<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[164764] trunk/Source/JavaScriptCore</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/164764">164764</a></dd>
<dt>Author</dt> <dd>mhahnenberg@apple.com</dd>
<dt>Date</dt> <dd>2014-02-26 17:27:18 -0800 (Wed, 26 Feb 2014)</dd>
</dl>

<h3>Log Message</h3>
<pre>Make JSCells have 32-bit Structure pointers
https://bugs.webkit.org/show_bug.cgi?id=123195

Reviewed by Filip Pizlo.

This patch changes JSCells such that they no longer have a full 64-bit Structure
pointer in their header. Instead they now have a 32-bit index into
a per-VM table of Structure pointers. 32-bit platforms still use normal Structure
pointers.

This change frees up an additional 32 bits of information in our object headers.
We then use this extra space to store the indexing type of the object, the JSType
of the object, various type flags, and garbage collection data (e.g. mark bit).
Because this inline type information is now faster to read, it pays for the slowdown
incurred by having to perform an extra indirection through the StructureIDTable.

This patch also threads a reference to the current VM through more of the C++ runtime
to offset the cost of having to look up the VM to get the actual Structure pointer.

* API/JSContext.mm:
(-[JSContext setException:]):
(-[JSContext wrapperForObjCObject:]):
(-[JSContext wrapperForJSObject:]):
* API/JSContextRef.cpp:
(JSContextGroupRelease):
(JSGlobalContextRelease):
* API/JSObjectRef.cpp:
(JSObjectIsFunction):
(JSObjectCopyPropertyNames):
* API/JSValue.mm:
(containerValueToObject):
* API/JSWrapperMap.mm:
(tryUnwrapObjcObject):
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
* JavaScriptCore.xcodeproj/project.pbxproj:
* assembler/AbstractMacroAssembler.h:
* assembler/MacroAssembler.h:
(JSC::MacroAssembler::patchableBranch32WithPatch):
(JSC::MacroAssembler::patchableBranch32):
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::branchPtrWithPatch):
(JSC::MacroAssemblerARM64::patchableBranch32WithPatch):
(JSC::MacroAssemblerARM64::canJumpReplacePatchableBranch32WithPatch):
(JSC::MacroAssemblerARM64::startOfPatchableBranch32WithPatchOnAddress):
(JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranch32WithPatch):
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::store8):
(JSC::MacroAssemblerARMv7::branch32WithPatch):
(JSC::MacroAssemblerARMv7::patchableBranch32WithPatch):
(JSC::MacroAssemblerARMv7::canJumpReplacePatchableBranch32WithPatch):
(JSC::MacroAssemblerARMv7::startOfPatchableBranch32WithPatchOnAddress):
(JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranch32WithPatch):
* assembler/MacroAssemblerX86.h:
(JSC::MacroAssemblerX86::branch32WithPatch):
(JSC::MacroAssemblerX86::canJumpReplacePatchableBranch32WithPatch):
(JSC::MacroAssemblerX86::startOfPatchableBranch32WithPatchOnAddress):
(JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranch32WithPatch):
* assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::store32):
(JSC::MacroAssemblerX86_64::moveWithPatch):
(JSC::MacroAssemblerX86_64::branch32WithPatch):
(JSC::MacroAssemblerX86_64::canJumpReplacePatchableBranch32WithPatch):
(JSC::MacroAssemblerX86_64::startOfBranch32WithPatchOnRegister):
(JSC::MacroAssemblerX86_64::startOfPatchableBranch32WithPatchOnAddress):
(JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranch32WithPatch):
* assembler/RepatchBuffer.h:
(JSC::RepatchBuffer::startOfPatchableBranch32WithPatchOnAddress):
(JSC::RepatchBuffer::revertJumpReplacementToPatchableBranch32WithPatch):
* assembler/X86Assembler.h:
(JSC::X86Assembler::revertJumpTo_movq_i64r):
(JSC::X86Assembler::revertJumpTo_movl_i32r):
* bytecode/ArrayProfile.cpp:
(JSC::ArrayProfile::computeUpdatedPrediction):
* bytecode/ArrayProfile.h:
(JSC::ArrayProfile::ArrayProfile):
(JSC::ArrayProfile::addressOfLastSeenStructureID):
(JSC::ArrayProfile::observeStructure):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::heap):
* bytecode/UnlinkedCodeBlock.h:
* debugger/Debugger.h:
* dfg/DFGAbstractHeap.h:
* dfg/DFGArrayifySlowPathGenerator.h:
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGJITCompiler.h:
(JSC::DFG::JITCompiler::branchWeakStructure):
(JSC::DFG::JITCompiler::branchStructurePtr):
* dfg/DFGOSRExitCompiler32_64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit):
* dfg/DFGOSRExitCompiler64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit):
* dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::osrWriteBarrier):
(JSC::DFG::adjustAndJumpToTarget):
* dfg/DFGOperations.cpp:
(JSC::DFG::putByVal):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::checkArray):
(JSC::DFG::SpeculativeJIT::arrayify):
(JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
(JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
(JSC::DFG::SpeculativeJIT::compileInstanceOf):
(JSC::DFG::SpeculativeJIT::compileToStringOnCell):
(JSC::DFG::SpeculativeJIT::speculateObject):
(JSC::DFG::SpeculativeJIT::speculateFinalObject):
(JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
(JSC::DFG::SpeculativeJIT::speculateString):
(JSC::DFG::SpeculativeJIT::speculateStringObject):
(JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
(JSC::DFG::SpeculativeJIT::emitSwitchChar):
(JSC::DFG::SpeculativeJIT::emitSwitchString):
(JSC::DFG::SpeculativeJIT::genericWriteBarrier):
(JSC::DFG::SpeculativeJIT::writeBarrier):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
(JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
(JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
(JSC::DFG::SpeculativeJIT::compileObjectEquality):
(JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
(JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
(JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
(JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
(JSC::DFG::SpeculativeJIT::compile):
(JSC::DFG::SpeculativeJIT::writeBarrier):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
(JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
(JSC::DFG::SpeculativeJIT::compileObjectEquality):
(JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
(JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
(JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
(JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
(JSC::DFG::SpeculativeJIT::compile):
(JSC::DFG::SpeculativeJIT::writeBarrier):
* dfg/DFGWorklist.cpp:
* ftl/FTLAbstractHeapRepository.cpp:
(JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
(JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
(JSC::FTL::LowerDFGToLLVM::compilePutStructure):
(JSC::FTL::LowerDFGToLLVM::compileToString):
(JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
(JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
(JSC::FTL::LowerDFGToLLVM::speculateTruthyObject):
(JSC::FTL::LowerDFGToLLVM::allocateCell):
(JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
(JSC::FTL::LowerDFGToLLVM::isObject):
(JSC::FTL::LowerDFGToLLVM::isString):
(JSC::FTL::LowerDFGToLLVM::isArrayType):
(JSC::FTL::LowerDFGToLLVM::hasClassInfo):
(JSC::FTL::LowerDFGToLLVM::isType):
(JSC::FTL::LowerDFGToLLVM::speculateStringOrStringObject):
(JSC::FTL::LowerDFGToLLVM::speculateStringObjectForCell):
(JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructureID):
(JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
(JSC::FTL::LowerDFGToLLVM::loadMarkByte):
(JSC::FTL::LowerDFGToLLVM::loadStructure):
(JSC::FTL::LowerDFGToLLVM::weakStructure):
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileStub):
* ftl/FTLOutput.h:
(JSC::FTL::Output::store8):
* heap/GCAssertions.h:
* heap/Heap.cpp:
(JSC::Heap::getConservativeRegisterRoots):
(JSC::Heap::collect):
(JSC::Heap::writeBarrier):
* heap/Heap.h:
(JSC::Heap::structureIDTable):
* heap/MarkedSpace.h:
(JSC::MarkedSpace::forEachBlock):
* heap/SlotVisitorInlines.h:
(JSC::SlotVisitor::internalAppend):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::branchIfCellNotObject):
(JSC::AssemblyHelpers::genericWriteBarrier):
(JSC::AssemblyHelpers::emitLoadStructure):
(JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
* jit/JIT.h:
* jit/JITCall.cpp:
(JSC::JIT::compileOpCall):
(JSC::JIT::privateCompileClosureCall):
* jit/JITCall32_64.cpp:
(JSC::JIT::emit_op_ret_object_or_this):
(JSC::JIT::compileOpCall):
(JSC::JIT::privateCompileClosureCall):
* jit/JITInlineCacheGenerator.cpp:
(JSC::JITByIdGenerator::generateFastPathChecks):
* jit/JITInlineCacheGenerator.h:
* jit/JITInlines.h:
(JSC::JIT::emitLoadCharacterString):
(JSC::JIT::checkStructure):
(JSC::JIT::emitJumpIfCellNotObject):
(JSC::JIT::emitAllocateJSObject):
(JSC::JIT::emitArrayProfilingSiteWithCell):
(JSC::JIT::emitArrayProfilingSiteForBytecodeIndexWithCell):
(JSC::JIT::branchStructure):
(JSC::branchStructure):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_check_has_instance):
(JSC::JIT::emit_op_instanceof):
(JSC::JIT::emit_op_is_undefined):
(JSC::JIT::emit_op_is_string):
(JSC::JIT::emit_op_ret_object_or_this):
(JSC::JIT::emit_op_to_primitive):
(JSC::JIT::emit_op_jeq_null):
(JSC::JIT::emit_op_jneq_null):
(JSC::JIT::emit_op_get_pnames):
(JSC::JIT::emit_op_next_pname):
(JSC::JIT::emit_op_eq_null):
(JSC::JIT::emit_op_neq_null):
(JSC::JIT::emit_op_to_this):
(JSC::JIT::emitSlow_op_to_this):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_check_has_instance):
(JSC::JIT::emit_op_instanceof):
(JSC::JIT::emit_op_is_undefined):
(JSC::JIT::emit_op_is_string):
(JSC::JIT::emit_op_to_primitive):
(JSC::JIT::emit_op_jeq_null):
(JSC::JIT::emit_op_jneq_null):
(JSC::JIT::emitSlow_op_eq):
(JSC::JIT::emitSlow_op_neq):
(JSC::JIT::compileOpStrictEq):
(JSC::JIT::emit_op_eq_null):
(JSC::JIT::emit_op_neq_null):
(JSC::JIT::emit_op_get_pnames):
(JSC::JIT::emit_op_next_pname):
(JSC::JIT::emit_op_to_this):
* jit/JITOperations.cpp:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::stringGetByValStubGenerator):
(JSC::JIT::emit_op_get_by_val):
(JSC::JIT::emitSlow_op_get_by_val):
(JSC::JIT::emit_op_get_by_pname):
(JSC::JIT::emit_op_put_by_val):
(JSC::JIT::emit_op_get_by_id):
(JSC::JIT::emitLoadWithStructureCheck):
(JSC::JIT::emitSlow_op_get_from_scope):
(JSC::JIT::emitSlow_op_put_to_scope):
(JSC::JIT::checkMarkWord):
(JSC::JIT::emitWriteBarrier):
(JSC::JIT::addStructureTransitionCheck):
(JSC::JIT::emitIntTypedArrayGetByVal):
(JSC::JIT::emitFloatTypedArrayGetByVal):
(JSC::JIT::emitIntTypedArrayPutByVal):
(JSC::JIT::emitFloatTypedArrayPutByVal):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::stringGetByValStubGenerator):
(JSC::JIT::emit_op_get_by_val):
(JSC::JIT::emitSlow_op_get_by_val):
(JSC::JIT::emit_op_put_by_val):
(JSC::JIT::emit_op_get_by_id):
(JSC::JIT::emit_op_get_by_pname):
(JSC::JIT::emitLoadWithStructureCheck):
* jit/JSInterfaceJIT.h:
(JSC::JSInterfaceJIT::emitJumpIfNotType):
* jit/Repatch.cpp:
(JSC::repatchByIdSelfAccess):
(JSC::addStructureTransitionCheck):
(JSC::replaceWithJump):
(JSC::generateProtoChainAccessStub):
(JSC::tryCacheGetByID):
(JSC::tryBuildGetByIDList):
(JSC::writeBarrier):
(JSC::emitPutReplaceStub):
(JSC::emitPutTransitionStub):
(JSC::tryBuildPutByIdList):
(JSC::tryRepatchIn):
(JSC::linkClosureCall):
(JSC::resetGetByID):
(JSC::resetPutByID):
* jit/SpecializedThunkJIT.h:
(JSC::SpecializedThunkJIT::loadJSStringArgument):
(JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
* jit/ThunkGenerators.cpp:
(JSC::virtualForThunkGenerator):
(JSC::arrayIteratorNextThunkGenerator):
* jit/UnusedPointer.h:
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/Arguments.cpp:
(JSC::Arguments::createStrictModeCallerIfNecessary):
(JSC::Arguments::createStrictModeCalleeIfNecessary):
* runtime/Arguments.h:
(JSC::Arguments::createStructure):
* runtime/ArrayPrototype.cpp:
(JSC::shift):
(JSC::unshift):
(JSC::arrayProtoFuncToString):
(JSC::arrayProtoFuncPop):
(JSC::arrayProtoFuncReverse):
(JSC::performSlowSort):
(JSC::arrayProtoFuncSort):
(JSC::arrayProtoFuncSplice):
(JSC::arrayProtoFuncUnShift):
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/Executable.h:
(JSC::ExecutableBase::isFunctionExecutable):
(JSC::ExecutableBase::clearCodeVirtual):
(JSC::ScriptExecutable::unlinkCalls):
* runtime/GetterSetter.cpp:
(JSC::callGetter):
(JSC::callSetter):
* runtime/InitializeThreading.cpp:
* runtime/JSArray.cpp:
(JSC::JSArray::unshiftCountSlowCase):
(JSC::JSArray::setLength):
(JSC::JSArray::pop):
(JSC::JSArray::push):
(JSC::JSArray::shiftCountWithArrayStorage):
(JSC::JSArray::shiftCountWithAnyIndexingType):
(JSC::JSArray::unshiftCountWithArrayStorage):
(JSC::JSArray::unshiftCountWithAnyIndexingType):
(JSC::JSArray::sortNumericVector):
(JSC::JSArray::sortNumeric):
(JSC::JSArray::sortCompactedVector):
(JSC::JSArray::sort):
(JSC::JSArray::sortVector):
(JSC::JSArray::fillArgList):
(JSC::JSArray::copyToArguments):
(JSC::JSArray::compactForSorting):
* runtime/JSCJSValueInlines.h:
(JSC::JSValue::toThis):
(JSC::JSValue::put):
(JSC::JSValue::putByIndex):
(JSC::JSValue::equalSlowCaseInline):
* runtime/JSCell.cpp:
(JSC::JSCell::put):
(JSC::JSCell::putByIndex):
(JSC::JSCell::deleteProperty):
(JSC::JSCell::deletePropertyByIndex):
* runtime/JSCell.h:
(JSC::JSCell::clearStructure):
(JSC::JSCell::mark):
(JSC::JSCell::isMarked):
(JSC::JSCell::structureIDOffset):
(JSC::JSCell::typeInfoFlagsOffset):
(JSC::JSCell::typeInfoTypeOffset):
(JSC::JSCell::indexingTypeOffset):
(JSC::JSCell::gcDataOffset):
* runtime/JSCellInlines.h:
(JSC::JSCell::JSCell):
(JSC::JSCell::finishCreation):
(JSC::JSCell::type):
(JSC::JSCell::indexingType):
(JSC::JSCell::structure):
(JSC::JSCell::visitChildren):
(JSC::JSCell::isObject):
(JSC::JSCell::isString):
(JSC::JSCell::isGetterSetter):
(JSC::JSCell::isProxy):
(JSC::JSCell::isAPIValueWrapper):
(JSC::JSCell::setStructure):
(JSC::JSCell::methodTable):
(JSC::Heap::writeBarrier):
* runtime/JSDataView.cpp:
(JSC::JSDataView::createStructure):
* runtime/JSDestructibleObject.h:
(JSC::JSCell::classInfo):
* runtime/JSFunction.cpp:
(JSC::JSFunction::getOwnNonIndexPropertyNames):
(JSC::JSFunction::put):
(JSC::JSFunction::defineOwnProperty):
* runtime/JSGenericTypedArrayView.h:
(JSC::JSGenericTypedArrayView::createStructure):
* runtime/JSObject.cpp:
(JSC::getCallableObjectSlow):
(JSC::JSObject::copyButterfly):
(JSC::JSObject::visitButterfly):
(JSC::JSFinalObject::visitChildren):
(JSC::JSObject::getOwnPropertySlotByIndex):
(JSC::JSObject::put):
(JSC::JSObject::putByIndex):
(JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
(JSC::JSObject::enterDictionaryIndexingMode):
(JSC::JSObject::notifyPresenceOfIndexedAccessors):
(JSC::JSObject::createInitialIndexedStorage):
(JSC::JSObject::createInitialUndecided):
(JSC::JSObject::createInitialInt32):
(JSC::JSObject::createInitialDouble):
(JSC::JSObject::createInitialContiguous):
(JSC::JSObject::createArrayStorage):
(JSC::JSObject::convertUndecidedToInt32):
(JSC::JSObject::convertUndecidedToDouble):
(JSC::JSObject::convertUndecidedToContiguous):
(JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
(JSC::JSObject::convertUndecidedToArrayStorage):
(JSC::JSObject::convertInt32ToDouble):
(JSC::JSObject::convertInt32ToContiguous):
(JSC::JSObject::convertInt32ToArrayStorage):
(JSC::JSObject::genericConvertDoubleToContiguous):
(JSC::JSObject::convertDoubleToArrayStorage):
(JSC::JSObject::convertContiguousToArrayStorage):
(JSC::JSObject::ensureInt32Slow):
(JSC::JSObject::ensureDoubleSlow):
(JSC::JSObject::ensureContiguousSlow):
(JSC::JSObject::ensureArrayStorageSlow):
(JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
(JSC::JSObject::switchToSlowPutArrayStorage):
(JSC::JSObject::setPrototype):
(JSC::JSObject::setPrototypeWithCycleCheck):
(JSC::JSObject::putDirectNonIndexAccessor):
(JSC::JSObject::deleteProperty):
(JSC::JSObject::hasOwnProperty):
(JSC::JSObject::deletePropertyByIndex):
(JSC::JSObject::getPrimitiveNumber):
(JSC::JSObject::hasInstance):
(JSC::JSObject::getPropertySpecificValue):
(JSC::JSObject::getPropertyNames):
(JSC::JSObject::getOwnPropertyNames):
(JSC::JSObject::getOwnNonIndexPropertyNames):
(JSC::JSObject::seal):
(JSC::JSObject::freeze):
(JSC::JSObject::preventExtensions):
(JSC::JSObject::reifyStaticFunctionsForDelete):
(JSC::JSObject::removeDirect):
(JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
(JSC::JSObject::putByIndexBeyondVectorLength):
(JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
(JSC::JSObject::putDirectIndexBeyondVectorLength):
(JSC::JSObject::getNewVectorLength):
(JSC::JSObject::countElements):
(JSC::JSObject::increaseVectorLength):
(JSC::JSObject::ensureLengthSlow):
(JSC::JSObject::growOutOfLineStorage):
(JSC::JSObject::getOwnPropertyDescriptor):
(JSC::putDescriptor):
(JSC::JSObject::defineOwnNonIndexProperty):
* runtime/JSObject.h:
(JSC::getJSFunction):
(JSC::JSObject::getArrayLength):
(JSC::JSObject::getVectorLength):
(JSC::JSObject::putByIndexInline):
(JSC::JSObject::canGetIndexQuickly):
(JSC::JSObject::getIndexQuickly):
(JSC::JSObject::tryGetIndexQuickly):
(JSC::JSObject::getDirectIndex):
(JSC::JSObject::canSetIndexQuickly):
(JSC::JSObject::canSetIndexQuicklyForPutDirect):
(JSC::JSObject::setIndexQuickly):
(JSC::JSObject::initializeIndex):
(JSC::JSObject::hasSparseMap):
(JSC::JSObject::inSparseIndexingMode):
(JSC::JSObject::getDirect):
(JSC::JSObject::getDirectOffset):
(JSC::JSObject::isSealed):
(JSC::JSObject::isFrozen):
(JSC::JSObject::flattenDictionaryObject):
(JSC::JSObject::ensureInt32):
(JSC::JSObject::ensureDouble):
(JSC::JSObject::ensureContiguous):
(JSC::JSObject::rageEnsureContiguous):
(JSC::JSObject::ensureArrayStorage):
(JSC::JSObject::arrayStorage):
(JSC::JSObject::arrayStorageOrNull):
(JSC::JSObject::ensureLength):
(JSC::JSObject::currentIndexingData):
(JSC::JSObject::getHolyIndexQuickly):
(JSC::JSObject::currentRelevantLength):
(JSC::JSObject::isGlobalObject):
(JSC::JSObject::isVariableObject):
(JSC::JSObject::isStaticScopeObject):
(JSC::JSObject::isNameScopeObject):
(JSC::JSObject::isActivationObject):
(JSC::JSObject::isErrorInstance):
(JSC::JSObject::inlineGetOwnPropertySlot):
(JSC::JSObject::fastGetOwnPropertySlot):
(JSC::JSObject::getPropertySlot):
(JSC::JSObject::putDirectInternal):
(JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
* runtime/JSPropertyNameIterator.h:
(JSC::JSPropertyNameIterator::createStructure):
* runtime/JSProxy.cpp:
(JSC::JSProxy::getOwnPropertySlot):
(JSC::JSProxy::getOwnPropertySlotByIndex):
(JSC::JSProxy::put):
(JSC::JSProxy::putByIndex):
(JSC::JSProxy::defineOwnProperty):
(JSC::JSProxy::deleteProperty):
(JSC::JSProxy::deletePropertyByIndex):
(JSC::JSProxy::getPropertyNames):
(JSC::JSProxy::getOwnPropertyNames):
* runtime/JSScope.cpp:
(JSC::JSScope::objectAtScope):
* runtime/JSString.h:
(JSC::JSString::createStructure):
(JSC::isJSString):
* runtime/JSType.h:
* runtime/JSTypeInfo.h:
(JSC::TypeInfo::TypeInfo):
(JSC::TypeInfo::isObject):
(JSC::TypeInfo::structureIsImmortal):
(JSC::TypeInfo::zeroedGCDataOffset):
(JSC::TypeInfo::inlineTypeFlags):
* runtime/MapData.h:
* runtime/ObjectConstructor.cpp:
(JSC::objectConstructorGetOwnPropertyNames):
(JSC::objectConstructorKeys):
(JSC::objectConstructorDefineProperty):
(JSC::defineProperties):
(JSC::objectConstructorSeal):
(JSC::objectConstructorFreeze):
(JSC::objectConstructorIsSealed):
(JSC::objectConstructorIsFrozen):
* runtime/ObjectPrototype.cpp:
(JSC::objectProtoFuncDefineGetter):
(JSC::objectProtoFuncDefineSetter):
(JSC::objectProtoFuncToString):
* runtime/Operations.cpp:
(JSC::jsTypeStringForValue):
(JSC::jsIsObjectType):
* runtime/Operations.h:
(JSC::normalizePrototypeChainForChainAccess):
(JSC::normalizePrototypeChain):
* runtime/PropertyMapHashTable.h:
(JSC::PropertyTable::createStructure):
* runtime/RegExp.h:
(JSC::RegExp::createStructure):
* runtime/SparseArrayValueMap.h:
* runtime/Structure.cpp:
(JSC::Structure::Structure):
(JSC::Structure::~Structure):
(JSC::Structure::prototypeChainMayInterceptStoreTo):
* runtime/Structure.h:
(JSC::Structure::id):
(JSC::Structure::idBlob):
(JSC::Structure::objectInitializationFields):
(JSC::Structure::structureIDOffset):
* runtime/StructureChain.h:
(JSC::StructureChain::createStructure):
* runtime/StructureIDTable.cpp: Added.
(JSC::StructureIDTable::StructureIDTable):
(JSC::StructureIDTable::~StructureIDTable):
(JSC::StructureIDTable::resize):
(JSC::StructureIDTable::flushOldTables):
(JSC::StructureIDTable::allocateID):
(JSC::StructureIDTable::deallocateID):
* runtime/StructureIDTable.h: Added.
(JSC::StructureIDTable::base):
(JSC::StructureIDTable::get):
* runtime/SymbolTable.h:
* runtime/TypedArrayType.cpp:
(JSC::typeForTypedArrayType):
* runtime/TypedArrayType.h:
* runtime/WeakMapData.h:</pre>
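<p>Added example, not code from this changeset or from WebKit: a simplified single-threaded C++ model of the layout the log message describes, with an 8-byte cell header holding a 32-bit structure ID next to the indexing type, JSType, flags and GC byte, resolved through a per-VM table. The names ModelStructure, ModelCellHeader, ModelStructureIDTable, ModelObjectType, the reserved ID 0 and the range and liveness checks in get() are assumptions made for illustration.</p>
<pre>
```cpp
// Added illustration: a simplified single-threaded model, not JavaScriptCore source.
typedef unsigned StructureID;   // 32-bit index kept in the cell header
static_assert(sizeof(StructureID) == 4, "model assumes a 32-bit unsigned");

// Stand-in for JSC::Structure; the three fields are assumptions for this model.
struct ModelStructure {
    unsigned char indexingType;
    unsigned char jsType;
    unsigned char inlineTypeFlags;
};

// One 64-bit word: the table index plus the four bytes the log message lists.
struct ModelCellHeader {
    StructureID structureID;
    unsigned char indexingType;
    unsigned char jsType;
    unsigned char inlineTypeFlags;
    unsigned char gcData;       // e.g. the mark bit
};
static_assert(sizeof(ModelCellHeader) == 8, "header must stay one 64-bit word");

const unsigned char ModelObjectType = 7;   // hypothetical JSType threshold

class ModelStructureIDTable {
public:
    explicit ModelStructureIDTable(unsigned capacity)
        : m_capacity(capacity < 2 ? 2 : capacity), m_size(1), m_firstFree(0)
    {
        m_slots = new Slot[m_capacity];    // slot 0 stays empty: ID 0 means "no structure"
    }
    ~ModelStructureIDTable() { delete[] m_slots; }
    ModelStructureIDTable(const ModelStructureIDTable&) = delete;
    ModelStructureIDTable& operator=(const ModelStructureIDTable&) = delete;

    // Returns a fresh or recycled ID, or 0 when no ID can be handed out.
    StructureID allocateID(ModelStructure* structure)
    {
        if (!structure)
            return 0;
        if (m_firstFree != 0) {            // reuse a freed slot first
            StructureID id = m_firstFree;
            m_firstFree = m_slots[id].nextFree;
            m_slots[id].structure = structure;
            m_slots[id].nextFree = 0;
            return id;
        }
        if (m_size == m_capacity) {
            if (m_capacity > 0x7fffffffu)  // doubling would overflow the 32-bit index space
                return 0;
            resize(m_capacity * 2);
        }
        m_slots[m_size].structure = structure;
        return m_size++;
    }

    // Refuses reserved, out-of-range and already-freed IDs.
    bool deallocateID(StructureID id)
    {
        if (!get(id))
            return false;
        m_slots[id].structure = nullptr;
        m_slots[id].nextFree = m_firstFree;
        m_firstFree = id;
        return true;
    }

    // The extra indirection: header index to Structure pointer.
    // A stale or corrupted ID yields nullptr instead of an out-of-bounds read.
    ModelStructure* get(StructureID id) const
    {
        if (id == 0 || id >= m_size)
            return nullptr;
        return m_slots[id].structure;
    }

private:
    struct Slot {
        ModelStructure* structure = nullptr;
        StructureID nextFree = 0;
    };

    // The changeset lists flushOldTables(); this model has no concurrent readers,
    // so it frees the old array immediately.
    void resize(unsigned newCapacity)
    {
        Slot* bigger = new Slot[newCapacity];
        for (unsigned i = 0; i < m_size; ++i)
            bigger[i] = m_slots[i];
        delete[] m_slots;
        m_slots = bigger;
        m_capacity = newCapacity;
    }

    unsigned m_capacity;
    unsigned m_size;            // number of slots handed out so far, including slot 0
    StructureID m_firstFree;    // head of the free list, 0 when empty
    Slot* m_slots;
};

// Copies the type bytes out of the structure so later checks need no table lookup.
ModelCellHeader makeHeader(StructureID id, const ModelStructure& s)
{
    ModelCellHeader h = { id, s.indexingType, s.jsType, s.inlineTypeFlags, 0 };
    return h;
}

// Fast path: the type test reads the header only.
bool isObjectInline(const ModelCellHeader& h) { return h.jsType >= ModelObjectType; }

// Slow path: the same test through the table, as needed for data not kept inline.
bool isObjectViaTable(const ModelStructureIDTable& table, const ModelCellHeader& h)
{
    const ModelStructure* s = table.get(h.structureID);
    return s && s->jsType >= ModelObjectType;
}

int main()
{
    ModelStructureIDTable table(2);
    ModelStructure object = { 0, ModelObjectType, 0 };
    ModelCellHeader cell = makeHeader(table.allocateID(&object), object);
    return (isObjectInline(cell) && isObjectViaTable(table, cell)) ? 0 : 1;
}
```
</pre>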

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoreAPIJSContextmm">trunk/Source/JavaScriptCore/API/JSContext.mm</a></li>
<li><a href="#trunkSourceJavaScriptCoreAPIJSContextRefcpp">trunk/Source/JavaScriptCore/API/JSContextRef.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreAPIJSObjectRefcpp">trunk/Source/JavaScriptCore/API/JSObjectRef.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreAPIJSValuemm">trunk/Source/JavaScriptCore/API/JSValue.mm</a></li>
<li><a href="#trunkSourceJavaScriptCoreAPIJSWrapperMapmm">trunk/Source/JavaScriptCore/API/JSWrapperMap.mm</a></li>
<li><a href="#trunkSourceJavaScriptCoreCMakeListstxt">trunk/Source/JavaScriptCore/CMakeLists.txt</a></li>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoreGNUmakefilelistam">trunk/Source/JavaScriptCore/GNUmakefile.list.am</a></li>
<li><a href="#trunkSourceJavaScriptCoreJavaScriptCorevcxprojJavaScriptCorevcxproj">trunk/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj</a></li>
<li><a href="#trunkSourceJavaScriptCoreJavaScriptCorevcxprojJavaScriptCorevcxprojfilters">trunk/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters</a></li>
<li><a href="#trunkSourceJavaScriptCoreJavaScriptCorexcodeprojprojectpbxproj">trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj</a></li>
<li><a href="#trunkSourceJavaScriptCoreassemblerAbstractMacroAssemblerh">trunk/Source/JavaScriptCore/assembler/AbstractMacroAssembler.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreassemblerMacroAssemblerh">trunk/Source/JavaScriptCore/assembler/MacroAssembler.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreassemblerMacroAssemblerARM64h">trunk/Source/JavaScriptCore/assembler/MacroAssemblerARM64.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreassemblerMacroAssemblerARMv7h">trunk/Source/JavaScriptCore/assembler/MacroAssemblerARMv7.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreassemblerMacroAssemblerX86h">trunk/Source/JavaScriptCore/assembler/MacroAssemblerX86.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreassemblerMacroAssemblerX86_64h">trunk/Source/JavaScriptCore/assembler/MacroAssemblerX86_64.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreassemblerRepatchBufferh">trunk/Source/JavaScriptCore/assembler/RepatchBuffer.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreassemblerX86Assemblerh">trunk/Source/JavaScriptCore/assembler/X86Assembler.h</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeArrayProfilecpp">trunk/Source/JavaScriptCore/bytecode/ArrayProfile.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeArrayProfileh">trunk/Source/JavaScriptCore/bytecode/ArrayProfile.h</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeCodeBlockh">trunk/Source/JavaScriptCore/bytecode/CodeBlock.h</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeUnlinkedCodeBlockh">trunk/Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGAbstractHeaph">trunk/Source/JavaScriptCore/dfg/DFGAbstractHeap.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGArrayifySlowPathGeneratorh">trunk/Source/JavaScriptCore/dfg/DFGArrayifySlowPathGenerator.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGClobberizeh">trunk/Source/JavaScriptCore/dfg/DFGClobberize.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGJITCompilerh">trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGOSRExitCompiler32_64cpp">trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompiler32_64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGOSRExitCompiler64cpp">trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompiler64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGOSRExitCompilerCommoncpp">trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompilerCommon.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGOperationscpp">trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJITcpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJITh">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJIT32_64cpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJIT64cpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGWorklistcpp">trunk/Source/JavaScriptCore/dfg/DFGWorklist.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLAbstractHeapRepositorycpp">trunk/Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLAbstractHeapRepositoryh">trunk/Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLLowerDFGToLLVMcpp">trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLOSRExitCompilercpp">trunk/Source/JavaScriptCore/ftl/FTLOSRExitCompiler.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLOutputh">trunk/Source/JavaScriptCore/ftl/FTLOutput.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapGCAssertionsh">trunk/Source/JavaScriptCore/heap/GCAssertions.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapHeapcpp">trunk/Source/JavaScriptCore/heap/Heap.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapHeaph">trunk/Source/JavaScriptCore/heap/Heap.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapMarkedSpaceh">trunk/Source/JavaScriptCore/heap/MarkedSpace.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapSlotVisitorh">trunk/Source/JavaScriptCore/heap/SlotVisitor.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapSlotVisitorInlinesh">trunk/Source/JavaScriptCore/heap/SlotVisitorInlines.h</a></li>
<li><a href="#trunkSourceJavaScriptCorejitAssemblyHelpersh">trunk/Source/JavaScriptCore/jit/AssemblyHelpers.h</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITh">trunk/Source/JavaScriptCore/jit/JIT.h</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITCallcpp">trunk/Source/JavaScriptCore/jit/JITCall.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITCall32_64cpp">trunk/Source/JavaScriptCore/jit/JITCall32_64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITInlineCacheGeneratorcpp">trunk/Source/JavaScriptCore/jit/JITInlineCacheGenerator.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITInlineCacheGeneratorh">trunk/Source/JavaScriptCore/jit/JITInlineCacheGenerator.h</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITInlinesh">trunk/Source/JavaScriptCore/jit/JITInlines.h</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITOpcodescpp">trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITOpcodes32_64cpp">trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITOperationscpp">trunk/Source/JavaScriptCore/jit/JITOperations.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITPropertyAccesscpp">trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITPropertyAccess32_64cpp">trunk/Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJSInterfaceJITh">trunk/Source/JavaScriptCore/jit/JSInterfaceJIT.h</a></li>
<li><a href="#trunkSourceJavaScriptCorejitRepatchcpp">trunk/Source/JavaScriptCore/jit/Repatch.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitSpecializedThunkJITh">trunk/Source/JavaScriptCore/jit/SpecializedThunkJIT.h</a></li>
<li><a href="#trunkSourceJavaScriptCorejitThunkGeneratorscpp">trunk/Source/JavaScriptCore/jit/ThunkGenerators.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorellintLowLevelInterpreterasm">trunk/Source/JavaScriptCore/llint/LowLevelInterpreter.asm</a></li>
<li><a href="#trunkSourceJavaScriptCorellintLowLevelInterpreter32_64asm">trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm</a></li>
<li><a href="#trunkSourceJavaScriptCorellintLowLevelInterpreter64asm">trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeArgumentscpp">trunk/Source/JavaScriptCore/runtime/Arguments.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeArgumentsh">trunk/Source/JavaScriptCore/runtime/Arguments.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeArrayPrototypecpp">trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeCommonSlowPathscpp">trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeExecutableh">trunk/Source/JavaScriptCore/runtime/Executable.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeGetterSettercpp">trunk/Source/JavaScriptCore/runtime/GetterSetter.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeInitializeThreadingcpp">trunk/Source/JavaScriptCore/runtime/InitializeThreading.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSArraycpp">trunk/Source/JavaScriptCore/runtime/JSArray.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSCJSValueInlinesh">trunk/Source/JavaScriptCore/runtime/JSCJSValueInlines.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSCellcpp">trunk/Source/JavaScriptCore/runtime/JSCell.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSCellh">trunk/Source/JavaScriptCore/runtime/JSCell.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSCellInlinesh">trunk/Source/JavaScriptCore/runtime/JSCellInlines.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSDataViewcpp">trunk/Source/JavaScriptCore/runtime/JSDataView.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSDestructibleObjecth">trunk/Source/JavaScriptCore/runtime/JSDestructibleObject.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSFunctioncpp">trunk/Source/JavaScriptCore/runtime/JSFunction.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSGenericTypedArrayViewh">trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayView.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSObjectcpp">trunk/Source/JavaScriptCore/runtime/JSObject.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSObjecth">trunk/Source/JavaScriptCore/runtime/JSObject.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSPropertyNameIteratorh">trunk/Source/JavaScriptCore/runtime/JSPropertyNameIterator.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSProxycpp">trunk/Source/JavaScriptCore/runtime/JSProxy.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSScopecpp">trunk/Source/JavaScriptCore/runtime/JSScope.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSStringh">trunk/Source/JavaScriptCore/runtime/JSString.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSTypeh">trunk/Source/JavaScriptCore/runtime/JSType.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSTypeInfoh">trunk/Source/JavaScriptCore/runtime/JSTypeInfo.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeMapDatah">trunk/Source/JavaScriptCore/runtime/MapData.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeObjectConstructorcpp">trunk/Source/JavaScriptCore/runtime/ObjectConstructor.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeObjectPrototypecpp">trunk/Source/JavaScriptCore/runtime/ObjectPrototype.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeOperationscpp">trunk/Source/JavaScriptCore/runtime/Operations.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeOperationsh">trunk/Source/JavaScriptCore/runtime/Operations.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimePropertyMapHashTableh">trunk/Source/JavaScriptCore/runtime/PropertyMapHashTable.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeRegExph">trunk/Source/JavaScriptCore/runtime/RegExp.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeSparseArrayValueMaph">trunk/Source/JavaScriptCore/runtime/SparseArrayValueMap.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeStructurecpp">trunk/Source/JavaScriptCore/runtime/Structure.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeStructureh">trunk/Source/JavaScriptCore/runtime/Structure.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeStructureChainh">trunk/Source/JavaScriptCore/runtime/StructureChain.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeSymbolTableh">trunk/Source/JavaScriptCore/runtime/SymbolTable.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeTypedArrayTypecpp">trunk/Source/JavaScriptCore/runtime/TypedArrayType.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeTypedArrayTypeh">trunk/Source/JavaScriptCore/runtime/TypedArrayType.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeWeakMapDatah">trunk/Source/JavaScriptCore/runtime/WeakMapData.h</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoreruntimeStructureIDBlobh">trunk/Source/JavaScriptCore/runtime/StructureIDBlob.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeStructureIDTablecpp">trunk/Source/JavaScriptCore/runtime/StructureIDTable.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeStructureIDTableh">trunk/Source/JavaScriptCore/runtime/StructureIDTable.h</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceJavaScriptCoreAPIJSContextmm"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/API/JSContext.mm (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/API/JSContext.mm        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/API/JSContext.mm        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -103,6 +103,7 @@
</span><span class="cx"> 
</span><span class="cx"> - (void)setException:(JSValue *)value
</span><span class="cx"> {
</span><ins>+    JSC::APIEntryShim entryShim(toJS(m_context));
</ins><span class="cx">     if (value)
</span><span class="cx">         m_exception.set(toJS(m_context)-&gt;vm(), toJS(JSValueToObject(m_context, valueInternalValue(value), 0)));
</span><span class="cx">     else
</span><span class="lines">@@ -270,14 +271,13 @@
</span><span class="cx"> 
</span><span class="cx"> - (JSValue *)wrapperForObjCObject:(id)object
</span><span class="cx"> {
</span><del>-    // Lock access to m_wrapperMap
-    JSC::JSLockHolder lock(toJS(m_context));
</del><ins>+    JSC::APIEntryShim entryShim(toJS(m_context));
</ins><span class="cx">     return [m_wrapperMap jsWrapperForObject:object];
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> - (JSValue *)wrapperForJSObject:(JSValueRef)value
</span><span class="cx"> {
</span><del>-    JSC::JSLockHolder lock(toJS(m_context));
</del><ins>+    JSC::APIEntryShim entryShim(toJS(m_context));
</ins><span class="cx">     return [m_wrapperMap objcWrapperForJSValueRef:value];
</span><span class="cx"> }
</span><span class="cx"> 
</span></span></pre></div>
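Review bot: In wrapperForObjCObject: the removed comment "Lock access to m_wrapperMap" was the only statement of what the lock protects, and after the switch from JSLockHolder to APIEntryShim nothing says the shim still serves that purpose. Keep the comment, reworded for the shim, and add the same note to wrapperForJSObject:, which touches m_wrapperMap in the same way.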
<a id="trunkSourceJavaScriptCoreAPIJSContextRefcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/API/JSContextRef.cpp (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/API/JSContextRef.cpp        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/API/JSContextRef.cpp        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -67,16 +67,10 @@
</span><span class="cx"> 
</span><span class="cx"> void JSContextGroupRelease(JSContextGroupRef group)
</span><span class="cx"> {
</span><del>-    IdentifierTable* savedIdentifierTable;
</del><span class="cx">     VM&amp; vm = *toJS(group);
</span><span class="cx"> 
</span><del>-    {
-        JSLockHolder lock(vm);
-        savedIdentifierTable = wtfThreadData().setCurrentIdentifierTable(vm.identifierTable);
-        vm.deref();
-    }
-
-    wtfThreadData().setCurrentIdentifierTable(savedIdentifierTable);
</del><ins>+    APIEntryShim entryShim(&amp;vm);
+    vm.deref();
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> static bool internalScriptTimeoutCallback(ExecState* exec, void* callbackPtr, void* callbackData)
</span><span class="lines">@@ -164,7 +158,7 @@
</span><span class="cx">     IdentifierTable* savedIdentifierTable;
</span><span class="cx">     ExecState* exec = toJS(ctx);
</span><span class="cx">     {
</span><del>-        JSLockHolder lock(exec);
</del><ins>+        APIEntryShim entryShim(exec);
</ins><span class="cx"> 
</span><span class="cx">         VM&amp; vm = exec-&gt;vm();
</span><span class="cx">         savedIdentifierTable = wtfThreadData().setCurrentIdentifierTable(vm.identifierTable);
</span></span></pre></div>
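Review bot: This block switches to APIEntryShim but keeps the manual savedIdentifierTable save via wtfThreadData().setCurrentIdentifierTable(vm.identifierTable), while the JSContextGroupRelease hunk above deletes exactly that save and restore when making the same switch. One of the two is wrong or redundant: if the shim manages the identifier table, drop the manual handling here as well; if it does not, JSContextGroupRelease has lost it. Please make the two functions consistent and note the reason.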
<a id="trunkSourceJavaScriptCoreAPIJSObjectRefcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/API/JSObjectRef.cpp (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/API/JSObjectRef.cpp        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/API/JSObjectRef.cpp        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -507,10 +507,11 @@
</span><span class="cx">     return false;
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-bool JSObjectIsFunction(JSContextRef, JSObjectRef object)
</del><ins>+bool JSObjectIsFunction(JSContextRef ctx, JSObjectRef object)
</ins><span class="cx"> {
</span><span class="cx">     if (!object)
</span><span class="cx">         return false;
</span><ins>+    APIEntryShim entryShim(toJS(ctx));
</ins><span class="cx">     CallData callData;
</span><span class="cx">     JSCell* cell = toJS(object);
</span><span class="cx">     return cell-&gt;methodTable()-&gt;getCallData(cell, callData) != CallTypeNone;
</span><span class="lines">@@ -606,12 +607,12 @@
</span><span class="cx">         ASSERT_NOT_REACHED();
</span><span class="cx">         return 0;
</span><span class="cx">     }
</span><del>-    JSObject* jsObject = toJS(object);
</del><span class="cx">     ExecState* exec = toJS(ctx);
</span><span class="cx">     APIEntryShim entryShim(exec);
</span><span class="cx"> 
</span><span class="cx">     VM* vm = &amp;exec-&gt;vm();
</span><span class="cx"> 
</span><ins>+    JSObject* jsObject = toJS(object);
</ins><span class="cx">     JSPropertyNameArrayRef propertyNames = new OpaqueJSPropertyNameArray(vm);
</span><span class="cx">     PropertyNameArray array(vm);
</span><span class="cx">     jsObject-&gt;methodTable()-&gt;getPropertyNames(jsObject, exec, array, ExcludeDontEnumProperties);
</span></span></pre></div>
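Review bot: Moving "JSObject* jsObject = toJS(object);" below the APIEntryShim makes the ordering significant, but nothing in the function says so, and the declaration now sits after the unrelated "VM* vm" line. Add a short comment that the conversion must happen after the shim is in place, so that it is not hoisted back to the top of the function in a later tidy-up.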
<a id="trunkSourceJavaScriptCoreAPIJSValuemm"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/API/JSValue.mm (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/API/JSValue.mm        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/API/JSValue.mm        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -698,6 +698,8 @@
</span><span class="cx">             ASSERT([current.objc isKindOfClass:[NSMutableDictionary class]]);
</span><span class="cx">             NSMutableDictionary *dictionary = (NSMutableDictionary *)current.objc;
</span><span class="cx"> 
</span><ins>+            JSC::APIEntryShim entryShim(toJS(context));
+
</ins><span class="cx">             JSPropertyNameArrayRef propertyNameArray = JSObjectCopyPropertyNames(context, js);
</span><span class="cx">             size_t length = JSPropertyNameArrayGetCount(propertyNameArray);
</span><span class="cx"> 
</span></span></pre></div>
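Review bot: The APIEntryShim added before JSObjectCopyPropertyNames(context, js) sits inside the per-container block, so it is constructed once for every dictionary processed, and the call that follows already takes its own shim in JSObjectRef.cpp. Please state in a comment which statement in this block needs the outer shim, and consider taking it once outside the loop if the whole traversal has to run under it.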
<a id="trunkSourceJavaScriptCoreAPIJSWrapperMapmm"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/API/JSWrapperMap.mm (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/API/JSWrapperMap.mm        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/API/JSWrapperMap.mm        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -625,6 +625,7 @@
</span><span class="cx">     JSValueRef exception = 0;
</span><span class="cx">     JSObjectRef object = JSValueToObject(context, value, &amp;exception);
</span><span class="cx">     ASSERT(!exception);
</span><ins>+    JSC::APIEntryShim entryShim(toJS(context));
</ins><span class="cx">     if (toJS(object)-&gt;inherits(JSC::JSCallbackObject&lt;JSC::JSAPIWrapperObject&gt;::info()))
</span><span class="cx">         return (id)JSC::jsCast&lt;JSC::JSAPIWrapperObject*&gt;(toJS(object))-&gt;wrappedObject();
</span><span class="cx">     if (id target = tryUnwrapConstructor(object))
</span></span></pre></div>
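Review bot: The shim is constructed after JSValueToObject(context, value, &amp;exception) and the ASSERT rather than at the top of the function, unlike -setException: in JSContext.mm where it is the first statement. Move it to the top so the whole function runs under one entry, or comment why only the inherits() check and the casts need it. Since ASSERT(!exception) compiles out of release builds, a null check on object before toJS(object)-&gt;inherits(...) would also be worth adding while this code is being touched.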
<a id="trunkSourceJavaScriptCoreCMakeListstxt"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/CMakeLists.txt (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/CMakeLists.txt        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/CMakeLists.txt        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -472,6 +472,7 @@
</span><span class="cx">     runtime/StringRecursionChecker.cpp
</span><span class="cx">     runtime/Structure.cpp
</span><span class="cx">     runtime/StructureChain.cpp
</span><ins>+    runtime/StructureIDTable.cpp
</ins><span class="cx">     runtime/StructureRareData.cpp
</span><span class="cx">     runtime/SymbolTable.cpp
</span><span class="cx">     runtime/TestRunnerUtils.cpp
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/ChangeLog        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -1,3 +1,560 @@
</span><ins>+2014-02-25  Mark Hahnenberg  &lt;mhahnenberg@apple.com&gt;
+
+        Make JSCells have 32-bit Structure pointers
+        https://bugs.webkit.org/show_bug.cgi?id=123195
+
+        Reviewed by Filip Pizlo.
+
+        This patch changes JSCells such that they no longer have a full 64-bit Structure
+        pointer in their header. Instead they now have a 32-bit index into
+        a per-VM table of Structure pointers. 32-bit platforms still use normal Structure
+        pointers.
+
+        This change frees up an additional 32 bits of information in our object headers.
+        We then use this extra space to store the indexing type of the object, the JSType
+        of the object, some various type flags, and garbage collection data (e.g. mark bit).
+        Because this inline type information is now faster to read, it pays for the slowdown 
+        incurred by having to perform an extra indirection through the StructureIDTable.
+
+        This patch also threads a reference to the current VM through more of the C++ runtime
+        to offset the cost of having to look up the VM to get the actual Structure pointer.
+
+        * API/JSContext.mm:
+        (-[JSContext setException:]):
+        (-[JSContext wrapperForObjCObject:]):
+        (-[JSContext wrapperForJSObject:]):
+        * API/JSContextRef.cpp:
+        (JSContextGroupRelease):
+        (JSGlobalContextRelease):
+        * API/JSObjectRef.cpp:
+        (JSObjectIsFunction):
+        (JSObjectCopyPropertyNames):
+        * API/JSValue.mm:
+        (containerValueToObject):
+        * API/JSWrapperMap.mm:
+        (tryUnwrapObjcObject):
+        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * assembler/AbstractMacroAssembler.h:
+        * assembler/MacroAssembler.h:
+        (JSC::MacroAssembler::patchableBranch32WithPatch):
+        (JSC::MacroAssembler::patchableBranch32):
+        * assembler/MacroAssemblerARM64.h:
+        (JSC::MacroAssemblerARM64::branchPtrWithPatch):
+        (JSC::MacroAssemblerARM64::patchableBranch32WithPatch):
+        (JSC::MacroAssemblerARM64::canJumpReplacePatchableBranch32WithPatch):
+        (JSC::MacroAssemblerARM64::startOfPatchableBranch32WithPatchOnAddress):
+        (JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranch32WithPatch):
+        * assembler/MacroAssemblerARMv7.h:
+        (JSC::MacroAssemblerARMv7::store8):
+        (JSC::MacroAssemblerARMv7::branch32WithPatch):
+        (JSC::MacroAssemblerARMv7::patchableBranch32WithPatch):
+        (JSC::MacroAssemblerARMv7::canJumpReplacePatchableBranch32WithPatch):
+        (JSC::MacroAssemblerARMv7::startOfPatchableBranch32WithPatchOnAddress):
+        (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranch32WithPatch):
+        * assembler/MacroAssemblerX86.h:
+        (JSC::MacroAssemblerX86::branch32WithPatch):
+        (JSC::MacroAssemblerX86::canJumpReplacePatchableBranch32WithPatch):
+        (JSC::MacroAssemblerX86::startOfPatchableBranch32WithPatchOnAddress):
+        (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranch32WithPatch):
+        * assembler/MacroAssemblerX86_64.h:
+        (JSC::MacroAssemblerX86_64::store32):
+        (JSC::MacroAssemblerX86_64::moveWithPatch):
+        (JSC::MacroAssemblerX86_64::branch32WithPatch):
+        (JSC::MacroAssemblerX86_64::canJumpReplacePatchableBranch32WithPatch):
+        (JSC::MacroAssemblerX86_64::startOfBranch32WithPatchOnRegister):
+        (JSC::MacroAssemblerX86_64::startOfPatchableBranch32WithPatchOnAddress):
+        (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranch32WithPatch):
+        * assembler/RepatchBuffer.h:
+        (JSC::RepatchBuffer::startOfPatchableBranch32WithPatchOnAddress):
+        (JSC::RepatchBuffer::revertJumpReplacementToPatchableBranch32WithPatch):
+        * assembler/X86Assembler.h:
+        (JSC::X86Assembler::revertJumpTo_movq_i64r):
+        (JSC::X86Assembler::revertJumpTo_movl_i32r):
+        * bytecode/ArrayProfile.cpp:
+        (JSC::ArrayProfile::computeUpdatedPrediction):
+        * bytecode/ArrayProfile.h:
+        (JSC::ArrayProfile::ArrayProfile):
+        (JSC::ArrayProfile::addressOfLastSeenStructureID):
+        (JSC::ArrayProfile::observeStructure):
+        * bytecode/CodeBlock.h:
+        (JSC::CodeBlock::heap):
+        * bytecode/UnlinkedCodeBlock.h:
+        * debugger/Debugger.h:
+        * dfg/DFGAbstractHeap.h:
+        * dfg/DFGArrayifySlowPathGenerator.h:
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize):
+        * dfg/DFGJITCompiler.h:
+        (JSC::DFG::JITCompiler::branchWeakStructure):
+        (JSC::DFG::JITCompiler::branchStructurePtr):
+        * dfg/DFGOSRExitCompiler32_64.cpp:
+        (JSC::DFG::OSRExitCompiler::compileExit):
+        * dfg/DFGOSRExitCompiler64.cpp:
+        (JSC::DFG::OSRExitCompiler::compileExit):
+        * dfg/DFGOSRExitCompilerCommon.cpp:
+        (JSC::DFG::osrWriteBarrier):
+        (JSC::DFG::adjustAndJumpToTarget):
+        * dfg/DFGOperations.cpp:
+        (JSC::DFG::putByVal):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::checkArray):
+        (JSC::DFG::SpeculativeJIT::arrayify):
+        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
+        (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
+        (JSC::DFG::SpeculativeJIT::compileInstanceOf):
+        (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
+        (JSC::DFG::SpeculativeJIT::speculateObject):
+        (JSC::DFG::SpeculativeJIT::speculateFinalObject):
+        (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
+        (JSC::DFG::SpeculativeJIT::speculateString):
+        (JSC::DFG::SpeculativeJIT::speculateStringObject):
+        (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
+        (JSC::DFG::SpeculativeJIT::emitSwitchChar):
+        (JSC::DFG::SpeculativeJIT::emitSwitchString):
+        (JSC::DFG::SpeculativeJIT::genericWriteBarrier):
+        (JSC::DFG::SpeculativeJIT::writeBarrier):
+        * dfg/DFGSpeculativeJIT.h:
+        (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
+        (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
+        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
+        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
+        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
+        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
+        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
+        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
+        (JSC::DFG::SpeculativeJIT::compile):
+        (JSC::DFG::SpeculativeJIT::writeBarrier):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
+        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
+        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
+        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
+        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
+        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
+        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
+        (JSC::DFG::SpeculativeJIT::compile):
+        (JSC::DFG::SpeculativeJIT::writeBarrier):
+        * dfg/DFGWorklist.cpp:
+        * ftl/FTLAbstractHeapRepository.cpp:
+        (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
+        * ftl/FTLAbstractHeapRepository.h:
+        * ftl/FTLLowerDFGToLLVM.cpp:
+        (JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
+        (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
+        (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
+        (JSC::FTL::LowerDFGToLLVM::compileToString):
+        (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
+        (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
+        (JSC::FTL::LowerDFGToLLVM::speculateTruthyObject):
+        (JSC::FTL::LowerDFGToLLVM::allocateCell):
+        (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
+        (JSC::FTL::LowerDFGToLLVM::isObject):
+        (JSC::FTL::LowerDFGToLLVM::isString):
+        (JSC::FTL::LowerDFGToLLVM::isArrayType):
+        (JSC::FTL::LowerDFGToLLVM::hasClassInfo):
+        (JSC::FTL::LowerDFGToLLVM::isType):
+        (JSC::FTL::LowerDFGToLLVM::speculateStringOrStringObject):
+        (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForCell):
+        (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructureID):
+        (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
+        (JSC::FTL::LowerDFGToLLVM::loadMarkByte):
+        (JSC::FTL::LowerDFGToLLVM::loadStructure):
+        (JSC::FTL::LowerDFGToLLVM::weakStructure):
+        * ftl/FTLOSRExitCompiler.cpp:
+        (JSC::FTL::compileStub):
+        * ftl/FTLOutput.h:
+        (JSC::FTL::Output::store8):
+        * heap/GCAssertions.h:
+        * heap/Heap.cpp:
+        (JSC::Heap::getConservativeRegisterRoots):
+        (JSC::Heap::collect):
+        (JSC::Heap::writeBarrier):
+        * heap/Heap.h:
+        (JSC::Heap::structureIDTable):
+        * heap/MarkedSpace.h:
+        (JSC::MarkedSpace::forEachBlock):
+        * heap/SlotVisitorInlines.h:
+        (JSC::SlotVisitor::internalAppend):
+        * jit/AssemblyHelpers.h:
+        (JSC::AssemblyHelpers::branchIfCellNotObject):
+        (JSC::AssemblyHelpers::genericWriteBarrier):
+        (JSC::AssemblyHelpers::emitLoadStructure):
+        (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
+        * jit/JIT.h:
+        * jit/JITCall.cpp:
+        (JSC::JIT::compileOpCall):
+        (JSC::JIT::privateCompileClosureCall):
+        * jit/JITCall32_64.cpp:
+        (JSC::JIT::emit_op_ret_object_or_this):
+        (JSC::JIT::compileOpCall):
+        (JSC::JIT::privateCompileClosureCall):
+        * jit/JITInlineCacheGenerator.cpp:
+        (JSC::JITByIdGenerator::generateFastPathChecks):
+        * jit/JITInlineCacheGenerator.h:
+        * jit/JITInlines.h:
+        (JSC::JIT::emitLoadCharacterString):
+        (JSC::JIT::checkStructure):
+        (JSC::JIT::emitJumpIfCellNotObject):
+        (JSC::JIT::emitAllocateJSObject):
+        (JSC::JIT::emitArrayProfilingSiteWithCell):
+        (JSC::JIT::emitArrayProfilingSiteForBytecodeIndexWithCell):
+        (JSC::JIT::branchStructure):
+        (JSC::branchStructure):
+        * jit/JITOpcodes.cpp:
+        (JSC::JIT::emit_op_check_has_instance):
+        (JSC::JIT::emit_op_instanceof):
+        (JSC::JIT::emit_op_is_undefined):
+        (JSC::JIT::emit_op_is_string):
+        (JSC::JIT::emit_op_ret_object_or_this):
+        (JSC::JIT::emit_op_to_primitive):
+        (JSC::JIT::emit_op_jeq_null):
+        (JSC::JIT::emit_op_jneq_null):
+        (JSC::JIT::emit_op_get_pnames):
+        (JSC::JIT::emit_op_next_pname):
+        (JSC::JIT::emit_op_eq_null):
+        (JSC::JIT::emit_op_neq_null):
+        (JSC::JIT::emit_op_to_this):
+        (JSC::JIT::emitSlow_op_to_this):
+        * jit/JITOpcodes32_64.cpp:
+        (JSC::JIT::emit_op_check_has_instance):
+        (JSC::JIT::emit_op_instanceof):
+        (JSC::JIT::emit_op_is_undefined):
+        (JSC::JIT::emit_op_is_string):
+        (JSC::JIT::emit_op_to_primitive):
+        (JSC::JIT::emit_op_jeq_null):
+        (JSC::JIT::emit_op_jneq_null):
+        (JSC::JIT::emitSlow_op_eq):
+        (JSC::JIT::emitSlow_op_neq):
+        (JSC::JIT::compileOpStrictEq):
+        (JSC::JIT::emit_op_eq_null):
+        (JSC::JIT::emit_op_neq_null):
+        (JSC::JIT::emit_op_get_pnames):
+        (JSC::JIT::emit_op_next_pname):
+        (JSC::JIT::emit_op_to_this):
+        * jit/JITOperations.cpp:
+        * jit/JITPropertyAccess.cpp:
+        (JSC::JIT::stringGetByValStubGenerator):
+        (JSC::JIT::emit_op_get_by_val):
+        (JSC::JIT::emitSlow_op_get_by_val):
+        (JSC::JIT::emit_op_get_by_pname):
+        (JSC::JIT::emit_op_put_by_val):
+        (JSC::JIT::emit_op_get_by_id):
+        (JSC::JIT::emitLoadWithStructureCheck):
+        (JSC::JIT::emitSlow_op_get_from_scope):
+        (JSC::JIT::emitSlow_op_put_to_scope):
+        (JSC::JIT::checkMarkWord):
+        (JSC::JIT::emitWriteBarrier):
+        (JSC::JIT::addStructureTransitionCheck):
+        (JSC::JIT::emitIntTypedArrayGetByVal):
+        (JSC::JIT::emitFloatTypedArrayGetByVal):
+        (JSC::JIT::emitIntTypedArrayPutByVal):
+        (JSC::JIT::emitFloatTypedArrayPutByVal):
+        * jit/JITPropertyAccess32_64.cpp:
+        (JSC::JIT::stringGetByValStubGenerator):
+        (JSC::JIT::emit_op_get_by_val):
+        (JSC::JIT::emitSlow_op_get_by_val):
+        (JSC::JIT::emit_op_put_by_val):
+        (JSC::JIT::emit_op_get_by_id):
+        (JSC::JIT::emit_op_get_by_pname):
+        (JSC::JIT::emitLoadWithStructureCheck):
+        * jit/JSInterfaceJIT.h:
+        (JSC::JSInterfaceJIT::emitJumpIfNotType):
+        * jit/Repatch.cpp:
+        (JSC::repatchByIdSelfAccess):
+        (JSC::addStructureTransitionCheck):
+        (JSC::replaceWithJump):
+        (JSC::generateProtoChainAccessStub):
+        (JSC::tryCacheGetByID):
+        (JSC::tryBuildGetByIDList):
+        (JSC::writeBarrier):
+        (JSC::emitPutReplaceStub):
+        (JSC::emitPutTransitionStub):
+        (JSC::tryBuildPutByIdList):
+        (JSC::tryRepatchIn):
+        (JSC::linkClosureCall):
+        (JSC::resetGetByID):
+        (JSC::resetPutByID):
+        * jit/SpecializedThunkJIT.h:
+        (JSC::SpecializedThunkJIT::loadJSStringArgument):
+        (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
+        * jit/ThunkGenerators.cpp:
+        (JSC::virtualForThunkGenerator):
+        (JSC::arrayIteratorNextThunkGenerator):
+        * jit/UnusedPointer.h:
+        * llint/LowLevelInterpreter.asm:
+        * llint/LowLevelInterpreter32_64.asm:
+        * llint/LowLevelInterpreter64.asm:
+        * runtime/Arguments.cpp:
+        (JSC::Arguments::createStrictModeCallerIfNecessary):
+        (JSC::Arguments::createStrictModeCalleeIfNecessary):
+        * runtime/Arguments.h:
+        (JSC::Arguments::createStructure):
+        * runtime/ArrayPrototype.cpp:
+        (JSC::shift):
+        (JSC::unshift):
+        (JSC::arrayProtoFuncToString):
+        (JSC::arrayProtoFuncPop):
+        (JSC::arrayProtoFuncReverse):
+        (JSC::performSlowSort):
+        (JSC::arrayProtoFuncSort):
+        (JSC::arrayProtoFuncSplice):
+        (JSC::arrayProtoFuncUnShift):
+        * runtime/CommonSlowPaths.cpp:
+        (JSC::SLOW_PATH_DECL):
+        * runtime/Executable.h:
+        (JSC::ExecutableBase::isFunctionExecutable):
+        (JSC::ExecutableBase::clearCodeVirtual):
+        (JSC::ScriptExecutable::unlinkCalls):
+        * runtime/GetterSetter.cpp:
+        (JSC::callGetter):
+        (JSC::callSetter):
+        * runtime/InitializeThreading.cpp:
+        * runtime/JSArray.cpp:
+        (JSC::JSArray::unshiftCountSlowCase):
+        (JSC::JSArray::setLength):
+        (JSC::JSArray::pop):
+        (JSC::JSArray::push):
+        (JSC::JSArray::shiftCountWithArrayStorage):
+        (JSC::JSArray::shiftCountWithAnyIndexingType):
+        (JSC::JSArray::unshiftCountWithArrayStorage):
+        (JSC::JSArray::unshiftCountWithAnyIndexingType):
+        (JSC::JSArray::sortNumericVector):
+        (JSC::JSArray::sortNumeric):
+        (JSC::JSArray::sortCompactedVector):
+        (JSC::JSArray::sort):
+        (JSC::JSArray::sortVector):
+        (JSC::JSArray::fillArgList):
+        (JSC::JSArray::copyToArguments):
+        (JSC::JSArray::compactForSorting):
+        * runtime/JSCJSValueInlines.h:
+        (JSC::JSValue::toThis):
+        (JSC::JSValue::put):
+        (JSC::JSValue::putByIndex):
+        (JSC::JSValue::equalSlowCaseInline):
+        * runtime/JSCell.cpp:
+        (JSC::JSCell::put):
+        (JSC::JSCell::putByIndex):
+        (JSC::JSCell::deleteProperty):
+        (JSC::JSCell::deletePropertyByIndex):
+        * runtime/JSCell.h:
+        (JSC::JSCell::clearStructure):
+        (JSC::JSCell::mark):
+        (JSC::JSCell::isMarked):
+        (JSC::JSCell::structureIDOffset):
+        (JSC::JSCell::typeInfoFlagsOffset):
+        (JSC::JSCell::typeInfoTypeOffset):
+        (JSC::JSCell::indexingTypeOffset):
+        (JSC::JSCell::gcDataOffset):
+        * runtime/JSCellInlines.h:
+        (JSC::JSCell::JSCell):
+        (JSC::JSCell::finishCreation):
+        (JSC::JSCell::type):
+        (JSC::JSCell::indexingType):
+        (JSC::JSCell::structure):
+        (JSC::JSCell::visitChildren):
+        (JSC::JSCell::isObject):
+        (JSC::JSCell::isString):
+        (JSC::JSCell::isGetterSetter):
+        (JSC::JSCell::isProxy):
+        (JSC::JSCell::isAPIValueWrapper):
+        (JSC::JSCell::setStructure):
+        (JSC::JSCell::methodTable):
+        (JSC::Heap::writeBarrier):
+        * runtime/JSDataView.cpp:
+        (JSC::JSDataView::createStructure):
+        * runtime/JSDestructibleObject.h:
+        (JSC::JSCell::classInfo):
+        * runtime/JSFunction.cpp:
+        (JSC::JSFunction::getOwnNonIndexPropertyNames):
+        (JSC::JSFunction::put):
+        (JSC::JSFunction::defineOwnProperty):
+        * runtime/JSGenericTypedArrayView.h:
+        (JSC::JSGenericTypedArrayView::createStructure):
+        * runtime/JSObject.cpp:
+        (JSC::getCallableObjectSlow):
+        (JSC::JSObject::copyButterfly):
+        (JSC::JSObject::visitButterfly):
+        (JSC::JSFinalObject::visitChildren):
+        (JSC::JSObject::getOwnPropertySlotByIndex):
+        (JSC::JSObject::put):
+        (JSC::JSObject::putByIndex):
+        (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
+        (JSC::JSObject::enterDictionaryIndexingMode):
+        (JSC::JSObject::notifyPresenceOfIndexedAccessors):
+        (JSC::JSObject::createInitialIndexedStorage):
+        (JSC::JSObject::createInitialUndecided):
+        (JSC::JSObject::createInitialInt32):
+        (JSC::JSObject::createInitialDouble):
+        (JSC::JSObject::createInitialContiguous):
+        (JSC::JSObject::createArrayStorage):
+        (JSC::JSObject::convertUndecidedToInt32):
+        (JSC::JSObject::convertUndecidedToDouble):
+        (JSC::JSObject::convertUndecidedToContiguous):
+        (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
+        (JSC::JSObject::convertUndecidedToArrayStorage):
+        (JSC::JSObject::convertInt32ToDouble):
+        (JSC::JSObject::convertInt32ToContiguous):
+        (JSC::JSObject::convertInt32ToArrayStorage):
+        (JSC::JSObject::genericConvertDoubleToContiguous):
+        (JSC::JSObject::convertDoubleToArrayStorage):
+        (JSC::JSObject::convertContiguousToArrayStorage):
+        (JSC::JSObject::ensureInt32Slow):
+        (JSC::JSObject::ensureDoubleSlow):
+        (JSC::JSObject::ensureContiguousSlow):
+        (JSC::JSObject::ensureArrayStorageSlow):
+        (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
+        (JSC::JSObject::switchToSlowPutArrayStorage):
+        (JSC::JSObject::setPrototype):
+        (JSC::JSObject::setPrototypeWithCycleCheck):
+        (JSC::JSObject::putDirectNonIndexAccessor):
+        (JSC::JSObject::deleteProperty):
+        (JSC::JSObject::hasOwnProperty):
+        (JSC::JSObject::deletePropertyByIndex):
+        (JSC::JSObject::getPrimitiveNumber):
+        (JSC::JSObject::hasInstance):
+        (JSC::JSObject::getPropertySpecificValue):
+        (JSC::JSObject::getPropertyNames):
+        (JSC::JSObject::getOwnPropertyNames):
+        (JSC::JSObject::getOwnNonIndexPropertyNames):
+        (JSC::JSObject::seal):
+        (JSC::JSObject::freeze):
+        (JSC::JSObject::preventExtensions):
+        (JSC::JSObject::reifyStaticFunctionsForDelete):
+        (JSC::JSObject::removeDirect):
+        (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
+        (JSC::JSObject::putByIndexBeyondVectorLength):
+        (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
+        (JSC::JSObject::putDirectIndexBeyondVectorLength):
+        (JSC::JSObject::getNewVectorLength):
+        (JSC::JSObject::countElements):
+        (JSC::JSObject::increaseVectorLength):
+        (JSC::JSObject::ensureLengthSlow):
+        (JSC::JSObject::growOutOfLineStorage):
+        (JSC::JSObject::getOwnPropertyDescriptor):
+        (JSC::putDescriptor):
+        (JSC::JSObject::defineOwnNonIndexProperty):
+        * runtime/JSObject.h:
+        (JSC::getJSFunction):
+        (JSC::JSObject::getArrayLength):
+        (JSC::JSObject::getVectorLength):
+        (JSC::JSObject::putByIndexInline):
+        (JSC::JSObject::canGetIndexQuickly):
+        (JSC::JSObject::getIndexQuickly):
+        (JSC::JSObject::tryGetIndexQuickly):
+        (JSC::JSObject::getDirectIndex):
+        (JSC::JSObject::canSetIndexQuickly):
+        (JSC::JSObject::canSetIndexQuicklyForPutDirect):
+        (JSC::JSObject::setIndexQuickly):
+        (JSC::JSObject::initializeIndex):
+        (JSC::JSObject::hasSparseMap):
+        (JSC::JSObject::inSparseIndexingMode):
+        (JSC::JSObject::getDirect):
+        (JSC::JSObject::getDirectOffset):
+        (JSC::JSObject::isSealed):
+        (JSC::JSObject::isFrozen):
+        (JSC::JSObject::flattenDictionaryObject):
+        (JSC::JSObject::ensureInt32):
+        (JSC::JSObject::ensureDouble):
+        (JSC::JSObject::ensureContiguous):
+        (JSC::JSObject::rageEnsureContiguous):
+        (JSC::JSObject::ensureArrayStorage):
+        (JSC::JSObject::arrayStorage):
+        (JSC::JSObject::arrayStorageOrNull):
+        (JSC::JSObject::ensureLength):
+        (JSC::JSObject::currentIndexingData):
+        (JSC::JSObject::getHolyIndexQuickly):
+        (JSC::JSObject::currentRelevantLength):
+        (JSC::JSObject::isGlobalObject):
+        (JSC::JSObject::isVariableObject):
+        (JSC::JSObject::isStaticScopeObject):
+        (JSC::JSObject::isNameScopeObject):
+        (JSC::JSObject::isActivationObject):
+        (JSC::JSObject::isErrorInstance):
+        (JSC::JSObject::inlineGetOwnPropertySlot):
+        (JSC::JSObject::fastGetOwnPropertySlot):
+        (JSC::JSObject::getPropertySlot):
+        (JSC::JSObject::putDirectInternal):
+        (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
+        * runtime/JSPropertyNameIterator.h:
+        (JSC::JSPropertyNameIterator::createStructure):
+        * runtime/JSProxy.cpp:
+        (JSC::JSProxy::getOwnPropertySlot):
+        (JSC::JSProxy::getOwnPropertySlotByIndex):
+        (JSC::JSProxy::put):
+        (JSC::JSProxy::putByIndex):
+        (JSC::JSProxy::defineOwnProperty):
+        (JSC::JSProxy::deleteProperty):
+        (JSC::JSProxy::deletePropertyByIndex):
+        (JSC::JSProxy::getPropertyNames):
+        (JSC::JSProxy::getOwnPropertyNames):
+        * runtime/JSScope.cpp:
+        (JSC::JSScope::objectAtScope):
+        * runtime/JSString.h:
+        (JSC::JSString::createStructure):
+        (JSC::isJSString):
+        * runtime/JSType.h:
+        * runtime/JSTypeInfo.h:
+        (JSC::TypeInfo::TypeInfo):
+        (JSC::TypeInfo::isObject):
+        (JSC::TypeInfo::structureIsImmortal):
+        (JSC::TypeInfo::zeroedGCDataOffset):
+        (JSC::TypeInfo::inlineTypeFlags):
+        * runtime/MapData.h:
+        * runtime/ObjectConstructor.cpp:
+        (JSC::objectConstructorGetOwnPropertyNames):
+        (JSC::objectConstructorKeys):
+        (JSC::objectConstructorDefineProperty):
+        (JSC::defineProperties):
+        (JSC::objectConstructorSeal):
+        (JSC::objectConstructorFreeze):
+        (JSC::objectConstructorIsSealed):
+        (JSC::objectConstructorIsFrozen):
+        * runtime/ObjectPrototype.cpp:
+        (JSC::objectProtoFuncDefineGetter):
+        (JSC::objectProtoFuncDefineSetter):
+        (JSC::objectProtoFuncToString):
+        * runtime/Operations.cpp:
+        (JSC::jsTypeStringForValue):
+        (JSC::jsIsObjectType):
+        * runtime/Operations.h:
+        (JSC::normalizePrototypeChainForChainAccess):
+        (JSC::normalizePrototypeChain):
+        * runtime/PropertyMapHashTable.h:
+        (JSC::PropertyTable::createStructure):
+        * runtime/RegExp.h:
+        (JSC::RegExp::createStructure):
+        * runtime/SparseArrayValueMap.h:
+        * runtime/Structure.cpp:
+        (JSC::Structure::Structure):
+        (JSC::Structure::~Structure):
+        (JSC::Structure::prototypeChainMayInterceptStoreTo):
+        * runtime/Structure.h:
+        (JSC::Structure::id):
+        (JSC::Structure::idBlob):
+        (JSC::Structure::objectInitializationFields):
+        (JSC::Structure::structureIDOffset):
+        * runtime/StructureChain.h:
+        (JSC::StructureChain::createStructure):
+        * runtime/StructureIDTable.cpp: Added.
+        (JSC::StructureIDTable::StructureIDTable):
+        (JSC::StructureIDTable::~StructureIDTable):
+        (JSC::StructureIDTable::resize):
+        (JSC::StructureIDTable::flushOldTables):
+        (JSC::StructureIDTable::allocateID):
+        (JSC::StructureIDTable::deallocateID):
+        * runtime/StructureIDTable.h: Added.
+        (JSC::StructureIDTable::base):
+        (JSC::StructureIDTable::get):
+        * runtime/SymbolTable.h:
+        * runtime/TypedArrayType.cpp:
+        (JSC::typeForTypedArrayType):
+        * runtime/TypedArrayType.h:
+        * runtime/WeakMapData.h:
+
</ins><span class="cx"> 2014-02-26  Mark Hahnenberg  &lt;mhahnenberg@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         Unconditional logging in compileFTLOSRExit
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreGNUmakefilelistam"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/GNUmakefile.list.am (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/GNUmakefile.list.am        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/GNUmakefile.list.am        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -1228,6 +1228,9 @@
</span><span class="cx">         Source/JavaScriptCore/runtime/StructureChain.h \
</span><span class="cx">         Source/JavaScriptCore/runtime/Structure.cpp \
</span><span class="cx">         Source/JavaScriptCore/runtime/Structure.h \
</span><ins>+        Source/JavaScriptCore/runtime/StructureIDBlob.h \
+        Source/JavaScriptCore/runtime/StructureIDTable.cpp \
+        Source/JavaScriptCore/runtime/StructureIDTable.h \
</ins><span class="cx">         Source/JavaScriptCore/runtime/StructureInlines.h \
</span><span class="cx">         Source/JavaScriptCore/runtime/StructureRareData.cpp \
</span><span class="cx">         Source/JavaScriptCore/runtime/StructureRareData.h \
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreJavaScriptCorevcxprojJavaScriptCorevcxproj"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -718,6 +718,7 @@
</span><span class="cx">     &lt;ClCompile Include=&quot;..\runtime\StringRecursionChecker.cpp&quot; /&gt;
</span><span class="cx">     &lt;ClCompile Include=&quot;..\runtime\Structure.cpp&quot; /&gt;
</span><span class="cx">     &lt;ClCompile Include=&quot;..\runtime\StructureChain.cpp&quot; /&gt;
</span><ins>+    &lt;ClCompile Include=&quot;..\runtime\StructureIDTable.cpp&quot; /&gt;
</ins><span class="cx">     &lt;ClCompile Include=&quot;..\runtime\StructureRareData.cpp&quot; /&gt;
</span><span class="cx">     &lt;ClCompile Include=&quot;..\runtime\SymbolTable.cpp&quot; /&gt;
</span><span class="cx">     &lt;ClCompile Include=&quot;..\runtime\TestRunnerUtils.cpp&quot; /&gt;
</span><span class="lines">@@ -1406,6 +1407,8 @@
</span><span class="cx">     &lt;ClInclude Include=&quot;..\runtime\StringRecursionChecker.h&quot; /&gt;
</span><span class="cx">     &lt;ClInclude Include=&quot;..\runtime\Structure.h&quot; /&gt;
</span><span class="cx">     &lt;ClInclude Include=&quot;..\runtime\StructureChain.h&quot; /&gt;
</span><ins>+    &lt;ClInclude Include=&quot;..\runtime\StructureIDBlob.h&quot; /&gt;
+    &lt;ClInclude Include=&quot;..\runtime\StructureIDTable.h&quot; /&gt;
</ins><span class="cx">     &lt;ClInclude Include=&quot;..\runtime\StructureRareData.h&quot; /&gt;
</span><span class="cx">     &lt;ClInclude Include=&quot;..\runtime\StructureRareDataInlines.h&quot; /&gt;
</span><span class="cx">     &lt;ClInclude Include=&quot;..\runtime\StructureTransitionTable.h&quot; /&gt;
</span><span class="lines">@@ -1468,4 +1471,4 @@
</span><span class="cx">   &lt;ImportGroup Label=&quot;ExtensionTargets&quot;&gt;
</span><span class="cx">     &lt;Import Project=&quot;$(VCTargetsPath)\BuildCustomizations\masm.targets&quot; /&gt;
</span><span class="cx">   &lt;/ImportGroup&gt;
</span><del>-&lt;/Project&gt;
</del><span class="cx">\ No newline at end of file
</span><ins>+&lt;/Project&gt;
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoreJavaScriptCorevcxprojJavaScriptCorevcxprojfilters"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -795,6 +795,9 @@
</span><span class="cx">     &lt;ClCompile Include=&quot;..\runtime\StructureChain.cpp&quot;&gt;
</span><span class="cx">       &lt;Filter&gt;runtime&lt;/Filter&gt;
</span><span class="cx">     &lt;/ClCompile&gt;
</span><ins>+    &lt;ClCompile Include=&quot;..\runtime\StructureIDTable.cpp&quot;&gt;
+      &lt;Filter&gt;runtime&lt;/Filter&gt;
+    &lt;/ClCompile&gt;
</ins><span class="cx">     &lt;ClCompile Include=&quot;..\runtime\SymbolTable.cpp&quot;&gt;
</span><span class="cx">       &lt;Filter&gt;runtime&lt;/Filter&gt;
</span><span class="cx">     &lt;/ClCompile&gt;
</span><span class="lines">@@ -2429,9 +2432,18 @@
</span><span class="cx">     &lt;ClInclude Include=&quot;..\runtime\Structure.h&quot;&gt;
</span><span class="cx">       &lt;Filter&gt;runtime&lt;/Filter&gt;
</span><span class="cx">     &lt;/ClInclude&gt;
</span><ins>+    &lt;ClInclude Include=&quot;..\runtime\StructureIDBlobh&quot;&gt;
+      &lt;Filter&gt;runtime&lt;/Filter&gt;
+    &lt;/ClInclude&gt;
</ins><span class="cx">     &lt;ClInclude Include=&quot;..\runtime\StructureChain.h&quot;&gt;
</span><span class="cx">       &lt;Filter&gt;runtime&lt;/Filter&gt;
</span><span class="cx">     &lt;/ClInclude&gt;
</span><ins>+    &lt;ClInclude Include=&quot;..\runtime\StructureIDBlob.h&quot;&gt;
+      &lt;Filter&gt;runtime&lt;/Filter&gt;
+    &lt;/ClInclude&gt;
+    &lt;ClInclude Include=&quot;..\runtime\StructureIDTable.h&quot;&gt;
+      &lt;Filter&gt;runtime&lt;/Filter&gt;
+    &lt;/ClInclude&gt;
</ins><span class="cx">     &lt;ClInclude Include=&quot;..\runtime\StructureTransitionTable.h&quot;&gt;
</span><span class="cx">       &lt;Filter&gt;runtime&lt;/Filter&gt;
</span><span class="cx">     &lt;/ClInclude&gt;
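Review bot: The first added ClInclude in this hunk names "..\runtime\StructureIDBlobh", with no dot before the extension, and the same header is then added a second time, spelled StructureIDBlob.h, after the StructureChain.h entry. The misspelled entry matches no file added elsewhere in this changeset; drop it and keep the single StructureIDBlob.h entry.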
</span><span class="lines">@@ -3340,4 +3352,4 @@
</span><span class="cx">   &lt;ItemGroup&gt;
</span><span class="cx">     &lt;MASM Include=&quot;$(ConfigurationBuildDir)\obj$(PlatformArchitecture)\$(ProjectName)\DerivedSources\LowLevelInterpreterWin.asm&quot; /&gt;
</span><span class="cx">   &lt;/ItemGroup&gt;
</span><del>-&lt;/Project&gt;
</del><span class="cx">\ No newline at end of file
</span><ins>+&lt;/Project&gt;
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoreJavaScriptCorexcodeprojprojectpbxproj"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -773,12 +773,15 @@
</span><span class="cx">                 2A68295B1875F80500B6C3E2 /* CopyWriteBarrier.h in Headers */ = {isa = PBXBuildFile; fileRef = 2A68295A1875F80500B6C3E2 /* CopyWriteBarrier.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx">                 2A6F462617E959CE00C45C98 /* HeapOperation.h in Headers */ = {isa = PBXBuildFile; fileRef = 2A6F462517E959CE00C45C98 /* HeapOperation.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx">                 2A7A58EF1808A4C40020BDF7 /* DeferGC.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 2A7A58EE1808A4C40020BDF7 /* DeferGC.cpp */; };
</span><ins>+                2AAAA31218BD49D100394CC8 /* StructureIDBlob.h in Headers */ = {isa = PBXBuildFile; fileRef = 2AAAA31018BD49D100394CC8 /* StructureIDBlob.h */; settings = {ATTRIBUTES = (Private, ); }; };
</ins><span class="cx">                 2AAD964A18569417001F93BE /* RecursiveAllocationScope.h in Headers */ = {isa = PBXBuildFile; fileRef = 2AAD964918569417001F93BE /* RecursiveAllocationScope.h */; };
</span><span class="cx">                 2AC922BB18A16182003CE0FB /* FTLDWARFDebugLineInfo.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 2AC922B918A16182003CE0FB /* FTLDWARFDebugLineInfo.cpp */; };
</span><span class="cx">                 2AC922BC18A16182003CE0FB /* FTLDWARFDebugLineInfo.h in Headers */ = {isa = PBXBuildFile; fileRef = 2AC922BA18A16182003CE0FB /* FTLDWARFDebugLineInfo.h */; };
</span><span class="cx">                 2ACCF3DE185FE26B0083E2AD /* DFGStoreBarrierElisionPhase.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 2ACCF3DC185FE26B0083E2AD /* DFGStoreBarrierElisionPhase.cpp */; };
</span><span class="cx">                 2ACCF3DF185FE26B0083E2AD /* DFGStoreBarrierElisionPhase.h in Headers */ = {isa = PBXBuildFile; fileRef = 2ACCF3DD185FE26B0083E2AD /* DFGStoreBarrierElisionPhase.h */; };
</span><span class="cx">                 2AD8932B17E3868F00668276 /* HeapIterationScope.h in Headers */ = {isa = PBXBuildFile; fileRef = 2AD8932917E3868F00668276 /* HeapIterationScope.h */; };
</span><ins>+                2AF7382C18BBBF92008A5A37 /* StructureIDTable.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 2AF7382A18BBBF92008A5A37 /* StructureIDTable.cpp */; };
+                2AF7382D18BBBF92008A5A37 /* StructureIDTable.h in Headers */ = {isa = PBXBuildFile; fileRef = 2AF7382B18BBBF92008A5A37 /* StructureIDTable.h */; settings = {ATTRIBUTES = (Private, ); }; };
</ins><span class="cx">                 371D842D17C98B6E00ECF994 /* libz.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 371D842C17C98B6E00ECF994 /* libz.dylib */; };
</span><span class="cx">                 41359CF30FDD89AD00206180 /* DateConversion.h in Headers */ = {isa = PBXBuildFile; fileRef = D21202290AD4310C00ED79B6 /* DateConversion.h */; };
</span><span class="cx">                 4443AE3316E188D90076F110 /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 51F0EB6105C86C6B00E6DF1B /* Foundation.framework */; };
</span><span class="lines">@@ -2214,12 +2217,15 @@
</span><span class="cx">                 2A68295A1875F80500B6C3E2 /* CopyWriteBarrier.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CopyWriteBarrier.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="cx">                 2A6F462517E959CE00C45C98 /* HeapOperation.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = HeapOperation.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="cx">                 2A7A58EE1808A4C40020BDF7 /* DeferGC.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = DeferGC.cpp; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><ins>+                2AAAA31018BD49D100394CC8 /* StructureIDBlob.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = StructureIDBlob.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</ins><span class="cx">                 2AAD964918569417001F93BE /* RecursiveAllocationScope.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = RecursiveAllocationScope.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="cx">                 2AC922B918A16182003CE0FB /* FTLDWARFDebugLineInfo.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = FTLDWARFDebugLineInfo.cpp; path = ftl/FTLDWARFDebugLineInfo.cpp; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="cx">                 2AC922BA18A16182003CE0FB /* FTLDWARFDebugLineInfo.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = FTLDWARFDebugLineInfo.h; path = ftl/FTLDWARFDebugLineInfo.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="cx">                 2ACCF3DC185FE26B0083E2AD /* DFGStoreBarrierElisionPhase.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGStoreBarrierElisionPhase.cpp; path = dfg/DFGStoreBarrierElisionPhase.cpp; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="cx">                 2ACCF3DD185FE26B0083E2AD /* DFGStoreBarrierElisionPhase.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGStoreBarrierElisionPhase.h; path = dfg/DFGStoreBarrierElisionPhase.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="cx">                 2AD8932917E3868F00668276 /* HeapIterationScope.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = HeapIterationScope.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><ins>+                2AF7382A18BBBF92008A5A37 /* StructureIDTable.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = StructureIDTable.cpp; sourceTree = &quot;&lt;group&gt;&quot;; };
+                2AF7382B18BBBF92008A5A37 /* StructureIDTable.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = StructureIDTable.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</ins><span class="cx">                 371D842C17C98B6E00ECF994 /* libz.dylib */ = {isa = PBXFileReference; lastKnownFileType = &quot;compiled.mach-o.dylib&quot;; name = libz.dylib; path = usr/lib/libz.dylib; sourceTree = SDKROOT; };
</span><span class="cx">                 449097EE0F8F81B50076A327 /* FeatureDefines.xcconfig */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.xcconfig; path = FeatureDefines.xcconfig; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="cx">                 451539B812DC994500EF7AC4 /* Yarr.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = Yarr.h; path = yarr/Yarr.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="lines">@@ -3757,6 +3763,8 @@
</span><span class="cx">                 7EF6E0BB0EB7A1EC0079AFAF /* runtime */ = {
</span><span class="cx">                         isa = PBXGroup;
</span><span class="cx">                         children = (
</span><ins>+                                2AF7382A18BBBF92008A5A37 /* StructureIDTable.cpp */,
+                                2AF7382B18BBBF92008A5A37 /* StructureIDTable.h */,
</ins><span class="cx">                                 BCF605110E203EF800B9A64D /* ArgList.cpp */,
</span><span class="cx">                                 BCF605120E203EF800B9A64D /* ArgList.h */,
</span><span class="cx">                                 BC257DE50E1F51C50016B6C9 /* Arguments.cpp */,
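Review bot: StructureIDTable.cpp and StructureIDTable.h are inserted at the head of the runtime group's children, ahead of ArgList.cpp, while the entries that follow are in alphabetical order. Move both to their sorted position in the group; the StructureIDBlob.h entry appended after WriteBarrierInlines.h in the next hunk has the same problem.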
</span><span class="lines">@@ -4140,6 +4148,7 @@
</span><span class="cx">                                 1420BE7A10AA6DDB00F455D2 /* WeakRandom.h */,
</span><span class="cx">                                 A7DCB77912E3D90500911940 /* WriteBarrier.h */,
</span><span class="cx">                                 C2B6D75218A33793004A9301 /* WriteBarrierInlines.h */,
</span><ins>+                                2AAAA31018BD49D100394CC8 /* StructureIDBlob.h */,
</ins><span class="cx">                         );
</span><span class="cx">                         path = runtime;
</span><span class="cx">                         sourceTree = &quot;&lt;group&gt;&quot;;
</span><span class="lines">@@ -4830,6 +4839,7 @@
</span><span class="cx">                                 0F6B1CB91861244C00845D97 /* ArityCheckMode.h in Headers */,
</span><span class="cx">                                 A1A009C11831A26E00CF8711 /* ARM64Assembler.h in Headers */,
</span><span class="cx">                                 86D3B2C410156BDE002865E7 /* ARMAssembler.h in Headers */,
</span><ins>+                                2AAAA31218BD49D100394CC8 /* StructureIDBlob.h in Headers */,
</ins><span class="cx">                                 86ADD1450FDDEA980006EEC2 /* ARMv7Assembler.h in Headers */,
</span><span class="cx">                                 65C0285D1717966800351E35 /* ARMv7DOpcode.h in Headers */,
</span><span class="cx">                                 0F8335B81639C1EA001443B5 /* ArrayAllocationProfile.h in Headers */,
</span><span class="lines">@@ -4843,6 +4853,7 @@
</span><span class="cx">                                 0F63945515D07057006A597C /* ArrayProfile.h in Headers */,
</span><span class="cx">                                 BC18C3E70E16F5CD00B34460 /* ArrayPrototype.h in Headers */,
</span><span class="cx">                                 BC18C5240E16FC8A00B34460 /* ArrayPrototype.lut.h in Headers */,
</span><ins>+                                2AF7382D18BBBF92008A5A37 /* StructureIDTable.h in Headers */,
</ins><span class="cx">                                 0FB7F39615ED8E4600F167B2 /* ArrayStorage.h in Headers */,
</span><span class="cx">                                 9688CB150ED12B4E001D649F /* AssemblerBuffer.h in Headers */,
</span><span class="cx">                                 86D3B2C510156BDE002865E7 /* AssemblerBufferWithConstantPool.h in Headers */,
</span><span class="lines">@@ -6282,6 +6293,7 @@
</span><span class="cx">                                 A5CEEE14187F3BAD00E55C99 /* InspectorAgent.cpp in Sources */,
</span><span class="cx">                                 A593CF86184038CA00BFCE27 /* InspectorAgentRegistry.cpp in Sources */,
</span><span class="cx">                                 A593CF7C1840360300BFCE27 /* InspectorBackendDispatcher.cpp in Sources */,
</span><ins>+                                2AF7382C18BBBF92008A5A37 /* StructureIDTable.cpp in Sources */,
</ins><span class="cx">                                 A5FD0081189B191A00633231 /* InspectorConsoleAgent.cpp in Sources */,
</span><span class="cx">                                 A57D23E51890CEBF0031C7FA /* InspectorDebuggerAgent.cpp in Sources */,
</span><span class="cx">                                 A532438718568335002ED692 /* InspectorJSBackendDispatchers.cpp in Sources */,
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreassemblerAbstractMacroAssemblerh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/assembler/AbstractMacroAssembler.h (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/assembler/AbstractMacroAssembler.h        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/assembler/AbstractMacroAssembler.h        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -434,7 +434,7 @@
</span><span class="cx"> 
</span><span class="cx">     // DataLabel32:
</span><span class="cx">     //
</span><del>-    // A DataLabelPtr is used to refer to a location in the code containing a pointer to be
</del><ins>+    // A DataLabel32 is used to refer to a location in the code containing a 32-bit constant to be
</ins><span class="cx">     // patched after the code has been generated.
</span><span class="cx">     class DataLabel32 {
</span><span class="cx">         template&lt;class TemplateAssemblerType&gt;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreassemblerMacroAssemblerh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/assembler/MacroAssembler.h (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/assembler/MacroAssembler.h        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/assembler/MacroAssembler.h        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -366,6 +366,11 @@
</span><span class="cx">         return PatchableJump(branchPtrWithPatch(cond, left, dataLabel, initialRightValue));
</span><span class="cx">     }
</span><span class="cx"> 
</span><ins>+    PatchableJump patchableBranch32WithPatch(RelationalCondition cond, Address left, DataLabel32&amp; dataLabel, TrustedImm32 initialRightValue = TrustedImm32(0))
+    {
+        return PatchableJump(branch32WithPatch(cond, left, dataLabel, initialRightValue));
+    }
+
</ins><span class="cx"> #if !CPU(ARM_TRADITIONAL)
</span><span class="cx">     PatchableJump patchableJump()
</span><span class="cx">     {
</span><span class="lines">@@ -381,6 +386,11 @@
</span><span class="cx">     {
</span><span class="cx">         return PatchableJump(branch32(cond, reg, imm));
</span><span class="cx">     }
</span><ins>+
+    PatchableJump patchableBranch32(RelationalCondition cond, Address address, TrustedImm32 imm)
+    {
+        return PatchableJump(branch32(cond, address, imm));
+    }
</ins><span class="cx"> #endif
</span><span class="cx"> #endif
</span><span class="cx"> 
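Review bot: The Address overload of patchableBranch32 is added inside the #if !CPU(ARM_TRADITIONAL) block, so this header does not provide it on that port, and the MacroAssemblerARM64.h hunks in this changeset add patchableBranch32WithPatch but no matching patchableBranch32(cond, Address, imm). Please confirm that every port supplying its own patchable jumps already has this overload, or add it there, so that shared callers build on all architectures.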
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreassemblerMacroAssemblerARM64h"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/assembler/MacroAssemblerARM64.h (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/assembler/MacroAssemblerARM64.h        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/assembler/MacroAssemblerARM64.h        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -2220,6 +2220,13 @@
</span><span class="cx">         return branch64(cond, left, dataTempRegister);
</span><span class="cx">     }
</span><span class="cx"> 
</span><ins>+    ALWAYS_INLINE Jump branch32WithPatch(RelationalCondition cond, Address left, DataLabel32&amp; dataLabel, TrustedImm32 initialRightValue = TrustedImm32(0))
+    {
+        dataLabel = DataLabel32(this);
+        moveWithPatch(initialRightValue, getCachedDataTempRegisterIDAndInvalidate());
+        return branch32(cond, left, dataTempRegister);
+    }
+
</ins><span class="cx">     PatchableJump patchableBranchPtr(RelationalCondition cond, Address left, TrustedImmPtr right = TrustedImmPtr(0))
</span><span class="cx">     {
</span><span class="cx">         m_makeJumpPatchable = true;
</span><span class="lines">@@ -2252,6 +2259,14 @@
</span><span class="cx">         return PatchableJump(result);
</span><span class="cx">     }
</span><span class="cx"> 
</span><ins>+    PatchableJump patchableBranch32WithPatch(RelationalCondition cond, Address left, DataLabel32&amp; dataLabel, TrustedImm32 initialRightValue = TrustedImm32(0))
+    {
+        m_makeJumpPatchable = true;
+        Jump result = branch32WithPatch(cond, left, dataLabel, initialRightValue);
+        m_makeJumpPatchable = false;
+        return PatchableJump(result);
+    }
+
</ins><span class="cx">     PatchableJump patchableJump()
</span><span class="cx">     {
</span><span class="cx">         m_makeJumpPatchable = true;
</span><span class="lines">@@ -2322,6 +2337,7 @@
</span><span class="cx">     RegisterID scratchRegisterForBlinding() { return getCachedDataTempRegisterIDAndInvalidate(); }
</span><span class="cx"> 
</span><span class="cx">     static bool canJumpReplacePatchableBranchPtrWithPatch() { return false; }
</span><ins>+    static bool canJumpReplacePatchableBranch32WithPatch() { return false; }
</ins><span class="cx">     
</span><span class="cx">     static CodeLocationLabel startOfBranchPtrWithPatchOnRegister(CodeLocationDataLabelPtr label)
</span><span class="cx">     {
</span><span class="lines">@@ -2334,6 +2350,12 @@
</span><span class="cx">         return CodeLocationLabel();
</span><span class="cx">     }
</span><span class="cx">     
</span><ins>+    static CodeLocationLabel startOfPatchableBranch32WithPatchOnAddress(CodeLocationDataLabel32)
+    {
+        UNREACHABLE_FOR_PLATFORM();
+        return CodeLocationLabel();
+    }
+    
</ins><span class="cx">     static void revertJumpReplacementToBranchPtrWithPatch(CodeLocationLabel instructionStart, RegisterID, void* initialValue)
</span><span class="cx">     {
</span><span class="cx">         reemitInitialMoveWithPatch(instructionStart.dataLocation(), initialValue);
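Review bot: startOfPatchableBranch32WithPatchOnAddress is an UNREACHABLE_FOR_PLATFORM stub with no comment saying what keeps it from being called; the only visible guard is canJumpReplacePatchableBranch32WithPatch() returning false in the previous hunk. A one-line comment on the stub stating that dependency would stop a later change to the predicate from routing callers into it unnoticed.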
</span><span class="lines">@@ -2344,6 +2366,11 @@
</span><span class="cx">         UNREACHABLE_FOR_PLATFORM();
</span><span class="cx">     }
</span><span class="cx"> 
</span><ins>+    static void revertJumpReplacementToPatchableBranch32WithPatch(CodeLocationLabel, Address, int32_t)
+    {
+        UNREACHABLE_FOR_PLATFORM();
+    }
+
</ins><span class="cx"> protected:
</span><span class="cx">     ALWAYS_INLINE Jump makeBranch(ARM64Assembler::Condition cond)
</span><span class="cx">     {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreassemblerMacroAssemblerARMv7h"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/assembler/MacroAssemblerARMv7.h (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/assembler/MacroAssemblerARMv7.h        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/assembler/MacroAssemblerARMv7.h        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -753,6 +753,11 @@
</span><span class="cx">         store32(dataTempRegister, address);
</span><span class="cx">     }
</span><span class="cx"> 
</span><ins>+    void store8(RegisterID src, Address address)
+    {
+        store8(src, setupArmAddress(address));
+    }
+    
</ins><span class="cx">     void store8(RegisterID src, BaseIndex address)
</span><span class="cx">     {
</span><span class="cx">         store8(src, setupArmAddress(address));
</span><span class="lines">@@ -770,6 +775,12 @@
</span><span class="cx">         store8(dataTempRegister, address);
</span><span class="cx">     }
</span><span class="cx">     
</span><ins>+    void store8(TrustedImm32 imm, Address address)
+    {
+        move(imm, dataTempRegister);
+        store8(dataTempRegister, address);
+    }
+    
</ins><span class="cx">     void store16(RegisterID src, BaseIndex address)
</span><span class="cx">     {
</span><span class="cx">         store16(src, setupArmAddress(address));
</span><span class="lines">@@ -1726,6 +1737,13 @@
</span><span class="cx">         return branch32(cond, addressTempRegister, dataTempRegister);
</span><span class="cx">     }
</span><span class="cx">     
</span><ins>+    ALWAYS_INLINE Jump branch32WithPatch(RelationalCondition cond, Address left, DataLabel32&amp; dataLabel, TrustedImm32 initialRightValue = TrustedImm32(0))
+    {
+        load32(left, addressTempRegister);
+        dataLabel = moveWithPatch(initialRightValue, dataTempRegister);
+        return branch32(cond, addressTempRegister, dataTempRegister);
+    }
+    
</ins><span class="cx">     PatchableJump patchableBranchPtr(RelationalCondition cond, Address left, TrustedImmPtr right = TrustedImmPtr(0))
</span><span class="cx">     {
</span><span class="cx">         m_makeJumpPatchable = true;
</span><span class="lines">@@ -1758,6 +1776,14 @@
</span><span class="cx">         return PatchableJump(result);
</span><span class="cx">     }
</span><span class="cx"> 
</span><ins>+    PatchableJump patchableBranch32WithPatch(RelationalCondition cond, Address left, DataLabel32&amp; dataLabel, TrustedImm32 initialRightValue = TrustedImm32(0))
+    {
+        m_makeJumpPatchable = true;
+        Jump result = branch32WithPatch(cond, left, dataLabel, initialRightValue);
+        m_makeJumpPatchable = false;
+        return PatchableJump(result);
+    }
+
</ins><span class="cx">     PatchableJump patchableJump()
</span><span class="cx">     {
</span><span class="cx">         padBeforePatch();
</span><span class="lines">@@ -1796,6 +1822,7 @@
</span><span class="cx">     }
</span><span class="cx">     
</span><span class="cx">     static bool canJumpReplacePatchableBranchPtrWithPatch() { return false; }
</span><ins>+    static bool canJumpReplacePatchableBranch32WithPatch() { return false; }
</ins><span class="cx">     
</span><span class="cx">     static CodeLocationLabel startOfBranchPtrWithPatchOnRegister(CodeLocationDataLabelPtr label)
</span><span class="cx">     {
</span><span class="lines">@@ -1819,11 +1846,22 @@
</span><span class="cx">         return CodeLocationLabel();
</span><span class="cx">     }
</span><span class="cx">     
</span><ins>+    static CodeLocationLabel startOfPatchableBranch32WithPatchOnAddress(CodeLocationDataLabel32)
+    {
+        UNREACHABLE_FOR_PLATFORM();
+        return CodeLocationLabel();
+    }
+    
</ins><span class="cx">     static void revertJumpReplacementToPatchableBranchPtrWithPatch(CodeLocationLabel, Address, void*)
</span><span class="cx">     {
</span><span class="cx">         UNREACHABLE_FOR_PLATFORM();
</span><span class="cx">     }
</span><span class="cx"> 
</span><ins>+    static void revertJumpReplacementToPatchableBranch32WithPatch(CodeLocationLabel, Address, int32_t)
+    {
+        UNREACHABLE_FOR_PLATFORM();
+    }
+
</ins><span class="cx"> #if USE(MASM_PROBE)
</span><span class="cx">     struct CPUState {
</span><span class="cx">         #define DECLARE_REGISTER(_type, _regName) \
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreassemblerMacroAssemblerX86h"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/assembler/MacroAssemblerX86.h (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/assembler/MacroAssemblerX86.h        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/assembler/MacroAssemblerX86.h        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -257,6 +257,14 @@
</span><span class="cx">         return Jump(m_assembler.jCC(x86Condition(cond)));
</span><span class="cx">     }
</span><span class="cx"> 
</span><ins>+    Jump branch32WithPatch(RelationalCondition cond, Address left, DataLabel32&amp; dataLabel, TrustedImm32 initialRightValue = TrustedImm32(0))
+    {
+        padBeforePatch();
+        m_assembler.cmpl_im_force32(initialRightValue.m_value, left.offset, left.base);
+        dataLabel = DataLabel32(this);
+        return Jump(m_assembler.jCC(x86Condition(cond)));
+    }
+
</ins><span class="cx">     DataLabelPtr storePtrWithPatch(TrustedImmPtr initialValue, ImplicitAddress address)
</span><span class="cx">     {
</span><span class="cx">         padBeforePatch();
</span><span class="lines">@@ -277,6 +285,7 @@
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     static bool canJumpReplacePatchableBranchPtrWithPatch() { return true; }
</span><ins>+    static bool canJumpReplacePatchableBranch32WithPatch() { return true; }
</ins><span class="cx">     
</span><span class="cx">     static CodeLocationLabel startOfBranchPtrWithPatchOnRegister(CodeLocationDataLabelPtr label)
</span><span class="cx">     {
</span><span class="lines">@@ -299,6 +308,17 @@
</span><span class="cx">         return label.labelAtOffset(-totalBytes);
</span><span class="cx">     }
</span><span class="cx">     
</span><ins>+    static CodeLocationLabel startOfPatchableBranch32WithPatchOnAddress(CodeLocationDataLabel32 label)
+    {
+        const int opcodeBytes = 1;
+        const int modRMBytes = 1;
+        const int offsetBytes = 0;
+        const int immediateBytes = 4;
+        const int totalBytes = opcodeBytes + modRMBytes + offsetBytes + immediateBytes;
+        ASSERT(totalBytes &gt;= maxJumpReplacementSize());
+        return label.labelAtOffset(-totalBytes);
+    }
+    
</ins><span class="cx">     static void revertJumpReplacementToBranchPtrWithPatch(CodeLocationLabel instructionStart, RegisterID reg, void* initialValue)
</span><span class="cx">     {
</span><span class="cx">         X86Assembler::revertJumpTo_cmpl_ir_force32(instructionStart.executableAddress(), reinterpret_cast&lt;intptr_t&gt;(initialValue), reg);
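Review bot: startOfPatchableBranch32WithPatchOnAddress hard-codes offsetBytes = 0 and no SIB byte, but branch32WithPatch
in this file emits cmpl_im_force32 with left.offset and left.base unchecked; only the revert path asserts !address.offset.
With a nonzero offset, or a base that needs a SIB byte, labelAtOffset(-totalBytes) lands inside the instruction and the
jump replacement is written at the wrong address. Add ASSERT(!left.offset) at the emission site, or compute the length
from the operand.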
</span><span class="lines">@@ -310,6 +330,12 @@
</span><span class="cx">         X86Assembler::revertJumpTo_cmpl_im_force32(instructionStart.executableAddress(), reinterpret_cast&lt;intptr_t&gt;(initialValue), 0, address.base);
</span><span class="cx">     }
</span><span class="cx"> 
</span><ins>+    static void revertJumpReplacementToPatchableBranch32WithPatch(CodeLocationLabel instructionStart, Address address, int32_t initialValue)
+    {
+        ASSERT(!address.offset);
+        X86Assembler::revertJumpTo_cmpl_im_force32(instructionStart.executableAddress(), initialValue, 0, address.base);
+    }
+
</ins><span class="cx"> #if USE(MASM_PROBE)
</span><span class="cx">     // For details about probe(), see comment in MacroAssemblerX86_64.h.
</span><span class="cx">     void probe(ProbeFunction, void* arg1 = 0, void* arg2 = 0);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreassemblerMacroAssemblerX86_64h"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/assembler/MacroAssemblerX86_64.h (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/assembler/MacroAssemblerX86_64.h        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/assembler/MacroAssemblerX86_64.h        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -126,6 +126,16 @@
</span><span class="cx">         move(TrustedImmPtr(address), scratchRegister);
</span><span class="cx">         store32(imm, scratchRegister);
</span><span class="cx">     }
</span><ins>+
+    void store32(RegisterID source, void* address)
+    {
+        if (source == X86Registers::eax)
+            m_assembler.movl_EAXm(address);
+        else {
+            move(TrustedImmPtr(address), scratchRegister);
+            store32(source, scratchRegister);
+        }
+    }
</ins><span class="cx">     
</span><span class="cx">     void store8(TrustedImm32 imm, void* address)
</span><span class="cx">     {
</span><span class="lines">@@ -627,6 +637,13 @@
</span><span class="cx">         return DataLabelPtr(this);
</span><span class="cx">     }
</span><span class="cx"> 
</span><ins>+    DataLabelPtr moveWithPatch(TrustedImm32 initialValue, RegisterID dest)
+    {
+        padBeforePatch();
+        m_assembler.movq_i64r(initialValue.m_value, dest);
+        return DataLabelPtr(this);
+    }
+
</ins><span class="cx">     Jump branchPtrWithPatch(RelationalCondition cond, RegisterID left, DataLabelPtr&amp; dataLabel, TrustedImmPtr initialRightValue = TrustedImmPtr(0))
</span><span class="cx">     {
</span><span class="cx">         dataLabel = moveWithPatch(initialRightValue, scratchRegister);
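Review bot: moveWithPatch(TrustedImm32, RegisterID) takes a 32-bit immediate but emits movq_i64r and returns DataLabelPtr,
so the patch site is a 64-bit immediate, while branch32WithPatch in the next hunk uses movl_i32r with DataLabel32.
Say in a comment why the 32-bit overload needs the 8-byte form, or emit movl_i32r and return DataLabel32, so that a
caller cannot repatch the site with the wrong width.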
</span><span class="lines">@@ -639,6 +656,14 @@
</span><span class="cx">         return branch64(cond, left, scratchRegister);
</span><span class="cx">     }
</span><span class="cx"> 
</span><ins>+    Jump branch32WithPatch(RelationalCondition cond, Address left, DataLabel32&amp; dataLabel, TrustedImm32 initialRightValue = TrustedImm32(0))
+    {
+        padBeforePatch();
+        m_assembler.movl_i32r(initialRightValue.m_value, scratchRegister);
+        dataLabel = DataLabel32(this);
+        return branch32(cond, left, scratchRegister);
+    }
+
</ins><span class="cx">     DataLabelPtr storePtrWithPatch(TrustedImmPtr initialValue, ImplicitAddress address)
</span><span class="cx">     {
</span><span class="cx">         DataLabelPtr label = moveWithPatch(initialValue, scratchRegister);
</span><span class="lines">@@ -687,6 +712,7 @@
</span><span class="cx">     static RegisterID scratchRegisterForBlinding() { return scratchRegister; }
</span><span class="cx"> 
</span><span class="cx">     static bool canJumpReplacePatchableBranchPtrWithPatch() { return true; }
</span><ins>+    static bool canJumpReplacePatchableBranch32WithPatch() { return true; }
</ins><span class="cx">     
</span><span class="cx">     static CodeLocationLabel startOfBranchPtrWithPatchOnRegister(CodeLocationDataLabelPtr label)
</span><span class="cx">     {
</span><span class="lines">@@ -698,16 +724,36 @@
</span><span class="cx">         return label.labelAtOffset(-totalBytes);
</span><span class="cx">     }
</span><span class="cx">     
</span><ins>+    static CodeLocationLabel startOfBranch32WithPatchOnRegister(CodeLocationDataLabel32 label)
+    {
+        const int rexBytes = 1;
+        const int opcodeBytes = 1;
+        const int immediateBytes = 4;
+        const int totalBytes = rexBytes + opcodeBytes + immediateBytes;
+        ASSERT(totalBytes &gt;= maxJumpReplacementSize());
+        return label.labelAtOffset(-totalBytes);
+    }
+    
</ins><span class="cx">     static CodeLocationLabel startOfPatchableBranchPtrWithPatchOnAddress(CodeLocationDataLabelPtr label)
</span><span class="cx">     {
</span><span class="cx">         return startOfBranchPtrWithPatchOnRegister(label);
</span><span class="cx">     }
</span><ins>+
+    static CodeLocationLabel startOfPatchableBranch32WithPatchOnAddress(CodeLocationDataLabel32 label)
+    {
+        return startOfBranch32WithPatchOnRegister(label);
+    }
</ins><span class="cx">     
</span><span class="cx">     static void revertJumpReplacementToPatchableBranchPtrWithPatch(CodeLocationLabel instructionStart, Address, void* initialValue)
</span><span class="cx">     {
</span><span class="cx">         X86Assembler::revertJumpTo_movq_i64r(instructionStart.executableAddress(), reinterpret_cast&lt;intptr_t&gt;(initialValue), scratchRegister);
</span><span class="cx">     }
</span><span class="cx"> 
</span><ins>+    static void revertJumpReplacementToPatchableBranch32WithPatch(CodeLocationLabel instructionStart, Address, int32_t initialValue)
+    {
+        X86Assembler::revertJumpTo_movl_i32r(instructionStart.executableAddress(), initialValue, scratchRegister);
+    }
+
</ins><span class="cx">     static void revertJumpReplacementToBranchPtrWithPatch(CodeLocationLabel instructionStart, RegisterID, void* initialValue)
</span><span class="cx">     {
</span><span class="cx">         X86Assembler::revertJumpTo_movq_i64r(instructionStart.executableAddress(), reinterpret_cast&lt;intptr_t&gt;(initialValue), scratchRegister);
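Review bot: startOfBranch32WithPatchOnRegister assumes rexBytes = 1, which holds only when the destination register is
r8 to r15, and nothing in this function ties that to scratchRegister. revertJumpTo_movl_i32r asserts
dst == X86Registers::r11 for the same reason, so add a matching comment or assertion here to keep the 6-byte length in
step with what movl_i32r emits.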
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreassemblerRepatchBufferh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/assembler/RepatchBuffer.h (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/assembler/RepatchBuffer.h        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/assembler/RepatchBuffer.h        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -157,6 +157,11 @@
</span><span class="cx">     {
</span><span class="cx">         return MacroAssembler::startOfPatchableBranchPtrWithPatchOnAddress(label);
</span><span class="cx">     }
</span><ins>+
+    static CodeLocationLabel startOfPatchableBranch32WithPatchOnAddress(CodeLocationDataLabel32 label)
+    {
+        return MacroAssembler::startOfPatchableBranch32WithPatchOnAddress(label);
+    }
</ins><span class="cx">     
</span><span class="cx">     void replaceWithJump(CodeLocationLabel instructionStart, CodeLocationLabel destination)
</span><span class="cx">     {
</span><span class="lines">@@ -176,6 +181,11 @@
</span><span class="cx">         MacroAssembler::revertJumpReplacementToPatchableBranchPtrWithPatch(instructionStart, address, value);
</span><span class="cx">     }
</span><span class="cx"> 
</span><ins>+    void revertJumpReplacementToPatchableBranch32WithPatch(CodeLocationLabel instructionStart, MacroAssembler::Address address, int32_t value)
+    {
+        MacroAssembler::revertJumpReplacementToPatchableBranch32WithPatch(instructionStart, address, value);
+    }
+
</ins><span class="cx"> private:
</span><span class="cx">     CodeBlock* m_codeBlock;
</span><span class="cx"> #if ENABLE(ASSEMBLER_WX_EXCLUSIVE)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreassemblerX86Assemblerh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/assembler/X86Assembler.h (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/assembler/X86Assembler.h        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/assembler/X86Assembler.h        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -1330,7 +1330,7 @@
</span><span class="cx">     {
</span><span class="cx">         m_formatter.oneByteOp8(OP_MOV_EbGb, src, base, index, scale, offset);
</span><span class="cx">     }
</span><del>-    
</del><ins>+
</ins><span class="cx">     void movw_rm(RegisterID src, int offset, RegisterID base, RegisterID index, int scale)
</span><span class="cx">     {
</span><span class="cx">         m_formatter.prefix(PRE_OPERAND_SIZE);
</span><span class="lines">@@ -2054,9 +2054,9 @@
</span><span class="cx"> #if CPU(X86_64)
</span><span class="cx">     static void revertJumpTo_movq_i64r(void* instructionStart, int64_t imm, RegisterID dst)
</span><span class="cx">     {
</span><ins>+        const unsigned instructionSize = 10; // REX.W MOV IMM64
</ins><span class="cx">         const int rexBytes = 1;
</span><span class="cx">         const int opcodeBytes = 1;
</span><del>-        ASSERT(rexBytes + opcodeBytes &lt;= maxJumpReplacementSize());
</del><span class="cx">         uint8_t* ptr = reinterpret_cast&lt;uint8_t*&gt;(instructionStart);
</span><span class="cx">         ptr[0] = PRE_REX | (1 &lt;&lt; 3) | (dst &gt;&gt; 3);
</span><span class="cx">         ptr[1] = OP_MOV_EAXIv | (dst &amp; 7);
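Review bot: instructionSize = 10 is a literal that repeats rexBytes + opcodeBytes plus the 8-byte immediate, and the
removed ASSERT was the only check in revertJumpTo_movq_i64r relating this rewrite to maxJumpReplacementSize().
Derive the size from the named constants and sizeof(u.asBytes), and keep an assertion that the restored instruction is
at least as long as the jump it replaces.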
</span><span class="lines">@@ -2066,11 +2066,33 @@
</span><span class="cx">             uint8_t asBytes[8];
</span><span class="cx">         } u;
</span><span class="cx">         u.asWord = imm;
</span><del>-        for (unsigned i = rexBytes + opcodeBytes; i &lt; static_cast&lt;unsigned&gt;(maxJumpReplacementSize()); ++i)
</del><ins>+        for (unsigned i = rexBytes + opcodeBytes; i &lt; instructionSize; ++i)
</ins><span class="cx">             ptr[i] = u.asBytes[i - rexBytes - opcodeBytes];
</span><span class="cx">     }
</span><ins>+
+    static void revertJumpTo_movl_i32r(void* instructionStart, int32_t imm, RegisterID dst)
+    {
+        // We only revert jumps on inline caches, and inline caches always use the scratch register (r11).
+        // FIXME: If the above is ever false then we need to make this smarter with respect to emitting 
+        // the REX byte.
+        ASSERT(dst == X86Registers::r11);
+        const unsigned instructionSize = 6; // REX MOV IMM32
+        const int rexBytes = 1;
+        const int opcodeBytes = 1;
+        uint8_t* ptr = reinterpret_cast&lt;uint8_t*&gt;(instructionStart);
+        ptr[0] = PRE_REX | (dst &gt;&gt; 3);
+        ptr[1] = OP_MOV_EAXIv | (dst &amp; 7);
+        
+        union {
+            uint32_t asWord;
+            uint8_t asBytes[4];
+        } u;
+        u.asWord = imm;
+        for (unsigned i = rexBytes + opcodeBytes; i &lt; instructionSize; ++i)
+            ptr[i] = u.asBytes[i - rexBytes - opcodeBytes];
+    }
</ins><span class="cx"> #endif
</span><del>-    
</del><ins>+
</ins><span class="cx">     static void revertJumpTo_cmpl_ir_force32(void* instructionStart, int32_t imm, RegisterID dst)
</span><span class="cx">     {
</span><span class="cx">         const int opcodeBytes = 1;
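Review bot: revertJumpTo_movl_i32r always writes 6 bytes, and ASSERT(dst == X86Registers::r11) is the only guard on
that; the FIXME already says the REX handling is incomplete. For a register that needs no REX prefix the original
instruction is 5 bytes, so this write would run into the following instruction. Make the check unconditional
(RELEASE_ASSERT) or compute instructionSize from whether dst needs REX.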
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeArrayProfilecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/ArrayProfile.cpp (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/ArrayProfile.cpp        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/bytecode/ArrayProfile.cpp        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -77,24 +77,25 @@
</span><span class="cx"> 
</span><span class="cx"> void ArrayProfile::computeUpdatedPrediction(const ConcurrentJITLocker&amp;, CodeBlock* codeBlock)
</span><span class="cx"> {
</span><del>-    if (!m_lastSeenStructure)
</del><ins>+    if (!m_lastSeenStructureID)
</ins><span class="cx">         return;
</span><span class="cx">     
</span><del>-    m_observedArrayModes |= arrayModeFromStructure(m_lastSeenStructure);
</del><ins>+    Structure* lastSeenStructure = codeBlock-&gt;heap()-&gt;structureIDTable().get(m_lastSeenStructureID);
+    m_observedArrayModes |= arrayModeFromStructure(lastSeenStructure);
</ins><span class="cx">     
</span><span class="cx">     if (!m_didPerformFirstRunPruning
</span><span class="cx">         &amp;&amp; hasTwoOrMoreBitsSet(m_observedArrayModes)) {
</span><del>-        m_observedArrayModes = arrayModeFromStructure(m_lastSeenStructure);
</del><ins>+        m_observedArrayModes = arrayModeFromStructure(lastSeenStructure);
</ins><span class="cx">         m_didPerformFirstRunPruning = true;
</span><span class="cx">     }
</span><span class="cx">     
</span><span class="cx">     m_mayInterceptIndexedAccesses |=
</span><del>-        m_lastSeenStructure-&gt;typeInfo().interceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero();
</del><ins>+        lastSeenStructure-&gt;typeInfo().interceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero();
</ins><span class="cx">     JSGlobalObject* globalObject = codeBlock-&gt;globalObject();
</span><del>-    if (!globalObject-&gt;isOriginalArrayStructure(m_lastSeenStructure)
-        &amp;&amp; !globalObject-&gt;isOriginalTypedArrayStructure(m_lastSeenStructure))
</del><ins>+    if (!globalObject-&gt;isOriginalArrayStructure(lastSeenStructure)
+        &amp;&amp; !globalObject-&gt;isOriginalTypedArrayStructure(lastSeenStructure))
</ins><span class="cx">         m_usesOriginalArrayStructures = false;
</span><del>-    m_lastSeenStructure = 0;
</del><ins>+    m_lastSeenStructureID = 0;
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> CString ArrayProfile::briefDescription(const ConcurrentJITLocker&amp; locker, CodeBlock* codeBlock)
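Review bot: in computeUpdatedPrediction the result of structureIDTable().get(m_lastSeenStructureID) is dereferenced with
no check that the ID still names a live Structure. m_lastSeenStructureID is a plain integer that nothing here keeps
alive, so document what guarantees the table entry has not been freed or reused between observeStructure and this call,
or assert on the looked-up pointer before using it.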
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeArrayProfileh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/ArrayProfile.h (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/ArrayProfile.h        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/bytecode/ArrayProfile.h        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -135,7 +135,7 @@
</span><span class="cx"> public:
</span><span class="cx">     ArrayProfile()
</span><span class="cx">         : m_bytecodeOffset(std::numeric_limits&lt;unsigned&gt;::max())
</span><del>-        , m_lastSeenStructure(0)
</del><ins>+        , m_lastSeenStructureID(0)
</ins><span class="cx">         , m_mayStoreToHole(false)
</span><span class="cx">         , m_outOfBounds(false)
</span><span class="cx">         , m_mayInterceptIndexedAccesses(false)
</span><span class="lines">@@ -147,7 +147,7 @@
</span><span class="cx">     
</span><span class="cx">     ArrayProfile(unsigned bytecodeOffset)
</span><span class="cx">         : m_bytecodeOffset(bytecodeOffset)
</span><del>-        , m_lastSeenStructure(0)
</del><ins>+        , m_lastSeenStructureID(0)
</ins><span class="cx">         , m_mayStoreToHole(false)
</span><span class="cx">         , m_outOfBounds(false)
</span><span class="cx">         , m_mayInterceptIndexedAccesses(false)
</span><span class="lines">@@ -159,14 +159,14 @@
</span><span class="cx">     
</span><span class="cx">     unsigned bytecodeOffset() const { return m_bytecodeOffset; }
</span><span class="cx">     
</span><del>-    Structure** addressOfLastSeenStructure() { return &amp;m_lastSeenStructure; }
</del><ins>+    StructureID* addressOfLastSeenStructureID() { return &amp;m_lastSeenStructureID; }
</ins><span class="cx">     ArrayModes* addressOfArrayModes() { return &amp;m_observedArrayModes; }
</span><span class="cx">     bool* addressOfMayStoreToHole() { return &amp;m_mayStoreToHole; }
</span><span class="cx">     bool* addressOfOutOfBounds() { return &amp;m_outOfBounds; }
</span><span class="cx">     
</span><span class="cx">     void observeStructure(Structure* structure)
</span><span class="cx">     {
</span><del>-        m_lastSeenStructure = structure;
</del><ins>+        m_lastSeenStructureID = structure-&gt;id();
</ins><span class="cx">     }
</span><span class="cx">     
</span><span class="cx">     void computeUpdatedPrediction(const ConcurrentJITLocker&amp;, CodeBlock*);
</span><span class="lines">@@ -188,7 +188,7 @@
</span><span class="cx">     static Structure* polymorphicStructure() { return static_cast&lt;Structure*&gt;(reinterpret_cast&lt;void*&gt;(1)); }
</span><span class="cx">     
</span><span class="cx">     unsigned m_bytecodeOffset;
</span><del>-    Structure* m_lastSeenStructure;
</del><ins>+    StructureID m_lastSeenStructureID;
</ins><span class="cx">     bool m_mayStoreToHole; // This flag may become overloaded to indicate other special cases that were encountered during array access, as it depends on indexing type. Since we currently have basically just one indexing type (two variants of ArrayStorage), this flag for now just means exactly what its name implies.
</span><span class="cx">     bool m_outOfBounds;
</span><span class="cx">     bool m_mayInterceptIndexedAccesses : 1;
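Review bot: polymorphicStructure() in the context lines above still returns a Structure* sentinel cast from 1, while the
member declared next to it is now StructureID m_lastSeenStructureID. If nothing compares the sentinel against this field
any more, remove it; otherwise it needs a StructureID equivalent.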
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeCodeBlockh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/CodeBlock.h (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/CodeBlock.h        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/bytecode/CodeBlock.h        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -669,6 +669,7 @@
</span><span class="cx">         return constantBufferAsVector(index).data();
</span><span class="cx">     }
</span><span class="cx"> 
</span><ins>+    Heap* heap() const { return m_heap; }
</ins><span class="cx">     JSGlobalObject* globalObject() { return m_globalObject.get(); }
</span><span class="cx"> 
</span><span class="cx">     JSGlobalObject* globalObjectFor(CodeOrigin);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeUnlinkedCodeBlockh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.h (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.h        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.h        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -206,7 +206,7 @@
</span><span class="cx">         return Structure::create(vm, globalObject, proto, TypeInfo(UnlinkedFunctionExecutableType, StructureFlags), info());
</span><span class="cx">     }
</span><span class="cx"> 
</span><del>-    static const unsigned StructureFlags = OverridesVisitChildren | JSCell::StructureFlags;
</del><ins>+    static const unsigned StructureFlags = OverridesVisitChildren | StructureIsImmortal | JSCell::StructureFlags;
</ins><span class="cx"> 
</span><span class="cx">     DECLARE_EXPORT_INFO;
</span><span class="cx"> };
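Review bot: StructureIsImmortal is added to StructureFlags here and again in the next hunk with no comment on why these
cell types need it. State in a comment what depends on the Structure outliving its cells, since dropping the flag later
would still compile.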
</span><span class="lines">@@ -579,7 +579,7 @@
</span><span class="cx"> 
</span><span class="cx"> protected:
</span><span class="cx"> 
</span><del>-    static const unsigned StructureFlags = OverridesVisitChildren | Base::StructureFlags;
</del><ins>+    static const unsigned StructureFlags = OverridesVisitChildren | StructureIsImmortal | Base::StructureFlags;
</ins><span class="cx">     static void visitChildren(JSCell*, SlotVisitor&amp;);
</span><span class="cx"> 
</span><span class="cx"> public:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGAbstractHeaph"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGAbstractHeap.h (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGAbstractHeap.h        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/dfg/DFGAbstractHeap.h        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -53,7 +53,10 @@
</span><span class="cx">     macro(JSArrayBufferView_length) \
</span><span class="cx">     macro(JSArrayBufferView_mode) \
</span><span class="cx">     macro(JSArrayBufferView_vector) \
</span><del>-    macro(JSCell_structure) \
</del><ins>+    macro(JSCell_structureID) \
+    macro(JSCell_indexingType) \
+    macro(JSCell_typeInfoFlags) \
+    macro(JSCell_typeInfoType) \
</ins><span class="cx">     macro(JSFunction_executable) \
</span><span class="cx">     macro(JSFunction_scopeChain) \
</span><span class="cx">     macro(JSObject_butterfly) \
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGArrayifySlowPathGeneratorh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGArrayifySlowPathGenerator.h (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGArrayifySlowPathGenerator.h        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/dfg/DFGArrayifySlowPathGenerator.h        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -120,23 +120,14 @@
</span><span class="cx">         if (m_op == ArrayifyToStructure) {
</span><span class="cx">             ASSERT(m_structure);
</span><span class="cx">             m_badIndexingTypeJump.fill(
</span><del>-                jit, jit-&gt;m_jit.branchWeakPtr(
-                    MacroAssembler::NotEqual,
-                    MacroAssembler::Address(m_baseGPR, JSCell::structureOffset()),
-                    m_structure));
</del><ins>+                jit, jit-&gt;m_jit.branchWeakStructure(MacroAssembler::NotEqual, MacroAssembler::Address(m_baseGPR, JSCell::structureIDOffset()), m_structure));
</ins><span class="cx">         } else {
</span><del>-            // Alas, we need to reload the structure because silent spilling does not save
-            // temporaries. Nor would it be useful for it to do so. Either way we're talking
-            // about a load.
-            jit-&gt;m_jit.loadPtr(
-                MacroAssembler::Address(m_baseGPR, JSCell::structureOffset()), m_structureGPR);
-            
</del><span class="cx">             // Finally, check that we have the kind of array storage that we wanted to get.
</span><span class="cx">             // Note that this is a backwards speculation check, which will result in the 
</span><span class="cx">             // bytecode operation corresponding to this arrayification being reexecuted.
</span><span class="cx">             // That's fine, since arrayification is not user-visible.
</span><span class="cx">             jit-&gt;m_jit.load8(
</span><del>-                MacroAssembler::Address(m_structureGPR, Structure::indexingTypeOffset()), m_structureGPR);
</del><ins>+                MacroAssembler::Address(m_baseGPR, JSCell::indexingTypeOffset()), m_structureGPR);
</ins><span class="cx">             m_badIndexingTypeJump.fill(
</span><span class="cx">                 jit, jit-&gt;jumpSlowForUnwantedArrayMode(m_structureGPR, m_arrayMode));
</span><span class="cx">         }
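Review bot: in the else branch m_structureGPR no longer holds a structure; load8 puts the indexing type byte from
JSCell::indexingTypeOffset() into it and passes it to jumpSlowForUnwantedArrayMode. Rename the register or add a comment
saying it is reused as a scratch. The new branchWeakStructure call is also on one very long line where the code it
replaces was wrapped per argument.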
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGClobberizeh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGClobberize.h (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGClobberize.h        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/dfg/DFGClobberize.h        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -60,7 +60,7 @@
</span><span class="cx">     //   versions of those nodes that backward-exit instead, but I'm not convinced
</span><span class="cx">     //   of the soundness.
</span><span class="cx">     //
</span><del>-    // - Some nodes lie, and claim that they do not read the JSCell_structure.
</del><ins>+    // - Some nodes lie, and claim that they do not read the JSCell_structureID, JSCell_typeInfoFlags, etc.
</ins><span class="cx">     //   These are nodes that use the structure in a way that does not depend on
</span><span class="cx">     //   things that change under structure transitions.
</span><span class="cx">     //
</span><span class="lines">@@ -79,7 +79,7 @@
</span><span class="cx">     //   small hacking.
</span><span class="cx">     
</span><span class="cx">     if (edgesUseStructure(graph, node))
</span><del>-        read(JSCell_structure);
</del><ins>+        read(JSCell_structureID);
</ins><span class="cx">     
</span><span class="cx">     switch (node-&gt;op()) {
</span><span class="cx">     case JSConstant:
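Review bot: edgesUseStructure() still maps to a single read(JSCell_structureID), but edge checks in this same
revision now load other header bytes directly from the cell (speculateFinalObject in DFGSpeculativeJIT.cpp
reads JSCell::typeInfoTypeOffset()). Either read the matching heap here as well, or add a comment that
JSCell_structureID stands in for all header fields on edges, which holds only while every writer of those
heaps also writes JSCell_structureID.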
</span><span class="lines">@@ -412,19 +412,30 @@
</span><span class="cx">         
</span><span class="cx">     case CheckStructure:
</span><span class="cx">     case StructureTransitionWatchpoint:
</span><ins>+    case InstanceOf:
+        read(JSCell_structureID);
+        return;
+
</ins><span class="cx">     case CheckArray:
</span><ins>+        read(JSCell_indexingType);
+        read(JSCell_typeInfoType);
+        read(JSCell_structureID);
+        return;
+
</ins><span class="cx">     case CheckHasInstance:
</span><del>-    case InstanceOf:
-        read(JSCell_structure);
</del><ins>+        read(JSCell_typeInfoFlags);
</ins><span class="cx">         return;
</span><del>-        
</del><ins>+
</ins><span class="cx">     case CheckExecutable:
</span><span class="cx">         read(JSFunction_executable);
</span><span class="cx">         return;
</span><span class="cx">         
</span><span class="cx">     case PutStructure:
</span><span class="cx">     case PhantomPutStructure:
</span><del>-        write(JSCell_structure);
</del><ins>+        write(JSCell_structureID);
+        write(JSCell_typeInfoType);
+        write(JSCell_typeInfoFlags);
+        write(JSCell_indexingType);
</ins><span class="cx">         return;
</span><span class="cx">         
</span><span class="cx">     case AllocatePropertyStorage:
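Review bot: the read sets for CheckArray (three heaps, regardless of array mode) and CheckHasInstance
(JSCell_typeInfoFlags only) are now hand-split with no explanation. A one-line comment on each case naming
the header byte the emitted check actually loads would let the next reader verify these sets against
DFGSpeculativeJIT.cpp. The changed blank line before CheckExecutable only strips trailing whitespace and
could be left out of this patch.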
</span><span class="lines">@@ -444,9 +455,11 @@
</span><span class="cx">         
</span><span class="cx">     case Arrayify:
</span><span class="cx">     case ArrayifyToStructure:
</span><del>-        read(JSCell_structure);
</del><ins>+        read(JSCell_structureID);
+        read(JSCell_indexingType);
</ins><span class="cx">         read(JSObject_butterfly);
</span><del>-        write(JSCell_structure);
</del><ins>+        write(JSCell_structureID);
+        write(JSCell_indexingType);
</ins><span class="cx">         write(JSObject_butterfly);
</span><span class="cx">         clobberizeForAllocation(read, write);
</span><span class="cx">         return;
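Review bot: Arrayify and ArrayifyToStructure write JSCell_structureID and JSCell_indexingType but not
JSCell_typeInfoType or JSCell_typeInfoFlags, while PutStructure in the previous hunk writes all four. If
arrayification can never change the type-info bytes, say so in a comment here; otherwise the two missing
write() calls need to be added so the sets agree.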
</span><span class="lines">@@ -469,17 +482,17 @@
</span><span class="cx">         return;
</span><span class="cx">         
</span><span class="cx">     case MultiGetByOffset:
</span><del>-        read(JSCell_structure);
</del><ins>+        read(JSCell_structureID);
</ins><span class="cx">         read(JSObject_butterfly);
</span><span class="cx">         read(AbstractHeap(NamedProperties, node-&gt;multiGetByOffsetData().identifierNumber));
</span><span class="cx">         return;
</span><span class="cx">         
</span><span class="cx">     case MultiPutByOffset:
</span><del>-        read(JSCell_structure);
</del><ins>+        read(JSCell_structureID);
</ins><span class="cx">         read(JSObject_butterfly);
</span><span class="cx">         write(AbstractHeap(NamedProperties, node-&gt;multiPutByOffsetData().identifierNumber));
</span><span class="cx">         if (node-&gt;multiPutByOffsetData().writesStructures())
</span><del>-            write(JSCell_structure);
</del><ins>+            write(JSCell_structureID);
</ins><span class="cx">         if (node-&gt;multiPutByOffsetData().reallocatesStorage()) {
</span><span class="cx">             write(JSObject_butterfly);
</span><span class="cx">             clobberizeForAllocation(read, write);
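Review bot: when writesStructures() is true, MultiPutByOffset performs a structure transition but writes only
JSCell_structureID, whereas PutStructure in this file writes JSCell_typeInfoType, JSCell_typeInfoFlags and
JSCell_indexingType as well. The write set under the writesStructures() branch should match PutStructure, or
a comment should explain why the transitions reachable here cannot change the other header fields.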
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGJITCompilerh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.h (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.h        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.h        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -249,7 +249,29 @@
</span><span class="cx">         addWeakReference(weakPtr);
</span><span class="cx">         return result;
</span><span class="cx">     }
</span><del>-    
</del><ins>+
+    template&lt;typename T&gt;
+    Jump branchWeakStructure(RelationalCondition cond, T left, Structure* weakStructure)
+    {
+#if USE(JSVALUE64)
+        Jump result = branch32(cond, left, TrustedImm32(weakStructure-&gt;id()));
+        addWeakReference(weakStructure);
+        return result;
+#else
+        return branchWeakPtr(cond, left, weakStructure);
+#endif
+    }
+
+    template&lt;typename T&gt;
+    Jump branchStructurePtr(RelationalCondition cond, T left, Structure* structure)
+    {
+#if USE(JSVALUE64)
+        return branch32(cond, left, TrustedImm32(structure-&gt;id()));
+#else
+        return branchPtr(cond, left, TrustedImmPtr(structure));
+#endif
+    }
+
</ins><span class="cx">     void noticeOSREntry(BasicBlock&amp; basicBlock, JITCompiler::Label blockHead, LinkBuffer&amp; linkBuffer)
</span><span class="cx">     {
</span><span class="cx">         // OSR entry is not allowed into blocks deemed unreachable by control flow analysis.
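Review bot: branchStructurePtr compares a 32-bit structure ID under USE(JSVALUE64), so the Ptr suffix is
misleading, and nothing in the template stops a caller from passing as left a register that still holds a
full Structure pointer. Rename it, and document on both helpers that left must be the value at
JSCell::structureIDOffset() (an Address, or a register filled by load32 from that offset), so a stale
pointer-based call site is caught in review rather than by a mismatched compare at run time.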
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGOSRExitCompiler32_64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompiler32_64.cpp (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompiler32_64.cpp        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompiler32_64.cpp        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -121,8 +121,8 @@
</span><span class="cx">                 } else
</span><span class="cx">                     value = exit.m_jsValueSource.payloadGPR();
</span><span class="cx">                 
</span><del>-                m_jit.loadPtr(AssemblyHelpers::Address(value, JSCell::structureOffset()), scratch1);
-                m_jit.storePtr(scratch1, arrayProfile-&gt;addressOfLastSeenStructure());
</del><ins>+                m_jit.loadPtr(AssemblyHelpers::Address(value, JSCell::structureIDOffset()), scratch1);
+                m_jit.storePtr(scratch1, arrayProfile-&gt;addressOfLastSeenStructureID());
</ins><span class="cx">                 m_jit.load8(AssemblyHelpers::Address(scratch1, Structure::indexingTypeOffset()), scratch1);
</span><span class="cx">                 m_jit.move(AssemblyHelpers::TrustedImm32(1), scratch2);
</span><span class="cx">                 m_jit.lshift32(scratch1, scratch2);
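Review bot: after the rename this path still treats the value at JSCell::structureIDOffset() as a Structure
pointer: it is loaded with loadPtr, stored with storePtr, and then dereferenced through
Address(scratch1, Structure::indexingTypeOffset()). The 64-bit exit compiler in this revision reads the
indexing type from the cell via JSCell::indexingTypeOffset() instead. Reading the cell byte here too would
remove the dependency on the ID being a pointer on this configuration; if that dependency is intended, it
deserves a comment at the load8.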
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGOSRExitCompiler64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompiler64.cpp (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompiler64.cpp        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompiler64.cpp        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -116,9 +116,9 @@
</span><span class="cx">                 } else
</span><span class="cx">                     value = exit.m_jsValueSource.gpr();
</span><span class="cx">                 
</span><del>-                m_jit.loadPtr(AssemblyHelpers::Address(value, JSCell::structureOffset()), scratch1);
-                m_jit.storePtr(scratch1, arrayProfile-&gt;addressOfLastSeenStructure());
-                m_jit.load8(AssemblyHelpers::Address(scratch1, Structure::indexingTypeOffset()), scratch1);
</del><ins>+                m_jit.load32(AssemblyHelpers::Address(value, JSCell::structureIDOffset()), scratch1);
+                m_jit.store32(scratch1, arrayProfile-&gt;addressOfLastSeenStructureID());
+                m_jit.load8(AssemblyHelpers::Address(value, JSCell::indexingTypeOffset()), scratch1);
</ins><span class="cx">                 m_jit.move(AssemblyHelpers::TrustedImm32(1), scratch2);
</span><span class="cx">                 m_jit.lshift32(scratch1, scratch2);
</span><span class="cx">                 m_jit.or32(scratch2, AssemblyHelpers::AbsoluteAddress(arrayProfile-&gt;addressOfArrayModes()));
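Review bot: load32 and store32 hard-code a 4-byte structure ID and a 4-byte slot behind
arrayProfile addressOfLastSeenStructureID(). A compile-time size assertion next to that accessor would catch
a width change in either place; as written, a mismatch would silently store a truncated or overlapping
value into the profile.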
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGOSRExitCompilerCommoncpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompilerCommon.cpp (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompilerCommon.cpp        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompilerCommon.cpp        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -162,9 +162,9 @@
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> #if ENABLE(GGC)
</span><del>-static void osrWriteBarrier(CCallHelpers&amp; jit, GPRReg owner, GPRReg scratch1, GPRReg scratch2)
</del><ins>+static void osrWriteBarrier(CCallHelpers&amp; jit, GPRReg owner, GPRReg scratch)
</ins><span class="cx"> {
</span><del>-    AssemblyHelpers::Jump definitelyNotMarked = jit.genericWriteBarrier(owner, scratch1, scratch2);
</del><ins>+    AssemblyHelpers::Jump definitelyNotMarked = jit.genericWriteBarrier(owner);
</ins><span class="cx"> 
</span><span class="cx">     // We need these extra slots because setupArgumentsWithExecState will use poke on x86.
</span><span class="cx"> #if CPU(X86)
</span><span class="lines">@@ -172,8 +172,8 @@
</span><span class="cx"> #endif
</span><span class="cx"> 
</span><span class="cx">     jit.setupArgumentsWithExecState(owner);
</span><del>-    jit.move(MacroAssembler::TrustedImmPtr(reinterpret_cast&lt;void*&gt;(operationOSRWriteBarrier)), scratch1);
-    jit.call(scratch1);
</del><ins>+    jit.move(MacroAssembler::TrustedImmPtr(reinterpret_cast&lt;void*&gt;(operationOSRWriteBarrier)), scratch);
+    jit.call(scratch);
</ins><span class="cx"> 
</span><span class="cx"> #if CPU(X86)
</span><span class="cx">     jit.addPtr(MacroAssembler::TrustedImm32(sizeof(void*) * 3), MacroAssembler::stackPointerRegister);
</span><span class="lines">@@ -190,7 +190,7 @@
</span><span class="cx">     for (CodeOrigin codeOrigin = exit.m_codeOrigin; ; codeOrigin = codeOrigin.inlineCallFrame-&gt;caller) {
</span><span class="cx">         CodeBlock* baselineCodeBlock = jit.baselineCodeBlockFor(codeOrigin);
</span><span class="cx">         jit.move(AssemblyHelpers::TrustedImmPtr(baselineCodeBlock-&gt;ownerExecutable()), GPRInfo::nonArgGPR0); 
</span><del>-        osrWriteBarrier(jit, GPRInfo::nonArgGPR0, GPRInfo::nonArgGPR1, GPRInfo::nonArgGPR2);
</del><ins>+        osrWriteBarrier(jit, GPRInfo::nonArgGPR0, GPRInfo::nonArgGPR1);
</ins><span class="cx">         if (!codeOrigin.inlineCallFrame)
</span><span class="cx">             break;
</span><span class="cx">     }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGOperationscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -79,7 +79,7 @@
</span><span class="cx">             return;
</span><span class="cx">         }
</span><span class="cx"> 
</span><del>-        object-&gt;methodTable()-&gt;putByIndex(object, exec, index, value, strict);
</del><ins>+        object-&gt;methodTable(vm)-&gt;putByIndex(object, exec, index, value, strict);
</ins><span class="cx">         return;
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="lines">@@ -222,12 +222,12 @@
</span><span class="cx"> 
</span><span class="cx"> JSCell* JIT_OPERATION operationCreateThis(ExecState* exec, JSObject* constructor, int32_t inlineCapacity)
</span><span class="cx"> {
</span><del>-    VM* vm = &amp;exec-&gt;vm();
-    NativeCallFrameTracer tracer(vm, exec);
</del><ins>+    VM&amp; vm = exec-&gt;vm();
+    NativeCallFrameTracer tracer(&amp;vm, exec);
</ins><span class="cx"> 
</span><span class="cx"> #if !ASSERT_DISABLED
</span><span class="cx">     ConstructData constructData;
</span><del>-    ASSERT(jsCast&lt;JSFunction*&gt;(constructor)-&gt;methodTable()-&gt;getConstructData(jsCast&lt;JSFunction*&gt;(constructor), constructData) == ConstructTypeJS);
</del><ins>+    ASSERT(jsCast&lt;JSFunction*&gt;(constructor)-&gt;methodTable(vm)-&gt;getConstructData(jsCast&lt;JSFunction*&gt;(constructor), constructData) == ConstructTypeJS);
</ins><span class="cx"> #endif
</span><span class="cx">     
</span><span class="cx">     return constructEmptyObject(exec, jsCast&lt;JSFunction*&gt;(constructor)-&gt;allocationProfile(exec, inlineCapacity)-&gt;structure());
</span><span class="lines">@@ -392,8 +392,8 @@
</span><span class="cx"> 
</span><span class="cx"> void JIT_OPERATION operationPutByValBeyondArrayBoundsStrict(ExecState* exec, JSObject* array, int32_t index, EncodedJSValue encodedValue)
</span><span class="cx"> {
</span><del>-    VM* vm = &amp;exec-&gt;vm();
-    NativeCallFrameTracer tracer(vm, exec);
</del><ins>+    VM&amp; vm = exec-&gt;vm();
+    NativeCallFrameTracer tracer(&amp;vm, exec);
</ins><span class="cx">     
</span><span class="cx">     if (index &gt;= 0) {
</span><span class="cx">         array-&gt;putByIndexInline(exec, index, JSValue::decode(encodedValue), true);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJITcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -698,9 +698,7 @@
</span><span class="cx">     case Array::SlowPutArrayStorage: {
</span><span class="cx">         GPRTemporary temp(this);
</span><span class="cx">         GPRReg tempGPR = temp.gpr();
</span><del>-        m_jit.loadPtr(
-            MacroAssembler::Address(baseReg, JSCell::structureOffset()), tempGPR);
-        m_jit.load8(MacroAssembler::Address(tempGPR, Structure::indexingTypeOffset()), tempGPR);
</del><ins>+        m_jit.load8(MacroAssembler::Address(baseReg, JSCell::indexingTypeOffset()), tempGPR);
</ins><span class="cx">         speculationCheck(
</span><span class="cx">             BadIndexingType, JSValueSource::unboxedCell(baseReg), 0,
</span><span class="cx">             jumpSlowForUnwantedArrayMode(tempGPR, node-&gt;arrayMode()));
</span><span class="lines">@@ -709,18 +707,29 @@
</span><span class="cx">         return;
</span><span class="cx">     }
</span><span class="cx">     case Array::Arguments:
</span><del>-        expectedClassInfo = Arguments::info();
-        break;
</del><ins>+        speculationCheck(BadType, JSValueSource::unboxedCell(baseReg), node,
+            m_jit.branch8(
+                MacroAssembler::NotEqual,
+                MacroAssembler::Address(baseReg, JSCell::typeInfoTypeOffset()),
+                MacroAssembler::TrustedImm32(ArgumentsType)));
+
+        noResult(m_currentNode);
+        return;
</ins><span class="cx">     default:
</span><del>-        expectedClassInfo = classInfoForType(node-&gt;arrayMode().typedArrayType());
-        break;
</del><ins>+        speculationCheck(BadType, JSValueSource::unboxedCell(baseReg), node,
+            m_jit.branch8(
+                MacroAssembler::NotEqual,
+                MacroAssembler::Address(baseReg, JSCell::typeInfoTypeOffset()),
+                MacroAssembler::TrustedImm32(typeForTypedArrayType(node-&gt;arrayMode().typedArrayType()))));
+        noResult(m_currentNode);
+        return;
</ins><span class="cx">     }
</span><span class="cx">     
</span><span class="cx">     RELEASE_ASSERT(expectedClassInfo);
</span><span class="cx">     
</span><span class="cx">     GPRTemporary temp(this);
</span><del>-    m_jit.loadPtr(
-        MacroAssembler::Address(baseReg, JSCell::structureOffset()), temp.gpr());
</del><ins>+    GPRTemporary temp2(this);
+    m_jit.emitLoadStructure(baseReg, temp.gpr(), temp2.gpr());
</ins><span class="cx">     speculationCheck(
</span><span class="cx">         BadType, JSValueSource::unboxedCell(baseReg), node,
</span><span class="cx">         m_jit.branchPtr(
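Review bot: the Array::Arguments and default cases now return directly, and the SlowPutArrayStorage case
above them already returns, so in the lines shown no path assigns expectedClassInfo any more. If every case
returns, RELEASE_ASSERT(expectedClassInfo) and the class-info check after the switch are dead, and the added
temp2 and emitLoadStructure call only keep dead code compiling; remove the tail together with the
expectedClassInfo variable. If an earlier case still breaks out of the switch, add a comment saying which.
The two new cases also pass node to speculationCheck but m_currentNode to noResult; use one of them.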
</span><span class="lines">@@ -750,16 +759,13 @@
</span><span class="cx">     MacroAssembler::JumpList slowPath;
</span><span class="cx">     
</span><span class="cx">     if (node-&gt;op() == ArrayifyToStructure) {
</span><del>-        slowPath.append(m_jit.branchWeakPtr(
</del><ins>+        slowPath.append(m_jit.branchWeakStructure(
</ins><span class="cx">             JITCompiler::NotEqual,
</span><del>-            JITCompiler::Address(baseReg, JSCell::structureOffset()),
</del><ins>+            JITCompiler::Address(baseReg, JSCell::structureIDOffset()),
</ins><span class="cx">             node-&gt;structure()));
</span><span class="cx">     } else {
</span><del>-        m_jit.loadPtr(
-            MacroAssembler::Address(baseReg, JSCell::structureOffset()), structureGPR);
-        
</del><span class="cx">         m_jit.load8(
</span><del>-            MacroAssembler::Address(structureGPR, Structure::indexingTypeOffset()), tempGPR);
</del><ins>+            MacroAssembler::Address(baseReg, JSCell::indexingTypeOffset()), tempGPR);
</ins><span class="cx">         
</span><span class="cx">         slowPath.append(jumpSlowForUnwantedArrayMode(tempGPR, node-&gt;arrayMode()));
</span><span class="cx">     }
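Review bot: the else branch no longer loads anything into structureGPR, and the ArrayifyToStructure branch
compares against memory, so structureGPR is uninitialised on both paths when the slow path is reached.
Confirm the slow path generator treats it purely as a scratch register (the ArrayifySlowPathGenerator change
in this revision writes the indexing type into it), and consider renaming the local so nobody later assumes
it holds the cell's structure.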
</span><span class="lines">@@ -1131,24 +1137,25 @@
</span><span class="cx">         if (m_state.forNode(node-&gt;child1()).m_type &amp; ~SpecObject) {
</span><span class="cx">             speculationCheck(
</span><span class="cx">                 BadType, JSValueSource::unboxedCell(op1GPR), node-&gt;child1(), 
</span><del>-                m_jit.branchPtr(
</del><ins>+                m_jit.branchStructurePtr(
</ins><span class="cx">                     MacroAssembler::Equal, 
</span><del>-                    MacroAssembler::Address(op1GPR, JSCell::structureOffset()), 
-                    MacroAssembler::TrustedImmPtr(m_jit.vm()-&gt;stringStructure.get())));
</del><ins>+                    MacroAssembler::Address(op1GPR, JSCell::structureIDOffset()), 
+                    m_jit.vm()-&gt;stringStructure.get()));
</ins><span class="cx">         }
</span><span class="cx">         if (m_state.forNode(node-&gt;child2()).m_type &amp; ~SpecObject) {
</span><span class="cx">             speculationCheck(
</span><span class="cx">                 BadType, JSValueSource::unboxedCell(op2GPR), node-&gt;child2(),
</span><del>-                m_jit.branchPtr(
</del><ins>+                m_jit.branchStructurePtr(
</ins><span class="cx">                     MacroAssembler::Equal, 
</span><del>-                    MacroAssembler::Address(op2GPR, JSCell::structureOffset()), 
-                    MacroAssembler::TrustedImmPtr(m_jit.vm()-&gt;stringStructure.get())));
</del><ins>+                    MacroAssembler::Address(op2GPR, JSCell::structureIDOffset()), 
+                    m_jit.vm()-&gt;stringStructure.get()));
</ins><span class="cx">         }
</span><span class="cx">     } else {
</span><span class="cx">         GPRTemporary structure(this);
</span><ins>+        GPRTemporary temp(this);
</ins><span class="cx">         GPRReg structureGPR = structure.gpr();
</span><span class="cx"> 
</span><del>-        m_jit.loadPtr(MacroAssembler::Address(op1GPR, JSCell::structureOffset()), structureGPR);
</del><ins>+        m_jit.emitLoadStructure(op1GPR, structureGPR, temp.gpr());
</ins><span class="cx">         if (m_state.forNode(node-&gt;child1()).m_type &amp; ~SpecObject) {
</span><span class="cx">             speculationCheck(
</span><span class="cx">                 BadType, JSValueSource::unboxedCell(op1GPR), node-&gt;child1(),
</span><span class="lines">@@ -1160,10 +1167,10 @@
</span><span class="cx">         speculationCheck(BadType, JSValueSource::unboxedCell(op1GPR), node-&gt;child1(),
</span><span class="cx">             m_jit.branchTest8(
</span><span class="cx">                 MacroAssembler::NonZero, 
</span><del>-                MacroAssembler::Address(structureGPR, Structure::typeInfoFlagsOffset()), 
</del><ins>+                MacroAssembler::Address(op1GPR, JSCell::typeInfoFlagsOffset()), 
</ins><span class="cx">                 MacroAssembler::TrustedImm32(MasqueradesAsUndefined)));
</span><span class="cx"> 
</span><del>-        m_jit.loadPtr(MacroAssembler::Address(op2GPR, JSCell::structureOffset()), structureGPR);
</del><ins>+        m_jit.emitLoadStructure(op2GPR, structureGPR, temp.gpr());
</ins><span class="cx">         if (m_state.forNode(node-&gt;child2()).m_type &amp; ~SpecObject) {
</span><span class="cx">             speculationCheck(
</span><span class="cx">                 BadType, JSValueSource::unboxedCell(op2GPR), node-&gt;child2(),
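Review bot: with the MasqueradesAsUndefined test now reading JSCell::typeInfoFlagsOffset() straight from
op1GPR and op2GPR, the emitLoadStructure calls for op1 and op2 are emitted unconditionally but can only be
needed by the speculationCheck inside the following if block. If that check is the sole user of
structureGPR, move each emitLoadStructure inside its if so the common all-objects case does not pay for a
structure load and an extra temporary it never uses.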
</span><span class="lines">@@ -1175,7 +1182,7 @@
</span><span class="cx">         speculationCheck(BadType, JSValueSource::unboxedCell(op2GPR), node-&gt;child2(),
</span><span class="cx">             m_jit.branchTest8(
</span><span class="cx">                 MacroAssembler::NonZero, 
</span><del>-                MacroAssembler::Address(structureGPR, Structure::typeInfoFlagsOffset()), 
</del><ins>+                MacroAssembler::Address(op2GPR, JSCell::typeInfoFlagsOffset()), 
</ins><span class="cx">                 MacroAssembler::TrustedImm32(MasqueradesAsUndefined)));
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="lines">@@ -2524,18 +2531,17 @@
</span><span class="cx">     noResult(node);
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-void SpeculativeJIT::compileInstanceOfForObject(Node*, GPRReg valueReg, GPRReg prototypeReg, GPRReg scratchReg)
</del><ins>+void SpeculativeJIT::compileInstanceOfForObject(Node*, GPRReg valueReg, GPRReg prototypeReg, GPRReg scratchReg, GPRReg scratch2Reg)
</ins><span class="cx"> {
</span><span class="cx">     // Check that prototype is an object.
</span><del>-    m_jit.loadPtr(MacroAssembler::Address(prototypeReg, JSCell::structureOffset()), scratchReg);
-    speculationCheck(BadType, JSValueRegs(), 0, m_jit.branchIfNotObject(scratchReg));
</del><ins>+    speculationCheck(BadType, JSValueRegs(), 0, m_jit.branchIfCellNotObject(prototypeReg));
</ins><span class="cx">     
</span><span class="cx">     // Initialize scratchReg with the value being checked.
</span><span class="cx">     m_jit.move(valueReg, scratchReg);
</span><span class="cx">     
</span><span class="cx">     // Walk up the prototype chain of the value (in scratchReg), comparing to prototypeReg.
</span><span class="cx">     MacroAssembler::Label loop(&amp;m_jit);
</span><del>-    m_jit.loadPtr(MacroAssembler::Address(scratchReg, JSCell::structureOffset()), scratchReg);
</del><ins>+    m_jit.emitLoadStructure(scratchReg, scratchReg, scratch2Reg);
</ins><span class="cx"> #if USE(JSVALUE64)
</span><span class="cx">     m_jit.load64(MacroAssembler::Address(scratchReg, Structure::prototypeOffset()), scratchReg);
</span><span class="cx">     MacroAssembler::Jump isInstance = m_jit.branch64(MacroAssembler::Equal, scratchReg, prototypeReg);
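Review bot: in the prototype-chain loop, emitLoadStructure(scratchReg, scratchReg, scratch2Reg) passes the
same register as source cell and destination. That is safe only if emitLoadStructure finishes reading the
source before it writes the destination; state that guarantee in a comment on emitLoadStructure or assert
that source and destination differ and use scratch2Reg as the destination here. The new scratch2Reg
parameter is also allocated by both callers on builds where the load may not need it.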
</span><span class="lines">@@ -2574,9 +2580,11 @@
</span><span class="cx">         JSValueOperand value(this, node-&gt;child1());
</span><span class="cx">         SpeculateCellOperand prototype(this, node-&gt;child2());
</span><span class="cx">         GPRTemporary scratch(this);
</span><ins>+        GPRTemporary scratch2(this);
</ins><span class="cx">         
</span><span class="cx">         GPRReg prototypeReg = prototype.gpr();
</span><span class="cx">         GPRReg scratchReg = scratch.gpr();
</span><ins>+        GPRReg scratch2Reg = scratch2.gpr();
</ins><span class="cx">         
</span><span class="cx"> #if USE(JSVALUE64)
</span><span class="cx">         GPRReg valueReg = value.gpr();
</span><span class="lines">@@ -2593,7 +2601,7 @@
</span><span class="cx">         
</span><span class="cx">         isCell.link(&amp;m_jit);
</span><span class="cx">         
</span><del>-        compileInstanceOfForObject(node, valueReg, prototypeReg, scratchReg);
</del><ins>+        compileInstanceOfForObject(node, valueReg, prototypeReg, scratchReg, scratch2Reg);
</ins><span class="cx">         
</span><span class="cx">         done.link(&amp;m_jit);
</span><span class="cx"> 
</span><span class="lines">@@ -2609,12 +2617,14 @@
</span><span class="cx">     SpeculateCellOperand prototype(this, node-&gt;child2());
</span><span class="cx">     
</span><span class="cx">     GPRTemporary scratch(this);
</span><ins>+    GPRTemporary scratch2(this);
</ins><span class="cx">     
</span><span class="cx">     GPRReg valueReg = value.gpr();
</span><span class="cx">     GPRReg prototypeReg = prototype.gpr();
</span><span class="cx">     GPRReg scratchReg = scratch.gpr();
</span><ins>+    GPRReg scratch2Reg = scratch2.gpr();
</ins><span class="cx">     
</span><del>-    compileInstanceOfForObject(node, valueReg, prototypeReg, scratchReg);
</del><ins>+    compileInstanceOfForObject(node, valueReg, prototypeReg, scratchReg, scratch2Reg);
</ins><span class="cx"> 
</span><span class="cx"> #if USE(JSVALUE64)
</span><span class="cx">     jsValueResult(scratchReg, node, DataFormatJSBoolean);
</span><span class="lines">@@ -4362,11 +4372,13 @@
</span><span class="cx">     case StringOrStringObjectUse: {
</span><span class="cx">         GPRTemporary result(this);
</span><span class="cx">         GPRReg resultGPR = result.gpr();
</span><ins>+
+        m_jit.load32(JITCompiler::Address(op1GPR, JSCell::structureIDOffset()), resultGPR);
+        JITCompiler::Jump isString = m_jit.branchStructurePtr(
+            JITCompiler::Equal, 
+            resultGPR,
+            m_jit.vm()-&gt;stringStructure.get());
</ins><span class="cx">         
</span><del>-        m_jit.loadPtr(JITCompiler::Address(op1GPR, JSCell::structureOffset()), resultGPR);
-        JITCompiler::Jump isString = m_jit.branchPtr(
-            JITCompiler::Equal, resultGPR, TrustedImmPtr(m_jit.vm()-&gt;stringStructure.get()));
-        
</del><span class="cx">         speculateStringObjectForStructure(node-&gt;child1(), resultGPR);
</span><span class="cx">         
</span><span class="cx">         m_jit.loadPtr(JITCompiler::Address(op1GPR, JSWrapperObject::internalValueCellOffset()), resultGPR);
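Review bot: resultGPR now carries the 32-bit value loaded from JSCell::structureIDOffset(), yet it is still
passed to speculateStringObjectForStructure(node child1, resultGPR), whose name and parameter suggest a
Structure. Make sure the GPR overload compares IDs on 64-bit and rename the parameter (or the function) to
say so. The added line with JITCompiler::Equal also ends in trailing whitespace.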
</span><span class="lines">@@ -4392,10 +4404,10 @@
</span><span class="cx">         flushRegisters();
</span><span class="cx">         JITCompiler::Jump done;
</span><span class="cx">         if (node-&gt;child1()-&gt;prediction() &amp; SpecString) {
</span><del>-            JITCompiler::Jump needCall = m_jit.branchPtr(
</del><ins>+            JITCompiler::Jump needCall = m_jit.branchStructurePtr(
</ins><span class="cx">                 JITCompiler::NotEqual,
</span><del>-                JITCompiler::Address(op1GPR, JSCell::structureOffset()),
-                TrustedImmPtr(m_jit.vm()-&gt;stringStructure.get()));
</del><ins>+                JITCompiler::Address(op1GPR, JSCell::structureIDOffset()),
+                m_jit.vm()-&gt;stringStructure.get());
</ins><span class="cx">             m_jit.move(op1GPR, resultGPR);
</span><span class="cx">             done = m_jit.jump();
</span><span class="cx">             needCall.link(&amp;m_jit);
</span><span class="lines">@@ -4596,10 +4608,10 @@
</span><span class="cx">     SpeculateCellOperand operand(this, edge);
</span><span class="cx">     GPRReg gpr = operand.gpr();
</span><span class="cx">     DFG_TYPE_CHECK(
</span><del>-        JSValueSource::unboxedCell(gpr), edge, SpecObject, m_jit.branchPtr(
</del><ins>+        JSValueSource::unboxedCell(gpr), edge, SpecObject, m_jit.branchStructurePtr(
</ins><span class="cx">             MacroAssembler::Equal, 
</span><del>-            MacroAssembler::Address(gpr, JSCell::structureOffset()), 
-            MacroAssembler::TrustedImmPtr(m_jit.vm()-&gt;stringStructure.get())));
</del><ins>+            MacroAssembler::Address(gpr, JSCell::structureIDOffset()), 
+            m_jit.vm()-&gt;stringStructure.get()));
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void SpeculativeJIT::speculateFinalObject(Edge edge)
</span><span class="lines">@@ -4608,14 +4620,11 @@
</span><span class="cx">         return;
</span><span class="cx">     
</span><span class="cx">     SpeculateCellOperand operand(this, edge);
</span><del>-    GPRTemporary structure(this);
</del><span class="cx">     GPRReg gpr = operand.gpr();
</span><del>-    GPRReg structureGPR = structure.gpr();
-    m_jit.loadPtr(MacroAssembler::Address(gpr, JSCell::structureOffset()), structureGPR);
</del><span class="cx">     DFG_TYPE_CHECK(
</span><span class="cx">         JSValueSource::unboxedCell(gpr), edge, SpecFinalObject, m_jit.branch8(
</span><span class="cx">             MacroAssembler::NotEqual,
</span><del>-            MacroAssembler::Address(structureGPR, Structure::typeInfoTypeOffset()),
</del><ins>+            MacroAssembler::Address(gpr, JSCell::typeInfoTypeOffset()),
</ins><span class="cx">             TrustedImm32(FinalObjectType)));
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="lines">@@ -4632,10 +4641,10 @@
</span><span class="cx">     MacroAssembler::Jump notCell = m_jit.branchTest64(
</span><span class="cx">         MacroAssembler::NonZero, gpr, GPRInfo::tagMaskRegister);
</span><span class="cx">     DFG_TYPE_CHECK(
</span><del>-        JSValueRegs(gpr), edge, (~SpecCell) | SpecObject, m_jit.branchPtr(
</del><ins>+        JSValueRegs(gpr), edge, (~SpecCell) | SpecObject, m_jit.branchStructurePtr(
</ins><span class="cx">             MacroAssembler::Equal, 
</span><del>-            MacroAssembler::Address(gpr, JSCell::structureOffset()), 
-            MacroAssembler::TrustedImmPtr(m_jit.vm()-&gt;stringStructure.get())));
</del><ins>+            MacroAssembler::Address(gpr, JSCell::structureIDOffset()), 
+            m_jit.vm()-&gt;stringStructure.get()));
</ins><span class="cx">     MacroAssembler::Jump done = m_jit.jump();
</span><span class="cx">     notCell.link(&amp;m_jit);
</span><span class="cx">     if (needsTypeCheck(edge, SpecCell | SpecOther)) {
</span><span class="lines">@@ -4655,10 +4664,10 @@
</span><span class="cx">     MacroAssembler::Jump notCell =
</span><span class="cx">         m_jit.branch32(MacroAssembler::NotEqual, tagGPR, TrustedImm32(JSValue::CellTag));
</span><span class="cx">     DFG_TYPE_CHECK(
</span><del>-        JSValueRegs(tagGPR, payloadGPR), edge, (~SpecCell) | SpecObject, m_jit.branchPtr(
</del><ins>+        JSValueRegs(tagGPR, payloadGPR), edge, (~SpecCell) | SpecObject, m_jit.branchStructurePtr(
</ins><span class="cx">             MacroAssembler::Equal, 
</span><del>-            MacroAssembler::Address(payloadGPR, JSCell::structureOffset()), 
-            MacroAssembler::TrustedImmPtr(m_jit.vm()-&gt;stringStructure.get())));
</del><ins>+            MacroAssembler::Address(payloadGPR, JSCell::structureIDOffset()), 
+            m_jit.vm()-&gt;stringStructure.get()));
</ins><span class="cx">     MacroAssembler::Jump done = m_jit.jump();
</span><span class="cx">     notCell.link(&amp;m_jit);
</span><span class="cx">     if (needsTypeCheck(edge, SpecCell | SpecOther)) {
</span><span class="lines">@@ -4678,10 +4687,10 @@
</span><span class="cx"> void SpeculativeJIT::speculateString(Edge edge, GPRReg cell)
</span><span class="cx"> {
</span><span class="cx">     DFG_TYPE_CHECK(
</span><del>-        JSValueSource::unboxedCell(cell), edge, SpecString, m_jit.branchPtr(
</del><ins>+        JSValueSource::unboxedCell(cell), edge, SpecString, m_jit.branchStructurePtr(
</ins><span class="cx">             MacroAssembler::NotEqual, 
</span><del>-            MacroAssembler::Address(cell, JSCell::structureOffset()), 
-            MacroAssembler::TrustedImmPtr(m_jit.vm()-&gt;stringStructure.get())));
</del><ins>+            MacroAssembler::Address(cell, JSCell::structureIDOffset()), 
+            m_jit.vm()-&gt;stringStructure.get()));
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void SpeculativeJIT::speculateStringIdentAndLoadStorage(Edge edge, GPRReg string, GPRReg storage)
</span><span class="lines">@@ -4734,7 +4743,7 @@
</span><span class="cx"> 
</span><span class="cx"> void SpeculativeJIT::speculateStringObject(Edge edge, GPRReg gpr)
</span><span class="cx"> {
</span><del>-    speculateStringObjectForStructure(edge, JITCompiler::Address(gpr, JSCell::structureOffset()));
</del><ins>+    speculateStringObjectForStructure(edge, JITCompiler::Address(gpr, JSCell::structureIDOffset()));
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void SpeculativeJIT::speculateStringObject(Edge edge)
</span><span class="lines">@@ -4760,17 +4769,18 @@
</span><span class="cx">     GPRReg gpr = operand.gpr();
</span><span class="cx">     if (!needsTypeCheck(edge, SpecString | SpecStringObject))
</span><span class="cx">         return;
</span><ins>+
+    GPRTemporary structureID(this);
+    GPRReg structureIDGPR = structureID.gpr();
+
+    m_jit.load32(JITCompiler::Address(gpr, JSCell::structureIDOffset()), structureIDGPR); 
+    JITCompiler::Jump isString = m_jit.branchStructurePtr(
+        JITCompiler::Equal,
+        structureIDGPR, 
+        m_jit.vm()-&gt;stringStructure.get());
</ins><span class="cx">     
</span><del>-    GPRTemporary structure(this);
-    GPRReg structureGPR = structure.gpr();
</del><ins>+    speculateStringObjectForStructure(edge, structureIDGPR);
</ins><span class="cx">     
</span><del>-    m_jit.loadPtr(JITCompiler::Address(gpr, JSCell::structureOffset()), structureGPR);
-    
-    JITCompiler::Jump isString = m_jit.branchPtr(
-        JITCompiler::Equal, structureGPR, TrustedImmPtr(m_jit.vm()-&gt;stringStructure.get()));
-    
-    speculateStringObjectForStructure(edge, structureGPR);
-    
</del><span class="cx">     isString.link(&amp;m_jit);
</span><span class="cx">     
</span><span class="cx">     m_interpreter.filter(edge, SpecString | SpecStringObject);
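Review bot: the added m_jit.load32(JITCompiler::Address(gpr, JSCell::structureIDOffset()), structureIDGPR) hard-codes the width of the field, while the DFGSpeculativeJIT32_64.cpp hunks in this change read the same offset with loadPtr. Put the load behind one helper that picks the width so the two cannot drift apart. The added load32 line and the "structureIDGPR, " line also end in trailing whitespace.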
</span><span class="lines">@@ -5034,10 +5044,10 @@
</span><span class="cx"> #endif
</span><span class="cx">         
</span><span class="cx">         addBranch(
</span><del>-            m_jit.branchPtr(
</del><ins>+            m_jit.branchStructurePtr(
</ins><span class="cx">                 MacroAssembler::NotEqual,
</span><del>-                MacroAssembler::Address(op1Regs.payloadGPR(), JSCell::structureOffset()),
-                MacroAssembler::TrustedImmPtr(m_jit.vm()-&gt;stringStructure.get())),
</del><ins>+                MacroAssembler::Address(op1Regs.payloadGPR(), JSCell::structureIDOffset()),
+                m_jit.vm()-&gt;stringStructure.get()),
</ins><span class="cx">             data-&gt;fallThrough.block);
</span><span class="cx">         
</span><span class="cx">         emitSwitchCharStringJump(data, op1Regs.payloadGPR(), tempGPR);
</span><span class="lines">@@ -5334,10 +5344,10 @@
</span><span class="cx"> #endif
</span><span class="cx">         
</span><span class="cx">         addBranch(
</span><del>-            m_jit.branchPtr(
</del><ins>+            m_jit.branchStructurePtr(
</ins><span class="cx">                 MacroAssembler::NotEqual,
</span><del>-                MacroAssembler::Address(op1Regs.payloadGPR(), JSCell::structureOffset()),
-                MacroAssembler::TrustedImmPtr(m_jit.vm()-&gt;stringStructure.get())),
</del><ins>+                MacroAssembler::Address(op1Regs.payloadGPR(), JSCell::structureIDOffset()),
+                m_jit.vm()-&gt;stringStructure.get()),
</ins><span class="cx">             data-&gt;fallThrough.block);
</span><span class="cx">         
</span><span class="cx">         emitSwitchStringOnString(data, op1Regs.payloadGPR());
</span><span class="lines">@@ -5426,30 +5436,14 @@
</span><span class="cx">     noResult(node);
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-JITCompiler::Jump SpeculativeJIT::genericWriteBarrier(CCallHelpers&amp; jit, GPRReg owner, GPRReg scratch1, GPRReg scratch2)
</del><ins>+JITCompiler::Jump SpeculativeJIT::genericWriteBarrier(CCallHelpers&amp; jit, GPRReg owner)
</ins><span class="cx"> {
</span><del>-    jit.move(owner, scratch1);
-    jit.move(owner, scratch2);
-
-    jit.andPtr(MacroAssembler::TrustedImmPtr(MarkedBlock::blockMask), scratch1);
-    jit.andPtr(MacroAssembler::TrustedImmPtr(~MarkedBlock::blockMask), scratch2);
-
-    // Shift index
-#if USE(JSVALUE64)
-    jit.rshift64(MacroAssembler::TrustedImm32(MarkedBlock::atomShiftAmount + MarkedBlock::markByteShiftAmount), scratch2);
-#else
-    jit.rshift32(MacroAssembler::TrustedImm32(MarkedBlock::atomShiftAmount + MarkedBlock::markByteShiftAmount), scratch2);
-#endif
-
-    // Emit load and branch
-    return jit.branchTest8(MacroAssembler::Zero, MacroAssembler::BaseIndex(scratch1, scratch2, MacroAssembler::TimesOne, MarkedBlock::offsetOfMarks()));
</del><ins>+    return jit.branchTest8(MacroAssembler::Zero, MacroAssembler::Address(owner, JSCell::gcDataOffset()));
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> JITCompiler::Jump SpeculativeJIT::genericWriteBarrier(CCallHelpers&amp; jit, JSCell* owner)
</span><span class="cx"> {
</span><del>-    MarkedBlock* block = MarkedBlock::blockFor(owner);
-    size_t markIndex = (reinterpret_cast&lt;size_t&gt;(owner) &amp; ~MarkedBlock::blockMask) &gt;&gt; (MarkedBlock::atomShiftAmount + MarkedBlock::markByteShiftAmount);
-    uint8_t* address = reinterpret_cast&lt;uint8_t*&gt;(reinterpret_cast&lt;char*&gt;(block) + MarkedBlock::offsetOfMarks()) + markIndex;
</del><ins>+    uint8_t* address = reinterpret_cast&lt;uint8_t*&gt;(owner) + JSCell::gcDataOffset();
</ins><span class="cx">     return jit.branchTest8(MacroAssembler::Zero, MacroAssembler::AbsoluteAddress(address));
</span><span class="cx"> }
</span><span class="cx"> 
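Review bot: both genericWriteBarrier overloads now test a byte at JSCell::gcDataOffset() inside the cell instead of the MarkedBlock mark bits, and nothing in the hunk says what a zero byte means or which code keeps it in step with marking. Add a short comment above the GPRReg overload stating that invariant, because a barrier that is wrongly skipped is a GC correctness problem, not a performance one.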
</span><span class="lines">@@ -5509,14 +5503,14 @@
</span><span class="cx">     if (Heap::isMarked(value))
</span><span class="cx">         return;
</span><span class="cx"> 
</span><del>-    JITCompiler::Jump definitelyNotMarked = genericWriteBarrier(m_jit, ownerGPR, scratch1, scratch2);
</del><ins>+    JITCompiler::Jump definitelyNotMarked = genericWriteBarrier(m_jit, ownerGPR);
</ins><span class="cx">     storeToWriteBarrierBuffer(ownerGPR, scratch1, scratch2);
</span><span class="cx">     definitelyNotMarked.link(&amp;m_jit);
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void SpeculativeJIT::writeBarrier(GPRReg ownerGPR, GPRReg scratch1, GPRReg scratch2)
</span><span class="cx"> {
</span><del>-    JITCompiler::Jump definitelyNotMarked = genericWriteBarrier(m_jit, ownerGPR, scratch1, scratch2);
</del><ins>+    JITCompiler::Jump definitelyNotMarked = genericWriteBarrier(m_jit, ownerGPR);
</ins><span class="cx">     storeToWriteBarrierBuffer(ownerGPR, scratch1, scratch2);
</span><span class="cx">     definitelyNotMarked.link(&amp;m_jit);
</span><span class="cx"> }
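Review bot: in both writeBarrier bodies the jump is still named definitelyNotMarked although genericWriteBarrier(m_jit, ownerGPR), as changed earlier in this file, no longer reads mark bits, and the early return above still uses Heap::isMarked(value) for the value side. Rename the jump to match the byte that is now tested, or add a comment explaining why owner and value are checked through different sources.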
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJITh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -296,7 +296,7 @@
</span><span class="cx">     void storeToWriteBarrierBuffer(GPRReg cell, GPRReg scratch1, GPRReg scratch2);
</span><span class="cx">     void storeToWriteBarrierBuffer(JSCell*, GPRReg scratch1, GPRReg scratch2);
</span><span class="cx"> 
</span><del>-    static JITCompiler::Jump genericWriteBarrier(CCallHelpers&amp; jit, GPRReg owner, GPRReg scratch1, GPRReg scratch2);
</del><ins>+    static JITCompiler::Jump genericWriteBarrier(CCallHelpers&amp; jit, GPRReg owner);
</ins><span class="cx">     static JITCompiler::Jump genericWriteBarrier(CCallHelpers&amp; jit, JSCell* owner);
</span><span class="cx">     void writeBarrier(GPRReg owner, GPRReg scratch1, GPRReg scratch2);
</span><span class="cx">     void writeBarrier(GPRReg owner, JSCell* value, GPRReg scratch1, GPRReg scratch2);
</span><span class="lines">@@ -739,7 +739,7 @@
</span><span class="cx">     void nonSpeculativeNonPeepholeStrictEq(Node*, bool invert = false);
</span><span class="cx">     bool nonSpeculativeStrictEq(Node*, bool invert = false);
</span><span class="cx">     
</span><del>-    void compileInstanceOfForObject(Node*, GPRReg valueReg, GPRReg prototypeReg, GPRReg scratchAndResultReg);
</del><ins>+    void compileInstanceOfForObject(Node*, GPRReg valueReg, GPRReg prototypeReg, GPRReg scratchAndResultReg, GPRReg scratch2Reg);
</ins><span class="cx">     void compileInstanceOf(Node*);
</span><span class="cx">     
</span><span class="cx">     ptrdiff_t calleeFrameOffset(int numArgs)
</span><span class="lines">@@ -2105,7 +2105,7 @@
</span><span class="cx">         
</span><span class="cx">         return slowPath;
</span><span class="cx">     }
</span><del>-    
</del><ins>+
</ins><span class="cx">     // Allocator for a cell of a specific size.
</span><span class="cx">     template &lt;typename StructureType&gt; // StructureType can be GPR or ImmPtr.
</span><span class="cx">     void emitAllocateJSCell(GPRReg resultGPR, GPRReg allocatorGPR, StructureType structure,
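Review bot: the only change in this hunk replaces a line of four spaces with an empty line above the "Allocator for a cell of a specific size" comment. It is unrelated to the rest of the patch; leave it out so the header diff shows only functional changes.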
</span><span class="lines">@@ -2120,7 +2120,7 @@
</span><span class="cx">         m_jit.storePtr(scratchGPR, MacroAssembler::Address(allocatorGPR, MarkedAllocator::offsetOfFreeListHead()));
</span><span class="cx"> 
</span><span class="cx">         // Initialize the object's Structure.
</span><del>-        m_jit.storePtr(structure, MacroAssembler::Address(resultGPR, JSCell::structureOffset()));
</del><ins>+        m_jit.emitStoreStructureWithTypeInfo(structure, resultGPR, scratchGPR);
</ins><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     // Allocator for an object of a specific size.
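Review bot: the comment "Initialize the object's Structure." above the new m_jit.emitStoreStructureWithTypeInfo(structure, resultGPR, scratchGPR) call is now incomplete, since the call also stores type info and takes scratchGPR. Update the comment, and state whether structure and scratchGPR may alias when StructureType is a GPR.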
</span><span class="lines">@@ -3045,8 +3045,8 @@
</span><span class="cx">     if (!m_state.forNode(edge).m_currentKnownStructure.isSubsetOf(StructureSet(stringObjectStructure))) {
</span><span class="cx">         speculationCheck(
</span><span class="cx">             NotStringObject, JSValueRegs(), 0,
</span><del>-            m_jit.branchPtr(
-                JITCompiler::NotEqual, structureLocation, TrustedImmPtr(stringObjectStructure)));
</del><ins>+            m_jit.branchStructurePtr(
+                JITCompiler::NotEqual, structureLocation, stringObjectStructure));
</ins><span class="cx">     }
</span><span class="cx"> }
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJIT32_64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -247,8 +247,10 @@
</span><span class="cx">         if (!isKnownCell(operand.node()))
</span><span class="cx">             notCell = m_jit.branch32(MacroAssembler::NotEqual, argTagGPR, TrustedImm32(JSValue::CellTag));
</span><span class="cx"> 
</span><del>-        m_jit.loadPtr(JITCompiler::Address(argPayloadGPR, JSCell::structureOffset()), resultPayloadGPR);
-        JITCompiler::Jump isMasqueradesAsUndefined = m_jit.branchTest8(JITCompiler::NonZero, JITCompiler::Address(resultPayloadGPR, Structure::typeInfoFlagsOffset()), JITCompiler::TrustedImm32(MasqueradesAsUndefined));
</del><ins>+        JITCompiler::Jump isMasqueradesAsUndefined = m_jit.branchTest8(
+            JITCompiler::NonZero, 
+            JITCompiler::Address(argPayloadGPR, JSCell::typeInfoFlagsOffset()), 
+            JITCompiler::TrustedImm32(MasqueradesAsUndefined));
</ins><span class="cx">         
</span><span class="cx">         m_jit.move(invert ? TrustedImm32(1) : TrustedImm32(0), resultPayloadGPR);
</span><span class="cx">         notMasqueradesAsUndefined = m_jit.jump();
</span><span class="lines">@@ -312,12 +314,15 @@
</span><span class="cx">         if (!isKnownCell(operand.node()))
</span><span class="cx">             notCell = m_jit.branch32(MacroAssembler::NotEqual, argTagGPR, TrustedImm32(JSValue::CellTag));
</span><span class="cx"> 
</span><del>-        m_jit.loadPtr(JITCompiler::Address(argPayloadGPR, JSCell::structureOffset()), resultGPR);
-        branchTest8(JITCompiler::Zero, JITCompiler::Address(resultGPR, Structure::typeInfoFlagsOffset()), JITCompiler::TrustedImm32(MasqueradesAsUndefined), invert ? taken : notTaken);
</del><ins>+        branchTest8(JITCompiler::Zero, 
+            JITCompiler::Address(argPayloadGPR, JSCell::typeInfoFlagsOffset()), 
+            JITCompiler::TrustedImm32(MasqueradesAsUndefined), 
+            invert ? taken : notTaken);
</ins><span class="cx">    
</span><span class="cx">         GPRReg localGlobalObjectGPR = localGlobalObject.gpr();
</span><span class="cx">         GPRReg remoteGlobalObjectGPR = remoteGlobalObject.gpr();
</span><span class="cx">         m_jit.move(TrustedImmPtr(m_jit.graph().globalObjectFor(m_currentNode-&gt;origin.semantic)), localGlobalObjectGPR);
</span><ins>+        m_jit.loadPtr(JITCompiler::Address(argPayloadGPR, JSCell::structureIDOffset()), resultGPR);
</ins><span class="cx">         m_jit.loadPtr(JITCompiler::Address(resultGPR, Structure::globalObjectOffset()), remoteGlobalObjectGPR);
</span><span class="cx">         branchPtr(JITCompiler::Equal, localGlobalObjectGPR, remoteGlobalObjectGPR, invert ? notTaken : taken);
</span><span class="cx">     }
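Review bot: the added loadPtr reads JSCell::structureIDOffset() into resultGPR and the next line dereferences resultGPR with Structure::globalObjectOffset(), so the value is used as a Structure pointer while the accessor name says ID. Add a comment that on this path the ID is the pointer, or route the load through a helper that yields a Structure pointer, so the pattern is not copied into code where the two differ.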
</span><span class="lines">@@ -1136,39 +1141,34 @@
</span><span class="cx">         DFG_TYPE_CHECK(
</span><span class="cx">             JSValueSource::unboxedCell(op1GPR), node-&gt;child1(), SpecObject, m_jit.branchPtr(
</span><span class="cx">                 MacroAssembler::Equal, 
</span><del>-                MacroAssembler::Address(op1GPR, JSCell::structureOffset()), 
</del><ins>+                MacroAssembler::Address(op1GPR, JSCell::structureIDOffset()), 
</ins><span class="cx">                 MacroAssembler::TrustedImmPtr(m_jit.vm()-&gt;stringStructure.get())));
</span><span class="cx">         DFG_TYPE_CHECK(
</span><span class="cx">             JSValueSource::unboxedCell(op2GPR), node-&gt;child2(), SpecObject, m_jit.branchPtr(
</span><span class="cx">                 MacroAssembler::Equal, 
</span><del>-                MacroAssembler::Address(op2GPR, JSCell::structureOffset()), 
</del><ins>+                MacroAssembler::Address(op2GPR, JSCell::structureIDOffset()), 
</ins><span class="cx">                 MacroAssembler::TrustedImmPtr(m_jit.vm()-&gt;stringStructure.get())));
</span><span class="cx">     } else {
</span><del>-        GPRTemporary structure(this);
-        GPRReg structureGPR = structure.gpr();
-
-        m_jit.loadPtr(MacroAssembler::Address(op1GPR, JSCell::structureOffset()), structureGPR);
</del><span class="cx">         DFG_TYPE_CHECK(
</span><span class="cx">             JSValueSource::unboxedCell(op1GPR), node-&gt;child1(), SpecObject, m_jit.branchPtr(
</span><span class="cx">                 MacroAssembler::Equal, 
</span><del>-                structureGPR, 
</del><ins>+                MacroAssembler::Address(op1GPR, JSCell::structureIDOffset()), 
</ins><span class="cx">                 MacroAssembler::TrustedImmPtr(m_jit.vm()-&gt;stringStructure.get())));
</span><span class="cx">         speculationCheck(BadType, JSValueSource::unboxedCell(op1GPR), node-&gt;child1(), 
</span><span class="cx">             m_jit.branchTest8(
</span><span class="cx">                 MacroAssembler::NonZero, 
</span><del>-                MacroAssembler::Address(structureGPR, Structure::typeInfoFlagsOffset()), 
</del><ins>+                MacroAssembler::Address(op1GPR, JSCell::typeInfoFlagsOffset()), 
</ins><span class="cx">                 MacroAssembler::TrustedImm32(MasqueradesAsUndefined)));
</span><span class="cx"> 
</span><del>-        m_jit.loadPtr(MacroAssembler::Address(op2GPR, JSCell::structureOffset()), structureGPR);
</del><span class="cx">         DFG_TYPE_CHECK(
</span><span class="cx">             JSValueSource::unboxedCell(op2GPR), node-&gt;child2(), SpecObject, m_jit.branchPtr(
</span><span class="cx">                 MacroAssembler::Equal, 
</span><del>-                structureGPR, 
</del><ins>+                MacroAssembler::Address(op2GPR, JSCell::structureIDOffset()), 
</ins><span class="cx">                 MacroAssembler::TrustedImmPtr(m_jit.vm()-&gt;stringStructure.get())));
</span><span class="cx">         speculationCheck(BadType, JSValueSource::unboxedCell(op2GPR), node-&gt;child2(), 
</span><span class="cx">             m_jit.branchTest8(
</span><span class="cx">                 MacroAssembler::NonZero, 
</span><del>-                MacroAssembler::Address(structureGPR, Structure::typeInfoFlagsOffset()), 
</del><ins>+                MacroAssembler::Address(op2GPR, JSCell::typeInfoFlagsOffset()), 
</ins><span class="cx">                 MacroAssembler::TrustedImm32(MasqueradesAsUndefined)));
</span><span class="cx">     }
</span><span class="cx">     
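Review bot: these checks keep m_jit.branchPtr with a TrustedImmPtr of stringStructure against JSCell::structureIDOffset(), whereas the same string-structure checks in the SpeculativeJIT hunks earlier in this change were moved to branchStructurePtr. Say in a comment why the raw pointer compare is still correct in this file, or convert these as well, so every structure comparison goes through one primitive.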
</span><span class="lines">@@ -1213,19 +1213,18 @@
</span><span class="cx">         DFG_TYPE_CHECK(
</span><span class="cx">             JSValueSource::unboxedCell(op1GPR), leftChild, SpecObject, m_jit.branchPtr(
</span><span class="cx">                 MacroAssembler::Equal, 
</span><del>-                MacroAssembler::Address(op1GPR, JSCell::structureOffset()), 
</del><ins>+                MacroAssembler::Address(op1GPR, JSCell::structureIDOffset()), 
</ins><span class="cx">                 MacroAssembler::TrustedImmPtr(m_jit.vm()-&gt;stringStructure.get())));
</span><span class="cx">     } else {
</span><del>-        m_jit.loadPtr(MacroAssembler::Address(op1GPR, JSCell::structureOffset()), structureGPR);
</del><span class="cx">         DFG_TYPE_CHECK(
</span><span class="cx">             JSValueSource::unboxedCell(op1GPR), leftChild, SpecObject, m_jit.branchPtr(
</span><span class="cx">                 MacroAssembler::Equal,
</span><del>-                structureGPR,
</del><ins>+                MacroAssembler::Address(op1GPR, JSCell::structureIDOffset()), 
</ins><span class="cx">                 MacroAssembler::TrustedImmPtr(m_jit.vm()-&gt;stringStructure.get())));
</span><span class="cx">         speculationCheck(BadType, JSValueSource::unboxedCell(op1GPR), leftChild, 
</span><span class="cx">             m_jit.branchTest8(
</span><span class="cx">                 MacroAssembler::NonZero, 
</span><del>-                MacroAssembler::Address(structureGPR, Structure::typeInfoFlagsOffset()), 
</del><ins>+                MacroAssembler::Address(op1GPR, JSCell::typeInfoFlagsOffset()), 
</ins><span class="cx">                 MacroAssembler::TrustedImm32(MasqueradesAsUndefined)));
</span><span class="cx">     }
</span><span class="cx">     
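Review bot: the else branch drops the only load into structureGPR shown in this hunk and now tests the cell directly, but the declaration of structureGPR lies outside the hunk and is not removed. If no use remains in the function, remove the temporary too (the -1136 hunk above does this for its GPRTemporary structure); otherwise a register stays reserved for nothing.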
</span><span class="lines">@@ -1241,20 +1240,19 @@
</span><span class="cx">             JSValueRegs(op2TagGPR, op2PayloadGPR), rightChild, (~SpecCell) | SpecObject,
</span><span class="cx">             m_jit.branchPtr(
</span><span class="cx">                 MacroAssembler::Equal, 
</span><del>-                MacroAssembler::Address(op2PayloadGPR, JSCell::structureOffset()), 
</del><ins>+                MacroAssembler::Address(op2PayloadGPR, JSCell::structureIDOffset()), 
</ins><span class="cx">                 MacroAssembler::TrustedImmPtr(m_jit.vm()-&gt;stringStructure.get())));
</span><span class="cx">     } else {
</span><del>-        m_jit.loadPtr(MacroAssembler::Address(op2PayloadGPR, JSCell::structureOffset()), structureGPR);
</del><span class="cx">         DFG_TYPE_CHECK(
</span><span class="cx">             JSValueRegs(op2TagGPR, op2PayloadGPR), rightChild, (~SpecCell) | SpecObject,
</span><span class="cx">             m_jit.branchPtr(
</span><span class="cx">                 MacroAssembler::Equal,
</span><del>-                structureGPR,
</del><ins>+                MacroAssembler::Address(op2PayloadGPR, JSCell::structureIDOffset()), 
</ins><span class="cx">                 MacroAssembler::TrustedImmPtr(m_jit.vm()-&gt;stringStructure.get())));
</span><span class="cx">         speculationCheck(BadType, JSValueRegs(op2TagGPR, op2PayloadGPR), rightChild, 
</span><span class="cx">             m_jit.branchTest8(
</span><span class="cx">                 MacroAssembler::NonZero, 
</span><del>-                MacroAssembler::Address(structureGPR, Structure::typeInfoFlagsOffset()), 
</del><ins>+                MacroAssembler::Address(op2PayloadGPR, JSCell::typeInfoFlagsOffset()), 
</ins><span class="cx">                 MacroAssembler::TrustedImm32(MasqueradesAsUndefined)));
</span><span class="cx">     }
</span><span class="cx">     
</span><span class="lines">@@ -1320,19 +1318,18 @@
</span><span class="cx">         DFG_TYPE_CHECK(
</span><span class="cx">             JSValueSource::unboxedCell(op1GPR), leftChild, SpecObject, m_jit.branchPtr(
</span><span class="cx">                 MacroAssembler::Equal, 
</span><del>-                MacroAssembler::Address(op1GPR, JSCell::structureOffset()), 
</del><ins>+                MacroAssembler::Address(op1GPR, JSCell::structureIDOffset()), 
</ins><span class="cx">                 MacroAssembler::TrustedImmPtr(m_jit.vm()-&gt;stringStructure.get())));
</span><span class="cx">     } else {
</span><del>-        m_jit.loadPtr(MacroAssembler::Address(op1GPR, JSCell::structureOffset()), structureGPR);
</del><span class="cx">         DFG_TYPE_CHECK(
</span><span class="cx">             JSValueSource::unboxedCell(op1GPR), leftChild, SpecObject, m_jit.branchPtr(
</span><span class="cx">                 MacroAssembler::Equal, 
</span><del>-                structureGPR, 
</del><ins>+                MacroAssembler::Address(op1GPR, JSCell::structureIDOffset()),
</ins><span class="cx">                 MacroAssembler::TrustedImmPtr(m_jit.vm()-&gt;stringStructure.get())));
</span><span class="cx">         speculationCheck(BadType, JSValueSource::unboxedCell(op1GPR), leftChild,
</span><span class="cx">             m_jit.branchTest8(
</span><span class="cx">                 MacroAssembler::NonZero, 
</span><del>-                MacroAssembler::Address(structureGPR, Structure::typeInfoFlagsOffset()), 
</del><ins>+                MacroAssembler::Address(op1GPR, JSCell::typeInfoFlagsOffset()), 
</ins><span class="cx">                 MacroAssembler::TrustedImm32(MasqueradesAsUndefined)));
</span><span class="cx">     }
</span><span class="cx">     
</span><span class="lines">@@ -1347,20 +1344,19 @@
</span><span class="cx">             JSValueRegs(op2TagGPR, op2PayloadGPR), rightChild, (~SpecCell) | SpecObject,
</span><span class="cx">             m_jit.branchPtr(
</span><span class="cx">                 MacroAssembler::Equal, 
</span><del>-                MacroAssembler::Address(op2PayloadGPR, JSCell::structureOffset()), 
</del><ins>+                MacroAssembler::Address(op2PayloadGPR, JSCell::structureIDOffset()), 
</ins><span class="cx">                 MacroAssembler::TrustedImmPtr(m_jit.vm()-&gt;stringStructure.get())));
</span><span class="cx">     } else {
</span><del>-        m_jit.loadPtr(MacroAssembler::Address(op2PayloadGPR, JSCell::structureOffset()), structureGPR);
</del><span class="cx">         DFG_TYPE_CHECK(
</span><span class="cx">             JSValueRegs(op2TagGPR, op2PayloadGPR), rightChild, (~SpecCell) | SpecObject,
</span><span class="cx">             m_jit.branchPtr(
</span><span class="cx">                 MacroAssembler::Equal, 
</span><del>-                structureGPR, 
</del><ins>+                MacroAssembler::Address(op2PayloadGPR, JSCell::structureIDOffset()), 
</ins><span class="cx">                 MacroAssembler::TrustedImmPtr(m_jit.vm()-&gt;stringStructure.get())));
</span><span class="cx">         speculationCheck(BadType, JSValueRegs(op2TagGPR, op2PayloadGPR), rightChild,
</span><span class="cx">             m_jit.branchTest8(
</span><span class="cx">                 MacroAssembler::NonZero, 
</span><del>-                MacroAssembler::Address(structureGPR, Structure::typeInfoFlagsOffset()), 
</del><ins>+                MacroAssembler::Address(op2PayloadGPR, JSCell::typeInfoFlagsOffset()), 
</ins><span class="cx">                 MacroAssembler::TrustedImm32(MasqueradesAsUndefined)));
</span><span class="cx">     }
</span><span class="cx">     
</span><span class="lines">@@ -1443,10 +1439,10 @@
</span><span class="cx">             JSValueRegs(valueTagGPR, valuePayloadGPR), nodeUse, (~SpecCell) | SpecObject,
</span><span class="cx">             m_jit.branchPtr(
</span><span class="cx">                 MacroAssembler::Equal,
</span><del>-                MacroAssembler::Address(valuePayloadGPR, JSCell::structureOffset()),
</del><ins>+                MacroAssembler::Address(valuePayloadGPR, JSCell::structureIDOffset()),
</ins><span class="cx">                 MacroAssembler::TrustedImmPtr(m_jit.vm()-&gt;stringStructure.get())));
</span><span class="cx">     } else {
</span><del>-        m_jit.loadPtr(MacroAssembler::Address(valuePayloadGPR, JSCell::structureOffset()), structureGPR);
</del><ins>+        m_jit.loadPtr(MacroAssembler::Address(valuePayloadGPR, JSCell::structureIDOffset()), structureGPR);
</ins><span class="cx"> 
</span><span class="cx">         DFG_TYPE_CHECK(
</span><span class="cx">             JSValueRegs(valueTagGPR, valuePayloadGPR), nodeUse, (~SpecCell) | SpecObject,
</span><span class="lines">@@ -1458,7 +1454,7 @@
</span><span class="cx">         MacroAssembler::Jump isNotMasqueradesAsUndefined = 
</span><span class="cx">             m_jit.branchTest8(
</span><span class="cx">                 MacroAssembler::Zero, 
</span><del>-                MacroAssembler::Address(structureGPR, Structure::typeInfoFlagsOffset()), 
</del><ins>+                MacroAssembler::Address(valuePayloadGPR, JSCell::typeInfoFlagsOffset()), 
</ins><span class="cx">                 MacroAssembler::TrustedImm32(MasqueradesAsUndefined));
</span><span class="cx"> 
</span><span class="cx">         speculationCheck(BadType, JSValueRegs(valueTagGPR, valuePayloadGPR), nodeUse, 
</span><span class="lines">@@ -1573,10 +1569,10 @@
</span><span class="cx">             JSValueRegs(valueTagGPR, valuePayloadGPR), nodeUse, (~SpecCell) | SpecObject,
</span><span class="cx">             m_jit.branchPtr(
</span><span class="cx">                 MacroAssembler::Equal, 
</span><del>-                MacroAssembler::Address(valuePayloadGPR, JSCell::structureOffset()), 
</del><ins>+                MacroAssembler::Address(valuePayloadGPR, JSCell::structureIDOffset()), 
</ins><span class="cx">                 MacroAssembler::TrustedImmPtr(m_jit.vm()-&gt;stringStructure.get())));
</span><span class="cx">     } else {
</span><del>-        m_jit.loadPtr(MacroAssembler::Address(valuePayloadGPR, JSCell::structureOffset()), scratchGPR);
</del><ins>+        m_jit.loadPtr(MacroAssembler::Address(valuePayloadGPR, JSCell::structureIDOffset()), scratchGPR);
</ins><span class="cx"> 
</span><span class="cx">         DFG_TYPE_CHECK(
</span><span class="cx">             JSValueRegs(valueTagGPR, valuePayloadGPR), nodeUse, (~SpecCell) | SpecObject,
</span><span class="lines">@@ -1585,7 +1581,10 @@
</span><span class="cx">                 scratchGPR,
</span><span class="cx">                 MacroAssembler::TrustedImmPtr(m_jit.vm()-&gt;stringStructure.get())));
</span><span class="cx"> 
</span><del>-        JITCompiler::Jump isNotMasqueradesAsUndefined = m_jit.branchTest8(JITCompiler::Zero, MacroAssembler::Address(scratchGPR, Structure::typeInfoFlagsOffset()), TrustedImm32(MasqueradesAsUndefined));
</del><ins>+        JITCompiler::Jump isNotMasqueradesAsUndefined = m_jit.branchTest8(
+            JITCompiler::Zero, 
+            MacroAssembler::Address(valuePayloadGPR, JSCell::typeInfoFlagsOffset()), 
+            TrustedImm32(MasqueradesAsUndefined));
</ins><span class="cx"> 
</span><span class="cx">         speculationCheck(BadType, JSValueRegs(valueTagGPR, valuePayloadGPR), nodeUse,
</span><span class="cx">             m_jit.branchPtr(
</span><span class="lines">@@ -3077,7 +3076,7 @@
</span><span class="cx">             m_jit.move(op1PayloadGPR, resultPayloadGPR);
</span><span class="cx">         } else {
</span><span class="cx">             MacroAssembler::Jump alreadyPrimitive = m_jit.branch32(MacroAssembler::NotEqual, op1TagGPR, TrustedImm32(JSValue::CellTag));
</span><del>-            MacroAssembler::Jump notPrimitive = m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(op1PayloadGPR, JSCell::structureOffset()), MacroAssembler::TrustedImmPtr(m_jit.vm()-&gt;stringStructure.get()));
</del><ins>+            MacroAssembler::Jump notPrimitive = m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(op1PayloadGPR, JSCell::structureIDOffset()), MacroAssembler::TrustedImmPtr(m_jit.vm()-&gt;stringStructure.get()));
</ins><span class="cx">             
</span><span class="cx">             alreadyPrimitive.link(&amp;m_jit);
</span><span class="cx">             m_jit.move(op1TagGPR, resultTagGPR);
</span><span class="lines">@@ -3110,7 +3109,7 @@
</span><span class="cx">                     JITCompiler::NotEqual, op1TagGPR, TrustedImm32(JSValue::CellTag));
</span><span class="cx">                 JITCompiler::Jump slowPath2 = m_jit.branchPtr(
</span><span class="cx">                     JITCompiler::NotEqual,
</span><del>-                    JITCompiler::Address(op1PayloadGPR, JSCell::structureOffset()),
</del><ins>+                    JITCompiler::Address(op1PayloadGPR, JSCell::structureIDOffset()),
</ins><span class="cx">                     TrustedImmPtr(m_jit.vm()-&gt;stringStructure.get()));
</span><span class="cx">                 m_jit.move(op1PayloadGPR, resultGPR);
</span><span class="cx">                 done = m_jit.jump();
</span><span class="lines">@@ -3476,11 +3475,9 @@
</span><span class="cx">         MacroAssembler::JumpList slowCases;
</span><span class="cx">         slowCases.append(m_jit.branch32(
</span><span class="cx">             MacroAssembler::NotEqual, thisValueTagGPR, TrustedImm32(JSValue::CellTag)));
</span><del>-        m_jit.loadPtr(
-            MacroAssembler::Address(thisValuePayloadGPR, JSCell::structureOffset()), tempGPR);
</del><span class="cx">         slowCases.append(m_jit.branch8(
</span><span class="cx">             MacroAssembler::NotEqual,
</span><del>-            MacroAssembler::Address(tempGPR, Structure::typeInfoTypeOffset()),
</del><ins>+            MacroAssembler::Address(thisValuePayloadGPR, JSCell::typeInfoTypeOffset()),
</ins><span class="cx">             TrustedImm32(FinalObjectType)));
</span><span class="cx">         m_jit.move(thisValuePayloadGPR, tempGPR);
</span><span class="cx">         m_jit.move(thisValueTagGPR, tempTagGPR);
</span><span class="lines">@@ -3787,12 +3784,12 @@
</span><span class="cx">                 BadCache, JSValueSource::unboxedCell(base.gpr()), 0,
</span><span class="cx">                 m_jit.branchWeakPtr(
</span><span class="cx">                     JITCompiler::NotEqual,
</span><del>-                    JITCompiler::Address(base.gpr(), JSCell::structureOffset()),
</del><ins>+                    JITCompiler::Address(base.gpr(), JSCell::structureIDOffset()),
</ins><span class="cx">                     node-&gt;structureSet()[0]));
</span><span class="cx">         } else {
</span><span class="cx">             GPRTemporary structure(this);
</span><span class="cx">             
</span><del>-            m_jit.loadPtr(JITCompiler::Address(base.gpr(), JSCell::structureOffset()), structure.gpr());
</del><ins>+            m_jit.loadPtr(JITCompiler::Address(base.gpr(), JSCell::structureIDOffset()), structure.gpr());
</ins><span class="cx">             
</span><span class="cx">             JITCompiler::JumpList done;
</span><span class="cx">             
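Review bot: In the else branch, m_jit.loadPtr(JITCompiler::Address(base.gpr(), JSCell::structureIDOffset()), structure.gpr()) still does a pointer-width load into a temporary named structure, so this tag/payload path assumes the field at structureIDOffset() holds a full Structure pointer. The 64-bit file in this same change goes through emitLoadStructure and branchStructurePtr instead. A comment or static assertion here stating that the ID is pointer-sized on this path would keep the two code paths from silently diverging.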
</span><span class="lines">@@ -3823,7 +3820,7 @@
</span><span class="cx">         
</span><span class="cx"> #if !ASSERT_DISABLED
</span><span class="cx">         SpeculateCellOperand op1(this, node-&gt;child1());
</span><del>-        JITCompiler::Jump isOK = m_jit.branchPtr(JITCompiler::Equal, JITCompiler::Address(op1.gpr(), JSCell::structureOffset()), TrustedImmPtr(node-&gt;structure()));
</del><ins>+        JITCompiler::Jump isOK = m_jit.branchPtr(JITCompiler::Equal, JITCompiler::Address(op1.gpr(), JSCell::structureIDOffset()), TrustedImmPtr(node-&gt;structure()));
</ins><span class="cx">         m_jit.breakpoint();
</span><span class="cx">         isOK.link(&amp;m_jit);
</span><span class="cx"> #else
</span><span class="lines">@@ -3847,7 +3844,7 @@
</span><span class="cx">         SpeculateCellOperand base(this, node-&gt;child1());
</span><span class="cx">         GPRReg baseGPR = base.gpr();
</span><span class="cx">         
</span><del>-        m_jit.storePtr(MacroAssembler::TrustedImmPtr(node-&gt;structureTransitionData().newStructure), MacroAssembler::Address(baseGPR, JSCell::structureOffset()));
</del><ins>+        m_jit.storePtr(MacroAssembler::TrustedImmPtr(node-&gt;structureTransitionData().newStructure), MacroAssembler::Address(baseGPR, JSCell::structureIDOffset()));
</ins><span class="cx">         
</span><span class="cx">         noResult(node);
</span><span class="cx">         break;
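Review bot: The storePtr to JSCell::structureIDOffset() updates only the structure field, while other hunks in this change read the type and flags bytes straight from the cell through JSCell::typeInfoTypeOffset() and JSCell::typeInfoFlagsOffset(). If newStructure can differ from the old structure in any of those cell-resident bytes, this store leaves the cell header stale and later inline type checks would be made against the wrong data. Either update those bytes here or add a comment or assertion explaining why a transition never changes them.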
</span><span class="lines">@@ -4051,8 +4048,10 @@
</span><span class="cx">         GPRTemporary structure(this);
</span><span class="cx"> 
</span><span class="cx">         // Speculate that base 'ImplementsDefaultHasInstance'.
</span><del>-        m_jit.loadPtr(MacroAssembler::Address(base.gpr(), JSCell::structureOffset()), structure.gpr());
-        speculationCheck(Uncountable, JSValueRegs(), 0, m_jit.branchTest8(MacroAssembler::Zero, MacroAssembler::Address(structure.gpr(), Structure::typeInfoFlagsOffset()), MacroAssembler::TrustedImm32(ImplementsDefaultHasInstance)));
</del><ins>+        speculationCheck(Uncountable, JSValueRegs(), 0, m_jit.branchTest8(
+            MacroAssembler::Zero, 
+            MacroAssembler::Address(base.gpr(), JSCell::typeInfoFlagsOffset()), 
+            MacroAssembler::TrustedImm32(ImplementsDefaultHasInstance)));
</ins><span class="cx"> 
</span><span class="cx">         noResult(node);
</span><span class="cx">         break;
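Review bot: GPRTemporary structure(this) at the top of this case is dead once the loadPtr is removed: the speculation check now addresses base.gpr() directly and the case ends with noResult(node). Drop the temporary so the case does not reserve a register it never touches. The new MacroAssembler::Zero and MacroAssembler::Address argument lines also end in trailing whitespace.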
</span><span class="lines">@@ -4080,8 +4079,10 @@
</span><span class="cx">             m_jit.move(TrustedImm32(0), result.gpr());
</span><span class="cx">             notMasqueradesAsUndefined = m_jit.jump();
</span><span class="cx">         } else {
</span><del>-            m_jit.loadPtr(JITCompiler::Address(value.payloadGPR(), JSCell::structureOffset()), result.gpr());
-            JITCompiler::Jump isMasqueradesAsUndefined = m_jit.branchTest8(JITCompiler::NonZero, JITCompiler::Address(result.gpr(), Structure::typeInfoFlagsOffset()), TrustedImm32(MasqueradesAsUndefined));
</del><ins>+            JITCompiler::Jump isMasqueradesAsUndefined = m_jit.branchTest8(
+                JITCompiler::NonZero, 
+                JITCompiler::Address(value.payloadGPR(), JSCell::typeInfoFlagsOffset()), 
+                TrustedImm32(MasqueradesAsUndefined));
</ins><span class="cx">             m_jit.move(TrustedImm32(0), result.gpr());
</span><span class="cx">             notMasqueradesAsUndefined = m_jit.jump();
</span><span class="cx">             
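Review bot: With the loadPtr removed, result.gpr() no longer holds the Structure pointer on the isMasqueradesAsUndefined path. The 64-bit version of this change adds m_jit.emitLoadStructure(argGPR, resultGPR, scratch.gpr()) ahead of its Structure::globalObjectOffset() load, and nothing equivalent appears in this hunk. Any code past the visible context that still dereferences result.gpr() as a Structure needs a reload from value.payloadGPR() first.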
</span><span class="lines">@@ -4124,8 +4125,10 @@
</span><span class="cx">         
</span><span class="cx">         JITCompiler::Jump isNotCell = m_jit.branch32(JITCompiler::NotEqual, value.tagGPR(), JITCompiler::TrustedImm32(JSValue::CellTag));
</span><span class="cx">         
</span><del>-        m_jit.loadPtr(JITCompiler::Address(value.payloadGPR(), JSCell::structureOffset()), result.gpr());
-        m_jit.compare8(JITCompiler::Equal, JITCompiler::Address(result.gpr(), Structure::typeInfoTypeOffset()), TrustedImm32(StringType), result.gpr());
</del><ins>+        m_jit.compare8(JITCompiler::Equal, 
+            JITCompiler::Address(value.payloadGPR(), JSCell::typeInfoTypeOffset()), 
+            TrustedImm32(StringType), 
+            result.gpr());
</ins><span class="cx">         JITCompiler::Jump done = m_jit.jump();
</span><span class="cx">         
</span><span class="cx">         isNotCell.link(&amp;m_jit);
</span><span class="lines">@@ -4178,8 +4181,10 @@
</span><span class="cx">             DFG_TYPE_CHECK(JSValueRegs(tagGPR, payloadGPR), node-&gt;child1(), SpecCell, isNotCell);
</span><span class="cx"> 
</span><span class="cx">         if (!node-&gt;child1()-&gt;shouldSpeculateObject() || node-&gt;child1().useKind() == StringUse) {
</span><del>-            m_jit.loadPtr(JITCompiler::Address(payloadGPR, JSCell::structureOffset()), tempGPR);
-            JITCompiler::Jump notString = m_jit.branch8(JITCompiler::NotEqual, JITCompiler::Address(tempGPR, Structure::typeInfoTypeOffset()), TrustedImm32(StringType));
</del><ins>+            JITCompiler::Jump notString = m_jit.branch8(
+                JITCompiler::NotEqual, 
+                JITCompiler::Address(payloadGPR, JSCell::typeInfoTypeOffset()), 
+                TrustedImm32(StringType));
</ins><span class="cx">             if (node-&gt;child1().useKind() == StringUse)
</span><span class="cx">                 DFG_TYPE_CHECK(JSValueRegs(tagGPR, payloadGPR), node-&gt;child1(), SpecString, notString);
</span><span class="cx">             m_jit.move(TrustedImmPtr(m_jit.vm()-&gt;smallStrings.stringString()), resultGPR);
</span><span class="lines">@@ -4708,7 +4713,7 @@
</span><span class="cx">     if (!isKnownCell(valueUse.node()))
</span><span class="cx">         isNotCell = m_jit.branch32(JITCompiler::NotEqual, valueTagGPR, JITCompiler::TrustedImm32(JSValue::CellTag));
</span><span class="cx"> 
</span><del>-    JITCompiler::Jump definitelyNotMarked = genericWriteBarrier(m_jit, ownerGPR, scratch1, scratch2);
</del><ins>+    JITCompiler::Jump definitelyNotMarked = genericWriteBarrier(m_jit, ownerGPR);
</ins><span class="cx">     storeToWriteBarrierBuffer(ownerGPR, scratch1, scratch2);
</span><span class="cx">     definitelyNotMarked.link(&amp;m_jit);
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJIT64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -247,12 +247,15 @@
</span><span class="cx">     } else {
</span><span class="cx">         GPRTemporary localGlobalObject(this);
</span><span class="cx">         GPRTemporary remoteGlobalObject(this);
</span><ins>+        GPRTemporary scratch(this);
</ins><span class="cx"> 
</span><span class="cx">         if (!isKnownCell(operand.node()))
</span><span class="cx">             notCell = m_jit.branchTest64(MacroAssembler::NonZero, argGPR, GPRInfo::tagMaskRegister);
</span><span class="cx"> 
</span><del>-        m_jit.loadPtr(JITCompiler::Address(argGPR, JSCell::structureOffset()), resultGPR);
-        JITCompiler::Jump isMasqueradesAsUndefined = m_jit.branchTest8(JITCompiler::NonZero, JITCompiler::Address(resultGPR, Structure::typeInfoFlagsOffset()), JITCompiler::TrustedImm32(MasqueradesAsUndefined));
</del><ins>+        JITCompiler::Jump isMasqueradesAsUndefined = m_jit.branchTest8(
+            JITCompiler::NonZero, 
+            JITCompiler::Address(argGPR, JSCell::typeInfoFlagsOffset()), 
+            JITCompiler::TrustedImm32(MasqueradesAsUndefined));
</ins><span class="cx"> 
</span><span class="cx">         m_jit.move(invert ? TrustedImm32(1) : TrustedImm32(0), resultGPR);
</span><span class="cx">         notMasqueradesAsUndefined = m_jit.jump();
</span><span class="lines">@@ -261,6 +264,7 @@
</span><span class="cx">         GPRReg localGlobalObjectGPR = localGlobalObject.gpr();
</span><span class="cx">         GPRReg remoteGlobalObjectGPR = remoteGlobalObject.gpr();
</span><span class="cx">         m_jit.move(JITCompiler::TrustedImmPtr(m_jit.graph().globalObjectFor(m_currentNode-&gt;origin.semantic)), localGlobalObjectGPR);
</span><ins>+        m_jit.emitLoadStructure(argGPR, resultGPR, scratch.gpr());
</ins><span class="cx">         m_jit.loadPtr(JITCompiler::Address(resultGPR, Structure::globalObjectOffset()), remoteGlobalObjectGPR);
</span><span class="cx">         m_jit.comparePtr(invert ? JITCompiler::NotEqual : JITCompiler::Equal, localGlobalObjectGPR, remoteGlobalObjectGPR, resultGPR);
</span><span class="cx">     }
</span><span class="lines">@@ -311,16 +315,20 @@
</span><span class="cx">     } else {
</span><span class="cx">         GPRTemporary localGlobalObject(this);
</span><span class="cx">         GPRTemporary remoteGlobalObject(this);
</span><ins>+        GPRTemporary scratch(this);
</ins><span class="cx"> 
</span><span class="cx">         if (!isKnownCell(operand.node()))
</span><span class="cx">             notCell = m_jit.branchTest64(MacroAssembler::NonZero, argGPR, GPRInfo::tagMaskRegister);
</span><span class="cx"> 
</span><del>-        m_jit.loadPtr(JITCompiler::Address(argGPR, JSCell::structureOffset()), resultGPR);
-        branchTest8(JITCompiler::Zero, JITCompiler::Address(resultGPR, Structure::typeInfoFlagsOffset()), JITCompiler::TrustedImm32(MasqueradesAsUndefined), invert ? taken : notTaken);
</del><ins>+        branchTest8(JITCompiler::Zero, 
+            JITCompiler::Address(argGPR, JSCell::typeInfoFlagsOffset()), 
+            JITCompiler::TrustedImm32(MasqueradesAsUndefined), 
+            invert ? taken : notTaken);
</ins><span class="cx"> 
</span><span class="cx">         GPRReg localGlobalObjectGPR = localGlobalObject.gpr();
</span><span class="cx">         GPRReg remoteGlobalObjectGPR = remoteGlobalObject.gpr();
</span><span class="cx">         m_jit.move(TrustedImmPtr(m_jit.graph().globalObjectFor(m_currentNode-&gt;origin.semantic)), localGlobalObjectGPR);
</span><ins>+        m_jit.emitLoadStructure(argGPR, resultGPR, scratch.gpr());
</ins><span class="cx">         m_jit.loadPtr(JITCompiler::Address(resultGPR, Structure::globalObjectOffset()), remoteGlobalObjectGPR);
</span><span class="cx">         branchPtr(JITCompiler::Equal, localGlobalObjectGPR, remoteGlobalObjectGPR, invert ? notTaken : taken);
</span><span class="cx">     }
</span><span class="lines">@@ -1519,41 +1527,36 @@
</span><span class="cx">    
</span><span class="cx">     if (masqueradesAsUndefinedWatchpointIsStillValid()) {
</span><span class="cx">         DFG_TYPE_CHECK(
</span><del>-            JSValueSource::unboxedCell(op1GPR), node-&gt;child1(), SpecObject, m_jit.branchPtr(
</del><ins>+            JSValueSource::unboxedCell(op1GPR), node-&gt;child1(), SpecObject, m_jit.branchStructurePtr(
</ins><span class="cx">                 MacroAssembler::Equal, 
</span><del>-                MacroAssembler::Address(op1GPR, JSCell::structureOffset()), 
-                MacroAssembler::TrustedImmPtr(m_jit.vm()-&gt;stringStructure.get())));
</del><ins>+                MacroAssembler::Address(op1GPR, JSCell::structureIDOffset()), 
+                m_jit.vm()-&gt;stringStructure.get()));
</ins><span class="cx">         DFG_TYPE_CHECK(
</span><del>-            JSValueSource::unboxedCell(op2GPR), node-&gt;child2(), SpecObject, m_jit.branchPtr(
</del><ins>+            JSValueSource::unboxedCell(op2GPR), node-&gt;child2(), SpecObject, m_jit.branchStructurePtr(
</ins><span class="cx">                 MacroAssembler::Equal, 
</span><del>-                MacroAssembler::Address(op2GPR, JSCell::structureOffset()), 
-                MacroAssembler::TrustedImmPtr(m_jit.vm()-&gt;stringStructure.get())));
</del><ins>+                MacroAssembler::Address(op2GPR, JSCell::structureIDOffset()), 
+                m_jit.vm()-&gt;stringStructure.get()));
</ins><span class="cx">     } else {
</span><del>-        GPRTemporary structure(this);
-        GPRReg structureGPR = structure.gpr();
-
-        m_jit.loadPtr(MacroAssembler::Address(op1GPR, JSCell::structureOffset()), structureGPR);
</del><span class="cx">         DFG_TYPE_CHECK(
</span><del>-            JSValueSource::unboxedCell(op1GPR), node-&gt;child1(), SpecObject, m_jit.branchPtr(
</del><ins>+            JSValueSource::unboxedCell(op1GPR), node-&gt;child1(), SpecObject, m_jit.branchStructurePtr(
</ins><span class="cx">                 MacroAssembler::Equal, 
</span><del>-                structureGPR, 
-                MacroAssembler::TrustedImmPtr(m_jit.vm()-&gt;stringStructure.get())));
</del><ins>+                MacroAssembler::Address(op1GPR, JSCell::structureIDOffset()), 
+                m_jit.vm()-&gt;stringStructure.get()));
</ins><span class="cx">         speculationCheck(BadType, JSValueSource::unboxedCell(op1GPR), node-&gt;child1(),
</span><span class="cx">             m_jit.branchTest8(
</span><span class="cx">                 MacroAssembler::NonZero, 
</span><del>-                MacroAssembler::Address(structureGPR, Structure::typeInfoFlagsOffset()), 
</del><ins>+                MacroAssembler::Address(op1GPR, JSCell::typeInfoFlagsOffset()), 
</ins><span class="cx">                 MacroAssembler::TrustedImm32(MasqueradesAsUndefined)));
</span><span class="cx"> 
</span><del>-        m_jit.loadPtr(MacroAssembler::Address(op2GPR, JSCell::structureOffset()), structureGPR);
</del><span class="cx">         DFG_TYPE_CHECK(
</span><del>-            JSValueSource::unboxedCell(op2GPR), node-&gt;child2(), SpecObject, m_jit.branchPtr(
</del><ins>+            JSValueSource::unboxedCell(op2GPR), node-&gt;child2(), SpecObject, m_jit.branchStructurePtr(
</ins><span class="cx">                 MacroAssembler::Equal, 
</span><del>-                structureGPR, 
-                MacroAssembler::TrustedImmPtr(m_jit.vm()-&gt;stringStructure.get())));
</del><ins>+                MacroAssembler::Address(op2GPR, JSCell::structureIDOffset()),
+                m_jit.vm()-&gt;stringStructure.get()));
</ins><span class="cx">         speculationCheck(BadType, JSValueSource::unboxedCell(op2GPR), node-&gt;child2(),
</span><span class="cx">             m_jit.branchTest8(
</span><span class="cx">                 MacroAssembler::NonZero, 
</span><del>-                MacroAssembler::Address(structureGPR, Structure::typeInfoFlagsOffset()), 
</del><ins>+                MacroAssembler::Address(op2GPR, JSCell::typeInfoFlagsOffset()), 
</ins><span class="cx">                 MacroAssembler::TrustedImm32(MasqueradesAsUndefined)));
</span><span class="cx">     }
</span><span class="cx">     
</span><span class="lines">@@ -1576,37 +1579,26 @@
</span><span class="cx">     GPRReg op1GPR = op1.gpr();
</span><span class="cx">     GPRReg op2GPR = op2.gpr();
</span><span class="cx">     GPRReg resultGPR = result.gpr();
</span><del>-    GPRTemporary structure;
-    GPRReg structureGPR = InvalidGPRReg;
</del><span class="cx"> 
</span><span class="cx">     bool masqueradesAsUndefinedWatchpointValid =
</span><span class="cx">         masqueradesAsUndefinedWatchpointIsStillValid();
</span><span class="cx"> 
</span><del>-    if (!masqueradesAsUndefinedWatchpointValid) {
-        // The masquerades as undefined case will use the structure register, so allocate it here.
-        // Do this at the top of the function to avoid branching around a register allocation.
-        GPRTemporary realStructure(this);
-        structure.adopt(realStructure);
-        structureGPR = structure.gpr();
-    }
-
</del><span class="cx">     if (masqueradesAsUndefinedWatchpointValid) {
</span><span class="cx">         DFG_TYPE_CHECK(
</span><del>-            JSValueSource::unboxedCell(op1GPR), leftChild, SpecObject, m_jit.branchPtr(
</del><ins>+            JSValueSource::unboxedCell(op1GPR), leftChild, SpecObject, m_jit.branchStructurePtr(
</ins><span class="cx">                 MacroAssembler::Equal, 
</span><del>-                MacroAssembler::Address(op1GPR, JSCell::structureOffset()), 
-                MacroAssembler::TrustedImmPtr(m_jit.vm()-&gt;stringStructure.get())));
</del><ins>+                MacroAssembler::Address(op1GPR, JSCell::structureIDOffset()), 
+                m_jit.vm()-&gt;stringStructure.get()));
</ins><span class="cx">     } else {
</span><del>-        m_jit.loadPtr(MacroAssembler::Address(op1GPR, JSCell::structureOffset()), structureGPR);
</del><span class="cx">         DFG_TYPE_CHECK(
</span><del>-            JSValueSource::unboxedCell(op1GPR), leftChild, SpecObject, m_jit.branchPtr(
</del><ins>+            JSValueSource::unboxedCell(op1GPR), leftChild, SpecObject, m_jit.branchStructurePtr(
</ins><span class="cx">                 MacroAssembler::Equal,
</span><del>-                structureGPR,
-                MacroAssembler::TrustedImmPtr(m_jit.vm()-&gt;stringStructure.get())));
</del><ins>+                MacroAssembler::Address(op1GPR, JSCell::structureIDOffset()), 
+                m_jit.vm()-&gt;stringStructure.get()));
</ins><span class="cx">         speculationCheck(BadType, JSValueSource::unboxedCell(op1GPR), leftChild,
</span><span class="cx">             m_jit.branchTest8(
</span><span class="cx">                 MacroAssembler::NonZero, 
</span><del>-                MacroAssembler::Address(structureGPR, Structure::typeInfoFlagsOffset()), 
</del><ins>+                MacroAssembler::Address(op1GPR, JSCell::typeInfoFlagsOffset()), 
</ins><span class="cx">                 MacroAssembler::TrustedImm32(MasqueradesAsUndefined)));
</span><span class="cx">     }
</span><span class="cx">     
</span><span class="lines">@@ -1618,21 +1610,20 @@
</span><span class="cx">     // We know that within this branch, rightChild must be a cell. 
</span><span class="cx">     if (masqueradesAsUndefinedWatchpointValid) {
</span><span class="cx">         DFG_TYPE_CHECK(
</span><del>-            JSValueRegs(op2GPR), rightChild, (~SpecCell) | SpecObject, m_jit.branchPtr(
</del><ins>+            JSValueRegs(op2GPR), rightChild, (~SpecCell) | SpecObject, m_jit.branchStructurePtr(
</ins><span class="cx">                 MacroAssembler::Equal, 
</span><del>-                MacroAssembler::Address(op2GPR, JSCell::structureOffset()), 
-                MacroAssembler::TrustedImmPtr(m_jit.vm()-&gt;stringStructure.get())));
</del><ins>+                MacroAssembler::Address(op2GPR, JSCell::structureIDOffset()), 
+                m_jit.vm()-&gt;stringStructure.get()));
</ins><span class="cx">     } else {
</span><del>-        m_jit.loadPtr(MacroAssembler::Address(op2GPR, JSCell::structureOffset()), structureGPR);
</del><span class="cx">         DFG_TYPE_CHECK(
</span><del>-            JSValueRegs(op2GPR), rightChild, (~SpecCell) | SpecObject, m_jit.branchPtr(
</del><ins>+            JSValueRegs(op2GPR), rightChild, (~SpecCell) | SpecObject, m_jit.branchStructurePtr(
</ins><span class="cx">                 MacroAssembler::Equal,
</span><del>-                structureGPR,
-                MacroAssembler::TrustedImmPtr(m_jit.vm()-&gt;stringStructure.get())));
</del><ins>+                MacroAssembler::Address(op2GPR, JSCell::structureIDOffset()), 
+                m_jit.vm()-&gt;stringStructure.get()));
</ins><span class="cx">         speculationCheck(BadType, JSValueRegs(op2GPR), rightChild,
</span><span class="cx">             m_jit.branchTest8(
</span><span class="cx">                 MacroAssembler::NonZero, 
</span><del>-                MacroAssembler::Address(structureGPR, Structure::typeInfoFlagsOffset()), 
</del><ins>+                MacroAssembler::Address(op2GPR, JSCell::typeInfoFlagsOffset()), 
</ins><span class="cx">                 MacroAssembler::TrustedImm32(MasqueradesAsUndefined)));
</span><span class="cx">     }
</span><span class="cx">     
</span><span class="lines">@@ -1679,37 +1670,26 @@
</span><span class="cx">     GPRReg op1GPR = op1.gpr();
</span><span class="cx">     GPRReg op2GPR = op2.gpr();
</span><span class="cx">     GPRReg resultGPR = result.gpr();
</span><del>-    GPRTemporary structure;
-    GPRReg structureGPR = InvalidGPRReg;
</del><span class="cx">     
</span><del>-    bool masqueradesAsUndefinedWatchpointValid =
</del><ins>+    bool masqueradesAsUndefinedWatchpointValid = 
</ins><span class="cx">         masqueradesAsUndefinedWatchpointIsStillValid();
</span><span class="cx"> 
</span><del>-    if (!masqueradesAsUndefinedWatchpointValid) {
-        // The masquerades as undefined case will use the structure register, so allocate it here.
-        // Do this at the top of the function to avoid branching around a register allocation.
-        GPRTemporary realStructure(this);
-        structure.adopt(realStructure);
-        structureGPR = structure.gpr();
-    }
-
</del><span class="cx">     if (masqueradesAsUndefinedWatchpointValid) {
</span><span class="cx">         DFG_TYPE_CHECK(
</span><del>-            JSValueSource::unboxedCell(op1GPR), leftChild, SpecObject, m_jit.branchPtr(
</del><ins>+            JSValueSource::unboxedCell(op1GPR), leftChild, SpecObject, m_jit.branchStructurePtr(
</ins><span class="cx">                 MacroAssembler::Equal, 
</span><del>-                MacroAssembler::Address(op1GPR, JSCell::structureOffset()), 
-                MacroAssembler::TrustedImmPtr(m_jit.vm()-&gt;stringStructure.get())));
</del><ins>+                MacroAssembler::Address(op1GPR, JSCell::structureIDOffset()), 
+                m_jit.vm()-&gt;stringStructure.get()));
</ins><span class="cx">     } else {
</span><del>-        m_jit.loadPtr(MacroAssembler::Address(op1GPR, JSCell::structureOffset()), structureGPR);
</del><span class="cx">         DFG_TYPE_CHECK(
</span><del>-            JSValueSource::unboxedCell(op1GPR), leftChild, SpecObject, m_jit.branchPtr(
</del><ins>+            JSValueSource::unboxedCell(op1GPR), leftChild, SpecObject, m_jit.branchStructurePtr(
</ins><span class="cx">                 MacroAssembler::Equal, 
</span><del>-                structureGPR, 
-                MacroAssembler::TrustedImmPtr(m_jit.vm()-&gt;stringStructure.get())));
</del><ins>+                MacroAssembler::Address(op1GPR, JSCell::structureIDOffset()),
+                m_jit.vm()-&gt;stringStructure.get()));
</ins><span class="cx">         speculationCheck(BadType, JSValueSource::unboxedCell(op1GPR), leftChild, 
</span><span class="cx">             m_jit.branchTest8(
</span><span class="cx">                 MacroAssembler::NonZero, 
</span><del>-                MacroAssembler::Address(structureGPR, Structure::typeInfoFlagsOffset()), 
</del><ins>+                MacroAssembler::Address(op1GPR, JSCell::typeInfoFlagsOffset()), 
</ins><span class="cx">                 MacroAssembler::TrustedImm32(MasqueradesAsUndefined)));
</span><span class="cx">     }
</span><span class="cx"> 
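Review bot: The edit to the bool masqueradesAsUndefinedWatchpointValid = line only appends a trailing space. Revert that line so the hunk carries no whitespace-only churn; the matching function in the hunk at -1576 leaves the same line untouched.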
</span><span class="lines">@@ -1721,21 +1701,20 @@
</span><span class="cx">     // We know that within this branch, rightChild must be a cell. 
</span><span class="cx">     if (masqueradesAsUndefinedWatchpointValid) {
</span><span class="cx">         DFG_TYPE_CHECK(
</span><del>-            JSValueRegs(op2GPR), rightChild, (~SpecCell) | SpecObject, m_jit.branchPtr(
</del><ins>+            JSValueRegs(op2GPR), rightChild, (~SpecCell) | SpecObject, m_jit.branchStructurePtr(
</ins><span class="cx">                 MacroAssembler::Equal, 
</span><del>-                MacroAssembler::Address(op2GPR, JSCell::structureOffset()), 
-                MacroAssembler::TrustedImmPtr(m_jit.vm()-&gt;stringStructure.get())));
</del><ins>+                MacroAssembler::Address(op2GPR, JSCell::structureIDOffset()), 
+                m_jit.vm()-&gt;stringStructure.get()));
</ins><span class="cx">     } else {
</span><del>-        m_jit.loadPtr(MacroAssembler::Address(op2GPR, JSCell::structureOffset()), structureGPR);
</del><span class="cx">         DFG_TYPE_CHECK(
</span><del>-            JSValueRegs(op2GPR), rightChild, (~SpecCell) | SpecObject, m_jit.branchPtr(
</del><ins>+            JSValueRegs(op2GPR), rightChild, (~SpecCell) | SpecObject, m_jit.branchStructurePtr(
</ins><span class="cx">                 MacroAssembler::Equal, 
</span><del>-                structureGPR, 
-                MacroAssembler::TrustedImmPtr(m_jit.vm()-&gt;stringStructure.get())));
</del><ins>+                MacroAssembler::Address(op2GPR, JSCell::structureIDOffset()),
+                m_jit.vm()-&gt;stringStructure.get()));
</ins><span class="cx">         speculationCheck(BadType, JSValueRegs(op2GPR), rightChild,
</span><span class="cx">             m_jit.branchTest8(
</span><span class="cx">                 MacroAssembler::NonZero, 
</span><del>-                MacroAssembler::Address(structureGPR, Structure::typeInfoFlagsOffset()), 
</del><ins>+                MacroAssembler::Address(op2GPR, JSCell::typeInfoFlagsOffset()), 
</ins><span class="cx">                 MacroAssembler::TrustedImm32(MasqueradesAsUndefined)));
</span><span class="cx">     }
</span><span class="cx">     
</span><span class="lines">@@ -1833,6 +1812,8 @@
</span><span class="cx">     GPRReg resultGPR = result.gpr();
</span><span class="cx">     GPRTemporary structure;
</span><span class="cx">     GPRReg structureGPR = InvalidGPRReg;
</span><ins>+    GPRTemporary scratch;
+    GPRReg scratchGPR = InvalidGPRReg;
</ins><span class="cx"> 
</span><span class="cx">     bool masqueradesAsUndefinedWatchpointValid =
</span><span class="cx">         masqueradesAsUndefinedWatchpointIsStillValid();
</span><span class="lines">@@ -1841,32 +1822,34 @@
</span><span class="cx">         // The masquerades as undefined case will use the structure register, so allocate it here.
</span><span class="cx">         // Do this at the top of the function to avoid branching around a register allocation.
</span><span class="cx">         GPRTemporary realStructure(this);
</span><ins>+        GPRTemporary realScratch(this);
</ins><span class="cx">         structure.adopt(realStructure);
</span><ins>+        scratch.adopt(realScratch);
</ins><span class="cx">         structureGPR = structure.gpr();
</span><ins>+        scratchGPR = scratch.gpr();
</ins><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     MacroAssembler::Jump notCell = m_jit.branchTest64(MacroAssembler::NonZero, valueGPR, GPRInfo::tagMaskRegister);
</span><span class="cx">     if (masqueradesAsUndefinedWatchpointValid) {
</span><span class="cx">         DFG_TYPE_CHECK(
</span><del>-            JSValueRegs(valueGPR), nodeUse, (~SpecCell) | SpecObject, m_jit.branchPtr(
</del><ins>+            JSValueRegs(valueGPR), nodeUse, (~SpecCell) | SpecObject, m_jit.branchStructurePtr(
</ins><span class="cx">                 MacroAssembler::Equal,
</span><del>-                MacroAssembler::Address(valueGPR, JSCell::structureOffset()),
-                MacroAssembler::TrustedImmPtr(m_jit.vm()-&gt;stringStructure.get())));
</del><ins>+                MacroAssembler::Address(valueGPR, JSCell::structureIDOffset()),
+                m_jit.vm()-&gt;stringStructure.get()));
</ins><span class="cx">     } else {
</span><del>-        m_jit.loadPtr(MacroAssembler::Address(valueGPR, JSCell::structureOffset()), structureGPR);
-
</del><span class="cx">         DFG_TYPE_CHECK(
</span><del>-            JSValueRegs(valueGPR), nodeUse, (~SpecCell) | SpecObject, m_jit.branchPtr(
</del><ins>+            JSValueRegs(valueGPR), nodeUse, (~SpecCell) | SpecObject, m_jit.branchStructurePtr(
</ins><span class="cx">                 MacroAssembler::Equal,
</span><del>-                structureGPR,
-                MacroAssembler::TrustedImmPtr(m_jit.vm()-&gt;stringStructure.get())));
</del><ins>+                MacroAssembler::Address(valueGPR, JSCell::structureIDOffset()), 
+                m_jit.vm()-&gt;stringStructure.get()));
</ins><span class="cx"> 
</span><span class="cx">         MacroAssembler::Jump isNotMasqueradesAsUndefined = 
</span><span class="cx">             m_jit.branchTest8(
</span><span class="cx">                 MacroAssembler::Zero, 
</span><del>-                MacroAssembler::Address(structureGPR, Structure::typeInfoFlagsOffset()), 
</del><ins>+                MacroAssembler::Address(valueGPR, JSCell::typeInfoFlagsOffset()), 
</ins><span class="cx">                 MacroAssembler::TrustedImm32(MasqueradesAsUndefined));
</span><span class="cx"> 
</span><ins>+        m_jit.emitLoadStructure(valueGPR, structureGPR, scratchGPR);
</ins><span class="cx">         speculationCheck(BadType, JSValueRegs(valueGPR), nodeUse, 
</span><span class="cx">             m_jit.branchPtr(
</span><span class="cx">                 MacroAssembler::Equal, 
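Review bot: The comment above the allocation still says only that the masquerades as undefined case will use the structure register, but the block now also adopts realScratch for the emitLoadStructure call added further down. Update the comment to cover both temporaries so a later cleanup does not treat the scratch allocation as unused.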
</span><span class="lines">@@ -1985,31 +1968,41 @@
</span><span class="cx"> {
</span><span class="cx">     JSValueOperand value(this, nodeUse, ManualOperandSpeculation);
</span><span class="cx">     GPRTemporary scratch(this);
</span><ins>+    GPRTemporary structure;
</ins><span class="cx">     GPRReg valueGPR = value.gpr();
</span><span class="cx">     GPRReg scratchGPR = scratch.gpr();
</span><del>-    
</del><ins>+    GPRReg structureGPR = InvalidGPRReg;
+
+    if (!masqueradesAsUndefinedWatchpointIsStillValid()) {
+        GPRTemporary realStructure(this);
+        structure.adopt(realStructure);
+        structureGPR = structure.gpr();
+    }
+
</ins><span class="cx">     MacroAssembler::Jump notCell = m_jit.branchTest64(MacroAssembler::NonZero, valueGPR, GPRInfo::tagMaskRegister);
</span><span class="cx">     if (masqueradesAsUndefinedWatchpointIsStillValid()) {
</span><span class="cx">         DFG_TYPE_CHECK(
</span><del>-            JSValueRegs(valueGPR), nodeUse, (~SpecCell) | SpecObject, m_jit.branchPtr(
</del><ins>+            JSValueRegs(valueGPR), nodeUse, (~SpecCell) | SpecObject, m_jit.branchStructurePtr(
</ins><span class="cx">                 MacroAssembler::Equal, 
</span><del>-                MacroAssembler::Address(valueGPR, JSCell::structureOffset()),
-                MacroAssembler::TrustedImmPtr(m_jit.vm()-&gt;stringStructure.get())));
</del><ins>+                MacroAssembler::Address(valueGPR, JSCell::structureIDOffset()),
+                m_jit.vm()-&gt;stringStructure.get()));                
</ins><span class="cx">     } else {
</span><del>-        m_jit.loadPtr(MacroAssembler::Address(valueGPR, JSCell::structureOffset()), scratchGPR);
-
</del><span class="cx">         DFG_TYPE_CHECK(
</span><del>-            JSValueRegs(valueGPR), nodeUse, (~SpecCell) | SpecObject, m_jit.branchPtr(
</del><ins>+            JSValueRegs(valueGPR), nodeUse, (~SpecCell) | SpecObject, m_jit.branchStructurePtr(
</ins><span class="cx">                 MacroAssembler::Equal, 
</span><del>-                scratchGPR,
-                MacroAssembler::TrustedImmPtr(m_jit.vm()-&gt;stringStructure.get())));
</del><ins>+                MacroAssembler::Address(valueGPR, JSCell::structureIDOffset()),
+                m_jit.vm()-&gt;stringStructure.get()));
</ins><span class="cx"> 
</span><del>-        JITCompiler::Jump isNotMasqueradesAsUndefined = m_jit.branchTest8(JITCompiler::Zero, MacroAssembler::Address(scratchGPR, Structure::typeInfoFlagsOffset()), TrustedImm32(MasqueradesAsUndefined));
</del><ins>+        JITCompiler::Jump isNotMasqueradesAsUndefined = m_jit.branchTest8(
+            JITCompiler::Zero, 
+            MacroAssembler::Address(valueGPR, JSCell::typeInfoFlagsOffset()), 
+            TrustedImm32(MasqueradesAsUndefined));
</ins><span class="cx"> 
</span><ins>+        m_jit.emitLoadStructure(valueGPR, structureGPR, scratchGPR);
</ins><span class="cx">         speculationCheck(BadType, JSValueRegs(valueGPR), nodeUse,
</span><span class="cx">             m_jit.branchPtr(
</span><span class="cx">                 MacroAssembler::Equal, 
</span><del>-                MacroAssembler::Address(scratchGPR, Structure::globalObjectOffset()), 
</del><ins>+                MacroAssembler::Address(structureGPR, Structure::globalObjectOffset()), 
</ins><span class="cx">                 MacroAssembler::TrustedImmPtr(m_jit.graph().globalObjectFor(m_currentNode-&gt;origin.semantic))));
</span><span class="cx"> 
</span><span class="cx">         isNotMasqueradesAsUndefined.link(&amp;m_jit);
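Review bot: in the else branch, emitLoadStructure(valueGPR, structureGPR, scratchGPR) relies on a second
temporary, but the visible lines do not show where structureGPR is allocated. Please confirm it is a register
distinct from both scratchGPR and valueGPR, because the globalObject comparison that follows reads through it
while valueGPR is still needed by the speculation check. The first rewritten DFG_TYPE_CHECK also leaves
trailing whitespace after its stringStructure.get() argument.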
</span><span class="lines">@@ -3417,7 +3410,10 @@
</span><span class="cx">         op1.use();
</span><span class="cx">         
</span><span class="cx">         MacroAssembler::Jump alreadyPrimitive = m_jit.branchTest64(MacroAssembler::NonZero, op1GPR, GPRInfo::tagMaskRegister);
</span><del>-        MacroAssembler::Jump notPrimitive = m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(op1GPR, JSCell::structureOffset()), MacroAssembler::TrustedImmPtr(m_jit.vm()-&gt;stringStructure.get()));
</del><ins>+        MacroAssembler::Jump notPrimitive = m_jit.branchStructurePtr(
+            MacroAssembler::NotEqual, 
+            MacroAssembler::Address(op1GPR, JSCell::structureIDOffset()), 
+            m_jit.vm()-&gt;stringStructure.get());
</ins><span class="cx">         
</span><span class="cx">         alreadyPrimitive.link(&amp;m_jit);
</span><span class="cx">         m_jit.move(op1GPR, resultGPR);
</span><span class="lines">@@ -3443,10 +3439,10 @@
</span><span class="cx">             if (node-&gt;child1()-&gt;prediction() &amp; SpecString) {
</span><span class="cx">                 JITCompiler::Jump slowPath1 = m_jit.branchTest64(
</span><span class="cx">                     JITCompiler::NonZero, op1GPR, GPRInfo::tagMaskRegister);
</span><del>-                JITCompiler::Jump slowPath2 = m_jit.branchPtr(
</del><ins>+                JITCompiler::Jump slowPath2 = m_jit.branchStructurePtr(
</ins><span class="cx">                     JITCompiler::NotEqual,
</span><del>-                    JITCompiler::Address(op1GPR, JSCell::structureOffset()),
-                    TrustedImmPtr(m_jit.vm()-&gt;stringStructure.get()));
</del><ins>+                    JITCompiler::Address(op1GPR, JSCell::structureIDOffset()),
+                    m_jit.vm()-&gt;stringStructure.get());
</ins><span class="cx">                 m_jit.move(op1GPR, resultGPR);
</span><span class="cx">                 done = m_jit.jump();
</span><span class="cx">                 slowPath1.link(&amp;m_jit);
</span><span class="lines">@@ -3665,7 +3661,7 @@
</span><span class="cx">                 emitAllocateBasicStorage(resultGPR, storageGPR));
</span><span class="cx">             m_jit.subPtr(scratchGPR, storageGPR);
</span><span class="cx">             Structure* structure = globalObject-&gt;arrayStructureForIndexingTypeDuringAllocation(node-&gt;indexingType());
</span><del>-            emitAllocateJSObject&lt;JSArray&gt;(resultGPR, ImmPtr(structure), storageGPR, scratchGPR, scratch2GPR, slowCases);
</del><ins>+            emitAllocateJSObject&lt;JSArray&gt;(resultGPR, TrustedImmPtr(structure), storageGPR, scratchGPR, scratch2GPR, slowCases);
</ins><span class="cx">             
</span><span class="cx">             m_jit.store32(sizeGPR, MacroAssembler::Address(storageGPR, Butterfly::offsetOfPublicLength()));
</span><span class="cx">             m_jit.store32(sizeGPR, MacroAssembler::Address(storageGPR, Butterfly::offsetOfVectorLength()));
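Review bot: the switch from ImmPtr(structure) to TrustedImmPtr(structure) in the emitAllocateJSObject call is
not explained. TrustedImmPtr opts the immediate out of constant blinding, which is reasonable for an
engine-owned Structure pointer that script cannot choose, but if the change is forced by a new
emitAllocateJSObject signature, say so in the ChangeLog so it does not read as an unrelated loosening.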
</span><span class="lines">@@ -3803,11 +3799,9 @@
</span><span class="cx">         MacroAssembler::JumpList slowCases;
</span><span class="cx">         slowCases.append(m_jit.branchTest64(
</span><span class="cx">             MacroAssembler::NonZero, thisValueGPR, GPRInfo::tagMaskRegister));
</span><del>-        m_jit.loadPtr(
-            MacroAssembler::Address(thisValueGPR, JSCell::structureOffset()), tempGPR);
</del><span class="cx">         slowCases.append(m_jit.branch8(
</span><span class="cx">             MacroAssembler::NotEqual,
</span><del>-            MacroAssembler::Address(tempGPR, Structure::typeInfoTypeOffset()),
</del><ins>+            MacroAssembler::Address(thisValueGPR, JSCell::typeInfoTypeOffset()),
</ins><span class="cx">             TrustedImm32(FinalObjectType)));
</span><span class="cx">         m_jit.move(thisValueGPR, tempGPR);
</span><span class="cx">         J_JITOperation_EJ function;
</span><span class="lines">@@ -4098,24 +4092,20 @@
</span><span class="cx">         if (node-&gt;structureSet().size() == 1) {
</span><span class="cx">             speculationCheck(
</span><span class="cx">                 exitKind, JSValueSource::unboxedCell(base.gpr()), 0,
</span><del>-                m_jit.branchWeakPtr(
</del><ins>+                m_jit.branchWeakStructure(
</ins><span class="cx">                     JITCompiler::NotEqual,
</span><del>-                    JITCompiler::Address(base.gpr(), JSCell::structureOffset()),
</del><ins>+                    JITCompiler::Address(base.gpr(), JSCell::structureIDOffset()),
</ins><span class="cx">                     node-&gt;structureSet()[0]));
</span><span class="cx">         } else {
</span><del>-            GPRTemporary structure(this);
-            
-            m_jit.loadPtr(JITCompiler::Address(base.gpr(), JSCell::structureOffset()), structure.gpr());
-            
</del><span class="cx">             JITCompiler::JumpList done;
</span><span class="cx">             
</span><span class="cx">             for (size_t i = 0; i &lt; node-&gt;structureSet().size() - 1; ++i)
</span><del>-                done.append(m_jit.branchWeakPtr(JITCompiler::Equal, structure.gpr(), node-&gt;structureSet()[i]));
</del><ins>+                done.append(m_jit.branchWeakStructure(JITCompiler::Equal, MacroAssembler::Address(base.gpr(), JSCell::structureIDOffset()), node-&gt;structureSet()[i]));
</ins><span class="cx">             
</span><span class="cx">             speculationCheck(
</span><span class="cx">                 exitKind, JSValueSource::unboxedCell(base.gpr()), 0,
</span><del>-                m_jit.branchWeakPtr(
-                    JITCompiler::NotEqual, structure.gpr(), node-&gt;structureSet().last()));
</del><ins>+                m_jit.branchWeakStructure(
+                    JITCompiler::NotEqual, MacroAssembler::Address(base.gpr(), JSCell::structureIDOffset()), node-&gt;structureSet().last()));
</ins><span class="cx">             
</span><span class="cx">             done.link(&amp;m_jit);
</span><span class="cx">         }
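Review bot: in the multi-structure path every branchWeakStructure now takes
Address(base.gpr(), JSCell::structureIDOffset()) as its operand, so the structure ID is re-read from the cell
for each entry in the set, where the old code loaded it once into a temporary. Consider one load32 into a
GPRTemporary and comparing against that register (adding a register overload if none exists), which keeps all
comparisons on a single snapshot of the header. The hunk also mixes JITCompiler::Address and
MacroAssembler::Address for the same operand; pick one.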
</span><span class="lines">@@ -4131,12 +4121,15 @@
</span><span class="cx">         // we shouldn't really load it since that could be a waste. For now though,
</span><span class="cx">         // we'll just rely on the fact that when a watchpoint fires then that's
</span><span class="cx">         // quite a hint already.
</span><del>-        
</del><ins>+
</ins><span class="cx">         m_jit.addWeakReference(node-&gt;structure());
</span><span class="cx"> 
</span><span class="cx"> #if !ASSERT_DISABLED
</span><span class="cx">         SpeculateCellOperand op1(this, node-&gt;child1());
</span><del>-        JITCompiler::Jump isOK = m_jit.branchPtr(JITCompiler::Equal, JITCompiler::Address(op1.gpr(), JSCell::structureOffset()), TrustedImmPtr(node-&gt;structure()));
</del><ins>+        JITCompiler::Jump isOK = m_jit.branchStructurePtr(
+            JITCompiler::Equal, 
+            JITCompiler::Address(op1.gpr(), JSCell::structureIDOffset()), 
+            node-&gt;structure());
</ins><span class="cx">         m_jit.breakpoint();
</span><span class="cx">         isOK.link(&amp;m_jit);
</span><span class="cx"> #else
</span><span class="lines">@@ -4155,14 +4148,18 @@
</span><span class="cx">     }
</span><span class="cx">         
</span><span class="cx">     case PutStructure: {
</span><ins>+        Structure* oldStructure = node-&gt;structureTransitionData().previousStructure;
+        Structure* newStructure = node-&gt;structureTransitionData().newStructure;
+
</ins><span class="cx">         m_jit.jitCode()-&gt;common.notifyCompilingStructureTransition(m_jit.graph().m_plan, m_jit.codeBlock(), node);
</span><span class="cx"> 
</span><span class="cx">         SpeculateCellOperand base(this, node-&gt;child1());
</span><del>-        GPRTemporary scratch1(this);
-        GPRTemporary scratch2(this);
</del><span class="cx">         GPRReg baseGPR = base.gpr();
</span><span class="cx">         
</span><del>-        m_jit.storePtr(MacroAssembler::TrustedImmPtr(node-&gt;structureTransitionData().newStructure), MacroAssembler::Address(baseGPR, JSCell::structureOffset()));
</del><ins>+        ASSERT_UNUSED(oldStructure, oldStructure-&gt;indexingType() == newStructure-&gt;indexingType());
+        ASSERT(oldStructure-&gt;typeInfo().type() == newStructure-&gt;typeInfo().type());
+        ASSERT(oldStructure-&gt;typeInfo().inlineTypeFlags() == newStructure-&gt;typeInfo().inlineTypeFlags());
+        m_jit.store32(MacroAssembler::TrustedImm32(newStructure-&gt;id()), MacroAssembler::Address(baseGPR, JSCell::structureIDOffset()));
</ins><span class="cx">         
</span><span class="cx">         noResult(node);
</span><span class="cx">         break;
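Review bot: the store32 of newStructure-&gt;id() rewrites only the structure ID and relies on the indexing
type, cell type and inline type flags already in the cell header matching newStructure, but that invariant is
checked only with ASSERT_UNUSED and ASSERT, which compile out in release builds. A transition that violates it
would leave the header bytes disagreeing with the Structure, a type-confusion hazard for the checks in this
patch that now read JSCell::typeInfoTypeOffset() and JSCell::typeInfoFlagsOffset() straight from the cell.
These checks run while compiling the node, not in generated code, so RELEASE_ASSERT is cheap here; otherwise
document where the invariant is guaranteed upstream.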
</span><span class="lines">@@ -4342,8 +4339,10 @@
</span><span class="cx">         GPRTemporary structure(this);
</span><span class="cx"> 
</span><span class="cx">         // Speculate that base 'ImplementsDefaultHasInstance'.
</span><del>-        m_jit.loadPtr(MacroAssembler::Address(base.gpr(), JSCell::structureOffset()), structure.gpr());
-        speculationCheck(Uncountable, JSValueRegs(), 0, m_jit.branchTest8(MacroAssembler::Zero, MacroAssembler::Address(structure.gpr(), Structure::typeInfoFlagsOffset()), MacroAssembler::TrustedImm32(ImplementsDefaultHasInstance)));
</del><ins>+        speculationCheck(Uncountable, JSValueRegs(), 0, m_jit.branchTest8(
+            MacroAssembler::Zero, 
+            MacroAssembler::Address(base.gpr(), JSCell::typeInfoFlagsOffset()), 
+            MacroAssembler::TrustedImm32(ImplementsDefaultHasInstance)));
</ins><span class="cx"> 
</span><span class="cx">         noResult(node);
</span><span class="cx">         break;
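Review bot: the context line GPRTemporary structure(this) is still present above the rewritten
speculationCheck, but with the loadPtr removed nothing in the visible case uses structure.gpr() any more, so
the node reserves a register it never touches. Drop the temporary, as the TypeOf hunk further down does for
temp and tempGPR.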
</span><span class="lines">@@ -4371,8 +4370,10 @@
</span><span class="cx">             m_jit.move(TrustedImm32(0), result.gpr());
</span><span class="cx">             notMasqueradesAsUndefined = m_jit.jump();
</span><span class="cx">         } else {
</span><del>-            m_jit.loadPtr(JITCompiler::Address(value.gpr(), JSCell::structureOffset()), result.gpr());
-            JITCompiler::Jump isMasqueradesAsUndefined = m_jit.branchTest8(JITCompiler::NonZero, JITCompiler::Address(result.gpr(), Structure::typeInfoFlagsOffset()), TrustedImm32(MasqueradesAsUndefined));
</del><ins>+            JITCompiler::Jump isMasqueradesAsUndefined = m_jit.branchTest8(
+                JITCompiler::NonZero, 
+                JITCompiler::Address(value.gpr(), JSCell::typeInfoFlagsOffset()), 
+                TrustedImm32(MasqueradesAsUndefined));
</ins><span class="cx">             m_jit.move(TrustedImm32(0), result.gpr());
</span><span class="cx">             notMasqueradesAsUndefined = m_jit.jump();
</span><span class="cx"> 
</span><span class="lines">@@ -4419,8 +4420,10 @@
</span><span class="cx">         
</span><span class="cx">         JITCompiler::Jump isNotCell = m_jit.branchTest64(JITCompiler::NonZero, value.gpr(), GPRInfo::tagMaskRegister);
</span><span class="cx">         
</span><del>-        m_jit.loadPtr(JITCompiler::Address(value.gpr(), JSCell::structureOffset()), result.gpr());
-        m_jit.compare8(JITCompiler::Equal, JITCompiler::Address(result.gpr(), Structure::typeInfoTypeOffset()), TrustedImm32(StringType), result.gpr());
</del><ins>+        m_jit.compare8(JITCompiler::Equal, 
+            JITCompiler::Address(value.gpr(), JSCell::typeInfoTypeOffset()), 
+            TrustedImm32(StringType), 
+            result.gpr());
</ins><span class="cx">         m_jit.or32(TrustedImm32(ValueFalse), result.gpr());
</span><span class="cx">         JITCompiler::Jump done = m_jit.jump();
</span><span class="cx">         
</span><span class="lines">@@ -4459,8 +4462,6 @@
</span><span class="cx">     case TypeOf: {
</span><span class="cx">         JSValueOperand value(this, node-&gt;child1(), ManualOperandSpeculation);
</span><span class="cx">         GPRReg valueGPR = value.gpr();
</span><del>-        GPRTemporary temp(this);
-        GPRReg tempGPR = temp.gpr();
</del><span class="cx">         GPRResult result(this);
</span><span class="cx">         GPRReg resultGPR = result.gpr();
</span><span class="cx">         JITCompiler::JumpList doneJumps;
</span><span class="lines">@@ -4474,8 +4475,10 @@
</span><span class="cx">             DFG_TYPE_CHECK(JSValueSource(valueGPR), node-&gt;child1(), SpecCell, isNotCell);
</span><span class="cx"> 
</span><span class="cx">         if (!node-&gt;child1()-&gt;shouldSpeculateObject() || node-&gt;child1().useKind() == StringUse) {
</span><del>-            m_jit.loadPtr(JITCompiler::Address(valueGPR, JSCell::structureOffset()), tempGPR);
-            JITCompiler::Jump notString = m_jit.branch8(JITCompiler::NotEqual, JITCompiler::Address(tempGPR, Structure::typeInfoTypeOffset()), TrustedImm32(StringType));
</del><ins>+            JITCompiler::Jump notString = m_jit.branch8(
+                JITCompiler::NotEqual, 
+                JITCompiler::Address(valueGPR, JSCell::typeInfoTypeOffset()), 
+                TrustedImm32(StringType));
</ins><span class="cx">             if (node-&gt;child1().useKind() == StringUse)
</span><span class="cx">                 DFG_TYPE_CHECK(JSValueSource(valueGPR), node-&gt;child1(), SpecString, notString);
</span><span class="cx">             m_jit.move(TrustedImmPtr(m_jit.vm()-&gt;smallStrings.stringString()), resultGPR);
</span><span class="lines">@@ -5025,7 +5028,7 @@
</span><span class="cx">     if (!isKnownCell(valueUse.node()))
</span><span class="cx">         isNotCell = m_jit.branchTest64(JITCompiler::NonZero, valueGPR, GPRInfo::tagMaskRegister);
</span><span class="cx"> 
</span><del>-    JITCompiler::Jump definitelyNotMarked = genericWriteBarrier(m_jit, ownerGPR, scratch1, scratch2);
</del><ins>+    JITCompiler::Jump definitelyNotMarked = genericWriteBarrier(m_jit, ownerGPR);
</ins><span class="cx">     storeToWriteBarrierBuffer(ownerGPR, scratch1, scratch2);
</span><span class="cx">     definitelyNotMarked.link(&amp;m_jit);
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGWorklistcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGWorklist.cpp (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGWorklist.cpp        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/dfg/DFGWorklist.cpp        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -28,6 +28,7 @@
</span><span class="cx"> 
</span><span class="cx"> #if ENABLE(DFG_JIT)
</span><span class="cx"> 
</span><ins>+#include &quot;APIShims.h&quot;
</ins><span class="cx"> #include &quot;CodeBlock.h&quot;
</span><span class="cx"> #include &quot;DeferGC.h&quot;
</span><span class="cx"> #include &quot;DFGLongLivedState.h&quot;
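Review bot: the APIShims.h include is the only change to DFGWorklist.cpp in this revision, so nothing in the
diff shows what needs it. If it compensates for an include that a header changed elsewhere in the patch no
longer provides, fix it in that header; otherwise state the reason in the ChangeLog.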
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLAbstractHeapRepositorycpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.cpp (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.cpp        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.cpp        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -45,7 +45,7 @@
</span><span class="cx">     FOR_EACH_ABSTRACT_FIELD(ABSTRACT_FIELD_INITIALIZATION)
</span><span class="cx"> #undef ABSTRACT_FIELD_INITIALIZATION
</span><span class="cx">     
</span><del>-    , JSCell_freeListNext(JSCell_structure)
</del><ins>+    , JSCell_freeListNext(JSCell_structureID)
</ins><span class="cx">     
</span><span class="cx"> #define INDEXED_ABSTRACT_HEAP_INITIALIZATION(name, offset, size) , name(context, &amp;root, #name, offset, size)
</span><span class="cx">     FOR_EACH_INDEXED_ABSTRACT_HEAP(INDEXED_ABSTRACT_HEAP_INITIALIZATION)
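Review bot: JSCell_freeListNext now aliases JSCell_structureID, which the lowering accesses with load32 and
store32, while the free-list link is read with loadPtr in allocateCell. With 64-bit pointers the link also
overlaps the bytes covered by the new JSCell_typeInfoFlags, JSCell_typeInfoType, JSCell_indexingType and
JSCell_gcData fields, which this abstract heap does not alias. Please confirm that the alias information
derived from these abstract heaps cannot let a header-byte store be reordered across the free-list load, or
make freeListNext cover the whole header word.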
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLAbstractHeapRepositoryh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -48,7 +48,11 @@
</span><span class="cx">     macro(JSArrayBufferView_length, JSArrayBufferView::offsetOfLength()) \
</span><span class="cx">     macro(JSArrayBufferView_mode, JSArrayBufferView::offsetOfMode()) \
</span><span class="cx">     macro(JSArrayBufferView_vector, JSArrayBufferView::offsetOfVector()) \
</span><del>-    macro(JSCell_structure, JSCell::structureOffset()) \
</del><ins>+    macro(JSCell_structureID, JSCell::structureIDOffset()) \
+    macro(JSCell_typeInfoFlags, JSCell::typeInfoFlagsOffset()) \
+    macro(JSCell_typeInfoType, JSCell::typeInfoTypeOffset()) \
+    macro(JSCell_indexingType, JSCell::indexingTypeOffset()) \
+    macro(JSCell_gcData, JSCell::gcDataOffset()) \
</ins><span class="cx">     macro(JSFunction_executable, JSFunction::offsetOfExecutable()) \
</span><span class="cx">     macro(JSFunction_scope, JSFunction::offsetOfScopeChain()) \
</span><span class="cx">     macro(JSObject_butterfly, JSObject::butterflyOffset()) \
</span><span class="lines">@@ -62,11 +66,9 @@
</span><span class="cx">     macro(MarkedBlock_markBits, MarkedBlock::offsetOfMarks()) \
</span><span class="cx">     macro(StringImpl_data, StringImpl::dataOffset()) \
</span><span class="cx">     macro(StringImpl_hashAndFlags, StringImpl::flagsOffset()) \
</span><ins>+    macro(Structure_structureID, Structure::structureIDOffset()) \
</ins><span class="cx">     macro(Structure_classInfo, Structure::classInfoOffset()) \
</span><span class="cx">     macro(Structure_globalObject, Structure::globalObjectOffset()) \
</span><del>-    macro(Structure_indexingType, Structure::indexingTypeOffset()) \
-    macro(Structure_typeInfoFlags, Structure::typeInfoFlagsOffset()) \
-    macro(Structure_typeInfoType, Structure::typeInfoTypeOffset())
</del><span class="cx"> 
</span><span class="cx"> #define FOR_EACH_INDEXED_ABSTRACT_HEAP(macro) \
</span><span class="cx">     macro(JSRopeString_fibers, JSRopeString::offsetOfFibers(), sizeof(WriteBarrier&lt;JSString&gt;)) \
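Review bot: after the three Structure_ entries are removed, the new last entry,
macro(Structure_globalObject, ...), keeps its trailing backslash, so the macro list now continues onto the
blank line and is terminated only by it. The removed final entry had no backslash. Drop the backslash from the
Structure_globalObject line so that a later edit to the blank line cannot splice the following #define into
this macro.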
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLLowerDFGToLLVMcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -1540,12 +1540,12 @@
</span><span class="cx">         else
</span><span class="cx">             exitKind = BadCache;
</span><span class="cx">         
</span><del>-        LValue structure = m_out.loadPtr(cell, m_heaps.JSCell_structure);
</del><ins>+        LValue structureID = m_out.load32(cell, m_heaps.JSCell_structureID);
</ins><span class="cx">         
</span><span class="cx">         if (m_node-&gt;structureSet().size() == 1) {
</span><span class="cx">             speculate(
</span><span class="cx">                 exitKind, jsValueValue(cell), 0,
</span><del>-                m_out.notEqual(structure, weakPointer(m_node-&gt;structureSet()[0])));
</del><ins>+                m_out.notEqual(structureID, weakStructure(m_node-&gt;structureSet()[0])));
</ins><span class="cx">             return;
</span><span class="cx">         }
</span><span class="cx">         
</span><span class="lines">@@ -1555,14 +1555,14 @@
</span><span class="cx">         for (unsigned i = 0; i &lt; m_node-&gt;structureSet().size() - 1; ++i) {
</span><span class="cx">             LBasicBlock nextStructure = FTL_NEW_BLOCK(m_out, (&quot;CheckStructure nextStructure&quot;));
</span><span class="cx">             m_out.branch(
</span><del>-                m_out.equal(structure, weakPointer(m_node-&gt;structureSet()[i])),
</del><ins>+                m_out.equal(structureID, weakStructure(m_node-&gt;structureSet()[i])),
</ins><span class="cx">                 unsure(continuation), unsure(nextStructure));
</span><span class="cx">             m_out.appendTo(nextStructure);
</span><span class="cx">         }
</span><span class="cx">         
</span><span class="cx">         speculate(
</span><span class="cx">             exitKind, jsValueValue(cell), 0,
</span><del>-            m_out.notEqual(structure, weakPointer(m_node-&gt;structureSet().last())));
</del><ins>+            m_out.notEqual(structureID, weakStructure(m_node-&gt;structureSet().last())));
</ins><span class="cx">         
</span><span class="cx">         m_out.jump(continuation);
</span><span class="cx">         m_out.appendTo(continuation, lastNext);
</span><span class="lines">@@ -1602,10 +1602,10 @@
</span><span class="cx">         LBasicBlock unexpectedStructure = FTL_NEW_BLOCK(m_out, (&quot;ArrayifyToStructure unexpected structure&quot;));
</span><span class="cx">         LBasicBlock continuation = FTL_NEW_BLOCK(m_out, (&quot;ArrayifyToStructure continuation&quot;));
</span><span class="cx">         
</span><del>-        LValue structure = m_out.loadPtr(cell, m_heaps.JSCell_structure);
</del><ins>+        LValue structureID = m_out.load32(cell, m_heaps.JSCell_structureID);
</ins><span class="cx">         
</span><span class="cx">         m_out.branch(
</span><del>-            m_out.notEqual(structure, weakPointer(m_node-&gt;structure())),
</del><ins>+            m_out.notEqual(structureID, weakStructure(m_node-&gt;structure())),
</ins><span class="cx">             rarely(unexpectedStructure), usually(continuation));
</span><span class="cx">         
</span><span class="cx">         LBasicBlock lastNext = m_out.appendTo(unexpectedStructure, continuation);
</span><span class="lines">@@ -1646,10 +1646,9 @@
</span><span class="cx">             break;
</span><span class="cx">         }
</span><span class="cx">         
</span><del>-        structure = m_out.loadPtr(cell, m_heaps.JSCell_structure);
</del><span class="cx">         speculate(
</span><span class="cx">             BadIndexingType, jsValueValue(cell), 0,
</span><del>-            m_out.notEqual(structure, weakPointer(m_node-&gt;structure())));
</del><ins>+            m_out.notEqual(structureID, weakStructure(m_node-&gt;structure())));
</ins><span class="cx">         m_out.jump(continuation);
</span><span class="cx">         
</span><span class="cx">         m_out.appendTo(continuation, lastNext);
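Review bot: with the reload removed, the BadIndexingType speculate compares the structureID value that was
loaded before the branch to unexpectedStructure, which is exactly the value just found not equal to the
expected structure. As far as these two hunks show, nothing refreshes structureID after the arrayify slow
path, so the check would exit every time this path is taken. Reload with
m_out.load32(cell, m_heaps.JSCell_structureID) before the speculate, as the old code did with loadPtr.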
</span><span class="lines">@@ -1658,10 +1657,17 @@
</span><span class="cx">     void compilePutStructure()
</span><span class="cx">     {
</span><span class="cx">         m_ftlState.jitCode-&gt;common.notifyCompilingStructureTransition(m_graph.m_plan, codeBlock(), m_node);
</span><del>-        
-        m_out.storePtr(
-            weakPointer(m_node-&gt;structureTransitionData().newStructure),
-            lowCell(m_node-&gt;child1()), m_heaps.JSCell_structure);
</del><ins>+
+        Structure* oldStructure = m_node-&gt;structureTransitionData().previousStructure;
+        Structure* newStructure = m_node-&gt;structureTransitionData().newStructure;
+        ASSERT_UNUSED(oldStructure, oldStructure-&gt;indexingType() == newStructure-&gt;indexingType());
+        ASSERT(oldStructure-&gt;typeInfo().inlineTypeFlags() == newStructure-&gt;typeInfo().inlineTypeFlags());
+        ASSERT(oldStructure-&gt;typeInfo().type() == newStructure-&gt;typeInfo().type());
+
+        LValue cell = lowCell(m_node-&gt;child1()); 
+        m_out.store32(
+            weakStructure(newStructure),
+            cell, m_heaps.JSCell_structureID);
</ins><span class="cx">     }
</span><span class="cx">     
</span><span class="cx">     void compilePhantomPutStructure()
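Review bot: the three ASSERTs guarding the 32-bit structure ID store in compilePutStructure repeat, in a
different order, the ones in the DFG PutStructure case, and they appear a third time in the PutById transition
path later in this file. Factor them into one helper so the invariant is stated once and cannot drift between
the copies. The new LValue cell = lowCell(...) line also carries trailing whitespace.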
</span><span class="lines">@@ -2467,7 +2473,7 @@
</span><span class="cx">         LBasicBlock lastNext = m_out.insertNewBlocksBefore(slowPath);
</span><span class="cx">         
</span><span class="cx">         ValueFromBlock fastResult = m_out.anchor(allocateObject(
</span><del>-            m_out.constIntPtr(allocator), m_out.constIntPtr(structure), m_out.intPtrZero, slowPath));
</del><ins>+            m_out.constIntPtr(allocator), structure, m_out.intPtrZero, slowPath));
</ins><span class="cx">         
</span><span class="cx">         m_out.jump(continuation);
</span><span class="cx">         
</span><span class="lines">@@ -2644,7 +2650,7 @@
</span><span class="cx">             LValue butterfly = m_out.sub(endOfStorage, payloadSize);
</span><span class="cx">             
</span><span class="cx">             LValue object = allocateObject&lt;JSArray&gt;(
</span><del>-                m_out.constIntPtr(structure), butterfly, failCase);
</del><ins>+                structure, butterfly, failCase);
</ins><span class="cx">             
</span><span class="cx">             m_out.store32(publicLength, butterfly, m_heaps.Butterfly_publicLength);
</span><span class="cx">             m_out.store32(vectorLength, butterfly, m_heaps.Butterfly_vectorLength);
</span><span class="lines">@@ -2741,18 +2747,18 @@
</span><span class="cx">             
</span><span class="cx">         case StringOrStringObjectUse: {
</span><span class="cx">             LValue cell = lowCell(m_node-&gt;child1());
</span><del>-            LValue structure = m_out.loadPtr(cell, m_heaps.JSCell_structure);
</del><ins>+            LValue structureID = m_out.load32(cell, m_heaps.JSCell_structureID);
</ins><span class="cx">             
</span><span class="cx">             LBasicBlock notString = FTL_NEW_BLOCK(m_out, (&quot;ToString StringOrStringObject not string case&quot;));
</span><span class="cx">             LBasicBlock continuation = FTL_NEW_BLOCK(m_out, (&quot;ToString StringOrStringObject continuation&quot;));
</span><span class="cx">             
</span><span class="cx">             ValueFromBlock simpleResult = m_out.anchor(cell);
</span><span class="cx">             m_out.branch(
</span><del>-                m_out.equal(structure, m_out.constIntPtr(vm().stringStructure.get())),
</del><ins>+                m_out.equal(structureID, m_out.constInt32(vm().stringStructure-&gt;id())),
</ins><span class="cx">                 unsure(continuation), unsure(notString));
</span><span class="cx">             
</span><span class="cx">             LBasicBlock lastNext = m_out.appendTo(notString, continuation);
</span><del>-            speculateStringObjectForStructure(m_node-&gt;child1(), structure);
</del><ins>+            speculateStringObjectForStructureID(m_node-&gt;child1(), structureID);
</ins><span class="cx">             ValueFromBlock unboxedResult = m_out.anchor(
</span><span class="cx">                 m_out.loadPtr(cell, m_heaps.JSWrapperObject_internalValue));
</span><span class="cx">             m_out.jump(continuation);
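Review bot: the string structure ID is materialised here with m_out.constInt32(vm().stringStructure-&gt;id()),
while the other structure comparisons in this file go through weakStructure(...). If weakStructure is the
intended way to turn a Structure into an ID constant, use it here as well, or add a comment that the VM-owned
string structure needs no weak reference. The same applies to the isStringPredicate hunk that follows.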
</span><span class="lines">@@ -2788,8 +2794,8 @@
</span><span class="cx">             LValue isStringPredicate;
</span><span class="cx">             if (m_node-&gt;child1()-&gt;prediction() &amp; SpecString) {
</span><span class="cx">                 isStringPredicate = m_out.equal(
</span><del>-                    m_out.loadPtr(value, m_heaps.JSCell_structure),
-                    m_out.constIntPtr(vm().stringStructure.get()));
</del><ins>+                    m_out.load32(value, m_heaps.JSCell_structureID),
+                    m_out.constInt32(vm().stringStructure-&gt;id()));
</ins><span class="cx">             } else
</span><span class="cx">                 isStringPredicate = m_out.booleanFalse;
</span><span class="cx">             m_out.branch(isStringPredicate, unsure(continuation), unsure(notString));
</span><span class="lines">@@ -2864,7 +2870,7 @@
</span><span class="cx">         
</span><span class="cx">         LValue result = allocateCell(
</span><span class="cx">             m_out.constIntPtr(&amp;allocator),
</span><del>-            m_out.constIntPtr(vm().stringStructure.get()),
</del><ins>+            vm().stringStructure.get(),
</ins><span class="cx">             slowPath);
</span><span class="cx">         
</span><span class="cx">         m_out.storePtr(m_out.intPtrZero, result, m_heaps.JSString_value);
</span><span class="lines">@@ -3081,11 +3087,11 @@
</span><span class="cx">             GetByIdVariant variant = data.variants[i];
</span><span class="cx">             for (unsigned j = variant.structureSet().size(); j--;) {
</span><span class="cx">                 cases.append(SwitchCase(
</span><del>-                    weakPointer(variant.structureSet()[j]), blocks[i], Weight(1)));
</del><ins>+                    weakStructure(variant.structureSet()[j]), blocks[i], Weight(1)));
</ins><span class="cx">             }
</span><span class="cx">         }
</span><span class="cx">         m_out.switchInstruction(
</span><del>-            m_out.loadPtr(base, m_heaps.JSCell_structure), cases, exit, Weight(0));
</del><ins>+            m_out.load32(base, m_heaps.JSCell_structureID), cases, exit, Weight(0));
</ins><span class="cx">         
</span><span class="cx">         LBasicBlock lastNext = m_out.m_nextBlock;
</span><span class="cx">         
</span><span class="lines">@@ -3147,10 +3153,10 @@
</span><span class="cx">         for (unsigned i = data.variants.size(); i--;) {
</span><span class="cx">             PutByIdVariant variant = data.variants[i];
</span><span class="cx">             cases.append(
</span><del>-                SwitchCase(weakPointer(variant.oldStructure()), blocks[i], Weight(1)));
</del><ins>+                SwitchCase(weakStructure(variant.oldStructure()), blocks[i], Weight(1)));
</ins><span class="cx">         }
</span><span class="cx">         m_out.switchInstruction(
</span><del>-            m_out.loadPtr(base, m_heaps.JSCell_structure), cases, exit, Weight(0));
</del><ins>+            m_out.load32(base, m_heaps.JSCell_structureID), cases, exit, Weight(0));
</ins><span class="cx">         
</span><span class="cx">         LBasicBlock lastNext = m_out.m_nextBlock;
</span><span class="cx">         
</span><span class="lines">@@ -3172,8 +3178,12 @@
</span><span class="cx">                 
</span><span class="cx">                 storage = storageForTransition(
</span><span class="cx">                     base, variant.offset(), variant.oldStructure(), variant.newStructure());
</span><del>-                m_out.storePtr(
-                    weakPointer(variant.newStructure()), base, m_heaps.JSCell_structure);
</del><ins>+
+                ASSERT(variant.oldStructure()-&gt;indexingType() == variant.newStructure()-&gt;indexingType());
+                ASSERT(variant.oldStructure()-&gt;typeInfo().inlineTypeFlags() == variant.newStructure()-&gt;typeInfo().inlineTypeFlags());
+                ASSERT(variant.oldStructure()-&gt;typeInfo().type() == variant.newStructure()-&gt;typeInfo().type());
+                m_out.store32(
+                    weakStructure(variant.newStructure()), base, m_heaps.JSCell_structureID);
</ins><span class="cx">             }
</span><span class="cx">             
</span><span class="cx">             storeProperty(value, storage, data.identifierNumber, variant.offset());
</span><span class="lines">@@ -3942,14 +3952,14 @@
</span><span class="cx">             return;
</span><span class="cx">         }
</span><span class="cx">         
</span><del>-        LValue structure = m_out.loadPtr(cell, m_heaps.JSCell_structure);
</del><ins>+        LValue structureID = m_out.load32(cell, m_heaps.JSCell_structureID);
</ins><span class="cx">         FTL_TYPE_CHECK(
</span><span class="cx">             jsValueValue(cell), edge, filter,
</span><del>-            m_out.equal(structure, m_out.constIntPtr(vm().stringStructure.get())));
</del><ins>+            m_out.equal(structureID, m_out.constInt32(vm().stringStructure-&gt;id())));
</ins><span class="cx">         speculate(
</span><span class="cx">             BadType, jsValueValue(cell), edge.node(),
</span><span class="cx">             m_out.testNonZero8(
</span><del>-                m_out.load8(structure, m_heaps.Structure_typeInfoFlags),
</del><ins>+                m_out.load8(cell, m_heaps.JSCell_typeInfoFlags),
</ins><span class="cx">                 m_out.constInt8(MasqueradesAsUndefined)));
</span><span class="cx">     }
</span><span class="cx">     
</span><span class="lines">@@ -3981,8 +3991,8 @@
</span><span class="cx">         m_out.appendTo(continuation, lastNext);
</span><span class="cx">         setBoolean(m_out.phi(m_out.boolean, fastResult, slowResult));
</span><span class="cx">     }
</span><del>-    
-    LValue allocateCell(LValue allocator, LValue structure, LBasicBlock slowPath)
</del><ins>+
+    LValue allocateCell(LValue allocator, Structure* structure, LBasicBlock slowPath)
</ins><span class="cx">     {
</span><span class="cx">         LBasicBlock success = FTL_NEW_BLOCK(m_out, (&quot;object allocation success&quot;));
</span><span class="cx">         
</span><span class="lines">@@ -3997,13 +4007,17 @@
</span><span class="cx">             m_out.loadPtr(result, m_heaps.JSCell_freeListNext),
</span><span class="cx">             allocator, m_heaps.MarkedAllocator_freeListHead);
</span><span class="cx">         
</span><del>-        m_out.storePtr(structure, result, m_heaps.JSCell_structure);
</del><ins>+        m_out.store32(m_out.constInt32(structure-&gt;id()), result, m_heaps.JSCell_structureID);
+        m_out.store8(m_out.constInt8(structure-&gt;indexingType()), result, m_heaps.JSCell_indexingType);
+        m_out.store8(m_out.constInt8(structure-&gt;typeInfo().type()), result, m_heaps.JSCell_typeInfoType);
+        m_out.store8(m_out.constInt8(structure-&gt;typeInfo().inlineTypeFlags()), result, m_heaps.JSCell_typeInfoFlags);
+        m_out.store8(m_out.constInt8(0), result, m_heaps.JSCell_gcData);
</ins><span class="cx">         
</span><span class="cx">         return result;
</span><span class="cx">     }
</span><del>-    
</del><ins>+
</ins><span class="cx">     LValue allocateObject(
</span><del>-        LValue allocator, LValue structure, LValue butterfly, LBasicBlock slowPath)
</del><ins>+        LValue allocator, Structure* structure, LValue butterfly, LBasicBlock slowPath)
</ins><span class="cx">     {
</span><span class="cx">         LValue result = allocateCell(allocator, structure, slowPath);
</span><span class="cx">         m_out.storePtr(butterfly, result, m_heaps.JSObject_butterfly);
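Review bot: allocateCell now initialises the cell header with five separate stores, and the last one writes a bare constInt8(0) into JSCell_gcData with nothing saying what 0 means. Name the constant, or comment it as the initial state for a fresh cell, and consider a helper that emits every header byte from a Structure* so the field list lives in one place; a field added to the header later would otherwise have to be remembered here by hand. The blank-line change before allocateObject is whitespace only and adds noise to the diff.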
</span><span class="lines">@@ -4011,7 +4025,7 @@
</span><span class="cx">     }
</span><span class="cx">     
</span><span class="cx">     template&lt;typename ClassType&gt;
</span><del>-    LValue allocateObject(LValue structure, LValue butterfly, LBasicBlock slowPath)
</del><ins>+    LValue allocateObject(Structure* structure, LValue butterfly, LBasicBlock slowPath)
</ins><span class="cx">     {
</span><span class="cx">         MarkedAllocator* allocator;
</span><span class="cx">         size_t size = ClassType::allocationSize(0);
</span><span class="lines">@@ -4080,7 +4094,7 @@
</span><span class="cx">             endOfStorage, m_out.constIntPtr(sizeof(JSValue) * vectorLength));
</span><span class="cx">         
</span><span class="cx">         LValue object = allocateObject&lt;JSArray&gt;(
</span><del>-            m_out.constIntPtr(structure), butterfly, slowPath);
</del><ins>+            structure, butterfly, slowPath);
</ins><span class="cx">         
</span><span class="cx">         m_out.store32(m_out.constInt32(numElements), butterfly, m_heaps.Butterfly_publicLength);
</span><span class="cx">         m_out.store32(m_out.constInt32(vectorLength), butterfly, m_heaps.Butterfly_vectorLength);
</span><span class="lines">@@ -4219,8 +4233,8 @@
</span><span class="cx">             FTL_TYPE_CHECK(
</span><span class="cx">                 jsValueValue(value), edge, (~SpecCell) | SpecObject,
</span><span class="cx">                 m_out.equal(
</span><del>-                    m_out.loadPtr(value, m_heaps.JSCell_structure),
-                    m_out.constIntPtr(vm().stringStructure.get())));
</del><ins>+                    m_out.load32(value, m_heaps.JSCell_structureID),
+                    m_out.constInt32(vm().stringStructure-&gt;id())));
</ins><span class="cx">             break;
</span><span class="cx">         }
</span><span class="cx">         
</span><span class="lines">@@ -4231,18 +4245,18 @@
</span><span class="cx">             LBasicBlock masqueradesCase =
</span><span class="cx">                 FTL_NEW_BLOCK(m_out, (&quot;EqualNullOrUndefined masquerades case&quot;));
</span><span class="cx">                 
</span><del>-            LValue structure = m_out.loadPtr(value, m_heaps.JSCell_structure);
-            
</del><span class="cx">             results.append(m_out.anchor(m_out.booleanFalse));
</span><span class="cx">             
</span><span class="cx">             m_out.branch(
</span><span class="cx">                 m_out.testNonZero8(
</span><del>-                    m_out.load8(structure, m_heaps.Structure_typeInfoFlags),
</del><ins>+                    m_out.load8(value, m_heaps.JSCell_typeInfoFlags),
</ins><span class="cx">                     m_out.constInt8(MasqueradesAsUndefined)),
</span><span class="cx">                 rarely(masqueradesCase), usually(continuation));
</span><span class="cx">             
</span><span class="cx">             m_out.appendTo(masqueradesCase, primitiveCase);
</span><span class="cx">             
</span><ins>+            LValue structure = loadStructure(value);
+            
</ins><span class="cx">             results.append(m_out.anchor(
</span><span class="cx">                 m_out.equal(
</span><span class="cx">                     m_out.constIntPtr(m_graph.globalObjectFor(m_node-&gt;origin.semantic)),
</span><span class="lines">@@ -5003,8 +5017,8 @@
</span><span class="cx">     LValue isObject(LValue cell)
</span><span class="cx">     {
</span><span class="cx">         return m_out.notEqual(
</span><del>-            m_out.loadPtr(cell, m_heaps.JSCell_structure),
-            m_out.constIntPtr(vm().stringStructure.get()));
</del><ins>+            m_out.load32(cell, m_heaps.JSCell_structureID),
+            m_out.constInt32(vm().stringStructure-&gt;id()));
</ins><span class="cx">     }
</span><span class="cx">     
</span><span class="cx">     LValue isNotString(LValue cell)
</span><span class="lines">@@ -5015,8 +5029,8 @@
</span><span class="cx">     LValue isString(LValue cell)
</span><span class="cx">     {
</span><span class="cx">         return m_out.equal(
</span><del>-            m_out.loadPtr(cell, m_heaps.JSCell_structure),
-            m_out.constIntPtr(vm().stringStructure.get()));
</del><ins>+            m_out.load32(cell, m_heaps.JSCell_structureID),
+            m_out.constInt32(vm().stringStructure-&gt;id()));
</ins><span class="cx">     }
</span><span class="cx">     
</span><span class="cx">     LValue isNotObject(LValue cell)
</span><span class="lines">@@ -5030,9 +5044,7 @@
</span><span class="cx">         case Array::Int32:
</span><span class="cx">         case Array::Double:
</span><span class="cx">         case Array::Contiguous: {
</span><del>-            LValue indexingType = m_out.load8(
-                m_out.loadPtr(cell, m_heaps.JSCell_structure),
-                m_heaps.Structure_indexingType);
</del><ins>+            LValue indexingType = m_out.load8(cell, m_heaps.JSCell_indexingType);
</ins><span class="cx">             
</span><span class="cx">             switch (arrayMode.arrayClass()) {
</span><span class="cx">             case Array::OriginalArray:
</span><span class="lines">@@ -5060,7 +5072,9 @@
</span><span class="cx">         }
</span><span class="cx">             
</span><span class="cx">         default:
</span><del>-            return hasClassInfo(cell, classInfoForType(arrayMode.typedArrayType()));
</del><ins>+            return m_out.equal(
+                m_out.load8(cell, m_heaps.JSCell_typeInfoType), 
+                m_out.constInt8(typeForTypedArrayType(arrayMode.typedArrayType())));
</ins><span class="cx">         }
</span><span class="cx">     }
</span><span class="cx">     
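Review bot: in the default: arm the typed-array check moves from ClassInfo identity to a one-byte JSType comparison, and nothing asserts that arrayMode.typedArrayType() is a real typed array type before typeForTypedArrayType() is called. Later typed-array accesses rely on this result, so an array mode that reaches default: without being a typed array should hit an assertion rather than be compared against whatever typeForTypedArrayType() returns for it. The added line ending in m_heaps.JSCell_typeInfoType), also carries a trailing space.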
</span><span class="lines">@@ -5068,7 +5082,7 @@
</span><span class="cx">     {
</span><span class="cx">         return m_out.equal(
</span><span class="cx">             m_out.loadPtr(
</span><del>-                m_out.loadPtr(cell, m_heaps.JSCell_structure),
</del><ins>+                loadStructure(cell),
</ins><span class="cx">                 m_heaps.Structure_classInfo),
</span><span class="cx">             m_out.constIntPtr(classInfo));
</span><span class="cx">     }
</span><span class="lines">@@ -5076,9 +5090,7 @@
</span><span class="cx">     LValue isType(LValue cell, JSType type)
</span><span class="cx">     {
</span><span class="cx">         return m_out.equal(
</span><del>-            m_out.load8(
-                m_out.loadPtr(cell, m_heaps.JSCell_structure),
-                m_heaps.Structure_typeInfoType),
</del><ins>+            m_out.load8(cell, m_heaps.JSCell_typeInfoType),
</ins><span class="cx">             m_out.constInt8(type));
</span><span class="cx">     }
</span><span class="cx">     
</span><span class="lines">@@ -5165,13 +5177,13 @@
</span><span class="cx">         LBasicBlock notString = FTL_NEW_BLOCK(m_out, (&quot;Speculate StringOrStringObject not string case&quot;));
</span><span class="cx">         LBasicBlock continuation = FTL_NEW_BLOCK(m_out, (&quot;Speculate StringOrStringObject continuation&quot;));
</span><span class="cx">         
</span><del>-        LValue structure = m_out.loadPtr(lowCell(edge), m_heaps.JSCell_structure);
</del><ins>+        LValue structureID = m_out.load32(lowCell(edge), m_heaps.JSCell_structureID);
</ins><span class="cx">         m_out.branch(
</span><del>-            m_out.equal(structure, m_out.constIntPtr(vm().stringStructure.get())),
</del><ins>+            m_out.equal(structureID, m_out.constInt32(vm().stringStructure-&gt;id())),
</ins><span class="cx">             unsure(continuation), unsure(notString));
</span><span class="cx">         
</span><span class="cx">         LBasicBlock lastNext = m_out.appendTo(notString, continuation);
</span><del>-        speculateStringObjectForStructure(edge, structure);
</del><ins>+        speculateStringObjectForStructureID(edge, structureID);
</ins><span class="cx">         m_out.jump(continuation);
</span><span class="cx">         
</span><span class="cx">         m_out.appendTo(continuation, lastNext);
</span><span class="lines">@@ -5181,10 +5193,10 @@
</span><span class="cx">     
</span><span class="cx">     void speculateStringObjectForCell(Edge edge, LValue cell)
</span><span class="cx">     {
</span><del>-        speculateStringObjectForStructure(edge, m_out.loadPtr(cell, m_heaps.JSCell_structure));
</del><ins>+        speculateStringObjectForStructureID(edge, m_out.load32(cell, m_heaps.JSCell_structureID));
</ins><span class="cx">     }
</span><span class="cx">     
</span><del>-    void speculateStringObjectForStructure(Edge edge, LValue structure)
</del><ins>+    void speculateStringObjectForStructureID(Edge edge, LValue structureID)
</ins><span class="cx">     {
</span><span class="cx">         Structure* stringObjectStructure =
</span><span class="cx">             m_graph.globalObjectFor(m_node-&gt;origin.semantic)-&gt;stringObjectStructure();
</span><span class="lines">@@ -5194,22 +5206,23 @@
</span><span class="cx">         
</span><span class="cx">         speculate(
</span><span class="cx">             NotStringObject, noValue(), 0,
</span><del>-            m_out.notEqual(structure, weakPointer(stringObjectStructure)));
</del><ins>+            m_out.notEqual(structureID, weakStructure(stringObjectStructure)));
</ins><span class="cx">     }
</span><span class="cx">     
</span><span class="cx">     void speculateNonNullObject(Edge edge, LValue cell)
</span><span class="cx">     {
</span><del>-        LValue structure = m_out.loadPtr(cell, m_heaps.JSCell_structure);
</del><span class="cx">         FTL_TYPE_CHECK(
</span><span class="cx">             jsValueValue(cell), edge, SpecObject, 
</span><del>-            m_out.equal(structure, m_out.constIntPtr(vm().stringStructure.get())));
</del><ins>+            m_out.equal(
+                m_out.load32(cell, m_heaps.JSCell_structureID),
+                m_out.constInt32(vm().stringStructure-&gt;id())));
</ins><span class="cx">         if (masqueradesAsUndefinedWatchpointIsStillValid())
</span><span class="cx">             return;
</span><span class="cx">         
</span><span class="cx">         speculate(
</span><span class="cx">             BadType, jsValueValue(cell), edge.node(),
</span><span class="cx">             m_out.testNonZero8(
</span><del>-                m_out.load8(structure, m_heaps.Structure_typeInfoFlags),
</del><ins>+                m_out.load8(cell, m_heaps.JSCell_typeInfoFlags),
</ins><span class="cx">                 m_out.constInt8(MasqueradesAsUndefined)));
</span><span class="cx">     }
</span><span class="cx">     
</span><span class="lines">@@ -5264,10 +5277,7 @@
</span><span class="cx">     
</span><span class="cx">     LValue loadMarkByte(LValue base)
</span><span class="cx">     {
</span><del>-        LValue markedBlock = m_out.bitAnd(base, m_out.constInt64(MarkedBlock::blockMask));
-        LValue baseOffset = m_out.bitAnd(base, m_out.constInt64(~MarkedBlock::blockMask));
-        LValue markByteIndex = m_out.lShr(baseOffset, m_out.constInt64(MarkedBlock::atomShiftAmount + MarkedBlock::markByteShiftAmount));
-        return m_out.load8(m_out.baseIndex(m_heaps.MarkedBlock_markBits, markedBlock, markByteIndex, ScaleOne, MarkedBlock::offsetOfMarks()));
</del><ins>+        return m_out.load8(base, m_heaps.JSCell_gcData);
</ins><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     void emitStoreBarrier(LValue base, LValue value, Edge valueEdge)
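Review bot: loadMarkByte keeps its name but now returns the cell's JSCell_gcData byte instead of the MarkedBlock mark byte, so the store barrier is correct only while that byte mirrors the block's mark bit. State that invariant in a comment here and say which code is responsible for keeping the two in sync; if gcData is meant to hold more than mark state, rename the helper as well.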
</span><span class="lines">@@ -5732,12 +5742,25 @@
</span><span class="cx">     {
</span><span class="cx">         m_graph.m_plan.weakReferences.addLazily(target);
</span><span class="cx">     }
</span><del>-    
</del><ins>+
+    LValue loadStructure(LValue value)
+    {
+        LValue tableIndex = m_out.load32(value, m_heaps.JSCell_structureID);
+        LValue tableBase = m_out.get(m_out.constIntPtr(vm().heap.structureIDTable().base()));
+        return m_out.get(m_out.baseIndex(tableBase, tableIndex, ScaleEight));
+    }
+
</ins><span class="cx">     LValue weakPointer(JSCell* pointer)
</span><span class="cx">     {
</span><span class="cx">         addWeakReference(pointer);
</span><span class="cx">         return m_out.constIntPtr(pointer);
</span><span class="cx">     }
</span><ins>+
+    LValue weakStructure(Structure* structure)
+    {
+        addWeakReference(structure);
+        return m_out.constInt32(structure-&gt;id());
+    }
</ins><span class="cx">     
</span><span class="cx">     TypedPointer addressFor(LValue base, int operand, ptrdiff_t offset = 0)
</span><span class="cx">     {
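Review bot: loadStructure indexes the table with the raw 32-bit value read from the cell and lacks comments on two things a reader needs. First, tableBase is reloaded from memory through m_out.get() on every use rather than embedded as a constant; say whether that is deliberate, for example because the table can be replaced, as the flushOldTables() call elsewhere in this change suggests. Second, the index is used without a range check, so the helper is only safe on cells whose header is already known to be valid; note that precondition. weakStructure also returns an Int32 where weakPointer returns a pointer-sized value, which deserves a line of documentation so the two are not mixed in a comparison.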
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLOSRExitCompilercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLOSRExitCompiler.cpp (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLOSRExitCompiler.cpp        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/ftl/FTLOSRExitCompiler.cpp        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -106,9 +106,9 @@
</span><span class="cx">         if (exit.m_kind == BadCache || exit.m_kind == BadIndexingType) {
</span><span class="cx">             CodeOrigin codeOrigin = exit.m_codeOriginForExitProfile;
</span><span class="cx">             if (ArrayProfile* arrayProfile = jit.baselineCodeBlockFor(codeOrigin)-&gt;getArrayProfile(codeOrigin.bytecodeIndex)) {
</span><del>-                jit.loadPtr(MacroAssembler::Address(GPRInfo::regT0, JSCell::structureOffset()), GPRInfo::regT1);
-                jit.storePtr(GPRInfo::regT1, arrayProfile-&gt;addressOfLastSeenStructure());
-                jit.load8(MacroAssembler::Address(GPRInfo::regT1, Structure::indexingTypeOffset()), GPRInfo::regT1);
</del><ins>+                jit.load32(MacroAssembler::Address(GPRInfo::regT0, JSCell::structureIDOffset()), GPRInfo::regT1);
+                jit.store32(GPRInfo::regT1, arrayProfile-&gt;addressOfLastSeenStructureID());
+                jit.load8(MacroAssembler::Address(GPRInfo::regT0, JSCell::indexingTypeOffset()), GPRInfo::regT1);
</ins><span class="cx">                 jit.move(MacroAssembler::TrustedImm32(1), GPRInfo::regT2);
</span><span class="cx">                 jit.lshift32(GPRInfo::regT1, GPRInfo::regT2);
</span><span class="cx">                 jit.or32(GPRInfo::regT2, MacroAssembler::AbsoluteAddress(arrayProfile-&gt;addressOfArrayModes()));
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLOutputh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLOutput.h (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLOutput.h        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/ftl/FTLOutput.h        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -267,6 +267,7 @@
</span><span class="cx">     LValue load64(LValue base, const AbstractField&amp; field) { return load64(address(base, field)); }
</span><span class="cx">     LValue loadPtr(LValue base, const AbstractField&amp; field) { return loadPtr(address(base, field)); }
</span><span class="cx">     LValue loadDouble(LValue base, const AbstractField&amp; field) { return loadDouble(address(base, field)); }
</span><ins>+    void store8(LValue value, LValue base, const AbstractField&amp; field) { store8(value, address(base, field)); }
</ins><span class="cx">     void store32(LValue value, LValue base, const AbstractField&amp; field) { store32(value, address(base, field)); }
</span><span class="cx">     void store64(LValue value, LValue base, const AbstractField&amp; field) { store64(value, address(base, field)); }
</span><span class="cx">     void storePtr(LValue value, LValue base, const AbstractField&amp; field) { storePtr(value, address(base, field)); }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapGCAssertionsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/heap/GCAssertions.h (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/GCAssertions.h        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/heap/GCAssertions.h        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -32,7 +32,7 @@
</span><span class="cx"> #if ENABLE(GC_VALIDATION)
</span><span class="cx"> #define ASSERT_GC_OBJECT_LOOKS_VALID(cell) do { \
</span><span class="cx">     RELEASE_ASSERT(cell);\
</span><del>-    RELEASE_ASSERT(cell-&gt;unvalidatedStructure()-&gt;unvalidatedStructure() == cell-&gt;unvalidatedStructure()-&gt;unvalidatedStructure()-&gt;unvalidatedStructure()); \
</del><ins>+    RELEASE_ASSERT(cell-&gt;structure()-&gt;structure() == cell-&gt;structure()-&gt;structure()-&gt;structure()); \
</ins><span class="cx"> } while (0)
</span><span class="cx"> 
</span><span class="cx"> #define ASSERT_GC_OBJECT_INHERITS(object, classInfo) do {\
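Review bot: ASSERT_GC_OBJECT_LOOKS_VALID exists to check cells that may be corrupt, yet the new RELEASE_ASSERT line walks three levels deep through structure() instead of the unvalidated accessor it replaces. If structure() carries its own validation or resolves the ID through the structure ID table, a bad cell faults inside the accessor before this assertion can report anything. Keep an unvalidated accessor for this macro, or add a comment stating why structure() is safe on an unchecked cell.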
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapHeapcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/heap/Heap.cpp (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/Heap.cpp        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/heap/Heap.cpp        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -437,6 +437,7 @@
</span><span class="cx">     JSCell** registerRoots = stackRoots.roots();
</span><span class="cx">     for (size_t i = 0; i &lt; stackRootCount; i++) {
</span><span class="cx">         setMarked(registerRoots[i]);
</span><ins>+        registerRoots[i]-&gt;mark();
</ins><span class="cx">         roots.add(registerRoots[i]);
</span><span class="cx">     }
</span><span class="cx"> }
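Review bot: setMarked(registerRoots[i]) followed by registerRoots[i]-&gt;mark() records the same fact in two places, and every marking site now has to remember both calls. Fold them into one helper so the block's mark bit and the cell's own mark state cannot be updated separately.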
</span><span class="lines">@@ -857,6 +858,7 @@
</span><span class="cx"> 
</span><span class="cx">     {
</span><span class="cx">         GCPHASE(StopAllocation);
</span><ins>+        m_structureIDTable.flushOldTables();
</ins><span class="cx">         m_objectSpace.stopAllocating();
</span><span class="cx">         if (m_operationInProgress == FullCollection)
</span><span class="cx">             m_storageSpace.didStartFullCollection();
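Review bot: m_structureIDTable.flushOldTables() is added at the top of the StopAllocation phase with no comment. If it releases superseded tables, that is only safe once nothing can still read through an old base pointer, so document what guarantees that at this point in the collection and why the call has to precede m_objectSpace.stopAllocating().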
</span><span class="lines">@@ -1110,8 +1112,11 @@
</span><span class="cx"> {
</span><span class="cx"> #if ENABLE(GGC)
</span><span class="cx">     ASSERT_GC_OBJECT_LOOKS_VALID(const_cast&lt;JSCell*&gt;(from));
</span><del>-    if (!from || !isMarked(from))
</del><ins>+    if (!from || !from-&gt;isMarked()) {
+        ASSERT(!from || !isMarked(from));
</ins><span class="cx">         return;
</span><ins>+    }
+    ASSERT(isMarked(from));
</ins><span class="cx">     addToRememberedSet(from);
</span><span class="cx"> #else
</span><span class="cx">     UNUSED_PARAM(from);
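Review bot: the early return now trusts from-&gt;isMarked() and compares it with isMarked(from) only inside ASSERT, so in a release build a cell whose own mark state has fallen behind the block's mark bit skips addToRememberedSet() silently. Either keep the block bit authoritative on this path until the new state has had testing time, or add a comment naming every place that must call mark() for the two to agree.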
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapHeaph"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/heap/Heap.h (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/Heap.h        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/heap/Heap.h        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -38,6 +38,7 @@
</span><span class="cx"> #include &quot;MarkedSpace.h&quot;
</span><span class="cx"> #include &quot;Options.h&quot;
</span><span class="cx"> #include &quot;SlotVisitor.h&quot;
</span><ins>+#include &quot;StructureIDTable.h&quot;
</ins><span class="cx"> #include &quot;WeakHandleOwner.h&quot;
</span><span class="cx"> #include &quot;WriteBarrierBuffer.h&quot;
</span><span class="cx"> #include &quot;WriteBarrierSupport.h&quot;
</span><span class="lines">@@ -201,6 +202,9 @@
</span><span class="cx">         
</span><span class="cx">         bool isDeferred() const { return !!m_deferralDepth || Options::disableGC(); }
</span><span class="cx"> 
</span><ins>+        BlockAllocator&amp; blockAllocator();
+        StructureIDTable&amp; structureIDTable() { return m_structureIDTable; }
+
</ins><span class="cx"> #if USE(CF)
</span><span class="cx">         template&lt;typename T&gt; void releaseSoon(RetainPtr&lt;T&gt;&amp;&amp;);
</span><span class="cx"> #endif
</span><span class="lines">@@ -259,7 +263,6 @@
</span><span class="cx">         size_t sizeAfterCollect();
</span><span class="cx"> 
</span><span class="cx">         JSStack&amp; stack();
</span><del>-        BlockAllocator&amp; blockAllocator();
</del><span class="cx">         
</span><span class="cx">         JS_EXPORT_PRIVATE void incrementDeferralDepth();
</span><span class="cx">         void decrementDeferralDepth();
</span><span class="lines">@@ -280,6 +283,7 @@
</span><span class="cx">         
</span><span class="cx">         HeapOperation m_operationInProgress;
</span><span class="cx">         BlockAllocator m_blockAllocator;
</span><ins>+        StructureIDTable m_structureIDTable;
</ins><span class="cx">         MarkedSpace m_objectSpace;
</span><span class="cx">         CopiedSpace m_storageSpace;
</span><span class="cx">         GCIncomingRefCountedSet&lt;ArrayBuffer&gt; m_arrayBuffers;
</span><span class="lines">@@ -393,18 +397,6 @@
</span><span class="cx"> #endif
</span><span class="cx">     }
</span><span class="cx"> 
</span><del>-    inline void Heap::writeBarrier(const JSCell* from, JSCell* to)
-    {
-#if ENABLE(WRITE_BARRIER_PROFILING)
-        WriteBarrierCounters::countWriteBarrier();
-#endif
-        if (!from || !isMarked(from))
-            return;
-        if (!to || isMarked(to))
-            return;
-        addToRememberedSet(from);
-    }
-
</del><span class="cx">     inline void Heap::writeBarrier(const JSCell* from, JSValue to)
</span><span class="cx">     {
</span><span class="cx"> #if ENABLE(WRITE_BARRIER_PROFILING)
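Review bot: the removed inline Heap::writeBarrier(const JSCell*, JSCell*) returned early when to was null or already marked, and this hunk does not show where that filter goes. Confirm that its callers now land on an overload that still skips already-marked targets, or say in the commit message that dropping the filter is intended, since it changes how often addToRememberedSet() runs.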
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapMarkedSpaceh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/heap/MarkedSpace.h (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/MarkedSpace.h        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/heap/MarkedSpace.h        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -244,20 +244,22 @@
</span><span class="cx"> 
</span><span class="cx"> template &lt;typename Functor&gt; inline typename Functor::ReturnType MarkedSpace::forEachBlock(Functor&amp; functor)
</span><span class="cx"> {
</span><del>-    for (size_t i = 0; i &lt; preciseCount; ++i) {
</del><ins>+    for (size_t i = 0; i &lt; preciseCount; ++i)
</ins><span class="cx">         m_normalSpace.preciseAllocators[i].forEachBlock(functor);
</span><ins>+    for (size_t i = 0; i &lt; impreciseCount; ++i)
+        m_normalSpace.impreciseAllocators[i].forEachBlock(functor);
+    m_normalSpace.largeAllocator.forEachBlock(functor);
+
+    for (size_t i = 0; i &lt; preciseCount; ++i)
</ins><span class="cx">         m_normalDestructorSpace.preciseAllocators[i].forEachBlock(functor);
</span><ins>+    for (size_t i = 0; i &lt; impreciseCount; ++i)
+        m_normalDestructorSpace.impreciseAllocators[i].forEachBlock(functor);
+    m_normalDestructorSpace.largeAllocator.forEachBlock(functor);
+
+    for (size_t i = 0; i &lt; preciseCount; ++i)
</ins><span class="cx">         m_immortalStructureDestructorSpace.preciseAllocators[i].forEachBlock(functor);
</span><del>-    }
-
-    for (size_t i = 0; i &lt; impreciseCount; ++i) {
-        m_normalSpace.impreciseAllocators[i].forEachBlock(functor);
-        m_normalDestructorSpace.impreciseAllocators[i].forEachBlock(functor);
</del><ins>+    for (size_t i = 0; i &lt; impreciseCount; ++i)
</ins><span class="cx">         m_immortalStructureDestructorSpace.impreciseAllocators[i].forEachBlock(functor);
</span><del>-    }
-
-    m_normalSpace.largeAllocator.forEachBlock(functor);
-    m_normalDestructorSpace.largeAllocator.forEachBlock(functor);
</del><span class="cx">     m_immortalStructureDestructorSpace.largeAllocator.forEachBlock(functor);
</span><span class="cx"> 
</span><span class="cx">     return functor.returnValue();
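Review bot: forEachBlock changes its visiting order from one size class across all three subspaces to one subspace at a time, and the same three-statement pattern is now written out three times. If the new order matters, say so in a comment; either way a small per-subspace helper called for m_normalSpace, m_normalDestructorSpace and m_immortalStructureDestructorSpace would remove the triplication and make it harder to miss an allocator when a subspace is added.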
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapSlotVisitorh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/heap/SlotVisitor.h (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/SlotVisitor.h        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/heap/SlotVisitor.h        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -54,6 +54,8 @@
</span><span class="cx"> 
</span><span class="cx">     MarkStackArray&amp; markStack() { return m_stack; }
</span><span class="cx"> 
</span><ins>+    VM&amp; vm();
+    const VM&amp; vm() const;
</ins><span class="cx">     Heap* heap() const;
</span><span class="cx"> 
</span><span class="cx">     void append(ConservativeRoots&amp;);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapSlotVisitorInlinesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/heap/SlotVisitorInlines.h (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/SlotVisitorInlines.h        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/heap/SlotVisitorInlines.h        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -108,9 +108,12 @@
</span><span class="cx"> #if ENABLE(GC_VALIDATION)
</span><span class="cx">     validate(cell);
</span><span class="cx"> #endif
</span><del>-    if (Heap::testAndSetMarked(cell) || !cell-&gt;structure())
</del><ins>+    if (Heap::testAndSetMarked(cell) || !cell-&gt;structure()) {
+        ASSERT(cell-&gt;structure());
</ins><span class="cx">         return;
</span><ins>+    }
</ins><span class="cx"> 
</span><ins>+    cell-&gt;mark();
</ins><span class="cx">     m_bytesVisited += MarkedBlock::blockFor(cell)-&gt;cellSize();
</span><span class="cx">         
</span><span class="cx">     MARK_LOG_CHILD(*this, cell);
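Review bot: ASSERT(cell-&gt;structure()) sits inside the branch that is taken when !cell-&gt;structure() is true, so debug builds assert on a null structure while release builds return quietly. Pick one: if a null structure is no longer legal here, assert before the if and drop the || !cell-&gt;structure() term; if it is still legal, the ASSERT is wrong. Also, cell-&gt;mark() runs as a separate step after Heap::testAndSetMarked(cell), so another reader can observe the block bit set before the cell's own mark state; a comment on whether that window is acceptable would help.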
</span><span class="lines">@@ -279,6 +282,16 @@
</span><span class="cx">     return &amp;sharedData().m_vm-&gt;heap;
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+inline VM&amp; SlotVisitor::vm()
+{
+    return *sharedData().m_vm;
+}
+
+inline const VM&amp; SlotVisitor::vm() const
+{
+    return *sharedData().m_vm;
+}
+
</ins><span class="cx"> } // namespace JSC
</span><span class="cx"> 
</span><span class="cx"> #endif // SlotVisitorInlines_h
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitAssemblyHelpersh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/AssemblyHelpers.h (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/AssemblyHelpers.h        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/jit/AssemblyHelpers.h        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -286,9 +286,9 @@
</span><span class="cx">         return payloadFor(static_cast&lt;VirtualRegister&gt;(operand));
</span><span class="cx">     }
</span><span class="cx"> 
</span><del>-    Jump branchIfNotObject(GPRReg structureReg)
</del><ins>+    Jump branchIfCellNotObject(GPRReg cellReg)
</ins><span class="cx">     {
</span><del>-        return branch8(Below, Address(structureReg, Structure::typeInfoTypeOffset()), TrustedImm32(ObjectType));
</del><ins>+        return branch8(Below, Address(cellReg, JSCell::typeInfoTypeOffset()), TrustedImm32(ObjectType));
</ins><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     static GPRReg selectScratchGPR(GPRReg preserve1 = InvalidGPRReg, GPRReg preserve2 = InvalidGPRReg, GPRReg preserve3 = InvalidGPRReg, GPRReg preserve4 = InvalidGPRReg)
</span><span class="lines">@@ -387,21 +387,9 @@
</span><span class="cx">     void jitAssertArgumentCountSane() { }
</span><span class="cx"> #endif
</span><span class="cx"> 
</span><del>-    Jump genericWriteBarrier(GPRReg owner, GPRReg scratch1, GPRReg scratch2)
</del><ins>+    Jump genericWriteBarrier(GPRReg owner)
</ins><span class="cx">     {
</span><del>-        move(owner, scratch1);
-        move(owner, scratch2);
-    
-        andPtr(TrustedImmPtr(MarkedBlock::blockMask), scratch1);
-        andPtr(TrustedImmPtr(~MarkedBlock::blockMask), scratch2);
-    
-#if USE(JSVALUE64)
-        rshift64(TrustedImm32(MarkedBlock::atomShiftAmount + MarkedBlock::markByteShiftAmount), scratch2);
-#else
-        rshift32(TrustedImm32(MarkedBlock::atomShiftAmount + MarkedBlock::markByteShiftAmount), scratch2);
-#endif
-    
-        return branchTest8(Zero, BaseIndex(scratch1, scratch2, TimesOne, MarkedBlock::offsetOfMarks()));
</del><ins>+        return branchTest8(Zero, Address(owner, JSCell::gcDataOffset()));
</ins><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     // These methods convert between doubles, and doubles boxed and JSValues.
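Review bot: genericWriteBarrier now decides on a single byte at JSCell::gcDataOffset() with an unmasked branchTest8(Zero, ...), but nothing here says what that byte encodes or what keeps it in step with the mark state the removed code read through MarkedBlock::offsetOfMarks(). Please add a comment on the function stating the invariant (which values of the gcData byte mean the barrier can be skipped), so a later change to that byte's layout gets checked against this fast path.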
</span><span class="lines">@@ -559,6 +547,79 @@
</span><span class="cx">         return offsetOfArgumentsIncludingThis(codeOrigin.inlineCallFrame);
</span><span class="cx">     }
</span><span class="cx"> 
</span><ins>+    void emitLoadStructure(RegisterID source, RegisterID dest, RegisterID scratch)
+    {
+#if USE(JSVALUE64)
+        load32(MacroAssembler::Address(source, JSCell::structureIDOffset()), dest);
+        loadPtr(vm()-&gt;heap.structureIDTable().base(), scratch);
+        loadPtr(MacroAssembler::BaseIndex(scratch, dest, MacroAssembler::TimesEight), dest);
+#else
+        UNUSED_PARAM(scratch);
+        loadPtr(MacroAssembler::Address(source, JSCell::structureIDOffset()), dest);
+#endif
+    }
+
+    static void emitLoadStructure(AssemblyHelpers&amp; jit, RegisterID base, RegisterID dest, RegisterID scratch)
+    {
+#if USE(JSVALUE64)
+        jit.load32(MacroAssembler::Address(base, JSCell::structureIDOffset()), dest);
+        jit.loadPtr(jit.vm()-&gt;heap.structureIDTable().base(), scratch);
+        jit.loadPtr(MacroAssembler::BaseIndex(scratch, dest, MacroAssembler::TimesEight), dest);
+#else
+        UNUSED_PARAM(scratch);
+        jit.loadPtr(MacroAssembler::Address(base, JSCell::structureIDOffset()), dest);
+#endif
+    }
+
+    void emitStoreStructureWithTypeInfo(TrustedImmPtr structure, RegisterID dest, RegisterID)
+    {
+        emitStoreStructureWithTypeInfo(*this, structure, dest);
+    }
+
+    void emitStoreStructureWithTypeInfo(RegisterID structure, RegisterID dest, RegisterID scratch)
+    {
+#if USE(JSVALUE64)
+        load64(MacroAssembler::Address(structure, Structure::structureIDOffset()), scratch);
+        store64(scratch, MacroAssembler::Address(dest, JSCell::structureIDOffset()));
+#else
+        // Store all the info flags using a single 32-bit wide load and store.
+        load32(MacroAssembler::Address(structure, Structure::indexingTypeOffset()), scratch);
+        store32(scratch, MacroAssembler::Address(dest, JSCell::indexingTypeOffset()));
+
+        // Store the StructureID
+        storePtr(structure, MacroAssembler::Address(dest, JSCell::structureIDOffset()));
+#endif
+    }
+
+    static void emitStoreStructureWithTypeInfo(AssemblyHelpers&amp; jit, TrustedImmPtr structure, RegisterID dest)
+    {
+        const Structure* structurePtr = static_cast&lt;const Structure*&gt;(structure.m_value);
+#if USE(JSVALUE64)
+        jit.store64(TrustedImm64(structurePtr-&gt;idBlob()), MacroAssembler::Address(dest, JSCell::structureIDOffset()));
+#ifndef NDEBUG
+        Jump correctStructure = jit.branch32(Equal, MacroAssembler::Address(dest, JSCell::structureIDOffset()), TrustedImm32(structurePtr-&gt;id()));
+        jit.breakpoint();
+        correctStructure.link(&amp;jit);
+
+        Jump correctIndexingType = jit.branch8(Equal, MacroAssembler::Address(dest, JSCell::indexingTypeOffset()), TrustedImm32(structurePtr-&gt;indexingType()));
+        jit.breakpoint();
+        correctIndexingType.link(&amp;jit);
+
+        Jump correctType = jit.branch8(Equal, MacroAssembler::Address(dest, JSCell::typeInfoTypeOffset()), TrustedImm32(structurePtr-&gt;typeInfo().type()));
+        jit.breakpoint();
+        correctType.link(&amp;jit);
+
+        Jump correctFlags = jit.branch8(Equal, MacroAssembler::Address(dest, JSCell::typeInfoFlagsOffset()), TrustedImm32(structurePtr-&gt;typeInfo().inlineTypeFlags()));
+        jit.breakpoint();
+        correctFlags.link(&amp;jit);
+#endif
+#else
+        // Do a 32-bit wide store to initialize the cell's fields.
+        jit.store32(TrustedImm32(structurePtr-&gt;objectInitializationBlob()), MacroAssembler::Address(dest, JSCell::indexingTypeOffset()));
+        jit.storePtr(structure, MacroAssembler::Address(dest, JSCell::structureIDOffset()));
+#endif
+    }
+
</ins><span class="cx">     void writeBarrier(GPRReg owner, GPRReg scratch1, GPRReg scratch2, WriteBarrierUseKind useKind)
</span><span class="cx">     {
</span><span class="cx">         UNUSED_PARAM(owner);
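Review bot: in the JSVALUE64 path of both emitLoadStructure overloads, the 32-bit value loaded from JSCell::structureIDOffset() is used directly as the index in BaseIndex(scratch, dest, TimesEight) with no range check, so a cell whose header is stale or corrupted makes the generated code read a Structure pointer from outside the table. emitStoreStructureWithTypeInfo already carries self-checks under #ifndef NDEBUG; a matching debug-only check that the ID lies within the table before the indexed load would catch this early. The two overloads also have identical bodies, so the member version could call the static one with *this, as the TrustedImmPtr store overload does.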
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JIT.h (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JIT.h        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/jit/JIT.h        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -305,7 +305,7 @@
</span><span class="cx">         
</span><span class="cx">         void emitLoadDouble(int index, FPRegisterID value);
</span><span class="cx">         void emitLoadInt32ToDouble(int index, FPRegisterID value);
</span><del>-        Jump emitJumpIfNotObject(RegisterID structureReg);
</del><ins>+        Jump emitJumpIfCellNotObject(RegisterID cellReg);
</ins><span class="cx"> 
</span><span class="cx">         Jump addStructureTransitionCheck(JSCell*, Structure*, StructureStubInfo*, RegisterID scratch);
</span><span class="cx">         void addStructureTransitionCheck(JSCell*, Structure*, StructureStubInfo*, JumpList&amp; failureCases, RegisterID scratch);
</span><span class="lines">@@ -314,7 +314,7 @@
</span><span class="cx">         enum WriteBarrierMode { UnconditionalWriteBarrier, ShouldFilterValue, ShouldFilterBaseAndValue };
</span><span class="cx">         // value register in write barrier is used before any scratch registers
</span><span class="cx">         // so may safely be the same as either of the scratch registers.
</span><del>-        Jump checkMarkWord(RegisterID owner, RegisterID scratch1, RegisterID scratch2);
</del><ins>+        Jump checkMarkWord(RegisterID owner);
</ins><span class="cx">         Jump checkMarkWord(JSCell* owner);
</span><span class="cx">         void emitWriteBarrier(unsigned owner, unsigned value, WriteBarrierMode);
</span><span class="cx">         void emitWriteBarrier(JSCell* owner, unsigned value, WriteBarrierMode);
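Review bot: the comment above checkMarkWord still says the value register may alias "either of the scratch registers", yet the register overload is now checkMarkWord(RegisterID owner) and takes no scratch registers. Please update the comment to say which function's scratch registers it refers to, or drop it if it no longer describes anything.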
</span><span class="lines">@@ -328,8 +328,8 @@
</span><span class="cx">         void emitValueProfilingSite(ValueProfile*);
</span><span class="cx">         void emitValueProfilingSite(unsigned bytecodeOffset);
</span><span class="cx">         void emitValueProfilingSite();
</span><del>-        void emitArrayProfilingSite(RegisterID structureAndIndexingType, RegisterID scratch, ArrayProfile*);
-        void emitArrayProfilingSiteForBytecodeIndex(RegisterID structureAndIndexingType, RegisterID scratch, unsigned bytecodeIndex);
</del><ins>+        void emitArrayProfilingSiteWithCell(RegisterID cell, RegisterID indexingType, ArrayProfile*);
+        void emitArrayProfilingSiteForBytecodeIndexWithCell(RegisterID cell, RegisterID indexingType, unsigned bytecodeIndex);
</ins><span class="cx">         void emitArrayProfileStoreToHoleSpecialCase(ArrayProfile*);
</span><span class="cx">         void emitArrayProfileOutOfBoundsSpecialCase(ArrayProfile*);
</span><span class="cx">         
</span><span class="lines">@@ -369,6 +369,8 @@
</span><span class="cx">         
</span><span class="cx">         enum FinalObjectMode { MayBeFinal, KnownNotFinal };
</span><span class="cx"> 
</span><ins>+        template &lt;typename T&gt; Jump branchStructure(RelationalCondition, T leftHandSide, Structure*);
+
</ins><span class="cx"> #if USE(JSVALUE32_64)
</span><span class="cx">         bool getOperandConstantImmediateInt(int op1, int op2, int&amp; op, int32_t&amp; constant);
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITCallcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITCall.cpp (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITCall.cpp        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/jit/JITCall.cpp        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -188,8 +188,8 @@
</span><span class="cx">         if (opcodeID == op_call &amp;&amp; shouldEmitProfiling()) {
</span><span class="cx">             emitGetVirtualRegister(registerOffset + CallFrame::argumentOffsetIncludingThis(0), regT0);
</span><span class="cx">             Jump done = emitJumpIfNotJSCell(regT0);
</span><del>-            loadPtr(Address(regT0, JSCell::structureOffset()), regT0);
-            storePtr(regT0, instruction[OPCODE_LENGTH(op_call) - 2].u.arrayProfile-&gt;addressOfLastSeenStructure());
</del><ins>+            load32(Address(regT0, JSCell::structureIDOffset()), regT0);
+            store32(regT0, instruction[OPCODE_LENGTH(op_call) - 2].u.arrayProfile-&gt;addressOfLastSeenStructureID());
</ins><span class="cx">             done.link(this);
</span><span class="cx">         }
</span><span class="cx">     
</span><span class="lines">@@ -260,7 +260,7 @@
</span><span class="cx">     JumpList slowCases;
</span><span class="cx"> 
</span><span class="cx">     slowCases.append(branchTestPtr(NonZero, regT0, tagMaskRegister));
</span><del>-    slowCases.append(branchPtr(NotEqual, Address(regT0, JSCell::structureOffset()), TrustedImmPtr(expectedStructure)));
</del><ins>+    slowCases.append(branchStructure(NotEqual, Address(regT0, JSCell::structureIDOffset()), expectedStructure));
</ins><span class="cx">     slowCases.append(branchPtr(NotEqual, Address(regT0, JSFunction::offsetOfExecutable()), TrustedImmPtr(expectedExecutable)));
</span><span class="cx">     
</span><span class="cx">     loadPtr(Address(regT0, JSFunction::offsetOfScopeChain()), regT1);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITCall32_64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITCall32_64.cpp (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITCall32_64.cpp        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/jit/JITCall32_64.cpp        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -70,8 +70,7 @@
</span><span class="cx"> 
</span><span class="cx">     emitLoad(result, regT1, regT0);
</span><span class="cx">     Jump notJSCell = branch32(NotEqual, regT1, TrustedImm32(JSValue::CellTag));
</span><del>-    loadPtr(Address(regT0, JSCell::structureOffset()), regT2);
-    Jump notObject = emitJumpIfNotObject(regT2);
</del><ins>+    Jump notObject = emitJumpIfCellNotObject(regT0);
</ins><span class="cx"> 
</span><span class="cx">     checkStackPointerAlignment();
</span><span class="cx">     emitFunctionEpilogue();
</span><span class="lines">@@ -266,8 +265,8 @@
</span><span class="cx">         if (opcodeID == op_call &amp;&amp; shouldEmitProfiling()) {
</span><span class="cx">             emitLoad(registerOffset + CallFrame::argumentOffsetIncludingThis(0), regT0, regT1);
</span><span class="cx">             Jump done = branch32(NotEqual, regT0, TrustedImm32(JSValue::CellTag));
</span><del>-            loadPtr(Address(regT1, JSCell::structureOffset()), regT1);
-            storePtr(regT1, instruction[OPCODE_LENGTH(op_call) - 2].u.arrayProfile-&gt;addressOfLastSeenStructure());
</del><ins>+            loadPtr(Address(regT1, JSCell::structureIDOffset()), regT1);
+            storePtr(regT1, instruction[OPCODE_LENGTH(op_call) - 2].u.arrayProfile-&gt;addressOfLastSeenStructureID());
</ins><span class="cx">             done.link(this);
</span><span class="cx">         }
</span><span class="cx">     
</span><span class="lines">@@ -342,7 +341,7 @@
</span><span class="cx">     JumpList slowCases;
</span><span class="cx"> 
</span><span class="cx">     slowCases.append(branch32(NotEqual, regT1, TrustedImm32(JSValue::CellTag)));
</span><del>-    slowCases.append(branchPtr(NotEqual, Address(regT0, JSCell::structureOffset()), TrustedImmPtr(expectedStructure)));
</del><ins>+    slowCases.append(branchPtr(NotEqual, Address(regT0, JSCell::structureIDOffset()), TrustedImmPtr(expectedStructure)));
</ins><span class="cx">     slowCases.append(branchPtr(NotEqual, Address(regT0, JSFunction::offsetOfExecutable()), TrustedImmPtr(expectedExecutable)));
</span><span class="cx">     
</span><span class="cx">     loadPtr(Address(regT0, JSFunction::offsetOfScopeChain()), regT1);
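Review bot: this compare is still spelled branchPtr(..., TrustedImmPtr(expectedStructure)) against JSCell::structureIDOffset(), while the same check in JITCall.cpp was switched to branchStructure. The helper's non-JSVALUE64 arm emits exactly this branchPtr, so using branchStructure(NotEqual, Address(regT0, JSCell::structureIDOffset()), expectedStructure) here generates the same code and keeps a single place that knows how a Structure is compared against the cell header.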
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITInlineCacheGeneratorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITInlineCacheGenerator.cpp (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITInlineCacheGenerator.cpp        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/jit/JITInlineCacheGenerator.cpp        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -101,10 +101,10 @@
</span><span class="cx"> 
</span><span class="cx"> void JITByIdGenerator::generateFastPathChecks(MacroAssembler&amp; jit, GPRReg butterfly)
</span><span class="cx"> {
</span><del>-    m_structureCheck = jit.patchableBranchPtrWithPatch(
</del><ins>+    m_structureCheck = jit.patchableBranch32WithPatch(
</ins><span class="cx">         MacroAssembler::NotEqual,
</span><del>-        MacroAssembler::Address(m_base.payloadGPR(), JSCell::structureOffset()),
-        m_structureImm, MacroAssembler::TrustedImmPtr(reinterpret_cast&lt;void*&gt;(unusedPointer)));
</del><ins>+        MacroAssembler::Address(m_base.payloadGPR(), JSCell::structureIDOffset()),
+        m_structureImm, MacroAssembler::TrustedImm32(0));
</ins><span class="cx">     
</span><span class="cx">     m_propertyStorageLoad = jit.convertibleLoadPtr(
</span><span class="cx">         MacroAssembler::Address(m_base.payloadGPR(), JSObject::butterflyOffset()), butterfly);
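Review bot: the patchable immediate changes from the named unusedPointer sentinel to a bare TrustedImm32(0), which leaves m_structureCheck comparing the cell's structure ID against 0 until the cache is first patched. Please give the placeholder a named constant and a comment stating that 0 is never handed out as a live structure ID (or pick a value for which that holds), since an unpatched cache whose immediate matches would fall through to the fast path.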
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITInlineCacheGeneratorh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITInlineCacheGenerator.h (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITInlineCacheGenerator.h        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/jit/JITInlineCacheGenerator.h        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -78,7 +78,7 @@
</span><span class="cx">     JSValueRegs m_base;
</span><span class="cx">     JSValueRegs m_value;
</span><span class="cx">     
</span><del>-    MacroAssembler::DataLabelPtr m_structureImm;
</del><ins>+    MacroAssembler::DataLabel32 m_structureImm;
</ins><span class="cx">     MacroAssembler::PatchableJump m_structureCheck;
</span><span class="cx">     MacroAssembler::ConvertibleLoadLabel m_propertyStorageLoad;
</span><span class="cx">     AssemblerLabel m_loadOrStore;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITInlinesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITInlines.h (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITInlines.h        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/jit/JITInlines.h        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -72,7 +72,7 @@
</span><span class="cx"> 
</span><span class="cx"> ALWAYS_INLINE void JIT::emitLoadCharacterString(RegisterID src, RegisterID dst, JumpList&amp; failures)
</span><span class="cx"> {
</span><del>-    failures.append(branchPtr(NotEqual, Address(src, JSCell::structureOffset()), TrustedImmPtr(m_vm-&gt;stringStructure.get())));
</del><ins>+    failures.append(branchStructure(NotEqual, Address(src, JSCell::structureIDOffset()), m_vm-&gt;stringStructure.get()));
</ins><span class="cx">     failures.append(branch32(NotEqual, MacroAssembler::Address(src, ThunkHelpers::jsStringLengthOffset()), TrustedImm32(1)));
</span><span class="cx">     loadPtr(MacroAssembler::Address(src, ThunkHelpers::jsStringValueOffset()), dst);
</span><span class="cx">     failures.append(branchTest32(Zero, dst));
</span><span class="lines">@@ -557,7 +557,7 @@
</span><span class="cx"> 
</span><span class="cx"> ALWAYS_INLINE JIT::Jump JIT::checkStructure(RegisterID reg, Structure* structure)
</span><span class="cx"> {
</span><del>-    return branchPtr(NotEqual, Address(reg, JSCell::structureOffset()), TrustedImmPtr(structure));
</del><ins>+    return branchStructure(NotEqual, Address(reg, JSCell::structureIDOffset()), structure);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> ALWAYS_INLINE void JIT::linkSlowCaseIfNotJSCell(Vector&lt;SlowCaseEntry&gt;::iterator&amp; iter, int vReg)
</span><span class="lines">@@ -605,9 +605,9 @@
</span><span class="cx">     jump.linkTo(m_labels[m_bytecodeOffset + relativeOffset], this);
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-ALWAYS_INLINE JIT::Jump JIT::emitJumpIfNotObject(RegisterID structureReg)
</del><ins>+ALWAYS_INLINE JIT::Jump JIT::emitJumpIfCellNotObject(RegisterID cellReg)
</ins><span class="cx"> {
</span><del>-    return branch8(Below, Address(structureReg, Structure::typeInfoTypeOffset()), TrustedImm32(ObjectType));
</del><ins>+    return branch8(Below, Address(cellReg, JSCell::typeInfoTypeOffset()), TrustedImm32(ObjectType));
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> #if ENABLE(SAMPLING_FLAGS)
</span><span class="lines">@@ -678,11 +678,11 @@
</span><span class="cx">     loadPtr(Address(result), scratch);
</span><span class="cx">     storePtr(scratch, Address(allocator, MarkedAllocator::offsetOfFreeListHead()));
</span><span class="cx"> 
</span><del>-    // initialize the object's structure
-    storePtr(structure, Address(result, JSCell::structureOffset()));
-
</del><span class="cx">     // initialize the object's property storage pointer
</span><span class="cx">     storePtr(TrustedImmPtr(0), Address(result, JSObject::butterflyOffset()));
</span><ins>+
+    // initialize the object's structure
+    emitStoreStructureWithTypeInfo(structure, result, scratch);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> inline void JIT::emitValueProfilingSite(ValueProfile* valueProfile)
</span><span class="lines">@@ -718,22 +718,19 @@
</span><span class="cx">     emitValueProfilingSite(m_bytecodeOffset);
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-inline void JIT::emitArrayProfilingSite(RegisterID structureAndIndexingType, RegisterID scratch, ArrayProfile* arrayProfile)
</del><ins>+inline void JIT::emitArrayProfilingSiteWithCell(RegisterID cell, RegisterID indexingType, ArrayProfile* arrayProfile)
</ins><span class="cx"> {
</span><del>-    UNUSED_PARAM(scratch); // We had found this scratch register useful here before, so I will keep it for now.
-    
-    RegisterID structure = structureAndIndexingType;
-    RegisterID indexingType = structureAndIndexingType;
-    
-    if (shouldEmitProfiling())
-        storePtr(structure, arrayProfile-&gt;addressOfLastSeenStructure());
</del><ins>+    if (shouldEmitProfiling()) {
+        load32(MacroAssembler::Address(cell, JSCell::structureIDOffset()), indexingType);
+        store32(indexingType, arrayProfile-&gt;addressOfLastSeenStructureID());
+    }
</ins><span class="cx"> 
</span><del>-    load8(Address(structure, Structure::indexingTypeOffset()), indexingType);
</del><ins>+    load8(Address(cell, JSCell::indexingTypeOffset()), indexingType);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><del>-inline void JIT::emitArrayProfilingSiteForBytecodeIndex(RegisterID structureAndIndexingType, RegisterID scratch, unsigned bytecodeIndex)
</del><ins>+inline void JIT::emitArrayProfilingSiteForBytecodeIndexWithCell(RegisterID cell, RegisterID indexingType, unsigned bytecodeIndex)
</ins><span class="cx"> {
</span><del>-    emitArrayProfilingSite(structureAndIndexingType, scratch, m_codeBlock-&gt;getOrAddArrayProfile(bytecodeIndex));
</del><ins>+    emitArrayProfilingSiteWithCell(cell, indexingType, m_codeBlock-&gt;getOrAddArrayProfile(bytecodeIndex));
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> inline void JIT::emitArrayProfileStoreToHoleSpecialCase(ArrayProfile* arrayProfile)
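Review bot: emitArrayProfilingSiteWithCell writes the structure ID into indexingType before the final load8 reads through cell, so the two registers must be distinct whenever profiling is on; the old signature used one register for both roles, which makes passing the same register twice an easy mistake when converting call sites. Please add ASSERT(cell != indexingType) at the top, and consider a parameter name that shows the second register is an output that is also used as scratch.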
</span><span class="lines">@@ -1082,6 +1079,26 @@
</span><span class="cx"> 
</span><span class="cx"> #endif // USE(JSVALUE32_64)
</span><span class="cx"> 
</span><ins>+template &lt;typename T&gt;
+JIT::Jump JIT::branchStructure(RelationalCondition condition, T leftHandSide, Structure* structure)
+{
+#if USE(JSVALUE64)
+    return branch32(condition, leftHandSide, TrustedImm32(structure-&gt;id()));
+#else
+    return branchPtr(condition, leftHandSide, TrustedImmPtr(structure));
+#endif
+}
+
+template &lt;typename T&gt;
+MacroAssembler::Jump branchStructure(MacroAssembler&amp; jit, MacroAssembler::RelationalCondition condition, T leftHandSide, Structure* structure)
+{
+#if USE(JSVALUE64)
+    return jit.branch32(condition, leftHandSide, MacroAssembler::TrustedImm32(structure-&gt;id()));
+#else
+    return jit.branchPtr(condition, leftHandSide, MacroAssembler::TrustedImmPtr(structure));
+#endif
+}
+
</ins><span class="cx"> } // namespace JSC
</span><span class="cx"> 
</span><span class="cx"> #endif // ENABLE(JIT)
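Review bot: the JIT::branchStructure member and the free branchStructure template that takes a MacroAssembler reference have the same body under both #if arms. Have one forward to the other so the distinction between a 32-bit ID compare and a pointer compare lives in a single place.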
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITOpcodescpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -118,8 +118,7 @@
</span><span class="cx">     emitJumpSlowCaseIfNotJSCell(regT0, baseVal);
</span><span class="cx"> 
</span><span class="cx">     // Check that baseVal 'ImplementsHasInstance'.
</span><del>-    loadPtr(Address(regT0, JSCell::structureOffset()), regT0);
-    addSlowCase(branchTest8(Zero, Address(regT0, Structure::typeInfoFlagsOffset()), TrustedImm32(ImplementsDefaultHasInstance)));
</del><ins>+    addSlowCase(branchTest8(Zero, Address(regT0, JSCell::typeInfoFlagsOffset()), TrustedImm32(ImplementsDefaultHasInstance)));
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void JIT::emit_op_instanceof(Instruction* currentInstruction)
</span><span class="lines">@@ -138,8 +137,7 @@
</span><span class="cx">     emitJumpSlowCaseIfNotJSCell(regT1, proto);
</span><span class="cx"> 
</span><span class="cx">     // Check that prototype is an object
</span><del>-    loadPtr(Address(regT1, JSCell::structureOffset()), regT3);
-    addSlowCase(emitJumpIfNotObject(regT3));
</del><ins>+    addSlowCase(emitJumpIfCellNotObject(regT1));
</ins><span class="cx">     
</span><span class="cx">     // Optimistically load the result true, and start looping.
</span><span class="cx">     // Initially, regT1 still contains proto and regT2 still contains value.
</span><span class="lines">@@ -149,7 +147,7 @@
</span><span class="cx"> 
</span><span class="cx">     // Load the prototype of the object in regT2.  If this is equal to regT1 - WIN!
</span><span class="cx">     // Otherwise, check if we've hit null - if we have then drop out of the loop, if not go again.
</span><del>-    loadPtr(Address(regT2, JSCell::structureOffset()), regT2);
</del><ins>+    emitLoadStructure(regT2, regT2, regT3);
</ins><span class="cx">     load64(Address(regT2, Structure::prototypeOffset()), regT2);
</span><span class="cx">     Jump isInstance = branchPtr(Equal, regT2, regT1);
</span><span class="cx">     emitJumpIfJSCell(regT2).linkTo(loop, this);
</span><span class="lines">@@ -174,12 +172,12 @@
</span><span class="cx">     Jump done = jump();
</span><span class="cx">     
</span><span class="cx">     isCell.link(this);
</span><del>-    loadPtr(Address(regT0, JSCell::structureOffset()), regT1);
-    Jump isMasqueradesAsUndefined = branchTest8(NonZero, Address(regT1, Structure::typeInfoFlagsOffset()), TrustedImm32(MasqueradesAsUndefined));
</del><ins>+    Jump isMasqueradesAsUndefined = branchTest8(NonZero, Address(regT0, JSCell::typeInfoFlagsOffset()), TrustedImm32(MasqueradesAsUndefined));
</ins><span class="cx">     move(TrustedImm32(0), regT0);
</span><span class="cx">     Jump notMasqueradesAsUndefined = jump();
</span><span class="cx"> 
</span><span class="cx">     isMasqueradesAsUndefined.link(this);
</span><ins>+    emitLoadStructure(regT0, regT1, regT2);
</ins><span class="cx">     move(TrustedImmPtr(m_codeBlock-&gt;globalObject()), regT0);
</span><span class="cx">     loadPtr(Address(regT1, Structure::globalObjectOffset()), regT1);
</span><span class="cx">     comparePtr(Equal, regT0, regT1, regT0);
</span><span class="lines">@@ -221,8 +219,7 @@
</span><span class="cx">     emitGetVirtualRegister(value, regT0);
</span><span class="cx">     Jump isNotCell = emitJumpIfNotJSCell(regT0);
</span><span class="cx">     
</span><del>-    loadPtr(Address(regT0, JSCell::structureOffset()), regT1);
-    compare8(Equal, Address(regT1, Structure::typeInfoTypeOffset()), TrustedImm32(StringType), regT0);
</del><ins>+    compare8(Equal, Address(regT0, JSCell::typeInfoTypeOffset()), TrustedImm32(StringType), regT0);
</ins><span class="cx">     emitTagAsBoolImmediate(regT0);
</span><span class="cx">     Jump done = jump();
</span><span class="cx">     
</span><span class="lines">@@ -277,8 +274,7 @@
</span><span class="cx">     // Return the result in %eax.
</span><span class="cx">     emitGetVirtualRegister(currentInstruction[1].u.operand, returnValueGPR);
</span><span class="cx">     Jump notJSCell = emitJumpIfNotJSCell(returnValueGPR);
</span><del>-    loadPtr(Address(returnValueGPR, JSCell::structureOffset()), regT2);
-    Jump notObject = emitJumpIfNotObject(regT2);
</del><ins>+    Jump notObject = emitJumpIfCellNotObject(returnValueGPR);
</ins><span class="cx"> 
</span><span class="cx">     // Return.
</span><span class="cx">     emitFunctionEpilogue();
</span><span class="lines">@@ -302,7 +298,9 @@
</span><span class="cx">     emitGetVirtualRegister(src, regT0);
</span><span class="cx">     
</span><span class="cx">     Jump isImm = emitJumpIfNotJSCell(regT0);
</span><del>-    addSlowCase(branchPtr(NotEqual, Address(regT0, JSCell::structureOffset()), TrustedImmPtr(m_vm-&gt;stringStructure.get())));
</del><ins>+    addSlowCase(branchStructure(NotEqual, 
+        Address(regT0, JSCell::structureIDOffset()), 
+        m_vm-&gt;stringStructure.get()));
</ins><span class="cx">     isImm.link(this);
</span><span class="cx"> 
</span><span class="cx">     if (dst != src)
</span><span class="lines">@@ -353,8 +351,8 @@
</span><span class="cx">     Jump isImmediate = emitJumpIfNotJSCell(regT0);
</span><span class="cx"> 
</span><span class="cx">     // First, handle JSCell cases - check MasqueradesAsUndefined bit on the structure.
</span><del>-    loadPtr(Address(regT0, JSCell::structureOffset()), regT2);
-    Jump isNotMasqueradesAsUndefined = branchTest8(Zero, Address(regT2, Structure::typeInfoFlagsOffset()), TrustedImm32(MasqueradesAsUndefined));
</del><ins>+    Jump isNotMasqueradesAsUndefined = branchTest8(Zero, Address(regT0, JSCell::typeInfoFlagsOffset()), TrustedImm32(MasqueradesAsUndefined));
+    emitLoadStructure(regT0, regT2, regT1);
</ins><span class="cx">     move(TrustedImmPtr(m_codeBlock-&gt;globalObject()), regT0);
</span><span class="cx">     addJump(branchPtr(Equal, Address(regT2, Structure::globalObjectOffset()), regT0), target);
</span><span class="cx">     Jump masqueradesGlobalObjectIsForeign = jump();
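Review bot: the comment "check MasqueradesAsUndefined bit on the structure" is now stale, because the branchTest8 reads the flag from the cell header at JSCell::typeInfoFlagsOffset() and the Structure is only loaded afterwards for the globalObject comparison. Please reword the comment to match, and mention that emitLoadStructure now clobbers regT1 as its scratch register on this path.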
</span><span class="lines">@@ -376,8 +374,8 @@
</span><span class="cx">     Jump isImmediate = emitJumpIfNotJSCell(regT0);
</span><span class="cx"> 
</span><span class="cx">     // First, handle JSCell cases - check MasqueradesAsUndefined bit on the structure.
</span><del>-    loadPtr(Address(regT0, JSCell::structureOffset()), regT2);
-    addJump(branchTest8(Zero, Address(regT2, Structure::typeInfoFlagsOffset()), TrustedImm32(MasqueradesAsUndefined)), target);
</del><ins>+    addJump(branchTest8(Zero, Address(regT0, JSCell::typeInfoFlagsOffset()), TrustedImm32(MasqueradesAsUndefined)), target);
+    emitLoadStructure(regT0, regT2, regT1);
</ins><span class="cx">     move(TrustedImmPtr(m_codeBlock-&gt;globalObject()), regT0);
</span><span class="cx">     addJump(branchPtr(NotEqual, Address(regT2, Structure::globalObjectOffset()), regT0), target);
</span><span class="cx">     Jump wasNotImmediate = jump();
</span><span class="lines">@@ -472,10 +470,8 @@
</span><span class="cx">     emitGetVirtualRegister(base, regT0);
</span><span class="cx">     if (!m_codeBlock-&gt;isKnownNotImmediate(base))
</span><span class="cx">         isNotObject.append(emitJumpIfNotJSCell(regT0));
</span><del>-    if (base != m_codeBlock-&gt;thisRegister().offset() || m_codeBlock-&gt;isStrictMode()) {
-        loadPtr(Address(regT0, JSCell::structureOffset()), regT2);
-        isNotObject.append(emitJumpIfNotObject(regT2));
-    }
</del><ins>+    if (base != m_codeBlock-&gt;thisRegister().offset() || m_codeBlock-&gt;isStrictMode())
+        isNotObject.append(emitJumpIfCellNotObject(regT0));
</ins><span class="cx"> 
</span><span class="cx">     // We could inline the case where you have a valid cache, but
</span><span class="cx">     // this call doesn't seem to be hot.
</span><span class="lines">@@ -529,7 +525,7 @@
</span><span class="cx">     emitGetVirtualRegister(base, regT0);
</span><span class="cx"> 
</span><span class="cx">     // Test base's structure
</span><del>-    loadPtr(Address(regT0, JSCell::structureOffset()), regT2);
</del><ins>+    emitLoadStructure(regT0, regT2, regT3);
</ins><span class="cx">     callHasProperty.append(branchPtr(NotEqual, regT2, Address(Address(regT1, OBJECT_OFFSETOF(JSPropertyNameIterator, m_cachedStructure)))));
</span><span class="cx"> 
</span><span class="cx">     // Test base's prototype chain
</span><span class="lines">@@ -540,7 +536,7 @@
</span><span class="cx">     Label checkPrototype(this);
</span><span class="cx">     load64(Address(regT2, Structure::prototypeOffset()), regT2);
</span><span class="cx">     callHasProperty.append(emitJumpIfNotJSCell(regT2));
</span><del>-    loadPtr(Address(regT2, JSCell::structureOffset()), regT2);
</del><ins>+    emitLoadStructure(regT2, regT2, regT1);
</ins><span class="cx">     callHasProperty.append(branchPtr(NotEqual, regT2, Address(regT3)));
</span><span class="cx">     addPtr(TrustedImm32(sizeof(Structure*)), regT3);
</span><span class="cx">     branchTestPtr(NonZero, Address(regT3)).linkTo(checkPrototype, this);
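Review bot: emitLoadStructure(regT2, regT2, regT1) uses regT1 as scratch inside the prototype loop, but the structure test just above this code addresses the JSPropertyNameIterator through regT1 (Address(regT1, OBJECT_OFFSETOF(JSPropertyNameIterator, m_cachedStructure))). Please confirm nothing after the loop still expects the iterator in regT1, or pick a scratch register that is known to be dead here.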
</span><span class="lines">@@ -710,12 +706,12 @@
</span><span class="cx">     emitGetVirtualRegister(src1, regT0);
</span><span class="cx">     Jump isImmediate = emitJumpIfNotJSCell(regT0);
</span><span class="cx"> 
</span><del>-    loadPtr(Address(regT0, JSCell::structureOffset()), regT2);
-    Jump isMasqueradesAsUndefined = branchTest8(NonZero, Address(regT2, Structure::typeInfoFlagsOffset()), TrustedImm32(MasqueradesAsUndefined));
</del><ins>+    Jump isMasqueradesAsUndefined = branchTest8(NonZero, Address(regT0, JSCell::typeInfoFlagsOffset()), TrustedImm32(MasqueradesAsUndefined));
</ins><span class="cx">     move(TrustedImm32(0), regT0);
</span><span class="cx">     Jump wasNotMasqueradesAsUndefined = jump();
</span><span class="cx"> 
</span><span class="cx">     isMasqueradesAsUndefined.link(this);
</span><ins>+    emitLoadStructure(regT0, regT2, regT1);
</ins><span class="cx">     move(TrustedImmPtr(m_codeBlock-&gt;globalObject()), regT0);
</span><span class="cx">     loadPtr(Address(regT2, Structure::globalObjectOffset()), regT2);
</span><span class="cx">     comparePtr(Equal, regT0, regT2, regT0);
</span><span class="lines">@@ -742,12 +738,12 @@
</span><span class="cx">     emitGetVirtualRegister(src1, regT0);
</span><span class="cx">     Jump isImmediate = emitJumpIfNotJSCell(regT0);
</span><span class="cx"> 
</span><del>-    loadPtr(Address(regT0, JSCell::structureOffset()), regT2);
-    Jump isMasqueradesAsUndefined = branchTest8(NonZero, Address(regT2, Structure::typeInfoFlagsOffset()), TrustedImm32(MasqueradesAsUndefined));
</del><ins>+    Jump isMasqueradesAsUndefined = branchTest8(NonZero, Address(regT0, JSCell::typeInfoFlagsOffset()), TrustedImm32(MasqueradesAsUndefined));
</ins><span class="cx">     move(TrustedImm32(1), regT0);
</span><span class="cx">     Jump wasNotMasqueradesAsUndefined = jump();
</span><span class="cx"> 
</span><span class="cx">     isMasqueradesAsUndefined.link(this);
</span><ins>+    emitLoadStructure(regT0, regT2, regT1);
</ins><span class="cx">     move(TrustedImmPtr(m_codeBlock-&gt;globalObject()), regT0);
</span><span class="cx">     loadPtr(Address(regT2, Structure::globalObjectOffset()), regT2);
</span><span class="cx">     comparePtr(NotEqual, regT0, regT2, regT0);
</span><span class="lines">@@ -815,11 +811,12 @@
</span><span class="cx">     emitGetVirtualRegister(currentInstruction[1].u.operand, regT1);
</span><span class="cx"> 
</span><span class="cx">     emitJumpSlowCaseIfNotJSCell(regT1);
</span><del>-    loadPtr(Address(regT1, JSCell::structureOffset()), regT0);
</del><span class="cx"> 
</span><del>-    addSlowCase(branch8(NotEqual, Address(regT0, Structure::typeInfoTypeOffset()), TrustedImm32(FinalObjectType)));
</del><ins>+    addSlowCase(branch8(NotEqual, Address(regT1, JSCell::typeInfoTypeOffset()), TrustedImm32(FinalObjectType)));
</ins><span class="cx">     loadPtr(cachedStructure, regT2);
</span><del>-    addSlowCase(branchPtr(NotEqual, regT0, regT2));
</del><ins>+    addSlowCase(branchTestPtr(Zero, regT2));
+    load32(Address(regT2, Structure::structureIDOffset()), regT2);
+    addSlowCase(branch32(NotEqual, Address(regT1, JSCell::structureIDOffset()), regT2));
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void JIT::emit_op_get_callee(Instruction* currentInstruction)
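Review bot: The new addSlowCase(branchTestPtr(Zero, regT2)) is undocumented, and it is the only thing keeping the following load32(Address(regT2, Structure::structureIDOffset()), regT2) from reading through a null cachedStructure. The old code compared pointers and never dereferenced regT2, so this guard is new behaviour; please add a comment saying so. The slow-path list must also gain exactly one entry, in the same order, to match (the linkSlowCase added in the next hunk appears to be that entry).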
</span><span class="lines">@@ -893,6 +890,7 @@
</span><span class="cx">     linkSlowCase(iter);
</span><span class="cx">     linkSlowCase(iter);
</span><span class="cx">     linkSlowCase(iter);
</span><ins>+    linkSlowCase(iter);
</ins><span class="cx"> 
</span><span class="cx">     JITSlowPathCall slowPathCall(this, currentInstruction, slow_path_to_this);
</span><span class="cx">     slowPathCall.call();
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITOpcodes32_64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -210,8 +210,7 @@
</span><span class="cx">     emitJumpSlowCaseIfNotJSCell(baseVal);
</span><span class="cx">     
</span><span class="cx">     // Check that baseVal 'ImplementsHasInstance'.
</span><del>-    loadPtr(Address(regT0, JSCell::structureOffset()), regT0);
-    addSlowCase(branchTest8(Zero, Address(regT0, Structure::typeInfoFlagsOffset()), TrustedImm32(ImplementsDefaultHasInstance)));
</del><ins>+    addSlowCase(branchTest8(Zero, Address(regT0, JSCell::typeInfoFlagsOffset()), TrustedImm32(ImplementsDefaultHasInstance)));
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void JIT::emit_op_instanceof(Instruction* currentInstruction)
</span><span class="lines">@@ -230,8 +229,7 @@
</span><span class="cx">     emitJumpSlowCaseIfNotJSCell(proto);
</span><span class="cx">     
</span><span class="cx">     // Check that prototype is an object
</span><del>-    loadPtr(Address(regT1, JSCell::structureOffset()), regT3);
-    addSlowCase(emitJumpIfNotObject(regT3));
</del><ins>+    addSlowCase(emitJumpIfCellNotObject(regT1));
</ins><span class="cx"> 
</span><span class="cx">     // Optimistically load the result true, and start looping.
</span><span class="cx">     // Initially, regT1 still contains proto and regT2 still contains value.
</span><span class="lines">@@ -241,7 +239,7 @@
</span><span class="cx"> 
</span><span class="cx">     // Load the prototype of the cell in regT2.  If this is equal to regT1 - WIN!
</span><span class="cx">     // Otherwise, check if we've hit null - if we have then drop out of the loop, if not go again.
</span><del>-    loadPtr(Address(regT2, JSCell::structureOffset()), regT2);
</del><ins>+    loadPtr(Address(regT2, JSCell::structureIDOffset()), regT2);
</ins><span class="cx">     load32(Address(regT2, Structure::prototypeOffset() + OBJECT_OFFSETOF(JSValue, u.asBits.payload)), regT2);
</span><span class="cx">     Jump isInstance = branchPtr(Equal, regT2, regT1);
</span><span class="cx">     branchTest32(NonZero, regT2).linkTo(loop, this);
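Review bot: loadPtr(Address(regT2, JSCell::structureIDOffset()), regT2) is followed directly by a load from regT2 + Structure::prototypeOffset(), so the value read at structureIDOffset is treated as a Structure pointer. That is only correct where the structure ID is the pointer itself. The 64-bit file goes through emitLoadStructure for the same step; using the helper here as well, or adding a comment or static assertion that the ID is pointer-sized and pointer-valued on this configuration, would keep the two files from diverging silently.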
</span><span class="lines">@@ -297,12 +295,12 @@
</span><span class="cx">     Jump done = jump();
</span><span class="cx">     
</span><span class="cx">     isCell.link(this);
</span><del>-    loadPtr(Address(regT0, JSCell::structureOffset()), regT1);
-    Jump isMasqueradesAsUndefined = branchTest8(NonZero, Address(regT1, Structure::typeInfoFlagsOffset()), TrustedImm32(MasqueradesAsUndefined));
</del><ins>+    Jump isMasqueradesAsUndefined = branchTest8(NonZero, Address(regT0, JSCell::typeInfoFlagsOffset()), TrustedImm32(MasqueradesAsUndefined));
</ins><span class="cx">     move(TrustedImm32(0), regT0);
</span><span class="cx">     Jump notMasqueradesAsUndefined = jump();
</span><span class="cx">     
</span><span class="cx">     isMasqueradesAsUndefined.link(this);
</span><ins>+    loadPtr(Address(regT0, JSCell::structureIDOffset()), regT1);
</ins><span class="cx">     move(TrustedImmPtr(m_codeBlock-&gt;globalObject()), regT0);
</span><span class="cx">     loadPtr(Address(regT1, Structure::globalObjectOffset()), regT1);
</span><span class="cx">     compare32(Equal, regT0, regT1, regT0);
</span><span class="lines">@@ -341,8 +339,7 @@
</span><span class="cx">     emitLoad(value, regT1, regT0);
</span><span class="cx">     Jump isNotCell = branch32(NotEqual, regT1, TrustedImm32(JSValue::CellTag));
</span><span class="cx">     
</span><del>-    loadPtr(Address(regT0, JSCell::structureOffset()), regT1);
-    compare8(Equal, Address(regT1, Structure::typeInfoTypeOffset()), TrustedImm32(StringType), regT0);
</del><ins>+    compare8(Equal, Address(regT0, JSCell::typeInfoTypeOffset()), TrustedImm32(StringType), regT0);
</ins><span class="cx">     Jump done = jump();
</span><span class="cx">     
</span><span class="cx">     isNotCell.link(this);
</span><span class="lines">@@ -381,7 +378,7 @@
</span><span class="cx">     emitLoad(src, regT1, regT0);
</span><span class="cx"> 
</span><span class="cx">     Jump isImm = branch32(NotEqual, regT1, TrustedImm32(JSValue::CellTag));
</span><del>-    addSlowCase(branchPtr(NotEqual, Address(regT0, JSCell::structureOffset()), TrustedImmPtr(m_vm-&gt;stringStructure.get())));
</del><ins>+    addSlowCase(branchPtr(NotEqual, Address(regT0, JSCell::structureIDOffset()), TrustedImmPtr(m_vm-&gt;stringStructure.get())));
</ins><span class="cx">     isImm.link(this);
</span><span class="cx"> 
</span><span class="cx">     if (dst != src)
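Review bot: The string check compares the word at JSCell::structureIDOffset() against TrustedImmPtr(m_vm-&gt;stringStructure.get()) with a raw branchPtr, while JITPropertyAccess.cpp in this same change routes the identical comparison through branchStructure. Please use the helper here and in the other stringStructure comparisons in this file, so a later change to the ID encoding cannot leave these type checks comparing an ID against a pointer.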
</span><span class="lines">@@ -501,9 +498,8 @@
</span><span class="cx"> 
</span><span class="cx">     Jump isImmediate = branch32(NotEqual, regT1, TrustedImm32(JSValue::CellTag));
</span><span class="cx"> 
</span><del>-    // First, handle JSCell cases - check MasqueradesAsUndefined bit on the structure.
-    loadPtr(Address(regT0, JSCell::structureOffset()), regT2);
-    Jump isNotMasqueradesAsUndefined = branchTest8(Zero, Address(regT2, Structure::typeInfoFlagsOffset()), TrustedImm32(MasqueradesAsUndefined));
</del><ins>+    Jump isNotMasqueradesAsUndefined = branchTest8(Zero, Address(regT0, JSCell::typeInfoFlagsOffset()), TrustedImm32(MasqueradesAsUndefined));
+    loadPtr(Address(regT0, JSCell::structureIDOffset()), regT2);
</ins><span class="cx">     move(TrustedImmPtr(m_codeBlock-&gt;globalObject()), regT0);
</span><span class="cx">     addJump(branchPtr(Equal, Address(regT2, Structure::globalObjectOffset()), regT0), target);
</span><span class="cx">     Jump masqueradesGlobalObjectIsForeign = jump();
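Review bot: The comment "First, handle JSCell cases - check MasqueradesAsUndefined bit on the structure." is deleted here rather than updated. The JSCell case is still handled first; only the location of the flag changed, to JSCell::typeInfoFlagsOffset(). Please keep the comment with the wording corrected to say the bit is read from the cell, and note that regT2 is now loaded only on the masquerading path. The same applies to the next hunk.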
</span><span class="lines">@@ -527,9 +523,8 @@
</span><span class="cx"> 
</span><span class="cx">     Jump isImmediate = branch32(NotEqual, regT1, TrustedImm32(JSValue::CellTag));
</span><span class="cx"> 
</span><del>-    // First, handle JSCell cases - check MasqueradesAsUndefined bit on the structure.
-    loadPtr(Address(regT0, JSCell::structureOffset()), regT2);
-    addJump(branchTest8(Zero, Address(regT2, Structure::typeInfoFlagsOffset()), TrustedImm32(MasqueradesAsUndefined)), target);
</del><ins>+    addJump(branchTest8(Zero, Address(regT0, JSCell::typeInfoFlagsOffset()), TrustedImm32(MasqueradesAsUndefined)), target);
+    loadPtr(Address(regT0, JSCell::structureIDOffset()), regT2);
</ins><span class="cx">     move(TrustedImmPtr(m_codeBlock-&gt;globalObject()), regT0);
</span><span class="cx">     addJump(branchPtr(NotEqual, Address(regT2, Structure::globalObjectOffset()), regT0), target);
</span><span class="cx">     Jump wasNotImmediate = jump();
</span><span class="lines">@@ -583,8 +578,8 @@
</span><span class="cx">     genericCase.append(getSlowCase(iter)); // tags not equal
</span><span class="cx"> 
</span><span class="cx">     linkSlowCase(iter); // tags equal and JSCell
</span><del>-    genericCase.append(branchPtr(NotEqual, Address(regT0, JSCell::structureOffset()), TrustedImmPtr(m_vm-&gt;stringStructure.get())));
-    genericCase.append(branchPtr(NotEqual, Address(regT2, JSCell::structureOffset()), TrustedImmPtr(m_vm-&gt;stringStructure.get())));
</del><ins>+    genericCase.append(branchPtr(NotEqual, Address(regT0, JSCell::structureIDOffset()), TrustedImmPtr(m_vm-&gt;stringStructure.get())));
+    genericCase.append(branchPtr(NotEqual, Address(regT2, JSCell::structureIDOffset()), TrustedImmPtr(m_vm-&gt;stringStructure.get())));
</ins><span class="cx"> 
</span><span class="cx">     // String case.
</span><span class="cx">     callOperation(operationCompareStringEq, regT0, regT2);
</span><span class="lines">@@ -627,8 +622,8 @@
</span><span class="cx">     genericCase.append(getSlowCase(iter)); // tags not equal
</span><span class="cx"> 
</span><span class="cx">     linkSlowCase(iter); // tags equal and JSCell
</span><del>-    genericCase.append(branchPtr(NotEqual, Address(regT0, JSCell::structureOffset()), TrustedImmPtr(m_vm-&gt;stringStructure.get())));
-    genericCase.append(branchPtr(NotEqual, Address(regT2, JSCell::structureOffset()), TrustedImmPtr(m_vm-&gt;stringStructure.get())));
</del><ins>+    genericCase.append(branchPtr(NotEqual, Address(regT0, JSCell::structureIDOffset()), TrustedImmPtr(m_vm-&gt;stringStructure.get())));
+    genericCase.append(branchPtr(NotEqual, Address(regT2, JSCell::structureIDOffset()), TrustedImmPtr(m_vm-&gt;stringStructure.get())));
</ins><span class="cx"> 
</span><span class="cx">     // String case.
</span><span class="cx">     callOperation(operationCompareStringEq, regT0, regT2);
</span><span class="lines">@@ -658,8 +653,8 @@
</span><span class="cx"> 
</span><span class="cx">     // Jump to a slow case if both are strings.
</span><span class="cx">     Jump notCell = branch32(NotEqual, regT1, TrustedImm32(JSValue::CellTag));
</span><del>-    Jump firstNotString = branchPtr(NotEqual, Address(regT0, JSCell::structureOffset()), TrustedImmPtr(m_vm-&gt;stringStructure.get()));
-    addSlowCase(branchPtr(Equal, Address(regT2, JSCell::structureOffset()), TrustedImmPtr(m_vm-&gt;stringStructure.get())));
</del><ins>+    Jump firstNotString = branchPtr(NotEqual, Address(regT0, JSCell::structureIDOffset()), TrustedImmPtr(m_vm-&gt;stringStructure.get()));
+    addSlowCase(branchPtr(Equal, Address(regT2, JSCell::structureIDOffset()), TrustedImmPtr(m_vm-&gt;stringStructure.get())));
</ins><span class="cx">     notCell.link(this);
</span><span class="cx">     firstNotString.link(this);
</span><span class="cx"> 
</span><span class="lines">@@ -710,12 +705,12 @@
</span><span class="cx">     emitLoad(src, regT1, regT0);
</span><span class="cx">     Jump isImmediate = branch32(NotEqual, regT1, TrustedImm32(JSValue::CellTag));
</span><span class="cx"> 
</span><del>-    loadPtr(Address(regT0, JSCell::structureOffset()), regT2);
-    Jump isMasqueradesAsUndefined = branchTest8(NonZero, Address(regT2, Structure::typeInfoFlagsOffset()), TrustedImm32(MasqueradesAsUndefined));
</del><ins>+    Jump isMasqueradesAsUndefined = branchTest8(NonZero, Address(regT0, JSCell::typeInfoFlagsOffset()), TrustedImm32(MasqueradesAsUndefined));
</ins><span class="cx">     move(TrustedImm32(0), regT1);
</span><span class="cx">     Jump wasNotMasqueradesAsUndefined = jump();
</span><span class="cx"> 
</span><span class="cx">     isMasqueradesAsUndefined.link(this);
</span><ins>+    loadPtr(Address(regT0, JSCell::structureIDOffset()), regT2);
</ins><span class="cx">     move(TrustedImmPtr(m_codeBlock-&gt;globalObject()), regT0);
</span><span class="cx">     loadPtr(Address(regT2, Structure::globalObjectOffset()), regT2);
</span><span class="cx">     compare32(Equal, regT0, regT2, regT1);
</span><span class="lines">@@ -741,12 +736,12 @@
</span><span class="cx">     emitLoad(src, regT1, regT0);
</span><span class="cx">     Jump isImmediate = branch32(NotEqual, regT1, TrustedImm32(JSValue::CellTag));
</span><span class="cx"> 
</span><del>-    loadPtr(Address(regT0, JSCell::structureOffset()), regT2);
-    Jump isMasqueradesAsUndefined = branchTest8(NonZero, Address(regT2, Structure::typeInfoFlagsOffset()), TrustedImm32(MasqueradesAsUndefined));
</del><ins>+    Jump isMasqueradesAsUndefined = branchTest8(NonZero, Address(regT0, JSCell::typeInfoFlagsOffset()), TrustedImm32(MasqueradesAsUndefined));
</ins><span class="cx">     move(TrustedImm32(1), regT1);
</span><span class="cx">     Jump wasNotMasqueradesAsUndefined = jump();
</span><span class="cx"> 
</span><span class="cx">     isMasqueradesAsUndefined.link(this);
</span><ins>+    loadPtr(Address(regT0, JSCell::structureIDOffset()), regT2);
</ins><span class="cx">     move(TrustedImmPtr(m_codeBlock-&gt;globalObject()), regT0);
</span><span class="cx">     loadPtr(Address(regT2, Structure::globalObjectOffset()), regT2);
</span><span class="cx">     compare32(NotEqual, regT0, regT2, regT1);
</span><span class="lines">@@ -785,10 +780,8 @@
</span><span class="cx">     emitLoad(base, regT1, regT0);
</span><span class="cx">     if (!m_codeBlock-&gt;isKnownNotImmediate(base))
</span><span class="cx">         isNotObject.append(branch32(NotEqual, regT1, TrustedImm32(JSValue::CellTag)));
</span><del>-    if (VirtualRegister(base) != m_codeBlock-&gt;thisRegister() || m_codeBlock-&gt;isStrictMode()) {
-        loadPtr(Address(regT0, JSCell::structureOffset()), regT2);
-        isNotObject.append(emitJumpIfNotObject(regT2));
-    }
</del><ins>+    if (VirtualRegister(base) != m_codeBlock-&gt;thisRegister() || m_codeBlock-&gt;isStrictMode())
+        isNotObject.append(emitJumpIfCellNotObject(regT0));
</ins><span class="cx"> 
</span><span class="cx">     // We could inline the case where you have a valid cache, but
</span><span class="cx">     // this call doesn't seem to be hot.
</span><span class="lines">@@ -841,7 +834,7 @@
</span><span class="cx">     loadPtr(payloadFor(base), regT0);
</span><span class="cx"> 
</span><span class="cx">     // Test base's structure
</span><del>-    loadPtr(Address(regT0, JSCell::structureOffset()), regT2);
</del><ins>+    loadPtr(Address(regT0, JSCell::structureIDOffset()), regT2);
</ins><span class="cx">     callHasProperty.append(branchPtr(NotEqual, regT2, Address(Address(regT1, OBJECT_OFFSETOF(JSPropertyNameIterator, m_cachedStructure)))));
</span><span class="cx"> 
</span><span class="cx">     // Test base's prototype chain
</span><span class="lines">@@ -852,7 +845,7 @@
</span><span class="cx">     Label checkPrototype(this);
</span><span class="cx">     callHasProperty.append(branch32(Equal, Address(regT2, Structure::prototypeOffset() + OBJECT_OFFSETOF(JSValue, u.asBits.tag)), TrustedImm32(JSValue::NullTag)));
</span><span class="cx">     loadPtr(Address(regT2, Structure::prototypeOffset() + OBJECT_OFFSETOF(JSValue, u.asBits.payload)), regT2);
</span><del>-    loadPtr(Address(regT2, JSCell::structureOffset()), regT2);
</del><ins>+    loadPtr(Address(regT2, JSCell::structureIDOffset()), regT2);
</ins><span class="cx">     callHasProperty.append(branchPtr(NotEqual, regT2, Address(regT3)));
</span><span class="cx">     addPtr(TrustedImm32(sizeof(Structure*)), regT3);
</span><span class="cx">     branchTestPtr(NonZero, Address(regT3)).linkTo(checkPrototype, this);
</span><span class="lines">@@ -1091,8 +1084,8 @@
</span><span class="cx">     emitLoad(thisRegister, regT3, regT2);
</span><span class="cx"> 
</span><span class="cx">     addSlowCase(branch32(NotEqual, regT3, TrustedImm32(JSValue::CellTag)));
</span><del>-    loadPtr(Address(regT2, JSCell::structureOffset()), regT0);
-    addSlowCase(branch8(NotEqual, Address(regT0, Structure::typeInfoTypeOffset()), TrustedImm32(FinalObjectType)));
</del><ins>+    addSlowCase(branch8(NotEqual, Address(regT2, JSCell::typeInfoTypeOffset()), TrustedImm32(FinalObjectType)));
+    loadPtr(Address(regT2, JSCell::structureIDOffset()), regT0);
</ins><span class="cx">     loadPtr(cachedStructure, regT2);
</span><span class="cx">     addSlowCase(branchPtr(NotEqual, regT0, regT2));
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITOperationscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITOperations.cpp (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITOperations.cpp        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/jit/JITOperations.cpp        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -439,7 +439,7 @@
</span><span class="cx">     VM&amp; vm = exec-&gt;vm();
</span><span class="cx">     NativeCallFrameTracer tracer(&amp;vm, exec);
</span><span class="cx"> 
</span><del>-    ASSERT(structure-&gt;outOfLineCapacity() &gt; base-&gt;structure()-&gt;outOfLineCapacity());
</del><ins>+    ASSERT(structure-&gt;outOfLineCapacity() &gt; base-&gt;structure(vm)-&gt;outOfLineCapacity());
</ins><span class="cx">     ASSERT(!vm.heap.storageAllocator().fastPathShouldSucceed(structure-&gt;outOfLineCapacity() * sizeof(JSValue)));
</span><span class="cx">     base-&gt;setStructureAndReallocateStorageIfNecessary(vm, structure);
</span><span class="cx">     base-&gt;putDirect(vm, offset, JSValue::decode(value));
</span><span class="lines">@@ -447,6 +447,7 @@
</span><span class="cx"> 
</span><span class="cx"> static void putByVal(CallFrame* callFrame, JSValue baseValue, JSValue subscript, JSValue value)
</span><span class="cx"> {
</span><ins>+    VM&amp; vm = callFrame-&gt;vm();
</ins><span class="cx">     if (LIKELY(subscript.isUInt32())) {
</span><span class="cx">         uint32_t i = subscript.asUInt32();
</span><span class="cx">         if (baseValue.isObject()) {
</span><span class="lines">@@ -454,7 +455,7 @@
</span><span class="cx">             if (object-&gt;canSetIndexQuickly(i))
</span><span class="cx">                 object-&gt;setIndexQuickly(callFrame-&gt;vm(), i, value);
</span><span class="cx">             else
</span><del>-                object-&gt;methodTable()-&gt;putByIndex(object, callFrame, i, value, callFrame-&gt;codeBlock()-&gt;isStrictMode());
</del><ins>+                object-&gt;methodTable(vm)-&gt;putByIndex(object, callFrame, i, value, callFrame-&gt;codeBlock()-&gt;isStrictMode());
</ins><span class="cx">         } else
</span><span class="cx">             baseValue.putByIndex(callFrame, i, value, callFrame-&gt;codeBlock()-&gt;isStrictMode());
</span><span class="cx">     } else if (isName(subscript)) {
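Review bot: putByVal now has a local VM&amp; vm, but the unchanged line object-&gt;setIndexQuickly(callFrame-&gt;vm(), i, value) just above the edited call still fetches the VM from the call frame. Please switch it to vm so the function has one source for the VM and the two branches of the if read the same way.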
</span><span class="lines">@@ -504,9 +505,9 @@
</span><span class="cx">         ByValInfo&amp; byValInfo = exec-&gt;codeBlock()-&gt;getByValInfo(bytecodeOffset - 1);
</span><span class="cx">         ASSERT(!byValInfo.stubRoutine);
</span><span class="cx"> 
</span><del>-        if (hasOptimizableIndexing(object-&gt;structure())) {
</del><ins>+        if (hasOptimizableIndexing(object-&gt;structure(vm))) {
</ins><span class="cx">             // Attempt to optimize.
</span><del>-            JITArrayMode arrayMode = jitArrayModeForStructure(object-&gt;structure());
</del><ins>+            JITArrayMode arrayMode = jitArrayModeForStructure(object-&gt;structure(vm));
</ins><span class="cx">             if (arrayMode != byValInfo.arrayMode) {
</span><span class="cx">                 JIT::compilePutByVal(&amp;vm, exec-&gt;codeBlock(), &amp;byValInfo, ReturnAddressPtr(OUR_RETURN_ADDRESS), arrayMode);
</span><span class="cx">                 didOptimize = true;
</span><span class="lines">@@ -520,7 +521,7 @@
</span><span class="cx">             // where we see non-index-intercepting objects, this gives 10 iterations worth of
</span><span class="cx">             // opportunity for us to observe that the get_by_val may be polymorphic.
</span><span class="cx">             if (++byValInfo.slowPathCount &gt;= 10
</span><del>-                || object-&gt;structure()-&gt;typeInfo().interceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero()) {
</del><ins>+                || object-&gt;structure(vm)-&gt;typeInfo().interceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero()) {
</ins><span class="cx">                 // Don't ever try to optimize.
</span><span class="cx">                 RepatchBuffer repatchBuffer(exec-&gt;codeBlock());
</span><span class="cx">                 repatchBuffer.relinkCallerToFunction(ReturnAddressPtr(OUR_RETURN_ADDRESS), FunctionPtr(operationPutByValGeneric));
</span><span class="lines">@@ -550,9 +551,9 @@
</span><span class="cx">         ByValInfo&amp; byValInfo = callFrame-&gt;codeBlock()-&gt;getByValInfo(bytecodeOffset - 1);
</span><span class="cx">         ASSERT(!byValInfo.stubRoutine);
</span><span class="cx">         
</span><del>-        if (hasOptimizableIndexing(object-&gt;structure())) {
</del><ins>+        if (hasOptimizableIndexing(object-&gt;structure(vm))) {
</ins><span class="cx">             // Attempt to optimize.
</span><del>-            JITArrayMode arrayMode = jitArrayModeForStructure(object-&gt;structure());
</del><ins>+            JITArrayMode arrayMode = jitArrayModeForStructure(object-&gt;structure(vm));
</ins><span class="cx">             if (arrayMode != byValInfo.arrayMode) {
</span><span class="cx">                 JIT::compileDirectPutByVal(&amp;vm, callFrame-&gt;codeBlock(), &amp;byValInfo, ReturnAddressPtr(OUR_RETURN_ADDRESS), arrayMode);
</span><span class="cx">                 didOptimize = true;
</span><span class="lines">@@ -566,7 +567,7 @@
</span><span class="cx">             // where we see non-index-intercepting objects, this gives 10 iterations worth of
</span><span class="cx">             // opportunity for us to observe that the get_by_val may be polymorphic.
</span><span class="cx">             if (++byValInfo.slowPathCount &gt;= 10
</span><del>-                || object-&gt;structure()-&gt;typeInfo().interceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero()) {
</del><ins>+                || object-&gt;structure(vm)-&gt;typeInfo().interceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero()) {
</ins><span class="cx">                 // Don't ever try to optimize.
</span><span class="cx">                 RepatchBuffer repatchBuffer(callFrame-&gt;codeBlock());
</span><span class="cx">                 repatchBuffer.relinkCallerToFunction(ReturnAddressPtr(OUR_RETURN_ADDRESS), FunctionPtr(operationDirectPutByValGeneric));
</span><span class="lines">@@ -781,11 +782,12 @@
</span><span class="cx">     if (!calleeAsFunctionCell)
</span><span class="cx">         return false;
</span><span class="cx">     
</span><ins>+    VM&amp; vm = execCallee-&gt;vm();
</ins><span class="cx">     JSFunction* callee = jsCast&lt;JSFunction*&gt;(calleeAsFunctionCell);
</span><span class="cx">     JSFunction* oldCallee = callLinkInfo.callee.get();
</span><span class="cx">     
</span><span class="cx">     if (!oldCallee
</span><del>-        || oldCallee-&gt;structure() != callee-&gt;structure()
</del><ins>+        || oldCallee-&gt;structure(vm) != callee-&gt;structure(vm)
</ins><span class="cx">         || oldCallee-&gt;executable() != callee-&gt;executable())
</span><span class="cx">         return false;
</span><span class="cx">     
</span><span class="lines">@@ -1361,22 +1363,22 @@
</span><span class="cx"> 
</span><span class="cx"> EncodedJSValue JIT_OPERATION operationCheckHasInstance(ExecState* exec, EncodedJSValue encodedValue, EncodedJSValue encodedBaseVal)
</span><span class="cx"> {
</span><del>-    VM* vm = &amp;exec-&gt;vm();
-    NativeCallFrameTracer tracer(vm, exec);
</del><ins>+    VM&amp; vm = exec-&gt;vm();
+    NativeCallFrameTracer tracer(&amp;vm, exec);
</ins><span class="cx"> 
</span><span class="cx">     JSValue value = JSValue::decode(encodedValue);
</span><span class="cx">     JSValue baseVal = JSValue::decode(encodedBaseVal);
</span><span class="cx"> 
</span><span class="cx">     if (baseVal.isObject()) {
</span><span class="cx">         JSObject* baseObject = asObject(baseVal);
</span><del>-        ASSERT(!baseObject-&gt;structure()-&gt;typeInfo().implementsDefaultHasInstance());
-        if (baseObject-&gt;structure()-&gt;typeInfo().implementsHasInstance()) {
-            bool result = baseObject-&gt;methodTable()-&gt;customHasInstance(baseObject, exec, value);
</del><ins>+        ASSERT(!baseObject-&gt;structure(vm)-&gt;typeInfo().implementsDefaultHasInstance());
+        if (baseObject-&gt;structure(vm)-&gt;typeInfo().implementsHasInstance()) {
+            bool result = baseObject-&gt;methodTable(vm)-&gt;customHasInstance(baseObject, exec, value);
</ins><span class="cx">             return JSValue::encode(jsBoolean(result));
</span><span class="cx">         }
</span><span class="cx">     }
</span><span class="cx"> 
</span><del>-    vm-&gt;throwException(exec, createInvalidParameterError(exec, &quot;instanceof&quot;, baseVal));
</del><ins>+    vm.throwException(exec, createInvalidParameterError(exec, &quot;instanceof&quot;, baseVal));
</ins><span class="cx">     return JSValue::encode(JSValue());
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="lines">@@ -1467,9 +1469,9 @@
</span><span class="cx">         ByValInfo&amp; byValInfo = exec-&gt;codeBlock()-&gt;getByValInfo(bytecodeOffset - 1);
</span><span class="cx">         ASSERT(!byValInfo.stubRoutine);
</span><span class="cx">         
</span><del>-        if (hasOptimizableIndexing(object-&gt;structure())) {
</del><ins>+        if (hasOptimizableIndexing(object-&gt;structure(vm))) {
</ins><span class="cx">             // Attempt to optimize.
</span><del>-            JITArrayMode arrayMode = jitArrayModeForStructure(object-&gt;structure());
</del><ins>+            JITArrayMode arrayMode = jitArrayModeForStructure(object-&gt;structure(vm));
</ins><span class="cx">             if (arrayMode != byValInfo.arrayMode) {
</span><span class="cx">                 JIT::compileGetByVal(&amp;vm, exec-&gt;codeBlock(), &amp;byValInfo, ReturnAddressPtr(OUR_RETURN_ADDRESS), arrayMode);
</span><span class="cx">                 didOptimize = true;
</span><span class="lines">@@ -1483,7 +1485,7 @@
</span><span class="cx">             // where we see non-index-intercepting objects, this gives 10 iterations worth of
</span><span class="cx">             // opportunity for us to observe that the get_by_val may be polymorphic.
</span><span class="cx">             if (++byValInfo.slowPathCount &gt;= 10
</span><del>-                || object-&gt;structure()-&gt;typeInfo().interceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero()) {
</del><ins>+                || object-&gt;structure(vm)-&gt;typeInfo().interceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero()) {
</ins><span class="cx">                 // Don't ever try to optimize.
</span><span class="cx">                 RepatchBuffer repatchBuffer(exec-&gt;codeBlock());
</span><span class="cx">                 repatchBuffer.relinkCallerToFunction(ReturnAddressPtr(OUR_RETURN_ADDRESS), FunctionPtr(operationGetByValGeneric));
</span><span class="lines">@@ -1547,7 +1549,7 @@
</span><span class="cx">     NativeCallFrameTracer tracer(&amp;vm, exec);
</span><span class="cx"> 
</span><span class="cx">     JSObject* baseObj = JSValue::decode(encodedBase).toObject(exec);
</span><del>-    bool couldDelete = baseObj-&gt;methodTable()-&gt;deleteProperty(baseObj, exec, *identifier);
</del><ins>+    bool couldDelete = baseObj-&gt;methodTable(vm)-&gt;deleteProperty(baseObj, exec, *identifier);
</ins><span class="cx">     JSValue result = jsBoolean(couldDelete);
</span><span class="cx">     if (!couldDelete &amp;&amp; exec-&gt;codeBlock()-&gt;isStrictMode())
</span><span class="cx">         vm.throwException(exec, createTypeError(exec, &quot;Unable to delete property.&quot;));
</span><span class="lines">@@ -1559,7 +1561,7 @@
</span><span class="cx">     VM&amp; vm = exec-&gt;vm();
</span><span class="cx">     NativeCallFrameTracer tracer(&amp;vm, exec);
</span><span class="cx"> 
</span><del>-    Structure* structure = obj-&gt;structure();
</del><ins>+    Structure* structure = obj-&gt;structure(vm);
</ins><span class="cx">     JSPropertyNameIterator* jsPropertyNameIterator = structure-&gt;enumerationCache();
</span><span class="cx">     if (!jsPropertyNameIterator || jsPropertyNameIterator-&gt;cachedPrototypeChain() != structure-&gt;prototypeChain(exec))
</span><span class="cx">         jsPropertyNameIterator = JSPropertyNameIterator::create(exec, obj);
</span><span class="lines">@@ -1689,10 +1691,10 @@
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     // Covers implicit globals. Since they don't exist until they first execute, we didn't know how to cache them at compile time.
</span><del>-    if (slot.isCacheableValue() &amp;&amp; slot.slotBase() == scope &amp;&amp; scope-&gt;structure()-&gt;propertyAccessesAreCacheable()) {
</del><ins>+    if (slot.isCacheableValue() &amp;&amp; slot.slotBase() == scope &amp;&amp; scope-&gt;structure(vm)-&gt;propertyAccessesAreCacheable()) {
</ins><span class="cx">         if (modeAndType.type() == GlobalProperty || modeAndType.type() == GlobalPropertyWithVarInjectionChecks) {
</span><span class="cx">             ConcurrentJITLocker locker(codeBlock-&gt;m_lock);
</span><del>-            pc[5].u.structure.set(exec-&gt;vm(), codeBlock-&gt;ownerExecutable(), scope-&gt;structure());
</del><ins>+            pc[5].u.structure.set(exec-&gt;vm(), codeBlock-&gt;ownerExecutable(), scope-&gt;structure(vm));
</ins><span class="cx">             pc[6].u.operand = slot.cachedOffset();
</span><span class="cx">         }
</span><span class="cx">     }
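Review bot: pc[5].u.structure.set(exec-&gt;vm(), codeBlock-&gt;ownerExecutable(), scope-&gt;structure(vm)) mixes exec-&gt;vm() and vm in one call. Pass vm for the first argument too. Also consider reading scope-&gt;structure(vm) once into a local before the if, since the cacheability test and the value stored into pc[5] should be the same Structure.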
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITPropertyAccesscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -51,7 +51,10 @@
</span><span class="cx"> {
</span><span class="cx">     JSInterfaceJIT jit(vm);
</span><span class="cx">     JumpList failures;
</span><del>-    failures.append(jit.branchPtr(NotEqual, Address(regT0, JSCell::structureOffset()), TrustedImmPtr(vm-&gt;stringStructure.get())));
</del><ins>+    failures.append(JSC::branchStructure(jit,
+        NotEqual, 
+        Address(regT0, JSCell::structureIDOffset()), 
+        vm-&gt;stringStructure.get()));
</ins><span class="cx"> 
</span><span class="cx">     // Load string length to regT2, and start the process of loading the data pointer into regT0
</span><span class="cx">     jit.load32(Address(regT0, ThunkHelpers::jsStringLengthOffset()), regT2);
</span><span class="lines">@@ -106,8 +109,7 @@
</span><span class="cx">     zeroExtend32ToPtr(regT1, regT1);
</span><span class="cx"> 
</span><span class="cx">     emitJumpSlowCaseIfNotJSCell(regT0, base);
</span><del>-    loadPtr(Address(regT0, JSCell::structureOffset()), regT2);
-    emitArrayProfilingSite(regT2, regT3, profile);
</del><ins>+    emitArrayProfilingSiteWithCell(regT0, regT2, profile);
</ins><span class="cx">     and32(TrustedImm32(IndexingShapeMask), regT2);
</span><span class="cx"> 
</span><span class="cx">     PatchableJump badType;
</span><span class="lines">@@ -204,7 +206,9 @@
</span><span class="cx">     linkSlowCaseIfNotJSCell(iter, base); // base cell check
</span><span class="cx">     Jump nonCell = jump();
</span><span class="cx">     linkSlowCase(iter); // base array check
</span><del>-    Jump notString = branchPtr(NotEqual, Address(regT0, JSCell::structureOffset()), TrustedImmPtr(m_vm-&gt;stringStructure.get()));
</del><ins>+    Jump notString = branchStructure(NotEqual, 
+        Address(regT0, JSCell::structureIDOffset()), 
+        m_vm-&gt;stringStructure.get());
</ins><span class="cx">     emitNakedCall(CodeLocationLabel(m_vm-&gt;getCTIStub(stringGetByValStubGenerator).code()));
</span><span class="cx">     Jump failed = branchTest64(Zero, regT0);
</span><span class="cx">     emitPutVirtualRegister(dst, regT0);
</span><span class="lines">@@ -275,7 +279,7 @@
</span><span class="cx">     emitJumpSlowCaseIfNotJSCell(regT0, base);
</span><span class="cx"> 
</span><span class="cx">     // Test base's structure
</span><del>-    loadPtr(Address(regT0, JSCell::structureOffset()), regT2);
</del><ins>+    emitLoadStructure(regT0, regT2, regT3);
</ins><span class="cx">     addSlowCase(branchPtr(NotEqual, regT2, Address(regT1, OBJECT_OFFSETOF(JSPropertyNameIterator, m_cachedStructure))));
</span><span class="cx">     load32(addressFor(i), regT3);
</span><span class="cx">     sub32(TrustedImm32(1), regT3);
</span><span class="lines">@@ -316,8 +320,7 @@
</span><span class="cx">     // See comment in op_get_by_val.
</span><span class="cx">     zeroExtend32ToPtr(regT1, regT1);
</span><span class="cx">     emitJumpSlowCaseIfNotJSCell(regT0, base);
</span><del>-    loadPtr(Address(regT0, JSCell::structureOffset()), regT2);
-    emitArrayProfilingSite(regT2, regT3, profile);
</del><ins>+    emitArrayProfilingSiteWithCell(regT0, regT2, profile);
</ins><span class="cx">     and32(TrustedImm32(IndexingShapeMask), regT2);
</span><span class="cx">     
</span><span class="cx">     PatchableJump badType;
</span><span class="lines">@@ -513,10 +516,8 @@
</span><span class="cx">     
</span><span class="cx">     emitJumpSlowCaseIfNotJSCell(regT0, baseVReg);
</span><span class="cx">     
</span><del>-    if (*ident == m_vm-&gt;propertyNames-&gt;length &amp;&amp; shouldEmitProfiling()) {
-        loadPtr(Address(regT0, JSCell::structureOffset()), regT1);
-        emitArrayProfilingSiteForBytecodeIndex(regT1, regT2, m_bytecodeOffset);
-    }
</del><ins>+    if (*ident == m_vm-&gt;propertyNames-&gt;length &amp;&amp; shouldEmitProfiling())
+        emitArrayProfilingSiteForBytecodeIndexWithCell(regT0, regT1, m_bytecodeOffset);
</ins><span class="cx"> 
</span><span class="cx">     JITGetByIdGenerator gen(
</span><span class="cx">         m_codeBlock, CodeOrigin(m_bytecodeOffset), RegisterSet::specialRegisters(),
</span><span class="lines">@@ -693,7 +694,9 @@
</span><span class="cx"> {
</span><span class="cx">     emitGetVirtualRegister(scope, regT0);
</span><span class="cx">     loadPtr(structureSlot, regT1);
</span><del>-    addSlowCase(branchPtr(NotEqual, Address(regT0, JSCell::structureOffset()), regT1));
</del><ins>+    addSlowCase(branchTestPtr(Zero, regT1));
+    load32(Address(regT1, Structure::structureIDOffset()), regT1);
+    addSlowCase(branch32(NotEqual, Address(regT0, JSCell::structureIDOffset()), regT1));
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void JIT::emitGetGlobalProperty(uintptr_t* operandSlot)
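Review bot: the new branchTestPtr(Zero, regT1) null test adds a second slow case to this helper, so
every slow path that follows it has to link two jumps instead of one, and nothing here says so.
A one-line comment naming the two cases (empty structure slot, structure ID mismatch) would keep
the fast and slow paths from drifting apart.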
</span><span class="lines">@@ -754,6 +757,8 @@
</span><span class="cx">     if (resolveType == GlobalVar || resolveType == ClosureVar)
</span><span class="cx">         return;
</span><span class="cx"> 
</span><ins>+    if (resolveType == GlobalProperty || resolveType == GlobalPropertyWithVarInjectionChecks)
+        linkSlowCase(iter);
</ins><span class="cx">     linkSlowCase(iter);
</span><span class="cx">     callOperation(WithProfile, operationGetFromScope, dst, currentInstruction);
</span><span class="cx"> }
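Review bot: the extra linkSlowCase(iter) for GlobalProperty and GlobalPropertyWithVarInjectionChecks
has no comment saying which jump it links. Other slow paths in this file annotate each link (for
example "// base array check"); a matching comment here would make the pairing with the added
null-structure test easy to verify.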
</span><span class="lines">@@ -855,6 +860,8 @@
</span><span class="cx">     if ((resolveType == GlobalVar || resolveType == GlobalVarWithVarInjectionChecks)
</span><span class="cx">         &amp;&amp; currentInstruction[5].u.watchpointSet-&gt;state() != IsInvalidated)
</span><span class="cx">         linkCount++;
</span><ins>+    if (resolveType == GlobalProperty || resolveType == GlobalPropertyWithVarInjectionChecks)
+        linkCount++;
</ins><span class="cx">     if (!linkCount)
</span><span class="cx">         return;
</span><span class="cx">     while (linkCount--)
</span><span class="lines">@@ -872,25 +879,14 @@
</span><span class="cx"> 
</span><span class="cx"> #endif // USE(JSVALUE64)
</span><span class="cx"> 
</span><del>-JIT::Jump JIT::checkMarkWord(RegisterID owner, RegisterID scratch1, RegisterID scratch2)
</del><ins>+JIT::Jump JIT::checkMarkWord(RegisterID owner)
</ins><span class="cx"> {
</span><del>-    move(owner, scratch1);
-    move(owner, scratch2);
-
-    andPtr(TrustedImmPtr(MarkedBlock::blockMask), scratch1);
-    andPtr(TrustedImmPtr(~MarkedBlock::blockMask), scratch2);
-
-    rshift32(TrustedImm32(3 + 4), scratch2);
-
-    return branchTest8(Zero, BaseIndex(scratch1, scratch2, TimesOne, MarkedBlock::offsetOfMarks()));
</del><ins>+    return branchTest8(Zero, Address(owner, JSCell::gcDataOffset()));
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> JIT::Jump JIT::checkMarkWord(JSCell* owner)
</span><span class="cx"> {
</span><del>-    MarkedBlock* block = MarkedBlock::blockFor(owner);
-    size_t index = (reinterpret_cast&lt;size_t&gt;(owner) &amp; ~MarkedBlock::blockMask) &gt;&gt; (3 + 4);
-    void* address = (reinterpret_cast&lt;char*&gt;(block) + MarkedBlock::offsetOfMarks()) + index;
-
</del><ins>+    uint8_t* address = reinterpret_cast&lt;uint8_t*&gt;(owner) + JSCell::gcDataOffset();
</ins><span class="cx">     return branchTest8(Zero, AbsoluteAddress(address));
</span><span class="cx"> }
</span><span class="cx"> 
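Review bot: both checkMarkWord overloads now test a byte at JSCell::gcDataOffset() instead of the
MarkedBlock mark bits, so the name no longer describes what is read, and the hunk does not document
what a zero byte means or what keeps it in step with marking. Since the write barrier is skipped
when this test passes, please rename the helper or add a comment stating the invariant it relies on.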
</span><span class="lines">@@ -908,7 +904,7 @@
</span><span class="cx">     if (mode == ShouldFilterBaseAndValue)
</span><span class="cx">         ownerNotCell = branchTest64(NonZero, regT0, tagMaskRegister);
</span><span class="cx"> 
</span><del>-    Jump ownerNotMarked = checkMarkWord(regT0, regT1, regT2);
</del><ins>+    Jump ownerNotMarked = checkMarkWord(regT0);
</ins><span class="cx">     callOperation(operationUnconditionalWriteBarrier, regT0);
</span><span class="cx">     ownerNotMarked.link(this);
</span><span class="cx"> 
</span><span class="lines">@@ -957,7 +953,7 @@
</span><span class="cx">     if (mode == ShouldFilterBaseAndValue)
</span><span class="cx">         ownerNotCell = branch32(NotEqual, regT0, TrustedImm32(JSValue::CellTag));
</span><span class="cx"> 
</span><del>-    Jump ownerNotMarked = checkMarkWord(regT1, regT0, regT2);
</del><ins>+    Jump ownerNotMarked = checkMarkWord(regT1);
</ins><span class="cx">     callOperation(operationUnconditionalWriteBarrier, regT1);
</span><span class="cx">     ownerNotMarked.link(this);
</span><span class="cx"> 
</span><span class="lines">@@ -1013,7 +1009,7 @@
</span><span class="cx">         structure-&gt;addTransitionWatchpoint(stubInfo-&gt;addWatchpoint(m_codeBlock));
</span><span class="cx"> #if !ASSERT_DISABLED
</span><span class="cx">         move(TrustedImmPtr(object), scratch);
</span><del>-        Jump ok = branchPtr(Equal, Address(scratch, JSCell::structureOffset()), TrustedImmPtr(structure));
</del><ins>+        Jump ok = branchStructure(Equal, Address(scratch, JSCell::structureIDOffset()), structure);
</ins><span class="cx">         breakpoint();
</span><span class="cx">         ok.link(this);
</span><span class="cx"> #endif
</span><span class="lines">@@ -1022,7 +1018,7 @@
</span><span class="cx">     }
</span><span class="cx">     
</span><span class="cx">     move(TrustedImmPtr(object), scratch);
</span><del>-    return branchPtr(NotEqual, Address(scratch, JSCell::structureOffset()), TrustedImmPtr(structure));
</del><ins>+    return branchStructure(NotEqual, Address(scratch, JSCell::structureIDOffset()), structure);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void JIT::addStructureTransitionCheck(JSCell* object, Structure* structure, StructureStubInfo* stubInfo, JumpList&amp; failureCases, RegisterID scratch)
</span><span class="lines">@@ -1180,8 +1176,8 @@
</span><span class="cx">     
</span><span class="cx">     JumpList slowCases;
</span><span class="cx">     
</span><del>-    loadPtr(Address(base, JSCell::structureOffset()), scratch);
-    badType = patchableBranchPtr(NotEqual, Address(scratch, Structure::classInfoOffset()), TrustedImmPtr(classInfoForType(type)));
</del><ins>+    load8(Address(base, JSCell::typeInfoTypeOffset()), scratch);
+    badType = patchableBranch32(NotEqual, scratch, TrustedImm32(typeForTypedArrayType(type)));
</ins><span class="cx">     slowCases.append(branch32(AboveOrEqual, property, Address(base, JSArrayBufferView::offsetOfLength())));
</span><span class="cx">     loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), base);
</span><span class="cx">     
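Review bot: the badType check that gates the length comparison and the vector load now compares a
one-byte JSType against typeForTypedArrayType(type) instead of a ClassInfo pointer, so the fast path
is only sound if that mapping gives every typed array kind its own JSType. A comment or compile-time
check next to typeForTypedArrayType would make that explicit. The same point applies to the three
later typed array hunks in this file.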
</span><span class="lines">@@ -1250,9 +1246,9 @@
</span><span class="cx"> #endif
</span><span class="cx">     
</span><span class="cx">     JumpList slowCases;
</span><del>-    
-    loadPtr(Address(base, JSCell::structureOffset()), scratch);
-    badType = patchableBranchPtr(NotEqual, Address(scratch, Structure::classInfoOffset()), TrustedImmPtr(classInfoForType(type)));
</del><ins>+
+    load8(Address(base, JSCell::typeInfoTypeOffset()), scratch);
+    badType = patchableBranch32(NotEqual, scratch, TrustedImm32(typeForTypedArrayType(type)));
</ins><span class="cx">     slowCases.append(branch32(AboveOrEqual, property, Address(base, JSArrayBufferView::offsetOfLength())));
</span><span class="cx">     loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), base);
</span><span class="cx">     
</span><span class="lines">@@ -1304,8 +1300,8 @@
</span><span class="cx">     
</span><span class="cx">     JumpList slowCases;
</span><span class="cx">     
</span><del>-    loadPtr(Address(base, JSCell::structureOffset()), earlyScratch);
-    badType = patchableBranchPtr(NotEqual, Address(earlyScratch, Structure::classInfoOffset()), TrustedImmPtr(classInfoForType(type)));
</del><ins>+    load8(Address(base, JSCell::typeInfoTypeOffset()), earlyScratch);
+    badType = patchableBranch32(NotEqual, earlyScratch, TrustedImm32(typeForTypedArrayType(type)));
</ins><span class="cx">     Jump inBounds = branch32(Below, property, Address(base, JSArrayBufferView::offsetOfLength()));
</span><span class="cx">     emitArrayProfileOutOfBoundsSpecialCase(profile);
</span><span class="cx">     Jump done = jump();
</span><span class="lines">@@ -1376,8 +1372,8 @@
</span><span class="cx">     
</span><span class="cx">     JumpList slowCases;
</span><span class="cx">     
</span><del>-    loadPtr(Address(base, JSCell::structureOffset()), earlyScratch);
-    badType = patchableBranchPtr(NotEqual, Address(earlyScratch, Structure::classInfoOffset()), TrustedImmPtr(classInfoForType(type)));
</del><ins>+    load8(Address(base, JSCell::typeInfoTypeOffset()), earlyScratch);
+    badType = patchableBranch32(NotEqual, earlyScratch, TrustedImm32(typeForTypedArrayType(type)));
</ins><span class="cx">     Jump inBounds = branch32(Below, property, Address(base, JSArrayBufferView::offsetOfLength()));
</span><span class="cx">     emitArrayProfileOutOfBoundsSpecialCase(profile);
</span><span class="cx">     Jump done = jump();
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITPropertyAccess32_64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -83,7 +83,7 @@
</span><span class="cx"> {
</span><span class="cx">     JSInterfaceJIT jit(vm);
</span><span class="cx">     JumpList failures;
</span><del>-    failures.append(jit.branchPtr(NotEqual, Address(regT0, JSCell::structureOffset()), TrustedImmPtr(vm-&gt;stringStructure.get())));
</del><ins>+    failures.append(JSC::branchStructure(jit, NotEqual, Address(regT0, JSCell::structureIDOffset()), vm-&gt;stringStructure.get()));
</ins><span class="cx">     
</span><span class="cx">     // Load string length to regT1, and start the process of loading the data pointer into regT0
</span><span class="cx">     jit.load32(Address(regT0, ThunkHelpers::jsStringLengthOffset()), regT1);
</span><span class="lines">@@ -132,8 +132,7 @@
</span><span class="cx">     
</span><span class="cx">     addSlowCase(branch32(NotEqual, regT3, TrustedImm32(JSValue::Int32Tag)));
</span><span class="cx">     emitJumpSlowCaseIfNotJSCell(base, regT1);
</span><del>-    loadPtr(Address(regT0, JSCell::structureOffset()), regT1);
-    emitArrayProfilingSite(regT1, regT3, profile);
</del><ins>+    emitArrayProfilingSiteWithCell(regT0, regT1, profile);
</ins><span class="cx">     and32(TrustedImm32(IndexingShapeMask), regT1);
</span><span class="cx"> 
</span><span class="cx">     PatchableJump badType;
</span><span class="lines">@@ -235,7 +234,7 @@
</span><span class="cx"> 
</span><span class="cx">     Jump nonCell = jump();
</span><span class="cx">     linkSlowCase(iter); // base array check
</span><del>-    Jump notString = branchPtr(NotEqual, Address(regT0, JSCell::structureOffset()), TrustedImmPtr(m_vm-&gt;stringStructure.get()));
</del><ins>+    Jump notString = branchStructure(NotEqual, Address(regT0, JSCell::structureIDOffset()), m_vm-&gt;stringStructure.get());
</ins><span class="cx">     emitNakedCall(m_vm-&gt;getCTIStub(stringGetByValStubGenerator).code());
</span><span class="cx">     Jump failed = branchTestPtr(Zero, regT0);
</span><span class="cx">     emitStore(dst, regT1, regT0);
</span><span class="lines">@@ -276,8 +275,7 @@
</span><span class="cx">     
</span><span class="cx">     addSlowCase(branch32(NotEqual, regT3, TrustedImm32(JSValue::Int32Tag)));
</span><span class="cx">     emitJumpSlowCaseIfNotJSCell(base, regT1);
</span><del>-    loadPtr(Address(regT0, JSCell::structureOffset()), regT1);
-    emitArrayProfilingSite(regT1, regT3, profile);
</del><ins>+    emitArrayProfilingSiteWithCell(regT0, regT1, profile);
</ins><span class="cx">     and32(TrustedImm32(IndexingShapeMask), regT1);
</span><span class="cx">     
</span><span class="cx">     PatchableJump badType;
</span><span class="lines">@@ -475,10 +473,8 @@
</span><span class="cx">     emitLoad(base, regT1, regT0);
</span><span class="cx">     emitJumpSlowCaseIfNotJSCell(base, regT1);
</span><span class="cx"> 
</span><del>-    if (*ident == m_vm-&gt;propertyNames-&gt;length &amp;&amp; shouldEmitProfiling()) {
-        loadPtr(Address(regT0, JSCell::structureOffset()), regT2);
-        emitArrayProfilingSiteForBytecodeIndex(regT2, regT3, m_bytecodeOffset);
-    }
</del><ins>+    if (*ident == m_vm-&gt;propertyNames-&gt;length &amp;&amp; shouldEmitProfiling())
+        emitArrayProfilingSiteForBytecodeIndexWithCell(regT0, regT2, m_bytecodeOffset);
</ins><span class="cx"> 
</span><span class="cx">     JITGetByIdGenerator gen(
</span><span class="cx">         m_codeBlock, CodeOrigin(m_bytecodeOffset), RegisterSet::specialRegisters(),
</span><span class="lines">@@ -634,7 +630,7 @@
</span><span class="cx">     emitLoadPayload(iter, regT1);
</span><span class="cx">     
</span><span class="cx">     // Test base's structure
</span><del>-    loadPtr(Address(regT2, JSCell::structureOffset()), regT0);
</del><ins>+    loadPtr(Address(regT2, JSCell::structureIDOffset()), regT0);
</ins><span class="cx">     addSlowCase(branchPtr(NotEqual, regT0, Address(regT1, OBJECT_OFFSETOF(JSPropertyNameIterator, m_cachedStructure))));
</span><span class="cx">     load32(addressFor(i), regT3);
</span><span class="cx">     sub32(TrustedImm32(1), regT3);
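Review bot: the replacement loadPtr(Address(regT2, JSCell::structureIDOffset()), regT0) is still a
pointer-width load compared with branchPtr against m_cachedStructure, so it only works if the ID
field is pointer-sized and holds the Structure pointer in this configuration. The 64-bit file uses
emitLoadStructure for the same check; using it here, or a comment stating the assumption, would
avoid a silent mismatch if the ID encoding changes. The branchPtr in the next hunk has the same
dependency.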
</span><span class="lines">@@ -731,7 +727,7 @@
</span><span class="cx"> {
</span><span class="cx">     emitLoad(scope, regT1, regT0);
</span><span class="cx">     loadPtr(structureSlot, regT2);
</span><del>-    addSlowCase(branchPtr(NotEqual, Address(regT0, JSCell::structureOffset()), regT2));
</del><ins>+    addSlowCase(branchPtr(NotEqual, Address(regT0, JSCell::structureIDOffset()), regT2));
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void JIT::emitGetGlobalProperty(uintptr_t* operandSlot)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJSInterfaceJITh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JSInterfaceJIT.h (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JSInterfaceJIT.h        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/jit/JSInterfaceJIT.h        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -73,7 +73,7 @@
</span><span class="cx">         void emitFastArithIntToImmNoCheck(RegisterID src, RegisterID dest);
</span><span class="cx"> #endif
</span><span class="cx"> 
</span><del>-        Jump emitJumpIfNotType(RegisterID baseReg, RegisterID scratchReg, JSType);
</del><ins>+        Jump emitJumpIfNotType(RegisterID baseReg, JSType);
</ins><span class="cx"> 
</span><span class="cx">         void emitGetFromCallFrameHeaderPtr(JSStack::CallFrameHeaderEntry, RegisterID to, RegisterID from = callFrameRegister);
</span><span class="cx">         void emitPutToCallFrameHeader(RegisterID from, JSStack::CallFrameHeaderEntry);
</span><span class="lines">@@ -224,10 +224,9 @@
</span><span class="cx">     }
</span><span class="cx"> #endif
</span><span class="cx"> 
</span><del>-    ALWAYS_INLINE JSInterfaceJIT::Jump JSInterfaceJIT::emitJumpIfNotType(RegisterID baseReg, RegisterID scratchReg, JSType type)
</del><ins>+    ALWAYS_INLINE JSInterfaceJIT::Jump JSInterfaceJIT::emitJumpIfNotType(RegisterID baseReg, JSType type)
</ins><span class="cx">     {
</span><del>-        loadPtr(Address(baseReg, JSCell::structureOffset()), scratchReg);
-        return branch8(NotEqual, Address(scratchReg, Structure::typeInfoTypeOffset()), TrustedImm32(type));
</del><ins>+        return branch8(NotEqual, Address(baseReg, JSCell::typeInfoTypeOffset()), TrustedImm32(type));
</ins><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     ALWAYS_INLINE void JSInterfaceJIT::emitGetFromCallFrameHeaderPtr(JSStack::CallFrameHeaderEntry entry, RegisterID to, RegisterID from)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitRepatchcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/Repatch.cpp (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/Repatch.cpp        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/jit/Repatch.cpp        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -33,6 +33,8 @@
</span><span class="cx"> #include &quot;DFGSpeculativeJIT.h&quot;
</span><span class="cx"> #include &quot;FTLThunks.h&quot;
</span><span class="cx"> #include &quot;GCAwareJITStubRoutine.h&quot;
</span><ins>+#include &quot;JIT.h&quot;
+#include &quot;JITInlines.h&quot;
</ins><span class="cx"> #include &quot;LinkBuffer.h&quot;
</span><span class="cx"> #include &quot;JSCInlines.h&quot;
</span><span class="cx"> #include &quot;PolymorphicPutByIdList.h&quot;
</span><span class="lines">@@ -103,7 +105,7 @@
</span><span class="cx">     repatchCall(repatchBuffer, stubInfo.callReturnLocation, slowPathFunction);
</span><span class="cx"> 
</span><span class="cx">     // Patch the structure check &amp; the offset of the load.
</span><del>-    repatchBuffer.repatch(stubInfo.callReturnLocation.dataLabelPtrAtOffset(-(intptr_t)stubInfo.patch.deltaCheckImmToCall), structure);
</del><ins>+    repatchBuffer.repatch(stubInfo.callReturnLocation.dataLabel32AtOffset(-(intptr_t)stubInfo.patch.deltaCheckImmToCall), bitwise_cast&lt;int32_t&gt;(structure-&gt;id()));
</ins><span class="cx">     repatchBuffer.setLoadInstructionIsActive(stubInfo.callReturnLocation.convertibleLoadAtOffset(stubInfo.patch.deltaCallToStorageLoad), isOutOfLineOffset(offset));
</span><span class="cx"> #if USE(JSVALUE64)
</span><span class="cx">     if (compact)
</span><span class="lines">@@ -131,10 +133,10 @@
</span><span class="cx">         // If we execute this code, the object must have the structure we expect. Assert
</span><span class="cx">         // this in debug modes.
</span><span class="cx">         jit.move(MacroAssembler::TrustedImmPtr(object), scratchGPR);
</span><del>-        MacroAssembler::Jump ok = jit.branchPtr(
</del><ins>+        MacroAssembler::Jump ok = branchStructure(jit,
</ins><span class="cx">             MacroAssembler::Equal,
</span><del>-            MacroAssembler::Address(scratchGPR, JSCell::structureOffset()),
-            MacroAssembler::TrustedImmPtr(structure));
</del><ins>+            MacroAssembler::Address(scratchGPR, JSCell::structureIDOffset()),
+            structure);
</ins><span class="cx">         jit.breakpoint();
</span><span class="cx">         ok.link(&amp;jit);
</span><span class="cx"> #endif
</span><span class="lines">@@ -143,10 +145,10 @@
</span><span class="cx">     
</span><span class="cx">     jit.move(MacroAssembler::TrustedImmPtr(object), scratchGPR);
</span><span class="cx">     failureCases.append(
</span><del>-        jit.branchPtr(
</del><ins>+        branchStructure(jit,
</ins><span class="cx">             MacroAssembler::NotEqual,
</span><del>-            MacroAssembler::Address(scratchGPR, JSCell::structureOffset()),
-            MacroAssembler::TrustedImmPtr(structure)));
</del><ins>+            MacroAssembler::Address(scratchGPR, JSCell::structureIDOffset()),
+            structure));
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> static void addStructureTransitionCheck(
</span><span class="lines">@@ -165,10 +167,10 @@
</span><span class="cx"> 
</span><span class="cx"> static void replaceWithJump(RepatchBuffer&amp; repatchBuffer, StructureStubInfo&amp; stubInfo, const MacroAssemblerCodePtr target)
</span><span class="cx"> {
</span><del>-    if (MacroAssembler::canJumpReplacePatchableBranchPtrWithPatch()) {
</del><ins>+    if (MacroAssembler::canJumpReplacePatchableBranch32WithPatch()) {
</ins><span class="cx">         repatchBuffer.replaceWithJump(
</span><del>-            RepatchBuffer::startOfPatchableBranchPtrWithPatchOnAddress(
-                stubInfo.callReturnLocation.dataLabelPtrAtOffset(
</del><ins>+            RepatchBuffer::startOfPatchableBranch32WithPatchOnAddress(
+                stubInfo.callReturnLocation.dataLabel32AtOffset(
</ins><span class="cx">                     -(intptr_t)stubInfo.patch.deltaCheckImmToCall)),
</span><span class="cx">             CodeLocationLabel(target));
</span><span class="cx">         return;
</span><span class="lines">@@ -249,7 +251,10 @@
</span><span class="cx">     
</span><span class="cx">     MacroAssembler::JumpList failureCases;
</span><span class="cx">     
</span><del>-    failureCases.append(stubJit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseGPR, JSCell::structureOffset()), MacroAssembler::TrustedImmPtr(structure)));
</del><ins>+    failureCases.append(branchStructure(stubJit,
+        MacroAssembler::NotEqual, 
+        MacroAssembler::Address(baseGPR, JSCell::structureIDOffset()), 
+        structure));
</ins><span class="cx"> 
</span><span class="cx">     CodeBlock* codeBlock = exec-&gt;codeBlock();
</span><span class="cx">     if (structure-&gt;typeInfo().newImpurePropertyFiresWatchpoints())
</span><span class="lines">@@ -380,8 +385,7 @@
</span><span class="cx">         
</span><span class="cx">         MacroAssembler::JumpList failureCases;
</span><span class="cx">        
</span><del>-        stubJit.loadPtr(MacroAssembler::Address(baseGPR, JSCell::structureOffset()), scratchGPR); 
-        stubJit.load8(MacroAssembler::Address(scratchGPR, Structure::indexingTypeOffset()), scratchGPR);
</del><ins>+        stubJit.load8(MacroAssembler::Address(baseGPR, JSCell::indexingTypeOffset()), scratchGPR);
</ins><span class="cx">         failureCases.append(stubJit.branchTest32(MacroAssembler::Zero, scratchGPR, MacroAssembler::TrustedImm32(IsArray)));
</span><span class="cx">         failureCases.append(stubJit.branchTest32(MacroAssembler::Zero, scratchGPR, MacroAssembler::TrustedImm32(IndexingShapeMask)));
</span><span class="cx">         
</span><span class="lines">@@ -573,7 +577,10 @@
</span><span class="cx">         
</span><span class="cx">         CCallHelpers stubJit(vm, codeBlock);
</span><span class="cx">         
</span><del>-        MacroAssembler::Jump wrongStruct = stubJit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseGPR, JSCell::structureOffset()), MacroAssembler::TrustedImmPtr(structure));
</del><ins>+        MacroAssembler::Jump wrongStruct = branchStructure(stubJit,
+            MacroAssembler::NotEqual, 
+            MacroAssembler::Address(baseGPR, JSCell::structureIDOffset()), 
+            structure);
</ins><span class="cx">         
</span><span class="cx">         // The strategy we use for stubs is as follows:
</span><span class="cx">         // 1) Call DFG helper that calls the getter.
</span><span class="lines">@@ -817,7 +824,7 @@
</span><span class="cx">     ASSERT(owner != scratch1);
</span><span class="cx">     ASSERT(owner != scratch2);
</span><span class="cx"> 
</span><del>-    MacroAssembler::Jump definitelyNotMarked = DFG::SpeculativeJIT::genericWriteBarrier(jit, owner, scratch1, scratch2);
</del><ins>+    MacroAssembler::Jump definitelyNotMarked = DFG::SpeculativeJIT::genericWriteBarrier(jit, owner);
</ins><span class="cx">     MacroAssembler::Call call = storeToWriteBarrierBuffer(jit, owner, scratch1, scratch2, allocator);
</span><span class="cx">     definitelyNotMarked.link(&amp;jit);
</span><span class="cx">     return call;
</span><span class="lines">@@ -858,10 +865,10 @@
</span><span class="cx"> 
</span><span class="cx">     allocator.preserveReusedRegistersByPushing(stubJit);
</span><span class="cx"> 
</span><del>-    MacroAssembler::Jump badStructure = stubJit.branchPtr(
</del><ins>+    MacroAssembler::Jump badStructure = branchStructure(stubJit,
</ins><span class="cx">         MacroAssembler::NotEqual,
</span><del>-        MacroAssembler::Address(baseGPR, JSCell::structureOffset()),
-        MacroAssembler::TrustedImmPtr(structure));
</del><ins>+        MacroAssembler::Address(baseGPR, JSCell::structureIDOffset()),
+        structure);
</ins><span class="cx"> 
</span><span class="cx"> #if USE(JSVALUE64)
</span><span class="cx">     if (isInlineOffset(slot.cachedOffset()))
</span><span class="lines">@@ -975,7 +982,10 @@
</span><span class="cx">             
</span><span class="cx">     ASSERT(oldStructure-&gt;transitionWatchpointSetHasBeenInvalidated());
</span><span class="cx">     
</span><del>-    failureCases.append(stubJit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseGPR, JSCell::structureOffset()), MacroAssembler::TrustedImmPtr(oldStructure)));
</del><ins>+    failureCases.append(branchStructure(stubJit,
+        MacroAssembler::NotEqual, 
+        MacroAssembler::Address(baseGPR, JSCell::structureIDOffset()), 
+        oldStructure));
</ins><span class="cx">     
</span><span class="cx">     addStructureTransitionCheck(
</span><span class="cx">         oldStructure-&gt;storedPrototype(), exec-&gt;codeBlock(), stubInfo, stubJit, failureCases,
</span><span class="lines">@@ -1026,7 +1036,10 @@
</span><span class="cx">         scratchGPR1HasStorage = true;
</span><span class="cx">     }
</span><span class="cx"> 
</span><del>-    stubJit.storePtr(MacroAssembler::TrustedImmPtr(structure), MacroAssembler::Address(baseGPR, JSCell::structureOffset()));
</del><ins>+    ASSERT(oldStructure-&gt;typeInfo().type() == structure-&gt;typeInfo().type());
+    ASSERT(oldStructure-&gt;typeInfo().inlineTypeFlags() == structure-&gt;typeInfo().inlineTypeFlags());
+    ASSERT(oldStructure-&gt;indexingType() == structure-&gt;indexingType());
+    stubJit.store32(MacroAssembler::TrustedImm32(reinterpret_cast&lt;uint32_t&gt;(structure-&gt;id())), MacroAssembler::Address(baseGPR, JSCell::structureIDOffset()));
</ins><span class="cx"> #if USE(JSVALUE64)
</span><span class="cx">     if (isInlineOffset(slot.cachedOffset()))
</span><span class="cx">         stubJit.store64(valueGPR, MacroAssembler::Address(baseGPR, JSObject::offsetOfInlineStorage() + offsetInInlineStorage(slot.cachedOffset()) * sizeof(JSValue)));
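Review bot: the store32 updates only the structure ID, and the three ASSERTs that the type, inline
type flags and indexing type are unchanged across the transition are debug-only. If a transition
could ever change one of those, a release build would leave stale type bytes in the cell that other
fast paths in this patch read directly, so please either document why such transitions never reach
this stub or make the check unconditional. Separately, this line uses
reinterpret_cast&lt;uint32_t&gt;(structure-&gt;id()) while the inline cache repatch earlier in this file uses
bitwise_cast&lt;int32_t&gt;(structure-&gt;id()); one spelling for the same conversion would be clearer.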
</span><span class="lines">@@ -1271,7 +1284,7 @@
</span><span class="cx">         
</span><span class="cx">         return true;
</span><span class="cx">     }
</span><del>-    
</del><ins>+
</ins><span class="cx">     return false;
</span><span class="cx"> }
</span><span class="cx"> 
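Review bot: this hunk only swaps a whitespace-only line for an empty one before return false. It is
unrelated to the structure ID change and could be left out of the patch.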
</span><span class="lines">@@ -1346,10 +1359,10 @@
</span><span class="cx">             needToRestoreScratch = false;
</span><span class="cx">         
</span><span class="cx">         MacroAssembler::JumpList failureCases;
</span><del>-        failureCases.append(stubJit.branchPtr(
</del><ins>+        failureCases.append(branchStructure(stubJit,
</ins><span class="cx">             MacroAssembler::NotEqual,
</span><del>-            MacroAssembler::Address(baseGPR, JSCell::structureOffset()),
-            MacroAssembler::TrustedImmPtr(structure)));
</del><ins>+            MacroAssembler::Address(baseGPR, JSCell::structureIDOffset()),
+            structure));
</ins><span class="cx"> 
</span><span class="cx">         CodeBlock* codeBlock = exec-&gt;codeBlock();
</span><span class="cx">         if (structure-&gt;typeInfo().newImpurePropertyFiresWatchpoints())
</span><span class="lines">@@ -1500,10 +1513,10 @@
</span><span class="cx"> #endif
</span><span class="cx">     
</span><span class="cx">     slowPath.append(
</span><del>-        stubJit.branchPtr(
</del><ins>+        branchStructure(stubJit,
</ins><span class="cx">             CCallHelpers::NotEqual,
</span><del>-            CCallHelpers::Address(calleeGPR, JSCell::structureOffset()),
-            CCallHelpers::TrustedImmPtr(structure)));
</del><ins>+            CCallHelpers::Address(calleeGPR, JSCell::structureIDOffset()),
+            structure));
</ins><span class="cx">     
</span><span class="cx">     slowPath.append(
</span><span class="cx">         stubJit.branchPtr(
</span><span class="lines">@@ -1573,16 +1586,16 @@
</span><span class="cx"> void resetGetByID(RepatchBuffer&amp; repatchBuffer, StructureStubInfo&amp; stubInfo)
</span><span class="cx"> {
</span><span class="cx">     repatchCall(repatchBuffer, stubInfo.callReturnLocation, operationGetByIdOptimize);
</span><del>-    CodeLocationDataLabelPtr structureLabel = stubInfo.callReturnLocation.dataLabelPtrAtOffset(-(intptr_t)stubInfo.patch.deltaCheckImmToCall);
-    if (MacroAssembler::canJumpReplacePatchableBranchPtrWithPatch()) {
-        repatchBuffer.revertJumpReplacementToPatchableBranchPtrWithPatch(
-            RepatchBuffer::startOfPatchableBranchPtrWithPatchOnAddress(structureLabel),
</del><ins>+    CodeLocationDataLabel32 structureLabel = stubInfo.callReturnLocation.dataLabel32AtOffset(-(intptr_t)stubInfo.patch.deltaCheckImmToCall);
+    if (MacroAssembler::canJumpReplacePatchableBranch32WithPatch()) {
+        repatchBuffer.revertJumpReplacementToPatchableBranch32WithPatch(
+            RepatchBuffer::startOfPatchableBranch32WithPatchOnAddress(structureLabel),
</ins><span class="cx">             MacroAssembler::Address(
</span><span class="cx">                 static_cast&lt;MacroAssembler::RegisterID&gt;(stubInfo.patch.baseGPR),
</span><del>-                JSCell::structureOffset()),
-            reinterpret_cast&lt;void*&gt;(unusedPointer));
</del><ins>+                JSCell::structureIDOffset()),
+            static_cast&lt;int32_t&gt;(unusedPointer));
</ins><span class="cx">     }
</span><del>-    repatchBuffer.repatch(structureLabel, reinterpret_cast&lt;void*&gt;(unusedPointer));
</del><ins>+    repatchBuffer.repatch(structureLabel, static_cast&lt;int32_t&gt;(unusedPointer));
</ins><span class="cx"> #if USE(JSVALUE64)
</span><span class="cx">     repatchBuffer.repatch(stubInfo.callReturnLocation.dataLabelCompactAtOffset(stubInfo.patch.deltaCallToLoadOrStore), 0);
</span><span class="cx"> #else
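Review bot: both the revertJumpReplacementToPatchableBranch32WithPatch call and the final repatch in resetGetByID now pass a static_cast to int32_t of unusedPointer, which silently narrows a sentinel that was previously used at pointer width and leaves its name misleading. Suggest a dedicated 32-bit constant for the patchable structure ID slot, with a comment or assertion that its value can never match a live structure ID.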
</span><span class="lines">@@ -1607,16 +1620,16 @@
</span><span class="cx">         optimizedFunction = operationPutByIdDirectNonStrictOptimize;
</span><span class="cx">     }
</span><span class="cx">     repatchCall(repatchBuffer, stubInfo.callReturnLocation, optimizedFunction);
</span><del>-    CodeLocationDataLabelPtr structureLabel = stubInfo.callReturnLocation.dataLabelPtrAtOffset(-(intptr_t)stubInfo.patch.deltaCheckImmToCall);
-    if (MacroAssembler::canJumpReplacePatchableBranchPtrWithPatch()) {
-        repatchBuffer.revertJumpReplacementToPatchableBranchPtrWithPatch(
-            RepatchBuffer::startOfPatchableBranchPtrWithPatchOnAddress(structureLabel),
</del><ins>+    CodeLocationDataLabel32 structureLabel = stubInfo.callReturnLocation.dataLabel32AtOffset(-(intptr_t)stubInfo.patch.deltaCheckImmToCall);
+    if (MacroAssembler::canJumpReplacePatchableBranch32WithPatch()) {
+        repatchBuffer.revertJumpReplacementToPatchableBranch32WithPatch(
+            RepatchBuffer::startOfPatchableBranch32WithPatchOnAddress(structureLabel),
</ins><span class="cx">             MacroAssembler::Address(
</span><span class="cx">                 static_cast&lt;MacroAssembler::RegisterID&gt;(stubInfo.patch.baseGPR),
</span><del>-                JSCell::structureOffset()),
-            reinterpret_cast&lt;void*&gt;(unusedPointer));
</del><ins>+                JSCell::structureIDOffset()),
+            static_cast&lt;int32_t&gt;(unusedPointer));
</ins><span class="cx">     }
</span><del>-    repatchBuffer.repatch(structureLabel, reinterpret_cast&lt;void*&gt;(unusedPointer));
</del><ins>+    repatchBuffer.repatch(structureLabel, static_cast&lt;int32_t&gt;(unusedPointer));
</ins><span class="cx"> #if USE(JSVALUE64)
</span><span class="cx">     repatchBuffer.repatch(stubInfo.callReturnLocation.dataLabel32AtOffset(stubInfo.patch.deltaCallToLoadOrStore), 0);
</span><span class="cx"> #else
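Review bot: this put_by_id reset path repeats, line for line, the structureLabel / canJumpReplacePatchableBranch32WithPatch / repatch sequence from resetGetByID above, so the int32_t narrowing of unusedPointer now has to be kept in sync in two places. Suggest moving the sequence into one static helper that takes repatchBuffer and stubInfo.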
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitSpecializedThunkJITh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/SpecializedThunkJIT.h (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/SpecializedThunkJIT.h        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/jit/SpecializedThunkJIT.h        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -29,6 +29,8 @@
</span><span class="cx"> #if ENABLE(JIT)
</span><span class="cx"> 
</span><span class="cx"> #include &quot;Executable.h&quot;
</span><ins>+#include &quot;JIT.h&quot;
+#include &quot;JITInlines.h&quot;
</ins><span class="cx"> #include &quot;JSInterfaceJIT.h&quot;
</span><span class="cx"> #include &quot;JSStack.h&quot;
</span><span class="cx"> #include &quot;LinkBuffer.h&quot;
</span><span class="lines">@@ -67,14 +69,18 @@
</span><span class="cx">         void loadJSStringArgument(VM&amp; vm, int argument, RegisterID dst)
</span><span class="cx">         {
</span><span class="cx">             loadCellArgument(argument, dst);
</span><del>-            m_failures.append(branchPtr(NotEqual, Address(dst, JSCell::structureOffset()), TrustedImmPtr(vm.stringStructure.get())));
</del><ins>+            m_failures.append(branchStructure(*this, NotEqual, 
+                Address(dst, JSCell::structureIDOffset()), 
+                vm.stringStructure.get()));
</ins><span class="cx">         }
</span><span class="cx">         
</span><span class="cx">         void loadArgumentWithSpecificClass(const ClassInfo* classInfo, int argument, RegisterID dst, RegisterID scratch)
</span><span class="cx">         {
</span><span class="cx">             loadCellArgument(argument, dst);
</span><del>-            loadPtr(Address(dst, JSCell::structureOffset()), scratch);
</del><ins>+            emitLoadStructure(dst, scratch, dst);
</ins><span class="cx">             appendFailure(branchPtr(NotEqual, Address(scratch, Structure::classInfoOffset()), TrustedImmPtr(classInfo)));
</span><ins>+            // We have to reload the argument since emitLoadStructure clobbered it.
+            loadCellArgument(argument, dst);
</ins><span class="cx">         }
</span><span class="cx">         
</span><span class="cx">         void loadInt32Argument(int argument, RegisterID dst, Jump&amp; failTarget)
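Review bot: in loadArgumentWithSpecificClass, emitLoadStructure(dst, scratch, dst) clobbers dst before the classInfo branchPtr is appended, and the reload of the argument is emitted only after that branch, so code reached through the failure jump sees a clobbered dst. Either state in a comment that dst is undefined on failure or pass a separate scratch register. The two added lines in loadJSStringArgument that end in 'NotEqual, ' and 'structureIDOffset()), ' also carry trailing whitespace.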
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitThunkGeneratorscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/ThunkGenerators.cpp (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/ThunkGenerators.cpp        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/jit/ThunkGenerators.cpp        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -27,6 +27,7 @@
</span><span class="cx"> #include &quot;ThunkGenerators.h&quot;
</span><span class="cx"> 
</span><span class="cx"> #include &quot;CodeBlock.h&quot;
</span><ins>+#include &quot;DFGSpeculativeJIT.h&quot;
</ins><span class="cx"> #include &quot;JITOperations.h&quot;
</span><span class="cx"> #include &quot;JSArray.h&quot;
</span><span class="cx"> #include &quot;JSArrayIterator.h&quot;
</span><span class="lines">@@ -189,7 +190,7 @@
</span><span class="cx">             CCallHelpers::NotEqual, GPRInfo::regT1,
</span><span class="cx">             CCallHelpers::TrustedImm32(JSValue::CellTag)));
</span><span class="cx"> #endif
</span><del>-    jit.loadPtr(CCallHelpers::Address(GPRInfo::regT0, JSCell::structureOffset()), GPRInfo::regT2);
</del><ins>+    AssemblyHelpers::emitLoadStructure(jit, GPRInfo::regT0, GPRInfo::regT2, GPRInfo::regT1);
</ins><span class="cx">     slowCase.append(
</span><span class="cx">         jit.branchPtr(
</span><span class="cx">             CCallHelpers::NotEqual,
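Review bot: emitLoadStructure is given GPRInfo::regT1 as its scratch immediately after the context lines that branch on regT1 against JSValue::CellTag, so regT1 may be overwritten here. Please confirm that no later code in this thunk reads regT1 expecting the tag, or add a short comment that it is dead after the cell check.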
</span><span class="lines">@@ -959,9 +960,7 @@
</span><span class="cx">     jit.load32(Address(SpecializedThunkJIT::regT4, JSArrayIterator::offsetOfNextIndex()), SpecializedThunkJIT::regT1);
</span><span class="cx">     
</span><span class="cx">     // Pull out the butterfly from iteratedObject
</span><del>-    jit.loadPtr(Address(SpecializedThunkJIT::regT0, JSCell::structureOffset()), SpecializedThunkJIT::regT2);
-    
-    jit.load8(Address(SpecializedThunkJIT::regT2, Structure::indexingTypeOffset()), SpecializedThunkJIT::regT3);
</del><ins>+    jit.load8(Address(SpecializedThunkJIT::regT0, JSCell::indexingTypeOffset()), SpecializedThunkJIT::regT3);
</ins><span class="cx">     jit.loadPtr(Address(SpecializedThunkJIT::regT0, JSObject::butterflyOffset()), SpecializedThunkJIT::regT2);
</span><span class="cx">     
</span><span class="cx">     jit.and32(TrustedImm32(IndexingShapeMask), SpecializedThunkJIT::regT3);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorellintLowLevelInterpreterasm"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/llint/LowLevelInterpreter.asm (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/llint/LowLevelInterpreter.asm        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/llint/LowLevelInterpreter.asm        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -439,11 +439,12 @@
</span><span class="cx">         end)
</span><span class="cx"> end
</span><span class="cx"> 
</span><del>-macro arrayProfile(structureAndIndexingType, profile, scratch)
-    const structure = structureAndIndexingType
-    const indexingType = structureAndIndexingType
-    storep structure, ArrayProfile::m_lastSeenStructure[profile]
-    loadb Structure::m_indexingType[structure], indexingType
</del><ins>+macro arrayProfile(cellAndIndexingType, profile, scratch)
+    const cell = cellAndIndexingType
+    const indexingType = cellAndIndexingType 
+    loadi JSCell::m_structureID[cell], scratch
+    storei scratch, ArrayProfile::m_lastSeenStructureID[profile]
+    loadb JSCell::m_indexingType[cell], indexingType
</ins><span class="cx"> end
</span><span class="cx"> 
</span><span class="cx"> macro checkMarkByte(cell, scratch1, scratch2, continuation)
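Review bot: arrayProfile now takes a cell rather than a structure as its first argument and writes to scratch, which the removed body never touched, so every existing caller's contract changes without a comment on the macro. Suggest a one-line comment stating that the first argument is the cell on entry and the indexing type on exit and that scratch is clobbered. The added line 'const indexingType = cellAndIndexingType ' also has trailing whitespace.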
</span><span class="lines">@@ -620,8 +621,8 @@
</span><span class="cx">         storep scratch1, offsetOfFirstFreeCell[allocator]
</span><span class="cx">     
</span><span class="cx">         # Initialize the object.
</span><del>-        storep structure, JSCell::m_structure[result]
</del><span class="cx">         storep 0, JSObject::m_butterfly[result]
</span><ins>+        storeStructureWithTypeInfo(result, structure, scratch1)
</ins><span class="cx">     end
</span><span class="cx"> end
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorellintLowLevelInterpreter32_64asm"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -531,6 +531,13 @@
</span><span class="cx">         payload)
</span><span class="cx"> end
</span><span class="cx"> 
</span><ins>+macro storeStructureWithTypeInfo(cell, structure, scratch)
+    storep structure, JSCell::m_structureID[cell]
+
+    loadi Structure::m_blob + StructureIDBlob::u.words.word2[structure], scratch
+    storei scratch, JSCell::m_indexingType[cell]
+end
+
</ins><span class="cx"> macro writeBarrierOnOperand(cellOperand)
</span><span class="cx">     if GGC
</span><span class="cx">         loadisFromInstruction(cellOperand, t1)
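Review bot: storeStructureWithTypeInfo copies StructureIDBlob word2 with a 32-bit storei at JSCell::m_indexingType, so it appears to rely on the bytes that other hunks read as JSCell::m_type and JSCell::m_flags sitting in that same word, yet nothing here says so. Suggest a comment on the macro naming the fields that the single store covers, backed by a compile-time check of the JSCell layout on the C++ side.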
</span><span class="lines">@@ -748,10 +755,9 @@
</span><span class="cx">     loadi 4[PC], t0
</span><span class="cx">     bineq TagOffset[cfr, t0, 8], CellTag, .opToThisSlow
</span><span class="cx">     loadi PayloadOffset[cfr, t0, 8], t0
</span><del>-    loadp JSCell::m_structure[t0], t0
-    bbneq Structure::m_typeInfo + TypeInfo::m_type[t0], FinalObjectType, .opToThisSlow
</del><ins>+    bbneq JSCell::m_type[t0], FinalObjectType, .opToThisSlow
</ins><span class="cx">     loadpFromInstruction(2, t2)
</span><del>-    bpneq t0, t2, .opToThisSlow
</del><ins>+    bpneq JSCell::m_structureID[t0], t2, .opToThisSlow
</ins><span class="cx">     dispatch(3)
</span><span class="cx"> 
</span><span class="cx"> .opToThisSlow:
</span><span class="lines">@@ -868,8 +874,7 @@
</span><span class="cx">     loadi TagOffset[cfr, t0, 8], t1
</span><span class="cx">     loadi PayloadOffset[cfr, t0, 8], t0
</span><span class="cx">     bineq t1, CellTag, .opEqNullImmediate
</span><del>-    loadp JSCell::m_structure[t0], t1
-    btbnz Structure::m_typeInfo + TypeInfo::m_flags[t1], MasqueradesAsUndefined, .opEqNullMasqueradesAsUndefined
</del><ins>+    btbnz JSCell::m_flags[t0], MasqueradesAsUndefined, .opEqNullMasqueradesAsUndefined
</ins><span class="cx">     move 0, t1
</span><span class="cx">     jmp .opEqNullNotImmediate
</span><span class="cx"> .opEqNullMasqueradesAsUndefined:
</span><span class="lines">@@ -915,8 +920,7 @@
</span><span class="cx">     loadi TagOffset[cfr, t0, 8], t1
</span><span class="cx">     loadi PayloadOffset[cfr, t0, 8], t0
</span><span class="cx">     bineq t1, CellTag, .opNeqNullImmediate
</span><del>-    loadp JSCell::m_structure[t0], t1
-    btbnz Structure::m_typeInfo + TypeInfo::m_flags[t1], MasqueradesAsUndefined, .opNeqNullMasqueradesAsUndefined
</del><ins>+    btbnz JSCell::m_flags[t0], MasqueradesAsUndefined, .opNeqNullMasqueradesAsUndefined
</ins><span class="cx">     move 1, t1
</span><span class="cx">     jmp .opNeqNullNotImmediate
</span><span class="cx"> .opNeqNullMasqueradesAsUndefined:
</span><span class="lines">@@ -942,10 +946,8 @@
</span><span class="cx">     bineq t2, t3, .slow
</span><span class="cx">     bib t2, LowestTag, .slow
</span><span class="cx">     bineq t2, CellTag, .notString
</span><del>-    loadp JSCell::m_structure[t0], t2
-    loadp JSCell::m_structure[t1], t3
-    bbneq Structure::m_typeInfo + TypeInfo::m_type[t2], StringType, .notString
-    bbeq Structure::m_typeInfo + TypeInfo::m_type[t3], StringType, .slow
</del><ins>+    bbneq JSCell::m_type[t0], StringType, .notString
+    bbeq JSCell::m_type[t1], StringType, .slow
</ins><span class="cx"> .notString:
</span><span class="cx">     loadi 4[PC], t2
</span><span class="cx">     equalityOperation(t0, t1, t0)
</span><span class="lines">@@ -1225,8 +1227,7 @@
</span><span class="cx">     traceExecution()
</span><span class="cx">     loadi 12[PC], t1
</span><span class="cx">     loadConstantOrVariablePayload(t1, CellTag, t0, .opCheckHasInstanceSlow)
</span><del>-    loadp JSCell::m_structure[t0], t0
-    btbz Structure::m_typeInfo + TypeInfo::m_flags[t0], ImplementsDefaultHasInstance, .opCheckHasInstanceSlow
</del><ins>+    btbz JSCell::m_flags[t0], ImplementsDefaultHasInstance, .opCheckHasInstanceSlow
</ins><span class="cx">     dispatch(5)
</span><span class="cx"> 
</span><span class="cx"> .opCheckHasInstanceSlow:
</span><span class="lines">@@ -1240,15 +1241,14 @@
</span><span class="cx">     loadi 12[PC], t0
</span><span class="cx">     loadi 4[PC], t3
</span><span class="cx">     loadConstantOrVariablePayload(t0, CellTag, t1, .opInstanceofSlow)
</span><del>-    loadp JSCell::m_structure[t1], t2
-    bbb Structure::m_typeInfo + TypeInfo::m_type[t2], ObjectType, .opInstanceofSlow
</del><ins>+    bbb JSCell::m_type[t1], ObjectType, .opInstanceofSlow
</ins><span class="cx">     loadi 8[PC], t0
</span><span class="cx">     loadConstantOrVariablePayload(t0, CellTag, t2, .opInstanceofSlow)
</span><span class="cx">     
</span><span class="cx">     # Register state: t1 = prototype, t2 = value
</span><span class="cx">     move 1, t0
</span><span class="cx"> .opInstanceofLoop:
</span><del>-    loadp JSCell::m_structure[t2], t2
</del><ins>+    loadp JSCell::m_structureID[t2], t2
</ins><span class="cx">     loadi Structure::m_prototype + PayloadOffset[t2], t2
</span><span class="cx">     bpeq t2, t1, .opInstanceofDone
</span><span class="cx">     btinz t2, .opInstanceofLoop
</span><span class="lines">@@ -1275,12 +1275,12 @@
</span><span class="cx">     storei t3, PayloadOffset[cfr, t0, 8]
</span><span class="cx">     dispatch(3)
</span><span class="cx"> .opIsUndefinedCell:
</span><del>-    loadp JSCell::m_structure[t3], t1
-    btbnz Structure::m_typeInfo + TypeInfo::m_flags[t1], MasqueradesAsUndefined, .opIsUndefinedMasqueradesAsUndefined
</del><ins>+    btbnz JSCell::m_flags[t3], MasqueradesAsUndefined, .opIsUndefinedMasqueradesAsUndefined
</ins><span class="cx">     move 0, t1
</span><span class="cx">     storei t1, PayloadOffset[cfr, t0, 8]
</span><span class="cx">     dispatch(3)
</span><span class="cx"> .opIsUndefinedMasqueradesAsUndefined:
</span><ins>+    loadp JSCell::m_structureID[t3], t1
</ins><span class="cx">     loadp CodeBlock[cfr], t3
</span><span class="cx">     loadp CodeBlock::m_globalObject[t3], t3
</span><span class="cx">     cpeq Structure::m_globalObject[t1], t3, t1
</span><span class="lines">@@ -1318,8 +1318,7 @@
</span><span class="cx">     loadConstantOrVariable(t1, t0, t3)
</span><span class="cx">     storei BooleanTag, TagOffset[cfr, t2, 8]
</span><span class="cx">     bineq t0, CellTag, .opIsStringNotCell
</span><del>-    loadp JSCell::m_structure[t3], t0
-    cbeq Structure::m_typeInfo + TypeInfo::m_type[t0], StringType, t1
</del><ins>+    cbeq JSCell::m_type[t3], StringType, t1
</ins><span class="cx">     storei t1, PayloadOffset[cfr, t2, 8]
</span><span class="cx">     dispatch(3)
</span><span class="cx"> .opIsStringNotCell:
</span><span class="lines">@@ -1387,7 +1386,7 @@
</span><span class="cx">         t3,
</span><span class="cx">         t0,
</span><span class="cx">         macro (propertyStorage, scratch)
</span><del>-            bpneq JSCell::m_structure[t3], t1, .opGetByIdSlow
</del><ins>+            bpneq JSCell::m_structureID[t3], t1, .opGetByIdSlow
</ins><span class="cx">             loadi 4[PC], t1
</span><span class="cx">             loadi TagOffset[propertyStorage, t2], scratch
</span><span class="cx">             loadi PayloadOffset[propertyStorage, t2], t2
</span><span class="lines">@@ -1415,7 +1414,7 @@
</span><span class="cx">     loadi 8[PC], t0
</span><span class="cx">     loadp 16[PC], t1
</span><span class="cx">     loadConstantOrVariablePayload(t0, CellTag, t3, .opGetArrayLengthSlow)
</span><del>-    loadp JSCell::m_structure[t3], t2
</del><ins>+    loadp JSCell::m_structureID[t3], t2
</ins><span class="cx">     arrayProfile(t2, t1, t0)
</span><span class="cx">     btiz t2, IsArray, .opGetArrayLengthSlow
</span><span class="cx">     btiz t2, IndexingShapeMask, .opGetArrayLengthSlow
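Review bot: this caller still loads JSCell::m_structureID[t3] into t2 and passes t2 to arrayProfile, but arrayProfile as changed in LowLevelInterpreter.asm in this patch expects the cell and itself reads JSCell::m_structureID and JSCell::m_indexingType from its first argument. As written, the profile and the IsArray / IndexingShapeMask tests below would see the structure's own header fields instead of the object's; replacing the loadp with 'move t3, t2' would hand the macro the cell. The get_by_val and put_by_val hunks further down call arrayProfile(t2, t3, ...) the same way.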
</span><span class="lines">@@ -1460,7 +1459,7 @@
</span><span class="cx">         t0,
</span><span class="cx">         t3,
</span><span class="cx">         macro (propertyStorage, scratch)
</span><del>-            bpneq JSCell::m_structure[t0], t1, .opPutByIdSlow
</del><ins>+            bpneq JSCell::m_structureID[t0], t1, .opPutByIdSlow
</ins><span class="cx">             loadi 20[PC], t1
</span><span class="cx">             loadConstantOrVariable2Reg(t2, scratch, t2)
</span><span class="cx">             storei scratch, TagOffset[propertyStorage, t1]
</span><span class="lines">@@ -1488,7 +1487,7 @@
</span><span class="cx">     loadi 16[PC], t1
</span><span class="cx">     loadConstantOrVariablePayload(t3, CellTag, t0, .opPutByIdSlow)
</span><span class="cx">     loadi 12[PC], t2
</span><del>-    bpneq JSCell::m_structure[t0], t1, .opPutByIdSlow
</del><ins>+    bpneq JSCell::m_structureID[t0], t1, .opPutByIdSlow
</ins><span class="cx">     additionalChecks(t1, t3, .opPutByIdSlow)
</span><span class="cx">     loadi 20[PC], t1
</span><span class="cx">     getPropertyStorage(
</span><span class="lines">@@ -1500,7 +1499,7 @@
</span><span class="cx">             storei t1, TagOffset[t3]
</span><span class="cx">             loadi 24[PC], t1
</span><span class="cx">             storei t2, PayloadOffset[t3]
</span><del>-            storep t1, JSCell::m_structure[t0]
</del><ins>+            storep t1, JSCell::m_structureID[t0]
</ins><span class="cx">             dispatch(9)
</span><span class="cx">         end)
</span><span class="cx"> 
</span><span class="lines">@@ -1522,7 +1521,7 @@
</span><span class="cx">     bieq Structure::m_prototype + TagOffset[oldStructure], NullTag, .done
</span><span class="cx"> .loop:
</span><span class="cx">     loadi Structure::m_prototype + PayloadOffset[oldStructure], protoCell
</span><del>-    loadp JSCell::m_structure[protoCell], oldStructure
</del><ins>+    loadp JSCell::m_structureID[protoCell], oldStructure
</ins><span class="cx">     bpneq oldStructure, [scratch], slowPath
</span><span class="cx">     addp 4, scratch
</span><span class="cx">     bineq Structure::m_prototype + TagOffset[oldStructure], NullTag, .loop
</span><span class="lines">@@ -1549,7 +1548,7 @@
</span><span class="cx">     traceExecution()
</span><span class="cx">     loadi 8[PC], t2
</span><span class="cx">     loadConstantOrVariablePayload(t2, CellTag, t0, .opGetByValSlow)
</span><del>-    loadp JSCell::m_structure[t0], t2
</del><ins>+    loadp JSCell::m_structureID[t0], t2
</ins><span class="cx">     loadp 16[PC], t3
</span><span class="cx">     arrayProfile(t2, t3, t1)
</span><span class="cx">     loadi 12[PC], t3
</span><span class="lines">@@ -1633,7 +1632,7 @@
</span><span class="cx">     loadConstantOrVariablePayload(t0, CellTag, t2, .opGetByPnameSlow)
</span><span class="cx">     loadi 20[PC], t0
</span><span class="cx">     loadi PayloadOffset[cfr, t0, 8], t3
</span><del>-    loadp JSCell::m_structure[t2], t0
</del><ins>+    loadp JSCell::m_structureID[t2], t0
</ins><span class="cx">     bpneq t0, JSPropertyNameIterator::m_cachedStructure[t3], .opGetByPnameSlow
</span><span class="cx">     loadi 24[PC], t0
</span><span class="cx">     loadi [cfr, t0, 8], t0
</span><span class="lines">@@ -1675,7 +1674,7 @@
</span><span class="cx">     writeBarrierOnOperands(1, 3)
</span><span class="cx">     loadi 4[PC], t0
</span><span class="cx">     loadConstantOrVariablePayload(t0, CellTag, t1, .opPutByValSlow)
</span><del>-    loadp JSCell::m_structure[t1], t2
</del><ins>+    loadp JSCell::m_structureID[t1], t2
</ins><span class="cx">     loadp 16[PC], t3
</span><span class="cx">     arrayProfile(t2, t3, t0)
</span><span class="cx">     loadi 8[PC], t0
</span><span class="lines">@@ -1781,8 +1780,8 @@
</span><span class="cx">     loadi TagOffset[cfr, t0, 8], t1
</span><span class="cx">     loadi PayloadOffset[cfr, t0, 8], t0
</span><span class="cx">     bineq t1, CellTag, .immediate
</span><del>-    loadp JSCell::m_structure[t0], t2
-    cellHandler(t2, Structure::m_typeInfo + TypeInfo::m_flags[t2], .target)
</del><ins>+    loadp JSCell::m_structureID[t0], t2
+    cellHandler(t2, JSCell::m_flags[t0], .target)
</ins><span class="cx">     dispatch(3)
</span><span class="cx"> 
</span><span class="cx"> .target:
</span><span class="lines">@@ -1912,8 +1911,7 @@
</span><span class="cx">     loadp CodeBlock::RareData::m_switchJumpTables + VectorBufferOffset[t2], t2
</span><span class="cx">     addp t3, t2
</span><span class="cx">     bineq t1, CellTag, .opSwitchCharFallThrough
</span><del>-    loadp JSCell::m_structure[t0], t1
-    bbneq Structure::m_typeInfo + TypeInfo::m_type[t1], StringType, .opSwitchCharFallThrough
</del><ins>+    bbneq JSCell::m_type[t0], StringType, .opSwitchCharFallThrough
</ins><span class="cx">     bineq JSString::m_length[t0], 1, .opSwitchCharFallThrough
</span><span class="cx">     loadp JSString::m_value[t0], t0
</span><span class="cx">     btpz  t0, .opSwitchOnRope
</span><span class="lines">@@ -1961,9 +1959,9 @@
</span><span class="cx">     negi t3
</span><span class="cx">     bineq ThisArgumentOffset + TagOffset[cfr, t3, 8], CellTag, .done
</span><span class="cx">     loadi ThisArgumentOffset + PayloadOffset[cfr, t3, 8], t0
</span><del>-    loadp JSCell::m_structure[t0], t0
</del><ins>+    loadp JSCell::m_structureID[t0], t0
</ins><span class="cx">     loadpFromInstruction(CallOpCodeSize - 2, t1)
</span><del>-    storep t0, ArrayProfile::m_lastSeenStructure[t1]
</del><ins>+    storep t0, ArrayProfile::m_lastSeenStructureID[t1]
</ins><span class="cx"> .done:
</span><span class="cx"> end
</span><span class="cx"> 
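Review bot: the added store uses storep for ArrayProfile::m_lastSeenStructureID, while the shared arrayProfile macro in LowLevelInterpreter.asm writes the same field with storei. Suggest storei here too, so the access width follows the field rather than the pointer size of this backend.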
</span><span class="lines">@@ -2026,8 +2024,7 @@
</span><span class="cx">     loadi 4[PC], t2
</span><span class="cx">     loadConstantOrVariable(t2, t1, t0)
</span><span class="cx">     bineq t1, CellTag, .opRetObjectOrThisNotObject
</span><del>-    loadp JSCell::m_structure[t0], t2
-    bbb Structure::m_typeInfo + TypeInfo::m_type[t2], ObjectType, .opRetObjectOrThisNotObject
</del><ins>+    bbb JSCell::m_type[t0], ObjectType, .opRetObjectOrThisNotObject
</ins><span class="cx">     doReturn()
</span><span class="cx"> 
</span><span class="cx"> .opRetObjectOrThisNotObject:
</span><span class="lines">@@ -2042,8 +2039,7 @@
</span><span class="cx">     loadi 4[PC], t3
</span><span class="cx">     loadConstantOrVariable(t2, t1, t0)
</span><span class="cx">     bineq t1, CellTag, .opToPrimitiveIsImm
</span><del>-    loadp JSCell::m_structure[t0], t2
-    bbneq Structure::m_typeInfo + TypeInfo::m_type[t2], StringType, .opToPrimitiveSlowCase
</del><ins>+    bbneq JSCell::m_type[t0], StringType, .opToPrimitiveSlowCase
</ins><span class="cx"> .opToPrimitiveIsImm:
</span><span class="cx">     storei t1, TagOffset[cfr, t3, 8]
</span><span class="cx">     storei t0, PayloadOffset[cfr, t3, 8]
</span><span class="lines">@@ -2071,7 +2067,7 @@
</span><span class="cx">     storei t3, PayloadOffset[cfr, t1, 8]
</span><span class="cx">     loadi 8[PC], t3
</span><span class="cx">     loadi PayloadOffset[cfr, t3, 8], t3
</span><del>-    loadp JSCell::m_structure[t3], t1
</del><ins>+    loadp JSCell::m_structureID[t3], t1
</ins><span class="cx">     bpneq t1, JSPropertyNameIterator::m_cachedStructure[t2], .opNextPnameSlow
</span><span class="cx">     loadp JSPropertyNameIterator::m_cachedPrototypeChain[t2], t0
</span><span class="cx">     loadp StructureChain::m_vector[t0], t0
</span><span class="lines">@@ -2079,7 +2075,7 @@
</span><span class="cx"> .opNextPnameCheckPrototypeLoop:
</span><span class="cx">     bieq Structure::m_prototype + TagOffset[t1], NullTag, .opNextPnameSlow
</span><span class="cx">     loadp Structure::m_prototype + PayloadOffset[t1], t2
</span><del>-    loadp JSCell::m_structure[t2], t1
</del><ins>+    loadp JSCell::m_structureID[t2], t1
</ins><span class="cx">     bpneq t1, [t0], .opNextPnameSlow
</span><span class="cx">     addp 4, t0
</span><span class="cx">     btpnz [t0], .opNextPnameCheckPrototypeLoop
</span><span class="lines">@@ -2324,7 +2320,7 @@
</span><span class="cx">     loadisFromInstruction(operand, t0)
</span><span class="cx">     loadp [cfr, t0, 8], t0
</span><span class="cx">     loadpFromInstruction(5, t1)
</span><del>-    bpneq JSCell::m_structure[t0], t1, slowPath
</del><ins>+    bpneq JSCell::m_structureID[t0], t1, slowPath
</ins><span class="cx"> end
</span><span class="cx"> 
</span><span class="cx"> macro getProperty()
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorellintLowLevelInterpreter64asm"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -442,7 +442,30 @@
</span><span class="cx">     storeq value, ValueProfile::m_buckets[scratch]
</span><span class="cx"> end
</span><span class="cx"> 
</span><ins>+macro loadStructure(cell, structure)
+end
</ins><span class="cx"> 
</span><ins>+macro loadStructureWithScratch(cell, structure, scratch)
+    loadp CodeBlock[cfr], scratch
+    loadp CodeBlock::m_vm[scratch], scratch
+    loadp VM::heap + Heap::m_structureIDTable + StructureIDTable::m_table[scratch], scratch
+    loadi JSCell::m_structureID[cell], structure
+    loadp [scratch, structure, 8], structure
+end
+
+macro loadStructureAndClobberFirstArg(cell, structure)
+    loadi JSCell::m_structureID[cell], structure
+    loadp CodeBlock[cfr], cell
+    loadp CodeBlock::m_vm[cell], cell
+    loadp VM::heap + Heap::m_structureIDTable + StructureIDTable::m_table[cell], cell
+    loadp [cell, structure, 8], structure
+end
+
+macro storeStructureWithTypeInfo(cell, structure, scratch)
+    loadq Structure::m_blob + StructureIDBlob::u.doubleWord[structure], scratch
+    storeq scratch, JSCell::m_structureID[cell]
+end
+
</ins><span class="cx"> # Entrypoints into the interpreter.
</span><span class="cx"> 
</span><span class="cx"> # Expects that CodeBlock is in t1, which is what prologue() leaves behind.
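Review bot: loadStructure(cell, structure) is added with an empty body, so any use would expand to nothing and leave the structure register unset without an error. Either give it an implementation or drop it and keep only loadStructureWithScratch and loadStructureAndClobberFirstArg, which also share the same table lookup sequence and could be expressed in terms of one macro.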
</span><span class="lines">@@ -595,10 +618,10 @@
</span><span class="cx">     loadisFromInstruction(1, t0)
</span><span class="cx">     loadq [cfr, t0, 8], t0
</span><span class="cx">     btqnz t0, tagMask, .opToThisSlow
</span><del>-    loadp JSCell::m_structure[t0], t0
-    bbneq Structure::m_typeInfo + TypeInfo::m_type[t0], FinalObjectType, .opToThisSlow
</del><ins>+    bbneq JSCell::m_type[t0], FinalObjectType, .opToThisSlow
+    loadStructureWithScratch(t0, t1, t2)
</ins><span class="cx">     loadpFromInstruction(2, t2)
</span><del>-    bpneq t0, t2, .opToThisSlow
</del><ins>+    bpneq t1, t2, .opToThisSlow
</ins><span class="cx">     dispatch(3)
</span><span class="cx"> 
</span><span class="cx"> .opToThisSlow:
</span><span class="lines">@@ -713,11 +736,11 @@
</span><span class="cx">     loadisFromInstruction(2, t0)
</span><span class="cx">     loadq [cfr, t0, 8], t0
</span><span class="cx">     btqnz t0, tagMask, .immediate
</span><del>-    loadp JSCell::m_structure[t0], t2
-    btbnz Structure::m_typeInfo + TypeInfo::m_flags[t2], MasqueradesAsUndefined, .masqueradesAsUndefined
</del><ins>+    btbnz JSCell::m_flags[t0], MasqueradesAsUndefined, .masqueradesAsUndefined
</ins><span class="cx">     move 0, t0
</span><span class="cx">     jmp .done
</span><span class="cx"> .masqueradesAsUndefined:
</span><ins>+    loadStructureWithScratch(t0, t2, t1)
</ins><span class="cx">     loadp CodeBlock[cfr], t0
</span><span class="cx">     loadp CodeBlock::m_globalObject[t0], t0
</span><span class="cx">     cpeq Structure::m_globalObject[t2], t0, t0
</span><span class="lines">@@ -1054,8 +1077,7 @@
</span><span class="cx">     traceExecution()
</span><span class="cx">     loadisFromInstruction(3, t1)
</span><span class="cx">     loadConstantOrVariableCell(t1, t0, .opCheckHasInstanceSlow)
</span><del>-    loadp JSCell::m_structure[t0], t0
-    btbz Structure::m_typeInfo + TypeInfo::m_flags[t0], ImplementsDefaultHasInstance, .opCheckHasInstanceSlow
</del><ins>+    btbz JSCell::m_flags[t0], ImplementsDefaultHasInstance, .opCheckHasInstanceSlow
</ins><span class="cx">     dispatch(5)
</span><span class="cx"> 
</span><span class="cx"> .opCheckHasInstanceSlow:
</span><span class="lines">@@ -1067,24 +1089,23 @@
</span><span class="cx">     traceExecution()
</span><span class="cx">     # Actually do the work.
</span><span class="cx">     loadisFromInstruction(3, t0)
</span><del>-    loadisFromInstruction(1, t3)
</del><span class="cx">     loadConstantOrVariableCell(t0, t1, .opInstanceofSlow)
</span><del>-    loadp JSCell::m_structure[t1], t2
-    bbb Structure::m_typeInfo + TypeInfo::m_type[t2], ObjectType, .opInstanceofSlow
</del><ins>+    bbb JSCell::m_type[t1], ObjectType, .opInstanceofSlow
</ins><span class="cx">     loadisFromInstruction(2, t0)
</span><span class="cx">     loadConstantOrVariableCell(t0, t2, .opInstanceofSlow)
</span><span class="cx">     
</span><span class="cx">     # Register state: t1 = prototype, t2 = value
</span><span class="cx">     move 1, t0
</span><span class="cx"> .opInstanceofLoop:
</span><del>-    loadp JSCell::m_structure[t2], t2
-    loadq Structure::m_prototype[t2], t2
</del><ins>+    loadStructureAndClobberFirstArg(t2, t3)
+    loadq Structure::m_prototype[t3], t2
</ins><span class="cx">     bqeq t2, t1, .opInstanceofDone
</span><span class="cx">     btqz t2, tagMask, .opInstanceofLoop
</span><span class="cx"> 
</span><span class="cx">     move 0, t0
</span><span class="cx"> .opInstanceofDone:
</span><span class="cx">     orq ValueFalse, t0
</span><ins>+    loadisFromInstruction(1, t3)
</ins><span class="cx">     storeq t0, [cfr, t3, 8]
</span><span class="cx">     dispatch(4)
</span><span class="cx"> 
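Review bot: loadStructureAndClobberFirstArg sits inside .opInstanceofLoop, so the CodeBlock, VM and StructureIDTable base loads are repeated on every prototype hop although they are loop-invariant. If a register can be spared, load the table base once before the loop and keep only the m_structureID load and the indexed table load in the loop body.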
</span><span class="lines">@@ -1104,17 +1125,17 @@
</span><span class="cx">     storeq t3, [cfr, t2, 8]
</span><span class="cx">     dispatch(3)
</span><span class="cx"> .opIsUndefinedCell:
</span><del>-    loadp JSCell::m_structure[t0], t0
-    btbnz Structure::m_typeInfo + TypeInfo::m_flags[t0], MasqueradesAsUndefined, .masqueradesAsUndefined
</del><ins>+    btbnz JSCell::m_flags[t0], MasqueradesAsUndefined, .masqueradesAsUndefined
</ins><span class="cx">     move ValueFalse, t1
</span><span class="cx">     storeq t1, [cfr, t2, 8]
</span><span class="cx">     dispatch(3)
</span><span class="cx"> .masqueradesAsUndefined:
</span><ins>+    loadStructureWithScratch(t0, t3, t1)
</ins><span class="cx">     loadp CodeBlock[cfr], t1
</span><span class="cx">     loadp CodeBlock::m_globalObject[t1], t1
</span><del>-    cpeq Structure::m_globalObject[t0], t1, t3
-    orq ValueFalse, t3
-    storeq t3, [cfr, t2, 8]
</del><ins>+    cpeq Structure::m_globalObject[t3], t1, t0
+    orq ValueFalse, t0
+    storeq t0, [cfr, t2, 8]
</ins><span class="cx">     dispatch(3)
</span><span class="cx"> 
</span><span class="cx"> 
</span><span class="lines">@@ -1147,8 +1168,7 @@
</span><span class="cx">     loadisFromInstruction(1, t2)
</span><span class="cx">     loadConstantOrVariable(t1, t0)
</span><span class="cx">     btqnz t0, tagMask, .opIsStringNotCell
</span><del>-    loadp JSCell::m_structure[t0], t0
-    cbeq Structure::m_typeInfo + TypeInfo::m_type[t0], StringType, t1
</del><ins>+    cbeq JSCell::m_type[t0], StringType, t1
</ins><span class="cx">     orq ValueFalse, t1
</span><span class="cx">     storeq t1, [cfr, t2, 8]
</span><span class="cx">     dispatch(3)
</span><span class="lines">@@ -1200,14 +1220,15 @@
</span><span class="cx">     # to take fast path on the new cache. At worst we take slow path, which is what
</span><span class="cx">     # we would have been doing anyway.
</span><span class="cx">     loadisFromInstruction(2, t0)
</span><ins>+    loadConstantOrVariableCell(t0, t3, .opGetByIdSlow)
+    loadStructureWithScratch(t3, t2, t1)
</ins><span class="cx">     loadpFromInstruction(4, t1)
</span><del>-    loadConstantOrVariableCell(t0, t3, .opGetByIdSlow)
-    loadisFromInstruction(5, t2)
</del><ins>+    bpneq t2, t1, .opGetByIdSlow
</ins><span class="cx">     getPropertyStorage(
</span><span class="cx">         t3,
</span><span class="cx">         t0,
</span><span class="cx">         macro (propertyStorage, scratch)
</span><del>-            bpneq JSCell::m_structure[t3], t1, .opGetByIdSlow
</del><ins>+            loadisFromInstruction(5, t2)
</ins><span class="cx">             loadisFromInstruction(1, t1)
</span><span class="cx">             loadq [propertyStorage, t2], scratch
</span><span class="cx">             storeq scratch, [cfr, t1, 8]
</span><span class="lines">@@ -1233,7 +1254,7 @@
</span><span class="cx">     loadisFromInstruction(2, t0)
</span><span class="cx">     loadpFromInstruction(4, t1)
</span><span class="cx">     loadConstantOrVariableCell(t0, t3, .opGetArrayLengthSlow)
</span><del>-    loadp JSCell::m_structure[t3], t2
</del><ins>+    move t3, t2
</ins><span class="cx">     arrayProfile(t2, t1, t0)
</span><span class="cx">     btiz t2, IsArray, .opGetArrayLengthSlow
</span><span class="cx">     btiz t2, IndexingShapeMask, .opGetArrayLengthSlow
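Review bot: at "move t3, t2" the value handed to arrayProfile(t2, t1, t0) changes from a Structure pointer to the cell itself, yet the two btiz lines that follow still read t2 as indexing-type bits, so the macro's first argument is an in/out register whose meaning is not visible at the call site. Add a short comment such as "arrayProfile: in = cell, out = indexing type" here and at the .opGetByValSlow and .opPutByValSlow handlers, which use the same move-then-profile pattern.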
</span><span class="lines">@@ -1271,15 +1292,16 @@
</span><span class="cx">     traceExecution()
</span><span class="cx">     writeBarrierOnOperands(1, 3)
</span><span class="cx">     loadisFromInstruction(1, t3)
</span><ins>+    loadConstantOrVariableCell(t3, t0, .opPutByIdSlow)
+    loadStructureWithScratch(t0, t2, t1)
</ins><span class="cx">     loadpFromInstruction(4, t1)
</span><del>-    loadConstantOrVariableCell(t3, t0, .opPutByIdSlow)
-    loadisFromInstruction(3, t2)
</del><ins>+    bpneq t2, t1, .opPutByIdSlow
</ins><span class="cx">     getPropertyStorage(
</span><span class="cx">         t0,
</span><span class="cx">         t3,
</span><span class="cx">         macro (propertyStorage, scratch)
</span><del>-            bpneq JSCell::m_structure[t0], t1, .opPutByIdSlow
</del><span class="cx">             loadisFromInstruction(5, t1)
</span><ins>+            loadisFromInstruction(3, t2)
</ins><span class="cx">             loadConstantOrVariable(t2, scratch)
</span><span class="cx">             storeq scratch, [propertyStorage, t1]
</span><span class="cx">             dispatch(9)
</span><span class="lines">@@ -1304,9 +1326,10 @@
</span><span class="cx">     loadisFromInstruction(1, t3)
</span><span class="cx">     loadpFromInstruction(4, t1)
</span><span class="cx">     loadConstantOrVariableCell(t3, t0, .opPutByIdSlow)
</span><ins>+    loadStructureWithScratch(t0, t2, t3)
+    bpneq t2, t1, .opPutByIdSlow
+    additionalChecks(t1, t3, t2)
</ins><span class="cx">     loadisFromInstruction(3, t2)
</span><del>-    bpneq JSCell::m_structure[t0], t1, .opPutByIdSlow
-    additionalChecks(t1, t3)
</del><span class="cx">     loadisFromInstruction(5, t1)
</span><span class="cx">     getPropertyStorage(
</span><span class="cx">         t0,
</span><span class="lines">@@ -1316,15 +1339,16 @@
</span><span class="cx">             loadConstantOrVariable(t2, t1)
</span><span class="cx">             storeq t1, [t3]
</span><span class="cx">             loadpFromInstruction(6, t1)
</span><del>-            storep t1, JSCell::m_structure[t0]
</del><ins>+            loadi Structure::m_blob + StructureIDBlob::u.words.word1[t1], t1
+            storei t1, JSCell::m_structureID[t0]
</ins><span class="cx">             dispatch(9)
</span><span class="cx">         end)
</span><span class="cx"> end
</span><span class="cx"> 
</span><del>-macro noAdditionalChecks(oldStructure, scratch)
</del><ins>+macro noAdditionalChecks(oldStructure, scratch, scratch2)
</ins><span class="cx"> end
</span><span class="cx"> 
</span><del>-macro structureChainChecks(oldStructure, scratch)
</del><ins>+macro structureChainChecks(oldStructure, scratch, scratch2)
</ins><span class="cx">     const protoCell = oldStructure    # Reusing the oldStructure register for the proto
</span><span class="cx">     loadpFromInstruction(7, scratch)
</span><span class="cx">     assert(macro (ok) btpnz scratch, ok end)
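Review bot: the transition store at "storei t1, JSCell::m_structureID[t0]" updates only the 32-bit ID, while other handlers in this patch read JSCell::m_type and JSCell::m_flags straight from the cell, so this is only correct if the new structure never differs from the old one in those inline fields. State that invariant in a comment (or assert it in debug builds), and replace the bare "StructureIDBlob::u.words.word1" offset with a named constant so the reader does not have to know which word of the blob holds the ID.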
</span><span class="lines">@@ -1333,7 +1357,8 @@
</span><span class="cx">     bqeq Structure::m_prototype[oldStructure], ValueNull, .done
</span><span class="cx"> .loop:
</span><span class="cx">     loadq Structure::m_prototype[oldStructure], protoCell
</span><del>-    loadp JSCell::m_structure[protoCell], oldStructure
</del><ins>+    loadStructureAndClobberFirstArg(protoCell, scratch2)
+    move scratch2, oldStructure
</ins><span class="cx">     bpneq oldStructure, [scratch], .opPutByIdSlow
</span><span class="cx">     addp 8, scratch
</span><span class="cx">     bqneq Structure::m_prototype[oldStructure], ValueNull, .loop
</span><span class="lines">@@ -1360,8 +1385,8 @@
</span><span class="cx">     traceExecution()
</span><span class="cx">     loadisFromInstruction(2, t2)
</span><span class="cx">     loadConstantOrVariableCell(t2, t0, .opGetByValSlow)
</span><del>-    loadp JSCell::m_structure[t0], t2
</del><span class="cx">     loadpFromInstruction(4, t3)
</span><ins>+    move t0, t2
</ins><span class="cx">     arrayProfile(t2, t3, t1)
</span><span class="cx">     loadisFromInstruction(3, t3)
</span><span class="cx">     loadConstantOrVariableInt32(t3, t1, .opGetByValSlow)
</span><span class="lines">@@ -1444,7 +1469,7 @@
</span><span class="cx">     loadConstantOrVariableCell(t2, t0, .opGetByPnameSlow)
</span><span class="cx">     assertNotConstant(t3)
</span><span class="cx">     loadq [cfr, t3, 8], t1
</span><del>-    loadp JSCell::m_structure[t0], t2
</del><ins>+    loadStructureWithScratch(t0, t2, t3)
</ins><span class="cx">     bpneq t2, JSPropertyNameIterator::m_cachedStructure[t1], .opGetByPnameSlow
</span><span class="cx">     loadisFromInstruction(6, t3)
</span><span class="cx">     loadi PayloadOffset[cfr, t3, 8], t3
</span><span class="lines">@@ -1485,8 +1510,8 @@
</span><span class="cx">     writeBarrierOnOperands(1, 3)
</span><span class="cx">     loadisFromInstruction(1, t0)
</span><span class="cx">     loadConstantOrVariableCell(t0, t1, .opPutByValSlow)
</span><del>-    loadp JSCell::m_structure[t1], t2
</del><span class="cx">     loadpFromInstruction(4, t3)
</span><ins>+    move t1, t2
</ins><span class="cx">     arrayProfile(t2, t3, t0)
</span><span class="cx">     loadisFromInstruction(2, t0)
</span><span class="cx">     loadConstantOrVariableInt32(t0, t3, .opPutByValSlow)
</span><span class="lines">@@ -1589,8 +1614,8 @@
</span><span class="cx">     assertNotConstant(t0)
</span><span class="cx">     loadq [cfr, t0, 8], t0
</span><span class="cx">     btqnz t0, tagMask, .immediate
</span><del>-    loadp JSCell::m_structure[t0], t2
-    cellHandler(t2, Structure::m_typeInfo + TypeInfo::m_flags[t2], .target)
</del><ins>+    loadStructureWithScratch(t0, t2, t1)
+    cellHandler(t2, JSCell::m_flags[t0], .target)
</ins><span class="cx">     dispatch(3)
</span><span class="cx"> 
</span><span class="cx"> .target:
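Review bot: loadStructureWithScratch(t0, t2, t1) runs for every cell here even though the flags operand now comes from JSCell::m_flags[t0]; in .opIsUndefinedCell this same patch defers the structure load to the .masqueradesAsUndefined branch. If cellHandler only needs the structure on the masquerade path, pass it the cell and load the structure inside that case so the common path skips the decode.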
</span><span class="lines">@@ -1722,8 +1747,7 @@
</span><span class="cx">     loadp CodeBlock::RareData::m_switchJumpTables + VectorBufferOffset[t2], t2
</span><span class="cx">     addp t3, t2
</span><span class="cx">     btqnz t1, tagMask, .opSwitchCharFallThrough
</span><del>-    loadp JSCell::m_structure[t1], t0
-    bbneq Structure::m_typeInfo + TypeInfo::m_type[t0], StringType, .opSwitchCharFallThrough
</del><ins>+    bbneq JSCell::m_type[t1], StringType, .opSwitchCharFallThrough
</ins><span class="cx">     bineq JSString::m_length[t1], 1, .opSwitchCharFallThrough
</span><span class="cx">     loadp JSString::m_value[t1], t0
</span><span class="cx">     btpz  t0, .opSwitchOnRope
</span><span class="lines">@@ -1772,9 +1796,9 @@
</span><span class="cx">     negp t3
</span><span class="cx">     loadq ThisArgumentOffset[cfr, t3, 8], t0
</span><span class="cx">     btqnz t0, tagMask, .done
</span><del>-    loadp JSCell::m_structure[t0], t0
</del><span class="cx">     loadpFromInstruction((CallOpCodeSize - 2), t1)
</span><del>-    storep t0, ArrayProfile::m_lastSeenStructure[t1]
</del><ins>+    loadi JSCell::m_structureID[t0], t3
+    storei t3, ArrayProfile::m_lastSeenStructureID[t1]
</ins><span class="cx"> .done:
</span><span class="cx"> end
</span><span class="cx"> 
</span><span class="lines">@@ -1835,8 +1859,7 @@
</span><span class="cx">     loadisFromInstruction(1, t2)
</span><span class="cx">     loadConstantOrVariable(t2, t0)
</span><span class="cx">     btqnz t0, tagMask, .opRetObjectOrThisNotObject
</span><del>-    loadp JSCell::m_structure[t0], t2
-    bbb Structure::m_typeInfo + TypeInfo::m_type[t2], ObjectType, .opRetObjectOrThisNotObject
</del><ins>+    bbb JSCell::m_type[t0], ObjectType, .opRetObjectOrThisNotObject
</ins><span class="cx">     doReturn()
</span><span class="cx"> 
</span><span class="cx"> .opRetObjectOrThisNotObject:
</span><span class="lines">@@ -1851,8 +1874,7 @@
</span><span class="cx">     loadisFromInstruction(1, t3)
</span><span class="cx">     loadConstantOrVariable(t2, t0)
</span><span class="cx">     btqnz t0, tagMask, .opToPrimitiveIsImm
</span><del>-    loadp JSCell::m_structure[t0], t2
-    bbneq Structure::m_typeInfo + TypeInfo::m_type[t2], StringType, .opToPrimitiveSlowCase
</del><ins>+    bbneq JSCell::m_type[t0], StringType, .opToPrimitiveSlowCase
</ins><span class="cx"> .opToPrimitiveIsImm:
</span><span class="cx">     storeq t0, [cfr, t3, 8]
</span><span class="cx">     dispatch(3)
</span><span class="lines">@@ -1882,7 +1904,7 @@
</span><span class="cx">     loadisFromInstruction(2, t3)
</span><span class="cx">     assertNotConstant(t3)
</span><span class="cx">     loadq [cfr, t3, 8], t3
</span><del>-    loadp JSCell::m_structure[t3], t1
</del><ins>+    loadStructureWithScratch(t3, t1, t0)
</ins><span class="cx">     bpneq t1, JSPropertyNameIterator::m_cachedStructure[t2], .opNextPnameSlow
</span><span class="cx">     loadp JSPropertyNameIterator::m_cachedPrototypeChain[t2], t0
</span><span class="cx">     loadp StructureChain::m_vector[t0], t0
</span><span class="lines">@@ -1890,7 +1912,7 @@
</span><span class="cx"> .opNextPnameCheckPrototypeLoop:
</span><span class="cx">     bqeq Structure::m_prototype[t1], ValueNull, .opNextPnameSlow
</span><span class="cx">     loadq Structure::m_prototype[t1], t2
</span><del>-    loadp JSCell::m_structure[t2], t1
</del><ins>+    loadStructureWithScratch(t2, t1, t3)
</ins><span class="cx">     bpneq t1, [t0], .opNextPnameSlow
</span><span class="cx">     addp 8, t0
</span><span class="cx">     btpnz [t0], .opNextPnameCheckPrototypeLoop
</span><span class="lines">@@ -2096,8 +2118,9 @@
</span><span class="cx"> macro loadWithStructureCheck(operand, slowPath)
</span><span class="cx">     loadisFromInstruction(operand, t0)
</span><span class="cx">     loadq [cfr, t0, 8], t0
</span><ins>+    loadStructureWithScratch(t0, t2, t1)
</ins><span class="cx">     loadpFromInstruction(5, t1)
</span><del>-    bpneq JSCell::m_structure[t0], t1, slowPath
</del><ins>+    bpneq t2, t1, slowPath
</ins><span class="cx"> end
</span><span class="cx"> 
</span><span class="cx"> macro getProperty()
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeArgumentscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/Arguments.cpp (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/Arguments.cpp        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/runtime/Arguments.cpp        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -114,7 +114,7 @@
</span><span class="cx">     m_overrodeCaller = true;
</span><span class="cx">     PropertyDescriptor descriptor;
</span><span class="cx">     descriptor.setAccessorDescriptor(globalObject()-&gt;throwTypeErrorGetterSetter(vm), DontEnum | DontDelete | Accessor);
</span><del>-    methodTable()-&gt;defineOwnProperty(this, exec, vm.propertyNames-&gt;caller, descriptor, false);
</del><ins>+    methodTable(exec-&gt;vm())-&gt;defineOwnProperty(this, exec, vm.propertyNames-&gt;caller, descriptor, false);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void Arguments::createStrictModeCalleeIfNecessary(ExecState* exec)
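Review bot: "methodTable(exec-&gt;vm())" re-derives the VM although a local vm is already in scope in this function (it is passed to throwTypeErrorGetterSetter(vm) and used for vm.propertyNames on the neighbouring lines). Write methodTable(vm) here and in the matching callee hunk below so one function does not mix two spellings of the same VM.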
</span><span class="lines">@@ -126,7 +126,7 @@
</span><span class="cx">     m_overrodeCallee = true;
</span><span class="cx">     PropertyDescriptor descriptor;
</span><span class="cx">     descriptor.setAccessorDescriptor(globalObject()-&gt;throwTypeErrorGetterSetter(vm), DontEnum | DontDelete | Accessor);
</span><del>-    methodTable()-&gt;defineOwnProperty(this, exec, vm.propertyNames-&gt;callee, descriptor, false);
</del><ins>+    methodTable(exec-&gt;vm())-&gt;defineOwnProperty(this, exec, vm.propertyNames-&gt;callee, descriptor, false);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> bool Arguments::getOwnPropertySlot(JSObject* object, ExecState* exec, PropertyName propertyName, PropertySlot&amp; slot)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeArgumentsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/Arguments.h (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/Arguments.h        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/runtime/Arguments.h        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -86,7 +86,7 @@
</span><span class="cx"> 
</span><span class="cx">     static Structure* createStructure(VM&amp; vm, JSGlobalObject* globalObject, JSValue prototype) 
</span><span class="cx">     { 
</span><del>-        return Structure::create(vm, globalObject, prototype, TypeInfo(ObjectType, StructureFlags), info()); 
</del><ins>+        return Structure::create(vm, globalObject, prototype, TypeInfo(ArgumentsType, StructureFlags), info()); 
</ins><span class="cx">     }
</span><span class="cx">     
</span><span class="cx">     static ptrdiff_t offsetOfNumArguments() { return OBJECT_OFFSETOF(Arguments, m_numArguments); }
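Review bot: switching the TypeInfo from ObjectType to ArgumentsType changes the byte that the new inline checks compare; for example "bbb JSCell::m_type[t1], ObjectType" in op_instanceof and the same test ahead of .opRetObjectOrThisNotObject treat anything below ObjectType as a non-object. Confirm that ArgumentsType is ordered at or above ObjectType in the JSType enum and that no caller tests for equality with ObjectType, otherwise arguments objects would start failing object checks; a compile-time assertion next to the enum would pin the ordering down.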
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeArrayPrototypecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -212,16 +212,16 @@
</span><span class="cx">             JSValue value = slot.getValue(exec, from);
</span><span class="cx">             if (exec-&gt;hadException())
</span><span class="cx">                 return;
</span><del>-            thisObj-&gt;methodTable()-&gt;putByIndex(thisObj, exec, to, value, true);
</del><ins>+            thisObj-&gt;methodTable(exec-&gt;vm())-&gt;putByIndex(thisObj, exec, to, value, true);
</ins><span class="cx">             if (exec-&gt;hadException())
</span><span class="cx">                 return;
</span><del>-        } else if (!thisObj-&gt;methodTable()-&gt;deletePropertyByIndex(thisObj, exec, to)) {
</del><ins>+        } else if (!thisObj-&gt;methodTable(exec-&gt;vm())-&gt;deletePropertyByIndex(thisObj, exec, to)) {
</ins><span class="cx">             throwTypeError(exec, ASCIILiteral(&quot;Unable to delete property.&quot;));
</span><span class="cx">             return;
</span><span class="cx">         }
</span><span class="cx">     }
</span><span class="cx">     for (unsigned k = length; k &gt; length - count; --k) {
</span><del>-        if (!thisObj-&gt;methodTable()-&gt;deletePropertyByIndex(thisObj, exec, k - 1)) {
</del><ins>+        if (!thisObj-&gt;methodTable(exec-&gt;vm())-&gt;deletePropertyByIndex(thisObj, exec, k - 1)) {
</ins><span class="cx">             throwTypeError(exec, ASCIILiteral(&quot;Unable to delete property.&quot;));
</span><span class="cx">             return;
</span><span class="cx">         }
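Review bot: "thisObj-&gt;methodTable(exec-&gt;vm())" is now evaluated on every pass through the loop bodies shown here, once for the put and once for each delete. Hoist "VM&amp; vm = exec-&gt;vm();" to the top of the function and pass vm, which also shortens the other call sites in this file that repeat the same expression.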
</span><span class="lines">@@ -256,8 +256,8 @@
</span><span class="cx">             JSValue value = slot.getValue(exec, from);
</span><span class="cx">             if (exec-&gt;hadException())
</span><span class="cx">                 return;
</span><del>-            thisObj-&gt;methodTable()-&gt;putByIndex(thisObj, exec, to, value, true);
-        } else if (!thisObj-&gt;methodTable()-&gt;deletePropertyByIndex(thisObj, exec, to)) {
</del><ins>+            thisObj-&gt;methodTable(exec-&gt;vm())-&gt;putByIndex(thisObj, exec, to, value, true);
+        } else if (!thisObj-&gt;methodTable(exec-&gt;vm())-&gt;deletePropertyByIndex(thisObj, exec, to)) {
</ins><span class="cx">             throwTypeError(exec, ASCIILiteral(&quot;Unable to delete property.&quot;));
</span><span class="cx">             return;
</span><span class="cx">         }
</span><span class="lines">@@ -280,11 +280,11 @@
</span><span class="cx"> 
</span><span class="cx">     // 3. If IsCallable(func) is false, then let func be the standard built-in method Object.prototype.toString (15.2.4.2).
</span><span class="cx">     if (!function.isCell())
</span><del>-        return JSValue::encode(jsMakeNontrivialString(exec, &quot;[object &quot;, thisObject-&gt;methodTable()-&gt;className(thisObject), &quot;]&quot;));
</del><ins>+        return JSValue::encode(jsMakeNontrivialString(exec, &quot;[object &quot;, thisObject-&gt;methodTable(exec-&gt;vm())-&gt;className(thisObject), &quot;]&quot;));
</ins><span class="cx">     CallData callData;
</span><span class="cx">     CallType callType = getCallData(function, callData);
</span><span class="cx">     if (callType == CallTypeNone)
</span><del>-        return JSValue::encode(jsMakeNontrivialString(exec, &quot;[object &quot;, thisObject-&gt;methodTable()-&gt;className(thisObject), &quot;]&quot;));
</del><ins>+        return JSValue::encode(jsMakeNontrivialString(exec, &quot;[object &quot;, thisObject-&gt;methodTable(exec-&gt;vm())-&gt;className(thisObject), &quot;]&quot;));
</ins><span class="cx"> 
</span><span class="cx">     // 4. Return the result of calling the [[Call]] internal method of func providing array as the this value and an empty arguments list.
</span><span class="cx">     if (!isJSArray(thisObject) || callType != CallTypeHost || callData.native.function != arrayProtoFuncJoin)
</span><span class="lines">@@ -468,7 +468,7 @@
</span><span class="cx">         result = thisObj-&gt;get(exec, length - 1);
</span><span class="cx">         if (exec-&gt;hadException())
</span><span class="cx">             return JSValue::encode(jsUndefined());
</span><del>-        if (!thisObj-&gt;methodTable()-&gt;deletePropertyByIndex(thisObj, exec, length - 1)) {
</del><ins>+        if (!thisObj-&gt;methodTable(exec-&gt;vm())-&gt;deletePropertyByIndex(thisObj, exec, length - 1)) {
</ins><span class="cx">             throwTypeError(exec, ASCIILiteral(&quot;Unable to delete property.&quot;));
</span><span class="cx">             return JSValue::encode(jsUndefined());
</span><span class="cx">         }
</span><span class="lines">@@ -528,19 +528,19 @@
</span><span class="cx">             return JSValue::encode(jsUndefined());
</span><span class="cx"> 
</span><span class="cx">         if (obj2) {
</span><del>-            thisObj-&gt;methodTable()-&gt;putByIndex(thisObj, exec, k, obj2, true);
</del><ins>+            thisObj-&gt;methodTable(exec-&gt;vm())-&gt;putByIndex(thisObj, exec, k, obj2, true);
</ins><span class="cx">             if (exec-&gt;hadException())
</span><span class="cx">                 return JSValue::encode(jsUndefined());
</span><del>-        } else if (!thisObj-&gt;methodTable()-&gt;deletePropertyByIndex(thisObj, exec, k)) {
</del><ins>+        } else if (!thisObj-&gt;methodTable(exec-&gt;vm())-&gt;deletePropertyByIndex(thisObj, exec, k)) {
</ins><span class="cx">             throwTypeError(exec, ASCIILiteral(&quot;Unable to delete property.&quot;));
</span><span class="cx">             return JSValue::encode(jsUndefined());
</span><span class="cx">         }
</span><span class="cx"> 
</span><span class="cx">         if (obj) {
</span><del>-            thisObj-&gt;methodTable()-&gt;putByIndex(thisObj, exec, lk1, obj, true);
</del><ins>+            thisObj-&gt;methodTable(exec-&gt;vm())-&gt;putByIndex(thisObj, exec, lk1, obj, true);
</ins><span class="cx">             if (exec-&gt;hadException())
</span><span class="cx">                 return JSValue::encode(jsUndefined());
</span><del>-        } else if (!thisObj-&gt;methodTable()-&gt;deletePropertyByIndex(thisObj, exec, lk1)) {
</del><ins>+        } else if (!thisObj-&gt;methodTable(exec-&gt;vm())-&gt;deletePropertyByIndex(thisObj, exec, lk1)) {
</ins><span class="cx">             throwTypeError(exec, ASCIILiteral(&quot;Unable to delete property.&quot;));
</span><span class="cx">             return JSValue::encode(jsUndefined());
</span><span class="cx">         }
</span><span class="lines">@@ -658,18 +658,18 @@
</span><span class="cx">         // Swap themin and i
</span><span class="cx">         if (themin &gt; i) {
</span><span class="cx">             if (minObj) {
</span><del>-                thisObj-&gt;methodTable()-&gt;putByIndex(thisObj, exec, i, minObj, true);
</del><ins>+                thisObj-&gt;methodTable(exec-&gt;vm())-&gt;putByIndex(thisObj, exec, i, minObj, true);
</ins><span class="cx">                 if (exec-&gt;hadException())
</span><span class="cx">                     return false;
</span><del>-            } else if (!thisObj-&gt;methodTable()-&gt;deletePropertyByIndex(thisObj, exec, i)) {
</del><ins>+            } else if (!thisObj-&gt;methodTable(exec-&gt;vm())-&gt;deletePropertyByIndex(thisObj, exec, i)) {
</ins><span class="cx">                 throwTypeError(exec, &quot;Unable to delete property.&quot;);
</span><span class="cx">                 return false;
</span><span class="cx">             }
</span><span class="cx">             if (iObj) {
</span><del>-                thisObj-&gt;methodTable()-&gt;putByIndex(thisObj, exec, themin, iObj, true);
</del><ins>+                thisObj-&gt;methodTable(exec-&gt;vm())-&gt;putByIndex(thisObj, exec, themin, iObj, true);
</ins><span class="cx">                 if (exec-&gt;hadException())
</span><span class="cx">                     return false;
</span><del>-            } else if (!thisObj-&gt;methodTable()-&gt;deletePropertyByIndex(thisObj, exec, themin)) {
</del><ins>+            } else if (!thisObj-&gt;methodTable(exec-&gt;vm())-&gt;deletePropertyByIndex(thisObj, exec, themin)) {
</ins><span class="cx">                 throwTypeError(exec, &quot;Unable to delete property.&quot;);
</span><span class="cx">                 return false;
</span><span class="cx">             }
</span><span class="lines">@@ -703,7 +703,7 @@
</span><span class="cx">         return JSValue::encode(jsUndefined());
</span><span class="cx">     
</span><span class="cx">     PropertyNameArray nameArray(exec);
</span><del>-    thisObj-&gt;methodTable()-&gt;getPropertyNames(thisObj, exec, nameArray, IncludeDontEnumProperties);
</del><ins>+    thisObj-&gt;methodTable(exec-&gt;vm())-&gt;getPropertyNames(thisObj, exec, nameArray, IncludeDontEnumProperties);
</ins><span class="cx">     if (exec-&gt;hadException())
</span><span class="cx">         return JSValue::encode(jsUndefined());
</span><span class="cx"> 
</span><span class="lines">@@ -734,7 +734,7 @@
</span><span class="cx">         if (index &lt; flatArray-&gt;length())
</span><span class="cx">             continue;
</span><span class="cx">         
</span><del>-        if (!thisObj-&gt;methodTable()-&gt;deletePropertyByIndex(thisObj, exec, index)) {
</del><ins>+        if (!thisObj-&gt;methodTable(exec-&gt;vm())-&gt;deletePropertyByIndex(thisObj, exec, index)) {
</ins><span class="cx">             throwTypeError(exec, &quot;Unable to delete property.&quot;);
</span><span class="cx">             return JSValue::encode(jsUndefined());
</span><span class="cx">         }
</span><span class="lines">@@ -743,7 +743,7 @@
</span><span class="cx">     for (size_t i = flatArray-&gt;length(); i--;) {
</span><span class="cx">         JSValue value = getOrHole(flatArray, exec, i);
</span><span class="cx">         RELEASE_ASSERT(value);
</span><del>-        thisObj-&gt;methodTable()-&gt;putByIndex(thisObj, exec, i, value, true);
</del><ins>+        thisObj-&gt;methodTable(exec-&gt;vm())-&gt;putByIndex(thisObj, exec, i, value, true);
</ins><span class="cx">         if (exec-&gt;hadException())
</span><span class="cx">             return JSValue::encode(jsUndefined());
</span><span class="cx">     }
</span><span class="lines">@@ -800,7 +800,7 @@
</span><span class="cx">             return JSValue::encode(jsUndefined());
</span><span class="cx">     }
</span><span class="cx">     for (unsigned k = 0; k &lt; additionalArgs; ++k) {
</span><del>-        thisObj-&gt;methodTable()-&gt;putByIndex(thisObj, exec, k + begin, exec-&gt;uncheckedArgument(k + 2), true);
</del><ins>+        thisObj-&gt;methodTable(exec-&gt;vm())-&gt;putByIndex(thisObj, exec, k + begin, exec-&gt;uncheckedArgument(k + 2), true);
</ins><span class="cx">         if (exec-&gt;hadException())
</span><span class="cx">             return JSValue::encode(jsUndefined());
</span><span class="cx">     }
</span><span class="lines">@@ -825,7 +825,7 @@
</span><span class="cx">             return JSValue::encode(jsUndefined());
</span><span class="cx">     }
</span><span class="cx">     for (unsigned k = 0; k &lt; nrArgs; ++k) {
</span><del>-        thisObj-&gt;methodTable()-&gt;putByIndex(thisObj, exec, k, exec-&gt;uncheckedArgument(k), true);
</del><ins>+        thisObj-&gt;methodTable(exec-&gt;vm())-&gt;putByIndex(thisObj, exec, k, exec-&gt;uncheckedArgument(k), true);
</ins><span class="cx">         if (exec-&gt;hadException())
</span><span class="cx">             return JSValue::encode(jsUndefined());
</span><span class="cx">     }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeCommonSlowPathscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -251,7 +251,7 @@
</span><span class="cx">     BEGIN();
</span><span class="cx">     JSValue v1 = OP(1).jsValue();
</span><span class="cx">     if (v1.isCell())
</span><del>-        pc[2].u.structure.set(exec-&gt;vm(), exec-&gt;codeBlock()-&gt;ownerExecutable(), v1.asCell()-&gt;structure());
</del><ins>+        pc[2].u.structure.set(vm, exec-&gt;codeBlock()-&gt;ownerExecutable(), v1.asCell()-&gt;structure(vm));
</ins><span class="cx">     else
</span><span class="cx">         pc[2].u.structure.clear();
</span><span class="cx">     RETURN(v1.toThis(exec, exec-&gt;codeBlock()-&gt;isStrictMode() ? StrictMode : NotStrictMode));
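Review bot: this line now uses a bare "vm" where it previously spelled out exec-&gt;vm(), and no declaration of vm appears in the hunk, so it presumably comes from BEGIN(). Confirm that BEGIN() declares vm in every configuration this file builds in, since the rest of the patch passes exec-&gt;vm() explicitly at comparable call sites.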
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeExecutableh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/Executable.h (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/Executable.h        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/runtime/Executable.h        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -100,7 +100,7 @@
</span><span class="cx">     }
</span><span class="cx">     bool isFunctionExecutable()
</span><span class="cx">     {
</span><del>-        return structure()-&gt;typeInfo().type() == FunctionExecutableType;
</del><ins>+        return type() == FunctionExecutableType;
</ins><span class="cx">     }
</span><span class="cx">     bool isProgramExecutable()
</span><span class="cx">     {
</span><span class="lines">@@ -120,7 +120,7 @@
</span><span class="cx">     DECLARE_EXPORT_INFO;
</span><span class="cx"> 
</span><span class="cx"> protected:
</span><del>-    static const unsigned StructureFlags = 0;
</del><ins>+    static const unsigned StructureFlags = StructureIsImmortal;
</ins><span class="cx">     int m_numParametersForCall;
</span><span class="cx">     int m_numParametersForConstruct;
</span><span class="cx"> 
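Review bot: "StructureFlags = StructureIsImmortal" is a behaviour change rather than part of the mechanical structure()/type() rewrite around it, and it lands without a comment. Say why executable structures must be immortal, and check that every subclass defining its own StructureFlags ORs in the base value, since a subclass that assigns its own constant would silently drop the flag.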
</span><span class="lines">@@ -680,7 +680,7 @@
</span><span class="cx"> 
</span><span class="cx"> inline void ExecutableBase::clearCodeVirtual(ExecutableBase* executable)
</span><span class="cx"> {
</span><del>-    switch (executable-&gt;structure()-&gt;typeInfo().type()) {
</del><ins>+    switch (executable-&gt;type()) {
</ins><span class="cx">     case EvalExecutableType:
</span><span class="cx">         return jsCast&lt;EvalExecutable*&gt;(executable)-&gt;clearCode();
</span><span class="cx">     case ProgramExecutableType:
</span><span class="lines">@@ -694,7 +694,7 @@
</span><span class="cx"> 
</span><span class="cx"> inline void ScriptExecutable::unlinkCalls()
</span><span class="cx"> {
</span><del>-    switch (structure()-&gt;typeInfo().type()) {
</del><ins>+    switch (type()) {
</ins><span class="cx">     case EvalExecutableType:
</span><span class="cx">         return jsCast&lt;EvalExecutable*&gt;(this)-&gt;unlinkCalls();
</span><span class="cx">     case ProgramExecutableType:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeGetterSettercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/GetterSetter.cpp (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/GetterSetter.cpp        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/runtime/GetterSetter.cpp        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -57,7 +57,7 @@
</span><span class="cx">         return jsUndefined();
</span><span class="cx"> 
</span><span class="cx">     CallData callData;
</span><del>-    CallType callType = getter-&gt;methodTable()-&gt;getCallData(getter, callData);
</del><ins>+    CallType callType = getter-&gt;methodTable(exec-&gt;vm())-&gt;getCallData(getter, callData);
</ins><span class="cx">     return call(exec, getter, callType, callData, base, ArgList());
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="lines">@@ -74,7 +74,7 @@
</span><span class="cx">     args.append(value);
</span><span class="cx"> 
</span><span class="cx">     CallData callData;
</span><del>-    CallType callType = setter-&gt;methodTable()-&gt;getCallData(setter, callData);
</del><ins>+    CallType callType = setter-&gt;methodTable(exec-&gt;vm())-&gt;getCallData(setter, callData);
</ins><span class="cx">     call(exec, setter, callType, callData, base, args);
</span><span class="cx"> }
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeInitializeThreadingcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/InitializeThreading.cpp (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/InitializeThreading.cpp        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/runtime/InitializeThreading.cpp        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -38,6 +38,7 @@
</span><span class="cx"> #include &quot;JSGlobalObject.h&quot;
</span><span class="cx"> #include &quot;JSLock.h&quot;
</span><span class="cx"> #include &quot;LLIntData.h&quot;
</span><ins>+#include &quot;StructureIDTable.h&quot;
</ins><span class="cx"> #include &quot;WriteBarrier.h&quot;
</span><span class="cx"> #include &lt;mutex&gt;
</span><span class="cx"> #include &lt;wtf/dtoa.h&gt;
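Review bot: the added include of StructureIDTable.h has no matching use in the lines shown for InitializeThreading.cpp. If nothing in this file names the table directly, drop the include; if an initialization call depends on it, that call belongs in the same hunk so the dependency is visible.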
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSArraycpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSArray.cpp (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSArray.cpp        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/runtime/JSArray.cpp        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -238,8 +238,8 @@
</span><span class="cx"> {
</span><span class="cx">     ArrayStorage* storage = ensureArrayStorage(vm);
</span><span class="cx">     Butterfly* butterfly = storage-&gt;butterfly();
</span><del>-    unsigned propertyCapacity = structure()-&gt;outOfLineCapacity();
-    unsigned propertySize = structure()-&gt;outOfLineSize();
</del><ins>+    unsigned propertyCapacity = structure(vm)-&gt;outOfLineCapacity();
+    unsigned propertySize = structure(vm)-&gt;outOfLineSize();
</ins><span class="cx"> 
</span><span class="cx">     // If not, we should have handled this on the fast path.
</span><span class="cx">     ASSERT(!addToFront || count &gt; storage-&gt;m_indexBias);
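Review bot: structure(vm) is evaluated twice on the two changed lines here and again in each butterfly-&gt;base(structure(vm)) call in the next three hunks, which use the same propertyCapacity and propertySize locals. If the structure cannot change after ensureArrayStorage(vm), read it once into a local and pass that local to outOfLineCapacity(), outOfLineSize() and base(), so every size and base computation in this function is visibly derived from the same Structure.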
</span><span class="lines">@@ -273,7 +273,7 @@
</span><span class="cx">     unsigned newStorageCapacity;
</span><span class="cx">     // If the current storage array is sufficiently large (but not too large!) then just keep using it.
</span><span class="cx">     if (currentCapacity &gt; desiredCapacity &amp;&amp; isDenseEnoughForVector(currentCapacity, requiredVectorLength)) {
</span><del>-        newAllocBase = butterfly-&gt;base(structure());
</del><ins>+        newAllocBase = butterfly-&gt;base(structure(vm));
</ins><span class="cx">         newStorageCapacity = currentCapacity;
</span><span class="cx">     } else {
</span><span class="cx">         size_t newSize = Butterfly::totalSize(0, propertyCapacity, true, ArrayStorage::sizeFor(desiredCapacity));
</span><span class="lines">@@ -297,7 +297,7 @@
</span><span class="cx">         // Atomic decay, + the post-capacity cannot be greater than what is available.
</span><span class="cx">         postCapacity = min((storage-&gt;vectorLength() - length) &gt;&gt; 1, newStorageCapacity - requiredVectorLength);
</span><span class="cx">         // If we're moving contents within the same allocation, the post-capacity is being reduced.
</span><del>-        ASSERT(newAllocBase != butterfly-&gt;base(structure()) || postCapacity &lt; storage-&gt;vectorLength() - length);
</del><ins>+        ASSERT(newAllocBase != butterfly-&gt;base(structure(vm)) || postCapacity &lt; storage-&gt;vectorLength() - length);
</ins><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     unsigned newVectorLength = requiredVectorLength + postCapacity;
</span><span class="lines">@@ -309,7 +309,7 @@
</span><span class="cx">         ASSERT(count + usedVectorLength &lt;= newVectorLength);
</span><span class="cx">         memmove(newButterfly-&gt;arrayStorage()-&gt;m_vector + count, storage-&gt;m_vector, sizeof(JSValue) * usedVectorLength);
</span><span class="cx">         memmove(newButterfly-&gt;propertyStorage() - propertySize, butterfly-&gt;propertyStorage() - propertySize, sizeof(JSValue) * propertySize + sizeof(IndexingHeader) + ArrayStorage::sizeFor(0));
</span><del>-    } else if ((newAllocBase != butterfly-&gt;base(structure())) || (newIndexBias != storage-&gt;m_indexBias)) {
</del><ins>+    } else if ((newAllocBase != butterfly-&gt;base(structure(vm))) || (newIndexBias != storage-&gt;m_indexBias)) {
</ins><span class="cx">         memmove(newButterfly-&gt;propertyStorage() - propertySize, butterfly-&gt;propertyStorage() - propertySize, sizeof(JSValue) * propertySize + sizeof(IndexingHeader) + ArrayStorage::sizeFor(0));
</span><span class="cx">         memmove(newButterfly-&gt;arrayStorage()-&gt;m_vector, storage-&gt;m_vector, sizeof(JSValue) * usedVectorLength);
</span><span class="cx"> 
</span><span class="lines">@@ -391,7 +391,7 @@
</span><span class="cx"> 
</span><span class="cx"> bool JSArray::setLength(ExecState* exec, unsigned newLength, bool throwException)
</span><span class="cx"> {
</span><del>-    switch (structure()-&gt;indexingType()) {
</del><ins>+    switch (indexingType()) {
</ins><span class="cx">     case ArrayClass:
</span><span class="cx">         if (!newLength)
</span><span class="cx">             return true;
</span><span class="lines">@@ -420,7 +420,7 @@
</span><span class="cx">             ensureLength(exec-&gt;vm(), newLength);
</span><span class="cx">             return true;
</span><span class="cx">         }
</span><del>-        if (structure()-&gt;indexingType() == ArrayWithDouble) {
</del><ins>+        if (indexingType() == ArrayWithDouble) {
</ins><span class="cx">             for (unsigned i = m_butterfly-&gt;publicLength(); i-- &gt; newLength;)
</span><span class="cx">                 m_butterfly-&gt;contiguousDouble()[i] = QNaN;
</span><span class="cx">         } else {
</span><span class="lines">@@ -442,7 +442,7 @@
</span><span class="cx"> 
</span><span class="cx"> JSValue JSArray::pop(ExecState* exec)
</span><span class="cx"> {
</span><del>-    switch (structure()-&gt;indexingType()) {
</del><ins>+    switch (indexingType()) {
</ins><span class="cx">     case ArrayClass:
</span><span class="cx">         return jsUndefined();
</span><span class="cx">         
</span><span class="lines">@@ -537,7 +537,7 @@
</span><span class="cx"> //  - pushing to an array of length 2^32-1 stores the property, but throws a range error.
</span><span class="cx"> void JSArray::push(ExecState* exec, JSValue value)
</span><span class="cx"> {
</span><del>-    switch (structure()-&gt;indexingType()) {
</del><ins>+    switch (indexingType()) {
</ins><span class="cx">     case ArrayClass: {
</span><span class="cx">         createInitialUndecided(exec-&gt;vm(), 0);
</span><span class="cx">         FALLTHROUGH;
</span><span class="lines">@@ -565,7 +565,7 @@
</span><span class="cx">         }
</span><span class="cx">         
</span><span class="cx">         if (length &gt; MAX_ARRAY_INDEX) {
</span><del>-            methodTable()-&gt;putByIndex(this, exec, length, value, true);
</del><ins>+            methodTable(exec-&gt;vm())-&gt;putByIndex(this, exec, length, value, true);
</ins><span class="cx">             if (!exec-&gt;hadException())
</span><span class="cx">                 exec-&gt;vm().throwException(exec, createRangeError(exec, &quot;Invalid array length&quot;));
</span><span class="cx">             return;
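Review bot: exec-&gt;vm() is now fetched twice in this branch, once for methodTable(exec-&gt;vm()) and once for exec-&gt;vm().throwException, and the same pair repeats in the next three hunks of push(). A single VM&amp; vm = exec-&gt;vm(); at the top of push(), as this change already does in JSValue::equalSlowCaseInline, would keep the over-length branches identical and shorter.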
</span><span class="lines">@@ -585,7 +585,7 @@
</span><span class="cx">         }
</span><span class="cx">         
</span><span class="cx">         if (length &gt; MAX_ARRAY_INDEX) {
</span><del>-            methodTable()-&gt;putByIndex(this, exec, length, value, true);
</del><ins>+            methodTable(exec-&gt;vm())-&gt;putByIndex(this, exec, length, value, true);
</ins><span class="cx">             if (!exec-&gt;hadException())
</span><span class="cx">                 exec-&gt;vm().throwException(exec, createRangeError(exec, &quot;Invalid array length&quot;));
</span><span class="cx">             return;
</span><span class="lines">@@ -617,7 +617,7 @@
</span><span class="cx">         }
</span><span class="cx">         
</span><span class="cx">         if (length &gt; MAX_ARRAY_INDEX) {
</span><del>-            methodTable()-&gt;putByIndex(this, exec, length, value, true);
</del><ins>+            methodTable(exec-&gt;vm())-&gt;putByIndex(this, exec, length, value, true);
</ins><span class="cx">             if (!exec-&gt;hadException())
</span><span class="cx">                 exec-&gt;vm().throwException(exec, createRangeError(exec, &quot;Invalid array length&quot;));
</span><span class="cx">             return;
</span><span class="lines">@@ -651,7 +651,7 @@
</span><span class="cx"> 
</span><span class="cx">         // Pushing to an array of invalid length (2^31-1) stores the property, but throws a range error.
</span><span class="cx">         if (storage-&gt;length() &gt; MAX_ARRAY_INDEX) {
</span><del>-            methodTable()-&gt;putByIndex(this, exec, storage-&gt;length(), value, true);
</del><ins>+            methodTable(exec-&gt;vm())-&gt;putByIndex(this, exec, storage-&gt;length(), value, true);
</ins><span class="cx">             // Per ES5.1 15.4.4.7 step 6 &amp; 15.4.5.1 step 3.d.
</span><span class="cx">             if (!exec-&gt;hadException())
</span><span class="cx">                 exec-&gt;vm().throwException(exec, createRangeError(exec, &quot;Invalid array length&quot;));
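Review bot: the context comment above the changed line says the invalid length is 2^31-1, while the comment ahead of JSArray::push in the earlier hunk says 2^32-1. Since the check is against MAX_ARRAY_INDEX and this line is being touched anyway, correct whichever comment is wrong so the documented bound matches the guard.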
</span><span class="lines">@@ -675,7 +675,7 @@
</span><span class="cx">     
</span><span class="cx">     // If the array contains holes or is otherwise in an abnormal state,
</span><span class="cx">     // use the generic algorithm in ArrayPrototype.
</span><del>-    if (oldLength != storage-&gt;m_numValuesInVector || inSparseIndexingMode() || shouldUseSlowPut(structure()-&gt;indexingType()))
</del><ins>+    if (oldLength != storage-&gt;m_numValuesInVector || inSparseIndexingMode() || shouldUseSlowPut(indexingType()))
</ins><span class="cx">         return false;
</span><span class="cx"> 
</span><span class="cx">     if (!oldLength)
</span><span class="lines">@@ -749,7 +749,7 @@
</span><span class="cx"> {
</span><span class="cx">     RELEASE_ASSERT(count &gt; 0);
</span><span class="cx">     
</span><del>-    switch (structure()-&gt;indexingType()) {
</del><ins>+    switch (indexingType()) {
</ins><span class="cx">     case ArrayClass:
</span><span class="cx">         return true;
</span><span class="cx">         
</span><span class="lines">@@ -847,7 +847,7 @@
</span><span class="cx"> 
</span><span class="cx">     // If the array contains holes or is otherwise in an abnormal state,
</span><span class="cx">     // use the generic algorithm in ArrayPrototype.
</span><del>-    if (length != storage-&gt;m_numValuesInVector || storage-&gt;inSparseMode() || shouldUseSlowPut(structure()-&gt;indexingType()))
</del><ins>+    if (length != storage-&gt;m_numValuesInVector || storage-&gt;inSparseMode() || shouldUseSlowPut(indexingType()))
</ins><span class="cx">         return false;
</span><span class="cx"> 
</span><span class="cx">     bool moveFront = !startIndex || startIndex &lt; length / 2;
</span><span class="lines">@@ -885,7 +885,7 @@
</span><span class="cx"> 
</span><span class="cx"> bool JSArray::unshiftCountWithAnyIndexingType(ExecState* exec, unsigned startIndex, unsigned count)
</span><span class="cx"> {
</span><del>-    switch (structure()-&gt;indexingType()) {
</del><ins>+    switch (indexingType()) {
</ins><span class="cx">     case ArrayClass:
</span><span class="cx">     case ArrayWithUndecided:
</span><span class="cx">         // We could handle this. But it shouldn't ever come up, so we won't.
</span><span class="lines">@@ -994,20 +994,20 @@
</span><span class="cx">     return codePointCompare(va-&gt;second, vb-&gt;second);
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-template&lt;IndexingType indexingType&gt;
</del><ins>+template&lt;IndexingType arrayIndexingType&gt;
</ins><span class="cx"> void JSArray::sortNumericVector(ExecState* exec, JSValue compareFunction, CallType callType, const CallData&amp; callData)
</span><span class="cx"> {
</span><del>-    ASSERT(indexingType == ArrayWithInt32 || indexingType == ArrayWithDouble || indexingType == ArrayWithContiguous || indexingType == ArrayWithArrayStorage);
</del><ins>+    ASSERT(arrayIndexingType == ArrayWithInt32 || arrayIndexingType == ArrayWithDouble || arrayIndexingType == ArrayWithContiguous || arrayIndexingType == ArrayWithArrayStorage);
</ins><span class="cx">     
</span><span class="cx">     unsigned lengthNotIncludingUndefined;
</span><span class="cx">     unsigned newRelevantLength;
</span><del>-    compactForSorting&lt;indexingType&gt;(
</del><ins>+    compactForSorting&lt;arrayIndexingType&gt;(
</ins><span class="cx">         lengthNotIncludingUndefined,
</span><span class="cx">         newRelevantLength);
</span><span class="cx">     
</span><del>-    ContiguousJSValues data = indexingData&lt;indexingType&gt;();
</del><ins>+    ContiguousJSValues data = indexingData&lt;arrayIndexingType&gt;();
</ins><span class="cx">     
</span><del>-    if (indexingType == ArrayWithArrayStorage &amp;&amp; arrayStorage()-&gt;m_sparseMap.get()) {
</del><ins>+    if (arrayIndexingType == ArrayWithArrayStorage &amp;&amp; arrayStorage()-&gt;m_sparseMap.get()) {
</ins><span class="cx">         throwOutOfMemoryError(exec);
</span><span class="cx">         return;
</span><span class="cx">     }
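Review bot: the ASSERT at the top of sortNumericVector tests only the template parameter arrayIndexingType, so it is a compile-time fact checked at run time and only in debug builds. Consider a compile-time assertion there, and add ASSERT(arrayIndexingType == indexingType()) as sortVector and compactForSorting do, so this entry point also states that the template parameter matches the object's actual indexing type.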
</span><span class="lines">@@ -1016,7 +1016,7 @@
</span><span class="cx">         return;
</span><span class="cx">     
</span><span class="cx">     bool allValuesAreNumbers = true;
</span><del>-    switch (indexingType) {
</del><ins>+    switch (arrayIndexingType) {
</ins><span class="cx">     case ArrayWithInt32:
</span><span class="cx">     case ArrayWithDouble:
</span><span class="cx">         break;
</span><span class="lines">@@ -1038,7 +1038,7 @@
</span><span class="cx">     // also don't require mergesort's stability, since there's no user visible
</span><span class="cx">     // side-effect from swapping the order of equal primitive values.
</span><span class="cx">     int (*compare)(const void*, const void*);
</span><del>-    switch (indexingType) {
</del><ins>+    switch (arrayIndexingType) {
</ins><span class="cx">     case ArrayWithInt32:
</span><span class="cx">         compare = compareNumbersForQSortWithInt32;
</span><span class="cx">         break;
</span><span class="lines">@@ -1061,7 +1061,7 @@
</span><span class="cx"> {
</span><span class="cx">     ASSERT(!inSparseIndexingMode());
</span><span class="cx"> 
</span><del>-    switch (structure()-&gt;indexingType()) {
</del><ins>+    switch (indexingType()) {
</ins><span class="cx">     case ArrayClass:
</span><span class="cx">         return;
</span><span class="cx">         
</span><span class="lines">@@ -1114,7 +1114,7 @@
</span><span class="cx"> };
</span><span class="cx"> 
</span><span class="cx"> 
</span><del>-template&lt;IndexingType indexingType, typename StorageType&gt;
</del><ins>+template&lt;IndexingType arrayIndexingType, typename StorageType&gt;
</ins><span class="cx"> void JSArray::sortCompactedVector(ExecState* exec, ContiguousData&lt;StorageType&gt; data, unsigned relevantLength)
</span><span class="cx"> {
</span><span class="cx">     if (!relevantLength)
</span><span class="lines">@@ -1138,11 +1138,11 @@
</span><span class="cx">     bool isSortingPrimitiveValues = true;
</span><span class="cx"> 
</span><span class="cx">     for (size_t i = 0; i &lt; relevantLength; i++) {
</span><del>-        JSValue value = ContiguousTypeAccessor&lt;indexingType&gt;::getAsValue(data, i);
-        ASSERT(indexingType != ArrayWithInt32 || value.isInt32());
</del><ins>+        JSValue value = ContiguousTypeAccessor&lt;arrayIndexingType&gt;::getAsValue(data, i);
+        ASSERT(arrayIndexingType != ArrayWithInt32 || value.isInt32());
</ins><span class="cx">         ASSERT(!value.isUndefined());
</span><span class="cx">         values[i].first = value;
</span><del>-        if (indexingType != ArrayWithDouble &amp;&amp; indexingType != ArrayWithInt32)
</del><ins>+        if (arrayIndexingType != ArrayWithDouble &amp;&amp; arrayIndexingType != ArrayWithInt32)
</ins><span class="cx">             isSortingPrimitiveValues = isSortingPrimitiveValues &amp;&amp; value.isPrimitive();
</span><span class="cx">     }
</span><span class="cx">         
</span><span class="lines">@@ -1173,7 +1173,7 @@
</span><span class="cx">     
</span><span class="cx">     // If the toString function changed the length of the array or vector storage,
</span><span class="cx">     // increase the length to handle the orignal number of actual values.
</span><del>-    switch (indexingType) {
</del><ins>+    switch (arrayIndexingType) {
</ins><span class="cx">     case ArrayWithInt32:
</span><span class="cx">     case ArrayWithDouble:
</span><span class="cx">     case ArrayWithContiguous:
</span><span class="lines">@@ -1183,7 +1183,7 @@
</span><span class="cx">     case ArrayWithArrayStorage:
</span><span class="cx">         if (arrayStorage()-&gt;vectorLength() &lt; relevantLength) {
</span><span class="cx">             increaseVectorLength(exec-&gt;vm(), relevantLength);
</span><del>-            ContiguousTypeAccessor&lt;indexingType&gt;::replaceDataReference(&amp;data, arrayStorage()-&gt;vector());
</del><ins>+            ContiguousTypeAccessor&lt;arrayIndexingType&gt;::replaceDataReference(&amp;data, arrayStorage()-&gt;vector());
</ins><span class="cx">         }
</span><span class="cx">         if (arrayStorage()-&gt;length() &lt; relevantLength)
</span><span class="cx">             arrayStorage()-&gt;setLength(relevantLength);
</span><span class="lines">@@ -1194,7 +1194,7 @@
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     for (size_t i = 0; i &lt; relevantLength; i++)
</span><del>-        ContiguousTypeAccessor&lt;indexingType&gt;::setWithValue(vm, this, data, i, values[i].first);
</del><ins>+        ContiguousTypeAccessor&lt;arrayIndexingType&gt;::setWithValue(vm, this, data, i, values[i].first);
</ins><span class="cx">     
</span><span class="cx">     Heap::heap(this)-&gt;popTempSortVector(&amp;values);
</span><span class="cx"> }
</span><span class="lines">@@ -1203,7 +1203,7 @@
</span><span class="cx"> {
</span><span class="cx">     ASSERT(!inSparseIndexingMode());
</span><span class="cx">     
</span><del>-    switch (structure()-&gt;indexingType()) {
</del><ins>+    switch (indexingType()) {
</ins><span class="cx">     case ArrayClass:
</span><span class="cx">     case ArrayWithUndecided:
</span><span class="cx">         return;
</span><span class="lines">@@ -1335,11 +1335,11 @@
</span><span class="cx">     static handle null() { return 0x7FFFFFFF; }
</span><span class="cx"> };
</span><span class="cx"> 
</span><del>-template&lt;IndexingType indexingType&gt;
</del><ins>+template&lt;IndexingType arrayIndexingType&gt;
</ins><span class="cx"> void JSArray::sortVector(ExecState* exec, JSValue compareFunction, CallType callType, const CallData&amp; callData)
</span><span class="cx"> {
</span><span class="cx">     ASSERT(!inSparseIndexingMode());
</span><del>-    ASSERT(indexingType == structure()-&gt;indexingType());
</del><ins>+    ASSERT(arrayIndexingType == indexingType());
</ins><span class="cx">     
</span><span class="cx">     // FIXME: This ignores exceptions raised in the compare function or in toNumber.
</span><span class="cx">         
</span><span class="lines">@@ -1349,7 +1349,7 @@
</span><span class="cx">     if (m_butterfly-&gt;publicLength() &gt; static_cast&lt;unsigned&gt;(std::numeric_limits&lt;int&gt;::max()))
</span><span class="cx">         return;
</span><span class="cx">         
</span><del>-    unsigned usedVectorLength = relevantLength&lt;indexingType&gt;();
</del><ins>+    unsigned usedVectorLength = relevantLength&lt;arrayIndexingType&gt;();
</ins><span class="cx">     unsigned nodeCount = usedVectorLength;
</span><span class="cx">         
</span><span class="cx">     if (!nodeCount)
</span><span class="lines">@@ -1416,14 +1416,14 @@
</span><span class="cx">     VM&amp; vm = exec-&gt;vm();
</span><span class="cx">     for (unsigned i = 0; i &lt; elementsToExtractThreshold; ++i) {
</span><span class="cx">         ASSERT(i &lt; butterfly()-&gt;vectorLength());
</span><del>-        if (structure()-&gt;indexingType() == ArrayWithDouble)
</del><ins>+        if (indexingType() == ArrayWithDouble)
</ins><span class="cx">             butterfly()-&gt;contiguousDouble()[i] = tree.abstractor().m_nodes[*iter].value.asNumber();
</span><span class="cx">         else
</span><span class="cx">             currentIndexingData()[i].set(vm, this, tree.abstractor().m_nodes[*iter].value);
</span><span class="cx">         ++iter;
</span><span class="cx">     }
</span><span class="cx">     // Put undefined values back in.
</span><del>-    switch (structure()-&gt;indexingType()) {
</del><ins>+    switch (indexingType()) {
</ins><span class="cx">     case ArrayWithInt32:
</span><span class="cx">     case ArrayWithDouble:
</span><span class="cx">         ASSERT(elementsToExtractThreshold == undefinedElementsThreshold);
</span><span class="lines">@@ -1439,13 +1439,13 @@
</span><span class="cx">     // Ensure that unused values in the vector are zeroed out.
</span><span class="cx">     for (unsigned i = undefinedElementsThreshold; i &lt; clearElementsThreshold; ++i) {
</span><span class="cx">         ASSERT(i &lt; butterfly()-&gt;vectorLength());
</span><del>-        if (structure()-&gt;indexingType() == ArrayWithDouble)
</del><ins>+        if (indexingType() == ArrayWithDouble)
</ins><span class="cx">             butterfly()-&gt;contiguousDouble()[i] = QNaN;
</span><span class="cx">         else
</span><span class="cx">             currentIndexingData()[i].clear();
</span><span class="cx">     }
</span><span class="cx">     
</span><del>-    if (hasArrayStorage(structure()-&gt;indexingType()))
</del><ins>+    if (hasArrayStorage(indexingType()))
</ins><span class="cx">         arrayStorage()-&gt;m_numValuesInVector = newUsedVectorLength;
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="lines">@@ -1453,7 +1453,7 @@
</span><span class="cx"> {
</span><span class="cx">     ASSERT(!inSparseIndexingMode());
</span><span class="cx">     
</span><del>-    switch (structure()-&gt;indexingType()) {
</del><ins>+    switch (indexingType()) {
</ins><span class="cx">     case ArrayClass:
</span><span class="cx">     case ArrayWithUndecided:
</span><span class="cx">         return;
</span><span class="lines">@@ -1485,7 +1485,7 @@
</span><span class="cx">     unsigned vectorEnd;
</span><span class="cx">     WriteBarrier&lt;Unknown&gt;* vector;
</span><span class="cx">     
</span><del>-    switch (structure()-&gt;indexingType()) {
</del><ins>+    switch (indexingType()) {
</ins><span class="cx">     case ArrayClass:
</span><span class="cx">         return;
</span><span class="cx">         
</span><span class="lines">@@ -1547,7 +1547,7 @@
</span><span class="cx">     unsigned vectorEnd;
</span><span class="cx">     unsigned length = copyLength + firstVarArgOffset;
</span><span class="cx">     ASSERT(length == this-&gt;length());
</span><del>-    switch (structure()-&gt;indexingType()) {
</del><ins>+    switch (indexingType()) {
</ins><span class="cx">     case ArrayClass:
</span><span class="cx">         return;
</span><span class="cx">         
</span><span class="lines">@@ -1602,40 +1602,40 @@
</span><span class="cx">         callFrame-&gt;setArgument(i - firstVarArgOffset, get(exec, i));
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-template&lt;IndexingType indexingType&gt;
</del><ins>+template&lt;IndexingType arrayIndexingType&gt;
</ins><span class="cx"> void JSArray::compactForSorting(unsigned&amp; numDefined, unsigned&amp; newRelevantLength)
</span><span class="cx"> {
</span><span class="cx">     ASSERT(!inSparseIndexingMode());
</span><del>-    ASSERT(indexingType == structure()-&gt;indexingType());
</del><ins>+    ASSERT(arrayIndexingType == indexingType());
</ins><span class="cx"> 
</span><del>-    unsigned myRelevantLength = relevantLength&lt;indexingType&gt;();
</del><ins>+    unsigned myRelevantLength = relevantLength&lt;arrayIndexingType&gt;();
</ins><span class="cx">     
</span><span class="cx">     numDefined = 0;
</span><span class="cx">     unsigned numUndefined = 0;
</span><span class="cx">         
</span><span class="cx">     for (; numDefined &lt; myRelevantLength; ++numDefined) {
</span><span class="cx">         ASSERT(numDefined &lt; m_butterfly-&gt;vectorLength());
</span><del>-        if (indexingType == ArrayWithInt32) {
</del><ins>+        if (arrayIndexingType == ArrayWithInt32) {
</ins><span class="cx">             JSValue v = m_butterfly-&gt;contiguousInt32()[numDefined].get();
</span><span class="cx">             if (!v)
</span><span class="cx">                 break;
</span><span class="cx">             ASSERT(v.isInt32());
</span><span class="cx">             continue;
</span><span class="cx">         }
</span><del>-        if (indexingType == ArrayWithDouble) {
</del><ins>+        if (arrayIndexingType == ArrayWithDouble) {
</ins><span class="cx">             double v = m_butterfly-&gt;contiguousDouble()[numDefined];
</span><span class="cx">             if (v != v)
</span><span class="cx">                 break;
</span><span class="cx">             continue;
</span><span class="cx">         }
</span><del>-        JSValue v = indexingData&lt;indexingType&gt;()[numDefined].get();
</del><ins>+        JSValue v = indexingData&lt;arrayIndexingType&gt;()[numDefined].get();
</ins><span class="cx">         if (!v || v.isUndefined())
</span><span class="cx">             break;
</span><span class="cx">     }
</span><span class="cx">         
</span><span class="cx">     for (unsigned i = numDefined; i &lt; myRelevantLength; ++i) {
</span><span class="cx">         ASSERT(i &lt; m_butterfly-&gt;vectorLength());
</span><del>-        if (indexingType == ArrayWithInt32) {
</del><ins>+        if (arrayIndexingType == ArrayWithInt32) {
</ins><span class="cx">             JSValue v = m_butterfly-&gt;contiguousInt32()[i].get();
</span><span class="cx">             if (!v)
</span><span class="cx">                 continue;
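Review bot: ASSERT(arrayIndexingType == indexingType()) at the top of compactForSorting is debug-only, yet everything below it picks contiguousInt32(), contiguousDouble() or indexingData() from the template parameter alone and writes with setWithoutWriteBarrier. A mismatch in a release build would reinterpret the butterfly's elements as the wrong type. The later part of this function already uses RELEASE_ASSERT for the sparse-map and numDefined invariants; the type-match check deserves the same treatment.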
</span><span class="lines">@@ -1644,7 +1644,7 @@
</span><span class="cx">             m_butterfly-&gt;contiguousInt32()[numDefined++].setWithoutWriteBarrier(v);
</span><span class="cx">             continue;
</span><span class="cx">         }
</span><del>-        if (indexingType == ArrayWithDouble) {
</del><ins>+        if (arrayIndexingType == ArrayWithDouble) {
</ins><span class="cx">             double v = m_butterfly-&gt;contiguousDouble()[i];
</span><span class="cx">             if (v != v)
</span><span class="cx">                 continue;
</span><span class="lines">@@ -1652,23 +1652,23 @@
</span><span class="cx">             m_butterfly-&gt;contiguousDouble()[numDefined++] = v;
</span><span class="cx">             continue;
</span><span class="cx">         }
</span><del>-        JSValue v = indexingData&lt;indexingType&gt;()[i].get();
</del><ins>+        JSValue v = indexingData&lt;arrayIndexingType&gt;()[i].get();
</ins><span class="cx">         if (v) {
</span><span class="cx">             if (v.isUndefined())
</span><span class="cx">                 ++numUndefined;
</span><span class="cx">             else {
</span><span class="cx">                 ASSERT(numDefined &lt; m_butterfly-&gt;vectorLength());
</span><del>-                indexingData&lt;indexingType&gt;()[numDefined++].setWithoutWriteBarrier(v);
</del><ins>+                indexingData&lt;arrayIndexingType&gt;()[numDefined++].setWithoutWriteBarrier(v);
</ins><span class="cx">             }
</span><span class="cx">         }
</span><span class="cx">     }
</span><span class="cx">         
</span><span class="cx">     newRelevantLength = numDefined + numUndefined;
</span><span class="cx">     
</span><del>-    if (hasArrayStorage(indexingType))
</del><ins>+    if (hasArrayStorage(arrayIndexingType))
</ins><span class="cx">         RELEASE_ASSERT(!arrayStorage()-&gt;m_sparseMap);
</span><span class="cx">     
</span><del>-    switch (indexingType) {
</del><ins>+    switch (arrayIndexingType) {
</ins><span class="cx">     case ArrayWithInt32:
</span><span class="cx">     case ArrayWithDouble:
</span><span class="cx">         RELEASE_ASSERT(numDefined == newRelevantLength);
</span><span class="lines">@@ -1677,19 +1677,19 @@
</span><span class="cx">     default:
</span><span class="cx">         for (unsigned i = numDefined; i &lt; newRelevantLength; ++i) {
</span><span class="cx">             ASSERT(i &lt; m_butterfly-&gt;vectorLength());
</span><del>-            indexingData&lt;indexingType&gt;()[i].setUndefined();
</del><ins>+            indexingData&lt;arrayIndexingType&gt;()[i].setUndefined();
</ins><span class="cx">         }
</span><span class="cx">         break;
</span><span class="cx">     }
</span><span class="cx">     for (unsigned i = newRelevantLength; i &lt; myRelevantLength; ++i) {
</span><span class="cx">         ASSERT(i &lt; m_butterfly-&gt;vectorLength());
</span><del>-        if (indexingType == ArrayWithDouble)
</del><ins>+        if (arrayIndexingType == ArrayWithDouble)
</ins><span class="cx">             m_butterfly-&gt;contiguousDouble()[i] = QNaN;
</span><span class="cx">         else
</span><del>-            indexingData&lt;indexingType&gt;()[i].clear();
</del><ins>+            indexingData&lt;arrayIndexingType&gt;()[i].clear();
</ins><span class="cx">     }
</span><span class="cx"> 
</span><del>-    if (hasArrayStorage(indexingType))
</del><ins>+    if (hasArrayStorage(arrayIndexingType))
</ins><span class="cx">         arrayStorage()-&gt;m_numValuesInVector = newRelevantLength;
</span><span class="cx"> }
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSCJSValueInlinesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSCJSValueInlines.h (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSCJSValueInlines.h        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/runtime/JSCJSValueInlines.h        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -645,7 +645,7 @@
</span><span class="cx"> 
</span><span class="cx"> inline JSValue JSValue::toThis(ExecState* exec, ECMAMode ecmaMode) const
</span><span class="cx"> {
</span><del>-    return isCell() ? asCell()-&gt;methodTable()-&gt;toThis(asCell(), exec, ecmaMode) : toThisSlowCase(exec, ecmaMode);
</del><ins>+    return isCell() ? asCell()-&gt;methodTable(exec-&gt;vm())-&gt;toThis(asCell(), exec, ecmaMode) : toThisSlowCase(exec, ecmaMode);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> inline JSValue JSValue::get(ExecState* exec, PropertyName propertyName) const
</span><span class="lines">@@ -700,7 +700,7 @@
</span><span class="cx">         putToPrimitive(exec, propertyName, value, slot);
</span><span class="cx">         return;
</span><span class="cx">     }
</span><del>-    asCell()-&gt;methodTable()-&gt;put(asCell(), exec, propertyName, value, slot);
</del><ins>+    asCell()-&gt;methodTable(exec-&gt;vm())-&gt;put(asCell(), exec, propertyName, value, slot);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> inline void JSValue::putByIndex(ExecState* exec, unsigned propertyName, JSValue value, bool shouldThrow)
</span><span class="lines">@@ -709,7 +709,7 @@
</span><span class="cx">         putToPrimitiveByIndex(exec, propertyName, value, shouldThrow);
</span><span class="cx">         return;
</span><span class="cx">     }
</span><del>-    asCell()-&gt;methodTable()-&gt;putByIndex(asCell(), exec, propertyName, value, shouldThrow);
</del><ins>+    asCell()-&gt;methodTable(exec-&gt;vm())-&gt;putByIndex(asCell(), exec, propertyName, value, shouldThrow);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> inline JSValue JSValue::structureOrUndefined() const
</span><span class="lines">@@ -730,6 +730,7 @@
</span><span class="cx"> 
</span><span class="cx"> ALWAYS_INLINE bool JSValue::equalSlowCaseInline(ExecState* exec, JSValue v1, JSValue v2)
</span><span class="cx"> {
</span><ins>+    VM&amp; vm = exec-&gt;vm();
</ins><span class="cx">     do {
</span><span class="cx">         if (v1.isNumber() &amp;&amp; v2.isNumber())
</span><span class="cx">             return v1.asNumber() == v2.asNumber();
</span><span class="lines">@@ -744,13 +745,13 @@
</span><span class="cx">                 return true;
</span><span class="cx">             if (!v2.isCell())
</span><span class="cx">                 return false;
</span><del>-            return v2.asCell()-&gt;structure()-&gt;masqueradesAsUndefined(exec-&gt;lexicalGlobalObject());
</del><ins>+            return v2.asCell()-&gt;structure(vm)-&gt;masqueradesAsUndefined(exec-&gt;lexicalGlobalObject());
</ins><span class="cx">         }
</span><span class="cx"> 
</span><span class="cx">         if (v2.isUndefinedOrNull()) {
</span><span class="cx">             if (!v1.isCell())
</span><span class="cx">                 return false;
</span><del>-            return v1.asCell()-&gt;structure()-&gt;masqueradesAsUndefined(exec-&gt;lexicalGlobalObject());
</del><ins>+            return v1.asCell()-&gt;structure(vm)-&gt;masqueradesAsUndefined(exec-&gt;lexicalGlobalObject());
</ins><span class="cx">         }
</span><span class="cx"> 
</span><span class="cx">         if (v1.isObject()) {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSCellcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSCell.cpp (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSCell.cpp        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/runtime/JSCell.cpp        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -33,6 +33,7 @@
</span><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span><ins>+COMPILE_ASSERT(sizeof(JSCell) == sizeof(uint64_t), jscell_is_eight_bytes);
</ins><span class="cx"> STATIC_ASSERT_IS_TRIVIALLY_DESTRUCTIBLE(JSCell);
</span><span class="cx"> 
</span><span class="cx"> void JSCell::destroy(JSCell* cell)
</span><span class="lines">@@ -90,7 +91,7 @@
</span><span class="cx">         return;
</span><span class="cx">     }
</span><span class="cx">     JSObject* thisObject = cell-&gt;toObject(exec, exec-&gt;lexicalGlobalObject());
</span><del>-    thisObject-&gt;methodTable()-&gt;put(thisObject, exec, identifier, value, slot);
</del><ins>+    thisObject-&gt;methodTable(exec-&gt;vm())-&gt;put(thisObject, exec, identifier, value, slot);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void JSCell::putByIndex(JSCell* cell, ExecState* exec, unsigned identifier, JSValue value, bool shouldThrow)
</span><span class="lines">@@ -101,19 +102,19 @@
</span><span class="cx">         return;
</span><span class="cx">     }
</span><span class="cx">     JSObject* thisObject = cell-&gt;toObject(exec, exec-&gt;lexicalGlobalObject());
</span><del>-    thisObject-&gt;methodTable()-&gt;putByIndex(thisObject, exec, identifier, value, shouldThrow);
</del><ins>+    thisObject-&gt;methodTable(exec-&gt;vm())-&gt;putByIndex(thisObject, exec, identifier, value, shouldThrow);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> bool JSCell::deleteProperty(JSCell* cell, ExecState* exec, PropertyName identifier)
</span><span class="cx"> {
</span><span class="cx">     JSObject* thisObject = cell-&gt;toObject(exec, exec-&gt;lexicalGlobalObject());
</span><del>-    return thisObject-&gt;methodTable()-&gt;deleteProperty(thisObject, exec, identifier);
</del><ins>+    return thisObject-&gt;methodTable(exec-&gt;vm())-&gt;deleteProperty(thisObject, exec, identifier);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> bool JSCell::deletePropertyByIndex(JSCell* cell, ExecState* exec, unsigned identifier)
</span><span class="cx"> {
</span><span class="cx">     JSObject* thisObject = cell-&gt;toObject(exec, exec-&gt;lexicalGlobalObject());
</span><del>-    return thisObject-&gt;methodTable()-&gt;deletePropertyByIndex(thisObject, exec, identifier);
</del><ins>+    return thisObject-&gt;methodTable(exec-&gt;vm())-&gt;deletePropertyByIndex(thisObject, exec, identifier);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> JSValue JSCell::toThis(JSCell* cell, ExecState* exec, ECMAMode ecmaMode)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSCellh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSCell.h (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSCell.h        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/runtime/JSCell.h        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -26,7 +26,9 @@
</span><span class="cx"> #include &quot;CallData.h&quot;
</span><span class="cx"> #include &quot;ConstructData.h&quot;
</span><span class="cx"> #include &quot;Heap.h&quot;
</span><ins>+#include &quot;IndexingType.h&quot;
</ins><span class="cx"> #include &quot;JSLock.h&quot;
</span><ins>+#include &quot;JSTypeInfo.h&quot;
</ins><span class="cx"> #include &quot;SlotVisitor.h&quot;
</span><span class="cx"> #include &quot;TypedArrayType.h&quot;
</span><span class="cx"> #include &quot;WriteBarrier.h&quot;
</span><span class="lines">@@ -92,9 +94,12 @@
</span><span class="cx">     bool inherits(const ClassInfo*) const;
</span><span class="cx">     bool isAPIValueWrapper() const;
</span><span class="cx"> 
</span><ins>+    JSType type() const;
+    IndexingType indexingType() const;
</ins><span class="cx">     Structure* structure() const;
</span><ins>+    Structure* structure(VM&amp;) const;
</ins><span class="cx">     void setStructure(VM&amp;, Structure*);
</span><del>-    void clearStructure() { m_structure.clear(); }
</del><ins>+    void clearStructure() { m_structureID = 0; }
</ins><span class="cx"> 
</span><span class="cx">     const char* className();
</span><span class="cx"> 
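Review bot: clearStructure() now zeroes only m_structureID, so m_indexingType, m_type and m_flags keep the old structure's values after the call. If a cleared cell can still be asked for type() or indexingType(), reset those fields here as well, or add a comment saying the inline copies are meaningless once the ID is 0.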
</span><span class="lines">@@ -121,6 +126,7 @@
</span><span class="cx">     // Object operations, with the toObject operation included.
</span><span class="cx">     const ClassInfo* classInfo() const;
</span><span class="cx">     const MethodTable* methodTable() const;
</span><ins>+    const MethodTable* methodTable(VM&amp;) const;
</ins><span class="cx">     const MethodTable* methodTableForDestruction() const;
</span><span class="cx">     static void put(JSCell*, ExecState*, PropertyName, JSValue, PutPropertySlot&amp;);
</span><span class="cx">     static void putByIndex(JSCell*, ExecState*, unsigned propertyName, JSValue, bool shouldThrow);
</span><span class="lines">@@ -135,20 +141,34 @@
</span><span class="cx"> 
</span><span class="cx">     JSValue fastGetOwnProperty(VM&amp;, const String&amp;);
</span><span class="cx"> 
</span><del>-    static ptrdiff_t structureOffset()
</del><ins>+    void mark() { m_gcData = 1; }
+    bool isMarked() const { return m_gcData; }
+
+    static ptrdiff_t structureIDOffset()
</ins><span class="cx">     {
</span><del>-        return OBJECT_OFFSETOF(JSCell, m_structure);
</del><ins>+        return OBJECT_OFFSETOF(JSCell, m_structureID);
</ins><span class="cx">     }
</span><span class="cx"> 
</span><del>-    void* structureAddress()
</del><ins>+    static ptrdiff_t typeInfoFlagsOffset()
</ins><span class="cx">     {
</span><del>-        return &amp;m_structure;
</del><ins>+        return OBJECT_OFFSETOF(JSCell, m_flags);
</ins><span class="cx">     }
</span><del>-        
-#if ENABLE(GC_VALIDATION)
-    Structure* unvalidatedStructure() const { return m_structure.unvalidatedGet(); }
-#endif
-        
</del><ins>+
+    static ptrdiff_t typeInfoTypeOffset()
+    {
+        return OBJECT_OFFSETOF(JSCell, m_type);
+    }
+
+    static ptrdiff_t indexingTypeOffset()
+    {
+        return OBJECT_OFFSETOF(JSCell, m_indexingType);
+    }
+
+    static ptrdiff_t gcDataOffset()
+    {
+        return OBJECT_OFFSETOF(JSCell, m_gcData);
+    }
+
</ins><span class="cx">     static const TypedArrayType TypedArrayStorageType = NotTypedArray;
</span><span class="cx"> protected:
</span><span class="cx"> 
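Review bot: mark() and isMarked() are added as public members with no comment, and m_gcData is set to a bare literal 1. Say what m_gcData encodes and who is expected to call mark(), since this hunk adds a setter but no way to clear the byte again.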
</span><span class="lines">@@ -170,8 +190,12 @@
</span><span class="cx"> 
</span><span class="cx"> private:
</span><span class="cx">     friend class LLIntOffsetsExtractor;
</span><del>-        
-    WriteBarrier&lt;Structure&gt; m_structure;
</del><ins>+
+    StructureID m_structureID;
+    IndexingType m_indexingType;
+    JSType m_type;
+    TypeInfo::InlineTypeFlags m_flags;
+    uint8_t m_gcData;
</ins><span class="cx"> };
</span><span class="cx"> 
</span><span class="cx"> template&lt;typename To, typename From&gt;
</span></span></pre></div>
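Review bot: The new private fields carry no comment saying that m_indexingType, m_type and m_flags are cached copies of data owned by the Structure. The COMPILE_ASSERT in JSCell.cpp and the offset accessors above depend on this exact set and size of fields, so document that only the constructors, finishCreation and setStructure may write them and that they must change together with m_structureID.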
<a id="trunkSourceJavaScriptCoreruntimeJSCellInlinesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSCellInlines.h (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSCellInlines.h        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/runtime/JSCellInlines.h        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -38,12 +38,17 @@
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span><span class="cx"> inline JSCell::JSCell(CreatingEarlyCellTag)
</span><ins>+    : m_gcData(0)
</ins><span class="cx"> {
</span><span class="cx">     ASSERT(!isCompilationThread());
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-inline JSCell::JSCell(VM&amp; vm, Structure* structure)
-    : m_structure(vm, this, structure)
</del><ins>+inline JSCell::JSCell(VM&amp;, Structure* structure)
+    : m_structureID(structure-&gt;id())
+    , m_indexingType(structure-&gt;indexingType())
+    , m_type(structure-&gt;typeInfo().type())
+    , m_flags(structure-&gt;typeInfo().inlineTypeFlags())
+    , m_gcData(0)
</ins><span class="cx"> {
</span><span class="cx">     ASSERT(!isCompilationThread());
</span><span class="cx"> }
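Review bot: The CreatingEarlyCellTag constructor initializes only m_gcData, leaving m_structureID, m_indexingType, m_type and m_flags indeterminate until finishCreation runs. In the GC_VALIDATION build finishCreation skips the assignments when structure is null and then reads m_structureID in its ASSERT, so zero-initialize the other four fields here too.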
</span><span class="lines">@@ -56,7 +61,7 @@
</span><span class="cx"> #else
</span><span class="cx">     UNUSED_PARAM(vm);
</span><span class="cx"> #endif
</span><del>-    ASSERT(m_structure);
</del><ins>+    ASSERT(m_structureID);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> inline void JSCell::finishCreation(VM&amp; vm, Structure* structure, CreatingEarlyCellTag)
</span><span class="lines">@@ -64,23 +69,47 @@
</span><span class="cx"> #if ENABLE(GC_VALIDATION)
</span><span class="cx">     ASSERT(vm.isInitializingObject());
</span><span class="cx">     vm.setInitializingObjectClass(0);
</span><del>-    if (structure)
</del><ins>+    if (structure) {
</ins><span class="cx"> #endif
</span><del>-        m_structure.setEarlyValue(vm, this, structure);
</del><ins>+        m_structureID = structure-&gt;id();
+        m_indexingType = structure-&gt;indexingType();
+        m_type = structure-&gt;typeInfo().type();
+        m_flags = structure-&gt;typeInfo().inlineTypeFlags();
+#if ENABLE(GC_VALIDATION)
+    }
+#else
+    UNUSED_PARAM(vm);
+#endif
</ins><span class="cx">     // Very first set of allocations won't have a real structure.
</span><del>-    ASSERT(m_structure || !vm.structureStructure);
</del><ins>+    ASSERT(m_structureID || !vm.structureStructure);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><ins>+inline JSType JSCell::type() const
+{
+    return m_type;
+}
+
+inline IndexingType JSCell::indexingType() const
+{
+    return m_indexingType;
+}
+
</ins><span class="cx"> inline Structure* JSCell::structure() const
</span><span class="cx"> {
</span><del>-    return m_structure.get();
</del><ins>+    return Heap::heap(this)-&gt;structureIDTable().get(m_structureID);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><ins>+inline Structure* JSCell::structure(VM&amp; vm) const
+{
+    return vm.heap.structureIDTable().get(m_structureID);
+}
+
</ins><span class="cx"> inline void JSCell::visitChildren(JSCell* cell, SlotVisitor&amp; visitor)
</span><span class="cx"> {
</span><span class="cx">     MARK_LOG_PARENT(visitor, cell);
</span><span class="cx"> 
</span><del>-    visitor.append(&amp;cell-&gt;m_structure);
</del><ins>+    Structure* structure = cell-&gt;structure(visitor.vm());
+    visitor.appendUnbarrieredPointer(&amp;structure);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> template&lt;typename T&gt;
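Review bot: Both structure() overloads return structureIDTable().get(m_structureID) with no check at the call site that the ID read from the cell header is one the table handed out. Whether get() validates its argument is not visible here; confirm it at least asserts the ID is in range, since every type and method-table lookup now goes through this path. Separately, visitChildren passes the address of a stack local to appendUnbarrieredPointer, so anything the visitor writes through that pointer never reaches the cell; a comment that this is intentional would help.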
</span><span class="lines">@@ -116,37 +145,41 @@
</span><span class="cx"> 
</span><span class="cx"> inline bool JSCell::isObject() const
</span><span class="cx"> {
</span><del>-    return m_structure-&gt;isObject();
</del><ins>+    return TypeInfo::isObject(m_type);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> inline bool JSCell::isString() const
</span><span class="cx"> {
</span><del>-    return m_structure-&gt;typeInfo().type() == StringType;
</del><ins>+    return m_type == StringType;
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> inline bool JSCell::isGetterSetter() const
</span><span class="cx"> {
</span><del>-    return m_structure-&gt;typeInfo().type() == GetterSetterType;
</del><ins>+    return m_type == GetterSetterType;
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> inline bool JSCell::isProxy() const
</span><span class="cx"> {
</span><del>-    return structure()-&gt;typeInfo().type() == ProxyType;
</del><ins>+    return m_type == ProxyType;
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> inline bool JSCell::isAPIValueWrapper() const
</span><span class="cx"> {
</span><del>-    return m_structure-&gt;typeInfo().type() == APIValueWrapperType;
</del><ins>+    return m_type == APIValueWrapperType;
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> inline void JSCell::setStructure(VM&amp; vm, Structure* structure)
</span><span class="cx"> {
</span><span class="cx">     ASSERT(structure-&gt;typeInfo().overridesVisitChildren() == this-&gt;structure()-&gt;typeInfo().overridesVisitChildren());
</span><del>-    ASSERT(structure-&gt;classInfo() == m_structure-&gt;classInfo());
-    ASSERT(!m_structure
-        || m_structure-&gt;transitionWatchpointSetHasBeenInvalidated()
-        || m_structure.get() == structure);
-    m_structure.set(vm, this, structure);
</del><ins>+    ASSERT(structure-&gt;classInfo() == this-&gt;structure()-&gt;classInfo());
+    ASSERT(!this-&gt;structure()
+        || this-&gt;structure()-&gt;transitionWatchpointSetHasBeenInvalidated()
+        || Heap::heap(this)-&gt;structureIDTable().get(structure-&gt;id()) == structure);
+    vm.heap.writeBarrier(this, structure);
+    m_structureID = structure-&gt;id();
+    m_flags = structure-&gt;typeInfo().inlineTypeFlags();
+    m_type = structure-&gt;typeInfo().type();
+    m_indexingType = structure-&gt;indexingType();
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> inline const MethodTable* JSCell::methodTableForDestruction() const
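Review bot: The last clause of the third ASSERT in setStructure no longer tests what it used to. The old clause compared the cell's current structure with the incoming one; the new clause checks that the incoming structure's ID maps back to itself in the table, which says nothing about this cell. If "re-setting the same structure is allowed" is still the intent, compare this cell's structure() with the argument. Note also that the two ASSERTs before it dereference the current structure() before this one tests it for null.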
</span><span class="lines">@@ -156,12 +189,22 @@
</span><span class="cx"> 
</span><span class="cx"> inline const MethodTable* JSCell::methodTable() const
</span><span class="cx"> {
</span><del>-    if (Structure* rootStructure = m_structure-&gt;structure())
</del><ins>+    Structure* structure = this-&gt;structure();
+    if (Structure* rootStructure = structure-&gt;structure())
</ins><span class="cx">         RELEASE_ASSERT(rootStructure == rootStructure-&gt;structure());
</span><span class="cx"> 
</span><del>-    return &amp;classInfo()-&gt;methodTable;
</del><ins>+    return &amp;structure-&gt;classInfo()-&gt;methodTable;
</ins><span class="cx"> }
</span><span class="cx"> 
</span><ins>+inline const MethodTable* JSCell::methodTable(VM&amp; vm) const
+{
+    Structure* structure = this-&gt;structure(vm);
+    if (Structure* rootStructure = structure-&gt;structure())
+        RELEASE_ASSERT(rootStructure == rootStructure-&gt;structure());
+
+    return &amp;structure-&gt;classInfo()-&gt;methodTable;
+}
+
</ins><span class="cx"> inline bool JSCell::inherits(const ClassInfo* info) const
</span><span class="cx"> {
</span><span class="cx">     return classInfo()-&gt;isSubClassOf(info);
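Review bot: methodTable() and the new VM-taking overload have identical bodies apart from which structure() they call, including the RELEASE_ASSERT on the root structure. Factor the shared part into one helper that takes the Structure pointer so the check cannot drift between the two copies.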
</span><span class="lines">@@ -197,6 +240,22 @@
</span><span class="cx">     return MixedTriState;
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+inline void Heap::writeBarrier(const JSCell* from, JSCell* to)
+{
+#if ENABLE(WRITE_BARRIER_PROFILING)
+    WriteBarrierCounters::countWriteBarrier();
+#endif
+    if (!from || !from-&gt;isMarked()) {
+        ASSERT(!from || !isMarked(from));
+        return;
+    }
+    if (!to || to-&gt;isMarked()) {
+        ASSERT(!to || isMarked(to));
+        return;
+    }
+    addToRememberedSet(from);
+}
+
</ins><span class="cx"> } // namespace JSC
</span><span class="cx"> 
</span><span class="cx"> #endif // JSCellInlines_h
</span></span></pre></div>
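Review bot: Heap::writeBarrier reads the mark state from two places, the cell's own isMarked() in the conditions and Heap's isMarked(cell) in the ASSERTs, without a comment on how the two relate. State the invariant the ASSERTs are checking (the inline byte and the heap's mark agree for both from and to). Defining a Heap member in JSCellInlines.h also means every caller of writeBarrier needs this header, which is worth a line in the change log.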
<a id="trunkSourceJavaScriptCoreruntimeJSDataViewcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSDataView.cpp (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSDataView.cpp        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/runtime/JSDataView.cpp        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -113,7 +113,7 @@
</span><span class="cx">     VM&amp; vm, JSGlobalObject* globalObject, JSValue prototype)
</span><span class="cx"> {
</span><span class="cx">     return Structure::create(
</span><del>-        vm, globalObject, prototype, TypeInfo(ObjectType, StructureFlags), info(),
</del><ins>+        vm, globalObject, prototype, TypeInfo(DataViewType, StructureFlags), info(),
</ins><span class="cx">         NonArray);
</span><span class="cx"> }
</span><span class="cx"> 
</span></span></pre></div>
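Review bot: Switching the TypeInfo from ObjectType to DataViewType has wider effect in this revision, because JSCell::isObject() is now TypeInfo::isObject(m_type) on the inline type byte. Confirm that DataViewType, and the typed array types introduced the same way in JSGenericTypedArrayView.h, are classified as objects by that predicate, and that no caller compares type() against ObjectType directly and expects data views to match.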
<a id="trunkSourceJavaScriptCoreruntimeJSDestructibleObjecth"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSDestructibleObject.h (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSDestructibleObject.h        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/runtime/JSDestructibleObject.h        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -31,13 +31,10 @@
</span><span class="cx"> 
</span><span class="cx"> inline const ClassInfo* JSCell::classInfo() const
</span><span class="cx"> {
</span><del>-    if (MarkedBlock::blockFor(this)-&gt;destructorType() == MarkedBlock::Normal)
</del><ins>+    MarkedBlock* block = MarkedBlock::blockFor(this);
+    if (block-&gt;destructorType() == MarkedBlock::Normal)
</ins><span class="cx">         return static_cast&lt;const JSDestructibleObject*&gt;(this)-&gt;classInfo();
</span><del>-#if ENABLE(GC_VALIDATION)
-    return m_structure.unvalidatedGet()-&gt;classInfo();
-#else
-    return m_structure-&gt;classInfo();
-#endif
</del><ins>+    return structure(*block-&gt;vm())-&gt;classInfo();
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> } // namespace JSC
</span></span></pre></div>
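Review bot: classInfo() drops the GC_VALIDATION branch that went through unvalidatedGet(), so the validation build now takes the same table lookup as the release build. If that branch existed because classInfo() can be reached for cells that would fail validation, explain in the change log why that is no longer a concern.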
<a id="trunkSourceJavaScriptCoreruntimeJSFunctioncpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSFunction.cpp (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSFunction.cpp        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/runtime/JSFunction.cpp        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -391,14 +391,15 @@
</span><span class="cx"> {
</span><span class="cx">     JSFunction* thisObject = jsCast&lt;JSFunction*&gt;(object);
</span><span class="cx">     if (!thisObject-&gt;isHostOrBuiltinFunction() &amp;&amp; (mode == IncludeDontEnumProperties)) {
</span><ins>+        VM&amp; vm = exec-&gt;vm();
</ins><span class="cx">         // Make sure prototype has been reified.
</span><span class="cx">         PropertySlot slot(thisObject);
</span><del>-        thisObject-&gt;methodTable()-&gt;getOwnPropertySlot(thisObject, exec, exec-&gt;propertyNames().prototype, slot);
</del><ins>+        thisObject-&gt;methodTable(vm)-&gt;getOwnPropertySlot(thisObject, exec, vm.propertyNames-&gt;prototype, slot);
</ins><span class="cx"> 
</span><del>-        propertyNames.add(exec-&gt;propertyNames().arguments);
-        propertyNames.add(exec-&gt;propertyNames().caller);
-        propertyNames.add(exec-&gt;propertyNames().length);
-        propertyNames.add(exec-&gt;propertyNames().name);
</del><ins>+        propertyNames.add(vm.propertyNames-&gt;arguments);
+        propertyNames.add(vm.propertyNames-&gt;caller);
+        propertyNames.add(vm.propertyNames-&gt;length);
+        propertyNames.add(vm.propertyNames-&gt;name);
</ins><span class="cx">     }
</span><span class="cx">     Base::getOwnNonIndexPropertyNames(thisObject, exec, propertyNames, mode);
</span><span class="cx"> }
</span><span class="lines">@@ -414,7 +415,7 @@
</span><span class="cx">         // Make sure prototype has been reified, such that it can only be overwritten
</span><span class="cx">         // following the rules set out in ECMA-262 8.12.9.
</span><span class="cx">         PropertySlot slot(thisObject);
</span><del>-        thisObject-&gt;methodTable()-&gt;getOwnPropertySlot(thisObject, exec, propertyName, slot);
</del><ins>+        thisObject-&gt;methodTable(exec-&gt;vm())-&gt;getOwnPropertySlot(thisObject, exec, propertyName, slot);
</ins><span class="cx">         thisObject-&gt;m_allocationProfile.clear();
</span><span class="cx">         thisObject-&gt;m_allocationProfileWatchpoint.fireAll();
</span><span class="cx">         // Don't allow this to be cached, since a [[Put]] must clear m_allocationProfile.
</span><span class="lines">@@ -461,7 +462,7 @@
</span><span class="cx">         // Make sure prototype has been reified, such that it can only be overwritten
</span><span class="cx">         // following the rules set out in ECMA-262 8.12.9.
</span><span class="cx">         PropertySlot slot(thisObject);
</span><del>-        thisObject-&gt;methodTable()-&gt;getOwnPropertySlot(thisObject, exec, propertyName, slot);
</del><ins>+        thisObject-&gt;methodTable(exec-&gt;vm())-&gt;getOwnPropertySlot(thisObject, exec, propertyName, slot);
</ins><span class="cx">         thisObject-&gt;m_allocationProfile.clear();
</span><span class="cx">         thisObject-&gt;m_allocationProfileWatchpoint.fireAll();
</span><span class="cx">         return Base::defineOwnProperty(object, exec, propertyName, descriptor, throwException);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSGenericTypedArrayViewh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayView.h (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayView.h        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayView.h        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -186,7 +186,7 @@
</span><span class="cx">     
</span><span class="cx">     static Structure* createStructure(VM&amp; vm, JSGlobalObject* globalObject, JSValue prototype)
</span><span class="cx">     {
</span><del>-        return Structure::create(vm, globalObject, prototype, TypeInfo(ObjectType, StructureFlags), info(), NonArray);
</del><ins>+        return Structure::create(vm, globalObject, prototype, TypeInfo(typeForTypedArrayType(Adaptor::typeValue), StructureFlags), info(), NonArray);
</ins><span class="cx">     }
</span><span class="cx">     
</span><span class="cx">     static const ClassInfo s_info; // This is never accessed directly, since that would break linkage on some compilers.
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSObjectcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSObject.cpp (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSObject.cpp        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/runtime/JSObject.cpp        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -57,10 +57,9 @@
</span><span class="cx"> 
</span><span class="cx"> JSCell* getCallableObjectSlow(JSCell* cell)
</span><span class="cx"> {
</span><del>-    Structure* structure = cell-&gt;structure();
-    if (structure-&gt;typeInfo().type() == JSFunctionType)
</del><ins>+    if (cell-&gt;type() == JSFunctionType)
</ins><span class="cx">         return cell;
</span><del>-    if (structure-&gt;classInfo()-&gt;isSubClassOf(InternalFunction::info()))
</del><ins>+    if (cell-&gt;structure()-&gt;classInfo()-&gt;isSubClassOf(InternalFunction::info()))
</ins><span class="cx">         return cell;
</span><span class="cx">     return 0;
</span><span class="cx"> }
</span><span class="lines">@@ -129,7 +128,7 @@
</span><span class="cx">             WriteBarrier&lt;Unknown&gt;* currentSource;
</span><span class="cx">             size_t count;
</span><span class="cx">             
</span><del>-            switch (structure-&gt;indexingType()) {
</del><ins>+            switch (this-&gt;indexingType()) {
</ins><span class="cx">             case ALL_UNDECIDED_INDEXING_TYPES:
</span><span class="cx">             case ALL_CONTIGUOUS_INDEXING_TYPES:
</span><span class="cx">             case ALL_INT32_INDEXING_TYPES:
</span><span class="lines">@@ -190,7 +189,7 @@
</span><span class="cx">         butterfly-&gt;base(preCapacity, propertyCapacity), capacityInBytes);
</span><span class="cx">     
</span><span class="cx">     // Mark the array if appropriate.
</span><del>-    switch (structure-&gt;indexingType()) {
</del><ins>+    switch (this-&gt;indexingType()) {
</ins><span class="cx">     case ALL_CONTIGUOUS_INDEXING_TYPES:
</span><span class="cx">         visitor.appendValues(butterfly-&gt;contiguous().data(), butterfly-&gt;publicLength());
</span><span class="cx">         break;
</span><span class="lines">@@ -248,11 +247,12 @@
</span><span class="cx">     
</span><span class="cx">     JSCell::visitChildren(thisObject, visitor);
</span><span class="cx"> 
</span><ins>+    Structure* structure = thisObject-&gt;structure();
</ins><span class="cx">     Butterfly* butterfly = thisObject-&gt;butterfly();
</span><span class="cx">     if (butterfly)
</span><del>-        thisObject-&gt;visitButterfly(visitor, butterfly, thisObject-&gt;structure()-&gt;outOfLineSize());
</del><ins>+        thisObject-&gt;visitButterfly(visitor, butterfly, structure-&gt;outOfLineSize());
</ins><span class="cx"> 
</span><del>-    size_t storageSize = thisObject-&gt;structure()-&gt;inlineSize();
</del><ins>+    size_t storageSize = structure-&gt;inlineSize();
</ins><span class="cx">     visitor.appendValues(thisObject-&gt;inlineStorage(), storageSize);
</span><span class="cx"> 
</span><span class="cx"> #if !ASSERT_DISABLED
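Review bot: The new local in visitChildren is filled with thisObject's no-argument structure(), which resolves the heap from the cell address, although the visitor is in scope and JSCell::visitChildren in this same revision uses structure(visitor.vm()). Use the VM-taking overload here too, so the marking path gets the cheaper lookup this patch is introducing.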
</span><span class="lines">@@ -274,9 +274,9 @@
</span><span class="cx">     // getOwnPropertySlotByIndex().
</span><span class="cx">     
</span><span class="cx">     if (i &gt; MAX_ARRAY_INDEX)
</span><del>-        return thisObject-&gt;methodTable()-&gt;getOwnPropertySlot(thisObject, exec, Identifier::from(exec, i), slot);
</del><ins>+        return thisObject-&gt;methodTable(exec-&gt;vm())-&gt;getOwnPropertySlot(thisObject, exec, Identifier::from(exec, i), slot);
</ins><span class="cx">     
</span><del>-    switch (thisObject-&gt;structure()-&gt;indexingType()) {
</del><ins>+    switch (thisObject-&gt;indexingType()) {
</ins><span class="cx">     case ALL_BLANK_INDEXING_TYPES:
</span><span class="cx">     case ALL_UNDECIDED_INDEXING_TYPES:
</span><span class="cx">         break;
</span><span class="lines">@@ -358,10 +358,10 @@
</span><span class="cx">     // Check if there are any setters or getters in the prototype chain
</span><span class="cx">     JSValue prototype;
</span><span class="cx">     if (propertyName != exec-&gt;propertyNames().underscoreProto) {
</span><del>-        for (JSObject* obj = thisObject; !obj-&gt;structure()-&gt;hasReadOnlyOrGetterSetterPropertiesExcludingProto(); obj = asObject(prototype)) {
</del><ins>+        for (JSObject* obj = thisObject; !obj-&gt;structure(vm)-&gt;hasReadOnlyOrGetterSetterPropertiesExcludingProto(); obj = asObject(prototype)) {
</ins><span class="cx">             prototype = obj-&gt;prototype();
</span><span class="cx">             if (prototype.isNull()) {
</span><del>-                ASSERT(!thisObject-&gt;structure()-&gt;prototypeChainMayInterceptStoreTo(exec-&gt;vm(), propertyName));
</del><ins>+                ASSERT(!thisObject-&gt;structure(vm)-&gt;prototypeChainMayInterceptStoreTo(exec-&gt;vm(), propertyName));
</ins><span class="cx">                 if (!thisObject-&gt;putDirectInternal&lt;PutModePut&gt;(vm, propertyName, value, 0, slot, getCallableObject(value))
</span><span class="cx">                     &amp;&amp; slot.isStrictMode())
</span><span class="cx">                     throwTypeError(exec, ASCIILiteral(StrictModeReadonlyPropertyWriteError));
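Review bot: The changed lines call structure(vm) but still pass exec's vm() as the argument to prototypeChainMayInterceptStoreTo in the same expression. A local vm is already in scope, so pass it for both; the same mix appears in the ASSERTs of the following hunks of this function.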
</span><span class="lines">@@ -374,10 +374,10 @@
</span><span class="cx">     for (obj = thisObject; ; obj = asObject(prototype)) {
</span><span class="cx">         unsigned attributes;
</span><span class="cx">         JSCell* specificValue;
</span><del>-        PropertyOffset offset = obj-&gt;structure()-&gt;get(vm, propertyName, attributes, specificValue);
</del><ins>+        PropertyOffset offset = obj-&gt;structure(vm)-&gt;get(vm, propertyName, attributes, specificValue);
</ins><span class="cx">         if (isValidOffset(offset)) {
</span><span class="cx">             if (attributes &amp; ReadOnly) {
</span><del>-                ASSERT(thisObject-&gt;structure()-&gt;prototypeChainMayInterceptStoreTo(exec-&gt;vm(), propertyName) || obj == thisObject);
</del><ins>+                ASSERT(thisObject-&gt;structure(vm)-&gt;prototypeChainMayInterceptStoreTo(exec-&gt;vm(), propertyName) || obj == thisObject);
</ins><span class="cx">                 if (slot.isStrictMode())
</span><span class="cx">                     exec-&gt;vm().throwException(exec, createTypeError(exec, ASCIILiteral(StrictModeReadonlyPropertyWriteError)));
</span><span class="cx">                 return;
</span><span class="lines">@@ -406,7 +406,7 @@
</span><span class="cx">             break;
</span><span class="cx">     }
</span><span class="cx">     
</span><del>-    ASSERT(!thisObject-&gt;structure()-&gt;prototypeChainMayInterceptStoreTo(exec-&gt;vm(), propertyName) || obj == thisObject);
</del><ins>+    ASSERT(!thisObject-&gt;structure(vm)-&gt;prototypeChainMayInterceptStoreTo(exec-&gt;vm(), propertyName) || obj == thisObject);
</ins><span class="cx">     if (!thisObject-&gt;putDirectInternal&lt;PutModePut&gt;(vm, propertyName, value, 0, slot, getCallableObject(value)) &amp;&amp; slot.isStrictMode())
</span><span class="cx">         throwTypeError(exec, ASCIILiteral(StrictModeReadonlyPropertyWriteError));
</span><span class="cx">     return;
</span><span class="lines">@@ -422,7 +422,7 @@
</span><span class="cx">         return;
</span><span class="cx">     }
</span><span class="cx">     
</span><del>-    switch (thisObject-&gt;structure()-&gt;indexingType()) {
</del><ins>+    switch (thisObject-&gt;indexingType()) {
</ins><span class="cx">     case ALL_BLANK_INDEXING_TYPES:
</span><span class="cx">         break;
</span><span class="cx">         
</span><span class="lines">@@ -553,7 +553,7 @@
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     DeferGC deferGC(vm.heap);
</span><del>-    Butterfly* newButterfly = storage-&gt;butterfly()-&gt;resizeArray(vm, this, structure(), 0, ArrayStorage::sizeFor(0));
</del><ins>+    Butterfly* newButterfly = storage-&gt;butterfly()-&gt;resizeArray(vm, this, structure(vm), 0, ArrayStorage::sizeFor(0));
</ins><span class="cx">     RELEASE_ASSERT(newButterfly);
</span><span class="cx">     newButterfly-&gt;arrayStorage()-&gt;m_indexBias = 0;
</span><span class="cx">     newButterfly-&gt;arrayStorage()-&gt;setVectorLength(0);
</span><span class="lines">@@ -565,7 +565,7 @@
</span><span class="cx"> 
</span><span class="cx"> void JSObject::enterDictionaryIndexingMode(VM&amp; vm)
</span><span class="cx"> {
</span><del>-    switch (structure()-&gt;indexingType()) {
</del><ins>+    switch (indexingType()) {
</ins><span class="cx">     case ALL_BLANK_INDEXING_TYPES:
</span><span class="cx">     case ALL_UNDECIDED_INDEXING_TYPES:
</span><span class="cx">     case ALL_INT32_INDEXING_TYPES:
</span><span class="lines">@@ -589,7 +589,7 @@
</span><span class="cx">     if (mayInterceptIndexedAccesses())
</span><span class="cx">         return;
</span><span class="cx">     
</span><del>-    setStructure(vm, Structure::nonPropertyTransition(vm, structure(), AddIndexedAccessors));
</del><ins>+    setStructure(vm, Structure::nonPropertyTransition(vm, structure(vm), AddIndexedAccessors));
</ins><span class="cx">     
</span><span class="cx">     if (!vm.prototypeMap.isPrototype(this))
</span><span class="cx">         return;
</span><span class="lines">@@ -600,7 +600,7 @@
</span><span class="cx"> Butterfly* JSObject::createInitialIndexedStorage(VM&amp; vm, unsigned length, size_t elementSize)
</span><span class="cx"> {
</span><span class="cx">     ASSERT(length &lt; MAX_ARRAY_INDEX);
</span><del>-    IndexingType oldType = structure()-&gt;indexingType();
</del><ins>+    IndexingType oldType = indexingType();
</ins><span class="cx">     ASSERT_UNUSED(oldType, !hasIndexedProperties(oldType));
</span><span class="cx">     ASSERT(!structure()-&gt;needsSlowPutIndexing());
</span><span class="cx">     ASSERT(!indexingShouldBeSparse());
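Review bot: the unchanged ASSERT(!structure()-&gt;needsSlowPutIndexing()) directly below the converted oldType line still calls the no-argument structure() accessor, even though vm is a parameter of createInitialIndexedStorage. Convert it to structure(vm), as the needsSlowPutIndexing asserts in the ensureArrayStorage switch later in this patch are, so this function is not left half converted.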
</span><span class="lines">@@ -617,7 +617,7 @@
</span><span class="cx"> {
</span><span class="cx">     DeferGC deferGC(vm.heap);
</span><span class="cx">     Butterfly* newButterfly = createInitialIndexedStorage(vm, length, sizeof(EncodedJSValue));
</span><del>-    Structure* newStructure = Structure::nonPropertyTransition(vm, structure(), AllocateUndecided);
</del><ins>+    Structure* newStructure = Structure::nonPropertyTransition(vm, structure(vm), AllocateUndecided);
</ins><span class="cx">     setStructureAndButterfly(vm, newStructure, newButterfly);
</span><span class="cx">     return newButterfly;
</span><span class="cx"> }
</span><span class="lines">@@ -626,7 +626,7 @@
</span><span class="cx"> {
</span><span class="cx">     DeferGC deferGC(vm.heap);
</span><span class="cx">     Butterfly* newButterfly = createInitialIndexedStorage(vm, length, sizeof(EncodedJSValue));
</span><del>-    Structure* newStructure = Structure::nonPropertyTransition(vm, structure(), AllocateInt32);
</del><ins>+    Structure* newStructure = Structure::nonPropertyTransition(vm, structure(vm), AllocateInt32);
</ins><span class="cx">     setStructureAndButterfly(vm, newStructure, newButterfly);
</span><span class="cx">     return newButterfly-&gt;contiguousInt32();
</span><span class="cx"> }
</span><span class="lines">@@ -637,7 +637,7 @@
</span><span class="cx">     Butterfly* newButterfly = createInitialIndexedStorage(vm, length, sizeof(double));
</span><span class="cx">     for (unsigned i = newButterfly-&gt;vectorLength(); i--;)
</span><span class="cx">         newButterfly-&gt;contiguousDouble()[i] = QNaN;
</span><del>-    Structure* newStructure = Structure::nonPropertyTransition(vm, structure(), AllocateDouble);
</del><ins>+    Structure* newStructure = Structure::nonPropertyTransition(vm, structure(vm), AllocateDouble);
</ins><span class="cx">     setStructureAndButterfly(vm, newStructure, newButterfly);
</span><span class="cx">     return newButterfly-&gt;contiguousDouble();
</span><span class="cx"> }
</span><span class="lines">@@ -646,7 +646,7 @@
</span><span class="cx"> {
</span><span class="cx">     DeferGC deferGC(vm.heap);
</span><span class="cx">     Butterfly* newButterfly = createInitialIndexedStorage(vm, length, sizeof(EncodedJSValue));
</span><del>-    Structure* newStructure = Structure::nonPropertyTransition(vm, structure(), AllocateContiguous);
</del><ins>+    Structure* newStructure = Structure::nonPropertyTransition(vm, structure(vm), AllocateContiguous);
</ins><span class="cx">     setStructureAndButterfly(vm, newStructure, newButterfly);
</span><span class="cx">     return newButterfly-&gt;contiguous();
</span><span class="cx"> }
</span><span class="lines">@@ -654,10 +654,11 @@
</span><span class="cx"> ArrayStorage* JSObject::createArrayStorage(VM&amp; vm, unsigned length, unsigned vectorLength)
</span><span class="cx"> {
</span><span class="cx">     DeferGC deferGC(vm.heap);
</span><del>-    IndexingType oldType = structure()-&gt;indexingType();
</del><ins>+    Structure* structure = this-&gt;structure(vm);
+    IndexingType oldType = indexingType();
</ins><span class="cx">     ASSERT_UNUSED(oldType, !hasIndexedProperties(oldType));
</span><span class="cx">     Butterfly* newButterfly = Butterfly::createOrGrowArrayRight(
</span><del>-        m_butterfly.get(), vm, this, structure(), structure()-&gt;outOfLineCapacity(), false, 0,
</del><ins>+        m_butterfly.get(), vm, this, structure, structure-&gt;outOfLineCapacity(), false, 0,
</ins><span class="cx">         ArrayStorage::sizeFor(vectorLength));
</span><span class="cx">     RELEASE_ASSERT(newButterfly);
</span><span class="cx"> 
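Review bot: the new local Structure* structure in createArrayStorage shadows the member accessor of the same name, so an unqualified structure(vm) call added to this function later will not compile, and the this-&gt;structure(vm) spelling is needed only because of the name clash. Consider a name such as oldStructure, which also makes clear that the pointer was read before setStructureAndButterfly installs newStructure further down.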
</span><span class="lines">@@ -667,7 +668,7 @@
</span><span class="cx">     result-&gt;m_sparseMap.clear();
</span><span class="cx">     result-&gt;m_numValuesInVector = 0;
</span><span class="cx">     result-&gt;m_indexBias = 0;
</span><del>-    Structure* newStructure = Structure::nonPropertyTransition(vm, structure(), structure()-&gt;suggestedArrayStorageTransition());
</del><ins>+    Structure* newStructure = Structure::nonPropertyTransition(vm, structure, structure-&gt;suggestedArrayStorageTransition());
</ins><span class="cx">     setStructureAndButterfly(vm, newStructure, newButterfly);
</span><span class="cx">     return result;
</span><span class="cx"> }
</span><span class="lines">@@ -679,34 +680,35 @@
</span><span class="cx"> 
</span><span class="cx"> ContiguousJSValues JSObject::convertUndecidedToInt32(VM&amp; vm)
</span><span class="cx"> {
</span><del>-    ASSERT(hasUndecided(structure()-&gt;indexingType()));
-    setStructure(vm, Structure::nonPropertyTransition(vm, structure(), AllocateInt32));
</del><ins>+    ASSERT(hasUndecided(indexingType()));
+    setStructure(vm, Structure::nonPropertyTransition(vm, structure(vm), AllocateInt32));
</ins><span class="cx">     return m_butterfly-&gt;contiguousInt32();
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> ContiguousDoubles JSObject::convertUndecidedToDouble(VM&amp; vm)
</span><span class="cx"> {
</span><del>-    ASSERT(hasUndecided(structure()-&gt;indexingType()));
</del><ins>+    ASSERT(hasUndecided(indexingType()));
</ins><span class="cx">     
</span><span class="cx">     for (unsigned i = m_butterfly-&gt;vectorLength(); i--;)
</span><span class="cx">         m_butterfly-&gt;contiguousDouble()[i] = QNaN;
</span><span class="cx">     
</span><del>-    setStructure(vm, Structure::nonPropertyTransition(vm, structure(), AllocateDouble));
</del><ins>+    setStructure(vm, Structure::nonPropertyTransition(vm, structure(vm), AllocateDouble));
</ins><span class="cx">     return m_butterfly-&gt;contiguousDouble();
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> ContiguousJSValues JSObject::convertUndecidedToContiguous(VM&amp; vm)
</span><span class="cx"> {
</span><del>-    ASSERT(hasUndecided(structure()-&gt;indexingType()));
-    setStructure(vm, Structure::nonPropertyTransition(vm, structure(), AllocateContiguous));
</del><ins>+    ASSERT(hasUndecided(indexingType()));
+    setStructure(vm, Structure::nonPropertyTransition(vm, structure(vm), AllocateContiguous));
</ins><span class="cx">     return m_butterfly-&gt;contiguous();
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> ArrayStorage* JSObject::constructConvertedArrayStorageWithoutCopyingElements(VM&amp; vm, unsigned neededLength)
</span><span class="cx"> {
</span><ins>+    Structure* structure = this-&gt;structure(vm);
</ins><span class="cx">     unsigned publicLength = m_butterfly-&gt;publicLength();
</span><del>-    unsigned propertyCapacity = structure()-&gt;outOfLineCapacity();
-    unsigned propertySize = structure()-&gt;outOfLineSize();
</del><ins>+    unsigned propertyCapacity = structure-&gt;outOfLineCapacity();
+    unsigned propertySize = structure-&gt;outOfLineSize();
</ins><span class="cx">     
</span><span class="cx">     Butterfly* newButterfly = Butterfly::createUninitialized(
</span><span class="cx">         vm, this, 0, propertyCapacity, true, ArrayStorage::sizeFor(neededLength));
</span><span class="lines">@@ -729,12 +731,12 @@
</span><span class="cx"> ArrayStorage* JSObject::convertUndecidedToArrayStorage(VM&amp; vm, NonPropertyTransition transition, unsigned neededLength)
</span><span class="cx"> {
</span><span class="cx">     DeferGC deferGC(vm.heap);
</span><del>-    ASSERT(hasUndecided(structure()-&gt;indexingType()));
</del><ins>+    ASSERT(hasUndecided(indexingType()));
</ins><span class="cx">     
</span><span class="cx">     ArrayStorage* storage = constructConvertedArrayStorageWithoutCopyingElements(vm, neededLength);
</span><span class="cx">     // No need to copy elements.
</span><span class="cx">     
</span><del>-    Structure* newStructure = Structure::nonPropertyTransition(vm, structure(), transition);
</del><ins>+    Structure* newStructure = Structure::nonPropertyTransition(vm, structure(vm), transition);
</ins><span class="cx">     setStructureAndButterfly(vm, newStructure, storage-&gt;butterfly());
</span><span class="cx">     return storage;
</span><span class="cx"> }
</span><span class="lines">@@ -746,12 +748,12 @@
</span><span class="cx"> 
</span><span class="cx"> ArrayStorage* JSObject::convertUndecidedToArrayStorage(VM&amp; vm)
</span><span class="cx"> {
</span><del>-    return convertUndecidedToArrayStorage(vm, structure()-&gt;suggestedArrayStorageTransition());
</del><ins>+    return convertUndecidedToArrayStorage(vm, structure(vm)-&gt;suggestedArrayStorageTransition());
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> ContiguousDoubles JSObject::convertInt32ToDouble(VM&amp; vm)
</span><span class="cx"> {
</span><del>-    ASSERT(hasInt32(structure()-&gt;indexingType()));
</del><ins>+    ASSERT(hasInt32(indexingType()));
</ins><span class="cx">     
</span><span class="cx">     for (unsigned i = m_butterfly-&gt;vectorLength(); i--;) {
</span><span class="cx">         WriteBarrier&lt;Unknown&gt;* current = &amp;m_butterfly-&gt;contiguousInt32()[i];
</span><span class="lines">@@ -765,21 +767,21 @@
</span><span class="cx">         *currentAsDouble = v.asInt32();
</span><span class="cx">     }
</span><span class="cx">     
</span><del>-    setStructure(vm, Structure::nonPropertyTransition(vm, structure(), AllocateDouble));
</del><ins>+    setStructure(vm, Structure::nonPropertyTransition(vm, structure(vm), AllocateDouble));
</ins><span class="cx">     return m_butterfly-&gt;contiguousDouble();
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> ContiguousJSValues JSObject::convertInt32ToContiguous(VM&amp; vm)
</span><span class="cx"> {
</span><del>-    ASSERT(hasInt32(structure()-&gt;indexingType()));
</del><ins>+    ASSERT(hasInt32(indexingType()));
</ins><span class="cx">     
</span><del>-    setStructure(vm, Structure::nonPropertyTransition(vm, structure(), AllocateContiguous));
</del><ins>+    setStructure(vm, Structure::nonPropertyTransition(vm, structure(vm), AllocateContiguous));
</ins><span class="cx">     return m_butterfly-&gt;contiguous();
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> ArrayStorage* JSObject::convertInt32ToArrayStorage(VM&amp; vm, NonPropertyTransition transition, unsigned neededLength)
</span><span class="cx"> {
</span><del>-    ASSERT(hasInt32(structure()-&gt;indexingType()));
</del><ins>+    ASSERT(hasInt32(indexingType()));
</ins><span class="cx">     
</span><span class="cx">     DeferGC deferGC(vm.heap);
</span><span class="cx">     ArrayStorage* newStorage = constructConvertedArrayStorageWithoutCopyingElements(vm, neededLength);
</span><span class="lines">@@ -791,7 +793,7 @@
</span><span class="cx">         newStorage-&gt;m_numValuesInVector++;
</span><span class="cx">     }
</span><span class="cx">     
</span><del>-    Structure* newStructure = Structure::nonPropertyTransition(vm, structure(), transition);
</del><ins>+    Structure* newStructure = Structure::nonPropertyTransition(vm, structure(vm), transition);
</ins><span class="cx">     setStructureAndButterfly(vm, newStructure, newStorage-&gt;butterfly());
</span><span class="cx">     return newStorage;
</span><span class="cx"> }
</span><span class="lines">@@ -803,13 +805,13 @@
</span><span class="cx"> 
</span><span class="cx"> ArrayStorage* JSObject::convertInt32ToArrayStorage(VM&amp; vm)
</span><span class="cx"> {
</span><del>-    return convertInt32ToArrayStorage(vm, structure()-&gt;suggestedArrayStorageTransition());
</del><ins>+    return convertInt32ToArrayStorage(vm, structure(vm)-&gt;suggestedArrayStorageTransition());
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> template&lt;JSObject::DoubleToContiguousMode mode&gt;
</span><span class="cx"> ContiguousJSValues JSObject::genericConvertDoubleToContiguous(VM&amp; vm)
</span><span class="cx"> {
</span><del>-    ASSERT(hasDouble(structure()-&gt;indexingType()));
</del><ins>+    ASSERT(hasDouble(indexingType()));
</ins><span class="cx">     
</span><span class="cx">     for (unsigned i = m_butterfly-&gt;vectorLength(); i--;) {
</span><span class="cx">         double* current = &amp;m_butterfly-&gt;contiguousDouble()[i];
</span><span class="lines">@@ -832,7 +834,7 @@
</span><span class="cx">         currentAsValue-&gt;setWithoutWriteBarrier(v);
</span><span class="cx">     }
</span><span class="cx">     
</span><del>-    setStructure(vm, Structure::nonPropertyTransition(vm, structure(), AllocateContiguous));
</del><ins>+    setStructure(vm, Structure::nonPropertyTransition(vm, structure(vm), AllocateContiguous));
</ins><span class="cx">     return m_butterfly-&gt;contiguous();
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="lines">@@ -849,7 +851,7 @@
</span><span class="cx"> ArrayStorage* JSObject::convertDoubleToArrayStorage(VM&amp; vm, NonPropertyTransition transition, unsigned neededLength)
</span><span class="cx"> {
</span><span class="cx">     DeferGC deferGC(vm.heap);
</span><del>-    ASSERT(hasDouble(structure()-&gt;indexingType()));
</del><ins>+    ASSERT(hasDouble(indexingType()));
</ins><span class="cx">     
</span><span class="cx">     ArrayStorage* newStorage = constructConvertedArrayStorageWithoutCopyingElements(vm, neededLength);
</span><span class="cx">     for (unsigned i = m_butterfly-&gt;publicLength(); i--;) {
</span><span class="lines">@@ -860,7 +862,7 @@
</span><span class="cx">         newStorage-&gt;m_numValuesInVector++;
</span><span class="cx">     }
</span><span class="cx">     
</span><del>-    Structure* newStructure = Structure::nonPropertyTransition(vm, structure(), transition);
</del><ins>+    Structure* newStructure = Structure::nonPropertyTransition(vm, structure(vm), transition);
</ins><span class="cx">     setStructureAndButterfly(vm, newStructure, newStorage-&gt;butterfly());
</span><span class="cx">     return newStorage;
</span><span class="cx"> }
</span><span class="lines">@@ -872,13 +874,13 @@
</span><span class="cx"> 
</span><span class="cx"> ArrayStorage* JSObject::convertDoubleToArrayStorage(VM&amp; vm)
</span><span class="cx"> {
</span><del>-    return convertDoubleToArrayStorage(vm, structure()-&gt;suggestedArrayStorageTransition());
</del><ins>+    return convertDoubleToArrayStorage(vm, structure(vm)-&gt;suggestedArrayStorageTransition());
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> ArrayStorage* JSObject::convertContiguousToArrayStorage(VM&amp; vm, NonPropertyTransition transition, unsigned neededLength)
</span><span class="cx"> {
</span><span class="cx">     DeferGC deferGC(vm.heap);
</span><del>-    ASSERT(hasContiguous(structure()-&gt;indexingType()));
</del><ins>+    ASSERT(hasContiguous(indexingType()));
</ins><span class="cx">     
</span><span class="cx">     ArrayStorage* newStorage = constructConvertedArrayStorageWithoutCopyingElements(vm, neededLength);
</span><span class="cx">     for (unsigned i = m_butterfly-&gt;publicLength(); i--;) {
</span><span class="lines">@@ -889,7 +891,7 @@
</span><span class="cx">         newStorage-&gt;m_numValuesInVector++;
</span><span class="cx">     }
</span><span class="cx">     
</span><del>-    Structure* newStructure = Structure::nonPropertyTransition(vm, structure(), transition);
</del><ins>+    Structure* newStructure = Structure::nonPropertyTransition(vm, structure(vm), transition);
</ins><span class="cx">     setStructureAndButterfly(vm, newStructure, newStorage-&gt;butterfly());
</span><span class="cx">     return newStorage;
</span><span class="cx"> }
</span><span class="lines">@@ -901,7 +903,7 @@
</span><span class="cx"> 
</span><span class="cx"> ArrayStorage* JSObject::convertContiguousToArrayStorage(VM&amp; vm)
</span><span class="cx"> {
</span><del>-    return convertContiguousToArrayStorage(vm, structure()-&gt;suggestedArrayStorageTransition());
</del><ins>+    return convertContiguousToArrayStorage(vm, structure(vm)-&gt;suggestedArrayStorageTransition());
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void JSObject::convertUndecidedForValue(VM&amp; vm, JSValue value)
</span><span class="lines">@@ -975,9 +977,9 @@
</span><span class="cx"> {
</span><span class="cx">     ASSERT(inherits(info()));
</span><span class="cx">     
</span><del>-    switch (structure()-&gt;indexingType()) {
</del><ins>+    switch (indexingType()) {
</ins><span class="cx">     case ALL_BLANK_INDEXING_TYPES:
</span><del>-        if (UNLIKELY(indexingShouldBeSparse() || structure()-&gt;needsSlowPutIndexing()))
</del><ins>+        if (UNLIKELY(indexingShouldBeSparse() || structure(vm)-&gt;needsSlowPutIndexing()))
</ins><span class="cx">             return ContiguousJSValues();
</span><span class="cx">         return createInitialInt32(vm, 0);
</span><span class="cx">         
</span><span class="lines">@@ -999,9 +1001,9 @@
</span><span class="cx"> {
</span><span class="cx">     ASSERT(inherits(info()));
</span><span class="cx">     
</span><del>-    switch (structure()-&gt;indexingType()) {
</del><ins>+    switch (indexingType()) {
</ins><span class="cx">     case ALL_BLANK_INDEXING_TYPES:
</span><del>-        if (UNLIKELY(indexingShouldBeSparse() || structure()-&gt;needsSlowPutIndexing()))
</del><ins>+        if (UNLIKELY(indexingShouldBeSparse() || structure(vm)-&gt;needsSlowPutIndexing()))
</ins><span class="cx">             return ContiguousDoubles();
</span><span class="cx">         return createInitialDouble(vm, 0);
</span><span class="cx">         
</span><span class="lines">@@ -1025,9 +1027,9 @@
</span><span class="cx"> {
</span><span class="cx">     ASSERT(inherits(info()));
</span><span class="cx">     
</span><del>-    switch (structure()-&gt;indexingType()) {
</del><ins>+    switch (indexingType()) {
</ins><span class="cx">     case ALL_BLANK_INDEXING_TYPES:
</span><del>-        if (UNLIKELY(indexingShouldBeSparse() || structure()-&gt;needsSlowPutIndexing()))
</del><ins>+        if (UNLIKELY(indexingShouldBeSparse() || structure(vm)-&gt;needsSlowPutIndexing()))
</ins><span class="cx">             return ContiguousJSValues();
</span><span class="cx">         return createInitialContiguous(vm, 0);
</span><span class="cx">         
</span><span class="lines">@@ -1065,7 +1067,7 @@
</span><span class="cx"> {
</span><span class="cx">     ASSERT(inherits(info()));
</span><span class="cx">     
</span><del>-    switch (structure()-&gt;indexingType()) {
</del><ins>+    switch (indexingType()) {
</ins><span class="cx">     case ALL_BLANK_INDEXING_TYPES:
</span><span class="cx">         if (UNLIKELY(indexingShouldBeSparse()))
</span><span class="cx">             return ensureArrayStorageExistsAndEnterDictionaryIndexingMode(vm);
</span><span class="lines">@@ -1073,22 +1075,22 @@
</span><span class="cx">         
</span><span class="cx">     case ALL_UNDECIDED_INDEXING_TYPES:
</span><span class="cx">         ASSERT(!indexingShouldBeSparse());
</span><del>-        ASSERT(!structure()-&gt;needsSlowPutIndexing());
</del><ins>+        ASSERT(!structure(vm)-&gt;needsSlowPutIndexing());
</ins><span class="cx">         return convertUndecidedToArrayStorage(vm);
</span><span class="cx">         
</span><span class="cx">     case ALL_INT32_INDEXING_TYPES:
</span><span class="cx">         ASSERT(!indexingShouldBeSparse());
</span><del>-        ASSERT(!structure()-&gt;needsSlowPutIndexing());
</del><ins>+        ASSERT(!structure(vm)-&gt;needsSlowPutIndexing());
</ins><span class="cx">         return convertInt32ToArrayStorage(vm);
</span><span class="cx">         
</span><span class="cx">     case ALL_DOUBLE_INDEXING_TYPES:
</span><span class="cx">         ASSERT(!indexingShouldBeSparse());
</span><del>-        ASSERT(!structure()-&gt;needsSlowPutIndexing());
</del><ins>+        ASSERT(!structure(vm)-&gt;needsSlowPutIndexing());
</ins><span class="cx">         return convertDoubleToArrayStorage(vm);
</span><span class="cx">         
</span><span class="cx">     case ALL_CONTIGUOUS_INDEXING_TYPES:
</span><span class="cx">         ASSERT(!indexingShouldBeSparse());
</span><del>-        ASSERT(!structure()-&gt;needsSlowPutIndexing());
</del><ins>+        ASSERT(!structure(vm)-&gt;needsSlowPutIndexing());
</ins><span class="cx">         return convertContiguousToArrayStorage(vm);
</span><span class="cx">         
</span><span class="cx">     default:
</span><span class="lines">@@ -1099,7 +1101,7 @@
</span><span class="cx"> 
</span><span class="cx"> ArrayStorage* JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode(VM&amp; vm)
</span><span class="cx"> {
</span><del>-    switch (structure()-&gt;indexingType()) {
</del><ins>+    switch (indexingType()) {
</ins><span class="cx">     case ALL_BLANK_INDEXING_TYPES: {
</span><span class="cx">         createArrayStorage(vm, 0, 0);
</span><span class="cx">         SparseArrayValueMap* map = allocateSparseIndexMap(vm);
</span><span class="lines">@@ -1130,7 +1132,7 @@
</span><span class="cx"> 
</span><span class="cx"> void JSObject::switchToSlowPutArrayStorage(VM&amp; vm)
</span><span class="cx"> {
</span><del>-    switch (structure()-&gt;indexingType()) {
</del><ins>+    switch (indexingType()) {
</ins><span class="cx">     case ALL_UNDECIDED_INDEXING_TYPES:
</span><span class="cx">         convertUndecidedToArrayStorage(vm, AllocateSlowPutArrayStorage);
</span><span class="cx">         break;
</span><span class="lines">@@ -1149,7 +1151,7 @@
</span><span class="cx">         
</span><span class="cx">     case NonArrayWithArrayStorage:
</span><span class="cx">     case ArrayWithArrayStorage: {
</span><del>-        Structure* newStructure = Structure::nonPropertyTransition(vm, structure(), SwitchToSlowPutArrayStorage);
</del><ins>+        Structure* newStructure = Structure::nonPropertyTransition(vm, structure(vm), SwitchToSlowPutArrayStorage);
</ins><span class="cx">         setStructure(vm, newStructure);
</span><span class="cx">         break;
</span><span class="cx">     }
</span><span class="lines">@@ -1166,7 +1168,7 @@
</span><span class="cx">     if (prototype.isObject())
</span><span class="cx">         vm.prototypeMap.addPrototype(asObject(prototype));
</span><span class="cx">     
</span><del>-    Structure* newStructure = Structure::changePrototypeTransition(vm, structure(), prototype);
</del><ins>+    Structure* newStructure = Structure::changePrototypeTransition(vm, structure(vm), prototype);
</ins><span class="cx">     setStructure(vm, newStructure);
</span><span class="cx">     
</span><span class="cx">     if (!newStructure-&gt;anyObjectInChainMayInterceptIndexedAccesses())
</span><span class="lines">@@ -1177,10 +1179,10 @@
</span><span class="cx">         return;
</span><span class="cx">     }
</span><span class="cx">     
</span><del>-    if (!hasIndexedProperties(structure()-&gt;indexingType()))
</del><ins>+    if (!hasIndexedProperties(indexingType()))
</ins><span class="cx">         return;
</span><span class="cx">     
</span><del>-    if (shouldUseSlowPut(structure()-&gt;indexingType()))
</del><ins>+    if (shouldUseSlowPut(indexingType()))
</ins><span class="cx">         return;
</span><span class="cx">     
</span><span class="cx">     switchToSlowPutArrayStorage(vm);
</span><span class="lines">@@ -1188,7 +1190,7 @@
</span><span class="cx"> 
</span><span class="cx"> bool JSObject::setPrototypeWithCycleCheck(ExecState* exec, JSValue prototype)
</span><span class="cx"> {
</span><del>-    ASSERT(methodTable()-&gt;toThis(this, exec, NotStrictMode) == this);
</del><ins>+    ASSERT(methodTable(exec-&gt;vm())-&gt;toThis(this, exec, NotStrictMode) == this);
</ins><span class="cx">     JSValue nextPrototype = prototype;
</span><span class="cx">     while (nextPrototype &amp;&amp; nextPrototype.isObject()) {
</span><span class="cx">         if (nextPrototype == this)
</span><span class="lines">@@ -1227,12 +1229,13 @@
</span><span class="cx">     // getters and setters, though, we also need to change our Structure
</span><span class="cx">     // if we override an existing non-getter or non-setter.
</span><span class="cx">     if (slot.type() != PutPropertySlot::NewProperty)
</span><del>-        setStructure(vm, Structure::attributeChangeTransition(vm, structure(), propertyName, attributes));
</del><ins>+        setStructure(vm, Structure::attributeChangeTransition(vm, structure(vm), propertyName, attributes));
</ins><span class="cx"> 
</span><ins>+    Structure* structure = this-&gt;structure(vm);
</ins><span class="cx">     if (attributes &amp; ReadOnly)
</span><del>-        structure()-&gt;setContainsReadOnlyProperties();
</del><ins>+        structure-&gt;setContainsReadOnlyProperties();
</ins><span class="cx"> 
</span><del>-    structure()-&gt;setHasGetterSetterProperties(propertyName == vm.propertyNames-&gt;underscoreProto);
</del><ins>+    structure-&gt;setHasGetterSetterProperties(propertyName == vm.propertyNames-&gt;underscoreProto);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> bool JSObject::hasProperty(ExecState* exec, PropertyName propertyName) const
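Review bot: the new local Structure* structure is read after the conditional setStructure(vm, Structure::attributeChangeTransition(...)) call, and that ordering is what makes setContainsReadOnlyProperties and setHasGetterSetterProperties apply to the structure the object ends up with rather than the one just replaced. Add a one-line comment stating this so a later cleanup does not hoist the local to the top of the function.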
</span><span class="lines">@@ -1254,24 +1257,25 @@
</span><span class="cx">     
</span><span class="cx">     unsigned i = propertyName.asIndex();
</span><span class="cx">     if (i != PropertyName::NotAnIndex)
</span><del>-        return thisObject-&gt;methodTable()-&gt;deletePropertyByIndex(thisObject, exec, i);
</del><ins>+        return thisObject-&gt;methodTable(exec-&gt;vm())-&gt;deletePropertyByIndex(thisObject, exec, i);
</ins><span class="cx"> 
</span><span class="cx">     if (!thisObject-&gt;staticFunctionsReified())
</span><span class="cx">         thisObject-&gt;reifyStaticFunctionsForDelete(exec);
</span><span class="cx"> 
</span><span class="cx">     unsigned attributes;
</span><span class="cx">     JSCell* specificValue;
</span><del>-    if (isValidOffset(thisObject-&gt;structure()-&gt;get(exec-&gt;vm(), propertyName, attributes, specificValue))) {
-        if (attributes &amp; DontDelete &amp;&amp; !exec-&gt;vm().isInDefineOwnProperty())
</del><ins>+    VM&amp; vm = exec-&gt;vm();
+    if (isValidOffset(thisObject-&gt;structure(vm)-&gt;get(vm, propertyName, attributes, specificValue))) {
+        if (attributes &amp; DontDelete &amp;&amp; !vm.isInDefineOwnProperty())
</ins><span class="cx">             return false;
</span><del>-        thisObject-&gt;removeDirect(exec-&gt;vm(), propertyName);
</del><ins>+        thisObject-&gt;removeDirect(vm, propertyName);
</ins><span class="cx">         return true;
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     // Look in the static hashtable of properties
</span><span class="cx">     const HashEntry* entry = thisObject-&gt;findPropertyHashEntry(exec, propertyName);
</span><span class="cx">     if (entry) {
</span><del>-        if (entry-&gt;attributes() &amp; DontDelete &amp;&amp; !exec-&gt;vm().isInDefineOwnProperty())
</del><ins>+        if (entry-&gt;attributes() &amp; DontDelete &amp;&amp; !vm.isInDefineOwnProperty())
</ins><span class="cx">             return false; // this builtin property can't be deleted
</span><span class="cx"> 
</span><span class="cx">         PutPropertySlot slot(thisObject);
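Review bot: VM&amp; vm is declared only after the early return for indexed names, so methodTable(exec-&gt;vm())-&gt;deletePropertyByIndex at the top of this hunk still fetches the VM from exec on its own. Move the declaration above the propertyName.asIndex() check and pass vm to that call as well, matching how hasInstance is converted later in this patch.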
</span><span class="lines">@@ -1284,7 +1288,7 @@
</span><span class="cx"> bool JSObject::hasOwnProperty(ExecState* exec, PropertyName propertyName) const
</span><span class="cx"> {
</span><span class="cx">     PropertySlot slot(this);
</span><del>-    return const_cast&lt;JSObject*&gt;(this)-&gt;methodTable()-&gt;getOwnPropertySlot(const_cast&lt;JSObject*&gt;(this), exec, propertyName, slot);
</del><ins>+    return const_cast&lt;JSObject*&gt;(this)-&gt;methodTable(exec-&gt;vm())-&gt;getOwnPropertySlot(const_cast&lt;JSObject*&gt;(this), exec, propertyName, slot);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> bool JSObject::deletePropertyByIndex(JSCell* cell, ExecState* exec, unsigned i)
</span><span class="lines">@@ -1292,9 +1296,9 @@
</span><span class="cx">     JSObject* thisObject = jsCast&lt;JSObject*&gt;(cell);
</span><span class="cx">     
</span><span class="cx">     if (i &gt; MAX_ARRAY_INDEX)
</span><del>-        return thisObject-&gt;methodTable()-&gt;deleteProperty(thisObject, exec, Identifier::from(exec, i));
</del><ins>+        return thisObject-&gt;methodTable(exec-&gt;vm())-&gt;deleteProperty(thisObject, exec, Identifier::from(exec, i));
</ins><span class="cx">     
</span><del>-    switch (thisObject-&gt;structure()-&gt;indexingType()) {
</del><ins>+    switch (thisObject-&gt;indexingType()) {
</ins><span class="cx">     case ALL_BLANK_INDEXING_TYPES:
</span><span class="cx">     case ALL_UNDECIDED_INDEXING_TYPES:
</span><span class="cx">         return true;
</span><span class="lines">@@ -1367,7 +1371,7 @@
</span><span class="cx"> 
</span><span class="cx"> bool JSObject::getPrimitiveNumber(ExecState* exec, double&amp; number, JSValue&amp; result) const
</span><span class="cx"> {
</span><del>-    result = methodTable()-&gt;defaultValue(this, exec, PreferNumber);
</del><ins>+    result = methodTable(exec-&gt;vm())-&gt;defaultValue(this, exec, PreferNumber);
</ins><span class="cx">     number = result.toNumber(exec);
</span><span class="cx">     return !result.isString();
</span><span class="cx"> }
</span><span class="lines">@@ -1410,12 +1414,13 @@
</span><span class="cx"> 
</span><span class="cx"> bool JSObject::hasInstance(ExecState* exec, JSValue value)
</span><span class="cx"> {
</span><del>-    TypeInfo info = structure()-&gt;typeInfo();
</del><ins>+    VM&amp; vm = exec-&gt;vm();
+    TypeInfo info = structure(vm)-&gt;typeInfo();
</ins><span class="cx">     if (info.implementsDefaultHasInstance())
</span><span class="cx">         return defaultHasInstance(exec, value, get(exec, exec-&gt;propertyNames().prototype));
</span><span class="cx">     if (info.implementsHasInstance())
</span><del>-        return methodTable()-&gt;customHasInstance(this, exec, value);
-    exec-&gt;vm().throwException(exec, createInvalidParameterError(exec, &quot;instanceof&quot; , this));
</del><ins>+        return methodTable(vm)-&gt;customHasInstance(this, exec, value);
+    vm.throwException(exec, createInvalidParameterError(exec, &quot;instanceof&quot; , this));
</ins><span class="cx">     return false;
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="lines">@@ -1439,8 +1444,9 @@
</span><span class="cx"> 
</span><span class="cx"> bool JSObject::getPropertySpecificValue(ExecState* exec, PropertyName propertyName, JSCell*&amp; specificValue) const
</span><span class="cx"> {
</span><ins>+    VM&amp; vm = exec-&gt;vm();
</ins><span class="cx">     unsigned attributes;
</span><del>-    if (isValidOffset(structure()-&gt;get(exec-&gt;vm(), propertyName, attributes, specificValue)))
</del><ins>+    if (isValidOffset(structure(vm)-&gt;get(vm, propertyName, attributes, specificValue)))
</ins><span class="cx">         return true;
</span><span class="cx"> 
</span><span class="cx">     // This could be a function within the static table? - should probably
</span><span class="lines">@@ -1453,18 +1459,19 @@
</span><span class="cx"> void JSObject::getPropertyNames(JSObject* object, ExecState* exec, PropertyNameArray&amp; propertyNames, EnumerationMode mode)
</span><span class="cx"> {
</span><span class="cx">     propertyNames.setBaseObject(object);
</span><del>-    object-&gt;methodTable()-&gt;getOwnPropertyNames(object, exec, propertyNames, mode);
</del><ins>+    object-&gt;methodTable(exec-&gt;vm())-&gt;getOwnPropertyNames(object, exec, propertyNames, mode);
</ins><span class="cx"> 
</span><span class="cx">     if (object-&gt;prototype().isNull())
</span><span class="cx">         return;
</span><span class="cx"> 
</span><ins>+    VM&amp; vm = exec-&gt;vm();
</ins><span class="cx">     JSObject* prototype = asObject(object-&gt;prototype());
</span><span class="cx">     while(1) {
</span><del>-        if (prototype-&gt;structure()-&gt;typeInfo().overridesGetPropertyNames()) {
-            prototype-&gt;methodTable()-&gt;getPropertyNames(prototype, exec, propertyNames, mode);
</del><ins>+        if (prototype-&gt;structure(vm)-&gt;typeInfo().overridesGetPropertyNames()) {
+            prototype-&gt;methodTable(vm)-&gt;getPropertyNames(prototype, exec, propertyNames, mode);
</ins><span class="cx">             break;
</span><span class="cx">         }
</span><del>-        prototype-&gt;methodTable()-&gt;getOwnPropertyNames(prototype, exec, propertyNames, mode);
</del><ins>+        prototype-&gt;methodTable(vm)-&gt;getOwnPropertyNames(prototype, exec, propertyNames, mode);
</ins><span class="cx">         JSValue nextProto = prototype-&gt;prototype();
</span><span class="cx">         if (nextProto.isNull())
</span><span class="cx">             break;
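Review bot: In getPropertyNames the first call, object-&gt;methodTable(exec-&gt;vm()), fetches the VM from exec, while VM&amp; vm = exec-&gt;vm(); is only declared further down, after the null-prototype early return.
Declare vm at the top of the function and use methodTable(vm) for the first call as well, so the VM is read once and the call matches the loop below it.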
</span><span class="lines">@@ -1478,7 +1485,7 @@
</span><span class="cx">     // FIXME: Filling PropertyNameArray with an identifier for every integer
</span><span class="cx">     // is incredibly inefficient for large arrays. We need a different approach,
</span><span class="cx">     // which almost certainly means a different structure for PropertyNameArray.
</span><del>-    switch (object-&gt;structure()-&gt;indexingType()) {
</del><ins>+    switch (object-&gt;indexingType()) {
</ins><span class="cx">     case ALL_BLANK_INDEXING_TYPES:
</span><span class="cx">     case ALL_UNDECIDED_INDEXING_TYPES:
</span><span class="cx">         break;
</span><span class="lines">@@ -1537,15 +1544,16 @@
</span><span class="cx">         RELEASE_ASSERT_NOT_REACHED();
</span><span class="cx">     }
</span><span class="cx">     
</span><del>-    object-&gt;methodTable()-&gt;getOwnNonIndexPropertyNames(object, exec, propertyNames, mode);
</del><ins>+    object-&gt;methodTable(exec-&gt;vm())-&gt;getOwnNonIndexPropertyNames(object, exec, propertyNames, mode);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void JSObject::getOwnNonIndexPropertyNames(JSObject* object, ExecState* exec, PropertyNameArray&amp; propertyNames, EnumerationMode mode)
</span><span class="cx"> {
</span><span class="cx">     getClassPropertyNames(exec, object-&gt;classInfo(), propertyNames, mode, object-&gt;staticFunctionsReified());
</span><span class="cx"> 
</span><ins>+    VM&amp; vm = exec-&gt;vm();
</ins><span class="cx">     bool canCachePropertiesFromStructure = !propertyNames.size();
</span><del>-    object-&gt;structure()-&gt;getPropertyNamesFromStructure(exec-&gt;vm(), propertyNames, mode);
</del><ins>+    object-&gt;structure(vm)-&gt;getPropertyNamesFromStructure(vm, propertyNames, mode);
</ins><span class="cx"> 
</span><span class="cx">     if (canCachePropertiesFromStructure)
</span><span class="cx">         propertyNames.setNumCacheableSlotsForObject(object, propertyNames.size());
</span><span class="lines">@@ -1577,7 +1585,7 @@
</span><span class="cx">     if (isSealed(vm))
</span><span class="cx">         return;
</span><span class="cx">     preventExtensions(vm);
</span><del>-    setStructure(vm, Structure::sealTransition(vm, structure()));
</del><ins>+    setStructure(vm, Structure::sealTransition(vm, structure(vm)));
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void JSObject::freeze(VM&amp; vm)
</span><span class="lines">@@ -1585,14 +1593,14 @@
</span><span class="cx">     if (isFrozen(vm))
</span><span class="cx">         return;
</span><span class="cx">     preventExtensions(vm);
</span><del>-    setStructure(vm, Structure::freezeTransition(vm, structure()));
</del><ins>+    setStructure(vm, Structure::freezeTransition(vm, structure(vm)));
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void JSObject::preventExtensions(VM&amp; vm)
</span><span class="cx"> {
</span><span class="cx">     enterDictionaryIndexingMode(vm);
</span><span class="cx">     if (isExtensible())
</span><del>-        setStructure(vm, Structure::preventExtensionsTransition(vm, structure()));
</del><ins>+        setStructure(vm, Structure::preventExtensionsTransition(vm, structure(vm)));
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> // This presently will flatten to an uncachable dictionary; this is suitable
</span><span class="lines">@@ -1605,12 +1613,12 @@
</span><span class="cx">     // If this object's ClassInfo has no static properties, then nothing to reify!
</span><span class="cx">     // We can safely set the flag to avoid the expensive check again in the future.
</span><span class="cx">     if (!classInfo()-&gt;hasStaticProperties()) {
</span><del>-        structure()-&gt;setStaticFunctionsReified();
</del><ins>+        structure(vm)-&gt;setStaticFunctionsReified();
</ins><span class="cx">         return;
</span><span class="cx">     }
</span><span class="cx"> 
</span><del>-    if (!structure()-&gt;isUncacheableDictionary())
-        setStructure(vm, Structure::toUncacheableDictionaryTransition(vm, structure()));
</del><ins>+    if (!structure(vm)-&gt;isUncacheableDictionary())
+        setStructure(vm, Structure::toUncacheableDictionaryTransition(vm, structure(vm)));
</ins><span class="cx"> 
</span><span class="cx">     for (const ClassInfo* info = classInfo(); info; info = info-&gt;parentClass) {
</span><span class="cx">         const HashTable* hashTable = info-&gt;propHashTable(globalObject()-&gt;globalExec());
</span><span class="lines">@@ -1623,24 +1631,25 @@
</span><span class="cx">         }
</span><span class="cx">     }
</span><span class="cx"> 
</span><del>-    structure()-&gt;setStaticFunctionsReified();
</del><ins>+    structure(vm)-&gt;setStaticFunctionsReified();
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> bool JSObject::removeDirect(VM&amp; vm, PropertyName propertyName)
</span><span class="cx"> {
</span><del>-    if (!isValidOffset(structure()-&gt;get(vm, propertyName)))
</del><ins>+    Structure* structure = this-&gt;structure(vm);
+    if (!isValidOffset(structure-&gt;get(vm, propertyName)))
</ins><span class="cx">         return false;
</span><span class="cx"> 
</span><span class="cx">     PropertyOffset offset;
</span><del>-    if (structure()-&gt;isUncacheableDictionary()) {
-        offset = structure()-&gt;removePropertyWithoutTransition(vm, propertyName);
</del><ins>+    if (structure-&gt;isUncacheableDictionary()) {
+        offset = structure-&gt;removePropertyWithoutTransition(vm, propertyName);
</ins><span class="cx">         if (offset == invalidOffset)
</span><span class="cx">             return false;
</span><span class="cx">         putDirectUndefined(offset);
</span><span class="cx">         return true;
</span><span class="cx">     }
</span><span class="cx"> 
</span><del>-    setStructure(vm, Structure::removePropertyTransition(vm, structure(), propertyName, offset));
</del><ins>+    setStructure(vm, Structure::removePropertyTransition(vm, structure, propertyName, offset));
</ins><span class="cx">     if (offset == invalidOffset)
</span><span class="cx">         return false;
</span><span class="cx">     putDirectUndefined(offset);
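Review bot: The new local Structure* structure in removeDirect shadows the structure() accessor, and after setStructure(vm, ...) on the non-dictionary path it still points at the pre-transition structure.
Nothing visible in this hunk reads it after that call, but a distinct name (for example oldStructure, a hypothetical name) would keep a later edit from picking up the stale pointer by accident.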
</span><span class="lines">@@ -1869,7 +1878,7 @@
</span><span class="cx"> template&lt;IndexingType indexingShape&gt;
</span><span class="cx"> void JSObject::putByIndexBeyondVectorLengthWithoutAttributes(ExecState* exec, unsigned i, JSValue value)
</span><span class="cx"> {
</span><del>-    ASSERT((structure()-&gt;indexingType() &amp; IndexingShapeMask) == indexingShape);
</del><ins>+    ASSERT((indexingType() &amp; IndexingShapeMask) == indexingShape);
</ins><span class="cx">     ASSERT(!indexingShouldBeSparse());
</span><span class="cx">     
</span><span class="cx">     // For us to get here, the index is either greater than the public length, or greater than
</span><span class="lines">@@ -1998,7 +2007,7 @@
</span><span class="cx">     // i should be a valid array index that is outside of the current vector.
</span><span class="cx">     ASSERT(i &lt;= MAX_ARRAY_INDEX);
</span><span class="cx">     
</span><del>-    switch (structure()-&gt;indexingType()) {
</del><ins>+    switch (indexingType()) {
</ins><span class="cx">     case ALL_BLANK_INDEXING_TYPES: {
</span><span class="cx">         if (indexingShouldBeSparse()) {
</span><span class="cx">             putByIndexBeyondVectorLengthWithArrayStorage(
</span><span class="lines">@@ -2011,7 +2020,7 @@
</span><span class="cx">                 exec, i, value, shouldThrow, createArrayStorage(vm, 0, 0));
</span><span class="cx">             break;
</span><span class="cx">         }
</span><del>-        if (structure()-&gt;needsSlowPutIndexing()) {
</del><ins>+        if (structure(exec-&gt;vm())-&gt;needsSlowPutIndexing()) {
</ins><span class="cx">             ArrayStorage* storage = createArrayStorage(vm, i + 1, getNewVectorLength(0, 0, i + 1));
</span><span class="cx">             storage-&gt;m_vector[i].set(vm, this, value);
</span><span class="cx">             storage-&gt;m_numValuesInVector++;
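Review bot: structure(exec-&gt;vm())-&gt;needsSlowPutIndexing() re-derives the VM although a local vm is already in scope, as the neighbouring createArrayStorage(vm, ...) calls show.
Use structure(vm) here, consistent with the functions in this patch that cache the VM once.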
</span><span class="lines">@@ -2066,7 +2075,7 @@
</span><span class="cx">     VM&amp; vm = exec-&gt;vm();
</span><span class="cx">     
</span><span class="cx">     // i should be a valid array index that is outside of the current vector.
</span><del>-    ASSERT(hasArrayStorage(structure()-&gt;indexingType()));
</del><ins>+    ASSERT(hasArrayStorage(indexingType()));
</ins><span class="cx">     ASSERT(arrayStorage() == storage);
</span><span class="cx">     ASSERT(i &gt;= storage-&gt;vectorLength() || attributes);
</span><span class="cx">     ASSERT(i &lt;= MAX_ARRAY_INDEX);
</span><span class="lines">@@ -2148,7 +2157,7 @@
</span><span class="cx">     if (attributes &amp; (ReadOnly | Accessor))
</span><span class="cx">         notifyPresenceOfIndexedAccessors(vm);
</span><span class="cx">     
</span><del>-    switch (structure()-&gt;indexingType()) {
</del><ins>+    switch (indexingType()) {
</ins><span class="cx">     case ALL_BLANK_INDEXING_TYPES: {
</span><span class="cx">         if (indexingShouldBeSparse() || attributes) {
</span><span class="cx">             return putDirectIndexBeyondVectorLengthWithArrayStorage(
</span><span class="lines">@@ -2159,7 +2168,7 @@
</span><span class="cx">             return putDirectIndexBeyondVectorLengthWithArrayStorage(
</span><span class="cx">                 exec, i, value, attributes, mode, createArrayStorage(vm, 0, 0));
</span><span class="cx">         }
</span><del>-        if (structure()-&gt;needsSlowPutIndexing()) {
</del><ins>+        if (structure(exec-&gt;vm())-&gt;needsSlowPutIndexing()) {
</ins><span class="cx">             ArrayStorage* storage = createArrayStorage(vm, i + 1, getNewVectorLength(0, 0, i + 1));
</span><span class="cx">             storage-&gt;m_vector[i].set(vm, this, value);
</span><span class="cx">             storage-&gt;m_numValuesInVector++;
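Review bot: The vm local passed to createArrayStorage(vm, 0, 0) just above is in scope at the needsSlowPutIndexing check, so structure(exec-&gt;vm()) can be written structure(vm).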
</span><span class="lines">@@ -2282,7 +2291,7 @@
</span><span class="cx">     unsigned vectorLength;
</span><span class="cx">     unsigned length;
</span><span class="cx">     
</span><del>-    if (hasIndexedProperties(structure()-&gt;indexingType())) {
</del><ins>+    if (hasIndexedProperties(indexingType())) {
</ins><span class="cx">         vectorLength = m_butterfly-&gt;vectorLength();
</span><span class="cx">         length = m_butterfly-&gt;publicLength();
</span><span class="cx">     } else {
</span><span class="lines">@@ -2321,7 +2330,7 @@
</span><span class="cx"> 
</span><span class="cx"> unsigned JSObject::countElements()
</span><span class="cx"> {
</span><del>-    switch (structure()-&gt;indexingType()) {
</del><ins>+    switch (indexingType()) {
</ins><span class="cx">     case ALL_BLANK_INDEXING_TYPES:
</span><span class="cx">     case ALL_UNDECIDED_INDEXING_TYPES:
</span><span class="cx">         return 0;
</span><span class="lines">@@ -2360,10 +2369,11 @@
</span><span class="cx">     unsigned newVectorLength = getNewVectorLength(newLength);
</span><span class="cx"> 
</span><span class="cx">     // Fast case - there is no precapacity. In these cases a realloc makes sense.
</span><ins>+    Structure* structure = this-&gt;structure(vm);
</ins><span class="cx">     if (LIKELY(!indexBias)) {
</span><span class="cx">         DeferGC deferGC(vm.heap);
</span><span class="cx">         Butterfly* newButterfly = storage-&gt;butterfly()-&gt;growArrayRight(
</span><del>-            vm, this, structure(), structure()-&gt;outOfLineCapacity(), true,
</del><ins>+            vm, this, structure, structure-&gt;outOfLineCapacity(), true,
</ins><span class="cx">             ArrayStorage::sizeFor(vectorLength), ArrayStorage::sizeFor(newVectorLength));
</span><span class="cx">         if (!newButterfly)
</span><span class="cx">             return false;
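Review bot: The added Structure* structure = this-&gt;structure(vm); sits between the "Fast case" comment and the if (LIKELY(!indexBias)) branch that the comment describes.
Move the declaration above the comment so the comment stays attached to its branch; that placement also makes it clearer that the local is shared with the resizeArray call on the slow path.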
</span><span class="lines">@@ -2377,7 +2387,7 @@
</span><span class="cx">     unsigned newIndexBias = std::min(indexBias &gt;&gt; 1, MAX_STORAGE_VECTOR_LENGTH - newVectorLength);
</span><span class="cx">     Butterfly* newButterfly = storage-&gt;butterfly()-&gt;resizeArray(
</span><span class="cx">         vm, this,
</span><del>-        structure()-&gt;outOfLineCapacity(), true, ArrayStorage::sizeFor(vectorLength),
</del><ins>+        structure-&gt;outOfLineCapacity(), true, ArrayStorage::sizeFor(vectorLength),
</ins><span class="cx">         newIndexBias, true, ArrayStorage::sizeFor(newVectorLength));
</span><span class="cx">     if (!newButterfly)
</span><span class="cx">         return false;
</span><span class="lines">@@ -2390,7 +2400,7 @@
</span><span class="cx"> void JSObject::ensureLengthSlow(VM&amp; vm, unsigned length)
</span><span class="cx"> {
</span><span class="cx">     ASSERT(length &lt; MAX_ARRAY_INDEX);
</span><del>-    ASSERT(hasContiguous(structure()-&gt;indexingType()) || hasInt32(structure()-&gt;indexingType()) || hasDouble(structure()-&gt;indexingType()) || hasUndecided(structure()-&gt;indexingType()));
</del><ins>+    ASSERT(hasContiguous(indexingType()) || hasInt32(indexingType()) || hasDouble(indexingType()) || hasUndecided(indexingType()));
</ins><span class="cx">     ASSERT(length &gt; m_butterfly-&gt;vectorLength());
</span><span class="cx">     
</span><span class="cx">     unsigned newVectorLength = std::min(
</span><span class="lines">@@ -2405,7 +2415,7 @@
</span><span class="cx"> 
</span><span class="cx">     m_butterfly-&gt;setVectorLength(newVectorLength);
</span><span class="cx"> 
</span><del>-    if (hasDouble(structure()-&gt;indexingType())) {
</del><ins>+    if (hasDouble(indexingType())) {
</ins><span class="cx">         for (unsigned i = oldVectorLength; i &lt; newVectorLength; ++i)
</span><span class="cx">             m_butterfly-&gt;contiguousDouble().data()[i] = QNaN;
</span><span class="cx">     }
</span><span class="lines">@@ -2418,16 +2428,16 @@
</span><span class="cx">     // It's important that this function not rely on structure(), for the property
</span><span class="cx">     // capacity, since we might have already mutated the structure in-place.
</span><span class="cx">     
</span><del>-    return m_butterfly-&gt;growPropertyStorage(vm, this, structure(), oldSize, newSize);
</del><ins>+    return m_butterfly-&gt;growPropertyStorage(vm, this, structure(vm), oldSize, newSize);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> bool JSObject::getOwnPropertyDescriptor(ExecState* exec, PropertyName propertyName, PropertyDescriptor&amp; descriptor)
</span><span class="cx"> {
</span><span class="cx">     JSC::PropertySlot slot(this);
</span><del>-    if (!methodTable()-&gt;getOwnPropertySlot(this, exec, propertyName, slot))
</del><ins>+    if (!methodTable(exec-&gt;vm())-&gt;getOwnPropertySlot(this, exec, propertyName, slot))
</ins><span class="cx">         return false;
</span><span class="cx">     /* Workaround, JSDOMWindow::getOwnPropertySlot searches the prototype chain. :-( */
</span><del>-    if (slot.slotBase() != this &amp;&amp; slot.slotBase() &amp;&amp; slot.slotBase()-&gt;methodTable()-&gt;toThis(slot.slotBase(), exec, NotStrictMode) != this)
</del><ins>+    if (slot.slotBase() != this &amp;&amp; slot.slotBase() &amp;&amp; slot.slotBase()-&gt;methodTable(exec-&gt;vm())-&gt;toThis(slot.slotBase(), exec, NotStrictMode) != this)
</ins><span class="cx">         return false;
</span><span class="cx">     if (slot.isAccessor())
</span><span class="cx">         descriptor.setAccessorDescriptor(slot.getterSetter(), slot.attributes());
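Review bot: The comment above the growPropertyStorage call still says the function must not rely on structure() for the property capacity, while the changed line now passes structure(vm).
Reword the comment to name the accessor as it is now spelled and to state which use is safe (handing the structure through versus reading its capacity), so the new call is not mistaken for a violation of it.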
</span><span class="lines">@@ -2458,7 +2468,7 @@
</span><span class="cx">             newValue = oldDescriptor.value();
</span><span class="cx">         target-&gt;putDirect(vm, propertyName, newValue, attributes &amp; ~Accessor);
</span><span class="cx">         if (attributes &amp; ReadOnly)
</span><del>-            target-&gt;structure()-&gt;setContainsReadOnlyProperties();
</del><ins>+            target-&gt;structure(vm)-&gt;setContainsReadOnlyProperties();
</ins><span class="cx">         return true;
</span><span class="cx">     }
</span><span class="cx">     attributes &amp;= ~ReadOnly;
</span><span class="lines">@@ -2548,7 +2558,7 @@
</span><span class="cx">     // A generic descriptor is simply changing the attributes of an existing property
</span><span class="cx">     if (descriptor.isGenericDescriptor()) {
</span><span class="cx">         if (!current.attributesEqual(descriptor)) {
</span><del>-            methodTable()-&gt;deleteProperty(this, exec, propertyName);
</del><ins>+            methodTable(exec-&gt;vm())-&gt;deleteProperty(this, exec, propertyName);
</ins><span class="cx">             return putDescriptor(exec, this, propertyName, descriptor, descriptor.attributesOverridingCurrent(current), current);
</span><span class="cx">         }
</span><span class="cx">         return true;
</span><span class="lines">@@ -2561,7 +2571,7 @@
</span><span class="cx">                 exec-&gt;vm().throwException(exec, createTypeError(exec, ASCIILiteral(&quot;Attempting to change access mechanism for an unconfigurable property.&quot;)));
</span><span class="cx">             return false;
</span><span class="cx">         }
</span><del>-        methodTable()-&gt;deleteProperty(this, exec, propertyName);
</del><ins>+        methodTable(exec-&gt;vm())-&gt;deleteProperty(this, exec, propertyName);
</ins><span class="cx">         return putDescriptor(exec, this, propertyName, descriptor, descriptor.attributesOverridingCurrent(current), current);
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="lines">@@ -2583,7 +2593,7 @@
</span><span class="cx">         }
</span><span class="cx">         if (current.attributesEqual(descriptor) &amp;&amp; !descriptor.value())
</span><span class="cx">             return true;
</span><del>-        methodTable()-&gt;deleteProperty(this, exec, propertyName);
</del><ins>+        methodTable(exec-&gt;vm())-&gt;deleteProperty(this, exec, propertyName);
</ins><span class="cx">         return putDescriptor(exec, this, propertyName, descriptor, descriptor.attributesOverridingCurrent(current), current);
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="lines">@@ -2611,7 +2621,7 @@
</span><span class="cx">         getterSetter-&gt;setGetter(exec-&gt;vm(), descriptor.getterObject());
</span><span class="cx">     if (current.attributesEqual(descriptor))
</span><span class="cx">         return true;
</span><del>-    methodTable()-&gt;deleteProperty(this, exec, propertyName);
</del><ins>+    methodTable(exec-&gt;vm())-&gt;deleteProperty(this, exec, propertyName);
</ins><span class="cx">     unsigned attrs = descriptor.attributesOverridingCurrent(current);
</span><span class="cx">     putDirectAccessor(exec, propertyName, getterSetter, attrs | Accessor);
</span><span class="cx">     return true;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSObjecth"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSObject.h (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSObject.h        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/runtime/JSObject.h        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -50,7 +50,7 @@
</span><span class="cx"> 
</span><span class="cx"> inline JSCell* getJSFunction(JSValue value)
</span><span class="cx"> {
</span><del>-    if (value.isCell() &amp;&amp; (value.asCell()-&gt;structure()-&gt;typeInfo().type() == JSFunctionType))
</del><ins>+    if (value.isCell() &amp;&amp; (value.asCell()-&gt;type() == JSFunctionType))
</ins><span class="cx">         return value.asCell();
</span><span class="cx">     return 0;
</span><span class="cx"> }
</span><span class="lines">@@ -135,14 +135,14 @@
</span><span class="cx"> 
</span><span class="cx">     unsigned getArrayLength() const
</span><span class="cx">     {
</span><del>-        if (!hasIndexedProperties(structure()-&gt;indexingType()))
</del><ins>+        if (!hasIndexedProperties(indexingType()))
</ins><span class="cx">             return 0;
</span><span class="cx">         return m_butterfly-&gt;publicLength();
</span><span class="cx">     }
</span><span class="cx">         
</span><span class="cx">     unsigned getVectorLength()
</span><span class="cx">     {
</span><del>-        if (!hasIndexedProperties(structure()-&gt;indexingType()))
</del><ins>+        if (!hasIndexedProperties(indexingType()))
</ins><span class="cx">             return 0;
</span><span class="cx">         return m_butterfly-&gt;vectorLength();
</span><span class="cx">     }
</span><span class="lines">@@ -156,7 +156,7 @@
</span><span class="cx">             setIndexQuickly(exec-&gt;vm(), propertyName, value);
</span><span class="cx">             return;
</span><span class="cx">         }
</span><del>-        methodTable()-&gt;putByIndex(this, exec, propertyName, value, shouldThrow);
</del><ins>+        methodTable(exec-&gt;vm())-&gt;putByIndex(this, exec, propertyName, value, shouldThrow);
</ins><span class="cx">     }
</span><span class="cx">         
</span><span class="cx">     // This is similar to the putDirect* methods:
</span><span class="lines">@@ -187,7 +187,7 @@
</span><span class="cx">     
</span><span class="cx">     bool canGetIndexQuickly(unsigned i)
</span><span class="cx">     {
</span><del>-        switch (structure()-&gt;indexingType()) {
</del><ins>+        switch (indexingType()) {
</ins><span class="cx">         case ALL_BLANK_INDEXING_TYPES:
</span><span class="cx">         case ALL_UNDECIDED_INDEXING_TYPES:
</span><span class="cx">             return false;
</span><span class="lines">@@ -212,7 +212,7 @@
</span><span class="cx">         
</span><span class="cx">     JSValue getIndexQuickly(unsigned i)
</span><span class="cx">     {
</span><del>-        switch (structure()-&gt;indexingType()) {
</del><ins>+        switch (indexingType()) {
</ins><span class="cx">         case ALL_INT32_INDEXING_TYPES:
</span><span class="cx">             return jsNumber(m_butterfly-&gt;contiguous()[i].get().asInt32());
</span><span class="cx">         case ALL_CONTIGUOUS_INDEXING_TYPES:
</span><span class="lines">@@ -229,7 +229,7 @@
</span><span class="cx">         
</span><span class="cx">     JSValue tryGetIndexQuickly(unsigned i)
</span><span class="cx">     {
</span><del>-        switch (structure()-&gt;indexingType()) {
</del><ins>+        switch (indexingType()) {
</ins><span class="cx">         case ALL_BLANK_INDEXING_TYPES:
</span><span class="cx">         case ALL_UNDECIDED_INDEXING_TYPES:
</span><span class="cx">             break;
</span><span class="lines">@@ -268,7 +268,7 @@
</span><span class="cx">         if (JSValue result = tryGetIndexQuickly(i))
</span><span class="cx">             return result;
</span><span class="cx">         PropertySlot slot(this);
</span><del>-        if (methodTable()-&gt;getOwnPropertySlotByIndex(this, exec, i, slot))
</del><ins>+        if (methodTable(exec-&gt;vm())-&gt;getOwnPropertySlotByIndex(this, exec, i, slot))
</ins><span class="cx">             return slot.getValue(exec, i);
</span><span class="cx">         return JSValue();
</span><span class="cx">     }
</span><span class="lines">@@ -282,7 +282,7 @@
</span><span class="cx">         
</span><span class="cx">     bool canSetIndexQuickly(unsigned i)
</span><span class="cx">     {
</span><del>-        switch (structure()-&gt;indexingType()) {
</del><ins>+        switch (indexingType()) {
</ins><span class="cx">         case ALL_BLANK_INDEXING_TYPES:
</span><span class="cx">         case ALL_UNDECIDED_INDEXING_TYPES:
</span><span class="cx">             return false;
</span><span class="lines">@@ -304,7 +304,7 @@
</span><span class="cx">         
</span><span class="cx">     bool canSetIndexQuicklyForPutDirect(unsigned i)
</span><span class="cx">     {
</span><del>-        switch (structure()-&gt;indexingType()) {
</del><ins>+        switch (indexingType()) {
</ins><span class="cx">         case ALL_BLANK_INDEXING_TYPES:
</span><span class="cx">         case ALL_UNDECIDED_INDEXING_TYPES:
</span><span class="cx">             return false;
</span><span class="lines">@@ -321,7 +321,7 @@
</span><span class="cx">         
</span><span class="cx">     void setIndexQuickly(VM&amp; vm, unsigned i, JSValue v)
</span><span class="cx">     {
</span><del>-        switch (structure()-&gt;indexingType()) {
</del><ins>+        switch (indexingType()) {
</ins><span class="cx">         case ALL_INT32_INDEXING_TYPES: {
</span><span class="cx">             ASSERT(i &lt; m_butterfly-&gt;vectorLength());
</span><span class="cx">             if (!v.isInt32()) {
</span><span class="lines">@@ -372,7 +372,7 @@
</span><span class="cx">         
</span><span class="cx">     void initializeIndex(VM&amp; vm, unsigned i, JSValue v)
</span><span class="cx">     {
</span><del>-        switch (structure()-&gt;indexingType()) {
</del><ins>+        switch (indexingType()) {
</ins><span class="cx">         case ALL_UNDECIDED_INDEXING_TYPES: {
</span><span class="cx">             setIndexQuicklyToUndecided(vm, i, v);
</span><span class="cx">             break;
</span><span class="lines">@@ -421,7 +421,7 @@
</span><span class="cx">         
</span><span class="cx">     bool hasSparseMap()
</span><span class="cx">     {
</span><del>-        switch (structure()-&gt;indexingType()) {
</del><ins>+        switch (indexingType()) {
</ins><span class="cx">         case ALL_BLANK_INDEXING_TYPES:
</span><span class="cx">         case ALL_UNDECIDED_INDEXING_TYPES:
</span><span class="cx">         case ALL_INT32_INDEXING_TYPES:
</span><span class="lines">@@ -438,7 +438,7 @@
</span><span class="cx">         
</span><span class="cx">     bool inSparseIndexingMode()
</span><span class="cx">     {
</span><del>-        switch (structure()-&gt;indexingType()) {
</del><ins>+        switch (indexingType()) {
</ins><span class="cx">         case ALL_BLANK_INDEXING_TYPES:
</span><span class="cx">         case ALL_UNDECIDED_INDEXING_TYPES:
</span><span class="cx">         case ALL_INT32_INDEXING_TYPES:
</span><span class="lines">@@ -494,31 +494,35 @@
</span><span class="cx">     // This get function only looks at the property map.
</span><span class="cx">     JSValue getDirect(VM&amp; vm, PropertyName propertyName) const
</span><span class="cx">     {
</span><del>-        PropertyOffset offset = structure()-&gt;get(vm, propertyName);
-        checkOffset(offset, structure()-&gt;inlineCapacity());
</del><ins>+        Structure* structure = this-&gt;structure(vm);
+        PropertyOffset offset = structure-&gt;get(vm, propertyName);
+        checkOffset(offset, structure-&gt;inlineCapacity());
</ins><span class="cx">         return offset != invalidOffset ? getDirect(offset) : JSValue();
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     JSValue getDirect(VM&amp; vm, PropertyName propertyName, unsigned&amp; attributes) const
</span><span class="cx">     {
</span><span class="cx">         JSCell* specific;
</span><del>-        PropertyOffset offset = structure()-&gt;get(vm, propertyName, attributes, specific);
-        checkOffset(offset, structure()-&gt;inlineCapacity());
</del><ins>+        Structure* structure = this-&gt;structure(vm);
+        PropertyOffset offset = structure-&gt;get(vm, propertyName, attributes, specific);
+        checkOffset(offset, structure-&gt;inlineCapacity());
</ins><span class="cx">         return offset != invalidOffset ? getDirect(offset) : JSValue();
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     PropertyOffset getDirectOffset(VM&amp; vm, PropertyName propertyName)
</span><span class="cx">     {
</span><del>-        PropertyOffset offset = structure()-&gt;get(vm, propertyName);
-        checkOffset(offset, structure()-&gt;inlineCapacity());
</del><ins>+        Structure* structure = this-&gt;structure(vm);
+        PropertyOffset offset = structure-&gt;get(vm, propertyName);
+        checkOffset(offset, structure-&gt;inlineCapacity());
</ins><span class="cx">         return offset;
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     PropertyOffset getDirectOffset(VM&amp; vm, PropertyName propertyName, unsigned&amp; attributes)
</span><span class="cx">     {
</span><span class="cx">         JSCell* specific;
</span><del>-        PropertyOffset offset = structure()-&gt;get(vm, propertyName, attributes, specific);
-        checkOffset(offset, structure()-&gt;inlineCapacity());
</del><ins>+        Structure* structure = this-&gt;structure(vm);
+        PropertyOffset offset = structure-&gt;get(vm, propertyName, attributes, specific);
+        checkOffset(offset, structure-&gt;inlineCapacity());
</ins><span class="cx">         return offset;
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="lines">@@ -596,8 +600,8 @@
</span><span class="cx">     void seal(VM&amp;);
</span><span class="cx">     void freeze(VM&amp;);
</span><span class="cx">     JS_EXPORT_PRIVATE void preventExtensions(VM&amp;);
</span><del>-    bool isSealed(VM&amp; vm) { return structure()-&gt;isSealed(vm); }
-    bool isFrozen(VM&amp; vm) { return structure()-&gt;isFrozen(vm); }
</del><ins>+    bool isSealed(VM&amp; vm) { return structure(vm)-&gt;isSealed(vm); }
+    bool isFrozen(VM&amp; vm) { return structure(vm)-&gt;isFrozen(vm); }
</ins><span class="cx">     bool isExtensible() { return structure()-&gt;isExtensible(); }
</span><span class="cx">     bool indexingShouldBeSparse()
</span><span class="cx">     {
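Review bot: isSealed and isFrozen now go through structure(vm), but isExtensible() on the following context line still calls structure() because it takes no VM&amp; parameter. If the vm overload is the preferred lookup after this change, give isExtensible a VM&amp; parameter as well, or note why the plain accessor is acceptable there.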
</span><span class="lines">@@ -618,7 +622,7 @@
</span><span class="cx"> 
</span><span class="cx">     void flattenDictionaryObject(VM&amp; vm)
</span><span class="cx">     {
</span><del>-        structure()-&gt;flattenDictionaryStructure(vm, this);
</del><ins>+        structure(vm)-&gt;flattenDictionaryStructure(vm, this);
</ins><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     JSGlobalObject* globalObject() const
</span><span class="lines">@@ -645,7 +649,7 @@
</span><span class="cx">     // contiguous, array storage).
</span><span class="cx">     ContiguousJSValues ensureInt32(VM&amp; vm)
</span><span class="cx">     {
</span><del>-        if (LIKELY(hasInt32(structure()-&gt;indexingType())))
</del><ins>+        if (LIKELY(hasInt32(indexingType())))
</ins><span class="cx">             return m_butterfly-&gt;contiguousInt32();
</span><span class="cx">             
</span><span class="cx">         return ensureInt32Slow(vm);
</span><span class="lines">@@ -657,7 +661,7 @@
</span><span class="cx">     // or array storage).
</span><span class="cx">     ContiguousDoubles ensureDouble(VM&amp; vm)
</span><span class="cx">     {
</span><del>-        if (LIKELY(hasDouble(structure()-&gt;indexingType())))
</del><ins>+        if (LIKELY(hasDouble(indexingType())))
</ins><span class="cx">             return m_butterfly-&gt;contiguousDouble();
</span><span class="cx">             
</span><span class="cx">         return ensureDoubleSlow(vm);
</span><span class="lines">@@ -667,7 +671,7 @@
</span><span class="cx">     // indexing should be sparse or because we're having a bad time.
</span><span class="cx">     ContiguousJSValues ensureContiguous(VM&amp; vm)
</span><span class="cx">     {
</span><del>-        if (LIKELY(hasContiguous(structure()-&gt;indexingType())))
</del><ins>+        if (LIKELY(hasContiguous(indexingType())))
</ins><span class="cx">             return m_butterfly-&gt;contiguous();
</span><span class="cx">             
</span><span class="cx">         return ensureContiguousSlow(vm);
</span><span class="lines">@@ -678,7 +682,7 @@
</span><span class="cx">     // attempts to convert each double to an int32.
</span><span class="cx">     ContiguousJSValues rageEnsureContiguous(VM&amp; vm)
</span><span class="cx">     {
</span><del>-        if (LIKELY(hasContiguous(structure()-&gt;indexingType())))
</del><ins>+        if (LIKELY(hasContiguous(indexingType())))
</ins><span class="cx">             return m_butterfly-&gt;contiguous();
</span><span class="cx">             
</span><span class="cx">         return rageEnsureContiguousSlow(vm);
</span><span class="lines">@@ -690,7 +694,7 @@
</span><span class="cx">     // already.
</span><span class="cx">     ArrayStorage* ensureArrayStorage(VM&amp; vm)
</span><span class="cx">     {
</span><del>-        if (LIKELY(hasArrayStorage(structure()-&gt;indexingType())))
</del><ins>+        if (LIKELY(hasArrayStorage(indexingType())))
</ins><span class="cx">             return m_butterfly-&gt;arrayStorage();
</span><span class="cx">             
</span><span class="cx">         return ensureArrayStorageSlow(vm);
</span><span class="lines">@@ -738,7 +742,7 @@
</span><span class="cx">     // storage. This will assert otherwise.
</span><span class="cx">     ArrayStorage* arrayStorage()
</span><span class="cx">     {
</span><del>-        ASSERT(hasArrayStorage(structure()-&gt;indexingType()));
</del><ins>+        ASSERT(hasArrayStorage(indexingType()));
</ins><span class="cx">         return m_butterfly-&gt;arrayStorage();
</span><span class="cx">     }
</span><span class="cx">         
</span><span class="lines">@@ -746,7 +750,7 @@
</span><span class="cx">     // object is in a mode where it has array storage.
</span><span class="cx">     ArrayStorage* arrayStorageOrNull()
</span><span class="cx">     {
</span><del>-        switch (structure()-&gt;indexingType()) {
</del><ins>+        switch (indexingType()) {
</ins><span class="cx">         case ALL_ARRAY_STORAGE_INDEXING_TYPES:
</span><span class="cx">             return m_butterfly-&gt;arrayStorage();
</span><span class="cx">                 
</span><span class="lines">@@ -813,7 +817,7 @@
</span><span class="cx">     void ensureLength(VM&amp; vm, unsigned length)
</span><span class="cx">     {
</span><span class="cx">         ASSERT(length &lt; MAX_ARRAY_INDEX);
</span><del>-        ASSERT(hasContiguous(structure()-&gt;indexingType()) || hasInt32(structure()-&gt;indexingType()) || hasDouble(structure()-&gt;indexingType()) || hasUndecided(structure()-&gt;indexingType()));
</del><ins>+        ASSERT(hasContiguous(indexingType()) || hasInt32(indexingType()) || hasDouble(indexingType()) || hasUndecided(indexingType()));
</ins><span class="cx">             
</span><span class="cx">         if (m_butterfly-&gt;vectorLength() &lt; length)
</span><span class="cx">             ensureLengthSlow(vm, length);
</span><span class="lines">@@ -851,7 +855,7 @@
</span><span class="cx"> 
</span><span class="cx">     ContiguousJSValues currentIndexingData()
</span><span class="cx">     {
</span><del>-        switch (structure()-&gt;indexingType()) {
</del><ins>+        switch (indexingType()) {
</ins><span class="cx">         case ALL_INT32_INDEXING_TYPES:
</span><span class="cx">         case ALL_CONTIGUOUS_INDEXING_TYPES:
</span><span class="cx">             return m_butterfly-&gt;contiguous();
</span><span class="lines">@@ -868,7 +872,7 @@
</span><span class="cx">     JSValue getHolyIndexQuickly(unsigned i)
</span><span class="cx">     {
</span><span class="cx">         ASSERT(i &lt; m_butterfly-&gt;vectorLength());
</span><del>-        switch (structure()-&gt;indexingType()) {
</del><ins>+        switch (indexingType()) {
</ins><span class="cx">         case ALL_INT32_INDEXING_TYPES:
</span><span class="cx">         case ALL_CONTIGUOUS_INDEXING_TYPES:
</span><span class="cx">             return m_butterfly-&gt;contiguous()[i].get();
</span><span class="lines">@@ -908,7 +912,7 @@
</span><span class="cx"> 
</span><span class="cx">     unsigned currentRelevantLength()
</span><span class="cx">     {
</span><del>-        switch (structure()-&gt;indexingType()) {
</del><ins>+        switch (indexingType()) {
</ins><span class="cx">         case ALL_INT32_INDEXING_TYPES:
</span><span class="cx">         case ALL_DOUBLE_INDEXING_TYPES:
</span><span class="cx">         case ALL_CONTIGUOUS_INDEXING_TYPES:
</span><span class="lines">@@ -980,6 +984,10 @@
</span><span class="cx">     
</span><span class="cx"> protected:
</span><span class="cx">     CopyWriteBarrier&lt;Butterfly&gt; m_butterfly;
</span><ins>+#if USE(JSVALUE32_64)
+private:
+    uint32_t m_padding;
+#endif
</ins><span class="cx"> };
</span><span class="cx"> 
</span><span class="cx"> // JSNonFinalObject is a type of JSObject that has some internal storage,
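Review bot: the m_padding member added under #if USE(JSVALUE32_64) has no comment saying what size or alignment it pads the class to, and the private: label introduced with it stays in effect for anything later appended to the class on that configuration. Add a one-line comment stating the intended layout and a COMPILE_ASSERT on the class size beside it, in the same style as the sizeof(JSType) assertion this patch adds in JSType.h, so the assumption is checked at compile time.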
</span><span class="lines">@@ -1106,35 +1114,35 @@
</span><span class="cx"> 
</span><span class="cx"> inline bool JSObject::isGlobalObject() const
</span><span class="cx"> {
</span><del>-    return structure()-&gt;typeInfo().type() == GlobalObjectType;
</del><ins>+    return type() == GlobalObjectType;
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> inline bool JSObject::isVariableObject() const
</span><span class="cx"> {
</span><del>-    return structure()-&gt;typeInfo().type() &gt;= VariableObjectType;
</del><ins>+    return type() &gt;= VariableObjectType;
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> 
</span><span class="cx"> inline bool JSObject::isStaticScopeObject() const
</span><span class="cx"> {
</span><del>-    JSType type = structure()-&gt;typeInfo().type();
</del><ins>+    JSType type = this-&gt;type();
</ins><span class="cx">     return type == NameScopeObjectType || type == ActivationObjectType;
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> 
</span><span class="cx"> inline bool JSObject::isNameScopeObject() const
</span><span class="cx"> {
</span><del>-    return structure()-&gt;typeInfo().type() == NameScopeObjectType;
</del><ins>+    return type() == NameScopeObjectType;
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> inline bool JSObject::isActivationObject() const
</span><span class="cx"> {
</span><del>-    return structure()-&gt;typeInfo().type() == ActivationObjectType;
</del><ins>+    return type() == ActivationObjectType;
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> inline bool JSObject::isErrorInstance() const
</span><span class="cx"> {
</span><del>-    return structure()-&gt;typeInfo().type() == ErrorInstanceType;
</del><ins>+    return type() == ErrorInstanceType;
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> inline void JSObject::setStructureAndButterfly(VM&amp; vm, Structure* structure, Butterfly* butterfly)
</span><span class="lines">@@ -1198,10 +1206,12 @@
</span><span class="cx"> {
</span><span class="cx">     unsigned attributes;
</span><span class="cx">     JSCell* specific;
</span><del>-    PropertyOffset offset = structure()-&gt;get(exec-&gt;vm(), propertyName, attributes, specific);
</del><ins>+    VM&amp; vm = exec-&gt;vm();
+    Structure* structure = this-&gt;structure(vm);
+    PropertyOffset offset = structure-&gt;get(vm, propertyName, attributes, specific);
</ins><span class="cx">     if (LIKELY(isValidOffset(offset))) {
</span><span class="cx">         JSValue value = getDirect(offset);
</span><del>-        if (structure()-&gt;hasGetterSetterProperties() &amp;&amp; value.isGetterSetter())
</del><ins>+        if (structure-&gt;hasGetterSetterProperties() &amp;&amp; value.isGetterSetter())
</ins><span class="cx">             fillGetterPropertySlot(slot, value, attributes, offset);
</span><span class="cx">         else
</span><span class="cx">             slot.setValue(this, attributes, value, offset);
</span><span class="lines">@@ -1221,9 +1231,10 @@
</span><span class="cx"> 
</span><span class="cx"> ALWAYS_INLINE bool JSObject::fastGetOwnPropertySlot(ExecState* exec, PropertyName propertyName, PropertySlot&amp; slot)
</span><span class="cx"> {
</span><del>-    if (!structure()-&gt;typeInfo().overridesGetOwnPropertySlot())
</del><ins>+    VM&amp; vm = exec-&gt;vm();
+    if (!structure(vm)-&gt;typeInfo().overridesGetOwnPropertySlot())
</ins><span class="cx">         return asObject(this)-&gt;inlineGetOwnPropertySlot(exec, propertyName, slot);
</span><del>-    return methodTable()-&gt;getOwnPropertySlot(this, exec, propertyName, slot);
</del><ins>+    return methodTable(vm)-&gt;getOwnPropertySlot(this, exec, propertyName, slot);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> // It may seem crazy to inline a function this large but it makes a big difference
</span><span class="lines">@@ -1245,7 +1256,7 @@
</span><span class="cx"> {
</span><span class="cx">     JSObject* object = this;
</span><span class="cx">     while (true) {
</span><del>-        if (object-&gt;methodTable()-&gt;getOwnPropertySlotByIndex(object, exec, propertyName, slot))
</del><ins>+        if (object-&gt;methodTable(exec-&gt;vm())-&gt;getOwnPropertySlotByIndex(object, exec, propertyName, slot))
</ins><span class="cx">             return true;
</span><span class="cx">         JSValue prototype = object-&gt;prototype();
</span><span class="cx">         if (!prototype.isObject())
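Review bot: inside the while (true) loop, object-&gt;methodTable(exec-&gt;vm()) re-evaluates exec-&gt;vm() on every step of the prototype chain. Hoist VM&amp; vm = exec-&gt;vm(); above the loop and pass vm, as fastGetOwnPropertySlot does in the hunk above.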
</span><span class="lines">@@ -1280,15 +1291,16 @@
</span><span class="cx">     ASSERT(!Heap::heap(value) || Heap::heap(value) == Heap::heap(this));
</span><span class="cx">     ASSERT(propertyName.asIndex() == PropertyName::NotAnIndex);
</span><span class="cx"> 
</span><del>-    if (structure()-&gt;isDictionary()) {
</del><ins>+    Structure* structure = this-&gt;structure(vm);
+    if (structure-&gt;isDictionary()) {
</ins><span class="cx">         unsigned currentAttributes;
</span><span class="cx">         JSCell* currentSpecificFunction;
</span><del>-        PropertyOffset offset = structure()-&gt;get(vm, propertyName, currentAttributes, currentSpecificFunction);
</del><ins>+        PropertyOffset offset = structure-&gt;get(vm, propertyName, currentAttributes, currentSpecificFunction);
</ins><span class="cx">         if (offset != invalidOffset) {
</span><span class="cx">             // If there is currently a specific function, and there now either isn't,
</span><span class="cx">             // or the new value is different, then despecify.
</span><span class="cx">             if (currentSpecificFunction &amp;&amp; (specificFunction != currentSpecificFunction))
</span><del>-                structure()-&gt;despecifyDictionaryFunction(vm, propertyName);
</del><ins>+                structure-&gt;despecifyDictionaryFunction(vm, propertyName);
</ins><span class="cx">             if ((mode == PutModePut) &amp;&amp; currentAttributes &amp; ReadOnly)
</span><span class="cx">                 return false;
</span><span class="cx"> 
</span><span class="lines">@@ -1309,24 +1321,24 @@
</span><span class="cx"> 
</span><span class="cx">         DeferGC deferGC(vm.heap);
</span><span class="cx">         Butterfly* newButterfly = butterfly();
</span><del>-        if (structure()-&gt;putWillGrowOutOfLineStorage())
-            newButterfly = growOutOfLineStorage(vm, structure()-&gt;outOfLineCapacity(), structure()-&gt;suggestedNewOutOfLineStorageCapacity());
-        offset = structure()-&gt;addPropertyWithoutTransition(vm, propertyName, attributes, specificFunction);
-        setStructureAndButterfly(vm, structure(), newButterfly);
</del><ins>+        if (this-&gt;structure()-&gt;putWillGrowOutOfLineStorage())
+            newButterfly = growOutOfLineStorage(vm, this-&gt;structure()-&gt;outOfLineCapacity(), this-&gt;structure()-&gt;suggestedNewOutOfLineStorageCapacity());
+        offset = this-&gt;structure()-&gt;addPropertyWithoutTransition(vm, propertyName, attributes, specificFunction);
+        setStructureAndButterfly(vm, this-&gt;structure(), newButterfly);
</ins><span class="cx"> 
</span><span class="cx">         validateOffset(offset);
</span><del>-        ASSERT(structure()-&gt;isValidOffset(offset));
</del><ins>+        ASSERT(this-&gt;structure()-&gt;isValidOffset(offset));
</ins><span class="cx">         putDirect(vm, offset, value);
</span><span class="cx">         // See comment on setNewProperty call below.
</span><span class="cx">         if (!specificFunction)
</span><span class="cx">             slot.setNewProperty(this, offset);
</span><span class="cx">         if (attributes &amp; ReadOnly)
</span><del>-            structure()-&gt;setContainsReadOnlyProperties();
</del><ins>+            this-&gt;structure()-&gt;setContainsReadOnlyProperties();
</ins><span class="cx">         return true;
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     PropertyOffset offset;
</span><del>-    size_t currentCapacity = structure()-&gt;outOfLineCapacity();
</del><ins>+    size_t currentCapacity = this-&gt;structure()-&gt;outOfLineCapacity();
</ins><span class="cx">     if (Structure* structure = Structure::addPropertyTransitionToExistingStructure(this-&gt;structure(), propertyName, attributes, specificFunction, offset)) {
</span><span class="cx">         DeferGC deferGC(vm.heap);
</span><span class="cx">         Butterfly* newButterfly = butterfly();
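Review bot: the context line if (Structure* structure = Structure::addPropertyTransitionToExistingStructure(...)) declares a second structure that shadows the function-scope Structure* structure = this-&gt;structure(vm) introduced in the previous hunk, and the added lines here go back to this-&gt;structure() without vm repeatedly although that local is in scope. Either use the cached local where the structure cannot have changed, or add a comment saying why a fresh read is required at these points, and rename one of the two locals so the later structure-&gt;get(...) is unambiguous.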
</span><span class="lines">@@ -1348,7 +1360,7 @@
</span><span class="cx"> 
</span><span class="cx">     unsigned currentAttributes;
</span><span class="cx">     JSCell* currentSpecificFunction;
</span><del>-    offset = structure()-&gt;get(vm, propertyName, currentAttributes, currentSpecificFunction);
</del><ins>+    offset = structure-&gt;get(vm, propertyName, currentAttributes, currentSpecificFunction);
</ins><span class="cx">     if (offset != invalidOffset) {
</span><span class="cx">         if ((mode == PutModePut) &amp;&amp; currentAttributes &amp; ReadOnly)
</span><span class="cx">             return false;
</span><span class="lines">@@ -1369,7 +1381,7 @@
</span><span class="cx">                 return true;
</span><span class="cx">             }
</span><span class="cx">             // case (2) Despecify, fall through to (3).
</span><del>-            setStructure(vm, Structure::despecifyFunctionTransition(vm, structure(), propertyName));
</del><ins>+            setStructure(vm, Structure::despecifyFunctionTransition(vm, structure, propertyName));
</ins><span class="cx">         }
</span><span class="cx"> 
</span><span class="cx">         // case (3) set the slot, do the put, return.
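Review bot: after setStructure(vm, Structure::despecifyFunctionTransition(vm, structure, propertyName)) the local structure no longer matches the object's current structure. Case (3) returns, per its comment, so the stale value is not read on this path today, but the same local is passed to Structure::addPropertyTransition(vm, structure, ...) further down. Refresh the local after the setStructure call, or add a comment that nothing after this point on this path may read it.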
</span><span class="lines">@@ -1381,7 +1393,7 @@
</span><span class="cx">     if ((mode == PutModePut) &amp;&amp; !isExtensible())
</span><span class="cx">         return false;
</span><span class="cx"> 
</span><del>-    Structure* structure = Structure::addPropertyTransition(vm, this-&gt;structure(), propertyName, attributes, specificFunction, offset, slot.context());
</del><ins>+    structure = Structure::addPropertyTransition(vm, structure, propertyName, attributes, specificFunction, offset, slot.context());
</ins><span class="cx">     
</span><span class="cx">     validateOffset(offset);
</span><span class="cx">     ASSERT(structure-&gt;isValidOffset(offset));
</span><span class="lines">@@ -1415,7 +1427,7 @@
</span><span class="cx"> inline void JSObject::setStructureAndReallocateStorageIfNecessary(VM&amp; vm, Structure* newStructure)
</span><span class="cx"> {
</span><span class="cx">     setStructureAndReallocateStorageIfNecessary(
</span><del>-        vm, structure()-&gt;outOfLineCapacity(), newStructure);
</del><ins>+        vm, structure(vm)-&gt;outOfLineCapacity(), newStructure);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> inline bool JSObject::putOwnDataProperty(VM&amp; vm, PropertyName propertyName, JSValue value, PutPropertySlot&amp; slot)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSPropertyNameIteratorh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSPropertyNameIterator.h (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSPropertyNameIterator.h        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/runtime/JSPropertyNameIterator.h        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -54,7 +54,7 @@
</span><span class="cx">        
</span><span class="cx">         static Structure* createStructure(VM&amp; vm, JSGlobalObject* globalObject, JSValue prototype)
</span><span class="cx">         {
</span><del>-            return Structure::create(vm, globalObject, prototype, TypeInfo(CompoundType, OverridesVisitChildren), info());
</del><ins>+            return Structure::create(vm, globalObject, prototype, TypeInfo(CompoundType, StructureFlags), info());
</ins><span class="cx">         }
</span><span class="cx"> 
</span><span class="cx">         static void visitChildren(JSCell*, SlotVisitor&amp;);
</span><span class="lines">@@ -76,6 +76,8 @@
</span><span class="cx">         DECLARE_EXPORT_INFO;
</span><span class="cx"> 
</span><span class="cx">     protected:
</span><ins>+        static const unsigned StructureFlags = OverridesVisitChildren | StructureIsImmortal;
+
</ins><span class="cx">         void finishCreation(VM&amp; vm, PropertyNameArrayData* propertyNameArrayData, JSObject* object)
</span><span class="cx">         {
</span><span class="cx">             Base::finishCreation(vm);
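Review bot: StructureFlags adds StructureIsImmortal on top of the OverridesVisitChildren that createStructure passed before, so this is a behaviour change and not only a refactor, and the declaration carries no comment. State next to the constant what lifetime guarantee lets this class mark its structure immortal.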
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSProxycpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSProxy.cpp (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSProxy.cpp        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/runtime/JSProxy.cpp        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -73,55 +73,55 @@
</span><span class="cx"> bool JSProxy::getOwnPropertySlot(JSObject* object, ExecState* exec, PropertyName propertyName, PropertySlot&amp; slot)
</span><span class="cx"> {
</span><span class="cx">     JSProxy* thisObject = jsCast&lt;JSProxy*&gt;(object);
</span><del>-    return thisObject-&gt;target()-&gt;methodTable()-&gt;getOwnPropertySlot(thisObject-&gt;target(), exec, propertyName, slot);
</del><ins>+    return thisObject-&gt;target()-&gt;methodTable(exec-&gt;vm())-&gt;getOwnPropertySlot(thisObject-&gt;target(), exec, propertyName, slot);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> bool JSProxy::getOwnPropertySlotByIndex(JSObject* object, ExecState* exec, unsigned propertyName, PropertySlot&amp; slot)
</span><span class="cx"> {
</span><span class="cx">     JSProxy* thisObject = jsCast&lt;JSProxy*&gt;(object);
</span><del>-    return thisObject-&gt;target()-&gt;methodTable()-&gt;getOwnPropertySlotByIndex(thisObject-&gt;target(), exec, propertyName, slot);
</del><ins>+    return thisObject-&gt;target()-&gt;methodTable(exec-&gt;vm())-&gt;getOwnPropertySlotByIndex(thisObject-&gt;target(), exec, propertyName, slot);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void JSProxy::put(JSCell* cell, ExecState* exec, PropertyName propertyName, JSValue value, PutPropertySlot&amp; slot)
</span><span class="cx"> {
</span><span class="cx">     JSProxy* thisObject = jsCast&lt;JSProxy*&gt;(cell);
</span><del>-    thisObject-&gt;target()-&gt;methodTable()-&gt;put(thisObject-&gt;target(), exec, propertyName, value, slot);
</del><ins>+    thisObject-&gt;target()-&gt;methodTable(exec-&gt;vm())-&gt;put(thisObject-&gt;target(), exec, propertyName, value, slot);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void JSProxy::putByIndex(JSCell* cell, ExecState* exec, unsigned propertyName, JSValue value, bool shouldThrow)
</span><span class="cx"> {
</span><span class="cx">     JSProxy* thisObject = jsCast&lt;JSProxy*&gt;(cell);
</span><del>-    thisObject-&gt;target()-&gt;methodTable()-&gt;putByIndex(thisObject-&gt;target(), exec, propertyName, value, shouldThrow);
</del><ins>+    thisObject-&gt;target()-&gt;methodTable(exec-&gt;vm())-&gt;putByIndex(thisObject-&gt;target(), exec, propertyName, value, shouldThrow);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> bool JSProxy::defineOwnProperty(JSObject* object, ExecState* exec, PropertyName propertyName, const PropertyDescriptor&amp; descriptor, bool shouldThrow)
</span><span class="cx"> {
</span><span class="cx">     JSProxy* thisObject = jsCast&lt;JSProxy*&gt;(object);
</span><del>-    return thisObject-&gt;target()-&gt;methodTable()-&gt;defineOwnProperty(thisObject-&gt;target(), exec, propertyName, descriptor, shouldThrow);
</del><ins>+    return thisObject-&gt;target()-&gt;methodTable(exec-&gt;vm())-&gt;defineOwnProperty(thisObject-&gt;target(), exec, propertyName, descriptor, shouldThrow);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> bool JSProxy::deleteProperty(JSCell* cell, ExecState* exec, PropertyName propertyName)
</span><span class="cx"> {
</span><span class="cx">     JSProxy* thisObject = jsCast&lt;JSProxy*&gt;(cell);
</span><del>-    return thisObject-&gt;target()-&gt;methodTable()-&gt;deleteProperty(thisObject-&gt;target(), exec, propertyName);
</del><ins>+    return thisObject-&gt;target()-&gt;methodTable(exec-&gt;vm())-&gt;deleteProperty(thisObject-&gt;target(), exec, propertyName);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> bool JSProxy::deletePropertyByIndex(JSCell* cell, ExecState* exec, unsigned propertyName)
</span><span class="cx"> {
</span><span class="cx">     JSProxy* thisObject = jsCast&lt;JSProxy*&gt;(cell);
</span><del>-    return thisObject-&gt;target()-&gt;methodTable()-&gt;deletePropertyByIndex(thisObject-&gt;target(), exec, propertyName);
</del><ins>+    return thisObject-&gt;target()-&gt;methodTable(exec-&gt;vm())-&gt;deletePropertyByIndex(thisObject-&gt;target(), exec, propertyName);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void JSProxy::getPropertyNames(JSObject* object, ExecState* exec, PropertyNameArray&amp; propertyNames, EnumerationMode mode)
</span><span class="cx"> {
</span><span class="cx">     JSProxy* thisObject = jsCast&lt;JSProxy*&gt;(object);
</span><del>-    thisObject-&gt;target()-&gt;methodTable()-&gt;getPropertyNames(thisObject-&gt;target(), exec, propertyNames, mode);
</del><ins>+    thisObject-&gt;target()-&gt;methodTable(exec-&gt;vm())-&gt;getPropertyNames(thisObject-&gt;target(), exec, propertyNames, mode);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void JSProxy::getOwnPropertyNames(JSObject* object, ExecState* exec, PropertyNameArray&amp; propertyNames, EnumerationMode mode)
</span><span class="cx"> {
</span><span class="cx">     JSProxy* thisObject = jsCast&lt;JSProxy*&gt;(object);
</span><del>-    thisObject-&gt;target()-&gt;methodTable()-&gt;getOwnPropertyNames(thisObject-&gt;target(), exec, propertyNames, mode);
</del><ins>+    thisObject-&gt;target()-&gt;methodTable(exec-&gt;vm())-&gt;getOwnPropertyNames(thisObject-&gt;target(), exec, propertyNames, mode);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> } // namespace JSC
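Review bot: each of the nine forwarding methods now spells out thisObject-&gt;target() twice plus exec-&gt;vm() in a single expression, which makes the one-liners hard to scan and easy to get wrong when the next argument is threaded through. Consider a local for thisObject-&gt;target() (and for the VM where it helps) in each body so the methodTable(vm) call and its receiver argument visibly refer to the same object.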
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSScopecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSScope.cpp (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSScope.cpp        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/runtime/JSScope.cpp        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -111,7 +111,7 @@
</span><span class="cx"> JSObject* JSScope::objectAtScope(JSScope* scope)
</span><span class="cx"> {
</span><span class="cx">     JSObject* object = scope;
</span><del>-    if (object-&gt;structure()-&gt;typeInfo().type() == WithScopeType)
</del><ins>+    if (object-&gt;type() == WithScopeType)
</ins><span class="cx">         return jsCast&lt;JSWithScope*&gt;(object)-&gt;object();
</span><span class="cx"> 
</span><span class="cx">     return object;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSStringh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSString.h (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSString.h        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/runtime/JSString.h        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -163,7 +163,7 @@
</span><span class="cx"> 
</span><span class="cx">         static Structure* createStructure(VM&amp; vm, JSGlobalObject* globalObject, JSValue proto)
</span><span class="cx">         {
</span><del>-            return Structure::create(vm, globalObject, proto, TypeInfo(StringType, OverridesGetOwnPropertySlot | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero), info());
</del><ins>+            return Structure::create(vm, globalObject, proto, TypeInfo(StringType, StructureFlags), info());
</ins><span class="cx">         }
</span><span class="cx"> 
</span><span class="cx">         static size_t offsetOfLength() { return OBJECT_OFFSETOF(JSString, m_length); }
</span><span class="lines">@@ -181,6 +181,8 @@
</span><span class="cx">         };
</span><span class="cx"> 
</span><span class="cx">     protected:
</span><ins>+        static const unsigned StructureFlags = OverridesGetOwnPropertySlot | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | StructureIsImmortal;
+
</ins><span class="cx">         friend class JSValue;
</span><span class="cx">             
</span><span class="cx">         bool isRope() const { return m_value.isNull(); }
</span><span class="lines">@@ -526,7 +528,7 @@
</span><span class="cx">         return false;
</span><span class="cx">     }
</span><span class="cx"> 
</span><del>-    inline bool isJSString(JSValue v) { return v.isCell() &amp;&amp; v.asCell()-&gt;classInfo() == JSString::info(); }
</del><ins>+    inline bool isJSString(JSValue v) { return v.isCell() &amp;&amp; v.asCell()-&gt;type() == StringType; }
</ins><span class="cx"> 
</span><span class="cx">     // --- JSValue inlines ----------------------------
</span><span class="cx">         
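Review bot: isJSString now tests v.asCell()-&gt;type() == StringType instead of comparing classInfo() with JSString::info(), which changes the check from exact class identity to whatever the cell's type field reports. Code that casts to JSString after this predicate relies on the two being equivalent, so please state, or assert in debug builds, that JSString is the only class whose structure is created with StringType.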
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSTypeh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSType.h (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSType.h        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/runtime/JSType.h        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -23,7 +23,7 @@
</span><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span><del>-enum JSType {
</del><ins>+enum JSType : uint8_t {
</ins><span class="cx">     UnspecifiedType,
</span><span class="cx">     UndefinedType,
</span><span class="cx">     BooleanType,
</span><span class="lines">@@ -55,7 +55,19 @@
</span><span class="cx">     ErrorInstanceType,
</span><span class="cx">     ProxyType,
</span><span class="cx">     WithScopeType,
</span><ins>+    ArgumentsType,
</ins><span class="cx"> 
</span><ins>+    Int8ArrayType,
+    Int16ArrayType,
+    Int32ArrayType,
+    Uint8ArrayType,
+    Uint8ClampedArrayType,
+    Uint16ArrayType,
+    Uint32ArrayType,
+    Float32ArrayType,
+    Float64ArrayType,
+    DataViewType,
+
</ins><span class="cx">     NameScopeObjectType,
</span><span class="cx">     // VariableObjectType must be less than MOST of the types of its subclasses and only its subclasses.
</span><span class="cx">     // We use &gt;=VariableObjectType checks to test for Global &amp; Activation objects, but exclude NameScopes.
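Review bot: the new ArgumentsType and typed-array entries are inserted above NameScopeObjectType, which keeps the &gt;=VariableObjectType checks described in the comment here intact, but nothing says whether the order of Int8ArrayType through DataViewType is itself relied on. Add a comment stating whether these entries must stay contiguous and in this order, so later additions do not land in the middle of the block.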
</span><span class="lines">@@ -64,6 +76,8 @@
</span><span class="cx">     ActivationObjectType,
</span><span class="cx"> };
</span><span class="cx"> 
</span><ins>+COMPILE_ASSERT(sizeof(JSType) == sizeof(uint8_t), sizeof_jstype_is_one_byte);
+
</ins><span class="cx"> } // namespace JSC
</span><span class="cx"> 
</span><span class="cx"> #endif
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSTypeInfoh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSTypeInfo.h (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSTypeInfo.h        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/runtime/JSTypeInfo.h        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -44,21 +44,31 @@
</span><span class="cx">     static const unsigned OverridesGetOwnPropertySlot = 1 &lt;&lt; 5;
</span><span class="cx">     static const unsigned InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero = 1 &lt;&lt; 6;
</span><span class="cx">     static const unsigned OverridesVisitChildren = 1 &lt;&lt; 7;
</span><ins>+
</ins><span class="cx">     static const unsigned OverridesGetPropertyNames = 1 &lt;&lt; 8;
</span><span class="cx">     static const unsigned ProhibitsPropertyCaching = 1 &lt;&lt; 9;
</span><span class="cx">     static const unsigned HasImpureGetOwnPropertySlot = 1 &lt;&lt; 10;
</span><span class="cx">     static const unsigned NewImpurePropertyFiresWatchpoints = 1 &lt;&lt; 11;
</span><span class="cx">     static const unsigned StructureHasRareData = 1 &lt;&lt; 12;
</span><ins>+    static const unsigned StructureIsImmortal = 1 &lt;&lt; 13;
</ins><span class="cx"> 
</span><span class="cx">     class TypeInfo {
</span><span class="cx">     public:
</span><ins>+        typedef uint8_t InlineTypeFlags;
+        typedef uint8_t OutOfLineTypeFlags;
+
</ins><span class="cx">         TypeInfo(JSType type, unsigned flags = 0)
</span><ins>+            : TypeInfo(type, flags &amp; 0xff, flags &gt;&gt; 8)
+        {
+        }
+        
+        TypeInfo(JSType type, InlineTypeFlags inlineTypeFlags, OutOfLineTypeFlags outOfLineTypeFlags)
</ins><span class="cx">             : m_type(type)
</span><del>-            , m_flags(flags &amp; 0xff)
-            , m_flags2(flags &gt;&gt; 8)
</del><ins>+            , m_flags(inlineTypeFlags)
+            , m_flags2(outOfLineTypeFlags)
</ins><span class="cx">         {
</span><span class="cx">             ASSERT(static_cast&lt;int&gt;(type) &lt;= 0xff);
</span><del>-            ASSERT(type &gt;= CompoundType || !(flags &amp; OverridesVisitChildren));
</del><ins>+            ASSERT(m_type &gt;= CompoundType || !(m_flags &amp; OverridesVisitChildren));
</ins><span class="cx">             // No object that doesn't ImplementsHasInstance should override it!
</span><span class="cx">             ASSERT((m_flags &amp; (ImplementsHasInstance | OverridesHasInstance)) != OverridesHasInstance);
</span><span class="cx">             // ImplementsDefaultHasInstance means (ImplementsHasInstance &amp; !OverridesHasInstance)
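Review bot: In the delegating constructor, flags &gt;&gt; 8 is narrowed to the uint8_t OutOfLineTypeFlags parameter, so any flag bit at position 16 or above is dropped silently. StructureIsImmortal at 1 &lt;&lt; 13 still fits, but nothing stops a later flag from overflowing; add ASSERT(!(flags &gt;&gt; 16)) in that constructor. Separately, InlineTypeFlags and OutOfLineTypeFlags are both typedefs of uint8_t, so swapping the two flag arguments of the three-argument constructor compiles without a diagnostic.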
</span><span class="lines">@@ -67,7 +77,8 @@
</span><span class="cx">         }
</span><span class="cx"> 
</span><span class="cx">         JSType type() const { return static_cast&lt;JSType&gt;(m_type); }
</span><del>-        bool isObject() const { return type() &gt;= ObjectType; }
</del><ins>+        bool isObject() const { return isObject(type()); }
+        static bool isObject(JSType type) { return type &gt;= ObjectType; }
</ins><span class="cx">         bool isFinalObject() const { return type() == FinalObjectType; }
</span><span class="cx">         bool isNumberObject() const { return type() == NumberObjectType; }
</span><span class="cx">         bool isName() const { return type() == NameInstanceType; }
</span><span class="lines">@@ -86,6 +97,7 @@
</span><span class="cx">         bool hasImpureGetOwnPropertySlot() const { return isSetOnFlags2(HasImpureGetOwnPropertySlot); }
</span><span class="cx">         bool newImpurePropertyFiresWatchpoints() const { return isSetOnFlags2(NewImpurePropertyFiresWatchpoints); }
</span><span class="cx">         bool structureHasRareData() const { return isSetOnFlags2(StructureHasRareData); }
</span><ins>+        bool structureIsImmortal() const { return isSetOnFlags2(StructureIsImmortal); }
</ins><span class="cx"> 
</span><span class="cx">         static ptrdiff_t flagsOffset()
</span><span class="cx">         {
</span><span class="lines">@@ -97,6 +109,9 @@
</span><span class="cx">             return OBJECT_OFFSETOF(TypeInfo, m_type);
</span><span class="cx">         }
</span><span class="cx"> 
</span><ins>+        InlineTypeFlags inlineTypeFlags() const { return m_flags; }
+        OutOfLineTypeFlags outOfLineTypeFlags() const { return m_flags2; }
+
</ins><span class="cx">     private:
</span><span class="cx">         friend class LLIntOffsetsExtractor;
</span><span class="cx">         
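Review bot: Naming is inconsistent in the new accessors: inlineTypeFlags() returns m_flags and outOfLineTypeFlags() returns m_flags2. Rename the members to match the new typedef names, or add a comment at the accessors saying which byte of the original flags word each one holds.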
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeMapDatah"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/MapData.h (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/MapData.h        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/runtime/MapData.h        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -96,7 +96,7 @@
</span><span class="cx">     void clear();
</span><span class="cx"> 
</span><span class="cx">     DECLARE_INFO;
</span><del>-    static const unsigned StructureFlags = OverridesVisitChildren | Base::StructureFlags;
</del><ins>+    static const unsigned StructureFlags = OverridesVisitChildren | StructureIsImmortal | Base::StructureFlags;
</ins><span class="cx"> 
</span><span class="cx"> private:
</span><span class="cx">     typedef WTF::UnsignedWithZeroKeyHashTraits&lt;int32_t&gt; IndexTraits;
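Review bot: StructureIsImmortal is added to StructureFlags here with no comment saying why MapData qualifies. The flag makes ~Structure() in this change return before deallocateID, so the requirement a class must meet to set it should be written down once, at the flag's definition in JSTypeInfo.h, which would also cover the other classes that gain the flag in this commit.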
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeObjectConstructorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/ObjectConstructor.cpp (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/ObjectConstructor.cpp        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/runtime/ObjectConstructor.cpp        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -206,7 +206,7 @@
</span><span class="cx">     if (!exec-&gt;argument(0).isObject())
</span><span class="cx">         return throwVMError(exec, createTypeError(exec, ASCIILiteral(&quot;Requested property names of a value that is not an object.&quot;)));
</span><span class="cx">     PropertyNameArray properties(exec);
</span><del>-    asObject(exec-&gt;argument(0))-&gt;methodTable()-&gt;getOwnPropertyNames(asObject(exec-&gt;argument(0)), exec, properties, IncludeDontEnumProperties);
</del><ins>+    asObject(exec-&gt;argument(0))-&gt;methodTable(exec-&gt;vm())-&gt;getOwnPropertyNames(asObject(exec-&gt;argument(0)), exec, properties, IncludeDontEnumProperties);
</ins><span class="cx">     JSArray* names = constructEmptyArray(exec, 0);
</span><span class="cx">     size_t numProperties = properties.size();
</span><span class="cx">     for (size_t i = 0; i &lt; numProperties; i++)
</span><span class="lines">@@ -220,7 +220,7 @@
</span><span class="cx">     if (!exec-&gt;argument(0).isObject())
</span><span class="cx">         return throwVMError(exec, createTypeError(exec, ASCIILiteral(&quot;Requested keys of a value that is not an object.&quot;)));
</span><span class="cx">     PropertyNameArray properties(exec);
</span><del>-    asObject(exec-&gt;argument(0))-&gt;methodTable()-&gt;getOwnPropertyNames(asObject(exec-&gt;argument(0)), exec, properties, ExcludeDontEnumProperties);
</del><ins>+    asObject(exec-&gt;argument(0))-&gt;methodTable(exec-&gt;vm())-&gt;getOwnPropertyNames(asObject(exec-&gt;argument(0)), exec, properties, ExcludeDontEnumProperties);
</ins><span class="cx">     JSArray* keys = constructEmptyArray(exec, 0);
</span><span class="cx">     size_t numProperties = properties.size();
</span><span class="cx">     for (size_t i = 0; i &lt; numProperties; i++)
</span><span class="lines">@@ -324,14 +324,14 @@
</span><span class="cx">         return JSValue::encode(jsNull());
</span><span class="cx">     ASSERT((descriptor.attributes() &amp; Accessor) || (!descriptor.isAccessorDescriptor()));
</span><span class="cx">     ASSERT(!exec-&gt;hadException());
</span><del>-    O-&gt;methodTable()-&gt;defineOwnProperty(O, exec, Identifier(exec, propertyName), descriptor, true);
</del><ins>+    O-&gt;methodTable(exec-&gt;vm())-&gt;defineOwnProperty(O, exec, Identifier(exec, propertyName), descriptor, true);
</ins><span class="cx">     return JSValue::encode(O);
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> static JSValue defineProperties(ExecState* exec, JSObject* object, JSObject* properties)
</span><span class="cx"> {
</span><span class="cx">     PropertyNameArray propertyNames(exec);
</span><del>-    asObject(properties)-&gt;methodTable()-&gt;getOwnPropertyNames(asObject(properties), exec, propertyNames, ExcludeDontEnumProperties);
</del><ins>+    asObject(properties)-&gt;methodTable(exec-&gt;vm())-&gt;getOwnPropertyNames(asObject(properties), exec, propertyNames, ExcludeDontEnumProperties);
</ins><span class="cx">     size_t numProperties = propertyNames.size();
</span><span class="cx">     Vector&lt;PropertyDescriptor&gt; descriptors;
</span><span class="cx">     MarkedArgumentBuffer markBuffer;
</span><span class="lines">@@ -354,7 +354,7 @@
</span><span class="cx">         }
</span><span class="cx">     }
</span><span class="cx">     for (size_t i = 0; i &lt; numProperties; i++) {
</span><del>-        object-&gt;methodTable()-&gt;defineOwnProperty(object, exec, propertyNames[i], descriptors[i], true);
</del><ins>+        object-&gt;methodTable(exec-&gt;vm())-&gt;defineOwnProperty(object, exec, propertyNames[i], descriptors[i], true);
</ins><span class="cx">         if (exec-&gt;hadException())
</span><span class="cx">             return jsNull();
</span><span class="cx">     }
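Review bot: exec-&gt;vm() is now evaluated on every iteration of this loop in defineProperties, and once more in the getOwnPropertyNames call at the top of the function. Take VM&amp; vm = exec-&gt;vm(); once at function entry, as this same change does in Operations.h, and pass vm to methodTable().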
</span><span class="lines">@@ -398,7 +398,7 @@
</span><span class="cx"> 
</span><span class="cx">     // 2. For each named own property name P of O,
</span><span class="cx">     PropertyNameArray properties(exec);
</span><del>-    object-&gt;methodTable()-&gt;getOwnPropertyNames(object, exec, properties, IncludeDontEnumProperties);
</del><ins>+    object-&gt;methodTable(exec-&gt;vm())-&gt;getOwnPropertyNames(object, exec, properties, IncludeDontEnumProperties);
</ins><span class="cx">     PropertyNameArray::const_iterator end = properties.end();
</span><span class="cx">     for (PropertyNameArray::const_iterator iter = properties.begin(); iter != end; ++iter) {
</span><span class="cx">         // a. Let desc be the result of calling the [[GetOwnProperty]] internal method of O with P.
</span><span class="lines">@@ -408,7 +408,7 @@
</span><span class="cx">         // b. If desc.[[Configurable]] is true, set desc.[[Configurable]] to false.
</span><span class="cx">         desc.setConfigurable(false);
</span><span class="cx">         // c. Call the [[DefineOwnProperty]] internal method of O with P, desc, and true as arguments.
</span><del>-        object-&gt;methodTable()-&gt;defineOwnProperty(object, exec, *iter, desc, true);
</del><ins>+        object-&gt;methodTable(exec-&gt;vm())-&gt;defineOwnProperty(object, exec, *iter, desc, true);
</ins><span class="cx">         if (exec-&gt;hadException())
</span><span class="cx">             return JSValue::encode(obj);
</span><span class="cx">     }
</span><span class="lines">@@ -428,14 +428,14 @@
</span><span class="cx">         return throwVMError(exec, createTypeError(exec, ASCIILiteral(&quot;Object.freeze can only be called on Objects.&quot;)));
</span><span class="cx">     JSObject* object = asObject(obj);
</span><span class="cx"> 
</span><del>-    if (isJSFinalObject(object) &amp;&amp; !hasIndexedProperties(object-&gt;structure()-&gt;indexingType())) {
</del><ins>+    if (isJSFinalObject(object) &amp;&amp; !hasIndexedProperties(object-&gt;indexingType())) {
</ins><span class="cx">         object-&gt;freeze(exec-&gt;vm());
</span><span class="cx">         return JSValue::encode(obj);
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     // 2. For each named own property name P of O,
</span><span class="cx">     PropertyNameArray properties(exec);
</span><del>-    object-&gt;methodTable()-&gt;getOwnPropertyNames(object, exec, properties, IncludeDontEnumProperties);
</del><ins>+    object-&gt;methodTable(exec-&gt;vm())-&gt;getOwnPropertyNames(object, exec, properties, IncludeDontEnumProperties);
</ins><span class="cx">     PropertyNameArray::const_iterator end = properties.end();
</span><span class="cx">     for (PropertyNameArray::const_iterator iter = properties.begin(); iter != end; ++iter) {
</span><span class="cx">         // a. Let desc be the result of calling the [[GetOwnProperty]] internal method of O with P.
</span><span class="lines">@@ -449,7 +449,7 @@
</span><span class="cx">         // c. If desc.[[Configurable]] is true, set desc.[[Configurable]] to false.
</span><span class="cx">         desc.setConfigurable(false);
</span><span class="cx">         // d. Call the [[DefineOwnProperty]] internal method of O with P, desc, and true as arguments.
</span><del>-        object-&gt;methodTable()-&gt;defineOwnProperty(object, exec, *iter, desc, true);
</del><ins>+        object-&gt;methodTable(exec-&gt;vm())-&gt;defineOwnProperty(object, exec, *iter, desc, true);
</ins><span class="cx">         if (exec-&gt;hadException())
</span><span class="cx">             return JSValue::encode(obj);
</span><span class="cx">     }
</span><span class="lines">@@ -483,7 +483,7 @@
</span><span class="cx"> 
</span><span class="cx">     // 2. For each named own property name P of O,
</span><span class="cx">     PropertyNameArray properties(exec);
</span><del>-    object-&gt;methodTable()-&gt;getOwnPropertyNames(object, exec, properties, IncludeDontEnumProperties);
</del><ins>+    object-&gt;methodTable(exec-&gt;vm())-&gt;getOwnPropertyNames(object, exec, properties, IncludeDontEnumProperties);
</ins><span class="cx">     PropertyNameArray::const_iterator end = properties.end();
</span><span class="cx">     for (PropertyNameArray::const_iterator iter = properties.begin(); iter != end; ++iter) {
</span><span class="cx">         // a. Let desc be the result of calling the [[GetOwnProperty]] internal method of O with P.
</span><span class="lines">@@ -513,7 +513,7 @@
</span><span class="cx"> 
</span><span class="cx">     // 2. For each named own property name P of O,
</span><span class="cx">     PropertyNameArray properties(exec);
</span><del>-    object-&gt;methodTable()-&gt;getOwnPropertyNames(object, exec, properties, IncludeDontEnumProperties);
</del><ins>+    object-&gt;methodTable(exec-&gt;vm())-&gt;getOwnPropertyNames(object, exec, properties, IncludeDontEnumProperties);
</ins><span class="cx">     PropertyNameArray::const_iterator end = properties.end();
</span><span class="cx">     for (PropertyNameArray::const_iterator iter = properties.begin(); iter != end; ++iter) {
</span><span class="cx">         // a. Let desc be the result of calling the [[GetOwnProperty]] internal method of O with P.
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeObjectPrototypecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/ObjectPrototype.cpp (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/ObjectPrototype.cpp        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/runtime/ObjectPrototype.cpp        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -123,7 +123,7 @@
</span><span class="cx">     descriptor.setGetter(get);
</span><span class="cx">     descriptor.setEnumerable(true);
</span><span class="cx">     descriptor.setConfigurable(true);
</span><del>-    thisObject-&gt;methodTable()-&gt;defineOwnProperty(thisObject, exec, Identifier(exec, exec-&gt;argument(0).toString(exec)-&gt;value(exec)), descriptor, false);
</del><ins>+    thisObject-&gt;methodTable(exec-&gt;vm())-&gt;defineOwnProperty(thisObject, exec, Identifier(exec, exec-&gt;argument(0).toString(exec)-&gt;value(exec)), descriptor, false);
</ins><span class="cx"> 
</span><span class="cx">     return JSValue::encode(jsUndefined());
</span><span class="cx"> }
</span><span class="lines">@@ -143,7 +143,7 @@
</span><span class="cx">     descriptor.setSetter(set);
</span><span class="cx">     descriptor.setEnumerable(true);
</span><span class="cx">     descriptor.setConfigurable(true);
</span><del>-    thisObject-&gt;methodTable()-&gt;defineOwnProperty(thisObject, exec, Identifier(exec, exec-&gt;argument(0).toString(exec)-&gt;value(exec)), descriptor, false);
</del><ins>+    thisObject-&gt;methodTable(exec-&gt;vm())-&gt;defineOwnProperty(thisObject, exec, Identifier(exec, exec-&gt;argument(0).toString(exec)-&gt;value(exec)), descriptor, false);
</ins><span class="cx"> 
</span><span class="cx">     return JSValue::encode(jsUndefined());
</span><span class="cx"> }
</span><span class="lines">@@ -214,14 +214,14 @@
</span><span class="cx">         return JSValue::encode(jsNontrivialString(exec, String(thisValue.isUndefined() ? ASCIILiteral(&quot;[object Undefined]&quot;) : ASCIILiteral(&quot;[object Null]&quot;))));
</span><span class="cx">     JSObject* thisObject = thisValue.toObject(exec);
</span><span class="cx"> 
</span><del>-    JSString* result = thisObject-&gt;structure()-&gt;objectToStringValue();
</del><ins>+    JSString* result = thisObject-&gt;structure(exec-&gt;vm())-&gt;objectToStringValue();
</ins><span class="cx">     if (!result) {
</span><del>-        RefPtr&lt;StringImpl&gt; newString = WTF::tryMakeString(&quot;[object &quot;, thisObject-&gt;methodTable()-&gt;className(thisObject), &quot;]&quot;);
</del><ins>+        RefPtr&lt;StringImpl&gt; newString = WTF::tryMakeString(&quot;[object &quot;, thisObject-&gt;methodTable(exec-&gt;vm())-&gt;className(thisObject), &quot;]&quot;);
</ins><span class="cx">         if (!newString)
</span><span class="cx">             return JSValue::encode(throwOutOfMemoryError(exec));
</span><span class="cx"> 
</span><span class="cx">         result = jsNontrivialString(exec, newString.release());
</span><del>-        thisObject-&gt;structure()-&gt;setObjectToStringValue(exec-&gt;vm(), thisObject, result);
</del><ins>+        thisObject-&gt;structure(exec-&gt;vm())-&gt;setObjectToStringValue(exec-&gt;vm(), thisObject, result);
</ins><span class="cx">     }
</span><span class="cx">     return JSValue::encode(result);
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeOperationscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/Operations.cpp (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/Operations.cpp        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/runtime/Operations.cpp        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -68,11 +68,11 @@
</span><span class="cx">     if (v.isObject()) {
</span><span class="cx">         // Return &quot;undefined&quot; for objects that should be treated
</span><span class="cx">         // as null when doing comparisons.
</span><del>-        if (asObject(v)-&gt;structure()-&gt;masqueradesAsUndefined(globalObject))
</del><ins>+        if (asObject(v)-&gt;structure(vm)-&gt;masqueradesAsUndefined(globalObject))
</ins><span class="cx">             return vm.smallStrings.undefinedString();
</span><span class="cx">         CallData callData;
</span><span class="cx">         JSObject* object = asObject(v);
</span><del>-        if (object-&gt;methodTable()-&gt;getCallData(object, callData) != CallTypeNone)
</del><ins>+        if (object-&gt;methodTable(vm)-&gt;getCallData(object, callData) != CallTypeNone)
</ins><span class="cx">             return vm.smallStrings.functionString();
</span><span class="cx">     }
</span><span class="cx">     return vm.smallStrings.objectString();
</span><span class="lines">@@ -88,15 +88,15 @@
</span><span class="cx">     if (!v.isCell())
</span><span class="cx">         return v.isNull();
</span><span class="cx"> 
</span><del>-    JSType type = v.asCell()-&gt;structure()-&gt;typeInfo().type();
</del><ins>+    JSType type = v.asCell()-&gt;type();
</ins><span class="cx">     if (type == StringType)
</span><span class="cx">         return false;
</span><span class="cx">     if (type &gt;= ObjectType) {
</span><del>-        if (asObject(v)-&gt;structure()-&gt;masqueradesAsUndefined(callFrame-&gt;lexicalGlobalObject()))
</del><ins>+        if (asObject(v)-&gt;structure(callFrame-&gt;vm())-&gt;masqueradesAsUndefined(callFrame-&gt;lexicalGlobalObject()))
</ins><span class="cx">             return false;
</span><span class="cx">         CallData callData;
</span><span class="cx">         JSObject* object = asObject(v);
</span><del>-        if (object-&gt;methodTable()-&gt;getCallData(object, callData) != CallTypeNone)
</del><ins>+        if (object-&gt;methodTable(callFrame-&gt;vm())-&gt;getCallData(object, callData) != CallTypeNone)
</ins><span class="cx">             return false;
</span><span class="cx">     }
</span><span class="cx">     return true;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeOperationsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/Operations.h (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/Operations.h        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/runtime/Operations.h        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -204,6 +204,7 @@
</span><span class="cx"> 
</span><span class="cx"> inline size_t normalizePrototypeChainForChainAccess(CallFrame* callFrame, JSValue base, JSValue slotBase, const Identifier&amp; propertyName, PropertyOffset&amp; slotOffset)
</span><span class="cx"> {
</span><ins>+    VM&amp; vm = callFrame-&gt;vm();
</ins><span class="cx">     JSCell* cell = base.asCell();
</span><span class="cx">     size_t count = 0;
</span><span class="cx">         
</span><span class="lines">@@ -230,10 +231,10 @@
</span><span class="cx"> 
</span><span class="cx">         // Since we're accessing a prototype in a loop, it's a good bet that it
</span><span class="cx">         // should not be treated as a dictionary.
</span><del>-        if (cell-&gt;structure()-&gt;isDictionary()) {
</del><ins>+        if (cell-&gt;structure(vm)-&gt;isDictionary()) {
</ins><span class="cx">             asObject(cell)-&gt;flattenDictionaryObject(callFrame-&gt;vm());
</span><span class="cx">             if (slotBase == cell)
</span><del>-                slotOffset = cell-&gt;structure()-&gt;get(callFrame-&gt;vm(), propertyName); 
</del><ins>+                slotOffset = cell-&gt;structure(vm)-&gt;get(callFrame-&gt;vm(), propertyName); 
</ins><span class="cx">         }
</span><span class="cx">             
</span><span class="cx">         ++count;
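Review bot: The local vm added at the top of this function is used for structure(vm), but flattenDictionaryObject(callFrame-&gt;vm()) and get(callFrame-&gt;vm(), propertyName) in these lines still re-fetch it. Use vm in those calls too so the function has one way of reaching the VM.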
</span><span class="lines">@@ -244,12 +245,13 @@
</span><span class="cx"> 
</span><span class="cx"> inline size_t normalizePrototypeChain(CallFrame* callFrame, JSCell* base)
</span><span class="cx"> {
</span><ins>+    VM&amp; vm = callFrame-&gt;vm();
</ins><span class="cx">     size_t count = 0;
</span><span class="cx">     while (1) {
</span><span class="cx">         if (base-&gt;isProxy())
</span><span class="cx">             return InvalidPrototypeChain;
</span><span class="cx">             
</span><del>-        JSValue v = base-&gt;structure()-&gt;prototypeForLookup(callFrame);
</del><ins>+        JSValue v = base-&gt;structure(vm)-&gt;prototypeForLookup(callFrame);
</ins><span class="cx">         if (v.isNull())
</span><span class="cx">             return count;
</span><span class="cx"> 
</span><span class="lines">@@ -257,7 +259,7 @@
</span><span class="cx"> 
</span><span class="cx">         // Since we're accessing a prototype in a loop, it's a good bet that it
</span><span class="cx">         // should not be treated as a dictionary.
</span><del>-        if (base-&gt;structure()-&gt;isDictionary())
</del><ins>+        if (base-&gt;structure(vm)-&gt;isDictionary())
</ins><span class="cx">             asObject(base)-&gt;flattenDictionaryObject(callFrame-&gt;vm());
</span><span class="cx"> 
</span><span class="cx">         ++count;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimePropertyMapHashTableh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/PropertyMapHashTable.h (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/PropertyMapHashTable.h        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/runtime/PropertyMapHashTable.h        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -138,7 +138,7 @@
</span><span class="cx"> 
</span><span class="cx">     static Structure* createStructure(VM&amp; vm, JSGlobalObject* globalObject, JSValue prototype)
</span><span class="cx">     {
</span><del>-        return Structure::create(vm, globalObject, prototype, TypeInfo(CompoundType, OverridesVisitChildren), info());
</del><ins>+        return Structure::create(vm, globalObject, prototype, TypeInfo(CompoundType, StructureFlags), info());
</ins><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     static void visitChildren(JSCell*, SlotVisitor&amp;);
</span><span class="lines">@@ -202,6 +202,9 @@
</span><span class="cx">     void checkConsistency();
</span><span class="cx"> #endif
</span><span class="cx"> 
</span><ins>+protected:
+    static const unsigned StructureFlags = OverridesVisitChildren | StructureIsImmortal;
+
</ins><span class="cx"> private:
</span><span class="cx">     PropertyTable(VM&amp;, unsigned initialCapacity);
</span><span class="cx">     PropertyTable(VM&amp;, JSCell*, const PropertyTable&amp;);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeRegExph"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/RegExp.h (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/RegExp.h        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/runtime/RegExp.h        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -77,7 +77,7 @@
</span><span class="cx"> 
</span><span class="cx">         static Structure* createStructure(VM&amp; vm, JSGlobalObject* globalObject, JSValue prototype)
</span><span class="cx">         {
</span><del>-            return Structure::create(vm, globalObject, prototype, TypeInfo(LeafType, 0), info());
</del><ins>+            return Structure::create(vm, globalObject, prototype, TypeInfo(LeafType, StructureFlags), info());
</ins><span class="cx">         }
</span><span class="cx">         
</span><span class="cx">         DECLARE_INFO;
</span><span class="lines">@@ -85,6 +85,8 @@
</span><span class="cx">         RegExpKey key() { return RegExpKey(m_flags, m_patternString); }
</span><span class="cx"> 
</span><span class="cx">     protected:
</span><ins>+        static const unsigned StructureFlags = StructureIsImmortal;
+
</ins><span class="cx">         void finishCreation(VM&amp;);
</span><span class="cx"> 
</span><span class="cx">     private:
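Review bot: StructureFlags is defined as StructureIsImmortal alone, without OR-ing in a base class's StructureFlags the way the MapData and SparseArrayValueMap changes in this commit do. That keeps the previous TypeInfo(LeafType, 0) apart from the new bit, but the difference from the other classes is easy to read as an oversight; add a comment saying the omission is intentional.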
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeSparseArrayValueMaph"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/SparseArrayValueMap.h (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/SparseArrayValueMap.h        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/runtime/SparseArrayValueMap.h        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -69,7 +69,7 @@
</span><span class="cx">     
</span><span class="cx">     void finishCreation(VM&amp;);
</span><span class="cx"> 
</span><del>-    static const unsigned StructureFlags = OverridesVisitChildren | JSCell::StructureFlags;
</del><ins>+    static const unsigned StructureFlags = OverridesVisitChildren | StructureIsImmortal | JSCell::StructureFlags;
</ins><span class="cx"> 
</span><span class="cx"> public:
</span><span class="cx">     DECLARE_EXPORT_INFO;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeStructurecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/Structure.cpp (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/Structure.cpp        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/runtime/Structure.cpp        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -157,13 +157,13 @@
</span><span class="cx"> 
</span><span class="cx"> Structure::Structure(VM&amp; vm, JSGlobalObject* globalObject, JSValue prototype, const TypeInfo&amp; typeInfo, const ClassInfo* classInfo, IndexingType indexingType, unsigned inlineCapacity)
</span><span class="cx">     : JSCell(vm, vm.structureStructure.get())
</span><ins>+    , m_blob(vm.heap.structureIDTable().allocateID(this), indexingType, typeInfo)
+    , m_outOfLineTypeFlags(typeInfo.outOfLineTypeFlags())
</ins><span class="cx">     , m_globalObject(vm, this, globalObject, WriteBarrier&lt;JSGlobalObject&gt;::MayBeNull)
</span><span class="cx">     , m_prototype(vm, this, prototype)
</span><span class="cx">     , m_classInfo(classInfo)
</span><span class="cx">     , m_transitionWatchpointSet(IsWatched)
</span><span class="cx">     , m_offset(invalidOffset)
</span><del>-    , m_typeInfo(typeInfo)
-    , m_indexingType(indexingType)
</del><span class="cx">     , m_inlineCapacity(inlineCapacity)
</span><span class="cx">     , m_dictionaryKind(NoneDictionaryKind)
</span><span class="cx">     , m_isPinnedPropertyTable(false)
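Review bot: allocateID(this) runs in the member initializer list, so the structure ID table receives a pointer to a Structure whose remaining members are not yet initialized. Confirm that nothing can resolve that ID before the constructor finishes, and check that m_blob and m_outOfLineTypeFlags are declared ahead of m_globalObject in Structure.h so the initializer order written here matches the order in which the members are actually initialized.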
</span><span class="lines">@@ -191,8 +191,6 @@
</span><span class="cx">     , m_classInfo(info())
</span><span class="cx">     , m_transitionWatchpointSet(IsWatched)
</span><span class="cx">     , m_offset(invalidOffset)
</span><del>-    , m_typeInfo(CompoundType, OverridesVisitChildren)
-    , m_indexingType(0)
</del><span class="cx">     , m_inlineCapacity(0)
</span><span class="cx">     , m_dictionaryKind(NoneDictionaryKind)
</span><span class="cx">     , m_isPinnedPropertyTable(false)
</span><span class="lines">@@ -205,6 +203,10 @@
</span><span class="cx">     , m_didTransition(false)
</span><span class="cx">     , m_staticFunctionReified(false)
</span><span class="cx"> {
</span><ins>+    TypeInfo typeInfo = TypeInfo(CompoundType, OverridesVisitChildren | StructureIsImmortal);
+    m_blob = StructureIDBlob(vm.heap.structureIDTable().allocateID(this), 0, typeInfo);
+    m_outOfLineTypeFlags = typeInfo.outOfLineTypeFlags();
+
</ins><span class="cx">     ASSERT(hasReadOnlyOrGetterSetterPropertiesExcludingProto() || !m_classInfo-&gt;hasStaticSetterOrReadonlyProperties(vm));
</span><span class="cx">     ASSERT(hasGetterSetterProperties() || !m_classInfo-&gt;hasStaticSetterOrReadonlyProperties(vm));
</span><span class="cx"> }
</span><span class="lines">@@ -215,8 +217,6 @@
</span><span class="cx">     , m_classInfo(previous-&gt;m_classInfo)
</span><span class="cx">     , m_transitionWatchpointSet(IsWatched)
</span><span class="cx">     , m_offset(invalidOffset)
</span><del>-    , m_typeInfo(previous-&gt;typeInfo().type(), previous-&gt;typeInfo().flags() &amp; ~StructureHasRareData)
-    , m_indexingType(previous-&gt;indexingTypeIncludingHistory())
</del><span class="cx">     , m_inlineCapacity(previous-&gt;m_inlineCapacity)
</span><span class="cx">     , m_dictionaryKind(previous-&gt;m_dictionaryKind)
</span><span class="cx">     , m_isPinnedPropertyTable(false)
</span><span class="lines">@@ -229,6 +229,11 @@
</span><span class="cx">     , m_didTransition(true)
</span><span class="cx">     , m_staticFunctionReified(previous-&gt;m_staticFunctionReified)
</span><span class="cx"> {
</span><ins>+    TypeInfo typeInfo = TypeInfo(previous-&gt;typeInfo().type(), previous-&gt;typeInfo().flags() &amp; ~StructureHasRareData);
+    m_blob = StructureIDBlob(vm.heap.structureIDTable().allocateID(this), previous-&gt;indexingTypeIncludingHistory(), typeInfo);
+    m_outOfLineTypeFlags = typeInfo.outOfLineTypeFlags();
+
+    ASSERT(!previous-&gt;typeInfo().structureIsImmortal());
</ins><span class="cx">     if (previous-&gt;typeInfo().structureHasRareData() &amp;&amp; previous-&gt;rareData()-&gt;needsCloning())
</span><span class="cx">         cloneRareDataFrom(vm, previous);
</span><span class="cx">     else if (previous-&gt;previousID())
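Review bot: The ASSERT that the previous structure is not immortal sits after the ID has already been allocated, and it is compiled out of release builds. The flags are copied from the previous structure with only StructureHasRareData masked off, so a transition from an immortal structure would inherit StructureIsImmortal and the destructor added in this commit would never return its ID to the table. Move the check to the top of the body and consider RELEASE_ASSERT, or mask StructureIsImmortal out alongside StructureHasRareData.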
</span><span class="lines">@@ -241,6 +246,13 @@
</span><span class="cx">     ASSERT(hasGetterSetterProperties() || !m_classInfo-&gt;hasStaticSetterOrReadonlyProperties(vm));
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+Structure::~Structure()
+{
+    if (typeInfo().structureIsImmortal())
+        return;
+    Heap::heap(this)-&gt;structureIDTable().deallocateID(this, m_blob.structureID());
+}
+
</ins><span class="cx"> void Structure::destroy(JSCell* cell)
</span><span class="cx"> {
</span><span class="cx">     static_cast&lt;Structure*&gt;(cell)-&gt;Structure::~Structure();
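Review bot: The early return for immortal structures in the new destructor has no comment saying why those IDs are never handed back. The non-immortal path also depends on an unstated invariant: deallocateID() overwrites the table slot with a free-list offset, so no live cell may still carry this StructureID when the Structure is destroyed. A short comment stating both would make the lifetime rule reviewable.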
</span><span class="lines">@@ -638,7 +650,7 @@
</span><span class="cx">     Structure* transition = create(vm, structure);
</span><span class="cx">     transition-&gt;setPreviousID(vm, transition, structure);
</span><span class="cx">     transition-&gt;m_attributesInPrevious = attributes;
</span><del>-    transition-&gt;m_indexingType = indexingType;
</del><ins>+    transition-&gt;m_blob.setIndexingType(indexingType);
</ins><span class="cx">     transition-&gt;propertyTable().set(vm, transition, structure-&gt;takePropertyTableOrCloneIfPinned(vm, transition));
</span><span class="cx">     transition-&gt;m_offset = structure-&gt;m_offset;
</span><span class="cx">     checkOffset(transition-&gt;m_offset, transition-&gt;inlineCapacity());
</span><span class="lines">@@ -769,16 +781,22 @@
</span><span class="cx"> {
</span><span class="cx">     ASSERT(!typeInfo().structureHasRareData());
</span><span class="cx">     StructureRareData* rareData = StructureRareData::create(vm, previous());
</span><del>-    m_typeInfo = TypeInfo(typeInfo().type(), typeInfo().flags() | StructureHasRareData);
</del><ins>+    TypeInfo oldTypeInfo = typeInfo();
+    TypeInfo newTypeInfo = TypeInfo(oldTypeInfo.type(), oldTypeInfo.flags() | StructureHasRareData);
+    m_outOfLineTypeFlags = newTypeInfo.outOfLineTypeFlags();
</ins><span class="cx">     m_previousOrRareData.set(vm, this, rareData);
</span><ins>+    ASSERT(typeInfo().structureHasRareData());
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void Structure::cloneRareDataFrom(VM&amp; vm, const Structure* other)
</span><span class="cx"> {
</span><span class="cx">     ASSERT(other-&gt;typeInfo().structureHasRareData());
</span><span class="cx">     StructureRareData* newRareData = StructureRareData::clone(vm, other-&gt;rareData());
</span><del>-    m_typeInfo = TypeInfo(typeInfo().type(), typeInfo().flags() | StructureHasRareData);
</del><ins>+    TypeInfo oldTypeInfo = typeInfo();
+    TypeInfo newTypeInfo = TypeInfo(oldTypeInfo.type(), oldTypeInfo.flags() | StructureHasRareData);
+    m_outOfLineTypeFlags = newTypeInfo.outOfLineTypeFlags();
</ins><span class="cx">     m_previousOrRareData.set(vm, this, newRareData);
</span><ins>+    ASSERT(typeInfo().structureHasRareData());
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> #if DUMP_PROPERTYMAP_STATS
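Review bot: allocateRareData() and cloneRareDataFrom() now repeat the same three lines, and both update only m_outOfLineTypeFlags while leaving the inline flags in m_blob untouched. That is correct only if StructureHasRareData is an out-of-line flag, which the trailing ASSERT checks in debug builds alone. Factor the update into one private helper and back the assumption with a compile-time check or a comment next to the flag.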
</span><span class="lines">@@ -1019,7 +1037,7 @@
</span><span class="cx">         if (prototype.isNull())
</span><span class="cx">             return false;
</span><span class="cx">         
</span><del>-        current = prototype.asCell()-&gt;structure();
</del><ins>+        current = prototype.asCell()-&gt;structure(vm);
</ins><span class="cx">         
</span><span class="cx">         unsigned attributes;
</span><span class="cx">         JSCell* specificValue;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeStructureh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/Structure.h (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/Structure.h        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/runtime/Structure.h        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -37,6 +37,7 @@
</span><span class="cx"> #include &quot;PropertyOffset.h&quot;
</span><span class="cx"> #include &quot;Protect.h&quot;
</span><span class="cx"> #include &quot;PutPropertySlot.h&quot;
</span><ins>+#include &quot;StructureIDBlob.h&quot;
</ins><span class="cx"> #include &quot;StructureRareData.h&quot;
</span><span class="cx"> #include &quot;StructureTransitionTable.h&quot;
</span><span class="cx"> #include &quot;JSTypeInfo.h&quot;
</span><span class="lines">@@ -79,6 +80,8 @@
</span><span class="cx">     
</span><span class="cx">     static Structure* create(VM&amp;, JSGlobalObject*, JSValue prototype, const TypeInfo&amp;, const ClassInfo*, IndexingType = NonArray, unsigned inlineCapacity = 0);
</span><span class="cx"> 
</span><ins>+    ~Structure();
+
</ins><span class="cx"> protected:
</span><span class="cx">     void finishCreation(VM&amp; vm)
</span><span class="cx">     {
</span><span class="lines">@@ -96,6 +99,10 @@
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx"> public:
</span><ins>+    StructureID id() const { return m_blob.structureID(); }
+    int32_t objectInitializationBlob() const { return m_blob.blobExcludingStructureID(); }
+    int64_t idBlob() const { return m_blob.blob(); }
+
</ins><span class="cx">     static void dumpStatistics();
</span><span class="cx"> 
</span><span class="cx">     JS_EXPORT_PRIVATE static Structure* addPropertyTransition(VM&amp;, Structure*, PropertyName, unsigned attributes, JSCell* specificValue, PropertyOffset&amp;, PutPropertySlot::Context = PutPropertySlot::UnknownContext);
</span><span class="lines">@@ -144,11 +151,11 @@
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     // Type accessors.
</span><del>-    const TypeInfo&amp; typeInfo() const { ASSERT(structure()-&gt;classInfo() == info()); return m_typeInfo; }
</del><ins>+    TypeInfo typeInfo() const { ASSERT(structure()-&gt;classInfo() == info()); return m_blob.typeInfo(m_outOfLineTypeFlags); }
</ins><span class="cx">     bool isObject() const { return typeInfo().isObject(); }
</span><span class="cx"> 
</span><del>-    IndexingType indexingType() const { return m_indexingType &amp; AllArrayTypes; }
-    IndexingType indexingTypeIncludingHistory() const { return m_indexingType; }
</del><ins>+    IndexingType indexingType() const { return m_blob.indexingType() &amp; AllArrayTypes; }
+    IndexingType indexingTypeIncludingHistory() const { return m_blob.indexingType(); }
</ins><span class="cx">         
</span><span class="cx">     bool mayInterceptIndexedAccesses() const
</span><span class="cx">     {
</span><span class="lines">@@ -310,6 +317,11 @@
</span><span class="cx"> 
</span><span class="cx">     const ClassInfo* classInfo() const { return m_classInfo; }
</span><span class="cx"> 
</span><ins>+    static ptrdiff_t structureIDOffset()
+    {
+        return OBJECT_OFFSETOF(Structure, m_blob) + StructureIDBlob::structureIDOffset();
+    }
+
</ins><span class="cx">     static ptrdiff_t prototypeOffset()
</span><span class="cx">     {
</span><span class="cx">         return OBJECT_OFFSETOF(Structure, m_prototype);
</span><span class="lines">@@ -320,16 +332,6 @@
</span><span class="cx">         return OBJECT_OFFSETOF(Structure, m_globalObject);
</span><span class="cx">     }
</span><span class="cx"> 
</span><del>-    static ptrdiff_t typeInfoFlagsOffset()
-    {
-        return OBJECT_OFFSETOF(Structure, m_typeInfo) + TypeInfo::flagsOffset();
-    }
-
-    static ptrdiff_t typeInfoTypeOffset()
-    {
-        return OBJECT_OFFSETOF(Structure, m_typeInfo) + TypeInfo::typeOffset();
-    }
-        
</del><span class="cx">     static ptrdiff_t classInfoOffset()
</span><span class="cx">     {
</span><span class="cx">         return OBJECT_OFFSETOF(Structure, m_classInfo);
</span><span class="lines">@@ -337,7 +339,7 @@
</span><span class="cx">         
</span><span class="cx">     static ptrdiff_t indexingTypeOffset()
</span><span class="cx">     {
</span><del>-        return OBJECT_OFFSETOF(Structure, m_indexingType);
</del><ins>+        return OBJECT_OFFSETOF(Structure, m_blob) + StructureIDBlob::indexingTypeOffset();
</ins><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     static Structure* createStructure(VM&amp;);
</span><span class="lines">@@ -478,7 +480,12 @@
</span><span class="cx">     static const int s_maxTransitionLengthForNonEvalPutById = 512;
</span><span class="cx"> 
</span><span class="cx">     static const unsigned maxSpecificFunctionThrashCount = 3;
</span><del>-        
</del><ins>+    
+    // These need to be properly aligned at the beginning of the 'Structure'
+    // part of the object.
+    StructureIDBlob m_blob;
+    TypeInfo::OutOfLineTypeFlags m_outOfLineTypeFlags;
+
</ins><span class="cx">     WriteBarrier&lt;JSGlobalObject&gt; m_globalObject;
</span><span class="cx">     WriteBarrier&lt;Unknown&gt; m_prototype;
</span><span class="cx">     mutable WriteBarrier&lt;StructureChain&gt; m_cachedPrototypeChain;
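Review bot: The comment on m_blob and m_outOfLineTypeFlags says they need to be properly aligned at the beginning of the Structure part of the object, but nothing in the hunk enforces it. A member added above them later would break the layout silently; an assertion on the position or alignment of m_blob would turn that into an immediate failure.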
</span><span class="lines">@@ -502,8 +509,6 @@
</span><span class="cx">     // m_offset does not account for anonymous slots
</span><span class="cx">     PropertyOffset m_offset;
</span><span class="cx"> 
</span><del>-    TypeInfo m_typeInfo;
-    IndexingType m_indexingType;
</del><span class="cx">     uint8_t m_inlineCapacity;
</span><span class="cx">     
</span><span class="cx">     ConcurrentJITLock m_lock;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeStructureChainh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/StructureChain.h (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/StructureChain.h        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/runtime/StructureChain.h        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -55,7 +55,10 @@
</span><span class="cx">         WriteBarrier&lt;Structure&gt;* head() { return m_vector.get(); }
</span><span class="cx">         static void visitChildren(JSCell*, SlotVisitor&amp;);
</span><span class="cx"> 
</span><del>-        static Structure* createStructure(VM&amp; vm, JSGlobalObject* globalObject, JSValue prototype) { return Structure::create(vm, globalObject, prototype, TypeInfo(CompoundType, OverridesVisitChildren), info()); }
</del><ins>+        static Structure* createStructure(VM&amp; vm, JSGlobalObject* globalObject, JSValue prototype)
+        {
+            return Structure::create(vm, globalObject, prototype, TypeInfo(CompoundType, StructureFlags), info());
+        }
</ins><span class="cx">         
</span><span class="cx">         DECLARE_INFO;
</span><span class="cx"> 
</span><span class="lines">@@ -64,6 +67,8 @@
</span><span class="cx">         static void destroy(JSCell*);
</span><span class="cx"> 
</span><span class="cx">     protected:
</span><ins>+        static const unsigned StructureFlags = OverridesVisitChildren | StructureIsImmortal;
+
</ins><span class="cx">         void finishCreation(VM&amp; vm, Structure* head)
</span><span class="cx">         {
</span><span class="cx">             Base::finishCreation(vm);
</span></span></pre></div>
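Review bot: StructureFlags in StructureChain is defined as OverridesVisitChildren | StructureIsImmortal without Base::StructureFlags, while the SymbolTable.h and WeakMapData.h changes in this same commit both OR in Base::StructureFlags. If Base declares StructureFlags, include it here as well so the three definitions follow one pattern.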
<a id="trunkSourceJavaScriptCoreruntimeStructureIDBlobh"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/runtime/StructureIDBlob.h (0 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/StructureIDBlob.h                                (rev 0)
+++ trunk/Source/JavaScriptCore/runtime/StructureIDBlob.h        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -0,0 +1,94 @@
</span><ins>+/*
+ * Copyright (C) 2014 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef StructureIDBlob_h
+#define StructureIDBlob_h
+
+#include &quot;IndexingType.h&quot;
+#include &quot;JSTypeInfo.h&quot;
+#include &quot;StructureIDTable.h&quot;
+
+namespace JSC {
+
+class StructureIDBlob {
+    friend class LLIntOffsetsExtractor;
+public:
+    StructureIDBlob()
+    {
+        u.doubleWord = 0xbbadbeef;
+    }
+
+    StructureIDBlob(StructureID structureID, IndexingType indexingType, const TypeInfo&amp; typeInfo)
+    {
+        u.fields.structureID = structureID;
+        u.fields.indexingType = indexingType;
+        u.fields.type = typeInfo.type();
+        u.fields.inlineTypeFlags = typeInfo.inlineTypeFlags();
+        u.fields.defaultGCData = 0;
+    }
+
+    void operator=(const StructureIDBlob&amp; other) { u.doubleWord = other.u.doubleWord; }
+    
+    StructureID structureID() const { return u.fields.structureID; }
+    IndexingType indexingType() const { return u.fields.indexingType; }
+    void setIndexingType(IndexingType indexingType) { u.fields.indexingType = indexingType; }
+    JSType type() const { return u.fields.type; }
+    TypeInfo::InlineTypeFlags inlineTypeFlags() const { return u.fields.inlineTypeFlags; }
+    
+    TypeInfo typeInfo(TypeInfo::OutOfLineTypeFlags outOfLineTypeFlags) const { return TypeInfo(type(), inlineTypeFlags(), outOfLineTypeFlags); }
+    
+    int32_t blobExcludingStructureID() const { return u.words.word2; }
+    int64_t blob() const { return u.doubleWord; }
+    
+    static ptrdiff_t structureIDOffset()
+    {
+        return OBJECT_OFFSETOF(StructureIDBlob, u.fields.structureID);
+    }
+
+    static ptrdiff_t indexingTypeOffset()
+    {
+        return OBJECT_OFFSETOF(StructureIDBlob, u.fields.indexingType);
+    }
+
+private:
+    union {
+        struct {
+            StructureID structureID;
+            IndexingType indexingType;
+            JSType type;
+            TypeInfo::InlineTypeFlags inlineTypeFlags;
+            uint8_t defaultGCData;
+        } fields;
+        struct {
+            int32_t word1;
+            int32_t word2;
+        } words;
+        int64_t doubleWord;
+    } u;
+};
+
+} // namespace JSC
+
+#endif // StructureIDBlob_h
</ins></span></pre></div>
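Review bot: The union assumes that the fields struct, the two int32_t words and the int64_t doubleWord all cover the same eight bytes, but no assertion checks it. blobExcludingStructureID() returns words.word2, which is the indexingType, type, inlineTypeFlags and defaultGCData group only if StructureID is four bytes and each of the other four fields is one byte with no padding, and operator= copies just doubleWord. Add a compile-time check that sizeof(StructureIDBlob) equals sizeof(int64_t). Separately, the default constructor stores 0xbbadbeef into the 64-bit doubleWord, so only the low half carries the poison pattern and the remaining bytes are zero; a comment saying whether that is intended would help.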
<a id="trunkSourceJavaScriptCoreruntimeStructureIDTablecpp"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/runtime/StructureIDTable.cpp (0 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/StructureIDTable.cpp                                (rev 0)
+++ trunk/Source/JavaScriptCore/runtime/StructureIDTable.cpp        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -0,0 +1,127 @@
</span><ins>+/*
+ * Copyright (C) 2013 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include &quot;config.h&quot;
+#include &quot;StructureIDTable.h&quot;
+
+#include &lt;limits.h&gt;
+#include &lt;wtf/Atomics.h&gt;
+#include &lt;wtf/DataLog.h&gt;
+
+namespace JSC {
+
+StructureIDTable::StructureIDTable()
+    : m_firstFreeOffset(0)
+    , m_table(new StructureOrOffset[s_initialSize])
+    , m_size(0)
+    , m_capacity(s_initialSize)
+{
+    // We pre-allocate the first offset so that the null Structure
+    // can still be represented as the StructureID '0'.
+    allocateID(0);
+}
+
+StructureIDTable::~StructureIDTable()
+{
+    delete [] m_table;
+}
+
+void StructureIDTable::resize(size_t newCapacity)
+{
+    // Create the new table.
+    StructureOrOffset* newTable = new StructureOrOffset[newCapacity];
+
+    // Copy the contents of the old table to the new table.
+    memcpy(newTable, m_table, m_capacity * sizeof(StructureOrOffset));
+
+    // Store fence to make sure we've copied everything before doing the swap.
+    WTF::storeStoreFence();
+
+    // Swap the old and new tables.
+    StructureOrOffset* oldTable = m_table;
+    m_table = newTable;
+
+    // Put the old table (now labeled as new) into the list of old tables.
+    m_oldTables.append(oldTable);
+
+    // Update the capacity.
+    m_capacity = newCapacity;
+}
+
+void StructureIDTable::flushOldTables()
+{
+    for (unsigned i = 0; i &lt; m_oldTables.size(); ++i)
+        delete [] m_oldTables[i];
+    m_oldTables.clear();
+}
+
+StructureID StructureIDTable::allocateID(Structure* structure)
+{
+#if USE(JSVALUE64)
+    if (!m_firstFreeOffset) {
+        RELEASE_ASSERT(m_capacity &lt;= UINT_MAX);
+        if (m_size == m_capacity)
+            resize(m_capacity * 2);
+        ASSERT(m_size &lt; m_capacity);
+
+        StructureOrOffset newEntry;
+        newEntry.structure = structure;
+
+        if (m_size == s_unusedID) {
+            m_size++;
+            return allocateID(structure);
+        }
+
+        StructureID result = m_size;
+        m_table[result] = newEntry;
+        m_size++;
+        return result;
+    }
+
+    ASSERT(m_firstFreeOffset != s_unusedID);
+
+    StructureID result = m_firstFreeOffset;
+    m_firstFreeOffset = m_table[m_firstFreeOffset].offset;
+    m_table[result].structure = structure;
+    return result;
+#else
+    return structure;
+#endif
+}
+
+void StructureIDTable::deallocateID(Structure* structure, StructureID structureID)
+{
+#if USE(JSVALUE64)
+    ASSERT(structureID != s_unusedID);
+    RELEASE_ASSERT(m_table[structureID].structure == structure);
+    m_table[structureID].offset = m_firstFreeOffset;
+    m_firstFreeOffset = structureID;
+#else
+    UNUSED_PARAM(structure);
+    UNUSED_PARAM(structureID);
+#endif
+}
+
+} // namespace JSC
</ins></span></pre></div>
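Review bot: resize() parks the old table in m_oldTables and issues a store-store fence before publishing the new pointer, which implies other threads may still be reading through the old one, yet flushOldTables() carries no comment on when it is safe to call. State the required condition next to flushOldTables(), since freeing an old table while a reader still holds it is a use-after-free. Two smaller points: the comment 'Put the old table (now labeled as new)' reads backwards, and in allocateID() the slot at s_unusedID is skipped without ever being written, so it stays uninitialized.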
<a id="trunkSourceJavaScriptCoreruntimeStructureIDTableh"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/runtime/StructureIDTable.h (0 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/StructureIDTable.h                                (rev 0)
+++ trunk/Source/JavaScriptCore/runtime/StructureIDTable.h        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -0,0 +1,90 @@
</span><ins>+/*
+ * Copyright (C) 2013 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef StructureIDTable_h
+#define StructureIDTable_h
+
+#include &quot;UnusedPointer.h&quot;
+#include &lt;wtf/Vector.h&gt;
+
+namespace JSC {
+
+class Structure;
+
+#if USE(JSVALUE64)
+typedef uint32_t StructureID;
+#else
+typedef Structure* StructureID;
+#endif
+
+class StructureIDTable {
+    friend class LLIntOffsetsExtractor;
+public:
+    StructureIDTable();
+    ~StructureIDTable();
+
+    void** base() { return reinterpret_cast&lt;void**&gt;(&amp;m_table); }
+
+    Structure* get(StructureID);
+    void deallocateID(Structure*, StructureID);
+    StructureID allocateID(Structure*);
+
+    void flushOldTables();
+
+private:
+    void resize(size_t newCapacity);
+    
+    union StructureOrOffset {
+        Structure* structure;
+        StructureID offset;
+    };
+
+    static const size_t s_initialSize = 256;
+
+    Vector&lt;StructureOrOffset*&gt; m_oldTables;
+
+    uint32_t m_firstFreeOffset;
+    StructureOrOffset* m_table;
+
+    size_t m_size;
+    size_t m_capacity;
+
+#if USE(JSVALUE64)
+    static const StructureID s_unusedID = unusedPointer;
+#endif
+};
+
+inline Structure* StructureIDTable::get(StructureID structureID)
+{
+#if USE(JSVALUE64)
+    return m_table[structureID].structure;
+#else
+    return structureID;
+#endif
+}
+
+} // namespace JSC
+
+#endif // StructureIDTable_h
</ins></span></pre></div>
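Review bot: get() indexes m_table[structureID] with no bounds check, and it cannot tell a live entry from a freed one because deallocateID() reuses the slot as a free-list offset through the StructureOrOffset union. A stale or corrupted StructureID therefore yields either an out-of-range read or a small integer treated as a Structure pointer. A debug ASSERT against m_size in the JSVALUE64 branch of get() would catch the first case cheaply; the second needs the lifetime invariant documented where IDs are freed.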
<a id="trunkSourceJavaScriptCoreruntimeSymbolTableh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/SymbolTable.h (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/SymbolTable.h        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/runtime/SymbolTable.h        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -476,6 +476,9 @@
</span><span class="cx"> 
</span><span class="cx">     DECLARE_EXPORT_INFO;
</span><span class="cx"> 
</span><ins>+protected:
+    static const unsigned StructureFlags = StructureIsImmortal | Base::StructureFlags;
+
</ins><span class="cx"> private:
</span><span class="cx">     class WatchpointCleanup : public UnconditionalFinalizer {
</span><span class="cx">     public:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeTypedArrayTypecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/TypedArrayType.cpp (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/TypedArrayType.cpp        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/runtime/TypedArrayType.cpp        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -32,34 +32,37 @@
</span><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span><del>-const ClassInfo* classInfoForType(TypedArrayType type)
</del><ins>+JSType typeForTypedArrayType(TypedArrayType type)
</ins><span class="cx"> {
</span><span class="cx">     switch (type) {
</span><span class="cx">     case NotTypedArray:
</span><del>-        return 0;
</del><ins>+        RELEASE_ASSERT_NOT_REACHED();
+        return UnspecifiedType;
</ins><span class="cx">     case TypeInt8:
</span><del>-        return JSInt8Array::info();
</del><ins>+        return Int8ArrayType;
</ins><span class="cx">     case TypeUint8:
</span><del>-        return JSUint8Array::info();
</del><ins>+        return Uint8ArrayType;
</ins><span class="cx">     case TypeUint8Clamped:
</span><del>-        return JSUint8ClampedArray::info();
</del><ins>+        return Uint8ClampedArrayType;
</ins><span class="cx">     case TypeInt16:
</span><del>-        return JSInt16Array::info();
</del><ins>+        return Int16ArrayType;
</ins><span class="cx">     case TypeUint16:
</span><del>-        return JSUint16Array::info();
</del><ins>+        return Uint16ArrayType;
</ins><span class="cx">     case TypeInt32:
</span><del>-        return JSInt32Array::info();
</del><ins>+        return Int32ArrayType;
</ins><span class="cx">     case TypeUint32:
</span><del>-        return JSUint32Array::info();
</del><ins>+        return Uint32ArrayType;
</ins><span class="cx">     case TypeFloat32:
</span><del>-        return JSFloat32Array::info();
</del><ins>+        return Float32ArrayType;
</ins><span class="cx">     case TypeFloat64:
</span><del>-        return JSFloat64Array::info();
</del><ins>+        return Float64ArrayType;
</ins><span class="cx">     case TypeDataView:
</span><del>-        return JSDataView::info();
</del><ins>+        return DataViewType;
+
+    default:
+        RELEASE_ASSERT_NOT_REACHED();
+        return UnspecifiedType;
</ins><span class="cx">     }
</span><del>-    RELEASE_ASSERT_NOT_REACHED();
-    return 0;
</del><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> const ClassInfo* constructorClassInfoForType(TypedArrayType type)
</span></span></pre></div>
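Review bot: The new default: label in the switch of typeForTypedArrayType() means the compiler will no longer warn when a TypedArrayType enumerator is added without a matching case. The removed code kept RELEASE_ASSERT_NOT_REACHED() after the switch, which gives the same runtime guard without hiding that warning; keep that shape and drop default:. Note also that NotTypedArray used to return 0 and now hits RELEASE_ASSERT_NOT_REACHED(), so any caller that can pass it will crash; that precondition belongs in a comment on the declaration in TypedArrayType.h.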
<a id="trunkSourceJavaScriptCoreruntimeTypedArrayTypeh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/TypedArrayType.h (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/TypedArrayType.h        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/runtime/TypedArrayType.h        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -26,6 +26,7 @@
</span><span class="cx"> #ifndef TypedArrayType_h
</span><span class="cx"> #define TypedArrayType_h
</span><span class="cx"> 
</span><ins>+#include &quot;JSType.h&quot;
</ins><span class="cx"> #include &lt;wtf/PrintStream.h&gt;
</span><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="lines">@@ -100,8 +101,8 @@
</span><span class="cx">     return static_cast&lt;size_t&gt;(1) &lt;&lt; logElementSize(type);
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-const ClassInfo* classInfoForType(TypedArrayType);
</del><span class="cx"> const ClassInfo* constructorClassInfoForType(TypedArrayType);
</span><ins>+JSType typeForTypedArrayType(TypedArrayType);
</ins><span class="cx"> 
</span><span class="cx"> inline bool isInt(TypedArrayType type)
</span><span class="cx"> {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeWeakMapDatah"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/WeakMapData.h (164763 => 164764)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/WeakMapData.h        2014-02-27 01:26:36 UTC (rev 164763)
+++ trunk/Source/JavaScriptCore/runtime/WeakMapData.h        2014-02-27 01:27:18 UTC (rev 164764)
</span><span class="lines">@@ -61,7 +61,7 @@
</span><span class="cx"> 
</span><span class="cx">     DECLARE_INFO;
</span><span class="cx"> 
</span><del>-    static const unsigned StructureFlags = OverridesVisitChildren | Base::StructureFlags;
</del><ins>+    static const unsigned StructureFlags = OverridesVisitChildren | StructureIsImmortal | Base::StructureFlags;
</ins><span class="cx"> 
</span><span class="cx"> private:
</span><span class="cx">     WeakMapData(VM&amp;);
</span></span></pre>
</div>
</div>

</body>
</html>