<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[204912] trunk</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/204912">204912</a></dd>
<dt>Author</dt> <dd>fpizlo@apple.com</dd>
<dt>Date</dt> <dd>2016-08-24 12:00:37 -0700 (Wed, 24 Aug 2016)</dd>
</dl>

<h3>Log Message</h3>
<pre>Unreviewed, roll out <a href="http://trac.webkit.org/projects/webkit/changeset/204901">r204901</a>, <a href="http://trac.webkit.org/projects/webkit/changeset/204897">r204897</a>, <a href="http://trac.webkit.org/projects/webkit/changeset/204866">r204866</a>, <a href="http://trac.webkit.org/projects/webkit/changeset/204856">r204856</a>, <a href="http://trac.webkit.org/projects/webkit/changeset/204854">r204854</a>.

JSTests:

* stress/array-storage-array-unshift.js: Removed.
* stress/contiguous-array-unshift.js: Removed.
* stress/double-array-unshift.js: Removed.
* stress/int32-array-unshift.js: Removed.

Source/bmalloc:

* bmalloc/Allocator.cpp:
(bmalloc::Allocator::allocate):
(bmalloc::Allocator::tryAllocate): Deleted.
(bmalloc::Allocator::allocateImpl): Deleted.
* bmalloc/Allocator.h:
* bmalloc/Cache.h:
(bmalloc::Cache::tryAllocate): Deleted.
* bmalloc/bmalloc.h:
(bmalloc::api::tryMemalign): Deleted.

Source/JavaScriptCore:

* API/JSTypedArray.cpp:
* API/ObjCCallbackFunction.mm:
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* Scripts/builtins/builtins_generate_combined_implementation.py:
(BuiltinsCombinedImplementationGenerator.generate_secondary_header_includes):
* Scripts/builtins/builtins_generate_internals_wrapper_implementation.py:
(BuiltinsInternalsWrapperImplementationGenerator.generate_secondary_header_includes):
* Scripts/builtins/builtins_generate_separate_implementation.py:
(BuiltinsSeparateImplementationGenerator.generate_secondary_header_includes):
* assembler/AbstractMacroAssembler.h:
(JSC::AbstractMacroAssembler::JumpList::link):
(JSC::AbstractMacroAssembler::JumpList::linkTo):
* assembler/MacroAssembler.h:
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::add32):
* assembler/MacroAssemblerCodeRef.cpp: Removed.
* assembler/MacroAssemblerCodeRef.h:
(JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
(JSC::MacroAssemblerCodePtr::dumpWithName):
(JSC::MacroAssemblerCodePtr::dump):
(JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
(JSC::MacroAssemblerCodeRef::dump):
* b3/B3BasicBlock.cpp:
(JSC::B3::BasicBlock::appendBoolConstant): Deleted.
* b3/B3BasicBlock.h:
* b3/B3DuplicateTails.cpp:
* b3/B3StackmapGenerationParams.h:
* b3/testb3.cpp:
(JSC::B3::run):
(JSC::B3::testPatchpointTerminalReturnValue): Deleted.
* bindings/ScriptValue.cpp:
* bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
* bytecode/BytecodeBasicBlock.cpp:
* bytecode/BytecodeLivenessAnalysis.cpp:
* bytecode/BytecodeUseDef.h:
* bytecode/CallLinkInfo.cpp:
(JSC::CallLinkInfo::callTypeFor): Deleted.
* bytecode/CallLinkInfo.h:
(JSC::CallLinkInfo::callTypeFor):
* bytecode/CallLinkStatus.cpp:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::finishCreation):
(JSC::CodeBlock::clearLLIntGetByIdCache): Deleted.
* bytecode/CodeBlock.h:
(JSC::CodeBlock::jitCodeMap):
(JSC::clearLLIntGetByIdCache):
* bytecode/Instruction.h:
* bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
(JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
* bytecode/ObjectAllocationProfile.h:
(JSC::ObjectAllocationProfile::isNull):
(JSC::ObjectAllocationProfile::initialize):
* bytecode/Opcode.h:
(JSC::padOpcodeName):
* bytecode/PolymorphicAccess.cpp:
(JSC::AccessCase::generateImpl):
(JSC::PolymorphicAccess::regenerate):
* bytecode/PolymorphicAccess.h:
* bytecode/PreciseJumpTargets.cpp:
* bytecode/StructureStubInfo.cpp:
* bytecode/StructureStubInfo.h:
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedCodeBlock::vm):
* bytecode/UnlinkedCodeBlock.h:
* bytecode/UnlinkedInstructionStream.cpp:
* bytecode/UnlinkedInstructionStream.h:
* dfg/DFGOperations.cpp:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
(JSC::DFG::SpeculativeJIT::compileMakeRope):
(JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
(JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
(JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
(JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
(JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
* dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLCompile.cpp:
* ftl/FTLJITFinalizer.cpp:
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
(JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
(JSC::FTL::DFG::LowerDFGToB3::compileAllocateArrayWithSize):
(JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
(JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
(JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
(JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
(JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
(JSC::FTL::DFG::LowerDFGToB3::allocateCell):
(JSC::FTL::DFG::LowerDFGToB3::allocateObject):
(JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
(JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
(JSC::FTL::DFG::LowerDFGToB3::allocateArrayWithSize): Deleted.
(JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell): Deleted.
(JSC::FTL::DFG::LowerDFGToB3::allocatorForSize): Deleted.
* ftl/FTLOutput.cpp:
(JSC::FTL::Output::constBool):
(JSC::FTL::Output::add):
(JSC::FTL::Output::shl):
(JSC::FTL::Output::aShr):
(JSC::FTL::Output::lShr):
(JSC::FTL::Output::zeroExt):
(JSC::FTL::Output::equal):
(JSC::FTL::Output::notEqual):
(JSC::FTL::Output::above):
(JSC::FTL::Output::aboveOrEqual):
(JSC::FTL::Output::below):
(JSC::FTL::Output::belowOrEqual):
(JSC::FTL::Output::greaterThan):
(JSC::FTL::Output::greaterThanOrEqual):
(JSC::FTL::Output::lessThan):
(JSC::FTL::Output::lessThanOrEqual):
(JSC::FTL::Output::select):
(JSC::FTL::Output::addIncomingToPhi):
(JSC::FTL::Output::appendSuccessor): Deleted.
* ftl/FTLOutput.h:
* ftl/FTLValueFromBlock.h:
(JSC::FTL::ValueFromBlock::ValueFromBlock):
(JSC::FTL::ValueFromBlock::operator bool): Deleted.
* ftl/FTLWeightedTarget.h:
(JSC::FTL::WeightedTarget::frequentedBlock): Deleted.
* heap/CellContainer.h: Removed.
* heap/CellContainerInlines.h: Removed.
* heap/ConservativeRoots.cpp:
(JSC::ConservativeRoots::ConservativeRoots):
(JSC::ConservativeRoots::~ConservativeRoots):
(JSC::ConservativeRoots::grow):
(JSC::ConservativeRoots::genericAddPointer):
(JSC::ConservativeRoots::genericAddSpan):
* heap/ConservativeRoots.h:
(JSC::ConservativeRoots::roots):
* heap/CopyToken.h:
* heap/FreeList.cpp: Removed.
* heap/FreeList.h: Removed.
* heap/Heap.cpp:
(JSC::Heap::Heap):
(JSC::Heap::lastChanceToFinalize):
(JSC::Heap::finalizeUnconditionalFinalizers):
(JSC::Heap::markRoots):
(JSC::Heap::copyBackingStores):
(JSC::Heap::gatherStackRoots):
(JSC::Heap::gatherJSStackRoots):
(JSC::Heap::gatherScratchBufferRoots):
(JSC::Heap::clearLivenessData):
(JSC::Heap::visitSmallStrings):
(JSC::Heap::visitConservativeRoots):
(JSC::Heap::removeDeadCompilerWorklistEntries):
(JSC::Heap::gatherExtraHeapSnapshotData):
(JSC::Heap::removeDeadHeapSnapshotNodes):
(JSC::Heap::visitProtectedObjects):
(JSC::Heap::visitArgumentBuffers):
(JSC::Heap::visitException):
(JSC::Heap::visitStrongHandles):
(JSC::Heap::visitHandleStack):
(JSC::Heap::visitSamplingProfiler):
(JSC::Heap::traceCodeBlocksAndJITStubRoutines):
(JSC::Heap::converge):
(JSC::Heap::visitWeakHandles):
(JSC::Heap::updateObjectCounts):
(JSC::Heap::clearUnmarkedExecutables):
(JSC::Heap::deleteUnmarkedCompiledCode):
(JSC::Heap::collectAllGarbage):
(JSC::Heap::collect):
(JSC::Heap::collectImpl):
(JSC::Heap::suspendCompilerThreads):
(JSC::Heap::willStartCollection):
(JSC::Heap::flushOldStructureIDTables):
(JSC::Heap::flushWriteBarrierBuffer):
(JSC::Heap::stopAllocation):
(JSC::Heap::reapWeakHandles):
(JSC::Heap::pruneStaleEntriesFromWeakGCMaps):
(JSC::Heap::sweepArrayBuffers):
(JSC::Heap::snapshotMarkedSpace):
(JSC::Heap::deleteSourceProviderCaches):
(JSC::Heap::notifyIncrementalSweeper):
(JSC::Heap::writeBarrierCurrentlyExecutingCodeBlocks):
(JSC::Heap::resetAllocators):
(JSC::Heap::updateAllocationLimits):
(JSC::Heap::didFinishCollection):
(JSC::Heap::resumeCompilerThreads):
(JSC::Zombify::visit):
(JSC::Heap::collectWithoutAnySweep): Deleted.
(JSC::Heap::prepareForMarking): Deleted.
(JSC::Heap::forEachCodeBlockImpl): Deleted.
* heap/Heap.h:
(JSC::Heap::allocatorForObjectWithoutDestructor):
(JSC::Heap::allocatorForObjectWithDestructor):
(JSC::Heap::storageAllocator):
(JSC::Heap::jitStubRoutines):
(JSC::Heap::codeBlockSet):
(JSC::Heap::allocatorForAuxiliaryData): Deleted.
* heap/HeapCell.h:
(JSC::HeapCell::isZapped):
* heap/HeapCellInlines.h: Removed.
* heap/HeapInlines.h:
(JSC::Heap::heap):
(JSC::Heap::isLive):
(JSC::Heap::isMarked):
(JSC::Heap::testAndSetMarked):
(JSC::Heap::setMarked):
(JSC::Heap::forEachCodeBlock):
(JSC::Heap::allocateObjectOfType):
(JSC::Heap::subspaceForObjectOfType):
(JSC::Heap::allocatorForObjectOfType):
(JSC::Heap::isPointerGCObject):
(JSC::Heap::isValueGCObject):
(JSC::Heap::cellSize): Deleted.
(JSC::Heap::allocateAuxiliary): Deleted.
(JSC::Heap::tryAllocateAuxiliary): Deleted.
(JSC::Heap::tryReallocateAuxiliary): Deleted.
* heap/HeapUtil.h: Removed.
* heap/LargeAllocation.cpp: Removed.
* heap/LargeAllocation.h: Removed.
* heap/MarkedAllocator.cpp:
(JSC::MarkedAllocator::retire):
(JSC::MarkedAllocator::tryAllocateHelper):
(JSC::MarkedAllocator::tryPopFreeList):
(JSC::MarkedAllocator::tryAllocate):
(JSC::MarkedAllocator::allocateSlowCase):
(JSC::MarkedAllocator::allocateBlock):
(JSC::MarkedAllocator::addBlock):
(JSC::MarkedAllocator::removeBlock):
(JSC::MarkedAllocator::reset):
(JSC::MarkedAllocator::MarkedAllocator): Deleted.
(JSC::MarkedAllocator::tryAllocateWithoutCollectingImpl): Deleted.
(JSC::MarkedAllocator::tryAllocateWithoutCollecting): Deleted.
(JSC::MarkedAllocator::tryAllocateSlowCase): Deleted.
(JSC::MarkedAllocator::allocateSlowCaseImpl): Deleted.
(JSC::blockHeaderSize): Deleted.
(JSC::MarkedAllocator::blockSizeForBytes): Deleted.
(JSC::MarkedAllocator::tryAllocateBlock): Deleted.
(JSC::MarkedAllocator::setFreeList): Deleted.
* heap/MarkedAllocator.h:
(JSC::MarkedAllocator::offsetOfFreeListHead):
(JSC::MarkedAllocator::MarkedAllocator):
(JSC::MarkedAllocator::init):
(JSC::MarkedAllocator::allocate):
(JSC::MarkedAllocator::stopAllocating):
(JSC::MarkedAllocator::offsetOfFreeList): Deleted.
(JSC::MarkedAllocator::offsetOfCellSize): Deleted.
(JSC::MarkedAllocator::tryAllocate): Deleted.
* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::create):
(JSC::MarkedBlock::MarkedBlock):
(JSC::MarkedBlock::callDestructor):
(JSC::MarkedBlock::specializedSweep):
(JSC::MarkedBlock::sweep):
(JSC::MarkedBlock::sweepHelper):
(JSC::MarkedBlock::stopAllocating):
(JSC::MarkedBlock::clearMarksWithCollectionType):
(JSC::MarkedBlock::resumeAllocating):
(JSC::MarkedBlock::didRetireBlock):
(JSC::MarkedBlock::tryCreate): Deleted.
(JSC::MarkedBlock::sweepHelperSelectScribbleMode): Deleted.
(JSC::MarkedBlock::sweepHelperSelectStateAndSweepMode): Deleted.
(JSC::MarkedBlock::forEachFreeCell): Deleted.
* heap/MarkedBlock.h:
(JSC::MarkedBlock::FreeList::FreeList):
(JSC::MarkedBlock::isEmpty):
(JSC::MarkedBlock::setHasAnyMarked): Deleted.
(JSC::MarkedBlock::hasAnyMarked): Deleted.
(JSC::MarkedBlock::clearHasAnyMarked): Deleted.
(JSC::MarkedBlock::cellAlign): Deleted.
* heap/MarkedSpace.cpp:
(JSC::MarkedSpace::MarkedSpace):
(JSC::MarkedSpace::lastChanceToFinalize):
(JSC::MarkedSpace::sweep):
(JSC::MarkedSpace::zombifySweep):
(JSC::MarkedSpace::resetAllocators):
(JSC::MarkedSpace::visitWeakSets):
(JSC::MarkedSpace::reapWeakSets):
(JSC::MarkedSpace::forEachAllocator):
(JSC::MarkedSpace::stopAllocating):
(JSC::MarkedSpace::resumeAllocating):
(JSC::MarkedSpace::isPagedOut):
(JSC::MarkedSpace::shrink):
(JSC::MarkedSpace::clearNewlyAllocated):
(JSC::MarkedSpace::clearMarks):
(JSC::MarkedSpace::initializeSizeClassForStepSize): Deleted.
(JSC::MarkedSpace::allocate): Deleted.
(JSC::MarkedSpace::tryAllocate): Deleted.
(JSC::MarkedSpace::allocateLarge): Deleted.
(JSC::MarkedSpace::tryAllocateLarge): Deleted.
(JSC::MarkedSpace::sweepLargeAllocations): Deleted.
(JSC::MarkedSpace::prepareForMarking): Deleted.
(JSC::MarkedSpace::objectCount): Deleted.
(JSC::MarkedSpace::size): Deleted.
(JSC::MarkedSpace::capacity): Deleted.
* heap/MarkedSpace.h:
(JSC::MarkedSpace::blocksWithNewObjects):
(JSC::MarkedSpace::forEachLiveCell):
(JSC::MarkedSpace::forEachDeadCell):
(JSC::MarkedSpace::allocatorFor):
(JSC::MarkedSpace::destructorAllocatorFor):
(JSC::MarkedSpace::auxiliaryAllocatorFor):
(JSC::MarkedSpace::allocateWithoutDestructor):
(JSC::MarkedSpace::allocateWithDestructor):
(JSC::MarkedSpace::allocateAuxiliary):
(JSC::MarkedSpace::forEachBlock):
(JSC::MarkedSpace::objectCount):
(JSC::MarkedSpace::size):
(JSC::MarkedSpace::capacity):
(JSC::MarkedSpace::sizeClassToIndex): Deleted.
(JSC::MarkedSpace::indexToSizeClass): Deleted.
(JSC::MarkedSpace::largeAllocations): Deleted.
(JSC::MarkedSpace::largeAllocationsNurseryOffset): Deleted.
(JSC::MarkedSpace::largeAllocationsOffsetForThisCollection): Deleted.
(JSC::MarkedSpace::largeAllocationsForThisCollectionBegin): Deleted.
(JSC::MarkedSpace::largeAllocationsForThisCollectionEnd): Deleted.
(JSC::MarkedSpace::largeAllocationsForThisCollectionSize): Deleted.
(JSC::MarkedSpace::tryAllocateAuxiliary): Deleted.
(JSC::MarkedSpace::forEachAllocator): Deleted.
(JSC::MarkedSpace::optimalSizeFor): Deleted.
* heap/SlotVisitor.cpp:
(JSC::SlotVisitor::didStartMarking):
(JSC::SlotVisitor::reset):
(JSC::SlotVisitor::append):
(JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
(JSC::SlotVisitor::appendToMarkStack):
(JSC::SlotVisitor::visitChildren):
(JSC::SlotVisitor::appendJSCellOrAuxiliary): Deleted.
(JSC::SlotVisitor::markAuxiliary): Deleted.
(JSC::SlotVisitor::noteLiveAuxiliaryCell): Deleted.
* heap/SlotVisitor.h:
* heap/WeakBlock.cpp:
(JSC::WeakBlock::create):
(JSC::WeakBlock::WeakBlock):
(JSC::WeakBlock::visit):
(JSC::WeakBlock::reap):
* heap/WeakBlock.h:
(JSC::WeakBlock::disconnectMarkedBlock):
(JSC::WeakBlock::disconnectContainer): Deleted.
* heap/WeakSet.cpp:
(JSC::WeakSet::sweep):
(JSC::WeakSet::addAllocator):
* heap/WeakSet.h:
(JSC::WeakSet::WeakSet):
* heap/WeakSetInlines.h:
(JSC::WeakSet::allocate):
* inspector/InjectedScriptManager.cpp:
* inspector/JSGlobalObjectInspectorController.cpp:
* inspector/JSJavaScriptCallFrame.cpp:
* inspector/ScriptDebugServer.cpp:
* inspector/agents/InspectorDebuggerAgent.cpp:
* interpreter/CachedCall.h:
(JSC::CachedCall::CachedCall):
* interpreter/Interpreter.cpp:
(JSC::StackFrame::sourceID):
(JSC::StackFrame::sourceURL):
(JSC::StackFrame::functionName):
(JSC::loadVarargs):
(JSC::StackFrame::computeLineAndColumn):
(JSC::StackFrame::toString):
* interpreter/Interpreter.h:
(JSC::StackFrame::isNative):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::emitAllocate):
(JSC::AssemblyHelpers::emitAllocateJSCell):
(JSC::AssemblyHelpers::emitAllocateJSObject):
(JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
(JSC::AssemblyHelpers::emitAllocateVariableSized):
(JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator): Deleted.
* jit/GCAwareJITStubRoutine.cpp:
(JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
* jit/JIT.cpp:
(JSC::JIT::compileCTINativeCall): Deleted.
* jit/JIT.h:
(JSC::JIT::compileCTINativeCall):
* jit/JITExceptions.cpp:
(JSC::genericUnwind): Deleted.
* jit/JITExceptions.h:
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_new_object):
(JSC::JIT::emitSlow_op_new_object):
(JSC::JIT::emit_op_create_this):
(JSC::JIT::emitSlow_op_create_this):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_new_object):
(JSC::JIT::emitSlow_op_new_object):
(JSC::JIT::emit_op_create_this):
(JSC::JIT::emitSlow_op_create_this):
* jit/JITOperations.cpp:
* jit/JITOperations.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitWriteBarrier):
* jit/JITThunks.cpp:
* jit/JITThunks.h:
* jsc.cpp:
(functionDescribeArray):
(main):
* llint/LLIntData.cpp:
(JSC::LLInt::Data::performAssertions):
* llint/LLIntExceptions.cpp:
* llint/LLIntThunks.cpp:
* llint/LLIntThunks.h:
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter.cpp:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* parser/ModuleAnalyzer.cpp:
* parser/NodeConstructors.h:
* parser/Nodes.h:
* profiler/ProfilerBytecode.cpp:
* profiler/ProfilerBytecode.h:
* profiler/ProfilerBytecodeSequence.cpp:
* runtime/ArrayConventions.h:
(JSC::indexingHeaderForArray):
(JSC::baseIndexingHeaderForArray):
(JSC::indexingHeaderForArrayStorage): Deleted.
(JSC::baseIndexingHeaderForArrayStorage): Deleted.
* runtime/ArrayPrototype.cpp:
(JSC::arrayProtoFuncSplice):
(JSC::concatAppendOne):
(JSC::arrayProtoPrivateFuncConcatMemcpy):
* runtime/ArrayStorage.h:
(JSC::ArrayStorage::vectorLength):
(JSC::ArrayStorage::sizeFor):
(JSC::ArrayStorage::totalSizeFor): Deleted.
(JSC::ArrayStorage::totalSize): Deleted.
(JSC::ArrayStorage::availableVectorLength): Deleted.
(JSC::ArrayStorage::optimalVectorLength): Deleted.
* runtime/AuxiliaryBarrier.h: Removed.
* runtime/AuxiliaryBarrierInlines.h: Removed.
* runtime/Butterfly.h:
* runtime/ButterflyInlines.h:
(JSC::Butterfly::createUninitialized):
(JSC::Butterfly::growArrayRight):
(JSC::Butterfly::availableContiguousVectorLength): Deleted.
(JSC::Butterfly::optimalContiguousVectorLength): Deleted.
* runtime/ClonedArguments.cpp:
(JSC::ClonedArguments::createEmpty):
* runtime/CommonSlowPathsExceptions.cpp:
* runtime/CommonSlowPathsExceptions.h:
* runtime/DataView.cpp:
* runtime/DirectArguments.h:
* runtime/ECMAScriptSpecInternalFunctions.cpp:
* runtime/Error.cpp:
* runtime/Error.h:
* runtime/ErrorInstance.cpp:
* runtime/ErrorInstance.h:
* runtime/Exception.cpp:
* runtime/Exception.h:
* runtime/GeneratorFrame.cpp:
* runtime/GeneratorPrototype.cpp:
* runtime/InternalFunction.cpp:
(JSC::InternalFunction::InternalFunction):
* runtime/IntlCollator.cpp:
* runtime/IntlCollatorConstructor.cpp:
* runtime/IntlCollatorPrototype.cpp:
* runtime/IntlDateTimeFormat.cpp:
* runtime/IntlDateTimeFormatConstructor.cpp:
* runtime/IntlDateTimeFormatPrototype.cpp:
* runtime/IntlNumberFormat.cpp:
* runtime/IntlNumberFormatConstructor.cpp:
* runtime/IntlNumberFormatPrototype.cpp:
* runtime/IntlObject.cpp:
* runtime/IteratorPrototype.cpp:
* runtime/JSArray.cpp:
(JSC::JSArray::setLengthWritable):
(JSC::JSArray::unshiftCountSlowCase):
(JSC::JSArray::setLengthWithArrayStorage):
(JSC::JSArray::appendMemcpy):
(JSC::JSArray::setLength):
(JSC::JSArray::pop):
(JSC::JSArray::push):
(JSC::JSArray::fastSlice):
(JSC::JSArray::shiftCountWithArrayStorage):
(JSC::JSArray::shiftCountWithAnyIndexingType):
(JSC::JSArray::unshiftCountWithArrayStorage):
(JSC::JSArray::fillArgList):
(JSC::JSArray::copyToArguments):
(JSC::JSArray::tryCreateUninitialized): Deleted.
* runtime/JSArray.h:
(JSC::createContiguousArrayButterfly):
(JSC::createArrayButterfly):
(JSC::JSArray::create):
(JSC::JSArray::tryCreateUninitialized):
* runtime/JSArrayBufferView.h:
* runtime/JSCInlines.h:
* runtime/JSCJSValue.cpp:
(JSC::JSValue::dumpInContextAssumingStructure):
* runtime/JSCallee.cpp:
(JSC::JSCallee::JSCallee):
* runtime/JSCell.cpp:
(JSC::JSCell::estimatedSize):
* runtime/JSCell.h:
(JSC::JSCell::cellStateOffset):
* runtime/JSCellInlines.h:
(JSC::JSCell::vm):
(JSC::ExecState::vm):
(JSC::JSCell::classInfo):
(JSC::JSCell::callDestructor): Deleted.
* runtime/JSFunction.cpp:
(JSC::JSFunction::create):
(JSC::JSFunction::allocateAndInitializeRareData):
(JSC::JSFunction::initializeRareData):
(JSC::JSFunction::getOwnPropertySlot):
(JSC::JSFunction::put):
(JSC::JSFunction::deleteProperty):
(JSC::JSFunction::defineOwnProperty):
(JSC::JSFunction::setFunctionName):
(JSC::JSFunction::reifyLength):
(JSC::JSFunction::reifyName):
(JSC::JSFunction::reifyLazyPropertyIfNeeded):
(JSC::JSFunction::reifyBoundNameIfNeeded):
* runtime/JSFunction.h:
* runtime/JSFunctionInlines.h:
(JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
(JSC::JSFunction::JSFunction):
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView&lt;Adaptor&gt;::slowDownAndWasteMemory):
* runtime/JSInternalPromise.cpp:
* runtime/JSInternalPromiseConstructor.cpp:
* runtime/JSInternalPromiseDeferred.cpp:
* runtime/JSInternalPromisePrototype.cpp:
* runtime/JSJob.cpp:
* runtime/JSMapIterator.cpp:
* runtime/JSModuleNamespaceObject.cpp:
* runtime/JSModuleRecord.cpp:
* runtime/JSObject.cpp:
(JSC::JSObject::copyButterfly):
(JSC::JSObject::visitButterfly):
(JSC::JSObject::copyBackingStore):
(JSC::JSObject::notifyPresenceOfIndexedAccessors):
(JSC::JSObject::createInitialIndexedStorage):
(JSC::JSObject::createInitialUndecided):
(JSC::JSObject::createInitialInt32):
(JSC::JSObject::createInitialDouble):
(JSC::JSObject::createInitialContiguous):
(JSC::JSObject::createArrayStorage):
(JSC::JSObject::createInitialArrayStorage):
(JSC::JSObject::convertUndecidedToInt32):
(JSC::JSObject::convertUndecidedToContiguous):
(JSC::JSObject::convertUndecidedToArrayStorage):
(JSC::JSObject::convertInt32ToDouble):
(JSC::JSObject::convertInt32ToArrayStorage):
(JSC::JSObject::convertDoubleToArrayStorage):
(JSC::JSObject::convertContiguousToArrayStorage):
(JSC::JSObject::putByIndexBeyondVectorLength):
(JSC::JSObject::putDirectIndexBeyondVectorLength):
(JSC::JSObject::getNewVectorLength):
(JSC::JSObject::increaseVectorLength):
(JSC::JSObject::ensureLengthSlow):
(JSC::JSObject::growOutOfLineStorage):
* runtime/JSObject.h:
(JSC::JSObject::putDirectInternal):
(JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
(JSC::JSObject::globalObject): Deleted.
* runtime/JSObjectInlines.h:
* runtime/JSPromise.cpp:
* runtime/JSPromiseConstructor.cpp:
* runtime/JSPromiseDeferred.cpp:
* runtime/JSPromisePrototype.cpp:
* runtime/JSPropertyNameIterator.cpp:
* runtime/JSScope.cpp:
(JSC::JSScope::resolve):
* runtime/JSScope.h:
(JSC::JSScope::vm):
(JSC::JSScope::globalObject): Deleted.
* runtime/JSSetIterator.cpp:
* runtime/JSStringIterator.cpp:
* runtime/JSTemplateRegistryKey.cpp:
* runtime/JSTypedArrayViewConstructor.cpp:
* runtime/JSTypedArrayViewPrototype.cpp:
* runtime/JSWeakMap.cpp:
* runtime/JSWeakSet.cpp:
* runtime/MapConstructor.cpp:
* runtime/MapIteratorPrototype.cpp:
* runtime/MapPrototype.cpp:
* runtime/NativeErrorConstructor.cpp:
* runtime/NativeStdFunctionCell.cpp:
* runtime/Operations.h:
(JSC::scribbleFreeCells): Deleted.
(JSC::scribble): Deleted.
* runtime/Options.h:
* runtime/PropertyTable.cpp:
* runtime/ProxyConstructor.cpp:
* runtime/ProxyObject.cpp:
* runtime/ProxyRevoke.cpp:
* runtime/RegExp.cpp:
(JSC::RegExp::match):
(JSC::RegExp::matchConcurrently):
(JSC::RegExp::matchCompareWithInterpreter):
* runtime/RegExp.h:
* runtime/RegExpConstructor.h:
* runtime/RegExpInlines.h:
(JSC::RegExp::matchInline):
* runtime/RegExpMatchesArray.h:
(JSC::tryCreateUninitializedRegExpMatchesArray):
(JSC::createRegExpMatchesArray):
* runtime/RegExpPrototype.cpp:
(JSC::genericSplit):
* runtime/RuntimeType.cpp:
* runtime/SamplingProfiler.cpp:
(JSC::SamplingProfiler::processUnverifiedStackTraces):
* runtime/SetConstructor.cpp:
* runtime/SetIteratorPrototype.cpp:
* runtime/SetPrototype.cpp:
* runtime/StackFrame.cpp: Removed.
* runtime/StackFrame.h: Removed.
* runtime/StringConstructor.cpp:
* runtime/StringIteratorPrototype.cpp:
* runtime/TemplateRegistry.cpp:
* runtime/TestRunnerUtils.cpp:
(JSC::finalizeStatsAtEndOfTesting): Deleted.
* runtime/TestRunnerUtils.h:
* runtime/TypeProfilerLog.cpp:
* runtime/TypeSet.cpp:
* runtime/VM.cpp:
(JSC::VM::ensureStackCapacityForCLoop): Deleted.
(JSC::VM::isSafeToRecurseSoftCLoop): Deleted.
* runtime/VM.h:
* runtime/VMEntryScope.h:
* runtime/VMInlines.h:
(JSC::VM::ensureStackCapacityFor):
(JSC::VM::isSafeToRecurseSoft):
* runtime/WeakMapConstructor.cpp:
* runtime/WeakMapData.cpp:
* runtime/WeakMapPrototype.cpp:
* runtime/WeakSetConstructor.cpp:
* runtime/WeakSetPrototype.cpp:
* testRegExp.cpp:
(testOneRegExp):
* tools/JSDollarVM.cpp:
* tools/JSDollarVMPrototype.cpp:
(JSC::JSDollarVMPrototype::isInObjectSpace):

Source/WebCore:

* ForwardingHeaders/heap/HeapInlines.h: Removed.
* ForwardingHeaders/interpreter/Interpreter.h: Added.
* ForwardingHeaders/runtime/AuxiliaryBarrierInlines.h: Removed.
* Modules/indexeddb/IDBCursorWithValue.cpp:
* Modules/indexeddb/client/TransactionOperation.cpp:
* Modules/indexeddb/server/SQLiteIDBBackingStore.cpp:
* Modules/indexeddb/server/UniqueIDBDatabase.cpp:
* bindings/js/JSApplePayPaymentAuthorizedEventCustom.cpp:
* bindings/js/JSApplePayPaymentMethodSelectedEventCustom.cpp:
* bindings/js/JSApplePayShippingContactSelectedEventCustom.cpp:
* bindings/js/JSApplePayShippingMethodSelectedEventCustom.cpp:
* bindings/js/JSClientRectCustom.cpp:
* bindings/js/JSDOMBinding.cpp:
* bindings/js/JSDOMBinding.h:
* bindings/js/JSDeviceMotionEventCustom.cpp:
* bindings/js/JSDeviceOrientationEventCustom.cpp:
* bindings/js/JSErrorEventCustom.cpp:
* bindings/js/JSIDBCursorWithValueCustom.cpp:
* bindings/js/JSIDBIndexCustom.cpp:
* bindings/js/JSPopStateEventCustom.cpp:
* bindings/js/JSWebGL2RenderingContextCustom.cpp:
* bindings/js/JSWorkerGlobalScopeCustom.cpp:
* bindings/js/WorkerScriptController.cpp:
* contentextensions/ContentExtensionParser.cpp:
* dom/ErrorEvent.cpp:
* html/HTMLCanvasElement.cpp:
* html/MediaDocument.cpp:
* inspector/CommandLineAPIModule.cpp:
* loader/EmptyClients.cpp:
* page/CaptionUserPreferences.cpp:
* page/Frame.cpp:
* page/PageGroup.cpp:
* page/UserContentController.cpp:
* platform/mock/mediasource/MockBox.cpp:
* testing/GCObservation.cpp:

Source/WebKit2:

* UIProcess/ViewGestureController.cpp:
* UIProcess/WebPageProxy.cpp:
* UIProcess/WebProcessPool.cpp:
* UIProcess/WebProcessProxy.cpp:
* WebProcess/InjectedBundle/DOM/InjectedBundleRangeHandle.cpp:
* WebProcess/Plugins/Netscape/JSNPObject.cpp:

Source/WTF:

* wtf/FastMalloc.cpp:
(WTF::tryFastAlignedMalloc): Deleted.
* wtf/FastMalloc.h:
* wtf/ParkingLot.cpp:
(WTF::ParkingLot::forEach):
(WTF::ParkingLot::forEachImpl): Deleted.
* wtf/ParkingLot.h:
(WTF::ParkingLot::parkConditionally):
(WTF::ParkingLot::unparkOne):
(WTF::ParkingLot::forEach): Deleted.
* wtf/ScopedLambda.h:
(WTF::scopedLambdaRef): Deleted.

Tools:

* DumpRenderTree/TestRunner.cpp:
* DumpRenderTree/mac/DumpRenderTree.mm:
(DumpRenderTreeMain):
* Scripts/run-jsc-stress-tests:
* TestWebKitAPI/Tests/WTF/Vector.cpp:
(TestWebKitAPI::TEST):

LayoutTests:

* TestExpectations:</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkJSTestsChangeLog">trunk/JSTests/ChangeLog</a></li>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkLayoutTestsTestExpectations">trunk/LayoutTests/TestExpectations</a></li>
<li><a href="#trunkSourceJavaScriptCoreAPIJSTypedArraycpp">trunk/Source/JavaScriptCore/API/JSTypedArray.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreAPIObjCCallbackFunctionmm">trunk/Source/JavaScriptCore/API/ObjCCallbackFunction.mm</a></li>
<li><a href="#trunkSourceJavaScriptCoreCMakeListstxt">trunk/Source/JavaScriptCore/CMakeLists.txt</a></li>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoreJavaScriptCorexcodeprojprojectpbxproj">trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj</a></li>
<li><a href="#trunkSourceJavaScriptCoreScriptsbuiltinsbuiltins_generate_combined_implementationpy">trunk/Source/JavaScriptCore/Scripts/builtins/builtins_generate_combined_implementation.py</a></li>
<li><a href="#trunkSourceJavaScriptCoreScriptsbuiltinsbuiltins_generate_internals_wrapper_implementationpy">trunk/Source/JavaScriptCore/Scripts/builtins/builtins_generate_internals_wrapper_implementation.py</a></li>
<li><a href="#trunkSourceJavaScriptCoreScriptsbuiltinsbuiltins_generate_separate_implementationpy">trunk/Source/JavaScriptCore/Scripts/builtins/builtins_generate_separate_implementation.py</a></li>
<li><a href="#trunkSourceJavaScriptCoreassemblerAbstractMacroAssemblerh">trunk/Source/JavaScriptCore/assembler/AbstractMacroAssembler.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreassemblerMacroAssemblerh">trunk/Source/JavaScriptCore/assembler/MacroAssembler.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreassemblerMacroAssemblerARM64h">trunk/Source/JavaScriptCore/assembler/MacroAssemblerARM64.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreassemblerMacroAssemblerCodeRefh">trunk/Source/JavaScriptCore/assembler/MacroAssemblerCodeRef.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreb3B3BasicBlockcpp">trunk/Source/JavaScriptCore/b3/B3BasicBlock.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreb3B3BasicBlockh">trunk/Source/JavaScriptCore/b3/B3BasicBlock.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreb3B3DuplicateTailscpp">trunk/Source/JavaScriptCore/b3/B3DuplicateTails.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreb3B3StackmapGenerationParamsh">trunk/Source/JavaScriptCore/b3/B3StackmapGenerationParams.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreb3testb3cpp">trunk/Source/JavaScriptCore/b3/testb3.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebindingsScriptValuecpp">trunk/Source/JavaScriptCore/bindings/ScriptValue.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeAdaptiveInferredPropertyValueWatchpointBasecpp">trunk/Source/JavaScriptCore/bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeBytecodeBasicBlockcpp">trunk/Source/JavaScriptCore/bytecode/BytecodeBasicBlock.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeBytecodeLivenessAnalysiscpp">trunk/Source/JavaScriptCore/bytecode/BytecodeLivenessAnalysis.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeBytecodeUseDefh">trunk/Source/JavaScriptCore/bytecode/BytecodeUseDef.h</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeCallLinkInfocpp">trunk/Source/JavaScriptCore/bytecode/CallLinkInfo.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeCallLinkInfoh">trunk/Source/JavaScriptCore/bytecode/CallLinkInfo.h</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeCallLinkStatuscpp">trunk/Source/JavaScriptCore/bytecode/CallLinkStatus.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeCodeBlockcpp">trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeCodeBlockh">trunk/Source/JavaScriptCore/bytecode/CodeBlock.h</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeInstructionh">trunk/Source/JavaScriptCore/bytecode/Instruction.h</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeLLIntPrototypeLoadAdaptiveStructureWatchpointcpp">trunk/Source/JavaScriptCore/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeObjectAllocationProfileh">trunk/Source/JavaScriptCore/bytecode/ObjectAllocationProfile.h</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeOpcodeh">trunk/Source/JavaScriptCore/bytecode/Opcode.h</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodePolymorphicAccesscpp">trunk/Source/JavaScriptCore/bytecode/PolymorphicAccess.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodePolymorphicAccessh">trunk/Source/JavaScriptCore/bytecode/PolymorphicAccess.h</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodePreciseJumpTargetscpp">trunk/Source/JavaScriptCore/bytecode/PreciseJumpTargets.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeStructureStubInfocpp">trunk/Source/JavaScriptCore/bytecode/StructureStubInfo.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeStructureStubInfoh">trunk/Source/JavaScriptCore/bytecode/StructureStubInfo.h</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeUnlinkedCodeBlockcpp">trunk/Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeUnlinkedCodeBlockh">trunk/Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.h</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeUnlinkedInstructionStreamcpp">trunk/Source/JavaScriptCore/bytecode/UnlinkedInstructionStream.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeUnlinkedInstructionStreamh">trunk/Source/JavaScriptCore/bytecode/UnlinkedInstructionStream.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGOperationscpp">trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJITcpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJITh">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJIT32_64cpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJIT64cpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGStrengthReductionPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLAbstractHeapRepositoryh">trunk/Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLCompilecpp">trunk/Source/JavaScriptCore/ftl/FTLCompile.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLJITFinalizercpp">trunk/Source/JavaScriptCore/ftl/FTLJITFinalizer.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLLowerDFGToB3cpp">trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLOutputcpp">trunk/Source/JavaScriptCore/ftl/FTLOutput.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLOutputh">trunk/Source/JavaScriptCore/ftl/FTLOutput.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLValueFromBlockh">trunk/Source/JavaScriptCore/ftl/FTLValueFromBlock.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLWeightedTargeth">trunk/Source/JavaScriptCore/ftl/FTLWeightedTarget.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapConservativeRootscpp">trunk/Source/JavaScriptCore/heap/ConservativeRoots.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapConservativeRootsh">trunk/Source/JavaScriptCore/heap/ConservativeRoots.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapCopyTokenh">trunk/Source/JavaScriptCore/heap/CopyToken.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapHeapcpp">trunk/Source/JavaScriptCore/heap/Heap.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapHeaph">trunk/Source/JavaScriptCore/heap/Heap.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapHeapCellh">trunk/Source/JavaScriptCore/heap/HeapCell.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapHeapInlinesh">trunk/Source/JavaScriptCore/heap/HeapInlines.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapMarkedAllocatorcpp">trunk/Source/JavaScriptCore/heap/MarkedAllocator.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapMarkedAllocatorh">trunk/Source/JavaScriptCore/heap/MarkedAllocator.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapMarkedBlockcpp">trunk/Source/JavaScriptCore/heap/MarkedBlock.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapMarkedBlockh">trunk/Source/JavaScriptCore/heap/MarkedBlock.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapMarkedSpacecpp">trunk/Source/JavaScriptCore/heap/MarkedSpace.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapMarkedSpaceh">trunk/Source/JavaScriptCore/heap/MarkedSpace.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapSlotVisitorcpp">trunk/Source/JavaScriptCore/heap/SlotVisitor.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapSlotVisitorh">trunk/Source/JavaScriptCore/heap/SlotVisitor.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapWeakBlockcpp">trunk/Source/JavaScriptCore/heap/WeakBlock.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapWeakBlockh">trunk/Source/JavaScriptCore/heap/WeakBlock.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapWeakSetcpp">trunk/Source/JavaScriptCore/heap/WeakSet.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapWeakSeth">trunk/Source/JavaScriptCore/heap/WeakSet.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapWeakSetInlinesh">trunk/Source/JavaScriptCore/heap/WeakSetInlines.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreinspectorInjectedScriptManagercpp">trunk/Source/JavaScriptCore/inspector/InjectedScriptManager.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreinspectorJSGlobalObjectInspectorControllercpp">trunk/Source/JavaScriptCore/inspector/JSGlobalObjectInspectorController.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreinspectorJSJavaScriptCallFramecpp">trunk/Source/JavaScriptCore/inspector/JSJavaScriptCallFrame.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreinspectorScriptDebugServercpp">trunk/Source/JavaScriptCore/inspector/ScriptDebugServer.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreinspectoragentsInspectorDebuggerAgentcpp">trunk/Source/JavaScriptCore/inspector/agents/InspectorDebuggerAgent.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreinterpreterCachedCallh">trunk/Source/JavaScriptCore/interpreter/CachedCall.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreinterpreterInterpretercpp">trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreinterpreterInterpreterh">trunk/Source/JavaScriptCore/interpreter/Interpreter.h</a></li>
<li><a href="#trunkSourceJavaScriptCorejitAssemblyHelpersh">trunk/Source/JavaScriptCore/jit/AssemblyHelpers.h</a></li>
<li><a href="#trunkSourceJavaScriptCorejitGCAwareJITStubRoutinecpp">trunk/Source/JavaScriptCore/jit/GCAwareJITStubRoutine.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITcpp">trunk/Source/JavaScriptCore/jit/JIT.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITh">trunk/Source/JavaScriptCore/jit/JIT.h</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITExceptionscpp">trunk/Source/JavaScriptCore/jit/JITExceptions.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITExceptionsh">trunk/Source/JavaScriptCore/jit/JITExceptions.h</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITOpcodescpp">trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITOpcodes32_64cpp">trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITOperationscpp">trunk/Source/JavaScriptCore/jit/JITOperations.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITOperationsh">trunk/Source/JavaScriptCore/jit/JITOperations.h</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITPropertyAccesscpp">trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITThunkscpp">trunk/Source/JavaScriptCore/jit/JITThunks.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITThunksh">trunk/Source/JavaScriptCore/jit/JITThunks.h</a></li>
<li><a href="#trunkSourceJavaScriptCorejsccpp">trunk/Source/JavaScriptCore/jsc.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorellintLLIntDatacpp">trunk/Source/JavaScriptCore/llint/LLIntData.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorellintLLIntExceptionscpp">trunk/Source/JavaScriptCore/llint/LLIntExceptions.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorellintLLIntThunkscpp">trunk/Source/JavaScriptCore/llint/LLIntThunks.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorellintLLIntThunksh">trunk/Source/JavaScriptCore/llint/LLIntThunks.h</a></li>
<li><a href="#trunkSourceJavaScriptCorellintLowLevelInterpreterasm">trunk/Source/JavaScriptCore/llint/LowLevelInterpreter.asm</a></li>
<li><a href="#trunkSourceJavaScriptCorellintLowLevelInterpretercpp">trunk/Source/JavaScriptCore/llint/LowLevelInterpreter.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorellintLowLevelInterpreter32_64asm">trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm</a></li>
<li><a href="#trunkSourceJavaScriptCorellintLowLevelInterpreter64asm">trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm</a></li>
<li><a href="#trunkSourceJavaScriptCoreparserModuleAnalyzercpp">trunk/Source/JavaScriptCore/parser/ModuleAnalyzer.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreparserNodeConstructorsh">trunk/Source/JavaScriptCore/parser/NodeConstructors.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreparserNodesh">trunk/Source/JavaScriptCore/parser/Nodes.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreprofilerProfilerBytecodecpp">trunk/Source/JavaScriptCore/profiler/ProfilerBytecode.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreprofilerProfilerBytecodeh">trunk/Source/JavaScriptCore/profiler/ProfilerBytecode.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreprofilerProfilerBytecodeSequencecpp">trunk/Source/JavaScriptCore/profiler/ProfilerBytecodeSequence.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeArrayConventionsh">trunk/Source/JavaScriptCore/runtime/ArrayConventions.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeArrayPrototypecpp">trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeArrayStorageh">trunk/Source/JavaScriptCore/runtime/ArrayStorage.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeButterflyh">trunk/Source/JavaScriptCore/runtime/Butterfly.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeButterflyInlinesh">trunk/Source/JavaScriptCore/runtime/ButterflyInlines.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeClonedArgumentscpp">trunk/Source/JavaScriptCore/runtime/ClonedArguments.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeCommonSlowPathsExceptionscpp">trunk/Source/JavaScriptCore/runtime/CommonSlowPathsExceptions.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeCommonSlowPathsExceptionsh">trunk/Source/JavaScriptCore/runtime/CommonSlowPathsExceptions.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeDataViewcpp">trunk/Source/JavaScriptCore/runtime/DataView.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeDirectArgumentsh">trunk/Source/JavaScriptCore/runtime/DirectArguments.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeECMAScriptSpecInternalFunctionscpp">trunk/Source/JavaScriptCore/runtime/ECMAScriptSpecInternalFunctions.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeErrorcpp">trunk/Source/JavaScriptCore/runtime/Error.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeErrorh">trunk/Source/JavaScriptCore/runtime/Error.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeErrorInstancecpp">trunk/Source/JavaScriptCore/runtime/ErrorInstance.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeErrorInstanceh">trunk/Source/JavaScriptCore/runtime/ErrorInstance.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeExceptioncpp">trunk/Source/JavaScriptCore/runtime/Exception.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeExceptionh">trunk/Source/JavaScriptCore/runtime/Exception.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeGeneratorFramecpp">trunk/Source/JavaScriptCore/runtime/GeneratorFrame.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeGeneratorPrototypecpp">trunk/Source/JavaScriptCore/runtime/GeneratorPrototype.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeInternalFunctioncpp">trunk/Source/JavaScriptCore/runtime/InternalFunction.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeIntlCollatorcpp">trunk/Source/JavaScriptCore/runtime/IntlCollator.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeIntlCollatorConstructorcpp">trunk/Source/JavaScriptCore/runtime/IntlCollatorConstructor.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeIntlCollatorPrototypecpp">trunk/Source/JavaScriptCore/runtime/IntlCollatorPrototype.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeIntlDateTimeFormatcpp">trunk/Source/JavaScriptCore/runtime/IntlDateTimeFormat.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeIntlDateTimeFormatConstructorcpp">trunk/Source/JavaScriptCore/runtime/IntlDateTimeFormatConstructor.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeIntlDateTimeFormatPrototypecpp">trunk/Source/JavaScriptCore/runtime/IntlDateTimeFormatPrototype.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeIntlNumberFormatcpp">trunk/Source/JavaScriptCore/runtime/IntlNumberFormat.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeIntlNumberFormatConstructorcpp">trunk/Source/JavaScriptCore/runtime/IntlNumberFormatConstructor.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeIntlNumberFormatPrototypecpp">trunk/Source/JavaScriptCore/runtime/IntlNumberFormatPrototype.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeIntlObjectcpp">trunk/Source/JavaScriptCore/runtime/IntlObject.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeIteratorPrototypecpp">trunk/Source/JavaScriptCore/runtime/IteratorPrototype.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSArraycpp">trunk/Source/JavaScriptCore/runtime/JSArray.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSArrayh">trunk/Source/JavaScriptCore/runtime/JSArray.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSArrayBufferViewh">trunk/Source/JavaScriptCore/runtime/JSArrayBufferView.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSCInlinesh">trunk/Source/JavaScriptCore/runtime/JSCInlines.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSCJSValuecpp">trunk/Source/JavaScriptCore/runtime/JSCJSValue.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSCalleecpp">trunk/Source/JavaScriptCore/runtime/JSCallee.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSCellcpp">trunk/Source/JavaScriptCore/runtime/JSCell.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSCellh">trunk/Source/JavaScriptCore/runtime/JSCell.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSCellInlinesh">trunk/Source/JavaScriptCore/runtime/JSCellInlines.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSFunctioncpp">trunk/Source/JavaScriptCore/runtime/JSFunction.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSFunctionh">trunk/Source/JavaScriptCore/runtime/JSFunction.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSFunctionInlinesh">trunk/Source/JavaScriptCore/runtime/JSFunctionInlines.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSGenericTypedArrayViewInlinesh">trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSInternalPromisecpp">trunk/Source/JavaScriptCore/runtime/JSInternalPromise.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSInternalPromiseConstructorcpp">trunk/Source/JavaScriptCore/runtime/JSInternalPromiseConstructor.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSInternalPromiseDeferredcpp">trunk/Source/JavaScriptCore/runtime/JSInternalPromiseDeferred.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSInternalPromisePrototypecpp">trunk/Source/JavaScriptCore/runtime/JSInternalPromisePrototype.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSJobcpp">trunk/Source/JavaScriptCore/runtime/JSJob.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSMapIteratorcpp">trunk/Source/JavaScriptCore/runtime/JSMapIterator.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSModuleNamespaceObjectcpp">trunk/Source/JavaScriptCore/runtime/JSModuleNamespaceObject.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSModuleRecordcpp">trunk/Source/JavaScriptCore/runtime/JSModuleRecord.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSObjectcpp">trunk/Source/JavaScriptCore/runtime/JSObject.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSObjecth">trunk/Source/JavaScriptCore/runtime/JSObject.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSObjectInlinesh">trunk/Source/JavaScriptCore/runtime/JSObjectInlines.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSPromisecpp">trunk/Source/JavaScriptCore/runtime/JSPromise.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSPromiseConstructorcpp">trunk/Source/JavaScriptCore/runtime/JSPromiseConstructor.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSPromiseDeferredcpp">trunk/Source/JavaScriptCore/runtime/JSPromiseDeferred.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSPromisePrototypecpp">trunk/Source/JavaScriptCore/runtime/JSPromisePrototype.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSPropertyNameIteratorcpp">trunk/Source/JavaScriptCore/runtime/JSPropertyNameIterator.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSScopecpp">trunk/Source/JavaScriptCore/runtime/JSScope.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSScopeh">trunk/Source/JavaScriptCore/runtime/JSScope.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSSetIteratorcpp">trunk/Source/JavaScriptCore/runtime/JSSetIterator.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSStringIteratorcpp">trunk/Source/JavaScriptCore/runtime/JSStringIterator.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSTemplateRegistryKeycpp">trunk/Source/JavaScriptCore/runtime/JSTemplateRegistryKey.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSTypedArrayViewConstructorcpp">trunk/Source/JavaScriptCore/runtime/JSTypedArrayViewConstructor.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSTypedArrayViewPrototypecpp">trunk/Source/JavaScriptCore/runtime/JSTypedArrayViewPrototype.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSWeakMapcpp">trunk/Source/JavaScriptCore/runtime/JSWeakMap.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSWeakSetcpp">trunk/Source/JavaScriptCore/runtime/JSWeakSet.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeMapConstructorcpp">trunk/Source/JavaScriptCore/runtime/MapConstructor.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeMapIteratorPrototypecpp">trunk/Source/JavaScriptCore/runtime/MapIteratorPrototype.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeMapPrototypecpp">trunk/Source/JavaScriptCore/runtime/MapPrototype.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeNativeErrorConstructorcpp">trunk/Source/JavaScriptCore/runtime/NativeErrorConstructor.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeNativeStdFunctionCellcpp">trunk/Source/JavaScriptCore/runtime/NativeStdFunctionCell.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeOperationsh">trunk/Source/JavaScriptCore/runtime/Operations.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeOptionsh">trunk/Source/JavaScriptCore/runtime/Options.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimePropertyTablecpp">trunk/Source/JavaScriptCore/runtime/PropertyTable.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeProxyConstructorcpp">trunk/Source/JavaScriptCore/runtime/ProxyConstructor.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeProxyObjectcpp">trunk/Source/JavaScriptCore/runtime/ProxyObject.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeProxyRevokecpp">trunk/Source/JavaScriptCore/runtime/ProxyRevoke.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeRegExpcpp">trunk/Source/JavaScriptCore/runtime/RegExp.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeRegExph">trunk/Source/JavaScriptCore/runtime/RegExp.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeRegExpConstructorh">trunk/Source/JavaScriptCore/runtime/RegExpConstructor.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeRegExpInlinesh">trunk/Source/JavaScriptCore/runtime/RegExpInlines.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeRegExpMatchesArrayh">trunk/Source/JavaScriptCore/runtime/RegExpMatchesArray.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeRegExpPrototypecpp">trunk/Source/JavaScriptCore/runtime/RegExpPrototype.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeRuntimeTypecpp">trunk/Source/JavaScriptCore/runtime/RuntimeType.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeSamplingProfilercpp">trunk/Source/JavaScriptCore/runtime/SamplingProfiler.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeSetConstructorcpp">trunk/Source/JavaScriptCore/runtime/SetConstructor.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeSetIteratorPrototypecpp">trunk/Source/JavaScriptCore/runtime/SetIteratorPrototype.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeSetPrototypecpp">trunk/Source/JavaScriptCore/runtime/SetPrototype.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeStringConstructorcpp">trunk/Source/JavaScriptCore/runtime/StringConstructor.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeStringIteratorPrototypecpp">trunk/Source/JavaScriptCore/runtime/StringIteratorPrototype.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeTemplateRegistrycpp">trunk/Source/JavaScriptCore/runtime/TemplateRegistry.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeTestRunnerUtilscpp">trunk/Source/JavaScriptCore/runtime/TestRunnerUtils.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeTestRunnerUtilsh">trunk/Source/JavaScriptCore/runtime/TestRunnerUtils.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeTypeProfilerLogcpp">trunk/Source/JavaScriptCore/runtime/TypeProfilerLog.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeTypeSetcpp">trunk/Source/JavaScriptCore/runtime/TypeSet.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeVMcpp">trunk/Source/JavaScriptCore/runtime/VM.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeVMh">trunk/Source/JavaScriptCore/runtime/VM.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeVMEntryScopeh">trunk/Source/JavaScriptCore/runtime/VMEntryScope.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeVMInlinesh">trunk/Source/JavaScriptCore/runtime/VMInlines.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeWeakMapConstructorcpp">trunk/Source/JavaScriptCore/runtime/WeakMapConstructor.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeWeakMapDatacpp">trunk/Source/JavaScriptCore/runtime/WeakMapData.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeWeakMapPrototypecpp">trunk/Source/JavaScriptCore/runtime/WeakMapPrototype.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeWeakSetConstructorcpp">trunk/Source/JavaScriptCore/runtime/WeakSetConstructor.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeWeakSetPrototypecpp">trunk/Source/JavaScriptCore/runtime/WeakSetPrototype.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoretestRegExpcpp">trunk/Source/JavaScriptCore/testRegExp.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoretoolsJSDollarVMcpp">trunk/Source/JavaScriptCore/tools/JSDollarVM.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoretoolsJSDollarVMPrototypecpp">trunk/Source/JavaScriptCore/tools/JSDollarVMPrototype.cpp</a></li>
<li><a href="#trunkSourceWTFChangeLog">trunk/Source/WTF/ChangeLog</a></li>
<li><a href="#trunkSourceWTFwtfFastMalloccpp">trunk/Source/WTF/wtf/FastMalloc.cpp</a></li>
<li><a href="#trunkSourceWTFwtfFastMalloch">trunk/Source/WTF/wtf/FastMalloc.h</a></li>
<li><a href="#trunkSourceWTFwtfParkingLotcpp">trunk/Source/WTF/wtf/ParkingLot.cpp</a></li>
<li><a href="#trunkSourceWTFwtfParkingLoth">trunk/Source/WTF/wtf/ParkingLot.h</a></li>
<li><a href="#trunkSourceWTFwtfScopedLambdah">trunk/Source/WTF/wtf/ScopedLambda.h</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreModulesindexeddbIDBCursorWithValuecpp">trunk/Source/WebCore/Modules/indexeddb/IDBCursorWithValue.cpp</a></li>
<li><a href="#trunkSourceWebCoreModulesindexeddbclientTransactionOperationcpp">trunk/Source/WebCore/Modules/indexeddb/client/TransactionOperation.cpp</a></li>
<li><a href="#trunkSourceWebCoreModulesindexeddbserverSQLiteIDBBackingStorecpp">trunk/Source/WebCore/Modules/indexeddb/server/SQLiteIDBBackingStore.cpp</a></li>
<li><a href="#trunkSourceWebCoreModulesindexeddbserverUniqueIDBDatabasecpp">trunk/Source/WebCore/Modules/indexeddb/server/UniqueIDBDatabase.cpp</a></li>
<li><a href="#trunkSourceWebCorebindingsjsJSApplePayPaymentAuthorizedEventCustomcpp">trunk/Source/WebCore/bindings/js/JSApplePayPaymentAuthorizedEventCustom.cpp</a></li>
<li><a href="#trunkSourceWebCorebindingsjsJSApplePayPaymentMethodSelectedEventCustomcpp">trunk/Source/WebCore/bindings/js/JSApplePayPaymentMethodSelectedEventCustom.cpp</a></li>
<li><a href="#trunkSourceWebCorebindingsjsJSApplePayShippingContactSelectedEventCustomcpp">trunk/Source/WebCore/bindings/js/JSApplePayShippingContactSelectedEventCustom.cpp</a></li>
<li><a href="#trunkSourceWebCorebindingsjsJSApplePayShippingMethodSelectedEventCustomcpp">trunk/Source/WebCore/bindings/js/JSApplePayShippingMethodSelectedEventCustom.cpp</a></li>
<li><a href="#trunkSourceWebCorebindingsjsJSClientRectCustomcpp">trunk/Source/WebCore/bindings/js/JSClientRectCustom.cpp</a></li>
<li><a href="#trunkSourceWebCorebindingsjsJSDOMBindingcpp">trunk/Source/WebCore/bindings/js/JSDOMBinding.cpp</a></li>
<li><a href="#trunkSourceWebCorebindingsjsJSDOMBindingh">trunk/Source/WebCore/bindings/js/JSDOMBinding.h</a></li>
<li><a href="#trunkSourceWebCorebindingsjsJSDeviceMotionEventCustomcpp">trunk/Source/WebCore/bindings/js/JSDeviceMotionEventCustom.cpp</a></li>
<li><a href="#trunkSourceWebCorebindingsjsJSDeviceOrientationEventCustomcpp">trunk/Source/WebCore/bindings/js/JSDeviceOrientationEventCustom.cpp</a></li>
<li><a href="#trunkSourceWebCorebindingsjsJSErrorEventCustomcpp">trunk/Source/WebCore/bindings/js/JSErrorEventCustom.cpp</a></li>
<li><a href="#trunkSourceWebCorebindingsjsJSIDBCursorWithValueCustomcpp">trunk/Source/WebCore/bindings/js/JSIDBCursorWithValueCustom.cpp</a></li>
<li><a href="#trunkSourceWebCorebindingsjsJSIDBIndexCustomcpp">trunk/Source/WebCore/bindings/js/JSIDBIndexCustom.cpp</a></li>
<li><a href="#trunkSourceWebCorebindingsjsJSPopStateEventCustomcpp">trunk/Source/WebCore/bindings/js/JSPopStateEventCustom.cpp</a></li>
<li><a href="#trunkSourceWebCorebindingsjsJSWebGL2RenderingContextCustomcpp">trunk/Source/WebCore/bindings/js/JSWebGL2RenderingContextCustom.cpp</a></li>
<li><a href="#trunkSourceWebCorebindingsjsJSWorkerGlobalScopeCustomcpp">trunk/Source/WebCore/bindings/js/JSWorkerGlobalScopeCustom.cpp</a></li>
<li><a href="#trunkSourceWebCorebindingsjsWorkerScriptControllercpp">trunk/Source/WebCore/bindings/js/WorkerScriptController.cpp</a></li>
<li><a href="#trunkSourceWebCorecontentextensionsContentExtensionParsercpp">trunk/Source/WebCore/contentextensions/ContentExtensionParser.cpp</a></li>
<li><a href="#trunkSourceWebCoredomErrorEventcpp">trunk/Source/WebCore/dom/ErrorEvent.cpp</a></li>
<li><a href="#trunkSourceWebCorehtmlHTMLCanvasElementcpp">trunk/Source/WebCore/html/HTMLCanvasElement.cpp</a></li>
<li><a href="#trunkSourceWebCorehtmlMediaDocumentcpp">trunk/Source/WebCore/html/MediaDocument.cpp</a></li>
<li><a href="#trunkSourceWebCoreinspectorCommandLineAPIModulecpp">trunk/Source/WebCore/inspector/CommandLineAPIModule.cpp</a></li>
<li><a href="#trunkSourceWebCoreloaderEmptyClientscpp">trunk/Source/WebCore/loader/EmptyClients.cpp</a></li>
<li><a href="#trunkSourceWebCorepageCaptionUserPreferencescpp">trunk/Source/WebCore/page/CaptionUserPreferences.cpp</a></li>
<li><a href="#trunkSourceWebCorepageFramecpp">trunk/Source/WebCore/page/Frame.cpp</a></li>
<li><a href="#trunkSourceWebCorepagePageGroupcpp">trunk/Source/WebCore/page/PageGroup.cpp</a></li>
<li><a href="#trunkSourceWebCorepageUserContentControllercpp">trunk/Source/WebCore/page/UserContentController.cpp</a></li>
<li><a href="#trunkSourceWebCoreplatformmockmediasourceMockBoxcpp">trunk/Source/WebCore/platform/mock/mediasource/MockBox.cpp</a></li>
<li><a href="#trunkSourceWebCoretestingGCObservationcpp">trunk/Source/WebCore/testing/GCObservation.cpp</a></li>
<li><a href="#trunkSourceWebKit2ChangeLog">trunk/Source/WebKit2/ChangeLog</a></li>
<li><a href="#trunkSourceWebKit2UIProcessViewGestureControllercpp">trunk/Source/WebKit2/UIProcess/ViewGestureController.cpp</a></li>
<li><a href="#trunkSourceWebKit2UIProcessWebPageProxycpp">trunk/Source/WebKit2/UIProcess/WebPageProxy.cpp</a></li>
<li><a href="#trunkSourceWebKit2UIProcessWebProcessPoolcpp">trunk/Source/WebKit2/UIProcess/WebProcessPool.cpp</a></li>
<li><a href="#trunkSourceWebKit2UIProcessWebProcessProxycpp">trunk/Source/WebKit2/UIProcess/WebProcessProxy.cpp</a></li>
<li><a href="#trunkSourceWebKit2WebProcessInjectedBundleDOMInjectedBundleRangeHandlecpp">trunk/Source/WebKit2/WebProcess/InjectedBundle/DOM/InjectedBundleRangeHandle.cpp</a></li>
<li><a href="#trunkSourceWebKit2WebProcessPluginsNetscapeJSNPObjectcpp">trunk/Source/WebKit2/WebProcess/Plugins/Netscape/JSNPObject.cpp</a></li>
<li><a href="#trunkSourcebmallocChangeLog">trunk/Source/bmalloc/ChangeLog</a></li>
<li><a href="#trunkSourcebmallocbmallocAllocatorcpp">trunk/Source/bmalloc/bmalloc/Allocator.cpp</a></li>
<li><a href="#trunkSourcebmallocbmallocAllocatorh">trunk/Source/bmalloc/bmalloc/Allocator.h</a></li>
<li><a href="#trunkSourcebmallocbmallocCacheh">trunk/Source/bmalloc/bmalloc/Cache.h</a></li>
<li><a href="#trunkSourcebmallocbmallocbmalloch">trunk/Source/bmalloc/bmalloc/bmalloc.h</a></li>
<li><a href="#trunkToolsChangeLog">trunk/Tools/ChangeLog</a></li>
<li><a href="#trunkToolsDumpRenderTreeTestRunnercpp">trunk/Tools/DumpRenderTree/TestRunner.cpp</a></li>
<li><a href="#trunkToolsDumpRenderTreemacDumpRenderTreemm">trunk/Tools/DumpRenderTree/mac/DumpRenderTree.mm</a></li>
<li><a href="#trunkToolsScriptsrunjscstresstests">trunk/Tools/Scripts/run-jsc-stress-tests</a></li>
<li><a href="#trunkToolsTestWebKitAPITestsWTFVectorcpp">trunk/Tools/TestWebKitAPI/Tests/WTF/Vector.cpp</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#trunkSourceWebCoreForwardingHeadersinterpreterInterpreterh">trunk/Source/WebCore/ForwardingHeaders/interpreter/Interpreter.h</a></li>
</ul>

