, unsigned desiredLength)
+// NOTE: This method is for ArrayStorage vectors.
+ALWAYS_INLINE unsigned JSObject::getNewVectorLength(unsigned indexBias, unsigned currentVectorLength, unsigned currentLength, unsigned desiredLength)
{
ASSERT(desiredLength <= MAX_STORAGE_VECTOR_LENGTH);
@@ -2683,25 +2615,27 @@
ASSERT(increasedLength >= desiredLength);
- lastArraySize = std::min(increasedLength, FIRST_VECTOR_GROW);
+ lastArraySize = std::min(increasedLength, FIRST_ARRAY_STORAGE_VECTOR_GROW);
- return std::min(increasedLength, MAX_STORAGE_VECTOR_LENGTH);
+ return ArrayStorage::optimalVectorLength(
+ indexBias, structure()->outOfLineCapacity(),
+ std::min(increasedLength, MAX_STORAGE_VECTOR_LENGTH));
}
ALWAYS_INLINE unsigned JSObject::getNewVectorLength(unsigned desiredLength)
{
- unsigned vectorLength;
- unsigned length;
+ unsigned indexBias = 0;
+ unsigned vectorLength = 0;
+ unsigned length = 0;
if (hasIndexedProperties(indexingType())) {
+ if (ArrayStorage* storage = arrayStorageOrNull())
+ indexBias = storage->m_indexBias;
vectorLength = m_butterfly.get()->vectorLength();
length = m_butterfly.get()->publicLength();
- } else {
- vectorLength = 0;
- length = 0;
}
- return getNewVectorLength(vectorLength, length, desiredLength);
+ return getNewVectorLength(indexBias, vectorLength, length, desiredLength);
}
template<IndexingType indexingShape>
@@ -2754,19 +2688,28 @@
bool JSObject::increaseVectorLength(VM& vm, unsigned newLength)
{
+ ArrayStorage* storage = arrayStorage();
+
+ unsigned vectorLength = storage->vectorLength();
+ unsigned availableVectorLength = storage->availableVectorLength(structure(vm), vectorLength);
+ if (availableVectorLength >= newLength) {
+ // The cell was already big enough for the desired length!
+ for (unsigned i = vectorLength; i < availableVectorLength; ++i)
+ storage->m_vector[i].clear();
+ storage->setVectorLength(availableVectorLength);
+ return true;
+ }
+
// This function leaves the array in an internally inconsistent state, because it does not move any values from sparse value map
// to the vector. Callers have to account for that, because they can do it more efficiently.
if (newLength > MAX_STORAGE_VECTOR_LENGTH)
return false;
- ArrayStorage* storage = arrayStorage();
-
if (newLength >= MIN_SPARSE_ARRAY_INDEX
&& !isDenseEnoughForVector(newLength, storage->m_numValuesInVector))
return false;
unsigned indexBias = storage->m_indexBias;
- unsigned vectorLength = storage->vectorLength();
ASSERT(newLength > vectorLength);
unsigned newVectorLength = getNewVectorLength(newLength);
@@ -2779,6 +2722,8 @@
ArrayStorage::sizeFor(vectorLength), ArrayStorage::sizeFor(newVectorLength));
if (!newButterfly)
return false;
+ for (unsigned i = vectorLength; i < newVectorLength; ++i)
+ newButterfly->arrayStorage()->m_vector[i].clear();
newButterfly->arrayStorage()->setVectorLength(newVectorLength);
setButterflyWithoutChangingStructure(vm, newButterfly);
return true;
@@ -2793,6 +2738,8 @@
newIndexBias, true, ArrayStorage::sizeFor(newVectorLength));
if (!newButterfly)
return false;
+ for (unsigned i = vectorLength; i < newVectorLength; ++i)
+ newButterfly->arrayStorage()->m_vector[i].clear();
newButterfly->arrayStorage()->setVectorLength(newVectorLength);
newButterfly->arrayStorage()->m_indexBias = newIndexBias;
setButterflyWithoutChangingStructure(vm, newButterfly);
@@ -2807,25 +2754,41 @@
ASSERT(hasContiguous(indexingType()) || hasInt32(indexingType()) || hasDouble(indexingType()) || hasUndecided(indexingType()));
ASSERT(length > butterfly->vectorLength());
- unsigned newVectorLength = std::min(
- length << 1,
- MAX_STORAGE_VECTOR_LENGTH);
unsigned oldVectorLength = butterfly->vectorLength();
- DeferGC deferGC(vm.heap);
- butterfly = butterfly->growArrayRight(
- vm, this, structure(), structure()->outOfLineCapacity(), true,
- oldVectorLength * sizeof(EncodedJSValue),
- newVectorLength * sizeof(EncodedJSValue));
- if (!butterfly)
- return false;
- m_butterfly.set(vm, this, butterfly);
+ unsigned newVectorLength;
+
+ Structure* structure = this->structure(vm);
+ unsigned propertyCapacity = structure->outOfLineCapacity();
+
+ unsigned availableOldLength =
+ Butterfly::availableContiguousVectorLength(propertyCapacity, oldVectorLength);
+ if (availableOldLength >= length) {
+ // This is the case where someone else selected a vector length that caused internal
+ // fragmentation. If we did our jobs right, this would never happen. But I bet we will mess
+ // this up, so this defense should stay.
+ newVectorLength = availableOldLength;
+ } else {
+ newVectorLength = Butterfly::optimalContiguousVectorLength(
+ propertyCapacity, std::min(length << 1, MAX_STORAGE_VECTOR_LENGTH));
+ butterfly = butterfly->growArrayRight(
+ vm, this, structure, propertyCapacity, true,
+ oldVectorLength * sizeof(EncodedJSValue),
+ newVectorLength * sizeof(EncodedJSValue));
+ if (!butterfly)
+ return false;
+ m_butterfly.set(vm, this, butterfly);
+ }
butterfly->setVectorLength(newVectorLength);
if (hasDouble(indexingType())) {
for (unsigned i = oldVectorLength; i < newVectorLength; ++i)
- butterfly->contiguousDouble().data()[i] = PNaN;
+ butterfly->contiguousDouble()[i] = PNaN;
+ } else {
+ for (unsigned i = oldVectorLength; i < newVectorLength; ++i)
+ butterfly->contiguous()[i].clear();
}
+
return true;
}
diff --git a/Source/JavaScriptCore/runtime/JSObject.h b/Source/JavaScriptCore/runtime/JSObject.h
index 82f4b0f..e2b8a52 100644
--- a/Source/JavaScriptCore/runtime/JSObject.h
+++ b/Source/JavaScriptCore/runtime/JSObject.h
@@ -26,15 +26,14 @@
#include "ArgList.h"
#include "ArrayConventions.h"
#include "ArrayStorage.h"
+#include "AuxiliaryBarrier.h"
#include "Butterfly.h"
#include "CallFrame.h"
#include "ClassInfo.h"
#include "CommonIdentifiers.h"
-#include "CopyBarrier.h"
#include "CustomGetterSetter.h"
#include "DeferGC.h"
#include "Heap.h"
-#include "HeapInlines.h"
#include "IndexingHeaderInlines.h"
#include "JSCell.h"
#include "PropertySlot.h"
@@ -103,7 +102,6 @@
JS_EXPORT_PRIVATE static size_t estimatedSize(JSCell*);
JS_EXPORT_PRIVATE static void visitChildren(JSCell*, SlotVisitor&);
- JS_EXPORT_PRIVATE static void copyBackingStore(JSCell*, CopyVisitor&, CopyToken);
JS_EXPORT_PRIVATE static void heapSnapshot(JSCell*, HeapSnapshotBuilder&);
JS_EXPORT_PRIVATE static String className(const JSObject*);
@@ -420,6 +418,8 @@
initializeIndex(vm, i, v, indexingType());
}
+ // NOTE: Clients of this method may call it more than once for any index, and this is supposed
+ // to work.
void initializeIndex(VM& vm, unsigned i, JSValue v, IndexingType indexingType)
{
Butterfly* butterfly = m_butterfly.get();
@@ -692,8 +692,6 @@
void setStructure(VM&, Structure*);
void setStructureAndButterfly(VM&, Structure*, Butterfly*);
- void setStructureAndReallocateStorageIfNecessary(VM&, unsigned oldCapacity, Structure*);
- void setStructureAndReallocateStorageIfNecessary(VM&, Structure*);
JS_EXPORT_PRIVATE void convertToDictionary(VM&);
@@ -710,6 +708,13 @@
return structure()->globalObject();
}
+ JSGlobalObject* globalObject(VM& vm) const
+ {
+ ASSERT(structure(vm)->globalObject());
+ ASSERT(!isGlobalObject() || ((JSObject*)structure()->globalObject()) == this);
+ return structure(vm)->globalObject();
+ }
+
void switchToSlowPutArrayStorage(VM&);
// The receiver is the prototype in this case. The following:
@@ -803,7 +808,6 @@
JSObject(VM&, Structure*, Butterfly* = 0);
void visitButterfly(SlotVisitor&, Butterfly*, Structure*);
- void copyButterfly(CopyVisitor&, Butterfly*, size_t storageSize);
// Call this if you know that the object is in a mode where it has array
// storage. This will assert otherwise.
