<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[194863] trunk/Source/JavaScriptCore</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/194863">194863</a></dd>
<dt>Author</dt> <dd>keith_miller@apple.com</dd>
<dt>Date</dt> <dd>2016-01-11 13:31:04 -0800 (Mon, 11 Jan 2016)</dd>
</dl>
<h3>Log Message</h3>
<pre>Use a profile to store allocation structures for subclasses of InternalFunctions
https://bugs.webkit.org/show_bug.cgi?id=152942
Reviewed by Michael Saboff.
This patch adds InternalFunctionAllocationProfile to FunctionRareData, which holds
a cached structure that can be used to quickly allocate any derived class of an InternalFunction.
InternalFunctionAllocationProfile ended up being distinct from ObjectAllocationProfile, due to
constraints imposed by Reflect.construct. Reflect.construct allows the user to pass an arbitrary
constructor as a new.target to any other constructor. This means that a user can pass some
non-derived constructor to an InternalFunction (they can even pass another InternalFunction as the
new.target). If we use the same profile for both InternalFunctions and JS allocations then we always
need to check in both JS code and C++ code that the profiled structure has the same ClassInfo as the
current constructor. By using different profiles, we only need to check the profile in InternalFunctions
as all JS constructed objects share the same ClassInfo (JSFinalObject). This comes at the relatively
low cost of using slightly more memory on FunctionRareData and being slightly more conceptually complex.
Additionally, this patch adds subclassing to some omitted classes.
* API/JSObjectRef.cpp:
(JSObjectMakeDate):
(JSObjectMakeRegExp):
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/InternalFunctionAllocationProfile.h: Added.
(JSC::InternalFunctionAllocationProfile::structure):
(JSC::InternalFunctionAllocationProfile::clear):
(JSC::InternalFunctionAllocationProfile::visitAggregate):
(JSC::InternalFunctionAllocationProfile::createAllocationStructureFromBase):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGOperations.cpp:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_create_this):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_create_this):
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/BooleanConstructor.cpp:
(JSC::constructWithBooleanConstructor):
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/DateConstructor.cpp:
(JSC::constructDate):
(JSC::constructWithDateConstructor):
* runtime/DateConstructor.h:
* runtime/ErrorConstructor.cpp:
(JSC::Interpreter::constructWithErrorConstructor):
* runtime/FunctionRareData.cpp:
(JSC::FunctionRareData::create):
(JSC::FunctionRareData::visitChildren):
(JSC::FunctionRareData::FunctionRareData):
(JSC::FunctionRareData::initializeObjectAllocationProfile):
(JSC::FunctionRareData::clear):
(JSC::FunctionRareData::finishCreation): Deleted.
(JSC::FunctionRareData::initialize): Deleted.
* runtime/FunctionRareData.h:
(JSC::FunctionRareData::offsetOfObjectAllocationProfile):
(JSC::FunctionRareData::objectAllocationProfile):
(JSC::FunctionRareData::objectAllocationStructure):
(JSC::FunctionRareData::allocationProfileWatchpointSet):
(JSC::FunctionRareData::isObjectAllocationProfileInitialized):
(JSC::FunctionRareData::internalFunctionAllocationStructure):
(JSC::FunctionRareData::createInternalFunctionAllocationStructureFromBase):
(JSC::FunctionRareData::offsetOfAllocationProfile): Deleted.
(JSC::FunctionRareData::allocationProfile): Deleted.
(JSC::FunctionRareData::allocationStructure): Deleted.
(JSC::FunctionRareData::isInitialized): Deleted.
* runtime/InternalFunction.cpp:
(JSC::InternalFunction::createSubclassStructure):
* runtime/InternalFunction.h:
* runtime/JSArrayBufferConstructor.cpp:
(JSC::constructArrayBuffer):
* runtime/JSFunction.cpp:
(JSC::JSFunction::allocateRareData):
(JSC::JSFunction::allocateAndInitializeRareData):
(JSC::JSFunction::initializeRareData):
* runtime/JSFunction.h:
(JSC::JSFunction::rareData):
* runtime/JSGenericTypedArrayViewConstructorInlines.h:
(JSC::constructGenericTypedArrayView):
* runtime/JSObject.h:
(JSC::JSFinalObject::typeInfo):
(JSC::JSFinalObject::createStructure):
* runtime/JSPromiseConstructor.cpp:
(JSC::constructPromise):
* runtime/JSPromiseConstructor.h:
* runtime/JSWeakMap.cpp:
* runtime/JSWeakSet.cpp:
* runtime/MapConstructor.cpp:
(JSC::constructMap):
* runtime/NativeErrorConstructor.cpp:
(JSC::Interpreter::constructWithNativeErrorConstructor):
* runtime/NumberConstructor.cpp:
(JSC::constructWithNumberConstructor):
* runtime/PrototypeMap.cpp:
(JSC::PrototypeMap::createEmptyStructure):
(JSC::PrototypeMap::emptyStructureForPrototypeFromBaseStructure):
(JSC::PrototypeMap::emptyObjectStructureForPrototype):
(JSC::PrototypeMap::clearEmptyObjectStructureForPrototype):
* runtime/PrototypeMap.h:
* runtime/RegExpConstructor.cpp:
(JSC::getRegExpStructure):
(JSC::constructRegExp):
(JSC::constructWithRegExpConstructor):
* runtime/RegExpConstructor.h:
* runtime/SetConstructor.cpp:
(JSC::constructSet):
* runtime/WeakMapConstructor.cpp:
(JSC::constructWeakMap):
* runtime/WeakSetConstructor.cpp:
(JSC::constructWeakSet):
* tests/stress/class-subclassing-misc.js:
(A):
(D):
(E):
(WM):
(WS):
(test):
* tests/stress/class-subclassing-typedarray.js: Added.
(test):</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoreAPIJSObjectRefcpp">trunk/Source/JavaScriptCore/API/JSObjectRef.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoreJavaScriptCorexcodeprojprojectpbxproj">trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGByteCodeParsercpp">trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGOperationscpp">trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJIT32_64cpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJIT64cpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITOpcodescpp">trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITOpcodes32_64cpp">trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorellintLowLevelInterpreter32_64asm">trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm</a></li>
<li><a href="#trunkSourceJavaScriptCorellintLowLevelInterpreter64asm">trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeBooleanConstructorcpp">trunk/Source/JavaScriptCore/runtime/BooleanConstructor.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeCommonSlowPathscpp">trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeDateConstructorcpp">trunk/Source/JavaScriptCore/runtime/DateConstructor.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeDateConstructorh">trunk/Source/JavaScriptCore/runtime/DateConstructor.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeErrorConstructorcpp">trunk/Source/JavaScriptCore/runtime/ErrorConstructor.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeFunctionRareDatacpp">trunk/Source/JavaScriptCore/runtime/FunctionRareData.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeFunctionRareDatah">trunk/Source/JavaScriptCore/runtime/FunctionRareData.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeInternalFunctioncpp">trunk/Source/JavaScriptCore/runtime/InternalFunction.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeInternalFunctionh">trunk/Source/JavaScriptCore/runtime/InternalFunction.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSArrayBufferConstructorcpp">trunk/Source/JavaScriptCore/runtime/JSArrayBufferConstructor.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSFunctioncpp">trunk/Source/JavaScriptCore/runtime/JSFunction.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSFunctionh">trunk/Source/JavaScriptCore/runtime/JSFunction.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSGenericTypedArrayViewConstructorInlinesh">trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewConstructorInlines.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSObjecth">trunk/Source/JavaScriptCore/runtime/JSObject.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSPromiseConstructorcpp">trunk/Source/JavaScriptCore/runtime/JSPromiseConstructor.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSPromiseConstructorh">trunk/Source/JavaScriptCore/runtime/JSPromiseConstructor.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSWeakMapcpp">trunk/Source/JavaScriptCore/runtime/JSWeakMap.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSWeakSetcpp">trunk/Source/JavaScriptCore/runtime/JSWeakSet.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeMapConstructorcpp">trunk/Source/JavaScriptCore/runtime/MapConstructor.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeNativeErrorConstructorcpp">trunk/Source/JavaScriptCore/runtime/NativeErrorConstructor.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeNumberConstructorcpp">trunk/Source/JavaScriptCore/runtime/NumberConstructor.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimePrototypeMapcpp">trunk/Source/JavaScriptCore/runtime/PrototypeMap.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimePrototypeMaph">trunk/Source/JavaScriptCore/runtime/PrototypeMap.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeRegExpConstructorcpp">trunk/Source/JavaScriptCore/runtime/RegExpConstructor.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeRegExpConstructorh">trunk/Source/JavaScriptCore/runtime/RegExpConstructor.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeSetConstructorcpp">trunk/Source/JavaScriptCore/runtime/SetConstructor.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeWeakMapConstructorcpp">trunk/Source/JavaScriptCore/runtime/WeakMapConstructor.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeWeakSetConstructorcpp">trunk/Source/JavaScriptCore/runtime/WeakSetConstructor.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoretestsstressclasssubclassingmiscjs">trunk/Source/JavaScriptCore/tests/stress/class-subclassing-misc.js</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCorebytecodeInternalFunctionAllocationProfileh">trunk/Source/JavaScriptCore/bytecode/InternalFunctionAllocationProfile.h</a></li>
<li><a href="#trunkSourceJavaScriptCoretestsstressclasssubclassingtypedarrayjs">trunk/Source/JavaScriptCore/tests/stress/class-subclassing-typedarray.js</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceJavaScriptCoreAPIJSObjectRefcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/API/JSObjectRef.cpp (194862 => 194863)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/API/JSObjectRef.cpp 2016-01-11 21:28:40 UTC (rev 194862)
+++ trunk/Source/JavaScriptCore/API/JSObjectRef.cpp 2016-01-11 21:31:04 UTC (rev 194863)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2006, 2007, 2008 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2006, 2007, 2008, 2016 Apple Inc. All rights reserved.
</ins><span class="cx"> * Copyright (C) 2008 Kelvin W Sherlock (ksherlock@gmail.com)
</span><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="lines">@@ -212,7 +212,7 @@
</span><span class="cx"> for (size_t i = 0; i < argumentCount; ++i)
</span><span class="cx"> argList.append(toJS(exec, arguments[i]));
</span><span class="cx">
</span><del>- JSObject* result = constructDate(exec, exec->lexicalGlobalObject(), argList);
</del><ins>+ JSObject* result = constructDate(exec, exec->lexicalGlobalObject(), JSValue(), argList);
</ins><span class="cx"> if (handleExceptionIfNeeded(exec, exception) == ExceptionStatus::DidThrow)
</span><span class="cx"> result = 0;
</span><span class="cx">
</span><span class="lines">@@ -251,7 +251,7 @@
</span><span class="cx"> for (size_t i = 0; i < argumentCount; ++i)
</span><span class="cx"> argList.append(toJS(exec, arguments[i]));
</span><span class="cx">
</span><del>- JSObject* result = constructRegExp(exec, exec->lexicalGlobalObject(), argList);
</del><ins>+ JSObject* result = constructRegExp(exec, exec->lexicalGlobalObject(), argList);
</ins><span class="cx"> if (handleExceptionIfNeeded(exec, exception) == ExceptionStatus::DidThrow)
</span><span class="cx"> result = 0;
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (194862 => 194863)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog 2016-01-11 21:28:40 UTC (rev 194862)
+++ trunk/Source/JavaScriptCore/ChangeLog 2016-01-11 21:31:04 UTC (rev 194863)
</span><span class="lines">@@ -1,3 +1,130 @@
</span><ins>+2016-01-08 Keith Miller <keith_miller@apple.com>
+
+ Use a profile to store allocation structures for subclasses of InternalFunctions
+ https://bugs.webkit.org/show_bug.cgi?id=152942
+
+ Reviewed by Michael Saboff.