<h3>Removed Paths</h3>
<ul>
<li><a href="#trunkJSTestsstressarraystoragearrayunshiftjs">trunk/JSTests/stress/array-storage-array-unshift.js</a></li>
<li><a href="#trunkJSTestsstresscontiguousarrayunshiftjs">trunk/JSTests/stress/contiguous-array-unshift.js</a></li>
<li><a href="#trunkJSTestsstressdoublearrayunshiftjs">trunk/JSTests/stress/double-array-unshift.js</a></li>
<li><a href="#trunkJSTestsstressint32arrayunshiftjs">trunk/JSTests/stress/int32-array-unshift.js</a></li>
<li><a href="#trunkSourceJavaScriptCoreassemblerMacroAssemblerCodeRefcpp">trunk/Source/JavaScriptCore/assembler/MacroAssemblerCodeRef.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapCellContainerh">trunk/Source/JavaScriptCore/heap/CellContainer.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapCellContainerInlinesh">trunk/Source/JavaScriptCore/heap/CellContainerInlines.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapFreeListcpp">trunk/Source/JavaScriptCore/heap/FreeList.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapFreeListh">trunk/Source/JavaScriptCore/heap/FreeList.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapHeapCellInlinesh">trunk/Source/JavaScriptCore/heap/HeapCellInlines.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapHeapUtilh">trunk/Source/JavaScriptCore/heap/HeapUtil.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapLargeAllocationcpp">trunk/Source/JavaScriptCore/heap/LargeAllocation.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapLargeAllocationh">trunk/Source/JavaScriptCore/heap/LargeAllocation.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeAuxiliaryBarrierh">trunk/Source/JavaScriptCore/runtime/AuxiliaryBarrier.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeAuxiliaryBarrierInlinesh">trunk/Source/JavaScriptCore/runtime/AuxiliaryBarrierInlines.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeStackFramecpp">trunk/Source/JavaScriptCore/runtime/StackFrame.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeStackFrameh">trunk/Source/JavaScriptCore/runtime/StackFrame.h</a></li>
<li><a href="#trunkSourceWebCoreForwardingHeadersheapHeapInlinesh">trunk/Source/WebCore/ForwardingHeaders/heap/HeapInlines.h</a></li>
<li><a href="#trunkSourceWebCoreForwardingHeadersruntimeAuxiliaryBarrierInlinesh">trunk/Source/WebCore/ForwardingHeaders/runtime/AuxiliaryBarrierInlines.h</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkJSTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/JSTests/ChangeLog (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/JSTests/ChangeLog        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/JSTests/ChangeLog        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,3 +1,12 @@
</span><ins>+2016-08-24  Filip Pizlo  &lt;fpizlo@apple.com&gt;
+
+        Unreviewed, roll out r204901, r204897, r204866, r204856, r204854.
+
+        * stress/array-storage-array-unshift.js: Removed.
+        * stress/contiguous-array-unshift.js: Removed.
+        * stress/double-array-unshift.js: Removed.
+        * stress/int32-array-unshift.js: Removed.
+
</ins><span class="cx"> 2016-08-24  Skachkov Oleksandr  &lt;gskachkov@gmail.com&gt;
</span><span class="cx"> 
</span><span class="cx">         [ES2016] Allow assignment in for-in head in not-strict mode
</span></span></pre></div>
<a id="trunkJSTestsstressarraystoragearrayunshiftjs"></a>
<div class="delfile"><h4>Deleted: trunk/JSTests/stress/array-storage-array-unshift.js (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/JSTests/stress/array-storage-array-unshift.js        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/JSTests/stress/array-storage-array-unshift.js        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,8 +0,0 @@
</span><del>-//@ runDefault
-var x = [2.5, 1.5];
-x.length = 1000000000;
-x.length = 2;
-Array.prototype.unshift.call(x, 3.5);
-if (x.toString() != &quot;3.5,2.5,1.5&quot;)
-    throw &quot;Error: bad result: &quot; + describe(x);
-
</del></span></pre></div>
<a id="trunkJSTestsstresscontiguousarrayunshiftjs"></a>
<div class="delfile"><h4>Deleted: trunk/JSTests/stress/contiguous-array-unshift.js (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/JSTests/stress/contiguous-array-unshift.js        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/JSTests/stress/contiguous-array-unshift.js        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,6 +0,0 @@
</span><del>-//@ runDefault
-var x = ['b', 'a'];
-Array.prototype.unshift.call(x, 'c');
-if (x.toString() != &quot;c,b,a&quot;)
-    throw &quot;Error: bad result: &quot; + describe(x);
-
</del></span></pre></div>
<a id="trunkJSTestsstressdoublearrayunshiftjs"></a>
<div class="delfile"><h4>Deleted: trunk/JSTests/stress/double-array-unshift.js (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/JSTests/stress/double-array-unshift.js        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/JSTests/stress/double-array-unshift.js        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,6 +0,0 @@
</span><del>-//@ runDefault
-var x = [2.5, 1.5];
-Array.prototype.unshift.call(x, 3.5);
-if (x.toString() != &quot;3.5,2.5,1.5&quot;)
-    throw &quot;Error: bad result: &quot; + describe(x);
-
</del></span></pre></div>
<a id="trunkJSTestsstressint32arrayunshiftjs"></a>
<div class="delfile"><h4>Deleted: trunk/JSTests/stress/int32-array-unshift.js (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/JSTests/stress/int32-array-unshift.js        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/JSTests/stress/int32-array-unshift.js        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,6 +0,0 @@
</span><del>-//@ runDefault
-var x = [2, 1];
-Array.prototype.unshift.call(x, 3);
-if (x.toString() != &quot;3,2,1&quot;)
-    throw &quot;Error: bad result: &quot; + describe(x);
-
</del></span></pre></div>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/LayoutTests/ChangeLog        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,3 +1,9 @@
</span><ins>+2016-08-24  Filip Pizlo  &lt;fpizlo@apple.com&gt;
+
+        Unreviewed, roll out r204901, r204897, r204866, r204856, r204854.
+
+        * TestExpectations:
+
</ins><span class="cx"> 2016-08-24  Zalan Bujtas  &lt;zalan@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         ASSERTION FAILED: childrenInline() in WebCore::RenderBlockFlow::hasLines
</span></span></pre></div>
<a id="trunkLayoutTestsTestExpectations"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/TestExpectations (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/TestExpectations        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/LayoutTests/TestExpectations        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1240,5 +1240,3 @@
</span><span class="cx"> webkit.org/b/159755 fast/text/emoji-gender.html [ ImageOnlyFailure ]
</span><span class="cx"> 
</span><span class="cx"> webkit.org/b/160017 js/regress-139548.html [ Slow ]
</span><del>-
-
</del></span></pre></div>
<a id="trunkSourceJavaScriptCoreAPIJSTypedArraycpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/API/JSTypedArray.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/API/JSTypedArray.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/API/JSTypedArray.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -32,7 +32,7 @@
</span><span class="cx"> #include &quot;ClassInfo.h&quot;
</span><span class="cx"> #include &quot;Error.h&quot;
</span><span class="cx"> #include &quot;JSArrayBufferViewInlines.h&quot;
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;JSCJSValueInlines.h&quot;
</ins><span class="cx"> #include &quot;JSDataView.h&quot;
</span><span class="cx"> #include &quot;JSGenericTypedArrayViewInlines.h&quot;
</span><span class="cx"> #include &quot;JSTypedArrays.h&quot;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreAPIObjCCallbackFunctionmm"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/API/ObjCCallbackFunction.mm (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/API/ObjCCallbackFunction.mm        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/API/ObjCCallbackFunction.mm        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -31,8 +31,9 @@
</span><span class="cx"> #import &quot;APICallbackFunction.h&quot;
</span><span class="cx"> #import &quot;APICast.h&quot;
</span><span class="cx"> #import &quot;Error.h&quot;
</span><ins>+#import &quot;JSCJSValueInlines.h&quot;
</ins><span class="cx"> #import &quot;JSCell.h&quot;
</span><del>-#import &quot;JSCInlines.h&quot;
</del><ins>+#import &quot;JSCellInlines.h&quot;
</ins><span class="cx"> #import &quot;JSContextInternal.h&quot;
</span><span class="cx"> #import &quot;JSWrapperMap.h&quot;
</span><span class="cx"> #import &quot;JSValueInternal.h&quot;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreCMakeListstxt"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/CMakeLists.txt (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/CMakeLists.txt        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/CMakeLists.txt        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -66,7 +66,6 @@
</span><span class="cx">     assembler/MacroAssembler.cpp
</span><span class="cx">     assembler/MacroAssemblerARM.cpp
</span><span class="cx">     assembler/MacroAssemblerARMv7.cpp
</span><del>-    assembler/MacroAssemblerCodeRef.cpp
</del><span class="cx">     assembler/MacroAssemblerPrinter.cpp
</span><span class="cx">     assembler/MacroAssemblerX86Common.cpp
</span><span class="cx"> 
</span><span class="lines">@@ -446,7 +445,6 @@
</span><span class="cx">     heap/DestructionMode.cpp
</span><span class="cx">     heap/EdenGCActivityCallback.cpp
</span><span class="cx">     heap/FullGCActivityCallback.cpp
</span><del>-    heap/FreeList.cpp
</del><span class="cx">     heap/GCActivityCallback.cpp
</span><span class="cx">     heap/GCLogging.cpp
</span><span class="cx">     heap/HandleSet.cpp
</span><span class="lines">@@ -462,7 +460,6 @@
</span><span class="cx">     heap/HeapVerifier.cpp
</span><span class="cx">     heap/IncrementalSweeper.cpp
</span><span class="cx">     heap/JITStubRoutineSet.cpp
</span><del>-    heap/LargeAllocation.cpp
</del><span class="cx">     heap/LiveObjectList.cpp
</span><span class="cx">     heap/MachineStackMarker.cpp
</span><span class="cx">     heap/MarkStack.cpp
</span><span class="lines">@@ -801,7 +798,6 @@
</span><span class="cx">     runtime/SimpleTypedArrayController.cpp
</span><span class="cx">     runtime/SmallStrings.cpp
</span><span class="cx">     runtime/SparseArrayValueMap.cpp
</span><del>-    runtime/StackFrame.cpp
</del><span class="cx">     runtime/StrictEvalActivation.cpp
</span><span class="cx">     runtime/StringConstructor.cpp
</span><span class="cx">     runtime/StringIteratorPrototype.cpp
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/ChangeLog        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,3 +1,642 @@
</span><ins>+2016-08-24  Filip Pizlo  &lt;fpizlo@apple.com&gt;
+
+        Unreviewed, roll out r204901, r204897, r204866, r204856, r204854.
+
+        * API/JSTypedArray.cpp:
+        * API/ObjCCallbackFunction.mm:
+        * CMakeLists.txt:
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * Scripts/builtins/builtins_generate_combined_implementation.py:
+        (BuiltinsCombinedImplementationGenerator.generate_secondary_header_includes):
+        * Scripts/builtins/builtins_generate_internals_wrapper_implementation.py:
+        (BuiltinsInternalsWrapperImplementationGenerator.generate_secondary_header_includes):
+        * Scripts/builtins/builtins_generate_separate_implementation.py:
+        (BuiltinsSeparateImplementationGenerator.generate_secondary_header_includes):
+        * assembler/AbstractMacroAssembler.h:
+        (JSC::AbstractMacroAssembler::JumpList::link):
+        (JSC::AbstractMacroAssembler::JumpList::linkTo):
+        * assembler/MacroAssembler.h:
+        * assembler/MacroAssemblerARM64.h:
+        (JSC::MacroAssemblerARM64::add32):
+        * assembler/MacroAssemblerCodeRef.cpp: Removed.
+        * assembler/MacroAssemblerCodeRef.h:
+        (JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
+        (JSC::MacroAssemblerCodePtr::dumpWithName):
+        (JSC::MacroAssemblerCodePtr::dump):
+        (JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
+        (JSC::MacroAssemblerCodeRef::dump):
+        * b3/B3BasicBlock.cpp:
+        (JSC::B3::BasicBlock::appendBoolConstant): Deleted.
+        * b3/B3BasicBlock.h:
+        * b3/B3DuplicateTails.cpp:
+        * b3/B3StackmapGenerationParams.h:
+        * b3/testb3.cpp:
+        (JSC::B3::run):
+        (JSC::B3::testPatchpointTerminalReturnValue): Deleted.
+        * bindings/ScriptValue.cpp:
+        * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
+        * bytecode/BytecodeBasicBlock.cpp:
+        * bytecode/BytecodeLivenessAnalysis.cpp:
+        * bytecode/BytecodeUseDef.h:
+        * bytecode/CallLinkInfo.cpp:
+        (JSC::CallLinkInfo::callTypeFor): Deleted.
+        * bytecode/CallLinkInfo.h:
+        (JSC::CallLinkInfo::callTypeFor):
+        * bytecode/CallLinkStatus.cpp:
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::finishCreation):
+        (JSC::CodeBlock::clearLLIntGetByIdCache): Deleted.
+        * bytecode/CodeBlock.h:
+        (JSC::CodeBlock::jitCodeMap):
+        (JSC::clearLLIntGetByIdCache):
+        * bytecode/Instruction.h:
+        * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
+        (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
+        * bytecode/ObjectAllocationProfile.h:
+        (JSC::ObjectAllocationProfile::isNull):
+        (JSC::ObjectAllocationProfile::initialize):
+        * bytecode/Opcode.h:
+        (JSC::padOpcodeName):
+        * bytecode/PolymorphicAccess.cpp:
+        (JSC::AccessCase::generateImpl):
+        (JSC::PolymorphicAccess::regenerate):
+        * bytecode/PolymorphicAccess.h:
+        * bytecode/PreciseJumpTargets.cpp:
+        * bytecode/StructureStubInfo.cpp:
+        * bytecode/StructureStubInfo.h:
+        * bytecode/UnlinkedCodeBlock.cpp:
+        (JSC::UnlinkedCodeBlock::vm):
+        * bytecode/UnlinkedCodeBlock.h:
+        * bytecode/UnlinkedInstructionStream.cpp:
+        * bytecode/UnlinkedInstructionStream.h:
+        * dfg/DFGOperations.cpp:
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
+        (JSC::DFG::SpeculativeJIT::compileMakeRope):
+        (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
+        (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
+        * dfg/DFGSpeculativeJIT.h:
+        (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
+        (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
+        * dfg/DFGStrengthReductionPhase.cpp:
+        (JSC::DFG::StrengthReductionPhase::handleNode):
+        * ftl/FTLAbstractHeapRepository.h:
+        * ftl/FTLCompile.cpp:
+        * ftl/FTLJITFinalizer.cpp:
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
+        (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
+        (JSC::FTL::DFG::LowerDFGToB3::compileAllocateArrayWithSize):
+        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
+        (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
+        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
+        (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
+        (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
+        (JSC::FTL::DFG::LowerDFGToB3::allocateCell):
+        (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
+        (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
+        (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
+        (JSC::FTL::DFG::LowerDFGToB3::allocateArrayWithSize): Deleted.
+        (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell): Deleted.
+        (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize): Deleted.
+        * ftl/FTLOutput.cpp:
+        (JSC::FTL::Output::constBool):
+        (JSC::FTL::Output::add):
+        (JSC::FTL::Output::shl):
+        (JSC::FTL::Output::aShr):
+        (JSC::FTL::Output::lShr):
+        (JSC::FTL::Output::zeroExt):
+        (JSC::FTL::Output::equal):
+        (JSC::FTL::Output::notEqual):
+        (JSC::FTL::Output::above):
+        (JSC::FTL::Output::aboveOrEqual):
+        (JSC::FTL::Output::below):
+        (JSC::FTL::Output::belowOrEqual):
+        (JSC::FTL::Output::greaterThan):
+        (JSC::FTL::Output::greaterThanOrEqual):
+        (JSC::FTL::Output::lessThan):
+        (JSC::FTL::Output::lessThanOrEqual):
+        (JSC::FTL::Output::select):
+        (JSC::FTL::Output::addIncomingToPhi):
+        (JSC::FTL::Output::appendSuccessor): Deleted.
+        * ftl/FTLOutput.h:
+        * ftl/FTLValueFromBlock.h:
+        (JSC::FTL::ValueFromBlock::ValueFromBlock):
+        (JSC::FTL::ValueFromBlock::operator bool): Deleted.
+        * ftl/FTLWeightedTarget.h:
+        (JSC::FTL::WeightedTarget::frequentedBlock): Deleted.
+        * heap/CellContainer.h: Removed.
+        * heap/CellContainerInlines.h: Removed.
+        * heap/ConservativeRoots.cpp:
+        (JSC::ConservativeRoots::ConservativeRoots):
+        (JSC::ConservativeRoots::~ConservativeRoots):
+        (JSC::ConservativeRoots::grow):
+        (JSC::ConservativeRoots::genericAddPointer):
+        (JSC::ConservativeRoots::genericAddSpan):
+        * heap/ConservativeRoots.h:
+        (JSC::ConservativeRoots::roots):
+        * heap/CopyToken.h:
+        * heap/FreeList.cpp: Removed.
+        * heap/FreeList.h: Removed.
+        * heap/Heap.cpp:
+        (JSC::Heap::Heap):
+        (JSC::Heap::lastChanceToFinalize):
+        (JSC::Heap::finalizeUnconditionalFinalizers):
+        (JSC::Heap::markRoots):
+        (JSC::Heap::copyBackingStores):
+        (JSC::Heap::gatherStackRoots):
+        (JSC::Heap::gatherJSStackRoots):
+        (JSC::Heap::gatherScratchBufferRoots):
+        (JSC::Heap::clearLivenessData):
+        (JSC::Heap::visitSmallStrings):
+        (JSC::Heap::visitConservativeRoots):
+        (JSC::Heap::removeDeadCompilerWorklistEntries):
+        (JSC::Heap::gatherExtraHeapSnapshotData):
+        (JSC::Heap::removeDeadHeapSnapshotNodes):
+        (JSC::Heap::visitProtectedObjects):
+        (JSC::Heap::visitArgumentBuffers):
+        (JSC::Heap::visitException):
+        (JSC::Heap::visitStrongHandles):
+        (JSC::Heap::visitHandleStack):
+        (JSC::Heap::visitSamplingProfiler):
+        (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
+        (JSC::Heap::converge):
+        (JSC::Heap::visitWeakHandles):
+        (JSC::Heap::updateObjectCounts):
+        (JSC::Heap::clearUnmarkedExecutables):
+        (JSC::Heap::deleteUnmarkedCompiledCode):
+        (JSC::Heap::collectAllGarbage):
+        (JSC::Heap::collect):
+        (JSC::Heap::collectImpl):
+        (JSC::Heap::suspendCompilerThreads):
+        (JSC::Heap::willStartCollection):
+        (JSC::Heap::flushOldStructureIDTables):
+        (JSC::Heap::flushWriteBarrierBuffer):
+        (JSC::Heap::stopAllocation):
+        (JSC::Heap::reapWeakHandles):
+        (JSC::Heap::pruneStaleEntriesFromWeakGCMaps):
+        (JSC::Heap::sweepArrayBuffers):
+        (JSC::Heap::snapshotMarkedSpace):
+        (JSC::Heap::deleteSourceProviderCaches):
+        (JSC::Heap::notifyIncrementalSweeper):
+        (JSC::Heap::writeBarrierCurrentlyExecutingCodeBlocks):
+        (JSC::Heap::resetAllocators):
+        (JSC::Heap::updateAllocationLimits):
+        (JSC::Heap::didFinishCollection):
+        (JSC::Heap::resumeCompilerThreads):
+        (JSC::Zombify::visit):
+        (JSC::Heap::collectWithoutAnySweep): Deleted.
+        (JSC::Heap::prepareForMarking): Deleted.
+        (JSC::Heap::forEachCodeBlockImpl): Deleted.
+        * heap/Heap.h:
+        (JSC::Heap::allocatorForObjectWithoutDestructor):
+        (JSC::Heap::allocatorForObjectWithDestructor):
+        (JSC::Heap::storageAllocator):
+        (JSC::Heap::jitStubRoutines):
+        (JSC::Heap::codeBlockSet):
+        (JSC::Heap::allocatorForAuxiliaryData): Deleted.
+        * heap/HeapCell.h:
+        (JSC::HeapCell::isZapped):
+        * heap/HeapCellInlines.h: Removed.
+        * heap/HeapInlines.h:
+        (JSC::Heap::heap):
+        (JSC::Heap::isLive):
+        (JSC::Heap::isMarked):
+        (JSC::Heap::testAndSetMarked):
+        (JSC::Heap::setMarked):
+        (JSC::Heap::forEachCodeBlock):
+        (JSC::Heap::allocateObjectOfType):
+        (JSC::Heap::subspaceForObjectOfType):
+        (JSC::Heap::allocatorForObjectOfType):
+        (JSC::Heap::isPointerGCObject):
+        (JSC::Heap::isValueGCObject):
+        (JSC::Heap::cellSize): Deleted.
+        (JSC::Heap::allocateAuxiliary): Deleted.
+        (JSC::Heap::tryAllocateAuxiliary): Deleted.
+        (JSC::Heap::tryReallocateAuxiliary): Deleted.
+        * heap/HeapUtil.h: Removed.
+        * heap/LargeAllocation.cpp: Removed.
+        * heap/LargeAllocation.h: Removed.
+        * heap/MarkedAllocator.cpp:
+        (JSC::MarkedAllocator::retire):
+        (JSC::MarkedAllocator::tryAllocateHelper):
+        (JSC::MarkedAllocator::tryPopFreeList):
+        (JSC::MarkedAllocator::tryAllocate):
+        (JSC::MarkedAllocator::allocateSlowCase):
+        (JSC::MarkedAllocator::allocateBlock):
+        (JSC::MarkedAllocator::addBlock):
+        (JSC::MarkedAllocator::removeBlock):
+        (JSC::MarkedAllocator::reset):
+        (JSC::MarkedAllocator::MarkedAllocator): Deleted.
+        (JSC::MarkedAllocator::tryAllocateWithoutCollectingImpl): Deleted.
+        (JSC::MarkedAllocator::tryAllocateWithoutCollecting): Deleted.
+        (JSC::MarkedAllocator::tryAllocateSlowCase): Deleted.
+        (JSC::MarkedAllocator::allocateSlowCaseImpl): Deleted.
+        (JSC::blockHeaderSize): Deleted.
+        (JSC::MarkedAllocator::blockSizeForBytes): Deleted.
+        (JSC::MarkedAllocator::tryAllocateBlock): Deleted.
+        (JSC::MarkedAllocator::setFreeList): Deleted.
+        * heap/MarkedAllocator.h:
+        (JSC::MarkedAllocator::offsetOfFreeListHead):
+        (JSC::MarkedAllocator::MarkedAllocator):
+        (JSC::MarkedAllocator::init):
+        (JSC::MarkedAllocator::allocate):
+        (JSC::MarkedAllocator::stopAllocating):
+        (JSC::MarkedAllocator::offsetOfFreeList): Deleted.
+        (JSC::MarkedAllocator::offsetOfCellSize): Deleted.
+        (JSC::MarkedAllocator::tryAllocate): Deleted.
+        * heap/MarkedBlock.cpp:
+        (JSC::MarkedBlock::create):
+        (JSC::MarkedBlock::MarkedBlock):
+        (JSC::MarkedBlock::callDestructor):
+        (JSC::MarkedBlock::specializedSweep):
+        (JSC::MarkedBlock::sweep):
+        (JSC::MarkedBlock::sweepHelper):
+        (JSC::MarkedBlock::stopAllocating):
+        (JSC::MarkedBlock::clearMarksWithCollectionType):
+        (JSC::MarkedBlock::resumeAllocating):
+        (JSC::MarkedBlock::didRetireBlock):
+        (JSC::MarkedBlock::tryCreate): Deleted.
+        (JSC::MarkedBlock::sweepHelperSelectScribbleMode): Deleted.
+        (JSC::MarkedBlock::sweepHelperSelectStateAndSweepMode): Deleted.
+        (JSC::MarkedBlock::forEachFreeCell): Deleted.
+        * heap/MarkedBlock.h:
+        (JSC::MarkedBlock::FreeList::FreeList):
+        (JSC::MarkedBlock::isEmpty):
+        (JSC::MarkedBlock::setHasAnyMarked): Deleted.
+        (JSC::MarkedBlock::hasAnyMarked): Deleted.
+        (JSC::MarkedBlock::clearHasAnyMarked): Deleted.
+        (JSC::MarkedBlock::cellAlign): Deleted.
+        * heap/MarkedSpace.cpp:
+        (JSC::MarkedSpace::MarkedSpace):
+        (JSC::MarkedSpace::lastChanceToFinalize):
+        (JSC::MarkedSpace::sweep):
+        (JSC::MarkedSpace::zombifySweep):
+        (JSC::MarkedSpace::resetAllocators):
+        (JSC::MarkedSpace::visitWeakSets):
+        (JSC::MarkedSpace::reapWeakSets):
+        (JSC::MarkedSpace::forEachAllocator):
+        (JSC::MarkedSpace::stopAllocating):
+        (JSC::MarkedSpace::resumeAllocating):
+        (JSC::MarkedSpace::isPagedOut):
+        (JSC::MarkedSpace::shrink):
+        (JSC::MarkedSpace::clearNewlyAllocated):
+        (JSC::MarkedSpace::clearMarks):
+        (JSC::MarkedSpace::initializeSizeClassForStepSize): Deleted.
+        (JSC::MarkedSpace::allocate): Deleted.
+        (JSC::MarkedSpace::tryAllocate): Deleted.
+        (JSC::MarkedSpace::allocateLarge): Deleted.
+        (JSC::MarkedSpace::tryAllocateLarge): Deleted.
+        (JSC::MarkedSpace::sweepLargeAllocations): Deleted.
+        (JSC::MarkedSpace::prepareForMarking): Deleted.
+        (JSC::MarkedSpace::objectCount): Deleted.
+        (JSC::MarkedSpace::size): Deleted.
+        (JSC::MarkedSpace::capacity): Deleted.
+        * heap/MarkedSpace.h:
+        (JSC::MarkedSpace::blocksWithNewObjects):
+        (JSC::MarkedSpace::forEachLiveCell):
+        (JSC::MarkedSpace::forEachDeadCell):
+        (JSC::MarkedSpace::allocatorFor):
+        (JSC::MarkedSpace::destructorAllocatorFor):
+        (JSC::MarkedSpace::auxiliaryAllocatorFor):
+        (JSC::MarkedSpace::allocateWithoutDestructor):
+        (JSC::MarkedSpace::allocateWithDestructor):
+        (JSC::MarkedSpace::allocateAuxiliary):
+        (JSC::MarkedSpace::forEachBlock):
+        (JSC::MarkedSpace::objectCount):
+        (JSC::MarkedSpace::size):
+        (JSC::MarkedSpace::capacity):
+        (JSC::MarkedSpace::sizeClassToIndex): Deleted.
+        (JSC::MarkedSpace::indexToSizeClass): Deleted.
+        (JSC::MarkedSpace::largeAllocations): Deleted.
+        (JSC::MarkedSpace::largeAllocationsNurseryOffset): Deleted.
+        (JSC::MarkedSpace::largeAllocationsOffsetForThisCollection): Deleted.
+        (JSC::MarkedSpace::largeAllocationsForThisCollectionBegin): Deleted.
+        (JSC::MarkedSpace::largeAllocationsForThisCollectionEnd): Deleted.
+        (JSC::MarkedSpace::largeAllocationsForThisCollectionSize): Deleted.
+        (JSC::MarkedSpace::tryAllocateAuxiliary): Deleted.
+        (JSC::MarkedSpace::forEachAllocator): Deleted.
+        (JSC::MarkedSpace::optimalSizeFor): Deleted.
+        * heap/SlotVisitor.cpp:
+        (JSC::SlotVisitor::didStartMarking):
+        (JSC::SlotVisitor::reset):
+        (JSC::SlotVisitor::append):
+        (JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
+        (JSC::SlotVisitor::appendToMarkStack):
+        (JSC::SlotVisitor::visitChildren):
+        (JSC::SlotVisitor::appendJSCellOrAuxiliary): Deleted.
+        (JSC::SlotVisitor::markAuxiliary): Deleted.
+        (JSC::SlotVisitor::noteLiveAuxiliaryCell): Deleted.
+        * heap/SlotVisitor.h:
+        * heap/WeakBlock.cpp:
+        (JSC::WeakBlock::create):
+        (JSC::WeakBlock::WeakBlock):
+        (JSC::WeakBlock::visit):
+        (JSC::WeakBlock::reap):
+        * heap/WeakBlock.h:
+        (JSC::WeakBlock::disconnectMarkedBlock):
+        (JSC::WeakBlock::disconnectContainer): Deleted.
+        * heap/WeakSet.cpp:
+        (JSC::WeakSet::sweep):
+        (JSC::WeakSet::addAllocator):
+        * heap/WeakSet.h:
+        (JSC::WeakSet::WeakSet):
+        * heap/WeakSetInlines.h:
+        (JSC::WeakSet::allocate):
+        * inspector/InjectedScriptManager.cpp:
+        * inspector/JSGlobalObjectInspectorController.cpp:
+        * inspector/JSJavaScriptCallFrame.cpp:
+        * inspector/ScriptDebugServer.cpp:
+        * inspector/agents/InspectorDebuggerAgent.cpp:
+        * interpreter/CachedCall.h:
+        (JSC::CachedCall::CachedCall):
+        * interpreter/Interpreter.cpp:
+        (JSC::StackFrame::sourceID):
+        (JSC::StackFrame::sourceURL):
+        (JSC::StackFrame::functionName):
+        (JSC::loadVarargs):
+        (JSC::StackFrame::computeLineAndColumn):
+        (JSC::StackFrame::toString):
+        * interpreter/Interpreter.h:
+        (JSC::StackFrame::isNative):
+        * jit/AssemblyHelpers.h:
+        (JSC::AssemblyHelpers::emitAllocate):
+        (JSC::AssemblyHelpers::emitAllocateJSCell):
+        (JSC::AssemblyHelpers::emitAllocateJSObject):
+        (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
+        (JSC::AssemblyHelpers::emitAllocateVariableSized):
+        (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator): Deleted.
+        * jit/GCAwareJITStubRoutine.cpp:
+        (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
+        * jit/JIT.cpp:
+        (JSC::JIT::compileCTINativeCall): Deleted.
+        * jit/JIT.h:
+        (JSC::JIT::compileCTINativeCall):
+        * jit/JITExceptions.cpp:
+        (JSC::genericUnwind): Deleted.
+        * jit/JITExceptions.h:
+        * jit/JITOpcodes.cpp:
+        (JSC::JIT::emit_op_new_object):
+        (JSC::JIT::emitSlow_op_new_object):
+        (JSC::JIT::emit_op_create_this):
+        (JSC::JIT::emitSlow_op_create_this):
+        * jit/JITOpcodes32_64.cpp:
+        (JSC::JIT::emit_op_new_object):
+        (JSC::JIT::emitSlow_op_new_object):
+        (JSC::JIT::emit_op_create_this):
+        (JSC::JIT::emitSlow_op_create_this):
+        * jit/JITOperations.cpp:
+        * jit/JITOperations.h:
+        * jit/JITPropertyAccess.cpp:
+        (JSC::JIT::emitWriteBarrier):
+        * jit/JITThunks.cpp:
+        * jit/JITThunks.h:
+        * jsc.cpp:
+        (functionDescribeArray):
+        (main):
+        * llint/LLIntData.cpp:
+        (JSC::LLInt::Data::performAssertions):
+        * llint/LLIntExceptions.cpp:
+        * llint/LLIntThunks.cpp:
+        * llint/LLIntThunks.h:
+        * llint/LowLevelInterpreter.asm:
+        * llint/LowLevelInterpreter.cpp:
+        * llint/LowLevelInterpreter32_64.asm:
+        * llint/LowLevelInterpreter64.asm:
+        * parser/ModuleAnalyzer.cpp:
+        * parser/NodeConstructors.h:
+        * parser/Nodes.h:
+        * profiler/ProfilerBytecode.cpp:
+        * profiler/ProfilerBytecode.h:
+        * profiler/ProfilerBytecodeSequence.cpp:
+        * runtime/ArrayConventions.h:
+        (JSC::indexingHeaderForArray):
+        (JSC::baseIndexingHeaderForArray):
+        (JSC::indexingHeaderForArrayStorage): Deleted.
+        (JSC::baseIndexingHeaderForArrayStorage): Deleted.
+        * runtime/ArrayPrototype.cpp:
+        (JSC::arrayProtoFuncSplice):
+        (JSC::concatAppendOne):
+        (JSC::arrayProtoPrivateFuncConcatMemcpy):
+        * runtime/ArrayStorage.h:
+        (JSC::ArrayStorage::vectorLength):
+        (JSC::ArrayStorage::sizeFor):
+        (JSC::ArrayStorage::totalSizeFor): Deleted.
+        (JSC::ArrayStorage::totalSize): Deleted.
+        (JSC::ArrayStorage::availableVectorLength): Deleted.
+        (JSC::ArrayStorage::optimalVectorLength): Deleted.
+        * runtime/AuxiliaryBarrier.h: Removed.
+        * runtime/AuxiliaryBarrierInlines.h: Removed.
+        * runtime/Butterfly.h:
+        * runtime/ButterflyInlines.h:
+        (JSC::Butterfly::createUninitialized):
+        (JSC::Butterfly::growArrayRight):
+        (JSC::Butterfly::availableContiguousVectorLength): Deleted.
+        (JSC::Butterfly::optimalContiguousVectorLength): Deleted.
+        * runtime/ClonedArguments.cpp:
+        (JSC::ClonedArguments::createEmpty):
+        * runtime/CommonSlowPathsExceptions.cpp:
+        * runtime/CommonSlowPathsExceptions.h:
+        * runtime/DataView.cpp:
+        * runtime/DirectArguments.h:
+        * runtime/ECMAScriptSpecInternalFunctions.cpp:
+        * runtime/Error.cpp:
+        * runtime/Error.h:
+        * runtime/ErrorInstance.cpp:
+        * runtime/ErrorInstance.h:
+        * runtime/Exception.cpp:
+        * runtime/Exception.h:
+        * runtime/GeneratorFrame.cpp:
+        * runtime/GeneratorPrototype.cpp:
+        * runtime/InternalFunction.cpp:
+        (JSC::InternalFunction::InternalFunction):
+        * runtime/IntlCollator.cpp:
+        * runtime/IntlCollatorConstructor.cpp:
+        * runtime/IntlCollatorPrototype.cpp:
+        * runtime/IntlDateTimeFormat.cpp:
+        * runtime/IntlDateTimeFormatConstructor.cpp:
+        * runtime/IntlDateTimeFormatPrototype.cpp:
+        * runtime/IntlNumberFormat.cpp:
+        * runtime/IntlNumberFormatConstructor.cpp:
+        * runtime/IntlNumberFormatPrototype.cpp:
+        * runtime/IntlObject.cpp:
+        * runtime/IteratorPrototype.cpp:
+        * runtime/JSArray.cpp:
+        (JSC::JSArray::setLengthWritable):
+        (JSC::JSArray::unshiftCountSlowCase):
+        (JSC::JSArray::setLengthWithArrayStorage):
+        (JSC::JSArray::appendMemcpy):
+        (JSC::JSArray::setLength):
+        (JSC::JSArray::pop):
+        (JSC::JSArray::push):
+        (JSC::JSArray::fastSlice):
+        (JSC::JSArray::shiftCountWithArrayStorage):
+        (JSC::JSArray::shiftCountWithAnyIndexingType):
+        (JSC::JSArray::unshiftCountWithArrayStorage):
+        (JSC::JSArray::fillArgList):
+        (JSC::JSArray::copyToArguments):
+        (JSC::JSArray::tryCreateUninitialized): Deleted.
+        * runtime/JSArray.h:
+        (JSC::createContiguousArrayButterfly):
+        (JSC::createArrayButterfly):
+        (JSC::JSArray::create):
+        (JSC::JSArray::tryCreateUninitialized):
+        * runtime/JSArrayBufferView.h:
+        * runtime/JSCInlines.h:
+        * runtime/JSCJSValue.cpp:
+        (JSC::JSValue::dumpInContextAssumingStructure):
+        * runtime/JSCallee.cpp:
+        (JSC::JSCallee::JSCallee):
+        * runtime/JSCell.cpp:
+        (JSC::JSCell::estimatedSize):
+        * runtime/JSCell.h:
+        (JSC::JSCell::cellStateOffset):
+        * runtime/JSCellInlines.h:
+        (JSC::JSCell::vm):
+        (JSC::ExecState::vm):
+        (JSC::JSCell::classInfo):
+        (JSC::JSCell::callDestructor): Deleted.
+        * runtime/JSFunction.cpp:
+        (JSC::JSFunction::create):
+        (JSC::JSFunction::allocateAndInitializeRareData):
+        (JSC::JSFunction::initializeRareData):
+        (JSC::JSFunction::getOwnPropertySlot):
+        (JSC::JSFunction::put):
+        (JSC::JSFunction::deleteProperty):
+        (JSC::JSFunction::defineOwnProperty):
+        (JSC::JSFunction::setFunctionName):
+        (JSC::JSFunction::reifyLength):
+        (JSC::JSFunction::reifyName):
+        (JSC::JSFunction::reifyLazyPropertyIfNeeded):
+        (JSC::JSFunction::reifyBoundNameIfNeeded):
+        * runtime/JSFunction.h:
+        * runtime/JSFunctionInlines.h:
+        (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
+        (JSC::JSFunction::JSFunction):
+        * runtime/JSGenericTypedArrayViewInlines.h:
+        (JSC::JSGenericTypedArrayView&lt;Adaptor&gt;::slowDownAndWasteMemory):
+        * runtime/JSInternalPromise.cpp:
+        * runtime/JSInternalPromiseConstructor.cpp:
+        * runtime/JSInternalPromiseDeferred.cpp:
+        * runtime/JSInternalPromisePrototype.cpp:
+        * runtime/JSJob.cpp:
+        * runtime/JSMapIterator.cpp:
+        * runtime/JSModuleNamespaceObject.cpp:
+        * runtime/JSModuleRecord.cpp:
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::copyButterfly):
+        (JSC::JSObject::visitButterfly):
+        (JSC::JSObject::copyBackingStore):
+        (JSC::JSObject::notifyPresenceOfIndexedAccessors):
+        (JSC::JSObject::createInitialIndexedStorage):
+        (JSC::JSObject::createInitialUndecided):
+        (JSC::JSObject::createInitialInt32):
+        (JSC::JSObject::createInitialDouble):
+        (JSC::JSObject::createInitialContiguous):
+        (JSC::JSObject::createArrayStorage):
+        (JSC::JSObject::createInitialArrayStorage):
+        (JSC::JSObject::convertUndecidedToInt32):
+        (JSC::JSObject::convertUndecidedToContiguous):
+        (JSC::JSObject::convertUndecidedToArrayStorage):
+        (JSC::JSObject::convertInt32ToDouble):
+        (JSC::JSObject::convertInt32ToArrayStorage):
+        (JSC::JSObject::convertDoubleToArrayStorage):
+        (JSC::JSObject::convertContiguousToArrayStorage):
+        (JSC::JSObject::putByIndexBeyondVectorLength):
+        (JSC::JSObject::putDirectIndexBeyondVectorLength):
+        (JSC::JSObject::getNewVectorLength):
+        (JSC::JSObject::increaseVectorLength):
+        (JSC::JSObject::ensureLengthSlow):
+        (JSC::JSObject::growOutOfLineStorage):
+        * runtime/JSObject.h:
+        (JSC::JSObject::putDirectInternal):
+        (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
+        (JSC::JSObject::globalObject): Deleted.
+        * runtime/JSObjectInlines.h:
+        * runtime/JSPromise.cpp:
+        * runtime/JSPromiseConstructor.cpp:
+        * runtime/JSPromiseDeferred.cpp:
+        * runtime/JSPromisePrototype.cpp:
+        * runtime/JSPropertyNameIterator.cpp:
+        * runtime/JSScope.cpp:
+        (JSC::JSScope::resolve):
+        * runtime/JSScope.h:
+        (JSC::JSScope::vm):
+        (JSC::JSScope::globalObject): Deleted.
+        * runtime/JSSetIterator.cpp:
+        * runtime/JSStringIterator.cpp:
+        * runtime/JSTemplateRegistryKey.cpp:
+        * runtime/JSTypedArrayViewConstructor.cpp:
+        * runtime/JSTypedArrayViewPrototype.cpp:
+        * runtime/JSWeakMap.cpp:
+        * runtime/JSWeakSet.cpp:
+        * runtime/MapConstructor.cpp:
+        * runtime/MapIteratorPrototype.cpp:
+        * runtime/MapPrototype.cpp:
+        * runtime/NativeErrorConstructor.cpp:
+        * runtime/NativeStdFunctionCell.cpp:
+        * runtime/Operations.h:
+        (JSC::scribbleFreeCells): Deleted.
+        (JSC::scribble): Deleted.
+        * runtime/Options.h:
+        * runtime/PropertyTable.cpp:
+        * runtime/ProxyConstructor.cpp:
+        * runtime/ProxyObject.cpp:
+        * runtime/ProxyRevoke.cpp:
+        * runtime/RegExp.cpp:
+        (JSC::RegExp::match):
+        (JSC::RegExp::matchConcurrently):
+        (JSC::RegExp::matchCompareWithInterpreter):
+        * runtime/RegExp.h:
+        * runtime/RegExpConstructor.h:
+        * runtime/RegExpInlines.h:
+        (JSC::RegExp::matchInline):
+        * runtime/RegExpMatchesArray.h:
+        (JSC::tryCreateUninitializedRegExpMatchesArray):
+        (JSC::createRegExpMatchesArray):
+        * runtime/RegExpPrototype.cpp:
+        (JSC::genericSplit):
+        * runtime/RuntimeType.cpp:
+        * runtime/SamplingProfiler.cpp:
+        (JSC::SamplingProfiler::processUnverifiedStackTraces):
+        * runtime/SetConstructor.cpp:
+        * runtime/SetIteratorPrototype.cpp:
+        * runtime/SetPrototype.cpp:
+        * runtime/StackFrame.cpp: Removed.
+        * runtime/StackFrame.h: Removed.
+        * runtime/StringConstructor.cpp:
+        * runtime/StringIteratorPrototype.cpp:
+        * runtime/TemplateRegistry.cpp:
+        * runtime/TestRunnerUtils.cpp:
+        (JSC::finalizeStatsAtEndOfTesting): Deleted.
+        * runtime/TestRunnerUtils.h:
+        * runtime/TypeProfilerLog.cpp:
+        * runtime/TypeSet.cpp:
+        * runtime/VM.cpp:
+        (JSC::VM::ensureStackCapacityForCLoop): Deleted.
+        (JSC::VM::isSafeToRecurseSoftCLoop): Deleted.
+        * runtime/VM.h:
+        * runtime/VMEntryScope.h:
+        * runtime/VMInlines.h:
+        (JSC::VM::ensureStackCapacityFor):
+        (JSC::VM::isSafeToRecurseSoft):
+        * runtime/WeakMapConstructor.cpp:
+        * runtime/WeakMapData.cpp:
+        * runtime/WeakMapPrototype.cpp:
+        * runtime/WeakSetConstructor.cpp:
+        * runtime/WeakSetPrototype.cpp:
+        * testRegExp.cpp:
+        (testOneRegExp):
+        * tools/JSDollarVM.cpp:
+        * tools/JSDollarVMPrototype.cpp:
+        (JSC::JSDollarVMPrototype::isInObjectSpace):
+
</ins><span class="cx"> 2016-08-23  Filip Pizlo  &lt;fpizlo@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         js/regress/put-by-id-transition-with-indexing-header.html and svg/carto.net/window.svg fail in debug after r204854
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreJavaScriptCorexcodeprojprojectpbxproj"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -88,11 +88,6 @@
</span><span class="cx">                 0F04396D1B03DC0B009598B7 /* DFGCombinedLiveness.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F04396B1B03DC0B009598B7 /* DFGCombinedLiveness.cpp */; };
</span><span class="cx">                 0F04396E1B03DC0B009598B7 /* DFGCombinedLiveness.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F04396C1B03DC0B009598B7 /* DFGCombinedLiveness.h */; };
</span><span class="cx">                 0F05C3B41683CF9200BAF45B /* DFGArrayifySlowPathGenerator.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F05C3B21683CF8F00BAF45B /* DFGArrayifySlowPathGenerator.h */; };
</span><del>-                0F070A471D543A8B006E7232 /* CellContainer.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F070A421D543A89006E7232 /* CellContainer.h */; settings = {ATTRIBUTES = (Private, ); }; };
-                0F070A481D543A90006E7232 /* CellContainerInlines.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F070A431D543A89006E7232 /* CellContainerInlines.h */; settings = {ATTRIBUTES = (Private, ); }; };
-                0F070A491D543A93006E7232 /* HeapCellInlines.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F070A441D543A89006E7232 /* HeapCellInlines.h */; settings = {ATTRIBUTES = (Private, ); }; };
-                0F070A4A1D543A95006E7232 /* LargeAllocation.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F070A451D543A89006E7232 /* LargeAllocation.cpp */; };
-                0F070A4B1D543A98006E7232 /* LargeAllocation.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F070A461D543A89006E7232 /* LargeAllocation.h */; settings = {ATTRIBUTES = (Private, ); }; };
</del><span class="cx">                 0F0776BF14FF002B00102332 /* JITCompilationEffort.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F0776BD14FF002800102332 /* JITCompilationEffort.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx">                 0F0A75221B94BFA900110660 /* InferredType.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F0A75201B94BFA900110660 /* InferredType.cpp */; };
</span><span class="cx">                 0F0A75231B94BFA900110660 /* InferredType.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F0A75211B94BFA900110660 /* InferredType.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="lines">@@ -328,8 +323,6 @@
</span><span class="cx">                 0F38B01817CFE75500B144D3 /* DFGCompilationKey.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F38B01417CFE75500B144D3 /* DFGCompilationKey.h */; };
</span><span class="cx">                 0F38B01917CFE75500B144D3 /* DFGCompilationMode.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F38B01517CFE75500B144D3 /* DFGCompilationMode.cpp */; };
</span><span class="cx">                 0F38B01A17CFE75500B144D3 /* DFGCompilationMode.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F38B01617CFE75500B144D3 /* DFGCompilationMode.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><del>-                0F38D2A21D44196800680499 /* AuxiliaryBarrier.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F38D2A01D44196600680499 /* AuxiliaryBarrier.h */; settings = {ATTRIBUTES = (Private, ); }; };
-                0F38D2A31D44196D00680499 /* AuxiliaryBarrierInlines.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F38D2A11D44196600680499 /* AuxiliaryBarrierInlines.h */; settings = {ATTRIBUTES = (Private, ); }; };
</del><span class="cx">                 0F392C891B46188400844728 /* DFGOSRExitFuzz.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F392C871B46188400844728 /* DFGOSRExitFuzz.cpp */; };
</span><span class="cx">                 0F392C8A1B46188400844728 /* DFGOSRExitFuzz.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F392C881B46188400844728 /* DFGOSRExitFuzz.h */; };
</span><span class="cx">                 0F3A1BF91A9ECB7D000DE01A /* DFGPutStackSinkingPhase.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F3A1BF71A9ECB7D000DE01A /* DFGPutStackSinkingPhase.cpp */; };
</span><span class="lines">@@ -371,9 +364,9 @@
</span><span class="cx">                 0F4680CA14BBB16C00BFE272 /* LLIntCommon.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F4680C514BBB16900BFE272 /* LLIntCommon.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx">                 0F4680CB14BBB17200BFE272 /* LLIntOfflineAsmConfig.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F4680C614BBB16900BFE272 /* LLIntOfflineAsmConfig.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx">                 0F4680CC14BBB17A00BFE272 /* LowLevelInterpreter.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F4680C714BBB16900BFE272 /* LowLevelInterpreter.cpp */; };
</span><del>-                0F4680CD14BBB17D00BFE272 /* LowLevelInterpreter.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F4680C814BBB16900BFE272 /* LowLevelInterpreter.h */; };
</del><ins>+                0F4680CD14BBB17D00BFE272 /* LowLevelInterpreter.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F4680C814BBB16900BFE272 /* LowLevelInterpreter.h */; settings = {ATTRIBUTES = (Private, ); }; };
</ins><span class="cx">                 0F4680D214BBD16500BFE272 /* LLIntData.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F4680CE14BBB3D100BFE272 /* LLIntData.cpp */; };
</span><del>-                0F4680D314BBD16700BFE272 /* LLIntData.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F4680CF14BBB3D100BFE272 /* LLIntData.h */; };
</del><ins>+                0F4680D314BBD16700BFE272 /* LLIntData.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F4680CF14BBB3D100BFE272 /* LLIntData.h */; settings = {ATTRIBUTES = (Private, ); }; };
</ins><span class="cx">                 0F4680D414BBD24900BFE272 /* HostCallReturnValue.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F4680D014BBC5F800BFE272 /* HostCallReturnValue.cpp */; };
</span><span class="cx">                 0F4680D514BBD24B00BFE272 /* HostCallReturnValue.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F4680D114BBC5F800BFE272 /* HostCallReturnValue.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx">                 0F485321187750560083B687 /* DFGArithMode.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F48531F187750560083B687 /* DFGArithMode.cpp */; };
</span><span class="lines">@@ -393,8 +386,6 @@
</span><span class="cx">                 0F4F29DF18B6AD1C0057BC15 /* DFGStaticExecutionCountEstimationPhase.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F4F29DD18B6AD1C0057BC15 /* DFGStaticExecutionCountEstimationPhase.cpp */; };
</span><span class="cx">                 0F4F29E018B6AD1C0057BC15 /* DFGStaticExecutionCountEstimationPhase.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F4F29DE18B6AD1C0057BC15 /* DFGStaticExecutionCountEstimationPhase.h */; };
</span><span class="cx">                 0F50AF3C193E8B3900674EE8 /* DFGStructureClobberState.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F50AF3B193E8B3900674EE8 /* DFGStructureClobberState.h */; };
</span><del>-                0F5513A61D5A682C00C32BD8 /* FreeList.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F5513A51D5A682A00C32BD8 /* FreeList.h */; settings = {ATTRIBUTES = (Private, ); }; };
-                0F5513A81D5A68CD00C32BD8 /* FreeList.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F5513A71D5A68CB00C32BD8 /* FreeList.cpp */; };
</del><span class="cx">                 0F5541B11613C1FB00CE3E25 /* SpecialPointer.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F5541AF1613C1FB00CE3E25 /* SpecialPointer.cpp */; };
</span><span class="cx">                 0F5541B21613C1FB00CE3E25 /* SpecialPointer.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F5541B01613C1FB00CE3E25 /* SpecialPointer.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx">                 0F55989817C86C5800A1E543 /* ToNativeFromValue.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F55989717C86C5600A1E543 /* ToNativeFromValue.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="lines">@@ -467,9 +458,6 @@
</span><span class="cx">                 0F6B8AE51C4EFE1700969052 /* B3FixSSA.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F6B8AE11C4EFE1700969052 /* B3FixSSA.h */; };
</span><span class="cx">                 0F6C73501AC9F99F00BE1682 /* VariableWriteFireDetail.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F6C734E1AC9F99F00BE1682 /* VariableWriteFireDetail.cpp */; };
</span><span class="cx">                 0F6C73511AC9F99F00BE1682 /* VariableWriteFireDetail.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F6C734F1AC9F99F00BE1682 /* VariableWriteFireDetail.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><del>-                0F6DB7E91D6124B500CDBF8E /* StackFrame.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F6DB7E81D6124B200CDBF8E /* StackFrame.h */; settings = {ATTRIBUTES = (Private, ); }; };
-                0F6DB7EA1D6124B800CDBF8E /* StackFrame.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F6DB7E71D6124B200CDBF8E /* StackFrame.cpp */; };
-                0F6DB7EC1D617D1100CDBF8E /* MacroAssemblerCodeRef.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F6DB7EB1D617D0F00CDBF8E /* MacroAssemblerCodeRef.cpp */; };
</del><span class="cx">                 0F6E845A19030BEF00562741 /* DFGVariableAccessData.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F6E845919030BEF00562741 /* DFGVariableAccessData.cpp */; };
</span><span class="cx">                 0F6FC750196110A800E1D02D /* ComplexGetStatus.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F6FC74E196110A800E1D02D /* ComplexGetStatus.cpp */; };
</span><span class="cx">                 0F6FC751196110A800E1D02D /* ComplexGetStatus.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F6FC74F196110A800E1D02D /* ComplexGetStatus.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="lines">@@ -585,7 +573,6 @@
</span><span class="cx">                 0FA7A8EB18B413C80052371D /* Reg.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0FA7A8E918B413C80052371D /* Reg.cpp */; };
</span><span class="cx">                 0FA7A8EC18B413C80052371D /* Reg.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FA7A8EA18B413C80052371D /* Reg.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx">                 0FA7A8EE18CE4FD80052371D /* ScratchRegisterAllocator.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0FA7A8ED18CE4FD80052371D /* ScratchRegisterAllocator.cpp */; };
</span><del>-                0FADE6731D4D23BE00768457 /* HeapUtil.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FADE6721D4D23BC00768457 /* HeapUtil.h */; };
</del><span class="cx">                 0FAF7EFD165BA91B000C8455 /* JITDisassembler.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0FAF7EFA165BA919000C8455 /* JITDisassembler.cpp */; };
</span><span class="cx">                 0FAF7EFE165BA91F000C8455 /* JITDisassembler.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FAF7EFB165BA919000C8455 /* JITDisassembler.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx">                 0FB105851675480F00F8AB6E /* ExitKind.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0FB105821675480C00F8AB6E /* ExitKind.cpp */; };
</span><span class="lines">@@ -1004,7 +991,7 @@
</span><span class="cx">                 14280865107EC11A0013E7B2 /* BooleanPrototype.cpp in Sources */ = {isa = PBXBuildFile; fileRef = BC7952340E15EB5600A898AB /* BooleanPrototype.cpp */; };
</span><span class="cx">                 14280870107EC1340013E7B2 /* JSWrapperObject.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 65C7A1710A8EAACB00FA37EA /* JSWrapperObject.cpp */; };
</span><span class="cx">                 14280875107EC13E0013E7B2 /* JSLock.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 65EA4C99092AF9E20093D800 /* JSLock.cpp */; };
</span><del>-                1429D77C0ED20D7300B89619 /* Interpreter.h in Headers */ = {isa = PBXBuildFile; fileRef = 1429D77B0ED20D7300B89619 /* Interpreter.h */; };
</del><ins>+                1429D77C0ED20D7300B89619 /* Interpreter.h in Headers */ = {isa = PBXBuildFile; fileRef = 1429D77B0ED20D7300B89619 /* Interpreter.h */; settings = {ATTRIBUTES = (Private, ); }; };
</ins><span class="cx">                 1429D7D40ED2128200B89619 /* Interpreter.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 1429D7D30ED2128200B89619 /* Interpreter.cpp */; };
</span><span class="cx">                 1429D8780ED21ACD00B89619 /* ExceptionHelpers.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 1429D8770ED21ACD00B89619 /* ExceptionHelpers.cpp */; };
</span><span class="cx">                 1429D8DD0ED2205B00B89619 /* CallFrame.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 1429D8DB0ED2205B00B89619 /* CallFrame.cpp */; };
</span><span class="lines">@@ -1464,7 +1451,7 @@
</span><span class="cx">                 969A07980ED1D3AE00F1F681 /* EvalCodeCache.h in Headers */ = {isa = PBXBuildFile; fileRef = 969A07920ED1D3AE00F1F681 /* EvalCodeCache.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx">                 969A07990ED1D3AE00F1F681 /* Instruction.h in Headers */ = {isa = PBXBuildFile; fileRef = 969A07930ED1D3AE00F1F681 /* Instruction.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx">                 969A079A0ED1D3AE00F1F681 /* Opcode.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 969A07940ED1D3AE00F1F681 /* Opcode.cpp */; };
</span><del>-                969A079B0ED1D3AE00F1F681 /* Opcode.h in Headers */ = {isa = PBXBuildFile; fileRef = 969A07950ED1D3AE00F1F681 /* Opcode.h */; };
</del><ins>+                969A079B0ED1D3AE00F1F681 /* Opcode.h in Headers */ = {isa = PBXBuildFile; fileRef = 969A07950ED1D3AE00F1F681 /* Opcode.h */; settings = {ATTRIBUTES = (Private, ); }; };
</ins><span class="cx">                 978801401471AD920041B016 /* JSDateMath.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 9788FC221471AD0C0068CE2D /* JSDateMath.cpp */; };
</span><span class="cx">                 978801411471AD920041B016 /* JSDateMath.h in Headers */ = {isa = PBXBuildFile; fileRef = 9788FC231471AD0C0068CE2D /* JSDateMath.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx">                 990DA67F1C8E316A00295159 /* generate_objc_protocol_type_conversions_implementation.py in Headers */ = {isa = PBXBuildFile; fileRef = 990DA67E1C8E311D00295159 /* generate_objc_protocol_type_conversions_implementation.py */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="lines">@@ -2155,8 +2142,6 @@
</span><span class="cx">                 FED94F2E171E3E2300BE77A4 /* Watchdog.cpp in Sources */ = {isa = PBXBuildFile; fileRef = FED94F2B171E3E2300BE77A4 /* Watchdog.cpp */; };
</span><span class="cx">                 FED94F2F171E3E2300BE77A4 /* Watchdog.h in Headers */ = {isa = PBXBuildFile; fileRef = FED94F2C171E3E2300BE77A4 /* Watchdog.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx">                 FEF040511AAE662D00BD28B0 /* CompareAndSwapTest.cpp in Sources */ = {isa = PBXBuildFile; fileRef = FEF040501AAE662D00BD28B0 /* CompareAndSwapTest.cpp */; };
</span><del>-                D9722752DC54459B9125B539 /* JSModuleLoader.h in Headers */ = {isa = PBXBuildFile; fileRef = 77B25CB2C3094A92A38E1DB3 /* JSModuleLoader.h */; };
-                13FECE06D3B445FCB6C93461 /* JSModuleLoader.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 1879510614C540FFB561C124 /* JSModuleLoader.cpp */; };
</del><span class="cx">                 FEFD6FC61D5E7992008F2F0B /* JSStringInlines.h in Headers */ = {isa = PBXBuildFile; fileRef = FEFD6FC51D5E7970008F2F0B /* JSStringInlines.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx"> /* End PBXBuildFile section */
</span><span class="cx"> 
</span><span class="lines">@@ -2320,11 +2305,6 @@
</span><span class="cx">                 0F04396B1B03DC0B009598B7 /* DFGCombinedLiveness.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGCombinedLiveness.cpp; path = dfg/DFGCombinedLiveness.cpp; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="cx">                 0F04396C1B03DC0B009598B7 /* DFGCombinedLiveness.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGCombinedLiveness.h; path = dfg/DFGCombinedLiveness.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="cx">                 0F05C3B21683CF8F00BAF45B /* DFGArrayifySlowPathGenerator.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGArrayifySlowPathGenerator.h; path = dfg/DFGArrayifySlowPathGenerator.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><del>-                0F070A421D543A89006E7232 /* CellContainer.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CellContainer.h; sourceTree = &quot;&lt;group&gt;&quot;; };
-                0F070A431D543A89006E7232 /* CellContainerInlines.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CellContainerInlines.h; sourceTree = &quot;&lt;group&gt;&quot;; };
-                0F070A441D543A89006E7232 /* HeapCellInlines.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = HeapCellInlines.h; sourceTree = &quot;&lt;group&gt;&quot;; };
-                0F070A451D543A89006E7232 /* LargeAllocation.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = LargeAllocation.cpp; sourceTree = &quot;&lt;group&gt;&quot;; };
-                0F070A461D543A89006E7232 /* LargeAllocation.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = LargeAllocation.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</del><span class="cx">                 0F0776BD14FF002800102332 /* JITCompilationEffort.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JITCompilationEffort.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="cx">                 0F0A75201B94BFA900110660 /* InferredType.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = InferredType.cpp; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="cx">                 0F0A75211B94BFA900110660 /* InferredType.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = InferredType.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="lines">@@ -2559,8 +2539,6 @@
</span><span class="cx">                 0F38B01417CFE75500B144D3 /* DFGCompilationKey.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGCompilationKey.h; path = dfg/DFGCompilationKey.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="cx">                 0F38B01517CFE75500B144D3 /* DFGCompilationMode.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGCompilationMode.cpp; path = dfg/DFGCompilationMode.cpp; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="cx">                 0F38B01617CFE75500B144D3 /* DFGCompilationMode.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGCompilationMode.h; path = dfg/DFGCompilationMode.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><del>-                0F38D2A01D44196600680499 /* AuxiliaryBarrier.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = AuxiliaryBarrier.h; sourceTree = &quot;&lt;group&gt;&quot;; };
-                0F38D2A11D44196600680499 /* AuxiliaryBarrierInlines.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = AuxiliaryBarrierInlines.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</del><span class="cx">                 0F392C871B46188400844728 /* DFGOSRExitFuzz.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGOSRExitFuzz.cpp; path = dfg/DFGOSRExitFuzz.cpp; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="cx">                 0F392C881B46188400844728 /* DFGOSRExitFuzz.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGOSRExitFuzz.h; path = dfg/DFGOSRExitFuzz.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="cx">                 0F3A1BF71A9ECB7D000DE01A /* DFGPutStackSinkingPhase.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGPutStackSinkingPhase.cpp; path = dfg/DFGPutStackSinkingPhase.cpp; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="lines">@@ -2622,8 +2600,6 @@
</span><span class="cx">                 0F4F29DD18B6AD1C0057BC15 /* DFGStaticExecutionCountEstimationPhase.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGStaticExecutionCountEstimationPhase.cpp; path = dfg/DFGStaticExecutionCountEstimationPhase.cpp; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="cx">                 0F4F29DE18B6AD1C0057BC15 /* DFGStaticExecutionCountEstimationPhase.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGStaticExecutionCountEstimationPhase.h; path = dfg/DFGStaticExecutionCountEstimationPhase.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="cx">                 0F50AF3B193E8B3900674EE8 /* DFGStructureClobberState.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGStructureClobberState.h; path = dfg/DFGStructureClobberState.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><del>-                0F5513A51D5A682A00C32BD8 /* FreeList.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = FreeList.h; sourceTree = &quot;&lt;group&gt;&quot;; };
-                0F5513A71D5A68CB00C32BD8 /* FreeList.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = FreeList.cpp; sourceTree = &quot;&lt;group&gt;&quot;; };
</del><span class="cx">                 0F5541AF1613C1FB00CE3E25 /* SpecialPointer.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = SpecialPointer.cpp; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="cx">                 0F5541B01613C1FB00CE3E25 /* SpecialPointer.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SpecialPointer.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="cx">                 0F55989717C86C5600A1E543 /* ToNativeFromValue.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = ToNativeFromValue.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="lines">@@ -2698,9 +2674,6 @@
</span><span class="cx">                 0F6B8AE11C4EFE1700969052 /* B3FixSSA.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = B3FixSSA.h; path = b3/B3FixSSA.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="cx">                 0F6C734E1AC9F99F00BE1682 /* VariableWriteFireDetail.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = VariableWriteFireDetail.cpp; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="cx">                 0F6C734F1AC9F99F00BE1682 /* VariableWriteFireDetail.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = VariableWriteFireDetail.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><del>-                0F6DB7E71D6124B200CDBF8E /* StackFrame.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = StackFrame.cpp; sourceTree = &quot;&lt;group&gt;&quot;; };
-                0F6DB7E81D6124B200CDBF8E /* StackFrame.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = StackFrame.h; sourceTree = &quot;&lt;group&gt;&quot;; };
-                0F6DB7EB1D617D0F00CDBF8E /* MacroAssemblerCodeRef.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = MacroAssemblerCodeRef.cpp; sourceTree = &quot;&lt;group&gt;&quot;; };
</del><span class="cx">                 0F6E845919030BEF00562741 /* DFGVariableAccessData.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGVariableAccessData.cpp; path = dfg/DFGVariableAccessData.cpp; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="cx">                 0F6FC74E196110A800E1D02D /* ComplexGetStatus.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ComplexGetStatus.cpp; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="cx">                 0F6FC74F196110A800E1D02D /* ComplexGetStatus.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ComplexGetStatus.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="lines">@@ -2813,7 +2786,6 @@
</span><span class="cx">                 0FA7A8E918B413C80052371D /* Reg.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = Reg.cpp; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="cx">                 0FA7A8EA18B413C80052371D /* Reg.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = Reg.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="cx">                 0FA7A8ED18CE4FD80052371D /* ScratchRegisterAllocator.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ScratchRegisterAllocator.cpp; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><del>-                0FADE6721D4D23BC00768457 /* HeapUtil.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = HeapUtil.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</del><span class="cx">                 0FAF7EFA165BA919000C8455 /* JITDisassembler.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JITDisassembler.cpp; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="cx">                 0FAF7EFB165BA919000C8455 /* JITDisassembler.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JITDisassembler.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="cx">                 0FB105821675480C00F8AB6E /* ExitKind.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ExitKind.cpp; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="lines">@@ -4475,8 +4447,6 @@
</span><span class="cx">                 FEDA50D51B97F4D9009A3B4F /* PingPongStackOverflowTest.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = PingPongStackOverflowTest.h; path = API/tests/PingPongStackOverflowTest.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="cx">                 FEF040501AAE662D00BD28B0 /* CompareAndSwapTest.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = CompareAndSwapTest.cpp; path = API/tests/CompareAndSwapTest.cpp; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="cx">                 FEF040521AAEC4ED00BD28B0 /* CompareAndSwapTest.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = CompareAndSwapTest.h; path = API/tests/CompareAndSwapTest.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><del>-                77B25CB2C3094A92A38E1DB3 /* JSModuleLoader.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = JSModuleLoader.h; path = JSModuleLoader.h; sourceTree = &quot;&lt;group&gt;&quot;; };
-                1879510614C540FFB561C124 /* JSModuleLoader.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = JSModuleLoader.cpp; path = JSModuleLoader.cpp; sourceTree = &quot;&lt;group&gt;&quot;; };
</del><span class="cx">                 FEFD6FC51D5E7970008F2F0B /* JSStringInlines.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSStringInlines.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="cx"> /* End PBXFileReference section */
</span><span class="cx"> 
</span><span class="lines">@@ -5252,8 +5222,6 @@
</span><span class="cx">                         children = (
</span><span class="cx">                                 0F9630351D4192C3005609D9 /* AllocatorAttributes.cpp */,
</span><span class="cx">                                 0F9630361D4192C3005609D9 /* AllocatorAttributes.h */,
</span><del>-                                0F070A421D543A89006E7232 /* CellContainer.h */,
-                                0F070A431D543A89006E7232 /* CellContainerInlines.h */,
</del><span class="cx">                                 0F1C3DD91BBCE09E00E523E4 /* CellState.h */,
</span><span class="cx">                                 0FD8A31117D4326C00CA2C40 /* CodeBlockSet.cpp */,
</span><span class="cx">                                 0FD8A31217D4326C00CA2C40 /* CodeBlockSet.h */,
</span><span class="lines">@@ -5278,8 +5246,6 @@
</span><span class="cx">                                 0F9630381D4192C3005609D9 /* DestructionMode.h */,
</span><span class="cx">                                 2A83638318D7D0EE0000EBCC /* EdenGCActivityCallback.cpp */,
</span><span class="cx">                                 2A83638418D7D0EE0000EBCC /* EdenGCActivityCallback.h */,
</span><del>-                                0F5513A71D5A68CB00C32BD8 /* FreeList.cpp */,
-                                0F5513A51D5A682A00C32BD8 /* FreeList.h */,
</del><span class="cx">                                 2A83638718D7D0FE0000EBCC /* FullGCActivityCallback.cpp */,
</span><span class="cx">                                 2A83638818D7D0FE0000EBCC /* FullGCActivityCallback.h */,
</span><span class="cx">                                 2AACE63A18CA5A0300ED0191 /* GCActivityCallback.cpp */,
</span><span class="lines">@@ -5305,7 +5271,6 @@
</span><span class="cx">                                 14BA7A9613AADFF8005B7C2C /* Heap.h */,
</span><span class="cx">                                 DC3D2B0B1D34376E00BA918C /* HeapCell.cpp */,
</span><span class="cx">                                 DC3D2B091D34316100BA918C /* HeapCell.h */,
</span><del>-                                0F070A441D543A89006E7232 /* HeapCellInlines.h */,
</del><span class="cx">                                 0F32BD0E1BB34F190093A57F /* HeapHelperPool.cpp */,
</span><span class="cx">                                 0F32BD0F1BB34F190093A57F /* HeapHelperPool.h */,
</span><span class="cx">                                 C2DA778218E259990066FCB6 /* HeapInlines.h */,
</span><span class="lines">@@ -5323,7 +5288,6 @@
</span><span class="cx">                                 C24D31E1161CD695002AA4DB /* HeapStatistics.h */,
</span><span class="cx">                                 C2E526BB1590EF000054E48D /* HeapTimer.cpp */,
</span><span class="cx">                                 C2E526BC1590EF000054E48D /* HeapTimer.h */,
</span><del>-                                0FADE6721D4D23BC00768457 /* HeapUtil.h */,
</del><span class="cx">                                 FE7BA60D1A1A7CEC00F1F7B4 /* HeapVerifier.cpp */,
</span><span class="cx">                                 FE7BA60E1A1A7CEC00F1F7B4 /* HeapVerifier.h */,
</span><span class="cx">                                 C25F8BCB157544A900245B71 /* IncrementalSweeper.cpp */,
</span><span class="lines">@@ -5330,8 +5294,6 @@
</span><span class="cx">                                 C25F8BCC157544A900245B71 /* IncrementalSweeper.h */,
</span><span class="cx">                                 0F766D2915A8CC34008F363E /* JITStubRoutineSet.cpp */,
</span><span class="cx">                                 0F766D2A15A8CC34008F363E /* JITStubRoutineSet.h */,
</span><del>-                                0F070A451D543A89006E7232 /* LargeAllocation.cpp */,
-                                0F070A461D543A89006E7232 /* LargeAllocation.h */,
</del><span class="cx">                                 0F431736146BAC65007E3890 /* ListableHandler.h */,
</span><span class="cx">                                 FE3913511B794AC900EDAF71 /* LiveObjectData.h */,
</span><span class="cx">                                 FE3913521B794AC900EDAF71 /* LiveObjectList.cpp */,
</span><span class="lines">@@ -5689,8 +5651,6 @@
</span><span class="cx">                                 F692A84D0255597D01FF60F7 /* ArrayPrototype.cpp */,
</span><span class="cx">                                 F692A84E0255597D01FF60F7 /* ArrayPrototype.h */,
</span><span class="cx">                                 0FB7F38A15ED8E3800F167B2 /* ArrayStorage.h */,
</span><del>-                                0F38D2A01D44196600680499 /* AuxiliaryBarrier.h */,
-                                0F38D2A11D44196600680499 /* AuxiliaryBarrierInlines.h */,
</del><span class="cx">                                 52678F8C1A031009006A306D /* BasicBlockLocation.cpp */,
</span><span class="cx">                                 52678F8D1A031009006A306D /* BasicBlockLocation.h */,
</span><span class="cx">                                 147B83AA0E6DB8C9004775A4 /* BatchedTransitionOptimizer.h */,
</span><span class="lines">@@ -5857,6 +5817,7 @@
</span><span class="cx">                                 70DC3E081B2DF2C700054299 /* IteratorPrototype.h */,
</span><span class="cx">                                 93ADFCE60CCBD7AC00D30B08 /* JSArray.cpp */,
</span><span class="cx">                                 938772E5038BFE19008635CE /* JSArray.h */,
</span><ins>+                                539FB8B91C99DA7C00940FA1 /* JSArrayInlines.h */,
</ins><span class="cx">                                 0F2B66B417B6B5AB00A7AE3F /* JSArrayBuffer.cpp */,
</span><span class="cx">                                 0F2B66B517B6B5AB00A7AE3F /* JSArrayBuffer.h */,
</span><span class="cx">                                 0F2B66B617B6B5AB00A7AE3F /* JSArrayBufferConstructor.cpp */,
</span><span class="lines">@@ -5866,7 +5827,6 @@
</span><span class="cx">                                 0F2B66BA17B6B5AB00A7AE3F /* JSArrayBufferView.cpp */,
</span><span class="cx">                                 0F2B66BB17B6B5AB00A7AE3F /* JSArrayBufferView.h */,
</span><span class="cx">                                 0F2B66BC17B6B5AB00A7AE3F /* JSArrayBufferViewInlines.h */,
</span><del>-                                539FB8B91C99DA7C00940FA1 /* JSArrayInlines.h */,
</del><span class="cx">                                 86FA9E8F142BBB2D001773B7 /* JSBoundFunction.cpp */,
</span><span class="cx">                                 86FA9E90142BBB2E001773B7 /* JSBoundFunction.h */,
</span><span class="cx">                                 657CF45619BF6662004ACBF2 /* JSCallee.cpp */,
</span><span class="lines">@@ -5935,8 +5895,6 @@
</span><span class="cx">                                 A74DEF90182D991400522C22 /* JSMapIterator.h */,
</span><span class="cx">                                 E3D239C61B829C1C00BBEF67 /* JSModuleEnvironment.cpp */,
</span><span class="cx">                                 E3D239C71B829C1C00BBEF67 /* JSModuleEnvironment.h */,
</span><del>-                                1879510614C540FFB561C124 /* JSModuleLoader.cpp */,
-                                77B25CB2C3094A92A38E1DB3 /* JSModuleLoader.h */,
</del><span class="cx">                                 E318CBBE1B8AEF5100A2929D /* JSModuleNamespaceObject.cpp */,
</span><span class="cx">                                 E318CBBF1B8AEF5100A2929D /* JSModuleNamespaceObject.h */,
</span><span class="cx">                                 E39DA4A41B7E8B7C0084F33A /* JSModuleRecord.cpp */,
</span><span class="lines">@@ -6129,8 +6087,6 @@
</span><span class="cx">                                 0F0CD4C315F6B6B50032F1C0 /* SparseArrayValueMap.cpp */,
</span><span class="cx">                                 0FB7F39215ED8E3800F167B2 /* SparseArrayValueMap.h */,
</span><span class="cx">                                 0F3AC751183EA1040032029F /* StackAlignment.h */,
</span><del>-                                0F6DB7E71D6124B200CDBF8E /* StackFrame.cpp */,
-                                0F6DB7E81D6124B200CDBF8E /* StackFrame.h */,
</del><span class="cx">                                 A730B6111250068F009D25B1 /* StrictEvalActivation.cpp */,
</span><span class="cx">                                 A730B6101250068F009D25B1 /* StrictEvalActivation.h */,
</span><span class="cx">                                 BC18C3C00E16EE3300B34460 /* StringConstructor.cpp */,
</span><span class="lines">@@ -6216,6 +6172,8 @@
</span><span class="cx">                                 709FB8661AE335C60039D069 /* WeakSetPrototype.h */,
</span><span class="cx">                                 A7DCB77912E3D90500911940 /* WriteBarrier.h */,
</span><span class="cx">                                 C2B6D75218A33793004A9301 /* WriteBarrierInlines.h */,
</span><ins>+                                77B25CB2C3094A92A38E1DB3 /* JSModuleLoader.h */,
+                                1879510614C540FFB561C124 /* JSModuleLoader.cpp */,
</ins><span class="cx">                         );
</span><span class="cx">                         path = runtime;
</span><span class="cx">                         sourceTree = &quot;&lt;group&gt;&quot;;
</span><span class="lines">@@ -6658,7 +6616,6 @@
</span><span class="cx">                                 8640923C156EED3B00566CB2 /* MacroAssemblerARM64.h */,
</span><span class="cx">                                 A729009B17976C6000317298 /* MacroAssemblerARMv7.cpp */,
</span><span class="cx">                                 86ADD1440FDDEA980006EEC2 /* MacroAssemblerARMv7.h */,
</span><del>-                                0F6DB7EB1D617D0F00CDBF8E /* MacroAssemblerCodeRef.cpp */,
</del><span class="cx">                                 863B23DF0FC60E6200703AA4 /* MacroAssemblerCodeRef.h */,
</span><span class="cx">                                 86C568DE11A213EE0007F7F0 /* MacroAssemblerMIPS.h */,
</span><span class="cx">                                 FE68C6351B90DDD90042BCB3 /* MacroAssemblerPrinter.cpp */,
</span><span class="lines">@@ -7265,7 +7222,6 @@
</span><span class="cx">                                 99DA00A91BD5993100F4575C /* builtins_generate_separate_header.py in Headers */,
</span><span class="cx">                                 0F338E111BF0276C0013C88F /* B3OpaqueByproduct.h in Headers */,
</span><span class="cx">                                 FEA0C4031CDD7D1D00481991 /* FunctionWhitelist.h in Headers */,
</span><del>-                                0F6DB7E91D6124B500CDBF8E /* StackFrame.h in Headers */,
</del><span class="cx">                                 99DA00AA1BD5993100F4575C /* builtins_generate_separate_implementation.py in Headers */,
</span><span class="cx">                                 99DA00A31BD5993100F4575C /* builtins_generator.py in Headers */,
</span><span class="cx">                                 412952781D2CF6BC00E78B89 /* builtins_generate_internals_wrapper_implementation.py in Headers */,
</span><span class="lines">@@ -7357,7 +7313,6 @@
</span><span class="cx">                                 0F338E1C1BF286EA0013C88F /* B3BlockInsertionSet.h in Headers */,
</span><span class="cx">                                 0F9495881C57F47500413A48 /* B3StackSlot.h in Headers */,
</span><span class="cx">                                 C4F4B6F31A05C944005CAB76 /* cpp_generator_templates.py in Headers */,
</span><del>-                                0F38D2A21D44196800680499 /* AuxiliaryBarrier.h in Headers */,
</del><span class="cx">                                 5DE6E5B30E1728EC00180407 /* create_hash_table in Headers */,
</span><span class="cx">                                 9959E92B1BD17FA4001AA413 /* cssmin.py in Headers */,
</span><span class="cx">                                 2A111246192FCE79005EE18D /* CustomGetterSetter.h in Headers */,
</span><span class="lines">@@ -7583,7 +7538,6 @@
</span><span class="cx">                                 0FFFC96014EF90BD00C72532 /* DFGVirtualRegisterAllocationPhase.h in Headers */,
</span><span class="cx">                                 0FC97F4218202119002C9B26 /* DFGWatchpointCollectionPhase.h in Headers */,
</span><span class="cx">                                 0FDB2CE8174830A2007B3C1B /* DFGWorklist.h in Headers */,
</span><del>-                                0F070A491D543A93006E7232 /* HeapCellInlines.h in Headers */,
</del><span class="cx">                                 0FE050181AA9091100D33B33 /* DirectArguments.h in Headers */,
</span><span class="cx">                                 0FE050161AA9091100D33B33 /* DirectArgumentsOffset.h in Headers */,
</span><span class="cx">                                 0FF42731158EBD54004CB9FF /* Disassembler.h in Headers */,
</span><span class="lines">@@ -7713,7 +7667,6 @@
</span><span class="cx">                                 0FE0501A1AA9091100D33B33 /* GenericArgumentsInlines.h in Headers */,
</span><span class="cx">                                 FE3A06C01C11041A00390FDD /* JITRightShiftGenerator.h in Headers */,
</span><span class="cx">                                 708EBE241CE8F35800453146 /* IntlObjectInlines.h in Headers */,
</span><del>-                                0F070A481D543A90006E7232 /* CellContainerInlines.h in Headers */,
</del><span class="cx">                                 0FE0501B1AA9091100D33B33 /* GenericOffset.h in Headers */,
</span><span class="cx">                                 0F2B66E017B6B5AB00A7AE3F /* GenericTypedArrayView.h in Headers */,
</span><span class="cx">                                 0F2B66E117B6B5AB00A7AE3F /* GenericTypedArrayViewInlines.h in Headers */,
</span><span class="lines">@@ -7799,7 +7752,6 @@
</span><span class="cx">                                 A1587D6E1B4DC14100D69849 /* IntlDateTimeFormat.h in Headers */,
</span><span class="cx">                                 FE187A0F1C030D6C0038BBCA /* SnippetOperand.h in Headers */,
</span><span class="cx">                                 A1587D701B4DC14100D69849 /* IntlDateTimeFormatConstructor.h in Headers */,
</span><del>-                                0FADE6731D4D23BE00768457 /* HeapUtil.h in Headers */,
</del><span class="cx">                                 A1587D751B4DC1C600D69849 /* IntlDateTimeFormatConstructor.lut.h in Headers */,
</span><span class="cx">                                 A5398FAB1C750DA40060A963 /* HeapProfiler.h in Headers */,
</span><span class="cx">                                 A1587D721B4DC14100D69849 /* IntlDateTimeFormatPrototype.h in Headers */,
</span><span class="lines">@@ -7923,7 +7875,6 @@
</span><span class="cx">                                 C25D709C16DE99F400FCA6BC /* JSManagedValue.h in Headers */,
</span><span class="cx">                                 2A4BB7F318A41179008A0FCD /* JSManagedValueInternal.h in Headers */,
</span><span class="cx">                                 A700874217CBE8EB00C3E643 /* JSMap.h in Headers */,
</span><del>-                                0F38D2A31D44196D00680499 /* AuxiliaryBarrierInlines.h in Headers */,
</del><span class="cx">                                 A74DEF96182D991400522C22 /* JSMapIterator.h in Headers */,
</span><span class="cx">                                 9959E92D1BD17FA4001AA413 /* jsmin.py in Headers */,
</span><span class="cx">                                 E3D239C91B829C1C00BBEF67 /* JSModuleEnvironment.h in Headers */,
</span><span class="lines">@@ -7961,7 +7912,6 @@
</span><span class="cx">                                 BC18C4270E16F5CD00B34460 /* JSString.h in Headers */,
</span><span class="cx">                                 86E85539111B9968001AF51E /* JSStringBuilder.h in Headers */,
</span><span class="cx">                                 70EC0EC31AA0D7DA00B6AAFA /* JSStringIterator.h in Headers */,
</span><del>-                                0F070A471D543A8B006E7232 /* CellContainer.h in Headers */,
</del><span class="cx">                                 2600B5A7152BAAA70091EE5F /* JSStringJoiner.h in Headers */,
</span><span class="cx">                                 BC18C4280E16F5CD00B34460 /* JSStringRef.h in Headers */,
</span><span class="cx">                                 43AB26C61C1A535900D82AE6 /* B3MathExtras.h in Headers */,
</span><span class="lines">@@ -8032,7 +7982,6 @@
</span><span class="cx">                                 14B723B812D7DA6F003BD5ED /* MachineStackMarker.h in Headers */,
</span><span class="cx">                                 86C36EEA0EE1289D00B3DF59 /* MacroAssembler.h in Headers */,
</span><span class="cx">                                 43422A671C16267800E2EB98 /* B3ReduceDoubleToFloat.h in Headers */,
</span><del>-                                0F070A4B1D543A98006E7232 /* LargeAllocation.h in Headers */,
</del><span class="cx">                                 86D3B2C610156BDE002865E7 /* MacroAssemblerARM.h in Headers */,
</span><span class="cx">                                 A1A009C01831A22D00CF8711 /* MacroAssemblerARM64.h in Headers */,
</span><span class="cx">                                 86ADD1460FDDEA980006EEC2 /* MacroAssemblerARMv7.h in Headers */,
</span><span class="lines">@@ -8080,7 +8029,6 @@
</span><span class="cx">                                 BC18C4440E16F5CD00B34460 /* NumberPrototype.h in Headers */,
</span><span class="cx">                                 996B73211BDA08EF00331B84 /* NumberPrototype.lut.h in Headers */,
</span><span class="cx">                                 142D3939103E4560007DCB52 /* NumericStrings.h in Headers */,
</span><del>-                                0F5513A61D5A682C00C32BD8 /* FreeList.h in Headers */,
</del><span class="cx">                                 A5EA710C19F6DE820098F5EC /* objc_generator.py in Headers */,
</span><span class="cx">                                 C4F4B6F61A05C984005CAB76 /* objc_generator_templates.py in Headers */,
</span><span class="cx">                                 86F3EEBD168CDE930077B92A /* ObjCCallbackFunction.h in Headers */,
</span><span class="lines">@@ -8862,7 +8810,6 @@
</span><span class="cx">                                 0FEC856F1BDACDC70080FF74 /* AirArg.cpp in Sources */,
</span><span class="cx">                                 0F4DE1CE1C4C1B54004D6C11 /* AirFixObviousSpills.cpp in Sources */,
</span><span class="cx">                                 0FEC85711BDACDC70080FF74 /* AirBasicBlock.cpp in Sources */,
</span><del>-                                0F070A4A1D543A95006E7232 /* LargeAllocation.cpp in Sources */,
</del><span class="cx">                                 0FEC85731BDACDC70080FF74 /* AirCCallSpecial.cpp in Sources */,
</span><span class="cx">                                 0FEC85751BDACDC70080FF74 /* AirCode.cpp in Sources */,
</span><span class="cx">                                 0F4570381BE44C910062A629 /* AirEliminateDeadCode.cpp in Sources */,
</span><span class="lines">@@ -9281,7 +9228,6 @@
</span><span class="cx">                                 0FE34C191C4B39AE0003A512 /* AirLogRegisterPressure.cpp in Sources */,
</span><span class="cx">                                 A1B9E2391B4E0D6700BC7FED /* IntlCollator.cpp in Sources */,
</span><span class="cx">                                 A1B9E23B1B4E0D6700BC7FED /* IntlCollatorConstructor.cpp in Sources */,
</span><del>-                                0F6DB7EA1D6124B800CDBF8E /* StackFrame.cpp in Sources */,
</del><span class="cx">                                 A1B9E23D1B4E0D6700BC7FED /* IntlCollatorPrototype.cpp in Sources */,
</span><span class="cx">                                 A1587D6D1B4DC14100D69849 /* IntlDateTimeFormat.cpp in Sources */,
</span><span class="cx">                                 A1587D6F1B4DC14100D69849 /* IntlDateTimeFormatConstructor.cpp in Sources */,
</span><span class="lines">@@ -9305,13 +9251,11 @@
</span><span class="cx">                                 146FE51211A710430087AE66 /* JITCall32_64.cpp in Sources */,
</span><span class="cx">                                 0F8F94441667635400D61971 /* JITCode.cpp in Sources */,
</span><span class="cx">                                 0FAF7EFD165BA91B000C8455 /* JITDisassembler.cpp in Sources */,
</span><del>-                                0F6DB7EC1D617D1100CDBF8E /* MacroAssemblerCodeRef.cpp in Sources */,
</del><span class="cx">                                 0F46808314BA573100BFE272 /* JITExceptions.cpp in Sources */,
</span><span class="cx">                                 0FB14E1E18124ACE009B6B4D /* JITInlineCacheGenerator.cpp in Sources */,
</span><span class="cx">                                 BCDD51EB0FB8DF74004A8BDC /* JITOpcodes.cpp in Sources */,
</span><span class="cx">                                 A71236E51195F33C00BD2174 /* JITOpcodes32_64.cpp in Sources */,
</span><span class="cx">                                 0F24E54C17EE274900ABB217 /* JITOperations.cpp in Sources */,
</span><del>-                                0F5513A81D5A68CD00C32BD8 /* FreeList.cpp in Sources */,
</del><span class="cx">                                 FE99B24A1C24C3D700C82159 /* JITNegGenerator.cpp in Sources */,
</span><span class="cx">                                 86CC85C40EE7A89400288682 /* JITPropertyAccess.cpp in Sources */,
</span><span class="cx">                                 A7C1E8E4112E72EF00A37F98 /* JITPropertyAccess32_64.cpp in Sources */,
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreScriptsbuiltinsbuiltins_generate_combined_implementationpy"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/Scripts/builtins/builtins_generate_combined_implementation.py (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/Scripts/builtins/builtins_generate_combined_implementation.py        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/Scripts/builtins/builtins_generate_combined_implementation.py        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -72,9 +72,6 @@
</span><span class="cx">                 (&quot;JavaScriptCore&quot;, &quot;builtins/BuiltinExecutables.h&quot;),
</span><span class="cx">             ),
</span><span class="cx">             ([&quot;JavaScriptCore&quot;, &quot;WebCore&quot;],
</span><del>-                (&quot;JavaScriptCore&quot;, &quot;heap/HeapInlines.h&quot;),
-            ),
-            ([&quot;JavaScriptCore&quot;, &quot;WebCore&quot;],
</del><span class="cx">                 (&quot;JavaScriptCore&quot;, &quot;runtime/Executable.h&quot;),
</span><span class="cx">             ),
</span><span class="cx">             ([&quot;JavaScriptCore&quot;, &quot;WebCore&quot;],
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreScriptsbuiltinsbuiltins_generate_internals_wrapper_implementationpy"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/Scripts/builtins/builtins_generate_internals_wrapper_implementation.py (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/Scripts/builtins/builtins_generate_internals_wrapper_implementation.py        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/Scripts/builtins/builtins_generate_internals_wrapper_implementation.py        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -68,9 +68,6 @@
</span><span class="cx">                 (&quot;WebCore&quot;, &quot;WebCoreJSClientData.h&quot;),
</span><span class="cx">             ),
</span><span class="cx">             ([&quot;WebCore&quot;],
</span><del>-                (&quot;JavaScriptCore&quot;, &quot;heap/HeapInlines.h&quot;),
-            ),
-            ([&quot;WebCore&quot;],
</del><span class="cx">                 (&quot;JavaScriptCore&quot;, &quot;heap/SlotVisitorInlines.h&quot;),
</span><span class="cx">             ),
</span><span class="cx">             ([&quot;WebCore&quot;],
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreScriptsbuiltinsbuiltins_generate_separate_implementationpy"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/Scripts/builtins/builtins_generate_separate_implementation.py (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/Scripts/builtins/builtins_generate_separate_implementation.py        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/Scripts/builtins/builtins_generate_separate_implementation.py        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -84,9 +84,6 @@
</span><span class="cx">                 (&quot;JavaScriptCore&quot;, &quot;builtins/BuiltinExecutables.h&quot;),
</span><span class="cx">             ),
</span><span class="cx">             ([&quot;JavaScriptCore&quot;, &quot;WebCore&quot;],
</span><del>-                (&quot;JavaScriptCore&quot;, &quot;heap/HeapInlines.h&quot;),
-            ),
-            ([&quot;JavaScriptCore&quot;, &quot;WebCore&quot;],
</del><span class="cx">                 (&quot;JavaScriptCore&quot;, &quot;runtime/Executable.h&quot;),
</span><span class="cx">             ),
</span><span class="cx">             ([&quot;JavaScriptCore&quot;, &quot;WebCore&quot;],
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreassemblerAbstractMacroAssemblerh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/assembler/AbstractMacroAssembler.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/assembler/AbstractMacroAssembler.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/assembler/AbstractMacroAssembler.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -725,18 +725,20 @@
</span><span class="cx">                 append(jump);
</span><span class="cx">         }
</span><span class="cx"> 
</span><del>-        void link(AbstractMacroAssemblerType* masm) const
</del><ins>+        void link(AbstractMacroAssemblerType* masm)
</ins><span class="cx">         {
</span><span class="cx">             size_t size = m_jumps.size();
</span><span class="cx">             for (size_t i = 0; i &lt; size; ++i)
</span><span class="cx">                 m_jumps[i].link(masm);
</span><ins>+            m_jumps.clear();
</ins><span class="cx">         }
</span><span class="cx">         
</span><del>-        void linkTo(Label label, AbstractMacroAssemblerType* masm) const
</del><ins>+        void linkTo(Label label, AbstractMacroAssemblerType* masm)
</ins><span class="cx">         {
</span><span class="cx">             size_t size = m_jumps.size();
</span><span class="cx">             for (size_t i = 0; i &lt; size; ++i)
</span><span class="cx">                 m_jumps[i].linkTo(label, masm);
</span><ins>+            m_jumps.clear();
</ins><span class="cx">         }
</span><span class="cx">         