@@ -914,7 +918,7 @@
void isObject();
void isString();
- Butterfly* createInitialIndexedStorage(VM&, unsigned length, size_t elementSize);
+ Butterfly* createInitialIndexedStorage(VM&, unsigned length);
ArrayStorage* enterDictionaryIndexingModeWhenArrayStorageAlreadyExists(VM&, ArrayStorage*);
@@ -938,7 +942,7 @@
bool putDirectIndexBeyondVectorLengthWithArrayStorage(ExecState*, unsigned propertyName, JSValue, unsigned attributes, PutDirectIndexMode, ArrayStorage*);
JS_EXPORT_PRIVATE bool putDirectIndexBeyondVectorLength(ExecState*, unsigned propertyName, JSValue, unsigned attributes, PutDirectIndexMode);
- unsigned getNewVectorLength(unsigned currentVectorLength, unsigned currentLength, unsigned desiredLength);
+ unsigned getNewVectorLength(unsigned indexBias, unsigned currentVectorLength, unsigned currentLength, unsigned desiredLength);
unsigned getNewVectorLength(unsigned desiredLength);
ArrayStorage* constructConvertedArrayStorageWithoutCopyingElements(VM&, unsigned neededLength);
@@ -955,7 +959,7 @@
JS_EXPORT_PRIVATE ArrayStorage* ensureArrayStorageSlow(VM&);
protected:
- CopyBarrier<Butterfly> m_butterfly;
+ AuxiliaryBarrier<Butterfly*> m_butterfly;
#if USE(JSVALUE32_64)
private:
uint32_t m_padding;
@@ -1417,8 +1421,16 @@
validateOffset(offset);
ASSERT(newStructure->isValidOffset(offset));
- setStructureAndReallocateStorageIfNecessary(vm, newStructure);
-
+ DeferGC deferGC(vm.heap);
+ size_t oldCapacity = structure->outOfLineCapacity();
+ size_t newCapacity = newStructure->outOfLineCapacity();
+ ASSERT(oldCapacity <= newCapacity);
+ if (oldCapacity == newCapacity)
+ setStructure(vm, newStructure);
+ else {
+ Butterfly* newButterfly = growOutOfLineStorage(vm, oldCapacity, newCapacity);
+ setStructureAndButterfly(vm, newStructure, newButterfly);
+ }
putDirect(vm, offset, value);
slot.setNewProperty(this, offset);
if (attributes & ReadOnly)
@@ -1426,27 +1438,6 @@
return true;
}
-inline void JSObject::setStructureAndReallocateStorageIfNecessary(VM& vm, unsigned oldCapacity, Structure* newStructure)
-{
- ASSERT(oldCapacity <= newStructure->outOfLineCapacity());
-
- if (oldCapacity == newStructure->outOfLineCapacity()) {
- setStructure(vm, newStructure);
- return;
- }
-
- DeferGC deferGC(vm.heap);
- Butterfly* newButterfly = growOutOfLineStorage(
- vm, oldCapacity, newStructure->outOfLineCapacity());
- setStructureAndButterfly(vm, newStructure, newButterfly);
-}
-
-inline void JSObject::setStructureAndReallocateStorageIfNecessary(VM& vm, Structure* newStructure)
-{
- setStructureAndReallocateStorageIfNecessary(
- vm, structure(vm)->outOfLineCapacity(), newStructure);
-}
-
inline bool JSObject::putOwnDataProperty(VM& vm, PropertyName propertyName, JSValue value, PutPropertySlot& slot)
{
ASSERT(value);
diff --git a/Source/JavaScriptCore/runtime/JSObjectInlines.h b/Source/JavaScriptCore/runtime/JSObjectInlines.h
index 5ef7c59..64aa05c 100644
--- a/Source/JavaScriptCore/runtime/JSObjectInlines.h
+++ b/Source/JavaScriptCore/runtime/JSObjectInlines.h
@@ -1,7 +1,7 @@
/*
* Copyright (C) 1999-2001 Harri Porten (porten@kde.org)
* Copyright (C) 2001 Peter Kelly (pmk@post.com)
- * Copyright (C) 2003-2006, 2008, 2009, 2012-2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2003-2006, 2008, 2009, 2012-2016 Apple Inc. All rights reserved.
* Copyright (C) 2007 Eric Seidel (eric@webkit.org)
*
* This library is free software; you can redistribute it and/or
@@ -24,6 +24,7 @@
#ifndef JSObjectInlines_h
#define JSObjectInlines_h
+#include "AuxiliaryBarrierInlines.h"
#include "Error.h"
#include "JSObject.h"
#include "Lookup.h"
diff --git a/Source/JavaScriptCore/runtime/JSPromise.cpp b/Source/JavaScriptCore/runtime/JSPromise.cpp
index 0202e17..29b54ed 100644
--- a/Source/JavaScriptCore/runtime/JSPromise.cpp
+++ b/Source/JavaScriptCore/runtime/JSPromise.cpp
@@ -28,12 +28,9 @@
#include "BuiltinNames.h"
#include "Error.h"
-#include "JSCJSValueInlines.h"
-#include "JSCellInlines.h"
+#include "JSCInlines.h"
#include "JSPromiseConstructor.h"
#include "Microtask.h"
-#include "SlotVisitorInlines.h"
-#include "StructureInlines.h"
namespace JSC {
diff --git a/Source/JavaScriptCore/runtime/JSPromiseConstructor.cpp b/Source/JavaScriptCore/runtime/JSPromiseConstructor.cpp
index 6312e86..5f21cd6 100644
--- a/Source/JavaScriptCore/runtime/JSPromiseConstructor.cpp
+++ b/Source/JavaScriptCore/runtime/JSPromiseConstructor.cpp
@@ -32,14 +32,12 @@
#include "GetterSetter.h"
#include "IteratorOperations.h"
#include "JSCBuiltins.h"
-#include "JSCJSValueInlines.h"
-#include "JSCellInlines.h"
+#include "JSCInlines.h"
#include "JSFunction.h"
#include "JSPromise.h"
#include "JSPromisePrototype.h"
#include "Lookup.h"
#include "NumberObject.h"
-#include "StructureInlines.h"
namespace JSC {
diff --git a/Source/JavaScriptCore/runtime/JSPromiseDeferred.cpp b/Source/JavaScriptCore/runtime/JSPromiseDeferred.cpp
index 8dd2454..a34f069 100644
--- a/Source/JavaScriptCore/runtime/JSPromiseDeferred.cpp
+++ b/Source/JavaScriptCore/runtime/JSPromiseDeferred.cpp
@@ -29,13 +29,10 @@
#include "BuiltinNames.h"
#include "Error.h"
#include "Exception.h"
-#include "JSCJSValueInlines.h"
-#include "JSCellInlines.h"
+#include "JSCInlines.h"
#include "JSObjectInlines.h"
#include "JSPromise.h"
#include "JSPromiseConstructor.h"
-#include "SlotVisitorInlines.h"
-#include "StructureInlines.h"
namespace JSC {
diff --git a/Source/JavaScriptCore/runtime/JSPromisePrototype.cpp b/Source/JavaScriptCore/runtime/JSPromisePrototype.cpp
index f3eaa2e..d66dde9 100644
--- a/Source/JavaScriptCore/runtime/JSPromisePrototype.cpp
+++ b/Source/JavaScriptCore/runtime/JSPromisePrototype.cpp
@@ -29,13 +29,11 @@
#include "BuiltinNames.h"
#include "Error.h"
#include "JSCBuiltins.h"
-#include "JSCJSValueInlines.h"
-#include "JSCellInlines.h"
+#include "JSCInlines.h"
#include "JSFunction.h"
#include "JSGlobalObject.h"
#include "JSPromise.h"
#include "Microtask.h"
-#include "StructureInlines.h"
namespace JSC {
diff --git a/Source/JavaScriptCore/runtime/JSPropertyNameIterator.cpp b/Source/JavaScriptCore/runtime/JSPropertyNameIterator.cpp
index b7ded12..e25998a 100644
--- a/Source/JavaScriptCore/runtime/JSPropertyNameIterator.cpp
+++ b/Source/JavaScriptCore/runtime/JSPropertyNameIterator.cpp
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2015 Apple, Inc. All rights reserved.