+
+ This patch adds InternalFunctionAllocationProfile to FunctionRareData, which holds
+ a cached structure that can be used to quickly allocate any derived class of an InternalFunction.
+ InternalFunctionAllocationProfile ended up being distinct from ObjectAllocationProfile, due to
+ constraints imposed by Reflect.construct. Reflect.construct allows the user to pass an arbitrary
+ constructor as a new.target to any other constructor. This means that a user can pass some
+ non-derived constructor to an InternalFunction (they can even pass another InternalFunction as the
+ new.target). If we use the same profile for both InternalFunctions and JS allocations then we always
+ need to check in both JS code and C++ code that the profiled structure has the same ClassInfo as the
+ current constructor. By using different profiles, we only need to check the profile in InternalFunctions
+ as all JS constructed objects share the same ClassInfo (JSFinalObject). This comes at the relatively
+ low cost of using slightly more memory on FunctionRareData and being slightly more conceptually complex.
+
+ Additionally, this patch adds subclassing to some omitted classes.
+
+ * API/JSObjectRef.cpp:
+ (JSObjectMakeDate):
+ (JSObjectMakeRegExp):
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/InternalFunctionAllocationProfile.h: Added.
+ (JSC::InternalFunctionAllocationProfile::structure):
+ (JSC::InternalFunctionAllocationProfile::clear):
+ (JSC::InternalFunctionAllocationProfile::visitAggregate):
+ (JSC::InternalFunctionAllocationProfile::createAllocationStructureFromBase):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_create_this):
+ * jit/JITOpcodes32_64.cpp:
+ (JSC::JIT::emit_op_create_this):
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+ * runtime/BooleanConstructor.cpp:
+ (JSC::constructWithBooleanConstructor):
+ * runtime/CommonSlowPaths.cpp:
+ (JSC::SLOW_PATH_DECL):
+ * runtime/DateConstructor.cpp:
+ (JSC::constructDate):
+ (JSC::constructWithDateConstructor):
+ * runtime/DateConstructor.h:
+ * runtime/ErrorConstructor.cpp:
+ (JSC::Interpreter::constructWithErrorConstructor):
+ * runtime/FunctionRareData.cpp:
+ (JSC::FunctionRareData::create):
+ (JSC::FunctionRareData::visitChildren):
+ (JSC::FunctionRareData::FunctionRareData):
+ (JSC::FunctionRareData::initializeObjectAllocationProfile):
+ (JSC::FunctionRareData::clear):
+ (JSC::FunctionRareData::finishCreation): Deleted.
+ (JSC::FunctionRareData::initialize): Deleted.
+ * runtime/FunctionRareData.h:
+ (JSC::FunctionRareData::offsetOfObjectAllocationProfile):
+ (JSC::FunctionRareData::objectAllocationProfile):
+ (JSC::FunctionRareData::objectAllocationStructure):
+ (JSC::FunctionRareData::allocationProfileWatchpointSet):
+ (JSC::FunctionRareData::isObjectAllocationProfileInitialized):
+ (JSC::FunctionRareData::internalFunctionAllocationStructure):
+ (JSC::FunctionRareData::createInternalFunctionAllocationStructureFromBase):
+ (JSC::FunctionRareData::offsetOfAllocationProfile): Deleted.
+ (JSC::FunctionRareData::allocationProfile): Deleted.
+ (JSC::FunctionRareData::allocationStructure): Deleted.
+ (JSC::FunctionRareData::isInitialized): Deleted.
+ * runtime/InternalFunction.cpp:
+ (JSC::InternalFunction::createSubclassStructure):
+ * runtime/InternalFunction.h:
+ * runtime/JSArrayBufferConstructor.cpp:
+ (JSC::constructArrayBuffer):
+ * runtime/JSFunction.cpp:
+ (JSC::JSFunction::allocateRareData):
+ (JSC::JSFunction::allocateAndInitializeRareData):
+ (JSC::JSFunction::initializeRareData):
+ * runtime/JSFunction.h:
+ (JSC::JSFunction::rareData):
+ * runtime/JSGenericTypedArrayViewConstructorInlines.h:
+ (JSC::constructGenericTypedArrayView):
+ * runtime/JSObject.h:
+ (JSC::JSFinalObject::typeInfo):
+ (JSC::JSFinalObject::createStructure):
+ * runtime/JSPromiseConstructor.cpp:
+ (JSC::constructPromise):
+ * runtime/JSPromiseConstructor.h:
+ * runtime/JSWeakMap.cpp:
+ * runtime/JSWeakSet.cpp:
+ * runtime/MapConstructor.cpp:
+ (JSC::constructMap):
+ * runtime/NativeErrorConstructor.cpp:
+ (JSC::Interpreter::constructWithNativeErrorConstructor):
+ * runtime/NumberConstructor.cpp:
+ (JSC::constructWithNumberConstructor):
+ * runtime/PrototypeMap.cpp:
+ (JSC::PrototypeMap::createEmptyStructure):
+ (JSC::PrototypeMap::emptyStructureForPrototypeFromBaseStructure):
+ (JSC::PrototypeMap::emptyObjectStructureForPrototype):
+ (JSC::PrototypeMap::clearEmptyObjectStructureForPrototype):
+ * runtime/PrototypeMap.h:
+ * runtime/RegExpConstructor.cpp:
+ (JSC::getRegExpStructure):
+ (JSC::constructRegExp):
+ (JSC::constructWithRegExpConstructor):
+ * runtime/RegExpConstructor.h:
+ * runtime/SetConstructor.cpp:
+ (JSC::constructSet):
+ * runtime/WeakMapConstructor.cpp:
+ (JSC::constructWeakMap):
+ * runtime/WeakSetConstructor.cpp:
+ (JSC::constructWeakSet):
+ * tests/stress/class-subclassing-misc.js:
+ (A):
+ (D):
+ (E):
+ (WM):
+ (WS):
+ (test):
+ * tests/stress/class-subclassing-typedarray.js: Added.
+ (test):
+
</ins><span class="cx"> 2016-01-11 Per Arne Vollan <peavo@outlook.com>
</span><span class="cx">
</span><span class="cx"> [B3][Win64] Compile error.
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreJavaScriptCorexcodeprojprojectpbxproj"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (194862 => 194863)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj 2016-01-11 21:28:40 UTC (rev 194862)
+++ trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj 2016-01-11 21:31:04 UTC (rev 194863)
</span><span class="lines">@@ -1174,6 +1174,7 @@
</span><span class="cx"> 5370B4F51BF26202005C40FC /* AdaptiveInferredPropertyValueWatchpointBase.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 5370B4F31BF25EA2005C40FC /* AdaptiveInferredPropertyValueWatchpointBase.cpp */; };
</span><span class="cx"> 5370B4F61BF26205005C40FC /* AdaptiveInferredPropertyValueWatchpointBase.h in Headers */ = {isa = PBXBuildFile; fileRef = 5370B4F41BF25EA2005C40FC /* AdaptiveInferredPropertyValueWatchpointBase.h */; };
</span><span class="cx"> 53917E7B1B7906FA000EBD33 /* JSGenericTypedArrayViewPrototypeFunctions.h in Headers */ = {isa = PBXBuildFile; fileRef = 53917E7A1B7906E4000EBD33 /* JSGenericTypedArrayViewPrototypeFunctions.h */; };
</span><ins>+ 53F6BF6D1C3F060A00F41E5D /* InternalFunctionAllocationProfile.h in Headers */ = {isa = PBXBuildFile; fileRef = 53F6BF6C1C3F060A00F41E5D /* InternalFunctionAllocationProfile.h */; settings = {ATTRIBUTES = (Private, ); }; };
</ins><span class="cx"> 5D53726F0E1C54880021E549 /* Tracing.h in Headers */ = {isa = PBXBuildFile; fileRef = 5D53726E0E1C54880021E549 /* Tracing.h */; };
</span><span class="cx"> 5D5D8AD10E0D0EBE00F9C692 /* libedit.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 5D5D8AD00E0D0EBE00F9C692 /* libedit.dylib */; };
</span><span class="cx"> 5DBB151B131D0B310056AD36 /* testapi.js in Copy Support Script */ = {isa = PBXBuildFile; fileRef = 14D857740A4696C80032146C /* testapi.js */; };
</span><span class="lines">@@ -3288,6 +3289,7 @@
</span><span class="cx"> 53917E7C1B791106000EBD33 /* JSTypedArrayViewPrototype.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSTypedArrayViewPrototype.h; sourceTree = "<group>"; };
</span><span class="cx"> 53917E831B791CB8000EBD33 /* TypedArrayPrototype.js */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.javascript; name = TypedArrayPrototype.js; path = builtins/TypedArrayPrototype.js; sourceTree = SOURCE_ROOT; };
</span><span class="cx"> 53F256E11B87E28000B4B768 /* JSTypedArrayViewPrototype.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSTypedArrayViewPrototype.cpp; sourceTree = "<group>"; };
</span><ins>+ 53F6BF6C1C3F060A00F41E5D /* InternalFunctionAllocationProfile.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = InternalFunctionAllocationProfile.h; sourceTree = "<group>"; };
</ins><span class="cx"> 5540758418F4A37500602A5D /* CompileRuntimeToLLVMIR.xcconfig */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.xcconfig; path = CompileRuntimeToLLVMIR.xcconfig; sourceTree = "<group>"; };
</span><span class="cx"> 593D43CCA0BBE06D89C59707 /* MapDataInlines.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = MapDataInlines.h; sourceTree = "<group>"; };
</span><span class="cx"> 5D53726D0E1C546B0021E549 /* Tracing.d */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = Tracing.d; sourceTree = "<group>"; };
</span><span class="lines">@@ -6511,6 +6513,7 @@
</span><span class="cx"> 0F24E55317F0B71C00ABB217 /* InlineCallFrameSet.cpp */,
</span><span class="cx"> 0F24E55417F0B71C00ABB217 /* InlineCallFrameSet.h */,
</span><span class="cx"> 969A07930ED1D3AE00F1F681 /* Instruction.h */,
</span><ins>+ 53F6BF6C1C3F060A00F41E5D /* InternalFunctionAllocationProfile.h */,
</ins><span class="cx"> BCFD8C900EEB2EE700283848 /* JumpTable.cpp */,
</span><span class="cx"> BCFD8C910EEB2EE700283848 /* JumpTable.h */,
</span><span class="cx"> 0FB5467814F5C468002C2989 /* LazyOperandValueProfile.cpp */,
</span><span class="lines">@@ -7058,6 +7061,7 @@
</span><span class="cx"> 0F0B83A714BCF50700885B4F /* CodeType.h in Headers */,
</span><span class="cx"> A53243981856A489002ED692 /* CombinedDomains.json in Headers */,
</span><span class="cx"> BC18C3F30E16F5CD00B34460 /* CommonIdentifiers.h in Headers */,
</span><ins>+ 53F6BF6D1C3F060A00F41E5D /* InternalFunctionAllocationProfile.h in Headers */,
</ins><span class="cx"> 0F15F15F14B7A73E005DE37D /* CommonSlowPaths.h in Headers */,
</span><span class="cx"> 6553A33217A1F1EE008CF6F3 /* CommonSlowPathsExceptions.h in Headers */,
</span><span class="cx"> 0FD82E39141AB14D00179C94 /* CompactJITCodeMap.h in Headers */,
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeInternalFunctionAllocationProfileh"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/bytecode/InternalFunctionAllocationProfile.h (0 => 194863)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/InternalFunctionAllocationProfile.h (rev 0)
+++ trunk/Source/JavaScriptCore/bytecode/InternalFunctionAllocationProfile.h 2016-01-11 21:31:04 UTC (rev 194863)
</span><span class="lines">@@ -0,0 +1,64 @@
</span><ins>+/*
+ * Copyright (C) 2016 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef InternalFunctionAllocationProfile_h
+#define InternalFunctionAllocationProfile_h
+
+#include "JSGlobalObject.h"
+#include "ObjectPrototype.h"
+#include "SlotVisitor.h"
+#include "WriteBarrier.h"
+
+namespace JSC {
+
+class InternalFunctionAllocationProfile {
+public:
+ Structure* structure() { return m_structure.get(); }
+ Structure* createAllocationStructureFromBase(VM&, JSCell* owner, JSObject* prototype, Structure* base);
+
+ void clear() { m_structure.clear(); }
+ void visitAggregate(SlotVisitor& visitor) { visitor.append(&m_structure); }
+
+private:
+ WriteBarrier<Structure> m_structure;
+};
+
+inline Structure* InternalFunctionAllocationProfile::createAllocationStructureFromBase(VM& vm, JSCell* owner, JSObject* prototype, Structure* baseStructure)
+{
+ ASSERT(prototype != baseStructure->storedPrototype());
+ ASSERT(!m_structure || m_structure.get()->classInfo() != baseStructure->classInfo());
+
+ Structure* structure = vm.prototypeMap.emptyStructureForPrototypeFromBaseStructure(prototype, baseStructure);
+
+ // Ensure that if another thread sees the structure, it will see it properly created.