</span><span class="cx">         void append(Jump jump)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreassemblerMacroAssemblerh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/assembler/MacroAssembler.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/assembler/MacroAssembler.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/assembler/MacroAssembler.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -28,8 +28,6 @@
</span><span class="cx"> 
</span><span class="cx"> #if ENABLE(ASSEMBLER)
</span><span class="cx"> 
</span><del>-#include &quot;JSCJSValue.h&quot;
-
</del><span class="cx"> #if CPU(ARM_THUMB2)
</span><span class="cx"> #include &quot;MacroAssemblerARMv7.h&quot;
</span><span class="cx"> namespace JSC { typedef MacroAssemblerARMv7 MacroAssemblerBase; };
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreassemblerMacroAssemblerARM64h"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/assembler/MacroAssemblerARM64.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/assembler/MacroAssemblerARM64.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/assembler/MacroAssemblerARM64.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -166,10 +166,7 @@
</span><span class="cx">             m_assembler.add&lt;32&gt;(dest, src, UInt12(imm.m_value));
</span><span class="cx">         else if (isUInt12(-imm.m_value))
</span><span class="cx">             m_assembler.sub&lt;32&gt;(dest, src, UInt12(-imm.m_value));
</span><del>-        else if (src != dest) {
-            move(imm, dest);
-            add32(src, dest);
-        } else {
</del><ins>+        else {
</ins><span class="cx">             move(imm, getCachedDataTempRegisterIDAndInvalidate());
</span><span class="cx">             m_assembler.add&lt;32&gt;(dest, src, dataTempRegister);
</span><span class="cx">         }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreassemblerMacroAssemblerCodeRefcpp"></a>
<div class="delfile"><h4>Deleted: trunk/Source/JavaScriptCore/assembler/MacroAssemblerCodeRef.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/assembler/MacroAssemblerCodeRef.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/assembler/MacroAssemblerCodeRef.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,68 +0,0 @@
</span><del>-/*
- * Copyright (C) 2016 Apple Inc. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
- * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
- * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- */
-
-#include &quot;config.h&quot;
-#include &quot;MacroAssemblerCodeRef.h&quot;
-
-#include &quot;JSCInlines.h&quot;
-#include &quot;LLIntData.h&quot;
-
-namespace JSC {
-
-MacroAssemblerCodePtr MacroAssemblerCodePtr::createLLIntCodePtr(OpcodeID codeId)
-{
-    return createFromExecutableAddress(LLInt::getCodePtr(codeId));
-}
-
-void MacroAssemblerCodePtr::dumpWithName(const char* name, PrintStream&amp; out) const
-{
-    if (!m_value) {
-        out.print(name, &quot;(null)&quot;);
-        return;
-    }
-    if (executableAddress() == dataLocation()) {
-        out.print(name, &quot;(&quot;, RawPointer(executableAddress()), &quot;)&quot;);
-        return;
-    }
-    out.print(name, &quot;(executable = &quot;, RawPointer(executableAddress()), &quot;, dataLocation = &quot;, RawPointer(dataLocation()), &quot;)&quot;);
-}
-
-void MacroAssemblerCodePtr::dump(PrintStream&amp; out) const
-{
-    dumpWithName(&quot;CodePtr&quot;, out);
-}
-
-MacroAssemblerCodeRef MacroAssemblerCodeRef::createLLIntCodeRef(OpcodeID codeId)
-{
-    return createSelfManagedCodeRef(MacroAssemblerCodePtr::createFromExecutableAddress(LLInt::getCodePtr(codeId)));
-}
-
-void MacroAssemblerCodeRef::dump(PrintStream&amp; out) const
-{
-    m_codePtr.dumpWithName(&quot;CodeRef&quot;, out);
-}
-
-} // namespace JSC
-
</del></span></pre></div>
<a id="trunkSourceJavaScriptCoreassemblerMacroAssemblerCodeRefh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/assembler/MacroAssemblerCodeRef.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/assembler/MacroAssemblerCodeRef.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/assembler/MacroAssemblerCodeRef.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -28,6 +28,7 @@
</span><span class="cx"> 
</span><span class="cx"> #include &quot;Disassembler.h&quot;
</span><span class="cx"> #include &quot;ExecutableAllocator.h&quot;
</span><ins>+#include &quot;LLIntData.h&quot;
</ins><span class="cx"> #include &lt;wtf/DataLog.h&gt;
</span><span class="cx"> #include &lt;wtf/PassRefPtr.h&gt;
</span><span class="cx"> #include &lt;wtf/PrintStream.h&gt;
</span><span class="lines">@@ -52,8 +53,6 @@
</span><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span><del>-enum OpcodeID : unsigned;
-
</del><span class="cx"> // FunctionPtr:
</span><span class="cx"> //
</span><span class="cx"> // FunctionPtr should be used to wrap pointers to C/C++ functions in JSC
</span><span class="lines">@@ -274,7 +273,10 @@
</span><span class="cx">         return result;
</span><span class="cx">     }
</span><span class="cx"> 
</span><del>-    static MacroAssemblerCodePtr createLLIntCodePtr(OpcodeID codeId);
</del><ins>+    static MacroAssemblerCodePtr createLLIntCodePtr(OpcodeID codeId)
+    {
+        return createFromExecutableAddress(LLInt::getCodePtr(codeId));
+    }
</ins><span class="cx"> 
</span><span class="cx">     explicit MacroAssemblerCodePtr(ReturnAddressPtr ra)
</span><span class="cx">         : m_value(ra.value())
</span><span class="lines">@@ -297,9 +299,23 @@
</span><span class="cx">         return m_value == other.m_value;
</span><span class="cx">     }
</span><span class="cx"> 
</span><del>-    void dumpWithName(const char* name, PrintStream&amp; out) const;
</del><ins>+    void dumpWithName(const char* name, PrintStream&amp; out) const
+    {
+        if (!m_value) {
+            out.print(name, &quot;(null)&quot;);
+            return;
+        }
+        if (executableAddress() == dataLocation()) {
+            out.print(name, &quot;(&quot;, RawPointer(executableAddress()), &quot;)&quot;);
+            return;
+        }
+        out.print(name, &quot;(executable = &quot;, RawPointer(executableAddress()), &quot;, dataLocation = &quot;, RawPointer(dataLocation()), &quot;)&quot;);
+    }
</ins><span class="cx">     
</span><del>-    void dump(PrintStream&amp; out) const;
</del><ins>+    void dump(PrintStream&amp; out) const
+    {
+        dumpWithName(&quot;CodePtr&quot;, out);
+    }
</ins><span class="cx">     
</span><span class="cx">     enum EmptyValueTag { EmptyValue };
</span><span class="cx">     enum DeletedValueTag { DeletedValue };
</span><span class="lines">@@ -373,7 +389,10 @@
</span><span class="cx">     }
</span><span class="cx">     
</span><span class="cx">     // Helper for creating self-managed code refs from LLInt.
</span><del>-    static MacroAssemblerCodeRef createLLIntCodeRef(OpcodeID codeId);
</del><ins>+    static MacroAssemblerCodeRef createLLIntCodeRef(OpcodeID codeId)
+    {
+        return createSelfManagedCodeRef(MacroAssemblerCodePtr::createFromExecutableAddress(LLInt::getCodePtr(codeId)));
+    }
</ins><span class="cx"> 
</span><span class="cx">     ExecutableMemoryHandle* executableMemory() const
</span><span class="cx">     {
</span><span class="lines">@@ -399,7 +418,10 @@
</span><span class="cx">     
</span><span class="cx">     explicit operator bool() const { return !!m_codePtr; }
</span><span class="cx">     
</span><del>-    void dump(PrintStream&amp; out) const;
</del><ins>+    void dump(PrintStream&amp; out) const
+    {
+        m_codePtr.dumpWithName(&quot;CodeRef&quot;, out);
+    }
</ins><span class="cx"> 
</span><span class="cx"> private:
</span><span class="cx">     MacroAssemblerCodePtr m_codePtr;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreb3B3BasicBlockcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/b3/B3BasicBlock.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/b3/B3BasicBlock.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/b3/B3BasicBlock.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -85,11 +85,6 @@
</span><span class="cx">     return appendIntConstant(proc, likeValue-&gt;origin(), likeValue-&gt;type(), value);
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-Value* BasicBlock::appendBoolConstant(Procedure&amp; proc, Origin origin, bool value)
-{
-    return appendIntConstant(proc, origin, Int32, value ? 1 : 0);
-}
-
</del><span class="cx"> void BasicBlock::clearSuccessors()
</span><span class="cx"> {
</span><span class="cx">     m_successors.clear();
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreb3B3BasicBlockh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/b3/B3BasicBlock.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/b3/B3BasicBlock.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/b3/B3BasicBlock.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -82,7 +82,6 @@
</span><span class="cx"> 
</span><span class="cx">     JS_EXPORT_PRIVATE Value* appendIntConstant(Procedure&amp;, Origin, Type, int64_t value);
</span><span class="cx">     Value* appendIntConstant(Procedure&amp;, Value* likeValue, int64_t value);
</span><del>-    Value* appendBoolConstant(Procedure&amp;, Origin, bool);
</del><span class="cx"> 
</span><span class="cx">     void removeLast(Procedure&amp;);
</span><span class="cx">     
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreb3B3DuplicateTailscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/b3/B3DuplicateTails.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/b3/B3DuplicateTails.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/b3/B3DuplicateTails.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -71,12 +71,8 @@
</span><span class="cx">         IndexSet&lt;BasicBlock&gt; candidates;
</span><span class="cx"> 
</span><span class="cx">         for (BasicBlock* block : m_proc) {
</span><del>-            if (block-&gt;size() &gt; m_maxSize)
</del><ins>+            if (block-&gt;size() &gt; m_maxSize || block-&gt;numSuccessors() &gt; m_maxSuccessors)
</ins><span class="cx">                 continue;
</span><del>-            if (block-&gt;numSuccessors() &gt; m_maxSuccessors)
-                continue;
-            if (block-&gt;last()-&gt;type() != Void) // Demoting doesn't handle terminals with values.
-                continue;
</del><span class="cx"> 
</span><span class="cx">             candidates.add(block);
</span><span class="cx">         }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreb3B3StackmapGenerationParamsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/b3/B3StackmapGenerationParams.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/b3/B3StackmapGenerationParams.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/b3/B3StackmapGenerationParams.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -92,7 +92,7 @@
</span><span class="cx">     // This is computed lazily, so it won't work if you capture StackmapGenerationParams by value.
</span><span class="cx">     // Returns true if the successor at the given index is going to be emitted right after the
</span><span class="cx">     // patchpoint.
</span><del>-    JS_EXPORT_PRIVATE bool fallsThroughToSuccessor(unsigned successorIndex) const;
</del><ins>+    bool fallsThroughToSuccessor(unsigned successorIndex) const;
</ins><span class="cx"> 
</span><span class="cx">     // This is provided for convenience; it means that you don't have to capture it if you don't want to.
</span><span class="cx">     JS_EXPORT_PRIVATE Procedure&amp; proc() const;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreb3testb3cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/b3/testb3.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/b3/testb3.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/b3/testb3.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -12920,80 +12920,6 @@
</span><span class="cx">     CHECK(terminal.args[2].kind() == Air::Arg::BitImm || terminal.args[2].kind() == Air::Arg::BitImm64);
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-void testPatchpointTerminalReturnValue(bool successIsRare)
-{
-    // This is a unit test for how FTL's heap allocation fast paths behave.
-    Procedure proc;
-    
-    BasicBlock* root = proc.addBlock();
-    BasicBlock* success = proc.addBlock();
-    BasicBlock* slowPath = proc.addBlock();
-    BasicBlock* continuation = proc.addBlock();
-    
-    Value* arg = root-&gt;appendNew&lt;Value&gt;(
-        proc, Trunc, Origin(),
-        root-&gt;appendNew&lt;ArgumentRegValue&gt;(proc, Origin(), GPRInfo::argumentGPR0));
-    
-    PatchpointValue* patchpoint = root-&gt;appendNew&lt;PatchpointValue&gt;(proc, Int32, Origin());
-    patchpoint-&gt;effects.terminal = true;
-    patchpoint-&gt;clobber(RegisterSet::macroScratchRegisters());
-    
-    if (successIsRare) {
-        root-&gt;appendSuccessor(FrequentedBlock(success, FrequencyClass::Rare));
-        root-&gt;appendSuccessor(slowPath);
-    } else {
-        root-&gt;appendSuccessor(success);
-        root-&gt;appendSuccessor(FrequentedBlock(slowPath, FrequencyClass::Rare));
-    }
-    
-    patchpoint-&gt;appendSomeRegister(arg);
-    
-    patchpoint-&gt;setGenerator(
-        [&amp;] (CCallHelpers&amp; jit, const StackmapGenerationParams&amp; params) {
-            AllowMacroScratchRegisterUsage allowScratch(jit);
-            
-            CCallHelpers::Jump jumpToSlow =
-                jit.branch32(CCallHelpers::Above, params[1].gpr(), CCallHelpers::TrustedImm32(42));
-            
-            jit.add32(CCallHelpers::TrustedImm32(31), params[1].gpr(), params[0].gpr());
-            
-            CCallHelpers::Jump jumpToSuccess;
-            if (!params.fallsThroughToSuccessor(0))
-                jumpToSuccess = jit.jump();
-            
-            Vector&lt;Box&lt;CCallHelpers::Label&gt;&gt; labels = params.successorLabels();
-            
-            params.addLatePath(
-                [=] (CCallHelpers&amp; jit) {
-                    jumpToSlow.linkTo(*labels[1], &amp;jit);
-                    if (jumpToSuccess.isSet())
-                        jumpToSuccess.linkTo(*labels[0], &amp;jit);
-                });
-        });
-    
-    UpsilonValue* successUpsilon = success-&gt;appendNew&lt;UpsilonValue&gt;(proc, Origin(), patchpoint);
-    success-&gt;appendNew&lt;Value&gt;(proc, Jump, Origin());
-    success-&gt;setSuccessors(continuation);
-    
-    UpsilonValue* slowPathUpsilon = slowPath-&gt;appendNew&lt;UpsilonValue&gt;(
-        proc, Origin(), slowPath-&gt;appendNew&lt;Const32Value&gt;(proc, Origin(), 666));
-    slowPath-&gt;appendNew&lt;Value&gt;(proc, Jump, Origin());
-    slowPath-&gt;setSuccessors(continuation);
-    
-    Value* phi = continuation-&gt;appendNew&lt;Value&gt;(proc, Phi, Int32, Origin());
-    successUpsilon-&gt;setPhi(phi);
-    slowPathUpsilon-&gt;setPhi(phi);
-    continuation-&gt;appendNew&lt;Value&gt;(proc, Return, Origin(), phi);
-    
-    auto code = compile(proc);
-    CHECK_EQ(invoke&lt;int&gt;(*code, 0), 31);
-    CHECK_EQ(invoke&lt;int&gt;(*code, 1), 32);
-    CHECK_EQ(invoke&lt;int&gt;(*code, 41), 72);
-    CHECK_EQ(invoke&lt;int&gt;(*code, 42), 73);
-    CHECK_EQ(invoke&lt;int&gt;(*code, 43), 666);
-    CHECK_EQ(invoke&lt;int&gt;(*code, -1), 666);
-}
-
</del><span class="cx"> // Make sure the compiler does not try to optimize anything out.
</span><span class="cx"> NEVER_INLINE double zero()
</span><span class="cx"> {
</span><span class="lines">@@ -14411,8 +14337,6 @@
</span><span class="cx">     RUN(testEntrySwitchLoop());
</span><span class="cx"> 
</span><span class="cx">     RUN(testSomeEarlyRegister());
</span><del>-    RUN(testPatchpointTerminalReturnValue(true));
-    RUN(testPatchpointTerminalReturnValue(false));
</del><span class="cx">     
</span><span class="cx">     if (isX86()) {
</span><span class="cx">         RUN(testBranchBitAndImmFusion(Identity, Int64, 1, Air::BranchTest32, Air::Arg::Tmp));
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebindingsScriptValuecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bindings/ScriptValue.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bindings/ScriptValue.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/bindings/ScriptValue.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -32,8 +32,8 @@
</span><span class="cx"> 
</span><span class="cx"> #include &quot;APICast.h&quot;
</span><span class="cx"> #include &quot;InspectorValues.h&quot;
</span><del>-#include &quot;JSCInlines.h&quot;
</del><span class="cx"> #include &quot;JSLock.h&quot;
</span><ins>+#include &quot;StructureInlines.h&quot;
</ins><span class="cx"> 
</span><span class="cx"> using namespace JSC;
</span><span class="cx"> using namespace Inspector;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeAdaptiveInferredPropertyValueWatchpointBasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -26,7 +26,8 @@
</span><span class="cx"> #include &quot;config.h&quot;
</span><span class="cx"> #include &quot;AdaptiveInferredPropertyValueWatchpointBase.h&quot;
</span><span class="cx"> 
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;JSCellInlines.h&quot;
+#include &quot;StructureInlines.h&quot;
</ins><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeBytecodeBasicBlockcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/BytecodeBasicBlock.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/BytecodeBasicBlock.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/bytecode/BytecodeBasicBlock.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -27,7 +27,6 @@
</span><span class="cx"> #include &quot;BytecodeBasicBlock.h&quot;
</span><span class="cx"> 
</span><span class="cx"> #include &quot;CodeBlock.h&quot;
</span><del>-#include &quot;Interpreter.h&quot;
</del><span class="cx"> #include &quot;JSCInlines.h&quot;
</span><span class="cx"> #include &quot;PreciseJumpTargets.h&quot;
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeBytecodeLivenessAnalysiscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/BytecodeLivenessAnalysis.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/BytecodeLivenessAnalysis.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/bytecode/BytecodeLivenessAnalysis.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -31,7 +31,6 @@
</span><span class="cx"> #include &quot;BytecodeUseDef.h&quot;
</span><span class="cx"> #include &quot;CodeBlock.h&quot;
</span><span class="cx"> #include &quot;FullBytecodeLiveness.h&quot;
</span><del>-#include &quot;Interpreter.h&quot;
</del><span class="cx"> #include &quot;PreciseJumpTargets.h&quot;
</span><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeBytecodeUseDefh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/BytecodeUseDef.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/BytecodeUseDef.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/bytecode/BytecodeUseDef.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -27,7 +27,6 @@
</span><span class="cx"> #define BytecodeUseDef_h
</span><span class="cx"> 
</span><span class="cx"> #include &quot;CodeBlock.h&quot;
</span><del>-#include &quot;Interpreter.h&quot;
</del><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeCallLinkInfocpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/CallLinkInfo.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/CallLinkInfo.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/bytecode/CallLinkInfo.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -30,7 +30,6 @@
</span><span class="cx"> #include &quot;DFGOperations.h&quot;
</span><span class="cx"> #include &quot;DFGThunks.h&quot;
</span><span class="cx"> #include &quot;JSCInlines.h&quot;
</span><del>-#include &quot;Opcode.h&quot;
</del><span class="cx"> #include &quot;Repatch.h&quot;
</span><span class="cx"> #include &lt;wtf/ListDump.h&gt;
</span><span class="cx"> 
</span><span class="lines">@@ -37,22 +36,6 @@
</span><span class="cx"> #if ENABLE(JIT)
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span><del>-CallLinkInfo::CallType CallLinkInfo::callTypeFor(OpcodeID opcodeID)
-{
-    if (opcodeID == op_call || opcodeID == op_call_eval)
-        return Call;
-    if (opcodeID == op_call_varargs)
-        return CallVarargs;
-    if (opcodeID == op_construct)
-        return Construct;
-    if (opcodeID == op_construct_varargs)
-        return ConstructVarargs;
-    if (opcodeID == op_tail_call)
-        return TailCall;
-    ASSERT(opcodeID == op_tail_call_varargs || op_tail_call_forward_arguments);
-    return TailCallVarargs;
-}
-
</del><span class="cx"> CallLinkInfo::CallLinkInfo()
</span><span class="cx">     : m_hasSeenShouldRepatch(false)
</span><span class="cx">     , m_hasSeenClosure(false)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeCallLinkInfoh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/CallLinkInfo.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/CallLinkInfo.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/bytecode/CallLinkInfo.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -31,6 +31,7 @@
</span><span class="cx"> #include &quot;CodeSpecializationKind.h&quot;
</span><span class="cx"> #include &quot;JITWriteBarrier.h&quot;
</span><span class="cx"> #include &quot;JSFunction.h&quot;
</span><ins>+#include &quot;Opcode.h&quot;
</ins><span class="cx"> #include &quot;PolymorphicCallStubRoutine.h&quot;
</span><span class="cx"> #include &quot;WriteBarrier.h&quot;
</span><span class="cx"> #include &lt;wtf/SentinelLinkedList.h&gt;
</span><span class="lines">@@ -39,13 +40,26 @@
</span><span class="cx"> 
</span><span class="cx"> #if ENABLE(JIT)
</span><span class="cx"> 
</span><del>-enum OpcodeID : unsigned;
</del><span class="cx"> struct CallFrameShuffleData;
</span><span class="cx"> 
</span><span class="cx"> class CallLinkInfo : public BasicRawSentinelNode&lt;CallLinkInfo&gt; {
</span><span class="cx"> public:
</span><span class="cx">     enum CallType { None, Call, CallVarargs, Construct, ConstructVarargs, TailCall, TailCallVarargs };
</span><del>-    static CallType callTypeFor(OpcodeID opcodeID);
</del><ins>+    static CallType callTypeFor(OpcodeID opcodeID)
+    {
+        if (opcodeID == op_call || opcodeID == op_call_eval)
+            return Call;
+        if (opcodeID == op_call_varargs)
+            return CallVarargs;
+        if (opcodeID == op_construct)
+            return Construct;
+        if (opcodeID == op_construct_varargs)
+            return ConstructVarargs;
+        if (opcodeID == op_tail_call)
+            return TailCall;
+        ASSERT(opcodeID == op_tail_call_varargs || op_tail_call_forward_arguments);
+        return TailCallVarargs;
+    }
</ins><span class="cx"> 
</span><span class="cx">     static bool isVarargsCallType(CallType callType)
</span><span class="cx">     {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeCallLinkStatuscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/CallLinkStatus.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/CallLinkStatus.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/bytecode/CallLinkStatus.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -30,7 +30,6 @@
</span><span class="cx"> #include &quot;CodeBlock.h&quot;
</span><span class="cx"> #include &quot;DFGJITCode.h&quot;
</span><span class="cx"> #include &quot;InlineCallFrame.h&quot;
</span><del>-#include &quot;Interpreter.h&quot;
</del><span class="cx"> #include &quot;LLIntCallLinkInfo.h&quot;
</span><span class="cx"> #include &quot;JSCInlines.h&quot;
</span><span class="cx"> #include &lt;wtf/CommaPrinter.h&gt;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeCodeBlockcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -51,7 +51,6 @@
</span><span class="cx"> #include &quot;JSFunction.h&quot;
</span><span class="cx"> #include &quot;JSLexicalEnvironment.h&quot;
</span><span class="cx"> #include &quot;JSModuleEnvironment.h&quot;
</span><del>-#include &quot;LLIntData.h&quot;
</del><span class="cx"> #include &quot;LLIntEntrypoint.h&quot;
</span><span class="cx"> #include &quot;LLIntPrototypeLoadAdaptiveStructureWatchpoint.h&quot;
</span><span class="cx"> #include &quot;LowLevelInterpreter.h&quot;
</span><span class="lines">@@ -1911,7 +1910,7 @@
</span><span class="cx">         m_rareData-&gt;m_liveCalleeLocalsAtYield = other.m_rareData-&gt;m_liveCalleeLocalsAtYield;
</span><span class="cx">     }
</span><span class="cx">     
</span><del>-    heap()-&gt;m_codeBlocks-&gt;add(this);
</del><ins>+    heap()-&gt;m_codeBlocks.add(this);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> CodeBlock::CodeBlock(VM* vm, Structure* structure, ScriptExecutable* ownerExecutable, UnlinkedCodeBlock* unlinkedCodeBlock,
</span><span class="lines">@@ -2403,7 +2402,7 @@
</span><span class="cx">     if (Options::dumpGeneratedBytecodes())
</span><span class="cx">         dumpBytecode();
</span><span class="cx">     
</span><del>-    heap()-&gt;m_codeBlocks-&gt;add(this);
</del><ins>+    heap()-&gt;m_codeBlocks.add(this);
</ins><span class="cx">     heap()-&gt;reportExtraMemoryAllocated(m_instructions.size() * sizeof(Instruction));
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="lines">@@ -2440,7 +2439,7 @@
</span><span class="cx"> {
</span><span class="cx">     Base::finishCreation(vm);
</span><span class="cx"> 
</span><del>-    heap()-&gt;m_codeBlocks-&gt;add(this);
</del><ins>+    heap()-&gt;m_codeBlocks.add(this);
</ins><span class="cx"> }
</span><span class="cx"> #endif
</span><span class="cx"> 
</span><span class="lines">@@ -2844,14 +2843,6 @@
</span><span class="cx">     codeBlock-&gt;determineLiveness(visitor);
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-void CodeBlock::clearLLIntGetByIdCache(Instruction* instruction)
-{
-    instruction[0].u.opcode = LLInt::getOpcode(op_get_by_id);
-    instruction[4].u.pointer = nullptr;
-    instruction[5].u.pointer = nullptr;
-    instruction[6].u.pointer = nullptr;
-}
-
</del><span class="cx"> void CodeBlock::finalizeLLIntInlineCaches()
</span><span class="cx"> {
</span><span class="cx"> #if ENABLE(WEBASSEMBLY)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeCodeBlockh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/CodeBlock.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/CodeBlock.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/bytecode/CodeBlock.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -297,8 +297,6 @@
</span><span class="cx">     {
</span><span class="cx">         return m_jitCodeMap.get();
</span><span class="cx">     }
</span><del>-    
-    static void clearLLIntGetByIdCache(Instruction*);
</del><span class="cx"> 
</span><span class="cx">     unsigned bytecodeOffset(Instruction* returnAddress)
</span><span class="cx">     {
</span><span class="lines">@@ -1305,6 +1303,14 @@
</span><span class="cx"> };
</span><span class="cx"> #endif
</span><span class="cx"> 
</span><ins>+inline void clearLLIntGetByIdCache(Instruction* instruction)
+{
+    instruction[0].u.opcode = LLInt::getOpcode(op_get_by_id);
+    instruction[4].u.pointer = nullptr;
+    instruction[5].u.pointer = nullptr;
+    instruction[6].u.pointer = nullptr;
+}
+
</ins><span class="cx"> inline Register&amp; ExecState::r(int index)
</span><span class="cx"> {
</span><span class="cx">     CodeBlock* codeBlock = this-&gt;codeBlock();
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeInstructionh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/Instruction.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/Instruction.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/bytecode/Instruction.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -31,6 +31,7 @@
</span><span class="cx"> 
</span><span class="cx"> #include &quot;BasicBlockLocation.h&quot;
</span><span class="cx"> #include &quot;MacroAssembler.h&quot;
</span><ins>+#include &quot;Opcode.h&quot;
</ins><span class="cx"> #include &quot;PutByIdFlags.h&quot;
</span><span class="cx"> #include &quot;SymbolTable.h&quot;
</span><span class="cx"> #include &quot;TypeLocation.h&quot;
</span><span class="lines">@@ -51,12 +52,6 @@
</span><span class="cx"> struct LLIntCallLinkInfo;
</span><span class="cx"> struct ValueProfile;
</span><span class="cx"> 
</span><del>-#if ENABLE(COMPUTED_GOTO_OPCODES)
-typedef void* Opcode;
-#else
-typedef OpcodeID Opcode;
-#endif
-
</del><span class="cx"> struct Instruction {
</span><span class="cx">     Instruction()
</span><span class="cx">     {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeLLIntPrototypeLoadAdaptiveStructureWatchpointcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -28,7 +28,7 @@
</span><span class="cx"> 
</span><span class="cx"> #include &quot;CodeBlock.h&quot;
</span><span class="cx"> #include &quot;Instruction.h&quot;
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;StructureInlines.h&quot;
</ins><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span><span class="lines">@@ -59,7 +59,7 @@
</span><span class="cx"> 
</span><span class="cx">     StringFireDetail stringDetail(out.toCString().data());
</span><span class="cx"> 
</span><del>-    CodeBlock::clearLLIntGetByIdCache(m_getByIdInstruction);
</del><ins>+    clearLLIntGetByIdCache(m_getByIdInstruction);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> } // namespace JSC
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeObjectAllocationProfileh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/ObjectAllocationProfile.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/ObjectAllocationProfile.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/bytecode/ObjectAllocationProfile.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -45,7 +45,7 @@
</span><span class="cx">     {
</span><span class="cx">     }
</span><span class="cx"> 
</span><del>-    bool isNull() { return !m_structure; }
</del><ins>+    bool isNull() { return !m_allocator; }
</ins><span class="cx"> 
</span><span class="cx">     void initialize(VM&amp; vm, JSCell* owner, JSObject* prototype, unsigned inferredInlineCapacity)
</span><span class="cx">     {
</span><span class="lines">@@ -80,15 +80,14 @@
</span><span class="cx">         ASSERT(inlineCapacity &lt;= JSFinalObject::maxInlineCapacity());
</span><span class="cx"> 
</span><span class="cx">         size_t allocationSize = JSFinalObject::allocationSize(inlineCapacity);
</span><del>-        MarkedAllocator* allocator = vm.heap.allocatorForObjectWithoutDestructor(allocationSize);
-        
</del><ins>+        MarkedAllocator* allocator = &amp;vm.heap.allocatorForObjectWithoutDestructor(allocationSize);
+        ASSERT(allocator-&gt;cellSize());
+
</ins><span class="cx">         // Take advantage of extra inline capacity available in the size class.
</span><del>-        if (allocator) {
-            size_t slop = (allocator-&gt;cellSize() - allocationSize) / sizeof(WriteBarrier&lt;Unknown&gt;);
-            inlineCapacity += slop;
-            if (inlineCapacity &gt; JSFinalObject::maxInlineCapacity())
-                inlineCapacity = JSFinalObject::maxInlineCapacity();
-        }
</del><ins>+        size_t slop = (allocator-&gt;cellSize() - allocationSize) / sizeof(WriteBarrier&lt;Unknown&gt;);
+        inlineCapacity += slop;
+        if (inlineCapacity &gt; JSFinalObject::maxInlineCapacity())
+            inlineCapacity = JSFinalObject::maxInlineCapacity();
</ins><span class="cx"> 
</span><span class="cx">         Structure* structure = vm.prototypeMap.emptyObjectStructureForPrototype(prototype, inlineCapacity);
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeOpcodeh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/Opcode.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/Opcode.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/bytecode/Opcode.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -55,7 +55,7 @@
</span><span class="cx"> 
</span><span class="cx"> 
</span><span class="cx"> #define OPCODE_ID_ENUM(opcode, length) opcode,
</span><del>-    enum OpcodeID : unsigned { FOR_EACH_OPCODE_ID(OPCODE_ID_ENUM) };
</del><ins>+    typedef enum { FOR_EACH_OPCODE_ID(OPCODE_ID_ENUM) } OpcodeID;
</ins><span class="cx"> #undef OPCODE_ID_ENUM
</span><span class="cx"> 
</span><span class="cx"> const int maxOpcodeLength = 9;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodePolymorphicAccesscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/PolymorphicAccess.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/PolymorphicAccess.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/bytecode/PolymorphicAccess.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1206,18 +1206,19 @@
</span><span class="cx">             size_t newSize = newStructure()-&gt;outOfLineCapacity() * sizeof(JSValue);
</span><span class="cx">             
</span><span class="cx">             if (allocatingInline) {
</span><del>-                MarkedAllocator* allocator = vm.heap.allocatorForAuxiliaryData(newSize);
-                
-                if (!allocator) {
-                    // Yuck, this case would suck!
-                    slowPath.append(jit.jump());
-                }
-                
-                jit.move(CCallHelpers::TrustedImmPtr(allocator), scratchGPR2);
-                jit.emitAllocate(scratchGPR, allocator, scratchGPR2, scratchGPR3, slowPath);
-                jit.addPtr(CCallHelpers::TrustedImm32(newSize + sizeof(IndexingHeader)), scratchGPR);
-                
-                if (reallocating) {
</del><ins>+                CopiedAllocator* copiedAllocator = &amp;vm.heap.storageAllocator();
+
+                if (!reallocating) {
+                    jit.loadPtr(&amp;copiedAllocator-&gt;m_currentRemaining, scratchGPR);
+                    slowPath.append(
+                        jit.branchSubPtr(
+                            CCallHelpers::Signed, CCallHelpers::TrustedImm32(newSize), scratchGPR));
+                    jit.storePtr(scratchGPR, &amp;copiedAllocator-&gt;m_currentRemaining);
+                    jit.negPtr(scratchGPR);
+                    jit.addPtr(
+                        CCallHelpers::AbsoluteAddress(&amp;copiedAllocator-&gt;m_currentPayloadEnd), scratchGPR);
+                    jit.addPtr(CCallHelpers::TrustedImm32(sizeof(JSValue)), scratchGPR);
+                } else {
</ins><span class="cx">                     // Handle the case where we are reallocating (i.e. the old structure/butterfly
</span><span class="cx">                     // already had out-of-line property storage).
</span><span class="cx">                     size_t oldSize = structure()-&gt;outOfLineCapacity() * sizeof(JSValue);
</span><span class="lines">@@ -1224,7 +1225,15 @@
</span><span class="cx">                     ASSERT(newSize &gt; oldSize);
</span><span class="cx">             
</span><span class="cx">                     jit.loadPtr(CCallHelpers::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR3);
</span><del>-                    
</del><ins>+                    jit.loadPtr(&amp;copiedAllocator-&gt;m_currentRemaining, scratchGPR);
+                    slowPath.append(
+                        jit.branchSubPtr(
+                            CCallHelpers::Signed, CCallHelpers::TrustedImm32(newSize), scratchGPR));
+                    jit.storePtr(scratchGPR, &amp;copiedAllocator-&gt;m_currentRemaining);
+                    jit.negPtr(scratchGPR);
+                    jit.addPtr(
+                        CCallHelpers::AbsoluteAddress(&amp;copiedAllocator-&gt;m_currentPayloadEnd), scratchGPR);
+                    jit.addPtr(CCallHelpers::TrustedImm32(sizeof(JSValue)), scratchGPR);
</ins><span class="cx">                     // We have scratchGPR = new storage, scratchGPR3 = old storage,
</span><span class="cx">                     // scratchGPR2 = available
</span><span class="cx">                     for (size_t offset = 0; offset &lt; oldSize; offset += sizeof(void*)) {
</span><span class="lines">@@ -1650,7 +1659,6 @@
</span><span class="cx">         // Cascade through the list, preferring newer entries.
</span><span class="cx">         for (unsigned i = cases.size(); i--;) {
</span><span class="cx">             fallThrough.link(&amp;jit);
</span><del>-            fallThrough.clear();
</del><span class="cx">             cases[i]-&gt;generateWithGuard(state, fallThrough);
</span><span class="cx">         }
</span><span class="cx">         state.failAndRepatch.append(fallThrough);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodePolymorphicAccessh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/PolymorphicAccess.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/PolymorphicAccess.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/bytecode/PolymorphicAccess.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -29,10 +29,10 @@
</span><span class="cx"> #if ENABLE(JIT)
</span><span class="cx"> 
</span><span class="cx"> #include &quot;CodeOrigin.h&quot;
</span><del>-#include &quot;JITStubRoutine.h&quot;
</del><span class="cx"> #include &quot;JSFunctionInlines.h&quot;
</span><span class="cx"> #include &quot;MacroAssembler.h&quot;
</span><span class="cx"> #include &quot;ObjectPropertyConditionSet.h&quot;
</span><ins>+#include &quot;Opcode.h&quot;
</ins><span class="cx"> #include &quot;ScratchRegisterAllocator.h&quot;
</span><span class="cx"> #include &quot;Structure.h&quot;
</span><span class="cx"> #include &lt;wtf/Vector.h&gt;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodePreciseJumpTargetscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/PreciseJumpTargets.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/PreciseJumpTargets.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/bytecode/PreciseJumpTargets.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -26,7 +26,6 @@
</span><span class="cx"> #include &quot;config.h&quot;
</span><span class="cx"> #include &quot;PreciseJumpTargets.h&quot;
</span><span class="cx"> 
</span><del>-#include &quot;Interpreter.h&quot;
</del><span class="cx"> #include &quot;JSCInlines.h&quot;
</span><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeStructureStubInfocpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/StructureStubInfo.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/StructureStubInfo.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/bytecode/StructureStubInfo.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -27,7 +27,6 @@
</span><span class="cx"> #include &quot;StructureStubInfo.h&quot;
</span><span class="cx"> 
</span><span class="cx"> #include &quot;JSObject.h&quot;
</span><del>-#include &quot;JSCInlines.h&quot;
</del><span class="cx"> #include &quot;PolymorphicAccess.h&quot;
</span><span class="cx"> #include &quot;Repatch.h&quot;
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeStructureStubInfoh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/StructureStubInfo.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/StructureStubInfo.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/bytecode/StructureStubInfo.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -31,6 +31,7 @@
</span><span class="cx"> #include &quot;JITStubRoutine.h&quot;
</span><span class="cx"> #include &quot;MacroAssembler.h&quot;
</span><span class="cx"> #include &quot;ObjectPropertyConditionSet.h&quot;
</span><ins>+#include &quot;Opcode.h&quot;
</ins><span class="cx"> #include &quot;Options.h&quot;
</span><span class="cx"> #include &quot;RegisterSet.h&quot;
</span><span class="cx"> #include &quot;Structure.h&quot;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeUnlinkedCodeBlockcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -88,6 +88,11 @@
</span><span class="cx">     ASSERT(m_constructorKind == static_cast&lt;unsigned&gt;(info.constructorKind()));
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+VM* UnlinkedCodeBlock::vm() const
+{
+    return MarkedBlock::blockFor(this)-&gt;vm();
+}
+
</ins><span class="cx"> void UnlinkedCodeBlock::visitChildren(JSCell* cell, SlotVisitor&amp; visitor)
</span><span class="cx"> {
</span><span class="cx">     UnlinkedCodeBlock* thisObject = jsCast&lt;UnlinkedCodeBlock*&gt;(cell);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeUnlinkedCodeBlockh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -268,6 +268,8 @@
</span><span class="cx">     void addExceptionHandler(const UnlinkedHandlerInfo&amp; handler) { createRareDataIfNecessary(); return m_rareData-&gt;m_exceptionHandlers.append(handler); }
</span><span class="cx">     UnlinkedHandlerInfo&amp; exceptionHandler(int index) { ASSERT(m_rareData); return m_rareData-&gt;m_exceptionHandlers[index]; }
</span><span class="cx"> 
</span><ins>+    VM* vm() const;
+
</ins><span class="cx">     UnlinkedArrayProfile addArrayProfile() { return m_arrayProfileCount++; }
</span><span class="cx">     unsigned numberOfArrayProfiles() { return m_arrayProfileCount; }
</span><span class="cx">     UnlinkedArrayAllocationProfile addArrayAllocationProfile() { return m_arrayAllocationProfileCount++; }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeUnlinkedInstructionStreamcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/UnlinkedInstructionStream.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/UnlinkedInstructionStream.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/bytecode/UnlinkedInstructionStream.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -26,8 +26,6 @@
</span><span class="cx"> #include &quot;config.h&quot;
</span><span class="cx"> #include &quot;UnlinkedInstructionStream.h&quot;
</span><span class="cx"> 
</span><del>-#include &quot;Opcode.h&quot;
-
</del><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span><span class="cx"> static void append8(unsigned char*&amp; ptr, unsigned char value)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeUnlinkedInstructionStreamh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/UnlinkedInstructionStream.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/UnlinkedInstructionStream.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/bytecode/UnlinkedInstructionStream.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -27,7 +27,6 @@
</span><span class="cx"> #ifndef UnlinkedInstructionStream_h
</span><span class="cx"> #define UnlinkedInstructionStream_h
</span><span class="cx"> 
</span><del>-#include &quot;Opcode.h&quot;
</del><span class="cx"> #include &quot;UnlinkedCodeBlock.h&quot;
</span><span class="cx"> #include &lt;wtf/RefCountedArray.h&gt;
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGOperationscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -914,6 +914,7 @@
</span><span class="cx">         return bitwise_cast&lt;char*&gt;(exec-&gt;vm().throwException(exec, createRangeError(exec, ASCIILiteral(&quot;Array size is not a small enough positive integer.&quot;))));
</span><span class="cx"> 
</span><span class="cx">     JSArray* result = JSArray::create(*vm, arrayStructure, size);
</span><ins>+    result-&gt;butterfly(); // Ensure that the backing store is in to-space.
</ins><span class="cx">     return bitwise_cast&lt;char*&gt;(result);
</span><span class="cx"> }
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJITcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -94,7 +94,7 @@
</span><span class="cx">     GPRReg scratch2GPR = scratch2.gpr();
</span><span class="cx"> 
</span><span class="cx">     ASSERT(vectorLength &gt;= numElements);
</span><del>-    vectorLength = Butterfly::optimalContiguousVectorLength(structure, vectorLength);
</del><ins>+    vectorLength = std::max(BASE_VECTOR_LEN, vectorLength);
</ins><span class="cx">     
</span><span class="cx">     JITCompiler::JumpList slowCases;
</span><span class="cx"> 
</span><span class="lines">@@ -104,29 +104,23 @@
</span><span class="cx">     size += outOfLineCapacity * sizeof(JSValue);
</span><span class="cx"> 
</span><span class="cx">     if (size) {
</span><del>-        if (MarkedAllocator* allocator = m_jit.vm()-&gt;heap.allocatorForAuxiliaryData(size)) {
-            m_jit.move(TrustedImmPtr(allocator), scratchGPR);
-            m_jit.emitAllocate(storageGPR, allocator, scratchGPR, scratch2GPR, slowCases);
-            
-            m_jit.addPtr(
-                TrustedImm32(outOfLineCapacity * sizeof(JSValue) + sizeof(IndexingHeader)),
-                storageGPR);
-        } else
-            slowCases.append(m_jit.jump());
</del><ins>+        slowCases.append(
+            emitAllocateBasicStorage(TrustedImm32(size), storageGPR));
+        if (hasIndexingHeader)
+            m_jit.subPtr(TrustedImm32(vectorLength * sizeof(JSValue)), storageGPR);
+        else
+            m_jit.addPtr(TrustedImm32(sizeof(IndexingHeader)), storageGPR);
</ins><span class="cx">     } else
</span><span class="cx">         m_jit.move(TrustedImmPtr(0), storageGPR);
</span><span class="cx"> 
</span><span class="cx">     size_t allocationSize = JSFinalObject::allocationSize(inlineCapacity);
</span><del>-    MarkedAllocator* allocatorPtr = m_jit.vm()-&gt;heap.allocatorForObjectWithoutDestructor(allocationSize);
-    if (allocatorPtr) {
-        m_jit.move(TrustedImmPtr(allocatorPtr), scratchGPR);
-        emitAllocateJSObject(resultGPR, allocatorPtr, scratchGPR, TrustedImmPtr(structure), storageGPR, scratch2GPR, slowCases);
-        
-        if (hasIndexingHeader)
-            m_jit.store32(TrustedImm32(vectorLength), MacroAssembler::Address(storageGPR, Butterfly::offsetOfVectorLength()));
-    } else
-        slowCases.append(m_jit.jump());
</del><ins>+    MarkedAllocator* allocatorPtr = &amp;m_jit.vm()-&gt;heap.allocatorForObjectWithoutDestructor(allocationSize);
+    m_jit.move(TrustedImmPtr(allocatorPtr), scratchGPR);
+    emitAllocateJSObject(resultGPR, scratchGPR, TrustedImmPtr(structure), storageGPR, scratch2GPR, slowCases);
</ins><span class="cx"> 
</span><ins>+    if (hasIndexingHeader)
+        m_jit.store32(TrustedImm32(vectorLength), MacroAssembler::Address(storageGPR, Butterfly::offsetOfVectorLength()));
+
</ins><span class="cx">     // I want a slow path that also loads out the storage pointer, and that's
</span><span class="cx">     // what this custom CallArrayAllocatorSlowPathGenerator gives me. It's a lot
</span><span class="cx">     // of work for a very small piece of functionality. :-/
</span><span class="lines">@@ -134,20 +128,14 @@
</span><span class="cx">         slowCases, this, operationNewRawObject, resultGPR, storageGPR,
</span><span class="cx">         structure, vectorLength));
</span><span class="cx"> 
</span><del>-    if (numElements &lt; vectorLength) {
</del><ins>+    if (hasDouble(structure-&gt;indexingType()) &amp;&amp; numElements &lt; vectorLength) {
</ins><span class="cx"> #if USE(JSVALUE64)
</span><del>-        if (hasDouble(structure-&gt;indexingType()))
-            m_jit.move(TrustedImm64(bitwise_cast&lt;int64_t&gt;(PNaN)), scratchGPR);
-        else
-            m_jit.move(TrustedImm64(JSValue::encode(JSValue())), scratchGPR);
</del><ins>+        m_jit.move(TrustedImm64(bitwise_cast&lt;int64_t&gt;(PNaN)), scratchGPR);
</ins><span class="cx">         for (unsigned i = numElements; i &lt; vectorLength; ++i)
</span><span class="cx">             m_jit.store64(scratchGPR, MacroAssembler::Address(storageGPR, sizeof(double) * i));
</span><span class="cx"> #else
</span><span class="cx">         EncodedValueDescriptor value;
</span><del>-        if (hasDouble(structure-&gt;indexingType()))
-            value.asInt64 = JSValue::encode(JSValue(JSValue::EncodeAsDouble, PNaN));
-        else
-            value.asInt64 = JSValue::encode(JSValue());
</del><ins>+        value.asInt64 = JSValue::encode(JSValue(JSValue::EncodeAsDouble, PNaN));
</ins><span class="cx">         for (unsigned i = numElements; i &lt; vectorLength; ++i) {
</span><span class="cx">             m_jit.store32(TrustedImm32(value.asBits.tag), MacroAssembler::Address(storageGPR, sizeof(double) * i + OBJECT_OFFSETOF(JSValue, u.asBits.tag)));
</span><span class="cx">             m_jit.store32(TrustedImm32(value.asBits.payload), MacroAssembler::Address(storageGPR, sizeof(double) * i + OBJECT_OFFSETOF(JSValue, u.asBits.payload)));
</span><span class="lines">@@ -3834,10 +3822,9 @@
</span><span class="cx">     GPRReg scratchGPR = scratch.gpr();
</span><span class="cx">     
</span><span class="cx">     JITCompiler::JumpList slowPath;
</span><del>-    MarkedAllocator* markedAllocator = m_jit.vm()-&gt;heap.allocatorForObjectWithDestructor(sizeof(JSRopeString));
-    RELEASE_ASSERT(markedAllocator);
-    m_jit.move(TrustedImmPtr(markedAllocator), allocatorGPR);
-    emitAllocateJSCell(resultGPR, markedAllocator, allocatorGPR, TrustedImmPtr(m_jit.vm()-&gt;stringStructure.get()), scratchGPR, slowPath);
</del><ins>+    MarkedAllocator&amp; markedAllocator = m_jit.vm()-&gt;heap.allocatorForObjectWithDestructor(sizeof(JSRopeString));
+    m_jit.move(TrustedImmPtr(&amp;markedAllocator), allocatorGPR);
+    emitAllocateJSCell(resultGPR, allocatorGPR, TrustedImmPtr(m_jit.vm()-&gt;stringStructure.get()), scratchGPR, slowPath);
</ins><span class="cx">         
</span><span class="cx">     m_jit.storePtr(TrustedImmPtr(0), JITCompiler::Address(resultGPR, JSString::offsetOfValue()));
</span><span class="cx">     for (unsigned i = 0; i &lt; numOpGPRs; ++i)
</span><span class="lines">@@ -6859,14 +6846,7 @@
</span><span class="cx"> 
</span><span class="cx"> void SpeculativeJIT::compileAllocatePropertyStorage(Node* node)
</span><span class="cx"> {
</span><del>-    ASSERT(!node-&gt;transition()-&gt;previous-&gt;outOfLineCapacity());
-    ASSERT(initialOutOfLineCapacity == node-&gt;transition()-&gt;next-&gt;outOfLineCapacity());
-    
-    size_t size = initialOutOfLineCapacity * sizeof(JSValue);
-
-    MarkedAllocator* allocator = m_jit.vm()-&gt;heap.allocatorForAuxiliaryData(size);
-
-    if (!allocator || node-&gt;transition()-&gt;previous-&gt;couldHaveIndexingHeader()) {
</del><ins>+    if (node-&gt;transition()-&gt;previous-&gt;couldHaveIndexingHeader()) {
</ins><span class="cx">         SpeculateCellOperand base(this, node-&gt;child1());
</span><span class="cx">         
</span><span class="cx">         GPRReg baseGPR = base.gpr();
</span><span class="lines">@@ -6883,18 +6863,18 @@
</span><span class="cx">     
</span><span class="cx">     SpeculateCellOperand base(this, node-&gt;child1());
</span><span class="cx">     GPRTemporary scratch1(this);
</span><del>-    GPRTemporary scratch2(this);
-    GPRTemporary scratch3(this);
</del><span class="cx">         
</span><span class="cx">     GPRReg baseGPR = base.gpr();
</span><span class="cx">     GPRReg scratchGPR1 = scratch1.gpr();
</span><del>-    GPRReg scratchGPR2 = scratch2.gpr();
-    GPRReg scratchGPR3 = scratch3.gpr();
</del><span class="cx">         
</span><del>-    m_jit.move(JITCompiler::TrustedImmPtr(allocator), scratchGPR2);
-    JITCompiler::JumpList slowPath;
-    m_jit.emitAllocate(scratchGPR1, allocator, scratchGPR2, scratchGPR3, slowPath);
-    m_jit.addPtr(JITCompiler::TrustedImm32(size + sizeof(IndexingHeader)), scratchGPR1);
</del><ins>+    ASSERT(!node-&gt;transition()-&gt;previous-&gt;outOfLineCapacity());
+    ASSERT(initialOutOfLineCapacity == node-&gt;transition()-&gt;next-&gt;outOfLineCapacity());
+    
+    JITCompiler::Jump slowPath =
+        emitAllocateBasicStorage(
+            TrustedImm32(initialOutOfLineCapacity * sizeof(JSValue)), scratchGPR1);
+
+    m_jit.addPtr(JITCompiler::TrustedImm32(sizeof(IndexingHeader)), scratchGPR1);
</ins><span class="cx">         
</span><span class="cx">     addSlowPathGenerator(
</span><span class="cx">         slowPathCall(slowPath, this, operationAllocatePropertyStorageWithInitialCapacity, scratchGPR1));
</span><span class="lines">@@ -6909,10 +6889,8 @@
</span><span class="cx">     size_t oldSize = node-&gt;transition()-&gt;previous-&gt;outOfLineCapacity() * sizeof(JSValue);
</span><span class="cx">     size_t newSize = oldSize * outOfLineGrowthFactor;
</span><span class="cx">     ASSERT(newSize == node-&gt;transition()-&gt;next-&gt;outOfLineCapacity() * sizeof(JSValue));
</span><del>-    
-    MarkedAllocator* allocator = m_jit.vm()-&gt;heap.allocatorForAuxiliaryData(newSize);
</del><span class="cx"> 
</span><del>-    if (!allocator || node-&gt;transition()-&gt;previous-&gt;couldHaveIndexingHeader()) {
</del><ins>+    if (node-&gt;transition()-&gt;previous-&gt;couldHaveIndexingHeader()) {
</ins><span class="cx">         SpeculateCellOperand base(this, node-&gt;child1());
</span><span class="cx">         
</span><span class="cx">         GPRReg baseGPR = base.gpr();
</span><span class="lines">@@ -6931,20 +6909,17 @@
</span><span class="cx">     StorageOperand oldStorage(this, node-&gt;child2());
</span><span class="cx">     GPRTemporary scratch1(this);
</span><span class="cx">     GPRTemporary scratch2(this);
</span><del>-    GPRTemporary scratch3(this);
</del><span class="cx">         
</span><span class="cx">     GPRReg baseGPR = base.gpr();
</span><span class="cx">     GPRReg oldStorageGPR = oldStorage.gpr();
</span><span class="cx">     GPRReg scratchGPR1 = scratch1.gpr();
</span><span class="cx">     GPRReg scratchGPR2 = scratch2.gpr();
</span><del>-    GPRReg scratchGPR3 = scratch3.gpr();
-    
-    JITCompiler::JumpList slowPath;
-    m_jit.move(JITCompiler::TrustedImmPtr(allocator), scratchGPR2);
-    m_jit.emitAllocate(scratchGPR1, allocator, scratchGPR2, scratchGPR3, slowPath);
-    
-    m_jit.addPtr(JITCompiler::TrustedImm32(newSize + sizeof(IndexingHeader)), scratchGPR1);
</del><span class="cx">         
</span><ins>+    JITCompiler::Jump slowPath =
+        emitAllocateBasicStorage(TrustedImm32(newSize), scratchGPR1);
+
+    m_jit.addPtr(JITCompiler::TrustedImm32(sizeof(IndexingHeader)), scratchGPR1);
+        
</ins><span class="cx">     addSlowPathGenerator(
</span><span class="cx">         slowPathCall(slowPath, this, operationAllocatePropertyStorage, scratchGPR1, newSize / sizeof(JSValue)));
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJITh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -2555,21 +2555,18 @@
</span><span class="cx"> 
</span><span class="cx">     // Allocator for a cell of a specific size.
</span><span class="cx">     template &lt;typename StructureType&gt; // StructureType can be GPR or ImmPtr.
</span><del>-    void emitAllocateJSCell(
-        GPRReg resultGPR, MarkedAllocator* allocator, GPRReg allocatorGPR, StructureType structure,
</del><ins>+    void emitAllocateJSCell(GPRReg resultGPR, GPRReg allocatorGPR, StructureType structure,
</ins><span class="cx">         GPRReg scratchGPR, MacroAssembler::JumpList&amp; slowPath)
</span><span class="cx">     {
</span><del>-        m_jit.emitAllocateJSCell(resultGPR, allocator, allocatorGPR, structure, scratchGPR, slowPath);
</del><ins>+        m_jit.emitAllocateJSCell(resultGPR, allocatorGPR, structure, scratchGPR, slowPath);
</ins><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     // Allocator for an object of a specific size.
</span><span class="cx">     template &lt;typename StructureType, typename StorageType&gt; // StructureType and StorageType can be GPR or ImmPtr.
</span><del>-    void emitAllocateJSObject(
-        GPRReg resultGPR, MarkedAllocator* allocator, GPRReg allocatorGPR, StructureType structure,
</del><ins>+    void emitAllocateJSObject(GPRReg resultGPR, GPRReg allocatorGPR, StructureType structure,
</ins><span class="cx">         StorageType storage, GPRReg scratchGPR, MacroAssembler::JumpList&amp; slowPath)
</span><span class="cx">     {
</span><del>-        m_jit.emitAllocateJSObject(
-            resultGPR, allocator, allocatorGPR, structure, storage, scratchGPR, slowPath);
</del><ins>+        m_jit.emitAllocateJSObject(resultGPR, allocatorGPR, structure, storage, scratchGPR, slowPath);
</ins><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     template &lt;typename ClassType, typename StructureType, typename StorageType&gt; // StructureType and StorageType can be GPR or ImmPtr.
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJIT32_64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -4068,7 +4068,7 @@
</span><span class="cx">         m_jit.loadPtr(JITCompiler::Address(rareDataGPR, FunctionRareData::offsetOfObjectAllocationProfile() + ObjectAllocationProfile::offsetOfAllocator()), allocatorGPR);
</span><span class="cx">         m_jit.loadPtr(JITCompiler::Address(rareDataGPR, FunctionRareData::offsetOfObjectAllocationProfile() + ObjectAllocationProfile::offsetOfStructure()), structureGPR);
</span><span class="cx">         slowPath.append(m_jit.branchTestPtr(MacroAssembler::Zero, allocatorGPR));
</span><del>-        emitAllocateJSObject(resultGPR, nullptr, allocatorGPR, structureGPR, TrustedImmPtr(0), scratchGPR, slowPath);
</del><ins>+        emitAllocateJSObject(resultGPR, allocatorGPR, structureGPR, TrustedImmPtr(0), scratchGPR, slowPath);
</ins><span class="cx"> 
</span><span class="cx">         addSlowPathGenerator(slowPathCall(slowPath, this, operationCreateThis, resultGPR, calleeGPR, node-&gt;inlineCapacity()));
</span><span class="cx">         
</span><span class="lines">@@ -4089,10 +4089,10 @@
</span><span class="cx">         
</span><span class="cx">         Structure* structure = node-&gt;structure();
</span><span class="cx">         size_t allocationSize = JSFinalObject::allocationSize(structure-&gt;inlineCapacity());
</span><del>-        MarkedAllocator* allocatorPtr = m_jit.vm()-&gt;heap.allocatorForObjectWithoutDestructor(allocationSize);
</del><ins>+        MarkedAllocator* allocatorPtr = &amp;m_jit.vm()-&gt;heap.allocatorForObjectWithoutDestructor(allocationSize);
</ins><span class="cx"> 
</span><span class="cx">         m_jit.move(TrustedImmPtr(allocatorPtr), allocatorGPR);
</span><del>-        emitAllocateJSObject(resultGPR, allocatorPtr, allocatorGPR, TrustedImmPtr(structure), TrustedImmPtr(0), scratchGPR, slowPath);
</del><ins>+        emitAllocateJSObject(resultGPR, allocatorGPR, TrustedImmPtr(structure), TrustedImmPtr(0), scratchGPR, slowPath);
</ins><span class="cx"> 
</span><span class="cx">         addSlowPathGenerator(slowPathCall(slowPath, this, operationNewObject, resultGPR, structure));
</span><span class="cx">         
</span><span class="lines">@@ -5396,40 +5396,37 @@
</span><span class="cx">     GPRReg storageGPR = storage.gpr();
</span><span class="cx">     GPRReg scratchGPR = scratch.gpr();
</span><span class="cx">     GPRReg scratch2GPR = scratch2.gpr();
</span><del>-            
</del><ins>+    
</ins><span class="cx">     MacroAssembler::JumpList slowCases;
</span><span class="cx">     if (shouldConvertLargeSizeToArrayStorage)
</span><span class="cx">         slowCases.append(m_jit.branch32(MacroAssembler::AboveOrEqual, sizeGPR, TrustedImm32(MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH)));
</span><del>-            
</del><ins>+    
</ins><span class="cx">     ASSERT((1 &lt;&lt; 3) == sizeof(JSValue));
</span><span class="cx">     m_jit.move(sizeGPR, scratchGPR);
</span><span class="cx">     m_jit.lshift32(TrustedImm32(3), scratchGPR);
</span><span class="cx">     m_jit.add32(TrustedImm32(sizeof(IndexingHeader)), scratchGPR, resultGPR);
</span><del>-    m_jit.emitAllocateVariableSized(
-        storageGPR, m_jit.vm()-&gt;heap.subspaceForAuxiliaryData(), resultGPR, scratchGPR,
-        scratch2GPR, slowCases);
-    m_jit.addPtr(TrustedImm32(sizeof(IndexingHeader)), storageGPR);
</del><ins>+    slowCases.append(
+        emitAllocateBasicStorage(resultGPR, storageGPR));
+    m_jit.subPtr(scratchGPR, storageGPR);
</ins><span class="cx">     Structure* structure = globalObject-&gt;arrayStructureForIndexingTypeDuringAllocation(indexingType);
</span><span class="cx">     emitAllocateJSObject&lt;JSArray&gt;(resultGPR, TrustedImmPtr(structure), storageGPR, scratchGPR, scratch2GPR, slowCases);
</span><del>-            
</del><ins>+    
</ins><span class="cx">     m_jit.store32(sizeGPR, MacroAssembler::Address(storageGPR, Butterfly::offsetOfPublicLength()));
</span><span class="cx">     m_jit.store32(sizeGPR, MacroAssembler::Address(storageGPR, Butterfly::offsetOfVectorLength()));
</span><del>-            
-    JSValue hole;
-    if (hasDouble(indexingType))
-        hole = JSValue(JSValue::EncodeAsDouble, PNaN);
-    else
-        hole = JSValue();
-            
-    m_jit.move(sizeGPR, scratchGPR);
-    MacroAssembler::Jump done = m_jit.branchTest32(MacroAssembler::Zero, scratchGPR);
-    MacroAssembler::Label loop = m_jit.label();
-    m_jit.sub32(TrustedImm32(1), scratchGPR);
-    m_jit.store32(TrustedImm32(hole.u.asBits.tag), MacroAssembler::BaseIndex(storageGPR, scratchGPR, MacroAssembler::TimesEight, OBJECT_OFFSETOF(JSValue, u.asBits.tag)));
-    m_jit.store32(TrustedImm32(hole.u.asBits.payload), MacroAssembler::BaseIndex(storageGPR, scratchGPR, MacroAssembler::TimesEight, OBJECT_OFFSETOF(JSValue, u.asBits.payload)));
-    m_jit.branchTest32(MacroAssembler::NonZero, scratchGPR).linkTo(loop, &amp;m_jit);
-    done.link(&amp;m_jit);
</del><span class="cx">     
</span><ins>+    if (hasDouble(indexingType)) {
+        JSValue nan = JSValue(JSValue::EncodeAsDouble, PNaN);
+        
+        m_jit.move(sizeGPR, scratchGPR);
+        MacroAssembler::Jump done = m_jit.branchTest32(MacroAssembler::Zero, scratchGPR);
+        MacroAssembler::Label loop = m_jit.label();
+        m_jit.sub32(TrustedImm32(1), scratchGPR);
+        m_jit.store32(TrustedImm32(nan.u.asBits.tag), MacroAssembler::BaseIndex(storageGPR, scratchGPR, MacroAssembler::TimesEight, OBJECT_OFFSETOF(JSValue, u.asBits.tag)));
+        m_jit.store32(TrustedImm32(nan.u.asBits.payload), MacroAssembler::BaseIndex(storageGPR, scratchGPR, MacroAssembler::TimesEight, OBJECT_OFFSETOF(JSValue, u.asBits.payload)));
+        m_jit.branchTest32(MacroAssembler::NonZero, scratchGPR).linkTo(loop, &amp;m_jit);
+        done.link(&amp;m_jit);
+    }
+    
</ins><span class="cx">     addSlowPathGenerator(std::make_unique&lt;CallArrayAllocatorWithVariableSizeSlowPathGenerator&gt;(
</span><span class="cx">         slowCases, this, operationNewArrayWithSize, resultGPR,
</span><span class="cx">         structure,
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJIT64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -4013,7 +4013,7 @@
</span><span class="cx">         m_jit.loadPtr(JITCompiler::Address(rareDataGPR, FunctionRareData::offsetOfObjectAllocationProfile() + ObjectAllocationProfile::offsetOfAllocator()), allocatorGPR);
</span><span class="cx">         m_jit.loadPtr(JITCompiler::Address(rareDataGPR, FunctionRareData::offsetOfObjectAllocationProfile() + ObjectAllocationProfile::offsetOfStructure()), structureGPR);
</span><span class="cx">         slowPath.append(m_jit.branchTestPtr(MacroAssembler::Zero, allocatorGPR));
</span><del>-        emitAllocateJSObject(resultGPR, nullptr, allocatorGPR, structureGPR, TrustedImmPtr(0), scratchGPR, slowPath);
</del><ins>+        emitAllocateJSObject(resultGPR, allocatorGPR, structureGPR, TrustedImmPtr(0), scratchGPR, slowPath);
</ins><span class="cx"> 
</span><span class="cx">         addSlowPathGenerator(slowPathCall(slowPath, this, operationCreateThis, resultGPR, calleeGPR, node-&gt;inlineCapacity()));
</span><span class="cx">         
</span><span class="lines">@@ -4034,10 +4034,10 @@
</span><span class="cx"> 
</span><span class="cx">         Structure* structure = node-&gt;structure();
</span><span class="cx">         size_t allocationSize = JSFinalObject::allocationSize(structure-&gt;inlineCapacity());
</span><del>-        MarkedAllocator* allocatorPtr = m_jit.vm()-&gt;heap.allocatorForObjectWithoutDestructor(allocationSize);
</del><ins>+        MarkedAllocator* allocatorPtr = &amp;m_jit.vm()-&gt;heap.allocatorForObjectWithoutDestructor(allocationSize);
</ins><span class="cx"> 
</span><span class="cx">         m_jit.move(TrustedImmPtr(allocatorPtr), allocatorGPR);
</span><del>-        emitAllocateJSObject(resultGPR, allocatorPtr, allocatorGPR, TrustedImmPtr(structure), TrustedImmPtr(0), scratchGPR, slowPath);
</del><ins>+        emitAllocateJSObject(resultGPR, allocatorGPR, TrustedImmPtr(structure), TrustedImmPtr(0), scratchGPR, slowPath);
</ins><span class="cx"> 
</span><span class="cx">         addSlowPathGenerator(slowPathCall(slowPath, this, operationNewObject, resultGPR, structure));
</span><span class="cx">         
</span><span class="lines">@@ -5272,7 +5272,7 @@
</span><span class="cx"> 
</span><span class="cx">         unsigned bytecodeIndex = node-&gt;origin.semantic.bytecodeIndex;
</span><span class="cx">         auto triggerIterator = m_jit.jitCode()-&gt;tierUpEntryTriggers.find(bytecodeIndex);
</span><del>-        DFG_ASSERT(m_jit.graph(), node, triggerIterator != m_jit.jitCode()-&gt;tierUpEntryTriggers.end());
</del><ins>+        RELEASE_ASSERT(triggerIterator != m_jit.jitCode()-&gt;tierUpEntryTriggers.end());
</ins><span class="cx">         uint8_t* forceEntryTrigger = &amp;(m_jit.jitCode()-&gt;tierUpEntryTriggers.find(bytecodeIndex)-&gt;value);
</span><span class="cx"> 
</span><span class="cx">         MacroAssembler::Jump forceOSREntry = m_jit.branchTest8(MacroAssembler::NonZero, MacroAssembler::AbsoluteAddress(forceEntryTrigger));
</span><span class="lines">@@ -5459,34 +5459,31 @@
</span><span class="cx">     MacroAssembler::JumpList slowCases;
</span><span class="cx">     if (shouldConvertLargeSizeToArrayStorage)
</span><span class="cx">         slowCases.append(m_jit.branch32(MacroAssembler::AboveOrEqual, sizeGPR, TrustedImm32(MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH)));
</span><del>-            
</del><ins>+    
</ins><span class="cx">     ASSERT((1 &lt;&lt; 3) == sizeof(JSValue));
</span><span class="cx">     m_jit.move(sizeGPR, scratchGPR);
</span><span class="cx">     m_jit.lshift32(TrustedImm32(3), scratchGPR);
</span><span class="cx">     m_jit.add32(TrustedImm32(sizeof(IndexingHeader)), scratchGPR, resultGPR);
</span><del>-    m_jit.emitAllocateVariableSized(
-        storageGPR, m_jit.vm()-&gt;heap.subspaceForAuxiliaryData(), resultGPR, scratchGPR,
-        scratch2GPR, slowCases);
-    m_jit.addPtr(TrustedImm32(sizeof(IndexingHeader)), storageGPR);
</del><ins>+    slowCases.append(
+        emitAllocateBasicStorage(resultGPR, storageGPR));
+    m_jit.subPtr(scratchGPR, storageGPR);
</ins><span class="cx">     Structure* structure = globalObject-&gt;arrayStructureForIndexingTypeDuringAllocation(indexingType);
</span><del>-            
</del><span class="cx">     emitAllocateJSObject&lt;JSArray&gt;(resultGPR, TrustedImmPtr(structure), storageGPR, scratchGPR, scratch2GPR, slowCases);
</span><span class="cx">     
</span><span class="cx">     m_jit.store32(sizeGPR, MacroAssembler::Address(storageGPR, Butterfly::offsetOfPublicLength()));
</span><span class="cx">     m_jit.store32(sizeGPR, MacroAssembler::Address(storageGPR, Butterfly::offsetOfVectorLength()));
</span><del>-            
-    if (hasDouble(indexingType))
</del><ins>+    
+    if (hasDouble(indexingType)) {
</ins><span class="cx">         m_jit.move(TrustedImm64(bitwise_cast&lt;int64_t&gt;(PNaN)), scratchGPR);
</span><del>-    else
-        m_jit.move(TrustedImm64(JSValue::encode(JSValue())), scratchGPR);
-    m_jit.move(sizeGPR, scratch2GPR);
-    MacroAssembler::Jump done = m_jit.branchTest32(MacroAssembler::Zero, scratch2GPR);
-    MacroAssembler::Label loop = m_jit.label();
-    m_jit.sub32(TrustedImm32(1), scratch2GPR);
-    m_jit.store64(scratchGPR, MacroAssembler::BaseIndex(storageGPR, scratch2GPR, MacroAssembler::TimesEight));
-    m_jit.branchTest32(MacroAssembler::NonZero, scratch2GPR).linkTo(loop, &amp;m_jit);
-    done.link(&amp;m_jit);
-            
</del><ins>+        m_jit.move(sizeGPR, scratch2GPR);
+        MacroAssembler::Jump done = m_jit.branchTest32(MacroAssembler::Zero, scratch2GPR);
+        MacroAssembler::Label loop = m_jit.label();
+        m_jit.sub32(TrustedImm32(1), scratch2GPR);
+        m_jit.store64(scratchGPR, MacroAssembler::BaseIndex(storageGPR, scratch2GPR, MacroAssembler::TimesEight));
+        m_jit.branchTest32(MacroAssembler::NonZero, scratch2GPR).linkTo(loop, &amp;m_jit);
+        done.link(&amp;m_jit);
+    }
+    
</ins><span class="cx">     addSlowPathGenerator(std::make_unique&lt;CallArrayAllocatorWithVariableSizeSlowPathGenerator&gt;(
</span><span class="cx">         slowCases, this, operationNewArrayWithSize, resultGPR,
</span><span class="cx">         structure,
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGStrengthReductionPhasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -40,7 +40,6 @@
</span><span class="cx"> #include &quot;RegExpConstructor.h&quot;
</span><span class="cx"> #include &quot;StringPrototype.h&quot;
</span><span class="cx"> #include &lt;cstdlib&gt;
</span><del>-#include &lt;wtf/text/StringBuilder.h&gt;
</del><span class="cx"> 
</span><span class="cx"> namespace JSC { namespace DFG {
</span><span class="cx"> 
</span><span class="lines">@@ -421,7 +420,7 @@
</span><span class="cx">                     dataLog(&quot;Giving up because of pattern limit.\n&quot;);
</span><span class="cx">                 break;
</span><span class="cx">             }
</span><del>-            
</del><ins>+
</ins><span class="cx">             unsigned lastIndex;
</span><span class="cx">             if (regExp-&gt;globalOrSticky()) {
</span><span class="cx">                 // This will only work if we can prove what the value of lastIndex is. To do this
</span><span class="lines">@@ -469,7 +468,7 @@
</span><span class="cx">             FrozenValue* constructorFrozenValue = m_graph.freeze(constructor);
</span><span class="cx"> 
</span><span class="cx">             MatchResult result;
</span><del>-            Vector&lt;int&gt; ovector;
</del><ins>+            Vector&lt;int, 32&gt; ovector;
</ins><span class="cx">             // We have to call the kind of match function that the main thread would have called.
</span><span class="cx">             // Otherwise, we might not have the desired Yarr code compiled, and the match will fail.
</span><span class="cx">             if (m_node-&gt;op() == RegExpExec) {
</span><span class="lines">@@ -515,8 +514,7 @@
</span><span class="cx">                     }
</span><span class="cx"> 
</span><span class="cx">                     unsigned publicLength = resultArray.size();
</span><del>-                    unsigned vectorLength =
-                        Butterfly::optimalContiguousVectorLength(structure, publicLength);
</del><ins>+                    unsigned vectorLength = std::max(BASE_VECTOR_LEN, publicLength);
</ins><span class="cx"> 
</span><span class="cx">                     UniquedStringImpl* indexUID = vm().propertyNames-&gt;index.impl();
</span><span class="cx">                     UniquedStringImpl* inputUID = vm().propertyNames-&gt;input.impl();
</span><span class="lines">@@ -651,7 +649,7 @@
</span><span class="cx">             bool ok = true;
</span><span class="cx">             do {
</span><span class="cx">                 MatchResult result;
</span><del>-                Vector&lt;int&gt; ovector;
</del><ins>+                Vector&lt;int, 32&gt; ovector;
</ins><span class="cx">                 // Model which version of match() is called by the main thread.
</span><span class="cx">                 if (replace.isEmpty() &amp;&amp; regExp-&gt;global()) {
</span><span class="cx">                     if (!regExp-&gt;matchConcurrently(vm(), string, startPosition, result)) {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLAbstractHeapRepositoryh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -76,6 +76,7 @@
</span><span class="cx">     macro(JSString_value, JSString::offsetOfValue()) \
</span><span class="cx">     macro(JSSymbolTableObject_symbolTable, JSSymbolTableObject::offsetOfSymbolTable()) \
</span><span class="cx">     macro(JSWrapperObject_internalValue, JSWrapperObject::internalValueOffset()) \
</span><ins>+    macro(MarkedAllocator_freeListHead, MarkedAllocator::offsetOfFreeListHead()) \
</ins><span class="cx">     macro(RegExpConstructor_cachedResult_lastRegExp, RegExpConstructor::offsetOfCachedResult() + RegExpCachedResult::offsetOfLastRegExp()) \
</span><span class="cx">     macro(RegExpConstructor_cachedResult_lastInput, RegExpConstructor::offsetOfCachedResult() + RegExpCachedResult::offsetOfLastInput()) \
</span><span class="cx">     macro(RegExpConstructor_cachedResult_result_start, RegExpConstructor::offsetOfCachedResult() + RegExpCachedResult::offsetOfResult() + OBJECT_OFFSETOF(MatchResult, start)) \
</span><span class="lines">@@ -108,7 +109,8 @@
</span><span class="cx">     macro(JSEnvironmentRecord_variables, JSEnvironmentRecord::offsetOfVariables(), sizeof(EncodedJSValue)) \
</span><span class="cx">     macro(JSPropertyNameEnumerator_cachedPropertyNamesVectorContents, 0, sizeof(WriteBarrier&lt;JSString&gt;)) \
</span><span class="cx">     macro(JSRopeString_fibers, JSRopeString::offsetOfFibers(), sizeof(WriteBarrier&lt;JSString&gt;)) \
</span><del>-    macro(MarkedSpace_Subspace_allocatorForSizeStep, OBJECT_OFFSETOF(MarkedSpace::Subspace, allocatorForSizeStep), sizeof(MarkedAllocator*)) \
</del><ins>+    macro(MarkedSpace_Subspace_impreciseAllocators, OBJECT_OFFSETOF(MarkedSpace::Subspace, impreciseAllocators), sizeof(MarkedAllocator)) \
+    macro(MarkedSpace_Subspace_preciseAllocators, OBJECT_OFFSETOF(MarkedSpace::Subspace, preciseAllocators), sizeof(MarkedAllocator)) \
</ins><span class="cx">     macro(ScopedArguments_overflowStorage, ScopedArguments::overflowStorageOffset(), sizeof(EncodedJSValue)) \
</span><span class="cx">     macro(WriteBarrierBuffer_bufferContents, 0, sizeof(JSCell*)) \
</span><span class="cx">     macro(characters8, 0, sizeof(LChar)) \
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLCompilecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLCompile.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLCompile.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/ftl/FTLCompile.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -42,7 +42,6 @@
</span><span class="cx"> #include &quot;FTLJITCode.h&quot;
</span><span class="cx"> #include &quot;FTLThunks.h&quot;
</span><span class="cx"> #include &quot;JITSubGenerator.h&quot;
</span><del>-#include &quot;JSCInlines.h&quot;
</del><span class="cx"> #include &quot;LinkBuffer.h&quot;
</span><span class="cx"> #include &quot;PCToCodeOriginMap.h&quot;
</span><span class="cx"> #include &quot;ScratchRegisterAllocator.h&quot;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLJITFinalizercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLJITFinalizer.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLJITFinalizer.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/ftl/FTLJITFinalizer.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -32,7 +32,6 @@
</span><span class="cx"> #include &quot;DFGPlan.h&quot;
</span><span class="cx"> #include &quot;FTLState.h&quot;
</span><span class="cx"> #include &quot;FTLThunks.h&quot;
</span><del>-#include &quot;JSCInlines.h&quot;
</del><span class="cx"> #include &quot;ProfilerDatabase.h&quot;
</span><span class="cx"> 
</span><span class="cx"> namespace JSC { namespace FTL {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLLowerDFGToB3cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -3806,7 +3806,7 @@
</span><span class="cx">                 size, m_out.constInt32(DirectArguments::allocationSize(minCapacity)));
</span><span class="cx">             
</span><span class="cx">             fastObject = allocateVariableSizedObject&lt;DirectArguments&gt;(
</span><del>-                m_out.zeroExtPtr(size), structure, m_out.intPtrZero, slowPath);
</del><ins>+                size, structure, m_out.intPtrZero, slowPath);
</ins><span class="cx">         }
</span><span class="cx">         
</span><span class="cx">         m_out.store32(length.value, fastObject, m_heaps.DirectArguments_length);
</span><span class="lines">@@ -3907,7 +3907,7 @@
</span><span class="cx">             LValue arrayLength = lowInt32(m_node-&gt;child1());
</span><span class="cx">             LBasicBlock loopStart = m_out.newBlock();
</span><span class="cx">             bool shouldLargeArraySizeCreateArrayStorage = false;
</span><del>-            LValue array = allocateArrayWithSize(arrayLength, ArrayWithContiguous, shouldLargeArraySizeCreateArrayStorage);
</del><ins>+            LValue array = compileAllocateArrayWithSize(arrayLength, ArrayWithContiguous, shouldLargeArraySizeCreateArrayStorage);
</ins><span class="cx"> 
</span><span class="cx">             LValue butterfly = m_out.loadPtr(array, m_heaps.JSObject_butterfly);
</span><span class="cx">             ValueFromBlock startLength = m_out.anchor(arrayLength);
</span><span class="lines">@@ -4080,7 +4080,7 @@
</span><span class="cx">             m_out.constIntPtr(m_node-&gt;numConstants())));
</span><span class="cx">     }
</span><span class="cx"> 
</span><del>-    LValue allocateArrayWithSize(LValue publicLength, IndexingType indexingType, bool shouldLargeArraySizeCreateArrayStorage = true)
</del><ins>+    LValue compileAllocateArrayWithSize(LValue publicLength, IndexingType indexingType, bool shouldLargeArraySizeCreateArrayStorage = true)
</ins><span class="cx">     {
</span><span class="cx">         JSGlobalObject* globalObject = m_graph.globalObjectFor(m_node-&gt;origin.semantic);
</span><span class="cx">         Structure* structure = globalObject-&gt;arrayStructureForIndexingTypeDuringAllocation(indexingType);
</span><span class="lines">@@ -4091,40 +4091,33 @@
</span><span class="cx">             || hasContiguous(structure-&gt;indexingType()));
</span><span class="cx"> 
</span><span class="cx">         LBasicBlock fastCase = m_out.newBlock();
</span><del>-        LBasicBlock largeCase = m_out.newBlock();
</del><ins>+        LBasicBlock largeCase = shouldLargeArraySizeCreateArrayStorage ? m_out.newBlock() : nullptr;
</ins><span class="cx">         LBasicBlock failCase = m_out.newBlock();
</span><span class="cx">         LBasicBlock continuation = m_out.newBlock();
</span><del>-        LBasicBlock slowCase = m_out.newBlock();
</del><ins>+        LBasicBlock lastNext = nullptr;
+        if (shouldLargeArraySizeCreateArrayStorage) {
+            m_out.branch(
+                m_out.aboveOrEqual(publicLength, m_out.constInt32(MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH)),
+                rarely(largeCase), usually(fastCase));
+            lastNext = m_out.appendTo(fastCase, largeCase);
+        }
+
</ins><span class="cx">         
</span><del>-        LBasicBlock lastNext = m_out.insertNewBlocksBefore(fastCase);
-        
-        LValue predicate;
-        if (shouldLargeArraySizeCreateArrayStorage)
-            predicate = m_out.aboveOrEqual(publicLength, m_out.constInt32(MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH));
-        else
-            predicate = m_out.booleanFalse;
-        
-        m_out.branch(predicate, rarely(largeCase), usually(fastCase));
-        
-        m_out.appendTo(fastCase, largeCase);
-
</del><span class="cx">         // We don't round up to BASE_VECTOR_LEN for new Array(blah).
</span><span class="cx">         LValue vectorLength = publicLength;
</span><del>-            
</del><ins>+        
</ins><span class="cx">         LValue payloadSize =
</span><span class="cx">             m_out.shl(m_out.zeroExt(vectorLength, pointerType()), m_out.constIntPtr(3));
</span><del>-            
</del><ins>+        
</ins><span class="cx">         LValue butterflySize = m_out.add(
</span><span class="cx">             payloadSize, m_out.constIntPtr(sizeof(IndexingHeader)));
</span><del>-            
-        LValue allocator = allocatorForSize(
-            vm().heap.subspaceForAuxiliaryData(), butterflySize, failCase);
-        LValue startOfStorage = allocateHeapCell(allocator, failCase);
-            
-        LValue butterfly = m_out.add(startOfStorage, m_out.constIntPtr(sizeof(IndexingHeader)));
-            
</del><ins>+        
+        LValue endOfStorage = allocateBasicStorageAndGetEnd(butterflySize, failCase);
+        
+        LValue butterfly = m_out.sub(endOfStorage, payloadSize);
+        
</ins><span class="cx">         LValue object = allocateObject&lt;JSArray&gt;(structure, butterfly, failCase);
</span><del>-            
</del><ins>+        
</ins><span class="cx">         m_out.store32(publicLength, butterfly, m_heaps.Butterfly_publicLength);
</span><span class="cx">         m_out.store32(vectorLength, butterfly, m_heaps.Butterfly_vectorLength);
</span><span class="cx"> 
</span><span class="lines">@@ -4134,21 +4127,27 @@
</span><span class="cx">         m_out.jump(continuation);
</span><span class="cx">         
</span><span class="cx">         LValue structureValue;
</span><del>-        
-        m_out.appendTo(largeCase, failCase);
-        ValueFromBlock largeStructure = m_out.anchor(
-            m_out.constIntPtr(
</del><ins>+        if (shouldLargeArraySizeCreateArrayStorage) {
+            LBasicBlock slowCase = m_out.newBlock();
+
+            m_out.appendTo(largeCase, failCase);
+            ValueFromBlock largeStructure = m_out.anchor(m_out.constIntPtr(
</ins><span class="cx">                 globalObject-&gt;arrayStructureForIndexingTypeDuringAllocation(ArrayWithArrayStorage)));
</span><del>-        m_out.jump(slowCase);
-        
-        m_out.appendTo(failCase, slowCase);
-        ValueFromBlock failStructure = m_out.anchor(m_out.constIntPtr(structure));
-        m_out.jump(slowCase);
-        
-        m_out.appendTo(slowCase, continuation);
-        structureValue = m_out.phi(
-            pointerType(), largeStructure, failStructure);
</del><ins>+            m_out.jump(slowCase);
</ins><span class="cx"> 
</span><ins>+            m_out.appendTo(failCase, slowCase);
+            ValueFromBlock failStructure = m_out.anchor(m_out.constIntPtr(structure));
+            m_out.jump(slowCase);
+
+            m_out.appendTo(slowCase, continuation);
+            structureValue = m_out.phi(
+                pointerType(), largeStructure, failStructure);
+        } else {
+            ASSERT(!lastNext);
+            lastNext = m_out.appendTo(failCase, continuation);
+            structureValue = m_out.constIntPtr(structure);
+        }
+
</ins><span class="cx">         LValue slowResultValue = lazySlowPath(
</span><span class="cx">             [=] (const Vector&lt;Location&gt;&amp; locations) -&gt; RefPtr&lt;LazySlowPath::Generator&gt; {
</span><span class="cx">                 return createLazyCallGenerator(
</span><span class="lines">@@ -4172,7 +4171,7 @@
</span><span class="cx">             m_node-&gt;indexingType());
</span><span class="cx">         
</span><span class="cx">         if (!globalObject-&gt;isHavingABadTime() &amp;&amp; !hasAnyArrayStorage(m_node-&gt;indexingType())) {
</span><del>-            setJSValue(allocateArrayWithSize(publicLength, m_node-&gt;indexingType()));
</del><ins>+            setJSValue(compileAllocateArrayWithSize(publicLength, m_node-&gt;indexingType()));
</ins><span class="cx">             return;
</span><span class="cx">         }
</span><span class="cx">         
</span><span class="lines">@@ -4441,12 +4440,13 @@
</span><span class="cx">         
</span><span class="cx">         LBasicBlock lastNext = m_out.insertNewBlocksBefore(slowPath);
</span><span class="cx">         
</span><del>-        MarkedAllocator* allocator =
</del><ins>+        MarkedAllocator&amp; allocator =
</ins><span class="cx">             vm().heap.allocatorForObjectWithDestructor(sizeof(JSRopeString));
</span><del>-        DFG_ASSERT(m_graph, m_node, allocator);
</del><span class="cx">         
</span><span class="cx">         LValue result = allocateCell(
</span><del>-            m_out.constIntPtr(allocator), vm().stringStructure.get(), slowPath);
</del><ins>+            m_out.constIntPtr(&amp;allocator),
+            vm().stringStructure.get(),
+            slowPath);
</ins><span class="cx">         
</span><span class="cx">         m_out.storePtr(m_out.intPtrZero, result, m_heaps.JSString_value);
</span><span class="cx">         for (unsigned i = 0; i &lt; numKids; ++i)
</span><span class="lines">@@ -6953,8 +6953,7 @@
</span><span class="cx">             
</span><span class="cx">             if (structure-&gt;outOfLineCapacity() || hasIndexedProperties(structure-&gt;indexingType())) {
</span><span class="cx">                 size_t allocationSize = JSFinalObject::allocationSize(structure-&gt;inlineCapacity());
</span><del>-                MarkedAllocator* cellAllocator = vm().heap.allocatorForObjectWithoutDestructor(allocationSize);
-                DFG_ASSERT(m_graph, m_node, cellAllocator);
</del><ins>+                MarkedAllocator* allocator = &amp;vm().heap.allocatorForObjectWithoutDestructor(allocationSize);
</ins><span class="cx"> 
</span><span class="cx">                 bool hasIndexingHeader = hasIndexedProperties(structure-&gt;indexingType());
</span><span class="cx">                 unsigned indexingHeaderSize = 0;
</span><span class="lines">@@ -6979,7 +6978,7 @@
</span><span class="cx">                     indexingPayloadSizeInBytes =
</span><span class="cx">                         m_out.mul(m_out.zeroExtPtr(vectorLength), m_out.intPtrEight);
</span><span class="cx">                 }
</span><del>-                
</del><ins>+
</ins><span class="cx">                 LValue butterflySize = m_out.add(
</span><span class="cx">                     m_out.constIntPtr(
</span><span class="cx">                         structure-&gt;outOfLineCapacity() * sizeof(JSValue) + indexingHeaderSize),
</span><span class="lines">@@ -6990,19 +6989,16 @@
</span><span class="cx">                 
</span><span class="cx">                 LBasicBlock lastNext = m_out.insertNewBlocksBefore(slowPath);
</span><span class="cx">                 
</span><del>-                LValue startOfStorage = allocateHeapCell(
-                    allocatorForSize(vm().heap.subspaceForAuxiliaryData(), butterflySize, slowPath),
-                    slowPath);
</del><ins>+                LValue endOfStorage = allocateBasicStorageAndGetEnd(butterflySize, slowPath);
</ins><span class="cx"> 
</span><span class="cx">                 LValue fastButterflyValue = m_out.add(
</span><del>-                    startOfStorage,
-                    m_out.constIntPtr(
-                        structure-&gt;outOfLineCapacity() * sizeof(JSValue) + sizeof(IndexingHeader)));
</del><ins>+                    m_out.sub(endOfStorage, indexingPayloadSizeInBytes),
+                    m_out.constIntPtr(sizeof(IndexingHeader) - indexingHeaderSize));
</ins><span class="cx"> 
</span><span class="cx">                 m_out.store32(vectorLength, fastButterflyValue, m_heaps.Butterfly_vectorLength);
</span><span class="cx">                 
</span><span class="cx">                 LValue fastObjectValue = allocateObject(
</span><del>-                    m_out.constIntPtr(cellAllocator), structure, fastButterflyValue, slowPath);
</del><ins>+                    m_out.constIntPtr(allocator), structure, fastButterflyValue, slowPath);
</ins><span class="cx"> 
</span><span class="cx">                 ValueFromBlock fastObject = m_out.anchor(fastObjectValue);
</span><span class="cx">                 ValueFromBlock fastButterfly = m_out.anchor(fastButterflyValue);
</span><span class="lines">@@ -7791,11 +7787,10 @@
</span><span class="cx"> 
</span><span class="cx">     void initializeArrayElements(IndexingType indexingType, LValue vectorLength, LValue butterfly)
</span><span class="cx">     {
</span><del>-        LValue hole;
-        if (hasDouble(indexingType))
-            hole = m_out.constInt64(bitwise_cast&lt;int64_t&gt;(PNaN));
-        else
-            hole = m_out.constInt64(JSValue::encode(JSValue()));
</del><ins>+        if (!hasDouble(indexingType)) {
+            // The GC already initialized everything to JSValue() for us.
+            return;
+        }
</ins><span class="cx"> 
</span><span class="cx">         // Doubles must be initialized to PNaN.
</span><span class="cx">         LBasicBlock initLoop = m_out.newBlock();
</span><span class="lines">@@ -7810,7 +7805,9 @@
</span><span class="cx">         LValue index = m_out.phi(Int32, originalIndex);
</span><span class="cx">         LValue pointer = m_out.phi(pointerType(), originalPointer);
</span><span class="cx">         
</span><del>-        m_out.store64(hole, TypedPointer(m_heaps.indexedDoubleProperties.atAnyIndex(), pointer));
</del><ins>+        m_out.store64(
+            m_out.constInt64(bitwise_cast&lt;int64_t&gt;(PNaN)),
+            TypedPointer(m_heaps.indexedDoubleProperties.atAnyIndex(), pointer));
</ins><span class="cx">         
</span><span class="cx">         LValue nextIndex = m_out.sub(index, m_out.int32One);
</span><span class="cx">         m_out.addIncomingToPhi(index, m_out.anchor(nextIndex));
</span><span class="lines">@@ -7871,12 +7868,13 @@
</span><span class="cx">         LBasicBlock continuation = m_out.newBlock();
</span><span class="cx">         
</span><span class="cx">         LBasicBlock lastNext = m_out.insertNewBlocksBefore(slowPath);
</span><del>-
-        size_t sizeInBytes = sizeInValues * sizeof(JSValue);
-        MarkedAllocator* allocator = vm().heap.allocatorForAuxiliaryData(sizeInBytes);
-        LValue startOfStorage = allocateHeapCell(m_out.constIntPtr(allocator), slowPath);
</del><ins>+        
+        LValue endOfStorage = allocateBasicStorageAndGetEnd(
+            m_out.constIntPtr(sizeInValues * sizeof(JSValue)), slowPath);
+        
</ins><span class="cx">         ValueFromBlock fastButterfly = m_out.anchor(
</span><del>-            m_out.add(m_out.constIntPtr(sizeInBytes + sizeof(IndexingHeader)), startOfStorage));
</del><ins>+            m_out.add(m_out.constIntPtr(sizeof(IndexingHeader)), endOfStorage));
+        
</ins><span class="cx">         m_out.jump(continuation);
</span><span class="cx">         
</span><span class="cx">         m_out.appendTo(slowPath, continuation);
</span><span class="lines">@@ -8445,64 +8443,29 @@
</span><span class="cx">         setJSValue(patchpoint);
</span><span class="cx">     }
</span><span class="cx"> 
</span><del>-    LValue allocateHeapCell(LValue allocator, LBasicBlock slowPath)
</del><ins>+    LValue allocateCell(LValue allocator, LBasicBlock slowPath)
</ins><span class="cx">     {
</span><del>-        MarkedAllocator* actualAllocator = nullptr;
-        if (allocator-&gt;hasIntPtr())
-            actualAllocator = bitwise_cast&lt;MarkedAllocator*&gt;(allocator-&gt;asIntPtr());
-        
-        if (!actualAllocator) {
-            // This means that either we know that the allocator is null or we don't know what the
-            // allocator is. In either case, we need the null check.
-            LBasicBlock haveAllocator = m_out.newBlock();
-            LBasicBlock lastNext = m_out.insertNewBlocksBefore(haveAllocator);
-            m_out.branch(allocator, usually(haveAllocator), rarely(slowPath));
-            m_out.appendTo(haveAllocator, lastNext);
</del><ins>+        LBasicBlock success = m_out.newBlock();
+    
+        LValue result;
+        LValue condition;
+        if (Options::forceGCSlowPaths()) {
+            result = m_out.intPtrZero;
+            condition = m_out.booleanFalse;
+        } else {
+            result = m_out.loadPtr(
+                allocator, m_heaps.MarkedAllocator_freeListHead);
+            condition = m_out.notNull(result);
</ins><span class="cx">         }
</span><ins>+        m_out.branch(condition, usually(success), rarely(slowPath));
</ins><span class="cx">         
</span><del>-        LBasicBlock continuation = m_out.newBlock();
</del><ins>+        m_out.appendTo(success);
</ins><span class="cx">         
</span><del>-        LBasicBlock lastNext = m_out.insertNewBlocksBefore(continuation);
-        
-        PatchpointValue* patchpoint = m_out.patchpoint(pointerType());
-        patchpoint-&gt;effects.terminal = true;
-        patchpoint-&gt;appendSomeRegister(allocator);
-        patchpoint-&gt;numGPScratchRegisters++;
-        patchpoint-&gt;resultConstraint = ValueRep::SomeEarlyRegister;
-        
-        m_out.appendSuccessor(usually(continuation));
-        m_out.appendSuccessor(rarely(slowPath));
-        
-        patchpoint-&gt;setGenerator(
-            [=] (CCallHelpers&amp; jit, const StackmapGenerationParams&amp; params) {
-                CCallHelpers::JumpList jumpToSlowPath;
-                
-                // We use a patchpoint to emit the allocation path because whenever we mess with