+ * Copyright (C) 2015-2016 Apple, Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -26,13 +26,9 @@
#include "config.h"
#include "JSPropertyNameIterator.h"
-#include "IdentifierInlines.h"
#include "IteratorOperations.h"
-#include "JSCJSValueInlines.h"
-#include "JSCellInlines.h"
+#include "JSCInlines.h"
#include "JSPropertyNameEnumerator.h"
-#include "SlotVisitorInlines.h"
-#include "StructureInlines.h"
namespace JSC {
diff --git a/Source/JavaScriptCore/runtime/JSScope.cpp b/Source/JavaScriptCore/runtime/JSScope.cpp
index b3baf87..59ac40c 100644
--- a/Source/JavaScriptCore/runtime/JSScope.cpp
+++ b/Source/JavaScriptCore/runtime/JSScope.cpp
@@ -217,6 +217,7 @@
JSObject* JSScope::resolve(ExecState* exec, JSScope* scope, const Identifier& ident)
{
+ VM& vm = exec->vm();
ScopeChainIterator end = scope->end();
ScopeChainIterator it = scope->begin();
while (1) {
@@ -225,7 +226,7 @@
// Global scope.
if (++it == end) {
- JSScope* globalScopeExtension = scope->globalObject()->globalScopeExtension();
+ JSScope* globalScopeExtension = scope->globalObject(vm)->globalScopeExtension();
if (UNLIKELY(globalScopeExtension)) {
if (object->hasProperty(exec, ident))
return object;
diff --git a/Source/JavaScriptCore/runtime/JSScope.h b/Source/JavaScriptCore/runtime/JSScope.h
index d676411..2d30918 100644
--- a/Source/JavaScriptCore/runtime/JSScope.h
+++ b/Source/JavaScriptCore/runtime/JSScope.h
@@ -69,7 +69,7 @@
JSScope* next();
JSGlobalObject* globalObject();
- VM* vm();
+ JSGlobalObject* globalObject(VM&);
JSObject* globalThis();
SymbolTable* symbolTable();
@@ -129,9 +129,9 @@
return structure()->globalObject();
}
-inline VM* JSScope::vm()
+inline JSGlobalObject* JSScope::globalObject(VM& vm)
{
- return MarkedBlock::blockFor(this)->vm();
+ return structure(vm)->globalObject();
}
inline Register& Register::operator=(JSScope* scope)
diff --git a/Source/JavaScriptCore/runtime/JSSetIterator.cpp b/Source/JavaScriptCore/runtime/JSSetIterator.cpp
index 634c2ac..2f2deb5 100644
--- a/Source/JavaScriptCore/runtime/JSSetIterator.cpp
+++ b/Source/JavaScriptCore/runtime/JSSetIterator.cpp
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2013 Apple, Inc. All rights reserved.
+ * Copyright (C) 2013, 2016 Apple, Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -26,12 +26,9 @@
#include "config.h"
#include "JSSetIterator.h"
-#include "JSCJSValueInlines.h"
-#include "JSCellInlines.h"
+#include "JSCInlines.h"
#include "JSSet.h"
#include "MapDataInlines.h"
-#include "SlotVisitorInlines.h"
-#include "StructureInlines.h"
namespace JSC {
diff --git a/Source/JavaScriptCore/runtime/JSStringIterator.cpp b/Source/JavaScriptCore/runtime/JSStringIterator.cpp
index 7bfd8a9..43b6c36 100644
--- a/Source/JavaScriptCore/runtime/JSStringIterator.cpp
+++ b/Source/JavaScriptCore/runtime/JSStringIterator.cpp
@@ -28,9 +28,7 @@
#include "JSStringIterator.h"
#include "BuiltinNames.h"
-#include "JSCJSValueInlines.h"
-#include "JSCellInlines.h"
-#include "StructureInlines.h"
+#include "JSCInlines.h"
namespace JSC {
diff --git a/Source/JavaScriptCore/runtime/JSTemplateRegistryKey.cpp b/Source/JavaScriptCore/runtime/JSTemplateRegistryKey.cpp
index e3f3ae9..3b9797c 100644
--- a/Source/JavaScriptCore/runtime/JSTemplateRegistryKey.cpp
+++ b/Source/JavaScriptCore/runtime/JSTemplateRegistryKey.cpp
@@ -1,5 +1,6 @@
/*
* Copyright (C) 2015 Yusuke Suzuki <utatane.tea@gmail.com>.
+ * Copyright (C) 2016 Apple Inc. All Rights Reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -26,9 +27,7 @@
#include "config.h"
#include "JSTemplateRegistryKey.h"
-#include "JSCJSValueInlines.h"
-#include "JSCellInlines.h"
-#include "StructureInlines.h"
+#include "JSCInlines.h"
#include "VM.h"
namespace JSC {
diff --git a/Source/JavaScriptCore/runtime/JSTypedArrayViewConstructor.cpp b/Source/JavaScriptCore/runtime/JSTypedArrayViewConstructor.cpp
index 02c2fa1..bfae59e 100644
--- a/Source/JavaScriptCore/runtime/JSTypedArrayViewConstructor.cpp
+++ b/Source/JavaScriptCore/runtime/JSTypedArrayViewConstructor.cpp
@@ -30,9 +30,8 @@
#include "Error.h"
#include "GetterSetter.h"
#include "JSCBuiltins.h"
-#include "JSCellInlines.h"
+#include "JSCInlines.h"
#include "JSGenericTypedArrayViewConstructorInlines.h"
-#include "JSObject.h"
#include "JSTypedArrayViewPrototype.h"
#include "JSTypedArrays.h"
diff --git a/Source/JavaScriptCore/runtime/JSTypedArrayViewPrototype.cpp b/Source/JavaScriptCore/runtime/JSTypedArrayViewPrototype.cpp
index 3f6aa485..a1949fe 100644
--- a/Source/JavaScriptCore/runtime/JSTypedArrayViewPrototype.cpp
+++ b/Source/JavaScriptCore/runtime/JSTypedArrayViewPrototype.cpp
@@ -29,7 +29,7 @@
#include "BuiltinNames.h"
#include "CallFrame.h"
#include "GetterSetter.h"
-#include "JSCellInlines.h"
+#include "JSCInlines.h"
#include "JSFunction.h"
#include "JSGenericTypedArrayViewPrototypeFunctions.h"
#include "JSObjectInlines.h"
diff --git a/Source/JavaScriptCore/runtime/JSWeakMap.cpp b/Source/JavaScriptCore/runtime/JSWeakMap.cpp
index 5f85c8f..c027ff2 100644
--- a/Source/JavaScriptCore/runtime/JSWeakMap.cpp
+++ b/Source/JavaScriptCore/runtime/JSWeakMap.cpp
@@ -26,11 +26,8 @@
#include "config.h"
#include "JSWeakMap.h"
-#include "JSCJSValueInlines.h"
-#include "SlotVisitorInlines.h"
-#include "StructureInlines.h"
+#include "JSCInlines.h"
#include "WeakMapData.h"
-#include "WriteBarrierInlines.h"
namespace JSC {
diff --git a/Source/JavaScriptCore/runtime/JSWeakSet.cpp b/Source/JavaScriptCore/runtime/JSWeakSet.cpp
index 07bf372..3577c5d 100644
--- a/Source/JavaScriptCore/runtime/JSWeakSet.cpp
+++ b/Source/JavaScriptCore/runtime/JSWeakSet.cpp
@@ -26,11 +26,8 @@
#include "config.h"
#include "JSWeakSet.h"
-#include "JSCJSValueInlines.h"
-#include "SlotVisitorInlines.h"
-#include "StructureInlines.h"
+#include "JSCInlines.h"
#include "WeakMapData.h"
-#include "WriteBarrierInlines.h"
namespace JSC {
diff --git a/Source/JavaScriptCore/runtime/MapConstructor.cpp b/Source/JavaScriptCore/runtime/MapConstructor.cpp
index ee3b602..5a2b69a 100644
--- a/Source/JavaScriptCore/runtime/MapConstructor.cpp
+++ b/Source/JavaScriptCore/runtime/MapConstructor.cpp
@@ -29,13 +29,11 @@
#include "Error.h"
#include "GetterSetter.h"
#include "IteratorOperations.h"
-#include "JSCJSValueInlines.h"
-#include "JSCellInlines.h"
+#include "JSCInlines.h"
#include "JSGlobalObject.h"
#include "JSMap.h"
#include "JSObjectInlines.h"
#include "MapPrototype.h"
-#include "StructureInlines.h"
namespace JSC {
diff --git a/Source/JavaScriptCore/runtime/MapIteratorPrototype.cpp b/Source/JavaScriptCore/runtime/MapIteratorPrototype.cpp
index 63606a3..1ec4d92 100644
--- a/Source/JavaScriptCore/runtime/MapIteratorPrototype.cpp
+++ b/Source/JavaScriptCore/runtime/MapIteratorPrototype.cpp
@@ -27,10 +27,8 @@
#include "MapIteratorPrototype.h"
#include "IteratorOperations.h"
-#include "JSCJSValueInlines.h"
-#include "JSCellInlines.h"
+#include "JSCInlines.h"
#include "JSMapIterator.h"
-#include "StructureInlines.h"
namespace JSC {
diff --git a/Source/JavaScriptCore/runtime/MapPrototype.cpp b/Source/JavaScriptCore/runtime/MapPrototype.cpp
index efd4416..d50f807 100644
--- a/Source/JavaScriptCore/runtime/MapPrototype.cpp
+++ b/Source/JavaScriptCore/runtime/MapPrototype.cpp
@@ -31,13 +31,11 @@
#include "ExceptionHelpers.h"
