<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[190896] trunk</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/190896">190896</a></dd>
<dt>Author</dt> <dd>fpizlo@apple.com</dd>
<dt>Date</dt> <dd>2015-10-12 15:41:01 -0700 (Mon, 12 Oct 2015)</dd>
</dl>

<h3>Log Message</h3>
<pre>GC should have a Baker barrier for concurrent copying
https://bugs.webkit.org/show_bug.cgi?id=149852

Reviewed by Geoffrey Garen.

This adds a Baker-style read barrier [1] to copied space accesses. This barrier incurs some
overhead (0%-2% depending on benchmark suite), but what it buys is the ability to make the GC copy
phase concurrent.

The barrier relies on copied space pointers having two &quot;space bits&quot; in the low pointer bits. The
space bits indicate whether the backing store is being copied right now or not, and if it is being
copied, what stage of copying it's in. Two barrier variants are supported:

Read only barrier: if you load a backing store and immediately load from it without doing anything
else, you can just mask off the bits. In the worst case, you'll get the old backing store while
some copying thread is already allocating and populating the new version of the backing store. But
in that case, forwarding to the new backing store will not enable you to load a more up-to-date
value from the backing store. So, just masking the bits is enough. The read-only barrier is only
used in ICs where we know that we are only reading, and opportunistically within the DFG and FTL
thanks to the CopyBarrierOptimizationPhase. We never explicitly emit a read-only barrier in those
compilers; instead the phase will turn a GetButterfly into GetButterflyReadOnly if it proves that a
bunch of requirements are met.

Normal barrier: if the space bits are non-zero, call a slow path. The slow path will either do
nothing (if the copy phase hasn't started yet), or it will copy the backing store and update the
pointer (if the copy phase hasn't gotten around to copying this particular backing store), or it
will wait for the copying thread to finish (if some thread is copying this backing store right
now), or it will do nothing (if by the time we called into the slow path the backing store was
already copied). This is just like Baker's CAR/CDR barrier, but with a lock thrown in to handle
concurrent execution.

This is a 1% slow-down on SunSpider, a 1.5% slow-down on Octane, a 1.5% slow-down on Kraken, and a
0% slow-down on AsmBench. Note that the Octane slow-down is excluding the SplayLatency benchmark.
That benchmark will eventually speed up a lot once we finish doing all of this stuff. Probably, the
JetStream splay-latency will see an even larger speed-up, since our version of the latency tests do
a better job of punishing bad worst-case behavior.

[1] http://dspace.mit.edu/bitstream/handle/1721.1/41976/AI_WP_139.pdf, look for the CAR and CDR
procedures on page 9.

* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/PolymorphicAccess.cpp:
(JSC::AccessCase::generate):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter&lt;AbstractStateType&gt;::executeEffects):
* dfg/DFGArgumentsEliminationPhase.cpp:
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGCopyBarrierOptimizationPhase.cpp: Added.
(JSC::DFG::performCopyBarrierOptimization):
* dfg/DFGCopyBarrierOptimizationPhase.h: Added.
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGHeapLocation.cpp:
(WTF::printInternal):
* dfg/DFGHeapLocation.h:
* dfg/DFGLICMPhase.cpp:
(JSC::DFG::LICMPhase::run):
* dfg/DFGNodeType.h:
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThreadImpl):
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
(JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
(JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
(JSC::DFG::SpeculativeJIT::compileGetButterfly):
(JSC::DFG::SpeculativeJIT::temporaryRegisterForPutByVal):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGTypeCheckHoistingPhase.cpp:
(JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
(JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
(JSC::FTL::DFG::LowerDFGToLLVM::compileGetButterfly):
(JSC::FTL::DFG::LowerDFGToLLVM::compileGetButterflyReadOnly):
(JSC::FTL::DFG::LowerDFGToLLVM::compileConstantStoragePointer):
(JSC::FTL::DFG::LowerDFGToLLVM::compileGetIndexedPropertyStorage):
(JSC::FTL::DFG::LowerDFGToLLVM::compileCheckArray):
(JSC::FTL::DFG::LowerDFGToLLVM::compileGetTypedArrayByteOffset):
(JSC::FTL::DFG::LowerDFGToLLVM::compileMultiGetByOffset):
(JSC::FTL::DFG::LowerDFGToLLVM::compileMultiPutByOffset):
(JSC::FTL::DFG::LowerDFGToLLVM::compileGetDirectPname):
(JSC::FTL::DFG::LowerDFGToLLVM::storageForTransition):
(JSC::FTL::DFG::LowerDFGToLLVM::getById):
(JSC::FTL::DFG::LowerDFGToLLVM::loadButterflyWithBarrier):
(JSC::FTL::DFG::LowerDFGToLLVM::loadVectorWithBarrier):
(JSC::FTL::DFG::LowerDFGToLLVM::copyBarrier):
(JSC::FTL::DFG::LowerDFGToLLVM::loadButterflyReadOnly):
(JSC::FTL::DFG::LowerDFGToLLVM::loadVectorReadOnly):
(JSC::FTL::DFG::LowerDFGToLLVM::removeSpaceBits):
(JSC::FTL::DFG::LowerDFGToLLVM::baseIndex):
* ftl/FTLOperations.cpp:
(JSC::FTL::operationNewObjectWithButterfly):
(JSC::FTL::operationPopulateObjectInOSR):
* ftl/FTLOutput.h:
(JSC::FTL::Output::testNonZero32):
(JSC::FTL::Output::testIsZero64):
(JSC::FTL::Output::testNonZero64):
(JSC::FTL::Output::testIsZeroPtr):
(JSC::FTL::Output::testNonZeroPtr):
(JSC::FTL::Output::select):
(JSC::FTL::Output::extractValue):
* heap/CopyBarrier.h: Copied from Source/JavaScriptCore/heap/CopyWriteBarrier.h.
(JSC::CopyBarrierBase::CopyBarrierBase):
(JSC::CopyBarrierBase::operator!):
(JSC::CopyBarrierBase::operator bool):
(JSC::CopyBarrierBase::getWithoutBarrier):
(JSC::CopyBarrierBase::get):
(JSC::CopyBarrierBase::copyState):
(JSC::CopyBarrierBase::setCopyState):
(JSC::CopyBarrierBase::clear):
(JSC::CopyBarrierBase::set):
(JSC::CopyBarrierBase::setWithoutBarrier):
(JSC::CopyBarrierBase::weakCASWithoutBarrier):
(JSC::CopyBarrier::CopyBarrier):
(JSC::CopyBarrier::getWithoutBarrier):
(JSC::CopyBarrier::get):
(JSC::CopyBarrier::set):
(JSC::CopyBarrier::setWithoutBarrier):
(JSC::CopyBarrier::weakCASWithoutBarrier):
(JSC::CopyWriteBarrier::CopyWriteBarrier): Deleted.
(JSC::CopyWriteBarrier::operator!): Deleted.
(JSC::CopyWriteBarrier::operator bool): Deleted.
(JSC::CopyWriteBarrier::get): Deleted.
(JSC::CopyWriteBarrier::operator*): Deleted.
(JSC::CopyWriteBarrier::operator-&gt;): Deleted.
(JSC::CopyWriteBarrier::set): Deleted.
(JSC::CopyWriteBarrier::setWithoutWriteBarrier): Deleted.
(JSC::CopyWriteBarrier::clear): Deleted.
* heap/CopyVisitorInlines.h:
(JSC::CopyVisitor::checkIfShouldCopy):
* heap/CopyWriteBarrier.h: Removed.
* heap/Heap.cpp:
(JSC::Heap::addToRememberedSet):
(JSC::Heap::copyBarrier):
(JSC::Heap::collectAndSweep):
* heap/Heap.h:
(JSC::Heap::writeBarrierBuffer):
* heap/HeapInlines.h:
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::branchStructure):
(JSC::AssemblyHelpers::branchIfNotToSpace):
(JSC::AssemblyHelpers::removeSpaceBits):
(JSC::AssemblyHelpers::addressForByteOffset):
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
(JSC::JIT::privateCompileSlowCases):
* jit/JITOpcodes.cpp:
(JSC::JIT::emitSlow_op_has_indexed_property):
(JSC::JIT::emit_op_get_direct_pname):
(JSC::JIT::emitSlow_op_get_direct_pname):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_get_direct_pname):
(JSC::JIT::emitSlow_op_get_direct_pname):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitDoubleLoad):
(JSC::JIT::emitContiguousLoad):
(JSC::JIT::emitArrayStorageLoad):
(JSC::JIT::emitSlow_op_get_by_val):
(JSC::JIT::emitGenericContiguousPutByVal):
(JSC::JIT::emitArrayStoragePutByVal):
(JSC::JIT::emitSlow_op_put_by_val):
(JSC::JIT::emit_op_get_from_scope):
(JSC::JIT::emitSlow_op_get_from_scope):
(JSC::JIT::emit_op_put_to_scope):
(JSC::JIT::emitSlow_op_put_to_scope):
(JSC::JIT::emitIntTypedArrayGetByVal):
(JSC::JIT::emitFloatTypedArrayGetByVal):
(JSC::JIT::emitIntTypedArrayPutByVal):
(JSC::JIT::emitFloatTypedArrayPutByVal):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/DirectArguments.cpp:
(JSC::DirectArguments::visitChildren):
(JSC::DirectArguments::copyBackingStore):
(JSC::DirectArguments::overrideThings):
(JSC::DirectArguments::overrideThingsIfNecessary):
(JSC::DirectArguments::overrideArgument):
(JSC::DirectArguments::copyToArguments):
* runtime/DirectArguments.h:
(JSC::DirectArguments::canAccessIndexQuickly):
(JSC::DirectArguments::canAccessArgumentIndexQuicklyInDFG):
* runtime/JSArray.cpp:
(JSC::JSArray::setLength):
(JSC::JSArray::pop):
(JSC::JSArray::push):
(JSC::JSArray::fastSlice):
(JSC::JSArray::fastConcatWith):
(JSC::JSArray::shiftCountWithArrayStorage):
(JSC::JSArray::shiftCountWithAnyIndexingType):
(JSC::JSArray::unshiftCountWithAnyIndexingType):
(JSC::JSArray::fillArgList):
(JSC::JSArray::copyToArguments):
* runtime/JSArrayBufferView.cpp:
(JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
(JSC::JSArrayBufferView::JSArrayBufferView):
(JSC::JSArrayBufferView::finishCreation):
(JSC::JSArrayBufferView::finalize):
* runtime/JSArrayBufferView.h:
(JSC::JSArrayBufferView::vector):
(JSC::JSArrayBufferView::length):
* runtime/JSArrayBufferViewInlines.h:
(JSC::JSArrayBufferView::neuter):
(JSC::JSArrayBufferView::byteOffset):
* runtime/JSGenericTypedArrayView.h:
(JSC::JSGenericTypedArrayView::typedVector):
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView&lt;Adaptor&gt;::visitChildren):
(JSC::JSGenericTypedArrayView&lt;Adaptor&gt;::copyBackingStore):
(JSC::JSGenericTypedArrayView&lt;Adaptor&gt;::slowDownAndWasteMemory):
* runtime/JSMap.h:
(JSC::JSMap::JSMap):
* runtime/JSObject.cpp:
(JSC::JSObject::copyButterfly):
(JSC::JSObject::visitChildren):
(JSC::JSObject::copyBackingStore):
(JSC::JSObject::getOwnPropertySlotByIndex):
(JSC::JSObject::putByIndex):
(JSC::JSObject::enterDictionaryIndexingMode):
(JSC::JSObject::createInitialIndexedStorage):
(JSC::JSObject::createArrayStorage):
(JSC::JSObject::convertUndecidedToInt32):
(JSC::JSObject::convertUndecidedToDouble):
(JSC::JSObject::convertUndecidedToContiguous):
(JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
(JSC::JSObject::convertUndecidedToArrayStorage):
(JSC::JSObject::convertInt32ToDouble):
(JSC::JSObject::convertInt32ToContiguous):
(JSC::JSObject::convertInt32ToArrayStorage):
(JSC::JSObject::convertDoubleToContiguous):
(JSC::JSObject::convertDoubleToArrayStorage):
(JSC::JSObject::convertContiguousToArrayStorage):
(JSC::JSObject::setIndexQuicklyToUndecided):
(JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
(JSC::JSObject::deletePropertyByIndex):
(JSC::JSObject::getOwnPropertyNames):
(JSC::JSObject::putIndexedDescriptor):
(JSC::JSObject::defineOwnIndexedProperty):
(JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
(JSC::JSObject::putDirectIndexBeyondVectorLength):
(JSC::JSObject::getNewVectorLength):
(JSC::JSObject::ensureLengthSlow):
(JSC::JSObject::reallocateAndShrinkButterfly):
(JSC::JSObject::growOutOfLineStorage):
(JSC::JSObject::getOwnPropertyDescriptor):
(JSC::JSObject::getEnumerableLength):
* runtime/JSObject.h:
(JSC::JSObject::getArrayLength):
(JSC::JSObject::getVectorLength):
(JSC::JSObject::canGetIndexQuickly):
(JSC::JSObject::getIndexQuickly):
(JSC::JSObject::tryGetIndexQuickly):
(JSC::JSObject::canSetIndexQuickly):
(JSC::JSObject::canSetIndexQuicklyForPutDirect):
(JSC::JSObject::setIndexQuickly):
(JSC::JSObject::initializeIndex):
(JSC::JSObject::hasSparseMap):
(JSC::JSObject::inSparseIndexingMode):
(JSC::JSObject::inlineStorage):
(JSC::JSObject::butterfly):
(JSC::JSObject::outOfLineStorage):
(JSC::JSObject::locationForOffset):
(JSC::JSObject::ensureInt32):
(JSC::JSObject::ensureDouble):
(JSC::JSObject::ensureContiguous):
(JSC::JSObject::ensureArrayStorage):
(JSC::JSObject::arrayStorage):
(JSC::JSObject::arrayStorageOrNull):
(JSC::JSObject::ensureLength):
(JSC::JSObject::putDirectWithoutTransition):
* runtime/JSSet.h:
(JSC::JSSet::JSSet):
* runtime/MapData.h:
(JSC::JSIterator&gt;::MapDataImpl):
(JSC::JSIterator&gt;::IteratorData::next):
(JSC::JSIterator&gt;::IteratorData::refreshCursor):
* runtime/MapDataInlines.h:
(JSC::JSIterator&gt;::clear):
(JSC::JSIterator&gt;::find):
(JSC::JSIterator&gt;::add):
(JSC::JSIterator&gt;::remove):
(JSC::JSIterator&gt;::replaceAndPackBackingStore):
(JSC::JSIterator&gt;::replaceBackingStore):
(JSC::JSIterator&gt;::ensureSpaceForAppend):
(JSC::JSIterator&gt;::visitChildren):
(JSC::JSIterator&gt;::copyBackingStore):
* runtime/Options.h:</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkPerformanceTestsJetStreamOctane2cryptojs">trunk/PerformanceTests/JetStream/Octane2/crypto.js</a></li>
<li><a href="#trunkSourceJavaScriptCoreCMakeListstxt">trunk/Source/JavaScriptCore/CMakeLists.txt</a></li>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoreJavaScriptCorevcxprojJavaScriptCorevcxproj">trunk/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj</a></li>
<li><a href="#trunkSourceJavaScriptCoreJavaScriptCorexcodeprojprojectpbxproj">trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodePolymorphicAccesscpp">trunk/Source/JavaScriptCore/bytecode/PolymorphicAccess.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGAbstractInterpreterInlinesh">trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGArgumentsEliminationPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGClobberizeh">trunk/Source/JavaScriptCore/dfg/DFGClobberize.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGDoesGCcpp">trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGFixupPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGHeapLocationcpp">trunk/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGHeapLocationh">trunk/Source/JavaScriptCore/dfg/DFGHeapLocation.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGLICMPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGLICMPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGNodeTypeh">trunk/Source/JavaScriptCore/dfg/DFGNodeType.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGOperationscpp">trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGOperationsh">trunk/Source/JavaScriptCore/dfg/DFGOperations.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGPlancpp">trunk/Source/JavaScriptCore/dfg/DFGPlan.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGPredictionPropagationPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSafeToExecuteh">trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJITcpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJITh">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJIT32_64cpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJIT64cpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGTypeCheckHoistingPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGTypeCheckHoistingPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLCapabilitiescpp">trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLLowerDFGToLLVMcpp">trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLOperationscpp">trunk/Source/JavaScriptCore/ftl/FTLOperations.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLOutputh">trunk/Source/JavaScriptCore/ftl/FTLOutput.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapCopyVisitorInlinesh">trunk/Source/JavaScriptCore/heap/CopyVisitorInlines.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapHeapcpp">trunk/Source/JavaScriptCore/heap/Heap.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapHeaph">trunk/Source/JavaScriptCore/heap/Heap.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapHeapInlinesh">trunk/Source/JavaScriptCore/heap/HeapInlines.h</a></li>
<li><a href="#trunkSourceJavaScriptCorejitAssemblyHelpersh">trunk/Source/JavaScriptCore/jit/AssemblyHelpers.h</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITcpp">trunk/Source/JavaScriptCore/jit/JIT.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITOpcodescpp">trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITOpcodes32_64cpp">trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITPropertyAccesscpp">trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorellintLowLevelInterpreterasm">trunk/Source/JavaScriptCore/llint/LowLevelInterpreter.asm</a></li>
<li><a href="#trunkSourceJavaScriptCorellintLowLevelInterpreter64asm">trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeDirectArgumentscpp">trunk/Source/JavaScriptCore/runtime/DirectArguments.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeDirectArgumentsh">trunk/Source/JavaScriptCore/runtime/DirectArguments.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSArraycpp">trunk/Source/JavaScriptCore/runtime/JSArray.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSArrayBufferViewcpp">trunk/Source/JavaScriptCore/runtime/JSArrayBufferView.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSArrayBufferViewh">trunk/Source/JavaScriptCore/runtime/JSArrayBufferView.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSArrayBufferViewInlinesh">trunk/Source/JavaScriptCore/runtime/JSArrayBufferViewInlines.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSGenericTypedArrayViewh">trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayView.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSGenericTypedArrayViewInlinesh">trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSMaph">trunk/Source/JavaScriptCore/runtime/JSMap.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSObjectcpp">trunk/Source/JavaScriptCore/runtime/JSObject.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSObjecth">trunk/Source/JavaScriptCore/runtime/JSObject.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSSeth">trunk/Source/JavaScriptCore/runtime/JSSet.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeMapDatah">trunk/Source/JavaScriptCore/runtime/MapData.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeMapDataInlinesh">trunk/Source/JavaScriptCore/runtime/MapDataInlines.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeOptionsh">trunk/Source/JavaScriptCore/runtime/Options.h</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoredfgDFGCopyBarrierOptimizationPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGCopyBarrierOptimizationPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGCopyBarrierOptimizationPhaseh">trunk/Source/JavaScriptCore/dfg/DFGCopyBarrierOptimizationPhase.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapCopyBarrierh">trunk/Source/JavaScriptCore/heap/CopyBarrier.h</a></li>
</ul>

<h3>Removed Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoreheapCopyWriteBarrierh">trunk/Source/JavaScriptCore/heap/CopyWriteBarrier.h</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkPerformanceTestsJetStreamOctane2cryptojs"></a>
<div class="modfile"><h4>Modified: trunk/PerformanceTests/JetStream/Octane2/crypto.js (190895 => 190896)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/PerformanceTests/JetStream/Octane2/crypto.js        2015-10-12 22:40:36 UTC (rev 190895)
+++ trunk/PerformanceTests/JetStream/Octane2/crypto.js        2015-10-12 22:41:01 UTC (rev 190896)
</span><span class="lines">@@ -580,11 +580,18 @@
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> // x = x/R mod m (HAC 14.32)
</span><ins>+//var outerCounter = 0;
+//var innerCounter = 0;
+var globalThingy = 0;
</ins><span class="cx"> function montReduce(x) {
</span><span class="cx">   var x_array = x.array;
</span><span class="cx">   while(x.t &lt;= this.mt2)        // pad x so am has enough room later
</span><span class="cx">     x_array[x.t++] = 0;
</span><ins>+  //outerCounter++;
+  globalThingy = 665;
</ins><span class="cx">   for(var i = 0; i &lt; this.m.t; ++i) {
</span><ins>+    //innerCounter++;
+    globalThingy = 666;
</ins><span class="cx">     // faster way of calculating u0 = x[i]*mp mod DV
</span><span class="cx">     var j = x_array[i]&amp;0x7fff;
</span><span class="cx">     var u0 = (j*this.mpl+(((j*this.mph+(x_array[i]&gt;&gt;15)*this.mpl)&amp;this.um)&lt;&lt;15))&amp;BI_DM;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreCMakeListstxt"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/CMakeLists.txt (190895 => 190896)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/CMakeLists.txt        2015-10-12 22:40:36 UTC (rev 190895)
+++ trunk/Source/JavaScriptCore/CMakeLists.txt        2015-10-12 22:41:01 UTC (rev 190896)
</span><span class="lines">@@ -168,6 +168,7 @@
</span><span class="cx">     dfg/DFGCompilationMode.cpp
</span><span class="cx">     dfg/DFGConstantFoldingPhase.cpp
</span><span class="cx">     dfg/DFGConstantHoistingPhase.cpp
</span><ins>+    dfg/DFGCopyBarrierOptimizationPhase.cpp
</ins><span class="cx">     dfg/DFGCriticalEdgeBreakingPhase.cpp
</span><span class="cx">     dfg/DFGDCEPhase.cpp
</span><span class="cx">     dfg/DFGDesiredIdentifiers.cpp
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (190895 => 190896)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog        2015-10-12 22:40:36 UTC (rev 190895)
+++ trunk/Source/JavaScriptCore/ChangeLog        2015-10-12 22:41:01 UTC (rev 190896)
</span><span class="lines">@@ -1,3 +1,309 @@
</span><ins>+2015-10-08  Filip Pizlo  &lt;fpizlo@apple.com&gt;
+
+        GC should have a Baker barrier for concurrent copying
+        https://bugs.webkit.org/show_bug.cgi?id=149852
+
+        Reviewed by Geoffrey Garen.
+
+        This adds a Baker-style read barrier [1] to copied space accesses. This barrier incurs some
+        overhead (0%-2% depending on benchmark suite), but what it buys is the ability to make the GC copy
+        phase concurrent.
+
+        The barrier relies on copied space pointers having two &quot;space bits&quot; in the low pointer bits. The
+        space bits indicate whether the backing store is being copied right now or not, and if it is being
+        copied, what stage of copying it's in. Two barrier variants are supported:
+
+        Read only barrier: if you load a backing store and immediately load from it without doing anything
+        else, you can just mask off the bits. In the worst case, you'll get the old backing store while
+        some copying thread is already allocating and populating the new version of the backing store. But
+        in that case, forwarding to the new backing store will not enable you to load a more up-to-date
+        value from the backing store. So, just masking the bits is enough. The read-only barrier is only
+        used in ICs where we know that we are only reading, and opportunistically within the DFG and FTL
+        thanks to the CopyBarrierOptimizationPhase. We never explicitly emit a read-only barrier in those
+        compilers; instead the phase will turn a GetButterfly into GetButterflyReadOnly if it proves that a
+        bunch of requirements are met.
+
+        Normal barrier: if the space bits are non-zero, call a slow path. The slow path will either do
+        nothing (if the copy phase hasn't started yet), or it will copy the backing store and update the
+        pointer (if the copy phase hasn't gotten around to copying this particular backing store), or it
+        will wait for the copying thread to finish (if some thread is copying this backing store right
+        now), or it will do nothing (if by the time we called into the slow path the backing store was
+        already copied). This is just like Baker's CAR/CDR barrier, but with a lock thrown in to handle
+        concurrent execution.
+
+        This is a 1% slow-down on SunSpider, a 1.5% slow-down on Octane, a 1.5% slow-down on Kraken, and a
+        0% slow-down on AsmBench. Note that the Octane slow-down is excluding the SplayLatency benchmark.
+        That benchmark will eventually speed up a lot once we finish doing all of this stuff. Probably, the
+        JetStream splay-latency will see an even larger speed-up, since our version of the latency tests do
+        a better job of punishing bad worst-case behavior.
+
+        [1] http://dspace.mit.edu/bitstream/handle/1721.1/41976/AI_WP_139.pdf, look for the CAR and CDR
+        procedures on page 9.
+
+        * CMakeLists.txt:
+        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * bytecode/PolymorphicAccess.cpp:
+        (JSC::AccessCase::generate):
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter&lt;AbstractStateType&gt;::executeEffects):
+        * dfg/DFGArgumentsEliminationPhase.cpp:
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize):
+        * dfg/DFGCopyBarrierOptimizationPhase.cpp: Added.
+        (JSC::DFG::performCopyBarrierOptimization):
+        * dfg/DFGCopyBarrierOptimizationPhase.h: Added.
+        * dfg/DFGDoesGC.cpp:
+        (JSC::DFG::doesGC):
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+        * dfg/DFGHeapLocation.cpp:
+        (WTF::printInternal):
+        * dfg/DFGHeapLocation.h:
+        * dfg/DFGLICMPhase.cpp:
+        (JSC::DFG::LICMPhase::run):
+        * dfg/DFGNodeType.h:
+        * dfg/DFGOperations.cpp:
+        * dfg/DFGOperations.h:
+        * dfg/DFGPlan.cpp:
+        (JSC::DFG::Plan::compileInThreadImpl):
+        * dfg/DFGPredictionPropagationPhase.cpp:
+        (JSC::DFG::PredictionPropagationPhase::propagate):
+        * dfg/DFGSafeToExecute.h:
+        (JSC::DFG::safeToExecute):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
+        (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
+        (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
+        (JSC::DFG::SpeculativeJIT::compileGetButterfly):
+        (JSC::DFG::SpeculativeJIT::temporaryRegisterForPutByVal):
+        * dfg/DFGSpeculativeJIT.h:
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGTypeCheckHoistingPhase.cpp:
+        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
+        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
+        * ftl/FTLCapabilities.cpp:
+        (JSC::FTL::canCompile):
+        * ftl/FTLLowerDFGToLLVM.cpp:
+        (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
+        (JSC::FTL::DFG::LowerDFGToLLVM::compileGetButterfly):
+        (JSC::FTL::DFG::LowerDFGToLLVM::compileGetButterflyReadOnly):
+        (JSC::FTL::DFG::LowerDFGToLLVM::compileConstantStoragePointer):
+        (JSC::FTL::DFG::LowerDFGToLLVM::compileGetIndexedPropertyStorage):
+        (JSC::FTL::DFG::LowerDFGToLLVM::compileCheckArray):
+        (JSC::FTL::DFG::LowerDFGToLLVM::compileGetTypedArrayByteOffset):
+        (JSC::FTL::DFG::LowerDFGToLLVM::compileMultiGetByOffset):
+        (JSC::FTL::DFG::LowerDFGToLLVM::compileMultiPutByOffset):
+        (JSC::FTL::DFG::LowerDFGToLLVM::compileGetDirectPname):
+        (JSC::FTL::DFG::LowerDFGToLLVM::storageForTransition):
+        (JSC::FTL::DFG::LowerDFGToLLVM::getById):
+        (JSC::FTL::DFG::LowerDFGToLLVM::loadButterflyWithBarrier):
+        (JSC::FTL::DFG::LowerDFGToLLVM::loadVectorWithBarrier):
+        (JSC::FTL::DFG::LowerDFGToLLVM::copyBarrier):
+        (JSC::FTL::DFG::LowerDFGToLLVM::loadButterflyReadOnly):
+        (JSC::FTL::DFG::LowerDFGToLLVM::loadVectorReadOnly):
+        (JSC::FTL::DFG::LowerDFGToLLVM::removeSpaceBits):
+        (JSC::FTL::DFG::LowerDFGToLLVM::baseIndex):
+        * ftl/FTLOperations.cpp:
+        (JSC::FTL::operationNewObjectWithButterfly):
+        (JSC::FTL::operationPopulateObjectInOSR):
+        * ftl/FTLOutput.h:
+        (JSC::FTL::Output::testNonZero32):
+        (JSC::FTL::Output::testIsZero64):
+        (JSC::FTL::Output::testNonZero64):
+        (JSC::FTL::Output::testIsZeroPtr):
+        (JSC::FTL::Output::testNonZeroPtr):
+        (JSC::FTL::Output::select):
+        (JSC::FTL::Output::extractValue):
+        * heap/CopyBarrier.h: Copied from Source/JavaScriptCore/heap/CopyWriteBarrier.h.
+        (JSC::CopyBarrierBase::CopyBarrierBase):
+        (JSC::CopyBarrierBase::operator!):
+        (JSC::CopyBarrierBase::operator bool):
+        (JSC::CopyBarrierBase::getWithoutBarrier):
+        (JSC::CopyBarrierBase::get):
+        (JSC::CopyBarrierBase::copyState):
+        (JSC::CopyBarrierBase::setCopyState):
+        (JSC::CopyBarrierBase::clear):
+        (JSC::CopyBarrierBase::set):
+        (JSC::CopyBarrierBase::setWithoutBarrier):
+        (JSC::CopyBarrierBase::weakCASWithoutBarrier):
+        (JSC::CopyBarrier::CopyBarrier):
+        (JSC::CopyBarrier::getWithoutBarrier):
+        (JSC::CopyBarrier::get):
+        (JSC::CopyBarrier::set):
+        (JSC::CopyBarrier::setWithoutBarrier):
+        (JSC::CopyBarrier::weakCASWithoutBarrier):
+        (JSC::CopyWriteBarrier::CopyWriteBarrier): Deleted.
+        (JSC::CopyWriteBarrier::operator!): Deleted.
+        (JSC::CopyWriteBarrier::operator bool): Deleted.
+        (JSC::CopyWriteBarrier::get): Deleted.
+        (JSC::CopyWriteBarrier::operator*): Deleted.
+        (JSC::CopyWriteBarrier::operator-&gt;): Deleted.
+        (JSC::CopyWriteBarrier::set): Deleted.
+        (JSC::CopyWriteBarrier::setWithoutWriteBarrier): Deleted.
+        (JSC::CopyWriteBarrier::clear): Deleted.
+        * heap/CopyVisitorInlines.h:
+        (JSC::CopyVisitor::checkIfShouldCopy):
+        * heap/CopyWriteBarrier.h: Removed.