+ WTF::storeStoreFence();
+
+ m_structure.set(vm, owner, structure);
+ return m_structure.get();
+}
+
+} // namespace JSC
+
+#endif /* InternalFunctionAllocationProfile_h */
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGByteCodeParsercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp (194862 => 194863)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp 2016-01-11 21:28:40 UTC (rev 194862)
+++ trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp 2016-01-11 21:31:04 UTC (rev 194863)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2011-2015 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2011-2016 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -3273,7 +3273,7 @@
</span><span class="cx"> bool alreadyEmitted = false;
</span><span class="cx"> if (function) {
</span><span class="cx"> if (FunctionRareData* rareData = function->rareData()) {
</span><del>- if (Structure* structure = rareData->allocationStructure()) {
</del><ins>+ if (Structure* structure = rareData->objectAllocationStructure()) {
</ins><span class="cx"> m_graph.freeze(rareData);
</span><span class="cx"> m_graph.watchpoints().addLazily(rareData->allocationProfileWatchpointSet());
</span><span class="cx"> // The callee is still live up to this point.
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGOperationscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp (194862 => 194863)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp 2016-01-11 21:28:40 UTC (rev 194862)
+++ trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp 2016-01-11 21:31:04 UTC (rev 194863)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2011, 2013-2015 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2011, 2013-2016 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -165,7 +165,7 @@
</span><span class="cx"> VM& vm = exec->vm();
</span><span class="cx"> NativeCallFrameTracer tracer(&vm, exec);
</span><span class="cx">
</span><del>- return constructEmptyObject(exec, jsCast<JSFunction*>(constructor)->rareData(exec, inlineCapacity)->allocationProfile()->structure());
</del><ins>+ return constructEmptyObject(exec, jsCast<JSFunction*>(constructor)->rareData(exec, inlineCapacity)->objectAllocationProfile()->structure());
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> EncodedJSValue JIT_OPERATION operationValueBitAnd(ExecState* exec, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJIT32_64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (194862 => 194863)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp 2016-01-11 21:28:40 UTC (rev 194862)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp 2016-01-11 21:31:04 UTC (rev 194863)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2011-2015 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2011-2016 Apple Inc. All rights reserved.
</ins><span class="cx"> * Copyright (C) 2011 Intel Corporation. All rights reserved.
</span><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="lines">@@ -3709,8 +3709,8 @@
</span><span class="cx">
</span><span class="cx"> m_jit.loadPtr(JITCompiler::Address(calleeGPR, JSFunction::offsetOfRareData()), rareDataGPR);
</span><span class="cx"> slowPath.append(m_jit.branchTestPtr(MacroAssembler::Zero, rareDataGPR));
</span><del>- m_jit.loadPtr(JITCompiler::Address(rareDataGPR, FunctionRareData::offsetOfAllocationProfile() + ObjectAllocationProfile::offsetOfAllocator()), allocatorGPR);
- m_jit.loadPtr(JITCompiler::Address(rareDataGPR, FunctionRareData::offsetOfAllocationProfile() + ObjectAllocationProfile::offsetOfStructure()), structureGPR);
</del><ins>+ m_jit.loadPtr(JITCompiler::Address(rareDataGPR, FunctionRareData::offsetOfObjectAllocationProfile() + ObjectAllocationProfile::offsetOfAllocator()), allocatorGPR);
+ m_jit.loadPtr(JITCompiler::Address(rareDataGPR, FunctionRareData::offsetOfObjectAllocationProfile() + ObjectAllocationProfile::offsetOfStructure()), structureGPR);
</ins><span class="cx"> slowPath.append(m_jit.branchTestPtr(MacroAssembler::Zero, allocatorGPR));
</span><span class="cx"> emitAllocateJSObject(resultGPR, allocatorGPR, structureGPR, TrustedImmPtr(0), scratchGPR, slowPath);
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJIT64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (194862 => 194863)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp 2016-01-11 21:28:40 UTC (rev 194862)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp 2016-01-11 21:31:04 UTC (rev 194863)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2011-2015 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2011-2016 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -3741,8 +3741,8 @@
</span><span class="cx">
</span><span class="cx"> m_jit.loadPtr(JITCompiler::Address(calleeGPR, JSFunction::offsetOfRareData()), rareDataGPR);
</span><span class="cx"> slowPath.append(m_jit.branchTestPtr(MacroAssembler::Zero, rareDataGPR));
</span><del>- m_jit.loadPtr(JITCompiler::Address(rareDataGPR, FunctionRareData::offsetOfAllocationProfile() + ObjectAllocationProfile::offsetOfAllocator()), allocatorGPR);
- m_jit.loadPtr(JITCompiler::Address(rareDataGPR, FunctionRareData::offsetOfAllocationProfile() + ObjectAllocationProfile::offsetOfStructure()), structureGPR);
</del><ins>+ m_jit.loadPtr(JITCompiler::Address(rareDataGPR, FunctionRareData::offsetOfObjectAllocationProfile() + ObjectAllocationProfile::offsetOfAllocator()), allocatorGPR);
+ m_jit.loadPtr(JITCompiler::Address(rareDataGPR, FunctionRareData::offsetOfObjectAllocationProfile() + ObjectAllocationProfile::offsetOfStructure()), structureGPR);
</ins><span class="cx"> slowPath.append(m_jit.branchTestPtr(MacroAssembler::Zero, allocatorGPR));
</span><span class="cx"> emitAllocateJSObject(resultGPR, allocatorGPR, structureGPR, TrustedImmPtr(0), scratchGPR, slowPath);
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITOpcodescpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp (194862 => 194863)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp 2016-01-11 21:28:40 UTC (rev 194862)
+++ trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp 2016-01-11 21:31:04 UTC (rev 194863)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2009, 2012-2015 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2009, 2012-2016 Apple Inc. All rights reserved.
</ins><span class="cx"> * Copyright (C) 2010 Patrick Gansterer <paroga@paroga.com>
</span><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="lines">@@ -714,8 +714,8 @@
</span><span class="cx"> emitGetVirtualRegister(callee, calleeReg);
</span><span class="cx"> loadPtr(Address(calleeReg, JSFunction::offsetOfRareData()), rareDataReg);
</span><span class="cx"> addSlowCase(branchTestPtr(Zero, rareDataReg));
</span><del>- loadPtr(Address(rareDataReg, FunctionRareData::offsetOfAllocationProfile() + ObjectAllocationProfile::offsetOfAllocator()), allocatorReg);
- loadPtr(Address(rareDataReg, FunctionRareData::offsetOfAllocationProfile() + ObjectAllocationProfile::offsetOfStructure()), structureReg);
</del><ins>+ loadPtr(Address(rareDataReg, FunctionRareData::offsetOfObjectAllocationProfile() + ObjectAllocationProfile::offsetOfAllocator()), allocatorReg);
+ loadPtr(Address(rareDataReg, FunctionRareData::offsetOfObjectAllocationProfile() + ObjectAllocationProfile::offsetOfStructure()), structureReg);
</ins><span class="cx"> addSlowCase(branchTestPtr(Zero, allocatorReg));
</span><span class="cx">
</span><span class="cx"> loadPtr(cachedFunction, cachedFunctionReg);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITOpcodes32_64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp (194862 => 194863)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp 2016-01-11 21:28:40 UTC (rev 194862)
+++ trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp 2016-01-11 21:31:04 UTC (rev 194863)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2009, 2012, 2013, 2014, 2015 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2009, 2012-2016 Apple Inc. All rights reserved.
</ins><span class="cx"> * Copyright (C) 2010 Patrick Gansterer <paroga@paroga.com>
</span><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="lines">@@ -972,8 +972,8 @@
</span><span class="cx"> emitLoadPayload(callee, calleeReg);
</span><span class="cx"> loadPtr(Address(calleeReg, JSFunction::offsetOfRareData()), rareDataReg);
</span><span class="cx"> addSlowCase(branchTestPtr(Zero, rareDataReg));
</span><del>- loadPtr(Address(rareDataReg, FunctionRareData::offsetOfAllocationProfile() + ObjectAllocationProfile::offsetOfAllocator()), allocatorReg);
- loadPtr(Address(rareDataReg, FunctionRareData::offsetOfAllocationProfile() + ObjectAllocationProfile::offsetOfStructure()), structureReg);
</del><ins>+ loadPtr(Address(rareDataReg, FunctionRareData::offsetOfObjectAllocationProfile() + ObjectAllocationProfile::offsetOfAllocator()), allocatorReg);
+ loadPtr(Address(rareDataReg, FunctionRareData::offsetOfObjectAllocationProfile() + ObjectAllocationProfile::offsetOfStructure()), structureReg);
</ins><span class="cx"> addSlowCase(branchTestPtr(Zero, allocatorReg));
</span><span class="cx">
</span><span class="cx"> loadPtr(cachedFunction, cachedFunctionReg);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorellintLowLevelInterpreter32_64asm"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm (194862 => 194863)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm 2016-01-11 21:28:40 UTC (rev 194862)
+++ trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm 2016-01-11 21:31:04 UTC (rev 194863)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-# Copyright (C) 2011-2015 Apple Inc. All rights reserved.
</del><ins>+# Copyright (C) 2011-2016 Apple Inc. All rights reserved.