-                // allocation paths, we already reason about them at the machine code level. We know
-                // exactly what instruction sequence we want. We're confident that no compiler
-                // optimization could make this code better. So, it's best to have the code in
-                // AssemblyHelpers::emitAllocate(). That way, the same optimized path is shared by
-                // all of the compiler tiers.
-                jit.emitAllocateWithNonNullAllocator(
-                    params[0].gpr(), actualAllocator, params[1].gpr(), params.gpScratch(0),
-                    jumpToSlowPath);
-                
-                CCallHelpers::Jump jumpToSuccess;
-                if (!params.fallsThroughToSuccessor(0))
-                    jumpToSuccess = jit.jump();
-                
-                Vector&lt;Box&lt;CCallHelpers::Label&gt;&gt; labels = params.successorLabels();
-                
-                params.addLatePath(
-                    [=] (CCallHelpers&amp; jit) {
-                        jumpToSlowPath.linkTo(*labels[1], &amp;jit);
-                        if (jumpToSuccess.isSet())
-                            jumpToSuccess.linkTo(*labels[0], &amp;jit);
-                    });
-            });
-        
-        m_out.appendTo(continuation, lastNext);
-        return patchpoint;
</del><ins>+        m_out.storePtr(
+            m_out.loadPtr(result, m_heaps.JSCell_freeListNext),
+            allocator, m_heaps.MarkedAllocator_freeListHead);
+
+        return result;
</ins><span class="cx">     }
</span><span class="cx">     
</span><span class="cx">     void storeStructure(LValue object, Structure* structure)
</span><span class="lines">@@ -8515,7 +8478,7 @@
</span><span class="cx"> 
</span><span class="cx">     LValue allocateCell(LValue allocator, Structure* structure, LBasicBlock slowPath)
</span><span class="cx">     {
</span><del>-        LValue result = allocateHeapCell(allocator, slowPath);
</del><ins>+        LValue result = allocateCell(allocator, slowPath);
</ins><span class="cx">         storeStructure(result, structure);
</span><span class="cx">         return result;
</span><span class="cx">     }
</span><span class="lines">@@ -8532,7 +8495,7 @@
</span><span class="cx">     LValue allocateObject(
</span><span class="cx">         size_t size, Structure* structure, LValue butterfly, LBasicBlock slowPath)
</span><span class="cx">     {
</span><del>-        MarkedAllocator* allocator = vm().heap.allocatorForObjectOfType&lt;ClassType&gt;(size);
</del><ins>+        MarkedAllocator* allocator = &amp;vm().heap.allocatorForObjectOfType&lt;ClassType&gt;(size);
</ins><span class="cx">         return allocateObject(m_out.constIntPtr(allocator), structure, butterfly, slowPath);
</span><span class="cx">     }
</span><span class="cx">     
</span><span class="lines">@@ -8543,60 +8506,46 @@
</span><span class="cx">             ClassType::allocationSize(0), structure, butterfly, slowPath);
</span><span class="cx">     }
</span><span class="cx">     
</span><del>-    LValue allocatorForSize(LValue subspace, LValue size, LBasicBlock slowPath)
</del><ins>+    template&lt;typename ClassType&gt;
+    LValue allocateVariableSizedObject(
+        LValue size, Structure* structure, LValue butterfly, LBasicBlock slowPath)
</ins><span class="cx">     {
</span><del>-        static_assert(!(MarkedSpace::sizeStep &amp; (MarkedSpace::sizeStep - 1)), &quot;MarkedSpace::sizeStep must be a power of two.&quot;);
</del><ins>+        static_assert(!(MarkedSpace::preciseStep &amp; (MarkedSpace::preciseStep - 1)), &quot;MarkedSpace::preciseStep must be a power of two.&quot;);
+        static_assert(!(MarkedSpace::impreciseStep &amp; (MarkedSpace::impreciseStep - 1)), &quot;MarkedSpace::impreciseStep must be a power of two.&quot;);
+
+        LValue subspace = m_out.constIntPtr(&amp;vm().heap.subspaceForObjectOfType&lt;ClassType&gt;());
</ins><span class="cx">         
</span><del>-        // Try to do some constant-folding here.
-        if (subspace-&gt;hasIntPtr() &amp;&amp; size-&gt;hasIntPtr()) {
-            MarkedSpace::Subspace* actualSubspace = bitwise_cast&lt;MarkedSpace::Subspace*&gt;(subspace-&gt;asIntPtr());
-            size_t actualSize = size-&gt;asIntPtr();
-            
-            MarkedAllocator* actualAllocator = MarkedSpace::allocatorFor(*actualSubspace, actualSize);
-            if (!actualAllocator) {
-                LBasicBlock continuation = m_out.newBlock();
-                LBasicBlock lastNext = m_out.insertNewBlocksBefore(continuation);
-                m_out.jump(slowPath);
-                m_out.appendTo(continuation, lastNext);
-                return m_out.intPtrZero;
-            }
-            
-            return m_out.constIntPtr(actualAllocator);
-        }
-        
-        unsigned stepShift = getLSBSet(MarkedSpace::sizeStep);
-        
</del><ins>+        LBasicBlock smallCaseBlock = m_out.newBlock();
+        LBasicBlock largeOrOversizeCaseBlock = m_out.newBlock();
+        LBasicBlock largeCaseBlock = m_out.newBlock();
</ins><span class="cx">         LBasicBlock continuation = m_out.newBlock();
</span><span class="cx">         
</span><del>-        LBasicBlock lastNext = m_out.insertNewBlocksBefore(continuation);
</del><ins>+        LValue uproundedSize = m_out.add(size, m_out.constInt32(MarkedSpace::preciseStep - 1));
+        LValue isSmall = m_out.below(uproundedSize, m_out.constInt32(MarkedSpace::preciseCutoff));
+        m_out.branch(isSmall, unsure(smallCaseBlock), unsure(largeOrOversizeCaseBlock));
</ins><span class="cx">         
</span><del>-        LValue sizeClassIndex = m_out.lShr(
-            m_out.add(size, m_out.constIntPtr(MarkedSpace::sizeStep - 1)),
-            m_out.constInt32(stepShift));
</del><ins>+        LBasicBlock lastNext = m_out.appendTo(smallCaseBlock, largeOrOversizeCaseBlock);
+        TypedPointer address = m_out.baseIndex(
+            m_heaps.MarkedSpace_Subspace_preciseAllocators, subspace,
+            m_out.zeroExtPtr(m_out.lShr(uproundedSize, m_out.constInt32(getLSBSet(MarkedSpace::preciseStep)))));
+        ValueFromBlock smallAllocator = m_out.anchor(address.value());
+        m_out.jump(continuation);
</ins><span class="cx">         
</span><ins>+        m_out.appendTo(largeOrOversizeCaseBlock, largeCaseBlock);
</ins><span class="cx">         m_out.branch(
</span><del>-            m_out.above(sizeClassIndex, m_out.constIntPtr(MarkedSpace::largeCutoff &gt;&gt; stepShift)),
-            rarely(slowPath), usually(continuation));
</del><ins>+            m_out.below(uproundedSize, m_out.constInt32(MarkedSpace::impreciseCutoff)),
+            usually(largeCaseBlock), rarely(slowPath));
</ins><span class="cx">         
</span><ins>+        m_out.appendTo(largeCaseBlock, continuation);
+        address = m_out.baseIndex(
+            m_heaps.MarkedSpace_Subspace_impreciseAllocators, subspace,
+            m_out.zeroExtPtr(m_out.lShr(uproundedSize, m_out.constInt32(getLSBSet(MarkedSpace::impreciseStep)))));
+        ValueFromBlock largeAllocator = m_out.anchor(address.value());
+        m_out.jump(continuation);
+        
</ins><span class="cx">         m_out.appendTo(continuation, lastNext);
</span><ins>+        LValue allocator = m_out.phi(pointerType(), smallAllocator, largeAllocator);
</ins><span class="cx">         
</span><del>-        return m_out.loadPtr(
-            m_out.baseIndex(
-                m_heaps.MarkedSpace_Subspace_allocatorForSizeStep,
-                subspace, m_out.sub(sizeClassIndex, m_out.intPtrOne)));
-    }
-    
-    LValue allocatorForSize(MarkedSpace::Subspace&amp; subspace, LValue size, LBasicBlock slowPath)
-    {
-        return allocatorForSize(m_out.constIntPtr(&amp;subspace), size, slowPath);
-    }
-    
-    template&lt;typename ClassType&gt;
-    LValue allocateVariableSizedObject(
-        LValue size, Structure* structure, LValue butterfly, LBasicBlock slowPath)
-    {
-        LValue allocator = allocatorForSize(
-            vm().heap.subspaceForObjectOfType&lt;ClassType&gt;(), size, slowPath);
</del><span class="cx">         return allocateObject(allocator, structure, butterfly, slowPath);
</span><span class="cx">     }
</span><span class="cx">     
</span><span class="lines">@@ -8629,12 +8578,8 @@
</span><span class="cx">     LValue allocateObject(Structure* structure)
</span><span class="cx">     {
</span><span class="cx">         size_t allocationSize = JSFinalObject::allocationSize(structure-&gt;inlineCapacity());
</span><del>-        MarkedAllocator* allocator = vm().heap.allocatorForObjectWithoutDestructor(allocationSize);
</del><ins>+        MarkedAllocator* allocator = &amp;vm().heap.allocatorForObjectWithoutDestructor(allocationSize);
</ins><span class="cx">         
</span><del>-        // FIXME: If the allocator is null, we could simply emit a normal C call to the allocator
-        // instead of putting it on the slow path.
-        // https://bugs.webkit.org/show_bug.cgi?id=161062
-        
</del><span class="cx">         LBasicBlock slowPath = m_out.newBlock();
</span><span class="cx">         LBasicBlock continuation = m_out.newBlock();
</span><span class="cx">         
</span><span class="lines">@@ -8679,35 +8624,35 @@
</span><span class="cx">     ArrayValues allocateJSArray(
</span><span class="cx">         Structure* structure, unsigned numElements, LBasicBlock slowPath)
</span><span class="cx">     {
</span><del>-        DFG_ASSERT(
-            m_graph, m_node,
</del><ins>+        ASSERT(
</ins><span class="cx">             hasUndecided(structure-&gt;indexingType())
</span><span class="cx">             || hasInt32(structure-&gt;indexingType())
</span><span class="cx">             || hasDouble(structure-&gt;indexingType())
</span><span class="cx">             || hasContiguous(structure-&gt;indexingType()));
</span><del>-        DFG_ASSERT(m_graph, m_node, !structure-&gt;outOfLineCapacity());
</del><span class="cx">         
</span><del>-        unsigned vectorLength = Butterfly::optimalContiguousVectorLength(0lu, numElements);
</del><ins>+        unsigned vectorLength = std::max(BASE_VECTOR_LEN, numElements);
</ins><span class="cx">         
</span><del>-        MarkedAllocator* allocator = vm().heap.allocatorForAuxiliaryData(
-            sizeof(JSValue) * vectorLength + sizeof(IndexingHeader));
-        LValue startOfStorage = allocateHeapCell(m_out.constIntPtr(allocator), slowPath);
</del><ins>+        LValue endOfStorage = allocateBasicStorageAndGetEnd(
+            m_out.constIntPtr(sizeof(JSValue) * vectorLength + sizeof(IndexingHeader)),
+            slowPath);
</ins><span class="cx">         
</span><del>-        LValue butterfly = m_out.add(startOfStorage, m_out.constIntPtr(sizeof(IndexingHeader)));
</del><ins>+        LValue butterfly = m_out.sub(
+            endOfStorage, m_out.constIntPtr(sizeof(JSValue) * vectorLength));
</ins><span class="cx">         
</span><del>-        LValue object = allocateObject&lt;JSArray&gt;(structure, butterfly, slowPath);
</del><ins>+        LValue object = allocateObject&lt;JSArray&gt;(
+            structure, butterfly, slowPath);
</ins><span class="cx">         
</span><span class="cx">         m_out.store32(m_out.constInt32(numElements), butterfly, m_heaps.Butterfly_publicLength);
</span><span class="cx">         m_out.store32(m_out.constInt32(vectorLength), butterfly, m_heaps.Butterfly_vectorLength);
</span><del>-
-        LValue hole;
-        if (hasDouble(structure-&gt;indexingType()))
-            hole = m_out.constInt64(bitwise_cast&lt;int64_t&gt;(PNaN));
-        else
-            hole = m_out.constInt64(JSValue::encode(JSValue()));
-        for (unsigned i = numElements; i &lt; vectorLength; ++i)
-            m_out.store64(hole, butterfly, m_heaps.indexedDoubleProperties[i]);
</del><span class="cx">         
</span><ins>+        if (hasDouble(structure-&gt;indexingType())) {
+            for (unsigned i = numElements; i &lt; vectorLength; ++i) {
+                m_out.store64(
+                    m_out.constInt64(bitwise_cast&lt;int64_t&gt;(PNaN)),
+                    butterfly, m_heaps.indexedDoubleProperties[i]);
+            }
+        }
+        
</ins><span class="cx">         return ArrayValues(object, butterfly);
</span><span class="cx">     }
</span><span class="cx">     
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLOutputcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLOutput.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLOutput.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/ftl/FTLOutput.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -100,9 +100,7 @@
</span><span class="cx"> 
</span><span class="cx"> LValue Output::constBool(bool value)
</span><span class="cx"> {
</span><del>-    if (value)
-        return booleanTrue;
-    return booleanFalse;
</del><ins>+    return m_block-&gt;appendNew&lt;B3::Const32Value&gt;(m_proc, origin(), value);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> LValue Output::constInt32(int32_t value)
</span><span class="lines">@@ -127,10 +125,6 @@
</span><span class="cx"> 
</span><span class="cx"> LValue Output::add(LValue left, LValue right)
</span><span class="cx"> {
</span><del>-    if (Value* result = left-&gt;addConstant(m_proc, right)) {
-        m_block-&gt;append(result);
-        return result;
-    }
</del><span class="cx">     return m_block-&gt;appendNew&lt;B3::Value&gt;(m_proc, B3::Add, origin(), left, right);
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="lines">@@ -211,28 +205,16 @@
</span><span class="cx"> 
</span><span class="cx"> LValue Output::shl(LValue left, LValue right)
</span><span class="cx"> {
</span><del>-    if (Value* result = left-&gt;shlConstant(m_proc, right)) {
-        m_block-&gt;append(result);
-        return result;
-    }
</del><span class="cx">     return m_block-&gt;appendNew&lt;B3::Value&gt;(m_proc, B3::Shl, origin(), left, castToInt32(right));
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> LValue Output::aShr(LValue left, LValue right)
</span><span class="cx"> {
</span><del>-    if (Value* result = left-&gt;sShrConstant(m_proc, right)) {
-        m_block-&gt;append(result);
-        return result;
-    }
</del><span class="cx">     return m_block-&gt;appendNew&lt;B3::Value&gt;(m_proc, B3::SShr, origin(), left, castToInt32(right));
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> LValue Output::lShr(LValue left, LValue right)
</span><span class="cx"> {
</span><del>-    if (Value* result = left-&gt;zShrConstant(m_proc, right)) {
-        m_block-&gt;append(result);
-        return result;
-    }
</del><span class="cx">     return m_block-&gt;appendNew&lt;B3::Value&gt;(m_proc, B3::ZShr, origin(), left, castToInt32(right));
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="lines">@@ -361,8 +343,6 @@
</span><span class="cx"> {
</span><span class="cx">     if (value-&gt;type() == type)
</span><span class="cx">         return value;
</span><del>-    if (value-&gt;hasInt32())
-        return m_block-&gt;appendIntConstant(m_proc, origin(), Int64, static_cast&lt;uint64_t&gt;(static_cast&lt;uint32_t&gt;(value-&gt;asInt32())));
</del><span class="cx">     return m_block-&gt;appendNew&lt;B3::Value&gt;(m_proc, B3::ZExt32, origin(), value);
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="lines">@@ -473,81 +453,51 @@
</span><span class="cx"> 
</span><span class="cx"> LValue Output::equal(LValue left, LValue right)
</span><span class="cx"> {
</span><del>-    TriState result = left-&gt;equalConstant(right);
-    if (result != MixedTriState)
-        return constBool(result == TrueTriState);
</del><span class="cx">     return m_block-&gt;appendNew&lt;B3::Value&gt;(m_proc, B3::Equal, origin(), left, right);
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> LValue Output::notEqual(LValue left, LValue right)
</span><span class="cx"> {
</span><del>-    TriState result = left-&gt;notEqualConstant(right);
-    if (result != MixedTriState)
-        return constBool(result == TrueTriState);
</del><span class="cx">     return m_block-&gt;appendNew&lt;B3::Value&gt;(m_proc, B3::NotEqual, origin(), left, right);
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> LValue Output::above(LValue left, LValue right)
</span><span class="cx"> {
</span><del>-    TriState result = left-&gt;aboveConstant(right);
-    if (result != MixedTriState)
-        return constBool(result == TrueTriState);
</del><span class="cx">     return m_block-&gt;appendNew&lt;B3::Value&gt;(m_proc, B3::Above, origin(), left, right);
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> LValue Output::aboveOrEqual(LValue left, LValue right)
</span><span class="cx"> {
</span><del>-    TriState result = left-&gt;aboveEqualConstant(right);
-    if (result != MixedTriState)
-        return constBool(result == TrueTriState);
</del><span class="cx">     return m_block-&gt;appendNew&lt;B3::Value&gt;(m_proc, B3::AboveEqual, origin(), left, right);
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> LValue Output::below(LValue left, LValue right)
</span><span class="cx"> {
</span><del>-    TriState result = left-&gt;belowConstant(right);
-    if (result != MixedTriState)
-        return constBool(result == TrueTriState);
</del><span class="cx">     return m_block-&gt;appendNew&lt;B3::Value&gt;(m_proc, B3::Below, origin(), left, right);
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> LValue Output::belowOrEqual(LValue left, LValue right)
</span><span class="cx"> {
</span><del>-    TriState result = left-&gt;belowEqualConstant(right);
-    if (result != MixedTriState)
-        return constBool(result == TrueTriState);
</del><span class="cx">     return m_block-&gt;appendNew&lt;B3::Value&gt;(m_proc, B3::BelowEqual, origin(), left, right);
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> LValue Output::greaterThan(LValue left, LValue right)
</span><span class="cx"> {
</span><del>-    TriState result = left-&gt;greaterThanConstant(right);
-    if (result != MixedTriState)
-        return constBool(result == TrueTriState);
</del><span class="cx">     return m_block-&gt;appendNew&lt;B3::Value&gt;(m_proc, B3::GreaterThan, origin(), left, right);
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> LValue Output::greaterThanOrEqual(LValue left, LValue right)
</span><span class="cx"> {
</span><del>-    TriState result = left-&gt;greaterEqualConstant(right);
-    if (result != MixedTriState)
-        return constBool(result == TrueTriState);
</del><span class="cx">     return m_block-&gt;appendNew&lt;B3::Value&gt;(m_proc, B3::GreaterEqual, origin(), left, right);
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> LValue Output::lessThan(LValue left, LValue right)
</span><span class="cx"> {
</span><del>-    TriState result = left-&gt;lessThanConstant(right);
-    if (result != MixedTriState)
-        return constBool(result == TrueTriState);
</del><span class="cx">     return m_block-&gt;appendNew&lt;B3::Value&gt;(m_proc, B3::LessThan, origin(), left, right);
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> LValue Output::lessThanOrEqual(LValue left, LValue right)
</span><span class="cx"> {
</span><del>-    TriState result = left-&gt;lessEqualConstant(right);
-    if (result != MixedTriState)
-        return constBool(result == TrueTriState);
</del><span class="cx">     return m_block-&gt;appendNew&lt;B3::Value&gt;(m_proc, B3::LessEqual, origin(), left, right);
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="lines">@@ -633,12 +583,6 @@
</span><span class="cx"> 
</span><span class="cx"> LValue Output::select(LValue value, LValue taken, LValue notTaken)
</span><span class="cx"> {
</span><del>-    if (value-&gt;hasInt32()) {
-        if (value-&gt;asInt32())
-            return taken;
-        else
-            return notTaken;
-    }
</del><span class="cx">     return m_block-&gt;appendNew&lt;B3::Value&gt;(m_proc, B3::Select, origin(), value, taken, notTaken);
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="lines">@@ -677,11 +621,6 @@
</span><span class="cx">     m_block-&gt;appendNewControlValue(m_proc, B3::Oops, origin());
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-void Output::appendSuccessor(WeightedTarget target)
-{
-    m_block-&gt;appendSuccessor(target.frequentedBlock());
-}
-
</del><span class="cx"> CheckValue* Output::speculate(LValue value)
</span><span class="cx"> {
</span><span class="cx">     return m_block-&gt;appendNew&lt;B3::CheckValue&gt;(m_proc, B3::Check, origin(), value);
</span><span class="lines">@@ -802,8 +741,7 @@
</span><span class="cx"> 
</span><span class="cx"> void Output::addIncomingToPhi(LValue phi, ValueFromBlock value)
</span><span class="cx"> {
</span><del>-    if (value)
-        value.value()-&gt;as&lt;B3::UpsilonValue&gt;()-&gt;setPhi(phi);
</del><ins>+    value.value()-&gt;as&lt;B3::UpsilonValue&gt;()-&gt;setPhi(phi);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> } } // namespace JSC::FTL
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLOutputh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLOutput.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLOutput.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/ftl/FTLOutput.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -398,8 +398,6 @@
</span><span class="cx">     void ret(LValue);
</span><span class="cx"> 
</span><span class="cx">     void unreachable();
</span><del>-    
-    void appendSuccessor(WeightedTarget);
</del><span class="cx"> 
</span><span class="cx">     B3::CheckValue* speculate(LValue);
</span><span class="cx">     B3::CheckValue* speculateAdd(LValue, LValue);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLValueFromBlockh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLValueFromBlock.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLValueFromBlock.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/ftl/FTLValueFromBlock.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -45,8 +45,6 @@
</span><span class="cx">         , m_block(block)
</span><span class="cx">     {
</span><span class="cx">     }
</span><del>-    
-    explicit operator bool() const { return m_value || m_block; }
</del><span class="cx"> 
</span><span class="cx">     LValue value() const { return m_value; }
</span><span class="cx">     LBasicBlock block() const { return m_block; }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLWeightedTargeth"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLWeightedTarget.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLWeightedTarget.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/ftl/FTLWeightedTarget.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2014, 2016 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2014 Apple Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -55,11 +55,6 @@
</span><span class="cx">     LBasicBlock target() const { return m_target; }
</span><span class="cx">     Weight weight() const { return m_weight; }
</span><span class="cx">     
</span><del>-    B3::FrequentedBlock frequentedBlock() const
-    {
-        return B3::FrequentedBlock(target(), weight().frequencyClass());
-    }
-    
</del><span class="cx"> private:
</span><span class="cx">     LBasicBlock m_target;
</span><span class="cx">     Weight m_weight;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapCellContainerh"></a>
<div class="delfile"><h4>Deleted: trunk/Source/JavaScriptCore/heap/CellContainer.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/CellContainer.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/heap/CellContainer.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,90 +0,0 @@
</span><del>-/*
- * Copyright (C) 2016 Apple Inc. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
- * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
- * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- */
-
-#pragma once
-
-#include &lt;wtf/StdLibExtras.h&gt;
-
-namespace JSC {
-
-class HeapCell;
-class LargeAllocation;
-class MarkedBlock;
-class WeakSet;
-
-// This is how we abstract over either MarkedBlock&amp; or LargeAllocation&amp;. Put things in here as you
-// find need for them.
-
-class CellContainer {
-public:
-    CellContainer()
-        : m_encodedPointer(0)
-    {
-    }
-    
-    CellContainer(MarkedBlock&amp; markedBlock)
-        : m_encodedPointer(bitwise_cast&lt;uintptr_t&gt;(&amp;markedBlock))
-    {
-    }
-    
-    CellContainer(LargeAllocation&amp; largeAllocation)
-        : m_encodedPointer(bitwise_cast&lt;uintptr_t&gt;(&amp;largeAllocation) | isLargeAllocationBit)
-    {
-    }
-    
-    explicit operator bool() const { return !!m_encodedPointer; }
-    
-    bool isMarkedBlock() const { return m_encodedPointer &amp;&amp; !(m_encodedPointer &amp; isLargeAllocationBit); }
-    bool isLargeAllocation() const { return m_encodedPointer &amp; isLargeAllocationBit; }
-    
-    MarkedBlock&amp; markedBlock() const
-    {
-        ASSERT(isMarkedBlock());
-        return *bitwise_cast&lt;MarkedBlock*&gt;(m_encodedPointer);
-    }
-    
-    LargeAllocation&amp; largeAllocation() const
-    {
-        ASSERT(isLargeAllocation());
-        return *bitwise_cast&lt;LargeAllocation*&gt;(m_encodedPointer - isLargeAllocationBit);
-    }
-    
-    bool isMarkedOrRetired() const;
-    bool isMarked(HeapCell*) const;
-    bool isMarkedOrNewlyAllocated(HeapCell*) const;
-    
-    void setHasAnyMarked();
-    
-    size_t cellSize() const;
-    
-    WeakSet&amp; weakSet() const;
-    
-private:
-    static const uintptr_t isLargeAllocationBit = 1;
-    uintptr_t m_encodedPointer;
-};
-
-} // namespace JSC
-
</del></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapCellContainerInlinesh"></a>
<div class="delfile"><h4>Deleted: trunk/Source/JavaScriptCore/heap/CellContainerInlines.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/CellContainerInlines.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/heap/CellContainerInlines.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,77 +0,0 @@
</span><del>-/*
- * Copyright (C) 2016 Apple Inc. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
- * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
- * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- */
-
-#pragma once
-
-#include &quot;CellContainer.h&quot;
-#include &quot;JSCell.h&quot;
-#include &quot;LargeAllocation.h&quot;
-#include &quot;MarkedBlock.h&quot;
-
-namespace JSC {
-
-inline bool CellContainer::isMarkedOrRetired() const
-{
-    if (isLargeAllocation())
-        return true;
-    return markedBlock().isMarkedOrRetired();
-}
-
-inline bool CellContainer::isMarked(HeapCell* cell) const
-{
-    if (isLargeAllocation())
-        return largeAllocation().isMarked();
-    return markedBlock().isMarked(cell);
-}
-
-inline bool CellContainer::isMarkedOrNewlyAllocated(HeapCell* cell) const
-{
-    if (isLargeAllocation())
-        return largeAllocation().isMarkedOrNewlyAllocated();
-    return markedBlock().isMarkedOrNewlyAllocated(cell);
-}
-
-inline void CellContainer::setHasAnyMarked()
-{
-    if (!isLargeAllocation())
-        markedBlock().setHasAnyMarked();
-}
-
-inline size_t CellContainer::cellSize() const
-{
-    if (isLargeAllocation())
-        return largeAllocation().cellSize();
-    return markedBlock().cellSize();
-}
-
-inline WeakSet&amp; CellContainer::weakSet() const
-{
-    if (isLargeAllocation())
-        return largeAllocation().weakSet();
-    return markedBlock().weakSet();
-}
-
-} // namespace JSC
-
</del></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapConservativeRootscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/heap/ConservativeRoots.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/ConservativeRoots.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/heap/ConservativeRoots.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2011, 2016 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2011 Apple Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -31,8 +31,6 @@
</span><span class="cx"> #include &quot;CopiedSpace.h&quot;
</span><span class="cx"> #include &quot;CopiedSpaceInlines.h&quot;
</span><span class="cx"> #include &quot;HeapInlines.h&quot;
</span><del>-#include &quot;HeapUtil.h&quot;
-#include &quot;JITStubRoutineSet.h&quot;
</del><span class="cx"> #include &quot;JSCell.h&quot;
</span><span class="cx"> #include &quot;JSObject.h&quot;
</span><span class="cx"> #include &quot;JSCInlines.h&quot;
</span><span class="lines">@@ -41,11 +39,12 @@
</span><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span><del>-ConservativeRoots::ConservativeRoots(Heap&amp; heap)
</del><ins>+ConservativeRoots::ConservativeRoots(MarkedBlockSet* blocks, CopiedSpace* copiedSpace)
</ins><span class="cx">     : m_roots(m_inlineRoots)
</span><span class="cx">     , m_size(0)
</span><span class="cx">     , m_capacity(inlineCapacity)
</span><del>-    , m_heap(heap)
</del><ins>+    , m_blocks(blocks)
+    , m_copiedSpace(copiedSpace)
</ins><span class="cx"> {
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="lines">@@ -52,16 +51,16 @@
</span><span class="cx"> ConservativeRoots::~ConservativeRoots()
</span><span class="cx"> {
</span><span class="cx">     if (m_roots != m_inlineRoots)
</span><del>-        OSAllocator::decommitAndRelease(m_roots, m_capacity * sizeof(HeapCell*));
</del><ins>+        OSAllocator::decommitAndRelease(m_roots, m_capacity * sizeof(JSCell*));
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void ConservativeRoots::grow()
</span><span class="cx"> {
</span><span class="cx">     size_t newCapacity = m_capacity == inlineCapacity ? nonInlineCapacity : m_capacity * 2;
</span><del>-    HeapCell** newRoots = static_cast&lt;HeapCell**&gt;(OSAllocator::reserveAndCommit(newCapacity * sizeof(HeapCell*)));
-    memcpy(newRoots, m_roots, m_size * sizeof(HeapCell*));
</del><ins>+    JSCell** newRoots = static_cast&lt;JSCell**&gt;(OSAllocator::reserveAndCommit(newCapacity * sizeof(JSCell*)));
+    memcpy(newRoots, m_roots, m_size * sizeof(JSCell*));
</ins><span class="cx">     if (m_roots != m_inlineRoots)
</span><del>-        OSAllocator::decommitAndRelease(m_roots, m_capacity * sizeof(HeapCell*));
</del><ins>+        OSAllocator::decommitAndRelease(m_roots, m_capacity * sizeof(JSCell*));
</ins><span class="cx">     m_capacity = newCapacity;
</span><span class="cx">     m_roots = newRoots;
</span><span class="cx"> }
</span><span class="lines">@@ -71,16 +70,15 @@
</span><span class="cx"> {
</span><span class="cx">     markHook.mark(p);
</span><span class="cx"> 
</span><del>-    m_heap.storageSpace().pinIfNecessary(p);
</del><ins>+    m_copiedSpace-&gt;pinIfNecessary(p);
</ins><span class="cx"> 
</span><del>-    HeapUtil::findGCObjectPointersForMarking(
-        m_heap, filter, p,
-        [&amp;] (void* p) {
-            if (m_size == m_capacity)
-                grow();
-            
-            m_roots[m_size++] = bitwise_cast&lt;HeapCell*&gt;(p);
-        });
</del><ins>+    if (!Heap::isPointerGCObject(filter, *m_blocks, p))
+        return;
+
+    if (m_size == m_capacity)
+        grow();
+
+    m_roots[m_size++] = static_cast&lt;JSCell*&gt;(p);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> template&lt;typename MarkHook&gt;
</span><span class="lines">@@ -96,7 +94,7 @@
</span><span class="cx">     RELEASE_ASSERT(isPointerAligned(begin));
</span><span class="cx">     RELEASE_ASSERT(isPointerAligned(end));
</span><span class="cx"> 
</span><del>-    TinyBloomFilter filter = m_heap.objectSpace().blocks().filter(); // Make a local copy of filter to show the compiler it won't alias, and can be register-allocated.
</del><ins>+    TinyBloomFilter filter = m_blocks-&gt;filter(); // Make a local copy of filter to show the compiler it won't alias, and can be register-allocated.
</ins><span class="cx">     for (char** it = static_cast&lt;char**&gt;(begin); it != static_cast&lt;char**&gt;(end); ++it)
</span><span class="cx">         genericAddPointer(*it, filter, markHook);
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapConservativeRootsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/heap/ConservativeRoots.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/ConservativeRoots.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/heap/ConservativeRoots.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2009, 2016 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2009 Apple Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -31,12 +31,12 @@
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span><span class="cx"> class CodeBlockSet;
</span><del>-class HeapCell;
</del><span class="cx"> class JITStubRoutineSet;
</span><ins>+class JSCell;
</ins><span class="cx"> 
</span><span class="cx"> class ConservativeRoots {
</span><span class="cx"> public:
</span><del>-    ConservativeRoots(Heap&amp;);
</del><ins>+    ConservativeRoots(MarkedBlockSet*, CopiedSpace*);
</ins><span class="cx">     ~ConservativeRoots();
</span><span class="cx"> 
</span><span class="cx">     void add(void* begin, void* end);
</span><span class="lines">@@ -44,11 +44,11 @@
</span><span class="cx">     void add(void* begin, void* end, JITStubRoutineSet&amp;, CodeBlockSet&amp;);
</span><span class="cx">     
</span><span class="cx">     size_t size();
</span><del>-    HeapCell** roots();
</del><ins>+    JSCell** roots();
</ins><span class="cx"> 
</span><span class="cx"> private:
</span><span class="cx">     static const size_t inlineCapacity = 128;
</span><del>-    static const size_t nonInlineCapacity = 8192 / sizeof(HeapCell*);
</del><ins>+    static const size_t nonInlineCapacity = 8192 / sizeof(JSCell*);
</ins><span class="cx">     
</span><span class="cx">     template&lt;typename MarkHook&gt;
</span><span class="cx">     void genericAddPointer(void*, TinyBloomFilter, MarkHook&amp;);
</span><span class="lines">@@ -58,11 +58,12 @@
</span><span class="cx">     
</span><span class="cx">     void grow();
</span><span class="cx"> 
</span><del>-    HeapCell** m_roots;
</del><ins>+    JSCell** m_roots;
</ins><span class="cx">     size_t m_size;
</span><span class="cx">     size_t m_capacity;
</span><del>-    Heap&amp; m_heap;
-    HeapCell* m_inlineRoots[inlineCapacity];
</del><ins>+    MarkedBlockSet* m_blocks;
+    CopiedSpace* m_copiedSpace;
+    JSCell* m_inlineRoots[inlineCapacity];
</ins><span class="cx"> };
</span><span class="cx"> 
</span><span class="cx"> inline size_t ConservativeRoots::size()
</span><span class="lines">@@ -70,7 +71,7 @@
</span><span class="cx">     return m_size;
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-inline HeapCell** ConservativeRoots::roots()
</del><ins>+inline JSCell** ConservativeRoots::roots()
</ins><span class="cx"> {
</span><span class="cx">     return m_roots;
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapCopyTokenh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/heap/CopyToken.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/CopyToken.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/heap/CopyToken.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2013, 2015-2016 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2013, 2015 Apple Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -29,6 +29,7 @@
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span><span class="cx"> enum CopyToken {
</span><ins>+    ButterflyCopyToken,
</ins><span class="cx">     TypedArrayVectorCopyToken,
</span><span class="cx">     MapBackingStoreCopyToken,
</span><span class="cx">     DirectArgumentsOverridesCopyToken
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapFreeListcpp"></a>
<div class="delfile"><h4>Deleted: trunk/Source/JavaScriptCore/heap/FreeList.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/FreeList.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/heap/FreeList.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,37 +0,0 @@
</span><del>-/*
- * Copyright (C) 2016 Apple Inc. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
- * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
- * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- */
-
-#include &quot;config.h&quot;
-#include &quot;FreeList.h&quot;
-
-namespace JSC {
-
-void FreeList::dump(PrintStream&amp; out) const
-{
-    out.print(&quot;{head = &quot;, RawPointer(head), &quot;, payloadEnd = &quot;, RawPointer(payloadEnd), &quot;, remaining = &quot;, remaining, &quot;, originalSize = &quot;, originalSize, &quot;}&quot;);
-}
-
-} // namespace JSC
-
</del></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapFreeListh"></a>
<div class="delfile"><h4>Deleted: trunk/Source/JavaScriptCore/heap/FreeList.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/FreeList.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/heap/FreeList.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,91 +0,0 @@
</span><del>-/*
- * Copyright (C) 2016 Apple Inc. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
- * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
- * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- */
-
-#pragma once
-
-#include &lt;wtf/PrintStream.h&gt;
-
-namespace JSC {
-
-struct FreeCell {
-    FreeCell* next;
-};
-        
-// This representation of a FreeList is convenient for the MarkedAllocator.
-
-struct FreeList {
-    FreeCell* head { nullptr };
-    char* payloadEnd { nullptr };
-    unsigned remaining { 0 };
-    unsigned originalSize { 0 };
-    
-    FreeList()
-    {
-    }
-    
-    static FreeList list(FreeCell* head, unsigned bytes)
-    {
-        FreeList result;
-        result.head = head;
-        result.remaining = 0;
-        result.originalSize = bytes;
-        return result;
-    }
-    
-    static FreeList bump(char* payloadEnd, unsigned remaining)
-    {
-        FreeList result;
-        result.payloadEnd = payloadEnd;
-        result.remaining = remaining;
-        result.originalSize = remaining;
-        return result;
-    }
-    
-    bool operator==(const FreeList&amp; other) const
-    {
-        return head == other.head
-            &amp;&amp; payloadEnd == other.payloadEnd
-            &amp;&amp; remaining == other.remaining
-            &amp;&amp; originalSize == other.originalSize;
-    }
-    
-    bool operator!=(const FreeList&amp; other) const
-    {
-        return !(*this == other);
-    }
-    
-    explicit operator bool() const
-    {
-        return *this != FreeList();
-    }
-    
-    bool allocationWillFail() const { return !head &amp;&amp; !remaining; }
-    bool allocationWillSucceed() const { return !allocationWillFail(); }
-    
-    void dump(PrintStream&amp;) const;
-};
-
-} // namespace JSC
-
</del></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapHeapcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/heap/Heap.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/Heap.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/heap/Heap.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -40,7 +40,6 @@
</span><span class="cx"> #include &quot;HeapVerifier.h&quot;
</span><span class="cx"> #include &quot;IncrementalSweeper.h&quot;
</span><span class="cx"> #include &quot;Interpreter.h&quot;
</span><del>-#include &quot;JITStubRoutineSet.h&quot;
</del><span class="cx"> #include &quot;JITWorklist.h&quot;
</span><span class="cx"> #include &quot;JSCInlines.h&quot;
</span><span class="cx"> #include &quot;JSGlobalObject.h&quot;
</span><span class="lines">@@ -48,7 +47,6 @@
</span><span class="cx"> #include &quot;JSVirtualMachineInternal.h&quot;
</span><span class="cx"> #include &quot;SamplingProfiler.h&quot;
</span><span class="cx"> #include &quot;ShadowChicken.h&quot;
</span><del>-#include &quot;SuperSampler.h&quot;
</del><span class="cx"> #include &quot;TypeProfilerLog.h&quot;
</span><span class="cx"> #include &quot;UnlinkedCodeBlock.h&quot;
</span><span class="cx"> #include &quot;VM.h&quot;
</span><span class="lines">@@ -76,9 +74,152 @@
</span><span class="cx"> namespace {
</span><span class="cx"> 
</span><span class="cx"> static const size_t largeHeapSize = 32 * MB; // About 1.5X the average webpage.
</span><del>-const size_t smallHeapSize = 1 * MB; // Matches the FastMalloc per-thread cache.
</del><ins>+static const size_t smallHeapSize = 1 * MB; // Matches the FastMalloc per-thread cache.
</ins><span class="cx"> 
</span><del>-size_t minHeapSize(HeapType heapType, size_t ramSize)
</del><ins>+#define ENABLE_GC_LOGGING 0
+
+#if ENABLE(GC_LOGGING)
+#if COMPILER(CLANG)
+#define DEFINE_GC_LOGGING_GLOBAL(type, name, arguments) \
+_Pragma(&quot;clang diagnostic push&quot;) \
+_Pragma(&quot;clang diagnostic ignored \&quot;-Wglobal-constructors\&quot;&quot;) \
+_Pragma(&quot;clang diagnostic ignored \&quot;-Wexit-time-destructors\&quot;&quot;) \
+static type name arguments; \
+_Pragma(&quot;clang diagnostic pop&quot;)
+#else
+#define DEFINE_GC_LOGGING_GLOBAL(type, name, arguments) \
+static type name arguments;
+#endif // COMPILER(CLANG)
+
+struct GCTimer {
+    GCTimer(const char* name)
+        : name(name)
+    {
+    }
+    ~GCTimer()
+    {
+        logData(allCollectionData, &quot;(All)&quot;);
+        logData(edenCollectionData, &quot;(Eden)&quot;);
+        logData(fullCollectionData, &quot;(Full)&quot;);
+    }
+
+    struct TimeRecord {
+        TimeRecord()
+            : time(0)
+            , min(std::numeric_limits&lt;double&gt;::infinity())
+            , max(0)
+            , count(0)
+        {
+        }
+
+        double time;
+        double min;
+        double max;
+        size_t count;
+    };
+
+    void logData(const TimeRecord&amp; data, const char* extra)
+    {
+        dataLogF(&quot;[%d] %s (Parent: %s) %s: %.2lfms (avg. %.2lf, min. %.2lf, max. %.2lf, count %lu)\n&quot;, 
+            getCurrentProcessID(),
+            name,
+            parent ? parent-&gt;name : &quot;nullptr&quot;,
+            extra, 
+            data.time * 1000, 
+            data.time * 1000 / data.count, 
+            data.min * 1000, 
+            data.max * 1000,
+            data.count);
+    }
+
+    void updateData(TimeRecord&amp; data, double duration)
+    {
+        if (duration &lt; data.min)
+            data.min = duration;
+        if (duration &gt; data.max)
+            data.max = duration;
+        data.count++;
+        data.time += duration;
+    }
+
+    void didFinishPhase(HeapOperation collectionType, double duration)
+    {
+        TimeRecord&amp; data = collectionType == EdenCollection ? edenCollectionData : fullCollectionData;
+        updateData(data, duration);
+        updateData(allCollectionData, duration);
+    }
+
+    static GCTimer* s_currentGlobalTimer;
+
+    TimeRecord allCollectionData;
+    TimeRecord fullCollectionData;
+    TimeRecord edenCollectionData;
+    const char* name;
+    GCTimer* parent { nullptr };
+};
+
+GCTimer* GCTimer::s_currentGlobalTimer = nullptr;
+
+struct GCTimerScope {
+    GCTimerScope(GCTimer&amp; timer, HeapOperation collectionType)
+        : timer(timer)
+        , start(WTF::monotonicallyIncreasingTime())
+        , collectionType(collectionType)
+    {
+        timer.parent = GCTimer::s_currentGlobalTimer;
+        GCTimer::s_currentGlobalTimer = &amp;timer;
+    }
+    ~GCTimerScope()
+    {
+        double delta = WTF::monotonicallyIncreasingTime() - start;
+        timer.didFinishPhase(collectionType, delta);
+        GCTimer::s_currentGlobalTimer = timer.parent;
+    }
+    GCTimer&amp; timer;
+    double start;
+    HeapOperation collectionType;
+};
+
+struct GCCounter {
+    GCCounter(const char* name)
+        : name(name)
+        , count(0)
+        , total(0)
+        , min(10000000)
+        , max(0)
+    {
+    }
+    
+    void add(size_t amount)
+    {
+        count++;
+        total += amount;
+        if (amount &lt; min)
+            min = amount;
+        if (amount &gt; max)
+            max = amount;
+    }
+    ~GCCounter()
+    {
+        dataLogF(&quot;[%d] %s: %zu values (avg. %zu, min. %zu, max. %zu)\n&quot;, getCurrentProcessID(), name, total, total / count, min, max);
+    }
+    const char* name;
+    size_t count;
+    size_t total;
+    size_t min;
+    size_t max;
+};
+
+#define GCPHASE(name) DEFINE_GC_LOGGING_GLOBAL(GCTimer, name##Timer, (#name)); GCTimerScope name##TimerScope(name##Timer, m_operationInProgress)
+#define GCCOUNTER(name, value) do { DEFINE_GC_LOGGING_GLOBAL(GCCounter, name##Counter, (#name)); name##Counter.add(value); } while (false)
+    
+#else
+
+#define GCPHASE(name) do { } while (false)
+#define GCCOUNTER(name, value) do { } while (false)
+#endif
+
+static inline size_t minHeapSize(HeapType heapType, size_t ramSize)
</ins><span class="cx"> {
</span><span class="cx">     if (heapType == LargeHeap)
</span><span class="cx">         return min(largeHeapSize, ramSize / 4);
</span><span class="lines">@@ -85,7 +226,7 @@
</span><span class="cx">     return smallHeapSize;
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-size_t proportionalHeapSize(size_t heapSize, size_t ramSize)
</del><ins>+static inline size_t proportionalHeapSize(size_t heapSize, size_t ramSize)
</ins><span class="cx"> {
</span><span class="cx">     // Try to stay under 1/2 RAM size to leave room for the DOM, rendering, networking, etc.
</span><span class="cx">     if (heapSize &lt; ramSize / 4)
</span><span class="lines">@@ -95,12 +236,12 @@
</span><span class="cx">     return 1.25 * heapSize;
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-bool isValidSharedInstanceThreadState(VM* vm)
</del><ins>+static inline bool isValidSharedInstanceThreadState(VM* vm)
</ins><span class="cx"> {
</span><span class="cx">     return vm-&gt;currentThreadIsHoldingAPILock();
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-bool isValidThreadState(VM* vm)
</del><ins>+static inline bool isValidThreadState(VM* vm)
</ins><span class="cx"> {
</span><span class="cx">     if (vm-&gt;atomicStringTable() != wtfThreadData().atomicStringTable())
</span><span class="cx">         return false;
</span><span class="lines">@@ -111,7 +252,7 @@
</span><span class="cx">     return true;
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-void recordType(TypeCountSet&amp; set, JSCell* cell)
</del><ins>+static inline void recordType(TypeCountSet&amp; set, JSCell* cell)
</ins><span class="cx"> {
</span><span class="cx">     const char* typeName = &quot;[unknown]&quot;;
</span><span class="cx">     const ClassInfo* info = cell-&gt;classInfo();
</span><span class="lines">@@ -120,32 +261,6 @@
</span><span class="cx">     set.add(typeName);
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-bool measurePhaseTiming()
-{
-    return false;
-}
-
-class TimingScope {
-public:
-    TimingScope(const char* name)
-        : m_name(name)
-    {
-        if (measurePhaseTiming())
-            m_before = monotonicallyIncreasingTimeMS();
-    }
-    
-    ~TimingScope()
-    {
-        if (measurePhaseTiming()) {
-            double after = monotonicallyIncreasingTimeMS();
-            dataLog(&quot;[GC] &quot;, m_name, &quot; took: &quot;, after - m_before, &quot; ms.\n&quot;);
-        }
-    }
-private:
-    double m_before;
-    const char* m_name;
-};
-
</del><span class="cx"> } // anonymous namespace
</span><span class="cx"> 
</span><span class="cx"> Heap::Heap(VM* vm, HeapType heapType)
</span><span class="lines">@@ -172,8 +287,6 @@
</span><span class="cx">     , m_machineThreads(this)
</span><span class="cx">     , m_slotVisitor(*this)
</span><span class="cx">     , m_handleSet(vm)
</span><del>-    , m_codeBlocks(std::make_unique&lt;CodeBlockSet&gt;())
-    , m_jitStubRoutines(std::make_unique&lt;JITStubRoutineSet&gt;())
</del><span class="cx">     , m_isSafeToCollect(false)
</span><span class="cx">     , m_writeBarrierBuffer(256)
</span><span class="cx">     , m_vm(vm)
</span><span class="lines">@@ -218,7 +331,7 @@
</span><span class="cx">     RELEASE_ASSERT(m_operationInProgress == NoOperation);
</span><span class="cx"> 
</span><span class="cx">     m_arrayBuffers.lastChanceToFinalize();
</span><del>-    m_codeBlocks-&gt;lastChanceToFinalize();
</del><ins>+    m_codeBlocks.lastChanceToFinalize();
</ins><span class="cx">     m_objectSpace.lastChanceToFinalize();
</span><span class="cx">     releaseDelayedReleasedObjects();
</span><span class="cx"> 
</span><span class="lines">@@ -321,6 +434,7 @@
</span><span class="cx"> 
</span><span class="cx"> void Heap::finalizeUnconditionalFinalizers()
</span><span class="cx"> {
</span><ins>+    GCPHASE(FinalizeUnconditionalFinalizers);
</ins><span class="cx">     m_slotVisitor.finalizeUnconditionalFinalizers();
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="lines">@@ -346,19 +460,15 @@
</span><span class="cx"> 
</span><span class="cx"> void Heap::markRoots(double gcStartTime, void* stackOrigin, void* stackTop, MachineThreads::RegisterState&amp; calleeSavedRegisters)
</span><span class="cx"> {
</span><del>-    TimingScope markRootsTimingScope(&quot;Heap::markRoots&quot;);
-    
</del><ins>+    GCPHASE(MarkRoots);
</ins><span class="cx">     ASSERT(isValidThreadState(m_vm));
</span><span class="cx"> 
</span><span class="cx">     // We gather conservative roots before clearing mark bits because conservative
</span><span class="cx">     // gathering uses the mark bits to determine whether a reference is valid.
</span><del>-    ConservativeRoots conservativeRoots(*this);
-    {
-        SuperSamplerScope superSamplerScope(false);
-        gatherStackRoots(conservativeRoots, stackOrigin, stackTop, calleeSavedRegisters);
-        gatherJSStackRoots(conservativeRoots);
-        gatherScratchBufferRoots(conservativeRoots);
-    }
</del><ins>+    ConservativeRoots conservativeRoots(&amp;m_objectSpace.blocks(), &amp;m_storageSpace);
+    gatherStackRoots(conservativeRoots, stackOrigin, stackTop, calleeSavedRegisters);
+    gatherJSStackRoots(conservativeRoots);
+    gatherScratchBufferRoots(conservativeRoots);
</ins><span class="cx"> 
</span><span class="cx"> #if ENABLE(DFG_JIT)
</span><span class="cx">     DFG::rememberCodeBlocks(*m_vm);
</span><span class="lines">@@ -418,7 +528,6 @@
</span><span class="cx">     HeapRootVisitor heapRootVisitor(m_slotVisitor);
</span><span class="cx"> 
</span><span class="cx">     {
</span><del>-        SuperSamplerScope superSamplerScope(false);
</del><span class="cx">         ParallelModeEnabler enabler(m_slotVisitor);
</span><span class="cx"> 
</span><span class="cx">         m_slotVisitor.donateAndDrain();
</span><span class="lines">@@ -452,7 +561,7 @@
</span><span class="cx"> 
</span><span class="cx"> void Heap::copyBackingStores()
</span><span class="cx"> {
</span><del>-    SuperSamplerScope superSamplerScope(true);
</del><ins>+    GCPHASE(CopyBackingStores);
</ins><span class="cx">     if (m_operationInProgress == EdenCollection)
</span><span class="cx">         m_storageSpace.startedCopying&lt;EdenCollection&gt;();
</span><span class="cx">     else {
</span><span class="lines">@@ -489,6 +598,12 @@
</span><span class="cx">                         
</span><span class="cx">                         CopyWorkList&amp; workList = block-&gt;workList();
</span><span class="cx">                         for (CopyWorklistItem item : workList) {
</span><ins>+                            if (item.token() == ButterflyCopyToken) {
+                                JSObject::copyBackingStore(
+                                    item.cell(), copyVisitor, ButterflyCopyToken);
+                                continue;
+                            }
+                            
</ins><span class="cx">                             item.cell()-&gt;methodTable()-&gt;copyBackingStore(
</span><span class="cx">                                 item.cell(), copyVisitor, item.token());
</span><span class="cx">                         }
</span><span class="lines">@@ -504,14 +619,16 @@
</span><span class="cx"> 
</span><span class="cx"> void Heap::gatherStackRoots(ConservativeRoots&amp; roots, void* stackOrigin, void* stackTop, MachineThreads::RegisterState&amp; calleeSavedRegisters)
</span><span class="cx"> {
</span><del>-    m_jitStubRoutines-&gt;clearMarks();
-    m_machineThreads.gatherConservativeRoots(roots, *m_jitStubRoutines, *m_codeBlocks, stackOrigin, stackTop, calleeSavedRegisters);
</del><ins>+    GCPHASE(GatherStackRoots);
+    m_jitStubRoutines.clearMarks();
+    m_machineThreads.gatherConservativeRoots(roots, m_jitStubRoutines, m_codeBlocks, stackOrigin, stackTop, calleeSavedRegisters);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void Heap::gatherJSStackRoots(ConservativeRoots&amp; roots)
</span><span class="cx"> {
</span><span class="cx"> #if !ENABLE(JIT)
</span><del>-    m_vm-&gt;interpreter-&gt;cloopStack().gatherConservativeRoots(roots, *m_jitStubRoutines, *m_codeBlocks);
</del><ins>+    GCPHASE(GatherJSStackRoots);
+    m_vm-&gt;interpreter-&gt;cloopStack().gatherConservativeRoots(roots, m_jitStubRoutines, m_codeBlocks);
</ins><span class="cx"> #else
</span><span class="cx">     UNUSED_PARAM(roots);
</span><span class="cx"> #endif
</span><span class="lines">@@ -520,6 +637,7 @@
</span><span class="cx"> void Heap::gatherScratchBufferRoots(ConservativeRoots&amp; roots)
</span><span class="cx"> {
</span><span class="cx"> #if ENABLE(DFG_JIT)
</span><ins>+    GCPHASE(GatherScratchBufferRoots);
</ins><span class="cx">     m_vm-&gt;gatherConservativeRoots(roots);
</span><span class="cx"> #else
</span><span class="cx">     UNUSED_PARAM(roots);
</span><span class="lines">@@ -528,8 +646,9 @@
</span><span class="cx"> 
</span><span class="cx"> void Heap::clearLivenessData()
</span><span class="cx"> {
</span><ins>+    GCPHASE(ClearLivenessData);
</ins><span class="cx">     if (m_operationInProgress == FullCollection)
</span><del>-        m_codeBlocks-&gt;clearMarksForFullCollection();
</del><ins>+        m_codeBlocks.clearMarksForFullCollection();
</ins><span class="cx"> 
</span><span class="cx">     m_objectSpace.clearNewlyAllocated();
</span><span class="cx">     m_objectSpace.clearMarks();
</span><span class="lines">@@ -544,6 +663,7 @@
</span><span class="cx"> 
</span><span class="cx"> void Heap::visitSmallStrings()
</span><span class="cx"> {
</span><ins>+    GCPHASE(VisitSmallStrings);
</ins><span class="cx">     if (!m_vm-&gt;smallStrings.needsToBeVisited(m_operationInProgress))
</span><span class="cx">         return;
</span><span class="cx"> 
</span><span class="lines">@@ -555,6 +675,7 @@
</span><span class="cx"> 
</span><span class="cx"> void Heap::visitConservativeRoots(ConservativeRoots&amp; roots)
</span><span class="cx"> {
</span><ins>+    GCPHASE(VisitConservativeRoots);
</ins><span class="cx">     m_slotVisitor.append(roots);
</span><span class="cx"> 
</span><span class="cx">     if (Options::logGC() == GCLogging::Verbose)
</span><span class="lines">@@ -577,6 +698,7 @@
</span><span class="cx"> void Heap::removeDeadCompilerWorklistEntries()
</span><span class="cx"> {
</span><span class="cx"> #if ENABLE(DFG_JIT)
</span><ins>+    GCPHASE(FinalizeDFGWorklists);
</ins><span class="cx">     for (auto worklist : m_suspendedCompilerWorklists)
</span><span class="cx">         worklist-&gt;removeDeadPlans(*m_vm);
</span><span class="cx"> #endif
</span><span class="lines">@@ -610,6 +732,7 @@
</span><span class="cx"> 
</span><span class="cx"> void Heap::gatherExtraHeapSnapshotData(HeapProfiler&amp; heapProfiler)
</span><span class="cx"> {
</span><ins>+    GCPHASE(GatherExtraHeapSnapshotData);
</ins><span class="cx">     if (HeapSnapshotBuilder* builder = heapProfiler.activeSnapshotBuilder()) {
</span><span class="cx">         HeapIterationScope heapIterationScope(*this);
</span><span class="cx">         GatherHeapSnapshotData functor(*builder);
</span><span class="lines">@@ -635,6 +758,7 @@
</span><span class="cx"> 
</span><span class="cx"> void Heap::removeDeadHeapSnapshotNodes(HeapProfiler&amp; heapProfiler)
</span><span class="cx"> {
</span><ins>+    GCPHASE(RemoveDeadHeapSnapshotNodes);
</ins><span class="cx">     if (HeapSnapshot* snapshot = heapProfiler.mostRecentSnapshot()) {
</span><span class="cx">         HeapIterationScope heapIterationScope(*this);
</span><span class="cx">         RemoveDeadHeapSnapshotNodes functor(*snapshot);
</span><span class="lines">@@ -645,6 +769,8 @@
</span><span class="cx"> 
</span><span class="cx"> void Heap::visitProtectedObjects(HeapRootVisitor&amp; heapRootVisitor)
</span><span class="cx"> {
</span><ins>+    GCPHASE(VisitProtectedObjects);
+
</ins><span class="cx">     for (auto&amp; pair : m_protectedValues)
</span><span class="cx">         heapRootVisitor.visit(&amp;pair.key);
</span><span class="cx"> 
</span><span class="lines">@@ -656,6 +782,7 @@
</span><span class="cx"> 
</span><span class="cx"> void Heap::visitArgumentBuffers(HeapRootVisitor&amp; visitor)
</span><span class="cx"> {
</span><ins>+    GCPHASE(MarkingArgumentBuffers);
</ins><span class="cx">     if (!m_markListSet || !m_markListSet-&gt;size())
</span><span class="cx">         return;
</span><span class="cx"> 
</span><span class="lines">@@ -669,6 +796,7 @@
</span><span class="cx"> 
</span><span class="cx"> void Heap::visitException(HeapRootVisitor&amp; visitor)
</span><span class="cx"> {
</span><ins>+    GCPHASE(MarkingException);
</ins><span class="cx">     if (!m_vm-&gt;exception() &amp;&amp; !m_vm-&gt;lastException())
</span><span class="cx">         return;
</span><span class="cx"> 
</span><span class="lines">@@ -683,6 +811,7 @@
</span><span class="cx"> 
</span><span class="cx"> void Heap::visitStrongHandles(HeapRootVisitor&amp; visitor)
</span><span class="cx"> {
</span><ins>+    GCPHASE(VisitStrongHandles);
</ins><span class="cx">     m_handleSet.visitStrongHandles(visitor);
</span><span class="cx"> 
</span><span class="cx">     if (Options::logGC() == GCLogging::Verbose)
</span><span class="lines">@@ -693,6 +822,7 @@
</span><span class="cx"> 
</span><span class="cx"> void Heap::visitHandleStack(HeapRootVisitor&amp; visitor)
</span><span class="cx"> {
</span><ins>+    GCPHASE(VisitHandleStack);
</ins><span class="cx">     m_handleStack.visit(visitor);
</span><span class="cx"> 
</span><span class="cx">     if (Options::logGC() == GCLogging::Verbose)
</span><span class="lines">@@ -706,6 +836,7 @@
</span><span class="cx"> #if ENABLE(SAMPLING_PROFILER)
</span><span class="cx">     if (SamplingProfiler* samplingProfiler = m_vm-&gt;samplingProfiler()) {
</span><span class="cx">         ASSERT(samplingProfiler-&gt;getLock().isLocked());
</span><ins>+        GCPHASE(VisitSamplingProfiler);
</ins><span class="cx">         samplingProfiler-&gt;visit(m_slotVisitor);
</span><span class="cx">         if (Options::logGC() == GCLogging::Verbose)
</span><span class="cx">             dataLog(&quot;Sampling Profiler data:\n&quot;, m_slotVisitor);
</span><span class="lines">@@ -723,7 +854,8 @@
</span><span class="cx"> 
</span><span class="cx"> void Heap::traceCodeBlocksAndJITStubRoutines()
</span><span class="cx"> {
</span><del>-    m_jitStubRoutines-&gt;traceMarkedStubRoutines(m_slotVisitor);
</del><ins>+    GCPHASE(TraceCodeBlocksAndJITStubRoutines);
+    m_jitStubRoutines.traceMarkedStubRoutines(m_slotVisitor);
</ins><span class="cx"> 
</span><span class="cx">     if (Options::logGC() == GCLogging::Verbose)
</span><span class="cx">         dataLog(&quot;Code Blocks and JIT Stub Routines:\n&quot;, m_slotVisitor);
</span><span class="lines">@@ -733,11 +865,13 @@
</span><span class="cx"> 
</span><span class="cx"> void Heap::converge()
</span><span class="cx"> {
</span><ins>+    GCPHASE(Convergence);
</ins><span class="cx">     m_slotVisitor.drainFromShared(SlotVisitor::MasterDrain);
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void Heap::visitWeakHandles(HeapRootVisitor&amp; visitor)
</span><span class="cx"> {
</span><ins>+    GCPHASE(VisitingLiveWeakHandles);
</ins><span class="cx">     while (true) {
</span><span class="cx">         m_objectSpace.visitWeakSets(visitor);
</span><span class="cx">         harvestWeakReferences();
</span><span class="lines">@@ -758,6 +892,8 @@
</span><span class="cx"> 
</span><span class="cx"> void Heap::updateObjectCounts(double gcStartTime)
</span><span class="cx"> {
</span><ins>+    GCCOUNTER(VisitedValueCount, m_slotVisitor.visitCount() + threadVisitCount());
+
</ins><span class="cx">     if (Options::logGC() == GCLogging::Verbose) {
</span><span class="cx">         size_t visitCount = m_slotVisitor.visitCount();
</span><span class="cx">         visitCount += threadVisitCount();
</span><span class="lines">@@ -897,6 +1033,7 @@
</span><span class="cx"> 
</span><span class="cx"> void Heap::clearUnmarkedExecutables()
</span><span class="cx"> {
</span><ins>+    GCPHASE(ClearUnmarkedExecutables);
</ins><span class="cx">     for (unsigned i = m_executables.size(); i--;) {
</span><span class="cx">         ExecutableBase* current = m_executables[i];
</span><span class="cx">         if (isMarked(current))
</span><span class="lines">@@ -914,9 +1051,10 @@
</span><span class="cx"> 
</span><span class="cx"> void Heap::deleteUnmarkedCompiledCode()
</span><span class="cx"> {
</span><ins>+    GCPHASE(DeleteCodeBlocks);
</ins><span class="cx">     clearUnmarkedExecutables();
</span><del>-    m_codeBlocks-&gt;deleteUnmarkedAndUnreferenced(m_operationInProgress);
-    m_jitStubRoutines-&gt;deleteUnmarkedJettisonedStubRoutines();
</del><ins>+    m_codeBlocks.deleteUnmarkedAndUnreferenced(m_operationInProgress);
+    m_jitStubRoutines.deleteUnmarkedJettisonedStubRoutines();
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void Heap::addToRememberedSet(const JSCell* cell)
</span><span class="lines">@@ -935,11 +1073,10 @@
</span><span class="cx"> 
</span><span class="cx"> void Heap::collectAllGarbage()
</span><span class="cx"> {
</span><del>-    SuperSamplerScope superSamplerScope(false);
</del><span class="cx">     if (!m_isSafeToCollect)
</span><span class="cx">         return;
</span><span class="cx"> 
</span><del>-    collectWithoutAnySweep(FullCollection);
</del><ins>+    collect(FullCollection);
</ins><span class="cx"> 
</span><span class="cx">     DeferGCForAWhile deferGC(*this);
</span><span class="cx">     if (UNLIKELY(Options::useImmortalObjects()))
</span><span class="lines">@@ -953,20 +1090,8 @@
</span><span class="cx">     sweepAllLogicallyEmptyWeakBlocks();
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-void Heap::collect(HeapOperation collectionType)
</del><ins>+NEVER_INLINE void Heap::collect(HeapOperation collectionType)
</ins><span class="cx"> {
</span><del>-    SuperSamplerScope superSamplerScope(false);
-    if (!m_isSafeToCollect)
-        return;
-
-    collectWithoutAnySweep(collectionType);
-
-    DeferGCForAWhile deferGC(*this);
-    m_objectSpace.sweepLargeAllocations();
-}
-
-NEVER_INLINE void Heap::collectWithoutAnySweep(HeapOperation collectionType)
-{
</del><span class="cx">     void* stackTop;
</span><span class="cx">     ALLOCATE_AND_GET_REGISTER_STATE(registers);
</span><span class="cx"> 
</span><span class="lines">@@ -977,8 +1102,6 @@
</span><span class="cx"> 
</span><span class="cx"> NEVER_INLINE void Heap::collectImpl(HeapOperation collectionType, void* stackOrigin, void* stackTop, MachineThreads::RegisterState&amp; calleeSavedRegisters)
</span><span class="cx"> {
</span><del>-    TimingScope collectImplTimingScope(&quot;Heap::collectImpl&quot;);
-    
</del><span class="cx"> #if ENABLE(ALLOCATION_LOGGING)
</span><span class="cx">     dataLogF(&quot;JSC GC starting collection.\n&quot;);
</span><span class="cx"> #endif
</span><span class="lines">@@ -1011,6 +1134,7 @@
</span><span class="cx"> 
</span><span class="cx">     suspendCompilerThreads();
</span><span class="cx">     willStartCollection(collectionType);
</span><ins>+    GCPHASE(Collect);
</ins><span class="cx"> 
</span><span class="cx">     double gcStartTime = WTF::monotonicallyIncreasingTime();
</span><span class="cx">     if (m_verifier) {
</span><span class="lines">@@ -1024,12 +1148,9 @@
</span><span class="cx"> 
</span><span class="cx">     flushOldStructureIDTables();
</span><span class="cx">     stopAllocation();
</span><del>-    prepareForMarking();
</del><span class="cx">     flushWriteBarrierBuffer();
</span><span class="cx"> 
</span><span class="cx">     markRoots(gcStartTime, stackOrigin, stackTop, calleeSavedRegisters);
</span><del>-    
-    TimingScope lateTimingScope(&quot;Heap::collectImpl after markRoots&quot;);
</del><span class="cx"> 
</span><span class="cx">     if (m_verifier) {
</span><span class="cx">         m_verifier-&gt;gatherLiveObjects(HeapVerifier::Phase::AfterMarking);
</span><span class="lines">@@ -1043,7 +1164,9 @@
</span><span class="cx">     pruneStaleEntriesFromWeakGCMaps();
</span><span class="cx">     sweepArrayBuffers();
</span><span class="cx">     snapshotMarkedSpace();
</span><ins>+
</ins><span class="cx">     copyBackingStores();
</span><ins>+
</ins><span class="cx">     finalizeUnconditionalFinalizers();
</span><span class="cx">     removeDeadCompilerWorklistEntries();
</span><span class="cx">     deleteUnmarkedCompiledCode();
</span><span class="lines">@@ -1056,7 +1179,7 @@
</span><span class="cx">     updateAllocationLimits();
</span><span class="cx">     didFinishCollection(gcStartTime);
</span><span class="cx">     resumeCompilerThreads();
</span><del>-    
</del><ins>+
</ins><span class="cx">     if (m_verifier) {
</span><span class="cx">         m_verifier-&gt;trimDeadObjects();
</span><span class="cx">         m_verifier-&gt;verify(HeapVerifier::Phase::AfterGC);
</span><span class="lines">@@ -1071,6 +1194,7 @@
</span><span class="cx"> void Heap::suspendCompilerThreads()
</span><span class="cx"> {
</span><span class="cx"> #if ENABLE(DFG_JIT)
</span><ins>+    GCPHASE(SuspendCompilerThreads);
</ins><span class="cx">     ASSERT(m_suspendedCompilerWorklists.isEmpty());
</span><span class="cx">     for (unsigned i = DFG::numberOfWorklists(); i--;) {
</span><span class="cx">         if (DFG::Worklist* worklist = DFG::worklistForIndexOrNull(i)) {
</span><span class="lines">@@ -1083,6 +1207,8 @@
</span><span class="cx"> 
</span><span class="cx"> void Heap::willStartCollection(HeapOperation collectionType)
</span><span class="cx"> {
</span><ins>+    GCPHASE(StartingCollection);
+    
</ins><span class="cx">     if (Options::logGC())
</span><span class="cx">         dataLog(&quot;=&gt; &quot;);
</span><span class="cx">     
</span><span class="lines">@@ -1120,11 +1246,13 @@
</span><span class="cx"> 
</span><span class="cx"> void Heap::flushOldStructureIDTables()
</span><span class="cx"> {
</span><ins>+    GCPHASE(FlushOldStructureIDTables);
</ins><span class="cx">     m_structureIDTable.flushOldTables();
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void Heap::flushWriteBarrierBuffer()
</span><span class="cx"> {
</span><ins>+    GCPHASE(FlushWriteBarrierBuffer);
</ins><span class="cx">     if (m_operationInProgress == EdenCollection) {
</span><span class="cx">         m_writeBarrierBuffer.flush(*this);
</span><span class="cx">         return;
</span><span class="lines">@@ -1134,23 +1262,21 @@
</span><span class="cx"> 
</span><span class="cx"> void Heap::stopAllocation()
</span><span class="cx"> {
</span><ins>+    GCPHASE(StopAllocation);
</ins><span class="cx">     m_objectSpace.stopAllocating();
</span><span class="cx">     if (m_operationInProgress == FullCollection)
</span><span class="cx">         m_storageSpace.didStartFullCollection();
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-void Heap::prepareForMarking()
-{
-    m_objectSpace.prepareForMarking();
-}
-
</del><span class="cx"> void Heap::reapWeakHandles()
</span><span class="cx"> {
</span><ins>+    GCPHASE(ReapingWeakHandles);
</ins><span class="cx">     m_objectSpace.reapWeakSets();
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void Heap::pruneStaleEntriesFromWeakGCMaps()
</span><span class="cx"> {
</span><ins>+    GCPHASE(PruningStaleEntriesFromWeakGCMaps);
</ins><span class="cx">     if (m_operationInProgress != FullCollection)
</span><span class="cx">         return;
</span><span class="cx">     for (auto&amp; pruneCallback : m_weakGCMaps.values())
</span><span class="lines">@@ -1159,6 +1285,7 @@
</span><span class="cx"> 
</span><span class="cx"> void Heap::sweepArrayBuffers()
</span><span class="cx"> {
</span><ins>+    GCPHASE(SweepingArrayBuffers);
</ins><span class="cx">     m_arrayBuffers.sweep();
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="lines">@@ -1179,10 +1306,8 @@
</span><span class="cx"> 
</span><span class="cx"> void Heap::snapshotMarkedSpace()
</span><span class="cx"> {
</span><del>-    // FIXME: This should probably be renamed. It's not actually snapshotting all of MarkedSpace.
-    // This is used by IncrementalSweeper, so it only needs to snapshot blocks. However, if we ever
-    // wanted to add other snapshotting login, we'd probably put it here.
-    
</del><ins>+    GCPHASE(SnapshotMarkedSpace);
+
</ins><span class="cx">     if (m_operationInProgress == EdenCollection) {
</span><span class="cx">         m_blockSnapshot.appendVector(m_objectSpace.blocksWithNewObjects());
</span><span class="cx">         // Sort and deduplicate the block snapshot since we might be appending to an unfinished work list.
</span><span class="lines">@@ -1197,11 +1322,14 @@
</span><span class="cx"> 
</span><span class="cx"> void Heap::deleteSourceProviderCaches()
</span><span class="cx"> {
</span><ins>+    GCPHASE(DeleteSourceProviderCaches);
</ins><span class="cx">     m_vm-&gt;clearSourceProviderCaches();
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void Heap::notifyIncrementalSweeper()
</span><span class="cx"> {
</span><ins>+    GCPHASE(NotifyIncrementalSweeper);
+
</ins><span class="cx">     if (m_operationInProgress == FullCollection) {
</span><span class="cx">         if (!m_logicallyEmptyWeakBlocks.isEmpty())
</span><span class="cx">             m_indexOfNextLogicallyEmptyWeakBlockToSweep = 0;
</span><span class="lines">@@ -1212,23 +1340,20 @@
</span><span class="cx"> 
</span><span class="cx"> void Heap::writeBarrierCurrentlyExecutingCodeBlocks()
</span><span class="cx"> {
</span><del>-    m_codeBlocks-&gt;writeBarrierCurrentlyExecutingCodeBlocks(this);
</del><ins>+    GCPHASE(WriteBarrierCurrentlyExecutingCodeBlocks);
+    m_codeBlocks.writeBarrierCurrentlyExecutingCodeBlocks(this);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void Heap::resetAllocators()
</span><span class="cx"> {
</span><ins>+    GCPHASE(ResetAllocators);
</ins><span class="cx">     m_objectSpace.resetAllocators();
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void Heap::updateAllocationLimits()
</span><span class="cx"> {
</span><del>-    static const bool verbose = false;
</del><ins>+    GCPHASE(UpdateAllocationLimits);
</ins><span class="cx">     
</span><del>-    if (verbose) {
-        dataLog(&quot;\n&quot;);
-        dataLog(&quot;bytesAllocatedThisCycle = &quot;, m_bytesAllocatedThisCycle, &quot;\n&quot;);
-    }
-    
</del><span class="cx">     // Calculate our current heap size threshold for the purpose of figuring out when we should
</span><span class="cx">     // run another collection. This isn't the same as either size() or capacity(), though it should
</span><span class="cx">     // be somewhere between the two. The key is to match the size calculations involved calls to
</span><span class="lines">@@ -1244,8 +1369,6 @@
</span><span class="cx">     // of fragmentation, this may be substantial. Fortunately, marked space rarely fragments because
</span><span class="cx">     // cells usually have a narrow range of sizes. So, the underestimation is probably OK.
</span><span class="cx">     currentHeapSize += m_totalBytesVisited;
</span><del>-    if (verbose)
-        dataLog(&quot;totalBytesVisited = &quot;, m_totalBytesVisited, &quot;, currentHeapSize = &quot;, currentHeapSize, &quot;\n&quot;);
</del><span class="cx"> 
</span><span class="cx">     // For copied space, we use the capacity of storage space. This is because copied space may get
</span><span class="cx">     // badly fragmented between full collections. This arises when each eden collection evacuates
</span><span class="lines">@@ -1261,15 +1384,10 @@
</span><span class="cx">     // https://bugs.webkit.org/show_bug.cgi?id=150268
</span><span class="cx">     ASSERT(m_totalBytesCopied &lt;= m_storageSpace.size());
</span><span class="cx">     currentHeapSize += m_storageSpace.capacity();
</span><del>-    if (verbose)
-        dataLog(&quot;storageSpace.capacity() = &quot;, m_storageSpace.capacity(), &quot;, currentHeapSize = &quot;, currentHeapSize, &quot;\n&quot;);
</del><span class="cx"> 
</span><span class="cx">     // It's up to the user to ensure that extraMemorySize() ends up corresponding to allocation-time
</span><span class="cx">     // extra memory reporting.
</span><span class="cx">     currentHeapSize += extraMemorySize();
</span><del>-
-    if (verbose)
-        dataLog(&quot;extraMemorySize() = &quot;, extraMemorySize(), &quot;, currentHeapSize = &quot;, currentHeapSize, &quot;\n&quot;);
</del><span class="cx">     
</span><span class="cx">     if (Options::gcMaxHeapSize() &amp;&amp; currentHeapSize &gt; Options::gcMaxHeapSize())
</span><span class="cx">         HeapStatistics::exitWithFailure();
</span><span class="lines">@@ -1279,38 +1397,29 @@
</span><span class="cx">         // the new allocation limit based on the current size of the heap, with a
</span><span class="cx">         // fixed minimum.
</span><span class="cx">         m_maxHeapSize = max(minHeapSize(m_heapType, m_ramSize), proportionalHeapSize(currentHeapSize, m_ramSize));
</span><del>-        if (verbose)
-            dataLog(&quot;Full: maxHeapSize = &quot;, m_maxHeapSize, &quot;\n&quot;);
</del><span class="cx">         m_maxEdenSize = m_maxHeapSize - currentHeapSize;
</span><del>-        if (verbose)
-            dataLog(&quot;Full: maxEdenSize = &quot;, m_maxEdenSize, &quot;\n&quot;);
</del><span class="cx">         m_sizeAfterLastFullCollect = currentHeapSize;
</span><del>-        if (verbose)
-            dataLog(&quot;Full: sizeAfterLastFullCollect = &quot;, currentHeapSize, &quot;\n&quot;);
</del><span class="cx">         m_bytesAbandonedSinceLastFullCollect = 0;
</span><del>-        if (verbose)
-            dataLog(&quot;Full: bytesAbandonedSinceLastFullCollect = &quot;, 0, &quot;\n&quot;);
</del><span class="cx">     } else {
</span><ins>+        static const bool verbose = false;
+        
</ins><span class="cx">         ASSERT(currentHeapSize &gt;= m_sizeAfterLastCollect);
</span><del>-        // Theoretically, we shouldn't ever scan more memory than the heap size we planned to have.
-        // But we are sloppy, so we have to defend against the overflow.
-        m_maxEdenSize = currentHeapSize &gt; m_maxHeapSize ? 0 : m_maxHeapSize - currentHeapSize;
-        if (verbose)
-            dataLog(&quot;Eden: maxEdenSize = &quot;, m_maxEdenSize, &quot;\n&quot;);
</del><ins>+        m_maxEdenSize = m_maxHeapSize - currentHeapSize;
</ins><span class="cx">         m_sizeAfterLastEdenCollect = currentHeapSize;
</span><ins>+        if (verbose) {
+            dataLog(&quot;Max heap size: &quot;, m_maxHeapSize, &quot;\n&quot;);
+            dataLog(&quot;Current heap size: &quot;, currentHeapSize, &quot;\n&quot;);
+            dataLog(&quot;Size after last eden collection: &quot;, m_sizeAfterLastEdenCollect, &quot;\n&quot;);
+        }
+        double edenToOldGenerationRatio = (double)m_maxEdenSize / (double)m_maxHeapSize;
</ins><span class="cx">         if (verbose)
</span><del>-            dataLog(&quot;Eden: sizeAfterLastEdenCollect = &quot;, currentHeapSize, &quot;\n&quot;);
-        double edenToOldGenerationRatio = (double)m_maxEdenSize / (double)m_maxHeapSize;
</del><ins>+            dataLog(&quot;Eden to old generation ratio: &quot;, edenToOldGenerationRatio, &quot;\n&quot;);
</ins><span class="cx">         double minEdenToOldGenerationRatio = 1.0 / 3.0;
</span><span class="cx">         if (edenToOldGenerationRatio &lt; minEdenToOldGenerationRatio)
</span><span class="cx">             m_shouldDoFullCollection = true;
</span><span class="cx">         // This seems suspect at first, but what it does is ensure that the nursery size is fixed.
</span><span class="cx">         m_maxHeapSize += currentHeapSize - m_sizeAfterLastCollect;
</span><del>-        if (verbose)
-            dataLog(&quot;Eden: maxHeapSize = &quot;, m_maxHeapSize, &quot;\n&quot;);
</del><span class="cx">         m_maxEdenSize = m_maxHeapSize - currentHeapSize;
</span><del>-        if (verbose)
-            dataLog(&quot;Eden: maxEdenSize = &quot;, m_maxEdenSize, &quot;\n&quot;);
</del><span class="cx">         if (m_fullActivityCallback) {
</span><span class="cx">             ASSERT(currentHeapSize &gt;= m_sizeAfterLastFullCollect);
</span><span class="cx">             m_fullActivityCallback-&gt;didAllocate(currentHeapSize - m_sizeAfterLastFullCollect);
</span><span class="lines">@@ -1318,8 +1427,6 @@
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     m_sizeAfterLastCollect = currentHeapSize;
</span><del>-    if (verbose)
-        dataLog(&quot;sizeAfterLastCollect = &quot;, m_sizeAfterLastCollect, &quot;\n&quot;);
</del><span class="cx">     m_bytesAllocatedThisCycle = 0;
</span><span class="cx"> 
</span><span class="cx">     if (Options::logGC())
</span><span class="lines">@@ -1328,6 +1435,7 @@
</span><span class="cx"> 
</span><span class="cx"> void Heap::didFinishCollection(double gcStartTime)
</span><span class="cx"> {
</span><ins>+    GCPHASE(FinishingCollection);
</ins><span class="cx">     double gcEndTime = WTF::monotonicallyIncreasingTime();
</span><span class="cx">     HeapOperation operation = m_operationInProgress;
</span><span class="cx">     if (m_operationInProgress == FullCollection)
</span><span class="lines">@@ -1363,6 +1471,7 @@
</span><span class="cx"> void Heap::resumeCompilerThreads()
</span><span class="cx"> {
</span><span class="cx"> #if ENABLE(DFG_JIT)
</span><ins>+    GCPHASE(ResumeCompilerThreads);
</ins><span class="cx">     for (auto worklist : m_suspendedCompilerWorklists)
</span><span class="cx">         worklist-&gt;resumeAllThreads();
</span><span class="cx">     m_suspendedCompilerWorklists.clear();
</span><span class="lines">@@ -1471,7 +1580,7 @@
</span><span class="cx">         if (cell-&gt;isZapped())
</span><span class="cx">             current++;
</span><span class="cx"> 
</span><del>-        void* limit = static_cast&lt;void*&gt;(reinterpret_cast&lt;char*&gt;(cell) + cell-&gt;cellSize());
</del><ins>+        void* limit = static_cast&lt;void*&gt;(reinterpret_cast&lt;char*&gt;(cell) + MarkedBlock::blockFor(cell)-&gt;cellSize());
</ins><span class="cx">         for (; current &lt; limit; current++)
</span><span class="cx">             *current = zombifiedBits;
</span><span class="cx">     }
</span><span class="lines">@@ -1577,12 +1686,4 @@
</span><span class="cx">     return result;
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-void Heap::forEachCodeBlockImpl(const ScopedLambda&lt;bool(CodeBlock*)&gt;&amp; func)
-{
-    // We don't know the full set of CodeBlocks until compilation has terminated.
-    completeAllJITPlans();
-
-    return m_codeBlocks-&gt;iterate(func);
-}
-
</del><span class="cx"> } // namespace JSC
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapHeaph"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/heap/Heap.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/Heap.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/heap/Heap.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -23,6 +23,7 @@
</span><span class="cx"> #define Heap_h
</span><span class="cx"> 
</span><span class="cx"> #include &quot;ArrayBuffer.h&quot;
</span><ins>+#include &quot;CodeBlockSet.h&quot;
</ins><span class="cx"> #include &quot;CopyVisitor.h&quot;
</span><span class="cx"> #include &quot;GCIncomingRefCountedSet.h&quot;
</span><span class="cx"> #include &quot;HandleSet.h&quot;
</span><span class="lines">@@ -29,6 +30,7 @@
</span><span class="cx"> #include &quot;HandleStack.h&quot;
</span><span class="cx"> #include &quot;HeapObserver.h&quot;
</span><span class="cx"> #include &quot;HeapOperation.h&quot;
</span><ins>+#include &quot;JITStubRoutineSet.h&quot;
</ins><span class="cx"> #include &quot;ListableHandler.h&quot;
</span><span class="cx"> #include &quot;MachineStackMarker.h&quot;
</span><span class="cx"> #include &quot;MarkedAllocator.h&quot;
</span><span class="lines">@@ -51,7 +53,6 @@
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span><span class="cx"> class CodeBlock;
</span><del>-class CodeBlockSet;
</del><span class="cx"> class CopiedSpace;
</span><span class="cx"> class EdenGCActivityCallback;
</span><span class="cx"> class ExecutableBase;
</span><span class="lines">@@ -64,7 +65,6 @@
</span><span class="cx"> class HeapVerifier;
</span><span class="cx"> class IncrementalSweeper;
</span><span class="cx"> class JITStubRoutine;
</span><del>-class JITStubRoutineSet;
</del><span class="cx"> class JSCell;
</span><span class="cx"> class JSValue;
</span><span class="cx"> class LLIntOffsetsExtractor;
</span><span class="lines">@@ -83,8 +83,6 @@
</span><span class="cx"> 
</span><span class="cx"> enum HeapType { SmallHeap, LargeHeap };
</span><span class="cx"> 
</span><del>-class HeapUtil;
-
</del><span class="cx"> class Heap {
</span><span class="cx">     WTF_MAKE_NONCOPYABLE(Heap);
</span><span class="cx"> public:
</span><span class="lines">@@ -91,7 +89,7 @@
</span><span class="cx">     friend class JIT;
</span><span class="cx">     friend class DFG::SpeculativeJIT;
</span><span class="cx">     static Heap* heap(const JSValue); // 0 for immediate values
</span><del>-    static Heap* heap(const HeapCell*);
</del><ins>+    static Heap* heap(const JSCell*);
</ins><span class="cx"> 
</span><span class="cx">     // This constant determines how many blocks we iterate between checks of our 
</span><span class="cx">     // deadline when calling Heap::isPagedOut. Decreasing it will cause us to detect 
</span><span class="lines">@@ -103,9 +101,12 @@
</span><span class="cx">     static bool isMarked(const void*);
</span><span class="cx">     static bool testAndSetMarked(const void*);
</span><span class="cx">     static void setMarked(const void*);
</span><del>-    
-    static size_t cellSize(const void*);
</del><span class="cx"> 
</span><ins>+    // This function must be run after stopAllocation() is called and 
+    // before liveness data is cleared to be accurate.
+    static bool isPointerGCObject(TinyBloomFilter, MarkedBlockSet&amp;, void* pointer);
+    static bool isValueGCObject(TinyBloomFilter, MarkedBlockSet&amp;, JSValue);
+
</ins><span class="cx">     void writeBarrier(const JSCell*);
</span><span class="cx">     void writeBarrier(const JSCell*, JSValue);
</span><span class="cx">     void writeBarrier(const JSCell*, JSCell*);
</span><span class="lines">@@ -146,14 +147,10 @@
</span><span class="cx">     MarkedSpace::Subspace&amp; subspaceForObjectDestructor() { return m_objectSpace.subspaceForObjectsWithDestructor(); }
</span><span class="cx">     MarkedSpace::Subspace&amp; subspaceForAuxiliaryData() { return m_objectSpace.subspaceForAuxiliaryData(); }
</span><span class="cx">     template&lt;typename ClassType&gt; MarkedSpace::Subspace&amp; subspaceForObjectOfType();
</span><del>-    MarkedAllocator* allocatorForObjectWithoutDestructor(size_t bytes) { return m_objectSpace.allocatorFor(bytes); }
-    MarkedAllocator* allocatorForObjectWithDestructor(size_t bytes) { return m_objectSpace.destructorAllocatorFor(bytes); }
-    template&lt;typename ClassType&gt; MarkedAllocator* allocatorForObjectOfType(size_t bytes);
-    MarkedAllocator* allocatorForAuxiliaryData(size_t bytes) { return m_objectSpace.auxiliaryAllocatorFor(bytes); }
</del><ins>+    MarkedAllocator&amp; allocatorForObjectWithoutDestructor(size_t bytes) { return m_objectSpace.allocatorFor(bytes); }
+    MarkedAllocator&amp; allocatorForObjectWithDestructor(size_t bytes) { return m_objectSpace.destructorAllocatorFor(bytes); }
+    template&lt;typename ClassType&gt; MarkedAllocator&amp; allocatorForObjectOfType(size_t bytes);
</ins><span class="cx">     CopiedAllocator&amp; storageAllocator() { return m_storageSpace.allocator(); }
</span><del>-    void* allocateAuxiliary(JSCell* intendedOwner, size_t);
-    void* tryAllocateAuxiliary(JSCell* intendedOwner, size_t);
-    void* tryReallocateAuxiliary(JSCell* intendedOwner, void* oldBase, size_t oldSize, size_t newSize);
</del><span class="cx">     CheckedBoolean tryAllocateStorage(JSCell* intendedOwner, size_t, void**);
</span><span class="cx">     CheckedBoolean tryReallocateStorage(JSCell* intendedOwner, void**, size_t, size_t);
</span><span class="cx">     void ascribeOwner(JSCell* intendedOwner, void*);
</span><span class="lines">@@ -233,7 +230,7 @@
</span><span class="cx">     void didAllocate(size_t);
</span><span class="cx">     bool isPagedOut(double deadline);
</span><span class="cx">     
</span><del>-    const JITStubRoutineSet&amp; jitStubRoutines() { return *m_jitStubRoutines; }
</del><ins>+    const JITStubRoutineSet&amp; jitStubRoutines() { return m_jitStubRoutines; }
</ins><span class="cx">     
</span><span class="cx">     void addReference(JSCell*, ArrayBuffer*);
</span><span class="cx">     
</span><span class="lines">@@ -241,7 +238,7 @@
</span><span class="cx"> 
</span><span class="cx">     StructureIDTable&amp; structureIDTable() { return m_structureIDTable; }
</span><span class="cx"> 
</span><del>-    CodeBlockSet&amp; codeBlockSet() { return *m_codeBlocks; }
</del><ins>+    CodeBlockSet&amp; codeBlockSet() { return m_codeBlocks; }
</ins><span class="cx"> 
</span><span class="cx"> #if USE(FOUNDATION)
</span><span class="cx">     template&lt;typename T&gt; void releaseSoon(RetainPtr&lt;T&gt;&amp;&amp;);
</span><span class="lines">@@ -270,7 +267,6 @@
</span><span class="cx">     friend class GCLogging;
</span><span class="cx">     friend class GCThread;
</span><span class="cx">     friend class HandleSet;
</span><del>-    friend class HeapUtil;
</del><span class="cx">     friend class HeapVerifier;
</span><span class="cx">     friend class JITStubRoutine;
</span><span class="cx">     friend class LLIntOffsetsExtractor;
</span><span class="lines">@@ -287,8 +283,6 @@
</span><span class="cx">     template&lt;typename T&gt; friend void* allocateCell(Heap&amp;);
</span><span class="cx">     template&lt;typename T&gt; friend void* allocateCell(Heap&amp;, size_t);
</span><span class="cx"> 
</span><del>-    void collectWithoutAnySweep(HeapOperation collectionType = AnyCollection);
-
</del><span class="cx">     void* allocateWithDestructor(size_t); // For use with objects with destructors.
</span><span class="cx">     void* allocateWithoutDestructor(size_t); // For use with objects without destructors.
</span><span class="cx">     template&lt;typename ClassType&gt; void* allocateObjectOfType(size_t); // Chooses one of the methods above based on type.
</span><span class="lines">@@ -310,7 +304,6 @@
</span><span class="cx">     void flushOldStructureIDTables();
</span><span class="cx">     void flushWriteBarrierBuffer();
</span><span class="cx">     void stopAllocation();
</span><del>-    void prepareForMarking();
</del><span class="cx">     
</span><span class="cx">     void markRoots(double gcStartTime, void* stackOrigin, void* stackTop, MachineThreads::RegisterState&amp;);
</span><span class="cx">     void gatherStackRoots(ConservativeRoots&amp;, void* stackOrigin, void* stackTop, MachineThreads::RegisterState&amp;);
</span><span class="lines">@@ -369,8 +362,6 @@
</span><span class="cx">     size_t threadBytesVisited();
</span><span class="cx">     size_t threadBytesCopied();
</span><span class="cx"> 
</span><del>-    void forEachCodeBlockImpl(const ScopedLambda&lt;bool(CodeBlock*)&gt;&amp;);
-
</del><span class="cx">     const HeapType m_heapType;
</span><span class="cx">     const size_t m_ramSize;
</span><span class="cx">     const size_t m_minBytesPerCycle;
</span><span class="lines">@@ -417,8 +408,8 @@
</span><span class="cx"> 
</span><span class="cx">     HandleSet m_handleSet;
</span><span class="cx">     HandleStack m_handleStack;
</span><del>-    std::unique_ptr&lt;CodeBlockSet&gt; m_codeBlocks;
-    std::unique_ptr&lt;JITStubRoutineSet&gt; m_jitStubRoutines;
</del><ins>+    CodeBlockSet m_codeBlocks;
+    JITStubRoutineSet m_jitStubRoutines;
</ins><span class="cx">     FinalizerOwner m_finalizerOwner;
</span><span class="cx">     
</span><span class="cx">     bool m_isSafeToCollect;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapHeapCellh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/heap/HeapCell.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/HeapCell.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/heap/HeapCell.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -25,17 +25,8 @@
</span><span class="cx"> 
</span><span class="cx"> #pragma once
</span><span class="cx"> 
</span><del>-#include &quot;DestructionMode.h&quot;
-
</del><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span><del>-class CellContainer;
-class Heap;
-class LargeAllocation;
-class MarkedBlock;
-class VM;
-struct AllocatorAttributes;
-
</del><span class="cx"> class HeapCell {
</span><span class="cx"> public:
</span><span class="cx">     enum Kind : int8_t {
</span><span class="lines">@@ -47,25 +38,6 @@
</span><span class="cx">     
</span><span class="cx">     void zap() { *reinterpret_cast&lt;uintptr_t**&gt;(this) = 0; }
</span><span class="cx">     bool isZapped() const { return !*reinterpret_cast&lt;uintptr_t* const*&gt;(this); }
</span><del>-    
-    bool isLargeAllocation() const;
-    CellContainer cellContainer() const;
-    MarkedBlock&amp; markedBlock() const;
-    LargeAllocation&amp; largeAllocation() const;
-
-    // If you want performance and you know that your cell is small, you can do this instead:
-    // ASSERT(!cell-&gt;isLargeAllocation());
-    // cell-&gt;markedBlock().vm()
-    // We currently only use this hack for callees to make ExecState::vm() fast. It's not
-    // recommended to use it for too many other things, since the large allocation cutoff is
-    // a runtime option and its default value is small (400 bytes).
-    Heap* heap() const;
-    VM* vm() const;
-    
-    size_t cellSize() const;
-    AllocatorAttributes allocatorAttributes() const;
-    DestructionMode destructionMode() const;
-    Kind cellKind() const;
</del><span class="cx"> };
</span><span class="cx"> 
</span><span class="cx"> } // namespace JSC
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapHeapCellInlinesh"></a>
<div class="delfile"><h4>Deleted: trunk/Source/JavaScriptCore/heap/HeapCellInlines.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/HeapCellInlines.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/heap/HeapCellInlines.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,92 +0,0 @@
</span><del>-/*
- * Copyright (C) 2016 Apple Inc. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
- * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
- * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- */
-
-#pragma once
-
-#include &quot;CellContainer.h&quot;
-#include &quot;HeapCell.h&quot;
-#include &quot;LargeAllocation.h&quot;
-#include &quot;MarkedBlock.h&quot;
-
-namespace JSC {
-
-ALWAYS_INLINE bool HeapCell::isLargeAllocation() const
-{
-    return LargeAllocation::isLargeAllocation(const_cast&lt;HeapCell*&gt;(this));
-}
-
-ALWAYS_INLINE CellContainer HeapCell::cellContainer() const
-{
-    if (isLargeAllocation())
-        return largeAllocation();
-    return markedBlock();
-}
-
-ALWAYS_INLINE MarkedBlock&amp; HeapCell::markedBlock() const
-{
-    return *MarkedBlock::blockFor(this);
-}
-
-ALWAYS_INLINE LargeAllocation&amp; HeapCell::largeAllocation() const
-{
-    return *LargeAllocation::fromCell(const_cast&lt;HeapCell*&gt;(this));
-}
-
-ALWAYS_INLINE Heap* HeapCell::heap() const
-{
-    return Heap::heap(this);
-}
-
-ALWAYS_INLINE VM* HeapCell::vm() const
-{
-    return heap()-&gt;vm();
-}
-    
-ALWAYS_INLINE size_t HeapCell::cellSize() const
-{
-    if (isLargeAllocation())
-        return largeAllocation().cellSize();
-    return markedBlock().cellSize();
-}
-
-ALWAYS_INLINE AllocatorAttributes HeapCell::allocatorAttributes() const