+        * heap/Heap.cpp:
+        (JSC::Heap::addToRememberedSet):
+        (JSC::Heap::copyBarrier):
+        (JSC::Heap::collectAndSweep):
+        * heap/Heap.h:
+        (JSC::Heap::writeBarrierBuffer):
+        * heap/HeapInlines.h:
+        * jit/AssemblyHelpers.h:
+        (JSC::AssemblyHelpers::branchStructure):
+        (JSC::AssemblyHelpers::branchIfNotToSpace):
+        (JSC::AssemblyHelpers::removeSpaceBits):
+        (JSC::AssemblyHelpers::addressForByteOffset):
+        * jit/JIT.cpp:
+        (JSC::JIT::privateCompileMainPass):
+        (JSC::JIT::privateCompileSlowCases):
+        * jit/JITOpcodes.cpp:
+        (JSC::JIT::emitSlow_op_has_indexed_property):
+        (JSC::JIT::emit_op_get_direct_pname):
+        (JSC::JIT::emitSlow_op_get_direct_pname):
+        * jit/JITOpcodes32_64.cpp:
+        (JSC::JIT::emit_op_get_direct_pname):
+        (JSC::JIT::emitSlow_op_get_direct_pname):
+        * jit/JITPropertyAccess.cpp:
+        (JSC::JIT::emitDoubleLoad):
+        (JSC::JIT::emitContiguousLoad):
+        (JSC::JIT::emitArrayStorageLoad):
+        (JSC::JIT::emitSlow_op_get_by_val):
+        (JSC::JIT::emitGenericContiguousPutByVal):
+        (JSC::JIT::emitArrayStoragePutByVal):
+        (JSC::JIT::emitSlow_op_put_by_val):
+        (JSC::JIT::emit_op_get_from_scope):
+        (JSC::JIT::emitSlow_op_get_from_scope):
+        (JSC::JIT::emit_op_put_to_scope):
+        (JSC::JIT::emitSlow_op_put_to_scope):
+        (JSC::JIT::emitIntTypedArrayGetByVal):
+        (JSC::JIT::emitFloatTypedArrayGetByVal):
+        (JSC::JIT::emitIntTypedArrayPutByVal):
+        (JSC::JIT::emitFloatTypedArrayPutByVal):
+        * llint/LowLevelInterpreter.asm:
+        * llint/LowLevelInterpreter64.asm:
+        * runtime/DirectArguments.cpp:
+        (JSC::DirectArguments::visitChildren):
+        (JSC::DirectArguments::copyBackingStore):
+        (JSC::DirectArguments::overrideThings):
+        (JSC::DirectArguments::overrideThingsIfNecessary):
+        (JSC::DirectArguments::overrideArgument):
+        (JSC::DirectArguments::copyToArguments):
+        * runtime/DirectArguments.h:
+        (JSC::DirectArguments::canAccessIndexQuickly):
+        (JSC::DirectArguments::canAccessArgumentIndexQuicklyInDFG):
+        * runtime/JSArray.cpp:
+        (JSC::JSArray::setLength):
+        (JSC::JSArray::pop):
+        (JSC::JSArray::push):
+        (JSC::JSArray::fastSlice):
+        (JSC::JSArray::fastConcatWith):
+        (JSC::JSArray::shiftCountWithArrayStorage):
+        (JSC::JSArray::shiftCountWithAnyIndexingType):
+        (JSC::JSArray::unshiftCountWithAnyIndexingType):
+        (JSC::JSArray::fillArgList):
+        (JSC::JSArray::copyToArguments):
+        * runtime/JSArrayBufferView.cpp:
+        (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
+        (JSC::JSArrayBufferView::JSArrayBufferView):
+        (JSC::JSArrayBufferView::finishCreation):
+        (JSC::JSArrayBufferView::finalize):
+        * runtime/JSArrayBufferView.h:
+        (JSC::JSArrayBufferView::vector):
+        (JSC::JSArrayBufferView::length):
+        * runtime/JSArrayBufferViewInlines.h:
+        (JSC::JSArrayBufferView::neuter):
+        (JSC::JSArrayBufferView::byteOffset):
+        * runtime/JSGenericTypedArrayView.h:
+        (JSC::JSGenericTypedArrayView::typedVector):
+        * runtime/JSGenericTypedArrayViewInlines.h:
+        (JSC::JSGenericTypedArrayView&lt;Adaptor&gt;::visitChildren):
+        (JSC::JSGenericTypedArrayView&lt;Adaptor&gt;::copyBackingStore):
+        (JSC::JSGenericTypedArrayView&lt;Adaptor&gt;::slowDownAndWasteMemory):
+        * runtime/JSMap.h:
+        (JSC::JSMap::JSMap):
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::copyButterfly):
+        (JSC::JSObject::visitChildren):
+        (JSC::JSObject::copyBackingStore):
+        (JSC::JSObject::getOwnPropertySlotByIndex):
+        (JSC::JSObject::putByIndex):
+        (JSC::JSObject::enterDictionaryIndexingMode):
+        (JSC::JSObject::createInitialIndexedStorage):
+        (JSC::JSObject::createArrayStorage):
+        (JSC::JSObject::convertUndecidedToInt32):
+        (JSC::JSObject::convertUndecidedToDouble):
+        (JSC::JSObject::convertUndecidedToContiguous):
+        (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
+        (JSC::JSObject::convertUndecidedToArrayStorage):
+        (JSC::JSObject::convertInt32ToDouble):
+        (JSC::JSObject::convertInt32ToContiguous):
+        (JSC::JSObject::convertInt32ToArrayStorage):
+        (JSC::JSObject::convertDoubleToContiguous):
+        (JSC::JSObject::convertDoubleToArrayStorage):
+        (JSC::JSObject::convertContiguousToArrayStorage):
+        (JSC::JSObject::setIndexQuicklyToUndecided):
+        (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
+        (JSC::JSObject::deletePropertyByIndex):
+        (JSC::JSObject::getOwnPropertyNames):
+        (JSC::JSObject::putIndexedDescriptor):
+        (JSC::JSObject::defineOwnIndexedProperty):
+        (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
+        (JSC::JSObject::putDirectIndexBeyondVectorLength):
+        (JSC::JSObject::getNewVectorLength):
+        (JSC::JSObject::ensureLengthSlow):
+        (JSC::JSObject::reallocateAndShrinkButterfly):
+        (JSC::JSObject::growOutOfLineStorage):
+        (JSC::JSObject::getOwnPropertyDescriptor):
+        (JSC::JSObject::getEnumerableLength):
+        * runtime/JSObject.h:
+        (JSC::JSObject::getArrayLength):
+        (JSC::JSObject::getVectorLength):
+        (JSC::JSObject::canGetIndexQuickly):
+        (JSC::JSObject::getIndexQuickly):
+        (JSC::JSObject::tryGetIndexQuickly):
+        (JSC::JSObject::canSetIndexQuickly):
+        (JSC::JSObject::canSetIndexQuicklyForPutDirect):
+        (JSC::JSObject::setIndexQuickly):
+        (JSC::JSObject::initializeIndex):
+        (JSC::JSObject::hasSparseMap):
+        (JSC::JSObject::inSparseIndexingMode):
+        (JSC::JSObject::inlineStorage):
+        (JSC::JSObject::butterfly):
+        (JSC::JSObject::outOfLineStorage):
+        (JSC::JSObject::locationForOffset):
+        (JSC::JSObject::ensureInt32):
+        (JSC::JSObject::ensureDouble):
+        (JSC::JSObject::ensureContiguous):
+        (JSC::JSObject::ensureArrayStorage):
+        (JSC::JSObject::arrayStorage):
+        (JSC::JSObject::arrayStorageOrNull):
+        (JSC::JSObject::ensureLength):
+        (JSC::JSObject::putDirectWithoutTransition):
+        * runtime/JSSet.h:
+        (JSC::JSSet::JSSet):
+        * runtime/MapData.h:
+        (JSC::JSIterator&gt;::MapDataImpl):
+        (JSC::JSIterator&gt;::IteratorData::next):
+        (JSC::JSIterator&gt;::IteratorData::refreshCursor):
+        * runtime/MapDataInlines.h:
+        (JSC::JSIterator&gt;::clear):
+        (JSC::JSIterator&gt;::find):
+        (JSC::JSIterator&gt;::add):
+        (JSC::JSIterator&gt;::remove):
+        (JSC::JSIterator&gt;::replaceAndPackBackingStore):
+        (JSC::JSIterator&gt;::replaceBackingStore):
+        (JSC::JSIterator&gt;::ensureSpaceForAppend):
+        (JSC::JSIterator&gt;::visitChildren):
+        (JSC::JSIterator&gt;::copyBackingStore):
+        * runtime/Options.h:
+
</ins><span class="cx"> 2015-10-12  Saam barati  &lt;sbarati@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         Update JSC features.json
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreJavaScriptCorevcxprojJavaScriptCorevcxproj"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj (190895 => 190896)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj        2015-10-12 22:40:36 UTC (rev 190895)
+++ trunk/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj        2015-10-12 22:41:01 UTC (rev 190896)
</span><span class="lines">@@ -402,6 +402,7 @@
</span><span class="cx">     &lt;ClCompile Include=&quot;..\dfg\DFGCompilationMode.cpp&quot; /&gt;
</span><span class="cx">     &lt;ClCompile Include=&quot;..\dfg\DFGConstantFoldingPhase.cpp&quot; /&gt;
</span><span class="cx">     &lt;ClCompile Include=&quot;..\dfg\DFGConstantHoistingPhase.cpp&quot; /&gt;
</span><ins>+    &lt;ClCompile Include=&quot;..\dfg\DFGCopyBarrierOptimizationPhase.cpp&quot; /&gt;
</ins><span class="cx">     &lt;ClCompile Include=&quot;..\dfg\DFGCPSRethreadingPhase.cpp&quot; /&gt;
</span><span class="cx">     &lt;ClCompile Include=&quot;..\dfg\DFGCriticalEdgeBreakingPhase.cpp&quot; /&gt;
</span><span class="cx">     &lt;ClCompile Include=&quot;..\dfg\DFGCSEPhase.cpp&quot; /&gt;
</span><span class="lines">@@ -1138,6 +1139,7 @@
</span><span class="cx">     &lt;ClInclude Include=&quot;..\dfg\DFGCompilationMode.h&quot; /&gt;
</span><span class="cx">     &lt;ClInclude Include=&quot;..\dfg\DFGConstantFoldingPhase.h&quot; /&gt;
</span><span class="cx">     &lt;ClInclude Include=&quot;..\dfg\DFGConstantHoistingPhase.h&quot; /&gt;
</span><ins>+    &lt;ClInclude Include=&quot;..\dfg\DFGCopyBarrierOptimizationPhase.h&quot; /&gt;
</ins><span class="cx">     &lt;ClInclude Include=&quot;..\dfg\DFGCPSRethreadingPhase.h&quot; /&gt;
</span><span class="cx">     &lt;ClInclude Include=&quot;..\dfg\DFGCriticalEdgeBreakingPhase.h&quot; /&gt;
</span><span class="cx">     &lt;ClInclude Include=&quot;..\dfg\DFGCSEPhase.h&quot; /&gt;
</span><span class="lines">@@ -1337,11 +1339,11 @@
</span><span class="cx">     &lt;ClInclude Include=&quot;..\heap\CopiedBlockInlines.h&quot; /&gt;
</span><span class="cx">     &lt;ClInclude Include=&quot;..\heap\CopiedSpace.h&quot; /&gt;
</span><span class="cx">     &lt;ClInclude Include=&quot;..\heap\CopiedSpaceInlines.h&quot; /&gt;
</span><ins>+    &lt;ClInclude Include=&quot;..\heap\CopyBarrier.h&quot; /&gt;
</ins><span class="cx">     &lt;ClInclude Include=&quot;..\heap\CopyToken.h&quot; /&gt;
</span><span class="cx">     &lt;ClInclude Include=&quot;..\heap\CopyVisitor.h&quot; /&gt;
</span><span class="cx">     &lt;ClInclude Include=&quot;..\heap\CopyVisitorInlines.h&quot; /&gt;
</span><span class="cx">     &lt;ClInclude Include=&quot;..\heap\CopyWorkList.h&quot; /&gt;
</span><del>-    &lt;ClInclude Include=&quot;..\heap\CopyWriteBarrier.h&quot; /&gt;
</del><span class="cx">     &lt;ClInclude Include=&quot;..\heap\DeferGC.h&quot; /&gt;
</span><span class="cx">     &lt;ClInclude Include=&quot;..\heap\EdenGCActivityCallback.h&quot; /&gt;
</span><span class="cx">     &lt;ClInclude Include=&quot;..\heap\FullGCActivityCallback.h&quot; /&gt;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreJavaScriptCorexcodeprojprojectpbxproj"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (190895 => 190896)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj        2015-10-12 22:40:36 UTC (rev 190895)
+++ trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj        2015-10-12 22:41:01 UTC (rev 190896)
</span><span class="lines">@@ -86,6 +86,8 @@
</span><span class="cx">                 0F04396E1B03DC0B009598B7 /* DFGCombinedLiveness.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F04396C1B03DC0B009598B7 /* DFGCombinedLiveness.h */; };
</span><span class="cx">                 0F05C3B41683CF9200BAF45B /* DFGArrayifySlowPathGenerator.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F05C3B21683CF8F00BAF45B /* DFGArrayifySlowPathGenerator.h */; };
</span><span class="cx">                 0F0776BF14FF002B00102332 /* JITCompilationEffort.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F0776BD14FF002800102332 /* JITCompilationEffort.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><ins>+                0F0981F71BC5E565004814F8 /* DFGCopyBarrierOptimizationPhase.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F0981F51BC5E565004814F8 /* DFGCopyBarrierOptimizationPhase.cpp */; };
+                0F0981F81BC5E565004814F8 /* DFGCopyBarrierOptimizationPhase.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F0981F61BC5E565004814F8 /* DFGCopyBarrierOptimizationPhase.h */; };
</ins><span class="cx">                 0F0A75221B94BFA900110660 /* InferredType.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F0A75201B94BFA900110660 /* InferredType.cpp */; };
</span><span class="cx">                 0F0A75231B94BFA900110660 /* InferredType.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F0A75211B94BFA900110660 /* InferredType.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx">                 0F0B839C14BCF46300885B4F /* LLIntThunks.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F0B839714BCF45A00885B4F /* LLIntThunks.cpp */; };
</span><span class="lines">@@ -408,6 +410,7 @@
</span><span class="cx">                 0F79085619A290B200F6310C /* DFGStructureRegistrationPhase.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F79085419A290B200F6310C /* DFGStructureRegistrationPhase.h */; };
</span><span class="cx">                 0F7B294B14C3CD2F007C3DB1 /* DFGCapabilities.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FD82E1F14172C2F00179C94 /* DFGCapabilities.h */; };
</span><span class="cx">                 0F7B294D14C3CD4C007C3DB1 /* DFGCommon.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FC0977E1469EBC400CF2442 /* DFGCommon.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><ins>+                0F7C11AD1BC3862C00C74CDB /* CopyBarrier.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F7C11AC1BC3862C00C74CDB /* CopyBarrier.h */; settings = {ATTRIBUTES = (Private, ); }; };
</ins><span class="cx">                 0F8023EA1613832B00A0BA45 /* ByValInfo.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F8023E91613832300A0BA45 /* ByValInfo.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx">                 0F8335B71639C1E6001443B5 /* ArrayAllocationProfile.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F8335B41639C1E3001443B5 /* ArrayAllocationProfile.cpp */; };
</span><span class="cx">                 0F8335B81639C1EA001443B5 /* ArrayAllocationProfile.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F8335B51639C1E3001443B5 /* ArrayAllocationProfile.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="lines">@@ -934,7 +937,6 @@
</span><span class="cx">                 2A4BB7F318A41179008A0FCD /* JSManagedValueInternal.h in Headers */ = {isa = PBXBuildFile; fileRef = 2A4BB7F218A41179008A0FCD /* JSManagedValueInternal.h */; };
</span><span class="cx">                 2A4EC90B1860D6C20094F782 /* WriteBarrierBuffer.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 2A4EC9091860D6C20094F782 /* WriteBarrierBuffer.cpp */; };
</span><span class="cx">                 2A4EC90C1860D6C20094F782 /* WriteBarrierBuffer.h in Headers */ = {isa = PBXBuildFile; fileRef = 2A4EC90A1860D6C20094F782 /* WriteBarrierBuffer.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><del>-                2A68295B1875F80500B6C3E2 /* CopyWriteBarrier.h in Headers */ = {isa = PBXBuildFile; fileRef = 2A68295A1875F80500B6C3E2 /* CopyWriteBarrier.h */; settings = {ATTRIBUTES = (Private, ); }; };
</del><span class="cx">                 2A6F462617E959CE00C45C98 /* HeapOperation.h in Headers */ = {isa = PBXBuildFile; fileRef = 2A6F462517E959CE00C45C98 /* HeapOperation.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx">                 2A7A58EF1808A4C40020BDF7 /* DeferGC.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 2A7A58EE1808A4C40020BDF7 /* DeferGC.cpp */; };
</span><span class="cx">                 2A83638518D7D0EE0000EBCC /* EdenGCActivityCallback.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 2A83638318D7D0EE0000EBCC /* EdenGCActivityCallback.cpp */; };
</span><span class="lines">@@ -1939,6 +1941,8 @@
</span><span class="cx">                 0F04396C1B03DC0B009598B7 /* DFGCombinedLiveness.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGCombinedLiveness.h; path = dfg/DFGCombinedLiveness.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="cx">                 0F05C3B21683CF8F00BAF45B /* DFGArrayifySlowPathGenerator.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGArrayifySlowPathGenerator.h; path = dfg/DFGArrayifySlowPathGenerator.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="cx">                 0F0776BD14FF002800102332 /* JITCompilationEffort.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JITCompilationEffort.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><ins>+                0F0981F51BC5E565004814F8 /* DFGCopyBarrierOptimizationPhase.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGCopyBarrierOptimizationPhase.cpp; path = dfg/DFGCopyBarrierOptimizationPhase.cpp; sourceTree = &quot;&lt;group&gt;&quot;; };
+                0F0981F61BC5E565004814F8 /* DFGCopyBarrierOptimizationPhase.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGCopyBarrierOptimizationPhase.h; path = dfg/DFGCopyBarrierOptimizationPhase.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</ins><span class="cx">                 0F0A75201B94BFA900110660 /* InferredType.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = InferredType.cpp; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="cx">                 0F0A75211B94BFA900110660 /* InferredType.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = InferredType.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="cx">                 0F0B839714BCF45A00885B4F /* LLIntThunks.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = LLIntThunks.cpp; path = llint/LLIntThunks.cpp; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="lines">@@ -2259,6 +2263,7 @@
</span><span class="cx">                 0F7700911402FF280078EB39 /* SamplingCounter.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = SamplingCounter.cpp; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="cx">                 0F79085319A290B200F6310C /* DFGStructureRegistrationPhase.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGStructureRegistrationPhase.cpp; path = dfg/DFGStructureRegistrationPhase.cpp; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="cx">                 0F79085419A290B200F6310C /* DFGStructureRegistrationPhase.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGStructureRegistrationPhase.h; path = dfg/DFGStructureRegistrationPhase.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><ins>+                0F7C11AC1BC3862C00C74CDB /* CopyBarrier.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CopyBarrier.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</ins><span class="cx">                 0F8023E91613832300A0BA45 /* ByValInfo.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ByValInfo.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="cx">                 0F8335B41639C1E3001443B5 /* ArrayAllocationProfile.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ArrayAllocationProfile.cpp; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="cx">                 0F8335B51639C1E3001443B5 /* ArrayAllocationProfile.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ArrayAllocationProfile.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="lines">@@ -2755,7 +2760,6 @@
</span><span class="cx">                 2A4BB7F218A41179008A0FCD /* JSManagedValueInternal.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSManagedValueInternal.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="cx">                 2A4EC9091860D6C20094F782 /* WriteBarrierBuffer.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = WriteBarrierBuffer.cpp; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="cx">                 2A4EC90A1860D6C20094F782 /* WriteBarrierBuffer.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = WriteBarrierBuffer.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><del>-                2A68295A1875F80500B6C3E2 /* CopyWriteBarrier.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CopyWriteBarrier.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</del><span class="cx">                 2A6F462517E959CE00C45C98 /* HeapOperation.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = HeapOperation.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="cx">                 2A7A58EE1808A4C40020BDF7 /* DeferGC.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = DeferGC.cpp; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="cx">                 2A83638318D7D0EE0000EBCC /* EdenGCActivityCallback.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = EdenGCActivityCallback.cpp; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="lines">@@ -4250,12 +4254,12 @@
</span><span class="cx">                                 C240305314B404C90079EB64 /* CopiedSpace.cpp */,
</span><span class="cx">                                 C2EAA3F8149A830800FCE112 /* CopiedSpace.h */,
</span><span class="cx">                                 C2C8D02B14A3C6B200578E65 /* CopiedSpaceInlines.h */,
</span><ins>+                                0F7C11AC1BC3862C00C74CDB /* CopyBarrier.h */,
</ins><span class="cx">                                 0F5A52CF17ADD717008ECB2D /* CopyToken.h */,
</span><span class="cx">                                 C2239D1216262BDD005AC5FD /* CopyVisitor.cpp */,
</span><span class="cx">                                 C2239D1316262BDD005AC5FD /* CopyVisitor.h */,
</span><span class="cx">                                 C2239D1416262BDD005AC5FD /* CopyVisitorInlines.h */,
</span><span class="cx">                                 C218D13F1655CFD50062BB81 /* CopyWorkList.h */,
</span><del>-                                2A68295A1875F80500B6C3E2 /* CopyWriteBarrier.h */,
</del><span class="cx">                                 2A7A58EE1808A4C40020BDF7 /* DeferGC.cpp */,
</span><span class="cx">                                 0F136D4B174AD69B0075B354 /* DeferGC.h */,
</span><span class="cx">                                 2A83638318D7D0EE0000EBCC /* EdenGCActivityCallback.cpp */,
</span><span class="lines">@@ -5247,6 +5251,8 @@
</span><span class="cx">                                 0F3B3A18153E68EF003ED0FF /* DFGConstantFoldingPhase.h */,
</span><span class="cx">                                 0FED67B71B26256D0066CE15 /* DFGConstantHoistingPhase.cpp */,
</span><span class="cx">                                 0FED67B81B26256D0066CE15 /* DFGConstantHoistingPhase.h */,
</span><ins>+                                0F0981F51BC5E565004814F8 /* DFGCopyBarrierOptimizationPhase.cpp */,
+                                0F0981F61BC5E565004814F8 /* DFGCopyBarrierOptimizationPhase.h */,
</ins><span class="cx">                                 0FBE0F6B16C1DB010082C5E8 /* DFGCPSRethreadingPhase.cpp */,
</span><span class="cx">                                 0FBE0F6C16C1DB010082C5E8 /* DFGCPSRethreadingPhase.h */,
</span><span class="cx">                                 A7D89CE617A0B8CC00773AD8 /* DFGCriticalEdgeBreakingPhase.cpp */,
</span><span class="lines">@@ -6088,7 +6094,6 @@
</span><span class="cx">                                 C2239D1816262BDD005AC5FD /* CopyVisitor.h in Headers */,
</span><span class="cx">                                 C2239D1916262BDD005AC5FD /* CopyVisitorInlines.h in Headers */,
</span><span class="cx">                                 C218D1401655CFD50062BB81 /* CopyWorkList.h in Headers */,
</span><del>-                                2A68295B1875F80500B6C3E2 /* CopyWriteBarrier.h in Headers */,
</del><span class="cx">                                 C4F4B6F41A05C944005CAB76 /* cpp_generator.py in Headers */,
</span><span class="cx">                                 C4F4B6F31A05C944005CAB76 /* cpp_generator_templates.py in Headers */,
</span><span class="cx">                                 5DE6E5B30E1728EC00180407 /* create_hash_table in Headers */,
</span><span class="lines">@@ -6528,6 +6533,7 @@
</span><span class="cx">                                 A7A4AE1017973B4D005612B1 /* JITStubsX86Common.h in Headers */,
</span><span class="cx">                                 0F5EF91F16878F7D003E5C25 /* JITThunks.h in Headers */,
</span><span class="cx">                                 0FC712E317CD8793008CC93C /* JITToDFGDeferredCompilationCallback.h in Headers */,
</span><ins>+                                0F0981F81BC5E565004814F8 /* DFGCopyBarrierOptimizationPhase.h in Headers */,
</ins><span class="cx">                                 A76F54A313B28AAB00EF2BCE /* JITWriteBarrier.h in Headers */,
</span><span class="cx">                                 840480131021A1D9008E7F01 /* JSAPIValueWrapper.h in Headers */,
</span><span class="cx">                                 C2CF39C216E15A8100DD69BE /* JSAPIWrapperObject.h in Headers */,
</span><span class="lines">@@ -6774,6 +6780,7 @@
</span><span class="cx">                                 868916B0155F286300CB2B9A /* PrivateName.h in Headers */,
</span><span class="cx">                                 BC18C4500E16F5CD00B34460 /* Profile.h in Headers */,
</span><span class="cx">                                 95CD45770E1C4FDD0085358E /* ProfileGenerator.h in Headers */,
</span><ins>+                                0F7C11AD1BC3862C00C74CDB /* CopyBarrier.h in Headers */,
</ins><span class="cx">                                 BC18C4510E16F5CD00B34460 /* ProfileNode.h in Headers */,
</span><span class="cx">                                 0FF729A5166AD351000F5BA3 /* ProfilerBytecode.h in Headers */,
</span><span class="cx">                                 0FF729B9166AD360000F5BA3 /* ProfilerBytecodes.h in Headers */,
</span><span class="lines">@@ -8124,6 +8131,7 @@
</span><span class="cx">                                 709FB86B1AE335C60039D069 /* WeakSetPrototype.cpp in Sources */,
</span><span class="cx">                                 2A4EC90B1860D6C20094F782 /* WriteBarrierBuffer.cpp in Sources */,
</span><span class="cx">                                 0FC8150B14043C0E00CFA603 /* WriteBarrierSupport.cpp in Sources */,
</span><ins>+                                0F0981F71BC5E565004814F8 /* DFGCopyBarrierOptimizationPhase.cpp in Sources */,
</ins><span class="cx">                                 A7E5AB3A1799E4B200D2833D /* X86Disassembler.cpp in Sources */,
</span><span class="cx">                                 863C6D9C1521111A00585E4E /* YarrCanonicalizeUCS2.cpp in Sources */,
</span><span class="cx">                                 86704B8412DBA33700A9FE7B /* YarrInterpreter.cpp in Sources */,
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodePolymorphicAccesscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/PolymorphicAccess.cpp (190895 => 190896)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/PolymorphicAccess.cpp        2015-10-12 22:40:36 UTC (rev 190895)
+++ trunk/Source/JavaScriptCore/bytecode/PolymorphicAccess.cpp        2015-10-12 22:41:01 UTC (rev 190896)
</span><span class="lines">@@ -607,6 +607,7 @@
</span><span class="cx">                 jit.loadPtr(
</span><span class="cx">                     CCallHelpers::Address(baseForAccessGPR, JSObject::butterflyOffset()),
</span><span class="cx">                     loadedValueGPR);
</span><ins>+                jit.removeSpaceBits(loadedValueGPR);
</ins><span class="cx">                 storageGPR = loadedValueGPR;
</span><span class="cx">             }
</span><span class="cx"> 
</span><span class="lines">@@ -893,6 +894,7 @@
</span><span class="cx">                     offsetInInlineStorage(m_offset) * sizeof(JSValue)));
</span><span class="cx">         } else {
</span><span class="cx">             jit.loadPtr(CCallHelpers::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR);
</span><ins>+            state.failAndIgnore.append(jit.branchIfNotToSpace(scratchGPR));
</ins><span class="cx">             jit.storeValue(
</span><span class="cx">                 valueRegs,
</span><span class="cx">                 CCallHelpers::Address(
</span><span class="lines">@@ -956,6 +958,7 @@
</span><span class="cx">                 ASSERT(newSize &gt; oldSize);
</span><span class="cx">             
</span><span class="cx">                 jit.loadPtr(CCallHelpers::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR3);
</span><ins>+                slowPath.append(jit.branchIfNotToSpace(scratchGPR3));
</ins><span class="cx">                 jit.loadPtr(&amp;copiedAllocator-&gt;m_currentRemaining, scratchGPR);
</span><span class="cx">                 slowPath.append(
</span><span class="cx">                     jit.branchSubPtr(
</span><span class="lines">@@ -999,8 +1002,10 @@
</span><span class="cx">                     JSObject::offsetOfInlineStorage() +
</span><span class="cx">                     offsetInInlineStorage(m_offset) * sizeof(JSValue)));
</span><span class="cx">         } else {
</span><del>-            if (!scratchGPRHasStorage)
</del><ins>+            if (!scratchGPRHasStorage) {
</ins><span class="cx">                 jit.loadPtr(CCallHelpers::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR);
</span><ins>+                state.failAndIgnore.append(jit.branchIfNotToSpace(scratchGPR));
+            }
</ins><span class="cx">             jit.storeValue(
</span><span class="cx">                 valueRegs,
</span><span class="cx">                 CCallHelpers::Address(scratchGPR, offsetInButterfly(m_offset) * sizeof(JSValue)));
</span><span class="lines">@@ -1087,6 +1092,7 @@
</span><span class="cx"> 
</span><span class="cx">     case ArrayLength: {
</span><span class="cx">         jit.loadPtr(CCallHelpers::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR);
</span><ins>+        jit.removeSpaceBits(scratchGPR);
</ins><span class="cx">         jit.load32(CCallHelpers::Address(scratchGPR, ArrayStorage::lengthOffset()), scratchGPR);
</span><span class="cx">         state.failAndIgnore.append(
</span><span class="cx">             jit.branch32(CCallHelpers::LessThan, scratchGPR, CCallHelpers::TrustedImm32(0)));
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGAbstractInterpreterInlinesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h (190895 => 190896)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h        2015-10-12 22:40:36 UTC (rev 190895)
+++ trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h        2015-10-12 22:41:01 UTC (rev 190896)
</span><span class="lines">@@ -1968,6 +1968,7 @@
</span><span class="cx">         }
</span><span class="cx">         break;
</span><span class="cx">     case GetButterfly:
</span><ins>+    case GetButterflyReadOnly:
</ins><span class="cx">     case AllocatePropertyStorage:
</span><span class="cx">     case ReallocatePropertyStorage:
</span><span class="cx">         forNode(node).clear(); // The result is not a JS value.
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGArgumentsEliminationPhasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp (190895 => 190896)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp        2015-10-12 22:40:36 UTC (rev 190895)
+++ trunk/Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp        2015-10-12 22:41:01 UTC (rev 190896)
</span><span class="lines">@@ -192,6 +192,7 @@
</span><span class="cx">                     break;
</span><span class="cx">                     
</span><span class="cx">                 case GetButterfly:
</span><ins>+                case GetButterflyReadOnly:
</ins><span class="cx">                     // This barely works. The danger is that the GetButterfly is used by something that
</span><span class="cx">                     // does something escaping to a candidate. Fortunately, the only butterfly-using ops
</span><span class="cx">                     // that we exempt here also use the candidate directly. If there ever was a
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGClobberizeh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGClobberize.h (190895 => 190896)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGClobberize.h        2015-10-12 22:40:36 UTC (rev 190895)
+++ trunk/Source/JavaScriptCore/dfg/DFGClobberize.h        2015-10-12 22:41:01 UTC (rev 190896)
</span><span class="lines">@@ -731,6 +731,13 @@
</span><span class="cx">         read(JSObject_butterfly);
</span><span class="cx">         def(HeapLocation(ButterflyLoc, JSObject_butterfly, node-&gt;child1()), LazyNode(node));
</span><span class="cx">         return;
</span><ins>+
+    case GetButterflyReadOnly:
+        // This rule is separate to prevent CSE of GetButterfly with GetButterflyReadOnly. But in reality,
+        // this works because we don't introduce GetButterflyReadOnly until the bitter end of compilation.
+        read(JSObject_butterfly);
+        def(HeapLocation(ButterflyReadOnlyLoc, JSObject_butterfly, node-&gt;child1()), LazyNode(node));
+        return;
</ins><span class="cx">         
</span><span class="cx">     case Arrayify:
</span><span class="cx">     case ArrayifyToStructure:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGCopyBarrierOptimizationPhasecpp"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/dfg/DFGCopyBarrierOptimizationPhase.cpp (0 => 190896)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGCopyBarrierOptimizationPhase.cpp                                (rev 0)
+++ trunk/Source/JavaScriptCore/dfg/DFGCopyBarrierOptimizationPhase.cpp        2015-10-12 22:41:01 UTC (rev 190896)
</span><span class="lines">@@ -0,0 +1,133 @@
</span><ins>+/*
+ * Copyright (C) 2015 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include &quot;config.h&quot;
+#include &quot;DFGCopyBarrierOptimizationPhase.h&quot;
+
+#if ENABLE(DFG_JIT)
+
+#include &quot;DFGClobberize.h&quot;
+#include &quot;DFGDoesGC.h&quot;
+#include &quot;DFGGraph.h&quot;
+#include &quot;DFGPhase.h&quot;
+#include &quot;JSCInlines.h&quot;
+
+namespace JSC { namespace DFG {
+
+namespace {
+
+bool verbose = false;
+
+class CopyBarrierOptimizationPhase : public Phase {
+public:
+    CopyBarrierOptimizationPhase(Graph&amp; graph)
+        : Phase(graph, &quot;copy barrier optimization&quot;)
+    {
+    }
+    
+    bool run()
+    {
+        if (verbose) {
+            dataLog(&quot;Starting copy barrier optimization:\n&quot;);
+            m_graph.dump();
+        }
+
+        // First convert all GetButterfly nodes into GetButterflyReadOnly.
+        for (BasicBlock* block : m_graph.blocksInNaturalOrder()) {
+            for (Node* node : *block) {
+                if (node-&gt;op() == GetButterfly)
+                    node-&gt;setOp(GetButterflyReadOnly);
+            }
+        }
+
+        // Anytime we use a GetButterflyReadOnly in a setting that may write to the heap, or if we're in a
+        // new epoch, convert it to a GetButterfly. The epoch gets incremented at basic block boundaries,
+        // anytime we GC, and anytime a barrier on the butterfly may be executed. We traverse the program
+        // in pre-order so that we always see uses after defs. Note that this is a fixpoint because if we
+        // turn a GetButterflyReadOnly into a GetButterfly, then we've introduced a butterfly reallocation.
+        bool changed = true;
+        Epoch currentEpoch = Epoch::first();
+        m_graph.clearEpochs();
+        while (changed) {
+            changed = false;
+            for (BasicBlock* block : m_graph.blocksInPreOrder()) {
+                currentEpoch.bump();
+                for (Node* node : *block) {
+                    bool writesToHeap = writesOverlap(m_graph, node, Heap);
+
+                    bool reallocatesButterfly = false;
+                    if (doesGC(m_graph, node) || writesOverlap(m_graph, node, JSObject_butterfly))
+                        reallocatesButterfly = true;
+                    else {
+                        // This is not an exhaustive list of things that will execute copy barriers. Most
+                        // things that execute copy barriers also do GC or have writes that overlap the
+                        // butterfly heap, and we catch that above.
+                        switch (node-&gt;op()) {
+                        case GetButterfly:
+                        case MultiPutByOffset:
+                            reallocatesButterfly = true;
+                            break;
+                        default:
+                            break;
+                        }
+                    }
+                
+                    m_graph.doToChildren(
+                        node,
+                        [&amp;] (Edge edge) {
+                            if (edge-&gt;op() != GetButterflyReadOnly)
+                                return;
+                        
+                            if (writesToHeap || currentEpoch != edge-&gt;epoch()) {
+                                changed = true;
+                                edge-&gt;setOp(GetButterfly);
+                            }
+                        });
+
+                    if (reallocatesButterfly)
+                        currentEpoch.bump();
+
+                    node-&gt;setEpoch(currentEpoch);
+                }
+            }
+        }
+        
+        // This phase always thinks that it changes the graph. That's OK, because it's a late phase.
+        return true;
+    }
+};
+
+} // anonymous namespace
+
+bool performCopyBarrierOptimization(Graph&amp; graph)
+{
+    SamplingRegion samplingRegion(&quot;DFG Copy Barrier Optimization Phase&quot;);
+    return runPhase&lt;CopyBarrierOptimizationPhase&gt;(graph);
+}
+
+} } // namespace JSC::DFG
+
+#endif // ENABLE(DFG_JIT)
+
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGCopyBarrierOptimizationPhaseh"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/dfg/DFGCopyBarrierOptimizationPhase.h (0 => 190896)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGCopyBarrierOptimizationPhase.h                                (rev 0)
+++ trunk/Source/JavaScriptCore/dfg/DFGCopyBarrierOptimizationPhase.h        2015-10-12 22:41:01 UTC (rev 190896)
</span><span class="lines">@@ -0,0 +1,44 @@
</span><ins>+/*
+ * Copyright (C) 2015 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef DFGCopyBarrierOptimizationPhase_h
+#define DFGCopyBarrierOptimizationPhase_h
+
+#if ENABLE(DFG_JIT)
+
+namespace JSC { namespace DFG {
+
+class Graph;
+
+// Converts GetButterfly nodes into GetButterflyReadOnly nodes whenever the butterfly is only used for
+// read-only operations.