</ins><span class="cx"> #
</span><span class="cx"> # Redistribution and use in source and binary forms, with or without
</span><span class="cx"> # modification, are permitted provided that the following conditions
</span><span class="lines">@@ -693,8 +693,8 @@
</span><span class="cx"> loadp PayloadOffset[cfr, t0, 8], t0
</span><span class="cx"> loadp JSFunction::m_rareData[t0], t5
</span><span class="cx"> btpz t5, .opCreateThisSlow
</span><del>- loadp FunctionRareData::m_allocationProfile + ObjectAllocationProfile::m_allocator[t5], t1
- loadp FunctionRareData::m_allocationProfile + ObjectAllocationProfile::m_structure[t5], t2
</del><ins>+ loadp FunctionRareData::m_objectAllocationProfile + ObjectAllocationProfile::m_allocator[t5], t1
+ loadp FunctionRareData::m_objectAllocationProfile + ObjectAllocationProfile::m_structure[t5], t2
</ins><span class="cx"> btpz t1, .opCreateThisSlow
</span><span class="cx"> loadpFromInstruction(4, t5)
</span><span class="cx"> bpeq t5, 1, .hasSeenMultipleCallee
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorellintLowLevelInterpreter64asm"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm (194862 => 194863)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm 2016-01-11 21:28:40 UTC (rev 194862)
+++ trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm 2016-01-11 21:31:04 UTC (rev 194863)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-# Copyright (C) 2011-2015 Apple Inc. All rights reserved.
</del><ins>+# Copyright (C) 2011-2016 Apple Inc. All rights reserved.
</ins><span class="cx"> #
</span><span class="cx"> # Redistribution and use in source and binary forms, with or without
</span><span class="cx"> # modification, are permitted provided that the following conditions
</span><span class="lines">@@ -599,8 +599,8 @@
</span><span class="cx"> loadp [cfr, t0, 8], t0
</span><span class="cx"> loadp JSFunction::m_rareData[t0], t3
</span><span class="cx"> btpz t3, .opCreateThisSlow
</span><del>- loadp FunctionRareData::m_allocationProfile + ObjectAllocationProfile::m_allocator[t3], t1
- loadp FunctionRareData::m_allocationProfile + ObjectAllocationProfile::m_structure[t3], t2
</del><ins>+ loadp FunctionRareData::m_objectAllocationProfile + ObjectAllocationProfile::m_allocator[t3], t1
+ loadp FunctionRareData::m_objectAllocationProfile + ObjectAllocationProfile::m_structure[t3], t2
</ins><span class="cx"> btpz t1, .opCreateThisSlow
</span><span class="cx"> loadpFromInstruction(4, t3)
</span><span class="cx"> bpeq t3, 1, .hasSeenMultipleCallee
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeBooleanConstructorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/BooleanConstructor.cpp (194862 => 194863)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/BooleanConstructor.cpp 2016-01-11 21:28:40 UTC (rev 194862)
+++ trunk/Source/JavaScriptCore/runtime/BooleanConstructor.cpp 2016-01-11 21:31:04 UTC (rev 194863)
</span><span class="lines">@@ -49,13 +49,8 @@
</span><span class="cx"> static EncodedJSValue JSC_HOST_CALL constructWithBooleanConstructor(ExecState* exec)
</span><span class="cx"> {
</span><span class="cx"> JSValue boolean = jsBoolean(exec->argument(0).toBoolean(exec));
</span><del>-
- JSValue prototype = JSValue();
- JSValue newTarget = exec->newTarget();
- if (newTarget != exec->callee())
- prototype = newTarget.get(exec, exec->propertyNames().prototype);
-
- BooleanObject* obj = BooleanObject::create(exec->vm(), Structure::createSubclassStructure(exec->vm(), asInternalFunction(exec->callee())->globalObject()->booleanObjectStructure(), prototype));
</del><ins>+ Structure* booleanStructure = InternalFunction::createSubclassStructure(exec, exec->newTarget(), asInternalFunction(exec->callee())->globalObject()->booleanObjectStructure());
+ BooleanObject* obj = BooleanObject::create(exec->vm(), booleanStructure);
</ins><span class="cx"> obj->setInternalValue(exec->vm(), boolean);
</span><span class="cx"> return JSValue::encode(obj);
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeCommonSlowPathscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp (194862 => 194863)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp 2016-01-11 21:28:40 UTC (rev 194862)
+++ trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp 2016-01-11 21:31:04 UTC (rev 194863)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2011-2015 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2011-2016 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -230,7 +230,7 @@
</span><span class="cx"> cacheWriteBarrier.setWithoutWriteBarrier(JSCell::seenMultipleCalleeObjects());
</span><span class="cx">
</span><span class="cx"> size_t inlineCapacity = pc[3].u.operand;
</span><del>- Structure* structure = constructor->rareData(exec, inlineCapacity)->allocationProfile()->structure();
</del><ins>+ Structure* structure = constructor->rareData(exec, inlineCapacity)->objectAllocationProfile()->structure();
</ins><span class="cx"> RETURN(constructEmptyObject(exec, structure));
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeDateConstructorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/DateConstructor.cpp (194862 => 194863)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/DateConstructor.cpp 2016-01-11 21:28:40 UTC (rev 194862)
+++ trunk/Source/JavaScriptCore/runtime/DateConstructor.cpp 2016-01-11 21:31:04 UTC (rev 194863)
</span><span class="lines">@@ -1,6 +1,6 @@
</span><span class="cx"> /*
</span><span class="cx"> * Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
</span><del>- * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2011 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2011, 2016 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * This library is free software; you can redistribute it and/or
</span><span class="cx"> * modify it under the terms of the GNU Lesser General Public
</span><span class="lines">@@ -149,7 +149,7 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> // ECMA 15.9.3
</span><del>-JSObject* constructDate(ExecState* exec, JSGlobalObject* globalObject, const ArgList& args)
</del><ins>+JSObject* constructDate(ExecState* exec, JSGlobalObject* globalObject, JSValue newTarget, const ArgList& args)
</ins><span class="cx"> {
</span><span class="cx"> VM& vm = exec->vm();
</span><span class="cx"> int numArgs = args.size();
</span><span class="lines">@@ -171,13 +171,15 @@
</span><span class="cx"> } else
</span><span class="cx"> value = millisecondsFromComponents(exec, args, WTF::LocalTime);
</span><span class="cx">
</span><del>- return DateInstance::create(vm, globalObject->dateStructure(), value);
</del><ins>+ Structure* dateStructure = InternalFunction::createSubclassStructure(exec, newTarget, globalObject->dateStructure());
+
+ return DateInstance::create(vm, dateStructure, value);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> static EncodedJSValue JSC_HOST_CALL constructWithDateConstructor(ExecState* exec)
</span><span class="cx"> {
</span><span class="cx"> ArgList args(exec);
</span><del>- return JSValue::encode(constructDate(exec, asInternalFunction(exec->callee())->globalObject(), args));
</del><ins>+ return JSValue::encode(constructDate(exec, asInternalFunction(exec->callee())->globalObject(), exec->newTarget(), args));
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> ConstructType DateConstructor::getConstructData(JSCell*, ConstructData& constructData)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeDateConstructorh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/DateConstructor.h (194862 => 194863)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/DateConstructor.h 2016-01-11 21:28:40 UTC (rev 194862)
+++ trunk/Source/JavaScriptCore/runtime/DateConstructor.h 2016-01-11 21:31:04 UTC (rev 194863)
</span><span class="lines">@@ -1,6 +1,6 @@
</span><span class="cx"> /*
</span><span class="cx"> * Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
</span><del>- * Copyright (C) 2008, 2011 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2008, 2011, 2016 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * This library is free software; you can redistribute it and/or
</span><span class="cx"> * modify it under the terms of the GNU Lesser General Public
</span><span class="lines">@@ -57,7 +57,7 @@
</span><span class="cx"> static bool getOwnPropertySlot(JSObject*, ExecState*, PropertyName, PropertySlot&);
</span><span class="cx"> };
</span><span class="cx">
</span><del>-JSObject* constructDate(ExecState*, JSGlobalObject*, const ArgList&);
</del><ins>+JSObject* constructDate(ExecState*, JSGlobalObject*, JSValue newTarget, const ArgList&);
</ins><span class="cx">
</span><span class="cx"> EncodedJSValue JSC_HOST_CALL dateNow(ExecState*);
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeErrorConstructorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/ErrorConstructor.cpp (194862 => 194863)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/ErrorConstructor.cpp 2016-01-11 21:28:40 UTC (rev 194862)
+++ trunk/Source/JavaScriptCore/runtime/ErrorConstructor.cpp 2016-01-11 21:31:04 UTC (rev 194863)
</span><span class="lines">@@ -1,6 +1,6 @@
</span><span class="cx"> /*
</span><span class="cx"> * Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
</span><del>- * Copyright (C) 2003, 2008 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2003, 2008, 2016 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * This library is free software; you can redistribute it and/or
</span><span class="cx"> * modify it under the terms of the GNU Lesser General Public
</span><span class="lines">@@ -51,7 +51,7 @@
</span><span class="cx"> EncodedJSValue JSC_HOST_CALL Interpreter::constructWithErrorConstructor(ExecState* exec)
</span><span class="cx"> {
</span><span class="cx"> JSValue message = exec->argumentCount() ? exec->argument(0) : jsUndefined();
</span><del>- Structure* errorStructure = asInternalFunction(exec->callee())->globalObject()->errorStructure();
</del><ins>+ Structure* errorStructure = InternalFunction::createSubclassStructure(exec, exec->newTarget(), asInternalFunction(exec->callee())->globalObject()->errorStructure());
</ins><span class="cx"> return JSValue::encode(ErrorInstance::create(exec, errorStructure, message, nullptr, TypeNothing, false));
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeFunctionRareDatacpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/FunctionRareData.cpp (194862 => 194863)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/FunctionRareData.cpp 2016-01-11 21:28:40 UTC (rev 194862)
+++ trunk/Source/JavaScriptCore/runtime/FunctionRareData.cpp 2016-01-11 21:31:04 UTC (rev 194863)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2015 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2015-2016 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -32,10 +32,10 @@
</span><span class="cx">
</span><span class="cx"> const ClassInfo FunctionRareData::s_info = { "FunctionRareData", 0, 0, CREATE_METHOD_TABLE(FunctionRareData) };
</span><span class="cx">
</span><del>-FunctionRareData* FunctionRareData::create(VM& vm, JSObject* prototype, size_t inlineCapacity)
</del><ins>+FunctionRareData* FunctionRareData::create(VM& vm)
</ins><span class="cx"> {
</span><span class="cx"> FunctionRareData* rareData = new (NotNull, allocateCell<FunctionRareData>(vm.heap)) FunctionRareData(vm);
</span><del>- rareData->finishCreation(vm, prototype, inlineCapacity);
</del><ins>+ rareData->finishCreation(vm);
</ins><span class="cx"> return rareData;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -54,12 +54,13 @@
</span><span class="cx"> {
</span><span class="cx"> FunctionRareData* rareData = jsCast<FunctionRareData*>(cell);
</span><span class="cx">
</span><del>- rareData->m_allocationProfile.visitAggregate(visitor);
</del><ins>+ rareData->m_objectAllocationProfile.visitAggregate(visitor);
+ rareData->m_internalFunctionAllocationProfile.visitAggregate(visitor);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> FunctionRareData::FunctionRareData(VM& vm)
</span><span class="cx"> : Base(vm, vm.functionRareDataStructure.get())
</span><del>- , m_allocationProfile()
</del><ins>+ , m_objectAllocationProfile()
</ins><span class="cx"> // We initialize blind so that changes to the prototype after function creation but before
</span><span class="cx"> // the optimizer kicks in don't disable optimizations. Once the optimizer kicks in, the
</span><span class="cx"> // watchpoint will start watching and any changes will both force deoptimization and disable
</span><span class="lines">@@ -69,7 +70,7 @@
</span><span class="cx"> // was clobbered exactly once, but that seems like overkill. In almost all cases it will be
</span><span class="cx"> // clobbered once, and if it's clobbered more than once, that will probably only occur
</span><span class="cx"> // before we started optimizing, anyway.