-{
-    if (isLargeAllocation())
-        return largeAllocation().attributes();
-    return markedBlock().attributes();
-}
-
-ALWAYS_INLINE DestructionMode HeapCell::destructionMode() const
-{
-    return allocatorAttributes().destruction;
-}
-
-ALWAYS_INLINE HeapCell::Kind HeapCell::cellKind() const
-{
-    return allocatorAttributes().cellKind;
-}
-
-} // namespace JSC
-
</del></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapHeapInlinesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/heap/HeapInlines.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/HeapInlines.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/heap/HeapInlines.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -28,9 +28,6 @@
</span><span class="cx"> 
</span><span class="cx"> #include &quot;CopyBarrier.h&quot;
</span><span class="cx"> #include &quot;Heap.h&quot;
</span><del>-#include &quot;HeapCellInlines.h&quot;
-#include &quot;IndexingHeader.h&quot;
-#include &quot;JSCallee.h&quot;
</del><span class="cx"> #include &quot;JSCell.h&quot;
</span><span class="cx"> #include &quot;Structure.h&quot;
</span><span class="cx"> #include &lt;type_traits&gt;
</span><span class="lines">@@ -62,11 +59,9 @@
</span><span class="cx">     return m_operationInProgress == FullCollection || m_operationInProgress == EdenCollection;
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-ALWAYS_INLINE Heap* Heap::heap(const HeapCell* cell)
</del><ins>+inline Heap* Heap::heap(const JSCell* cell)
</ins><span class="cx"> {
</span><del>-    if (cell-&gt;isLargeAllocation())
-        return cell-&gt;largeAllocation().heap();
-    return cell-&gt;markedBlock().heap();
</del><ins>+    return MarkedBlock::blockFor(cell)-&gt;heap();
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> inline Heap* Heap::heap(const JSValue v)
</span><span class="lines">@@ -76,44 +71,26 @@
</span><span class="cx">     return heap(v.asCell());
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-inline bool Heap::isLive(const void* rawCell)
</del><ins>+inline bool Heap::isLive(const void* cell)
</ins><span class="cx"> {
</span><del>-    HeapCell* cell = bitwise_cast&lt;HeapCell*&gt;(rawCell);
-    if (cell-&gt;isLargeAllocation())
-        return cell-&gt;largeAllocation().isLive();
-    return cell-&gt;markedBlock().isLiveCell(cell);
</del><ins>+    return MarkedBlock::blockFor(cell)-&gt;isLiveCell(cell);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><del>-ALWAYS_INLINE bool Heap::isMarked(const void* rawCell)
</del><ins>+inline bool Heap::isMarked(const void* cell)
</ins><span class="cx"> {
</span><del>-    HeapCell* cell = bitwise_cast&lt;HeapCell*&gt;(rawCell);
-    if (cell-&gt;isLargeAllocation())
-        return cell-&gt;largeAllocation().isMarked();
-    return cell-&gt;markedBlock().isMarked(cell);
</del><ins>+    return MarkedBlock::blockFor(cell)-&gt;isMarked(cell);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><del>-ALWAYS_INLINE bool Heap::testAndSetMarked(const void* rawCell)
</del><ins>+inline bool Heap::testAndSetMarked(const void* cell)
</ins><span class="cx"> {
</span><del>-    HeapCell* cell = bitwise_cast&lt;HeapCell*&gt;(rawCell);
-    if (cell-&gt;isLargeAllocation())
-        return cell-&gt;largeAllocation().testAndSetMarked();
-    return cell-&gt;markedBlock().testAndSetMarked(cell);
</del><ins>+    return MarkedBlock::blockFor(cell)-&gt;testAndSetMarked(cell);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><del>-inline void Heap::setMarked(const void* rawCell)
</del><ins>+inline void Heap::setMarked(const void* cell)
</ins><span class="cx"> {
</span><del>-    HeapCell* cell = bitwise_cast&lt;HeapCell*&gt;(rawCell);
-    if (cell-&gt;isLargeAllocation())
-        cell-&gt;largeAllocation().setMarked();
-    else
-        cell-&gt;markedBlock().setMarked(cell);
</del><ins>+    MarkedBlock::blockFor(cell)-&gt;setMarked(cell);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><del>-ALWAYS_INLINE size_t Heap::cellSize(const void* rawCell)
-{
-    return bitwise_cast&lt;HeapCell*&gt;(rawCell)-&gt;cellSize();
-}
-
</del><span class="cx"> inline void Heap::writeBarrier(const JSCell* from, JSValue to)
</span><span class="cx"> {
</span><span class="cx"> #if ENABLE(WRITE_BARRIER_PROFILING)
</span><span class="lines">@@ -188,9 +165,12 @@
</span><span class="cx">         deprecatedReportExtraMemorySlowCase(size);
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-template&lt;typename Functor&gt; inline void Heap::forEachCodeBlock(const Functor&amp; func)
</del><ins>+template&lt;typename Functor&gt; inline void Heap::forEachCodeBlock(const Functor&amp; functor)
</ins><span class="cx"> {
</span><del>-    forEachCodeBlockImpl(scopedLambdaRef&lt;bool(CodeBlock*)&gt;(func));
</del><ins>+    // We don't know the full set of CodeBlocks until compilation has terminated.
+    completeAllJITPlans();
+
+    return m_codeBlocks.iterate&lt;Functor&gt;(functor);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> template&lt;typename Functor&gt; inline void Heap::forEachProtectedCell(const Functor&amp; functor)
</span><span class="lines">@@ -219,7 +199,7 @@
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> template&lt;typename ClassType&gt;
</span><del>-inline void* Heap::allocateObjectOfType(size_t bytes)
</del><ins>+void* Heap::allocateObjectOfType(size_t bytes)
</ins><span class="cx"> {
</span><span class="cx">     // JSCell::classInfo() expects objects allocated with normal destructor to derive from JSDestructibleObject.
</span><span class="cx">     ASSERT((!ClassType::needsDestruction || (ClassType::StructureFlags &amp; StructureIsImmortal) || std::is_convertible&lt;ClassType, JSDestructibleObject&gt;::value));
</span><span class="lines">@@ -230,7 +210,7 @@
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> template&lt;typename ClassType&gt;
</span><del>-inline MarkedSpace::Subspace&amp; Heap::subspaceForObjectOfType()
</del><ins>+MarkedSpace::Subspace&amp; Heap::subspaceForObjectOfType()
</ins><span class="cx"> {
</span><span class="cx">     // JSCell::classInfo() expects objects allocated with normal destructor to derive from JSDestructibleObject.
</span><span class="cx">     ASSERT((!ClassType::needsDestruction || (ClassType::StructureFlags &amp; StructureIsImmortal) || std::is_convertible&lt;ClassType, JSDestructibleObject&gt;::value));
</span><span class="lines">@@ -241,52 +221,16 @@
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> template&lt;typename ClassType&gt;
</span><del>-inline MarkedAllocator* Heap::allocatorForObjectOfType(size_t bytes)
</del><ins>+MarkedAllocator&amp; Heap::allocatorForObjectOfType(size_t bytes)
</ins><span class="cx"> {
</span><span class="cx">     // JSCell::classInfo() expects objects allocated with normal destructor to derive from JSDestructibleObject.
</span><span class="cx">     ASSERT((!ClassType::needsDestruction || (ClassType::StructureFlags &amp; StructureIsImmortal) || std::is_convertible&lt;ClassType, JSDestructibleObject&gt;::value));
</span><del>-
-    MarkedAllocator* result;
</del><ins>+    
</ins><span class="cx">     if (ClassType::needsDestruction)
</span><del>-        result = allocatorForObjectWithDestructor(bytes);
-    else
-        result = allocatorForObjectWithoutDestructor(bytes);
-    
-    ASSERT(result || !ClassType::info()-&gt;isSubClassOf(JSCallee::info()));
-    return result;
</del><ins>+        return allocatorForObjectWithDestructor(bytes);
+    return allocatorForObjectWithoutDestructor(bytes);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><del>-inline void* Heap::allocateAuxiliary(JSCell* intendedOwner, size_t bytes)
-{
-    void* result = m_objectSpace.allocateAuxiliary(bytes);
-#if ENABLE(ALLOCATION_LOGGING)
-    dataLogF(&quot;JSC GC allocating %lu bytes of auxiliary for %p: %p.\n&quot;, bytes, intendedOwner, result);
-#else
-    UNUSED_PARAM(intendedOwner);
-#endif
-    return result;
-}
-
-inline void* Heap::tryAllocateAuxiliary(JSCell* intendedOwner, size_t bytes)
-{
-    void* result = m_objectSpace.tryAllocateAuxiliary(bytes);
-#if ENABLE(ALLOCATION_LOGGING)
-    dataLogF(&quot;JSC GC allocating %lu bytes of auxiliary for %p: %p.\n&quot;, bytes, intendedOwner, result);
-#else
-    UNUSED_PARAM(intendedOwner);
-#endif
-    return result;
-}
-
-inline void* Heap::tryReallocateAuxiliary(JSCell* intendedOwner, void* oldBase, size_t oldSize, size_t newSize)
-{
-    void* newBase = tryAllocateAuxiliary(intendedOwner, newSize);
-    if (!newBase)
-        return nullptr;
-    memcpy(newBase, oldBase, oldSize);
-    return newBase;
-}
-
</del><span class="cx"> inline CheckedBoolean Heap::tryAllocateStorage(JSCell* intendedOwner, size_t bytes, void** outPtr)
</span><span class="cx"> {
</span><span class="cx">     CheckedBoolean result = m_storageSpace.tryAllocate(bytes, outPtr);
</span><span class="lines">@@ -410,6 +354,33 @@
</span><span class="cx"> #endif
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+inline bool Heap::isPointerGCObject(TinyBloomFilter filter, MarkedBlockSet&amp; markedBlockSet, void* pointer)
+{
+    MarkedBlock* candidate = MarkedBlock::blockFor(pointer);
+    if (filter.ruleOut(bitwise_cast&lt;Bits&gt;(candidate))) {
+        ASSERT(!candidate || !markedBlockSet.set().contains(candidate));
+        return false;
+    }
+
+    if (!MarkedBlock::isAtomAligned(pointer))
+        return false;
+
+    if (!markedBlockSet.set().contains(candidate))
+        return false;
+
+    if (!candidate-&gt;isLiveCell(pointer))
+        return false;
+
+    return true;
+}
+
+inline bool Heap::isValueGCObject(TinyBloomFilter filter, MarkedBlockSet&amp; markedBlockSet, JSValue value)
+{
+    if (!value.isCell())
+        return false;
+    return isPointerGCObject(filter, markedBlockSet, static_cast&lt;void*&gt;(value.asCell()));
+}
+
</ins><span class="cx"> } // namespace JSC
</span><span class="cx"> 
</span><span class="cx"> #endif // HeapInlines_h
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapHeapUtilh"></a>
<div class="delfile"><h4>Deleted: trunk/Source/JavaScriptCore/heap/HeapUtil.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/HeapUtil.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/heap/HeapUtil.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,186 +0,0 @@
</span><del>-/*
- * Copyright (C) 2016 Apple Inc. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
- * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
- * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
- * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
- * THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#pragma once
-
-namespace JSC {
-
-// Are you tired of waiting for all of WebKit to build because you changed the implementation of a
-// function in HeapInlines.h?  Does it bother you that you're waiting on rebuilding the JS DOM
-// bindings even though your change is in a function called from only 2 .cpp files?  Then HeapUtil.h
-// is for you!  Everything in this class should be a static method that takes a Heap&amp; if needed.
-// This is a friend of Heap, so you can access all of Heap's privates.
-//
-// This ends up being an issue because Heap exposes a lot of methods that ought to be inline for
-// performance or that must be inline because they are templates.  This class ought to contain
-// methods that are used for the implementation of the collector, or for unusual clients that need
-// to reach deep into the collector for some reason.  Don't put things in here that would cause you
-// to have to include it from more than a handful of places, since that would defeat the purpose.
-// This class isn't here to look pretty.  It's to let us hack the GC more easily!
-
-class HeapUtil {
-public:
-    // This function must be run after stopAllocation() is called and 
-    // before liveness data is cleared to be accurate.
-    template&lt;typename Func&gt;
-    static void findGCObjectPointersForMarking(
-        Heap&amp; heap, TinyBloomFilter filter, void* passedPointer,
-        const Func&amp; func)
-    {
-        const HashSet&lt;MarkedBlock*&gt;&amp; set = heap.objectSpace().blocks().set();
-        
-        char* pointer = static_cast&lt;char*&gt;(passedPointer);
-        
-        // It could point to a large allocation.
-        if (heap.objectSpace().largeAllocationsForThisCollectionSize()) {
-            if (heap.objectSpace().largeAllocationsForThisCollectionBegin()[0]-&gt;aboveLowerBound(pointer)
-                &amp;&amp; heap.objectSpace().largeAllocationsForThisCollectionEnd()[-1]-&gt;belowUpperBound(pointer)) {
-                LargeAllocation** result = approximateBinarySearch&lt;LargeAllocation*&gt;(
-                    heap.objectSpace().largeAllocationsForThisCollectionBegin(),
-                    heap.objectSpace().largeAllocationsForThisCollectionSize(),
-                    LargeAllocation::fromCell(pointer),
-                    [] (LargeAllocation** ptr) -&gt; LargeAllocation* { return *ptr; });
-                if (result) {
-                    if (result &gt; heap.objectSpace().largeAllocationsForThisCollectionBegin()
-                        &amp;&amp; result[-1]-&gt;contains(pointer))
-                        func(result[-1]-&gt;cell());
-                    if (result[0]-&gt;contains(pointer))
-                        func(result[0]-&gt;cell());
-                    if (result + 1 &lt; heap.objectSpace().largeAllocationsForThisCollectionEnd()
-                        &amp;&amp; result[1]-&gt;contains(pointer))
-                        func(result[1]-&gt;cell());
-                }
-            }
-        }
-    
-        MarkedBlock* candidate = MarkedBlock::blockFor(pointer);
-        // It's possible for a butterfly pointer to point past the end of a butterfly. Check this now.
-        if (pointer &lt;= bitwise_cast&lt;char*&gt;(candidate) + sizeof(IndexingHeader)) {
-            // We may be interested in the last cell of the previous MarkedBlock.
-            char* previousPointer = pointer - sizeof(IndexingHeader) - 1;
-            MarkedBlock* previousCandidate = MarkedBlock::blockFor(previousPointer);
-            if (!filter.ruleOut(bitwise_cast&lt;Bits&gt;(previousCandidate))
-                &amp;&amp; set.contains(previousCandidate)
-                &amp;&amp; previousCandidate-&gt;cellKind() == HeapCell::Auxiliary) {
-                previousPointer = static_cast&lt;char*&gt;(previousCandidate-&gt;cellAlign(previousPointer));
-                if (previousCandidate-&gt;isLiveCell(previousPointer))
-                    func(previousPointer);
-            }
-        }
-    
-        if (filter.ruleOut(bitwise_cast&lt;Bits&gt;(candidate))) {
-            ASSERT(!candidate || !set.contains(candidate));
-            return;
-        }
-    
-        if (!set.contains(candidate))
-            return;
-
-        auto tryPointer = [&amp;] (void* pointer) {
-            if (candidate-&gt;isLiveCell(pointer))
-                func(pointer);
-        };
-    
-        if (candidate-&gt;cellKind() == HeapCell::JSCell) {
-            if (!MarkedBlock::isAtomAligned(pointer))
-                return;
-        
-            tryPointer(pointer);
-            return;
-        }
-    
-        // A butterfly could point into the middle of an object.
-        char* alignedPointer = static_cast&lt;char*&gt;(candidate-&gt;cellAlign(pointer));
-        tryPointer(alignedPointer);
-    
-        // Also, a butterfly could point at the end of an object plus sizeof(IndexingHeader). In that
-        // case, this is pointing to the object to the right of the one we should be marking.
-        if (candidate-&gt;atomNumber(alignedPointer) &gt; MarkedBlock::firstAtom()
-            &amp;&amp; pointer &lt;= alignedPointer + sizeof(IndexingHeader))
-            tryPointer(alignedPointer - candidate-&gt;cellSize());
-    }
-    
-    static bool isPointerGCObjectJSCell(
-        Heap&amp; heap, TinyBloomFilter filter, const void* pointer)
-    {
-        // It could point to a large allocation.
-        const Vector&lt;LargeAllocation*&gt;&amp; largeAllocations = heap.objectSpace().largeAllocations();
-        if (!largeAllocations.isEmpty()) {
-            if (largeAllocations[0]-&gt;aboveLowerBound(pointer)
-                &amp;&amp; largeAllocations.last()-&gt;belowUpperBound(pointer)) {
-                LargeAllocation*const* result = approximateBinarySearch&lt;LargeAllocation*const&gt;(
-                    largeAllocations.begin(), largeAllocations.size(),
-                    LargeAllocation::fromCell(pointer),
-                    [] (LargeAllocation*const* ptr) -&gt; LargeAllocation* { return *ptr; });
-                if (result) {
-                    if (result &gt; largeAllocations.begin()
-                        &amp;&amp; result[-1]-&gt;cell() == pointer
-                        &amp;&amp; result[-1]-&gt;attributes().cellKind == HeapCell::JSCell)
-                        return true;
-                    if (result[0]-&gt;cell() == pointer
-                        &amp;&amp; result[0]-&gt;attributes().cellKind == HeapCell::JSCell)
-                        return true;
-                    if (result + 1 &lt; largeAllocations.end()
-                        &amp;&amp; result[1]-&gt;cell() == pointer
-                        &amp;&amp; result[1]-&gt;attributes().cellKind == HeapCell::JSCell)
-                        return true;
-                }
-            }
-        }
-    
-        const HashSet&lt;MarkedBlock*&gt;&amp; set = heap.objectSpace().blocks().set();
-        
-        MarkedBlock* candidate = MarkedBlock::blockFor(pointer);
-        if (filter.ruleOut(bitwise_cast&lt;Bits&gt;(candidate))) {
-            ASSERT(!candidate || !set.contains(candidate));
-            return false;
-        }
-        
-        if (!MarkedBlock::isAtomAligned(pointer))
-            return false;
-        
-        if (!set.contains(candidate))
-            return false;
-        
-        if (candidate-&gt;cellKind() != HeapCell::JSCell)
-            return false;
-        
-        if (!candidate-&gt;isLiveCell(pointer))
-            return false;
-        
-        return true;
-    }
-    
-    static bool isValueGCObject(
-        Heap&amp; heap, TinyBloomFilter filter, JSValue value)
-    {
-        if (!value.isCell())
-            return false;
-        return isPointerGCObjectJSCell(heap, filter, static_cast&lt;void*&gt;(value.asCell()));
-    }
-};
-
-} // namespace JSC
-
</del></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapLargeAllocationcpp"></a>
<div class="delfile"><h4>Deleted: trunk/Source/JavaScriptCore/heap/LargeAllocation.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/LargeAllocation.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/heap/LargeAllocation.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,123 +0,0 @@
</span><del>-/*
- * Copyright (C) 2016 Apple Inc. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
- * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
- * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- */
-
-#include &quot;config.h&quot;
-#include &quot;LargeAllocation.h&quot;
-
-#include &quot;Heap.h&quot;
-#include &quot;JSCInlines.h&quot;
-#include &quot;Operations.h&quot;
-
-namespace JSC {
-
-LargeAllocation* LargeAllocation::tryCreate(Heap&amp; heap, size_t size, const AllocatorAttributes&amp; attributes)
-{
-    void* space = tryFastAlignedMalloc(alignment, headerSize() + size);
-    if (!space)
-        return nullptr;
-    if (scribbleFreeCells())
-        scribble(space, size);
-    return new (NotNull, space) LargeAllocation(heap, size, attributes);
-}
-
-LargeAllocation::LargeAllocation(Heap&amp; heap, size_t size, const AllocatorAttributes&amp; attributes)
-    : m_cellSize(size)
-    , m_isNewlyAllocated(true)
-    , m_hasValidCell(true)
-    , m_attributes(attributes)
-    , m_weakSet(heap.vm(), *this)
-{
-    m_isMarked.store(0);
-}
-
-void LargeAllocation::lastChanceToFinalize()
-{
-    m_weakSet.lastChanceToFinalize();
-    clearMarksWithCollectionType&lt;FullCollection&gt;();
-    clearNewlyAllocated();
-    sweep();
-}
-
-void LargeAllocation::shrink()
-{
-    m_weakSet.shrink();
-}
-
-void LargeAllocation::visitWeakSet(HeapRootVisitor&amp; visitor)
-{
-    m_weakSet.visit(visitor);
-}
-
-void LargeAllocation::reapWeakSet()
-{
-    return m_weakSet.reap();
-}
-
-void LargeAllocation::clearMarks()
-{
-    if (heap()-&gt;operationInProgress() == JSC::EdenCollection)
-        this-&gt;clearMarksWithCollectionType&lt;EdenCollection&gt;();
-    else
-        this-&gt;clearMarksWithCollectionType&lt;FullCollection&gt;();
-}
-
-template &lt;HeapOperation collectionType&gt;
-void LargeAllocation::clearMarksWithCollectionType()
-{
-    ASSERT(collectionType == FullCollection || collectionType == EdenCollection);
-    
-    if (collectionType == FullCollection)
-        clearMarked();
-}
-
-bool LargeAllocation::isEmpty()
-{
-    return !isMarked() &amp;&amp; m_weakSet.isEmpty() &amp;&amp; !isNewlyAllocated();
-}
-
-void LargeAllocation::sweep()
-{
-    m_weakSet.sweep();
-    
-    if (m_hasValidCell &amp;&amp; !isLive()) {
-        if (m_attributes.destruction == NeedsDestruction)
-            static_cast&lt;JSCell*&gt;(cell())-&gt;callDestructor(*vm());
-        m_hasValidCell = false;
-    }
-}
-
-void LargeAllocation::destroy()
-{
-    this-&gt;~LargeAllocation();
-    fastAlignedFree(this);
-}
-
-void LargeAllocation::dump(PrintStream&amp; out) const
-{
-    out.print(RawPointer(this), &quot;:(cell at &quot;, RawPointer(cell()), &quot; with size &quot;, m_cellSize, &quot; and attributes &quot;, m_attributes, &quot;)&quot;);
-}
-
-} // namespace JSC
-
</del></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapLargeAllocationh"></a>
<div class="delfile"><h4>Deleted: trunk/Source/JavaScriptCore/heap/LargeAllocation.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/LargeAllocation.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/heap/LargeAllocation.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,152 +0,0 @@
</span><del>-/*
- * Copyright (C) 2016 Apple Inc. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
- * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
- * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- */
-
-#pragma once
-
-#include &quot;MarkedBlock.h&quot;
-#include &quot;WeakSet.h&quot;
-
-namespace JSC {
-
-// WebKit has a good malloc that already knows what to do for large allocations. The GC shouldn't
-// have to think about such things. That's where LargeAllocation comes in. We will allocate large
-// objects directly using malloc, and put the LargeAllocation header just before them. We can detect
-// when a HeapCell* is a LargeAllocation because it will have the MarkedBlock::atomSize / 2 bit set.
-
-class LargeAllocation {
-public:
-    static LargeAllocation* tryCreate(Heap&amp;, size_t, const AllocatorAttributes&amp;);
-    
-    static LargeAllocation* fromCell(const void* cell)
-    {
-        return bitwise_cast&lt;LargeAllocation*&gt;(bitwise_cast&lt;char*&gt;(cell) - headerSize());
-    }
-    
-    HeapCell* cell() const
-    {
-        return bitwise_cast&lt;HeapCell*&gt;(bitwise_cast&lt;char*&gt;(this) + headerSize());
-    }
-    
-    static bool isLargeAllocation(HeapCell* cell)
-    {
-        return bitwise_cast&lt;uintptr_t&gt;(cell) &amp; halfAlignment;
-    }
-    
-    void lastChanceToFinalize();
-    
-    Heap* heap() const { return m_weakSet.heap(); }
-    VM* vm() const { return m_weakSet.vm(); }
-    WeakSet&amp; weakSet() { return m_weakSet; }
-    
-    void shrink();
-    
-    void visitWeakSet(HeapRootVisitor&amp;);
-    void reapWeakSet();
-    
-    void clearNewlyAllocated() { m_isNewlyAllocated = false; }
-    void clearMarks();
-    template&lt;HeapOperation collectionType&gt;
-    void clearMarksWithCollectionType();
-    
-    bool isNewlyAllocated() const { return m_isNewlyAllocated; }
-    ALWAYS_INLINE bool isMarked() { return m_isMarked.load(std::memory_order_relaxed); }
-    bool isMarkedOrNewlyAllocated() { return isMarked() || isNewlyAllocated(); }
-    bool isLive() { return isMarkedOrNewlyAllocated(); }
-    
-    bool hasValidCell() const { return m_hasValidCell; }
-    
-    bool isEmpty();
-    
-    size_t cellSize() const { return m_cellSize; }
-    
-    bool aboveLowerBound(const void* rawPtr)
-    {
-        char* ptr = bitwise_cast&lt;char*&gt;(rawPtr);
-        char* begin = bitwise_cast&lt;char*&gt;(cell());
-        return ptr &gt;= begin;
-    }
-    
-    bool belowUpperBound(const void* rawPtr)
-    {
-        char* ptr = bitwise_cast&lt;char*&gt;(rawPtr);
-        char* begin = bitwise_cast&lt;char*&gt;(cell());
-        char* end = begin + cellSize();
-        // We cannot #include IndexingHeader.h because reasons. The fact that IndexingHeader is 8
-        // bytes is wired deep into our engine, so this isn't so bad.
-        size_t sizeOfIndexingHeader = 8;
-        return ptr &lt;= end + sizeOfIndexingHeader;
-    }
-    
-    bool contains(const void* rawPtr)
-    {
-        return aboveLowerBound(rawPtr) &amp;&amp; belowUpperBound(rawPtr);
-    }
-    
-    const AllocatorAttributes&amp; attributes() const { return m_attributes; }
-    
-    ALWAYS_INLINE bool testAndSetMarked()
-    {
-        // This method is usually called when the object is already marked. This avoids us
-        // having to CAS in that case. It's profitable to reduce the total amount of CAS
-        // traffic.
-        if (isMarked())
-            return true;
-        return !m_isMarked.compareExchangeStrong(false, true);
-    }
-    ALWAYS_INLINE bool testAndSetMarked(HeapCell*) { return testAndSetMarked(); }
-    void setMarked() { m_isMarked.store(true); }
-    void clearMarked() { m_isMarked.store(false); }
-    
-    void setHasAnyMarked() { }
-    
-    void sweep();
-    
-    void destroy();
-    
-    void dump(PrintStream&amp;) const;
-    
-private:
-    LargeAllocation(Heap&amp;, size_t, const AllocatorAttributes&amp;);
-    
-    static const unsigned alignment = MarkedBlock::atomSize;
-    static const unsigned halfAlignment = alignment / 2;
-
-    static unsigned headerSize();
-    
-    size_t m_cellSize;
-    bool m_isNewlyAllocated;
-    bool m_hasValidCell;
-    Atomic&lt;bool&gt; m_isMarked;
-    AllocatorAttributes m_attributes;
-    WeakSet m_weakSet;
-};
-
-inline unsigned LargeAllocation::headerSize()
-{
-    return ((sizeof(LargeAllocation) + halfAlignment - 1) &amp; ~(halfAlignment - 1)) | halfAlignment;
-}
-
-} // namespace JSC
-
</del></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapMarkedAllocatorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/heap/MarkedAllocator.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/MarkedAllocator.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/heap/MarkedAllocator.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -30,23 +30,11 @@
</span><span class="cx"> #include &quot;Heap.h&quot;
</span><span class="cx"> #include &quot;IncrementalSweeper.h&quot;
</span><span class="cx"> #include &quot;JSCInlines.h&quot;
</span><del>-#include &quot;SuperSampler.h&quot;
</del><span class="cx"> #include &quot;VM.h&quot;
</span><span class="cx"> #include &lt;wtf/CurrentTime.h&gt;
</span><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span><del>-MarkedAllocator::MarkedAllocator(Heap* heap, MarkedSpace* markedSpace, size_t cellSize, const AllocatorAttributes&amp; attributes)
-    : m_currentBlock(0)
-    , m_lastActiveBlock(0)
-    , m_nextBlockToSweep(0)
-    , m_cellSize(static_cast&lt;unsigned&gt;(cellSize))
-    , m_attributes(attributes)
-    , m_heap(heap)
-    , m_markedSpace(markedSpace)
-{
-}
-
</del><span class="cx"> static bool isListPagedOut(double deadline, DoublyLinkedList&lt;MarkedBlock&gt;&amp; list)
</span><span class="cx"> {
</span><span class="cx">     unsigned itersSinceLastTimeCheck = 0;
</span><span class="lines">@@ -71,7 +59,7 @@
</span><span class="cx">     return false;
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-void MarkedAllocator::retire(MarkedBlock* block, FreeList&amp; freeList)
</del><ins>+void MarkedAllocator::retire(MarkedBlock* block, MarkedBlock::FreeList&amp; freeList)
</ins><span class="cx"> {
</span><span class="cx">     m_blockList.remove(block);
</span><span class="cx">     m_retiredBlocks.push(block);
</span><span class="lines">@@ -78,7 +66,7 @@
</span><span class="cx">     block-&gt;didRetireBlock(freeList);
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-inline void* MarkedAllocator::tryAllocateWithoutCollectingImpl(size_t bytes)
</del><ins>+inline void* MarkedAllocator::tryAllocateHelper(size_t bytes)
</ins><span class="cx"> {
</span><span class="cx">     if (m_currentBlock) {
</span><span class="cx">         ASSERT(m_currentBlock == m_nextBlockToSweep);
</span><span class="lines">@@ -85,17 +73,16 @@
</span><span class="cx">         m_currentBlock-&gt;didConsumeFreeList();
</span><span class="cx">         m_nextBlockToSweep = m_currentBlock-&gt;next();
</span><span class="cx">     }
</span><del>-    
-    setFreeList(FreeList());
</del><span class="cx"> 
</span><span class="cx">     MarkedBlock* next;
</span><span class="cx">     for (MarkedBlock*&amp; block = m_nextBlockToSweep; block; block = next) {
</span><span class="cx">         next = block-&gt;next();
</span><span class="cx"> 
</span><del>-        FreeList freeList = block-&gt;sweep(MarkedBlock::SweepToFreeList);
</del><ins>+        MarkedBlock::FreeList freeList = block-&gt;sweep(MarkedBlock::SweepToFreeList);
</ins><span class="cx">         
</span><del>-        double utilization = ((double)MarkedBlock::blockSize - (double)freeList.originalSize) / (double)MarkedBlock::blockSize;
</del><ins>+        double utilization = ((double)MarkedBlock::blockSize - (double)freeList.bytes) / (double)MarkedBlock::blockSize;
</ins><span class="cx">         if (utilization &gt;= Options::minMarkedBlockUtilization()) {
</span><ins>+            ASSERT(freeList.bytes || !freeList.head);
</ins><span class="cx">             retire(block, freeList);
</span><span class="cx">             continue;
</span><span class="cx">         }
</span><span class="lines">@@ -104,37 +91,40 @@
</span><span class="cx">             block-&gt;stopAllocating(freeList);
</span><span class="cx">             continue;
</span><span class="cx">         }
</span><del>-        
</del><ins>+
</ins><span class="cx">         m_currentBlock = block;
</span><del>-        setFreeList(freeList);
</del><ins>+        m_freeList = freeList;
</ins><span class="cx">         break;
</span><span class="cx">     }
</span><span class="cx">     
</span><del>-    if (!m_freeList) {
</del><ins>+    if (!m_freeList.head) {
</ins><span class="cx">         m_currentBlock = 0;
</span><span class="cx">         return 0;
</span><span class="cx">     }
</span><span class="cx"> 
</span><del>-    void* result;
-    if (m_freeList.remaining) {
-        unsigned cellSize = m_cellSize;
-        m_freeList.remaining -= cellSize;
-        result = m_freeList.payloadEnd - m_freeList.remaining - cellSize;
-    } else {
-        FreeCell* head = m_freeList.head;
-        m_freeList.head = head-&gt;next;
-        result = head;
-    }
-    RELEASE_ASSERT(result);
</del><ins>+    ASSERT(m_freeList.head);
+    void* head = tryPopFreeList(bytes);
+    ASSERT(head);
</ins><span class="cx">     m_markedSpace-&gt;didAllocateInBlock(m_currentBlock);
</span><del>-    return result;
</del><ins>+    return head;
</ins><span class="cx"> }
</span><span class="cx"> 
</span><del>-inline void* MarkedAllocator::tryAllocateWithoutCollecting(size_t bytes)
</del><ins>+inline void* MarkedAllocator::tryPopFreeList(size_t bytes)
</ins><span class="cx"> {
</span><ins>+    ASSERT(m_currentBlock);
+    if (bytes &gt; m_currentBlock-&gt;cellSize())
+        return 0;
+
+    MarkedBlock::FreeCell* head = m_freeList.head;
+    m_freeList.head = head-&gt;next;
+    return head;
+}
+
+inline void* MarkedAllocator::tryAllocate(size_t bytes)
+{
</ins><span class="cx">     ASSERT(!m_heap-&gt;isBusy());
</span><span class="cx">     m_heap-&gt;m_operationInProgress = Allocation;
</span><del>-    void* result = tryAllocateWithoutCollectingImpl(bytes);
</del><ins>+    void* result = tryAllocateHelper(bytes);
</ins><span class="cx"> 
</span><span class="cx">     m_heap-&gt;m_operationInProgress = NoOperation;
</span><span class="cx">     ASSERT(result || !m_currentBlock);
</span><span class="lines">@@ -158,31 +148,20 @@
</span><span class="cx"> 
</span><span class="cx"> void* MarkedAllocator::allocateSlowCase(size_t bytes)
</span><span class="cx"> {
</span><del>-    bool crashOnFailure = true;
-    return allocateSlowCaseImpl(bytes, crashOnFailure);
-}
-
-void* MarkedAllocator::tryAllocateSlowCase(size_t bytes)
-{
-    bool crashOnFailure = false;
-    return allocateSlowCaseImpl(bytes, crashOnFailure);
-}
-
-void* MarkedAllocator::allocateSlowCaseImpl(size_t bytes, bool crashOnFailure)
-{
</del><span class="cx">     ASSERT(m_heap-&gt;vm()-&gt;currentThreadIsHoldingAPILock());
</span><span class="cx">     doTestCollectionsIfNeeded();
</span><span class="cx"> 
</span><span class="cx">     ASSERT(!m_markedSpace-&gt;isIterating());
</span><del>-    m_heap-&gt;didAllocate(m_freeList.originalSize);
</del><ins>+    ASSERT(!m_freeList.head);
+    m_heap-&gt;didAllocate(m_freeList.bytes);
</ins><span class="cx">     
</span><del>-    void* result = tryAllocateWithoutCollecting(bytes);
</del><ins>+    void* result = tryAllocate(bytes);
</ins><span class="cx">     
</span><span class="cx">     if (LIKELY(result != 0))
</span><span class="cx">         return result;
</span><span class="cx">     
</span><span class="cx">     if (m_heap-&gt;collectIfNecessaryOrDefer()) {
</span><del>-        result = tryAllocateWithoutCollecting(bytes);
</del><ins>+        result = tryAllocate(bytes);
</ins><span class="cx">         if (result)
</span><span class="cx">             return result;
</span><span class="cx">     }
</span><span class="lines">@@ -189,42 +168,31 @@
</span><span class="cx"> 
</span><span class="cx">     ASSERT(!m_heap-&gt;shouldCollect());
</span><span class="cx">     
</span><del>-    MarkedBlock* block = tryAllocateBlock();
-    if (!block) {
-        if (crashOnFailure)
-            RELEASE_ASSERT_NOT_REACHED();
-        else
-            return nullptr;
-    }
</del><ins>+    MarkedBlock* block = allocateBlock(bytes);
+    ASSERT(block);
</ins><span class="cx">     addBlock(block);
</span><span class="cx">         
</span><del>-    result = tryAllocateWithoutCollecting(bytes);
</del><ins>+    result = tryAllocate(bytes);
</ins><span class="cx">     ASSERT(result);
</span><span class="cx">     return result;
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-static size_t blockHeaderSize()
</del><ins>+MarkedBlock* MarkedAllocator::allocateBlock(size_t bytes)
</ins><span class="cx"> {
</span><del>-    return WTF::roundUpToMultipleOf&lt;MarkedBlock::atomSize&gt;(sizeof(MarkedBlock));
-}
-
-size_t MarkedAllocator::blockSizeForBytes(size_t bytes)
-{
</del><span class="cx">     size_t minBlockSize = MarkedBlock::blockSize;
</span><del>-    size_t minAllocationSize = blockHeaderSize() + WTF::roundUpToMultipleOf&lt;MarkedBlock::atomSize&gt;(bytes);
</del><ins>+    size_t minAllocationSize = WTF::roundUpToMultipleOf&lt;MarkedBlock::atomSize&gt;(sizeof(MarkedBlock)) + WTF::roundUpToMultipleOf&lt;MarkedBlock::atomSize&gt;(bytes);
</ins><span class="cx">     minAllocationSize = WTF::roundUpToMultipleOf(WTF::pageSize(), minAllocationSize);
</span><del>-    return std::max(minBlockSize, minAllocationSize);
-}
</del><ins>+    size_t blockSize = std::max(minBlockSize, minAllocationSize);
</ins><span class="cx"> 
</span><del>-MarkedBlock* MarkedAllocator::tryAllocateBlock()
-{
-    return MarkedBlock::tryCreate(*m_heap, this, MarkedBlock::blockSize, m_cellSize, m_attributes);
</del><ins>+    size_t cellSize = m_cellSize ? m_cellSize : WTF::roundUpToMultipleOf&lt;MarkedBlock::atomSize&gt;(bytes);
+
+    return MarkedBlock::create(*m_heap, this, blockSize, cellSize, m_attributes);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void MarkedAllocator::addBlock(MarkedBlock* block)
</span><span class="cx"> {
</span><span class="cx">     ASSERT(!m_currentBlock);
</span><del>-    ASSERT(!m_freeList);
</del><ins>+    ASSERT(!m_freeList.head);
</ins><span class="cx">     
</span><span class="cx">     m_blockList.append(block);
</span><span class="cx">     m_nextBlockToSweep = block;
</span><span class="lines">@@ -235,7 +203,7 @@
</span><span class="cx"> {
</span><span class="cx">     if (m_currentBlock == block) {
</span><span class="cx">         m_currentBlock = m_currentBlock-&gt;next();
</span><del>-        setFreeList(FreeList());
</del><ins>+        m_freeList = MarkedBlock::FreeList();
</ins><span class="cx">     }
</span><span class="cx">     if (m_nextBlockToSweep == block)
</span><span class="cx">         m_nextBlockToSweep = m_nextBlockToSweep-&gt;next();
</span><span class="lines">@@ -248,7 +216,7 @@
</span><span class="cx"> {
</span><span class="cx">     m_lastActiveBlock = 0;
</span><span class="cx">     m_currentBlock = 0;
</span><del>-    setFreeList(FreeList());
</del><ins>+    m_freeList = MarkedBlock::FreeList();
</ins><span class="cx">     if (m_heap-&gt;operationInProgress() == FullCollection)
</span><span class="cx">         m_blockList.append(m_retiredBlocks);
</span><span class="cx"> 
</span><span class="lines">@@ -259,7 +227,7 @@
</span><span class="cx">         for (MarkedBlock*&amp; block = m_nextBlockToSweep; block; block = next) {
</span><span class="cx">             next = block-&gt;next();
</span><span class="cx"> 
</span><del>-            FreeList freeList = block-&gt;sweep(MarkedBlock::SweepToFreeList);
</del><ins>+            MarkedBlock::FreeList freeList = block-&gt;sweep(MarkedBlock::SweepToFreeList);
</ins><span class="cx">             retire(block, freeList);
</span><span class="cx">         }
</span><span class="cx">     }
</span><span class="lines">@@ -274,9 +242,4 @@
</span><span class="cx">         });
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-void MarkedAllocator::setFreeList(const FreeList&amp; freeList)
-{
-    m_freeList = freeList;
-}
-
</del><span class="cx"> } // namespace JSC
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapMarkedAllocatorh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/heap/MarkedAllocator.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/MarkedAllocator.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/heap/MarkedAllocator.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -27,7 +27,6 @@
</span><span class="cx"> #define MarkedAllocator_h
</span><span class="cx"> 
</span><span class="cx"> #include &quot;AllocatorAttributes.h&quot;
</span><del>-#include &quot;FreeList.h&quot;
</del><span class="cx"> #include &quot;MarkedBlock.h&quot;
</span><span class="cx"> #include &lt;wtf/DoublyLinkedList.h&gt;
</span><span class="cx"> 
</span><span class="lines">@@ -41,10 +40,9 @@
</span><span class="cx">     friend class LLIntOffsetsExtractor;
</span><span class="cx"> 
</span><span class="cx"> public:
</span><del>-    static ptrdiff_t offsetOfFreeList();
-    static ptrdiff_t offsetOfCellSize();
</del><ins>+    static ptrdiff_t offsetOfFreeListHead();
</ins><span class="cx"> 
</span><del>-    MarkedAllocator(Heap*, MarkedSpace*, size_t cellSize, const AllocatorAttributes&amp;);
</del><ins>+    MarkedAllocator();
</ins><span class="cx">     void lastChanceToFinalize();
</span><span class="cx">     void reset();
</span><span class="cx">     void stopAllocating();
</span><span class="lines">@@ -55,7 +53,6 @@
</span><span class="cx">     DestructionMode destruction() const { return m_attributes.destruction; }
</span><span class="cx">     HeapCell::Kind cellKind() const { return m_attributes.cellKind; }
</span><span class="cx">     void* allocate(size_t);
</span><del>-    void* tryAllocate(size_t);
</del><span class="cx">     Heap* heap() { return m_heap; }
</span><span class="cx">     MarkedBlock* takeLastActiveBlock()
</span><span class="cx">     {
</span><span class="lines">@@ -68,78 +65,69 @@
</span><span class="cx">     
</span><span class="cx">     void addBlock(MarkedBlock*);
</span><span class="cx">     void removeBlock(MarkedBlock*);
</span><ins>+    void init(Heap*, MarkedSpace*, size_t cellSize, const AllocatorAttributes&amp;);
</ins><span class="cx"> 
</span><span class="cx">     bool isPagedOut(double deadline);
</span><del>-    
-    static size_t blockSizeForBytes(size_t);
</del><span class="cx">    
</span><span class="cx"> private:
</span><span class="cx">     JS_EXPORT_PRIVATE void* allocateSlowCase(size_t);
</span><del>-    JS_EXPORT_PRIVATE void* tryAllocateSlowCase(size_t);
-    void* allocateSlowCaseImpl(size_t, bool crashOnFailure);
-    void* tryAllocateWithoutCollecting(size_t);
-    void* tryAllocateWithoutCollectingImpl(size_t);
-    MarkedBlock* tryAllocateBlock();
</del><ins>+    void* tryAllocate(size_t);
+    void* tryAllocateHelper(size_t);
+    void* tryPopFreeList(size_t);
+    MarkedBlock* allocateBlock(size_t);
</ins><span class="cx">     ALWAYS_INLINE void doTestCollectionsIfNeeded();
</span><del>-    void retire(MarkedBlock*, FreeList&amp;);
</del><ins>+    void retire(MarkedBlock*, MarkedBlock::FreeList&amp;);
</ins><span class="cx">     
</span><del>-    void setFreeList(const FreeList&amp;);
-    
-    FreeList m_freeList;
</del><ins>+    MarkedBlock::FreeList m_freeList;
</ins><span class="cx">     MarkedBlock* m_currentBlock;
</span><span class="cx">     MarkedBlock* m_lastActiveBlock;
</span><span class="cx">     MarkedBlock* m_nextBlockToSweep;
</span><span class="cx">     DoublyLinkedList&lt;MarkedBlock&gt; m_blockList;
</span><span class="cx">     DoublyLinkedList&lt;MarkedBlock&gt; m_retiredBlocks;
</span><del>-    unsigned m_cellSize;
</del><ins>+    size_t m_cellSize;
</ins><span class="cx">     AllocatorAttributes m_attributes;
</span><span class="cx">     Heap* m_heap;
</span><span class="cx">     MarkedSpace* m_markedSpace;
</span><span class="cx"> };
</span><span class="cx"> 
</span><del>-inline ptrdiff_t MarkedAllocator::offsetOfFreeList()
</del><ins>+inline ptrdiff_t MarkedAllocator::offsetOfFreeListHead()
</ins><span class="cx"> {
</span><del>-    return OBJECT_OFFSETOF(MarkedAllocator, m_freeList);
</del><ins>+    return OBJECT_OFFSETOF(MarkedAllocator, m_freeList) + OBJECT_OFFSETOF(MarkedBlock::FreeList, head);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><del>-inline ptrdiff_t MarkedAllocator::offsetOfCellSize()
</del><ins>+inline MarkedAllocator::MarkedAllocator()
+    : m_currentBlock(0)
+    , m_lastActiveBlock(0)
+    , m_nextBlockToSweep(0)
+    , m_cellSize(0)
+    , m_heap(0)
+    , m_markedSpace(0)
</ins><span class="cx"> {
</span><del>-    return OBJECT_OFFSETOF(MarkedAllocator, m_cellSize);
</del><span class="cx"> }
</span><span class="cx"> 
</span><del>-ALWAYS_INLINE void* MarkedAllocator::tryAllocate(size_t bytes)
</del><ins>+inline void MarkedAllocator::init(Heap* heap, MarkedSpace* markedSpace, size_t cellSize, const AllocatorAttributes&amp; attributes)
</ins><span class="cx"> {
</span><del>-    unsigned remaining = m_freeList.remaining;
-    if (remaining) {
-        unsigned cellSize = m_cellSize;
-        remaining -= cellSize;
-        m_freeList.remaining = remaining;
-        return m_freeList.payloadEnd - remaining - cellSize;
-    }
-    
-    FreeCell* head = m_freeList.head;
-    if (UNLIKELY(!head))
-        return tryAllocateSlowCase(bytes);
-    
-    m_freeList.head = head-&gt;next;
-    return head;
</del><ins>+    m_heap = heap;
+    m_markedSpace = markedSpace;
+    m_cellSize = cellSize;
+    m_attributes = attributes;
</ins><span class="cx"> }
</span><span class="cx"> 
</span><del>-ALWAYS_INLINE void* MarkedAllocator::allocate(size_t bytes)
</del><ins>+inline void* MarkedAllocator::allocate(size_t bytes)
</ins><span class="cx"> {
</span><del>-    unsigned remaining = m_freeList.remaining;
-    if (remaining) {
-        unsigned cellSize = m_cellSize;
-        remaining -= cellSize;
-        m_freeList.remaining = remaining;
-        return m_freeList.payloadEnd - remaining - cellSize;
</del><ins>+    MarkedBlock::FreeCell* head = m_freeList.head;
+    if (UNLIKELY(!head)) {
+        void* result = allocateSlowCase(bytes);
+#ifndef NDEBUG
+        memset(result, 0xCD, bytes);
+#endif
+        return result;
</ins><span class="cx">     }
</span><span class="cx">     
</span><del>-    FreeCell* head = m_freeList.head;
-    if (UNLIKELY(!head))
-        return allocateSlowCase(bytes);
-    
</del><span class="cx">     m_freeList.head = head-&gt;next;
</span><ins>+#ifndef NDEBUG
+    memset(head, 0xCD, bytes);
+#endif
</ins><span class="cx">     return head;
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="lines">@@ -147,7 +135,7 @@
</span><span class="cx"> {
</span><span class="cx">     ASSERT(!m_lastActiveBlock);
</span><span class="cx">     if (!m_currentBlock) {
</span><del>-        ASSERT(!m_freeList);
</del><ins>+        ASSERT(!m_freeList.head);
</ins><span class="cx">         return;
</span><span class="cx">     }
</span><span class="cx">     
</span><span class="lines">@@ -154,7 +142,7 @@
</span><span class="cx">     m_currentBlock-&gt;stopAllocating(m_freeList);
</span><span class="cx">     m_lastActiveBlock = m_currentBlock;
</span><span class="cx">     m_currentBlock = 0;
</span><del>-    m_freeList = FreeList();
</del><ins>+    m_freeList = MarkedBlock::FreeList();
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> inline void MarkedAllocator::resumeAllocating()
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapMarkedBlockcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/heap/MarkedBlock.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/MarkedBlock.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/heap/MarkedBlock.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -29,7 +29,6 @@
</span><span class="cx"> #include &quot;JSCell.h&quot;
</span><span class="cx"> #include &quot;JSDestructibleObject.h&quot;
</span><span class="cx"> #include &quot;JSCInlines.h&quot;
</span><del>-#include &quot;SuperSampler.h&quot;
</del><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span><span class="lines">@@ -36,7 +35,7 @@
</span><span class="cx"> static const bool computeBalance = false;
</span><span class="cx"> static size_t balance;
</span><span class="cx"> 
</span><del>-MarkedBlock* MarkedBlock::tryCreate(Heap&amp; heap, MarkedAllocator* allocator, size_t capacity, size_t cellSize, const AllocatorAttributes&amp; attributes)
</del><ins>+MarkedBlock* MarkedBlock::create(Heap&amp; heap, MarkedAllocator* allocator, size_t capacity, size_t cellSize, const AllocatorAttributes&amp; attributes)
</ins><span class="cx"> {
</span><span class="cx">     if (computeBalance) {
</span><span class="cx">         balance++;
</span><span class="lines">@@ -43,12 +42,7 @@
</span><span class="cx">         if (!(balance % 10))
</span><span class="cx">             dataLog(&quot;MarkedBlock Balance: &quot;, balance, &quot;\n&quot;);
</span><span class="cx">     }
</span><del>-    void* blockSpace = tryFastAlignedMalloc(blockSize, capacity);
-    if (!blockSpace)
-        return nullptr;
-    if (scribbleFreeCells())
-        scribble(blockSpace, capacity);
-    MarkedBlock* block = new (NotNull, blockSpace) MarkedBlock(allocator, capacity, cellSize, attributes);
</del><ins>+    MarkedBlock* block = new (NotNull, fastAlignedMalloc(blockSize, capacity)) MarkedBlock(allocator, capacity, cellSize, attributes);
</ins><span class="cx">     heap.didAllocateBlock(capacity);
</span><span class="cx">     return block;
</span><span class="cx"> }
</span><span class="lines">@@ -69,11 +63,11 @@
</span><span class="cx"> MarkedBlock::MarkedBlock(MarkedAllocator* allocator, size_t capacity, size_t cellSize, const AllocatorAttributes&amp; attributes)
</span><span class="cx">     : DoublyLinkedListNode&lt;MarkedBlock&gt;()
</span><span class="cx">     , m_atomsPerCell((cellSize + atomSize - 1) / atomSize)
</span><del>-    , m_endAtom(atomsPerBlock - m_atomsPerCell + 1)
</del><ins>+    , m_endAtom((allocator-&gt;cellSize() ? atomsPerBlock - m_atomsPerCell : firstAtom()) + 1)
</ins><span class="cx">     , m_capacity(capacity)
</span><span class="cx">     , m_attributes(attributes)
</span><ins>+    , m_allocator(allocator)
</ins><span class="cx">     , m_state(New) // All cells start out unmarked.
</span><del>-    , m_allocator(allocator)
</del><span class="cx">     , m_weakSet(allocator-&gt;heap()-&gt;vm(), *this)
</span><span class="cx"> {
</span><span class="cx">     ASSERT(allocator);
</span><span class="lines">@@ -82,33 +76,28 @@
</span><span class="cx">         RELEASE_ASSERT(m_attributes.destruction == DoesNotNeedDestruction);
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-template&lt;MarkedBlock::BlockState blockState, MarkedBlock::SweepMode sweepMode, DestructionMode destructionMode, MarkedBlock::ScribbleMode scribbleMode, MarkedBlock::NewlyAllocatedMode newlyAllocatedMode&gt;
-FreeList MarkedBlock::specializedSweep()
</del><ins>+inline void MarkedBlock::callDestructor(HeapCell* cell)
</ins><span class="cx"> {
</span><del>-    SuperSamplerScope superSamplerScope(false);
-    ASSERT(blockState == New || blockState == Marked);
-    ASSERT(!(destructionMode == DoesNotNeedDestruction &amp;&amp; sweepMode == SweepOnly));
</del><ins>+    // A previous eager sweep may already have run cell's destructor.
+    if (cell-&gt;isZapped())
+        return;
</ins><span class="cx">     
</span><del>-    bool isNewBlock = blockState == New;
-    bool isEmptyBlock = !m_hasAnyMarked
-        &amp;&amp; newlyAllocatedMode == DoesNotHaveNewlyAllocated
-        &amp;&amp; destructionMode == DoesNotNeedDestruction;
-    if (Options::useBumpAllocator() &amp;&amp; (isNewBlock || isEmptyBlock)) {
-        ASSERT(m_marks.isEmpty());
-        
-        char* startOfLastCell = static_cast&lt;char*&gt;(cellAlign(atoms() + m_endAtom - 1));
-        char* payloadEnd = startOfLastCell + cellSize();
-        RELEASE_ASSERT(payloadEnd - MarkedBlock::blockSize &lt;= bitwise_cast&lt;char*&gt;(this));
-        char* payloadBegin = bitwise_cast&lt;char*&gt;(atoms() + firstAtom());
-        if (scribbleMode == Scribble)
-            scribble(payloadBegin, payloadEnd - payloadBegin);
-        m_state = ((sweepMode == SweepToFreeList) ? FreeListed : Marked);
-        FreeList result = FreeList::bump(payloadEnd, payloadEnd - payloadBegin);
-        if (false)
-            dataLog(&quot;Quickly swept block &quot;, RawPointer(this), &quot; with cell size &quot;, cellSize(), &quot; and attributes &quot;, m_attributes, &quot;: &quot;, result, &quot;\n&quot;);
-        return result;
-    }
</del><ins>+    JSCell* jsCell = static_cast&lt;JSCell*&gt;(cell);
</ins><span class="cx"> 
</span><ins>+    ASSERT(jsCell-&gt;structureID());
+    if (jsCell-&gt;inlineTypeFlags() &amp; StructureIsImmortal)
+        jsCell-&gt;structure(*vm())-&gt;classInfo()-&gt;methodTable.destroy(jsCell);
+    else
+        jsCast&lt;JSDestructibleObject*&gt;(jsCell)-&gt;classInfo()-&gt;methodTable.destroy(jsCell);
+    cell-&gt;zap();
+}
+
+template&lt;MarkedBlock::BlockState blockState, MarkedBlock::SweepMode sweepMode, bool callDestructors&gt;
+MarkedBlock::FreeList MarkedBlock::specializedSweep()
+{
+    ASSERT(blockState != Allocated &amp;&amp; blockState != FreeListed);
+    ASSERT(!(!callDestructors &amp;&amp; sweepMode == SweepOnly));
+
</ins><span class="cx">     // This produces a free list that is ordered in reverse through the block.
</span><span class="cx">     // This is fine, since the allocation code makes no assumptions about the
</span><span class="cx">     // order of the free list.
</span><span class="lines">@@ -115,20 +104,16 @@
</span><span class="cx">     FreeCell* head = 0;
</span><span class="cx">     size_t count = 0;
</span><span class="cx">     for (size_t i = firstAtom(); i &lt; m_endAtom; i += m_atomsPerCell) {
</span><del>-        if (blockState == Marked
-            &amp;&amp; (m_marks.get(i)
-                || (newlyAllocatedMode == HasNewlyAllocated &amp;&amp; m_newlyAllocated-&gt;get(i))))
</del><ins>+        if (blockState == Marked &amp;&amp; (m_marks.get(i) || (m_newlyAllocated &amp;&amp; m_newlyAllocated-&gt;get(i))))
</ins><span class="cx">             continue;
</span><span class="cx"> 
</span><span class="cx">         HeapCell* cell = reinterpret_cast_ptr&lt;HeapCell*&gt;(&amp;atoms()[i]);
</span><span class="cx"> 
</span><del>-        if (destructionMode == NeedsDestruction &amp;&amp; blockState != New)
-            static_cast&lt;JSCell*&gt;(cell)-&gt;callDestructor(*vm());
</del><ins>+        if (callDestructors &amp;&amp; blockState != New)
+            callDestructor(cell);
</ins><span class="cx"> 
</span><span class="cx">         if (sweepMode == SweepToFreeList) {
</span><span class="cx">             FreeCell* freeCell = reinterpret_cast&lt;FreeCell*&gt;(cell);
</span><del>-            if (scribbleMode == Scribble)
-                scribble(freeCell, cellSize());
</del><span class="cx">             freeCell-&gt;next = head;
</span><span class="cx">             head = freeCell;
</span><span class="cx">             ++count;
</span><span class="lines">@@ -137,17 +122,14 @@
</span><span class="cx"> 
</span><span class="cx">     // We only want to discard the newlyAllocated bits if we're creating a FreeList,
</span><span class="cx">     // otherwise we would lose information on what's currently alive.
</span><del>-    if (sweepMode == SweepToFreeList &amp;&amp; newlyAllocatedMode == HasNewlyAllocated)
</del><ins>+    if (sweepMode == SweepToFreeList &amp;&amp; m_newlyAllocated)
</ins><span class="cx">         m_newlyAllocated = nullptr;
</span><span class="cx"> 
</span><span class="cx">     m_state = ((sweepMode == SweepToFreeList) ? FreeListed : Marked);
</span><del>-    FreeList result = FreeList::list(head, count * cellSize());
-    if (false)
-        dataLog(&quot;Slowly swept block &quot;, RawPointer(this), &quot; with cell size &quot;, cellSize(), &quot; and attributes &quot;, m_attributes, &quot;: &quot;, result, &quot;\n&quot;);
-    return result;
</del><ins>+    return FreeList(head, count * cellSize());
</ins><span class="cx"> }
</span><span class="cx"> 
</span><del>-FreeList MarkedBlock::sweep(SweepMode sweepMode)
</del><ins>+MarkedBlock::FreeList MarkedBlock::sweep(SweepMode sweepMode)
</ins><span class="cx"> {
</span><span class="cx">     HEAP_LOG_BLOCK_STATE_TRANSITION(this);
</span><span class="cx"> 
</span><span class="lines">@@ -157,25 +139,17 @@
</span><span class="cx">         return FreeList();
</span><span class="cx"> 
</span><span class="cx">     if (m_attributes.destruction == NeedsDestruction)
</span><del>-        return sweepHelperSelectScribbleMode&lt;NeedsDestruction&gt;(sweepMode);
-    return sweepHelperSelectScribbleMode&lt;DoesNotNeedDestruction&gt;(sweepMode);
</del><ins>+        return sweepHelper&lt;true&gt;(sweepMode);
+    return sweepHelper&lt;false&gt;(sweepMode);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><del>-template&lt;DestructionMode destructionMode&gt;
-FreeList MarkedBlock::sweepHelperSelectScribbleMode(SweepMode sweepMode)
</del><ins>+template&lt;bool callDestructors&gt;
+MarkedBlock::FreeList MarkedBlock::sweepHelper(SweepMode sweepMode)
</ins><span class="cx"> {
</span><del>-    if (scribbleFreeCells())
-        return sweepHelperSelectStateAndSweepMode&lt;destructionMode, Scribble&gt;(sweepMode);
-    return sweepHelperSelectStateAndSweepMode&lt;destructionMode, DontScribble&gt;(sweepMode);
-}
-
-template&lt;DestructionMode destructionMode, MarkedBlock::ScribbleMode scribbleMode&gt;
-FreeList MarkedBlock::sweepHelperSelectStateAndSweepMode(SweepMode sweepMode)
-{
</del><span class="cx">     switch (m_state) {
</span><span class="cx">     case New:
</span><span class="cx">         ASSERT(sweepMode == SweepToFreeList);
</span><del>-        return specializedSweep&lt;New, SweepToFreeList, destructionMode, scribbleMode, DoesNotHaveNewlyAllocated&gt;();
</del><ins>+        return specializedSweep&lt;New, SweepToFreeList, callDestructors&gt;();
</ins><span class="cx">     case FreeListed:
</span><span class="cx">         // Happens when a block transitions to fully allocated.
</span><span class="cx">         ASSERT(sweepMode == SweepToFreeList);
</span><span class="lines">@@ -185,15 +159,9 @@
</span><span class="cx">         RELEASE_ASSERT_NOT_REACHED();
</span><span class="cx">         return FreeList();
</span><span class="cx">     case Marked:
</span><del>-        if (m_newlyAllocated) {
-            return sweepMode == SweepToFreeList
-                ? specializedSweep&lt;Marked, SweepToFreeList, destructionMode, scribbleMode, HasNewlyAllocated&gt;()
-                : specializedSweep&lt;Marked, SweepOnly, destructionMode, scribbleMode, HasNewlyAllocated&gt;();
-        } else {
-            return sweepMode == SweepToFreeList
-                ? specializedSweep&lt;Marked, SweepToFreeList, destructionMode, scribbleMode, DoesNotHaveNewlyAllocated&gt;()
-                : specializedSweep&lt;Marked, SweepOnly, destructionMode, scribbleMode, DoesNotHaveNewlyAllocated&gt;();
-        }
</del><ins>+        return sweepMode == SweepToFreeList
+            ? specializedSweep&lt;Marked, SweepToFreeList, callDestructors&gt;()
+            : specializedSweep&lt;Marked, SweepOnly, callDestructors&gt;();
</ins><span class="cx">     }
</span><span class="cx">     RELEASE_ASSERT_NOT_REACHED();
</span><span class="cx">     return FreeList();
</span><span class="lines">@@ -220,6 +188,7 @@
</span><span class="cx"> void MarkedBlock::stopAllocating(const FreeList&amp; freeList)
</span><span class="cx"> {
</span><span class="cx">     HEAP_LOG_BLOCK_STATE_TRANSITION(this);
</span><ins>+    FreeCell* head = freeList.head;
</ins><span class="cx"> 
</span><span class="cx">     if (m_state == Marked) {
</span><span class="cx">         // If the block is in the Marked state then we know that:
</span><span class="lines">@@ -227,10 +196,11 @@
</span><span class="cx">         // 2) It may have dead objects, and we only know them to be dead by the
</span><span class="cx">         //    fact that their mark bits are unset.
</span><span class="cx">         // Hence if the block is Marked we need to leave it Marked.
</span><del>-        ASSERT(freeList.allocationWillFail());
</del><ins>+        
+        ASSERT(!head);
</ins><span class="cx">         return;
</span><span class="cx">     }
</span><del>-    
</del><ins>+   
</ins><span class="cx">     ASSERT(m_state == FreeListed);
</span><span class="cx">     
</span><span class="cx">     // Roll back to a coherent state for Heap introspection. Cells newly
</span><span class="lines">@@ -243,13 +213,13 @@
</span><span class="cx">     SetNewlyAllocatedFunctor functor(this);
</span><span class="cx">     forEachCell(functor);
</span><span class="cx"> 
</span><del>-    forEachFreeCell(
-        freeList,
-        [&amp;] (HeapCell* cell) {
-            if (m_attributes.destruction == NeedsDestruction)
-                cell-&gt;zap();
-            clearNewlyAllocated(cell);
-        });
</del><ins>+    FreeCell* next;
+    for (FreeCell* current = head; current; current = next) {
+        next = current-&gt;next;
+        if (m_attributes.destruction == NeedsDestruction)
+            reinterpret_cast&lt;HeapCell*&gt;(current)-&gt;zap();
+        clearNewlyAllocated(current);
+    }
</ins><span class="cx">     
</span><span class="cx">     m_state = Marked;
</span><span class="cx"> }
</span><span class="lines">@@ -271,7 +241,6 @@
</span><span class="cx">     ASSERT(m_state != New &amp;&amp; m_state != FreeListed);
</span><span class="cx">     if (collectionType == FullCollection) {
</span><span class="cx">         m_marks.clearAll();
</span><del>-        clearHasAnyMarked();
</del><span class="cx">         // This will become true at the end of the mark phase. We set it now to
</span><span class="cx">         // avoid an extra pass to do so later.
</span><span class="cx">         m_state = Marked;
</span><span class="lines">@@ -293,7 +262,7 @@
</span><span class="cx">     sweep();
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-FreeList MarkedBlock::resumeAllocating()
</del><ins>+MarkedBlock::FreeList MarkedBlock::resumeAllocating()
</ins><span class="cx"> {
</span><span class="cx">     HEAP_LOG_BLOCK_STATE_TRANSITION(this);
</span><span class="cx"> 
</span><span class="lines">@@ -312,6 +281,7 @@
</span><span class="cx"> void MarkedBlock::didRetireBlock(const FreeList&amp; freeList)
</span><span class="cx"> {
</span><span class="cx">     HEAP_LOG_BLOCK_STATE_TRANSITION(this);
</span><ins>+    FreeCell* head = freeList.head;
</ins><span class="cx"> 
</span><span class="cx">     // Currently we don't notify the Heap that we're giving up on this block. 
</span><span class="cx">     // The Heap might be able to make a better decision about how many bytes should 
</span><span class="lines">@@ -321,30 +291,15 @@
</span><span class="cx"> 
</span><span class="cx">     // We need to zap the free list when retiring a block so that we don't try to destroy 
</span><span class="cx">     // previously destroyed objects when we re-sweep the block in the future.
</span><del>-    forEachFreeCell(
-        freeList,
-        [&amp;] (HeapCell* cell) {
-            if (m_attributes.destruction == NeedsDestruction)
-                cell-&gt;zap();
-        });
</del><ins>+    FreeCell* next;
+    for (FreeCell* current = head; current; current = next) {
+        next = current-&gt;next;
+        if (m_attributes.destruction == NeedsDestruction)
+            reinterpret_cast&lt;HeapCell*&gt;(current)-&gt;zap();
+    }
</ins><span class="cx"> 
</span><span class="cx">     ASSERT(m_state == FreeListed);
</span><span class="cx">     m_state = Retired;
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-template&lt;typename Func&gt;
-void MarkedBlock::forEachFreeCell(const FreeList&amp; freeList, const Func&amp; func)
-{
-    if (freeList.remaining) {
-        for (unsigned remaining = freeList.remaining; remaining; remaining -= cellSize())
-            func(bitwise_cast&lt;HeapCell*&gt;(freeList.payloadEnd - remaining));
-    } else {
-        for (FreeCell* current = freeList.head; current;) {
-            FreeCell* next = current-&gt;next;
-            func(bitwise_cast&lt;HeapCell*&gt;(current));
-            current = next;
-        }
-    }
-}
-
</del><span class="cx"> } // namespace JSC
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapMarkedBlockh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/heap/MarkedBlock.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/MarkedBlock.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/heap/MarkedBlock.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -24,7 +24,6 @@
</span><span class="cx"> 
</span><span class="cx"> #include &quot;AllocatorAttributes.h&quot;
</span><span class="cx"> #include &quot;DestructionMode.h&quot;
</span><del>-#include &quot;FreeList.h&quot;
</del><span class="cx"> #include &quot;HeapCell.h&quot;
</span><span class="cx"> #include &quot;HeapOperation.h&quot;
</span><span class="cx"> #include &quot;IterationStatus.h&quot;
</span><span class="lines">@@ -71,7 +70,7 @@
</span><span class="cx">         friend struct VerifyMarkedOrRetired;
</span><span class="cx">     public:
</span><span class="cx">         static const size_t atomSize = 16; // bytes
</span><del>-        static const size_t blockSize = 64 * KB;
</del><ins>+        static const size_t blockSize = 16 * KB;
</ins><span class="cx">         static const size_t blockMask = ~(blockSize - 1); // blockSize must be a power of two.
</span><span class="cx"> 
</span><span class="cx">         static const size_t atomsPerBlock = blockSize / atomSize;
</span><span class="lines">@@ -79,6 +78,18 @@
</span><span class="cx">         static_assert(!(MarkedBlock::atomSize &amp; (MarkedBlock::atomSize - 1)), &quot;MarkedBlock::atomSize must be a power of two.&quot;);
</span><span class="cx">         static_assert(!(MarkedBlock::blockSize &amp; (MarkedBlock::blockSize - 1)), &quot;MarkedBlock::blockSize must be a power of two.&quot;);
</span><span class="cx"> 
</span><ins>+        struct FreeCell {
+            FreeCell* next;
+        };
+        
+        struct FreeList {
+            FreeCell* head;
+            size_t bytes;
+
+            FreeList();
+            FreeList(FreeCell*, size_t);
+        };
+
</ins><span class="cx">         struct VoidFunctor {
</span><span class="cx">             typedef void ReturnType;
</span><span class="cx">             void returnValue() { }
</span><span class="lines">@@ -98,14 +109,12 @@
</span><span class="cx">             mutable ReturnType m_count;
</span><span class="cx">         };
</span><span class="cx"> 
</span><del>-        static MarkedBlock* tryCreate(Heap&amp;, MarkedAllocator*, size_t capacity, size_t cellSize, const AllocatorAttributes&amp;);
</del><ins>+        static MarkedBlock* create(Heap&amp;, MarkedAllocator*, size_t capacity, size_t cellSize, const AllocatorAttributes&amp;);
</ins><span class="cx">         static void destroy(Heap&amp;, MarkedBlock*);
</span><span class="cx"> 
</span><span class="cx">         static bool isAtomAligned(const void*);
</span><del>-        void* cellAlign(void*);
</del><span class="cx">         static MarkedBlock* blockFor(const void*);
</span><span class="cx">         static size_t firstAtom();
</span><del>-        size_t atomNumber(const void*);
</del><span class="cx">         
</span><span class="cx">         void lastChanceToFinalize();
</span><span class="cx"> 
</span><span class="lines">@@ -166,15 +175,6 @@
</span><span class="cx">         bool needsSweeping() const;
</span><span class="cx">         void didRetireBlock(const FreeList&amp;);
</span><span class="cx">         void willRemoveBlock();
</span><del>-        
-        void setHasAnyMarked()
-        {
-            if (!m_hasAnyMarked) // Prevent store traffic if it's not needed.
-                m_hasAnyMarked = true;
-        }
-        bool hasAnyMarked() const { return m_hasAnyMarked; }
-        
-        void clearHasAnyMarked() { m_hasAnyMarked = false; }
</del><span class="cx"> 
</span><span class="cx">         template &lt;typename Functor&gt; IterationStatus forEachCell(const Functor&amp;);
</span><span class="cx">         template &lt;typename Functor&gt; IterationStatus forEachLiveCell(const Functor&amp;);
</span><span class="lines">@@ -183,29 +183,27 @@
</span><span class="cx">     private:
</span><span class="cx">         static const size_t atomAlignmentMask = atomSize - 1;
</span><span class="cx"> 
</span><del>-        enum BlockState : uint8_t { New, FreeListed, Allocated, Marked, Retired };
-        
-        template&lt;DestructionMode&gt;
-        FreeList sweepHelperSelectScribbleMode(SweepMode = SweepOnly);
-        
-        enum ScribbleMode { DontScribble, Scribble };
-        
-        template&lt;DestructionMode, ScribbleMode&gt;
-        FreeList sweepHelperSelectStateAndSweepMode(SweepMode = SweepOnly);
</del><ins>+        // During allocation, we look for available space in free lists in blocks.
+        // If a block's utilization is sufficiently high (i.e. it's almost full),
+        // we want to remove that block as a candidate for allocating to reduce
+        // the likelihood of allocation having to take a slow path. When the
+        // block is in this state, we say that it is &quot;Retired&quot;.
+        //
+        // A full GC can take a Retired blocks out of retirement. An eden GC
+        // will simply ignore Retired blocks (i.e. they will not be swept even
+        // if they no longer have live objects).
</ins><span class="cx"> 
</span><del>-        enum NewlyAllocatedMode { HasNewlyAllocated, DoesNotHaveNewlyAllocated };
-        
-        template&lt;BlockState, SweepMode, DestructionMode, ScribbleMode, NewlyAllocatedMode&gt;
-        FreeList specializedSweep();
-        
</del><ins>+        enum BlockState { New, FreeListed, Allocated, Marked, Retired };
+        template&lt;bool callDestructors&gt; FreeList sweepHelper(SweepMode = SweepOnly);
+
</ins><span class="cx">         typedef char Atom[atomSize];
</span><span class="cx"> 
</span><span class="cx">         MarkedBlock(MarkedAllocator*, size_t capacity, size_t cellSize, const AllocatorAttributes&amp;);
</span><span class="cx">         Atom* atoms();
</span><ins>+        size_t atomNumber(const void*);
+        void callDestructor(HeapCell*);
+        template&lt;BlockState, SweepMode, bool callDestructors&gt; FreeList specializedSweep();
</ins><span class="cx">         
</span><del>-        template&lt;typename Func&gt;
-        void forEachFreeCell(const FreeList&amp;, const Func&amp;);
-
</del><span class="cx">         MarkedBlock* m_prev;
</span><span class="cx">         MarkedBlock* m_next;
</span><span class="cx"> 
</span><span class="lines">@@ -216,18 +214,23 @@
</span><span class="cx"> 
</span><span class="cx">         size_t m_capacity;
</span><span class="cx">         AllocatorAttributes m_attributes;
</span><ins>+        MarkedAllocator* m_allocator;
</ins><span class="cx">         BlockState m_state;
</span><del>-        bool m_hasAnyMarked { false };
-        MarkedAllocator* m_allocator;
</del><span class="cx">         WeakSet m_weakSet;
</span><del>-        // FIXME: We &quot;need&quot; this to get 10% on Kraken/ai-astar. I'm pretty sure that's because we
-        // lose the butterfly allocation if the subsequent cell allocation fails, during NewArray
-        // and friends.
-        // https://bugs.webkit.org/show_bug.cgi?id=160783
-        uintptr_t m_padding1;
-        uintptr_t m_padding2;
</del><span class="cx">     };
</span><span class="cx"> 
</span><ins>+    inline MarkedBlock::FreeList::FreeList()
+        : head(0)
+        , bytes(0)
+    {
+    }
+
+    inline MarkedBlock::FreeList::FreeList(FreeCell* head, size_t bytes)
+        : head(head)
+        , bytes(bytes)
+    {
+    }
+
</ins><span class="cx">     inline size_t MarkedBlock::firstAtom()
</span><span class="cx">     {
</span><span class="cx">         return WTF::roundUpToMultipleOf&lt;atomSize&gt;(sizeof(MarkedBlock)) / atomSize;
</span><span class="lines">@@ -243,16 +246,6 @@
</span><span class="cx">         return !(reinterpret_cast&lt;Bits&gt;(p) &amp; atomAlignmentMask);
</span><span class="cx">     }
</span><span class="cx"> 
</span><del>-    inline void* MarkedBlock::cellAlign(void* p)
-    {
-        Bits base = reinterpret_cast&lt;Bits&gt;(atoms() + firstAtom());
-        Bits bits = reinterpret_cast&lt;Bits&gt;(p);
-        bits -= base;
-        bits -= bits % cellSize();
-        bits += base;
-        return reinterpret_cast&lt;void*&gt;(bits);
-    }
-
</del><span class="cx">     inline MarkedBlock* MarkedBlock::blockFor(const void* p)
</span><span class="cx">     {
</span><span class="cx">         return reinterpret_cast&lt;MarkedBlock*&gt;(reinterpret_cast&lt;Bits&gt;(p) &amp; blockMask);
</span><span class="lines">@@ -313,7 +306,7 @@
</span><span class="cx"> 
</span><span class="cx">     inline bool MarkedBlock::isEmpty()
</span><span class="cx">     {
</span><del>-        return m_state == Marked &amp;&amp; !m_hasAnyMarked &amp;&amp; m_weakSet.isEmpty() &amp;&amp; (!m_newlyAllocated || m_newlyAllocated-&gt;isEmpty());
</del><ins>+        return m_marks.isEmpty() &amp;&amp; m_weakSet.isEmpty() &amp;&amp; (!m_newlyAllocated || m_newlyAllocated-&gt;isEmpty());
</ins><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     inline size_t MarkedBlock::cellSize()
</span><span class="lines">@@ -501,7 +494,7 @@
</span><span class="cx">     {
</span><span class="cx">         return m_state == Marked || m_state == Retired;
</span><span class="cx">     }
</span><del>-        
</del><ins>+
</ins><span class="cx"> } // namespace JSC
</span><span class="cx"> 
</span><span class="cx"> namespace WTF {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapMarkedSpacecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/heap/MarkedSpace.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/MarkedSpace.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/heap/MarkedSpace.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -24,175 +24,17 @@
</span><span class="cx"> #include &quot;IncrementalSweeper.h&quot;
</span><span class="cx"> #include &quot;JSObject.h&quot;
</span><span class="cx"> #include &quot;JSCInlines.h&quot;
</span><del>-#include &quot;SuperSampler.h&quot;
-#include &lt;wtf/ListDump.h&gt;
</del><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span><del>-std::array&lt;size_t, MarkedSpace::numSizeClasses&gt; MarkedSpace::s_sizeClassForSizeStep;
-
-namespace {
-
-const Vector&lt;size_t&gt;&amp; sizeClasses()
-{
-    static Vector&lt;size_t&gt;* result;
-    static std::once_flag once;
-    std::call_once(
-        once,
-        [] {
-            result = new Vector&lt;size_t&gt;();
-            
-            auto add = [&amp;] (size_t sizeClass) {
-                if (Options::dumpSizeClasses())
-                    dataLog(&quot;Adding JSC MarkedSpace size class: &quot;, sizeClass, &quot;\n&quot;);
-                // Perform some validation as we go.
-                RELEASE_ASSERT(!(sizeClass % MarkedSpace::sizeStep));
-                if (result-&gt;isEmpty())
-                    RELEASE_ASSERT(sizeClass == MarkedSpace::sizeStep);
-                else
-                    RELEASE_ASSERT(sizeClass &gt; result-&gt;last());
-                result-&gt;append(sizeClass);
-            };
-            
-            // This is a definition of the size classes in our GC. It must define all of the
-            // size classes from sizeStep up to largeCutoff.
-    
-            // Have very precise size classes for the small stuff. This is a loop to make it easy to reduce
-            // atomSize.
-            for (size_t size = MarkedSpace::sizeStep; size &lt; MarkedSpace::preciseCutoff; size += MarkedSpace::sizeStep)
-                add(size);
-            
-            // We want to make sure that the remaining size classes minimize internal fragmentation (i.e.
-            // the wasted space at the tail end of a MarkedBlock) while proceeding roughly in an exponential
-            // way starting at just above the precise size classes to four cells per block.
-            
-            if (Options::dumpSizeClasses())
-                dataLog(&quot;    Marked block payload size: &quot;, static_cast&lt;size_t&gt;(MarkedSpace::blockPayload), &quot;\n&quot;);
-            
-            for (unsigned i = 0; ; ++i) {
-                double approximateSize = MarkedSpace::preciseCutoff * pow(Options::sizeClassProgression(), i);
-                
-                if (Options::dumpSizeClasses())
-                    dataLog(&quot;    Next size class as a double: &quot;, approximateSize, &quot;\n&quot;);
-        
-                size_t approximateSizeInBytes = static_cast&lt;size_t&gt;(approximateSize);
-        
-                if (Options::dumpSizeClasses())
-                    dataLog(&quot;    Next size class as bytes: &quot;, approximateSizeInBytes, &quot;\n&quot;);
-        
-                // Make sure that the computer did the math correctly.
-                RELEASE_ASSERT(approximateSizeInBytes &gt;= MarkedSpace::preciseCutoff);
-                
-                if (approximateSizeInBytes &gt; MarkedSpace::largeCutoff)
-                    break;
-                
-                size_t sizeClass =
-                    WTF::roundUpToMultipleOf&lt;MarkedSpace::sizeStep&gt;(approximateSizeInBytes);
-                
-                if (Options::dumpSizeClasses())
-                    dataLog(&quot;    Size class: &quot;, sizeClass, &quot;\n&quot;);
-                
-                // Optimize the size class so that there isn't any slop at the end of the block's
-                // payload.
-                unsigned cellsPerBlock = MarkedSpace::blockPayload / sizeClass;
-                size_t possiblyBetterSizeClass = (MarkedSpace::blockPayload / cellsPerBlock) &amp; ~(MarkedSpace::sizeStep - 1);
-                
-                if (Options::dumpSizeClasses())
-                    dataLog(&quot;    Possibly better size class: &quot;, possiblyBetterSizeClass, &quot;\n&quot;);
-
-                // The size class we just came up with is better than the other one if it reduces
-                // total wastage assuming we only allocate cells of that size.
-                size_t originalWastage = MarkedSpace::blockPayload - cellsPerBlock * sizeClass;
-                size_t newWastage = (possiblyBetterSizeClass - sizeClass) * cellsPerBlock;
-                
-                if (Options::dumpSizeClasses())
-                    dataLog(&quot;    Original wastage: &quot;, originalWastage, &quot;, new wastage: &quot;, newWastage, &quot;\n&quot;);
-                
-                size_t betterSizeClass;
-                if (newWastage &gt; originalWastage)
-                    betterSizeClass = sizeClass;
-                else
-                    betterSizeClass = possiblyBetterSizeClass;
-                
-                if (Options::dumpSizeClasses())
-                    dataLog(&quot;    Choosing size class: &quot;, betterSizeClass, &quot;\n&quot;);
-                
-                if (betterSizeClass == result-&gt;last()) {
-                    // Defense for when expStep is small.
-                    continue;
-                }
-                
-                // This is usually how we get out of the loop.
-                if (betterSizeClass &gt; MarkedSpace::largeCutoff
-                    || betterSizeClass &gt; Options::largeAllocationCutoff())
-                    break;
-                
-                add(betterSizeClass);
-            }
-            
-            if (Options::dumpSizeClasses())
-                dataLog(&quot;JSC Heap MarkedSpace size class dump: &quot;, listDump(*result), &quot;\n&quot;);
-
-            // We have an optimiation in MarkedSpace::optimalSizeFor() that assumes things about
-            // the size class table. This checks our results against that function's assumptions.
-            for (size_t size = MarkedSpace::sizeStep, i = 0; size &lt;= MarkedSpace::preciseCutoff; size += MarkedSpace::sizeStep, i++)
-                RELEASE_ASSERT(result-&gt;at(i) == size);
-        });
-    return *result;
-}
-
-template&lt;typename TableType, typename SizeClassCons, typename DefaultCons&gt;
-void buildSizeClassTable(TableType&amp; table, const SizeClassCons&amp; cons, const DefaultCons&amp; defaultCons)
-{
-    size_t nextIndex = 0;
-    for (size_t sizeClass : sizeClasses()) {
-        auto entry = cons(sizeClass);
-        size_t index = MarkedSpace::sizeClassToIndex(sizeClass);
-        for (size_t i = nextIndex; i &lt;= index; ++i)
-            table[i] = entry;
-        nextIndex = index + 1;
-    }
-    for (size_t i = nextIndex; i &lt; MarkedSpace::numSizeClasses; ++i)
-        table[i] = defaultCons(MarkedSpace::indexToSizeClass(i));
-}
-
-} // anonymous namespace
-
-void MarkedSpace::initializeSizeClassForStepSize()
-{
-    // We call this multiple times and we may call it simultaneously from multiple threads. That's
-    // OK, since it always stores the same values into the table.
-    
-    buildSizeClassTable(
-        s_sizeClassForSizeStep,
-        [&amp;] (size_t sizeClass) -&gt; size_t {
-            return sizeClass;
-        },
-        [&amp;] (size_t sizeClass) -&gt; size_t {
-            return sizeClass;
-        });
-}
-
</del><span class="cx"> MarkedSpace::MarkedSpace(Heap* heap)
</span><span class="cx">     : m_heap(heap)
</span><span class="cx">     , m_capacity(0)
</span><span class="cx">     , m_isIterating(false)
</span><span class="cx"> {
</span><del>-    initializeSizeClassForStepSize();
-    
-    forEachSubspace(
-        [&amp;] (Subspace&amp; subspace, AllocatorAttributes attributes) -&gt; IterationStatus {
-            subspace.attributes = attributes;
-            
-            buildSizeClassTable(
-                subspace.allocatorForSizeStep,
-                [&amp;] (size_t sizeClass) -&gt; MarkedAllocator* {
-                    return subspace.bagOfAllocators.add(heap, this, sizeClass, attributes);
-                },
-                [&amp;] (size_t) -&gt; MarkedAllocator* {
-                    return nullptr;
-                });
-            
</del><ins>+    forEachAllocator(
+        [&amp;] (MarkedAllocator&amp; allocator, size_t cellSize, AllocatorAttributes attributes) -&gt; IterationStatus {
+            allocator.init(heap, this, cellSize, attributes);
</ins><span class="cx">             return IterationStatus::Continue;
</span><span class="cx">         });
</span><span class="cx"> }
</span><span class="lines">@@ -210,53 +52,14 @@
</span><span class="cx"> {
</span><span class="cx">     stopAllocating();
</span><span class="cx">     forEachAllocator(
</span><del>-        [&amp;] (MarkedAllocator&amp; allocator) -&gt; IterationStatus {
</del><ins>+        [&amp;] (MarkedAllocator&amp; allocator, size_t, AllocatorAttributes) -&gt; IterationStatus {
</ins><span class="cx">             allocator.lastChanceToFinalize();
</span><span class="cx">             return IterationStatus::Continue;
</span><span class="cx">         });
</span><del>-    for (LargeAllocation* allocation : m_largeAllocations)
-        allocation-&gt;lastChanceToFinalize();
</del><span class="cx"> }
</span><span class="cx"> 
</span><del>-void* MarkedSpace::allocate(Subspace&amp; subspace, size_t bytes)
-{
-    if (MarkedAllocator* allocator = allocatorFor(subspace, bytes))
-        return allocator-&gt;allocate(bytes);
-    return allocateLarge(subspace, bytes);
-}
-
-void* MarkedSpace::tryAllocate(Subspace&amp; subspace, size_t bytes)
-{
-    if (MarkedAllocator* allocator = allocatorFor(subspace, bytes))
-        return allocator-&gt;tryAllocate(bytes);
-    return tryAllocateLarge(subspace, bytes);
-}
-
-void* MarkedSpace::allocateLarge(Subspace&amp; subspace, size_t size)
-{
-    void* result = tryAllocateLarge(subspace, size);
-    RELEASE_ASSERT(result);
-    return result;
-}
-
-void* MarkedSpace::tryAllocateLarge(Subspace&amp; subspace, size_t size)
-{
-    m_heap-&gt;collectIfNecessaryOrDefer();
-    
-    size = WTF::roundUpToMultipleOf&lt;sizeStep&gt;(size);
-    LargeAllocation* allocation = LargeAllocation::tryCreate(*m_heap, size, subspace.attributes);
-    if (!allocation)
-        return nullptr;
-    
-    m_largeAllocations.append(allocation);
-    m_heap-&gt;didAllocate(size);
-    m_capacity += size;
-    return allocation-&gt;cell();
-}
-
</del><span class="cx"> void MarkedSpace::sweep()
</span><span class="cx"> {
</span><del>-    sweepLargeAllocations();
</del><span class="cx">     m_heap-&gt;sweeper()-&gt;willFinishSweeping();
</span><span class="cx">     forEachBlock(
</span><span class="cx">         [&amp;] (MarkedBlock* block) {
</span><span class="lines">@@ -264,30 +67,10 @@
</span><span class="cx">         });
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-void MarkedSpace::sweepLargeAllocations()
-{
-    RELEASE_ASSERT(m_largeAllocationsNurseryOffset == m_largeAllocations.size());
-    unsigned srcIndex = m_largeAllocationsNurseryOffsetForSweep;
-    unsigned dstIndex = srcIndex;
-    while (srcIndex &lt; m_largeAllocations.size()) {
-        LargeAllocation* allocation = m_largeAllocations[srcIndex++];
-        allocation-&gt;sweep();
-        if (allocation-&gt;isEmpty()) {
-            m_capacity -= allocation-&gt;cellSize();
-            allocation-&gt;destroy();
-            continue;
-        }
-        m_largeAllocations[dstIndex++] = allocation;
-    }
-    m_largeAllocations.resize(dstIndex);
-    m_largeAllocationsNurseryOffset = m_largeAllocations.size();
-}
-
</del><span class="cx"> void MarkedSpace::zombifySweep()
</span><span class="cx"> {
</span><span class="cx">     if (Options::logGC())
</span><span class="cx">         dataLog(&quot;Zombifying sweep...&quot;);
</span><del>-    sweepLargeAllocations();
</del><span class="cx">     m_heap-&gt;sweeper()-&gt;willFinishSweeping();
</span><span class="cx">     forEachBlock(
</span><span class="cx">         [&amp;] (MarkedBlock* block) {
</span><span class="lines">@@ -299,17 +82,12 @@
</span><span class="cx"> void MarkedSpace::resetAllocators()
</span><span class="cx"> {
</span><span class="cx">     forEachAllocator(
</span><del>-        [&amp;] (MarkedAllocator&amp; allocator) -&gt; IterationStatus {
</del><ins>+        [&amp;] (MarkedAllocator&amp; allocator, size_t, AllocatorAttributes) -&gt; IterationStatus {
</ins><span class="cx">             allocator.reset();
</span><span class="cx">             return IterationStatus::Continue;
</span><span class="cx">         });
</span><span class="cx"> 
</span><span class="cx">     m_blocksWithNewObjects.clear();
</span><del>-    if (m_heap-&gt;operationInProgress() == EdenCollection)
-        m_largeAllocationsNurseryOffsetForSweep = m_largeAllocationsNurseryOffset;
-    else
-        m_largeAllocationsNurseryOffsetForSweep = 0;
-    m_largeAllocationsNurseryOffset = m_largeAllocations.size();
</del><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void MarkedSpace::visitWeakSets(HeapRootVisitor&amp; heapRootVisitor)
</span><span class="lines">@@ -323,8 +101,6 @@
</span><span class="cx">                 block-&gt;visitWeakSet(heapRootVisitor);
</span><span class="cx">             });
</span><span class="cx">     }
</span><del>-    for (unsigned i = m_largeAllocationsOffsetForThisCollection; i &lt; m_largeAllocations.size(); ++i)
-        m_largeAllocations[i]-&gt;visitWeakSet(heapRootVisitor);
</del><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void MarkedSpace::reapWeakSets()
</span><span class="lines">@@ -338,46 +114,46 @@
</span><span class="cx">                 block-&gt;reapWeakSet();
</span><span class="cx">             });
</span><span class="cx">     }
</span><del>-    for (unsigned i = m_largeAllocationsOffsetForThisCollection; i &lt; m_largeAllocations.size(); ++i)
-        m_largeAllocations[i]-&gt;reapWeakSet();
</del><span class="cx"> }
</span><span class="cx"> 
</span><ins>+template &lt;typename Functor&gt;
+void MarkedSpace::forEachAllocator(const Functor&amp; functor)
+{
+    forEachSubspace(
+        [&amp;] (Subspace&amp; subspace, AllocatorAttributes attributes) -&gt; IterationStatus {
+            for (size_t cellSize = preciseStep; cellSize &lt;= preciseCutoff; cellSize += preciseStep) {
+                if (functor(allocatorFor(subspace, cellSize), cellSize, attributes) == IterationStatus::Done)
+                    return IterationStatus::Done;
+            }
+            for (size_t cellSize = impreciseStart; cellSize &lt;= impreciseCutoff; cellSize += impreciseStep) {
+                if (functor(allocatorFor(subspace, cellSize), cellSize, attributes) == IterationStatus::Done)
+                    return IterationStatus::Done;
+            }
+            if (functor(subspace.largeAllocator, 0, attributes) == IterationStatus::Done)
+                return IterationStatus::Done;
+            
+            return IterationStatus::Continue;
+        });
+}
+
</ins><span class="cx"> void MarkedSpace::stopAllocating()
</span><span class="cx"> {
</span><span class="cx">     ASSERT(!isIterating());
</span><span class="cx">     forEachAllocator(
</span><del>-        [&amp;] (MarkedAllocator&amp; allocator) -&gt; IterationStatus {
</del><ins>+        [&amp;] (MarkedAllocator&amp; allocator, size_t, AllocatorAttributes) -&gt; IterationStatus {
</ins><span class="cx">             allocator.stopAllocating();
</span><span class="cx">             return IterationStatus::Continue;
</span><span class="cx">         });
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-void MarkedSpace::prepareForMarking()
-{
-    if (m_heap-&gt;operationInProgress() == EdenCollection)
-        m_largeAllocationsOffsetForThisCollection = m_largeAllocationsNurseryOffset;
-    else
-        m_largeAllocationsOffsetForThisCollection = 0;
-    m_largeAllocationsForThisCollectionBegin = m_largeAllocations.begin() + m_largeAllocationsOffsetForThisCollection;
-    m_largeAllocationsForThisCollectionSize = m_largeAllocations.size() - m_largeAllocationsOffsetForThisCollection;
-    m_largeAllocationsForThisCollectionEnd = m_largeAllocations.end();
-    RELEASE_ASSERT(m_largeAllocationsForThisCollectionEnd == m_largeAllocationsForThisCollectionBegin + m_largeAllocationsForThisCollectionSize);
-    std::sort(
-        m_largeAllocationsForThisCollectionBegin, m_largeAllocationsForThisCollectionEnd,
-        [&amp;] (LargeAllocation* a, LargeAllocation* b) {
-            return a &lt; b;
-        });
-}
-
</del><span class="cx"> void MarkedSpace::resumeAllocating()
</span><span class="cx"> {
</span><span class="cx">     ASSERT(isIterating());
</span><span class="cx">     forEachAllocator(
</span><del>-        [&amp;] (MarkedAllocator&amp; allocator) -&gt; IterationStatus {
</del><ins>+        [&amp;] (MarkedAllocator&amp; allocator, size_t, AllocatorAttributes) -&gt; IterationStatus {
</ins><span class="cx">             allocator.resumeAllocating();
</span><span class="cx">             return IterationStatus::Continue;
</span><span class="cx">         });
</span><del>-    // Nothing to do for LargeAllocations.
</del><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> bool MarkedSpace::isPagedOut(double deadline)
</span><span class="lines">@@ -384,7 +160,7 @@
</span><span class="cx"> {
</span><span class="cx">     bool result = false;
</span><span class="cx">     forEachAllocator(
</span><del>-        [&amp;] (MarkedAllocator&amp; allocator) -&gt; IterationStatus {
</del><ins>+        [&amp;] (MarkedAllocator&amp; allocator, size_t, AllocatorAttributes) -&gt; IterationStatus {
</ins><span class="cx">             if (allocator.isPagedOut(deadline)) {
</span><span class="cx">                 result = true;
</span><span class="cx">                 return IterationStatus::Done;
</span><span class="lines">@@ -391,7 +167,6 @@
</span><span class="cx">             }
</span><span class="cx">             return IterationStatus::Continue;
</span><span class="cx">         });
</span><del>-    // FIXME: Consider taking LargeAllocations into account here.
</del><span class="cx">     return result;
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="lines">@@ -419,20 +194,25 @@
</span><span class="cx">         [&amp;] (MarkedBlock* block) {
</span><span class="cx">             freeOrShrinkBlock(block);
</span><span class="cx">         });
</span><del>-    // For LargeAllocations, we do the moral equivalent in sweepLargeAllocations().
</del><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void MarkedSpace::clearNewlyAllocated()
</span><span class="cx"> {
</span><span class="cx">     forEachAllocator(
</span><del>-        [&amp;] (MarkedAllocator&amp; allocator) -&gt; IterationStatus {
</del><ins>+        [&amp;] (MarkedAllocator&amp; allocator, size_t size, AllocatorAttributes) -&gt; IterationStatus {
+            if (!size) {
+                // This means it's a largeAllocator.
+                allocator.forEachBlock(
+                    [&amp;] (MarkedBlock* block) {
+                        block-&gt;clearNewlyAllocated();
+                    });
+                return IterationStatus::Continue;
+            }
+            
</ins><span class="cx">             if (MarkedBlock* block = allocator.takeLastActiveBlock())
</span><span class="cx">                 block-&gt;clearNewlyAllocated();
</span><span class="cx">             return IterationStatus::Continue;
</span><span class="cx">         });
</span><del>-    
-    for (unsigned i = m_largeAllocationsOffsetForThisCollection; i &lt; m_largeAllocations.size(); ++i)
-        m_largeAllocations[i]-&gt;clearNewlyAllocated();
</del><span class="cx"> 
</span><span class="cx"> #if !ASSERT_DISABLED
</span><span class="cx">     forEachBlock(