+bool performCopyBarrierOptimization(Graph&amp;);
+
+} } // namespace JSC::DFG
+
+#endif // ENABLE(DFG_JIT)
+
+#endif // DFGCopyBarrierOptimizationPhase_h
+
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGDoesGCcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp (190895 => 190896)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp        2015-10-12 22:40:36 UTC (rev 190895)
+++ trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp        2015-10-12 22:41:01 UTC (rev 190896)
</span><span class="lines">@@ -98,6 +98,7 @@
</span><span class="cx">     case CheckStructure:
</span><span class="cx">     case GetExecutable:
</span><span class="cx">     case GetButterfly:
</span><ins>+    case GetButterflyReadOnly:
</ins><span class="cx">     case CheckArray:
</span><span class="cx">     case GetScope:
</span><span class="cx">     case LoadArrowFunctionThis:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGFixupPhasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp (190895 => 190896)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp        2015-10-12 22:40:36 UTC (rev 190895)
+++ trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp        2015-10-12 22:41:01 UTC (rev 190896)
</span><span class="lines">@@ -1065,7 +1065,8 @@
</span><span class="cx">         case CheckCell:
</span><span class="cx">         case CheckHasInstance:
</span><span class="cx">         case CreateThis:
</span><del>-        case GetButterfly: {
</del><ins>+        case GetButterfly:
+        case GetButterflyReadOnly: {
</ins><span class="cx">             fixEdge&lt;CellUse&gt;(node-&gt;child1());
</span><span class="cx">             break;
</span><span class="cx">         }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGHeapLocationcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp (190895 => 190896)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp        2015-10-12 22:40:36 UTC (rev 190895)
+++ trunk/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp        2015-10-12 22:41:01 UTC (rev 190896)
</span><span class="lines">@@ -92,6 +92,10 @@
</span><span class="cx">         out.print(&quot;ButterflyLoc&quot;);
</span><span class="cx">         return;
</span><span class="cx">         
</span><ins>+    case ButterflyReadOnlyLoc:
+        out.print(&quot;ButterflyReadOnlyLoc&quot;);
+        return;
+        
</ins><span class="cx">     case CheckHasInstanceLoc:
</span><span class="cx">         out.print(&quot;CheckHasInstanceLoc&quot;);
</span><span class="cx">         return;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGHeapLocationh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGHeapLocation.h (190895 => 190896)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGHeapLocation.h        2015-10-12 22:40:36 UTC (rev 190895)
+++ trunk/Source/JavaScriptCore/dfg/DFGHeapLocation.h        2015-10-12 22:41:01 UTC (rev 190896)
</span><span class="lines">@@ -39,6 +39,7 @@
</span><span class="cx">     
</span><span class="cx">     ArrayLengthLoc,
</span><span class="cx">     ButterflyLoc,
</span><ins>+    ButterflyReadOnlyLoc,
</ins><span class="cx">     CheckHasInstanceLoc,
</span><span class="cx">     ClosureVariableLoc,
</span><span class="cx">     DirectArgumentsLoc,
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGLICMPhasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGLICMPhase.cpp (190895 => 190896)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGLICMPhase.cpp        2015-10-12 22:40:36 UTC (rev 190895)
+++ trunk/Source/JavaScriptCore/dfg/DFGLICMPhase.cpp        2015-10-12 22:41:01 UTC (rev 190896)
</span><span class="lines">@@ -73,6 +73,11 @@
</span><span class="cx">         
</span><span class="cx">         m_graph.m_dominators.computeIfNecessary(m_graph);
</span><span class="cx">         m_graph.m_naturalLoops.computeIfNecessary(m_graph);
</span><ins>+
+        if (verbose) {
+            dataLog(&quot;Graph before LICM:\n&quot;);
+            m_graph.dump();
+        }
</ins><span class="cx">         
</span><span class="cx">         m_data.resize(m_graph.m_naturalLoops.numLoops());
</span><span class="cx">         
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGNodeTypeh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGNodeType.h (190895 => 190896)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGNodeType.h        2015-10-12 22:40:36 UTC (rev 190895)
+++ trunk/Source/JavaScriptCore/dfg/DFGNodeType.h        2015-10-12 22:41:01 UTC (rev 190896)
</span><span class="lines">@@ -187,6 +187,7 @@
</span><span class="cx">     macro(AllocatePropertyStorage, NodeMustGenerate | NodeResultStorage) \
</span><span class="cx">     macro(ReallocatePropertyStorage, NodeMustGenerate | NodeResultStorage) \
</span><span class="cx">     macro(GetButterfly, NodeResultStorage) \
</span><ins>+    macro(GetButterflyReadOnly, NodeResultStorage) /* A node used to replace GetButterfly at the bitter end of compilation. */\
</ins><span class="cx">     macro(CheckArray, NodeMustGenerate) \
</span><span class="cx">     macro(Arrayify, NodeMustGenerate) \
</span><span class="cx">     macro(ArrayifyToStructure, NodeMustGenerate) \
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGOperationscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp (190895 => 190896)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp        2015-10-12 22:40:36 UTC (rev 190895)
+++ trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp        2015-10-12 22:41:01 UTC (rev 190896)
</span><span class="lines">@@ -643,7 +643,9 @@
</span><span class="cx">     if (UNLIKELY(size &lt; 0))
</span><span class="cx">         return bitwise_cast&lt;char*&gt;(exec-&gt;vm().throwException(exec, createRangeError(exec, ASCIILiteral(&quot;Array size is not a small enough positive integer.&quot;))));
</span><span class="cx"> 
</span><del>-    return bitwise_cast&lt;char*&gt;(JSArray::create(*vm, arrayStructure, size));
</del><ins>+    JSArray* result = JSArray::create(*vm, arrayStructure, size);
+    result-&gt;butterfly(); // Ensure that the backing store is in to-space.
+    return bitwise_cast&lt;char*&gt;(result);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> char* JIT_OPERATION operationNewArrayBuffer(ExecState* exec, Structure* arrayStructure, size_t start, size_t size)
</span><span class="lines">@@ -1176,6 +1178,24 @@
</span><span class="cx">     return exec-&gt;codeBlock()-&gt;stringSwitchJumpTable(tableIndex).offsetForValue(string-&gt;value(exec).impl(), std::numeric_limits&lt;int32_t&gt;::min());
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+char* JIT_OPERATION operationGetButterfly(ExecState* exec, JSCell* cell)
+{
+    VM&amp; vm = exec-&gt;vm();
+    NativeCallFrameTracer tracer(&amp;vm, exec);
+
+    dataLog(&quot;Ran the barrier.\n&quot;);
+
+    return bitwise_cast&lt;char*&gt;(jsCast&lt;JSObject*&gt;(cell)-&gt;butterfly());
+}
+
+char* JIT_OPERATION operationGetArrayBufferVector(ExecState* exec, JSCell* cell)
+{
+    VM&amp; vm = exec-&gt;vm();
+    NativeCallFrameTracer tracer(&amp;vm, exec);
+
+    return bitwise_cast&lt;char*&gt;(jsCast&lt;JSArrayBufferView*&gt;(cell)-&gt;vector());
+}
+
</ins><span class="cx"> void JIT_OPERATION operationNotifyWrite(ExecState* exec, WatchpointSet* set)
</span><span class="cx"> {
</span><span class="cx">     VM&amp; vm = exec-&gt;vm();
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGOperationsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGOperations.h (190895 => 190896)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGOperations.h        2015-10-12 22:40:36 UTC (rev 190895)
+++ trunk/Source/JavaScriptCore/dfg/DFGOperations.h        2015-10-12 22:41:01 UTC (rev 190896)
</span><span class="lines">@@ -130,6 +130,8 @@
</span><span class="cx"> char* JIT_OPERATION operationFindSwitchImmTargetForDouble(ExecState*, EncodedJSValue, size_t tableIndex);
</span><span class="cx"> char* JIT_OPERATION operationSwitchString(ExecState*, size_t tableIndex, JSString*);
</span><span class="cx"> int32_t JIT_OPERATION operationSwitchStringAndGetBranchOffset(ExecState*, size_t tableIndex, JSString*);
</span><ins>+char* JIT_OPERATION operationGetButterfly(ExecState*, JSCell*);
+char* JIT_OPERATION operationGetArrayBufferVector(ExecState*, JSCell*);
</ins><span class="cx"> void JIT_OPERATION operationNotifyWrite(ExecState*, WatchpointSet*);
</span><span class="cx"> void JIT_OPERATION operationThrowStackOverflowForVarargs(ExecState*) WTF_INTERNAL;
</span><span class="cx"> int32_t JIT_OPERATION operationSizeOfVarargs(ExecState*, EncodedJSValue arguments, int32_t firstVarArgOffset);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGPlancpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGPlan.cpp (190895 => 190896)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGPlan.cpp        2015-10-12 22:40:36 UTC (rev 190895)
+++ trunk/Source/JavaScriptCore/dfg/DFGPlan.cpp        2015-10-12 22:41:01 UTC (rev 190896)
</span><span class="lines">@@ -38,6 +38,7 @@
</span><span class="cx"> #include &quot;DFGCleanUpPhase.h&quot;
</span><span class="cx"> #include &quot;DFGConstantFoldingPhase.h&quot;
</span><span class="cx"> #include &quot;DFGConstantHoistingPhase.h&quot;
</span><ins>+#include &quot;DFGCopyBarrierOptimizationPhase.h&quot;
</ins><span class="cx"> #include &quot;DFGCriticalEdgeBreakingPhase.h&quot;
</span><span class="cx"> #include &quot;DFGDCEPhase.h&quot;
</span><span class="cx"> #include &quot;DFGFailedFinalizer.h&quot;
</span><span class="lines">@@ -358,6 +359,8 @@
</span><span class="cx">         performCleanUp(dfg);
</span><span class="cx">         performCPSRethreading(dfg);
</span><span class="cx">         performDCE(dfg);
</span><ins>+        if (Options::enableCopyBarrierOptimization())
+            performCopyBarrierOptimization(dfg);
</ins><span class="cx">         performPhantomInsertion(dfg);
</span><span class="cx">         performStackLayout(dfg);
</span><span class="cx">         performVirtualRegisterAllocation(dfg);
</span><span class="lines">@@ -437,6 +440,8 @@
</span><span class="cx">             performMovHintRemoval(dfg);
</span><span class="cx">         performCleanUp(dfg);
</span><span class="cx">         performDCE(dfg); // We rely on this to kill dead code that won't be recognized as dead by LLVM.
</span><ins>+        if (Options::enableCopyBarrierOptimization())
+            performCopyBarrierOptimization(dfg);
</ins><span class="cx">         performStackLayout(dfg);
</span><span class="cx">         performLivenessAnalysis(dfg);
</span><span class="cx">         performOSRAvailabilityAnalysis(dfg);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGPredictionPropagationPhasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp (190895 => 190896)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp        2015-10-12 22:40:36 UTC (rev 190895)
+++ trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp        2015-10-12 22:41:01 UTC (rev 190896)
</span><span class="lines">@@ -442,7 +442,8 @@
</span><span class="cx">             break;
</span><span class="cx">         }
</span><span class="cx">             
</span><del>-        case GetButterfly: 
</del><ins>+        case GetButterfly:
+        case GetButterflyReadOnly:
</ins><span class="cx">         case GetIndexedPropertyStorage:
</span><span class="cx">         case AllocatePropertyStorage:
</span><span class="cx">         case ReallocatePropertyStorage: {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSafeToExecuteh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h (190895 => 190896)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h        2015-10-12 22:40:36 UTC (rev 190895)
+++ trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h        2015-10-12 22:41:01 UTC (rev 190896)
</span><span class="lines">@@ -191,6 +191,7 @@
</span><span class="cx">     case CheckStructure:
</span><span class="cx">     case GetExecutable:
</span><span class="cx">     case GetButterfly:
</span><ins>+    case GetButterflyReadOnly:
</ins><span class="cx">     case CheckArray:
</span><span class="cx">     case Arrayify:
</span><span class="cx">     case ArrayifyToStructure:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJITcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (190895 => 190896)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp        2015-10-12 22:40:36 UTC (rev 190895)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp        2015-10-12 22:41:01 UTC (rev 190896)
</span><span class="lines">@@ -4388,6 +4388,11 @@
</span><span class="cx">         m_jit.loadPtr(
</span><span class="cx">             MacroAssembler::Address(baseReg, JSArrayBufferView::offsetOfVector()),
</span><span class="cx">             storageReg);
</span><ins>+
+        addSlowPathGenerator(
+            slowPathCall(
+                m_jit.branchIfNotToSpace(storageReg),
+                this, operationGetArrayBufferVector, storageReg, baseReg));
</ins><span class="cx">         break;
</span><span class="cx">     }
</span><span class="cx">     
</span><span class="lines">@@ -4408,9 +4413,11 @@
</span><span class="cx">         MacroAssembler::NotEqual,
</span><span class="cx">         MacroAssembler::Address(baseGPR, JSArrayBufferView::offsetOfMode()),
</span><span class="cx">         TrustedImm32(WastefulTypedArray));
</span><del>-    
</del><ins>+
</ins><span class="cx">     m_jit.loadPtr(MacroAssembler::Address(baseGPR, JSObject::butterflyOffset()), dataGPR);
</span><ins>+    m_jit.removeSpaceBits(dataGPR);
</ins><span class="cx">     m_jit.loadPtr(MacroAssembler::Address(baseGPR, JSArrayBufferView::offsetOfVector()), vectorGPR);
</span><ins>+    m_jit.removeSpaceBits(vectorGPR);
</ins><span class="cx">     m_jit.loadPtr(MacroAssembler::Address(dataGPR, Butterfly::offsetOfArrayBuffer()), dataGPR);
</span><span class="cx">     m_jit.loadPtr(MacroAssembler::Address(dataGPR, ArrayBuffer::offsetOfData()), dataGPR);
</span><span class="cx">     m_jit.subPtr(dataGPR, vectorGPR);
</span><span class="lines">@@ -4421,7 +4428,7 @@
</span><span class="cx">     m_jit.move(TrustedImmPtr(0), vectorGPR);
</span><span class="cx">     
</span><span class="cx">     done.link(&amp;m_jit);
</span><del>-    
</del><ins>+
</ins><span class="cx">     int32Result(vectorGPR, node);
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="lines">@@ -5489,6 +5496,36 @@
</span><span class="cx">     storageResult(scratchGPR1, node);
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+void SpeculativeJIT::compileGetButterfly(Node* node)
+{
+    SpeculateCellOperand base(this, node-&gt;child1());
+    GPRTemporary result(this, Reuse, base);
+    
+    GPRReg baseGPR = base.gpr();
+    GPRReg resultGPR = result.gpr();
+    
+    m_jit.loadPtr(JITCompiler::Address(baseGPR, JSObject::butterflyOffset()), resultGPR);
+
+    switch (node-&gt;op()) {
+    case GetButterfly:
+        addSlowPathGenerator(
+            slowPathCall(
+                m_jit.branchIfNotToSpace(resultGPR),
+                this, operationGetButterfly, resultGPR, baseGPR));
+        break;
+
+    case GetButterflyReadOnly:
+        m_jit.removeSpaceBits(resultGPR);
+        break;
+
+    default:
+        DFG_CRASH(m_jit.graph(), node, &quot;Bad node type&quot;);
+        break;
+    }
+    
+    storageResult(resultGPR, node);
+}
+
</ins><span class="cx"> GPRReg SpeculativeJIT::temporaryRegisterForPutByVal(GPRTemporary&amp; temporary, ArrayMode arrayMode)
</span><span class="cx"> {
</span><span class="cx">     if (!putByValWillNeedExtraRegister(arrayMode))
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJITh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h (190895 => 190896)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h        2015-10-12 22:40:36 UTC (rev 190895)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h        2015-10-12 22:41:01 UTC (rev 190896)
</span><span class="lines">@@ -2147,6 +2147,7 @@
</span><span class="cx">     
</span><span class="cx">     void compileAllocatePropertyStorage(Node*);
</span><span class="cx">     void compileReallocatePropertyStorage(Node*);
</span><ins>+    void compileGetButterfly(Node*);
</ins><span class="cx">     
</span><span class="cx"> #if USE(JSVALUE32_64)
</span><span class="cx">     template&lt;typename BaseOperandType, typename PropertyOperandType, typename ValueOperandType, typename TagType&gt;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJIT32_64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (190895 => 190896)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp        2015-10-12 22:40:36 UTC (rev 190895)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp        2015-10-12 22:41:01 UTC (rev 190896)
</span><span class="lines">@@ -4023,18 +4023,10 @@
</span><span class="cx">         compileReallocatePropertyStorage(node);
</span><span class="cx">         break;
</span><span class="cx">         
</span><del>-    case GetButterfly: {
-        SpeculateCellOperand base(this, node-&gt;child1());
-        GPRTemporary result(this, Reuse, base);
-        
-        GPRReg baseGPR = base.gpr();
-        GPRReg resultGPR = result.gpr();
-        
-        m_jit.loadPtr(JITCompiler::Address(baseGPR, JSObject::butterflyOffset()), resultGPR);
-        
-        storageResult(resultGPR, node);
</del><ins>+    case GetButterfly:
+    case GetButterflyReadOnly:
+        compileGetButterfly(node);
</ins><span class="cx">         break;
</span><del>-    }
</del><span class="cx"> 
</span><span class="cx">     case GetIndexedPropertyStorage: {
</span><span class="cx">         compileGetIndexedPropertyStorage(node);
</span><span class="lines">@@ -4623,10 +4615,16 @@
</span><span class="cx">         GPRReg indexGPR = index.gpr();
</span><span class="cx">         GPRReg enumeratorGPR = enumerator.gpr();
</span><span class="cx"> 
</span><ins>+        MacroAssembler::JumpList slowPath;
+
</ins><span class="cx">         // Check the structure
</span><span class="cx">         m_jit.load32(MacroAssembler::Address(baseGPR, JSCell::structureIDOffset()), scratchGPR);
</span><del>-        MacroAssembler::Jump wrongStructure = m_jit.branch32(MacroAssembler::NotEqual, 
-            scratchGPR, MacroAssembler::Address(enumeratorGPR, JSPropertyNameEnumerator::cachedStructureIDOffset()));
</del><ins>+        slowPath.append(
+            m_jit.branch32(
+                MacroAssembler::NotEqual, 
+                scratchGPR,
+                MacroAssembler::Address(
+                    enumeratorGPR, JSPropertyNameEnumerator::cachedStructureIDOffset())));
</ins><span class="cx">         
</span><span class="cx">         // Compute the offset
</span><span class="cx">         // If index is less than the enumerator's cached inline storage, then it's an inline access
</span><span class="lines">@@ -4648,14 +4646,15 @@
</span><span class="cx">         m_jit.signExtend32ToPtr(scratchGPR, scratchGPR);
</span><span class="cx">         // We use resultPayloadGPR as a temporary here. We have to make sure clobber it after getting the 
</span><span class="cx">         // value out of indexGPR and enumeratorGPR because resultPayloadGPR could reuse either of those registers.
</span><del>-        m_jit.loadPtr(MacroAssembler::Address(baseGPR, JSObject::butterflyOffset()), resultPayloadGPR); 
</del><ins>+        m_jit.loadPtr(MacroAssembler::Address(baseGPR, JSObject::butterflyOffset()), resultPayloadGPR);
+        slowPath.append(m_jit.branchIfNotToSpace(resultPayloadGPR));
</ins><span class="cx">         int32_t offsetOfFirstProperty = static_cast&lt;int32_t&gt;(offsetInButterfly(firstOutOfLineOffset)) * sizeof(EncodedJSValue);
</span><span class="cx">         m_jit.load32(MacroAssembler::BaseIndex(resultPayloadGPR, scratchGPR, MacroAssembler::TimesEight, offsetOfFirstProperty + OBJECT_OFFSETOF(JSValue, u.asBits.tag)), resultTagGPR);
</span><span class="cx">         m_jit.load32(MacroAssembler::BaseIndex(resultPayloadGPR, scratchGPR, MacroAssembler::TimesEight, offsetOfFirstProperty + OBJECT_OFFSETOF(JSValue, u.asBits.payload)), resultPayloadGPR);
</span><span class="cx"> 
</span><span class="cx">         done.link(&amp;m_jit);
</span><span class="cx"> 
</span><del>-        addSlowPathGenerator(slowPathCall(wrongStructure, this, operationGetByValCell, resultTagGPR, resultPayloadGPR, baseGPR, propertyGPR));
</del><ins>+        addSlowPathGenerator(slowPathCall(slowPath, this, operationGetByValCell, resultTagGPR, resultPayloadGPR, baseGPR, propertyGPR));
</ins><span class="cx"> #endif
</span><span class="cx"> 
</span><span class="cx">         jsValueResult(resultTagGPR, resultPayloadGPR, node);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJIT64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (190895 => 190896)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp        2015-10-12 22:40:36 UTC (rev 190895)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp        2015-10-12 22:41:01 UTC (rev 190896)
</span><span class="lines">@@ -4037,18 +4037,10 @@
</span><span class="cx">         compileReallocatePropertyStorage(node);
</span><span class="cx">         break;
</span><span class="cx">         
</span><del>-    case GetButterfly: {
-        SpeculateCellOperand base(this, node-&gt;child1());
-        GPRTemporary result(this, Reuse, base);
-        
-        GPRReg baseGPR = base.gpr();
-        GPRReg resultGPR = result.gpr();
-        
-        m_jit.loadPtr(JITCompiler::Address(baseGPR, JSObject::butterflyOffset()), resultGPR);
-        
-        storageResult(resultGPR, node);
</del><ins>+    case GetButterfly:
+    case GetButterflyReadOnly:
+        compileGetButterfly(node);
</ins><span class="cx">         break;
</span><del>-    }
</del><span class="cx"> 
</span><span class="cx">     case GetIndexedPropertyStorage: {
</span><span class="cx">         compileGetIndexedPropertyStorage(node);
</span><span class="lines">@@ -4644,10 +4636,16 @@
</span><span class="cx">         GPRReg scratch1GPR = scratch1.gpr();
</span><span class="cx">         GPRReg scratch2GPR = scratch2.gpr();
</span><span class="cx"> 
</span><ins>+        MacroAssembler::JumpList slowPath;
+
</ins><span class="cx">         // Check the structure
</span><span class="cx">         m_jit.load32(MacroAssembler::Address(baseGPR, JSCell::structureIDOffset()), scratch1GPR);
</span><del>-        MacroAssembler::Jump wrongStructure = m_jit.branch32(MacroAssembler::NotEqual, 
-            scratch1GPR, MacroAssembler::Address(enumeratorGPR, JSPropertyNameEnumerator::cachedStructureIDOffset()));
</del><ins>+        slowPath.append(
+            m_jit.branch32(
+                MacroAssembler::NotEqual, 
+                scratch1GPR,
+                MacroAssembler::Address(
+                    enumeratorGPR, JSPropertyNameEnumerator::cachedStructureIDOffset())));
</ins><span class="cx">         
</span><span class="cx">         // Compute the offset
</span><span class="cx">         // If index is less than the enumerator's cached inline storage, then it's an inline access
</span><span class="lines">@@ -4661,6 +4659,7 @@
</span><span class="cx">         // Otherwise it's out of line
</span><span class="cx">         outOfLineAccess.link(&amp;m_jit);
</span><span class="cx">         m_jit.loadPtr(MacroAssembler::Address(baseGPR, JSObject::butterflyOffset()), scratch2GPR);
</span><ins>+        slowPath.append(m_jit.branchIfNotToSpace(scratch2GPR));
</ins><span class="cx">         m_jit.move(indexGPR, scratch1GPR);
</span><span class="cx">         m_jit.sub32(MacroAssembler::Address(enumeratorGPR, JSPropertyNameEnumerator::cachedInlineCapacityOffset()), scratch1GPR);
</span><span class="cx">         m_jit.neg32(scratch1GPR);
</span><span class="lines">@@ -4670,7 +4669,7 @@
</span><span class="cx"> 
</span><span class="cx">         done.link(&amp;m_jit);
</span><span class="cx"> 
</span><del>-        addSlowPathGenerator(slowPathCall(wrongStructure, this, operationGetByVal, resultGPR, baseGPR, propertyGPR));
</del><ins>+        addSlowPathGenerator(slowPathCall(slowPath, this, operationGetByVal, resultGPR, baseGPR, propertyGPR));
</ins><span class="cx"> 
</span><span class="cx">         jsValueResult(resultGPR, node);
</span><span class="cx">         break;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGTypeCheckHoistingPhasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGTypeCheckHoistingPhase.cpp (190895 => 190896)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGTypeCheckHoistingPhase.cpp        2015-10-12 22:40:36 UTC (rev 190895)
+++ trunk/Source/JavaScriptCore/dfg/DFGTypeCheckHoistingPhase.cpp        2015-10-12 22:41:01 UTC (rev 190896)
</span><span class="lines">@@ -247,6 +247,7 @@
</span><span class="cx">                 case AllocatePropertyStorage:
</span><span class="cx">                 case ReallocatePropertyStorage:
</span><span class="cx">                 case GetButterfly:
</span><ins>+                case GetButterflyReadOnly:
</ins><span class="cx">                 case GetByVal:
</span><span class="cx">                 case PutByValDirect:
</span><span class="cx">                 case PutByVal:
</span><span class="lines">@@ -325,6 +326,7 @@
</span><span class="cx">                 case PutStructure:
</span><span class="cx">                 case ReallocatePropertyStorage:
</span><span class="cx">                 case GetButterfly:
</span><ins>+                case GetButterflyReadOnly:
</ins><span class="cx">                 case GetByVal:
</span><span class="cx">                 case PutByValDirect:
</span><span class="cx">                 case PutByVal:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLCapabilitiescpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp (190895 => 190896)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp        2015-10-12 22:40:36 UTC (rev 190895)
+++ trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp        2015-10-12 22:41:01 UTC (rev 190896)
</span><span class="lines">@@ -68,6 +68,7 @@
</span><span class="cx">     case ArrayifyToStructure:
</span><span class="cx">     case PutStructure:
</span><span class="cx">     case GetButterfly:
</span><ins>+    case GetButterflyReadOnly:
</ins><span class="cx">     case NewObject:
</span><span class="cx">     case NewArray:
</span><span class="cx">     case NewArrayBuffer:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLLowerDFGToLLVMcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp (190895 => 190896)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp        2015-10-12 22:40:36 UTC (rev 190895)
+++ trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp        2015-10-12 22:41:01 UTC (rev 190896)
</span><span class="lines">@@ -566,6 +566,9 @@
</span><span class="cx">         case GetButterfly:
</span><span class="cx">             compileGetButterfly();
</span><span class="cx">             break;
</span><ins>+        case GetButterflyReadOnly:
+            compileGetButterflyReadOnly();
+            break;
</ins><span class="cx">         case ConstantStoragePointer:
</span><span class="cx">             compileConstantStoragePointer();
</span><span class="cx">             break;
</span><span class="lines">@@ -2282,8 +2285,13 @@
</span><span class="cx">     
</span><span class="cx">     void compileGetButterfly()
</span><span class="cx">     {
</span><del>-        setStorage(m_out.loadPtr(lowCell(m_node-&gt;child1()), m_heaps.JSObject_butterfly));
</del><ins>+        setStorage(loadButterflyWithBarrier(lowCell(m_node-&gt;child1())));
</ins><span class="cx">     }
</span><ins>+
+    void compileGetButterflyReadOnly()
+    {
+        setStorage(loadButterflyReadOnly(lowCell(m_node-&gt;child1())));
+    }
</ins><span class="cx">     
</span><span class="cx">     void compileConstantStoragePointer()
</span><span class="cx">     {
</span><span class="lines">@@ -2317,7 +2325,7 @@
</span><span class="cx">             return;
</span><span class="cx">         }
</span><span class="cx">         
</span><del>-        setStorage(m_out.loadPtr(cell, m_heaps.JSArrayBufferView_vector));
</del><ins>+        setStorage(loadVectorWithBarrier(cell));
</ins><span class="cx">     }
</span><span class="cx">     
</span><span class="cx">     void compileCheckArray()
</span><span class="lines">@@ -2337,27 +2345,25 @@
</span><span class="cx">     {
</span><span class="cx">         LValue basePtr = lowCell(m_node-&gt;child1());    
</span><span class="cx"> 
</span><del>-        LBasicBlock simpleCase = FTL_NEW_BLOCK(m_out, (&quot;wasteless typed array&quot;));
-        LBasicBlock wastefulCase = FTL_NEW_BLOCK(m_out, (&quot;wasteful typed array&quot;));
-        LBasicBlock continuation = FTL_NEW_BLOCK(m_out, (&quot;continuation branch&quot;));
</del><ins>+        LBasicBlock simpleCase = FTL_NEW_BLOCK(m_out, (&quot;GetTypedArrayByteOffset wasteless typed array&quot;));
+        LBasicBlock wastefulCase = FTL_NEW_BLOCK(m_out, (&quot;GetTypedArrayByteOffset wasteful typed array&quot;));
+        LBasicBlock continuation = FTL_NEW_BLOCK(m_out, (&quot;GetTypedArrayByteOffset continuation&quot;));
</ins><span class="cx">         
</span><span class="cx">         LValue mode = m_out.load32(basePtr, m_heaps.JSArrayBufferView_mode);
</span><span class="cx">         m_out.branch(
</span><span class="cx">             m_out.notEqual(mode, m_out.constInt32(WastefulTypedArray)),
</span><span class="cx">             unsure(simpleCase), unsure(wastefulCase));
</span><span class="cx"> 
</span><del>-        // begin simple case        
</del><span class="cx">         LBasicBlock lastNext = m_out.appendTo(simpleCase, wastefulCase);
</span><span class="cx"> 
</span><span class="cx">         ValueFromBlock simpleOut = m_out.anchor(m_out.constIntPtr(0));
</span><span class="cx"> 
</span><span class="cx">         m_out.jump(continuation);
</span><span class="cx"> 
</span><del>-        // begin wasteful case
</del><span class="cx">         m_out.appendTo(wastefulCase, continuation);
</span><span class="cx"> 
</span><del>-        LValue vectorPtr = m_out.loadPtr(basePtr, m_heaps.JSArrayBufferView_vector);
-        LValue butterflyPtr = m_out.loadPtr(basePtr, m_heaps.JSObject_butterfly);
</del><ins>+        LValue vectorPtr = loadVectorReadOnly(basePtr);
+        LValue butterflyPtr = loadButterflyReadOnly(basePtr);
</ins><span class="cx">         LValue arrayBufferPtr = m_out.loadPtr(butterflyPtr, m_heaps.Butterfly_arrayBuffer);
</span><span class="cx">         LValue dataPtr = m_out.loadPtr(arrayBufferPtr, m_heaps.ArrayBuffer_data);
</span><span class="cx"> 
</span><span class="lines">@@ -2366,7 +2372,6 @@
</span><span class="cx">         m_out.jump(continuation);
</span><span class="cx">         m_out.appendTo(continuation, lastNext);
</span><span class="cx"> 
</span><del>-        // output
</del><span class="cx">         setInt32(m_out.castToInt32(m_out.phi(m_out.intPtr, simpleOut, wastefulOut)));
</span><span class="cx">     }
</span><span class="cx">     
</span><span class="lines">@@ -4050,7 +4055,7 @@
</span><span class="cx">                 else
</span><span class="cx">                     propertyBase = weakPointer(method.prototype()-&gt;value().asCell());
</span><span class="cx">                 if (!isInlineOffset(method.offset()))
</span><del>-                    propertyBase = m_out.loadPtr(propertyBase, m_heaps.JSObject_butterfly);
</del><ins>+                    propertyBase = loadButterflyReadOnly(propertyBase);
</ins><span class="cx">                 result = loadProperty(
</span><span class="cx">                     propertyBase, data.identifierNumber, method.offset());
</span><span class="cx">                 break;
</span><span class="lines">@@ -4118,7 +4123,7 @@
</span><span class="cx">                 if (isInlineOffset(variant.offset()))
</span><span class="cx">                     storage = base;
</span><span class="cx">                 else
</span><del>-                    storage = m_out.loadPtr(base, m_heaps.JSObject_butterfly);
</del><ins>+                    storage = loadButterflyWithBarrier(base);
</ins><span class="cx">             } else {
</span><span class="cx">                 m_graph.m_plan.transitions.addLazily(
</span><span class="cx">                     codeBlock(), m_node-&gt;origin.semantic.codeOriginOwner(),
</span><span class="lines">@@ -5352,7 +5357,7 @@
</span><span class="cx">         m_out.jump(continuation);
</span><span class="cx"> 
</span><span class="cx">         m_out.appendTo(outOfLineLoad, slowCase);
</span><del>-        LValue storage = m_out.loadPtr(base, m_heaps.JSObject_butterfly);
</del><ins>+        LValue storage = loadButterflyReadOnly(base);
</ins><span class="cx">         LValue realIndex = m_out.signExt(
</span><span class="cx">             m_out.neg(m_out.sub(index, m_out.load32(enumerator, m_heaps.JSPropertyNameEnumerator_cachedInlineCapacity))), 
</span><span class="cx">             m_out.int64);
</span><span class="lines">@@ -5999,14 +6004,14 @@
</span><span class="cx">             return object;
</span><span class="cx">         
</span><span class="cx">         if (previousStructure-&gt;outOfLineCapacity() == nextStructure-&gt;outOfLineCapacity())
</span><del>-            return m_out.loadPtr(object, m_heaps.JSObject_butterfly);
</del><ins>+            return loadButterflyWithBarrier(object);
</ins><span class="cx">         
</span><span class="cx">         LValue result;
</span><span class="cx">         if (!previousStructure-&gt;outOfLineCapacity())
</span><span class="cx">             result = allocatePropertyStorage(object, previousStructure);
</span><span class="cx">         else {
</span><span class="cx">             result = reallocatePropertyStorage(
</span><del>-                object, m_out.loadPtr(object, m_heaps.JSObject_butterfly),
</del><ins>+                object, loadButterflyWithBarrier(object),
</ins><span class="cx">                 previousStructure, nextStructure);
</span><span class="cx">         }
</span><span class="cx">         
</span><span class="lines">@@ -6120,7 +6125,60 @@
</span><span class="cx">         
</span><span class="cx">         return call;
</span><span class="cx">     }
</span><ins>+
+    LValue loadButterflyWithBarrier(LValue object)
+    {
+        return copyBarrier(
+            object, m_out.loadPtr(object, m_heaps.JSObject_butterfly), operationGetButterfly);
+    }
</ins><span class="cx">     
</span><ins>+    LValue loadVectorWithBarrier(LValue object)
+    {
+        return copyBarrier(
+            object, m_out.loadPtr(object, m_heaps.JSArrayBufferView_vector),
+            operationGetArrayBufferVector);
+    }
+    
+    LValue copyBarrier(LValue object, LValue pointer, P_JITOperation_EC slowPathFunction)
+    {
+        LBasicBlock slowPath = FTL_NEW_BLOCK(m_out, (&quot;loadButterflyWithBarrier slow path&quot;));
+        LBasicBlock continuation = FTL_NEW_BLOCK(m_out, (&quot;loadButterflyWithBarrier continuation&quot;));
+
+        ValueFromBlock fastResult = m_out.anchor(pointer);
+        m_out.branch(
+            m_out.testIsZeroPtr(pointer, m_out.constIntPtr(CopyBarrierBase::spaceBits)),
+            usually(continuation), rarely(slowPath));
+
+        LBasicBlock lastNext = m_out.appendTo(slowPath, continuation);
+
+        LValue call = lazySlowPath(
+            [=] (const Vector&lt;Location&gt;&amp; locations) -&gt; RefPtr&lt;LazySlowPath::Generator&gt; {
+                return createLazyCallGenerator(
+                    slowPathFunction, locations[0].directGPR(), locations[1].directGPR());
+            }, object);
+        ValueFromBlock slowResult = m_out.anchor(call);
+        m_out.jump(continuation);
+
+        m_out.appendTo(continuation, lastNext);
+        return m_out.phi(m_out.intPtr, fastResult, slowResult);
+    }
+
+    LValue loadButterflyReadOnly(LValue object)
+    {
+        return removeSpaceBits(m_out.loadPtr(object, m_heaps.JSObject_butterfly));
+    }
+
+    LValue loadVectorReadOnly(LValue object)
+    {
+        return removeSpaceBits(m_out.loadPtr(object, m_heaps.JSArrayBufferView_vector));
+    }
+
+    LValue removeSpaceBits(LValue storage)
+    {
+        return m_out.bitAnd(
+            storage, m_out.constIntPtr(~static_cast&lt;intptr_t&gt;(CopyBarrierBase::spaceBits)));
+    }
+    
</ins><span class="cx">     TypedPointer baseIndex(IndexedAbstractHeap&amp; heap, LValue storage, LValue index, Edge edge, ptrdiff_t offset = 0)
</span><span class="cx">     {
</span><span class="cx">         return m_out.baseIndex(
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLOperationscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLOperations.cpp (190895 => 190896)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLOperations.cpp        2015-10-12 22:40:36 UTC (rev 190895)
+++ trunk/Source/JavaScriptCore/ftl/FTLOperations.cpp        2015-10-12 22:41:01 UTC (rev 190896)
</span><span class="lines">@@ -48,7 +48,9 @@
</span><span class="cx">     Butterfly* butterfly = Butterfly::create(
</span><span class="cx">         vm, nullptr, 0, structure-&gt;outOfLineCapacity(), false, IndexingHeader(), 0);
</span><span class="cx">     
</span><del>-    return JSFinalObject::create(exec, structure, butterfly);
</del><ins>+    JSObject* result = JSFinalObject::create(exec, structure, butterfly);
+    result-&gt;butterfly(); // Ensure that the butterfly is in to-space.