</span><del>- , m_allocationProfileWatchpoint(ClearWatchpoint)
</del><ins>+ , m_objectAllocationProfileWatchpoint(ClearWatchpoint)
</ins><span class="cx"> {
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -77,21 +78,16 @@
</span><span class="cx"> {
</span><span class="cx"> }
</span><span class="cx">
</span><del>-void FunctionRareData::finishCreation(VM& vm, JSObject* prototype, size_t inlineCapacity)
</del><ins>+void FunctionRareData::initializeObjectAllocationProfile(VM& vm, JSObject* prototype, size_t inlineCapacity)
</ins><span class="cx"> {
</span><del>- Base::finishCreation(vm);
- initialize(vm, prototype, inlineCapacity);
</del><ins>+ m_objectAllocationProfile.initialize(vm, this, prototype, inlineCapacity);
</ins><span class="cx"> }
</span><span class="cx">
</span><del>-void FunctionRareData::initialize(VM& vm, JSObject* prototype, size_t inlineCapacity)
-{
- m_allocationProfile.initialize(vm, this, prototype, inlineCapacity);
-}
-
</del><span class="cx"> void FunctionRareData::clear(const char* reason)
</span><span class="cx"> {
</span><del>- m_allocationProfile.clear();
- m_allocationProfileWatchpoint.fireAll(reason);
</del><ins>+ m_objectAllocationProfile.clear();
+ m_internalFunctionAllocationProfile.clear();
+ m_objectAllocationProfileWatchpoint.fireAll(reason);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeFunctionRareDatah"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/FunctionRareData.h (194862 => 194863)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/FunctionRareData.h 2016-01-11 21:28:40 UTC (rev 194862)
+++ trunk/Source/JavaScriptCore/runtime/FunctionRareData.h 2016-01-11 21:31:04 UTC (rev 194863)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2015 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2015-2016 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -26,6 +26,7 @@
</span><span class="cx"> #ifndef FunctionRareData_h
</span><span class="cx"> #define FunctionRareData_h
</span><span class="cx">
</span><ins>+#include "InternalFunctionAllocationProfile.h"
</ins><span class="cx"> #include "JSCell.h"
</span><span class="cx"> #include "ObjectAllocationProfile.h"
</span><span class="cx"> #include "Watchpoint.h"
</span><span class="lines">@@ -49,7 +50,7 @@
</span><span class="cx"> typedef JSCell Base;
</span><span class="cx"> static const unsigned StructureFlags = StructureIsImmortal | Base::StructureFlags;
</span><span class="cx">
</span><del>- static FunctionRareData* create(VM&, JSObject* prototype, size_t inlineCapacity);
</del><ins>+ static FunctionRareData* create(VM&);
</ins><span class="cx">
</span><span class="cx"> static const bool needsDestruction = true;
</span><span class="cx"> static void destroy(JSCell*);
</span><span class="lines">@@ -60,42 +61,59 @@
</span><span class="cx">
</span><span class="cx"> DECLARE_INFO;
</span><span class="cx">
</span><del>- static inline ptrdiff_t offsetOfAllocationProfile()
</del><ins>+ static inline ptrdiff_t offsetOfObjectAllocationProfile()
</ins><span class="cx"> {
</span><del>- return OBJECT_OFFSETOF(FunctionRareData, m_allocationProfile);
</del><ins>+ return OBJECT_OFFSETOF(FunctionRareData, m_objectAllocationProfile);
</ins><span class="cx"> }
</span><span class="cx">
</span><del>- ObjectAllocationProfile* allocationProfile()
</del><ins>+ ObjectAllocationProfile* objectAllocationProfile()
</ins><span class="cx"> {
</span><del>- return &m_allocationProfile;
</del><ins>+ return &m_objectAllocationProfile;
</ins><span class="cx"> }
</span><span class="cx">
</span><del>- Structure* allocationStructure() { return m_allocationProfile.structure(); }
</del><ins>+ Structure* objectAllocationStructure() { return m_objectAllocationProfile.structure(); }
</ins><span class="cx">
</span><span class="cx"> InlineWatchpointSet& allocationProfileWatchpointSet()
</span><span class="cx"> {
</span><del>- return m_allocationProfileWatchpoint;
</del><ins>+ return m_objectAllocationProfileWatchpoint;
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void clear(const char* reason);
</span><span class="cx">
</span><del>- void initialize(VM&, JSObject* prototype, size_t inlineCapacity);
</del><ins>+ void initializeObjectAllocationProfile(VM&, JSObject* prototype, size_t inlineCapacity);
</ins><span class="cx">
</span><del>- bool isInitialized() { return !m_allocationProfile.isNull(); }
</del><ins>+ bool isObjectAllocationProfileInitialized() { return !m_objectAllocationProfile.isNull(); }
</ins><span class="cx">
</span><ins>+ Structure* internalFunctionAllocationStructure() { return m_internalFunctionAllocationProfile.structure(); }
+ Structure* createInternalFunctionAllocationStructureFromBase(VM& vm, JSObject* prototype, Structure* baseStructure)
+ {
+ return m_internalFunctionAllocationProfile.createAllocationStructureFromBase(vm, this, prototype, baseStructure);
+ }
+
</ins><span class="cx"> protected:
</span><span class="cx"> FunctionRareData(VM&);
</span><span class="cx"> ~FunctionRareData();
</span><span class="cx">
</span><del>- void finishCreation(VM&, JSObject* prototype, size_t inlineCapacity);
- using Base::finishCreation;
-
</del><span class="cx"> private:
</span><span class="cx">
</span><span class="cx"> friend class LLIntOffsetsExtractor;
</span><span class="cx">
</span><del>- ObjectAllocationProfile m_allocationProfile;
- InlineWatchpointSet m_allocationProfileWatchpoint;
</del><ins>+ // Ideally, there would only be one allocation profile for subclassing but due to Reflect.construct we
+ // have two. There are some pros and cons in comparison to our current system to using the same profile
+ // for both JS constructors and subclasses of builtin constructors:
+ //
+ // 1) + Uses less memory.
+ // 2) + Conceptually simplier as there is only one profile.
+ // 3) - We would need a check in all JSFunction object creations (both with classes and without) that the
+ // new.target's profiled structure has a JSFinalObject ClassInfo. This is needed, for example, if we have
+ // `Reflect.construct(Array, args, myConstructor)` since myConstructor will be the new.target of Array
+ // the Array constructor will set the allocation profile of myConstructor to hold an Array structure
+ //
+ // We don't really care about 1) since this memory is rare and small in total. 2) is unfortunate but is
+ // probably outweighed by the cost of 3).
+ ObjectAllocationProfile m_objectAllocationProfile;
+ InlineWatchpointSet m_objectAllocationProfileWatchpoint;
+ InternalFunctionAllocationProfile m_internalFunctionAllocationProfile;
</ins><span class="cx"> };
</span><span class="cx">
</span><span class="cx"> } // namespace JSC
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeInternalFunctioncpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/InternalFunction.cpp (194862 => 194863)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/InternalFunction.cpp 2016-01-11 21:28:40 UTC (rev 194862)
+++ trunk/Source/JavaScriptCore/runtime/InternalFunction.cpp 2016-01-11 21:31:04 UTC (rev 194863)
</span><span class="lines">@@ -1,7 +1,7 @@
</span><span class="cx"> /*
</span><span class="cx"> * Copyright (C) 1999-2002 Harri Porten (porten@kde.org)
</span><span class="cx"> * Copyright (C) 2001 Peter Kelly (pmk@post.com)
</span><del>- * Copyright (C) 2004, 2007, 2008 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2004, 2007, 2008, 2016 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * This library is free software; you can redistribute it and/or
</span><span class="cx"> * modify it under the terms of the GNU Library General Public
</span><span class="lines">@@ -78,4 +78,39 @@
</span><span class="cx"> return name(exec);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+Structure* InternalFunction::createSubclassStructure(ExecState* exec, JSValue newTarget, Structure* baseClass)
+{
+
+ VM& vm = exec->vm();
+ // We allow newTarget == JSValue() because the API needs to be able to create classes without having a real JS frame.
+ // Since we don't allow subclassing in the API we just treat newTarget == JSValue() as newTarget == exec->callee()
+ ASSERT(!newTarget || newTarget.isFunction());
+
+ if (newTarget && newTarget != exec->callee()) {
+ // newTarget may be an InternalFunction if we were called from Reflect.construct.
+ JSFunction* targetFunction = jsDynamicCast<JSFunction*>(newTarget);
+
+ if (LIKELY(targetFunction)) {
+ Structure* structure = targetFunction->rareData(vm)->internalFunctionAllocationStructure();
+ if (LIKELY(structure && structure->classInfo() == baseClass->classInfo()))
+ return structure;
+
+ // Note, Reflect.construct might cause the profile to churn but we don't care.
+ JSObject* prototype = jsDynamicCast<JSObject*>(newTarget.get(exec, exec->propertyNames().prototype));
+ if (prototype)
+ return targetFunction->rareData(vm)->createInternalFunctionAllocationStructureFromBase(vm, prototype, baseClass);
+ } else {
+ JSObject* prototype = jsDynamicCast<JSObject*>(newTarget.get(exec, exec->propertyNames().prototype));
+ if (prototype) {
+ // This only happens if someone Reflect.constructs our builtin constructor with another builtin constructor as the new.target.
+ // Thus, we don't care about the cost of looking up the structure from our hash table every time.
+ return vm.prototypeMap.emptyStructureForPrototypeFromBaseStructure(prototype, baseClass);
+ }
+ }
+ }
+
+ return baseClass;
+}
+
+
</ins><span class="cx"> } // namespace JSC
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeInternalFunctionh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/InternalFunction.h (194862 => 194863)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/InternalFunction.h 2016-01-11 21:28:40 UTC (rev 194862)
+++ trunk/Source/JavaScriptCore/runtime/InternalFunction.h 2016-01-11 21:31:04 UTC (rev 194863)
</span><span class="lines">@@ -1,6 +1,6 @@
</span><span class="cx"> /*
</span><span class="cx"> * Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
</span><del>- * Copyright (C) 2003, 2006, 2007, 2008 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2003, 2006, 2007, 2008, 2016 Apple Inc. All rights reserved.