</span><span class="lines">@@ -439,9 +219,6 @@
</span><span class="cx">         [&amp;] (MarkedBlock* block) {
</span><span class="cx">             ASSERT(!block-&gt;clearNewlyAllocated());
</span><span class="cx">         });
</span><del>-
-    for (LargeAllocation* allocation : m_largeAllocations)
-        ASSERT(!allocation-&gt;isNewlyAllocated());
</del><span class="cx"> #endif // !ASSERT_DISABLED
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="lines">@@ -470,8 +247,6 @@
</span><span class="cx">             [&amp;] (MarkedBlock* block) {
</span><span class="cx">                 block-&gt;clearMarks();
</span><span class="cx">             });
</span><del>-        for (LargeAllocation* allocation : m_largeAllocations)
-            allocation-&gt;clearMarks();
</del><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx"> #ifndef NDEBUG
</span><span class="lines">@@ -494,37 +269,4 @@
</span><span class="cx">     m_isIterating = false;
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-size_t MarkedSpace::objectCount()
-{
-    size_t result = 0;
-    forEachBlock(
-        [&amp;] (MarkedBlock* block) {
-            result += block-&gt;markCount();
-        });
-    for (LargeAllocation* allocation : m_largeAllocations) {
-        if (allocation-&gt;isMarked())
-            result++;
-    }
-    return result;
-}
-
-size_t MarkedSpace::size()
-{
-    size_t result = 0;
-    forEachBlock(
-        [&amp;] (MarkedBlock* block) {
-            result += block-&gt;markCount() * block-&gt;cellSize();
-        });
-    for (LargeAllocation* allocation : m_largeAllocations) {
-        if (allocation-&gt;isMarked())
-            result += allocation-&gt;cellSize();
-    }
-    return result;
-}
-
-size_t MarkedSpace::capacity()
-{
-    return m_capacity;
-}
-
</del><span class="cx"> } // namespace JSC
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapMarkedSpaceh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/heap/MarkedSpace.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/MarkedSpace.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/heap/MarkedSpace.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -23,12 +23,10 @@
</span><span class="cx"> #define MarkedSpace_h
</span><span class="cx"> 
</span><span class="cx"> #include &quot;IterationStatus.h&quot;
</span><del>-#include &quot;LargeAllocation.h&quot;
</del><span class="cx"> #include &quot;MarkedAllocator.h&quot;
</span><span class="cx"> #include &quot;MarkedBlock.h&quot;
</span><span class="cx"> #include &quot;MarkedBlockSet.h&quot;
</span><span class="cx"> #include &lt;array&gt;
</span><del>-#include &lt;wtf/Bag.h&gt;
</del><span class="cx"> #include &lt;wtf/HashSet.h&gt;
</span><span class="cx"> #include &lt;wtf/Noncopyable.h&gt;
</span><span class="cx"> #include &lt;wtf/RetainPtr.h&gt;
</span><span class="lines">@@ -43,71 +41,38 @@
</span><span class="cx"> class MarkedSpace {
</span><span class="cx">     WTF_MAKE_NONCOPYABLE(MarkedSpace);
</span><span class="cx"> public:
</span><del>-    // sizeStep is really a synonym for atomSize; it's no accident that they are the same.
-    static const size_t sizeStep = MarkedBlock::atomSize;
-    
-    // Sizes up to this amount get a size class for each size step.
-    static const size_t preciseCutoff = 80;
-    
-    // The amount of available payload in a block is the block's size minus the header. But the
-    // header size might not be atom size aligned, so we round down the result accordingly.
-    static const size_t blockPayload = (MarkedBlock::blockSize - sizeof(MarkedBlock)) &amp; ~(MarkedBlock::atomSize - 1);
-    
-    // The largest cell we're willing to allocate in a MarkedBlock the &quot;normal way&quot; (i.e. using size
-    // classes, rather than a large allocation) is half the size of the payload, rounded down. This
-    // ensures that we only use the size class approach if it means being able to pack two things
-    // into one block.
-    static const size_t largeCutoff = (blockPayload / 2) &amp; ~(sizeStep - 1);
</del><ins>+    // [ 16 ... 768 ]
+    static const size_t preciseStep = MarkedBlock::atomSize;
+    static const size_t preciseCutoff = 768;
+    static const size_t preciseCount = preciseCutoff / preciseStep;
</ins><span class="cx"> 
</span><del>-    static const size_t numSizeClasses = largeCutoff / sizeStep;
-    
-    static size_t sizeClassToIndex(size_t size)
-    {
-        ASSERT(size);
-        return (size + sizeStep - 1) / sizeStep - 1;
-    }
-    
-    static size_t indexToSizeClass(size_t index)
-    {
-        return (index + 1) * sizeStep;
-    }
-    
-    // Each Subspace corresponds to all of the blocks for all of the sizes for some &quot;class&quot; of
-    // objects. There are three classes: non-destructor JSCells, destructor JSCells, and auxiliary.
-    // MarkedSpace is set up to make it relatively easy to add new Subspaces.
</del><ins>+    // [ 1024 ... blockSize/2 ]
+    static const size_t impreciseStart = 1024;
+    static const size_t impreciseStep = 256;
+    static const size_t impreciseCutoff = MarkedBlock::blockSize / 2;
+    static const size_t impreciseCount = impreciseCutoff / impreciseStep;
+
</ins><span class="cx">     struct Subspace {
</span><del>-        std::array&lt;MarkedAllocator*, numSizeClasses&gt; allocatorForSizeStep;
-        
-        // Each MarkedAllocator is a size class.
-        Bag&lt;MarkedAllocator&gt; bagOfAllocators;
-        
-        AllocatorAttributes attributes;
</del><ins>+        std::array&lt;MarkedAllocator, preciseCount&gt; preciseAllocators;
+        std::array&lt;MarkedAllocator, impreciseCount&gt; impreciseAllocators;
+        MarkedAllocator largeAllocator;
</ins><span class="cx">     };
</span><del>-    
</del><ins>+
</ins><span class="cx">     MarkedSpace(Heap*);
</span><span class="cx">     ~MarkedSpace();
</span><span class="cx">     void lastChanceToFinalize();
</span><span class="cx"> 
</span><del>-    static size_t optimalSizeFor(size_t);
-    
-    static MarkedAllocator* allocatorFor(Subspace&amp;, size_t);
-
-    MarkedAllocator* allocatorFor(size_t);
-    MarkedAllocator* destructorAllocatorFor(size_t);
-    MarkedAllocator* auxiliaryAllocatorFor(size_t);
-
-    JS_EXPORT_PRIVATE void* allocate(Subspace&amp;, size_t);
-    JS_EXPORT_PRIVATE void* tryAllocate(Subspace&amp;, size_t);
-    
</del><ins>+    MarkedAllocator&amp; allocatorFor(size_t);
+    MarkedAllocator&amp; destructorAllocatorFor(size_t);
+    MarkedAllocator&amp; auxiliaryAllocatorFor(size_t);
</ins><span class="cx">     void* allocateWithDestructor(size_t);
</span><span class="cx">     void* allocateWithoutDestructor(size_t);
</span><span class="cx">     void* allocateAuxiliary(size_t);
</span><del>-    void* tryAllocateAuxiliary(size_t);
-    
</del><ins>+
</ins><span class="cx">     Subspace&amp; subspaceForObjectsWithDestructor() { return m_destructorSpace; }
</span><span class="cx">     Subspace&amp; subspaceForObjectsWithoutDestructor() { return m_normalSpace; }
</span><span class="cx">     Subspace&amp; subspaceForAuxiliaryData() { return m_auxiliarySpace; }
</span><del>-    
</del><ins>+
</ins><span class="cx">     void resetAllocators();
</span><span class="cx"> 
</span><span class="cx">     void visitWeakSets(HeapRootVisitor&amp;);
</span><span class="lines">@@ -121,8 +86,6 @@
</span><span class="cx"> 
</span><span class="cx">     void stopAllocating();
</span><span class="cx">     void resumeAllocating(); // If we just stopped allocation but we didn't do a collection, we need to resume allocation.
</span><del>-    
-    void prepareForMarking();
</del><span class="cx"> 
</span><span class="cx">     typedef HashSet&lt;MarkedBlock*&gt;::iterator BlockIterator;
</span><span class="cx"> 
</span><span class="lines">@@ -141,7 +104,6 @@
</span><span class="cx">     void clearMarks();
</span><span class="cx">     void clearNewlyAllocated();
</span><span class="cx">     void sweep();
</span><del>-    void sweepLargeAllocations();
</del><span class="cx">     void zombifySweep();
</span><span class="cx">     size_t objectCount();
</span><span class="cx">     size_t size();
</span><span class="lines">@@ -150,33 +112,15 @@
</span><span class="cx">     bool isPagedOut(double deadline);
</span><span class="cx"> 
</span><span class="cx">     const Vector&lt;MarkedBlock*&gt;&amp; blocksWithNewObjects() const { return m_blocksWithNewObjects; }
</span><del>-    
-    const Vector&lt;LargeAllocation*&gt;&amp; largeAllocations() const { return m_largeAllocations; }
-    unsigned largeAllocationsNurseryOffset() const { return m_largeAllocationsNurseryOffset; }
-    unsigned largeAllocationsOffsetForThisCollection() const { return m_largeAllocationsOffsetForThisCollection; }
-    
-    // These are cached pointers and offsets for quickly searching the large allocations that are
-    // relevant to this collection.
-    LargeAllocation** largeAllocationsForThisCollectionBegin() const { return m_largeAllocationsForThisCollectionBegin; }
-    LargeAllocation** largeAllocationsForThisCollectionEnd() const { return m_largeAllocationsForThisCollectionEnd; }
-    unsigned largeAllocationsForThisCollectionSize() const { return m_largeAllocationsForThisCollectionSize; }
</del><span class="cx"> 
</span><span class="cx"> private:
</span><span class="cx">     friend class LLIntOffsetsExtractor;
</span><span class="cx">     friend class JIT;
</span><del>-    
-    JS_EXPORT_PRIVATE static std::array&lt;size_t, numSizeClasses&gt; s_sizeClassForSizeStep;
-    
-    JS_EXPORT_PRIVATE void* allocateLarge(Subspace&amp;, size_t);
-    JS_EXPORT_PRIVATE void* tryAllocateLarge(Subspace&amp;, size_t);
</del><span class="cx"> 
</span><del>-    static void initializeSizeClassForStepSize();
-    
-    void initializeSubspace(Subspace&amp;);
-
</del><span class="cx">     template&lt;typename Functor&gt; void forEachAllocator(const Functor&amp;);
</span><span class="cx">     template&lt;typename Functor&gt; void forEachSubspace(const Functor&amp;);
</span><del>-    
</del><ins>+    MarkedAllocator&amp; allocatorFor(Subspace&amp;, size_t);
+
</ins><span class="cx">     Subspace m_destructorSpace;
</span><span class="cx">     Subspace m_normalSpace;
</span><span class="cx">     Subspace m_auxiliarySpace;
</span><span class="lines">@@ -186,13 +130,6 @@
</span><span class="cx">     bool m_isIterating;
</span><span class="cx">     MarkedBlockSet m_blocks;
</span><span class="cx">     Vector&lt;MarkedBlock*&gt; m_blocksWithNewObjects;
</span><del>-    Vector&lt;LargeAllocation*&gt; m_largeAllocations;
-    unsigned m_largeAllocationsNurseryOffset { 0 };
-    unsigned m_largeAllocationsOffsetForThisCollection { 0 };
-    unsigned m_largeAllocationsNurseryOffsetForSweep { 0 };
-    LargeAllocation** m_largeAllocationsForThisCollectionBegin { nullptr };
-    LargeAllocation** m_largeAllocationsForThisCollectionEnd { nullptr };
-    unsigned m_largeAllocationsForThisCollectionSize { 0 };
</del><span class="cx"> };
</span><span class="cx"> 
</span><span class="cx"> template&lt;typename Functor&gt; inline void MarkedSpace::forEachLiveCell(HeapIterationScope&amp;, const Functor&amp; functor)
</span><span class="lines">@@ -201,14 +138,8 @@
</span><span class="cx">     BlockIterator end = m_blocks.set().end();
</span><span class="cx">     for (BlockIterator it = m_blocks.set().begin(); it != end; ++it) {
</span><span class="cx">         if ((*it)-&gt;forEachLiveCell(functor) == IterationStatus::Done)
</span><del>-            return;
</del><ins>+            break;
</ins><span class="cx">     }
</span><del>-    for (LargeAllocation* allocation : m_largeAllocations) {
-        if (allocation-&gt;isLive()) {
-            if (functor(allocation-&gt;cell(), allocation-&gt;attributes().cellKind) == IterationStatus::Done)
-                return;
-        }
-    }
</del><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> template&lt;typename Functor&gt; inline void MarkedSpace::forEachDeadCell(HeapIterationScope&amp;, const Functor&amp; functor)
</span><span class="lines">@@ -217,35 +148,21 @@
</span><span class="cx">     BlockIterator end = m_blocks.set().end();
</span><span class="cx">     for (BlockIterator it = m_blocks.set().begin(); it != end; ++it) {
</span><span class="cx">         if ((*it)-&gt;forEachDeadCell(functor) == IterationStatus::Done)
</span><del>-            return;
</del><ins>+            break;
</ins><span class="cx">     }
</span><del>-    for (LargeAllocation* allocation : m_largeAllocations) {
-        if (!allocation-&gt;isLive()) {
-            if (functor(allocation-&gt;cell(), allocation-&gt;attributes().cellKind) == IterationStatus::Done)
-                return;
-        }
-    }
</del><span class="cx"> }
</span><span class="cx"> 
</span><del>-inline MarkedAllocator* MarkedSpace::allocatorFor(Subspace&amp; space, size_t bytes)
</del><ins>+inline MarkedAllocator&amp; MarkedSpace::allocatorFor(size_t bytes)
</ins><span class="cx"> {
</span><del>-    ASSERT(bytes);
-    if (bytes &lt;= largeCutoff)
-        return space.allocatorForSizeStep[sizeClassToIndex(bytes)];
-    return nullptr;
-}
-
-inline MarkedAllocator* MarkedSpace::allocatorFor(size_t bytes)
-{
</del><span class="cx">     return allocatorFor(m_normalSpace, bytes);
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-inline MarkedAllocator* MarkedSpace::destructorAllocatorFor(size_t bytes)
</del><ins>+inline MarkedAllocator&amp; MarkedSpace::destructorAllocatorFor(size_t bytes)
</ins><span class="cx"> {
</span><span class="cx">     return allocatorFor(m_destructorSpace, bytes);
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-inline MarkedAllocator* MarkedSpace::auxiliaryAllocatorFor(size_t bytes)
</del><ins>+inline MarkedAllocator&amp; MarkedSpace::auxiliaryAllocatorFor(size_t bytes)
</ins><span class="cx"> {
</span><span class="cx">     return allocatorFor(m_auxiliarySpace, bytes);
</span><span class="cx"> }
</span><span class="lines">@@ -252,29 +169,28 @@
</span><span class="cx"> 
</span><span class="cx"> inline void* MarkedSpace::allocateWithoutDestructor(size_t bytes)
</span><span class="cx"> {
</span><del>-    return allocate(m_normalSpace, bytes);
</del><ins>+    return allocatorFor(bytes).allocate(bytes);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> inline void* MarkedSpace::allocateWithDestructor(size_t bytes)
</span><span class="cx"> {
</span><del>-    return allocate(m_destructorSpace, bytes);
</del><ins>+    return destructorAllocatorFor(bytes).allocate(bytes);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> inline void* MarkedSpace::allocateAuxiliary(size_t bytes)
</span><span class="cx"> {
</span><del>-    return allocate(m_auxiliarySpace, bytes);
</del><ins>+    return auxiliaryAllocatorFor(bytes).allocate(bytes);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><del>-inline void* MarkedSpace::tryAllocateAuxiliary(size_t bytes)
-{
-    return tryAllocate(m_auxiliarySpace, bytes);
-}
-
</del><span class="cx"> template &lt;typename Functor&gt; inline void MarkedSpace::forEachBlock(const Functor&amp; functor)
</span><span class="cx"> {
</span><del>-    forEachAllocator(
-        [&amp;] (MarkedAllocator&amp; allocator) -&gt; IterationStatus {
-            allocator.forEachBlock(functor);
</del><ins>+    forEachSubspace(
+        [&amp;] (Subspace&amp; subspace, AllocatorAttributes) -&gt; IterationStatus {
+            for (size_t i = 0; i &lt; preciseCount; ++i)
+                subspace.preciseAllocators[i].forEachBlock(functor);
+            for (size_t i = 0; i &lt; impreciseCount; ++i)
+                subspace.impreciseAllocators[i].forEachBlock(functor);
+            subspace.largeAllocator.forEachBlock(functor);
</ins><span class="cx">             return IterationStatus::Continue;
</span><span class="cx">         });
</span><span class="cx"> }
</span><span class="lines">@@ -290,20 +206,31 @@
</span><span class="cx">     m_blocksWithNewObjects.append(block);
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-template &lt;typename Functor&gt;
-void MarkedSpace::forEachAllocator(const Functor&amp; functor)
</del><ins>+inline size_t MarkedSpace::objectCount()
</ins><span class="cx"> {
</span><del>-    forEachSubspace(
-        [&amp;] (Subspace&amp; subspace, AllocatorAttributes) -&gt; IterationStatus {
-            for (MarkedAllocator* allocator : subspace.bagOfAllocators) {
-                if (functor(*allocator) == IterationStatus::Done)
-                    return IterationStatus::Done;
-            }
-            
-            return IterationStatus::Continue;
</del><ins>+    size_t result = 0;
+    forEachBlock(
+        [&amp;] (MarkedBlock* block) {
+            result += block-&gt;markCount();
</ins><span class="cx">         });
</span><ins>+    return result;
</ins><span class="cx"> }
</span><span class="cx"> 
</span><ins>+inline size_t MarkedSpace::size()
+{
+    size_t result = 0;
+    forEachBlock(
+        [&amp;] (MarkedBlock* block) {
+            result += block-&gt;markCount() * block-&gt;cellSize();
+        });
+    return result;
+}
+
+inline size_t MarkedSpace::capacity()
+{
+    return m_capacity;
+}
+
</ins><span class="cx"> template&lt;typename Functor&gt;
</span><span class="cx"> inline void MarkedSpace::forEachSubspace(const Functor&amp; func)
</span><span class="cx"> {
</span><span class="lines">@@ -324,14 +251,14 @@
</span><span class="cx">     func(m_auxiliarySpace, attributes);
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-ALWAYS_INLINE size_t MarkedSpace::optimalSizeFor(size_t bytes)
</del><ins>+inline MarkedAllocator&amp; MarkedSpace::allocatorFor(Subspace&amp; space, size_t bytes)
</ins><span class="cx"> {
</span><span class="cx">     ASSERT(bytes);
</span><span class="cx">     if (bytes &lt;= preciseCutoff)
</span><del>-        return WTF::roundUpToMultipleOf&lt;sizeStep&gt;(bytes);
-    if (bytes &lt;= largeCutoff)
-        return s_sizeClassForSizeStep[sizeClassToIndex(bytes)];
-    return bytes;
</del><ins>+        return space.preciseAllocators[(bytes - 1) / preciseStep];
+    if (bytes &lt;= impreciseCutoff)
+        return space.impreciseAllocators[(bytes - 1) / impreciseStep];
+    return space.largeAllocator;
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> } // namespace JSC
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapSlotVisitorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/heap/SlotVisitor.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/SlotVisitor.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/heap/SlotVisitor.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2012, 2015-2016 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2012, 2015 Apple Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -31,16 +31,14 @@
</span><span class="cx"> #include &quot;CopiedBlockInlines.h&quot;
</span><span class="cx"> #include &quot;CopiedSpace.h&quot;
</span><span class="cx"> #include &quot;CopiedSpaceInlines.h&quot;
</span><del>-#include &quot;HeapCellInlines.h&quot;
</del><span class="cx"> #include &quot;HeapProfiler.h&quot;
</span><span class="cx"> #include &quot;HeapSnapshotBuilder.h&quot;
</span><span class="cx"> #include &quot;JSArray.h&quot;
</span><span class="cx"> #include &quot;JSDestructibleObject.h&quot;
</span><ins>+#include &quot;VM.h&quot;
</ins><span class="cx"> #include &quot;JSObject.h&quot;
</span><span class="cx"> #include &quot;JSString.h&quot;
</span><span class="cx"> #include &quot;JSCInlines.h&quot;
</span><del>-#include &quot;SuperSampler.h&quot;
-#include &quot;VM.h&quot;
</del><span class="cx"> #include &lt;wtf/Lock.h&gt;
</span><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="lines">@@ -98,8 +96,6 @@
</span><span class="cx"> {
</span><span class="cx">     if (heap()-&gt;operationInProgress() == FullCollection)
</span><span class="cx">         ASSERT(m_opaqueRoots.isEmpty()); // Should have merged by now.
</span><del>-    else
-        reset();
</del><span class="cx"> 
</span><span class="cx">     if (HeapProfiler* heapProfiler = vm().heapProfiler())
</span><span class="cx">         m_heapSnapshotBuilder = heapProfiler-&gt;activeSnapshotBuilder();
</span><span class="lines">@@ -112,6 +108,7 @@
</span><span class="cx">     m_visitCount = 0;
</span><span class="cx">     m_heapSnapshotBuilder = nullptr;
</span><span class="cx">     ASSERT(!m_currentCell);
</span><ins>+    ASSERT(m_stack.isEmpty());
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void SlotVisitor::clearMarkStack()
</span><span class="lines">@@ -121,43 +118,12 @@
</span><span class="cx"> 
</span><span class="cx"> void SlotVisitor::append(ConservativeRoots&amp; conservativeRoots)
</span><span class="cx"> {
</span><del>-    HeapCell** roots = conservativeRoots.roots();
</del><ins>+    JSCell** roots = conservativeRoots.roots();
</ins><span class="cx">     size_t size = conservativeRoots.size();
</span><span class="cx">     for (size_t i = 0; i &lt; size; ++i)
</span><del>-        appendJSCellOrAuxiliary(roots[i]);
</del><ins>+        append(roots[i]);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><del>-void SlotVisitor::appendJSCellOrAuxiliary(HeapCell* heapCell)
-{
-    if (!heapCell)
-        return;
-    
-    ASSERT(!m_isCheckingForDefaultMarkViolation);
-    
-    if (Heap::testAndSetMarked(heapCell))
-        return;
-    
-    switch (heapCell-&gt;cellKind()) {
-    case HeapCell::JSCell: {
-        JSCell* jsCell = static_cast&lt;JSCell*&gt;(heapCell);
-        
-        if (!jsCell-&gt;structure()) {
-            ASSERT_NOT_REACHED();
-            return;
-        }
-        
-        jsCell-&gt;setCellState(CellState::NewGrey);
-
-        appendToMarkStack(jsCell);
-        return;
-    }
-        
-    case HeapCell::Auxiliary: {
-        noteLiveAuxiliaryCell(heapCell);
-        return;
-    } }
-}
-
</del><span class="cx"> void SlotVisitor::append(JSValue value)
</span><span class="cx"> {
</span><span class="cx">     if (!value || !value.isCell())
</span><span class="lines">@@ -179,8 +145,6 @@
</span><span class="cx"> 
</span><span class="cx"> void SlotVisitor::setMarkedAndAppendToMarkStack(JSCell* cell)
</span><span class="cx"> {
</span><del>-    SuperSamplerScope superSamplerScope(false);
-    
</del><span class="cx">     ASSERT(!m_isCheckingForDefaultMarkViolation);
</span><span class="cx">     if (!cell)
</span><span class="cx">         return;
</span><span class="lines">@@ -188,51 +152,27 @@
</span><span class="cx"> #if ENABLE(GC_VALIDATION)
</span><span class="cx">     validate(cell);
</span><span class="cx"> #endif
</span><del>-    
-    if (cell-&gt;isLargeAllocation())
-        setMarkedAndAppendToMarkStack(cell-&gt;largeAllocation(), cell);
-    else
-        setMarkedAndAppendToMarkStack(cell-&gt;markedBlock(), cell);
-}
</del><span class="cx"> 
</span><del>-template&lt;typename ContainerType&gt;
-ALWAYS_INLINE void SlotVisitor::setMarkedAndAppendToMarkStack(
-    ContainerType&amp; container, JSCell* cell)
-{
-    if (container.testAndSetMarked(cell))
</del><ins>+    if (Heap::testAndSetMarked(cell) || !cell-&gt;structure()) {
+        ASSERT(cell-&gt;structure());
</ins><span class="cx">         return;
</span><del>-    
-    ASSERT(cell-&gt;structure());
-    
</del><ins>+    }
+
</ins><span class="cx">     // Indicate that the object is grey and that:
</span><span class="cx">     // In case of concurrent GC: it's the first time it is grey in this GC cycle.
</span><span class="cx">     // In case of eden collection: it's a new object that became grey rather than an old remembered object.
</span><span class="cx">     cell-&gt;setCellState(CellState::NewGrey);
</span><del>-    
-    appendToMarkStack(container, cell);
</del><ins>+
+    appendToMarkStack(cell);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void SlotVisitor::appendToMarkStack(JSCell* cell)
</span><span class="cx"> {
</span><del>-    if (cell-&gt;isLargeAllocation())
-        appendToMarkStack(cell-&gt;largeAllocation(), cell);
-    else
-        appendToMarkStack(cell-&gt;markedBlock(), cell);
-}
-
-template&lt;typename ContainerType&gt;
-ALWAYS_INLINE void SlotVisitor::appendToMarkStack(ContainerType&amp; container, JSCell* cell)
-{
</del><span class="cx">     ASSERT(Heap::isMarked(cell));
</span><span class="cx">     ASSERT(!cell-&gt;isZapped());
</span><del>-    
-    container.setHasAnyMarked(); // This permits super fast sweeping.
-    
-    // FIXME: These &quot;just work&quot; because the GC resets these fields before doing anything else. But
-    // that won't be the case when we do concurrent GC.
</del><ins>+
</ins><span class="cx">     m_visitCount++;
</span><del>-    m_bytesVisited += container.cellSize();
-    
</del><ins>+    m_bytesVisited += MarkedBlock::blockFor(cell)-&gt;cellSize();
</ins><span class="cx">     m_stack.append(cell);
</span><span class="cx"> 
</span><span class="cx">     if (UNLIKELY(m_heapSnapshotBuilder))
</span><span class="lines">@@ -239,34 +179,6 @@
</span><span class="cx">         m_heapSnapshotBuilder-&gt;appendNode(cell);
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-void SlotVisitor::markAuxiliary(const void* base)
-{
-    HeapCell* cell = bitwise_cast&lt;HeapCell*&gt;(base);
-    
-    if (Heap::testAndSetMarked(cell)) {
-        RELEASE_ASSERT(Heap::isMarked(cell));
-        return;
-    }
-    
-    noteLiveAuxiliaryCell(cell);
-}
-
-void SlotVisitor::noteLiveAuxiliaryCell(HeapCell* cell)
-{
-    // We get here once per GC under these circumstances:
-    //
-    // Eden collection: if the cell was allocated since the last collection and is live somehow.
-    //
-    // Full collection: if the cell is live somehow.
-    
-    CellContainer container = cell-&gt;cellContainer();
-    
-    container.setHasAnyMarked();
-    
-    m_visitCount++;
-    m_bytesVisited += container.cellSize();
-}
-
</del><span class="cx"> class SetCurrentCellScope {
</span><span class="cx"> public:
</span><span class="cx">     SetCurrentCellScope(SlotVisitor&amp; visitor, const JSCell* cell)
</span><span class="lines">@@ -290,9 +202,9 @@
</span><span class="cx"> ALWAYS_INLINE void SlotVisitor::visitChildren(const JSCell* cell)
</span><span class="cx"> {
</span><span class="cx">     ASSERT(Heap::isMarked(cell));
</span><del>-    
</del><ins>+
</ins><span class="cx">     SetCurrentCellScope currentCellScope(*this, cell);
</span><del>-    
</del><ins>+
</ins><span class="cx">     m_currentObjectCellStateBeforeVisiting = cell-&gt;cellState();
</span><span class="cx">     cell-&gt;setCellState(CellState::OldBlack);
</span><span class="cx">     
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapSlotVisitorh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/heap/SlotVisitor.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/SlotVisitor.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/heap/SlotVisitor.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -37,10 +37,8 @@
</span><span class="cx"> class ConservativeRoots;
</span><span class="cx"> class GCThreadSharedData;
</span><span class="cx"> class Heap;
</span><del>-class HeapCell;
</del><span class="cx"> class HeapSnapshotBuilder;
</span><span class="cx"> template&lt;typename T&gt; class JITWriteBarrier;
</span><del>-class MarkedBlock;
</del><span class="cx"> class UnconditionalFinalizer;
</span><span class="cx"> template&lt;typename T&gt; class Weak;
</span><span class="cx"> class WeakReferenceHarvester;
</span><span class="lines">@@ -106,10 +104,6 @@
</span><span class="cx"> 
</span><span class="cx">     void harvestWeakReferences();
</span><span class="cx">     void finalizeUnconditionalFinalizers();
</span><del>-    
-    // This informs the GC about auxiliary of some size that we are keeping alive. If you don't do
-    // this then the space will be freed at end of GC.
-    void markAuxiliary(const void* base);
</del><span class="cx"> 
</span><span class="cx">     void copyLater(JSCell*, CopyToken, void*, size_t);
</span><span class="cx">     
</span><span class="lines">@@ -129,21 +123,11 @@
</span><span class="cx">     friend class ParallelModeEnabler;
</span><span class="cx">     
</span><span class="cx">     JS_EXPORT_PRIVATE void append(JSValue); // This is private to encourage clients to use WriteBarrier&lt;T&gt;.
</span><del>-    void appendJSCellOrAuxiliary(HeapCell*);
</del><span class="cx">     void appendHidden(JSValue);
</span><span class="cx"> 
</span><span class="cx">     JS_EXPORT_PRIVATE void setMarkedAndAppendToMarkStack(JSCell*);
</span><del>-    
-    template&lt;typename ContainerType&gt;
-    void setMarkedAndAppendToMarkStack(ContainerType&amp;, JSCell*);
-    
</del><span class="cx">     void appendToMarkStack(JSCell*);
</span><span class="cx">     
</span><del>-    template&lt;typename ContainerType&gt;
-    void appendToMarkStack(ContainerType&amp;, JSCell*);
-    
-    void noteLiveAuxiliaryCell(HeapCell*);
-    
</del><span class="cx">     JS_EXPORT_PRIVATE void mergeOpaqueRoots();
</span><span class="cx">     void mergeOpaqueRootsIfNecessary();
</span><span class="cx">     void mergeOpaqueRootsIfProfitable();
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapWeakBlockcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/heap/WeakBlock.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/WeakBlock.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/heap/WeakBlock.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2012, 2016 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2012 Apple Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -26,7 +26,6 @@
</span><span class="cx"> #include &quot;config.h&quot;
</span><span class="cx"> #include &quot;WeakBlock.h&quot;
</span><span class="cx"> 
</span><del>-#include &quot;CellContainerInlines.h&quot;
</del><span class="cx"> #include &quot;Heap.h&quot;
</span><span class="cx"> #include &quot;HeapRootVisitor.h&quot;
</span><span class="cx"> #include &quot;JSCInlines.h&quot;
</span><span class="lines">@@ -35,10 +34,10 @@
</span><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span><del>-WeakBlock* WeakBlock::create(Heap&amp; heap, CellContainer container)
</del><ins>+WeakBlock* WeakBlock::create(Heap&amp; heap, MarkedBlock&amp; markedBlock)
</ins><span class="cx"> {
</span><span class="cx">     heap.didAllocateBlock(WeakBlock::blockSize);
</span><del>-    return new (NotNull, fastMalloc(blockSize)) WeakBlock(container);
</del><ins>+    return new (NotNull, fastMalloc(blockSize)) WeakBlock(markedBlock);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void WeakBlock::destroy(Heap&amp; heap, WeakBlock* block)
</span><span class="lines">@@ -48,9 +47,9 @@
</span><span class="cx">     heap.didFreeBlock(WeakBlock::blockSize);
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-WeakBlock::WeakBlock(CellContainer container)
</del><ins>+WeakBlock::WeakBlock(MarkedBlock&amp; markedBlock)
</ins><span class="cx">     : DoublyLinkedListNode&lt;WeakBlock&gt;()
</span><del>-    , m_container(container)
</del><ins>+    , m_markedBlock(&amp;markedBlock)
</ins><span class="cx"> {
</span><span class="cx">     for (size_t i = 0; i &lt; weakImplCount(); ++i) {
</span><span class="cx">         WeakImpl* weakImpl = &amp;weakImpls()[i];
</span><span class="lines">@@ -102,11 +101,11 @@
</span><span class="cx">     if (isEmpty())
</span><span class="cx">         return;
</span><span class="cx"> 
</span><del>-    // If this WeakBlock doesn't belong to a CellContainer, we won't even be here.
-    ASSERT(m_container);
</del><ins>+    // If this WeakBlock doesn't belong to a MarkedBlock, we won't even be here.
+    ASSERT(m_markedBlock);
</ins><span class="cx"> 
</span><span class="cx">     // We only visit after marking.
</span><del>-    ASSERT(m_container.isMarkedOrRetired());
</del><ins>+    ASSERT(m_markedBlock-&gt;isMarkedOrRetired());
</ins><span class="cx"> 
</span><span class="cx">     SlotVisitor&amp; visitor = heapRootVisitor.visitor();
</span><span class="cx"> 
</span><span class="lines">@@ -120,7 +119,7 @@
</span><span class="cx">             continue;
</span><span class="cx"> 
</span><span class="cx">         const JSValue&amp; jsValue = weakImpl-&gt;jsValue();
</span><del>-        if (m_container.isMarkedOrNewlyAllocated(jsValue.asCell()))
</del><ins>+        if (m_markedBlock-&gt;isMarkedOrNewlyAllocated(jsValue.asCell()))
</ins><span class="cx">             continue;
</span><span class="cx"> 
</span><span class="cx">         if (!weakHandleOwner-&gt;isReachableFromOpaqueRoots(Handle&lt;Unknown&gt;::wrapSlot(&amp;const_cast&lt;JSValue&amp;&gt;(jsValue)), weakImpl-&gt;context(), visitor))
</span><span class="lines">@@ -136,11 +135,11 @@
</span><span class="cx">     if (isEmpty())
</span><span class="cx">         return;
</span><span class="cx"> 
</span><del>-    // If this WeakBlock doesn't belong to a CellContainer, we won't even be here.
-    ASSERT(m_container);
</del><ins>+    // If this WeakBlock doesn't belong to a MarkedBlock, we won't even be here.
+    ASSERT(m_markedBlock);
</ins><span class="cx"> 
</span><span class="cx">     // We only reap after marking.
</span><del>-    ASSERT(m_container.isMarkedOrRetired());
</del><ins>+    ASSERT(m_markedBlock-&gt;isMarkedOrRetired());
</ins><span class="cx"> 
</span><span class="cx">     for (size_t i = 0; i &lt; weakImplCount(); ++i) {
</span><span class="cx">         WeakImpl* weakImpl = &amp;weakImpls()[i];
</span><span class="lines">@@ -147,7 +146,7 @@
</span><span class="cx">         if (weakImpl-&gt;state() &gt; WeakImpl::Dead)
</span><span class="cx">             continue;
</span><span class="cx"> 
</span><del>-        if (m_container.isMarkedOrNewlyAllocated(weakImpl-&gt;jsValue().asCell())) {
</del><ins>+        if (m_markedBlock-&gt;isMarkedOrNewlyAllocated(weakImpl-&gt;jsValue().asCell())) {
</ins><span class="cx">             ASSERT(weakImpl-&gt;state() == WeakImpl::Live);
</span><span class="cx">             continue;
</span><span class="cx">         }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapWeakBlockh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/heap/WeakBlock.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/WeakBlock.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/heap/WeakBlock.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2012, 2016 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2012 Apple Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -26,7 +26,6 @@
</span><span class="cx"> #ifndef WeakBlock_h
</span><span class="cx"> #define WeakBlock_h
</span><span class="cx"> 
</span><del>-#include &quot;CellContainer.h&quot;
</del><span class="cx"> #include &quot;WeakImpl.h&quot;
</span><span class="cx"> #include &lt;wtf/DoublyLinkedList.h&gt;
</span><span class="cx"> #include &lt;wtf/StdLibExtras.h&gt;
</span><span class="lines">@@ -35,6 +34,7 @@
</span><span class="cx"> 
</span><span class="cx"> class Heap;
</span><span class="cx"> class HeapRootVisitor;
</span><ins>+class MarkedBlock;
</ins><span class="cx"> 
</span><span class="cx"> class WeakBlock : public DoublyLinkedListNode&lt;WeakBlock&gt; {
</span><span class="cx"> public:
</span><span class="lines">@@ -53,7 +53,7 @@
</span><span class="cx">         FreeCell* freeList { nullptr };
</span><span class="cx">     };
</span><span class="cx"> 
</span><del>-    static WeakBlock* create(Heap&amp;, CellContainer);
</del><ins>+    static WeakBlock* create(Heap&amp;, MarkedBlock&amp;);
</ins><span class="cx">     static void destroy(Heap&amp;, WeakBlock*);
</span><span class="cx"> 
</span><span class="cx">     static WeakImpl* asWeakImpl(FreeCell*);
</span><span class="lines">@@ -68,18 +68,18 @@
</span><span class="cx">     void reap();
</span><span class="cx"> 
</span><span class="cx">     void lastChanceToFinalize();
</span><del>-    void disconnectContainer() { m_container = CellContainer(); }
</del><ins>+    void disconnectMarkedBlock() { m_markedBlock = nullptr; }
</ins><span class="cx"> 
</span><span class="cx"> private:
</span><span class="cx">     static FreeCell* asFreeCell(WeakImpl*);
</span><span class="cx"> 
</span><del>-    explicit WeakBlock(CellContainer);
</del><ins>+    explicit WeakBlock(MarkedBlock&amp;);
</ins><span class="cx">     void finalize(WeakImpl*);
</span><span class="cx">     WeakImpl* weakImpls();
</span><span class="cx">     size_t weakImplCount();
</span><span class="cx">     void addToFreeList(FreeCell**, WeakImpl*);
</span><span class="cx"> 
</span><del>-    CellContainer m_container;
</del><ins>+    MarkedBlock* m_markedBlock;
</ins><span class="cx">     WeakBlock* m_prev;
</span><span class="cx">     WeakBlock* m_next;
</span><span class="cx">     SweepResult m_sweepResult;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapWeakSetcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/heap/WeakSet.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/WeakSet.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/heap/WeakSet.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2012, 2016 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2012 Apple Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -53,10 +53,10 @@
</span><span class="cx">         if (block-&gt;isLogicallyEmptyButNotFree()) {
</span><span class="cx">             // If this WeakBlock is logically empty, but still has Weaks pointing into it,
</span><span class="cx">             // we can't destroy it just yet. Detach it from the WeakSet and hand ownership
</span><del>-            // to the Heap so we don't pin down the entire MarkedBlock or LargeAllocation.
</del><ins>+            // to the Heap so we don't pin down the entire 64kB MarkedBlock.
</ins><span class="cx">             m_blocks.remove(block);
</span><span class="cx">             heap()-&gt;addLogicallyEmptyWeakBlock(block);
</span><del>-            block-&gt;disconnectContainer();
</del><ins>+            block-&gt;disconnectMarkedBlock();
</ins><span class="cx">         }
</span><span class="cx">         block = nextBlock;
</span><span class="cx">     }
</span><span class="lines">@@ -88,7 +88,7 @@
</span><span class="cx"> 
</span><span class="cx"> WeakBlock::FreeCell* WeakSet::addAllocator()
</span><span class="cx"> {
</span><del>-    WeakBlock* block = WeakBlock::create(*heap(), m_container);
</del><ins>+    WeakBlock* block = WeakBlock::create(*heap(), m_markedBlock);
</ins><span class="cx">     heap()-&gt;didAllocate(WeakBlock::blockSize);
</span><span class="cx">     m_blocks.append(block);
</span><span class="cx">     WeakBlock::SweepResult sweepResult = block-&gt;takeSweepResult();
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapWeakSeth"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/heap/WeakSet.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/WeakSet.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/heap/WeakSet.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2012, 2016 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2012 Apple Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -26,12 +26,12 @@
</span><span class="cx"> #ifndef WeakSet_h
</span><span class="cx"> #define WeakSet_h
</span><span class="cx"> 
</span><del>-#include &quot;CellContainer.h&quot;
</del><span class="cx"> #include &quot;WeakBlock.h&quot;
</span><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span><span class="cx"> class Heap;
</span><ins>+class MarkedBlock;
</ins><span class="cx"> class WeakImpl;
</span><span class="cx"> 
</span><span class="cx"> class WeakSet {
</span><span class="lines">@@ -41,7 +41,7 @@
</span><span class="cx">     static WeakImpl* allocate(JSValue, WeakHandleOwner* = 0, void* context = 0);
</span><span class="cx">     static void deallocate(WeakImpl*);
</span><span class="cx"> 
</span><del>-    WeakSet(VM*, CellContainer);
</del><ins>+    WeakSet(VM*, MarkedBlock&amp;);
</ins><span class="cx">     ~WeakSet();
</span><span class="cx">     void lastChanceToFinalize();
</span><span class="cx"> 
</span><span class="lines">@@ -66,14 +66,14 @@
</span><span class="cx">     WeakBlock* m_nextAllocator;
</span><span class="cx">     DoublyLinkedList&lt;WeakBlock&gt; m_blocks;
</span><span class="cx">     VM* m_vm;
</span><del>-    CellContainer m_container;
</del><ins>+    MarkedBlock&amp; m_markedBlock;
</ins><span class="cx"> };
</span><span class="cx"> 
</span><del>-inline WeakSet::WeakSet(VM* vm, CellContainer container)
</del><ins>+inline WeakSet::WeakSet(VM* vm, MarkedBlock&amp; markedBlock)
</ins><span class="cx">     : m_allocator(0)
</span><span class="cx">     , m_nextAllocator(0)
</span><span class="cx">     , m_vm(vm)
</span><del>-    , m_container(container)
</del><ins>+    , m_markedBlock(markedBlock)
</ins><span class="cx"> {
</span><span class="cx"> }
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapWeakSetInlinesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/heap/WeakSetInlines.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/WeakSetInlines.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/heap/WeakSetInlines.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2012, 2016 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2012 Apple Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -26,7 +26,6 @@
</span><span class="cx"> #ifndef WeakSetInlines_h
</span><span class="cx"> #define WeakSetInlines_h
</span><span class="cx"> 
</span><del>-#include &quot;CellContainerInlines.h&quot;
</del><span class="cx"> #include &quot;MarkedBlock.h&quot;
</span><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="lines">@@ -33,7 +32,7 @@
</span><span class="cx"> 
</span><span class="cx"> inline WeakImpl* WeakSet::allocate(JSValue jsValue, WeakHandleOwner* weakHandleOwner, void* context)
</span><span class="cx"> {
</span><del>-    WeakSet&amp; weakSet = jsValue.asCell()-&gt;cellContainer().weakSet();
</del><ins>+    WeakSet&amp; weakSet = MarkedBlock::blockFor(jsValue.asCell())-&gt;weakSet();
</ins><span class="cx">     WeakBlock::FreeCell* allocator = weakSet.m_allocator;
</span><span class="cx">     if (UNLIKELY(!allocator))
</span><span class="cx">         allocator = weakSet.findAllocator();
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreinspectorInjectedScriptManagercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/inspector/InjectedScriptManager.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/inspector/InjectedScriptManager.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/inspector/InjectedScriptManager.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -35,7 +35,6 @@
</span><span class="cx"> #include &quot;InjectedScriptHost.h&quot;
</span><span class="cx"> #include &quot;InjectedScriptSource.h&quot;
</span><span class="cx"> #include &quot;InspectorValues.h&quot;
</span><del>-#include &quot;JSCInlines.h&quot;
</del><span class="cx"> #include &quot;JSInjectedScriptHost.h&quot;
</span><span class="cx"> #include &quot;JSLock.h&quot;
</span><span class="cx"> #include &quot;ScriptObject.h&quot;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreinspectorJSGlobalObjectInspectorControllercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/inspector/JSGlobalObjectInspectorController.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/inspector/JSGlobalObjectInspectorController.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/inspector/JSGlobalObjectInspectorController.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -38,7 +38,6 @@
</span><span class="cx"> #include &quot;InspectorFrontendRouter.h&quot;
</span><span class="cx"> #include &quot;InspectorHeapAgent.h&quot;
</span><span class="cx"> #include &quot;InspectorScriptProfilerAgent.h&quot;
</span><del>-#include &quot;JSCInlines.h&quot;
</del><span class="cx"> #include &quot;JSGlobalObject.h&quot;
</span><span class="cx"> #include &quot;JSGlobalObjectConsoleAgent.h&quot;
</span><span class="cx"> #include &quot;JSGlobalObjectConsoleClient.h&quot;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreinspectorJSJavaScriptCallFramecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/inspector/JSJavaScriptCallFrame.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/inspector/JSJavaScriptCallFrame.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/inspector/JSJavaScriptCallFrame.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -29,9 +29,11 @@
</span><span class="cx"> #include &quot;DebuggerScope.h&quot;
</span><span class="cx"> #include &quot;Error.h&quot;
</span><span class="cx"> #include &quot;IdentifierInlines.h&quot;
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;JSCJSValue.h&quot;
+#include &quot;JSCellInlines.h&quot;
</ins><span class="cx"> #include &quot;JSJavaScriptCallFramePrototype.h&quot;
</span><span class="cx"> #include &quot;ObjectConstructor.h&quot;
</span><ins>+#include &quot;StructureInlines.h&quot;
</ins><span class="cx"> 
</span><span class="cx"> using namespace JSC;
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreinspectorScriptDebugServercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/inspector/ScriptDebugServer.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/inspector/ScriptDebugServer.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/inspector/ScriptDebugServer.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -34,7 +34,6 @@
</span><span class="cx"> #include &quot;DebuggerCallFrame.h&quot;
</span><span class="cx"> #include &quot;DebuggerScope.h&quot;
</span><span class="cx"> #include &quot;Exception.h&quot;
</span><del>-#include &quot;JSCInlines.h&quot;
</del><span class="cx"> #include &quot;JSJavaScriptCallFrame.h&quot;
</span><span class="cx"> #include &quot;JSLock.h&quot;
</span><span class="cx"> #include &quot;JavaScriptCallFrame.h&quot;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreinspectoragentsInspectorDebuggerAgentcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/inspector/agents/InspectorDebuggerAgent.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/inspector/agents/InspectorDebuggerAgent.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/inspector/agents/InspectorDebuggerAgent.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -35,7 +35,6 @@
</span><span class="cx"> #include &quot;InjectedScriptManager.h&quot;
</span><span class="cx"> #include &quot;InspectorFrontendRouter.h&quot;
</span><span class="cx"> #include &quot;InspectorValues.h&quot;
</span><del>-#include &quot;JSCInlines.h&quot;
</del><span class="cx"> #include &quot;RegularExpression.h&quot;
</span><span class="cx"> #include &quot;ScriptDebugServer.h&quot;
</span><span class="cx"> #include &quot;ScriptObject.h&quot;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreinterpreterCachedCallh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/interpreter/CachedCall.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/interpreter/CachedCall.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/interpreter/CachedCall.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -42,11 +42,10 @@
</span><span class="cx">         CachedCall(CallFrame* callFrame, JSFunction* function, int argumentCount)
</span><span class="cx">             : m_valid(false)
</span><span class="cx">             , m_interpreter(callFrame-&gt;interpreter())
</span><del>-            , m_vm(callFrame-&gt;vm())
-            , m_entryScope(m_vm, function-&gt;scope()-&gt;globalObject(m_vm))
</del><ins>+            , m_entryScope(callFrame-&gt;vm(), function-&gt;scope()-&gt;globalObject())
</ins><span class="cx">         {
</span><span class="cx">             ASSERT(!function-&gt;isHostFunctionNonInline());
</span><del>-            if (UNLIKELY(m_vm.isSafeToRecurseSoft())) {
</del><ins>+            if (UNLIKELY(callFrame-&gt;vm().isSafeToRecurseSoft())) {
</ins><span class="cx">                 m_arguments.resize(argumentCount);
</span><span class="cx">                 m_closure = m_interpreter-&gt;prepareForRepeatCall(function-&gt;jsExecutable(), callFrame, &amp;m_protoCallFrame, function, argumentCount + 1, function-&gt;scope(), m_arguments.data());
</span><span class="cx">             } else
</span><span class="lines">@@ -65,7 +64,6 @@
</span><span class="cx">     private:
</span><span class="cx">         bool m_valid;
</span><span class="cx">         Interpreter* m_interpreter;
</span><del>-        VM&amp; m_vm;
</del><span class="cx">         VMEntryScope m_entryScope;
</span><span class="cx">         ProtoCallFrame m_protoCallFrame;
</span><span class="cx">         Vector&lt;JSValue&gt; m_arguments;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreinterpreterInterpretercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -51,7 +51,6 @@
</span><span class="cx"> #include &quot;JSString.h&quot;
</span><span class="cx"> #include &quot;JSWithScope.h&quot;
</span><span class="cx"> #include &quot;LLIntCLoop.h&quot;
</span><del>-#include &quot;LLIntData.h&quot;
</del><span class="cx"> #include &quot;LLIntThunks.h&quot;
</span><span class="cx"> #include &quot;LiteralParser.h&quot;
</span><span class="cx"> #include &quot;ObjectPrototype.h&quot;
</span><span class="lines">@@ -86,6 +85,46 @@
</span><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span><ins>+intptr_t StackFrame::sourceID() const
+{
+    if (!codeBlock)
+        return noSourceID;
+    return codeBlock-&gt;ownerScriptExecutable()-&gt;sourceID();
+}
+
+String StackFrame::sourceURL() const
+{
+    if (!codeBlock)
+        return ASCIILiteral(&quot;[native code]&quot;);
+
+    String sourceURL = codeBlock-&gt;ownerScriptExecutable()-&gt;sourceURL();
+    if (!sourceURL.isNull())
+        return sourceURL;
+    return emptyString();
+}
+
+String StackFrame::functionName(VM&amp; vm) const
+{
+    if (codeBlock) {
+        switch (codeBlock-&gt;codeType()) {
+        case EvalCode:
+            return ASCIILiteral(&quot;eval code&quot;);
+        case ModuleCode:
+            return ASCIILiteral(&quot;module code&quot;);
+        case FunctionCode:
+            break;
+        case GlobalCode:
+            return ASCIILiteral(&quot;global code&quot;);
+        default:
+            ASSERT_NOT_REACHED();
+        }
+    }
+    String name;
+    if (callee)
+        name = getCalculatedDisplayName(vm, callee.get()).impl();
+    return name.isNull() ? emptyString() : name;
+}
+
</ins><span class="cx"> JSValue eval(CallFrame* callFrame)
</span><span class="cx"> {
</span><span class="cx">     if (!callFrame-&gt;argumentCount())
</span><span class="lines">@@ -225,7 +264,6 @@
</span><span class="cx">         return;
</span><span class="cx">     
</span><span class="cx">     JSCell* cell = arguments.asCell();
</span><del>-
</del><span class="cx">     switch (cell-&gt;type()) {
</span><span class="cx">     case DirectArgumentsType:
</span><span class="cx">         jsCast&lt;DirectArguments*&gt;(cell)-&gt;copyToArguments(callFrame, firstElementDest, offset, length);
</span><span class="lines">@@ -434,6 +472,48 @@
</span><span class="cx"> #endif
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+void StackFrame::computeLineAndColumn(unsigned&amp; line, unsigned&amp; column) const
+{
+    if (!codeBlock) {
+        line = 0;
+        column = 0;
+        return;
+    }
+
+    int divot = 0;
+    int unusedStartOffset = 0;
+    int unusedEndOffset = 0;
+    codeBlock-&gt;expressionRangeForBytecodeOffset(bytecodeOffset, divot, unusedStartOffset, unusedEndOffset, line, column);
+
+    ScriptExecutable* executable = codeBlock-&gt;ownerScriptExecutable();
+    if (executable-&gt;hasOverrideLineNumber())
+        line = executable-&gt;overrideLineNumber();
+}
+
+String StackFrame::toString(VM&amp; vm) const
+{
+    StringBuilder traceBuild;
+    String functionName = this-&gt;functionName(vm);
+    String sourceURL = this-&gt;sourceURL();
+    traceBuild.append(functionName);
+    if (!sourceURL.isEmpty()) {
+        if (!functionName.isEmpty())
+            traceBuild.append('@');
+        traceBuild.append(sourceURL);
+        if (codeBlock) {
+            unsigned line;
+            unsigned column;
+            computeLineAndColumn(line, column);
+
+            traceBuild.append(':');
+            traceBuild.appendNumber(line);
+            traceBuild.append(':');
+            traceBuild.appendNumber(column);
+        }
+    }
+    return traceBuild.toString().impl();
+}
+
</ins><span class="cx"> static inline bool isWebAssemblyExecutable(ExecutableBase* executable)
</span><span class="cx"> {
</span><span class="cx"> #if !ENABLE(WEBASSEMBLY)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreinterpreterInterpreterh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/interpreter/Interpreter.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/interpreter/Interpreter.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/interpreter/Interpreter.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -37,7 +37,6 @@
</span><span class="cx"> #include &quot;Opcode.h&quot;
</span><span class="cx"> #include &quot;SourceProvider.h&quot;
</span><span class="cx"> #include &quot;StackAlignment.h&quot;
</span><del>-#include &quot;StackFrame.h&quot;
</del><span class="cx"> #include &lt;wtf/HashMap.h&gt;
</span><span class="cx"> #include &lt;wtf/text/StringBuilder.h&gt;
</span><span class="cx"> 
</span><span class="lines">@@ -67,7 +66,7 @@
</span><span class="cx">     struct Instruction;
</span><span class="cx">     struct ProtoCallFrame;
</span><span class="cx"> 
</span><del>-    enum UnwindStart : uint8_t { UnwindFromCurrentFrame, UnwindFromCallerFrame };
</del><ins>+    enum UnwindStart { UnwindFromCurrentFrame, UnwindFromCallerFrame };
</ins><span class="cx"> 
</span><span class="cx">     enum DebugHookID {
</span><span class="cx">         WillExecuteProgram,
</span><span class="lines">@@ -86,6 +85,20 @@
</span><span class="cx">         StackFrameNativeCode
</span><span class="cx">     };
</span><span class="cx"> 
</span><ins>+    struct StackFrame {
+        Strong&lt;JSObject&gt; callee;
+        Strong&lt;CodeBlock&gt; codeBlock;
+        unsigned bytecodeOffset;
+
+        bool isNative() const { return !codeBlock; }
+
+        void computeLineAndColumn(unsigned&amp; line, unsigned&amp; column) const;
+        String functionName(VM&amp;) const;
+        intptr_t sourceID() const;
+        String sourceURL() const;
+        String toString(VM&amp;) const;
+    };
+
</ins><span class="cx">     class SuspendExceptionScope {
</span><span class="cx">     public:
</span><span class="cx">         SuspendExceptionScope(VM* vm)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitAssemblyHelpersh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/AssemblyHelpers.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/AssemblyHelpers.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/jit/AssemblyHelpers.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1405,74 +1405,33 @@
</span><span class="cx">     void emitRandomThunk(JSGlobalObject*, GPRReg scratch0, GPRReg scratch1, GPRReg scratch2, FPRReg result);
</span><span class="cx">     void emitRandomThunk(GPRReg scratch0, GPRReg scratch1, GPRReg scratch2, GPRReg scratch3, FPRReg result);
</span><span class="cx"> #endif
</span><del>-
-    // Call this if you know that the value held in allocatorGPR is non-null. This DOES NOT mean
-    // that allocator is non-null; allocator can be null as a signal that we don't know what the
-    // value of allocatorGPR is.
-    void emitAllocateWithNonNullAllocator(GPRReg resultGPR, MarkedAllocator* allocator, GPRReg allocatorGPR, GPRReg scratchGPR, JumpList&amp; slowPath)
</del><ins>+    
+    void emitAllocate(GPRReg resultGPR, GPRReg allocatorGPR, GPRReg scratchGPR, JumpList&amp; slowPath)
</ins><span class="cx">     {
</span><del>-        // NOTE: This is carefully written so that we can call it while we disallow scratch
-        // register usage.
-        
-        if (Options::forceGCSlowPaths()) {
</del><ins>+        if (Options::forceGCSlowPaths())
</ins><span class="cx">             slowPath.append(jump());
</span><del>-            return;
-        }
-        
-        Jump popPath;
-        Jump done;
-        
-        load32(Address(allocatorGPR, MarkedAllocator::offsetOfFreeList() + OBJECT_OFFSETOF(FreeList, remaining)), resultGPR);
-        popPath = branchTest32(Zero, resultGPR);
-        if (allocator)
-            add32(TrustedImm32(-allocator-&gt;cellSize()), resultGPR, scratchGPR);
</del><span class="cx">         else {
</span><del>-            move(resultGPR, scratchGPR);
-            sub32(Address(allocatorGPR, MarkedAllocator::offsetOfCellSize()), scratchGPR);
</del><ins>+            loadPtr(Address(allocatorGPR, MarkedAllocator::offsetOfFreeListHead()), resultGPR);
+            slowPath.append(branchTestPtr(Zero, resultGPR));
</ins><span class="cx">         }
</span><del>-        negPtr(resultGPR);
-        store32(scratchGPR, Address(allocatorGPR, MarkedAllocator::offsetOfFreeList() + OBJECT_OFFSETOF(FreeList, remaining)));
-        Address payloadEndAddr = Address(allocatorGPR, MarkedAllocator::offsetOfFreeList() + OBJECT_OFFSETOF(FreeList, payloadEnd));
-        if (isX86())
-            addPtr(payloadEndAddr, resultGPR);
-        else {
-            loadPtr(payloadEndAddr, scratchGPR);
-            addPtr(scratchGPR, resultGPR);
-        }
</del><span class="cx">         
</span><del>-        done = jump();
-        
-        popPath.link(this);
-        
-        loadPtr(Address(allocatorGPR, MarkedAllocator::offsetOfFreeList() + OBJECT_OFFSETOF(FreeList, head)), resultGPR);
-        slowPath.append(branchTestPtr(Zero, resultGPR));
-        
</del><span class="cx">         // The object is half-allocated: we have what we know is a fresh object, but
</span><span class="cx">         // it's still on the GC's free list.
</span><span class="cx">         loadPtr(Address(resultGPR), scratchGPR);
</span><del>-        storePtr(scratchGPR, Address(allocatorGPR, MarkedAllocator::offsetOfFreeList() + OBJECT_OFFSETOF(FreeList, head)));
-        
-        done.link(this);
</del><ins>+        storePtr(scratchGPR, Address(allocatorGPR, MarkedAllocator::offsetOfFreeListHead()));
</ins><span class="cx">     }
</span><span class="cx">     
</span><del>-    void emitAllocate(GPRReg resultGPR, MarkedAllocator* allocator, GPRReg allocatorGPR, GPRReg scratchGPR, JumpList&amp; slowPath)
-    {
-        if (!allocator)
-            slowPath.append(branchTestPtr(Zero, allocatorGPR));
-        emitAllocateWithNonNullAllocator(resultGPR, allocator, allocatorGPR, scratchGPR, slowPath);
-    }
-    
</del><span class="cx">     template&lt;typename StructureType&gt;
</span><del>-    void emitAllocateJSCell(GPRReg resultGPR, MarkedAllocator* allocator, GPRReg allocatorGPR, StructureType structure, GPRReg scratchGPR, JumpList&amp; slowPath)
</del><ins>+    void emitAllocateJSCell(GPRReg resultGPR, GPRReg allocatorGPR, StructureType structure, GPRReg scratchGPR, JumpList&amp; slowPath)
</ins><span class="cx">     {
</span><del>-        emitAllocate(resultGPR, allocator, allocatorGPR, scratchGPR, slowPath);
</del><ins>+        emitAllocate(resultGPR, allocatorGPR, scratchGPR, slowPath);
</ins><span class="cx">         emitStoreStructureWithTypeInfo(structure, resultGPR, scratchGPR);
</span><span class="cx">     }
</span><span class="cx">     
</span><span class="cx">     template&lt;typename StructureType, typename StorageType&gt;
</span><del>-    void emitAllocateJSObject(GPRReg resultGPR, MarkedAllocator* allocator, GPRReg allocatorGPR, StructureType structure, StorageType storage, GPRReg scratchGPR, JumpList&amp; slowPath)
</del><ins>+    void emitAllocateJSObject(GPRReg resultGPR, GPRReg allocatorGPR, StructureType structure, StorageType storage, GPRReg scratchGPR, JumpList&amp; slowPath)
</ins><span class="cx">     {
</span><del>-        emitAllocateJSCell(resultGPR, allocator, allocatorGPR, structure, scratchGPR, slowPath);
</del><ins>+        emitAllocateJSCell(resultGPR, allocatorGPR, structure, scratchGPR, slowPath);
</ins><span class="cx">         storePtr(storage, Address(resultGPR, JSObject::butterflyOffset()));
</span><span class="cx">     }
</span><span class="cx">     
</span><span class="lines">@@ -1481,13 +1440,9 @@
</span><span class="cx">         GPRReg resultGPR, StructureType structure, StorageType storage, GPRReg scratchGPR1,
</span><span class="cx">         GPRReg scratchGPR2, JumpList&amp; slowPath, size_t size)
</span><span class="cx">     {
</span><del>-        MarkedAllocator* allocator = vm()-&gt;heap.allocatorForObjectOfType&lt;ClassType&gt;(size);
-        if (!allocator) {
-            slowPath.append(jump());
-            return;
-        }
</del><ins>+        MarkedAllocator* allocator = &amp;vm()-&gt;heap.allocatorForObjectOfType&lt;ClassType&gt;(size);
</ins><span class="cx">         move(TrustedImmPtr(allocator), scratchGPR1);
</span><del>-        emitAllocateJSObject(resultGPR, allocator, scratchGPR1, structure, storage, scratchGPR2, slowPath);
</del><ins>+        emitAllocateJSObject(resultGPR, scratchGPR1, structure, storage, scratchGPR2, slowPath);
</ins><span class="cx">     }
</span><span class="cx">     
</span><span class="cx">     template&lt;typename ClassType, typename StructureType, typename StorageType&gt;
</span><span class="lines">@@ -1496,21 +1451,27 @@
</span><span class="cx">         emitAllocateJSObjectWithKnownSize&lt;ClassType&gt;(resultGPR, structure, storage, scratchGPR1, scratchGPR2, slowPath, ClassType::allocationSize(0));
</span><span class="cx">     }
</span><span class="cx">     
</span><del>-    // allocationSize can be aliased with any of the other input GPRs. If it's not aliased then it
-    // won't be clobbered.
</del><span class="cx">     void emitAllocateVariableSized(GPRReg resultGPR, MarkedSpace::Subspace&amp; subspace, GPRReg allocationSize, GPRReg scratchGPR1, GPRReg scratchGPR2, JumpList&amp; slowPath)
</span><span class="cx">     {
</span><del>-        static_assert(!(MarkedSpace::sizeStep &amp; (MarkedSpace::sizeStep - 1)), &quot;MarkedSpace::sizeStep must be a power of two.&quot;);
</del><ins>+        static_assert(!(MarkedSpace::preciseStep &amp; (MarkedSpace::preciseStep - 1)), &quot;MarkedSpace::preciseStep must be a power of two.&quot;);
+        static_assert(!(MarkedSpace::impreciseStep &amp; (MarkedSpace::impreciseStep - 1)), &quot;MarkedSpace::impreciseStep must be a power of two.&quot;);
</ins><span class="cx">         
</span><del>-        unsigned stepShift = getLSBSet(MarkedSpace::sizeStep);
</del><ins>+        add32(TrustedImm32(MarkedSpace::preciseStep - 1), allocationSize);
+        Jump notSmall = branch32(AboveOrEqual, allocationSize, TrustedImm32(MarkedSpace::preciseCutoff));
+        rshift32(allocationSize, TrustedImm32(getLSBSet(MarkedSpace::preciseStep)), scratchGPR1);
+        mul32(TrustedImm32(sizeof(MarkedAllocator)), scratchGPR1, scratchGPR1);
+        addPtr(TrustedImmPtr(&amp;subspace.preciseAllocators[0]), scratchGPR1);
+
+        Jump selectedSmallSpace = jump();
+        notSmall.link(this);
+        slowPath.append(branch32(AboveOrEqual, allocationSize, TrustedImm32(MarkedSpace::impreciseCutoff)));
+        rshift32(allocationSize, TrustedImm32(getLSBSet(MarkedSpace::impreciseStep)), scratchGPR1);
+        mul32(TrustedImm32(sizeof(MarkedAllocator)), scratchGPR1, scratchGPR1);
+        addPtr(TrustedImmPtr(&amp;subspace.impreciseAllocators[0]), scratchGPR1);
+
+        selectedSmallSpace.link(this);
</ins><span class="cx">         
</span><del>-        add32(TrustedImm32(MarkedSpace::sizeStep - 1), allocationSize, scratchGPR1);
-        urshift32(TrustedImm32(stepShift), scratchGPR1);
-        slowPath.append(branch32(Above, scratchGPR1, TrustedImm32(MarkedSpace::largeCutoff &gt;&gt; stepShift)));
-        move(TrustedImmPtr(&amp;subspace.allocatorForSizeStep[0] - 1), scratchGPR2);
-        loadPtr(BaseIndex(scratchGPR2, scratchGPR1, timesPtr()), scratchGPR1);
-        
-        emitAllocate(resultGPR, nullptr, scratchGPR1, scratchGPR2, slowPath);
</del><ins>+        emitAllocate(resultGPR, scratchGPR1, scratchGPR2, slowPath);
</ins><span class="cx">     }
</span><span class="cx">     
</span><span class="cx">     template&lt;typename ClassType, typename StructureType&gt;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitGCAwareJITStubRoutinecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/GCAwareJITStubRoutine.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/GCAwareJITStubRoutine.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/jit/GCAwareJITStubRoutine.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -32,7 +32,6 @@
</span><span class="cx"> #include &quot;DFGCommonData.h&quot;
</span><span class="cx"> #include &quot;Heap.h&quot;
</span><span class="cx"> #include &quot;VM.h&quot;
</span><del>-#include &quot;JITStubRoutineSet.h&quot;
</del><span class="cx"> #include &quot;JSCInlines.h&quot;
</span><span class="cx"> #include &quot;SlotVisitor.h&quot;
</span><span class="cx"> #include &quot;Structure.h&quot;
</span><span class="lines">@@ -46,7 +45,7 @@
</span><span class="cx">     , m_mayBeExecuting(false)
</span><span class="cx">     , m_isJettisoned(false)
</span><span class="cx"> {
</span><del>-    vm.heap.m_jitStubRoutines-&gt;add(this);
</del><ins>+    vm.heap.m_jitStubRoutines.add(this);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> GCAwareJITStubRoutine::~GCAwareJITStubRoutine() { }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JIT.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JIT.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/jit/JIT.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -66,14 +66,6 @@
</span><span class="cx">         newCalleeFunction);
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-JIT::CodeRef JIT::compileCTINativeCall(VM* vm, NativeFunction func)
-{
-    if (!vm-&gt;canUseJIT())
-        return CodeRef::createLLIntCodeRef(llint_native_call_trampoline);
-    JIT jit(vm, 0);
-    return jit.privateCompileCTINativeCall(vm, func);
-}
-
</del><span class="cx"> JIT::JIT(VM* vm, CodeBlock* codeBlock)
</span><span class="cx">     : JSInterfaceJIT(vm, codeBlock)
</span><span class="cx">     , m_interpreter(vm-&gt;interpreter)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JIT.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JIT.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/jit/JIT.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -40,17 +40,17 @@
</span><span class="cx"> 
</span><span class="cx"> #include &quot;CodeBlock.h&quot;
</span><span class="cx"> #include &quot;CompactJITCodeMap.h&quot;
</span><ins>+#include &quot;Interpreter.h&quot;
</ins><span class="cx"> #include &quot;JITDisassembler.h&quot;
</span><span class="cx"> #include &quot;JITInlineCacheGenerator.h&quot;
</span><span class="cx"> #include &quot;JITMathIC.h&quot;
</span><span class="cx"> #include &quot;JSInterfaceJIT.h&quot;
</span><ins>+#include &quot;Opcode.h&quot;
</ins><span class="cx"> #include &quot;PCToCodeOriginMap.h&quot;
</span><span class="cx"> #include &quot;UnusedPointer.h&quot;
</span><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span><del>-    enum OpcodeID : unsigned;
-
</del><span class="cx">     class ArrayAllocationProfile;
</span><span class="cx">     class CallLinkInfo;
</span><span class="cx">     class CodeBlock;
</span><span class="lines">@@ -248,7 +248,14 @@
</span><span class="cx">             jit.privateCompileHasIndexedProperty(byValInfo, returnAddress, arrayMode);
</span><span class="cx">         }
</span><span class="cx"> 
</span><del>-        static CodeRef compileCTINativeCall(VM*, NativeFunction);
</del><ins>+        static CodeRef compileCTINativeCall(VM* vm, NativeFunction func)
+        {
+            if (!vm-&gt;canUseJIT()) {
+                return CodeRef::createLLIntCodeRef(llint_native_call_trampoline);
+            }
+            JIT jit(vm, 0);
+            return jit.privateCompileCTINativeCall(vm, func);
+        }
</ins><span class="cx"> 
</span><span class="cx">         static unsigned frameRegisterCountFor(CodeBlock*);
</span><span class="cx">         static int stackPointerOffsetFor(CodeBlock*);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITExceptionscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITExceptions.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITExceptions.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/jit/JITExceptions.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -90,9 +90,4 @@
</span><span class="cx">     RELEASE_ASSERT(catchRoutine);
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-void genericUnwind(VM* vm, ExecState* callFrame)
-{
-    genericUnwind(vm, callFrame, UnwindFromCurrentFrame);
-}
-
</del><span class="cx"> } // namespace JSC
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITExceptionsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITExceptions.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITExceptions.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/jit/JITExceptions.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -26,15 +26,15 @@
</span><span class="cx"> #ifndef JITExceptions_h
</span><span class="cx"> #define JITExceptions_h
</span><span class="cx"> 
</span><ins>+#include &quot;Interpreter.h&quot;
+#include &quot;JSCJSValue.h&quot;
+
</ins><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span><del>-enum UnwindStart : uint8_t;
-
</del><span class="cx"> class ExecState;
</span><span class="cx"> class VM;
</span><span class="cx"> 
</span><del>-void genericUnwind(VM*, ExecState*, UnwindStart);
-void genericUnwind(VM*, ExecState*);
</del><ins>+void genericUnwind(VM*, ExecState*, UnwindStart = UnwindFromCurrentFrame);
</ins><span class="cx"> 
</span><span class="cx"> } // namespace JSC
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITOpcodescpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -32,7 +32,6 @@
</span><span class="cx"> #include &quot;CopiedSpaceInlines.h&quot;
</span><span class="cx"> #include &quot;Exception.h&quot;
</span><span class="cx"> #include &quot;Heap.h&quot;
</span><del>-#include &quot;Interpreter.h&quot;
</del><span class="cx"> #include &quot;JITInlines.h&quot;
</span><span class="cx"> #include &quot;JSArray.h&quot;
</span><span class="cx"> #include &quot;JSCell.h&quot;
</span><span class="lines">@@ -84,7 +83,7 @@
</span><span class="cx"> {
</span><span class="cx">     Structure* structure = currentInstruction[3].u.objectAllocationProfile-&gt;structure();
</span><span class="cx">     size_t allocationSize = JSFinalObject::allocationSize(structure-&gt;inlineCapacity());
</span><del>-    MarkedAllocator* allocator = m_vm-&gt;heap.allocatorForObjectWithoutDestructor(allocationSize);
</del><ins>+    MarkedAllocator* allocator = &amp;m_vm-&gt;heap.allocatorForObjectWithoutDestructor(allocationSize);
</ins><span class="cx"> 
</span><span class="cx">     RegisterID resultReg = regT0;
</span><span class="cx">     RegisterID allocatorReg = regT1;
</span><span class="lines">@@ -91,10 +90,8 @@
</span><span class="cx">     RegisterID scratchReg = regT2;
</span><span class="cx"> 
</span><span class="cx">     move(TrustedImmPtr(allocator), allocatorReg);
</span><del>-    if (allocator)
-        addSlowCase(Jump());
</del><span class="cx">     JumpList slowCases;
</span><del>-    emitAllocateJSObject(resultReg, allocator, allocatorReg, TrustedImmPtr(structure), TrustedImmPtr(0), scratchReg, slowCases);
</del><ins>+    emitAllocateJSObject(resultReg, allocatorReg, TrustedImmPtr(structure), TrustedImmPtr(0), scratchReg, slowCases);
</ins><span class="cx">     addSlowCase(slowCases);
</span><span class="cx">     emitPutVirtualRegister(currentInstruction[1].u.operand);
</span><span class="cx"> }
</span><span class="lines">@@ -102,7 +99,6 @@
</span><span class="cx"> void JIT::emitSlow_op_new_object(Instruction* currentInstruction, Vector&lt;SlowCaseEntry&gt;::iterator&amp; iter)
</span><span class="cx"> {
</span><span class="cx">     linkSlowCase(iter);
</span><del>-    linkSlowCase(iter);
</del><span class="cx">     int dst = currentInstruction[1].u.operand;
</span><span class="cx">     Structure* structure = currentInstruction[3].u.objectAllocationProfile-&gt;structure();
</span><span class="cx">     callOperation(operationNewObject, structure);
</span><span class="lines">@@ -776,7 +772,7 @@
</span><span class="cx">     hasSeenMultipleCallees.link(this);
</span><span class="cx"> 
</span><span class="cx">     JumpList slowCases;
</span><del>-    emitAllocateJSObject(resultReg, nullptr, allocatorReg, structureReg, TrustedImmPtr(0), scratchReg, slowCases);
</del><ins>+    emitAllocateJSObject(resultReg, allocatorReg, structureReg, TrustedImmPtr(0), scratchReg, slowCases);
</ins><span class="cx">     addSlowCase(slowCases);
</span><span class="cx">     emitPutVirtualRegister(currentInstruction[1].u.operand);
</span><span class="cx"> }
</span><span class="lines">@@ -786,8 +782,7 @@
</span><span class="cx">     linkSlowCase(iter); // Callee::m_type != JSFunctionType.
</span><span class="cx">     linkSlowCase(iter); // doesn't have rare data
</span><span class="cx">     linkSlowCase(iter); // doesn't have an allocation profile
</span><del>-    linkSlowCase(iter); // allocation failed (no allocator)
-    linkSlowCase(iter); // allocation failed (allocator empty)
</del><ins>+    linkSlowCase(iter); // allocation failed
</ins><span class="cx">     linkSlowCase(iter); // cached function didn't match
</span><span class="cx"> 
</span><span class="cx">     JITSlowPathCall slowPathCall(this, currentInstruction, slow_path_create_this);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITOpcodes32_64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -39,7 +39,6 @@
</span><span class="cx"> #include &quot;JSPropertyNameEnumerator.h&quot;
</span><span class="cx"> #include &quot;LinkBuffer.h&quot;
</span><span class="cx"> #include &quot;MaxFrameExtentForSlowPathCall.h&quot;
</span><del>-#include &quot;Opcode.h&quot;
</del><span class="cx"> #include &quot;SlowPathCall.h&quot;
</span><span class="cx"> #include &quot;TypeProfilerLog.h&quot;
</span><span class="cx"> #include &quot;VirtualRegister.h&quot;
</span><span class="lines">@@ -164,7 +163,7 @@
</span><span class="cx"> {
</span><span class="cx">     Structure* structure = currentInstruction[3].u.objectAllocationProfile-&gt;structure();
</span><span class="cx">     size_t allocationSize = JSFinalObject::allocationSize(structure-&gt;inlineCapacity());
</span><del>-    MarkedAllocator* allocator = m_vm-&gt;heap.allocatorForObjectWithoutDestructor(allocationSize);
</del><ins>+    MarkedAllocator* allocator = &amp;m_vm-&gt;heap.allocatorForObjectWithoutDestructor(allocationSize);
</ins><span class="cx"> 
</span><span class="cx">     RegisterID resultReg = returnValueGPR;
</span><span class="cx">     RegisterID allocatorReg = regT1;
</span><span class="lines">@@ -171,10 +170,8 @@
</span><span class="cx">     RegisterID scratchReg = regT3;
</span><span class="cx"> 
</span><span class="cx">     move(TrustedImmPtr(allocator), allocatorReg);
</span><del>-    if (allocator)
-        addSlowCase(Jump());
</del><span class="cx">     JumpList slowCases;
</span><del>-    emitAllocateJSObject(resultReg, allocator, allocatorReg, TrustedImmPtr(structure), TrustedImmPtr(0), scratchReg, slowCases);
</del><ins>+    emitAllocateJSObject(resultReg, allocatorReg, TrustedImmPtr(structure), TrustedImmPtr(0), scratchReg, slowCases);
</ins><span class="cx">     addSlowCase(slowCases);
</span><span class="cx">     emitStoreCell(currentInstruction[1].u.operand, resultReg);
</span><span class="cx"> }
</span><span class="lines">@@ -182,7 +179,6 @@
</span><span class="cx"> void JIT::emitSlow_op_new_object(Instruction* currentInstruction, Vector&lt;SlowCaseEntry&gt;::iterator&amp; iter)
</span><span class="cx"> {
</span><span class="cx">     linkSlowCase(iter);
</span><del>-    linkSlowCase(iter);
</del><span class="cx">     int dst = currentInstruction[1].u.operand;
</span><span class="cx">     Structure* structure = currentInstruction[3].u.objectAllocationProfile-&gt;structure();
</span><span class="cx">     callOperation(operationNewObject, structure);
</span><span class="lines">@@ -1036,7 +1032,7 @@
</span><span class="cx">     hasSeenMultipleCallees.link(this);
</span><span class="cx"> 
</span><span class="cx">     JumpList slowCases;
</span><del>-    emitAllocateJSObject(resultReg, nullptr, allocatorReg, structureReg, TrustedImmPtr(0), scratchReg, slowCases);
</del><ins>+    emitAllocateJSObject(resultReg, allocatorReg, structureReg, TrustedImmPtr(0), scratchReg, slowCases);
</ins><span class="cx">     addSlowCase(slowCases);
</span><span class="cx">     emitStoreCell(currentInstruction[1].u.operand, resultReg);
</span><span class="cx"> }
</span><span class="lines">@@ -1046,8 +1042,7 @@
</span><span class="cx">     linkSlowCase(iter); // Callee::m_type != JSFunctionType.
</span><span class="cx">     linkSlowCase(iter); // doesn't have rare data
</span><span class="cx">     linkSlowCase(iter); // doesn't have an allocation profile
</span><del>-    linkSlowCase(iter); // allocation failed (no allocator)
-    linkSlowCase(iter); // allocation failed (allocator empty)
</del><ins>+    linkSlowCase(iter); // allocation failed
</ins><span class="cx">     linkSlowCase(iter); // cached function didn't match
</span><span class="cx"> 
</span><span class="cx">     JITSlowPathCall slowPathCall(this, currentInstruction, slow_path_create_this);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITOperationscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITOperations.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITOperations.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/jit/JITOperations.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -44,7 +44,6 @@
</span><span class="cx"> #include &quot;GetterSetter.h&quot;
</span><span class="cx"> #include &quot;HostCallReturnValue.h&quot;
</span><span class="cx"> #include &quot;ICStats.h&quot;
</span><del>-#include &quot;Interpreter.h&quot;
</del><span class="cx"> #include &quot;JIT.h&quot;
</span><span class="cx"> #include &quot;JITExceptions.h&quot;
</span><span class="cx"> #include &quot;JITToDFGDeferredCompilationCallback.h&quot;
</span><span class="lines">@@ -472,6 +471,17 @@
</span><span class="cx">         repatchPutByID(exec, baseObject, structure, ident, slot, *stubInfo, Direct);
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+void JIT_OPERATION operationReallocateStorageAndFinishPut(ExecState* exec, JSObject* base, Structure* structure, PropertyOffset offset, EncodedJSValue value)
+{
+    VM&amp; vm = exec-&gt;vm();
+    NativeCallFrameTracer tracer(&amp;vm, exec);
+
+    ASSERT(structure-&gt;outOfLineCapacity() &gt; base-&gt;structure(vm)-&gt;outOfLineCapacity());
+    ASSERT(!vm.heap.storageAllocator().fastPathShouldSucceed(structure-&gt;outOfLineCapacity() * sizeof(JSValue)));
+    base-&gt;setStructureAndReallocateStorageIfNecessary(vm, structure);
+    base-&gt;putDirect(vm, offset, JSValue::decode(value));
+}
+
</ins><span class="cx"> ALWAYS_INLINE static bool isStringOrSymbol(JSValue value)
</span><span class="cx"> {
</span><span class="cx">     return value.isString() || value.isSymbol();
</span><span class="lines">@@ -2119,6 +2129,7 @@
</span><span class="cx">     NativeCallFrameTracer tracer(&amp;vm, exec);
</span><span class="cx"> 
</span><span class="cx">     ASSERT(!object-&gt;structure()-&gt;outOfLineCapacity());
</span><ins>+    DeferGC deferGC(vm.heap);
</ins><span class="cx">     Butterfly* result = object-&gt;growOutOfLineStorage(vm, 0, initialOutOfLineCapacity);
</span><span class="cx">     object-&gt;setButterflyWithoutChangingStructure(vm, result);
</span><span class="cx">     return reinterpret_cast&lt;char*&gt;(result);
</span><span class="lines">@@ -2129,6 +2140,7 @@
</span><span class="cx">     VM&amp; vm = exec-&gt;vm();
</span><span class="cx">     NativeCallFrameTracer tracer(&amp;vm, exec);
</span><span class="cx"> 
</span><ins>+    DeferGC deferGC(vm.heap);
</ins><span class="cx">     Butterfly* result = object-&gt;growOutOfLineStorage(vm, object-&gt;structure()-&gt;outOfLineCapacity(), newSize);
</span><span class="cx">     object-&gt;setButterflyWithoutChangingStructure(vm, result);
</span><span class="cx">     return reinterpret_cast&lt;char*&gt;(result);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITOperationsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITOperations.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITOperations.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/jit/JITOperations.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -38,8 +38,6 @@
</span><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span><del>-typedef int64_t EncodedJSValue;
-    
</del><span class="cx"> class ArrayAllocationProfile;
</span><span class="cx"> class ArrayProfile;
</span><span class="cx"> class CallLinkInfo;
</span><span class="lines">@@ -47,17 +45,11 @@
</span><span class="cx"> class ExecState;
</span><span class="cx"> class JITAddGenerator;
</span><span class="cx"> class JSArray;
</span><del>-class JSCell;
</del><span class="cx"> class JSFunction;
</span><del>-class JSGlobalObject;
</del><span class="cx"> class JSLexicalEnvironment;
</span><del>-class JSObject;
</del><span class="cx"> class JSScope;
</span><del>-class JSString;
-class JSValue;
</del><span class="cx"> class RegExpObject;
</span><span class="cx"> class Register;
</span><del>-class Structure;
</del><span class="cx"> class StructureStubInfo;
</span><span class="cx"> class SymbolTable;
</span><span class="cx"> class WatchpointSet;
</span><span class="lines">@@ -64,7 +56,6 @@
</span><span class="cx"> 
</span><span class="cx"> struct ByValInfo;
</span><span class="cx"> struct InlineCallFrame;
</span><del>-struct Instruction;
</del><span class="cx"> struct ArithProfile;
</span><span class="cx"> 
</span><span class="cx"> typedef ExecState CallFrame;
</span><span class="lines">@@ -329,6 +320,7 @@
</span><span class="cx"> void JIT_OPERATION operationPutByIdNonStrictBuildList(ExecState*, StructureStubInfo*, EncodedJSValue encodedValue, EncodedJSValue encodedBase, UniquedStringImpl*) WTF_INTERNAL;
</span><span class="cx"> void JIT_OPERATION operationPutByIdDirectStrictBuildList(ExecState*, StructureStubInfo*, EncodedJSValue encodedValue, EncodedJSValue encodedBase, UniquedStringImpl*) WTF_INTERNAL;
</span><span class="cx"> void JIT_OPERATION operationPutByIdDirectNonStrictBuildList(ExecState*, StructureStubInfo*, EncodedJSValue encodedValue, EncodedJSValue encodedBase, UniquedStringImpl*) WTF_INTERNAL;
</span><ins>+void JIT_OPERATION operationReallocateStorageAndFinishPut(ExecState*, JSObject*, Structure*, PropertyOffset, EncodedJSValue) WTF_INTERNAL;
</ins><span class="cx"> void JIT_OPERATION operationPutByValOptimize(ExecState*, EncodedJSValue, EncodedJSValue, EncodedJSValue, ByValInfo*) WTF_INTERNAL;
</span><span class="cx"> void JIT_OPERATION operationDirectPutByValOptimize(ExecState*, EncodedJSValue, EncodedJSValue, EncodedJSValue, ByValInfo*) WTF_INTERNAL;
</span><span class="cx"> void JIT_OPERATION operationPutByValGeneric(ExecState*, EncodedJSValue, EncodedJSValue, EncodedJSValue, ByValInfo*) WTF_INTERNAL;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITPropertyAccesscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1245,7 +1245,7 @@
</span><span class="cx"> 
</span><span class="cx"> void JIT::emitWriteBarrier(JSCell* owner)
</span><span class="cx"> {
</span><del>-    if (!owner-&gt;cellContainer().isMarked(owner)) {
</del><ins>+    if (!MarkedBlock::blockFor(owner)-&gt;isMarked(owner)) {
</ins><span class="cx">         Jump ownerIsRememberedOrInEden = jumpIfIsRememberedOrInEden(owner);
</span><span class="cx">         callOperation(operationUnconditionalWriteBarrier, owner);
</span><span class="cx">         ownerIsRememberedOrInEden.link(this);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITThunkscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITThunks.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITThunks.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/jit/JITThunks.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -30,9 +30,8 @@
</span><span class="cx"> 
</span><span class="cx"> #include &quot;Executable.h&quot;
</span><span class="cx"> #include &quot;JIT.h&quot;
</span><ins>+#include &quot;VM.h&quot;
</ins><span class="cx"> #include &quot;JSCInlines.h&quot;
</span><del>-#include &quot;LLIntData.h&quot;
-#include &quot;VM.h&quot;
</del><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITThunksh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITThunks.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITThunks.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/jit/JITThunks.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -30,6 +30,7 @@
</span><span class="cx"> 
</span><span class="cx"> #include &quot;CallData.h&quot;
</span><span class="cx"> #include &quot;Intrinsic.h&quot;
</span><ins>+#include &quot;LowLevelInterpreter.h&quot;
</ins><span class="cx"> #include &quot;MacroAssemblerCodeRef.h&quot;
</span><span class="cx"> #include &quot;ThunkGenerator.h&quot;
</span><span class="cx"> #include &quot;Weak.h&quot;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejsccpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jsc.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jsc.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/jsc.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1193,7 +1193,7 @@
</span><span class="cx">     JSObject* object = jsDynamicCast&lt;JSObject*&gt;(exec-&gt;argument(0));
</span><span class="cx">     if (!object)
</span><span class="cx">         return JSValue::encode(jsNontrivialString(exec, ASCIILiteral(&quot;&lt;not object&gt;&quot;)));
</span><del>-    return JSValue::encode(jsNontrivialString(exec, toString(&quot;&lt;Butterfly: &quot;, RawPointer(object-&gt;butterfly()), &quot;; public length: &quot;, object-&gt;getArrayLength(), &quot;; vector length: &quot;, object-&gt;getVectorLength(), &quot;&gt;&quot;)));
</del><ins>+    return JSValue::encode(jsNontrivialString(exec, toString(&quot;&lt;Public length: &quot;, object-&gt;getArrayLength(), &quot;; vector length: &quot;, object-&gt;getVectorLength(), &quot;&gt;&quot;)));
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> class FunctionJSCStackFunctor {
</span><span class="lines">@@ -2004,7 +2004,10 @@
</span><span class="cx">     TRY
</span><span class="cx">         res = jscmain(argc, argv);
</span><span class="cx">     EXCEPT(res = 3)
</span><del>-    finalizeStatsAtEndOfTesting();
</del><ins>+    if (Options::logHeapStatisticsAtExit())
+        HeapStatistics::reportSuccess();
+    if (Options::reportLLIntStats())
+        LLInt::Data::finalizeStats();
</ins><span class="cx"> 
</span><span class="cx"> #if PLATFORM(EFL)
</span><span class="cx">     ecore_shutdown();
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorellintLLIntDatacpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/llint/LLIntData.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/llint/LLIntData.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/llint/LLIntData.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -211,7 +211,7 @@
</span><span class="cx">     STATIC_ASSERT(GetPutInfo::initializationShift == 10);
</span><span class="cx">     STATIC_ASSERT(GetPutInfo::initializationBits == 0xffc00);
</span><span class="cx"> 
</span><del>-    STATIC_ASSERT(MarkedBlock::blockSize == 64 * 1024);
</del><ins>+    STATIC_ASSERT(MarkedBlock::blockMask == ~static_cast&lt;decltype(MarkedBlock::blockMask)&gt;(0x3fff));
</ins><span class="cx"> 
</span><span class="cx">     ASSERT(bitwise_cast&lt;uintptr_t&gt;(ShadowChicken::Packet::tailMarker()) == static_cast&lt;uintptr_t&gt;(0x7a11));
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorellintLLIntExceptionscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/llint/LLIntExceptions.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/llint/LLIntExceptions.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/llint/LLIntExceptions.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -29,7 +29,6 @@
</span><span class="cx"> #include &quot;CodeBlock.h&quot;
</span><span class="cx"> #include &quot;Instruction.h&quot;
</span><span class="cx"> #include &quot;LLIntCommon.h&quot;
</span><del>-#include &quot;LLIntData.h&quot;
</del><span class="cx"> #include &quot;LowLevelInterpreter.h&quot;
</span><span class="cx"> #include &quot;JSCInlines.h&quot;
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorellintLLIntThunkscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/llint/LLIntThunks.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/llint/LLIntThunks.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/llint/LLIntThunks.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -33,7 +33,6 @@
</span><span class="cx"> #include &quot;JSInterfaceJIT.h&quot;
</span><span class="cx"> #include &quot;JSObject.h&quot;
</span><span class="cx"> #include &quot;LLIntCLoop.h&quot;
</span><del>-#include &quot;LLIntData.h&quot;
</del><span class="cx"> #include &quot;LinkBuffer.h&quot;
</span><span class="cx"> #include &quot;LowLevelInterpreter.h&quot;
</span><span class="cx"> #include &quot;ProtoCallFrame.h&quot;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorellintLLIntThunksh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/llint/LLIntThunks.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/llint/LLIntThunks.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/llint/LLIntThunks.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -32,7 +32,6 @@
</span><span class="cx"> 
</span><span class="cx"> class VM;
</span><span class="cx"> struct ProtoCallFrame;
</span><del>-typedef int64_t EncodedJSValue;
</del><span class="cx"> 
</span><span class="cx"> extern &quot;C&quot; {
</span><span class="cx">     EncodedJSValue vmEntryToJavaScript(void*, VM*, ProtoCallFrame*);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorellintLowLevelInterpreterasm"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/llint/LowLevelInterpreter.asm (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/llint/LowLevelInterpreter.asm        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/llint/LowLevelInterpreter.asm        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -402,7 +402,7 @@
</span><span class="cx"> const InitializationModeShift = 10
</span><span class="cx"> const NotInitialization = 2
</span><span class="cx"> 
</span><del>-const MarkedBlockSize = 64 * 1024
</del><ins>+const MarkedBlockSize = 16 * 1024
</ins><span class="cx"> const MarkedBlockMask = ~(MarkedBlockSize - 1)
</span><span class="cx"> 
</span><span class="cx"> # Allocation constants
</span><span class="lines">@@ -1068,6 +1068,24 @@
</span><span class="cx"> .argumentProfileDone:
</span><span class="cx"> end
</span><span class="cx"> 
</span><ins>+macro allocateJSObject(allocator, structure, result, scratch1, slowCase)
+    const offsetOfFirstFreeCell = 
+        MarkedAllocator::m_freeList + 
+        MarkedBlock::FreeList::head
+
+    # Get the object from the free list.   
+    loadp offsetOfFirstFreeCell[allocator], result
+    btpz result, slowCase
+    
+    # Remove the object from the free list.
+    loadp [result], scratch1
+    storep scratch1, offsetOfFirstFreeCell[allocator]
+
+    # Initialize the object.
+    storep 0, JSObject::m_butterfly[result]
+    storeStructureWithTypeInfo(result, structure, scratch1)
+end
+
</ins><span class="cx"> macro doReturn()
</span><span class="cx">     restoreCalleeSavesUsedByLLInt()
</span><span class="cx">     restoreCallerPCAndCFR()
</span><span class="lines">@@ -1289,18 +1307,6 @@
</span><span class="cx">     dispatch(2)
</span><span class="cx"> 
</span><span class="cx"> 
</span><del>-_llint_op_create_this:
-    traceExecution()
-    callOpcodeSlowPath(_slow_path_create_this)
-    dispatch(5)
-
-
-_llint_op_new_object:
-    traceExecution()
-    callOpcodeSlowPath(_llint_slow_path_new_object)
-    dispatch(4)
-
-
</del><span class="cx"> _llint_op_new_func:
</span><span class="cx">     traceExecution()