+    return result;
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> extern &quot;C&quot; void JIT_OPERATION operationPopulateObjectInOSR(
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLOutputh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLOutput.h (190895 => 190896)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLOutput.h        2015-10-12 22:40:36 UTC (rev 190895)
+++ trunk/Source/JavaScriptCore/ftl/FTLOutput.h        2015-10-12 22:41:01 UTC (rev 190896)
</span><span class="lines">@@ -362,6 +362,8 @@
</span><span class="cx">     LValue testNonZero32(LValue value, LValue mask) { return notZero32(bitAnd(value, mask)); }
</span><span class="cx">     LValue testIsZero64(LValue value, LValue mask) { return isZero64(bitAnd(value, mask)); }
</span><span class="cx">     LValue testNonZero64(LValue value, LValue mask) { return notZero64(bitAnd(value, mask)); }
</span><ins>+    LValue testIsZeroPtr(LValue value, LValue mask) { return isNull(bitAnd(value, mask)); }
+    LValue testNonZeroPtr(LValue value, LValue mask) { return notNull(bitAnd(value, mask)); }
</ins><span class="cx">     
</span><span class="cx">     LValue select(LValue value, LValue taken, LValue notTaken) { return buildSelect(m_builder, value, taken, notTaken); }
</span><span class="cx">     LValue extractValue(LValue aggVal, unsigned index) { return buildExtractValue(m_builder, aggVal, index); }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapCopyBarrierhfromrev190603trunkSourceJavaScriptCoreheapCopyWriteBarrierh"></a>
<div class="copfile"><h4>Copied: trunk/Source/JavaScriptCore/heap/CopyBarrier.h (from rev 190603, trunk/Source/JavaScriptCore/heap/CopyWriteBarrier.h) (0 => 190896)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/CopyBarrier.h                                (rev 0)
+++ trunk/Source/JavaScriptCore/heap/CopyBarrier.h        2015-10-12 22:41:01 UTC (rev 190896)
</span><span class="lines">@@ -0,0 +1,181 @@
</span><ins>+/*
+ * Copyright (C) 2014 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef CopyBarrier_h
+#define CopyBarrier_h
+
+#include &quot;Heap.h&quot;
+
+namespace JSC {
+
+enum class CopyState {
+    // The backing store is not planned to get copied in this epoch. If you keep a pointer to the backing
+    // store on the stack, it will not get copied. If you don't keep it on the stack, it may get copied
+    // starting at the next handshake (that is, it may transition from ToSpace to CopyPlanned, but
+    // CopyPlanned means ToSpace prior to the handshake that starts the copy phase).
+    ToSpace,
+
+    // The marking phase has selected this backing store to be copied. If we are not yet in the copying
+    // phase, this backing store is still in to-space. All that is needed in such a case is to mask off the
+    // low bits. If we are in the copying phase, this means that the object points to from-space. The
+    // barrier should first copy the object - or wait for copying to finish - before using the object.
+    CopyPlanned,
+
+    // The object is being copied right now. Anyone wanting to use the object must wait for the object to
+    // finish being copied. Notifications about copying use the ParkingLot combined with these bits. If the
+    // state is CopyingAndWaiting, then when the copying finishes, whatever thread was doing it will
+    // unparkAll() on the address of the CopyBarrierBase. So, to wait for copying to finish, CAS this to
+    // CopyingAndWaiting and then parkConditionally on the barrier address.
+    Copying,
+
+    // The object is being copied right now, and there are one or more threads parked. Those threads want
+    // to be unparked when copying is done. So, whichever thread does the copying needs to call unparkAll()
+    // on the barrier address after copying is done.
+    CopyingAndWaiting
+};
+
+class CopyBarrierBase {
+public:
+    static const unsigned spaceBits = 3;
+
+    CopyBarrierBase()
+        : m_value(nullptr)
+    {
+    }
+    
+    bool operator!() const { return !m_value; }
+    
+    explicit operator bool() const { return m_value; }
+
+    void* getWithoutBarrier() const
+    {
+        return m_value;
+    }
+
+    // When we are in the concurrent copying phase, this method may lock the barrier object (i.e. the field
+    // pointing to copied space) and call directly into the owning object's copyBackingStore() method.
+    void* get(const JSCell* owner) const
+    {
+        void* result = m_value;
+        if (UNLIKELY(bitwise_cast&lt;uintptr_t&gt;(result) &amp; spaceBits))
+            return Heap::copyBarrier(owner, m_value);
+        return result;
+    }
+
+    CopyState copyState() const
+    {
+        return static_cast&lt;CopyState&gt;(bitwise_cast&lt;uintptr_t&gt;(m_value) &amp; spaceBits);
+    }
+
+    // This only works when you know that there is nobody else concurrently messing with this CopyBarrier.
+    // That's hard to guarantee, though there are a few unusual places where this ends up being safe.
+    // Usually you want to use CopyBarrier::weakCAS().
+    void setCopyState(CopyState copyState)
+    {
+        WTF::storeStoreFence();
+        uintptr_t value = bitwise_cast&lt;uintptr_t&gt;(m_value);
+        value &amp;= ~static_cast&lt;uintptr_t&gt;(spaceBits);
+        value |= static_cast&lt;uintptr_t&gt;(copyState);
+        m_value = bitwise_cast&lt;void*&gt;(value);
+    }
+
+    void clear() { m_value = nullptr; }
+
+protected:
+    CopyBarrierBase(VM&amp; vm, const JSCell* owner, void* value)
+    {
+        this-&gt;set(vm, owner, value);
+    }
+    
+    void set(VM&amp; vm, const JSCell* owner, void* value)
+    {
+        this-&gt;m_value = value;
+        vm.heap.writeBarrier(owner);
+    }
+    
+    void setWithoutBarrier(void* value)
+    {
+        this-&gt;m_value = value;
+    }
+
+    bool weakCASWithoutBarrier(
+        void* oldPointer, CopyState oldCopyState, void* newPointer, CopyState newCopyState)
+    {
+        uintptr_t oldValue = bitwise_cast&lt;uintptr_t&gt;(oldPointer) | static_cast&lt;uintptr_t&gt;(oldCopyState);
+        uintptr_t newValue = bitwise_cast&lt;uintptr_t&gt;(newPointer) | static_cast&lt;uintptr_t&gt;(newCopyState);
+        return WTF::weakCompareAndSwap(
+            &amp;m_value, bitwise_cast&lt;void*&gt;(oldValue), bitwise_cast&lt;void*&gt;(newValue));
+    }
+
+private:
+    mutable void* m_value;
+};
+
+template &lt;typename T&gt;
+class CopyBarrier : public CopyBarrierBase {
+public:
+    CopyBarrier()
+    {
+    }
+    
+    CopyBarrier(VM&amp; vm, const JSCell* owner, T&amp; value)
+        : CopyBarrierBase(vm, owner, &amp;value)
+    {
+    }
+    
+    CopyBarrier(VM&amp; vm, const JSCell* owner, T* value)
+        : CopyBarrierBase(vm, owner, value)
+    {
+    }
+
+    T* getWithoutBarrier() const
+    {
+        return bitwise_cast&lt;T*&gt;(CopyBarrierBase::getWithoutBarrier());
+    }
+    
+    T* get(const JSCell* owner) const
+    {
+        return bitwise_cast&lt;T*&gt;(CopyBarrierBase::get(owner));
+    }
+    
+    void set(VM&amp; vm, const JSCell* owner, T* value)
+    {
+        CopyBarrierBase::set(vm, owner, value);
+    }
+    
+    void setWithoutBarrier(T* value)
+    {
+        CopyBarrierBase::setWithoutBarrier(value);
+    }
+
+    bool weakCASWithoutBarrier(T* oldPointer, CopyState oldCopyState, T* newPointer, CopyState newCopyState)
+    {
+        return CopyBarrierBase::weakCASWithoutBarrier(oldPointer, oldCopyState, newPointer, newCopyState);
+    }
+};
+
+} // namespace JSC
+
+#endif // CopyBarrier_h
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapCopyVisitorInlinesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/heap/CopyVisitorInlines.h (190895 => 190896)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/CopyVisitorInlines.h        2015-10-12 22:40:36 UTC (rev 190895)
+++ trunk/Source/JavaScriptCore/heap/CopyVisitorInlines.h        2015-10-12 22:41:01 UTC (rev 190896)
</span><span class="lines">@@ -33,6 +33,8 @@
</span><span class="cx"> 
</span><span class="cx"> inline bool CopyVisitor::checkIfShouldCopy(void* oldPtr)
</span><span class="cx"> {
</span><ins>+    if (!oldPtr)
+        return false;
</ins><span class="cx">     CopiedBlock* block = CopiedSpace::blockFor(oldPtr);
</span><span class="cx">     if (block-&gt;isOversize() || block-&gt;isPinned())
</span><span class="cx">         return false;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapCopyWriteBarrierh"></a>
<div class="delfile"><h4>Deleted: trunk/Source/JavaScriptCore/heap/CopyWriteBarrier.h (190895 => 190896)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/CopyWriteBarrier.h        2015-10-12 22:40:36 UTC (rev 190895)
+++ trunk/Source/JavaScriptCore/heap/CopyWriteBarrier.h        2015-10-12 22:41:01 UTC (rev 190896)
</span><span class="lines">@@ -1,89 +0,0 @@
</span><del>-/*
- * Copyright (C) 2014 Apple Inc. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
- * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
- * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
- * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
- * THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#ifndef CopyWriteBarrier_h
-#define CopyWriteBarrier_h
-
-#include &quot;Heap.h&quot;
-
-namespace JSC {
-
-template &lt;typename T&gt;
-class CopyWriteBarrier {
-public:
-    CopyWriteBarrier()
-        : m_value(0)
-    {
-    }
-    
-    CopyWriteBarrier(VM&amp; vm, const JSCell* owner, T&amp; value)
-    {
-        this-&gt;set(vm, owner, &amp;value);
-    }
-    
-    CopyWriteBarrier(VM&amp; vm, const JSCell* owner, T* value)
-    {
-        this-&gt;set(vm, owner, value);
-    }
-    
-    bool operator!() const { return !m_value; }
-    
-    explicit operator bool() const { return m_value; }
-    
-    T* get() const
-    {
-        return m_value;
-    }
-    
-    T* operator*() const
-    {
-        return get();
-    }
-    
-    T* operator-&gt;() const
-    {
-        return get();
-    }
-    
-    void set(VM&amp; vm, const JSCell* owner, T* value)
-    {
-        this-&gt;m_value = value;
-        vm.heap.writeBarrier(owner);
-    }
-    
-    void setWithoutWriteBarrier(T* value)
-    {
-        this-&gt;m_value = value;
-    }
-    
-    void clear() { m_value = 0; }
-
-private:
-    T* m_value;
-};
-
-} // namespace JSC
-
-#endif // CopyWriteBarrier_h
</del></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapHeapcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/heap/Heap.cpp (190895 => 190896)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/Heap.cpp        2015-10-12 22:40:36 UTC (rev 190895)
+++ trunk/Source/JavaScriptCore/heap/Heap.cpp        2015-10-12 22:41:01 UTC (rev 190896)
</span><span class="lines">@@ -1000,6 +1000,12 @@
</span><span class="cx">     m_slotVisitor.appendToMarkStack(const_cast&lt;JSCell*&gt;(cell));
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+void* Heap::copyBarrier(const JSCell*, void*&amp; pointer)
+{
+    // Do nothing for now.
+    return pointer;
+}
+
</ins><span class="cx"> void Heap::collectAndSweep(HeapOperation collectionType)
</span><span class="cx"> {
</span><span class="cx">     if (!m_isSafeToCollect)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapHeaph"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/heap/Heap.h (190895 => 190896)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/Heap.h        2015-10-12 22:40:36 UTC (rev 190895)
+++ trunk/Source/JavaScriptCore/heap/Heap.h        2015-10-12 22:41:01 UTC (rev 190896)
</span><span class="lines">@@ -108,6 +108,8 @@
</span><span class="cx">     void writeBarrier(const JSCell*, JSValue);
</span><span class="cx">     void writeBarrier(const JSCell*, JSCell*);
</span><span class="cx"> 
</span><ins>+    JS_EXPORT_PRIVATE static void* copyBarrier(const JSCell* owner, void*&amp; copiedSpacePointer);
+
</ins><span class="cx">     WriteBarrierBuffer&amp; writeBarrierBuffer() { return m_writeBarrierBuffer; }
</span><span class="cx">     void flushWriteBarrierBuffer(JSCell*);
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapHeapInlinesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/heap/HeapInlines.h (190895 => 190896)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/HeapInlines.h        2015-10-12 22:40:36 UTC (rev 190895)
+++ trunk/Source/JavaScriptCore/heap/HeapInlines.h        2015-10-12 22:41:01 UTC (rev 190896)
</span><span class="lines">@@ -26,6 +26,7 @@
</span><span class="cx"> #ifndef HeapInlines_h
</span><span class="cx"> #define HeapInlines_h
</span><span class="cx"> 
</span><ins>+#include &quot;CopyBarrier.h&quot;
</ins><span class="cx"> #include &quot;Heap.h&quot;
</span><span class="cx"> #include &quot;JSCell.h&quot;
</span><span class="cx"> #include &quot;Structure.h&quot;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitAssemblyHelpersh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/AssemblyHelpers.h (190895 => 190896)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/AssemblyHelpers.h        2015-10-12 22:40:36 UTC (rev 190895)
+++ trunk/Source/JavaScriptCore/jit/AssemblyHelpers.h        2015-10-12 22:41:01 UTC (rev 190896)
</span><span class="lines">@@ -29,6 +29,7 @@
</span><span class="cx"> #if ENABLE(JIT)
</span><span class="cx"> 
</span><span class="cx"> #include &quot;CodeBlock.h&quot;
</span><ins>+#include &quot;CopyBarrier.h&quot;
</ins><span class="cx"> #include &quot;FPRInfo.h&quot;
</span><span class="cx"> #include &quot;GPRInfo.h&quot;
</span><span class="cx"> #include &quot;InlineCallFrame.h&quot;
</span><span class="lines">@@ -754,6 +755,16 @@
</span><span class="cx">         return branchPtr(condition, leftHandSide, TrustedImmPtr(structure));
</span><span class="cx"> #endif
</span><span class="cx">     }
</span><ins>+
+    Jump branchIfNotToSpace(GPRReg storageGPR)
+    {
+        return branchTest32(NonZero, storageGPR, TrustedImm32(CopyBarrierBase::spaceBits));
+    }
+
+    void removeSpaceBits(GPRReg storageGPR)
+    {
+        andPtr(TrustedImmPtr(~static_cast&lt;uintptr_t&gt;(CopyBarrierBase::spaceBits)), storageGPR);
+    }
</ins><span class="cx">     
</span><span class="cx">     static Address addressForByteOffset(ptrdiff_t byteOffset)
</span><span class="cx">     {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JIT.cpp (190895 => 190896)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JIT.cpp        2015-10-12 22:40:36 UTC (rev 190895)
+++ trunk/Source/JavaScriptCore/jit/JIT.cpp        2015-10-12 22:41:01 UTC (rev 190896)
</span><span class="lines">@@ -180,6 +180,8 @@
</span><span class="cx">         
</span><span class="cx">         if (Options::eagerlyUpdateTopCallFrame())
</span><span class="cx">             updateTopCallFrame();
</span><ins>+
+        unsigned bytecodeOffset = m_bytecodeOffset;
</ins><span class="cx">         
</span><span class="cx">         switch (opcodeID) {
</span><span class="cx">         DEFINE_SLOW_OP(del_by_val)
</span><span class="lines">@@ -314,6 +316,9 @@
</span><span class="cx">         default:
</span><span class="cx">             RELEASE_ASSERT_NOT_REACHED();
</span><span class="cx">         }
</span><ins>+
+        if (false)
+            dataLog(&quot;At &quot;, bytecodeOffset, &quot;: &quot;, m_slowCases.size(), &quot;\n&quot;);
</ins><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     RELEASE_ASSERT(m_callLinkInfoIndex == m_callCompilationInfo.size());
</span><span class="lines">@@ -433,6 +438,9 @@
</span><span class="cx">             RELEASE_ASSERT_NOT_REACHED();
</span><span class="cx">         }
</span><span class="cx"> 
</span><ins>+        if (false)
+            dataLog(&quot;At &quot;, firstTo, &quot; slow: &quot;, iter - m_slowCases.begin(), &quot;\n&quot;);
+
</ins><span class="cx">         RELEASE_ASSERT_WITH_MESSAGE(iter == m_slowCases.end() || firstTo != iter-&gt;to, &quot;Not enough jumps linked in slow case codegen.&quot;);
</span><span class="cx">         RELEASE_ASSERT_WITH_MESSAGE(firstTo == (iter - 1)-&gt;to, &quot;Too many jumps linked in slow case codegen.&quot;);
</span><span class="cx">         
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITOpcodescpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp (190895 => 190896)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp        2015-10-12 22:40:36 UTC (rev 190895)
+++ trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp        2015-10-12 22:41:01 UTC (rev 190896)
</span><span class="lines">@@ -1153,6 +1153,7 @@
</span><span class="cx">     
</span><span class="cx">     linkSlowCaseIfNotJSCell(iter, base); // base cell check
</span><span class="cx">     linkSlowCase(iter); // base array check
</span><ins>+    linkSlowCase(iter); // read barrier
</ins><span class="cx">     linkSlowCase(iter); // vector length check
</span><span class="cx">     linkSlowCase(iter); // empty value
</span><span class="cx">     
</span><span class="lines">@@ -1196,6 +1197,7 @@
</span><span class="cx">     // Otherwise it's out of line
</span><span class="cx">     outOfLineAccess.link(this);
</span><span class="cx">     loadPtr(Address(regT0, JSObject::butterflyOffset()), regT0);
</span><ins>+    addSlowCase(branchIfNotToSpace(regT0));
</ins><span class="cx">     sub32(Address(regT2, JSPropertyNameEnumerator::cachedInlineCapacityOffset()), regT1);
</span><span class="cx">     neg32(regT1);
</span><span class="cx">     signExtend32ToPtr(regT1, regT1);
</span><span class="lines">@@ -1212,6 +1214,7 @@
</span><span class="cx">     int base = currentInstruction[2].u.operand;
</span><span class="cx">     linkSlowCaseIfNotJSCell(iter, base);
</span><span class="cx">     linkSlowCase(iter);
</span><ins>+    linkSlowCase(iter);
</ins><span class="cx"> 
</span><span class="cx">     JITSlowPathCall slowPathCall(this, currentInstruction, slow_path_get_direct_pname);
</span><span class="cx">     slowPathCall.call();
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITOpcodes32_64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp (190895 => 190896)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp        2015-10-12 22:40:36 UTC (rev 190895)
+++ trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp        2015-10-12 22:41:01 UTC (rev 190896)
</span><span class="lines">@@ -1174,6 +1174,7 @@
</span><span class="cx">     // Otherwise it's out of line
</span><span class="cx">     outOfLineAccess.link(this);
</span><span class="cx">     loadPtr(Address(regT0, JSObject::butterflyOffset()), regT0);
</span><ins>+    addSlowCase(branchIfNotToSpace(regT0));
</ins><span class="cx">     sub32(Address(regT1, JSPropertyNameEnumerator::cachedInlineCapacityOffset()), regT2);
</span><span class="cx">     neg32(regT2);
</span><span class="cx">     int32_t offsetOfFirstProperty = static_cast&lt;int32_t&gt;(offsetInButterfly(firstOutOfLineOffset)) * sizeof(EncodedJSValue);
</span><span class="lines">@@ -1190,6 +1191,7 @@
</span><span class="cx">     int base = currentInstruction[2].u.operand;
</span><span class="cx">     linkSlowCaseIfNotJSCell(iter, base);
</span><span class="cx">     linkSlowCase(iter);
</span><ins>+    linkSlowCase(iter);
</ins><span class="cx"> 
</span><span class="cx">     JITSlowPathCall slowPathCall(this, currentInstruction, slow_path_get_direct_pname);
</span><span class="cx">     slowPathCall.call();
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITPropertyAccesscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp (190895 => 190896)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp        2015-10-12 22:40:36 UTC (rev 190895)
+++ trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp        2015-10-12 22:41:01 UTC (rev 190896)
</span><span class="lines">@@ -165,6 +165,7 @@
</span><span class="cx">     
</span><span class="cx">     badType = patchableBranch32(NotEqual, regT2, TrustedImm32(DoubleShape));
</span><span class="cx">     loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2);
</span><ins>+    slowCases.append(branchIfNotToSpace(regT2));
</ins><span class="cx">     slowCases.append(branch32(AboveOrEqual, regT1, Address(regT2, Butterfly::offsetOfPublicLength())));
</span><span class="cx">     loadDouble(BaseIndex(regT2, regT1, TimesEight), fpRegT0);
</span><span class="cx">     slowCases.append(branchDouble(DoubleNotEqualOrUnordered, fpRegT0, fpRegT0));
</span><span class="lines">@@ -178,6 +179,7 @@
</span><span class="cx">     
</span><span class="cx">     badType = patchableBranch32(NotEqual, regT2, TrustedImm32(expectedShape));
</span><span class="cx">     loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2);
</span><ins>+    slowCases.append(branchIfNotToSpace(regT2));
</ins><span class="cx">     slowCases.append(branch32(AboveOrEqual, regT1, Address(regT2, Butterfly::offsetOfPublicLength())));
</span><span class="cx">     load64(BaseIndex(regT2, regT1, TimesEight), regT0);
</span><span class="cx">     slowCases.append(branchTest64(Zero, regT0));
</span><span class="lines">@@ -193,6 +195,7 @@
</span><span class="cx">     badType = patchableBranch32(Above, regT3, TrustedImm32(SlowPutArrayStorageShape - ArrayStorageShape));
</span><span class="cx"> 
</span><span class="cx">     loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2);
</span><ins>+    slowCases.append(branchIfNotToSpace(regT2));
</ins><span class="cx">     slowCases.append(branch32(AboveOrEqual, regT1, Address(regT2, ArrayStorage::vectorLengthOffset())));
</span><span class="cx"> 
</span><span class="cx">     load64(BaseIndex(regT2, regT1, TimesEight, ArrayStorage::vectorOffset()), regT0);
</span><span class="lines">@@ -251,6 +254,7 @@
</span><span class="cx">     notString.link(this);
</span><span class="cx">     nonCell.link(this);
</span><span class="cx">     
</span><ins>+    linkSlowCase(iter); // read barrier
</ins><span class="cx">     linkSlowCase(iter); // vector length check
</span><span class="cx">     linkSlowCase(iter); // empty value
</span><span class="cx">     
</span><span class="lines">@@ -323,6 +327,7 @@
</span><span class="cx">     badType = patchableBranch32(NotEqual, regT2, TrustedImm32(indexingShape));
</span><span class="cx">     
</span><span class="cx">     loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2);
</span><ins>+    slowCases.append(branchIfNotToSpace(regT2));
</ins><span class="cx">     Jump outOfBounds = branch32(AboveOrEqual, regT1, Address(regT2, Butterfly::offsetOfPublicLength()));
</span><span class="cx"> 
</span><span class="cx">     Label storeResult = label();
</span><span class="lines">@@ -378,6 +383,7 @@
</span><span class="cx">     
</span><span class="cx">     badType = patchableBranch32(NotEqual, regT2, TrustedImm32(ArrayStorageShape));
</span><span class="cx">     loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2);
</span><ins>+    slowCases.append(branchIfNotToSpace(regT2));
</ins><span class="cx">     slowCases.append(branch32(AboveOrEqual, regT1, Address(regT2, ArrayStorage::vectorLengthOffset())));
</span><span class="cx"> 
</span><span class="cx">     Jump empty = branchTest64(Zero, BaseIndex(regT2, regT1, TimesEight, OBJECT_OFFSETOF(ArrayStorage, m_vector[0])));
</span><span class="lines">@@ -448,8 +454,9 @@
</span><span class="cx">     linkSlowCase(iter); // property int32 check
</span><span class="cx">     linkSlowCase(iter); // base not array check
</span><span class="cx">     
</span><ins>+    linkSlowCase(iter); // read barrier
</ins><span class="cx">     linkSlowCase(iter); // out of bounds
</span><del>-
</del><ins>+    
</ins><span class="cx">     JITArrayMode mode = chooseArrayMode(profile);
</span><span class="cx">     switch (mode) {
</span><span class="cx">     case JITInt32:
</span><span class="lines">@@ -780,6 +787,7 @@
</span><span class="cx">                 isOutOfLine.link(this);
</span><span class="cx">             }
</span><span class="cx">             loadPtr(Address(base, JSObject::butterflyOffset()), scratch);
</span><ins>+            addSlowCase(branchIfNotToSpace(scratch));
</ins><span class="cx">             neg32(offset);
</span><span class="cx">             signExtend32ToPtr(offset, offset);
</span><span class="cx">             load64(BaseIndex(scratch, offset, TimesEight, (firstOutOfLineOffset - 2) * sizeof(EncodedJSValue)), result);
</span><span class="lines">@@ -859,8 +867,10 @@
</span><span class="cx">     if (resolveType == GlobalVar || resolveType == ClosureVar)
</span><span class="cx">         return;
</span><span class="cx"> 
</span><del>-    if (resolveType == GlobalProperty || resolveType == GlobalPropertyWithVarInjectionChecks)
-        linkSlowCase(iter);
</del><ins>+    if (resolveType == GlobalProperty || resolveType == GlobalPropertyWithVarInjectionChecks) {
+        linkSlowCase(iter); // bad structure
+        linkSlowCase(iter); // read barrier
+    }
</ins><span class="cx"> 
</span><span class="cx">     if (resolveType == GlobalLexicalVarWithVarInjectionChecks) // Var injections check.
</span><span class="cx">         linkSlowCase(iter);
</span><span class="lines">@@ -869,6 +879,7 @@
</span><span class="cx">         // GlobalProperty/GlobalPropertyWithVarInjectionChecks
</span><span class="cx">         linkSlowCase(iter); // emitLoadWithStructureCheck
</span><span class="cx">         linkSlowCase(iter); // emitLoadWithStructureCheck
</span><ins>+        linkSlowCase(iter); // read barrier
</ins><span class="cx">         // GlobalLexicalVar
</span><span class="cx">         linkSlowCase(iter); // TDZ check.
</span><span class="cx">         // GlobalLexicalVarWithVarInjectionChecks.
</span><span class="lines">@@ -922,6 +933,7 @@
</span><span class="cx">             emitGetVirtualRegister(value, regT2);
</span><span class="cx">             
</span><span class="cx">             loadPtr(Address(regT0, JSObject::butterflyOffset()), regT0);
</span><ins>+            addSlowCase(branchIfNotToSpace(regT0));
</ins><span class="cx">             loadPtr(operandSlot, regT1);
</span><span class="cx">             negPtr(regT1);
</span><span class="cx">             storePtr(regT2, BaseIndex(regT0, regT1, TimesEight, (firstOutOfLineOffset - 2) * sizeof(EncodedJSValue)));
</span><span class="lines">@@ -1015,14 +1027,17 @@
</span><span class="cx">          || resolveType == LocalClosureVar)
</span><span class="cx">         &amp;&amp; currentInstruction[5].u.watchpointSet-&gt;state() != IsInvalidated)
</span><span class="cx">         linkCount++;
</span><del>-    if (resolveType == GlobalProperty || resolveType == GlobalPropertyWithVarInjectionChecks)
-        linkCount++;
</del><ins>+    if (resolveType == GlobalProperty || resolveType == GlobalPropertyWithVarInjectionChecks) {
+        linkCount++; // bad structure
+        linkCount++; // read barrier
+    }
</ins><span class="cx">     if (getPutInfo.initializationMode() != Initialization &amp;&amp; (resolveType == GlobalLexicalVar || resolveType == GlobalLexicalVarWithVarInjectionChecks)) // TDZ check.
</span><span class="cx">         linkCount++;
</span><span class="cx">     if (resolveType == UnresolvedProperty || resolveType == UnresolvedPropertyWithVarInjectionChecks) {
</span><span class="cx">         // GlobalProperty/GlobalPropertyWithVarInjectionsCheck
</span><span class="cx">         linkCount++; // emitLoadWithStructureCheck
</span><span class="cx">         linkCount++; // emitLoadWithStructureCheck
</span><ins>+        linkCount++; // read barrier
</ins><span class="cx"> 
</span><span class="cx">         // GlobalLexicalVar
</span><span class="cx">         bool needsTDZCheck = getPutInfo.initializationMode() != Initialization;
</span><span class="lines">@@ -1440,23 +1455,24 @@
</span><span class="cx">     load8(Address(base, JSCell::typeInfoTypeOffset()), scratch);
</span><span class="cx">     badType = patchableBranch32(NotEqual, scratch, TrustedImm32(typeForTypedArrayType(type)));
</span><span class="cx">     slowCases.append(branch32(AboveOrEqual, property, Address(base, JSArrayBufferView::offsetOfLength())));
</span><del>-    loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), base);
</del><ins>+    loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), scratch);
+    slowCases.append(branchIfNotToSpace(scratch));
</ins><span class="cx">     
</span><span class="cx">     switch (elementSize(type)) {
</span><span class="cx">     case 1:
</span><span class="cx">         if (isSigned(type))
</span><del>-            load8SignedExtendTo32(BaseIndex(base, property, TimesOne), resultPayload);
</del><ins>+            load8SignedExtendTo32(BaseIndex(scratch, property, TimesOne), resultPayload);
</ins><span class="cx">         else
</span><del>-            load8(BaseIndex(base, property, TimesOne), resultPayload);
</del><ins>+            load8(BaseIndex(scratch, property, TimesOne), resultPayload);
</ins><span class="cx">         break;
</span><span class="cx">     case 2:
</span><span class="cx">         if (isSigned(type))
</span><del>-            load16SignedExtendTo32(BaseIndex(base, property, TimesTwo), resultPayload);
</del><ins>+            load16SignedExtendTo32(BaseIndex(scratch, property, TimesTwo), resultPayload);
</ins><span class="cx">         else
</span><del>-            load16(BaseIndex(base, property, TimesTwo), resultPayload);
</del><ins>+            load16(BaseIndex(scratch, property, TimesTwo), resultPayload);
</ins><span class="cx">         break;
</span><span class="cx">     case 4:
</span><del>-        load32(BaseIndex(base, property, TimesFour), resultPayload);
</del><ins>+        load32(BaseIndex(scratch, property, TimesFour), resultPayload);
</ins><span class="cx">         break;
</span><span class="cx">     default:
</span><span class="cx">         CRASH();
</span><span class="lines">@@ -1511,15 +1527,16 @@
</span><span class="cx">     load8(Address(base, JSCell::typeInfoTypeOffset()), scratch);
</span><span class="cx">     badType = patchableBranch32(NotEqual, scratch, TrustedImm32(typeForTypedArrayType(type)));
</span><span class="cx">     slowCases.append(branch32(AboveOrEqual, property, Address(base, JSArrayBufferView::offsetOfLength())));
</span><del>-    loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), base);
</del><ins>+    loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), scratch);
+    slowCases.append(branchIfNotToSpace(scratch));
</ins><span class="cx">     
</span><span class="cx">     switch (elementSize(type)) {
</span><span class="cx">     case 4:
</span><del>-        loadFloat(BaseIndex(base, property, TimesFour), fpRegT0);
</del><ins>+        loadFloat(BaseIndex(scratch, property, TimesFour), fpRegT0);
</ins><span class="cx">         convertFloatToDouble(fpRegT0, fpRegT0);
</span><span class="cx">         break;
</span><span class="cx">     case 8: {
</span><del>-        loadDouble(BaseIndex(base, property, TimesEight), fpRegT0);
</del><ins>+        loadDouble(BaseIndex(scratch, property, TimesEight), fpRegT0);
</ins><span class="cx">         break;
</span><span class="cx">     }
</span><span class="cx">     default:
</span><span class="lines">@@ -1579,6 +1596,7 @@
</span><span class="cx">     // We would be loading this into base as in get_by_val, except that the slow
</span><span class="cx">     // path expects the base to be unclobbered.