</ins><span class="cx"> * Copyright (C) 2007 Cameron Zwarich (cwzwarich@uwaterloo.ca)
</span><span class="cx"> * Copyright (C) 2007 Maks Orlovich
</span><span class="cx"> *
</span><span class="lines">@@ -47,6 +47,8 @@
</span><span class="cx"> return Structure::create(vm, globalObject, proto, TypeInfo(ObjectType, StructureFlags), info());
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ static Structure* createSubclassStructure(ExecState*, JSValue newTarget, Structure*);
+
</ins><span class="cx"> protected:
</span><span class="cx"> JS_EXPORT_PRIVATE InternalFunction(VM&, Structure*);
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSArrayBufferConstructorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSArrayBufferConstructor.cpp (194862 => 194863)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSArrayBufferConstructor.cpp 2016-01-11 21:28:40 UTC (rev 194862)
+++ trunk/Source/JavaScriptCore/runtime/JSArrayBufferConstructor.cpp 2016-01-11 21:31:04 UTC (rev 194863)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2013 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2013, 2016 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -93,10 +93,10 @@
</span><span class="cx"> RefPtr<ArrayBuffer> buffer = ArrayBuffer::create(length, 1);
</span><span class="cx"> if (!buffer)
</span><span class="cx"> return throwVMError(exec, createOutOfMemoryError(exec));
</span><ins>+
+ Structure* arrayBufferStructure = InternalFunction::createSubclassStructure(exec, exec->newTarget(), constructor->globalObject()->arrayBufferStructure());
+ JSArrayBuffer* result = JSArrayBuffer::create(exec->vm(), arrayBufferStructure, buffer.release());
</ins><span class="cx">
</span><del>- JSArrayBuffer* result = JSArrayBuffer::create(
- exec->vm(), constructor->globalObject()->arrayBufferStructure(), buffer.release());
-
</del><span class="cx"> return JSValue::encode(result);
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSFunctioncpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSFunction.cpp (194862 => 194863)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSFunction.cpp 2016-01-11 21:28:40 UTC (rev 194862)
+++ trunk/Source/JavaScriptCore/runtime/JSFunction.cpp 2016-01-11 21:31:04 UTC (rev 194863)
</span><span class="lines">@@ -1,7 +1,7 @@
</span><span class="cx"> /*
</span><span class="cx"> * Copyright (C) 1999-2002 Harri Porten (porten@kde.org)
</span><span class="cx"> * Copyright (C) 2001 Peter Kelly (pmk@post.com)
</span><del>- * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2015 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2003-2009, 2015-2016 Apple Inc. All rights reserved.
</ins><span class="cx"> * Copyright (C) 2007 Cameron Zwarich (cwzwarich@uwaterloo.ca)
</span><span class="cx"> * Copyright (C) 2007 Maks Orlovich
</span><span class="cx"> * Copyright (C) 2015 Canon Inc. All rights reserved.
</span><span class="lines">@@ -131,6 +131,19 @@
</span><span class="cx"> return function;
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+FunctionRareData* JSFunction::allocateRareData(VM& vm)
+{
+ ASSERT(!m_rareData);
+ FunctionRareData* rareData = FunctionRareData::create(vm);
+
+ // A DFG compilation thread may be trying to read the rare data
+ // We want to ensure that it sees it properly allocated
+ WTF::storeStoreFence();
+
+ m_rareData.set(vm, this, rareData);
+ return m_rareData.get();
+}
+
</ins><span class="cx"> FunctionRareData* JSFunction::allocateAndInitializeRareData(ExecState* exec, size_t inlineCapacity)
</span><span class="cx"> {
</span><span class="cx"> ASSERT(!m_rareData);
</span><span class="lines">@@ -138,7 +151,8 @@
</span><span class="cx"> JSObject* prototype = jsDynamicCast<JSObject*>(get(exec, vm.propertyNames->prototype));
</span><span class="cx"> if (!prototype)
</span><span class="cx"> prototype = globalObject()->objectPrototype();
</span><del>- FunctionRareData* rareData = FunctionRareData::create(vm, prototype, inlineCapacity);
</del><ins>+ FunctionRareData* rareData = FunctionRareData::create(vm);
+ rareData->initializeObjectAllocationProfile(globalObject()->vm(), prototype, inlineCapacity);
</ins><span class="cx">
</span><span class="cx"> // A DFG compilation thread may be trying to read the rare data
</span><span class="cx"> // We want to ensure that it sees it properly allocated
</span><span class="lines">@@ -155,7 +169,7 @@
</span><span class="cx"> JSObject* prototype = jsDynamicCast<JSObject*>(get(exec, vm.propertyNames->prototype));
</span><span class="cx"> if (!prototype)
</span><span class="cx"> prototype = globalObject()->objectPrototype();
</span><del>- m_rareData->initialize(globalObject()->vm(), prototype, inlineCapacity);
</del><ins>+ m_rareData->initializeObjectAllocationProfile(globalObject()->vm(), prototype, inlineCapacity);
</ins><span class="cx"> return m_rareData.get();
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSFunctionh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSFunction.h (194862 => 194863)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSFunction.h 2016-01-11 21:28:40 UTC (rev 194862)
+++ trunk/Source/JavaScriptCore/runtime/JSFunction.h 2016-01-11 21:31:04 UTC (rev 194863)
</span><span class="lines">@@ -1,6 +1,6 @@
</span><span class="cx"> /*
</span><span class="cx"> * Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
</span><del>- * Copyright (C) 2003, 2006, 2007, 2008, 2009, 2015 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2003, 2006-2009, 2015-2016 Apple Inc. All rights reserved.
</ins><span class="cx"> * Copyright (C) 2007 Cameron Zwarich (cwzwarich@uwaterloo.ca)
</span><span class="cx"> * Copyright (C) 2007 Maks Orlovich
</span><span class="cx"> *
</span><span class="lines">@@ -41,6 +41,7 @@
</span><span class="cx"> class NativeExecutable;
</span><span class="cx"> class SourceCode;
</span><span class="cx"> class WebAssemblyExecutable;
</span><ins>+class InternalFunction;
</ins><span class="cx"> namespace DFG {
</span><span class="cx"> class SpeculativeJIT;
</span><span class="cx"> class JITCompiler;
</span><span class="lines">@@ -55,6 +56,7 @@
</span><span class="cx"> friend class DFG::SpeculativeJIT;
</span><span class="cx"> friend class DFG::JITCompiler;
</span><span class="cx"> friend class VM;
</span><ins>+ friend class InternalFunction;
</ins><span class="cx">
</span><span class="cx"> public:
</span><span class="cx"> typedef JSCallee Base;
</span><span class="lines">@@ -115,11 +117,18 @@
</span><span class="cx"> return OBJECT_OFFSETOF(JSFunction, m_rareData);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ FunctionRareData* rareData(VM& vm)
+ {
+ if (UNLIKELY(!m_rareData))
+ return allocateRareData(vm);
+ return m_rareData.get();
+ }
+
</ins><span class="cx"> FunctionRareData* rareData(ExecState* exec, unsigned inlineCapacity)
</span><span class="cx"> {
</span><span class="cx"> if (UNLIKELY(!m_rareData))
</span><span class="cx"> return allocateAndInitializeRareData(exec, inlineCapacity);
</span><del>- if (UNLIKELY(!m_rareData->isInitialized()))
</del><ins>+ if (UNLIKELY(!m_rareData->isObjectAllocationProfileInitialized()))
</ins><span class="cx"> return initializeRareData(exec, inlineCapacity);
</span><span class="cx"> return m_rareData.get();
</span><span class="cx"> }
</span><span class="lines">@@ -152,6 +161,7 @@
</span><span class="cx"> void finishCreation(VM&, NativeExecutable*, int length, const String& name);
</span><span class="cx"> using Base::finishCreation;
</span><span class="cx">
</span><ins>+ FunctionRareData* allocateRareData(VM&);
</ins><span class="cx"> FunctionRareData* allocateAndInitializeRareData(ExecState*, size_t inlineCapacity);
</span><span class="cx"> FunctionRareData* initializeRareData(ExecState*, size_t inlineCapacity);
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSGenericTypedArrayViewConstructorInlinesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewConstructorInlines.h (194862 => 194863)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewConstructorInlines.h 2016-01-11 21:28:40 UTC (rev 194862)
+++ trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewConstructorInlines.h 2016-01-11 21:31:04 UTC (rev 194863)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2013-2015 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2013-2016 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -218,9 +218,7 @@
</span><span class="cx"> template<typename ViewClass>
</span><span class="cx"> static EncodedJSValue JSC_HOST_CALL constructGenericTypedArrayView(ExecState* exec)
</span><span class="cx"> {
</span><del>- Structure* structure =
- asInternalFunction(exec->callee())->globalObject()->typedArrayStructure(
- ViewClass::TypedArrayStorageType);
</del><ins>+ Structure* structure = InternalFunction::createSubclassStructure(exec, exec->newTarget(), asInternalFunction(exec->callee())->globalObject()->typedArrayStructure(ViewClass::TypedArrayStorageType));
</ins><span class="cx">
</span><span class="cx"> size_t argCount = exec->argumentCount();
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSObjecth"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSObject.h (194862 => 194863)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSObject.h 2016-01-11 21:28:40 UTC (rev 194862)
+++ trunk/Source/JavaScriptCore/runtime/JSObject.h 2016-01-11 21:31:04 UTC (rev 194863)
</span><span class="lines">@@ -1,7 +1,7 @@
</span><span class="cx"> /*
</span><span class="cx"> * Copyright (C) 1999-2001 Harri Porten (porten@kde.org)
</span><span class="cx"> * Copyright (C) 2001 Peter Kelly (pmk@post.com)
</span><del>- * Copyright (C) 2003-2009, 2012-2015 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2003-2009, 2012-2016 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * This library is free software; you can redistribute it and/or
</span><span class="cx"> * modify it under the terms of the GNU Library General Public
</span><span class="lines">@@ -936,6 +936,9 @@
</span><span class="cx"> {
</span><span class="cx"> return sizeof(JSObject) + inlineCapacity * sizeof(WriteBarrierBase<Unknown>);
</span><span class="cx"> }
</span><ins>+
+ static inline const TypeInfo typeInfo() { return TypeInfo(FinalObjectType, StructureFlags); }
+ static const IndexingType defaultIndexingType = NonArray;
</ins><span class="cx">
</span><span class="cx"> static const unsigned defaultSize = 64;
</span><span class="cx"> static inline unsigned defaultInlineCapacity()
</span><span class="lines">@@ -953,7 +956,7 @@
</span><span class="cx"> static JSFinalObject* create(VM&, Structure*);
</span><span class="cx"> static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype, unsigned inlineCapacity)
</span><span class="cx"> {
</span><del>- return Structure::create(vm, globalObject, prototype, TypeInfo(FinalObjectType, StructureFlags), info(), NonArray, inlineCapacity);
</del><ins>+ return Structure::create(vm, globalObject, prototype, typeInfo(), info(), defaultIndexingType, inlineCapacity);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> JS_EXPORT_PRIVATE static void visitChildren(JSCell*, SlotVisitor&);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSPromiseConstructorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSPromiseConstructor.cpp (194862 => 194863)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSPromiseConstructor.cpp 2016-01-11 21:28:40 UTC (rev 194862)