#include "GetterSetter.h"
#include "IteratorOperations.h"
-#include "JSCJSValueInlines.h"
-#include "JSFunctionInlines.h"
+#include "JSCInlines.h"
#include "JSMap.h"
#include "JSMapIterator.h"
#include "Lookup.h"
#include "MapDataInlines.h"
-#include "StructureInlines.h"
#include "MapPrototype.lut.h"
diff --git a/Source/JavaScriptCore/runtime/NativeErrorConstructor.cpp b/Source/JavaScriptCore/runtime/NativeErrorConstructor.cpp
index 800ec89..0974c41 100644
--- a/Source/JavaScriptCore/runtime/NativeErrorConstructor.cpp
+++ b/Source/JavaScriptCore/runtime/NativeErrorConstructor.cpp
@@ -22,6 +22,7 @@
#include "NativeErrorConstructor.h"
#include "ErrorInstance.h"
+#include "Interpreter.h"
#include "JSFunction.h"
#include "JSString.h"
#include "NativeErrorPrototype.h"
diff --git a/Source/JavaScriptCore/runtime/NativeStdFunctionCell.cpp b/Source/JavaScriptCore/runtime/NativeStdFunctionCell.cpp
index 581f31a..1c03266 100644
--- a/Source/JavaScriptCore/runtime/NativeStdFunctionCell.cpp
+++ b/Source/JavaScriptCore/runtime/NativeStdFunctionCell.cpp
@@ -26,10 +26,7 @@
#include "config.h"
#include "NativeStdFunctionCell.h"
-#include "JSCJSValueInlines.h"
-#include "JSCellInlines.h"
-#include "JSFunctionInlines.h"
-#include "SlotVisitorInlines.h"
+#include "JSCInlines.h"
namespace JSC {
diff --git a/Source/JavaScriptCore/runtime/Operations.h b/Source/JavaScriptCore/runtime/Operations.h
index 4f9bb5c..34e301f 100644
--- a/Source/JavaScriptCore/runtime/Operations.h
+++ b/Source/JavaScriptCore/runtime/Operations.h
@@ -199,6 +199,20 @@
return jsAddSlowCase(callFrame, v1, v2);
}
+inline bool scribbleFreeCells()
+{
+ return !ASSERT_DISABLED || Options::scribbleFreeCells();
+}
+
+inline void scribble(void* base, size_t size)
+{
+ for (size_t i = size / sizeof(EncodedJSValue); i--;) {
+ // Use a 16-byte aligned value to ensure that it passes the cell check.
+ static_cast<EncodedJSValue*>(base)[i] = JSValue::encode(
+ bitwise_cast<JSCell*>(static_cast<intptr_t>(0xbadbeef0)));
+ }
+}
+
} // namespace JSC
#endif // Operations_h
diff --git a/Source/JavaScriptCore/runtime/Options.cpp b/Source/JavaScriptCore/runtime/Options.cpp
index 156eb08..de8a4bb 100644
--- a/Source/JavaScriptCore/runtime/Options.cpp
+++ b/Source/JavaScriptCore/runtime/Options.cpp
@@ -370,7 +370,7 @@
Options::useOSREntryToDFG() = false;
Options::useOSREntryToFTL() = false;
}
-
+
#if PLATFORM(IOS) && !PLATFORM(IOS_SIMULATOR) && __IPHONE_OS_VERSION_MIN_REQUIRED >= 100000
// Override globally for now. Longer term we'll just make the default
// be to have this option enabled, and have platforms that don't support
diff --git a/Source/JavaScriptCore/runtime/Options.h b/Source/JavaScriptCore/runtime/Options.h
index d1cf255..567c9c2 100644
--- a/Source/JavaScriptCore/runtime/Options.h
+++ b/Source/JavaScriptCore/runtime/Options.h
@@ -182,6 +182,11 @@
v(bool, testTheFTL, false, Normal, nullptr) \
v(bool, verboseSanitizeStack, false, Normal, nullptr) \
v(bool, useGenerationalGC, true, Normal, nullptr) \
+ v(bool, scribbleFreeCells, false, Normal, nullptr) \
+ v(double, sizeClassProgression, 1.4, Normal, nullptr) \
+ v(unsigned, largeAllocationCutoff, 100000, Normal, nullptr) \
+ v(bool, dumpSizeClasses, false, Normal, nullptr) \
+ v(bool, useBumpAllocator, true, Normal, nullptr) \
v(bool, eagerlyUpdateTopCallFrame, false, Normal, nullptr) \
\
v(bool, useOSREntryToDFG, true, Normal, nullptr) \
diff --git a/Source/JavaScriptCore/runtime/PropertyTable.cpp b/Source/JavaScriptCore/runtime/PropertyTable.cpp
index c458bc5..35aac5a 100644
--- a/Source/JavaScriptCore/runtime/PropertyTable.cpp
+++ b/Source/JavaScriptCore/runtime/PropertyTable.cpp
@@ -26,10 +26,7 @@
#include "config.h"
#include "PropertyMapHashTable.h"
-#include "JSCJSValueInlines.h"
-#include "JSCellInlines.h"
-#include "SlotVisitorInlines.h"
-#include "StructureInlines.h"
+#include "JSCInlines.h"
namespace JSC {
diff --git a/Source/JavaScriptCore/runtime/ProxyConstructor.cpp b/Source/JavaScriptCore/runtime/ProxyConstructor.cpp
index 8f26294..7ec3af5 100644
--- a/Source/JavaScriptCore/runtime/ProxyConstructor.cpp
+++ b/Source/JavaScriptCore/runtime/ProxyConstructor.cpp
@@ -28,8 +28,7 @@
#include "Error.h"
#include "IdentifierInlines.h"
-#include "JSCJSValueInlines.h"
-#include "JSCellInlines.h"
+#include "JSCInlines.h"
#include "ObjectConstructor.h"
#include "ObjectPrototype.h"
#include "ProxyObject.h"
diff --git a/Source/JavaScriptCore/runtime/ProxyObject.cpp b/Source/JavaScriptCore/runtime/ProxyObject.cpp
index d52f17f..db84cd42 100644
--- a/Source/JavaScriptCore/runtime/ProxyObject.cpp
+++ b/Source/JavaScriptCore/runtime/ProxyObject.cpp
@@ -29,8 +29,7 @@
#include "ArrayConstructor.h"
#include "Error.h"
#include "IdentifierInlines.h"
-#include "JSCJSValueInlines.h"
-#include "JSCellInlines.h"
+#include "JSCInlines.h"
#include "JSObjectInlines.h"
#include "ObjectConstructor.h"
#include "SlotVisitorInlines.h"
diff --git a/Source/JavaScriptCore/runtime/ProxyRevoke.cpp b/Source/JavaScriptCore/runtime/ProxyRevoke.cpp
index 4ce423b..c792c5b 100644
--- a/Source/JavaScriptCore/runtime/ProxyRevoke.cpp
+++ b/Source/JavaScriptCore/runtime/ProxyRevoke.cpp
@@ -26,10 +26,8 @@
#include "config.h"
#include "ProxyRevoke.h"
-#include "JSCJSValueInlines.h"
+#include "JSCInlines.h"
#include "ProxyObject.h"
-#include "SlotVisitorInlines.h"
-#include "StructureInlines.h"
namespace JSC {
diff --git a/Source/JavaScriptCore/runtime/RegExp.cpp b/Source/JavaScriptCore/runtime/RegExp.cpp
index c87751f..f6d0e9b 100644
--- a/Source/JavaScriptCore/runtime/RegExp.cpp
+++ b/Source/JavaScriptCore/runtime/RegExp.cpp
@@ -296,13 +296,13 @@
m_regExpBytecode = Yarr::byteCompile(pattern, &vm->m_regExpAllocator, &vm->m_regExpAllocatorLock);
}
-int RegExp::match(VM& vm, const String& s, unsigned startOffset, Vector<int, 32>& ovector)
+int RegExp::match(VM& vm, const String& s, unsigned startOffset, Vector<int>& ovector)
{
return matchInline(vm, s, startOffset, ovector);
}
bool RegExp::matchConcurrently(
- VM& vm, const String& s, unsigned startOffset, int& position, Vector<int, 32>& ovector)
+ VM& vm, const String& s, unsigned startOffset, int& position, Vector<int>& ovector)
{
ConcurrentJITLocker locker(m_lock);
@@ -382,7 +382,7 @@
void RegExp::matchCompareWithInterpreter(const String& s, int startOffset, int* offsetVector, int jitResult)
{
int offsetVectorSize = (m_numSubpatterns + 1) * 2;
- Vector<int, 32> interpreterOvector;
+ Vector<int> interpreterOvector;
interpreterOvector.resize(offsetVectorSize);
int* interpreterOffsetVector = interpreterOvector.data();
int interpreterResult = 0;
diff --git a/Source/JavaScriptCore/runtime/RegExp.h b/Source/JavaScriptCore/runtime/RegExp.h
index 995aae5..b6c0d77 100644
--- a/Source/JavaScriptCore/runtime/RegExp.h
+++ b/Source/JavaScriptCore/runtime/RegExp.h
@@ -64,17 +64,18 @@
bool isValid() const { return !m_constructionError && m_flags != InvalidFlags; }
const char* errorMessage() const { return m_constructionError; }
- JS_EXPORT_PRIVATE int match(VM&, const String&, unsigned startOffset, Vector<int, 32>& ovector);
+ JS_EXPORT_PRIVATE int match(VM&, const String&, unsigned startOffset, Vector<int>& ovector);
// Returns false if we couldn't run the regular expression for any reason.