</span><span class="cx">     loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), lateScratch);
</span><ins>+    slowCases.append(branchIfNotToSpace(lateScratch));
</ins><span class="cx">     
</span><span class="cx">     if (isClamped(type)) {
</span><span class="cx">         ASSERT(elementSize(type) == 1);
</span><span class="lines">@@ -1664,6 +1682,7 @@
</span><span class="cx">     // We would be loading this into base as in get_by_val, except that the slow
</span><span class="cx">     // path expects the base to be unclobbered.
</span><span class="cx">     loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), lateScratch);
</span><ins>+    slowCases.append(branchIfNotToSpace(lateScratch));
</ins><span class="cx">     
</span><span class="cx">     switch (elementSize(type)) {
</span><span class="cx">     case 4:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorellintLowLevelInterpreterasm"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/llint/LowLevelInterpreter.asm (190895 => 190896)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/llint/LowLevelInterpreter.asm        2015-10-12 22:40:36 UTC (rev 190895)
+++ trunk/Source/JavaScriptCore/llint/LowLevelInterpreter.asm        2015-10-12 22:41:01 UTC (rev 190896)
</span><span class="lines">@@ -220,6 +220,8 @@
</span><span class="cx"> const PutByIdSecondaryTypeObjectOrOther = 0x38
</span><span class="cx"> const PutByIdSecondaryTypeTop = 0x40
</span><span class="cx"> 
</span><ins>+const CopyBarrierSpaceBits = 3
+
</ins><span class="cx"> const CallOpCodeSize = 9
</span><span class="cx"> 
</span><span class="cx"> if X86_64 or ARM64 or C_LOOP
</span><span class="lines">@@ -661,6 +663,10 @@
</span><span class="cx">     end
</span><span class="cx"> end
</span><span class="cx"> 
</span><ins>+macro copyBarrier(value, slow)
+    btpnz value, CopyBarrierSpaceBits, slow
+end
+
</ins><span class="cx"> macro functionPrologue()
</span><span class="cx">     if X86 or X86_WIN or X86_64 or X86_64_WIN
</span><span class="cx">         push cfr
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorellintLowLevelInterpreter64asm"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm (190895 => 190896)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm        2015-10-12 22:40:36 UTC (rev 190895)
+++ trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm        2015-10-12 22:41:01 UTC (rev 190896)
</span><span class="lines">@@ -1188,9 +1188,10 @@
</span><span class="cx">     dispatch(3)
</span><span class="cx"> 
</span><span class="cx"> 
</span><del>-macro loadPropertyAtVariableOffset(propertyOffsetAsInt, objectAndStorage, value)
</del><ins>+macro loadPropertyAtVariableOffset(propertyOffsetAsInt, objectAndStorage, value, slow)
</ins><span class="cx">     bilt propertyOffsetAsInt, firstOutOfLineOffset, .isInline
</span><span class="cx">     loadp JSObject::m_butterfly[objectAndStorage], objectAndStorage
</span><ins>+    copyBarrier(objectAndStorage, slow)
</ins><span class="cx">     negi propertyOffsetAsInt
</span><span class="cx">     sxi2q propertyOffsetAsInt, propertyOffsetAsInt
</span><span class="cx">     jmp .ready
</span><span class="lines">@@ -1201,9 +1202,10 @@
</span><span class="cx"> end
</span><span class="cx"> 
</span><span class="cx"> 
</span><del>-macro storePropertyAtVariableOffset(propertyOffsetAsInt, objectAndStorage, value)
</del><ins>+macro storePropertyAtVariableOffset(propertyOffsetAsInt, objectAndStorage, value, slow)
</ins><span class="cx">     bilt propertyOffsetAsInt, firstOutOfLineOffset, .isInline
</span><span class="cx">     loadp JSObject::m_butterfly[objectAndStorage], objectAndStorage
</span><ins>+    copyBarrier(objectAndStorage, slow)
</ins><span class="cx">     negi propertyOffsetAsInt
</span><span class="cx">     sxi2q propertyOffsetAsInt, propertyOffsetAsInt
</span><span class="cx">     jmp .ready
</span><span class="lines">@@ -1222,7 +1224,7 @@
</span><span class="cx">     bineq t2, t1, .opGetByIdSlow
</span><span class="cx">     loadisFromInstruction(5, t1)
</span><span class="cx">     loadisFromInstruction(1, t2)
</span><del>-    loadPropertyAtVariableOffset(t1, t3, t0)
</del><ins>+    loadPropertyAtVariableOffset(t1, t3, t0, .opGetByIdSlow)
</ins><span class="cx">     storeq t0, [cfr, t2, 8]
</span><span class="cx">     valueProfile(t0, 8, t1)
</span><span class="cx">     dispatch(9)
</span><span class="lines">@@ -1243,6 +1245,7 @@
</span><span class="cx">     btiz t2, IndexingShapeMask, .opGetArrayLengthSlow
</span><span class="cx">     loadisFromInstruction(1, t1)
</span><span class="cx">     loadp JSObject::m_butterfly[t3], t0
</span><ins>+    copyBarrier(t0, .opGetArrayLengthSlow)
</ins><span class="cx">     loadi -sizeof IndexingHeader + IndexingHeader::u.lengths.publicLength[t0], t0
</span><span class="cx">     bilt t0, 0, .opGetArrayLengthSlow
</span><span class="cx">     orq tagTypeNumber, t0
</span><span class="lines">@@ -1382,7 +1385,7 @@
</span><span class="cx">     loadisFromInstruction(3, t1)
</span><span class="cx">     loadConstantOrVariable(t1, t2)
</span><span class="cx">     loadisFromInstruction(5, t1)
</span><del>-    storePropertyAtVariableOffset(t1, t0, t2)
</del><ins>+    storePropertyAtVariableOffset(t1, t0, t2, .opPutByIdSlow)
</ins><span class="cx">     dispatch(9)
</span><span class="cx"> 
</span><span class="cx"> .opPutByIdSlow:
</span><span class="lines">@@ -1401,6 +1404,7 @@
</span><span class="cx">     loadConstantOrVariableInt32(t3, t1, .opGetByValSlow)
</span><span class="cx">     sxi2q t1, t1
</span><span class="cx">     loadp JSObject::m_butterfly[t0], t3
</span><ins>+    copyBarrier(t3, .opGetByValSlow)
</ins><span class="cx">     andi IndexingShapeMask, t2
</span><span class="cx">     bieq t2, Int32Shape, .opGetByValIsContiguous
</span><span class="cx">     bineq t2, ContiguousShape, .opGetByValNotContiguous
</span><span class="lines">@@ -1471,6 +1475,7 @@
</span><span class="cx">     loadConstantOrVariableInt32(t0, t3, .opPutByValSlow)
</span><span class="cx">     sxi2q t3, t3
</span><span class="cx">     loadp JSObject::m_butterfly[t1], t0
</span><ins>+    copyBarrier(t0, .opPutByValSlow)
</ins><span class="cx">     andi IndexingShapeMask, t2
</span><span class="cx">     bineq t2, Int32Shape, .opPutByValNotInt32
</span><span class="cx">     contiguousPutByVal(
</span><span class="lines">@@ -1991,9 +1996,9 @@
</span><span class="cx">     bpneq t2, t1, slowPath
</span><span class="cx"> end
</span><span class="cx"> 
</span><del>-macro getProperty()
</del><ins>+macro getProperty(slow)
</ins><span class="cx">     loadisFromInstruction(6, t1)
</span><del>-    loadPropertyAtVariableOffset(t1, t0, t2)
</del><ins>+    loadPropertyAtVariableOffset(t1, t0, t2, slow)
</ins><span class="cx">     valueProfile(t2, 7, t0)
</span><span class="cx">     loadisFromInstruction(1, t0)
</span><span class="cx">     storeq t2, [cfr, t0, 8]
</span><span class="lines">@@ -2024,7 +2029,7 @@
</span><span class="cx"> #gGlobalProperty:
</span><span class="cx">     bineq t0, GlobalProperty, .gGlobalVar
</span><span class="cx">     loadWithStructureCheck(2, .gDynamic)
</span><del>-    getProperty()
</del><ins>+    getProperty(.gDynamic)
</ins><span class="cx">     dispatch(8)
</span><span class="cx"> 
</span><span class="cx"> .gGlobalVar:
</span><span class="lines">@@ -2049,7 +2054,7 @@
</span><span class="cx"> .gGlobalPropertyWithVarInjectionChecks:
</span><span class="cx">     bineq t0, GlobalPropertyWithVarInjectionChecks, .gGlobalVarWithVarInjectionChecks
</span><span class="cx">     loadWithStructureCheck(2, .gDynamic)
</span><del>-    getProperty()
</del><ins>+    getProperty(.gDynamic)
</ins><span class="cx">     dispatch(8)
</span><span class="cx"> 
</span><span class="cx"> .gGlobalVarWithVarInjectionChecks:
</span><span class="lines">@@ -2079,11 +2084,11 @@
</span><span class="cx">     dispatch(8)
</span><span class="cx"> 
</span><span class="cx"> 
</span><del>-macro putProperty()
</del><ins>+macro putProperty(slow)
</ins><span class="cx">     loadisFromInstruction(3, t1)
</span><span class="cx">     loadConstantOrVariable(t1, t2)
</span><span class="cx">     loadisFromInstruction(6, t1)
</span><del>-    storePropertyAtVariableOffset(t1, t0, t2)
</del><ins>+    storePropertyAtVariableOffset(t1, t0, t2, slow)
</ins><span class="cx"> end
</span><span class="cx"> 
</span><span class="cx"> macro putGlobalVariable()
</span><span class="lines">@@ -2141,7 +2146,7 @@
</span><span class="cx">     bineq t0, GlobalProperty, .pGlobalVar
</span><span class="cx">     writeBarrierOnOperands(1, 3)
</span><span class="cx">     loadWithStructureCheck(1, .pDynamic)
</span><del>-    putProperty()
</del><ins>+    putProperty(.pDynamic)
</ins><span class="cx">     dispatch(7)
</span><span class="cx"> 
</span><span class="cx"> .pGlobalVar:
</span><span class="lines">@@ -2168,7 +2173,7 @@
</span><span class="cx">     bineq t0, GlobalPropertyWithVarInjectionChecks, .pGlobalVarWithVarInjectionChecks
</span><span class="cx">     writeBarrierOnOperands(1, 3)
</span><span class="cx">     loadWithStructureCheck(1, .pDynamic)
</span><del>-    putProperty()
</del><ins>+    putProperty(.pDynamic)
</ins><span class="cx">     dispatch(7)
</span><span class="cx"> 
</span><span class="cx"> .pGlobalVarWithVarInjectionChecks:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeDirectArgumentscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/DirectArguments.cpp (190895 => 190896)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/DirectArguments.cpp        2015-10-12 22:40:36 UTC (rev 190895)
+++ trunk/Source/JavaScriptCore/runtime/DirectArguments.cpp        2015-10-12 22:41:01 UTC (rev 190896)
</span><span class="lines">@@ -97,7 +97,7 @@
</span><span class="cx">     if (thisObject-&gt;m_overrides) {
</span><span class="cx">         visitor.copyLater(
</span><span class="cx">             thisObject, DirectArgumentsOverridesCopyToken,
</span><del>-            thisObject-&gt;m_overrides.get(), thisObject-&gt;overridesSize());
</del><ins>+            thisObject-&gt;m_overrides.getWithoutBarrier(), thisObject-&gt;overridesSize());
</ins><span class="cx">     }
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="lines">@@ -108,14 +108,11 @@
</span><span class="cx">     
</span><span class="cx">     RELEASE_ASSERT(token == DirectArgumentsOverridesCopyToken);
</span><span class="cx">     
</span><del>-    bool* oldOverrides = thisObject-&gt;m_overrides.get();
-    if (!oldOverrides)
-        return;
-    
</del><ins>+    void* oldOverrides = thisObject-&gt;m_overrides.getWithoutBarrier();
</ins><span class="cx">     if (visitor.checkIfShouldCopy(oldOverrides)) {
</span><span class="cx">         bool* newOverrides = static_cast&lt;bool*&gt;(visitor.allocateNewSpace(thisObject-&gt;overridesSize()));
</span><span class="cx">         memcpy(newOverrides, oldOverrides, thisObject-&gt;m_length);
</span><del>-        thisObject-&gt;m_overrides.setWithoutWriteBarrier(newOverrides);
</del><ins>+        thisObject-&gt;m_overrides.setWithoutBarrier(newOverrides);
</ins><span class="cx">         visitor.didCopy(oldOverrides, thisObject-&gt;overridesSize());
</span><span class="cx">     }
</span><span class="cx"> }
</span><span class="lines">@@ -135,9 +132,10 @@
</span><span class="cx">     
</span><span class="cx">     void* backingStore;
</span><span class="cx">     RELEASE_ASSERT(vm.heap.tryAllocateStorage(this, overridesSize(), &amp;backingStore));
</span><del>-    m_overrides.set(vm, this, static_cast&lt;bool*&gt;(backingStore));
</del><ins>+    bool* overrides = static_cast&lt;bool*&gt;(backingStore);
+    m_overrides.set(vm, this, overrides);
</ins><span class="cx">     for (unsigned i = m_length; i--;)
</span><del>-        m_overrides.get()[i] = false;
</del><ins>+        overrides[i] = false;
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void DirectArguments::overrideThingsIfNecessary(VM&amp; vm)
</span><span class="lines">@@ -149,7 +147,7 @@
</span><span class="cx"> void DirectArguments::overrideArgument(VM&amp; vm, unsigned index)
</span><span class="cx"> {
</span><span class="cx">     overrideThingsIfNecessary(vm);
</span><del>-    m_overrides.get()[index] = true;
</del><ins>+    m_overrides.get(this)[index] = true;
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void DirectArguments::copyToArguments(ExecState* exec, VirtualRegister firstElementDest, unsigned offset, unsigned length)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeDirectArgumentsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/DirectArguments.h (190895 => 190896)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/DirectArguments.h        2015-10-12 22:40:36 UTC (rev 190895)
+++ trunk/Source/JavaScriptCore/runtime/DirectArguments.h        2015-10-12 22:41:01 UTC (rev 190896)
</span><span class="lines">@@ -73,7 +73,7 @@
</span><span class="cx">     
</span><span class="cx">     bool canAccessIndexQuickly(uint32_t i) const
</span><span class="cx">     {
</span><del>-        return i &lt; m_length &amp;&amp; (!m_overrides || !m_overrides.get()[i]);
</del><ins>+        return i &lt; m_length &amp;&amp; (!m_overrides || !m_overrides.get(this)[i]);
</ins><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     bool canAccessArgumentIndexQuicklyInDFG(uint32_t i) const
</span><span class="lines">@@ -148,7 +148,7 @@
</span><span class="cx">     WriteBarrier&lt;JSFunction&gt; m_callee;
</span><span class="cx">     uint32_t m_length; // Always the actual length of captured arguments and never what was stored into the length property.
</span><span class="cx">     uint32_t m_minCapacity; // The max of this and length determines the capacity of this object. It may be the actual capacity, or maybe something smaller. We arrange it this way to be kind to the JITs.
</span><del>-    CopyWriteBarrier&lt;bool&gt; m_overrides; // If non-null, it means that length, callee, and caller are fully materialized properties.
</del><ins>+    CopyBarrier&lt;bool&gt; m_overrides; // If non-null, it means that length, callee, and caller are fully materialized properties.
</ins><span class="cx"> };
</span><span class="cx"> 
</span><span class="cx"> } // namespace JSC
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSArraycpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSArray.cpp (190895 => 190896)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSArray.cpp        2015-10-12 22:40:36 UTC (rev 190895)
+++ trunk/Source/JavaScriptCore/runtime/JSArray.cpp        2015-10-12 22:41:01 UTC (rev 190896)
</span><span class="lines">@@ -392,6 +392,7 @@
</span><span class="cx"> 
</span><span class="cx"> bool JSArray::setLength(ExecState* exec, unsigned newLength, bool throwException)
</span><span class="cx"> {
</span><ins>+    Butterfly* butterfly = m_butterfly.get(this);
</ins><span class="cx">     switch (indexingType()) {
</span><span class="cx">     case ArrayClass:
</span><span class="cx">         if (!newLength)
</span><span class="lines">@@ -408,7 +409,7 @@
</span><span class="cx">     case ArrayWithInt32:
</span><span class="cx">     case ArrayWithDouble:
</span><span class="cx">     case ArrayWithContiguous: {
</span><del>-        if (newLength == m_butterfly-&gt;publicLength())
</del><ins>+        if (newLength == butterfly-&gt;publicLength())
</ins><span class="cx">             return true;
</span><span class="cx">         if (newLength &gt;= MAX_ARRAY_INDEX // This case ensures that we can do fast push.
</span><span class="cx">             || (newLength &gt;= MIN_SPARSE_ARRAY_INDEX
</span><span class="lines">@@ -417,12 +418,12 @@
</span><span class="cx">                 exec, newLength, throwException,
</span><span class="cx">                 ensureArrayStorage(exec-&gt;vm()));
</span><span class="cx">         }
</span><del>-        if (newLength &gt; m_butterfly-&gt;publicLength()) {
</del><ins>+        if (newLength &gt; butterfly-&gt;publicLength()) {
</ins><span class="cx">             ensureLength(exec-&gt;vm(), newLength);
</span><span class="cx">             return true;
</span><span class="cx">         }
</span><span class="cx"> 
</span><del>-        unsigned lengthToClear = m_butterfly-&gt;publicLength() - newLength;
</del><ins>+        unsigned lengthToClear = butterfly-&gt;publicLength() - newLength;
</ins><span class="cx">         unsigned costToAllocateNewButterfly = 64; // a heuristic.
</span><span class="cx">         if (lengthToClear &gt; newLength &amp;&amp; lengthToClear &gt; costToAllocateNewButterfly) {
</span><span class="cx">             reallocateAndShrinkButterfly(exec-&gt;vm(), newLength);
</span><span class="lines">@@ -430,13 +431,13 @@
</span><span class="cx">         }
</span><span class="cx"> 
</span><span class="cx">         if (indexingType() == ArrayWithDouble) {
</span><del>-            for (unsigned i = m_butterfly-&gt;publicLength(); i-- &gt; newLength;)
-                m_butterfly-&gt;contiguousDouble()[i] = PNaN;
</del><ins>+            for (unsigned i = butterfly-&gt;publicLength(); i-- &gt; newLength;)
+                butterfly-&gt;contiguousDouble()[i] = PNaN;
</ins><span class="cx">         } else {
</span><del>-            for (unsigned i = m_butterfly-&gt;publicLength(); i-- &gt; newLength;)
-                m_butterfly-&gt;contiguous()[i].clear();
</del><ins>+            for (unsigned i = butterfly-&gt;publicLength(); i-- &gt; newLength;)
+                butterfly-&gt;contiguous()[i].clear();
</ins><span class="cx">         }
</span><del>-        m_butterfly-&gt;setPublicLength(newLength);
</del><ins>+        butterfly-&gt;setPublicLength(newLength);
</ins><span class="cx">         return true;
</span><span class="cx">     }
</span><span class="cx">         
</span><span class="lines">@@ -452,51 +453,53 @@
</span><span class="cx"> 
</span><span class="cx"> JSValue JSArray::pop(ExecState* exec)
</span><span class="cx"> {
</span><ins>+    Butterfly* butterfly = m_butterfly.get(this);
+    
</ins><span class="cx">     switch (indexingType()) {
</span><span class="cx">     case ArrayClass:
</span><span class="cx">         return jsUndefined();
</span><span class="cx">         
</span><span class="cx">     case ArrayWithUndecided:
</span><del>-        if (!m_butterfly-&gt;publicLength())
</del><ins>+        if (!butterfly-&gt;publicLength())
</ins><span class="cx">             return jsUndefined();
</span><span class="cx">         // We have nothing but holes. So, drop down to the slow version.
</span><span class="cx">         break;
</span><span class="cx">         
</span><span class="cx">     case ArrayWithInt32:
</span><span class="cx">     case ArrayWithContiguous: {
</span><del>-        unsigned length = m_butterfly-&gt;publicLength();
</del><ins>+        unsigned length = butterfly-&gt;publicLength();
</ins><span class="cx">         
</span><span class="cx">         if (!length--)
</span><span class="cx">             return jsUndefined();
</span><span class="cx">         
</span><del>-        RELEASE_ASSERT(length &lt; m_butterfly-&gt;vectorLength());
-        JSValue value = m_butterfly-&gt;contiguous()[length].get();
</del><ins>+        RELEASE_ASSERT(length &lt; butterfly-&gt;vectorLength());
+        JSValue value = butterfly-&gt;contiguous()[length].get();
</ins><span class="cx">         if (value) {
</span><del>-            m_butterfly-&gt;contiguous()[length].clear();
-            m_butterfly-&gt;setPublicLength(length);
</del><ins>+            butterfly-&gt;contiguous()[length].clear();
+            butterfly-&gt;setPublicLength(length);
</ins><span class="cx">             return value;
</span><span class="cx">         }
</span><span class="cx">         break;
</span><span class="cx">     }
</span><span class="cx">         
</span><span class="cx">     case ArrayWithDouble: {
</span><del>-        unsigned length = m_butterfly-&gt;publicLength();
</del><ins>+        unsigned length = butterfly-&gt;publicLength();
</ins><span class="cx">         
</span><span class="cx">         if (!length--)
</span><span class="cx">             return jsUndefined();
</span><span class="cx">         
</span><del>-        RELEASE_ASSERT(length &lt; m_butterfly-&gt;vectorLength());
-        double value = m_butterfly-&gt;contiguousDouble()[length];
</del><ins>+        RELEASE_ASSERT(length &lt; butterfly-&gt;vectorLength());
+        double value = butterfly-&gt;contiguousDouble()[length];
</ins><span class="cx">         if (value == value) {
</span><del>-            m_butterfly-&gt;contiguousDouble()[length] = PNaN;
-            m_butterfly-&gt;setPublicLength(length);
</del><ins>+            butterfly-&gt;contiguousDouble()[length] = PNaN;
+            butterfly-&gt;setPublicLength(length);
</ins><span class="cx">             return JSValue(JSValue::EncodeAsDouble, value);
</span><span class="cx">         }
</span><span class="cx">         break;
</span><span class="cx">     }
</span><span class="cx">         
</span><span class="cx">     case ARRAY_WITH_ARRAY_STORAGE_INDEXING_TYPES: {
</span><del>-        ArrayStorage* storage = m_butterfly-&gt;arrayStorage();
</del><ins>+        ArrayStorage* storage = butterfly-&gt;arrayStorage();
</ins><span class="cx">     
</span><span class="cx">         unsigned length = storage-&gt;length();
</span><span class="cx">         if (!length) {
</span><span class="lines">@@ -547,6 +550,8 @@
</span><span class="cx"> //  - pushing to an array of length 2^32-1 stores the property, but throws a range error.
</span><span class="cx"> void JSArray::push(ExecState* exec, JSValue value)
</span><span class="cx"> {
</span><ins>+    Butterfly* butterfly = m_butterfly.get(this);
+    
</ins><span class="cx">     switch (indexingType()) {
</span><span class="cx">     case ArrayClass: {
</span><span class="cx">         createInitialUndecided(exec-&gt;vm(), 0);
</span><span class="lines">@@ -566,11 +571,11 @@
</span><span class="cx">             return;
</span><span class="cx">         }
</span><span class="cx"> 
</span><del>-        unsigned length = m_butterfly-&gt;publicLength();
-        ASSERT(length &lt;= m_butterfly-&gt;vectorLength());
-        if (length &lt; m_butterfly-&gt;vectorLength()) {
-            m_butterfly-&gt;contiguousInt32()[length].setWithoutWriteBarrier(value);
-            m_butterfly-&gt;setPublicLength(length + 1);
</del><ins>+        unsigned length = butterfly-&gt;publicLength();
+        ASSERT(length &lt;= butterfly-&gt;vectorLength());
+        if (length &lt; butterfly-&gt;vectorLength()) {
+            butterfly-&gt;contiguousInt32()[length].setWithoutWriteBarrier(value);
+            butterfly-&gt;setPublicLength(length + 1);
</ins><span class="cx">             return;
</span><span class="cx">         }
</span><span class="cx">         
</span><span class="lines">@@ -586,11 +591,11 @@
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     case ArrayWithContiguous: {
</span><del>-        unsigned length = m_butterfly-&gt;publicLength();
-        ASSERT(length &lt;= m_butterfly-&gt;vectorLength());
-        if (length &lt; m_butterfly-&gt;vectorLength()) {
-            m_butterfly-&gt;contiguous()[length].set(exec-&gt;vm(), this, value);
-            m_butterfly-&gt;setPublicLength(length + 1);
</del><ins>+        unsigned length = butterfly-&gt;publicLength();
+        ASSERT(length &lt;= butterfly-&gt;vectorLength());
+        if (length &lt; butterfly-&gt;vectorLength()) {
+            butterfly-&gt;contiguous()[length].set(exec-&gt;vm(), this, value);
+            butterfly-&gt;setPublicLength(length + 1);
</ins><span class="cx">             return;
</span><span class="cx">         }
</span><span class="cx">         
</span><span class="lines">@@ -618,11 +623,11 @@
</span><span class="cx">             return;
</span><span class="cx">         }
</span><span class="cx"> 
</span><del>-        unsigned length = m_butterfly-&gt;publicLength();
-        ASSERT(length &lt;= m_butterfly-&gt;vectorLength());
-        if (length &lt; m_butterfly-&gt;vectorLength()) {
-            m_butterfly-&gt;contiguousDouble()[length] = valueAsDouble;
-            m_butterfly-&gt;setPublicLength(length + 1);
</del><ins>+        unsigned length = butterfly-&gt;publicLength();
+        ASSERT(length &lt;= butterfly-&gt;vectorLength());
+        if (length &lt; butterfly-&gt;vectorLength()) {
+            butterfly-&gt;contiguousDouble()[length] = valueAsDouble;
+            butterfly-&gt;setPublicLength(length + 1);
</ins><span class="cx">             return;
</span><span class="cx">         }
</span><span class="cx">         
</span><span class="lines">@@ -648,7 +653,7 @@
</span><span class="cx">     }
</span><span class="cx">         
</span><span class="cx">     case ArrayWithArrayStorage: {
</span><del>-        ArrayStorage* storage = m_butterfly-&gt;arrayStorage();
</del><ins>+        ArrayStorage* storage = butterfly-&gt;arrayStorage();
</ins><span class="cx"> 
</span><span class="cx">         // Fast case - push within vector, always update m_length &amp; m_numValuesInVector.
</span><span class="cx">         unsigned length = storage-&gt;length();
</span><span class="lines">@@ -696,9 +701,9 @@
</span><span class="cx"> 
</span><span class="cx">         auto&amp; resultButterfly = *resultArray-&gt;butterfly();
</span><span class="cx">         if (arrayType == ArrayWithDouble)
</span><del>-            memcpy(resultButterfly.contiguousDouble().data(), m_butterfly-&gt;contiguousDouble().data() + startIndex, sizeof(JSValue) * count);
</del><ins>+            memcpy(resultButterfly.contiguousDouble().data(), m_butterfly.get(this)-&gt;contiguousDouble().data() + startIndex, sizeof(JSValue) * count);
</ins><span class="cx">         else
</span><del>-            memcpy(resultButterfly.contiguous().data(), m_butterfly-&gt;contiguous().data() + startIndex, sizeof(JSValue) * count);
</del><ins>+            memcpy(resultButterfly.contiguous().data(), m_butterfly.get(this)-&gt;contiguous().data() + startIndex, sizeof(JSValue) * count);
</ins><span class="cx">         resultButterfly.setPublicLength(count);
</span><span class="cx"> 
</span><span class="cx">         return resultArray;
</span><span class="lines">@@ -715,8 +720,8 @@
</span><span class="cx">     VM&amp; vm = exec.vm();
</span><span class="cx">     ASSERT(newArrayType == fastConcatType(vm, *this, otherArray));
</span><span class="cx"> 
</span><del>-    unsigned thisArraySize = m_butterfly-&gt;publicLength();
-    unsigned otherArraySize = otherArray.m_butterfly-&gt;publicLength();
</del><ins>+    unsigned thisArraySize = m_butterfly.get(this)-&gt;publicLength();
+    unsigned otherArraySize = otherArray.m_butterfly.get(this)-&gt;publicLength();
</ins><span class="cx">     ASSERT(thisArraySize + otherArraySize &lt; MIN_SPARSE_ARRAY_INDEX);
</span><span class="cx"> 
</span><span class="cx">     Structure* resultStructure = exec.lexicalGlobalObject()-&gt;arrayStructureForIndexingTypeDuringAllocation(newArrayType);
</span><span class="lines">@@ -728,11 +733,11 @@
</span><span class="cx">     auto&amp; otherButterfly = *otherArray.butterfly();
</span><span class="cx">     if (newArrayType == ArrayWithDouble) {
</span><span class="cx">         auto buffer = resultButterfly.contiguousDouble().data();
</span><del>-        memcpy(buffer, m_butterfly-&gt;contiguousDouble().data(), sizeof(JSValue) * thisArraySize);
</del><ins>+        memcpy(buffer, m_butterfly.get(this)-&gt;contiguousDouble().data(), sizeof(JSValue) * thisArraySize);
</ins><span class="cx">         memcpy(buffer + thisArraySize, otherButterfly.contiguousDouble().data(), sizeof(JSValue) * otherArraySize);
</span><span class="cx">     } else {
</span><span class="cx">         auto buffer = resultButterfly.contiguous().data();
</span><del>-        memcpy(buffer, m_butterfly-&gt;contiguous().data(), sizeof(JSValue) * thisArraySize);
</del><ins>+        memcpy(buffer, m_butterfly.get(this)-&gt;contiguous().data(), sizeof(JSValue) * thisArraySize);
</ins><span class="cx">         memcpy(buffer + thisArraySize, otherButterfly.contiguous().data(), sizeof(JSValue) * otherArraySize);
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="lines">@@ -805,8 +810,9 @@
</span><span class="cx">         // Adjust the Butterfly and the index bias. We only need to do this here because we're changing
</span><span class="cx">         // the start of the Butterfly, which needs to point at the first indexed property in the used
</span><span class="cx">         // portion of the vector.