+++ trunk/Source/JavaScriptCore/runtime/JSPromiseConstructor.cpp 2016-01-11 21:31:04 UTC (rev 194863)
</span><span class="lines">@@ -101,11 +101,8 @@
</span><span class="cx"> if (newTarget.isUndefined())
</span><span class="cx"> return throwVMTypeError(exec);
</span><span class="cx">
</span><del>- JSPromise* promise = JSPromise::create(vm, globalObject->promiseStructure());
- if (!jsDynamicCast<JSPromiseConstructor*>(newTarget)) {
- JSValue proto = asObject(newTarget)->getDirect(vm, vm.propertyNames->prototype);
- asObject(promise)->setPrototypeWithCycleCheck(exec, proto);
- }
</del><ins>+ Structure* promiseStructure = InternalFunction::createSubclassStructure(exec, exec->newTarget(), globalObject->promiseStructure());
+ JSPromise* promise = JSPromise::create(vm, promiseStructure);
</ins><span class="cx"> promise->initialize(exec, globalObject, exec->argument(0));
</span><span class="cx">
</span><span class="cx"> return JSValue::encode(promise);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSPromiseConstructorh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSPromiseConstructor.h (194862 => 194863)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSPromiseConstructor.h 2016-01-11 21:28:40 UTC (rev 194862)
+++ trunk/Source/JavaScriptCore/runtime/JSPromiseConstructor.h 2016-01-11 21:31:04 UTC (rev 194863)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2013 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2013, 2016 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSWeakMapcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSWeakMap.cpp (194862 => 194863)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSWeakMap.cpp 2016-01-11 21:28:40 UTC (rev 194862)
+++ trunk/Source/JavaScriptCore/runtime/JSWeakMap.cpp 2016-01-11 21:31:04 UTC (rev 194863)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2013 Apple, Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2013, 2016 Apple, Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSWeakSetcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSWeakSet.cpp (194862 => 194863)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSWeakSet.cpp 2016-01-11 21:28:40 UTC (rev 194862)
+++ trunk/Source/JavaScriptCore/runtime/JSWeakSet.cpp 2016-01-11 21:31:04 UTC (rev 194863)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2015 Apple, Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2015-2016 Apple, Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeMapConstructorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/MapConstructor.cpp (194862 => 194863)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/MapConstructor.cpp 2016-01-11 21:28:40 UTC (rev 194862)
+++ trunk/Source/JavaScriptCore/runtime/MapConstructor.cpp 2016-01-11 21:31:04 UTC (rev 194863)
</span><span class="lines">@@ -53,14 +53,8 @@
</span><span class="cx">
</span><span class="cx"> static EncodedJSValue JSC_HOST_CALL constructMap(ExecState* exec)
</span><span class="cx"> {
</span><del>- JSValue prototype = JSValue();
- JSValue newTarget = exec->newTarget();
-
- if (newTarget != exec->callee())
- prototype = newTarget.get(exec, exec->propertyNames().prototype);
-
</del><span class="cx"> JSGlobalObject* globalObject = asInternalFunction(exec->callee())->globalObject();
</span><del>- Structure* mapStructure = Structure::createSubclassStructure(exec->vm(), globalObject->mapStructure(), prototype);
</del><ins>+ Structure* mapStructure = InternalFunction::createSubclassStructure(exec, exec->newTarget(), globalObject->mapStructure());
</ins><span class="cx"> JSMap* map = JSMap::create(exec, mapStructure);
</span><span class="cx"> JSValue iterable = exec->argument(0);
</span><span class="cx"> if (iterable.isUndefinedOrNull())
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeNativeErrorConstructorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/NativeErrorConstructor.cpp (194862 => 194863)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/NativeErrorConstructor.cpp 2016-01-11 21:28:40 UTC (rev 194862)
+++ trunk/Source/JavaScriptCore/runtime/NativeErrorConstructor.cpp 2016-01-11 21:31:04 UTC (rev 194863)
</span><span class="lines">@@ -1,6 +1,6 @@
</span><span class="cx"> /*
</span><span class="cx"> * Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
</span><del>- * Copyright (C) 2003, 2008 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2003, 2008, 2016 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * This library is free software; you can redistribute it and/or
</span><span class="cx"> * modify it under the terms of the GNU Lesser General Public
</span><span class="lines">@@ -63,7 +63,7 @@
</span><span class="cx"> EncodedJSValue JSC_HOST_CALL Interpreter::constructWithNativeErrorConstructor(ExecState* exec)
</span><span class="cx"> {
</span><span class="cx"> JSValue message = exec->argument(0);
</span><del>- Structure* errorStructure = static_cast<NativeErrorConstructor*>(exec->callee())->errorStructure();
</del><ins>+ Structure* errorStructure = InternalFunction::createSubclassStructure(exec, exec->newTarget(), jsCast<NativeErrorConstructor*>(exec->callee())->errorStructure());
</ins><span class="cx"> ASSERT(errorStructure);
</span><span class="cx"> return JSValue::encode(ErrorInstance::create(exec, errorStructure, message, nullptr, TypeNothing, false));
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeNumberConstructorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/NumberConstructor.cpp (194862 => 194863)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/NumberConstructor.cpp 2016-01-11 21:28:40 UTC (rev 194862)
+++ trunk/Source/JavaScriptCore/runtime/NumberConstructor.cpp 2016-01-11 21:31:04 UTC (rev 194863)
</span><span class="lines">@@ -81,14 +81,8 @@
</span><span class="cx"> static EncodedJSValue JSC_HOST_CALL constructWithNumberConstructor(ExecState* exec)
</span><span class="cx"> {
</span><span class="cx"> double n = exec->argumentCount() ? exec->uncheckedArgument(0).toNumber(exec) : 0;
</span><ins>+ NumberObject* object = NumberObject::create(exec->vm(), InternalFunction::createSubclassStructure(exec, exec->newTarget(), asInternalFunction(exec->callee())->globalObject()->numberObjectStructure()));
</ins><span class="cx">
</span><del>- JSValue prototype = JSValue();
- JSValue newTarget = exec->newTarget();
- if (newTarget != exec->callee())
- prototype = newTarget.get(exec, exec->propertyNames().prototype);
-
- NumberObject* object = NumberObject::create(exec->vm(), Structure::createSubclassStructure(exec->vm(), asInternalFunction(exec->callee())->globalObject()->numberObjectStructure(), prototype));
-
</del><span class="cx"> object->setInternalValue(exec->vm(), jsNumber(n));
</span><span class="cx"> return JSValue::encode(object);
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimePrototypeMapcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/PrototypeMap.cpp (194862 => 194863)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/PrototypeMap.cpp 2016-01-11 21:28:40 UTC (rev 194862)
+++ trunk/Source/JavaScriptCore/runtime/PrototypeMap.cpp 2016-01-11 21:31:04 UTC (rev 194863)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2013 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2013, 2016 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -26,6 +26,7 @@
</span><span class="cx"> #include "config.h"
</span><span class="cx"> #include "PrototypeMap.h"
</span><span class="cx">
</span><ins>+#include "IndexingType.h"
</ins><span class="cx"> #include "JSGlobalObject.h"
</span><span class="cx"> #include "JSCInlines.h"
</span><span class="cx">
</span><span class="lines">@@ -52,24 +53,35 @@
</span><span class="cx"> // used as a prototype.
</span><span class="cx"> }
</span><span class="cx">
</span><del>-Structure* PrototypeMap::emptyObjectStructureForPrototype(JSObject* prototype, unsigned inlineCapacity)
</del><ins>+inline Structure* PrototypeMap::createEmptyStructure(JSObject* prototype, const TypeInfo& typeInfo, const ClassInfo* classInfo, IndexingType indexingType, unsigned inlineCapacity)
</ins><span class="cx"> {
</span><del>- auto key = std::make_pair(prototype, inlineCapacity);
</del><ins>+ auto key = std::make_pair(prototype, std::make_pair(inlineCapacity, classInfo));
</ins><span class="cx"> if (Structure* structure = m_structures.get(key)) {
</span><span class="cx"> ASSERT(isPrototype(prototype));
</span><span class="cx"> return structure;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> addPrototype(prototype);
</span><del>- Structure* structure = JSFinalObject::createStructure(
- prototype->globalObject()->vm(), prototype->globalObject(), prototype, inlineCapacity);
</del><ins>+ Structure* structure = Structure::create(
+ prototype->globalObject()->vm(), prototype->globalObject(), prototype, typeInfo, classInfo, indexingType, inlineCapacity);
</ins><span class="cx"> m_structures.set(key, Weak<Structure>(structure));
</span><span class="cx"> return structure;
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+Structure* PrototypeMap::emptyStructureForPrototypeFromBaseStructure(JSObject* prototype, Structure* baseStructure)
+{
+ // We currently do not have inline capacity static analysis for subclasses and all internal function constructors have a default inline capacity of 0.
+ return createEmptyStructure(prototype, baseStructure->typeInfo(), baseStructure->classInfo(), baseStructure->indexingType(), 0);
+}
+
+Structure* PrototypeMap::emptyObjectStructureForPrototype(JSObject* prototype, unsigned inlineCapacity)
+{
+ return createEmptyStructure(prototype, JSFinalObject::typeInfo(), JSFinalObject::info(), JSFinalObject::defaultIndexingType, inlineCapacity);
+}
+
</ins><span class="cx"> void PrototypeMap::clearEmptyObjectStructureForPrototype(JSObject* object, unsigned inlineCapacity)
</span><span class="cx"> {
</span><del>- m_structures.remove(std::make_pair(object, inlineCapacity));
</del><ins>+ m_structures.remove(std::make_pair(object, std::make_pair(inlineCapacity, JSFinalObject::info())));
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> } // namespace JSC
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimePrototypeMaph"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/PrototypeMap.h (194862 => 194863)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/PrototypeMap.h 2016-01-11 21:28:40 UTC (rev 194862)
+++ trunk/Source/JavaScriptCore/runtime/PrototypeMap.h 2016-01-11 21:31:04 UTC (rev 194863)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2013 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2013, 2016 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -45,13 +45,16 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> JS_EXPORT_PRIVATE Structure* emptyObjectStructureForPrototype(JSObject*, unsigned inlineCapacity);
</span><ins>+ JS_EXPORT_PRIVATE Structure* emptyStructureForPrototypeFromBaseStructure(JSObject*, Structure*);
</ins><span class="cx"> void clearEmptyObjectStructureForPrototype(JSObject*, unsigned inlineCapacity);
</span><span class="cx"> JS_EXPORT_PRIVATE void addPrototype(JSObject*);
</span><span class="cx"> TriState isPrototype(JSObject*) const; // Returns a conservative estimate.