</span><span class="cx">     callOpcodeSlowPath(_llint_slow_path_new_func)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorellintLowLevelInterpretercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/llint/LowLevelInterpreter.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/llint/LowLevelInterpreter.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/llint/LowLevelInterpreter.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -25,17 +25,13 @@
</span><span class="cx"> 
</span><span class="cx"> #include &quot;config.h&quot;
</span><span class="cx"> #include &quot;LowLevelInterpreter.h&quot;
</span><del>-
</del><span class="cx"> #include &quot;LLIntOfflineAsmConfig.h&quot;
</span><span class="cx"> #include &lt;wtf/InlineASM.h&gt;
</span><span class="cx"> 
</span><span class="cx"> #if !ENABLE(JIT)
</span><del>-#include &quot;CLoopStackInlines.h&quot;
</del><span class="cx"> #include &quot;CodeBlock.h&quot;
</span><span class="cx"> #include &quot;CommonSlowPaths.h&quot;
</span><del>-#include &quot;Interpreter.h&quot;
</del><span class="cx"> #include &quot;LLIntCLoop.h&quot;
</span><del>-#include &quot;LLIntData.h&quot;
</del><span class="cx"> #include &quot;LLIntSlowPaths.h&quot;
</span><span class="cx"> #include &quot;JSCInlines.h&quot;
</span><span class="cx"> #include &lt;wtf/Assertions.h&gt;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorellintLowLevelInterpreter32_64asm"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -702,6 +702,31 @@
</span><span class="cx">     dispatch(2)
</span><span class="cx"> 
</span><span class="cx"> 
</span><ins>+_llint_op_create_this:
+    traceExecution()
+    loadi 8[PC], t0
+    loadp PayloadOffset[cfr, t0, 8], t0
+    bbneq JSCell::m_type[t0], JSFunctionType, .opCreateThisSlow
+    loadp JSFunction::m_rareData[t0], t5
+    btpz t5, .opCreateThisSlow
+    loadp FunctionRareData::m_objectAllocationProfile + ObjectAllocationProfile::m_allocator[t5], t1
+    loadp FunctionRareData::m_objectAllocationProfile + ObjectAllocationProfile::m_structure[t5], t2
+    btpz t1, .opCreateThisSlow
+    loadpFromInstruction(4, t5)
+    bpeq t5, 1, .hasSeenMultipleCallee
+    bpneq t5, t0, .opCreateThisSlow
+.hasSeenMultipleCallee:
+    allocateJSObject(t1, t2, t0, t3, .opCreateThisSlow)
+    loadi 4[PC], t1
+    storei CellTag, TagOffset[cfr, t1, 8]
+    storei t0, PayloadOffset[cfr, t1, 8]
+    dispatch(5)
+
+.opCreateThisSlow:
+    callOpcodeSlowPath(_slow_path_create_this)
+    dispatch(5)
+
+
</ins><span class="cx"> _llint_op_to_this:
</span><span class="cx">     traceExecution()
</span><span class="cx">     loadi 4[PC], t0
</span><span class="lines">@@ -717,6 +742,22 @@
</span><span class="cx">     dispatch(4)
</span><span class="cx"> 
</span><span class="cx"> 
</span><ins>+_llint_op_new_object:
+    traceExecution()
+    loadpFromInstruction(3, t0)
+    loadp ObjectAllocationProfile::m_allocator[t0], t1
+    loadp ObjectAllocationProfile::m_structure[t0], t2
+    allocateJSObject(t1, t2, t0, t3, .opNewObjectSlow)
+    loadi 4[PC], t1
+    storei CellTag, TagOffset[cfr, t1, 8]
+    storei t0, PayloadOffset[cfr, t1, 8]
+    dispatch(4)
+
+.opNewObjectSlow:
+    callOpcodeSlowPath(_llint_slow_path_new_object)
+    dispatch(4)
+
+
</ins><span class="cx"> _llint_op_check_tdz:
</span><span class="cx">     traceExecution()
</span><span class="cx">     loadisFromInstruction(1, t0)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorellintLowLevelInterpreter64asm"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -607,6 +607,30 @@
</span><span class="cx">     dispatch(2)
</span><span class="cx"> 
</span><span class="cx"> 
</span><ins>+_llint_op_create_this:
+    traceExecution()
+    loadisFromInstruction(2, t0)
+    loadp [cfr, t0, 8], t0
+    bbneq JSCell::m_type[t0], JSFunctionType, .opCreateThisSlow
+    loadp JSFunction::m_rareData[t0], t3
+    btpz t3, .opCreateThisSlow
+    loadp FunctionRareData::m_objectAllocationProfile + ObjectAllocationProfile::m_allocator[t3], t1
+    loadp FunctionRareData::m_objectAllocationProfile + ObjectAllocationProfile::m_structure[t3], t2
+    btpz t1, .opCreateThisSlow
+    loadpFromInstruction(4, t3)
+    bpeq t3, 1, .hasSeenMultipleCallee
+    bpneq t3, t0, .opCreateThisSlow
+.hasSeenMultipleCallee:
+    allocateJSObject(t1, t2, t0, t3, .opCreateThisSlow)
+    loadisFromInstruction(1, t1)
+    storeq t0, [cfr, t1, 8]
+    dispatch(5)
+
+.opCreateThisSlow:
+    callOpcodeSlowPath(_slow_path_create_this)
+    dispatch(5)
+
+
</ins><span class="cx"> _llint_op_to_this:
</span><span class="cx">     traceExecution()
</span><span class="cx">     loadisFromInstruction(1, t0)
</span><span class="lines">@@ -623,6 +647,21 @@
</span><span class="cx">     dispatch(4)
</span><span class="cx"> 
</span><span class="cx"> 
</span><ins>+_llint_op_new_object:
+    traceExecution()
+    loadpFromInstruction(3, t0)
+    loadp ObjectAllocationProfile::m_allocator[t0], t1
+    loadp ObjectAllocationProfile::m_structure[t0], t2
+    allocateJSObject(t1, t2, t0, t3, .opNewObjectSlow)
+    loadisFromInstruction(1, t1)
+    storeq t0, [cfr, t1, 8]
+    dispatch(4)
+
+.opNewObjectSlow:
+    callOpcodeSlowPath(_llint_slow_path_new_object)
+    dispatch(4)
+
+
</ins><span class="cx"> _llint_op_check_tdz:
</span><span class="cx">     traceExecution()
</span><span class="cx">     loadisFromInstruction(1, t0)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreparserModuleAnalyzercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/parser/ModuleAnalyzer.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/parser/ModuleAnalyzer.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/parser/ModuleAnalyzer.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2015-2016 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2015 Apple Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -26,7 +26,9 @@
</span><span class="cx"> #include &quot;config.h&quot;
</span><span class="cx"> #include &quot;ModuleAnalyzer.h&quot;
</span><span class="cx"> 
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;IdentifierInlines.h&quot;
+#include &quot;JSCJSValueInlines.h&quot;
+#include &quot;JSCellInlines.h&quot;
</ins><span class="cx"> #include &quot;JSGlobalObject.h&quot;
</span><span class="cx"> #include &quot;JSModuleRecord.h&quot;
</span><span class="cx"> #include &quot;ModuleScopeData.h&quot;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreparserNodeConstructorsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/parser/NodeConstructors.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/parser/NodeConstructors.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/parser/NodeConstructors.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -23,7 +23,6 @@
</span><span class="cx"> 
</span><span class="cx"> #include &quot;Nodes.h&quot;
</span><span class="cx"> #include &quot;Lexer.h&quot;
</span><del>-#include &quot;Opcode.h&quot;
</del><span class="cx"> #include &quot;Parser.h&quot;
</span><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreparserNodesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/parser/Nodes.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/parser/Nodes.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/parser/Nodes.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -29,6 +29,7 @@
</span><span class="cx"> #include &quot;BuiltinNames.h&quot;
</span><span class="cx"> #include &quot;Error.h&quot;
</span><span class="cx"> #include &quot;JITCode.h&quot;
</span><ins>+#include &quot;Opcode.h&quot;
</ins><span class="cx"> #include &quot;ParserArena.h&quot;
</span><span class="cx"> #include &quot;ParserTokens.h&quot;
</span><span class="cx"> #include &quot;ResultType.h&quot;
</span><span class="lines">@@ -40,8 +41,6 @@
</span><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span><del>-    enum OpcodeID : unsigned;
-
</del><span class="cx">     class ArgumentListNode;
</span><span class="cx">     class BytecodeGenerator;
</span><span class="cx">     class FunctionMetadataNode;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreprofilerProfilerBytecodecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/profiler/ProfilerBytecode.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/profiler/ProfilerBytecode.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/profiler/ProfilerBytecode.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -28,7 +28,6 @@
</span><span class="cx"> 
</span><span class="cx"> #include &quot;JSGlobalObject.h&quot;
</span><span class="cx"> #include &quot;ObjectConstructor.h&quot;
</span><del>-#include &quot;Opcode.h&quot;
</del><span class="cx"> #include &quot;JSCInlines.h&quot;
</span><span class="cx"> 
</span><span class="cx"> namespace JSC { namespace Profiler {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreprofilerProfilerBytecodeh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/profiler/ProfilerBytecode.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/profiler/ProfilerBytecode.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/profiler/ProfilerBytecode.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -27,14 +27,11 @@
</span><span class="cx"> #define ProfilerBytecode_h
</span><span class="cx"> 
</span><span class="cx"> #include &quot;JSCJSValue.h&quot;
</span><ins>+#include &quot;Opcode.h&quot;
</ins><span class="cx"> #include &lt;wtf/text/CString.h&gt;
</span><span class="cx"> 
</span><del>-namespace JSC {
</del><ins>+namespace JSC { namespace Profiler {
</ins><span class="cx"> 
</span><del>-enum OpcodeID : unsigned;
-
-namespace Profiler {
-
</del><span class="cx"> class Bytecode {
</span><span class="cx"> public:
</span><span class="cx">     Bytecode()
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreprofilerProfilerBytecodeSequencecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/profiler/ProfilerBytecodeSequence.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/profiler/ProfilerBytecodeSequence.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/profiler/ProfilerBytecodeSequence.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -27,10 +27,9 @@
</span><span class="cx"> #include &quot;ProfilerBytecodeSequence.h&quot;
</span><span class="cx"> 
</span><span class="cx"> #include &quot;CodeBlock.h&quot;
</span><del>-#include &quot;Interpreter.h&quot;
-#include &quot;JSCInlines.h&quot;
</del><span class="cx"> #include &quot;JSGlobalObject.h&quot;
</span><span class="cx"> #include &quot;Operands.h&quot;
</span><ins>+#include &quot;JSCInlines.h&quot;
</ins><span class="cx"> #include &lt;wtf/StringPrintStream.h&gt;
</span><span class="cx"> 
</span><span class="cx"> namespace JSC { namespace Profiler {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeArrayConventionsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/ArrayConventions.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/ArrayConventions.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/ArrayConventions.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,6 +1,6 @@
</span><span class="cx"> /*
</span><span class="cx">  *  Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
</span><del>- *  Copyright (C) 2003, 2007, 2008, 2009, 2012, 2016 Apple Inc. All rights reserved.
</del><ins>+ *  Copyright (C) 2003, 2007, 2008, 2009, 2012 Apple Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  *  This library is free software; you can redistribute it and/or
</span><span class="cx">  *  modify it under the terms of the GNU Lesser General Public
</span><span class="lines">@@ -70,15 +70,13 @@
</span><span class="cx"> // 0xFFFFFFFF is a bit weird -- is not an array index even though it's an integer.
</span><span class="cx"> #define MAX_ARRAY_INDEX 0xFFFFFFFEU
</span><span class="cx"> 
</span><del>-// The value BASE_XXX_VECTOR_LEN is the maximum number of vector elements we'll allocate
</del><ins>+// The value BASE_VECTOR_LEN is the maximum number of vector elements we'll allocate
</ins><span class="cx"> // for an array that was created with a sepcified length (e.g. a = new Array(123))
</span><del>-#define BASE_CONTIGUOUS_VECTOR_LEN 3U
-#define BASE_CONTIGUOUS_VECTOR_LEN_EMPTY 5U
-#define BASE_ARRAY_STORAGE_VECTOR_LEN 4U
-
</del><ins>+#define BASE_VECTOR_LEN 4U
+    
</ins><span class="cx"> // The upper bound to the size we'll grow a zero length array when the first element
</span><span class="cx"> // is added.
</span><del>-#define FIRST_ARRAY_STORAGE_VECTOR_GROW 4U
</del><ins>+#define FIRST_VECTOR_GROW 4U
</ins><span class="cx"> 
</span><span class="cx"> #define MIN_BEYOND_LENGTH_SPARSE_INDEX 1000
</span><span class="cx"> 
</span><span class="lines">@@ -98,7 +96,7 @@
</span><span class="cx">     return i &gt;= MIN_BEYOND_LENGTH_SPARSE_INDEX &amp;&amp; i &gt; length;
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-inline IndexingHeader indexingHeaderForArrayStorage(unsigned length, unsigned vectorLength)
</del><ins>+inline IndexingHeader indexingHeaderForArray(unsigned length, unsigned vectorLength)
</ins><span class="cx"> {
</span><span class="cx">     IndexingHeader result;
</span><span class="cx">     result.setPublicLength(length);
</span><span class="lines">@@ -106,9 +104,9 @@
</span><span class="cx">     return result;
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-inline IndexingHeader baseIndexingHeaderForArrayStorage(unsigned length)
</del><ins>+inline IndexingHeader baseIndexingHeaderForArray(unsigned length)
</ins><span class="cx"> {
</span><del>-    return indexingHeaderForArrayStorage(length, BASE_ARRAY_STORAGE_VECTOR_LEN);
</del><ins>+    return indexingHeaderForArray(length, BASE_VECTOR_LEN);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> } // namespace JSC
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeArrayPrototypecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -994,7 +994,7 @@
</span><span class="cx">         if (UNLIKELY(vm.exception()))
</span><span class="cx">             return JSValue::encode(jsUndefined());
</span><span class="cx">     }
</span><del>-    
</del><ins>+
</ins><span class="cx">     setLength(exec, thisObj, length - deleteCount + additionalArgs);
</span><span class="cx">     return JSValue::encode(result);
</span><span class="cx"> }
</span><span class="lines">@@ -1129,7 +1129,6 @@
</span><span class="cx">     unsigned firstArraySize = firstButterfly-&gt;publicLength();
</span><span class="cx"> 
</span><span class="cx">     IndexingType type = first-&gt;mergeIndexingTypeForCopying(indexingTypeForValue(second) | IsArray);
</span><del>-    
</del><span class="cx">     if (type == NonArray)
</span><span class="cx">         type = first-&gt;indexingType();
</span><span class="cx"> 
</span><span class="lines">@@ -1157,7 +1156,7 @@
</span><span class="cx">     VM&amp; vm = exec-&gt;vm();
</span><span class="cx"> 
</span><span class="cx">     JSArray* firstArray = jsCast&lt;JSArray*&gt;(exec-&gt;uncheckedArgument(0));
</span><del>-    
</del><ins>+
</ins><span class="cx">     // This code assumes that neither array has set Symbol.isConcatSpreadable. If the first array
</span><span class="cx">     // has indexed accessors then one of those accessors might change the value of Symbol.isConcatSpreadable
</span><span class="cx">     // on the second argument.
</span><span class="lines">@@ -1173,7 +1172,7 @@
</span><span class="cx">         return concatAppendOne(exec, vm, firstArray, second);
</span><span class="cx"> 
</span><span class="cx">     JSArray* secondArray = jsCast&lt;JSArray*&gt;(second);
</span><del>-    
</del><ins>+
</ins><span class="cx">     Butterfly* firstButterfly = firstArray-&gt;butterfly();
</span><span class="cx">     Butterfly* secondButterfly = secondArray-&gt;butterfly();
</span><span class="cx"> 
</span><span class="lines">@@ -1180,8 +1179,7 @@
</span><span class="cx">     unsigned firstArraySize = firstButterfly-&gt;publicLength();
</span><span class="cx">     unsigned secondArraySize = secondButterfly-&gt;publicLength();
</span><span class="cx"> 
</span><del>-    IndexingType secondType = secondArray-&gt;indexingType();
-    IndexingType type = firstArray-&gt;mergeIndexingTypeForCopying(secondType);
</del><ins>+    IndexingType type = firstArray-&gt;mergeIndexingTypeForCopying(secondArray-&gt;indexingType());
</ins><span class="cx">     if (type == NonArray || !firstArray-&gt;canFastCopy(vm, secondArray) || firstArraySize + secondArraySize &gt;= MIN_SPARSE_ARRAY_INDEX) {
</span><span class="cx">         JSArray* result = constructEmptyArray(exec, nullptr, firstArraySize + secondArraySize);
</span><span class="cx">         if (vm.exception())
</span><span class="lines">@@ -1200,7 +1198,7 @@
</span><span class="cx">     JSArray* result = JSArray::tryCreateUninitialized(vm, resultStructure, firstArraySize + secondArraySize);
</span><span class="cx">     if (!result)
</span><span class="cx">         return JSValue::encode(throwOutOfMemoryError(exec));
</span><del>-    
</del><ins>+
</ins><span class="cx">     if (type == ArrayWithDouble) {
</span><span class="cx">         double* buffer = result-&gt;butterfly()-&gt;contiguousDouble().data();
</span><span class="cx">         memcpy(buffer, firstButterfly-&gt;contiguousDouble().data(), sizeof(JSValue) * firstArraySize);
</span><span class="lines">@@ -1208,12 +1206,7 @@
</span><span class="cx">     } else if (type != ArrayWithUndecided) {
</span><span class="cx">         WriteBarrier&lt;Unknown&gt;* buffer = result-&gt;butterfly()-&gt;contiguous().data();
</span><span class="cx">         memcpy(buffer, firstButterfly-&gt;contiguous().data(), sizeof(JSValue) * firstArraySize);
</span><del>-        if (secondType != ArrayWithUndecided)
-            memcpy(buffer + firstArraySize, secondButterfly-&gt;contiguous().data(), sizeof(JSValue) * secondArraySize);
-        else {
-            for (unsigned i = secondArraySize; i--;)
-                buffer[i + firstArraySize].clear();
-        }
</del><ins>+        memcpy(buffer + firstArraySize, secondButterfly-&gt;contiguous().data(), sizeof(JSValue) * secondArraySize);
</ins><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     result-&gt;butterfly()-&gt;setPublicLength(firstArraySize + secondArraySize);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeArrayStorageh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/ArrayStorage.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/ArrayStorage.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/ArrayStorage.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2012, 2016 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2012 Apple Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -29,9 +29,7 @@
</span><span class="cx"> #include &quot;ArrayConventions.h&quot;
</span><span class="cx"> #include &quot;Butterfly.h&quot;
</span><span class="cx"> #include &quot;IndexingHeader.h&quot;
</span><del>-#include &quot;MarkedSpace.h&quot;
</del><span class="cx"> #include &quot;SparseArrayValueMap.h&quot;
</span><del>-#include &quot;Structure.h&quot;
</del><span class="cx"> #include &quot;WriteBarrier.h&quot;
</span><span class="cx"> #include &lt;wtf/Noncopyable.h&gt;
</span><span class="cx"> 
</span><span class="lines">@@ -60,7 +58,7 @@
</span><span class="cx">     // We steal two fields from the indexing header: vectorLength and length.
</span><span class="cx">     unsigned length() const { return indexingHeader()-&gt;publicLength(); }
</span><span class="cx">     void setLength(unsigned length) { indexingHeader()-&gt;setPublicLength(length); }
</span><del>-    unsigned vectorLength() const { return indexingHeader()-&gt;vectorLength(); }
</del><ins>+    unsigned vectorLength() { return indexingHeader()-&gt;vectorLength(); }
</ins><span class="cx">     void setVectorLength(unsigned length) { indexingHeader()-&gt;setVectorLength(length); }
</span><span class="cx">     
</span><span class="cx">     ALWAYS_INLINE void copyHeaderFromDuringGC(const ArrayStorage&amp; other)
</span><span class="lines">@@ -101,66 +99,6 @@
</span><span class="cx">     {
</span><span class="cx">         return ArrayStorage::vectorOffset() + vectorLength * sizeof(WriteBarrier&lt;Unknown&gt;);
</span><span class="cx">     }
</span><del>-    
-    static size_t totalSizeFor(unsigned indexBias, size_t propertyCapacity, unsigned vectorLength)
-    {
-        return Butterfly::totalSize(indexBias, propertyCapacity, true, sizeFor(vectorLength));
-    }
-    
-    size_t totalSize(size_t propertyCapacity) const
-    {
-        return totalSizeFor(m_indexBias, propertyCapacity, vectorLength());
-    }
-    
-    size_t totalSize(Structure* structure) const
-    {
-        return totalSize(structure-&gt;outOfLineCapacity());
-    }
-    
-    static unsigned availableVectorLength(unsigned indexBias, size_t propertyCapacity, unsigned vectorLength)
-    {
-        size_t cellSize = MarkedSpace::optimalSizeFor(totalSizeFor(indexBias, propertyCapacity, vectorLength));
-        
-        vectorLength = (cellSize - totalSizeFor(indexBias, propertyCapacity, 0)) / sizeof(WriteBarrier&lt;Unknown&gt;);
-
-        return vectorLength;
-    }
-    
-    static unsigned availableVectorLength(unsigned indexBias, Structure* structure, unsigned vectorLength)
-    {
-        return availableVectorLength(indexBias, structure-&gt;outOfLineCapacity(), vectorLength);
-    }
-    
-    unsigned availableVectorLength(size_t propertyCapacity, unsigned vectorLength)
-    {
-        return availableVectorLength(m_indexBias, propertyCapacity, vectorLength);
-    }
-    
-    unsigned availableVectorLength(Structure* structure, unsigned vectorLength)
-    {
-        return availableVectorLength(structure-&gt;outOfLineCapacity(), vectorLength);
-    }
-
-    static unsigned optimalVectorLength(unsigned indexBias, size_t propertyCapacity, unsigned vectorLength)
-    {
-        vectorLength = std::max(BASE_ARRAY_STORAGE_VECTOR_LEN, vectorLength);
-        return availableVectorLength(indexBias, propertyCapacity, vectorLength);
-    }
-    
-    static unsigned optimalVectorLength(unsigned indexBias, Structure* structure, unsigned vectorLength)
-    {
-        return optimalVectorLength(indexBias, structure-&gt;outOfLineCapacity(), vectorLength);
-    }
-    
-    unsigned optimalVectorLength(size_t propertyCapacity, unsigned vectorLength)
-    {
-        return optimalVectorLength(m_indexBias, propertyCapacity, vectorLength);
-    }
-    
-    unsigned optimalVectorLength(Structure* structure, unsigned vectorLength)
-    {
-        return optimalVectorLength(structure-&gt;outOfLineCapacity(), vectorLength);
-    }
</del><span class="cx"> };
</span><span class="cx"> 
</span><span class="cx"> } // namespace JSC
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeAuxiliaryBarrierh"></a>
<div class="delfile"><h4>Deleted: trunk/Source/JavaScriptCore/runtime/AuxiliaryBarrier.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/AuxiliaryBarrier.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/AuxiliaryBarrier.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,63 +0,0 @@
</span><del>-/*
- * Copyright (C) 2016 Apple Inc. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
- * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
- * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
- * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
- * THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#pragma once
-
-namespace JSC {
-
-class JSCell;
-class VM;
-
-// An Auxiliary barrier is a barrier that does not try to reason about the value being stored into
-// it, other than interpreting a falsy value as not needing a barrier. It's OK to use this for either
-// JSCells or any other kind of data, so long as it responds to operator!().
-template&lt;typename T&gt;
-class AuxiliaryBarrier {
-public:
-    AuxiliaryBarrier() { }
-    
-    template&lt;typename U&gt;
-    AuxiliaryBarrier(VM&amp;, JSCell*, U&amp;&amp;);
-    
-    void clear() { m_value = T(); }
-    
-    template&lt;typename U&gt;
-    void set(VM&amp;, JSCell*, U&amp;&amp;);
-    
-    const T&amp; get() const { return m_value; }
-    
-    T* slot() { return &amp;m_value; }
-    
-    explicit operator bool() const { return !!m_value; }
-    
-    template&lt;typename U&gt;
-    void setWithoutBarrier(U&amp;&amp; value) { m_value = std::forward&lt;U&gt;(value); }
-    
-private:
-    T m_value;
-};
-
-} // namespace JSC
-
</del></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeAuxiliaryBarrierInlinesh"></a>
<div class="delfile"><h4>Deleted: trunk/Source/JavaScriptCore/runtime/AuxiliaryBarrierInlines.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/AuxiliaryBarrierInlines.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/AuxiliaryBarrierInlines.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,51 +0,0 @@
</span><del>-/*
- * Copyright (C) 2016 Apple Inc. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
- * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
- * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
- * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
- * THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#pragma once
-
-#include &quot;AuxiliaryBarrier.h&quot;
-#include &quot;Heap.h&quot;
-#include &quot;VM.h&quot;
-
-namespace JSC {
-
-template&lt;typename T&gt;
-template&lt;typename U&gt;
-AuxiliaryBarrier&lt;T&gt;::AuxiliaryBarrier(VM&amp; vm, JSCell* owner, U&amp;&amp; value)
-{
-    m_value = std::forward&lt;U&gt;(value);
-    vm.heap.writeBarrier(owner);
-}
-
-template&lt;typename T&gt;
-template&lt;typename U&gt;
-void AuxiliaryBarrier&lt;T&gt;::set(VM&amp; vm, JSCell* owner, U&amp;&amp; value)
-{
-    m_value = std::forward&lt;U&gt;(value);
-    vm.heap.writeBarrier(owner);
-}
-
-} // namespace JSC
-
</del></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeButterflyh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/Butterfly.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/Butterfly.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/Butterfly.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2012, 2016 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2012 Apple Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -90,12 +90,6 @@
</span><span class="cx">         return reinterpret_cast&lt;Butterfly*&gt;(static_cast&lt;EncodedJSValue*&gt;(base) + preCapacity + propertyCapacity + 1);
</span><span class="cx">     }
</span><span class="cx">     
</span><del>-    ALWAYS_INLINE static unsigned availableContiguousVectorLength(size_t propertyCapacity, unsigned vectorLength);
-    static unsigned availableContiguousVectorLength(Structure*, unsigned vectorLength);
-    
-    ALWAYS_INLINE static unsigned optimalContiguousVectorLength(size_t propertyCapacity, unsigned vectorLength);
-    static unsigned optimalContiguousVectorLength(Structure*, unsigned vectorLength);
-    
</del><span class="cx">     // This method is here not just because it's handy, but to remind you that
</span><span class="cx">     // the whole point of butterflies is to do evil pointer arithmetic.
</span><span class="cx">     static Butterfly* fromPointer(char* ptr)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeButterflyInlinesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/ButterflyInlines.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/ButterflyInlines.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/ButterflyInlines.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2012, 2016 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2012 Apple Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -35,38 +35,12 @@
</span><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span><del>-ALWAYS_INLINE unsigned Butterfly::availableContiguousVectorLength(size_t propertyCapacity, unsigned vectorLength)
-{
-    size_t cellSize = totalSize(0, propertyCapacity, true, sizeof(EncodedJSValue) * vectorLength);
-    cellSize = MarkedSpace::optimalSizeFor(cellSize);
-    vectorLength = (cellSize - totalSize(0, propertyCapacity, true, 0)) / sizeof(EncodedJSValue);
-    return vectorLength;
-}
-
-ALWAYS_INLINE unsigned Butterfly::availableContiguousVectorLength(Structure* structure, unsigned vectorLength)
-{
-    return availableContiguousVectorLength(structure ? structure-&gt;outOfLineCapacity() : 0, vectorLength);
-}
-
-ALWAYS_INLINE unsigned Butterfly::optimalContiguousVectorLength(size_t propertyCapacity, unsigned vectorLength)
-{
-    if (!vectorLength)
-        vectorLength = BASE_CONTIGUOUS_VECTOR_LEN_EMPTY;
-    else
-        vectorLength = std::max(BASE_CONTIGUOUS_VECTOR_LEN, vectorLength);
-    return availableContiguousVectorLength(propertyCapacity, vectorLength);
-}
-
-ALWAYS_INLINE unsigned Butterfly::optimalContiguousVectorLength(Structure* structure, unsigned vectorLength)
-{
-    return optimalContiguousVectorLength(structure ? structure-&gt;outOfLineCapacity() : 0, vectorLength);
-}
-
</del><span class="cx"> inline Butterfly* Butterfly::createUninitialized(VM&amp; vm, JSCell* intendedOwner, size_t preCapacity, size_t propertyCapacity, bool hasIndexingHeader, size_t indexingPayloadSizeInBytes)
</span><span class="cx"> {
</span><ins>+    void* temp;
</ins><span class="cx">     size_t size = totalSize(preCapacity, propertyCapacity, hasIndexingHeader, indexingPayloadSizeInBytes);
</span><del>-    void* base = vm.heap.allocateAuxiliary(intendedOwner, size);
-    Butterfly* result = fromBase(base, preCapacity, propertyCapacity);
</del><ins>+    RELEASE_ASSERT(vm.heap.tryAllocateStorage(intendedOwner, size, &amp;temp));
+    Butterfly* result = fromBase(temp, preCapacity, propertyCapacity);
</ins><span class="cx">     return result;
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="lines">@@ -145,8 +119,7 @@
</span><span class="cx">     void* theBase = base(0, propertyCapacity);
</span><span class="cx">     size_t oldSize = totalSize(0, propertyCapacity, hadIndexingHeader, oldIndexingPayloadSizeInBytes);
</span><span class="cx">     size_t newSize = totalSize(0, propertyCapacity, true, newIndexingPayloadSizeInBytes);
</span><del>-    theBase = vm.heap.tryReallocateAuxiliary(intendedOwner, theBase, oldSize, newSize);
-    if (!theBase)
</del><ins>+    if (!vm.heap.tryReallocateStorage(intendedOwner, &amp;theBase, oldSize, newSize))
</ins><span class="cx">         return 0;
</span><span class="cx">     return fromBase(theBase, 0, propertyCapacity);
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeClonedArgumentscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/ClonedArguments.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/ClonedArguments.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/ClonedArguments.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -44,19 +44,16 @@
</span><span class="cx"> ClonedArguments* ClonedArguments::createEmpty(
</span><span class="cx">     VM&amp; vm, Structure* structure, JSFunction* callee, unsigned length)
</span><span class="cx"> {
</span><del>-    unsigned vectorLength = length;
</del><ins>+    unsigned vectorLength = std::max(BASE_VECTOR_LEN, length);
</ins><span class="cx">     if (vectorLength &gt; MAX_STORAGE_VECTOR_LENGTH)
</span><span class="cx">         return 0;
</span><span class="cx"> 
</span><del>-    void* temp = vm.heap.tryAllocateAuxiliary(nullptr, Butterfly::totalSize(0, structure-&gt;outOfLineCapacity(), true, vectorLength * sizeof(EncodedJSValue)));
-    if (!temp)
</del><ins>+    void* temp;
+    if (!vm.heap.tryAllocateStorage(0, Butterfly::totalSize(0, structure-&gt;outOfLineCapacity(), true, vectorLength * sizeof(EncodedJSValue)), &amp;temp))
</ins><span class="cx">         return 0;
</span><span class="cx">     Butterfly* butterfly = Butterfly::fromBase(temp, 0, structure-&gt;outOfLineCapacity());
</span><span class="cx">     butterfly-&gt;setVectorLength(vectorLength);
</span><span class="cx">     butterfly-&gt;setPublicLength(length);
</span><del>-    
-    for (unsigned i = length; i &lt; vectorLength; ++i)
-        butterfly-&gt;contiguous()[i].clear();
</del><span class="cx"> 
</span><span class="cx">     ClonedArguments* result =
</span><span class="cx">         new (NotNull, allocateCell&lt;ClonedArguments&gt;(vm.heap))
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeCommonSlowPathsExceptionscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/CommonSlowPathsExceptions.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/CommonSlowPathsExceptions.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/CommonSlowPathsExceptions.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -28,7 +28,6 @@
</span><span class="cx"> 
</span><span class="cx"> #include &quot;CallFrame.h&quot;
</span><span class="cx"> #include &quot;CodeBlock.h&quot;
</span><del>-#include &quot;Interpreter.h&quot;
</del><span class="cx"> #include &quot;JITExceptions.h&quot;
</span><span class="cx"> #include &quot;LLIntCommon.h&quot;
</span><span class="cx"> #include &quot;JSCInlines.h&quot;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeCommonSlowPathsExceptionsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/CommonSlowPathsExceptions.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/CommonSlowPathsExceptions.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/CommonSlowPathsExceptions.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -26,10 +26,11 @@
</span><span class="cx"> #ifndef CommonSlowPathExceptions_h
</span><span class="cx"> #define CommonSlowPathExceptions_h
</span><span class="cx"> 
</span><ins>+#include &quot;MacroAssemblerCodeRef.h&quot;
+
</ins><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span><span class="cx"> class ExecState;
</span><del>-class JSObject;
</del><span class="cx"> 
</span><span class="cx"> namespace CommonSlowPaths {
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeDataViewcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/DataView.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/DataView.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/DataView.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -26,7 +26,6 @@
</span><span class="cx"> #include &quot;config.h&quot;
</span><span class="cx"> #include &quot;DataView.h&quot;
</span><span class="cx"> 
</span><del>-#include &quot;JSCInlines.h&quot;
</del><span class="cx"> #include &quot;JSDataView.h&quot;
</span><span class="cx"> #include &quot;JSGlobalObject.h&quot;
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeDirectArgumentsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/DirectArguments.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/DirectArguments.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/DirectArguments.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -26,7 +26,6 @@
</span><span class="cx"> #ifndef DirectArguments_h
</span><span class="cx"> #define DirectArguments_h
</span><span class="cx"> 
</span><del>-#include &quot;CopyBarrier.h&quot;
</del><span class="cx"> #include &quot;DirectArgumentsOffset.h&quot;
</span><span class="cx"> #include &quot;GenericArguments.h&quot;
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeECMAScriptSpecInternalFunctionscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/ECMAScriptSpecInternalFunctions.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/ECMAScriptSpecInternalFunctions.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/ECMAScriptSpecInternalFunctions.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -28,7 +28,7 @@
</span><span class="cx"> 
</span><span class="cx"> #include &quot;CallFrame.h&quot;
</span><span class="cx"> #include &quot;ConstructData.h&quot;
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;JSCJSValueInlines.h&quot;
</ins><span class="cx"> #include &quot;RegExpObject.h&quot;
</span><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeErrorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/Error.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/Error.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/Error.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -28,16 +28,14 @@
</span><span class="cx"> #include &quot;ErrorConstructor.h&quot;
</span><span class="cx"> #include &quot;ExceptionHelpers.h&quot;
</span><span class="cx"> #include &quot;FunctionPrototype.h&quot;
</span><del>-#include &quot;Interpreter.h&quot;
</del><span class="cx"> #include &quot;JSArray.h&quot;
</span><span class="cx"> #include &quot;JSFunction.h&quot;
</span><span class="cx"> #include &quot;JSGlobalObject.h&quot;
</span><span class="cx"> #include &quot;JSObject.h&quot;
</span><span class="cx"> #include &quot;JSString.h&quot;
</span><ins>+#include &quot;NativeErrorConstructor.h&quot;
</ins><span class="cx"> #include &quot;JSCInlines.h&quot;
</span><del>-#include &quot;NativeErrorConstructor.h&quot;
</del><span class="cx"> #include &quot;SourceCode.h&quot;
</span><del>-#include &quot;StackFrame.h&quot;
</del><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeErrorh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/Error.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/Error.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/Error.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -25,6 +25,7 @@
</span><span class="cx"> 
</span><span class="cx"> #include &quot;ErrorInstance.h&quot;
</span><span class="cx"> #include &quot;InternalFunction.h&quot;
</span><ins>+#include &quot;Interpreter.h&quot;
</ins><span class="cx"> #include &quot;JSObject.h&quot;
</span><span class="cx"> #include &lt;stdint.h&gt;
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeErrorInstancecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/ErrorInstance.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/ErrorInstance.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/ErrorInstance.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -26,7 +26,6 @@
</span><span class="cx"> #include &quot;JSScope.h&quot;
</span><span class="cx"> #include &quot;JSCInlines.h&quot;
</span><span class="cx"> #include &quot;JSGlobalObjectFunctions.h&quot;
</span><del>-#include &lt;wtf/text/StringBuilder.h&gt;
</del><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeErrorInstanceh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/ErrorInstance.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/ErrorInstance.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/ErrorInstance.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -21,7 +21,7 @@
</span><span class="cx"> #ifndef ErrorInstance_h
</span><span class="cx"> #define ErrorInstance_h
</span><span class="cx"> 
</span><del>-#include &quot;JSObject.h&quot;
</del><ins>+#include &quot;Interpreter.h&quot;
</ins><span class="cx"> #include &quot;RuntimeType.h&quot;
</span><span class="cx"> #include &quot;SourceProvider.h&quot;
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeExceptioncpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/Exception.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/Exception.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/Exception.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -26,7 +26,6 @@
</span><span class="cx"> #include &quot;config.h&quot;
</span><span class="cx"> #include &quot;Exception.h&quot;
</span><span class="cx"> 
</span><del>-#include &quot;Interpreter.h&quot;
</del><span class="cx"> #include &quot;JSCInlines.h&quot;
</span><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeExceptionh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/Exception.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/Exception.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/Exception.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -26,8 +26,7 @@
</span><span class="cx"> #ifndef Exception_h
</span><span class="cx"> #define Exception_h
</span><span class="cx"> 
</span><del>-#include &quot;JSObject.h&quot;
-#include &quot;StackFrame.h&quot;
</del><ins>+#include &quot;Interpreter.h&quot;
</ins><span class="cx"> #include &lt;wtf/Vector.h&gt;
</span><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeGeneratorFramecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/GeneratorFrame.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/GeneratorFrame.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/GeneratorFrame.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -28,7 +28,10 @@
</span><span class="cx"> 
</span><span class="cx"> #include &quot;CodeBlock.h&quot;
</span><span class="cx"> #include &quot;HeapIterationScope.h&quot;
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;JSCJSValueInlines.h&quot;
+#include &quot;JSCellInlines.h&quot;
+#include &quot;SlotVisitorInlines.h&quot;
+#include &quot;StructureInlines.h&quot;
</ins><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeGeneratorPrototypecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/GeneratorPrototype.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/GeneratorPrototype.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/GeneratorPrototype.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -27,8 +27,10 @@
</span><span class="cx"> #include &quot;GeneratorPrototype.h&quot;
</span><span class="cx"> 
</span><span class="cx"> #include &quot;JSCBuiltins.h&quot;
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;JSCJSValueInlines.h&quot;
+#include &quot;JSCellInlines.h&quot;
</ins><span class="cx"> #include &quot;JSGlobalObject.h&quot;
</span><ins>+#include &quot;StructureInlines.h&quot;
</ins><span class="cx"> 
</span><span class="cx"> #include &quot;GeneratorPrototype.lut.h&quot;
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeInternalFunctioncpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/InternalFunction.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/InternalFunction.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/InternalFunction.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -37,8 +37,6 @@
</span><span class="cx"> InternalFunction::InternalFunction(VM&amp; vm, Structure* structure)
</span><span class="cx">     : JSDestructibleObject(vm, structure)
</span><span class="cx"> {
</span><del>-    // exec-&gt;vm() wants callees to not be large allocations.
-    RELEASE_ASSERT(!isLargeAllocation());
</del><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void InternalFunction::finishCreation(VM&amp; vm, const String&amp; name)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeIntlCollatorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/IntlCollator.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/IntlCollator.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/IntlCollator.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,7 +1,6 @@
</span><span class="cx"> /*
</span><span class="cx">  * Copyright (C) 2015 Andy VanWagoner (thetalecrafter@gmail.com)
</span><span class="cx">  * Copyright (C) 2015 Sukolsak Sakshuwong (sukolsak@gmail.com)
</span><del>- * Copyright (C) 2016 Apple Inc. All Rights Reserved.
</del><span class="cx">  *
</span><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -34,7 +33,8 @@
</span><span class="cx"> #include &quot;IntlCollatorConstructor.h&quot;
</span><span class="cx"> #include &quot;IntlObject.h&quot;
</span><span class="cx"> #include &quot;JSBoundFunction.h&quot;
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;JSCJSValueInlines.h&quot;
+#include &quot;JSCellInlines.h&quot;
</ins><span class="cx"> #include &quot;ObjectConstructor.h&quot;
</span><span class="cx"> #include &quot;SlotVisitorInlines.h&quot;
</span><span class="cx"> #include &quot;StructureInlines.h&quot;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeIntlCollatorConstructorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/IntlCollatorConstructor.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/IntlCollatorConstructor.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/IntlCollatorConstructor.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -33,8 +33,11 @@
</span><span class="cx"> #include &quot;IntlCollator.h&quot;
</span><span class="cx"> #include &quot;IntlCollatorPrototype.h&quot;
</span><span class="cx"> #include &quot;IntlObject.h&quot;
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;JSCJSValueInlines.h&quot;
+#include &quot;JSCellInlines.h&quot;
</ins><span class="cx"> #include &quot;Lookup.h&quot;
</span><ins>+#include &quot;SlotVisitorInlines.h&quot;
+#include &quot;StructureInlines.h&quot;
</ins><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeIntlCollatorPrototypecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/IntlCollatorPrototype.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/IntlCollatorPrototype.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/IntlCollatorPrototype.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -32,7 +32,10 @@
</span><span class="cx"> #include &quot;Error.h&quot;
</span><span class="cx"> #include &quot;IntlCollator.h&quot;
</span><span class="cx"> #include &quot;JSBoundFunction.h&quot;
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;JSCJSValueInlines.h&quot;
+#include &quot;JSCellInlines.h&quot;
+#include &quot;JSObject.h&quot;
+#include &quot;StructureInlines.h&quot;
</ins><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeIntlDateTimeFormatcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/IntlDateTimeFormat.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/IntlDateTimeFormat.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/IntlDateTimeFormat.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -34,7 +34,8 @@
</span><span class="cx"> #include &quot;IntlDateTimeFormatConstructor.h&quot;
</span><span class="cx"> #include &quot;IntlObject.h&quot;
</span><span class="cx"> #include &quot;JSBoundFunction.h&quot;
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;JSCJSValueInlines.h&quot;
+#include &quot;JSCellInlines.h&quot;
</ins><span class="cx"> #include &quot;ObjectConstructor.h&quot;
</span><span class="cx"> #include &quot;SlotVisitorInlines.h&quot;
</span><span class="cx"> #include &quot;StructureInlines.h&quot;
</span><span class="lines">@@ -41,7 +42,6 @@
</span><span class="cx"> #include &lt;unicode/ucal.h&gt;
</span><span class="cx"> #include &lt;unicode/udatpg.h&gt;
</span><span class="cx"> #include &lt;unicode/uenum.h&gt;
</span><del>-#include &lt;wtf/text/StringBuilder.h&gt;
</del><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeIntlDateTimeFormatConstructorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/IntlDateTimeFormatConstructor.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/IntlDateTimeFormatConstructor.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/IntlDateTimeFormatConstructor.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -33,8 +33,11 @@
</span><span class="cx"> #include &quot;IntlDateTimeFormatPrototype.h&quot;
</span><span class="cx"> #include &quot;IntlObject.h&quot;
</span><span class="cx"> #include &quot;IntlObjectInlines.h&quot;
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;JSCJSValueInlines.h&quot;
+#include &quot;JSCellInlines.h&quot;
</ins><span class="cx"> #include &quot;Lookup.h&quot;
</span><ins>+#include &quot;SlotVisitorInlines.h&quot;
+#include &quot;StructureInlines.h&quot;
</ins><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeIntlDateTimeFormatPrototypecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/IntlDateTimeFormatPrototype.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/IntlDateTimeFormatPrototype.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/IntlDateTimeFormatPrototype.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -34,8 +34,10 @@
</span><span class="cx"> #include &quot;IntlDateTimeFormat.h&quot;
</span><span class="cx"> #include &quot;IntlObject.h&quot;
</span><span class="cx"> #include &quot;JSBoundFunction.h&quot;
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;JSCJSValueInlines.h&quot;
+#include &quot;JSCellInlines.h&quot;
</ins><span class="cx"> #include &quot;JSObject.h&quot;
</span><ins>+#include &quot;StructureInlines.h&quot;
</ins><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeIntlNumberFormatcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/IntlNumberFormat.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/IntlNumberFormat.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/IntlNumberFormat.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -34,8 +34,11 @@
</span><span class="cx"> #include &quot;IntlNumberFormatConstructor.h&quot;
</span><span class="cx"> #include &quot;IntlObject.h&quot;
</span><span class="cx"> #include &quot;JSBoundFunction.h&quot;
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;JSCJSValueInlines.h&quot;
+#include &quot;JSCellInlines.h&quot;
</ins><span class="cx"> #include &quot;ObjectConstructor.h&quot;
</span><ins>+#include &quot;SlotVisitorInlines.h&quot;
+#include &quot;StructureInlines.h&quot;
</ins><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeIntlNumberFormatConstructorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/IntlNumberFormatConstructor.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/IntlNumberFormatConstructor.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/IntlNumberFormatConstructor.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -33,8 +33,11 @@
</span><span class="cx"> #include &quot;IntlNumberFormatPrototype.h&quot;
</span><span class="cx"> #include &quot;IntlObject.h&quot;
</span><span class="cx"> #include &quot;IntlObjectInlines.h&quot;
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;JSCJSValueInlines.h&quot;
+#include &quot;JSCellInlines.h&quot;
</ins><span class="cx"> #include &quot;Lookup.h&quot;
</span><ins>+#include &quot;SlotVisitorInlines.h&quot;
+#include &quot;StructureInlines.h&quot;
</ins><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeIntlNumberFormatPrototypecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/IntlNumberFormatPrototype.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/IntlNumberFormatPrototype.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/IntlNumberFormatPrototype.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -33,8 +33,10 @@
</span><span class="cx"> #include &quot;Error.h&quot;
</span><span class="cx"> #include &quot;IntlNumberFormat.h&quot;
</span><span class="cx"> #include &quot;JSBoundFunction.h&quot;
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;JSCJSValueInlines.h&quot;
+#include &quot;JSCellInlines.h&quot;
</ins><span class="cx"> #include &quot;JSObject.h&quot;
</span><ins>+#include &quot;StructureInlines.h&quot;
</ins><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeIntlObjectcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/IntlObject.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/IntlObject.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/IntlObject.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -50,7 +50,6 @@
</span><span class="cx"> #include &lt;wtf/Assertions.h&gt;
</span><span class="cx"> #include &lt;wtf/NeverDestroyed.h&gt;
</span><span class="cx"> #include &lt;wtf/PlatformUserPreferredLanguages.h&gt;
</span><del>-#include &lt;wtf/text/StringBuilder.h&gt;
</del><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeIteratorPrototypecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/IteratorPrototype.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/IteratorPrototype.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/IteratorPrototype.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -27,9 +27,11 @@
</span><span class="cx"> #include &quot;IteratorPrototype.h&quot;
</span><span class="cx"> 
</span><span class="cx"> #include &quot;JSCBuiltins.h&quot;
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;JSCJSValueInlines.h&quot;
+#include &quot;JSCellInlines.h&quot;
</ins><span class="cx"> #include &quot;JSGlobalObject.h&quot;
</span><span class="cx"> #include &quot;ObjectConstructor.h&quot;
</span><ins>+#include &quot;StructureInlines.h&quot;
</ins><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSArraycpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSArray.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSArray.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/JSArray.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -41,12 +41,6 @@
</span><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span><del>-#if 0
-#define LOGIT() dataLog(RawPointer(this), &quot;: &quot;, WTF_PRETTY_FUNCTION, &quot;\n&quot;);
-#else
-#define LOGIT() do { } while(false)
-#endif
-
</del><span class="cx"> STATIC_ASSERT_IS_TRIVIALLY_DESTRUCTIBLE(JSArray);
</span><span class="cx"> 
</span><span class="cx"> const ClassInfo JSArray::s_info = {&quot;Array&quot;, &amp;JSNonFinalObject::s_info, 0, CREATE_METHOD_TABLE(JSArray)};
</span><span class="lines">@@ -65,58 +59,8 @@
</span><span class="cx">     return butterfly;
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-JSArray* JSArray::tryCreateUninitialized(VM&amp; vm, Structure* structure, unsigned initialLength)
-{
-    if (initialLength &gt; MAX_STORAGE_VECTOR_LENGTH)
-        return 0;
-
-    unsigned outOfLineStorage = structure-&gt;outOfLineCapacity();
-
-    Butterfly* butterfly;
-    IndexingType indexingType = structure-&gt;indexingType();
-    if (LIKELY(!hasAnyArrayStorage(indexingType))) {
-        ASSERT(
-            hasUndecided(indexingType)
-            || hasInt32(indexingType)
-            || hasDouble(indexingType)
-            || hasContiguous(indexingType));
-
-        unsigned vectorLength = Butterfly::optimalContiguousVectorLength(structure, initialLength);
-        void* temp = vm.heap.tryAllocateAuxiliary(nullptr, Butterfly::totalSize(0, outOfLineStorage, true, vectorLength * sizeof(EncodedJSValue)));
-        if (!temp)
-            return nullptr;
-        butterfly = Butterfly::fromBase(temp, 0, outOfLineStorage);
-        butterfly-&gt;setVectorLength(vectorLength);
-        butterfly-&gt;setPublicLength(initialLength);
-        if (hasDouble(indexingType)) {
-            for (unsigned i = initialLength; i &lt; vectorLength; ++i)
-                butterfly-&gt;contiguousDouble()[i] = PNaN;
-        } else {
-            for (unsigned i = initialLength; i &lt; vectorLength; ++i)
-                butterfly-&gt;contiguous()[i].clear();
-        }
-    } else {
-        unsigned vectorLength = ArrayStorage::optimalVectorLength(0, structure, initialLength);
-        void* temp = vm.heap.tryAllocateAuxiliary(nullptr, Butterfly::totalSize(0, outOfLineStorage, true, ArrayStorage::sizeFor(vectorLength)));
-        if (!temp)
-            return nullptr;
-        butterfly = Butterfly::fromBase(temp, 0, outOfLineStorage);
-        *butterfly-&gt;indexingHeader() = indexingHeaderForArrayStorage(initialLength, vectorLength);
-        ArrayStorage* storage = butterfly-&gt;arrayStorage();
-        storage-&gt;m_indexBias = 0;
-        storage-&gt;m_sparseMap.clear();
-        storage-&gt;m_numValuesInVector = initialLength;
-        for (unsigned i = initialLength; i &lt; vectorLength; ++i)
-            storage-&gt;m_vector[i].clear();
-    }
-
-    return createWithButterfly(vm, structure, butterfly);
-}
-
</del><span class="cx"> void JSArray::setLengthWritable(ExecState* exec, bool writable)
</span><span class="cx"> {
</span><del>-    LOGIT();
-    
</del><span class="cx">     ASSERT(isLengthWritable() || !writable);
</span><span class="cx">     if (!isLengthWritable() || writable)
</span><span class="cx">         return;
</span><span class="lines">@@ -294,13 +238,11 @@
</span><span class="cx"> // This method makes room in the vector, but leaves the new space for count slots uncleared.
</span><span class="cx"> bool JSArray::unshiftCountSlowCase(VM&amp; vm, bool addToFront, unsigned count)
</span><span class="cx"> {
</span><del>-    LOGIT();
-    
</del><span class="cx">     ArrayStorage* storage = ensureArrayStorage(vm);
</span><span class="cx">     Butterfly* butterfly = storage-&gt;butterfly();
</span><span class="cx">     unsigned propertyCapacity = structure(vm)-&gt;outOfLineCapacity();
</span><span class="cx">     unsigned propertySize = structure(vm)-&gt;outOfLineSize();
</span><del>-    
</del><ins>+
</ins><span class="cx">     // If not, we should have handled this on the fast path.
</span><span class="cx">     ASSERT(!addToFront || count &gt; storage-&gt;m_indexBias);
</span><span class="cx"> 
</span><span class="lines">@@ -312,8 +254,7 @@
</span><span class="cx">     //  * desiredCapacity - how large should we like to grow the vector to - based on 2x requiredVectorLength.
</span><span class="cx"> 
</span><span class="cx">     unsigned length = storage-&gt;length();
</span><del>-    unsigned oldVectorLength = storage-&gt;vectorLength();
-    unsigned usedVectorLength = min(oldVectorLength, length);
</del><ins>+    unsigned usedVectorLength = min(storage-&gt;vectorLength(), length);
</ins><span class="cx">     ASSERT(usedVectorLength &lt;= MAX_STORAGE_VECTOR_LENGTH);
</span><span class="cx">     // Check that required vector length is possible, in an overflow-safe fashion.
</span><span class="cx">     if (count &gt; MAX_STORAGE_VECTOR_LENGTH - usedVectorLength)
</span><span class="lines">@@ -324,10 +265,7 @@
</span><span class="cx">     ASSERT(storage-&gt;vectorLength() &lt;= MAX_STORAGE_VECTOR_LENGTH &amp;&amp; (MAX_STORAGE_VECTOR_LENGTH - storage-&gt;vectorLength()) &gt;= storage-&gt;m_indexBias);
</span><span class="cx">     unsigned currentCapacity = storage-&gt;vectorLength() + storage-&gt;m_indexBias;
</span><span class="cx">     // The calculation of desiredCapacity won't overflow, due to the range of MAX_STORAGE_VECTOR_LENGTH.
</span><del>-    // FIXME: This code should be fixed to avoid internal fragmentation. It's not super high
-    // priority since increaseVectorLength() will &quot;fix&quot; any mistakes we make, but it would be cool
-    // to get this right eventually.
-    unsigned desiredCapacity = min(MAX_STORAGE_VECTOR_LENGTH, max(BASE_ARRAY_STORAGE_VECTOR_LEN, requiredVectorLength) &lt;&lt; 1);
</del><ins>+    unsigned desiredCapacity = min(MAX_STORAGE_VECTOR_LENGTH, max(BASE_VECTOR_LEN, requiredVectorLength) &lt;&lt; 1);
</ins><span class="cx"> 
</span><span class="cx">     // Step 2:
</span><span class="cx">     // We're either going to choose to allocate a new ArrayStorage, or we're going to reuse the existing one.
</span><span class="lines">@@ -335,19 +273,15 @@
</span><span class="cx">     DeferGC deferGC(vm.heap);
</span><span class="cx">     void* newAllocBase = 0;
</span><span class="cx">     unsigned newStorageCapacity;
</span><del>-    bool allocatedNewStorage;
</del><span class="cx">     // If the current storage array is sufficiently large (but not too large!) then just keep using it.
</span><span class="cx">     if (currentCapacity &gt; desiredCapacity &amp;&amp; isDenseEnoughForVector(currentCapacity, requiredVectorLength)) {
</span><span class="cx">         newAllocBase = butterfly-&gt;base(structure(vm));
</span><span class="cx">         newStorageCapacity = currentCapacity;
</span><del>-        allocatedNewStorage = false;
</del><span class="cx">     } else {
</span><span class="cx">         size_t newSize = Butterfly::totalSize(0, propertyCapacity, true, ArrayStorage::sizeFor(desiredCapacity));
</span><del>-        newAllocBase = vm.heap.tryAllocateAuxiliary(this, newSize);
-        if (!newAllocBase)
</del><ins>+        if (!vm.heap.tryAllocateStorage(this, newSize, &amp;newAllocBase))
</ins><span class="cx">             return false;
</span><span class="cx">         newStorageCapacity = desiredCapacity;
</span><del>-        allocatedNewStorage = true;
</del><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     // Step 3:
</span><span class="lines">@@ -377,19 +311,13 @@
</span><span class="cx">         ASSERT(count + usedVectorLength &lt;= newVectorLength);
</span><span class="cx">         memmove(newButterfly-&gt;arrayStorage()-&gt;m_vector + count, storage-&gt;m_vector, sizeof(JSValue) * usedVectorLength);
</span><span class="cx">         memmove(newButterfly-&gt;propertyStorage() - propertySize, butterfly-&gt;propertyStorage() - propertySize, sizeof(JSValue) * propertySize + sizeof(IndexingHeader) + ArrayStorage::sizeFor(0));
</span><del>-        
-        if (allocatedNewStorage) {
-            // We will set the vectorLength to newVectorLength. We populated requiredVectorLength
-            // (usedVectorLength + count), which is less. Clear the difference.
-            for (unsigned i = requiredVectorLength; i &lt; newVectorLength; ++i)
-                newButterfly-&gt;arrayStorage()-&gt;m_vector[i].clear();
-        }
</del><span class="cx">     } else if ((newAllocBase != butterfly-&gt;base(structure(vm))) || (newIndexBias != storage-&gt;m_indexBias)) {
</span><span class="cx">         memmove(newButterfly-&gt;propertyStorage() - propertySize, butterfly-&gt;propertyStorage() - propertySize, sizeof(JSValue) * propertySize + sizeof(IndexingHeader) + ArrayStorage::sizeFor(0));
</span><span class="cx">         memmove(newButterfly-&gt;arrayStorage()-&gt;m_vector, storage-&gt;m_vector, sizeof(JSValue) * usedVectorLength);
</span><del>-        
</del><ins>+
+        WriteBarrier&lt;Unknown&gt;* newVector = newButterfly-&gt;arrayStorage()-&gt;m_vector;
</ins><span class="cx">         for (unsigned i = requiredVectorLength; i &lt; newVectorLength; i++)
</span><del>-            newButterfly-&gt;arrayStorage()-&gt;m_vector[i].clear();
</del><ins>+            newVector[i].clear();
</ins><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     newButterfly-&gt;arrayStorage()-&gt;setVectorLength(newVectorLength);
</span><span class="lines">@@ -401,10 +329,8 @@
</span><span class="cx"> 
</span><span class="cx"> bool JSArray::setLengthWithArrayStorage(ExecState* exec, unsigned newLength, bool throwException, ArrayStorage* storage)
</span><span class="cx"> {
</span><del>-    LOGIT();
-    
</del><span class="cx">     unsigned length = storage-&gt;length();
</span><del>-    
</del><ins>+
</ins><span class="cx">     // If the length is read only then we enter sparse mode, so should enter the following 'if'.
</span><span class="cx">     ASSERT(isLengthWritable() || storage-&gt;m_sparseMap);
</span><span class="cx"> 
</span><span class="lines">@@ -467,8 +393,6 @@
</span><span class="cx"> 
</span><span class="cx"> bool JSArray::appendMemcpy(ExecState* exec, VM&amp; vm, unsigned startIndex, JSC::JSArray* otherArray)
</span><span class="cx"> {
</span><del>-    LOGIT();
-    
</del><span class="cx">     if (!canFastCopy(vm, otherArray))
</span><span class="cx">         return false;
</span><span class="cx"> 
</span><span class="lines">@@ -509,8 +433,6 @@
</span><span class="cx"> 
</span><span class="cx"> bool JSArray::setLength(ExecState* exec, unsigned newLength, bool throwException)
</span><span class="cx"> {
</span><del>-    LOGIT();
-    
</del><span class="cx">     Butterfly* butterfly = m_butterfly.get();
</span><span class="cx">     switch (indexingType()) {
</span><span class="cx">     case ArrayClass:
</span><span class="lines">@@ -575,8 +497,6 @@
</span><span class="cx"> 
</span><span class="cx"> JSValue JSArray::pop(ExecState* exec)
</span><span class="cx"> {
</span><del>-    LOGIT();
-    
</del><span class="cx">     Butterfly* butterfly = m_butterfly.get();
</span><span class="cx">     
</span><span class="cx">     switch (indexingType()) {
</span><span class="lines">@@ -674,8 +594,6 @@
</span><span class="cx"> //  - pushing to an array of length 2^32-1 stores the property, but throws a range error.
</span><span class="cx"> void JSArray::push(ExecState* exec, JSValue value)
</span><span class="cx"> {
</span><del>-    LOGIT();
-    
</del><span class="cx">     Butterfly* butterfly = m_butterfly.get();
</span><span class="cx">     
</span><span class="cx">     switch (indexingType()) {
</span><span class="lines">@@ -812,8 +730,6 @@
</span><span class="cx"> 
</span><span class="cx"> JSArray* JSArray::fastSlice(ExecState&amp; exec, unsigned startIndex, unsigned count)
</span><span class="cx"> {
</span><del>-    LOGIT();
-    
</del><span class="cx">     auto arrayType = indexingType();
</span><span class="cx">     switch (arrayType) {
</span><span class="cx">     case ArrayWithDouble:
</span><span class="lines">@@ -844,8 +760,6 @@
</span><span class="cx"> 
</span><span class="cx"> bool JSArray::shiftCountWithArrayStorage(VM&amp; vm, unsigned startIndex, unsigned count, ArrayStorage* storage)
</span><span class="cx"> {
</span><del>-    LOGIT();
-    
</del><span class="cx">     unsigned oldLength = storage-&gt;length();
</span><span class="cx">     RELEASE_ASSERT(count &lt;= oldLength);
</span><span class="cx">     
</span><span class="lines">@@ -951,8 +865,6 @@
</span><span class="cx"> 
</span><span class="cx"> bool JSArray::shiftCountWithAnyIndexingType(ExecState* exec, unsigned&amp; startIndex, unsigned count)
</span><span class="cx"> {
</span><del>-    LOGIT();
-    
</del><span class="cx">     VM&amp; vm = exec-&gt;vm();
</span><span class="cx">     RELEASE_ASSERT(count &gt; 0);
</span><span class="cx"> 
</span><span class="lines">@@ -1051,8 +963,6 @@
</span><span class="cx"> // Returns true if the unshift can be handled, false to fallback.    
</span><span class="cx"> bool JSArray::unshiftCountWithArrayStorage(ExecState* exec, unsigned startIndex, unsigned count, ArrayStorage* storage)
</span><span class="cx"> {
</span><del>-    LOGIT();
-    
</del><span class="cx">     unsigned length = storage-&gt;length();
</span><span class="cx"> 
</span><span class="cx">     RELEASE_ASSERT(startIndex &lt;= length);
</span><span class="lines">@@ -1190,8 +1100,6 @@
</span><span class="cx"> 
</span><span class="cx"> void JSArray::fillArgList(ExecState* exec, MarkedArgumentBuffer&amp; args)
</span><span class="cx"> {
</span><del>-    LOGIT();
-    
</del><span class="cx">     unsigned i = 0;
</span><span class="cx">     unsigned vectorEnd;
</span><span class="cx">     WriteBarrier&lt;Unknown&gt;* vector;
</span><span class="lines">@@ -1258,8 +1166,6 @@
</span><span class="cx"> 
</span><span class="cx"> void JSArray::copyToArguments(ExecState* exec, VirtualRegister firstElementDest, unsigned offset, unsigned length)
</span><span class="cx"> {
</span><del>-    LOGIT();
-    
</del><span class="cx">     unsigned i = offset;
</span><span class="cx">     WriteBarrier&lt;Unknown&gt;* vector;
</span><span class="cx">     unsigned vectorEnd;
</span><span class="lines">@@ -1269,6 +1175,7 @@
</span><span class="cx">     ASSERT(length == this-&gt;length());
</span><span class="cx"> 
</span><span class="cx">     Butterfly* butterfly = m_butterfly.get();
</span><ins>+    
</ins><span class="cx">     switch (indexingType()) {
</span><span class="cx">     case ArrayClass:
</span><span class="cx">         return;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSArrayh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSArray.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSArray.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/JSArray.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,6 +1,6 @@
</span><span class="cx"> /*
</span><span class="cx">  *  Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
</span><del>- *  Copyright (C) 2003, 2007, 2008, 2009, 2012, 2015-2016 Apple Inc. All rights reserved.
</del><ins>+ *  Copyright (C) 2003, 2007, 2008, 2009, 2012, 2015 Apple Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  *  This library is free software; you can redistribute it and/or
</span><span class="cx">  *  modify it under the terms of the GNU Lesser General Public
</span><span class="lines">@@ -60,7 +60,7 @@
</span><span class="cx">     // contents are known at time of creation. Clients of this interface must:
</span><span class="cx">     //   - null-check the result (indicating out of memory, or otherwise unable to allocate vector).
</span><span class="cx">     //   - call 'initializeIndex' for all properties in sequence, for 0 &lt;= i &lt; initialLength.
</span><del>-    JS_EXPORT_PRIVATE static JSArray* tryCreateUninitialized(VM&amp;, Structure*, unsigned initialLength);
</del><ins>+    static JSArray* tryCreateUninitialized(VM&amp;, Structure*, unsigned initialLength);
</ins><span class="cx"> 
</span><span class="cx">     JS_EXPORT_PRIVATE static bool defineOwnProperty(JSObject*, ExecState*, PropertyName, const PropertyDescriptor&amp;, bool throwException);
</span><span class="cx"> 
</span><span class="lines">@@ -177,8 +177,7 @@
</span><span class="cx"> inline Butterfly* createContiguousArrayButterfly(VM&amp; vm, JSCell* intendedOwner, unsigned length, unsigned&amp; vectorLength)
</span><span class="cx"> {
</span><span class="cx">     IndexingHeader header;
</span><del>-    vectorLength = Butterfly::optimalContiguousVectorLength(
-        intendedOwner ? intendedOwner-&gt;structure(vm) : 0, length);
</del><ins>+    vectorLength = std::max(length, BASE_VECTOR_LEN);
</ins><span class="cx">     header.setVectorLength(vectorLength);
</span><span class="cx">     header.setPublicLength(length);
</span><span class="cx">     Butterfly* result = Butterfly::create(
</span><span class="lines">@@ -189,11 +188,11 @@
</span><span class="cx"> inline Butterfly* createArrayButterfly(VM&amp; vm, JSCell* intendedOwner, unsigned initialLength)
</span><span class="cx"> {
</span><span class="cx">     Butterfly* butterfly = Butterfly::create(
</span><del>-        vm, intendedOwner, 0, 0, true, baseIndexingHeaderForArrayStorage(initialLength),
-        ArrayStorage::sizeFor(BASE_ARRAY_STORAGE_VECTOR_LEN));
</del><ins>+        vm, intendedOwner, 0, 0, true, baseIndexingHeaderForArray(initialLength),
+        ArrayStorage::sizeFor(BASE_VECTOR_LEN));
</ins><span class="cx">     ArrayStorage* storage = butterfly-&gt;arrayStorage();
</span><ins>+    storage-&gt;m_indexBias = 0;
</ins><span class="cx">     storage-&gt;m_sparseMap.clear();
</span><del>-    storage-&gt;m_indexBias = 0;
</del><span class="cx">     storage-&gt;m_numValuesInVector = 0;
</span><span class="cx">     return butterfly;
</span><span class="cx"> }
</span><span class="lines">@@ -212,12 +211,10 @@
</span><span class="cx">             || hasContiguous(structure-&gt;indexingType()));
</span><span class="cx">         unsigned vectorLength;
</span><span class="cx">         butterfly = createContiguousArrayButterfly(vm, 0, initialLength, vectorLength);
</span><ins>+        ASSERT(initialLength &lt; MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH);
</ins><span class="cx">         if (hasDouble(structure-&gt;indexingType())) {
</span><span class="cx">             for (unsigned i = 0; i &lt; vectorLength; ++i)
</span><span class="cx">                 butterfly-&gt;contiguousDouble()[i] = PNaN;
</span><del>-        } else {
-            for (unsigned i = 0; i &lt; vectorLength; ++i)
-                butterfly-&gt;contiguous()[i].clear();
</del><span class="cx">         }
</span><span class="cx">     } else {
</span><span class="cx">         ASSERT(
</span><span class="lines">@@ -224,13 +221,52 @@
</span><span class="cx">             structure-&gt;indexingType() == ArrayWithSlowPutArrayStorage
</span><span class="cx">             || structure-&gt;indexingType() == ArrayWithArrayStorage);
</span><span class="cx">         butterfly = createArrayButterfly(vm, 0, initialLength);
</span><del>-        for (unsigned i = 0; i &lt; BASE_ARRAY_STORAGE_VECTOR_LEN; ++i)
-            butterfly-&gt;arrayStorage()-&gt;m_vector[i].clear();
</del><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     return createWithButterfly(vm, structure, butterfly);
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+inline JSArray* JSArray::tryCreateUninitialized(VM&amp; vm, Structure* structure, unsigned initialLength)
+{
+    unsigned vectorLength = std::max(BASE_VECTOR_LEN, initialLength);
+    if (vectorLength &gt; MAX_STORAGE_VECTOR_LENGTH)
+        return 0;
+
+    unsigned outOfLineStorage = structure-&gt;outOfLineCapacity();
+
+    Butterfly* butterfly;
+    if (LIKELY(!hasAnyArrayStorage(structure-&gt;indexingType()))) {
+        ASSERT(
+            hasUndecided(structure-&gt;indexingType())
+            || hasInt32(structure-&gt;indexingType())
+            || hasDouble(structure-&gt;indexingType())
+            || hasContiguous(structure-&gt;indexingType()));
+
+        void* temp;
+        if (!vm.heap.tryAllocateStorage(0, Butterfly::totalSize(0, outOfLineStorage, true, vectorLength * sizeof(EncodedJSValue)), &amp;temp))
+            return 0;
+        butterfly = Butterfly::fromBase(temp, 0, outOfLineStorage);
+        butterfly-&gt;setVectorLength(vectorLength);
+        butterfly-&gt;setPublicLength(initialLength);
+        if (hasDouble(structure-&gt;indexingType())) {
+            for (unsigned i = initialLength; i &lt; vectorLength; ++i)
+                butterfly-&gt;contiguousDouble()[i] = PNaN;
+        }
+    } else {
+        void* temp;
+        if (!vm.heap.tryAllocateStorage(0, Butterfly::totalSize(0, outOfLineStorage, true, ArrayStorage::sizeFor(vectorLength)), &amp;temp))
+            return 0;
+        butterfly = Butterfly::fromBase(temp, 0, outOfLineStorage);
+        *butterfly-&gt;indexingHeader() = indexingHeaderForArray(initialLength, vectorLength);
+        ArrayStorage* storage = butterfly-&gt;arrayStorage();
+        storage-&gt;m_indexBias = 0;
+        storage-&gt;m_sparseMap.clear();
+        storage-&gt;m_numValuesInVector = initialLength;
+    }
+
+    return createWithButterfly(vm, structure, butterfly);
+}
+
</ins><span class="cx"> inline JSArray* JSArray::createWithButterfly(VM&amp; vm, Structure* structure, Butterfly* butterfly)
</span><span class="cx"> {
</span><span class="cx">     JSArray* array = new (NotNull, allocateCell&lt;JSArray&gt;(vm.heap)) JSArray(vm, structure, butterfly);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSArrayBufferViewh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSArrayBufferView.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSArrayBufferView.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/JSArrayBufferView.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -26,7 +26,6 @@
</span><span class="cx"> #ifndef JSArrayBufferView_h
</span><span class="cx"> #define JSArrayBufferView_h
</span><span class="cx"> 
</span><del>-#include &quot;CopyBarrier.h&quot;
</del><span class="cx"> #include &quot;JSObject.h&quot;
</span><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSCInlinesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSCInlines.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSCInlines.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/JSCInlines.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2014, 2016 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2014 Apple Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -41,6 +41,7 @@
</span><span class="cx"> #include &quot;GCIncomingRefCountedInlines.h&quot;
</span><span class="cx"> #include &quot;HeapInlines.h&quot;
</span><span class="cx"> #include &quot;IdentifierInlines.h&quot;
</span><ins>+#include &quot;Interpreter.h&quot;
</ins><span class="cx"> #include &quot;JSArrayBufferViewInlines.h&quot;
</span><span class="cx"> #include &quot;JSCJSValueInlines.h&quot;
</span><span class="cx"> #include &quot;JSFunctionInlines.h&quot;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSCJSValuecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSCJSValue.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSCJSValue.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/JSCJSValue.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -29,10 +29,11 @@
</span><span class="cx"> #include &quot;Error.h&quot;
</span><span class="cx"> #include &quot;ExceptionHelpers.h&quot;
</span><span class="cx"> #include &quot;GetterSetter.h&quot;
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;JSCJSValueInlines.h&quot;
</ins><span class="cx"> #include &quot;JSFunction.h&quot;
</span><span class="cx"> #include &quot;JSGlobalObject.h&quot;
</span><span class="cx"> #include &quot;NumberObject.h&quot;
</span><ins>+#include &quot;StructureInlines.h&quot;
</ins><span class="cx"> #include &lt;wtf/MathExtras.h&gt;
</span><span class="cx"> #include &lt;wtf/StringExtras.h&gt;
</span><span class="cx"> 
</span><span class="lines">@@ -255,11 +256,7 @@
</span><span class="cx">             out.print(&quot;Symbol: &quot;, RawPointer(asCell()));
</span><span class="cx">         else if (structure-&gt;classInfo()-&gt;isSubClassOf(Structure::info()))
</span><span class="cx">             out.print(&quot;Structure: &quot;, inContext(*jsCast&lt;Structure*&gt;(asCell()), context));
</span><del>-        else if (structure-&gt;classInfo()-&gt;isSubClassOf(JSObject::info())) {
-            out.print(&quot;Object: &quot;, RawPointer(asCell()));
-            out.print(&quot; with butterfly &quot;, RawPointer(asObject(asCell())-&gt;butterfly()));
-            out.print(&quot; (&quot;, inContext(*structure, context), &quot;)&quot;);
-        } else {
</del><ins>+        else {
</ins><span class="cx">             out.print(&quot;Cell: &quot;, RawPointer(asCell()));
</span><span class="cx">             out.print(&quot; (&quot;, inContext(*structure, context), &quot;)&quot;);
</span><span class="cx">         }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSCalleecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSCallee.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSCallee.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/JSCallee.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2014, 2016 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2014 Apple Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -27,9 +27,13 @@
</span><span class="cx"> #include &quot;JSCallee.h&quot;
</span><span class="cx"> 
</span><span class="cx"> #include &quot;GetterSetter.h&quot;
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;JSCJSValueInlines.h&quot;
+#include &quot;JSCell.h&quot;
+#include &quot;JSCellInlines.h&quot;
</ins><span class="cx"> #include &quot;JSGlobalObject.h&quot;
</span><ins>+#include &quot;SlotVisitorInlines.h&quot;
</ins><span class="cx"> #include &quot;StackVisitor.h&quot;
</span><ins>+#include &quot;StructureInlines.h&quot;
</ins><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span><span class="lines">@@ -39,7 +43,6 @@
</span><span class="cx">     : Base(vm, structure)
</span><span class="cx">     , m_scope(vm, this, globalObject)
</span><span class="cx"> {
</span><del>-    RELEASE_ASSERT(!isLargeAllocation());
</del><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> JSCallee::JSCallee(VM&amp; vm, JSScope* scope, Structure* structure)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSCellcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSCell.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSCell.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/JSCell.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -58,7 +58,7 @@
</span><span class="cx"> 
</span><span class="cx"> size_t JSCell::estimatedSize(JSCell* cell)
</span><span class="cx"> {
</span><del>-    return cell-&gt;cellSize();
</del><ins>+    return MarkedBlock::blockFor(cell)-&gt;cellSize();
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void JSCell::copyBackingStore(JSCell*, CopyVisitor&amp;, CopyToken)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSCellh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSCell.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSCell.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/JSCell.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -80,7 +80,7 @@
</span><span class="cx"> 
</span><span class="cx">     enum CreatingEarlyCellTag { CreatingEarlyCell };
</span><span class="cx">     JSCell(CreatingEarlyCellTag);
</span><del>-    
</del><ins>+
</ins><span class="cx"> protected:
</span><span class="cx">     JSCell(VM&amp;, Structure*);
</span><span class="cx">     JS_EXPORT_PRIVATE static void destroy(JSCell*);
</span><span class="lines">@@ -108,6 +108,8 @@
</span><span class="cx"> 
</span><span class="cx">     const char* className() const;
</span><span class="cx"> 
</span><ins>+    VM* vm() const;
+
</ins><span class="cx">     // Extracting the value.
</span><span class="cx">     JS_EXPORT_PRIVATE bool getString(ExecState*, String&amp;) const;
</span><span class="cx">     JS_EXPORT_PRIVATE String getString(ExecState*) const; // null string if not a string
</span><span class="lines">@@ -188,8 +190,6 @@
</span><span class="cx">     {
</span><span class="cx">         return OBJECT_OFFSETOF(JSCell, m_cellState);
</span><span class="cx">     }
</span><del>-    
-    void callDestructor(VM&amp;);
</del><span class="cx"> 
</span><span class="cx">     static const TypedArrayType TypedArrayStorageType = NotTypedArray;
</span><span class="cx"> protected:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSCellInlinesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSCellInlines.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSCellInlines.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/JSCellInlines.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -113,13 +113,16 @@
</span><span class="cx">     visitor.appendUnbarrieredPointer(&amp;structure);
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+inline VM* JSCell::vm() const
+{
+    return MarkedBlock::blockFor(this)-&gt;vm();
+}
+
</ins><span class="cx"> ALWAYS_INLINE VM&amp; ExecState::vm() const
</span><span class="cx"> {
</span><span class="cx">     ASSERT(callee());
</span><span class="cx">     ASSERT(callee()-&gt;vm());
</span><del>-    ASSERT(!callee()-&gt;isLargeAllocation());
-    // This is an important optimization since we access this so often.
-    return *calleeAsValue().asCell()-&gt;markedBlock().vm();
</del><ins>+    return *calleeAsValue().asCell()-&gt;vm();
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> template&lt;typename T&gt;
</span><span class="lines">@@ -230,19 +233,12 @@
</span><span class="cx">         &amp;&amp; !structure.typeInfo().overridesGetOwnPropertySlot();
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-ALWAYS_INLINE const ClassInfo* JSCell::classInfo() const
</del><ins>+inline const ClassInfo* JSCell::classInfo() const
</ins><span class="cx"> {
</span><del>-    if (isLargeAllocation()) {
-        LargeAllocation&amp; allocation = largeAllocation();
-        if (allocation.attributes().destruction == NeedsDestruction
-            &amp;&amp; !(inlineTypeFlags() &amp; StructureIsImmortal))
-            return static_cast&lt;const JSDestructibleObject*&gt;(this)-&gt;classInfo();
-        return structure(*allocation.vm())-&gt;classInfo();
-    }
-    MarkedBlock&amp; block = markedBlock();
-    if (block.needsDestruction() &amp;&amp; !(inlineTypeFlags() &amp; StructureIsImmortal))
</del><ins>+    MarkedBlock* block = MarkedBlock::blockFor(this);
+    if (block-&gt;needsDestruction() &amp;&amp; !(inlineTypeFlags() &amp; StructureIsImmortal))
</ins><span class="cx">         return static_cast&lt;const JSDestructibleObject*&gt;(this)-&gt;classInfo();
</span><del>-    return structure(*block.vm())-&gt;classInfo();
</del><ins>+    return structure(*block-&gt;vm())-&gt;classInfo();
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> inline bool JSCell::toBoolean(ExecState* exec) const
</span><span class="lines">@@ -261,18 +257,6 @@
</span><span class="cx">     return MixedTriState;
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-inline void JSCell::callDestructor(VM&amp; vm)
-{
-    if (isZapped())
-        return;
-    ASSERT(structureID());
-    if (inlineTypeFlags() &amp; StructureIsImmortal)
-        structure(vm)-&gt;classInfo()-&gt;methodTable.destroy(this);
-    else
-        jsCast&lt;JSDestructibleObject*&gt;(this)-&gt;classInfo()-&gt;methodTable.destroy(this);
-    zap();
-}
-
</del><span class="cx"> } // namespace JSC
</span><span class="cx"> 
</span><span class="cx"> #endif // JSCellInlines_h
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSFunctioncpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSFunction.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSFunction.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/JSFunction.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -62,7 +62,7 @@
</span><span class="cx"> 
</span><span class="cx"> JSFunction* JSFunction::create(VM&amp; vm, FunctionExecutable* executable, JSScope* scope)
</span><span class="cx"> {
</span><del>-    return create(vm, executable, scope, scope-&gt;globalObject(vm)-&gt;functionStructure());
</del><ins>+    return create(vm, executable, scope, scope-&gt;globalObject()-&gt;functionStructure());
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> JSFunction* JSFunction::create(VM&amp; vm, FunctionExecutable* executable, JSScope* scope, Structure* structure)
</span><span class="lines">@@ -76,7 +76,7 @@
</span><span class="cx"> JSFunction* JSFunction::create(VM&amp; vm, WebAssemblyExecutable* executable, JSScope* scope)
</span><span class="cx"> {
</span><span class="cx">     JSFunction* function = new (NotNull, allocateCell&lt;JSFunction&gt;(vm.heap)) JSFunction(vm, executable, scope);
</span><del>-    ASSERT(function-&gt;structure(vm)-&gt;globalObject());
</del><ins>+    ASSERT(function-&gt;structure()-&gt;globalObject());
</ins><span class="cx">     function-&gt;finishCreation(vm);
</span><span class="cx">     return function;
</span><span class="cx"> }
</span><span class="lines">@@ -143,9 +143,9 @@
</span><span class="cx">     VM&amp; vm = exec-&gt;vm();
</span><span class="cx">     JSObject* prototype = jsDynamicCast&lt;JSObject*&gt;(get(exec, vm.propertyNames-&gt;prototype));
</span><span class="cx">     if (!prototype)
</span><del>-        prototype = globalObject(vm)-&gt;objectPrototype();
</del><ins>+        prototype = globalObject()-&gt;objectPrototype();
</ins><span class="cx">     FunctionRareData* rareData = FunctionRareData::create(vm);
</span><del>-    rareData-&gt;initializeObjectAllocationProfile(vm, prototype, inlineCapacity);
</del><ins>+    rareData-&gt;initializeObjectAllocationProfile(globalObject()-&gt;vm(), prototype, inlineCapacity);
</ins><span class="cx"> 
</span><span class="cx">     // A DFG compilation thread may be trying to read the rare data
</span><span class="cx">     // We want to ensure that it sees it properly allocated
</span><span class="lines">@@ -161,8 +161,8 @@
</span><span class="cx">     VM&amp; vm = exec-&gt;vm();
</span><span class="cx">     JSObject* prototype = jsDynamicCast&lt;JSObject*&gt;(get(exec, vm.propertyNames-&gt;prototype));
</span><span class="cx">     if (!prototype)
</span><del>-        prototype = globalObject(vm)-&gt;objectPrototype();
-    m_rareData-&gt;initializeObjectAllocationProfile(vm, prototype, inlineCapacity);
</del><ins>+        prototype = globalObject()-&gt;objectPrototype();
+    m_rareData-&gt;initializeObjectAllocationProfile(globalObject()-&gt;vm(), prototype, inlineCapacity);
</ins><span class="cx">     return m_rareData.get();
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="lines">@@ -340,26 +340,26 @@
</span><span class="cx"> 
</span><span class="cx"> bool JSFunction::getOwnPropertySlot(JSObject* object, ExecState* exec, PropertyName propertyName, PropertySlot&amp; slot)
</span><span class="cx"> {
</span><del>-    VM&amp; vm = exec-&gt;vm();
</del><span class="cx">     JSFunction* thisObject = jsCast&lt;JSFunction*&gt;(object);
</span><span class="cx">     if (thisObject-&gt;isHostOrBuiltinFunction()) {
</span><del>-        thisObject-&gt;reifyBoundNameIfNeeded(vm, exec, propertyName);
</del><ins>+        thisObject-&gt;reifyBoundNameIfNeeded(exec, propertyName);
</ins><span class="cx">         return Base::getOwnPropertySlot(thisObject, exec, propertyName, slot);
</span><span class="cx">     }
</span><span class="cx"> 
</span><del>-    if (propertyName == vm.propertyNames-&gt;prototype &amp;&amp; !thisObject-&gt;jsExecutable()-&gt;isArrowFunction()) {
</del><ins>+    if (propertyName == exec-&gt;propertyNames().prototype &amp;&amp; !thisObject-&gt;jsExecutable()-&gt;isArrowFunction()) {
+        VM&amp; vm = exec-&gt;vm();
</ins><span class="cx">         unsigned attributes;
</span><span class="cx">         PropertyOffset offset = thisObject-&gt;getDirectOffset(vm, propertyName, attributes);
</span><span class="cx">         if (!isValidOffset(offset)) {
</span><span class="cx">             JSObject* prototype = nullptr;
</span><span class="cx">             if (thisObject-&gt;jsExecutable()-&gt;parseMode() == SourceParseMode::GeneratorWrapperFunctionMode)
</span><del>-                prototype = constructEmptyObject(exec, thisObject-&gt;globalObject(vm)-&gt;generatorPrototype());
</del><ins>+                prototype = constructEmptyObject(exec, thisObject-&gt;globalObject()-&gt;generatorPrototype());
</ins><span class="cx">             else
</span><span class="cx">                 prototype = constructEmptyObject(exec);
</span><span class="cx"> 
</span><del>-            prototype-&gt;putDirect(vm, vm.propertyNames-&gt;constructor, thisObject, DontEnum);
-            thisObject-&gt;putDirect(vm, vm.propertyNames-&gt;prototype, prototype, DontDelete | DontEnum);
-            offset = thisObject-&gt;getDirectOffset(vm, vm.propertyNames-&gt;prototype, attributes);
</del><ins>+            prototype-&gt;putDirect(vm, exec-&gt;propertyNames().constructor, thisObject, DontEnum);
+            thisObject-&gt;putDirect(vm, exec-&gt;propertyNames().prototype, prototype, DontDelete | DontEnum);
+            offset = thisObject-&gt;getDirectOffset(vm, exec-&gt;propertyNames().prototype, attributes);
</ins><span class="cx">             ASSERT(isValidOffset(offset));
</span><span class="cx">         }
</span><span class="cx"> 
</span><span class="lines">@@ -366,11 +366,11 @@
</span><span class="cx">         slot.setValue(thisObject, attributes, thisObject-&gt;getDirect(offset), offset);
</span><span class="cx">     }
</span><span class="cx"> 
</span><del>-    if (propertyName == vm.propertyNames-&gt;arguments) {
</del><ins>+    if (propertyName == exec-&gt;propertyNames().arguments) {
</ins><span class="cx">         if (thisObject-&gt;jsExecutable()-&gt;isStrictMode() || thisObject-&gt;jsExecutable()-&gt;isClassConstructorFunction()) {
</span><span class="cx">             bool result = Base::getOwnPropertySlot(thisObject, exec, propertyName, slot);
</span><span class="cx">             if (!result) {
</span><del>-                GetterSetter* errorGetterSetter = thisObject-&gt;globalObject(vm)-&gt;throwTypeErrorArgumentsCalleeAndCallerGetterSetter();
</del><ins>+                GetterSetter* errorGetterSetter = thisObject-&gt;globalObject()-&gt;throwTypeErrorArgumentsCalleeAndCallerGetterSetter();
</ins><span class="cx">                 thisObject-&gt;putDirectAccessor(exec, propertyName, errorGetterSetter, DontDelete | DontEnum | Accessor);
</span><span class="cx">                 result = Base::getOwnPropertySlot(thisObject, exec, propertyName, slot);
</span><span class="cx">                 ASSERT(result);
</span><span class="lines">@@ -381,11 +381,11 @@
</span><span class="cx">         return true;
</span><span class="cx">     }
</span><span class="cx"> 
</span><del>-    if (propertyName == vm.propertyNames-&gt;caller) {
</del><ins>+    if (propertyName == exec-&gt;propertyNames().caller) {
</ins><span class="cx">         if (thisObject-&gt;jsExecutable()-&gt;isStrictMode() || thisObject-&gt;jsExecutable()-&gt;isClassConstructorFunction()) {
</span><span class="cx">             bool result = Base::getOwnPropertySlot(thisObject, exec, propertyName, slot);
</span><span class="cx">             if (!result) {
</span><del>-                GetterSetter* errorGetterSetter = thisObject-&gt;globalObject(vm)-&gt;throwTypeErrorArgumentsCalleeAndCallerGetterSetter();
</del><ins>+                GetterSetter* errorGetterSetter = thisObject-&gt;globalObject()-&gt;throwTypeErrorArgumentsCalleeAndCallerGetterSetter();
</ins><span class="cx">                 thisObject-&gt;putDirectAccessor(exec, propertyName, errorGetterSetter, DontDelete | DontEnum | Accessor);
</span><span class="cx">                 result = Base::getOwnPropertySlot(thisObject, exec, propertyName, slot);
</span><span class="cx">                 ASSERT(result);
</span><span class="lines">@@ -396,7 +396,7 @@
</span><span class="cx">         return true;
</span><span class="cx">     }
</span><span class="cx"> 
</span><del>-    thisObject-&gt;reifyLazyPropertyIfNeeded(vm, exec, propertyName);