</span><del>-        m_butterfly.setWithoutWriteBarrier(m_butterfly-&gt;shift(structure(), count));
-        storage = m_butterfly-&gt;arrayStorage();
</del><ins>+        Butterfly* butterfly = m_butterfly.get(this)-&gt;shift(structure(), count);
+        m_butterfly.setWithoutBarrier(butterfly);
+        storage = butterfly-&gt;arrayStorage();
</ins><span class="cx">         storage-&gt;m_indexBias += count;
</span><span class="cx"> 
</span><span class="cx">         // Since we're consuming part of the vector by moving its beginning to the left,
</span><span class="lines">@@ -848,6 +854,8 @@
</span><span class="cx"> {
</span><span class="cx">     VM&amp; vm = exec-&gt;vm();
</span><span class="cx">     RELEASE_ASSERT(count &gt; 0);
</span><ins>+
+    Butterfly* butterfly = m_butterfly.get(this);
</ins><span class="cx">     
</span><span class="cx">     switch (indexingType()) {
</span><span class="cx">     case ArrayClass:
</span><span class="lines">@@ -859,7 +867,7 @@
</span><span class="cx">         
</span><span class="cx">     case ArrayWithInt32:
</span><span class="cx">     case ArrayWithContiguous: {
</span><del>-        unsigned oldLength = m_butterfly-&gt;publicLength();
</del><ins>+        unsigned oldLength = butterfly-&gt;publicLength();
</ins><span class="cx">         RELEASE_ASSERT(count &lt;= oldLength);
</span><span class="cx">         
</span><span class="cx">         // We may have to walk the entire array to do the shift. We're willing to do
</span><span class="lines">@@ -874,28 +882,28 @@
</span><span class="cx">         unsigned end = oldLength - count;
</span><span class="cx">         if (this-&gt;structure(vm)-&gt;holesMustForwardToPrototype(vm)) {
</span><span class="cx">             for (unsigned i = startIndex; i &lt; end; ++i) {
</span><del>-                JSValue v = m_butterfly-&gt;contiguous()[i + count].get();
</del><ins>+                JSValue v = butterfly-&gt;contiguous()[i + count].get();
</ins><span class="cx">                 if (UNLIKELY(!v)) {
</span><span class="cx">                     startIndex = i;
</span><span class="cx">                     return shiftCountWithArrayStorage(vm, startIndex, count, ensureArrayStorage(vm));
</span><span class="cx">                 }
</span><del>-                m_butterfly-&gt;contiguous()[i].setWithoutWriteBarrier(v);
</del><ins>+                butterfly-&gt;contiguous()[i].setWithoutWriteBarrier(v);
</ins><span class="cx">             }
</span><span class="cx">         } else {
</span><del>-            memmove(m_butterfly-&gt;contiguous().data() + startIndex, 
-                m_butterfly-&gt;contiguous().data() + startIndex + count, 
</del><ins>+            memmove(butterfly-&gt;contiguous().data() + startIndex, 
+                butterfly-&gt;contiguous().data() + startIndex + count, 
</ins><span class="cx">                 sizeof(JSValue) * (end - startIndex));
</span><span class="cx">         }
</span><span class="cx"> 
</span><span class="cx">         for (unsigned i = end; i &lt; oldLength; ++i)
</span><del>-            m_butterfly-&gt;contiguous()[i].clear();
</del><ins>+            butterfly-&gt;contiguous()[i].clear();
</ins><span class="cx">         
</span><del>-        m_butterfly-&gt;setPublicLength(oldLength - count);
</del><ins>+        butterfly-&gt;setPublicLength(oldLength - count);
</ins><span class="cx">         return true;
</span><span class="cx">     }
</span><span class="cx">         
</span><span class="cx">     case ArrayWithDouble: {
</span><del>-        unsigned oldLength = m_butterfly-&gt;publicLength();
</del><ins>+        unsigned oldLength = butterfly-&gt;publicLength();
</ins><span class="cx">         RELEASE_ASSERT(count &lt;= oldLength);
</span><span class="cx">         
</span><span class="cx">         // We may have to walk the entire array to do the shift. We're willing to do
</span><span class="lines">@@ -910,22 +918,22 @@
</span><span class="cx">         unsigned end = oldLength - count;
</span><span class="cx">         if (this-&gt;structure(vm)-&gt;holesMustForwardToPrototype(vm)) {
</span><span class="cx">             for (unsigned i = startIndex; i &lt; end; ++i) {
</span><del>-                double v = m_butterfly-&gt;contiguousDouble()[i + count];
</del><ins>+                double v = butterfly-&gt;contiguousDouble()[i + count];
</ins><span class="cx">                 if (UNLIKELY(v != v)) {
</span><span class="cx">                     startIndex = i;
</span><span class="cx">                     return shiftCountWithArrayStorage(vm, startIndex, count, ensureArrayStorage(vm));
</span><span class="cx">                 }
</span><del>-                m_butterfly-&gt;contiguousDouble()[i] = v;
</del><ins>+                butterfly-&gt;contiguousDouble()[i] = v;
</ins><span class="cx">             }
</span><span class="cx">         } else {
</span><del>-            memmove(m_butterfly-&gt;contiguousDouble().data() + startIndex,
-                m_butterfly-&gt;contiguousDouble().data() + startIndex + count,
</del><ins>+            memmove(butterfly-&gt;contiguousDouble().data() + startIndex,
+                butterfly-&gt;contiguousDouble().data() + startIndex + count,
</ins><span class="cx">                 sizeof(JSValue) * (end - startIndex));
</span><span class="cx">         }
</span><span class="cx">         for (unsigned i = end; i &lt; oldLength; ++i)
</span><del>-            m_butterfly-&gt;contiguousDouble()[i] = PNaN;
</del><ins>+            butterfly-&gt;contiguousDouble()[i] = PNaN;
</ins><span class="cx">         
</span><del>-        m_butterfly-&gt;setPublicLength(oldLength - count);
</del><ins>+        butterfly-&gt;setPublicLength(oldLength - count);
</ins><span class="cx">         return true;
</span><span class="cx">     }
</span><span class="cx">         
</span><span class="lines">@@ -986,6 +994,8 @@
</span><span class="cx"> 
</span><span class="cx"> bool JSArray::unshiftCountWithAnyIndexingType(ExecState* exec, unsigned startIndex, unsigned count)
</span><span class="cx"> {
</span><ins>+    Butterfly* butterfly = m_butterfly.get(this);
+    
</ins><span class="cx">     switch (indexingType()) {
</span><span class="cx">     case ArrayClass:
</span><span class="cx">     case ArrayWithUndecided:
</span><span class="lines">@@ -994,7 +1004,7 @@
</span><span class="cx"> 
</span><span class="cx">     case ArrayWithInt32:
</span><span class="cx">     case ArrayWithContiguous: {
</span><del>-        unsigned oldLength = m_butterfly-&gt;publicLength();
</del><ins>+        unsigned oldLength = butterfly-&gt;publicLength();
</ins><span class="cx">         
</span><span class="cx">         // We may have to walk the entire array to do the unshift. We're willing to do so
</span><span class="cx">         // only if it's not horribly slow.
</span><span class="lines">@@ -1002,19 +1012,20 @@
</span><span class="cx">             return unshiftCountWithArrayStorage(exec, startIndex, count, ensureArrayStorage(exec-&gt;vm()));
</span><span class="cx">         
</span><span class="cx">         ensureLength(exec-&gt;vm(), oldLength + count);
</span><ins>+        butterfly = m_butterfly.get(this);
</ins><span class="cx"> 
</span><span class="cx">         // We have to check for holes before we start moving things around so that we don't get halfway 
</span><span class="cx">         // through shifting and then realize we should have been in ArrayStorage mode.
</span><span class="cx">         for (unsigned i = oldLength; i-- &gt; startIndex;) {
</span><del>-            JSValue v = m_butterfly-&gt;contiguous()[i].get();
</del><ins>+            JSValue v = butterfly-&gt;contiguous()[i].get();
</ins><span class="cx">             if (UNLIKELY(!v))
</span><span class="cx">                 return unshiftCountWithArrayStorage(exec, startIndex, count, ensureArrayStorage(exec-&gt;vm()));
</span><span class="cx">         }
</span><span class="cx"> 
</span><span class="cx">         for (unsigned i = oldLength; i-- &gt; startIndex;) {
</span><del>-            JSValue v = m_butterfly-&gt;contiguous()[i].get();
</del><ins>+            JSValue v = butterfly-&gt;contiguous()[i].get();
</ins><span class="cx">             ASSERT(v);
</span><del>-            m_butterfly-&gt;contiguous()[i + count].setWithoutWriteBarrier(v);
</del><ins>+            butterfly-&gt;contiguous()[i + count].setWithoutWriteBarrier(v);
</ins><span class="cx">         }
</span><span class="cx">         
</span><span class="cx">         // NOTE: we're leaving being garbage in the part of the array that we shifted out
</span><span class="lines">@@ -1026,7 +1037,7 @@
</span><span class="cx">     }
</span><span class="cx">         
</span><span class="cx">     case ArrayWithDouble: {
</span><del>-        unsigned oldLength = m_butterfly-&gt;publicLength();
</del><ins>+        unsigned oldLength = butterfly-&gt;publicLength();
</ins><span class="cx">         
</span><span class="cx">         // We may have to walk the entire array to do the unshift. We're willing to do so
</span><span class="cx">         // only if it's not horribly slow.
</span><span class="lines">@@ -1034,19 +1045,20 @@
</span><span class="cx">             return unshiftCountWithArrayStorage(exec, startIndex, count, ensureArrayStorage(exec-&gt;vm()));
</span><span class="cx">         
</span><span class="cx">         ensureLength(exec-&gt;vm(), oldLength + count);
</span><ins>+        butterfly = m_butterfly.get(this);
</ins><span class="cx">         
</span><span class="cx">         // We have to check for holes before we start moving things around so that we don't get halfway 
</span><span class="cx">         // through shifting and then realize we should have been in ArrayStorage mode.
</span><span class="cx">         for (unsigned i = oldLength; i-- &gt; startIndex;) {
</span><del>-            double v = m_butterfly-&gt;contiguousDouble()[i];
</del><ins>+            double v = butterfly-&gt;contiguousDouble()[i];
</ins><span class="cx">             if (UNLIKELY(v != v))
</span><span class="cx">                 return unshiftCountWithArrayStorage(exec, startIndex, count, ensureArrayStorage(exec-&gt;vm()));
</span><span class="cx">         }
</span><span class="cx"> 
</span><span class="cx">         for (unsigned i = oldLength; i-- &gt; startIndex;) {
</span><del>-            double v = m_butterfly-&gt;contiguousDouble()[i];
</del><ins>+            double v = butterfly-&gt;contiguousDouble()[i];
</ins><span class="cx">             ASSERT(v == v);
</span><del>-            m_butterfly-&gt;contiguousDouble()[i + count] = v;
</del><ins>+            butterfly-&gt;contiguousDouble()[i + count] = v;
</ins><span class="cx">         }
</span><span class="cx">         
</span><span class="cx">         // NOTE: we're leaving being garbage in the part of the array that we shifted out
</span><span class="lines">@@ -1072,6 +1084,8 @@
</span><span class="cx">     unsigned i = 0;
</span><span class="cx">     unsigned vectorEnd;
</span><span class="cx">     WriteBarrier&lt;Unknown&gt;* vector;
</span><ins>+
+    Butterfly* butterfly = m_butterfly.get(this);
</ins><span class="cx">     
</span><span class="cx">     switch (indexingType()) {
</span><span class="cx">     case ArrayClass:
</span><span class="lines">@@ -1085,16 +1099,16 @@
</span><span class="cx">         
</span><span class="cx">     case ArrayWithInt32:
</span><span class="cx">     case ArrayWithContiguous: {
</span><del>-        vectorEnd = m_butterfly-&gt;publicLength();
-        vector = m_butterfly-&gt;contiguous().data();
</del><ins>+        vectorEnd = butterfly-&gt;publicLength();
+        vector = butterfly-&gt;contiguous().data();
</ins><span class="cx">         break;
</span><span class="cx">     }
</span><span class="cx">         
</span><span class="cx">     case ArrayWithDouble: {
</span><span class="cx">         vector = 0;
</span><span class="cx">         vectorEnd = 0;
</span><del>-        for (; i &lt; m_butterfly-&gt;publicLength(); ++i) {
-            double v = butterfly()-&gt;contiguousDouble()[i];
</del><ins>+        for (; i &lt; butterfly-&gt;publicLength(); ++i) {
+            double v = butterfly-&gt;contiguousDouble()[i];
</ins><span class="cx">             if (v != v)
</span><span class="cx">                 break;
</span><span class="cx">             args.append(JSValue(JSValue::EncodeAsDouble, v));
</span><span class="lines">@@ -1103,7 +1117,7 @@
</span><span class="cx">     }
</span><span class="cx">     
</span><span class="cx">     case ARRAY_WITH_ARRAY_STORAGE_INDEXING_TYPES: {
</span><del>-        ArrayStorage* storage = m_butterfly-&gt;arrayStorage();
</del><ins>+        ArrayStorage* storage = butterfly-&gt;arrayStorage();
</ins><span class="cx">         
</span><span class="cx">         vector = storage-&gt;m_vector;
</span><span class="cx">         vectorEnd = min(storage-&gt;length(), storage-&gt;vectorLength());
</span><span class="lines">@@ -1141,6 +1155,8 @@
</span><span class="cx">     // FIXME: What prevents this from being called with a RuntimeArray? The length function will always return 0 in that case.
</span><span class="cx">     ASSERT(length == this-&gt;length());
</span><span class="cx"> 
</span><ins>+    Butterfly* butterfly = m_butterfly.get(this);
+    
</ins><span class="cx">     switch (indexingType()) {
</span><span class="cx">     case ArrayClass:
</span><span class="cx">         return;
</span><span class="lines">@@ -1153,17 +1169,17 @@
</span><span class="cx">         
</span><span class="cx">     case ArrayWithInt32:
</span><span class="cx">     case ArrayWithContiguous: {
</span><del>-        vector = m_butterfly-&gt;contiguous().data();
-        vectorEnd = m_butterfly-&gt;publicLength();
</del><ins>+        vector = butterfly-&gt;contiguous().data();
+        vectorEnd = butterfly-&gt;publicLength();
</ins><span class="cx">         break;
</span><span class="cx">     }
</span><span class="cx">         
</span><span class="cx">     case ArrayWithDouble: {
</span><span class="cx">         vector = 0;
</span><span class="cx">         vectorEnd = 0;
</span><del>-        for (; i &lt; m_butterfly-&gt;publicLength(); ++i) {
-            ASSERT(i &lt; butterfly()-&gt;vectorLength());
-            double v = m_butterfly-&gt;contiguousDouble()[i];
</del><ins>+        for (; i &lt; butterfly-&gt;publicLength(); ++i) {
+            ASSERT(i &lt; butterfly-&gt;vectorLength());
+            double v = butterfly-&gt;contiguousDouble()[i];
</ins><span class="cx">             if (v != v)
</span><span class="cx">                 break;
</span><span class="cx">             exec-&gt;r(firstElementDest + i - offset) = JSValue(JSValue::EncodeAsDouble, v);
</span><span class="lines">@@ -1172,7 +1188,7 @@
</span><span class="cx">     }
</span><span class="cx">         
</span><span class="cx">     case ARRAY_WITH_ARRAY_STORAGE_INDEXING_TYPES: {
</span><del>-        ArrayStorage* storage = m_butterfly-&gt;arrayStorage();
</del><ins>+        ArrayStorage* storage = butterfly-&gt;arrayStorage();
</ins><span class="cx">         vector = storage-&gt;m_vector;
</span><span class="cx">         vectorEnd = min(length, storage-&gt;vectorLength());
</span><span class="cx">         break;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSArrayBufferViewcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSArrayBufferView.cpp (190895 => 190896)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSArrayBufferView.cpp        2015-10-12 22:40:36 UTC (rev 190895)
+++ trunk/Source/JavaScriptCore/runtime/JSArrayBufferView.cpp        2015-10-12 22:41:01 UTC (rev 190896)
</span><span class="lines">@@ -88,10 +88,10 @@
</span><span class="cx">     VM&amp; vm, Structure* structure, PassRefPtr&lt;ArrayBuffer&gt; arrayBuffer,
</span><span class="cx">     unsigned byteOffset, unsigned length)
</span><span class="cx">     : m_structure(structure)
</span><del>-    , m_vector(static_cast&lt;uint8_t*&gt;(arrayBuffer-&gt;data()) + byteOffset)
</del><span class="cx">     , m_length(length)
</span><span class="cx">     , m_mode(WastefulTypedArray)
</span><span class="cx"> {
</span><ins>+    m_vector = static_cast&lt;uint8_t*&gt;(arrayBuffer-&gt;data()) + byteOffset;
</ins><span class="cx">     IndexingHeader indexingHeader;
</span><span class="cx">     indexingHeader.setArrayBuffer(arrayBuffer.get());
</span><span class="cx">     m_butterfly = Butterfly::create(vm, 0, 0, 0, true, indexingHeader, 0);
</span><span class="lines">@@ -101,19 +101,19 @@
</span><span class="cx">     Structure* structure, PassRefPtr&lt;ArrayBuffer&gt; arrayBuffer,
</span><span class="cx">     unsigned byteOffset, unsigned length, DataViewTag)
</span><span class="cx">     : m_structure(structure)
</span><del>-    , m_vector(static_cast&lt;uint8_t*&gt;(arrayBuffer-&gt;data()) + byteOffset)
</del><span class="cx">     , m_length(length)
</span><span class="cx">     , m_mode(DataViewMode)
</span><span class="cx">     , m_butterfly(0)
</span><span class="cx"> {
</span><ins>+    m_vector = static_cast&lt;uint8_t*&gt;(arrayBuffer-&gt;data()) + byteOffset;
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> JSArrayBufferView::JSArrayBufferView(VM&amp; vm, ConstructionContext&amp; context)
</span><span class="cx">     : Base(vm, context.structure(), context.butterfly())
</span><del>-    , m_vector(context.vector())
</del><span class="cx">     , m_length(context.length())
</span><span class="cx">     , m_mode(context.mode())
</span><span class="cx"> {
</span><ins>+    m_vector.setWithoutBarrier(static_cast&lt;char*&gt;(context.vector()));
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void JSArrayBufferView::finishCreation(VM&amp; vm)
</span><span class="lines">@@ -215,7 +215,7 @@
</span><span class="cx">     JSArrayBufferView* thisObject = static_cast&lt;JSArrayBufferView*&gt;(cell);
</span><span class="cx">     ASSERT(thisObject-&gt;m_mode == OversizeTypedArray || thisObject-&gt;m_mode == WastefulTypedArray);
</span><span class="cx">     if (thisObject-&gt;m_mode == OversizeTypedArray)
</span><del>-        fastFree(thisObject-&gt;m_vector);
</del><ins>+        fastFree(thisObject-&gt;m_vector.getWithoutBarrier());
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> } // namespace JSC
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSArrayBufferViewh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSArrayBufferView.h (190895 => 190896)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSArrayBufferView.h        2015-10-12 22:40:36 UTC (rev 190895)
+++ trunk/Source/JavaScriptCore/runtime/JSArrayBufferView.h        2015-10-12 22:41:01 UTC (rev 190896)
</span><span class="lines">@@ -161,7 +161,7 @@
</span><span class="cx">     PassRefPtr&lt;ArrayBufferView&gt; impl();
</span><span class="cx">     void neuter();
</span><span class="cx">     
</span><del>-    void* vector() { return m_vector; }
</del><ins>+    void* vector() { return m_vector.get(this); }
</ins><span class="cx">     unsigned byteOffset();
</span><span class="cx">     unsigned length() const { return m_length; }
</span><span class="cx"> 
</span><span class="lines">@@ -177,7 +177,7 @@
</span><span class="cx"> protected:
</span><span class="cx">     ArrayBuffer* existingBufferInButterfly();
</span><span class="cx"> 
</span><del>-    void* m_vector;
</del><ins>+    CopyBarrier&lt;char&gt; m_vector; // this is really a void*, but void would not work here.
</ins><span class="cx">     uint32_t m_length;
</span><span class="cx">     TypedArrayMode m_mode;
</span><span class="cx"> };
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSArrayBufferViewInlinesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSArrayBufferViewInlines.h (190895 => 190896)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSArrayBufferViewInlines.h        2015-10-12 22:40:36 UTC (rev 190895)
+++ trunk/Source/JavaScriptCore/runtime/JSArrayBufferViewInlines.h        2015-10-12 22:41:01 UTC (rev 190896)
</span><span class="lines">@@ -59,7 +59,7 @@
</span><span class="cx"> {
</span><span class="cx">     ASSERT(hasArrayBuffer());
</span><span class="cx">     m_length = 0;
</span><del>-    m_vector = 0;
</del><ins>+    m_vector.clear();
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> inline unsigned JSArrayBufferView::byteOffset()
</span><span class="lines">@@ -68,7 +68,7 @@
</span><span class="cx">         return 0;
</span><span class="cx">     
</span><span class="cx">     ptrdiff_t delta =
</span><del>-        static_cast&lt;uint8_t*&gt;(m_vector) - static_cast&lt;uint8_t*&gt;(buffer()-&gt;data());
</del><ins>+        bitwise_cast&lt;uint8_t*&gt;(m_vector.get(this)) - static_cast&lt;uint8_t*&gt;(buffer()-&gt;data());
</ins><span class="cx">     
</span><span class="cx">     unsigned result = static_cast&lt;unsigned&gt;(delta);
</span><span class="cx">     ASSERT(static_cast&lt;ptrdiff_t&gt;(result) == delta);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSGenericTypedArrayViewh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayView.h (190895 => 190896)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayView.h        2015-10-12 22:40:36 UTC (rev 190895)
+++ trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayView.h        2015-10-12 22:41:01 UTC (rev 190896)
</span><span class="lines">@@ -108,11 +108,11 @@
</span><span class="cx">     
</span><span class="cx">     const typename Adaptor::Type* typedVector() const
</span><span class="cx">     {
</span><del>-        return static_cast&lt;const typename Adaptor::Type*&gt;(m_vector);
</del><ins>+        return bitwise_cast&lt;const typename Adaptor::Type*&gt;(m_vector.get(this));
</ins><span class="cx">     }
</span><span class="cx">     typename Adaptor::Type* typedVector()
</span><span class="cx">     {
</span><del>-        return static_cast&lt;typename Adaptor::Type*&gt;(m_vector);
</del><ins>+        return bitwise_cast&lt;typename Adaptor::Type*&gt;(m_vector.get(this));
</ins><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     // These methods are meant to match indexed access methods that JSObject
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSGenericTypedArrayViewInlinesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h (190895 => 190896)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h        2015-10-12 22:40:36 UTC (rev 190895)
+++ trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h        2015-10-12 22:41:01 UTC (rev 190896)
</span><span class="lines">@@ -441,7 +441,7 @@
</span><span class="cx">     switch (thisObject-&gt;m_mode) {
</span><span class="cx">     case FastTypedArray: {
</span><span class="cx">         if (thisObject-&gt;m_vector)
</span><del>-            visitor.copyLater(thisObject, TypedArrayVectorCopyToken, thisObject-&gt;m_vector, thisObject-&gt;byteSize());
</del><ins>+            visitor.copyLater(thisObject, TypedArrayVectorCopyToken, thisObject-&gt;m_vector.getWithoutBarrier(), thisObject-&gt;byteSize());
</ins><span class="cx">         break;
</span><span class="cx">     }
</span><span class="cx">         
</span><span class="lines">@@ -468,12 +468,12 @@
</span><span class="cx">     JSGenericTypedArrayView* thisObject = jsCast&lt;JSGenericTypedArrayView*&gt;(cell);
</span><span class="cx">     
</span><span class="cx">     if (token == TypedArrayVectorCopyToken
</span><del>-        &amp;&amp; visitor.checkIfShouldCopy(thisObject-&gt;m_vector)) {
</del><ins>+        &amp;&amp; visitor.checkIfShouldCopy(thisObject-&gt;m_vector.getWithoutBarrier())) {
</ins><span class="cx">         ASSERT(thisObject-&gt;m_vector);
</span><del>-        void* oldVector = thisObject-&gt;m_vector;
</del><ins>+        void* oldVector = thisObject-&gt;m_vector.get(thisObject);
</ins><span class="cx">         void* newVector = visitor.allocateNewSpace(thisObject-&gt;byteSize());
</span><span class="cx">         memcpy(newVector, oldVector, thisObject-&gt;byteSize());
</span><del>-        thisObject-&gt;m_vector = newVector;
</del><ins>+        thisObject-&gt;m_vector.setWithoutBarrier(static_cast&lt;char*&gt;(newVector));
</ins><span class="cx">         visitor.didCopy(oldVector, thisObject-&gt;byteSize());
</span><span class="cx">     }
</span><span class="cx">     
</span><span class="lines">@@ -508,8 +508,8 @@
</span><span class="cx">         &amp;&amp; !thisObject-&gt;butterfly() &amp;&amp; size &gt;= sizeof(IndexingHeader)) {
</span><span class="cx">         ASSERT(thisObject-&gt;m_vector);
</span><span class="cx">         // Reuse already allocated memory if at all possible.
</span><del>-        thisObject-&gt;m_butterfly.setWithoutWriteBarrier(
-            static_cast&lt;IndexingHeader*&gt;(thisObject-&gt;m_vector)-&gt;butterfly());
</del><ins>+        thisObject-&gt;m_butterfly.setWithoutBarrier(
+            bitwise_cast&lt;IndexingHeader*&gt;(thisObject-&gt;m_vector.get(thisObject))-&gt;butterfly());
</ins><span class="cx">     } else {
</span><span class="cx">         VM&amp; vm = *heap-&gt;vm();
</span><span class="cx">         thisObject-&gt;m_butterfly.set(vm, thisObject, Butterfly::createOrGrowArrayRight(
</span><span class="lines">@@ -521,14 +521,14 @@
</span><span class="cx">     
</span><span class="cx">     switch (thisObject-&gt;m_mode) {
</span><span class="cx">     case FastTypedArray:
</span><del>-        buffer = ArrayBuffer::create(thisObject-&gt;m_vector, thisObject-&gt;byteLength());
</del><ins>+        buffer = ArrayBuffer::create(thisObject-&gt;m_vector.get(thisObject), thisObject-&gt;byteLength());
</ins><span class="cx">         break;
</span><span class="cx">         
</span><span class="cx">     case OversizeTypedArray:
</span><span class="cx">         // FIXME: consider doing something like &quot;subtracting&quot; from extra memory
</span><span class="cx">         // cost, since right now this case will cause the GC to think that we reallocated
</span><span class="cx">         // the whole buffer.
</span><del>-        buffer = ArrayBuffer::createAdopted(thisObject-&gt;m_vector, thisObject-&gt;byteLength());
</del><ins>+        buffer = ArrayBuffer::createAdopted(thisObject-&gt;m_vector.get(thisObject), thisObject-&gt;byteLength());
</ins><span class="cx">         break;
</span><span class="cx">         
</span><span class="cx">     default:
</span><span class="lines">@@ -537,7 +537,7 @@
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     thisObject-&gt;butterfly()-&gt;indexingHeader()-&gt;setArrayBuffer(buffer.get());
</span><del>-    thisObject-&gt;m_vector = buffer-&gt;data();
</del><ins>+    thisObject-&gt;m_vector.setWithoutBarrier(static_cast&lt;char*&gt;(buffer-&gt;data()));
</ins><span class="cx">     thisObject-&gt;m_mode = WastefulTypedArray;
</span><span class="cx">     heap-&gt;addReference(thisObject, buffer.get());
</span><span class="cx">     
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSMaph"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSMap.h (190895 => 190896)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSMap.h        2015-10-12 22:40:36 UTC (rev 190895)
+++ trunk/Source/JavaScriptCore/runtime/JSMap.h        2015-10-12 22:41:01 UTC (rev 190896)
</span><span class="lines">@@ -117,7 +117,7 @@
</span><span class="cx"> private:
</span><span class="cx">     JSMap(VM&amp; vm, Structure* structure)
</span><span class="cx">         : Base(vm, structure)
</span><del>-        , m_mapData(vm)
</del><ins>+        , m_mapData(vm, this)
</ins><span class="cx">     {
</span><span class="cx">     }
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSObjectcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSObject.cpp (190895 => 190896)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSObject.cpp        2015-10-12 22:40:36 UTC (rev 190895)
+++ trunk/Source/JavaScriptCore/runtime/JSObject.cpp        2015-10-12 22:41:01 UTC (rev 190896)
</span><span class="lines">@@ -150,7 +150,7 @@
</span><span class="cx">             memcpy(currentTarget, currentSource, count * sizeof(EncodedJSValue));
</span><span class="cx">         }
</span><span class="cx">         
</span><del>-        m_butterfly.setWithoutWriteBarrier(newButterfly);
</del><ins>+        m_butterfly.setWithoutBarrier(newButterfly);
</ins><span class="cx">         visitor.didCopy(butterfly-&gt;base(preCapacity, propertyCapacity), capacityInBytes);
</span><span class="cx">     } 
</span><span class="cx"> }
</span><span class="lines">@@ -206,7 +206,7 @@
</span><span class="cx">     
</span><span class="cx">     JSCell::visitChildren(thisObject, visitor);
</span><span class="cx"> 
</span><del>-    Butterfly* butterfly = thisObject-&gt;butterfly();
</del><ins>+    Butterfly* butterfly = thisObject-&gt;m_butterfly.getWithoutBarrier();
</ins><span class="cx">     if (butterfly)
</span><span class="cx">         thisObject-&gt;visitButterfly(visitor, butterfly, thisObject-&gt;structure(visitor.vm())-&gt;outOfLineSize());
</span><span class="cx"> 
</span><span class="lines">@@ -223,7 +223,7 @@
</span><span class="cx">     if (token != ButterflyCopyToken)
</span><span class="cx">         return;
</span><span class="cx">     
</span><del>-    Butterfly* butterfly = thisObject-&gt;butterfly();
</del><ins>+    Butterfly* butterfly = thisObject-&gt;m_butterfly.getWithoutBarrier();
</ins><span class="cx">     if (butterfly)
</span><span class="cx">         thisObject-&gt;copyButterfly(visitor, butterfly, thisObject-&gt;structure()-&gt;outOfLineSize());
</span><span class="cx"> }
</span><span class="lines">@@ -341,7 +341,7 @@
</span><span class="cx">     }
</span><span class="cx">         
</span><span class="cx">     case ALL_ARRAY_STORAGE_INDEXING_TYPES: {
</span><del>-        ArrayStorage* storage = thisObject-&gt;m_butterfly-&gt;arrayStorage();
</del><ins>+        ArrayStorage* storage = thisObject-&gt;m_butterfly.get(thisObject)-&gt;arrayStorage();
</ins><span class="cx">         if (i &gt;= storage-&gt;length())
</span><span class="cx">             return false;
</span><span class="cx">         
</span><span class="lines">@@ -514,7 +514,7 @@
</span><span class="cx">         
</span><span class="cx">     case NonArrayWithArrayStorage:
</span><span class="cx">     case ArrayWithArrayStorage: {
</span><del>-        ArrayStorage* storage = thisObject-&gt;m_butterfly-&gt;arrayStorage();
</del><ins>+        ArrayStorage* storage = thisObject-&gt;m_butterfly.get(thisObject)-&gt;arrayStorage();
</ins><span class="cx">         
</span><span class="cx">         if (propertyName &gt;= storage-&gt;vectorLength())
</span><span class="cx">             break;
</span><span class="lines">@@ -536,7 +536,7 @@
</span><span class="cx">         
</span><span class="cx">     case NonArrayWithSlowPutArrayStorage:
</span><span class="cx">     case ArrayWithSlowPutArrayStorage: {
</span><del>-        ArrayStorage* storage = thisObject-&gt;m_butterfly-&gt;arrayStorage();
</del><ins>+        ArrayStorage* storage = thisObject-&gt;m_butterfly.get(thisObject)-&gt;arrayStorage();
</ins><span class="cx">         
</span><span class="cx">         if (propertyName &gt;= storage-&gt;vectorLength())
</span><span class="cx">             break;
</span><span class="lines">@@ -613,7 +613,7 @@
</span><span class="cx">         enterDictionaryIndexingModeWhenArrayStorageAlreadyExists(vm, ensureArrayStorageSlow(vm));
</span><span class="cx">         break;
</span><span class="cx">     case ALL_ARRAY_STORAGE_INDEXING_TYPES:
</span><del>-        enterDictionaryIndexingModeWhenArrayStorageAlreadyExists(vm, m_butterfly-&gt;arrayStorage());
</del><ins>+        enterDictionaryIndexingModeWhenArrayStorageAlreadyExists(vm, m_butterfly.get(this)-&gt;arrayStorage());
</ins><span class="cx">         break;
</span><span class="cx">         
</span><span class="cx">     default:
</span><span class="lines">@@ -643,7 +643,7 @@
</span><span class="cx">     ASSERT(!indexingShouldBeSparse());
</span><span class="cx">     unsigned vectorLength = std::max(length, BASE_VECTOR_LEN);
</span><span class="cx">     Butterfly* newButterfly = Butterfly::createOrGrowArrayRight(
</span><del>-        m_butterfly.get(), vm, this, structure(), structure()-&gt;outOfLineCapacity(), false, 0,
</del><ins>+        m_butterfly.get(this), vm, this, structure(), structure()-&gt;outOfLineCapacity(), false, 0,
</ins><span class="cx">         elementSize * vectorLength);
</span><span class="cx">     newButterfly-&gt;setPublicLength(length);
</span><span class="cx">     newButterfly-&gt;setVectorLength(vectorLength);
</span><span class="lines">@@ -695,7 +695,7 @@
</span><span class="cx">     IndexingType oldType = indexingType();
</span><span class="cx">     ASSERT_UNUSED(oldType, !hasIndexedProperties(oldType));
</span><span class="cx">     Butterfly* newButterfly = Butterfly::createOrGrowArrayRight(
</span><del>-        m_butterfly.get(), vm, this, structure, structure-&gt;outOfLineCapacity(), false, 0,
</del><ins>+        m_butterfly.get(this), vm, this, structure, structure-&gt;outOfLineCapacity(), false, 0,
</ins><span class="cx">         ArrayStorage::sizeFor(vectorLength));
</span><span class="cx">     RELEASE_ASSERT(newButterfly);
</span><span class="cx"> 
</span><span class="lines">@@ -719,31 +719,32 @@
</span><span class="cx"> {
</span><span class="cx">     ASSERT(hasUndecided(indexingType()));
</span><span class="cx">     setStructure(vm, Structure::nonPropertyTransition(vm, structure(vm), AllocateInt32));
</span><del>-    return m_butterfly-&gt;contiguousInt32();
</del><ins>+    return m_butterfly.get(this)-&gt;contiguousInt32();
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> ContiguousDoubles JSObject::convertUndecidedToDouble(VM&amp; vm)
</span><span class="cx"> {
</span><span class="cx">     ASSERT(hasUndecided(indexingType()));
</span><ins>+
+    Butterfly* butterfly = m_butterfly.get(this);
+    for (unsigned i = butterfly-&gt;vectorLength(); i--;)
+        butterfly-&gt;contiguousDouble()[i] = PNaN;
</ins><span class="cx">     
</span><del>-    for (unsigned i = m_butterfly-&gt;vectorLength(); i--;)
-        m_butterfly-&gt;contiguousDouble()[i] = PNaN;
-    
</del><span class="cx">     setStructure(vm, Structure::nonPropertyTransition(vm, structure(vm), AllocateDouble));
</span><del>-    return m_butterfly-&gt;contiguousDouble();
</del><ins>+    return m_butterfly.get(this)-&gt;contiguousDouble();
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> ContiguousJSValues JSObject::convertUndecidedToContiguous(VM&amp; vm)
</span><span class="cx"> {
</span><span class="cx">     ASSERT(hasUndecided(indexingType()));
</span><span class="cx">     setStructure(vm, Structure::nonPropertyTransition(vm, structure(vm), AllocateContiguous));
</span><del>-    return m_butterfly-&gt;contiguous();
</del><ins>+    return m_butterfly.get(this)-&gt;contiguous();
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> ArrayStorage* JSObject::constructConvertedArrayStorageWithoutCopyingElements(VM&amp; vm, unsigned neededLength)
</span><span class="cx"> {
</span><span class="cx">     Structure* structure = this-&gt;structure(vm);
</span><del>-    unsigned publicLength = m_butterfly-&gt;publicLength();
</del><ins>+    unsigned publicLength = m_butterfly.get(this)-&gt;publicLength();
</ins><span class="cx">     unsigned propertyCapacity = structure-&gt;outOfLineCapacity();
</span><span class="cx">     unsigned propertySize = structure-&gt;outOfLineSize();
</span><span class="cx">     
</span><span class="lines">@@ -752,7 +753,7 @@
</span><span class="cx">     
</span><span class="cx">     memcpy(
</span><span class="cx">         newButterfly-&gt;propertyStorage() - propertySize,
</span><del>-        m_butterfly-&gt;propertyStorage() - propertySize,
</del><ins>+        m_butterfly.get(this)-&gt;propertyStorage() - propertySize,
</ins><span class="cx">         propertySize * sizeof(EncodedJSValue));
</span><span class="cx">     
</span><span class="cx">     ArrayStorage* newStorage = newButterfly-&gt;arrayStorage();
</span><span class="lines">@@ -770,7 +771,7 @@
</span><span class="cx">     DeferGC deferGC(vm.heap);
</span><span class="cx">     ASSERT(hasUndecided(indexingType()));
</span><span class="cx"> 
</span><del>-    unsigned vectorLength = m_butterfly-&gt;vectorLength();
</del><ins>+    unsigned vectorLength = m_butterfly.get(this)-&gt;vectorLength();
</ins><span class="cx">     ArrayStorage* storage = constructConvertedArrayStorageWithoutCopyingElements(vm, vectorLength);
</span><span class="cx">     // No need to copy elements.