- bool matchConcurrently(VM&, const String&, unsigned startOffset, int& position, Vector<int, 32>& ovector);
+ bool matchConcurrently(VM&, const String&, unsigned startOffset, int& position, Vector<int>& ovector);
JS_EXPORT_PRIVATE MatchResult match(VM&, const String&, unsigned startOffset);
bool matchConcurrently(VM&, const String&, unsigned startOffset, MatchResult&);
// Call these versions of the match functions if you're desperate for performance.
- int matchInline(VM&, const String&, unsigned startOffset, Vector<int, 32>& ovector);
+ template<typename VectorType>
+ int matchInline(VM&, const String&, unsigned startOffset, VectorType& ovector);
MatchResult matchInline(VM&, const String&, unsigned startOffset);
unsigned numSubpatterns() const { return m_numSubpatterns; }
diff --git a/Source/JavaScriptCore/runtime/RegExpConstructor.h b/Source/JavaScriptCore/runtime/RegExpConstructor.h
index 2536525..50c8b5e 100644
--- a/Source/JavaScriptCore/runtime/RegExpConstructor.h
+++ b/Source/JavaScriptCore/runtime/RegExpConstructor.h
@@ -80,7 +80,7 @@
RegExpCachedResult m_cachedResult;
bool m_multiline;
- Vector<int, 32> m_ovector;
+ Vector<int> m_ovector;
};
RegExpConstructor* asRegExpConstructor(JSValue);
diff --git a/Source/JavaScriptCore/runtime/RegExpInlines.h b/Source/JavaScriptCore/runtime/RegExpInlines.h
index 295d931..5b0db95 100644
--- a/Source/JavaScriptCore/runtime/RegExpInlines.h
+++ b/Source/JavaScriptCore/runtime/RegExpInlines.h
@@ -94,7 +94,8 @@
compile(&vm, charSize);
}
-ALWAYS_INLINE int RegExp::matchInline(VM& vm, const String& s, unsigned startOffset, Vector<int, 32>& ovector)
+template<typename VectorType>
+ALWAYS_INLINE int RegExp::matchInline(VM& vm, const String& s, unsigned startOffset, VectorType& ovector)
{
#if ENABLE(REGEXP_TRACING)
m_rtMatchCallCount++;
diff --git a/Source/JavaScriptCore/runtime/RegExpMatchesArray.h b/Source/JavaScriptCore/runtime/RegExpMatchesArray.h
index 7df8c73..a69a151 100644
--- a/Source/JavaScriptCore/runtime/RegExpMatchesArray.h
+++ b/Source/JavaScriptCore/runtime/RegExpMatchesArray.h
@@ -34,17 +34,20 @@
ALWAYS_INLINE JSArray* tryCreateUninitializedRegExpMatchesArray(VM& vm, Structure* structure, unsigned initialLength)
{
- unsigned vectorLength = std::max(BASE_VECTOR_LEN, initialLength);
+ unsigned vectorLength = initialLength;
if (vectorLength > MAX_STORAGE_VECTOR_LENGTH)
return 0;
- void* temp;
- if (!vm.heap.tryAllocateStorage(0, Butterfly::totalSize(0, structure->outOfLineCapacity(), true, vectorLength * sizeof(EncodedJSValue)), &temp))
- return 0;
+ void* temp = vm.heap.tryAllocateAuxiliary(nullptr, Butterfly::totalSize(0, structure->outOfLineCapacity(), true, vectorLength * sizeof(EncodedJSValue)));
+ if (!temp)
+ return nullptr;
Butterfly* butterfly = Butterfly::fromBase(temp, 0, structure->outOfLineCapacity());
butterfly->setVectorLength(vectorLength);
butterfly->setPublicLength(initialLength);
-
+
+ for (unsigned i = initialLength; i < vectorLength; ++i)
+ butterfly->contiguous()[i].clear();
+
return JSArray::createWithButterfly(vm, structure, butterfly);
}
@@ -67,40 +70,54 @@
// FIXME: This should handle array allocation errors gracefully.
// https://bugs.webkit.org/show_bug.cgi?id=155144
+ auto setProperties = [&] () {
+ array->putDirect(vm, RegExpMatchesArrayIndexPropertyOffset, jsNumber(result.start));
+ array->putDirect(vm, RegExpMatchesArrayInputPropertyOffset, input);
+ };
+
+ unsigned numSubpatterns = regExp->numSubpatterns();
+
if (UNLIKELY(globalObject->isHavingABadTime())) {
- array = JSArray::tryCreateUninitialized(vm, globalObject->regExpMatchesArrayStructure(), regExp->numSubpatterns() + 1);
+ array = JSArray::tryCreateUninitialized(vm, globalObject->regExpMatchesArrayStructure(), numSubpatterns + 1);
+
+ setProperties();
+
+ array->initializeIndex(vm, 0, jsUndefined());
+
+ for (unsigned i = 1; i <= numSubpatterns; ++i)
+ array->initializeIndex(vm, i, jsUndefined());
+
+ // Now the object is safe to scan by GC.
array->initializeIndex(vm, 0, jsSubstringOfResolved(vm, input, result.start, result.end - result.start));
- if (unsigned numSubpatterns = regExp->numSubpatterns()) {
- for (unsigned i = 1; i <= numSubpatterns; ++i) {
- int start = subpatternResults[2 * i];
- if (start >= 0)
- array->initializeIndex(vm, i, JSRopeString::createSubstringOfResolved(vm, input, start, subpatternResults[2 * i + 1] - start));
- else
- array->initializeIndex(vm, i, jsUndefined());
- }
+ for (unsigned i = 1; i <= numSubpatterns; ++i) {
+ int start = subpatternResults[2 * i];
+ if (start >= 0)
+ array->initializeIndex(vm, i, JSRopeString::createSubstringOfResolved(vm, input, start, subpatternResults[2 * i + 1] - start));
}
} else {
- array = tryCreateUninitializedRegExpMatchesArray(vm, globalObject->regExpMatchesArrayStructure(), regExp->numSubpatterns() + 1);
+ array = tryCreateUninitializedRegExpMatchesArray(vm, globalObject->regExpMatchesArrayStructure(), numSubpatterns + 1);
RELEASE_ASSERT(array);
+ setProperties();
+
+ array->initializeIndex(vm, 0, jsUndefined(), ArrayWithContiguous);
+
+ for (unsigned i = 1; i <= numSubpatterns; ++i)
+ array->initializeIndex(vm, i, jsUndefined(), ArrayWithContiguous);
+
+ // Now the object is safe to scan by GC.