</span><span class="cx">
</span><span class="cx"> private:
</span><ins>+ Structure* createEmptyStructure(JSObject* prototype, const TypeInfo&, const ClassInfo*, IndexingType, unsigned inlineCapacity);
+
</ins><span class="cx"> WeakGCMap<JSObject*, JSObject> m_prototypes;
</span><del>- typedef WeakGCMap<std::pair<JSObject*, unsigned>, Structure> StructureMap;
</del><ins>+ typedef WeakGCMap<std::pair<JSObject*, std::pair<unsigned, const ClassInfo*>>, Structure> StructureMap;
</ins><span class="cx"> StructureMap m_structures;
</span><span class="cx"> };
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeRegExpConstructorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/RegExpConstructor.cpp (194862 => 194863)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/RegExpConstructor.cpp 2016-01-11 21:28:40 UTC (rev 194862)
+++ trunk/Source/JavaScriptCore/runtime/RegExpConstructor.cpp 2016-01-11 21:31:04 UTC (rev 194863)
</span><span class="lines">@@ -243,18 +243,17 @@
</span><span class="cx"> constructor->setMultiline(JSValue::decode(value).toBoolean(exec));
</span><span class="cx"> }
</span><span class="cx">
</span><del>-inline Structure* getRegExpStructure(ExecState* exec, JSGlobalObject* globalObject, bool callAsConstructor)
</del><ins>+inline Structure* getRegExpStructure(ExecState* exec, JSGlobalObject* globalObject, JSValue newTarget)
</ins><span class="cx"> {
</span><span class="cx"> Structure* structure = globalObject->regExpStructure();
</span><del>- if (callAsConstructor && exec->newTarget() != exec->callee()) {
- JSValue prototype = exec->newTarget().get(exec, exec->propertyNames().prototype);
- structure = Structure::createSubclassStructure(exec->vm(), structure, prototype);
</del><ins>+ if (newTarget != jsUndefined()) {
+ structure = InternalFunction::createSubclassStructure(exec, newTarget, structure);
</ins><span class="cx"> }
</span><span class="cx"> return structure;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> // ECMA 15.10.4
</span><del>-JSObject* constructRegExp(ExecState* exec, JSGlobalObject* globalObject, const ArgList& args, bool callAsConstructor)
</del><ins>+JSObject* constructRegExp(ExecState* exec, JSGlobalObject* globalObject, const ArgList& args, JSValue newTarget)
</ins><span class="cx"> {
</span><span class="cx"> JSValue arg0 = args.at(0);
</span><span class="cx"> JSValue arg1 = args.at(1);
</span><span class="lines">@@ -263,10 +262,10 @@
</span><span class="cx"> if (!arg1.isUndefined())
</span><span class="cx"> return exec->vm().throwException(exec, createTypeError(exec, ASCIILiteral("Cannot supply flags when constructing one RegExp from another.")));
</span><span class="cx"> // If called as a function, this just returns the first argument (see 15.10.3.1).
</span><del>- if (callAsConstructor) {
</del><ins>+ if (newTarget != jsUndefined()) {
</ins><span class="cx"> RegExp* regExp = static_cast<RegExpObject*>(asObject(arg0))->regExp();
</span><span class="cx">
</span><del>- return RegExpObject::create(exec->vm(), getRegExpStructure(exec, globalObject, callAsConstructor), regExp);
</del><ins>+ return RegExpObject::create(exec->vm(), getRegExpStructure(exec, globalObject, newTarget), regExp);
</ins><span class="cx"> }
</span><span class="cx"> return asObject(arg0);
</span><span class="cx"> }
</span><span class="lines">@@ -289,13 +288,13 @@
</span><span class="cx"> if (!regExp->isValid())
</span><span class="cx"> return vm.throwException(exec, createSyntaxError(exec, regExp->errorMessage()));
</span><span class="cx">
</span><del>- return RegExpObject::create(vm, getRegExpStructure(exec, globalObject, callAsConstructor), regExp);
</del><ins>+ return RegExpObject::create(vm, getRegExpStructure(exec, globalObject, newTarget), regExp);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> static EncodedJSValue JSC_HOST_CALL constructWithRegExpConstructor(ExecState* exec)
</span><span class="cx"> {
</span><span class="cx"> ArgList args(exec);
</span><del>- return JSValue::encode(constructRegExp(exec, asInternalFunction(exec->callee())->globalObject(), args, true));
</del><ins>+ return JSValue::encode(constructRegExp(exec, asInternalFunction(exec->callee())->globalObject(), args, exec->newTarget()));
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> ConstructType RegExpConstructor::getConstructData(JSCell*, ConstructData& constructData)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeRegExpConstructorh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/RegExpConstructor.h (194862 => 194863)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/RegExpConstructor.h 2016-01-11 21:28:40 UTC (rev 194862)
+++ trunk/Source/JavaScriptCore/runtime/RegExpConstructor.h 2016-01-11 21:31:04 UTC (rev 194863)
</span><span class="lines">@@ -83,7 +83,7 @@
</span><span class="cx">
</span><span class="cx"> RegExpConstructor* asRegExpConstructor(JSValue);
</span><span class="cx">
</span><del>-JSObject* constructRegExp(ExecState*, JSGlobalObject*, const ArgList&, bool callAsConstructor = false);
</del><ins>+JSObject* constructRegExp(ExecState*, JSGlobalObject*, const ArgList&, JSValue newTarget = jsUndefined());
</ins><span class="cx">
</span><span class="cx"> inline RegExpConstructor* asRegExpConstructor(JSValue value)
</span><span class="cx"> {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeSetConstructorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/SetConstructor.cpp (194862 => 194863)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/SetConstructor.cpp 2016-01-11 21:28:40 UTC (rev 194862)
+++ trunk/Source/JavaScriptCore/runtime/SetConstructor.cpp 2016-01-11 21:31:04 UTC (rev 194863)
</span><span class="lines">@@ -54,14 +54,8 @@
</span><span class="cx">
</span><span class="cx"> static EncodedJSValue JSC_HOST_CALL constructSet(ExecState* exec)
</span><span class="cx"> {
</span><del>- JSValue prototype = JSValue();
- JSValue newTarget = exec->newTarget();
-
- if (newTarget != exec->callee())
- prototype = newTarget.get(exec, exec->propertyNames().prototype);
-
</del><span class="cx"> JSGlobalObject* globalObject = asInternalFunction(exec->callee())->globalObject();
</span><del>- Structure* setStructure = Structure::createSubclassStructure(exec->vm(), globalObject->setStructure(), prototype);
</del><ins>+ Structure* setStructure = InternalFunction::createSubclassStructure(exec, exec->newTarget(), globalObject->setStructure());
</ins><span class="cx"> JSSet* set = JSSet::create(exec, setStructure);
</span><span class="cx"> JSValue iterable = exec->argument(0);
</span><span class="cx"> if (iterable.isUndefinedOrNull())
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeWeakMapConstructorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/WeakMapConstructor.cpp (194862 => 194863)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/WeakMapConstructor.cpp 2016-01-11 21:28:40 UTC (rev 194862)
+++ trunk/Source/JavaScriptCore/runtime/WeakMapConstructor.cpp 2016-01-11 21:31:04 UTC (rev 194863)
</span><span class="lines">@@ -54,7 +54,7 @@
</span><span class="cx"> static EncodedJSValue JSC_HOST_CALL constructWeakMap(ExecState* exec)
</span><span class="cx"> {
</span><span class="cx"> JSGlobalObject* globalObject = asInternalFunction(exec->callee())->globalObject();
</span><del>- Structure* weakMapStructure = globalObject->weakMapStructure();
</del><ins>+ Structure* weakMapStructure = InternalFunction::createSubclassStructure(exec, exec->newTarget(), globalObject->weakMapStructure());
</ins><span class="cx"> JSWeakMap* weakMap = JSWeakMap::create(exec, weakMapStructure);
</span><span class="cx"> JSValue iterable = exec->argument(0);
</span><span class="cx"> if (iterable.isUndefinedOrNull())
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeWeakSetConstructorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/WeakSetConstructor.cpp (194862 => 194863)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/WeakSetConstructor.cpp 2016-01-11 21:28:40 UTC (rev 194862)
+++ trunk/Source/JavaScriptCore/runtime/WeakSetConstructor.cpp 2016-01-11 21:31:04 UTC (rev 194863)
</span><span class="lines">@@ -54,7 +54,7 @@
</span><span class="cx"> static EncodedJSValue JSC_HOST_CALL constructWeakSet(ExecState* exec)
</span><span class="cx"> {
</span><span class="cx"> JSGlobalObject* globalObject = asInternalFunction(exec->callee())->globalObject();
</span><del>- Structure* weakSetStructure = globalObject->weakSetStructure();
</del><ins>+ Structure* weakSetStructure = InternalFunction::createSubclassStructure(exec, exec->newTarget(), globalObject->weakSetStructure());
</ins><span class="cx"> JSWeakSet* weakSet = JSWeakSet::create(exec, weakSetStructure);
</span><span class="cx"> JSValue iterable = exec->argument(0);
</span><span class="cx"> if (iterable.isUndefinedOrNull())
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoretestsstressclasssubclassingmiscjs"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/tests/stress/class-subclassing-misc.js (194862 => 194863)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/tests/stress/class-subclassing-misc.js 2016-01-11 21:28:40 UTC (rev 194862)
+++ trunk/Source/JavaScriptCore/tests/stress/class-subclassing-misc.js 2016-01-11 21:31:04 UTC (rev 194863)
</span><span class="lines">@@ -1,17 +1,34 @@
</span><span class="cx"> // This file tests subclassing various misc constructors.
</span><span class="cx">
</span><ins>+class A extends ArrayBuffer { }
</ins><span class="cx"> class B extends Boolean { }
</span><ins>+class D extends Date { }
+class E extends Error { }
</ins><span class="cx"> class N extends Number { }
</span><span class="cx"> class M extends Map { }
</span><span class="cx"> class R extends RegExp { }
</span><span class="cx"> class S extends Set { }
</span><ins>+class WM extends WeakMap { }
+class WS extends WeakSet { }
</ins><span class="cx">
</span><span class="cx"> function test() {
</span><span class="cx">
</span><ins>+ a = new A(10);
+ if (!(a instanceof ArrayBuffer && a instanceof A))
+ throw "a has incorrect prototype chain";
+
</ins><span class="cx"> b = new B(true);
</span><span class="cx"> if (!(b instanceof Boolean && b instanceof B))
</span><span class="cx"> throw "b has incorrect prototype chain";
</span><del>-
</del><ins>+
+ d = new D();
+ if (!(d instanceof Date && d instanceof D))
+ throw "d has incorrect prototype chain";
+
+ e = new E();
+ if (!(e instanceof Error && e instanceof E))
+ throw "e has incorrect prototype chain";
+
</ins><span class="cx"> n = new N(10);
</span><span class="cx"> if (!(n instanceof Number && n instanceof N))
</span><span class="cx"> throw "n has incorrect prototype chain";
</span><span class="lines">@@ -27,6 +44,14 @@
</span><span class="cx"> s = new S();
</span><span class="cx"> if (!(s instanceof Set && s instanceof S))
</span><span class="cx"> throw "s has incorrect prototype chain";
</span><ins>+
+ wm = new WM();
+ if (!(wm instanceof WeakMap && wm instanceof WM))
+ throw "wm has incorrect prototype chain";
+
+ ws = new WS();
+ if (!(ws instanceof WeakSet && ws instanceof WS))
+ throw "ws has incorrect prototype chain";
</ins><span class="cx"> }
</span><span class="cx"> noInline(test);
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoretestsstressclasssubclassingtypedarrayjs"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/tests/stress/class-subclassing-typedarray.js (0 => 194863)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/tests/stress/class-subclassing-typedarray.js (rev 0)
+++ trunk/Source/JavaScriptCore/tests/stress/class-subclassing-typedarray.js 2016-01-11 21:31:04 UTC (rev 194863)
</span><span class="lines">@@ -0,0 +1,19 @@
</span><ins>+"use strict";
+
+let typedArrays = [Int8Array, Uint8Array, Uint8ClampedArray, Int16Array, Uint16Array, Int32Array, Uint32Array, Float32Array, Float64Array];
+
+let subclasses = typedArrays.map(constructor => class extends constructor { });
+
+function checkSubclass(constructor) {
+ let inst = new constructor(10);
+ inst[11] = 10;
+ if (!(inst instanceof constructor && inst instanceof constructor.__proto__ && inst[11] === undefined))
+ throw "subclass of " + constructor.__proto__ + " was incorrect";
+}
+
+function test() {
+ subclasses.forEach(checkSubclass);
+}
+
+for (var i = 0; i < 10000; i++)
+ test();
</ins></span></pre>
</div>
</div>
</body>
</html>