</span><span class="cx">     
</span><span class="lines">@@ -787,9 +788,10 @@
</span><span class="cx"> ContiguousDoubles JSObject::convertInt32ToDouble(VM&amp; vm)
</span><span class="cx"> {
</span><span class="cx">     ASSERT(hasInt32(indexingType()));
</span><del>-    
-    for (unsigned i = m_butterfly-&gt;vectorLength(); i--;) {
-        WriteBarrier&lt;Unknown&gt;* current = &amp;m_butterfly-&gt;contiguousInt32()[i];
</del><ins>+
+    Butterfly* butterfly = m_butterfly.get(this);
+    for (unsigned i = butterfly-&gt;vectorLength(); i--;) {
+        WriteBarrier&lt;Unknown&gt;* current = &amp;butterfly-&gt;contiguousInt32()[i];
</ins><span class="cx">         double* currentAsDouble = bitwise_cast&lt;double*&gt;(current);
</span><span class="cx">         JSValue v = current-&gt;get();
</span><span class="cx">         if (!v) {
</span><span class="lines">@@ -801,7 +803,7 @@
</span><span class="cx">     }
</span><span class="cx">     
</span><span class="cx">     setStructure(vm, Structure::nonPropertyTransition(vm, structure(vm), AllocateDouble));
</span><del>-    return m_butterfly-&gt;contiguousDouble();
</del><ins>+    return m_butterfly.get(this)-&gt;contiguousDouble();
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> ContiguousJSValues JSObject::convertInt32ToContiguous(VM&amp; vm)
</span><span class="lines">@@ -809,7 +811,7 @@
</span><span class="cx">     ASSERT(hasInt32(indexingType()));
</span><span class="cx">     
</span><span class="cx">     setStructure(vm, Structure::nonPropertyTransition(vm, structure(vm), AllocateContiguous));
</span><del>-    return m_butterfly-&gt;contiguous();
</del><ins>+    return m_butterfly.get(this)-&gt;contiguous();
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> ArrayStorage* JSObject::convertInt32ToArrayStorage(VM&amp; vm, NonPropertyTransition transition)
</span><span class="lines">@@ -817,10 +819,11 @@
</span><span class="cx">     DeferGC deferGC(vm.heap);
</span><span class="cx">     ASSERT(hasInt32(indexingType()));
</span><span class="cx"> 
</span><del>-    unsigned vectorLength = m_butterfly-&gt;vectorLength();
</del><ins>+    unsigned vectorLength = m_butterfly.get(this)-&gt;vectorLength();
</ins><span class="cx">     ArrayStorage* newStorage = constructConvertedArrayStorageWithoutCopyingElements(vm, vectorLength);
</span><del>-    for (unsigned i = 0; i &lt; m_butterfly-&gt;publicLength(); i++) {
-        JSValue v = m_butterfly-&gt;contiguous()[i].get();
</del><ins>+    Butterfly* butterfly = m_butterfly.get(this);
+    for (unsigned i = 0; i &lt; butterfly-&gt;publicLength(); i++) {
+        JSValue v = butterfly-&gt;contiguous()[i].get();
</ins><span class="cx">         if (v) {
</span><span class="cx">             newStorage-&gt;m_vector[i].setWithoutWriteBarrier(v);
</span><span class="cx">             newStorage-&gt;m_numValuesInVector++;
</span><span class="lines">@@ -841,9 +844,10 @@
</span><span class="cx"> ContiguousJSValues JSObject::convertDoubleToContiguous(VM&amp; vm)
</span><span class="cx"> {
</span><span class="cx">     ASSERT(hasDouble(indexingType()));
</span><del>-    
-    for (unsigned i = m_butterfly-&gt;vectorLength(); i--;) {
-        double* current = &amp;m_butterfly-&gt;contiguousDouble()[i];
</del><ins>+
+    Butterfly* butterfly = m_butterfly.get(this);
+    for (unsigned i = butterfly-&gt;vectorLength(); i--;) {
+        double* current = &amp;butterfly-&gt;contiguousDouble()[i];
</ins><span class="cx">         WriteBarrier&lt;Unknown&gt;* currentAsValue = bitwise_cast&lt;WriteBarrier&lt;Unknown&gt;*&gt;(current);
</span><span class="cx">         double value = *current;
</span><span class="cx">         if (value != value) {
</span><span class="lines">@@ -855,7 +859,7 @@
</span><span class="cx">     }
</span><span class="cx">     
</span><span class="cx">     setStructure(vm, Structure::nonPropertyTransition(vm, structure(vm), AllocateContiguous));
</span><del>-    return m_butterfly-&gt;contiguous();
</del><ins>+    return m_butterfly.get(this)-&gt;contiguous();
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> ArrayStorage* JSObject::convertDoubleToArrayStorage(VM&amp; vm, NonPropertyTransition transition)
</span><span class="lines">@@ -863,10 +867,11 @@
</span><span class="cx">     DeferGC deferGC(vm.heap);
</span><span class="cx">     ASSERT(hasDouble(indexingType()));
</span><span class="cx"> 
</span><del>-    unsigned vectorLength = m_butterfly-&gt;vectorLength();
</del><ins>+    unsigned vectorLength = m_butterfly.get(this)-&gt;vectorLength();
</ins><span class="cx">     ArrayStorage* newStorage = constructConvertedArrayStorageWithoutCopyingElements(vm, vectorLength);
</span><del>-    for (unsigned i = 0; i &lt; m_butterfly-&gt;publicLength(); i++) {
-        double value = m_butterfly-&gt;contiguousDouble()[i];
</del><ins>+    Butterfly* butterfly = m_butterfly.get(this);
+    for (unsigned i = 0; i &lt; butterfly-&gt;publicLength(); i++) {
+        double value = butterfly-&gt;contiguousDouble()[i];
</ins><span class="cx">         if (value == value) {
</span><span class="cx">             newStorage-&gt;m_vector[i].setWithoutWriteBarrier(JSValue(JSValue::EncodeAsDouble, value));
</span><span class="cx">             newStorage-&gt;m_numValuesInVector++;
</span><span class="lines">@@ -889,10 +894,11 @@
</span><span class="cx">     DeferGC deferGC(vm.heap);
</span><span class="cx">     ASSERT(hasContiguous(indexingType()));
</span><span class="cx"> 
</span><del>-    unsigned vectorLength = m_butterfly-&gt;vectorLength();
</del><ins>+    unsigned vectorLength = m_butterfly.get(this)-&gt;vectorLength();
</ins><span class="cx">     ArrayStorage* newStorage = constructConvertedArrayStorageWithoutCopyingElements(vm, vectorLength);
</span><del>-    for (unsigned i = 0; i &lt; m_butterfly-&gt;publicLength(); i++) {
-        JSValue v = m_butterfly-&gt;contiguous()[i].get();
</del><ins>+    Butterfly* butterfly = m_butterfly.get(this);
+    for (unsigned i = 0; i &lt; butterfly-&gt;publicLength(); i++) {
+        JSValue v = butterfly-&gt;contiguous()[i].get();
</ins><span class="cx">         if (v) {
</span><span class="cx">             newStorage-&gt;m_vector[i].setWithoutWriteBarrier(v);
</span><span class="cx">             newStorage-&gt;m_numValuesInVector++;
</span><span class="lines">@@ -957,8 +963,8 @@
</span><span class="cx"> 
</span><span class="cx"> void JSObject::setIndexQuicklyToUndecided(VM&amp; vm, unsigned index, JSValue value)
</span><span class="cx"> {
</span><del>-    ASSERT(index &lt; m_butterfly-&gt;publicLength());
-    ASSERT(index &lt; m_butterfly-&gt;vectorLength());
</del><ins>+    ASSERT(index &lt; m_butterfly.get(this)-&gt;publicLength());
+    ASSERT(index &lt; m_butterfly.get(this)-&gt;vectorLength());
</ins><span class="cx">     convertUndecidedForValue(vm, value);
</span><span class="cx">     setIndexQuickly(vm, index, value);
</span><span class="cx"> }
</span><span class="lines">@@ -1114,7 +1120,7 @@
</span><span class="cx">         return enterDictionaryIndexingModeWhenArrayStorageAlreadyExists(vm, convertContiguousToArrayStorage(vm));
</span><span class="cx">         
</span><span class="cx">     case ALL_ARRAY_STORAGE_INDEXING_TYPES:
</span><del>-        return enterDictionaryIndexingModeWhenArrayStorageAlreadyExists(vm, m_butterfly-&gt;arrayStorage());
</del><ins>+        return enterDictionaryIndexingModeWhenArrayStorageAlreadyExists(vm, m_butterfly.get(this)-&gt;arrayStorage());
</ins><span class="cx">         
</span><span class="cx">     default:
</span><span class="cx">         CRASH();
</span><span class="lines">@@ -1356,7 +1362,7 @@
</span><span class="cx">     }
</span><span class="cx">         
</span><span class="cx">     case ALL_ARRAY_STORAGE_INDEXING_TYPES: {
</span><del>-        ArrayStorage* storage = thisObject-&gt;m_butterfly-&gt;arrayStorage();
</del><ins>+        ArrayStorage* storage = thisObject-&gt;m_butterfly.get(thisObject)-&gt;arrayStorage();
</ins><span class="cx">         
</span><span class="cx">         if (i &lt; storage-&gt;vectorLength()) {
</span><span class="cx">             WriteBarrier&lt;Unknown&gt;&amp; valueSlot = storage-&gt;m_vector[i];
</span><span class="lines">@@ -1546,7 +1552,7 @@
</span><span class="cx">         }
</span><span class="cx">             
</span><span class="cx">         case ALL_ARRAY_STORAGE_INDEXING_TYPES: {
</span><del>-            ArrayStorage* storage = object-&gt;m_butterfly-&gt;arrayStorage();
</del><ins>+            ArrayStorage* storage = object-&gt;m_butterfly.get(object)-&gt;arrayStorage();
</ins><span class="cx">             
</span><span class="cx">             unsigned usedVectorLength = std::min(storage-&gt;length(), storage-&gt;vectorLength());
</span><span class="cx">             for (unsigned i = 0; i &lt; usedVectorLength; ++i) {
</span><span class="lines">@@ -1699,7 +1705,7 @@
</span><span class="cx"> void JSObject::putIndexedDescriptor(ExecState* exec, SparseArrayEntry* entryInMap, const PropertyDescriptor&amp; descriptor, PropertyDescriptor&amp; oldDescriptor)
</span><span class="cx"> {
</span><span class="cx">     VM&amp; vm = exec-&gt;vm();
</span><del>-    auto map = m_butterfly-&gt;arrayStorage()-&gt;m_sparseMap.get();
</del><ins>+    auto map = m_butterfly.get(this)-&gt;arrayStorage()-&gt;m_sparseMap.get();
</ins><span class="cx"> 
</span><span class="cx">     if (descriptor.isDataDescriptor()) {
</span><span class="cx">         if (descriptor.value())
</span><span class="lines">@@ -1758,7 +1764,7 @@
</span><span class="cx">     if (descriptor.attributes() &amp; (ReadOnly | Accessor))
</span><span class="cx">         notifyPresenceOfIndexedAccessors(exec-&gt;vm());
</span><span class="cx"> 
</span><del>-    SparseArrayValueMap* map = m_butterfly-&gt;arrayStorage()-&gt;m_sparseMap.get();
</del><ins>+    SparseArrayValueMap* map = m_butterfly.get(this)-&gt;arrayStorage()-&gt;m_sparseMap.get();
</ins><span class="cx">     RELEASE_ASSERT(map);
</span><span class="cx"> 
</span><span class="cx">     // 1. Let current be the result of calling the [[GetOwnProperty]] internal method of O with property name P.
</span><span class="lines">@@ -1790,8 +1796,9 @@
</span><span class="cx">         entryInMap-&gt;get(defaults);
</span><span class="cx"> 
</span><span class="cx">         putIndexedDescriptor(exec, entryInMap, descriptor, defaults);
</span><del>-        if (index &gt;= m_butterfly-&gt;arrayStorage()-&gt;length())
-            m_butterfly-&gt;arrayStorage()-&gt;setLength(index + 1);
</del><ins>+        Butterfly* butterfly = m_butterfly.get(this);
+        if (index &gt;= butterfly-&gt;arrayStorage()-&gt;length())
+            butterfly-&gt;arrayStorage()-&gt;setLength(index + 1);
</ins><span class="cx">         return true;
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="lines">@@ -1911,17 +1918,19 @@
</span><span class="cx"> {
</span><span class="cx">     ASSERT((indexingType() &amp; IndexingShapeMask) == indexingShape);
</span><span class="cx">     ASSERT(!indexingShouldBeSparse());
</span><ins>+
+    Butterfly* butterfly = m_butterfly.get(this);
</ins><span class="cx">     
</span><span class="cx">     // For us to get here, the index is either greater than the public length, or greater than
</span><span class="cx">     // or equal to the vector length.
</span><del>-    ASSERT(i &gt;= m_butterfly-&gt;vectorLength());
</del><ins>+    ASSERT(i &gt;= butterfly-&gt;vectorLength());
</ins><span class="cx">     
</span><span class="cx">     VM&amp; vm = exec-&gt;vm();
</span><span class="cx">     
</span><span class="cx">     if (i &gt;= MAX_ARRAY_INDEX - 1
</span><span class="cx">         || (i &gt;= MIN_SPARSE_ARRAY_INDEX
</span><del>-            &amp;&amp; !isDenseEnoughForVector(i, countElements&lt;indexingShape&gt;(butterfly())))
-        || indexIsSufficientlyBeyondLengthForSparseMap(i, m_butterfly-&gt;vectorLength())) {
</del><ins>+            &amp;&amp; !isDenseEnoughForVector(i, countElements&lt;indexingShape&gt;(butterfly)))
+        || indexIsSufficientlyBeyondLengthForSparseMap(i, butterfly-&gt;vectorLength())) {
</ins><span class="cx">         ASSERT(i &lt;= MAX_ARRAY_INDEX);
</span><span class="cx">         ensureArrayStorageSlow(vm);
</span><span class="cx">         SparseArrayValueMap* map = allocateSparseIndexMap(vm);
</span><span class="lines">@@ -1932,24 +1941,25 @@
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     ensureLength(vm, i + 1);
</span><ins>+    butterfly = m_butterfly.get(this);
</ins><span class="cx"> 
</span><del>-    RELEASE_ASSERT(i &lt; m_butterfly-&gt;vectorLength());
</del><ins>+    RELEASE_ASSERT(i &lt; butterfly-&gt;vectorLength());
</ins><span class="cx">     switch (indexingShape) {
</span><span class="cx">     case Int32Shape:
</span><span class="cx">         ASSERT(value.isInt32());
</span><del>-        m_butterfly-&gt;contiguousInt32()[i].setWithoutWriteBarrier(value);
</del><ins>+        butterfly-&gt;contiguousInt32()[i].setWithoutWriteBarrier(value);
</ins><span class="cx">         break;
</span><span class="cx">         
</span><span class="cx">     case DoubleShape: {
</span><span class="cx">         ASSERT(value.isNumber());
</span><span class="cx">         double valueAsDouble = value.asNumber();
</span><span class="cx">         ASSERT(valueAsDouble == valueAsDouble);
</span><del>-        m_butterfly-&gt;contiguousDouble()[i] = valueAsDouble;
</del><ins>+        butterfly-&gt;contiguousDouble()[i] = valueAsDouble;
</ins><span class="cx">         break;
</span><span class="cx">     }
</span><span class="cx">         
</span><span class="cx">     case ContiguousShape:
</span><del>-        m_butterfly-&gt;contiguous()[i].set(vm, this, value);
</del><ins>+        butterfly-&gt;contiguous()[i].set(vm, this, value);
</ins><span class="cx">         break;
</span><span class="cx">         
</span><span class="cx">     default:
</span><span class="lines">@@ -2223,7 +2233,7 @@
</span><span class="cx">         
</span><span class="cx">     case ALL_INT32_INDEXING_TYPES: {
</span><span class="cx">         if (attributes) {
</span><del>-            if (i &lt; m_butterfly-&gt;vectorLength())
</del><ins>+            if (i &lt; m_butterfly.get(this)-&gt;vectorLength())
</ins><span class="cx">                 return putDirectIndexBeyondVectorLengthWithArrayStorage(exec, i, value, attributes, mode, ensureArrayStorageExistsAndEnterDictionaryIndexingMode(vm));
</span><span class="cx">             return putDirectIndexBeyondVectorLengthWithArrayStorage(exec, i, value, attributes, mode, convertInt32ToArrayStorage(vm));
</span><span class="cx">         }
</span><span class="lines">@@ -2237,7 +2247,7 @@
</span><span class="cx">         
</span><span class="cx">     case ALL_DOUBLE_INDEXING_TYPES: {
</span><span class="cx">         if (attributes) {
</span><del>-            if (i &lt; m_butterfly-&gt;vectorLength())
</del><ins>+            if (i &lt; m_butterfly.get(this)-&gt;vectorLength())
</ins><span class="cx">                 return putDirectIndexBeyondVectorLengthWithArrayStorage(exec, i, value, attributes, mode, ensureArrayStorageExistsAndEnterDictionaryIndexingMode(vm));
</span><span class="cx">             return putDirectIndexBeyondVectorLengthWithArrayStorage(exec, i, value, attributes, mode, convertDoubleToArrayStorage(vm));
</span><span class="cx">         }
</span><span class="lines">@@ -2256,7 +2266,7 @@
</span><span class="cx">         
</span><span class="cx">     case ALL_CONTIGUOUS_INDEXING_TYPES: {
</span><span class="cx">         if (attributes) {
</span><del>-            if (i &lt; m_butterfly-&gt;vectorLength())
</del><ins>+            if (i &lt; m_butterfly.get(this)-&gt;vectorLength())
</ins><span class="cx">                 return putDirectIndexBeyondVectorLengthWithArrayStorage(exec, i, value, attributes, mode, ensureArrayStorageExistsAndEnterDictionaryIndexingMode(vm));
</span><span class="cx">             return putDirectIndexBeyondVectorLengthWithArrayStorage(exec, i, value, attributes, mode, convertContiguousToArrayStorage(vm));
</span><span class="cx">         }
</span><span class="lines">@@ -2266,7 +2276,7 @@
</span><span class="cx"> 
</span><span class="cx">     case ALL_ARRAY_STORAGE_INDEXING_TYPES:
</span><span class="cx">         if (attributes) {
</span><del>-            if (i &lt; m_butterfly-&gt;vectorLength())
</del><ins>+            if (i &lt; m_butterfly.get(this)-&gt;vectorLength())
</ins><span class="cx">                 return putDirectIndexBeyondVectorLengthWithArrayStorage(exec, i, value, attributes, mode, ensureArrayStorageExistsAndEnterDictionaryIndexingMode(vm));
</span><span class="cx">         }
</span><span class="cx">         return putDirectIndexBeyondVectorLengthWithArrayStorage(exec, i, value, attributes, mode, arrayStorage());
</span><span class="lines">@@ -2347,8 +2357,8 @@
</span><span class="cx">     unsigned length;
</span><span class="cx">     
</span><span class="cx">     if (hasIndexedProperties(indexingType())) {
</span><del>-        vectorLength = m_butterfly-&gt;vectorLength();
-        length = m_butterfly-&gt;publicLength();
</del><ins>+        vectorLength = m_butterfly.get(this)-&gt;vectorLength();
+        length = m_butterfly.get(this)-&gt;publicLength();
</ins><span class="cx">     } else {
</span><span class="cx">         vectorLength = 0;
</span><span class="cx">         length = 0;
</span><span class="lines">@@ -2454,25 +2464,28 @@
</span><span class="cx"> 
</span><span class="cx"> void JSObject::ensureLengthSlow(VM&amp; vm, unsigned length)
</span><span class="cx"> {
</span><ins>+    Butterfly* butterfly = m_butterfly.get(this);
+    
</ins><span class="cx">     ASSERT(length &lt; MAX_ARRAY_INDEX);
</span><span class="cx">     ASSERT(hasContiguous(indexingType()) || hasInt32(indexingType()) || hasDouble(indexingType()) || hasUndecided(indexingType()));
</span><del>-    ASSERT(length &gt; m_butterfly-&gt;vectorLength());
</del><ins>+    ASSERT(length &gt; butterfly-&gt;vectorLength());
</ins><span class="cx">     
</span><span class="cx">     unsigned newVectorLength = std::min(
</span><span class="cx">         length &lt;&lt; 1,
</span><span class="cx">         MAX_STORAGE_VECTOR_LENGTH);
</span><del>-    unsigned oldVectorLength = m_butterfly-&gt;vectorLength();
</del><ins>+    unsigned oldVectorLength = butterfly-&gt;vectorLength();
</ins><span class="cx">     DeferGC deferGC(vm.heap);
</span><del>-    m_butterfly.set(vm, this, m_butterfly-&gt;growArrayRight(
</del><ins>+    butterfly = butterfly-&gt;growArrayRight(
</ins><span class="cx">         vm, this, structure(), structure()-&gt;outOfLineCapacity(), true,
</span><span class="cx">         oldVectorLength * sizeof(EncodedJSValue),
</span><del>-        newVectorLength * sizeof(EncodedJSValue)));
</del><ins>+        newVectorLength * sizeof(EncodedJSValue));
+    m_butterfly.set(vm, this, butterfly);
</ins><span class="cx"> 
</span><del>-    m_butterfly-&gt;setVectorLength(newVectorLength);
</del><ins>+    butterfly-&gt;setVectorLength(newVectorLength);
</ins><span class="cx"> 
</span><span class="cx">     if (hasDouble(indexingType())) {
</span><span class="cx">         for (unsigned i = oldVectorLength; i &lt; newVectorLength; ++i)
</span><del>-            m_butterfly-&gt;contiguousDouble().data()[i] = PNaN;
</del><ins>+            butterfly-&gt;contiguousDouble().data()[i] = PNaN;
</ins><span class="cx">     }
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="lines">@@ -2485,10 +2498,10 @@
</span><span class="cx">     ASSERT(!m_butterfly-&gt;indexingHeader()-&gt;preCapacity(structure()));
</span><span class="cx"> 
</span><span class="cx">     DeferGC deferGC(vm.heap);
</span><del>-    Butterfly* newButterfly = m_butterfly-&gt;resizeArray(vm, this, structure(), 0, ArrayStorage::sizeFor(length));
</del><ins>+    Butterfly* newButterfly = m_butterfly.get(this)-&gt;resizeArray(vm, this, structure(), 0, ArrayStorage::sizeFor(length));
</ins><span class="cx">     m_butterfly.set(vm, this, newButterfly);
</span><del>-    m_butterfly-&gt;setVectorLength(length);
-    m_butterfly-&gt;setPublicLength(length);
</del><ins>+    newButterfly-&gt;setVectorLength(length);
+    newButterfly-&gt;setPublicLength(length);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> Butterfly* JSObject::growOutOfLineStorage(VM&amp; vm, size_t oldSize, size_t newSize)
</span><span class="lines">@@ -2498,7 +2511,7 @@
</span><span class="cx">     // It's important that this function not rely on structure(), for the property
</span><span class="cx">     // capacity, since we might have already mutated the structure in-place.