+
array->initializeIndex(vm, 0, jsSubstringOfResolved(vm, input, result.start, result.end - result.start), ArrayWithContiguous);
- if (unsigned numSubpatterns = regExp->numSubpatterns()) {
- for (unsigned i = 1; i <= numSubpatterns; ++i) {
- int start = subpatternResults[2 * i];
- if (start >= 0)
- array->initializeIndex(vm, i, JSRopeString::createSubstringOfResolved(vm, input, start, subpatternResults[2 * i + 1] - start), ArrayWithContiguous);
- else
- array->initializeIndex(vm, i, jsUndefined(), ArrayWithContiguous);
- }
+ for (unsigned i = 1; i <= numSubpatterns; ++i) {
+ int start = subpatternResults[2 * i];
+ if (start >= 0)
+ array->initializeIndex(vm, i, JSRopeString::createSubstringOfResolved(vm, input, start, subpatternResults[2 * i + 1] - start), ArrayWithContiguous);
}
}
- array->putDirect(vm, RegExpMatchesArrayIndexPropertyOffset, jsNumber(result.start));
- array->putDirect(vm, RegExpMatchesArrayInputPropertyOffset, input);
-
return array;
}
diff --git a/Source/JavaScriptCore/runtime/RegExpPrototype.cpp b/Source/JavaScriptCore/runtime/RegExpPrototype.cpp
index 4f9758d..919fd70 100644
--- a/Source/JavaScriptCore/runtime/RegExpPrototype.cpp
+++ b/Source/JavaScriptCore/runtime/RegExpPrototype.cpp
@@ -503,12 +503,14 @@
unsigned& matchPosition, bool regExpIsSticky, bool regExpIsUnicode,
const ControlFunc& control, const PushFunc& push)
{
+ Vector<int> ovector;
+
while (matchPosition < inputSize) {
if (control() == AbortSplit)
return;
- Vector<int, 32> ovector;
-
+ ovector.resize(0);
+
// a. Perform ? Set(splitter, "lastIndex", q, true).
// b. Let z be ? RegExpExec(splitter, S).
int mpos = regexp->match(vm, input, matchPosition, ovector);
diff --git a/Source/JavaScriptCore/runtime/RuntimeType.cpp b/Source/JavaScriptCore/runtime/RuntimeType.cpp
index 6ef504b..dfd8cc9 100644
--- a/Source/JavaScriptCore/runtime/RuntimeType.cpp
+++ b/Source/JavaScriptCore/runtime/RuntimeType.cpp
@@ -28,8 +28,7 @@
#include "config.h"
#include "RuntimeType.h"
-#include "JSCJSValue.h"
-#include "JSCJSValueInlines.h"
+#include "JSCInlines.h"
namespace JSC {
diff --git a/Source/JavaScriptCore/runtime/SamplingProfiler.cpp b/Source/JavaScriptCore/runtime/SamplingProfiler.cpp
index 0ba0927..81f7a7d 100644
--- a/Source/JavaScriptCore/runtime/SamplingProfiler.cpp
+++ b/Source/JavaScriptCore/runtime/SamplingProfiler.cpp
@@ -33,6 +33,7 @@
#include "Executable.h"
#include "HeapInlines.h"
#include "HeapIterationScope.h"
+#include "HeapUtil.h"
#include "InlineCallFrame.h"
#include "Interpreter.h"
#include "JSCJSValueInlines.h"
@@ -357,7 +358,6 @@
RELEASE_ASSERT(m_lock.isLocked());
TinyBloomFilter filter = m_vm.heap.objectSpace().blocks().filter();
- MarkedBlockSet& markedBlockSet = m_vm.heap.objectSpace().blocks();
for (UnprocessedStackTrace& unprocessedStackTrace : m_unprocessedStackTraces) {
m_stackTraces.append(StackTrace());
@@ -391,7 +391,7 @@
JSValue callee = JSValue::decode(encodedCallee);
StackFrame& stackFrame = stackTrace.frames.last();
bool alreadyHasExecutable = !!stackFrame.executable;
- if (!Heap::isValueGCObject(filter, markedBlockSet, callee)) {
+ if (!HeapUtil::isValueGCObject(m_vm.heap, filter, callee)) {
if (!alreadyHasExecutable)
stackFrame.frameType = FrameType::Unknown;
return;
@@ -436,7 +436,7 @@
return;
}
- RELEASE_ASSERT(Heap::isPointerGCObject(filter, markedBlockSet, executable));
+ RELEASE_ASSERT(HeapUtil::isPointerGCObjectJSCell(m_vm.heap, filter, executable));
stackFrame.frameType = FrameType::Executable;
stackFrame.executable = executable;
m_liveCellPointers.add(executable);
diff --git a/Source/JavaScriptCore/runtime/SetConstructor.cpp b/Source/JavaScriptCore/runtime/SetConstructor.cpp
index 8c293b7..e30561c 100644
--- a/Source/JavaScriptCore/runtime/SetConstructor.cpp
+++ b/Source/JavaScriptCore/runtime/SetConstructor.cpp
@@ -29,14 +29,12 @@
#include "Error.h"
#include "GetterSetter.h"
#include "IteratorOperations.h"
-#include "JSCJSValueInlines.h"
-#include "JSCellInlines.h"
+#include "JSCInlines.h"
#include "JSGlobalObject.h"
#include "JSObjectInlines.h"
#include "JSSet.h"
#include "MapData.h"
#include "SetPrototype.h"
-#include "StructureInlines.h"
namespace JSC {
diff --git a/Source/JavaScriptCore/runtime/SetIteratorPrototype.cpp b/Source/JavaScriptCore/runtime/SetIteratorPrototype.cpp
index 1e92e79..5a12c68 100644
--- a/Source/JavaScriptCore/runtime/SetIteratorPrototype.cpp
+++ b/Source/JavaScriptCore/runtime/SetIteratorPrototype.cpp
@@ -27,10 +27,8 @@
#include "SetIteratorPrototype.h"
#include "IteratorOperations.h"
-#include "JSCJSValueInlines.h"
-#include "JSCellInlines.h"
+#include "JSCInlines.h"
#include "JSSetIterator.h"
-#include "StructureInlines.h"
namespace JSC {
diff --git a/Source/JavaScriptCore/runtime/SetPrototype.cpp b/Source/JavaScriptCore/runtime/SetPrototype.cpp
index f893ec5..80046d6 100644
--- a/Source/JavaScriptCore/runtime/SetPrototype.cpp
+++ b/Source/JavaScriptCore/runtime/SetPrototype.cpp
@@ -31,13 +31,11 @@
#include "ExceptionHelpers.h"
#include "GetterSetter.h"
#include "IteratorOperations.h"
-#include "JSCJSValueInlines.h"
-#include "JSFunctionInlines.h"
+#include "JSCInlines.h"
#include "JSSet.h"
#include "JSSetIterator.h"
#include "Lookup.h"
#include "MapDataInlines.h"
-#include "StructureInlines.h"
#include "SetPrototype.lut.h"
diff --git a/Source/JavaScriptCore/runtime/StackFrame.cpp b/Source/JavaScriptCore/runtime/StackFrame.cpp
new file mode 100644
index 0000000..ea7ec5e
--- /dev/null
+++ b/Source/JavaScriptCore/runtime/StackFrame.cpp
@@ -0,0 +1,119 @@
+/*
+ * Copyright (C) 2016 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "StackFrame.h"
+
+#include "CodeBlock.h"
+#include "DebuggerPrimitives.h"
+#include "JSCInlines.h"
+#include <wtf/text/StringBuilder.h>
+
+namespace JSC {
+
+intptr_t StackFrame::sourceID() const
+{
+ if (!codeBlock)
+ return noSourceID;
+ return codeBlock->ownerScriptExecutable()->sourceID();
+}
+
+String StackFrame::sourceURL() const
+{
+ if (!codeBlock)
+ return ASCIILiteral("[native code]");
+
+ String sourceURL = codeBlock->ownerScriptExecutable()->sourceURL();
+ if (!sourceURL.isNull())
+ return sourceURL;
+ return emptyString();
+}
+
+String StackFrame::functionName(VM& vm) const
+{
+ if (codeBlock) {
+ switch (codeBlock->codeType()) {
+ case EvalCode:
+ return ASCIILiteral("eval code");
+ case ModuleCode:
+ return ASCIILiteral("module code");
+ case FunctionCode:
+ break;
+ case GlobalCode:
+ return ASCIILiteral("global code");
+ default:
+ ASSERT_NOT_REACHED();
+ }
+ }
+ String name;
+ if (callee)
+ name = getCalculatedDisplayName(vm, callee.get()).impl();
+ return name.isNull() ? emptyString() : name;
+}
+
+void StackFrame::computeLineAndColumn(unsigned& line, unsigned& column) const
+{
+ if (!codeBlock) {
+ line = 0;
+ column = 0;
+ return;
+ }
+
+ int divot = 0;
+ int unusedStartOffset = 0;
+ int unusedEndOffset = 0;