</span><span class="cx">     
</span><del>-    return Butterfly::createOrGrowPropertyStorage(m_butterfly.get(), vm, this, structure(vm), oldSize, newSize);
</del><ins>+    return Butterfly::createOrGrowPropertyStorage(m_butterfly.get(this), vm, this, structure(vm), oldSize, newSize);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> bool JSObject::getOwnPropertyDescriptor(ExecState* exec, PropertyName propertyName, PropertyDescriptor&amp; descriptor)
</span><span class="lines">@@ -2785,7 +2798,7 @@
</span><span class="cx">     }
</span><span class="cx">         
</span><span class="cx">     case ALL_ARRAY_STORAGE_INDEXING_TYPES: {
</span><del>-        ArrayStorage* storage = object-&gt;m_butterfly-&gt;arrayStorage();
</del><ins>+        ArrayStorage* storage = object-&gt;m_butterfly.get(object)-&gt;arrayStorage();
</ins><span class="cx">         if (storage-&gt;m_sparseMap.get())
</span><span class="cx">             return 0;
</span><span class="cx">         
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSObjecth"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSObject.h (190895 => 190896)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSObject.h        2015-10-12 22:40:36 UTC (rev 190895)
+++ trunk/Source/JavaScriptCore/runtime/JSObject.h        2015-10-12 22:41:01 UTC (rev 190896)
</span><span class="lines">@@ -30,7 +30,7 @@
</span><span class="cx"> #include &quot;CallFrame.h&quot;
</span><span class="cx"> #include &quot;ClassInfo.h&quot;
</span><span class="cx"> #include &quot;CommonIdentifiers.h&quot;
</span><del>-#include &quot;CopyWriteBarrier.h&quot;
</del><ins>+#include &quot;CopyBarrier.h&quot;
</ins><span class="cx"> #include &quot;CustomGetterSetter.h&quot;
</span><span class="cx"> #include &quot;DeferGC.h&quot;
</span><span class="cx"> #include &quot;Heap.h&quot;
</span><span class="lines">@@ -131,14 +131,14 @@
</span><span class="cx">     {
</span><span class="cx">         if (!hasIndexedProperties(indexingType()))
</span><span class="cx">             return 0;
</span><del>-        return m_butterfly-&gt;publicLength();
</del><ins>+        return m_butterfly.get(this)-&gt;publicLength();
</ins><span class="cx">     }
</span><span class="cx">         
</span><span class="cx">     unsigned getVectorLength()
</span><span class="cx">     {
</span><span class="cx">         if (!hasIndexedProperties(indexingType()))
</span><span class="cx">             return 0;
</span><del>-        return m_butterfly-&gt;vectorLength();
</del><ins>+        return m_butterfly.get(this)-&gt;vectorLength();
</ins><span class="cx">     }
</span><span class="cx">         
</span><span class="cx">     JS_EXPORT_PRIVATE static void put(JSCell*, ExecState*, PropertyName, JSValue, PutPropertySlot&amp;);
</span><span class="lines">@@ -181,23 +181,24 @@
</span><span class="cx">     
</span><span class="cx">     bool canGetIndexQuickly(unsigned i)
</span><span class="cx">     {
</span><ins>+        Butterfly* butterfly = m_butterfly.get(this);
</ins><span class="cx">         switch (indexingType()) {
</span><span class="cx">         case ALL_BLANK_INDEXING_TYPES:
</span><span class="cx">         case ALL_UNDECIDED_INDEXING_TYPES:
</span><span class="cx">             return false;
</span><span class="cx">         case ALL_INT32_INDEXING_TYPES:
</span><span class="cx">         case ALL_CONTIGUOUS_INDEXING_TYPES:
</span><del>-            return i &lt; m_butterfly-&gt;vectorLength() &amp;&amp; m_butterfly-&gt;contiguous()[i];
</del><ins>+            return i &lt; butterfly-&gt;vectorLength() &amp;&amp; butterfly-&gt;contiguous()[i];
</ins><span class="cx">         case ALL_DOUBLE_INDEXING_TYPES: {
</span><del>-            if (i &gt;= m_butterfly-&gt;vectorLength())
</del><ins>+            if (i &gt;= butterfly-&gt;vectorLength())
</ins><span class="cx">                 return false;
</span><del>-            double value = m_butterfly-&gt;contiguousDouble()[i];
</del><ins>+            double value = butterfly-&gt;contiguousDouble()[i];
</ins><span class="cx">             if (value != value)
</span><span class="cx">                 return false;
</span><span class="cx">             return true;
</span><span class="cx">         }
</span><span class="cx">         case ALL_ARRAY_STORAGE_INDEXING_TYPES:
</span><del>-            return i &lt; m_butterfly-&gt;arrayStorage()-&gt;vectorLength() &amp;&amp; m_butterfly-&gt;arrayStorage()-&gt;m_vector[i];
</del><ins>+            return i &lt; butterfly-&gt;arrayStorage()-&gt;vectorLength() &amp;&amp; butterfly-&gt;arrayStorage()-&gt;m_vector[i];
</ins><span class="cx">         default:
</span><span class="cx">             RELEASE_ASSERT_NOT_REACHED();
</span><span class="cx">             return false;
</span><span class="lines">@@ -206,15 +207,16 @@
</span><span class="cx">         
</span><span class="cx">     JSValue getIndexQuickly(unsigned i)
</span><span class="cx">     {
</span><ins>+        Butterfly* butterfly = m_butterfly.get(this);
</ins><span class="cx">         switch (indexingType()) {
</span><span class="cx">         case ALL_INT32_INDEXING_TYPES:
</span><del>-            return jsNumber(m_butterfly-&gt;contiguous()[i].get().asInt32());
</del><ins>+            return jsNumber(butterfly-&gt;contiguous()[i].get().asInt32());
</ins><span class="cx">         case ALL_CONTIGUOUS_INDEXING_TYPES:
</span><del>-            return m_butterfly-&gt;contiguous()[i].get();
</del><ins>+            return butterfly-&gt;contiguous()[i].get();
</ins><span class="cx">         case ALL_DOUBLE_INDEXING_TYPES:
</span><del>-            return JSValue(JSValue::EncodeAsDouble, m_butterfly-&gt;contiguousDouble()[i]);
</del><ins>+            return JSValue(JSValue::EncodeAsDouble, butterfly-&gt;contiguousDouble()[i]);
</ins><span class="cx">         case ALL_ARRAY_STORAGE_INDEXING_TYPES:
</span><del>-            return m_butterfly-&gt;arrayStorage()-&gt;m_vector[i].get();
</del><ins>+            return butterfly-&gt;arrayStorage()-&gt;m_vector[i].get();
</ins><span class="cx">         default:
</span><span class="cx">             RELEASE_ASSERT_NOT_REACHED();
</span><span class="cx">             return JSValue();
</span><span class="lines">@@ -223,32 +225,33 @@
</span><span class="cx">         
</span><span class="cx">     JSValue tryGetIndexQuickly(unsigned i) const
</span><span class="cx">     {
</span><ins>+        Butterfly* butterfly = m_butterfly.get(this);
</ins><span class="cx">         switch (indexingType()) {
</span><span class="cx">         case ALL_BLANK_INDEXING_TYPES:
</span><span class="cx">         case ALL_UNDECIDED_INDEXING_TYPES:
</span><span class="cx">             break;
</span><span class="cx">         case ALL_INT32_INDEXING_TYPES:
</span><del>-            if (i &lt; m_butterfly-&gt;publicLength()) {
-                JSValue result = m_butterfly-&gt;contiguous()[i].get();
</del><ins>+            if (i &lt; butterfly-&gt;publicLength()) {
+                JSValue result = butterfly-&gt;contiguous()[i].get();
</ins><span class="cx">                 ASSERT(result.isInt32() || !result);
</span><span class="cx">                 return result;
</span><span class="cx">             }
</span><span class="cx">             break;
</span><span class="cx">         case ALL_CONTIGUOUS_INDEXING_TYPES:
</span><del>-            if (i &lt; m_butterfly-&gt;publicLength())
-                return m_butterfly-&gt;contiguous()[i].get();
</del><ins>+            if (i &lt; butterfly-&gt;publicLength())
+                return butterfly-&gt;contiguous()[i].get();
</ins><span class="cx">             break;
</span><span class="cx">         case ALL_DOUBLE_INDEXING_TYPES: {
</span><del>-            if (i &gt;= m_butterfly-&gt;publicLength())
</del><ins>+            if (i &gt;= butterfly-&gt;publicLength())
</ins><span class="cx">                 break;
</span><del>-            double result = m_butterfly-&gt;contiguousDouble()[i];
</del><ins>+            double result = butterfly-&gt;contiguousDouble()[i];
</ins><span class="cx">             if (result != result)
</span><span class="cx">                 break;
</span><span class="cx">             return JSValue(JSValue::EncodeAsDouble, result);
</span><span class="cx">         }
</span><span class="cx">         case ALL_ARRAY_STORAGE_INDEXING_TYPES:
</span><del>-            if (i &lt; m_butterfly-&gt;arrayStorage()-&gt;vectorLength())
-                return m_butterfly-&gt;arrayStorage()-&gt;m_vector[i].get();
</del><ins>+            if (i &lt; butterfly-&gt;arrayStorage()-&gt;vectorLength())
+                return butterfly-&gt;arrayStorage()-&gt;m_vector[i].get();
</ins><span class="cx">             break;
</span><span class="cx">         default:
</span><span class="cx">             RELEASE_ASSERT_NOT_REACHED();
</span><span class="lines">@@ -276,6 +279,7 @@
</span><span class="cx">         
</span><span class="cx">     bool canSetIndexQuickly(unsigned i)
</span><span class="cx">     {
</span><ins>+        Butterfly* butterfly = m_butterfly.get(this);
</ins><span class="cx">         switch (indexingType()) {
</span><span class="cx">         case ALL_BLANK_INDEXING_TYPES:
</span><span class="cx">         case ALL_UNDECIDED_INDEXING_TYPES:
</span><span class="lines">@@ -285,11 +289,11 @@
</span><span class="cx">         case ALL_CONTIGUOUS_INDEXING_TYPES:
</span><span class="cx">         case NonArrayWithArrayStorage:
</span><span class="cx">         case ArrayWithArrayStorage:
</span><del>-            return i &lt; m_butterfly-&gt;vectorLength();
</del><ins>+            return i &lt; butterfly-&gt;vectorLength();
</ins><span class="cx">         case NonArrayWithSlowPutArrayStorage:
</span><span class="cx">         case ArrayWithSlowPutArrayStorage:
</span><del>-            return i &lt; m_butterfly-&gt;arrayStorage()-&gt;vectorLength()
-                &amp;&amp; !!m_butterfly-&gt;arrayStorage()-&gt;m_vector[i];
</del><ins>+            return i &lt; butterfly-&gt;arrayStorage()-&gt;vectorLength()
+                &amp;&amp; !!butterfly-&gt;arrayStorage()-&gt;m_vector[i];
</ins><span class="cx">         default:
</span><span class="cx">             RELEASE_ASSERT_NOT_REACHED();
</span><span class="cx">             return false;
</span><span class="lines">@@ -306,7 +310,7 @@
</span><span class="cx">         case ALL_DOUBLE_INDEXING_TYPES:
</span><span class="cx">         case ALL_CONTIGUOUS_INDEXING_TYPES:
</span><span class="cx">         case ALL_ARRAY_STORAGE_INDEXING_TYPES:
</span><del>-            return i &lt; m_butterfly-&gt;vectorLength();
</del><ins>+            return i &lt; m_butterfly.get(this)-&gt;vectorLength();
</ins><span class="cx">         default:
</span><span class="cx">             RELEASE_ASSERT_NOT_REACHED();
</span><span class="cx">             return false;
</span><span class="lines">@@ -315,9 +319,10 @@
</span><span class="cx">         
</span><span class="cx">     void setIndexQuickly(VM&amp; vm, unsigned i, JSValue v)
</span><span class="cx">     {
</span><ins>+        Butterfly* butterfly = m_butterfly.get(this);
</ins><span class="cx">         switch (indexingType()) {
</span><span class="cx">         case ALL_INT32_INDEXING_TYPES: {
</span><del>-            ASSERT(i &lt; m_butterfly-&gt;vectorLength());
</del><ins>+            ASSERT(i &lt; butterfly-&gt;vectorLength());
</ins><span class="cx">             if (!v.isInt32()) {
</span><span class="cx">                 convertInt32ToDoubleOrContiguousWhilePerformingSetIndex(vm, i, v);
</span><span class="cx">                 return;
</span><span class="lines">@@ -325,14 +330,14 @@
</span><span class="cx">             FALLTHROUGH;
</span><span class="cx">         }
</span><span class="cx">         case ALL_CONTIGUOUS_INDEXING_TYPES: {
</span><del>-            ASSERT(i &lt; m_butterfly-&gt;vectorLength());
-            m_butterfly-&gt;contiguous()[i].set(vm, this, v);
-            if (i &gt;= m_butterfly-&gt;publicLength())
-                m_butterfly-&gt;setPublicLength(i + 1);
</del><ins>+            ASSERT(i &lt; butterfly-&gt;vectorLength());
+            butterfly-&gt;contiguous()[i].set(vm, this, v);
+            if (i &gt;= butterfly-&gt;publicLength())
+                butterfly-&gt;setPublicLength(i + 1);
</ins><span class="cx">             break;
</span><span class="cx">         }
</span><span class="cx">         case ALL_DOUBLE_INDEXING_TYPES: {
</span><del>-            ASSERT(i &lt; m_butterfly-&gt;vectorLength());
</del><ins>+            ASSERT(i &lt; butterfly-&gt;vectorLength());
</ins><span class="cx">             if (!v.isNumber()) {
</span><span class="cx">                 convertDoubleToContiguousWhilePerformingSetIndex(vm, i, v);
</span><span class="cx">                 return;
</span><span class="lines">@@ -342,13 +347,13 @@
</span><span class="cx">                 convertDoubleToContiguousWhilePerformingSetIndex(vm, i, v);
</span><span class="cx">                 return;
</span><span class="cx">             }
</span><del>-            m_butterfly-&gt;contiguousDouble()[i] = value;
-            if (i &gt;= m_butterfly-&gt;publicLength())
-                m_butterfly-&gt;setPublicLength(i + 1);
</del><ins>+            butterfly-&gt;contiguousDouble()[i] = value;
+            if (i &gt;= butterfly-&gt;publicLength())
+                butterfly-&gt;setPublicLength(i + 1);
</ins><span class="cx">             break;
</span><span class="cx">         }
</span><span class="cx">         case ALL_ARRAY_STORAGE_INDEXING_TYPES: {
</span><del>-            ArrayStorage* storage = m_butterfly-&gt;arrayStorage();
</del><ins>+            ArrayStorage* storage = butterfly-&gt;arrayStorage();
</ins><span class="cx">             WriteBarrier&lt;Unknown&gt;&amp; x = storage-&gt;m_vector[i];
</span><span class="cx">             JSValue old = x.get();
</span><span class="cx">             x.set(vm, this, v);
</span><span class="lines">@@ -371,14 +376,15 @@
</span><span class="cx"> 
</span><span class="cx">     void initializeIndex(VM&amp; vm, unsigned i, JSValue v, IndexingType indexingType)
</span><span class="cx">     {
</span><ins>+        Butterfly* butterfly = m_butterfly.get(this);
</ins><span class="cx">         switch (indexingType) {
</span><span class="cx">         case ALL_UNDECIDED_INDEXING_TYPES: {
</span><span class="cx">             setIndexQuicklyToUndecided(vm, i, v);
</span><span class="cx">             break;
</span><span class="cx">         }
</span><span class="cx">         case ALL_INT32_INDEXING_TYPES: {
</span><del>-            ASSERT(i &lt; m_butterfly-&gt;publicLength());
-            ASSERT(i &lt; m_butterfly-&gt;vectorLength());
</del><ins>+            ASSERT(i &lt; butterfly-&gt;publicLength());
+            ASSERT(i &lt; butterfly-&gt;vectorLength());
</ins><span class="cx">             if (!v.isInt32()) {
</span><span class="cx">                 convertInt32ToDoubleOrContiguousWhilePerformingSetIndex(vm, i, v);
</span><span class="cx">                 break;
</span><span class="lines">@@ -386,14 +392,14 @@
</span><span class="cx">             FALLTHROUGH;
</span><span class="cx">         }
</span><span class="cx">         case ALL_CONTIGUOUS_INDEXING_TYPES: {
</span><del>-            ASSERT(i &lt; m_butterfly-&gt;publicLength());
-            ASSERT(i &lt; m_butterfly-&gt;vectorLength());
-            m_butterfly-&gt;contiguous()[i].set(vm, this, v);
</del><ins>+            ASSERT(i &lt; butterfly-&gt;publicLength());
+            ASSERT(i &lt; butterfly-&gt;vectorLength());
+            butterfly-&gt;contiguous()[i].set(vm, this, v);
</ins><span class="cx">             break;
</span><span class="cx">         }
</span><span class="cx">         case ALL_DOUBLE_INDEXING_TYPES: {
</span><del>-            ASSERT(i &lt; m_butterfly-&gt;publicLength());
-            ASSERT(i &lt; m_butterfly-&gt;vectorLength());
</del><ins>+            ASSERT(i &lt; butterfly-&gt;publicLength());
+            ASSERT(i &lt; butterfly-&gt;vectorLength());
</ins><span class="cx">             if (!v.isNumber()) {
</span><span class="cx">                 convertDoubleToContiguousWhilePerformingSetIndex(vm, i, v);
</span><span class="cx">                 return;
</span><span class="lines">@@ -403,11 +409,11 @@
</span><span class="cx">                 convertDoubleToContiguousWhilePerformingSetIndex(vm, i, v);
</span><span class="cx">                 return;
</span><span class="cx">             }
</span><del>-            m_butterfly-&gt;contiguousDouble()[i] = value;
</del><ins>+            butterfly-&gt;contiguousDouble()[i] = value;
</ins><span class="cx">             break;
</span><span class="cx">         }
</span><span class="cx">         case ALL_ARRAY_STORAGE_INDEXING_TYPES: {
</span><del>-            ArrayStorage* storage = m_butterfly-&gt;arrayStorage();
</del><ins>+            ArrayStorage* storage = butterfly-&gt;arrayStorage();
</ins><span class="cx">             ASSERT(i &lt; storage-&gt;length());
</span><span class="cx">             ASSERT(i &lt; storage-&gt;m_numValuesInVector);
</span><span class="cx">             storage-&gt;m_vector[i].set(vm, this, v);
</span><span class="lines">@@ -428,7 +434,7 @@
</span><span class="cx">         case ALL_CONTIGUOUS_INDEXING_TYPES:
</span><span class="cx">             return false;
</span><span class="cx">         case ALL_ARRAY_STORAGE_INDEXING_TYPES:
</span><del>-            return !!m_butterfly-&gt;arrayStorage()-&gt;m_sparseMap;
</del><ins>+            return !!m_butterfly.get(this)-&gt;arrayStorage()-&gt;m_sparseMap;
</ins><span class="cx">         default:
</span><span class="cx">             RELEASE_ASSERT_NOT_REACHED();
</span><span class="cx">             return false;
</span><span class="lines">@@ -445,7 +451,7 @@
</span><span class="cx">         case ALL_CONTIGUOUS_INDEXING_TYPES:
</span><span class="cx">             return false;
</span><span class="cx">         case ALL_ARRAY_STORAGE_INDEXING_TYPES:
</span><del>-            return m_butterfly-&gt;arrayStorage()-&gt;inSparseMode();
</del><ins>+            return m_butterfly.get(this)-&gt;arrayStorage()-&gt;inSparseMode();
</ins><span class="cx">         default:
</span><span class="cx">             RELEASE_ASSERT_NOT_REACHED();
</span><span class="cx">             return false;
</span><span class="lines">@@ -550,11 +556,11 @@
</span><span class="cx">         return inlineStorageUnsafe();
</span><span class="cx">     }
</span><span class="cx">         
</span><del>-    const Butterfly* butterfly() const { return m_butterfly.get(); }
-    Butterfly* butterfly() { return m_butterfly.get(); }
</del><ins>+    const Butterfly* butterfly() const { return m_butterfly.get(this); }
+    Butterfly* butterfly() { return m_butterfly.get(this); }
</ins><span class="cx">         
</span><del>-    ConstPropertyStorage outOfLineStorage() const { return m_butterfly-&gt;propertyStorage(); }
-    PropertyStorage outOfLineStorage() { return m_butterfly-&gt;propertyStorage(); }
</del><ins>+    ConstPropertyStorage outOfLineStorage() const { return m_butterfly.get(this)-&gt;propertyStorage(); }
+    PropertyStorage outOfLineStorage() { return m_butterfly.get(this)-&gt;propertyStorage(); }
</ins><span class="cx"> 
</span><span class="cx">     const WriteBarrierBase&lt;Unknown&gt;* locationForOffset(PropertyOffset offset) const
</span><span class="cx">     {
</span><span class="lines">@@ -656,7 +662,7 @@
</span><span class="cx">     ContiguousJSValues ensureInt32(VM&amp; vm)
</span><span class="cx">     {
</span><span class="cx">         if (LIKELY(hasInt32(indexingType())))
</span><del>-            return m_butterfly-&gt;contiguousInt32();
</del><ins>+            return m_butterfly.get(this)-&gt;contiguousInt32();
</ins><span class="cx">             
</span><span class="cx">         return ensureInt32Slow(vm);
</span><span class="cx">     }
</span><span class="lines">@@ -668,7 +674,7 @@
</span><span class="cx">     ContiguousDoubles ensureDouble(VM&amp; vm)
</span><span class="cx">     {
</span><span class="cx">         if (LIKELY(hasDouble(indexingType())))
</span><del>-            return m_butterfly-&gt;contiguousDouble();
</del><ins>+            return m_butterfly.get(this)-&gt;contiguousDouble();
</ins><span class="cx">             
</span><span class="cx">         return ensureDoubleSlow(vm);
</span><span class="cx">     }
</span><span class="lines">@@ -678,7 +684,7 @@
</span><span class="cx">     ContiguousJSValues ensureContiguous(VM&amp; vm)
</span><span class="cx">     {
</span><span class="cx">         if (LIKELY(hasContiguous(indexingType())))
</span><del>-            return m_butterfly-&gt;contiguous();
</del><ins>+            return m_butterfly.get(this)-&gt;contiguous();
</ins><span class="cx">             
</span><span class="cx">         return ensureContiguousSlow(vm);
</span><span class="cx">     }
</span><span class="lines">@@ -690,7 +696,7 @@
</span><span class="cx">     ArrayStorage* ensureArrayStorage(VM&amp; vm)
</span><span class="cx">     {
</span><span class="cx">         if (LIKELY(hasAnyArrayStorage(indexingType())))
</span><del>-            return m_butterfly-&gt;arrayStorage();
</del><ins>+            return m_butterfly.get(this)-&gt;arrayStorage();
</ins><span class="cx"> 
</span><span class="cx">         return ensureArrayStorageSlow(vm);
</span><span class="cx">     }
</span><span class="lines">@@ -736,7 +742,7 @@
</span><span class="cx">     ArrayStorage* arrayStorage()
</span><span class="cx">     {
</span><span class="cx">         ASSERT(hasAnyArrayStorage(indexingType()));
</span><del>-        return m_butterfly-&gt;arrayStorage();
</del><ins>+        return m_butterfly.get(this)-&gt;arrayStorage();
</ins><span class="cx">     }
</span><span class="cx">         
</span><span class="cx">     // Call this if you want to predicate some actions on whether or not the
</span><span class="lines">@@ -745,7 +751,7 @@
</span><span class="cx">     {
</span><span class="cx">         switch (indexingType()) {
</span><span class="cx">         case ALL_ARRAY_STORAGE_INDEXING_TYPES:
</span><del>-            return m_butterfly-&gt;arrayStorage();
</del><ins>+            return m_butterfly.get(this)-&gt;arrayStorage();
</ins><span class="cx">                 
</span><span class="cx">         default:
</span><span class="cx">             return 0;
</span><span class="lines">@@ -809,12 +815,12 @@
</span><span class="cx">     {
</span><span class="cx">         ASSERT(length &lt; MAX_ARRAY_INDEX);
</span><span class="cx">         ASSERT(hasContiguous(indexingType()) || hasInt32(indexingType()) || hasDouble(indexingType()) || hasUndecided(indexingType()));
</span><del>-            
-        if (m_butterfly-&gt;vectorLength() &lt; length)
</del><ins>+
+        if (m_butterfly.get(this)-&gt;vectorLength() &lt; length)
</ins><span class="cx">             ensureLengthSlow(vm, length);
</span><span class="cx">             
</span><del>-        if (m_butterfly-&gt;publicLength() &lt; length)
-            m_butterfly-&gt;setPublicLength(length);
</del><ins>+        if (m_butterfly.get(this)-&gt;publicLength() &lt; length)
+            m_butterfly.get(this)-&gt;setPublicLength(length);
</ins><span class="cx">     }
</span><span class="cx">         
</span><span class="cx">     // Call this if you want to shrink the butterfly backing store, and you're
</span><span class="lines">@@ -874,7 +880,7 @@
</span><span class="cx">     JS_EXPORT_PRIVATE ArrayStorage* ensureArrayStorageSlow(VM&amp;);
</span><span class="cx"> 
</span><span class="cx"> protected:
</span><del>-    CopyWriteBarrier&lt;Butterfly&gt; m_butterfly;
</del><ins>+    CopyBarrier&lt;Butterfly&gt; m_butterfly;
</ins><span class="cx"> #if USE(JSVALUE32_64)
</span><span class="cx"> private:
</span><span class="cx">     uint32_t m_padding;
</span><span class="lines">@@ -1348,7 +1354,7 @@
</span><span class="cx">     DeferGC deferGC(vm.heap);
</span><span class="cx">     ASSERT(!value.isGetterSetter() &amp;&amp; !(attributes &amp; Accessor));
</span><span class="cx">     ASSERT(!value.isCustomGetterSetter());
</span><del>-    Butterfly* newButterfly = m_butterfly.get();
</del><ins>+    Butterfly* newButterfly = m_butterfly.get(this);
</ins><span class="cx">     if (structure()-&gt;putWillGrowOutOfLineStorage())
</span><span class="cx">         newButterfly = growOutOfLineStorage(vm, structure()-&gt;outOfLineCapacity(), structure()-&gt;suggestedNewOutOfLineStorageCapacity());
</span><span class="cx">     Structure* structure = this-&gt;structure();
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSSeth"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSSet.h (190895 => 190896)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSSet.h        2015-10-12 22:40:36 UTC (rev 190895)
+++ trunk/Source/JavaScriptCore/runtime/JSSet.h        2015-10-12 22:41:01 UTC (rev 190896)
</span><span class="lines">@@ -112,7 +112,7 @@
</span><span class="cx"> private:
</span><span class="cx">     JSSet(VM&amp; vm, Structure* structure)
</span><span class="cx">         : Base(vm, structure)
</span><del>-        , m_setData(vm)
</del><ins>+        , m_setData(vm, this)
</ins><span class="cx">     {
</span><span class="cx">     }
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeMapDatah"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/MapData.h (190895 => 190896)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/MapData.h        2015-10-12 22:40:36 UTC (rev 190895)
+++ trunk/Source/JavaScriptCore/runtime/MapData.h        2015-10-12 22:41:01 UTC (rev 190896)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2013 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2013, 2015 Apple Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -26,6 +26,7 @@
</span><span class="cx"> #ifndef MapData_h
</span><span class="cx"> #define MapData_h
</span><span class="cx"> 
</span><ins>+#include &quot;CopyBarrier.h&quot;
</ins><span class="cx"> #include &quot;JSCell.h&quot;
</span><span class="cx"> #include &quot;WeakGCMapInlines.h&quot;
</span><span class="cx"> #include &lt;wtf/HashFunctions.h&gt;
</span><span class="lines">@@ -94,7 +95,7 @@
</span><span class="cx">         JSValue value;
</span><span class="cx">     };
</span><span class="cx"> 
</span><del>-    MapDataImpl(VM&amp;);
</del><ins>+    MapDataImpl(VM&amp;, JSCell* owner);
</ins><span class="cx"> 
</span><span class="cx">     void set(ExecState*, JSCell* owner, KeyType, JSValue);
</span><span class="cx">     JSValue get(ExecState*, KeyType);
</span><span class="lines">@@ -136,16 +137,17 @@
</span><span class="cx">     int32_t m_capacity;
</span><span class="cx">     int32_t m_size;
</span><span class="cx">     int32_t m_deletedCount;
</span><del>-    Entry* m_entries;
</del><ins>+    JSCell* m_owner;
+    CopyBarrier&lt;Entry&gt; m_entries;
</ins><span class="cx">     WeakGCMap&lt;JSIterator*, JSIterator&gt; m_iterators;
</span><span class="cx"> };
</span><span class="cx"> 
</span><span class="cx"> template&lt;typename Entry, typename JSIterator&gt;
</span><del>-ALWAYS_INLINE MapDataImpl&lt;Entry, JSIterator&gt;::MapDataImpl(VM&amp; vm)
</del><ins>+ALWAYS_INLINE MapDataImpl&lt;Entry, JSIterator&gt;::MapDataImpl(VM&amp; vm, JSCell* owner)
</ins><span class="cx">     : m_capacity(0)
</span><span class="cx">     , m_size(0)
</span><span class="cx">     , m_deletedCount(0)
</span><del>-    , m_entries(nullptr)
</del><ins>+    , m_owner(owner)
</ins><span class="cx">     , m_iterators(vm)
</span><span class="cx"> {
</span><span class="cx"> }
</span><span class="lines">@@ -182,7 +184,7 @@
</span><span class="cx"> {
</span><span class="cx">     if (!ensureSlot())
</span><span class="cx">         return false;
</span><del>-    Entry* entry = &amp;m_mapData-&gt;m_entries[m_index];
</del><ins>+    Entry* entry = &amp;m_mapData-&gt;m_entries.get(m_mapData-&gt;m_owner)[m_index];
</ins><span class="cx">     pair = WTF::KeyValuePair&lt;JSValue, JSValue&gt;(entry-&gt;key().get(), entry-&gt;value().get());
</span><span class="cx">     m_index += 1;
</span><span class="cx">     return true;
</span><span class="lines">@@ -204,7 +206,7 @@
</span><span class="cx">     if (isFinished())
</span><span class="cx">         return m_index;
</span><span class="cx"> 
</span><del>-    Entry* entries = m_mapData-&gt;m_entries;
</del><ins>+    Entry* entries = m_mapData-&gt;m_entries.get(m_mapData-&gt;m_owner);
</ins><span class="cx">     size_t end = m_mapData-&gt;m_size;
</span><span class="cx">     while (static_cast&lt;size_t&gt;(m_index) &lt; end &amp;&amp; !entries[m_index].key())
</span><span class="cx">         m_index++;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeMapDataInlinesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/MapDataInlines.h (190895 => 190896)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/MapDataInlines.h        2015-10-12 22:40:36 UTC (rev 190895)
+++ trunk/Source/JavaScriptCore/runtime/MapDataInlines.h        2015-10-12 22:41:01 UTC (rev 190896)
</span><span class="lines">@@ -47,7 +47,7 @@
</span><span class="cx">     m_capacity = 0;
</span><span class="cx">     m_size = 0;
</span><span class="cx">     m_deletedCount = 0;
</span><del>-    m_entries = nullptr;
</del><ins>+    m_entries.clear();
</ins><span class="cx">     m_iterators.forEach([](JSIterator* iterator, JSIterator*) {
</span><span class="cx">         iterator-&gt;iteratorData()-&gt;didRemoveAllEntries();
</span><span class="cx">     });
</span><span class="lines">@@ -60,25 +60,25 @@
</span><span class="cx">         auto iter = m_stringKeyedTable.find(asString(key.value)-&gt;value(exec).impl());
</span><span class="cx">         if (iter == m_stringKeyedTable.end())
</span><span class="cx">             return 0;
</span><del>-        return &amp;m_entries[iter-&gt;value];
</del><ins>+        return &amp;m_entries.get(m_owner)[iter-&gt;value];
</ins><span class="cx">     }
</span><span class="cx">     if (key.value.isSymbol()) {
</span><span class="cx">         auto iter = m_symbolKeyedTable.find(asSymbol(key.value)-&gt;privateName().uid());
</span><span class="cx">         if (iter == m_symbolKeyedTable.end())
</span><span class="cx">             return 0;
</span><del>-        return &amp;m_entries[iter-&gt;value];
</del><ins>+        return &amp;m_entries.get(m_owner)[iter-&gt;value];
</ins><span class="cx">     }
</span><span class="cx">     if (key.value.isCell()) {
</span><span class="cx">         auto iter = m_cellKeyedTable.find(key.value.asCell());
</span><span class="cx">         if (iter == m_cellKeyedTable.end())
</span><span class="cx">             return 0;
</span><del>-        return &amp;m_entries[iter-&gt;value];
</del><ins>+        return &amp;m_entries.get(m_owner)[iter-&gt;value];
</ins><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     auto iter = m_valueKeyedTable.find(JSValue::encode(key.value));
</span><span class="cx">     if (iter == m_valueKeyedTable.end())
</span><span class="cx">         return 0;
</span><del>-    return &amp;m_entries[iter-&gt;value];
</del><ins>+    return &amp;m_entries.get(m_owner)[iter-&gt;value];
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> template&lt;typename Entry, typename JSIterator&gt;
</span><span class="lines">@@ -93,14 +93,14 @@
</span><span class="cx"> {
</span><span class="cx">     typename Map::iterator location = map.find(key);
</span><span class="cx">     if (location != map.end())
</span><del>-        return &amp;m_entries[location-&gt;value];
</del><ins>+        return &amp;m_entries.get(m_owner)[location-&gt;value];
</ins><span class="cx"> 
</span><span class="cx">     if (!ensureSpaceForAppend(exec, owner))
</span><span class="cx">         return 0;
</span><span class="cx"> 
</span><span class="cx">     auto result = map.add(key, m_size);
</span><span class="cx">     RELEASE_ASSERT(result.isNewEntry);
</span><del>-    Entry* entry = &amp;m_entries[m_size++];
</del><ins>+    Entry* entry = &amp;m_entries.get(m_owner)[m_size++];
</ins><span class="cx">     new (entry) Entry();
</span><span class="cx">     entry-&gt;setKey(exec-&gt;vm(), owner, keyValue.value);
</span><span class="cx">     return entry;
</span><span class="lines">@@ -164,7 +164,7 @@
</span><span class="cx">         location = iter-&gt;value;
</span><span class="cx">         m_valueKeyedTable.remove(iter);
</span><span class="cx">     }
</span><del>-    m_entries[location].clear();
</del><ins>+    m_entries.get(m_owner)[location].clear();
</ins><span class="cx">     m_deletedCount++;
</span><span class="cx">     return true;
</span><span class="cx"> }
</span><span class="lines">@@ -176,7 +176,7 @@
</span><span class="cx">     int32_t newEnd = 0;
</span><span class="cx">     RELEASE_ASSERT(newCapacity &gt; 0);
</span><span class="cx">     for (int32_t i = 0; i &lt; m_size; i++) {
</span><del>-        Entry&amp; entry = m_entries[i];
</del><ins>+        Entry&amp; entry = m_entries.getWithoutBarrier()[i];
</ins><span class="cx">         if (!entry.key()) {
</span><span class="cx">             m_iterators.forEach([newEnd](JSIterator* iterator, JSIterator*) {
</span><span class="cx">                 iterator-&gt;iteratorData()-&gt;didRemoveEntry(newEnd);
</span><span class="lines">@@ -195,20 +195,20 @@
</span><span class="cx"> 
</span><span class="cx">     // Fixup for the hashmaps
</span><span class="cx">     for (auto ptr = m_valueKeyedTable.begin(); ptr != m_valueKeyedTable.end(); ++ptr)
</span><del>-        ptr-&gt;value = m_entries[ptr-&gt;value].key().get().asInt32();
</del><ins>+        ptr-&gt;value = m_entries.getWithoutBarrier()[ptr-&gt;value].key().get().asInt32();
</ins><span class="cx">     for (auto ptr = m_cellKeyedTable.begin(); ptr != m_cellKeyedTable.end(); ++ptr)
</span><del>-        ptr-&gt;value = m_entries[ptr-&gt;value].key().get().asInt32();
</del><ins>+        ptr-&gt;value = m_entries.getWithoutBarrier()[ptr-&gt;value].key().get().asInt32();
</ins><span class="cx">     for (auto ptr = m_stringKeyedTable.begin(); ptr != m_stringKeyedTable.end(); ++ptr)
</span><del>-        ptr-&gt;value = m_entries[ptr-&gt;value].key().get().asInt32();
</del><ins>+        ptr-&gt;value = m_entries.getWithoutBarrier()[ptr-&gt;value].key().get().asInt32();
</ins><span class="cx">     for (auto ptr = m_symbolKeyedTable.begin(); ptr != m_symbolKeyedTable.end(); ++ptr)
</span><del>-        ptr-&gt;value = m_entries[ptr-&gt;value].key().get().asInt32();
</del><ins>+        ptr-&gt;value = m_entries.getWithoutBarrier()[ptr-&gt;value].key().get().asInt32();
</ins><span class="cx"> 
</span><span class="cx">     ASSERT((m_size - newEnd) == m_deletedCount);
</span><span class="cx">     m_deletedCount = 0;
</span><span class="cx"> 
</span><span class="cx">     m_capacity = newCapacity;
</span><span class="cx">     m_size = newEnd;
</span><del>-    m_entries = destination;
</del><ins>+    m_entries.setWithoutBarrier(destination);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> template&lt;typename Entry, typename JSIterator&gt;
</span><span class="lines">@@ -217,9 +217,9 @@
</span><span class="cx">     ASSERT(!shouldPack());
</span><span class="cx">     RELEASE_ASSERT(newCapacity &gt; 0);
</span><span class="cx">     ASSERT(newCapacity &gt;= m_capacity);
</span><del>-    memcpy(destination, m_entries, sizeof(Entry) * m_size);
</del><ins>+    memcpy(destination, m_entries.getWithoutBarrier(), sizeof(Entry) * m_size);
</ins><span class="cx">     m_capacity = newCapacity;
</span><del>-    m_entries = destination;
</del><ins>+    m_entries.setWithoutBarrier(destination);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> template&lt;typename Entry, typename JSIterator&gt;
</span><span class="lines">@@ -236,6 +236,8 @@
</span><span class="cx">         return false;
</span><span class="cx">     }
</span><span class="cx">     Entry* newEntries = static_cast&lt;Entry*&gt;(newStorage);
</span><ins>+    // Do a read barrier to ensure that m_entries points to to-space for the remainder of this GC epoch.
+    m_entries.get(m_owner); 
</ins><span class="cx">     if (shouldPack())
</span><span class="cx">         replaceAndPackBackingStore(newEntries, requiredSize);
</span><span class="cx">     else
</span><span class="lines">@@ -247,7 +249,7 @@
</span><span class="cx"> template&lt;typename Entry, typename JSIterator&gt;
</span><span class="cx"> inline void MapDataImpl&lt;Entry, JSIterator&gt;::visitChildren(JSCell* owner, SlotVisitor&amp; visitor)
</span><span class="cx"> {
</span><del>-    Entry* entries = m_entries;
</del><ins>+    Entry* entries = m_entries.getWithoutBarrier();
</ins><span class="cx">     if (!entries)
</span><span class="cx">         return;
</span><span class="cx">     if (m_deletedCount) {
</span><span class="lines">@@ -261,14 +263,14 @@
</span><span class="cx">         visitor.appendValues(reinterpret_cast&lt;WriteBarrier&lt;Unknown&gt;*&gt;(&amp;entries[0]), m_size * (sizeof(Entry) / sizeof(WriteBarrier&lt;Unknown&gt;)));
</span><span class="cx">     }
</span><span class="cx"> 
</span><del>-    visitor.copyLater(owner, MapBackingStoreCopyToken, entries, capacityInBytes());
</del><ins>+    visitor.copyLater(owner, MapBackingStoreCopyToken, m_entries.getWithoutBarrier(), capacityInBytes());
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> template&lt;typename Entry, typename JSIterator&gt;
</span><span class="cx"> inline void MapDataImpl&lt;Entry, JSIterator&gt;::copyBackingStore(CopyVisitor&amp; visitor, CopyToken token)
</span><span class="cx"> {
</span><del>-    if (token == MapBackingStoreCopyToken &amp;&amp; visitor.checkIfShouldCopy(m_entries)) {
-        Entry* oldEntries = m_entries;
</del><ins>+    if (token == MapBackingStoreCopyToken &amp;&amp; visitor.checkIfShouldCopy(m_entries.getWithoutBarrier())) {
+        Entry* oldEntries = m_entries.getWithoutBarrier();
</ins><span class="cx">         Entry* newEntries = static_cast&lt;Entry*&gt;(visitor.allocateNewSpace(capacityInBytes()));
</span><span class="cx">         if (shouldPack())
</span><span class="cx">             replaceAndPackBackingStore(newEntries, m_capacity);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeOptionsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/Options.h (190895 => 190896)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/Options.h        2015-10-12 22:40:36 UTC (rev 190895)
+++ trunk/Source/JavaScriptCore/runtime/Options.h        2015-10-12 22:41:01 UTC (rev 190896)
</span><span class="lines">@@ -203,6 +203,7 @@
</span><span class="cx">     v(bool, createPreHeaders, true, nullptr) \
</span><span class="cx">     v(bool, enableMovHintRemoval, true, nullptr) \
</span><span class="cx">     v(bool, enableObjectAllocationSinking, true, nullptr) \
</span><ins>+    v(bool, enableCopyBarrierOptimization, true, nullptr) \
</ins><span class="cx">     \
</span><span class="cx">     v(bool, enableConcurrentJIT, true, &quot;allows the DFG / FTL compilation in threads other than the executing JS thread&quot;) \
</span><span class="cx">     v(unsigned, numberOfDFGCompilerThreads, computeNumberOfWorkerThreads(2, 2) - 1, nullptr) \
</span></span></pre>
</div>
</div>

</body>
</html>