+ codeBlock->expressionRangeForBytecodeOffset(bytecodeOffset, divot, unusedStartOffset, unusedEndOffset, line, column);
+
+ ScriptExecutable* executable = codeBlock->ownerScriptExecutable();
+ if (executable->hasOverrideLineNumber())
+ line = executable->overrideLineNumber();
+}
+
+String StackFrame::toString(VM& vm) const
+{
+ StringBuilder traceBuild;
+ String functionName = this->functionName(vm);
+ String sourceURL = this->sourceURL();
+ traceBuild.append(functionName);
+ if (!sourceURL.isEmpty()) {
+ if (!functionName.isEmpty())
+ traceBuild.append('@');
+ traceBuild.append(sourceURL);
+ if (codeBlock) {
+ unsigned line;
+ unsigned column;
+ computeLineAndColumn(line, column);
+
+ traceBuild.append(':');
+ traceBuild.appendNumber(line);
+ traceBuild.append(':');
+ traceBuild.appendNumber(column);
+ }
+ }
+ return traceBuild.toString().impl();
+}
+
+} // namespace JSC
+
diff --git a/Source/JavaScriptCore/runtime/StackFrame.h b/Source/JavaScriptCore/runtime/StackFrame.h
new file mode 100644
index 0000000..3c137c1
--- /dev/null
+++ b/Source/JavaScriptCore/runtime/StackFrame.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2016 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#pragma once
+
+#include "Strong.h"
+
+namespace JSC {
+
+class CodeBlock;
+class JSObject;
+
+struct StackFrame {
+ Strong<JSObject> callee;
+ Strong<CodeBlock> codeBlock;
+ unsigned bytecodeOffset;
+
+ bool isNative() const { return !codeBlock; }
+
+ void computeLineAndColumn(unsigned& line, unsigned& column) const;
+ String functionName(VM&) const;
+ intptr_t sourceID() const;
+ String sourceURL() const;
+ String toString(VM&) const;
+};
+
+} // namespace JSC
+
diff --git a/Source/JavaScriptCore/runtime/StringConstructor.cpp b/Source/JavaScriptCore/runtime/StringConstructor.cpp
index 74d2305..92ad2dc 100644
--- a/Source/JavaScriptCore/runtime/StringConstructor.cpp
+++ b/Source/JavaScriptCore/runtime/StringConstructor.cpp
@@ -28,6 +28,7 @@
#include "JSGlobalObject.h"
#include "JSCInlines.h"
#include "StringPrototype.h"
+#include <wtf/text/StringBuilder.h>
namespace JSC {
diff --git a/Source/JavaScriptCore/runtime/StringIteratorPrototype.cpp b/Source/JavaScriptCore/runtime/StringIteratorPrototype.cpp
index 38423ba..f2e6edd 100644
--- a/Source/JavaScriptCore/runtime/StringIteratorPrototype.cpp
+++ b/Source/JavaScriptCore/runtime/StringIteratorPrototype.cpp
@@ -27,12 +27,10 @@
#include "config.h"
#include "StringIteratorPrototype.h"
-#include "JSCJSValueInlines.h"
-#include "JSCellInlines.h"
+#include "JSCInlines.h"
#include "JSGlobalObject.h"
#include "JSStringIterator.h"
#include "ObjectConstructor.h"
-#include "StructureInlines.h"
#include "StringIteratorPrototype.lut.h"
diff --git a/Source/JavaScriptCore/runtime/StructureInlines.h b/Source/JavaScriptCore/runtime/StructureInlines.h
index b943b7e..95d2369 100644
--- a/Source/JavaScriptCore/runtime/StructureInlines.h
+++ b/Source/JavaScriptCore/runtime/StructureInlines.h
@@ -242,7 +242,6 @@
ALWAYS_INLINE WriteBarrier<PropertyTable>& Structure::propertyTable()
{
- ASSERT(!globalObject() || (!globalObject()->vm().heap.isCollecting() || globalObject()->vm().heap.isHeapSnapshotting()));
return m_propertyTableUnsafe;
}
diff --git a/Source/JavaScriptCore/runtime/TemplateRegistry.cpp b/Source/JavaScriptCore/runtime/TemplateRegistry.cpp
index 579e1b6..925807a 100644
--- a/Source/JavaScriptCore/runtime/TemplateRegistry.cpp
+++ b/Source/JavaScriptCore/runtime/TemplateRegistry.cpp
@@ -26,10 +26,9 @@
#include "config.h"
#include "TemplateRegistry.h"
-#include "JSCJSValueInlines.h"
+#include "JSCInlines.h"
#include "JSGlobalObject.h"
#include "ObjectConstructor.h"
-#include "StructureInlines.h"
#include "WeakGCMapInlines.h"
namespace JSC {
diff --git a/Source/JavaScriptCore/runtime/TestRunnerUtils.cpp b/Source/JavaScriptCore/runtime/TestRunnerUtils.cpp
index 43aa456..516054d 100644
--- a/Source/JavaScriptCore/runtime/TestRunnerUtils.cpp
+++ b/Source/JavaScriptCore/runtime/TestRunnerUtils.cpp
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2013, 2014 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2014, 2016 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -27,7 +27,9 @@
#include "TestRunnerUtils.h"
#include "CodeBlock.h"
+#include "HeapStatistics.h"
#include "JSCInlines.h"
+#include "LLIntData.h"
namespace JSC {
@@ -150,5 +152,14 @@
return optimizeNextInvocation(exec->uncheckedArgument(0));
}
+// This is a hook called at the bitter end of some of our tests.
+void finalizeStatsAtEndOfTesting()
+{
+ if (Options::logHeapStatisticsAtExit())
+ HeapStatistics::reportSuccess();
+ if (Options::reportLLIntStats())
+ LLInt::Data::finalizeStats();
+}
+
} // namespace JSC
diff --git a/Source/JavaScriptCore/runtime/TestRunnerUtils.h b/Source/JavaScriptCore/runtime/TestRunnerUtils.h
index 14658d6..875fbb6 100644
--- a/Source/JavaScriptCore/runtime/TestRunnerUtils.h
+++ b/Source/JavaScriptCore/runtime/TestRunnerUtils.h
@@ -53,6 +53,8 @@
JS_EXPORT_PRIVATE unsigned numberOfStaticOSRExitFuzzChecks();
JS_EXPORT_PRIVATE unsigned numberOfOSRExitFuzzChecks();
+JS_EXPORT_PRIVATE void finalizeStatsAtEndOfTesting();
+
} // namespace JSC
#endif // TestRunnerUtils_h
diff --git a/Source/JavaScriptCore/runtime/ThrowScope.cpp b/Source/JavaScriptCore/runtime/ThrowScope.cpp
index 57fd99a..09c7c03 100644
--- a/Source/JavaScriptCore/runtime/ThrowScope.cpp
+++ b/Source/JavaScriptCore/runtime/ThrowScope.cpp
@@ -26,7 +26,7 @@
#include "config.h"
#include "ThrowScope.h"
-#include "JSCJSValueInlines.h"
+#include "JSCInlines.h"
#include "VM.h"
namespace JSC {
diff --git a/Source/JavaScriptCore/runtime/TypeProfilerLog.cpp b/Source/JavaScriptCore/runtime/TypeProfilerLog.cpp
index 9d10aae..60d14e4 100644
--- a/Source/JavaScriptCore/runtime/TypeProfilerLog.cpp
+++ b/Source/JavaScriptCore/runtime/TypeProfilerLog.cpp
@@ -29,7 +29,7 @@
#include "config.h"
#include "TypeProfilerLog.h"
-#include "JSCJSValueInlines.h"
+#include "JSCInlines.h"
#include "TypeLocation.h"
#include <wtf/CurrentTime.h>
diff --git a/Source/JavaScriptCore/runtime/TypeSet.cpp b/Source/JavaScriptCore/runtime/TypeSet.cpp
index d923888..a6afbbd 100644
--- a/Source/JavaScriptCore/runtime/TypeSet.cpp
+++ b/Source/JavaScriptCore/runtime/TypeSet.cpp
@@ -27,8 +27,7 @@
#include "TypeSet.h"
#include "InspectorProtocolObjects.h"
-#include "JSCJSValue.h"
-#include "JSCJSValueInlines.h"
+#include "JSCInlines.h"
#include <wtf/text/CString.h>
#include <wtf/text/WTFString.h>
#include <wtf/text/StringBuilder.h>
diff --git a/Source/JavaScriptCore/runtime/VM.cpp b/Source/JavaScriptCore/runtime/VM.cpp
index c30122c..1bee77f 100644
--- a/Source/JavaScriptCore/runtime/VM.cpp
+++ b/Source/JavaScriptCore/runtime/VM.cpp
@@ -69,6 +69,7 @@
#include "JSPropertyNameEnumerator.h"
#include "JSTemplateRegistryKey.h"
#include "JSWithScope.h"
+#include "LLIntData.h"
#include "Lexer.h"
#include "Lookup.h"
#include "MapData.h"
@@ -98,6 +99,7 @@
#include "WeakMapData.h"
#include <wtf/CurrentTime.h>
#include <wtf/ProcessID.h>
+#include <wtf/SimpleStats.h>
#include <wtf/StringPrintStream.h>
#include <wtf/Threading.h>
#include <wtf/WTFThreadData.h>
@@ -106,6 +108,7 @@
#if !ENABLE(JIT)
#include "CLoopStack.h"
+#include "CLoopStackInlines.h"
#endif
#if ENABLE(DFG_JIT)
@@ -162,6 +165,7 @@
, m_atomicStringTable(vmType == Default ? wtfThreadData().atomicStringTable() : new AtomicStringTable)
, propertyNames(nullptr)
, emptyList(new MarkedArgumentBuffer)
+ , machineCodeBytesPerBytecodeWordForBaselineJIT(std::make_unique<SimpleStats>())
, customGetterSetterFunctionMap(*this)
, stringCache(*this)
, symbolImplToSymbolMap(*this)
@@ -873,4 +877,16 @@
#endif
}
+#if !ENABLE(JIT)
+bool VM::ensureStackCapacityForCLoop(Register* newTopOfStack)
+{
+ return interpreter->cloopStack().ensureCapacityFor(newTopOfStack);
+}
+
+bool VM::isSafeToRecurseSoftCLoop() const
+{
+ return interpreter->cloopStack().isSafeToRecurse();
+}
+#endif // !ENABLE(JIT)
+
} // namespace JSC
diff --git a/Source/JavaScriptCore/runtime/VM.h b/Source/JavaScriptCore/runtime/VM.h
index d6f4e80..eabc4eb 100644
--- a/Source/JavaScriptCore/runtime/VM.h
+++ b/Source/JavaScriptCore/runtime/VM.h
@@ -39,7 +39,6 @@
#include "JITThunks.h"
#include "JSCJSValue.h"
#include "JSLock.h"
-#include "LLIntData.h"
#include "MacroAssemblerCodeRef.h"
#include "Microtask.h"
#include "NumericStrings.h"
@@ -60,7 +59,6 @@
#include <wtf/Forward.h>
#include <wtf/HashMap.h>
#include <wtf/HashSet.h>
-#include <wtf/SimpleStats.h>
#include <wtf/StackBounds.h>
#include <wtf/Stopwatch.h>
#include <wtf/ThreadSafeRefCounted.h>
@@ -72,6 +70,11 @@
#include <wtf/ListHashSet.h>
#endif
+namespace WTF {
+class SimpleStats;
+} // namespace WTF
+using WTF::SimpleStats;
+
namespace JSC {
class BuiltinExecutables;
@@ -342,7 +345,7 @@
SmallStrings smallStrings;
NumericStrings numericStrings;
DateInstanceCache dateInstanceCache;
- WTF::SimpleStats machineCodeBytesPerBytecodeWordForBaselineJIT;
+ std::unique_ptr<SimpleStats> machineCodeBytesPerBytecodeWordForBaselineJIT;
WeakGCMap<std::pair<CustomGetterSetter*, int>, JSCustomGetterSetterFunction> customGetterSetterFunctionMap;
WeakGCMap<StringImpl*, JSString, PtrHash<StringImpl*>> stringCache;
Strong<JSString> lastCachedString;
@@ -642,6 +645,11 @@
m_lastException = exception;
}
+#if !ENABLE(JIT)
+ bool ensureStackCapacityForCLoop(Register* newTopOfStack);
+ bool isSafeToRecurseSoftCLoop() const;
+#endif // !ENABLE(JIT)
+
JS_EXPORT_PRIVATE void throwException(ExecState*, Exception*);
JS_EXPORT_PRIVATE JSValue throwException(ExecState*, JSValue);
JS_EXPORT_PRIVATE JSObject* throwException(ExecState*, JSObject*);
diff --git a/Source/JavaScriptCore/runtime/VMEntryScope.h b/Source/JavaScriptCore/runtime/VMEntryScope.h
index 2942c36..178bc3b 100644
--- a/Source/JavaScriptCore/runtime/VMEntryScope.h
+++ b/Source/JavaScriptCore/runtime/VMEntryScope.h
@@ -26,7 +26,6 @@
#ifndef VMEntryScope_h
#define VMEntryScope_h
-#include "Interpreter.h"
#include <wtf/StackBounds.h>
#include <wtf/StackStats.h>
#include <wtf/Vector.h>
diff --git a/Source/JavaScriptCore/runtime/VMInlines.h b/Source/JavaScriptCore/runtime/VMInlines.h
index d12250d..626e479 100644
--- a/Source/JavaScriptCore/runtime/VMInlines.h
+++ b/Source/JavaScriptCore/runtime/VMInlines.h
@@ -30,10 +30,6 @@
#include "VM.h"
#include "Watchdog.h"
-#if !ENABLE(JIT)
-#include "CLoopStackInlines.h"
-#endif
-
namespace JSC {
bool VM::ensureStackCapacityFor(Register* newTopOfStack)
@@ -42,7 +38,7 @@
ASSERT(wtfThreadData().stack().isGrowingDownward());
return newTopOfStack >= m_softStackLimit;
#else
- return interpreter->cloopStack().ensureCapacityFor(newTopOfStack);
+ return ensureStackCapacityForCLoop(newTopOfStack);
#endif
}
@@ -51,7 +47,7 @@
{
bool safe = isSafeToRecurse(m_softStackLimit);
#if !ENABLE(JIT)
- safe = safe && interpreter->cloopStack().isSafeToRecurse();
+ safe = safe && isSafeToRecurseSoftCLoop();
#endif
return safe;
}
diff --git a/Source/JavaScriptCore/runtime/WeakMapConstructor.cpp b/Source/JavaScriptCore/runtime/WeakMapConstructor.cpp
index d91818a..75343b1 100644
--- a/Source/JavaScriptCore/runtime/WeakMapConstructor.cpp
+++ b/Source/JavaScriptCore/runtime/WeakMapConstructor.cpp
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2013 Apple, Inc. All rights reserved.
+ * Copyright (C) 2013, 2016 Apple, Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -28,12 +28,10 @@
#include "Error.h"
#include "IteratorOperations.h"
-#include "JSCJSValueInlines.h"
-#include "JSCellInlines.h"
+#include "JSCInlines.h"
#include "JSGlobalObject.h"
#include "JSObjectInlines.h"
#include "JSWeakMap.h"
-#include "StructureInlines.h"
#include "WeakMapPrototype.h"
namespace JSC {
diff --git a/Source/JavaScriptCore/runtime/WeakMapData.cpp b/Source/JavaScriptCore/runtime/WeakMapData.cpp
index 1332e8e..a6842c9 100644
--- a/Source/JavaScriptCore/runtime/WeakMapData.cpp
+++ b/Source/JavaScriptCore/runtime/WeakMapData.cpp
@@ -29,8 +29,7 @@
#include "CopiedAllocator.h"
#include "CopyVisitorInlines.h"
#include "ExceptionHelpers.h"
-#include "JSCJSValueInlines.h"
-#include "SlotVisitorInlines.h"
+#include "JSCInlines.h"
#include <wtf/MathExtras.h>
diff --git a/Source/JavaScriptCore/runtime/WeakMapPrototype.cpp b/Source/JavaScriptCore/runtime/WeakMapPrototype.cpp
index bd40d9a..0964e83 100644
--- a/Source/JavaScriptCore/runtime/WeakMapPrototype.cpp
+++ b/Source/JavaScriptCore/runtime/WeakMapPrototype.cpp
@@ -26,9 +26,8 @@
#include "config.h"
#include "WeakMapPrototype.h"
-#include "JSCJSValueInlines.h"
+#include "JSCInlines.h"
#include "JSWeakMap.h"
-#include "StructureInlines.h"
#include "WeakMapData.h"
namespace JSC {
diff --git a/Source/JavaScriptCore/runtime/WeakSetConstructor.cpp b/Source/JavaScriptCore/runtime/WeakSetConstructor.cpp
index 56c55ce..270e7c7 100644
--- a/Source/JavaScriptCore/runtime/WeakSetConstructor.cpp
+++ b/Source/JavaScriptCore/runtime/WeakSetConstructor.cpp
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2015 Apple, Inc. All rights reserved.
+ * Copyright (C) 2015-2016 Apple, Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -28,12 +28,10 @@
#include "Error.h"
#include "IteratorOperations.h"
-#include "JSCJSValueInlines.h"
-#include "JSCellInlines.h"
+#include "JSCInlines.h"
#include "JSGlobalObject.h"
#include "JSObjectInlines.h"
#include "JSWeakSet.h"
-#include "StructureInlines.h"
#include "WeakSetPrototype.h"
namespace JSC {
diff --git a/Source/JavaScriptCore/runtime/WeakSetPrototype.cpp b/Source/JavaScriptCore/runtime/WeakSetPrototype.cpp
index b739057..dc756f1 100644
--- a/Source/JavaScriptCore/runtime/WeakSetPrototype.cpp
+++ b/Source/JavaScriptCore/runtime/WeakSetPrototype.cpp
@@ -26,9 +26,8 @@
#include "config.h"
#include "WeakSetPrototype.h"
-#include "JSCJSValueInlines.h"
+#include "JSCInlines.h"
#include "JSWeakSet.h"
-#include "StructureInlines.h"
#include "WeakMapData.h"
namespace JSC {