</del><ins>+    thisObject-&gt;reifyLazyPropertyIfNeeded(exec, propertyName);
</ins><span class="cx"> 
</span><span class="cx">     return Base::getOwnPropertySlot(thisObject, exec, propertyName, slot);
</span><span class="cx"> }
</span><span class="lines">@@ -423,7 +423,6 @@
</span><span class="cx"> 
</span><span class="cx"> bool JSFunction::put(JSCell* cell, ExecState* exec, PropertyName propertyName, JSValue value, PutPropertySlot&amp; slot)
</span><span class="cx"> {
</span><del>-    VM&amp; vm = exec-&gt;vm();
</del><span class="cx">     JSFunction* thisObject = jsCast&lt;JSFunction*&gt;(cell);
</span><span class="cx"> 
</span><span class="cx">     if (UNLIKELY(isThisValueAltered(slot, thisObject)))
</span><span class="lines">@@ -430,15 +429,15 @@
</span><span class="cx">         return ordinarySetSlow(exec, thisObject, propertyName, value, slot.thisValue(), slot.isStrictMode());
</span><span class="cx"> 
</span><span class="cx">     if (thisObject-&gt;isHostOrBuiltinFunction()) {
</span><del>-        thisObject-&gt;reifyBoundNameIfNeeded(vm, exec, propertyName);
</del><ins>+        thisObject-&gt;reifyBoundNameIfNeeded(exec, propertyName);
</ins><span class="cx">         return Base::put(thisObject, exec, propertyName, value, slot);
</span><span class="cx">     }
</span><span class="cx"> 
</span><del>-    if (propertyName == vm.propertyNames-&gt;prototype) {
</del><ins>+    if (propertyName == exec-&gt;propertyNames().prototype) {
</ins><span class="cx">         // Make sure prototype has been reified, such that it can only be overwritten
</span><span class="cx">         // following the rules set out in ECMA-262 8.12.9.
</span><span class="cx">         PropertySlot slot(thisObject, PropertySlot::InternalMethodType::VMInquiry);
</span><del>-        thisObject-&gt;methodTable(vm)-&gt;getOwnPropertySlot(thisObject, exec, propertyName, slot);
</del><ins>+        thisObject-&gt;methodTable(exec-&gt;vm())-&gt;getOwnPropertySlot(thisObject, exec, propertyName, slot);
</ins><span class="cx">         if (thisObject-&gt;m_rareData)
</span><span class="cx">             thisObject-&gt;m_rareData-&gt;clear(&quot;Store to prototype property of a function&quot;);
</span><span class="cx">         // Don't allow this to be cached, since a [[Put]] must clear m_rareData.
</span><span class="lines">@@ -445,18 +444,18 @@
</span><span class="cx">         PutPropertySlot dontCache(thisObject);
</span><span class="cx">         return Base::put(thisObject, exec, propertyName, value, dontCache);
</span><span class="cx">     }
</span><del>-    if (thisObject-&gt;jsExecutable()-&gt;isStrictMode() &amp;&amp; (propertyName == vm.propertyNames-&gt;arguments || propertyName == vm.propertyNames-&gt;caller)) {
</del><ins>+    if (thisObject-&gt;jsExecutable()-&gt;isStrictMode() &amp;&amp; (propertyName == exec-&gt;propertyNames().arguments || propertyName == exec-&gt;propertyNames().caller)) {
</ins><span class="cx">         // This will trigger the property to be reified, if this is not already the case!
</span><span class="cx">         bool okay = thisObject-&gt;hasProperty(exec, propertyName);
</span><span class="cx">         ASSERT_UNUSED(okay, okay);
</span><span class="cx">         return Base::put(thisObject, exec, propertyName, value, slot);
</span><span class="cx">     }
</span><del>-    if (propertyName == vm.propertyNames-&gt;arguments || propertyName == vm.propertyNames-&gt;caller) {
</del><ins>+    if (propertyName == exec-&gt;propertyNames().arguments || propertyName == exec-&gt;propertyNames().caller) {
</ins><span class="cx">         if (slot.isStrictMode())
</span><span class="cx">             throwTypeError(exec, StrictModeReadonlyPropertyWriteError);
</span><span class="cx">         return false;
</span><span class="cx">     }
</span><del>-    thisObject-&gt;reifyLazyPropertyIfNeeded(vm, exec, propertyName);
</del><ins>+    thisObject-&gt;reifyLazyPropertyIfNeeded(exec, propertyName);
</ins><span class="cx">     return Base::put(thisObject, exec, propertyName, value, slot);
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="lines">@@ -464,17 +463,16 @@
</span><span class="cx"> {
</span><span class="cx">     JSFunction* thisObject = jsCast&lt;JSFunction*&gt;(cell);
</span><span class="cx">     if (thisObject-&gt;isHostOrBuiltinFunction())
</span><del>-        thisObject-&gt;reifyBoundNameIfNeeded(exec-&gt;vm(), exec, propertyName);
</del><ins>+        thisObject-&gt;reifyBoundNameIfNeeded(exec, propertyName);
</ins><span class="cx">     else if (exec-&gt;vm().deletePropertyMode() != VM::DeletePropertyMode::IgnoreConfigurable) {
</span><span class="cx">         // For non-host functions, don't let these properties by deleted - except by DefineOwnProperty.
</span><del>-        VM&amp; vm = exec-&gt;vm();
</del><span class="cx">         FunctionExecutable* executable = thisObject-&gt;jsExecutable();
</span><del>-        if (propertyName == vm.propertyNames-&gt;arguments
-            || (propertyName == vm.propertyNames-&gt;prototype &amp;&amp; !executable-&gt;isArrowFunction())
-            || propertyName == vm.propertyNames-&gt;caller)
</del><ins>+        if (propertyName == exec-&gt;propertyNames().arguments
+            || (propertyName == exec-&gt;propertyNames().prototype &amp;&amp; !executable-&gt;isArrowFunction())
+            || propertyName == exec-&gt;propertyNames().caller)
</ins><span class="cx">             return false;
</span><span class="cx"> 
</span><del>-        thisObject-&gt;reifyLazyPropertyIfNeeded(vm, exec, propertyName);
</del><ins>+        thisObject-&gt;reifyLazyPropertyIfNeeded(exec, propertyName);
</ins><span class="cx">     }
</span><span class="cx">     
</span><span class="cx">     return Base::deleteProperty(thisObject, exec, propertyName);
</span><span class="lines">@@ -482,18 +480,17 @@
</span><span class="cx"> 
</span><span class="cx"> bool JSFunction::defineOwnProperty(JSObject* object, ExecState* exec, PropertyName propertyName, const PropertyDescriptor&amp; descriptor, bool throwException)
</span><span class="cx"> {
</span><del>-    VM&amp; vm = exec-&gt;vm();
</del><span class="cx">     JSFunction* thisObject = jsCast&lt;JSFunction*&gt;(object);
</span><span class="cx">     if (thisObject-&gt;isHostOrBuiltinFunction()) {
</span><del>-        thisObject-&gt;reifyBoundNameIfNeeded(vm, exec, propertyName);
</del><ins>+        thisObject-&gt;reifyBoundNameIfNeeded(exec, propertyName);
</ins><span class="cx">         return Base::defineOwnProperty(object, exec, propertyName, descriptor, throwException);
</span><span class="cx">     }
</span><span class="cx"> 
</span><del>-    if (propertyName == vm.propertyNames-&gt;prototype) {
</del><ins>+    if (propertyName == exec-&gt;propertyNames().prototype) {
</ins><span class="cx">         // Make sure prototype has been reified, such that it can only be overwritten
</span><span class="cx">         // following the rules set out in ECMA-262 8.12.9.
</span><span class="cx">         PropertySlot slot(thisObject, PropertySlot::InternalMethodType::VMInquiry);
</span><del>-        thisObject-&gt;methodTable(vm)-&gt;getOwnPropertySlot(thisObject, exec, propertyName, slot);
</del><ins>+        thisObject-&gt;methodTable(exec-&gt;vm())-&gt;getOwnPropertySlot(thisObject, exec, propertyName, slot);
</ins><span class="cx">         if (thisObject-&gt;m_rareData)
</span><span class="cx">             thisObject-&gt;m_rareData-&gt;clear(&quot;Store to prototype property of a function&quot;);
</span><span class="cx">         return Base::defineOwnProperty(object, exec, propertyName, descriptor, throwException);
</span><span class="lines">@@ -500,24 +497,24 @@
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     bool valueCheck;
</span><del>-    if (propertyName == vm.propertyNames-&gt;arguments) {
</del><ins>+    if (propertyName == exec-&gt;propertyNames().arguments) {
</ins><span class="cx">         if (thisObject-&gt;jsExecutable()-&gt;isStrictMode()) {
</span><span class="cx">             PropertySlot slot(thisObject, PropertySlot::InternalMethodType::VMInquiry);
</span><span class="cx">             if (!Base::getOwnPropertySlot(thisObject, exec, propertyName, slot))
</span><del>-                thisObject-&gt;putDirectAccessor(exec, propertyName, thisObject-&gt;globalObject(vm)-&gt;throwTypeErrorArgumentsCalleeAndCallerGetterSetter(), DontDelete | DontEnum | Accessor);
</del><ins>+                thisObject-&gt;putDirectAccessor(exec, propertyName, thisObject-&gt;globalObject()-&gt;throwTypeErrorArgumentsCalleeAndCallerGetterSetter(), DontDelete | DontEnum | Accessor);
</ins><span class="cx">             return Base::defineOwnProperty(object, exec, propertyName, descriptor, throwException);
</span><span class="cx">         }
</span><span class="cx">         valueCheck = !descriptor.value() || sameValue(exec, descriptor.value(), retrieveArguments(exec, thisObject));
</span><del>-    } else if (propertyName == vm.propertyNames-&gt;caller) {
</del><ins>+    } else if (propertyName == exec-&gt;propertyNames().caller) {
</ins><span class="cx">         if (thisObject-&gt;jsExecutable()-&gt;isStrictMode()) {
</span><span class="cx">             PropertySlot slot(thisObject, PropertySlot::InternalMethodType::VMInquiry);
</span><span class="cx">             if (!Base::getOwnPropertySlot(thisObject, exec, propertyName, slot))
</span><del>-                thisObject-&gt;putDirectAccessor(exec, propertyName, thisObject-&gt;globalObject(vm)-&gt;throwTypeErrorArgumentsCalleeAndCallerGetterSetter(), DontDelete | DontEnum | Accessor);
</del><ins>+                thisObject-&gt;putDirectAccessor(exec, propertyName, thisObject-&gt;globalObject()-&gt;throwTypeErrorArgumentsCalleeAndCallerGetterSetter(), DontDelete | DontEnum | Accessor);
</ins><span class="cx">             return Base::defineOwnProperty(object, exec, propertyName, descriptor, throwException);
</span><span class="cx">         }
</span><span class="cx">         valueCheck = !descriptor.value() || sameValue(exec, descriptor.value(), retrieveCallerFunction(exec, thisObject));
</span><span class="cx">     } else {
</span><del>-        thisObject-&gt;reifyLazyPropertyIfNeeded(vm, exec, propertyName);
</del><ins>+        thisObject-&gt;reifyLazyPropertyIfNeeded(exec, propertyName);
</ins><span class="cx">         return Base::defineOwnProperty(object, exec, propertyName, descriptor, throwException);
</span><span class="cx">     }
</span><span class="cx">      
</span><span class="lines">@@ -579,7 +576,6 @@
</span><span class="cx"> 
</span><span class="cx"> void JSFunction::setFunctionName(ExecState* exec, JSValue value)
</span><span class="cx"> {
</span><del>-    VM&amp; vm = exec-&gt;vm();
</del><span class="cx">     // The &quot;name&quot; property may have been already been defined as part of a property list in an
</span><span class="cx">     // object literal (and therefore reified).
</span><span class="cx">     if (hasReifiedName())
</span><span class="lines">@@ -595,6 +591,7 @@
</span><span class="cx">         else
</span><span class="cx">             name = makeString('[', String(uid), ']');
</span><span class="cx">     } else {
</span><ins>+        VM&amp; vm = exec-&gt;vm();
</ins><span class="cx">         JSString* jsStr = value.toString(exec);
</span><span class="cx">         if (vm.exception())
</span><span class="cx">             return;
</span><span class="lines">@@ -602,11 +599,12 @@
</span><span class="cx">         if (vm.exception())
</span><span class="cx">             return;
</span><span class="cx">     }
</span><del>-    reifyName(vm, exec, name);
</del><ins>+    reifyName(exec, name);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><del>-void JSFunction::reifyLength(VM&amp; vm)
</del><ins>+void JSFunction::reifyLength(ExecState* exec)
</ins><span class="cx"> {
</span><ins>+    VM&amp; vm = exec-&gt;vm();
</ins><span class="cx">     FunctionRareData* rareData = this-&gt;rareData(vm);
</span><span class="cx"> 
</span><span class="cx">     ASSERT(!hasReifiedLength());
</span><span class="lines">@@ -613,13 +611,13 @@
</span><span class="cx">     ASSERT(!isHostFunction());
</span><span class="cx">     JSValue initialValue = jsNumber(jsExecutable()-&gt;parameterCount());
</span><span class="cx">     unsigned initialAttributes = DontEnum | ReadOnly;
</span><del>-    const Identifier&amp; identifier = vm.propertyNames-&gt;length;
</del><ins>+    const Identifier&amp; identifier = exec-&gt;propertyNames().length;
</ins><span class="cx">     putDirect(vm, identifier, initialValue, initialAttributes);
</span><span class="cx"> 
</span><span class="cx">     rareData-&gt;setHasReifiedLength();
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-void JSFunction::reifyName(VM&amp; vm, ExecState* exec)
</del><ins>+void JSFunction::reifyName(ExecState* exec)
</ins><span class="cx"> {
</span><span class="cx">     const Identifier&amp; ecmaName = jsExecutable()-&gt;ecmaName();
</span><span class="cx">     String name;
</span><span class="lines">@@ -630,17 +628,18 @@
</span><span class="cx">         name = exec-&gt;propertyNames().defaultKeyword.string();
</span><span class="cx">     else
</span><span class="cx">         name = ecmaName.string();
</span><del>-    reifyName(vm, exec, name);
</del><ins>+    reifyName(exec, name);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><del>-void JSFunction::reifyName(VM&amp; vm, ExecState* exec, String name)
</del><ins>+void JSFunction::reifyName(ExecState* exec, String name)
</ins><span class="cx"> {
</span><ins>+    VM&amp; vm = exec-&gt;vm();
</ins><span class="cx">     FunctionRareData* rareData = this-&gt;rareData(vm);
</span><span class="cx"> 
</span><span class="cx">     ASSERT(!hasReifiedName());
</span><span class="cx">     ASSERT(!isHostFunction());
</span><span class="cx">     unsigned initialAttributes = DontEnum | ReadOnly;
</span><del>-    const Identifier&amp; propID = vm.propertyNames-&gt;name;
</del><ins>+    const Identifier&amp; propID = exec-&gt;propertyNames().name;
</ins><span class="cx"> 
</span><span class="cx">     if (exec-&gt;lexicalGlobalObject()-&gt;needsSiteSpecificQuirks()) {
</span><span class="cx">         auto illegalCharMatcher = [] (UChar ch) -&gt; bool {
</span><span class="lines">@@ -659,20 +658,20 @@
</span><span class="cx">     rareData-&gt;setHasReifiedName();
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-void JSFunction::reifyLazyPropertyIfNeeded(VM&amp; vm, ExecState* exec, PropertyName propertyName)
</del><ins>+void JSFunction::reifyLazyPropertyIfNeeded(ExecState* exec, PropertyName propertyName)
</ins><span class="cx"> {
</span><del>-    if (propertyName == vm.propertyNames-&gt;length) {
</del><ins>+    if (propertyName == exec-&gt;propertyNames().length) {
</ins><span class="cx">         if (!hasReifiedLength())
</span><del>-            reifyLength(vm);
-    } else if (propertyName == vm.propertyNames-&gt;name) {
</del><ins>+            reifyLength(exec);
+    } else if (propertyName == exec-&gt;propertyNames().name) {
</ins><span class="cx">         if (!hasReifiedName())
</span><del>-            reifyName(vm, exec);
</del><ins>+            reifyName(exec);
</ins><span class="cx">     }
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-void JSFunction::reifyBoundNameIfNeeded(VM&amp; vm, ExecState* exec, PropertyName propertyName)
</del><ins>+void JSFunction::reifyBoundNameIfNeeded(ExecState* exec, PropertyName propertyName)
</ins><span class="cx"> {
</span><del>-    const Identifier&amp; nameIdent = vm.propertyNames-&gt;name;
</del><ins>+    const Identifier&amp; nameIdent = exec-&gt;propertyNames().name;
</ins><span class="cx">     if (propertyName != nameIdent)
</span><span class="cx">         return;
</span><span class="cx"> 
</span><span class="lines">@@ -680,6 +679,7 @@
</span><span class="cx">         return;
</span><span class="cx"> 
</span><span class="cx">     if (this-&gt;inherits(JSBoundFunction::info())) {
</span><ins>+        VM&amp; vm = exec-&gt;vm();
</ins><span class="cx">         FunctionRareData* rareData = this-&gt;rareData(vm);
</span><span class="cx">         String name = makeString(&quot;bound &quot;, static_cast&lt;NativeExecutable*&gt;(m_executable.get())-&gt;name());
</span><span class="cx">         unsigned initialAttributes = DontEnum | ReadOnly;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSFunctionh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSFunction.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSFunction.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/JSFunction.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -189,11 +189,11 @@
</span><span class="cx"> 
</span><span class="cx">     bool hasReifiedLength() const;
</span><span class="cx">     bool hasReifiedName() const;
</span><del>-    void reifyLength(VM&amp;);
-    void reifyName(VM&amp;, ExecState*);
-    void reifyBoundNameIfNeeded(VM&amp;, ExecState*, PropertyName);
-    void reifyName(VM&amp;, ExecState*, String name);
-    void reifyLazyPropertyIfNeeded(VM&amp;, ExecState*, PropertyName propertyName);
</del><ins>+    void reifyLength(ExecState*);
+    void reifyName(ExecState*);
+    void reifyBoundNameIfNeeded(ExecState*, PropertyName);
+    void reifyName(ExecState*, String name);
+    void reifyLazyPropertyIfNeeded(ExecState*, PropertyName propertyName);
</ins><span class="cx"> 
</span><span class="cx">     friend class LLIntOffsetsExtractor;
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSFunctionInlinesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSFunctionInlines.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSFunctionInlines.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/JSFunctionInlines.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -35,7 +35,7 @@
</span><span class="cx">     VM&amp; vm, FunctionExecutable* executable, JSScope* scope)
</span><span class="cx"> {
</span><span class="cx">     ASSERT(executable-&gt;singletonFunction()-&gt;hasBeenInvalidated());
</span><del>-    return createImpl(vm, executable, scope, scope-&gt;globalObject(vm)-&gt;functionStructure());
</del><ins>+    return createImpl(vm, executable, scope, scope-&gt;globalObject()-&gt;functionStructure());
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> inline JSFunction::JSFunction(VM&amp; vm, FunctionExecutable* executable, JSScope* scope, Structure* structure)
</span><span class="lines">@@ -47,7 +47,7 @@
</span><span class="cx"> 
</span><span class="cx"> #if ENABLE(WEBASSEMBLY)
</span><span class="cx"> inline JSFunction::JSFunction(VM&amp; vm, WebAssemblyExecutable* executable, JSScope* scope)
</span><del>-    : Base(vm, scope, scope-&gt;globalObject(vm)-&gt;functionStructure())
</del><ins>+    : Base(vm, scope, scope-&gt;globalObject()-&gt;functionStructure())
</ins><span class="cx">     , m_executable(vm, this, executable)
</span><span class="cx">     , m_rareData()
</span><span class="cx"> {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSGenericTypedArrayViewInlinesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -510,15 +510,25 @@
</span><span class="cx">     // up. But if you do *anything* to trigger a GC watermark check, it will know
</span><span class="cx">     // that you *had* done those allocations and it will GC appropriately.
</span><span class="cx">     Heap* heap = Heap::heap(thisObject);
</span><del>-    VM&amp; vm = *heap-&gt;vm();
</del><span class="cx">     DeferGCForAWhile deferGC(*heap);
</span><span class="cx">     
</span><span class="cx">     ASSERT(!thisObject-&gt;hasIndexingHeader());
</span><span class="cx"> 
</span><del>-    RELEASE_ASSERT(!thisObject-&gt;hasIndexingHeader());
-    thisObject-&gt;m_butterfly.set(vm, thisObject, Butterfly::createOrGrowArrayRight(
-        thisObject-&gt;butterfly(), vm, thisObject, thisObject-&gt;structure(),
-        thisObject-&gt;structure()-&gt;outOfLineCapacity(), false, 0, 0));
</del><ins>+    size_t size = thisObject-&gt;byteSize();
+    
+    if (thisObject-&gt;m_mode == FastTypedArray
+        &amp;&amp; !thisObject-&gt;butterfly() &amp;&amp; size &gt;= sizeof(IndexingHeader)) {
+        ASSERT(thisObject-&gt;m_vector);
+        // Reuse already allocated memory if at all possible.
+        thisObject-&gt;m_butterfly.setWithoutBarrier(
+            bitwise_cast&lt;IndexingHeader*&gt;(thisObject-&gt;vector())-&gt;butterfly());
+    } else {
+        RELEASE_ASSERT(!thisObject-&gt;hasIndexingHeader());
+        VM&amp; vm = *heap-&gt;vm();
+        thisObject-&gt;m_butterfly.set(vm, thisObject, Butterfly::createOrGrowArrayRight(
+            thisObject-&gt;butterfly(), vm, thisObject, thisObject-&gt;structure(),
+            thisObject-&gt;structure()-&gt;outOfLineCapacity(), false, 0, 0));
+    }
</ins><span class="cx"> 
</span><span class="cx">     RefPtr&lt;ArrayBuffer&gt; buffer;
</span><span class="cx">     
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSInternalPromisecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSInternalPromise.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSInternalPromise.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/JSInternalPromise.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -27,7 +27,9 @@
</span><span class="cx"> #include &quot;JSInternalPromise.h&quot;
</span><span class="cx"> 
</span><span class="cx"> #include &quot;BuiltinNames.h&quot;
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;JSCJSValueInlines.h&quot;
+#include &quot;JSCellInlines.h&quot;
+#include &quot;StructureInlines.h&quot;
</ins><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSInternalPromiseConstructorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSInternalPromiseConstructor.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSInternalPromiseConstructor.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/JSInternalPromiseConstructor.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -27,9 +27,11 @@
</span><span class="cx"> #include &quot;JSInternalPromiseConstructor.h&quot;
</span><span class="cx"> 
</span><span class="cx"> #include &quot;JSCBuiltins.h&quot;
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;JSCJSValueInlines.h&quot;
+#include &quot;JSCellInlines.h&quot;
</ins><span class="cx"> #include &quot;JSInternalPromise.h&quot;
</span><span class="cx"> #include &quot;JSInternalPromisePrototype.h&quot;
</span><ins>+#include &quot;StructureInlines.h&quot;
</ins><span class="cx"> 
</span><span class="cx"> #include &quot;JSInternalPromiseConstructor.lut.h&quot;
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSInternalPromiseDeferredcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSInternalPromiseDeferred.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSInternalPromiseDeferred.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/JSInternalPromiseDeferred.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -29,9 +29,12 @@
</span><span class="cx"> #include &quot;BuiltinNames.h&quot;
</span><span class="cx"> #include &quot;Error.h&quot;
</span><span class="cx"> #include &quot;Exception.h&quot;
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;JSCJSValueInlines.h&quot;
+#include &quot;JSCellInlines.h&quot;
</ins><span class="cx"> #include &quot;JSInternalPromise.h&quot;
</span><span class="cx"> #include &quot;JSInternalPromiseConstructor.h&quot;
</span><ins>+#include &quot;SlotVisitorInlines.h&quot;
+#include &quot;StructureInlines.h&quot;
</ins><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSInternalPromisePrototypecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSInternalPromisePrototype.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSInternalPromisePrototype.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/JSInternalPromisePrototype.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -28,10 +28,12 @@
</span><span class="cx"> 
</span><span class="cx"> #include &quot;Error.h&quot;
</span><span class="cx"> #include &quot;JSCBuiltins.h&quot;
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;JSCJSValueInlines.h&quot;
+#include &quot;JSCellInlines.h&quot;
</ins><span class="cx"> #include &quot;JSGlobalObject.h&quot;
</span><span class="cx"> #include &quot;JSInternalPromise.h&quot;
</span><span class="cx"> #include &quot;Microtask.h&quot;
</span><ins>+#include &quot;StructureInlines.h&quot;
</ins><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSJobcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSJob.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSJob.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/JSJob.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -28,9 +28,11 @@
</span><span class="cx"> 
</span><span class="cx"> #include &quot;Error.h&quot;
</span><span class="cx"> #include &quot;Exception.h&quot;
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;JSCJSValueInlines.h&quot;
+#include &quot;JSCellInlines.h&quot;
</ins><span class="cx"> #include &quot;JSGlobalObject.h&quot;
</span><span class="cx"> #include &quot;Microtask.h&quot;
</span><ins>+#include &quot;SlotVisitorInlines.h&quot;
</ins><span class="cx"> #include &quot;StrongInlines.h&quot;
</span><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSMapIteratorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSMapIterator.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSMapIterator.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/JSMapIterator.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2013, 2016 Apple, Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2013 Apple, Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -26,9 +26,12 @@
</span><span class="cx"> #include &quot;config.h&quot;
</span><span class="cx"> #include &quot;JSMapIterator.h&quot;
</span><span class="cx"> 
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;JSCJSValueInlines.h&quot;
+#include &quot;JSCellInlines.h&quot;
</ins><span class="cx"> #include &quot;JSMap.h&quot;
</span><span class="cx"> #include &quot;MapDataInlines.h&quot;
</span><ins>+#include &quot;SlotVisitorInlines.h&quot;
+#include &quot;StructureInlines.h&quot;
</ins><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSModuleNamespaceObjectcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSModuleNamespaceObject.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSModuleNamespaceObject.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/JSModuleNamespaceObject.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2015-2016 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2015 Apple Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -27,10 +27,14 @@
</span><span class="cx"> #include &quot;JSModuleNamespaceObject.h&quot;
</span><span class="cx"> 
</span><span class="cx"> #include &quot;Error.h&quot;
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;IdentifierInlines.h&quot;
+#include &quot;JSCJSValueInlines.h&quot;
+#include &quot;JSCellInlines.h&quot;
</ins><span class="cx"> #include &quot;JSModuleEnvironment.h&quot;
</span><span class="cx"> #include &quot;JSModuleRecord.h&quot;
</span><span class="cx"> #include &quot;JSPropertyNameIterator.h&quot;
</span><ins>+#include &quot;SlotVisitorInlines.h&quot;
+#include &quot;StructureInlines.h&quot;
</ins><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSModuleRecordcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSModuleRecord.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSModuleRecord.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/JSModuleRecord.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2015-2016 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2015 Apple Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -28,11 +28,14 @@
</span><span class="cx"> 
</span><span class="cx"> #include &quot;Error.h&quot;
</span><span class="cx"> #include &quot;Executable.h&quot;
</span><del>-#include &quot;Interpreter.h&quot;
-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;IdentifierInlines.h&quot;
+#include &quot;JSCJSValueInlines.h&quot;
+#include &quot;JSCellInlines.h&quot;
</ins><span class="cx"> #include &quot;JSMap.h&quot;
</span><span class="cx"> #include &quot;JSModuleEnvironment.h&quot;
</span><span class="cx"> #include &quot;JSModuleNamespaceObject.h&quot;
</span><ins>+#include &quot;SlotVisitorInlines.h&quot;
+#include &quot;StructureInlines.h&quot;
</ins><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSObjectcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSObject.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSObject.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/JSObject.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -55,12 +55,6 @@
</span><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span><del>-#if 0
-#define LOGIT() dataLog(RawPointer(this), &quot;: &quot;, WTF_PRETTY_FUNCTION, &quot;\n&quot;);
-#else
-#define LOGIT() do { } while(false)
-#endif
-
</del><span class="cx"> // We keep track of the size of the last array after it was grown. We use this
</span><span class="cx"> // as a simple heuristic for as the value to grow the next array from size 0.
</span><span class="cx"> // This value is capped by the constant FIRST_VECTOR_GROW defined in
</span><span class="lines">@@ -94,6 +88,77 @@
</span><span class="cx">     }
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+ALWAYS_INLINE void JSObject::copyButterfly(CopyVisitor&amp; visitor, Butterfly* butterfly, size_t storageSize)
+{
+    ASSERT(butterfly);
+    
+    Structure* structure = this-&gt;structure();
+    
+    size_t propertyCapacity = structure-&gt;outOfLineCapacity();
+    size_t preCapacity;
+    size_t indexingPayloadSizeInBytes;
+    bool hasIndexingHeader = this-&gt;hasIndexingHeader();
+    if (UNLIKELY(hasIndexingHeader)) {
+        preCapacity = butterfly-&gt;indexingHeader()-&gt;preCapacity(structure);
+        indexingPayloadSizeInBytes = butterfly-&gt;indexingHeader()-&gt;indexingPayloadSizeInBytes(structure);
+    } else {
+        preCapacity = 0;
+        indexingPayloadSizeInBytes = 0;
+    }
+    size_t capacityInBytes = Butterfly::totalSize(preCapacity, propertyCapacity, hasIndexingHeader, indexingPayloadSizeInBytes);
+    if (visitor.checkIfShouldCopy(butterfly-&gt;base(preCapacity, propertyCapacity))) {
+        Butterfly* newButterfly = Butterfly::createUninitializedDuringCollection(visitor, preCapacity, propertyCapacity, hasIndexingHeader, indexingPayloadSizeInBytes);
+
+        // Copy the properties.
+        PropertyStorage currentTarget = newButterfly-&gt;propertyStorage();
+        PropertyStorage currentSource = butterfly-&gt;propertyStorage();
+        for (size_t count = storageSize; count--;)
+            (--currentTarget)-&gt;setWithoutWriteBarrier((--currentSource)-&gt;get());
+        
+        if (UNLIKELY(hasIndexingHeader)) {
+            *newButterfly-&gt;indexingHeader() = *butterfly-&gt;indexingHeader();
+            
+            // Copy the array if appropriate.
+            
+            WriteBarrier&lt;Unknown&gt;* currentTarget;
+            WriteBarrier&lt;Unknown&gt;* currentSource;
+            size_t count;
+            
+            switch (this-&gt;indexingType()) {
+            case ALL_UNDECIDED_INDEXING_TYPES:
+            case ALL_CONTIGUOUS_INDEXING_TYPES:
+            case ALL_INT32_INDEXING_TYPES:
+            case ALL_DOUBLE_INDEXING_TYPES: {
+                currentTarget = newButterfly-&gt;contiguous().data();
+                currentSource = butterfly-&gt;contiguous().data();
+                RELEASE_ASSERT(newButterfly-&gt;publicLength() &lt;= newButterfly-&gt;vectorLength());
+                count = newButterfly-&gt;vectorLength();
+                break;
+            }
+                
+            case ALL_ARRAY_STORAGE_INDEXING_TYPES: {
+                newButterfly-&gt;arrayStorage()-&gt;copyHeaderFromDuringGC(*butterfly-&gt;arrayStorage());
+                currentTarget = newButterfly-&gt;arrayStorage()-&gt;m_vector;
+                currentSource = butterfly-&gt;arrayStorage()-&gt;m_vector;
+                count = newButterfly-&gt;arrayStorage()-&gt;vectorLength();
+                break;
+            }
+                
+            default:
+                currentTarget = 0;
+                currentSource = 0;
+                count = 0;
+                break;
+            }
+
+            memcpy(currentTarget, currentSource, count * sizeof(EncodedJSValue));
+        }
+        
+        m_butterfly.setWithoutBarrier(newButterfly);
+        visitor.didCopy(butterfly-&gt;base(preCapacity, propertyCapacity), capacityInBytes);
+    } 
+}
+
</ins><span class="cx"> ALWAYS_INLINE void JSObject::visitButterfly(SlotVisitor&amp; visitor, Butterfly* butterfly, Structure* structure)
</span><span class="cx"> {
</span><span class="cx">     ASSERT(butterfly);
</span><span class="lines">@@ -101,21 +166,22 @@
</span><span class="cx">     size_t storageSize = structure-&gt;outOfLineSize();
</span><span class="cx">     size_t propertyCapacity = structure-&gt;outOfLineCapacity();
</span><span class="cx">     size_t preCapacity;
</span><ins>+    size_t indexingPayloadSizeInBytes;
</ins><span class="cx">     bool hasIndexingHeader = this-&gt;hasIndexingHeader();
</span><del>-    if (UNLIKELY(hasIndexingHeader))
</del><ins>+    if (UNLIKELY(hasIndexingHeader)) {
</ins><span class="cx">         preCapacity = butterfly-&gt;indexingHeader()-&gt;preCapacity(structure);
</span><del>-    else
</del><ins>+        indexingPayloadSizeInBytes = butterfly-&gt;indexingHeader()-&gt;indexingPayloadSizeInBytes(structure);
+    } else {
</ins><span class="cx">         preCapacity = 0;
</span><del>-    
-    HeapCell* base = bitwise_cast&lt;HeapCell*&gt;(butterfly-&gt;base(preCapacity, propertyCapacity));
-    
-    ASSERT(Heap::heap(base) == visitor.heap());
</del><ins>+        indexingPayloadSizeInBytes = 0;
+    }
+    size_t capacityInBytes = Butterfly::totalSize(preCapacity, propertyCapacity, hasIndexingHeader, indexingPayloadSizeInBytes);
</ins><span class="cx"> 
</span><del>-    // Keep the butterfly alive.
-    visitor.markAuxiliary(base);
-    
</del><span class="cx">     // Mark the properties.
</span><span class="cx">     visitor.appendValuesHidden(butterfly-&gt;propertyStorage() - storageSize, storageSize);
</span><ins>+    visitor.copyLater(
+        this, ButterflyCopyToken,
+        butterfly-&gt;base(preCapacity, propertyCapacity), capacityInBytes);
</ins><span class="cx">     
</span><span class="cx">     // Mark the array if appropriate.
</span><span class="cx">     switch (this-&gt;indexingType()) {
</span><span class="lines">@@ -159,6 +225,19 @@
</span><span class="cx"> #endif
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+void JSObject::copyBackingStore(JSCell* cell, CopyVisitor&amp; visitor, CopyToken token)
+{
+    JSObject* thisObject = jsCast&lt;JSObject*&gt;(cell);
+    ASSERT_GC_OBJECT_INHERITS(thisObject, info());
+
+    if (token != ButterflyCopyToken)
+        return;
+    
+    Butterfly* butterfly = thisObject-&gt;m_butterfly.get();
+    if (butterfly)
+        thisObject-&gt;copyButterfly(visitor, butterfly, thisObject-&gt;structure()-&gt;outOfLineSize());
+}
+
</ins><span class="cx"> void JSObject::heapSnapshot(JSCell* cell, HeapSnapshotBuilder&amp; builder)
</span><span class="cx"> {
</span><span class="cx">     JSObject* thisObject = jsCast&lt;JSObject*&gt;(cell);
</span><span class="lines">@@ -697,23 +776,20 @@
</span><span class="cx">     if (!vm.prototypeMap.isPrototype(this))
</span><span class="cx">         return;
</span><span class="cx">     
</span><del>-    globalObject(vm)-&gt;haveABadTime(vm);
</del><ins>+    globalObject()-&gt;haveABadTime(vm);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><del>-Butterfly* JSObject::createInitialIndexedStorage(VM&amp; vm, unsigned length)
</del><ins>+Butterfly* JSObject::createInitialIndexedStorage(VM&amp; vm, unsigned length, size_t elementSize)
</ins><span class="cx"> {
</span><del>-    LOGIT();
</del><span class="cx">     ASSERT(length &lt; MAX_ARRAY_INDEX);
</span><span class="cx">     IndexingType oldType = indexingType();
</span><span class="cx">     ASSERT_UNUSED(oldType, !hasIndexedProperties(oldType));
</span><span class="cx">     ASSERT(!structure()-&gt;needsSlowPutIndexing());
</span><span class="cx">     ASSERT(!indexingShouldBeSparse());
</span><del>-    Structure* structure = this-&gt;structure(vm);
-    unsigned propertyCapacity = structure-&gt;outOfLineCapacity();
-    unsigned vectorLength = Butterfly::optimalContiguousVectorLength(propertyCapacity, length);
</del><ins>+    unsigned vectorLength = std::max(length, BASE_VECTOR_LEN);
</ins><span class="cx">     Butterfly* newButterfly = Butterfly::createOrGrowArrayRight(
</span><del>-        m_butterfly.get(), vm, this, structure, propertyCapacity, false, 0,
-        sizeof(EncodedJSValue) * vectorLength);
</del><ins>+        m_butterfly.get(), vm, this, structure(), structure()-&gt;outOfLineCapacity(), false, 0,
+        elementSize * vectorLength);
</ins><span class="cx">     newButterfly-&gt;setPublicLength(length);
</span><span class="cx">     newButterfly-&gt;setVectorLength(vectorLength);
</span><span class="cx">     return newButterfly;
</span><span class="lines">@@ -722,7 +798,7 @@
</span><span class="cx"> Butterfly* JSObject::createInitialUndecided(VM&amp; vm, unsigned length)
</span><span class="cx"> {
</span><span class="cx">     DeferGC deferGC(vm.heap);
</span><del>-    Butterfly* newButterfly = createInitialIndexedStorage(vm, length);
</del><ins>+    Butterfly* newButterfly = createInitialIndexedStorage(vm, length, sizeof(EncodedJSValue));
</ins><span class="cx">     Structure* newStructure = Structure::nonPropertyTransition(vm, structure(vm), NonPropertyTransition::AllocateUndecided);
</span><span class="cx">     setStructureAndButterfly(vm, newStructure, newButterfly);
</span><span class="cx">     return newButterfly;
</span><span class="lines">@@ -731,9 +807,7 @@
</span><span class="cx"> ContiguousJSValues JSObject::createInitialInt32(VM&amp; vm, unsigned length)
</span><span class="cx"> {
</span><span class="cx">     DeferGC deferGC(vm.heap);
</span><del>-    Butterfly* newButterfly = createInitialIndexedStorage(vm, length);
-    for (unsigned i = newButterfly-&gt;vectorLength(); i--;)
-        newButterfly-&gt;contiguousInt32()[i].setWithoutWriteBarrier(JSValue());
</del><ins>+    Butterfly* newButterfly = createInitialIndexedStorage(vm, length, sizeof(EncodedJSValue));
</ins><span class="cx">     Structure* newStructure = Structure::nonPropertyTransition(vm, structure(vm), NonPropertyTransition::AllocateInt32);
</span><span class="cx">     setStructureAndButterfly(vm, newStructure, newButterfly);
</span><span class="cx">     return newButterfly-&gt;contiguousInt32();
</span><span class="lines">@@ -742,7 +816,7 @@
</span><span class="cx"> ContiguousDoubles JSObject::createInitialDouble(VM&amp; vm, unsigned length)
</span><span class="cx"> {
</span><span class="cx">     DeferGC deferGC(vm.heap);
</span><del>-    Butterfly* newButterfly = createInitialIndexedStorage(vm, length);
</del><ins>+    Butterfly* newButterfly = createInitialIndexedStorage(vm, length, sizeof(double));
</ins><span class="cx">     for (unsigned i = newButterfly-&gt;vectorLength(); i--;)
</span><span class="cx">         newButterfly-&gt;contiguousDouble()[i] = PNaN;
</span><span class="cx">     Structure* newStructure = Structure::nonPropertyTransition(vm, structure(vm), NonPropertyTransition::AllocateDouble);
</span><span class="lines">@@ -753,9 +827,7 @@
</span><span class="cx"> ContiguousJSValues JSObject::createInitialContiguous(VM&amp; vm, unsigned length)
</span><span class="cx"> {
</span><span class="cx">     DeferGC deferGC(vm.heap);
</span><del>-    Butterfly* newButterfly = createInitialIndexedStorage(vm, length);
-    for (unsigned i = newButterfly-&gt;vectorLength(); i--;)
-        newButterfly-&gt;contiguous()[i].setWithoutWriteBarrier(JSValue());
</del><ins>+    Butterfly* newButterfly = createInitialIndexedStorage(vm, length, sizeof(EncodedJSValue));
</ins><span class="cx">     Structure* newStructure = Structure::nonPropertyTransition(vm, structure(vm), NonPropertyTransition::AllocateContiguous);
</span><span class="cx">     setStructureAndButterfly(vm, newStructure, newButterfly);
</span><span class="cx">     return newButterfly-&gt;contiguous();
</span><span class="lines">@@ -763,7 +835,6 @@
</span><span class="cx"> 
</span><span class="cx"> ArrayStorage* JSObject::createArrayStorage(VM&amp; vm, unsigned length, unsigned vectorLength)
</span><span class="cx"> {
</span><del>-    LOGIT();
</del><span class="cx">     DeferGC deferGC(vm.heap);
</span><span class="cx">     Structure* structure = this-&gt;structure(vm);
</span><span class="cx">     IndexingType oldType = indexingType();
</span><span class="lines">@@ -779,8 +850,6 @@
</span><span class="cx">     result-&gt;m_sparseMap.clear();
</span><span class="cx">     result-&gt;m_numValuesInVector = 0;
</span><span class="cx">     result-&gt;m_indexBias = 0;
</span><del>-    for (size_t i = vectorLength; i--;)
-        result-&gt;m_vector[i].setWithoutWriteBarrier(JSValue());
</del><span class="cx">     Structure* newStructure = Structure::nonPropertyTransition(vm, structure, structure-&gt;suggestedArrayStorageTransition());
</span><span class="cx">     setStructureAndButterfly(vm, newStructure, newButterfly);
</span><span class="cx">     return result;
</span><span class="lines">@@ -788,18 +857,12 @@
</span><span class="cx"> 
</span><span class="cx"> ArrayStorage* JSObject::createInitialArrayStorage(VM&amp; vm)
</span><span class="cx"> {
</span><del>-    return createArrayStorage(
-        vm, 0, ArrayStorage::optimalVectorLength(0, structure(vm)-&gt;outOfLineCapacity(), 0));
</del><ins>+    return createArrayStorage(vm, 0, BASE_VECTOR_LEN);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> ContiguousJSValues JSObject::convertUndecidedToInt32(VM&amp; vm)
</span><span class="cx"> {
</span><span class="cx">     ASSERT(hasUndecided(indexingType()));
</span><del>-
-    Butterfly* butterfly = m_butterfly.get();
-    for (unsigned i = butterfly-&gt;vectorLength(); i--;)
-        butterfly-&gt;contiguousInt32()[i].setWithoutWriteBarrier(JSValue());
-
</del><span class="cx">     setStructure(vm, Structure::nonPropertyTransition(vm, structure(vm), NonPropertyTransition::AllocateInt32));
</span><span class="cx">     return m_butterfly.get()-&gt;contiguousInt32();
</span><span class="cx"> }
</span><span class="lines">@@ -819,11 +882,6 @@
</span><span class="cx"> ContiguousJSValues JSObject::convertUndecidedToContiguous(VM&amp; vm)
</span><span class="cx"> {
</span><span class="cx">     ASSERT(hasUndecided(indexingType()));
</span><del>-
-    Butterfly* butterfly = m_butterfly.get();
-    for (unsigned i = butterfly-&gt;vectorLength(); i--;)
-        butterfly-&gt;contiguous()[i].setWithoutWriteBarrier(JSValue());
-
</del><span class="cx">     setStructure(vm, Structure::nonPropertyTransition(vm, structure(vm), NonPropertyTransition::AllocateContiguous));
</span><span class="cx">     return m_butterfly.get()-&gt;contiguous();
</span><span class="cx"> }
</span><span class="lines">@@ -860,10 +918,8 @@
</span><span class="cx"> 
</span><span class="cx">     unsigned vectorLength = m_butterfly.get()-&gt;vectorLength();
</span><span class="cx">     ArrayStorage* storage = constructConvertedArrayStorageWithoutCopyingElements(vm, vectorLength);
</span><ins>+    // No need to copy elements.
</ins><span class="cx">     
</span><del>-    for (unsigned i = vectorLength; i--;)
-        storage-&gt;m_vector[i].setWithoutWriteBarrier(JSValue());
-    
</del><span class="cx">     Structure* newStructure = Structure::nonPropertyTransition(vm, structure(vm), transition);
</span><span class="cx">     setStructureAndButterfly(vm, newStructure, storage-&gt;butterfly());
</span><span class="cx">     return storage;
</span><span class="lines">@@ -883,12 +939,11 @@
</span><span class="cx">         WriteBarrier&lt;Unknown&gt;* current = &amp;butterfly-&gt;contiguousInt32()[i];
</span><span class="cx">         double* currentAsDouble = bitwise_cast&lt;double*&gt;(current);
</span><span class="cx">         JSValue v = current-&gt;get();
</span><del>-        // NOTE: Since this may be used during initialization, v could be garbage. If it's garbage,
-        // that means it will be overwritten later.
-        if (!v.isInt32()) {
</del><ins>+        if (!v) {
</ins><span class="cx">             *currentAsDouble = PNaN;
</span><span class="cx">             continue;
</span><span class="cx">         }
</span><ins>+        ASSERT(v.isInt32());
</ins><span class="cx">         *currentAsDouble = v.asInt32();
</span><span class="cx">     }
</span><span class="cx">     
</span><span class="lines">@@ -912,11 +967,13 @@
</span><span class="cx">     unsigned vectorLength = m_butterfly.get()-&gt;vectorLength();
</span><span class="cx">     ArrayStorage* newStorage = constructConvertedArrayStorageWithoutCopyingElements(vm, vectorLength);
</span><span class="cx">     Butterfly* butterfly = m_butterfly.get();
</span><del>-    for (unsigned i = 0; i &lt; vectorLength; i++) {
</del><ins>+    for (unsigned i = 0; i &lt; butterfly-&gt;publicLength(); i++) {
</ins><span class="cx">         JSValue v = butterfly-&gt;contiguous()[i].get();
</span><del>-        newStorage-&gt;m_vector[i].setWithoutWriteBarrier(v);
-        if (v)
</del><ins>+        if (v) {
+            newStorage-&gt;m_vector[i].setWithoutWriteBarrier(v);
</ins><span class="cx">             newStorage-&gt;m_numValuesInVector++;
</span><ins>+        } else
+            ASSERT(newStorage-&gt;m_vector[i].get().isEmpty());
</ins><span class="cx">     }
</span><span class="cx">     
</span><span class="cx">     Structure* newStructure = Structure::nonPropertyTransition(vm, structure(vm), transition);
</span><span class="lines">@@ -958,11 +1015,13 @@
</span><span class="cx">     unsigned vectorLength = m_butterfly.get()-&gt;vectorLength();
</span><span class="cx">     ArrayStorage* newStorage = constructConvertedArrayStorageWithoutCopyingElements(vm, vectorLength);
</span><span class="cx">     Butterfly* butterfly = m_butterfly.get();
</span><del>-    for (unsigned i = 0; i &lt; vectorLength; i++) {
</del><ins>+    for (unsigned i = 0; i &lt; butterfly-&gt;publicLength(); i++) {
</ins><span class="cx">         double value = butterfly-&gt;contiguousDouble()[i];
</span><del>-        newStorage-&gt;m_vector[i].setWithoutWriteBarrier(JSValue(JSValue::EncodeAsDouble, value));
-        if (value == value)
</del><ins>+        if (value == value) {
+            newStorage-&gt;m_vector[i].setWithoutWriteBarrier(JSValue(JSValue::EncodeAsDouble, value));
</ins><span class="cx">             newStorage-&gt;m_numValuesInVector++;
</span><ins>+        } else
+            ASSERT(newStorage-&gt;m_vector[i].get().isEmpty());
</ins><span class="cx">     }
</span><span class="cx">     
</span><span class="cx">     Structure* newStructure = Structure::nonPropertyTransition(vm, structure(vm), transition);
</span><span class="lines">@@ -983,11 +1042,13 @@
</span><span class="cx">     unsigned vectorLength = m_butterfly.get()-&gt;vectorLength();
</span><span class="cx">     ArrayStorage* newStorage = constructConvertedArrayStorageWithoutCopyingElements(vm, vectorLength);
</span><span class="cx">     Butterfly* butterfly = m_butterfly.get();
</span><del>-    for (unsigned i = 0; i &lt; vectorLength; i++) {
</del><ins>+    for (unsigned i = 0; i &lt; butterfly-&gt;publicLength(); i++) {
</ins><span class="cx">         JSValue v = butterfly-&gt;contiguous()[i].get();
</span><del>-        newStorage-&gt;m_vector[i].setWithoutWriteBarrier(v);
-        if (v)
</del><ins>+        if (v) {
+            newStorage-&gt;m_vector[i].setWithoutWriteBarrier(v);
</ins><span class="cx">             newStorage-&gt;m_numValuesInVector++;
</span><ins>+        } else
+            ASSERT(newStorage-&gt;m_vector[i].get().isEmpty());
</ins><span class="cx">     }
</span><span class="cx">     
</span><span class="cx">     Structure* newStructure = Structure::nonPropertyTransition(vm, structure(vm), transition);
</span><span class="lines">@@ -2321,7 +2382,7 @@
</span><span class="cx">         }
</span><span class="cx">         if (structure(vm)-&gt;needsSlowPutIndexing()) {
</span><span class="cx">             // Convert the indexing type to the SlowPutArrayStorage and retry.
</span><del>-            createArrayStorage(vm, i + 1, getNewVectorLength(0, 0, 0, i + 1));
</del><ins>+            createArrayStorage(vm, i + 1, getNewVectorLength(0, 0, i + 1));
</ins><span class="cx">             return putByIndex(this, exec, i, value, shouldThrow);
</span><span class="cx">         }
</span><span class="cx">         
</span><span class="lines">@@ -2462,7 +2523,7 @@
</span><span class="cx">                 exec, i, value, attributes, mode, createArrayStorage(vm, 0, 0));
</span><span class="cx">         }
</span><span class="cx">         if (structure(vm)-&gt;needsSlowPutIndexing()) {
</span><del>-            ArrayStorage* storage = createArrayStorage(vm, i + 1, getNewVectorLength(0, 0, 0, i + 1));
</del><ins>+            ArrayStorage* storage = createArrayStorage(vm, i + 1, getNewVectorLength(0, 0, i + 1));
</ins><span class="cx">             storage-&gt;m_vector[i].set(vm, this, value);
</span><span class="cx">             storage-&gt;m_numValuesInVector++;
</span><span class="cx">             return true;
</span><span class="lines">@@ -2581,8 +2642,7 @@
</span><span class="cx">     putDirectWithoutTransition(vm, propertyName, function, attributes);
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-// NOTE: This method is for ArrayStorage vectors.
-ALWAYS_INLINE unsigned JSObject::getNewVectorLength(unsigned indexBias, unsigned currentVectorLength, unsigned currentLength, unsigned desiredLength)
</del><ins>+ALWAYS_INLINE unsigned JSObject::getNewVectorLength(unsigned currentVectorLength, unsigned currentLength, unsigned desiredLength)
</ins><span class="cx"> {
</span><span class="cx">     ASSERT(desiredLength &lt;= MAX_STORAGE_VECTOR_LENGTH);
</span><span class="cx"> 
</span><span class="lines">@@ -2599,27 +2659,25 @@
</span><span class="cx"> 
</span><span class="cx">     ASSERT(increasedLength &gt;= desiredLength);
</span><span class="cx"> 
</span><del>-    lastArraySize = std::min(increasedLength, FIRST_ARRAY_STORAGE_VECTOR_GROW);
</del><ins>+    lastArraySize = std::min(increasedLength, FIRST_VECTOR_GROW);
</ins><span class="cx"> 
</span><del>-    return ArrayStorage::optimalVectorLength(
-        indexBias, structure()-&gt;outOfLineCapacity(),
-        std::min(increasedLength, MAX_STORAGE_VECTOR_LENGTH));
</del><ins>+    return std::min(increasedLength, MAX_STORAGE_VECTOR_LENGTH);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> ALWAYS_INLINE unsigned JSObject::getNewVectorLength(unsigned desiredLength)
</span><span class="cx"> {
</span><del>-    unsigned indexBias = 0;
-    unsigned vectorLength = 0;
-    unsigned length = 0;
</del><ins>+    unsigned vectorLength;
+    unsigned length;
</ins><span class="cx">     
</span><span class="cx">     if (hasIndexedProperties(indexingType())) {
</span><del>-        if (ArrayStorage* storage = arrayStorageOrNull())
-            indexBias = storage-&gt;m_indexBias;
</del><span class="cx">         vectorLength = m_butterfly.get()-&gt;vectorLength();
</span><span class="cx">         length = m_butterfly.get()-&gt;publicLength();
</span><ins>+    } else {
+        vectorLength = 0;
+        length = 0;
</ins><span class="cx">     }
</span><span class="cx"> 
</span><del>-    return getNewVectorLength(indexBias, vectorLength, length, desiredLength);
</del><ins>+    return getNewVectorLength(vectorLength, length, desiredLength);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> template&lt;IndexingType indexingShape&gt;
</span><span class="lines">@@ -2672,29 +2730,19 @@
</span><span class="cx"> 
</span><span class="cx"> bool JSObject::increaseVectorLength(VM&amp; vm, unsigned newLength)
</span><span class="cx"> {
</span><del>-    LOGIT();
-    ArrayStorage* storage = arrayStorage();
-    
-    unsigned vectorLength = storage-&gt;vectorLength();
-    unsigned availableVectorLength = storage-&gt;availableVectorLength(structure(vm), vectorLength); 
-    if (availableVectorLength &gt;= newLength) {
-        // The cell was already big enough for the desired length!
-        for (unsigned i = vectorLength; i &lt; availableVectorLength; ++i)
-            storage-&gt;m_vector[i].clear();
-        storage-&gt;setVectorLength(availableVectorLength);
-        return true;
-    }
-    
</del><span class="cx">     // This function leaves the array in an internally inconsistent state, because it does not move any values from sparse value map
</span><span class="cx">     // to the vector. Callers have to account for that, because they can do it more efficiently.
</span><span class="cx">     if (newLength &gt; MAX_STORAGE_VECTOR_LENGTH)
</span><span class="cx">         return false;
</span><span class="cx"> 
</span><ins>+    ArrayStorage* storage = arrayStorage();
+    
</ins><span class="cx">     if (newLength &gt;= MIN_SPARSE_ARRAY_INDEX
</span><span class="cx">         &amp;&amp; !isDenseEnoughForVector(newLength, storage-&gt;m_numValuesInVector))
</span><span class="cx">         return false;
</span><span class="cx"> 
</span><span class="cx">     unsigned indexBias = storage-&gt;m_indexBias;
</span><ins>+    unsigned vectorLength = storage-&gt;vectorLength();
</ins><span class="cx">     ASSERT(newLength &gt; vectorLength);
</span><span class="cx">     unsigned newVectorLength = getNewVectorLength(newLength);
</span><span class="cx"> 
</span><span class="lines">@@ -2707,8 +2755,6 @@
</span><span class="cx">             ArrayStorage::sizeFor(vectorLength), ArrayStorage::sizeFor(newVectorLength));
</span><span class="cx">         if (!newButterfly)
</span><span class="cx">             return false;
</span><del>-        for (unsigned i = vectorLength; i &lt; newVectorLength; ++i)
-            newButterfly-&gt;arrayStorage()-&gt;m_vector[i].clear();
</del><span class="cx">         newButterfly-&gt;arrayStorage()-&gt;setVectorLength(newVectorLength);
</span><span class="cx">         setButterflyWithoutChangingStructure(vm, newButterfly);
</span><span class="cx">         return true;
</span><span class="lines">@@ -2723,8 +2769,6 @@
</span><span class="cx">         newIndexBias, true, ArrayStorage::sizeFor(newVectorLength));
</span><span class="cx">     if (!newButterfly)
</span><span class="cx">         return false;
</span><del>-    for (unsigned i = vectorLength; i &lt; newVectorLength; ++i)
-        newButterfly-&gt;arrayStorage()-&gt;m_vector[i].clear();
</del><span class="cx">     newButterfly-&gt;arrayStorage()-&gt;setVectorLength(newVectorLength);
</span><span class="cx">     newButterfly-&gt;arrayStorage()-&gt;m_indexBias = newIndexBias;
</span><span class="cx">     setButterflyWithoutChangingStructure(vm, newButterfly);
</span><span class="lines">@@ -2733,7 +2777,6 @@
</span><span class="cx"> 
</span><span class="cx"> bool JSObject::ensureLengthSlow(VM&amp; vm, unsigned length)
</span><span class="cx"> {
</span><del>-    LOGIT();
</del><span class="cx">     Butterfly* butterfly = m_butterfly.get();
</span><span class="cx">     
</span><span class="cx">     ASSERT(length &lt; MAX_ARRAY_INDEX);
</span><span class="lines">@@ -2740,41 +2783,25 @@
</span><span class="cx">     ASSERT(hasContiguous(indexingType()) || hasInt32(indexingType()) || hasDouble(indexingType()) || hasUndecided(indexingType()));
</span><span class="cx">     ASSERT(length &gt; butterfly-&gt;vectorLength());
</span><span class="cx">     
</span><ins>+    unsigned newVectorLength = std::min(
+        length &lt;&lt; 1,
+        MAX_STORAGE_VECTOR_LENGTH);
</ins><span class="cx">     unsigned oldVectorLength = butterfly-&gt;vectorLength();
</span><del>-    unsigned newVectorLength;
-    
-    Structure* structure = this-&gt;structure(vm);
-    unsigned propertyCapacity = structure-&gt;outOfLineCapacity();
-    
-    unsigned availableOldLength =
-        Butterfly::availableContiguousVectorLength(propertyCapacity, oldVectorLength);
-    if (availableOldLength &gt;= length) {
-        // This is the case where someone else selected a vector length that caused internal
-        // fragmentation. If we did our jobs right, this would never happen. But I bet we will mess
-        // this up, so this defense should stay.
-        newVectorLength = availableOldLength;
-    } else {
-        newVectorLength = Butterfly::optimalContiguousVectorLength(
-            propertyCapacity, std::min(length &lt;&lt; 1, MAX_STORAGE_VECTOR_LENGTH));
-        butterfly = butterfly-&gt;growArrayRight(
-            vm, this, structure, propertyCapacity, true,
-            oldVectorLength * sizeof(EncodedJSValue),
-            newVectorLength * sizeof(EncodedJSValue));
-        if (!butterfly)
-            return false;
-        m_butterfly.set(vm, this, butterfly);
-    }
</del><ins>+    DeferGC deferGC(vm.heap);
+    butterfly = butterfly-&gt;growArrayRight(
+        vm, this, structure(), structure()-&gt;outOfLineCapacity(), true,
+        oldVectorLength * sizeof(EncodedJSValue),
+        newVectorLength * sizeof(EncodedJSValue));
+    if (!butterfly)
+        return false;
+    m_butterfly.set(vm, this, butterfly);
</ins><span class="cx"> 
</span><span class="cx">     butterfly-&gt;setVectorLength(newVectorLength);
</span><span class="cx"> 
</span><span class="cx">     if (hasDouble(indexingType())) {
</span><span class="cx">         for (unsigned i = oldVectorLength; i &lt; newVectorLength; ++i)
</span><del>-            butterfly-&gt;contiguousDouble()[i] = PNaN;
-    } else {
-        for (unsigned i = oldVectorLength; i &lt; newVectorLength; ++i)
-            butterfly-&gt;contiguous()[i].clear();
</del><ins>+            butterfly-&gt;contiguousDouble().data()[i] = PNaN;
</ins><span class="cx">     }
</span><del>-
</del><span class="cx">     return true;
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="lines">@@ -2795,7 +2822,6 @@
</span><span class="cx"> 
</span><span class="cx"> Butterfly* JSObject::growOutOfLineStorage(VM&amp; vm, size_t oldSize, size_t newSize)
</span><span class="cx"> {
</span><del>-    LOGIT();
</del><span class="cx">     ASSERT(newSize &gt; oldSize);
</span><span class="cx"> 
</span><span class="cx">     // It's important that this function not rely on structure(), for the property
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSObjecth"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSObject.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSObject.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/JSObject.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -26,14 +26,15 @@
</span><span class="cx"> #include &quot;ArgList.h&quot;
</span><span class="cx"> #include &quot;ArrayConventions.h&quot;
</span><span class="cx"> #include &quot;ArrayStorage.h&quot;
</span><del>-#include &quot;AuxiliaryBarrier.h&quot;
</del><span class="cx"> #include &quot;Butterfly.h&quot;
</span><span class="cx"> #include &quot;CallFrame.h&quot;
</span><span class="cx"> #include &quot;ClassInfo.h&quot;
</span><span class="cx"> #include &quot;CommonIdentifiers.h&quot;
</span><ins>+#include &quot;CopyBarrier.h&quot;
</ins><span class="cx"> #include &quot;CustomGetterSetter.h&quot;
</span><span class="cx"> #include &quot;DeferGC.h&quot;
</span><span class="cx"> #include &quot;Heap.h&quot;
</span><ins>+#include &quot;HeapInlines.h&quot;
</ins><span class="cx"> #include &quot;IndexingHeaderInlines.h&quot;
</span><span class="cx"> #include &quot;JSCell.h&quot;
</span><span class="cx"> #include &quot;PropertySlot.h&quot;
</span><span class="lines">@@ -102,6 +103,7 @@
</span><span class="cx"> 
</span><span class="cx">     JS_EXPORT_PRIVATE static size_t estimatedSize(JSCell*);
</span><span class="cx">     JS_EXPORT_PRIVATE static void visitChildren(JSCell*, SlotVisitor&amp;);
</span><ins>+    JS_EXPORT_PRIVATE static void copyBackingStore(JSCell*, CopyVisitor&amp;, CopyToken);
</ins><span class="cx">     JS_EXPORT_PRIVATE static void heapSnapshot(JSCell*, HeapSnapshotBuilder&amp;);
</span><span class="cx"> 
</span><span class="cx">     JS_EXPORT_PRIVATE static String className(const JSObject*);
</span><span class="lines">@@ -412,8 +414,6 @@
</span><span class="cx">         initializeIndex(vm, i, v, indexingType());
</span><span class="cx">     }
</span><span class="cx"> 
</span><del>-    // NOTE: Clients of this method may call it more than once for any index, and this is supposed
-    // to work.
</del><span class="cx">     void initializeIndex(VM&amp; vm, unsigned i, JSValue v, IndexingType indexingType)
</span><span class="cx">     {
</span><span class="cx">         Butterfly* butterfly = m_butterfly.get();
</span><span class="lines">@@ -686,6 +686,8 @@
</span><span class="cx">         
</span><span class="cx">     void setStructure(VM&amp;, Structure*);
</span><span class="cx">     void setStructureAndButterfly(VM&amp;, Structure*, Butterfly*);
</span><ins>+    void setStructureAndReallocateStorageIfNecessary(VM&amp;, unsigned oldCapacity, Structure*);
+    void setStructureAndReallocateStorageIfNecessary(VM&amp;, Structure*);
</ins><span class="cx"> 
</span><span class="cx">     JS_EXPORT_PRIVATE void convertToDictionary(VM&amp;);
</span><span class="cx"> 
</span><span class="lines">@@ -702,13 +704,6 @@
</span><span class="cx">         return structure()-&gt;globalObject();
</span><span class="cx">     }
</span><span class="cx">         
</span><del>-    JSGlobalObject* globalObject(VM&amp; vm) const
-    {
-        ASSERT(structure(vm)-&gt;globalObject());
-        ASSERT(!isGlobalObject() || ((JSObject*)structure()-&gt;globalObject()) == this);
-        return structure(vm)-&gt;globalObject();
-    }
-        
</del><span class="cx">     void switchToSlowPutArrayStorage(VM&amp;);
</span><span class="cx">         
</span><span class="cx">     // The receiver is the prototype in this case. The following:
</span><span class="lines">@@ -802,6 +797,7 @@
</span><span class="cx">     JSObject(VM&amp;, Structure*, Butterfly* = 0);
</span><span class="cx">         
</span><span class="cx">     void visitButterfly(SlotVisitor&amp;, Butterfly*, Structure*);
</span><ins>+    void copyButterfly(CopyVisitor&amp;, Butterfly*, size_t storageSize);
</ins><span class="cx"> 
</span><span class="cx">     // Call this if you know that the object is in a mode where it has array
</span><span class="cx">     // storage. This will assert otherwise.
</span><span class="lines">@@ -912,7 +908,7 @@
</span><span class="cx">     void isObject();
</span><span class="cx">     void isString();
</span><span class="cx">         
</span><del>-    Butterfly* createInitialIndexedStorage(VM&amp;, unsigned length);
</del><ins>+    Butterfly* createInitialIndexedStorage(VM&amp;, unsigned length, size_t elementSize);
</ins><span class="cx">         
</span><span class="cx">     ArrayStorage* enterDictionaryIndexingModeWhenArrayStorageAlreadyExists(VM&amp;, ArrayStorage*);
</span><span class="cx">         
</span><span class="lines">@@ -936,7 +932,7 @@
</span><span class="cx">     bool putDirectIndexBeyondVectorLengthWithArrayStorage(ExecState*, unsigned propertyName, JSValue, unsigned attributes, PutDirectIndexMode, ArrayStorage*);
</span><span class="cx">     JS_EXPORT_PRIVATE bool putDirectIndexBeyondVectorLength(ExecState*, unsigned propertyName, JSValue, unsigned attributes, PutDirectIndexMode);
</span><span class="cx">         
</span><del>-    unsigned getNewVectorLength(unsigned indexBias, unsigned currentVectorLength, unsigned currentLength, unsigned desiredLength);
</del><ins>+    unsigned getNewVectorLength(unsigned currentVectorLength, unsigned currentLength, unsigned desiredLength);
</ins><span class="cx">     unsigned getNewVectorLength(unsigned desiredLength);
</span><span class="cx"> 
</span><span class="cx">     ArrayStorage* constructConvertedArrayStorageWithoutCopyingElements(VM&amp;, unsigned neededLength);
</span><span class="lines">@@ -953,7 +949,7 @@
</span><span class="cx">     JS_EXPORT_PRIVATE ArrayStorage* ensureArrayStorageSlow(VM&amp;);
</span><span class="cx"> 
</span><span class="cx"> protected:
</span><del>-    AuxiliaryBarrier&lt;Butterfly*&gt; m_butterfly;
</del><ins>+    CopyBarrier&lt;Butterfly&gt; m_butterfly;
</ins><span class="cx"> #if USE(JSVALUE32_64)
</span><span class="cx"> private:
</span><span class="cx">     uint32_t m_padding;
</span><span class="lines">@@ -1491,16 +1487,8 @@
</span><span class="cx">     
</span><span class="cx">     validateOffset(offset);
</span><span class="cx">     ASSERT(newStructure-&gt;isValidOffset(offset));
</span><del>-    DeferGC deferGC(vm.heap);
-    size_t oldCapacity = structure-&gt;outOfLineCapacity();
-    size_t newCapacity = newStructure-&gt;outOfLineCapacity();
-    ASSERT(oldCapacity &lt;= newCapacity);
-    if (oldCapacity == newCapacity)
-        setStructure(vm, newStructure);
-    else {
-        Butterfly* newButterfly = growOutOfLineStorage(vm, oldCapacity, newCapacity);
-        setStructureAndButterfly(vm, newStructure, newButterfly);
-    }
</del><ins>+    setStructureAndReallocateStorageIfNecessary(vm, newStructure);
+
</ins><span class="cx">     putDirect(vm, offset, value);
</span><span class="cx">     slot.setNewProperty(this, offset);
</span><span class="cx">     if (attributes &amp; ReadOnly)
</span><span class="lines">@@ -1508,6 +1496,27 @@
</span><span class="cx">     return true;
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+inline void JSObject::setStructureAndReallocateStorageIfNecessary(VM&amp; vm, unsigned oldCapacity, Structure* newStructure)
+{
+    ASSERT(oldCapacity &lt;= newStructure-&gt;outOfLineCapacity());
+    
+    if (oldCapacity == newStructure-&gt;outOfLineCapacity()) {
+        setStructure(vm, newStructure);
+        return;
+    }
+
+    DeferGC deferGC(vm.heap); 
+    Butterfly* newButterfly = growOutOfLineStorage(
+        vm, oldCapacity, newStructure-&gt;outOfLineCapacity());
+    setStructureAndButterfly(vm, newStructure, newButterfly);
+}
+
+inline void JSObject::setStructureAndReallocateStorageIfNecessary(VM&amp; vm, Structure* newStructure)
+{
+    setStructureAndReallocateStorageIfNecessary(
+        vm, structure(vm)-&gt;outOfLineCapacity(), newStructure);
+}
+
</ins><span class="cx"> inline bool JSObject::putOwnDataProperty(VM&amp; vm, PropertyName propertyName, JSValue value, PutPropertySlot&amp; slot)
</span><span class="cx"> {
</span><span class="cx">     ASSERT(value);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSObjectInlinesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSObjectInlines.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSObjectInlines.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/JSObjectInlines.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,7 +1,7 @@
</span><span class="cx"> /*
</span><span class="cx">  *  Copyright (C) 1999-2001 Harri Porten (porten@kde.org)
</span><span class="cx">  *  Copyright (C) 2001 Peter Kelly (pmk@post.com)
</span><del>- *  Copyright (C) 2003-2006, 2008, 2009, 2012-2016 Apple Inc. All rights reserved.
</del><ins>+ *  Copyright (C) 2003-2006, 2008, 2009, 2012-2015 Apple Inc. All rights reserved.
</ins><span class="cx">  *  Copyright (C) 2007 Eric Seidel (eric@webkit.org)
</span><span class="cx">  *
</span><span class="cx">  *  This library is free software; you can redistribute it and/or
</span><span class="lines">@@ -24,7 +24,6 @@
</span><span class="cx"> #ifndef JSObjectInlines_h
</span><span class="cx"> #define JSObjectInlines_h
</span><span class="cx"> 
</span><del>-#include &quot;AuxiliaryBarrierInlines.h&quot;
</del><span class="cx"> #include &quot;Error.h&quot;
</span><span class="cx"> #include &quot;JSObject.h&quot;
</span><span class="cx"> #include &quot;Lookup.h&quot;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSPromisecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSPromise.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSPromise.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/JSPromise.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -28,9 +28,12 @@
</span><span class="cx"> 
</span><span class="cx"> #include &quot;BuiltinNames.h&quot;
</span><span class="cx"> #include &quot;Error.h&quot;
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;JSCJSValueInlines.h&quot;
+#include &quot;JSCellInlines.h&quot;
</ins><span class="cx"> #include &quot;JSPromiseConstructor.h&quot;
</span><span class="cx"> #include &quot;Microtask.h&quot;
</span><ins>+#include &quot;SlotVisitorInlines.h&quot;
+#include &quot;StructureInlines.h&quot;
</ins><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSPromiseConstructorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSPromiseConstructor.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSPromiseConstructor.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/JSPromiseConstructor.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -32,12 +32,14 @@
</span><span class="cx"> #include &quot;GetterSetter.h&quot;
</span><span class="cx"> #include &quot;IteratorOperations.h&quot;
</span><span class="cx"> #include &quot;JSCBuiltins.h&quot;
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;JSCJSValueInlines.h&quot;
+#include &quot;JSCellInlines.h&quot;
</ins><span class="cx"> #include &quot;JSFunction.h&quot;
</span><span class="cx"> #include &quot;JSPromise.h&quot;
</span><span class="cx"> #include &quot;JSPromisePrototype.h&quot;
</span><span class="cx"> #include &quot;Lookup.h&quot;
</span><span class="cx"> #include &quot;NumberObject.h&quot;
</span><ins>+#include &quot;StructureInlines.h&quot;
</ins><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSPromiseDeferredcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSPromiseDeferred.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSPromiseDeferred.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/JSPromiseDeferred.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -29,9 +29,12 @@
</span><span class="cx"> #include &quot;BuiltinNames.h&quot;
</span><span class="cx"> #include &quot;Error.h&quot;
</span><span class="cx"> #include &quot;Exception.h&quot;
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;JSCJSValueInlines.h&quot;
+#include &quot;JSCellInlines.h&quot;
</ins><span class="cx"> #include &quot;JSPromise.h&quot;
</span><span class="cx"> #include &quot;JSPromiseConstructor.h&quot;
</span><ins>+#include &quot;SlotVisitorInlines.h&quot;
+#include &quot;StructureInlines.h&quot;
</ins><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSPromisePrototypecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSPromisePrototype.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSPromisePrototype.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/JSPromisePrototype.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -29,11 +29,13 @@
</span><span class="cx"> #include &quot;BuiltinNames.h&quot;
</span><span class="cx"> #include &quot;Error.h&quot;
</span><span class="cx"> #include &quot;JSCBuiltins.h&quot;
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;JSCJSValueInlines.h&quot;
+#include &quot;JSCellInlines.h&quot;
</ins><span class="cx"> #include &quot;JSFunction.h&quot;
</span><span class="cx"> #include &quot;JSGlobalObject.h&quot;
</span><span class="cx"> #include &quot;JSPromise.h&quot;
</span><span class="cx"> #include &quot;Microtask.h&quot;
</span><ins>+#include &quot;StructureInlines.h&quot;
</ins><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSPropertyNameIteratorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSPropertyNameIterator.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSPropertyNameIterator.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/JSPropertyNameIterator.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2015-2016 Apple, Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2015 Apple, Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -26,9 +26,13 @@
</span><span class="cx"> #include &quot;config.h&quot;
</span><span class="cx"> #include &quot;JSPropertyNameIterator.h&quot;
</span><span class="cx"> 
</span><ins>+#include &quot;IdentifierInlines.h&quot;
</ins><span class="cx"> #include &quot;IteratorOperations.h&quot;
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;JSCJSValueInlines.h&quot;
+#include &quot;JSCellInlines.h&quot;
</ins><span class="cx"> #include &quot;JSPropertyNameEnumerator.h&quot;
</span><ins>+#include &quot;SlotVisitorInlines.h&quot;
+#include &quot;StructureInlines.h&quot;
</ins><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSScopecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSScope.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSScope.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/JSScope.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -217,7 +217,6 @@
</span><span class="cx"> 
</span><span class="cx"> JSObject* JSScope::resolve(ExecState* exec, JSScope* scope, const Identifier&amp; ident)
</span><span class="cx"> {
</span><del>-    VM&amp; vm = exec-&gt;vm();
</del><span class="cx">     ScopeChainIterator end = scope-&gt;end();
</span><span class="cx">     ScopeChainIterator it = scope-&gt;begin();
</span><span class="cx">     while (1) {
</span><span class="lines">@@ -226,7 +225,7 @@
</span><span class="cx"> 
</span><span class="cx">         // Global scope.
</span><span class="cx">         if (++it == end) {
</span><del>-            JSScope* globalScopeExtension = scope-&gt;globalObject(vm)-&gt;globalScopeExtension();
</del><ins>+            JSScope* globalScopeExtension = scope-&gt;globalObject()-&gt;globalScopeExtension();
</ins><span class="cx">             if (UNLIKELY(globalScopeExtension)) {
</span><span class="cx">                 if (object-&gt;hasProperty(exec, ident))
</span><span class="cx">                     return object;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSScopeh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSScope.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSScope.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/JSScope.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -69,7 +69,7 @@
</span><span class="cx">     JSScope* next();
</span><span class="cx"> 
</span><span class="cx">     JSGlobalObject* globalObject();
</span><del>-    JSGlobalObject* globalObject(VM&amp;);
</del><ins>+    VM* vm();
</ins><span class="cx">     JSObject* globalThis();
</span><span class="cx"> 
</span><span class="cx">     SymbolTable* symbolTable();
</span><span class="lines">@@ -129,9 +129,9 @@
</span><span class="cx">     return structure()-&gt;globalObject();
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-inline JSGlobalObject* JSScope::globalObject(VM&amp; vm)
</del><ins>+inline VM* JSScope::vm()
</ins><span class="cx"> { 
</span><del>-    return structure(vm)-&gt;globalObject();
</del><ins>+    return MarkedBlock::blockFor(this)-&gt;vm();
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> inline Register&amp; Register::operator=(JSScope* scope)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSSetIteratorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSSetIterator.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSSetIterator.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/JSSetIterator.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2013, 2016 Apple, Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2013 Apple, Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -26,9 +26,12 @@
</span><span class="cx"> #include &quot;config.h&quot;
</span><span class="cx"> #include &quot;JSSetIterator.h&quot;
</span><span class="cx"> 
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;JSCJSValueInlines.h&quot;
+#include &quot;JSCellInlines.h&quot;
</ins><span class="cx"> #include &quot;JSSet.h&quot;
</span><span class="cx"> #include &quot;MapDataInlines.h&quot;
</span><ins>+#include &quot;SlotVisitorInlines.h&quot;
+#include &quot;StructureInlines.h&quot;
</ins><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSStringIteratorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSStringIterator.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSStringIterator.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/JSStringIterator.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -28,7 +28,9 @@
</span><span class="cx"> #include &quot;JSStringIterator.h&quot;
</span><span class="cx"> 
</span><span class="cx"> #include &quot;BuiltinNames.h&quot;
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;JSCJSValueInlines.h&quot;
+#include &quot;JSCellInlines.h&quot;
+#include &quot;StructureInlines.h&quot;
</ins><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSTemplateRegistryKeycpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSTemplateRegistryKey.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSTemplateRegistryKey.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/JSTemplateRegistryKey.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,6 +1,5 @@
</span><span class="cx"> /*
</span><span class="cx">  * Copyright (C) 2015 Yusuke Suzuki &lt;utatane.tea@gmail.com&gt;.
</span><del>- * Copyright (C) 2016 Apple Inc. All Rights Reserved.
</del><span class="cx">  *
</span><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -27,7 +26,9 @@
</span><span class="cx"> #include &quot;config.h&quot;
</span><span class="cx"> #include &quot;JSTemplateRegistryKey.h&quot;
</span><span class="cx"> 
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;JSCJSValueInlines.h&quot;
+#include &quot;JSCellInlines.h&quot;
+#include &quot;StructureInlines.h&quot;
</ins><span class="cx"> #include &quot;VM.h&quot;
</span><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSTypedArrayViewConstructorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSTypedArrayViewConstructor.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSTypedArrayViewConstructor.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/JSTypedArrayViewConstructor.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -30,8 +30,9 @@
</span><span class="cx"> #include &quot;Error.h&quot;
</span><span class="cx"> #include &quot;GetterSetter.h&quot;
</span><span class="cx"> #include &quot;JSCBuiltins.h&quot;
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;JSCellInlines.h&quot;
</ins><span class="cx"> #include &quot;JSGenericTypedArrayViewConstructorInlines.h&quot;
</span><ins>+#include &quot;JSObject.h&quot;
</ins><span class="cx"> #include &quot;JSTypedArrayViewPrototype.h&quot;
</span><span class="cx"> #include &quot;JSTypedArrays.h&quot;
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSTypedArrayViewPrototypecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSTypedArrayViewPrototype.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSTypedArrayViewPrototype.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/JSTypedArrayViewPrototype.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -29,7 +29,7 @@
</span><span class="cx"> #include &quot;BuiltinNames.h&quot;
</span><span class="cx"> #include &quot;CallFrame.h&quot;
</span><span class="cx"> #include &quot;GetterSetter.h&quot;
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;JSCellInlines.h&quot;
</ins><span class="cx"> #include &quot;JSFunction.h&quot;
</span><span class="cx"> #include &quot;JSGenericTypedArrayViewPrototypeFunctions.h&quot;
</span><span class="cx"> #include &quot;TypedArrayAdaptors.h&quot;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSWeakMapcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSWeakMap.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSWeakMap.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/JSWeakMap.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -26,8 +26,11 @@
</span><span class="cx"> #include &quot;config.h&quot;
</span><span class="cx"> #include &quot;JSWeakMap.h&quot;
</span><span class="cx"> 
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;JSCJSValueInlines.h&quot;
+#include &quot;SlotVisitorInlines.h&quot;
+#include &quot;StructureInlines.h&quot;
</ins><span class="cx"> #include &quot;WeakMapData.h&quot;
</span><ins>+#include &quot;WriteBarrierInlines.h&quot;
</ins><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSWeakSetcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSWeakSet.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSWeakSet.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/JSWeakSet.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -26,8 +26,11 @@
</span><span class="cx"> #include &quot;config.h&quot;
</span><span class="cx"> #include &quot;JSWeakSet.h&quot;
</span><span class="cx"> 
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;JSCJSValueInlines.h&quot;
+#include &quot;SlotVisitorInlines.h&quot;
+#include &quot;StructureInlines.h&quot;
</ins><span class="cx"> #include &quot;WeakMapData.h&quot;
</span><ins>+#include &quot;WriteBarrierInlines.h&quot;
</ins><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeMapConstructorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/MapConstructor.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/MapConstructor.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/MapConstructor.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -29,10 +29,12 @@
</span><span class="cx"> #include &quot;Error.h&quot;
</span><span class="cx"> #include &quot;GetterSetter.h&quot;
</span><span class="cx"> #include &quot;IteratorOperations.h&quot;
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;JSCJSValueInlines.h&quot;
+#include &quot;JSCellInlines.h&quot;
</ins><span class="cx"> #include &quot;JSGlobalObject.h&quot;
</span><span class="cx"> #include &quot;JSMap.h&quot;
</span><span class="cx"> #include &quot;MapPrototype.h&quot;
</span><ins>+#include &quot;StructureInlines.h&quot;
</ins><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeMapIteratorPrototypecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/MapIteratorPrototype.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/MapIteratorPrototype.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/MapIteratorPrototype.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -27,8 +27,10 @@
</span><span class="cx"> #include &quot;MapIteratorPrototype.h&quot;
</span><span class="cx"> 
</span><span class="cx"> #include &quot;IteratorOperations.h&quot;
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;JSCJSValueInlines.h&quot;
+#include &quot;JSCellInlines.h&quot;
</ins><span class="cx"> #include &quot;JSMapIterator.h&quot;
</span><ins>+#include &quot;StructureInlines.h&quot;
</ins><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeMapPrototypecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/MapPrototype.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/MapPrototype.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/MapPrototype.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -31,11 +31,13 @@
</span><span class="cx"> #include &quot;ExceptionHelpers.h&quot;
</span><span class="cx"> #include &quot;GetterSetter.h&quot;
</span><span class="cx"> #include &quot;IteratorOperations.h&quot;
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;JSCJSValueInlines.h&quot;
+#include &quot;JSFunctionInlines.h&quot;
</ins><span class="cx"> #include &quot;JSMap.h&quot;
</span><span class="cx"> #include &quot;JSMapIterator.h&quot;
</span><span class="cx"> #include &quot;Lookup.h&quot;
</span><span class="cx"> #include &quot;MapDataInlines.h&quot;
</span><ins>+#include &quot;StructureInlines.h&quot;
</ins><span class="cx"> 
</span><span class="cx"> #include &quot;MapPrototype.lut.h&quot;
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeNativeErrorConstructorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/NativeErrorConstructor.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/NativeErrorConstructor.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/NativeErrorConstructor.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -22,7 +22,6 @@
</span><span class="cx"> #include &quot;NativeErrorConstructor.h&quot;
</span><span class="cx"> 
</span><span class="cx"> #include &quot;ErrorInstance.h&quot;
</span><del>-#include &quot;Interpreter.h&quot;
</del><span class="cx"> #include &quot;JSFunction.h&quot;
</span><span class="cx"> #include &quot;JSString.h&quot;
</span><span class="cx"> #include &quot;NativeErrorPrototype.h&quot;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeNativeStdFunctionCellcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/NativeStdFunctionCell.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/NativeStdFunctionCell.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/NativeStdFunctionCell.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -26,7 +26,10 @@
</span><span class="cx"> #include &quot;config.h&quot;
</span><span class="cx"> #include &quot;NativeStdFunctionCell.h&quot;
</span><span class="cx"> 
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;JSCJSValueInlines.h&quot;
+#include &quot;JSCellInlines.h&quot;
+#include &quot;JSFunctionInlines.h&quot;
+#include &quot;SlotVisitorInlines.h&quot;
</ins><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeOperationsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/Operations.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/Operations.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/Operations.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -195,20 +195,6 @@
</span><span class="cx">     return jsAddSlowCase(callFrame, v1, v2);
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-inline bool scribbleFreeCells()
-{
-    return !ASSERT_DISABLED || Options::scribbleFreeCells();
-}
-
-inline void scribble(void* base, size_t size)
-{
-    for (size_t i = size / sizeof(EncodedJSValue); i--;) {
-        // Use a 16-byte aligned value to ensure that it passes the cell check.
-        static_cast&lt;EncodedJSValue*&gt;(base)[i] = JSValue::encode(
-            bitwise_cast&lt;JSCell*&gt;(static_cast&lt;intptr_t&gt;(0xbadbeef0)));
-    }
-}
-
</del><span class="cx"> } // namespace JSC
</span><span class="cx"> 
</span><span class="cx"> #endif // Operations_h
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeOptionsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/Options.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/Options.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/Options.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -182,11 +182,6 @@
</span><span class="cx">     v(bool, testTheFTL, false, Normal, nullptr) \
</span><span class="cx">     v(bool, verboseSanitizeStack, false, Normal, nullptr) \
</span><span class="cx">     v(bool, useGenerationalGC, true, Normal, nullptr) \
</span><del>-    v(bool, scribbleFreeCells, false, Normal, nullptr) \
-    v(double, sizeClassProgression, 1.4, Normal, nullptr) \
-    v(unsigned, largeAllocationCutoff, 400, Normal, nullptr) \
-    v(bool, dumpSizeClasses, false, Normal, nullptr) \
-    v(bool, useBumpAllocator, true, Normal, nullptr) \
</del><span class="cx">     v(bool, eagerlyUpdateTopCallFrame, false, Normal, nullptr) \
</span><span class="cx">     \
</span><span class="cx">     v(bool, useOSREntryToDFG, true, Normal, nullptr) \
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimePropertyTablecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/PropertyTable.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/PropertyTable.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/PropertyTable.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -26,7 +26,10 @@
</span><span class="cx"> #include &quot;config.h&quot;
</span><span class="cx"> #include &quot;PropertyMapHashTable.h&quot;
</span><span class="cx"> 
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;JSCJSValueInlines.h&quot;
+#include &quot;JSCellInlines.h&quot;
+#include &quot;SlotVisitorInlines.h&quot;
+#include &quot;StructureInlines.h&quot;
</ins><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeProxyConstructorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/ProxyConstructor.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/ProxyConstructor.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/ProxyConstructor.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -28,7 +28,8 @@
</span><span class="cx"> 
</span><span class="cx"> #include &quot;Error.h&quot;
</span><span class="cx"> #include &quot;IdentifierInlines.h&quot;
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;JSCJSValueInlines.h&quot;
+#include &quot;JSCellInlines.h&quot;
</ins><span class="cx"> #include &quot;ObjectConstructor.h&quot;
</span><span class="cx"> #include &quot;ObjectPrototype.h&quot;
</span><span class="cx"> #include &quot;ProxyObject.h&quot;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeProxyObjectcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/ProxyObject.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/ProxyObject.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/ProxyObject.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -28,7 +28,8 @@
</span><span class="cx"> 
</span><span class="cx"> #include &quot;Error.h&quot;
</span><span class="cx"> #include &quot;IdentifierInlines.h&quot;
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;JSCJSValueInlines.h&quot;
+#include &quot;JSCellInlines.h&quot;
</ins><span class="cx"> #include &quot;ObjectConstructor.h&quot;
</span><span class="cx"> #include &quot;SlotVisitorInlines.h&quot;
</span><span class="cx"> #include &quot;StructureInlines.h&quot;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeProxyRevokecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/ProxyRevoke.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/ProxyRevoke.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/ProxyRevoke.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -26,8 +26,10 @@
</span><span class="cx"> #include &quot;config.h&quot;
</span><span class="cx"> #include &quot;ProxyRevoke.h&quot;
</span><span class="cx"> 
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;JSCJSValueInlines.h&quot;
</ins><span class="cx"> #include &quot;ProxyObject.h&quot;
</span><ins>+#include &quot;SlotVisitorInlines.h&quot;
+#include &quot;StructureInlines.h&quot;
</ins><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeRegExpcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/RegExp.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/RegExp.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/RegExp.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -296,13 +296,13 @@
</span><span class="cx">     m_regExpBytecode = Yarr::byteCompile(pattern, &amp;vm-&gt;m_regExpAllocator, &amp;vm-&gt;m_regExpAllocatorLock);
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-int RegExp::match(VM&amp; vm, const String&amp; s, unsigned startOffset, Vector&lt;int&gt;&amp; ovector)
</del><ins>+int RegExp::match(VM&amp; vm, const String&amp; s, unsigned startOffset, Vector&lt;int, 32&gt;&amp; ovector)
</ins><span class="cx"> {
</span><span class="cx">     return matchInline(vm, s, startOffset, ovector);
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> bool RegExp::matchConcurrently(
</span><del>-    VM&amp; vm, const String&amp; s, unsigned startOffset, int&amp; position, Vector&lt;int&gt;&amp; ovector)
</del><ins>+    VM&amp; vm, const String&amp; s, unsigned startOffset, int&amp; position, Vector&lt;int, 32&gt;&amp; ovector)
</ins><span class="cx"> {
</span><span class="cx">     ConcurrentJITLocker locker(m_lock);
</span><span class="cx"> 
</span><span class="lines">@@ -382,7 +382,7 @@
</span><span class="cx"> void RegExp::matchCompareWithInterpreter(const String&amp; s, int startOffset, int* offsetVector, int jitResult)
</span><span class="cx"> {
</span><span class="cx">     int offsetVectorSize = (m_numSubpatterns + 1) * 2;
</span><del>-    Vector&lt;int&gt; interpreterOvector;
</del><ins>+    Vector&lt;int, 32&gt; interpreterOvector;
</ins><span class="cx">     interpreterOvector.resize(offsetVectorSize);
</span><span class="cx">     int* interpreterOffsetVector = interpreterOvector.data();
</span><span class="cx">     int interpreterResult = 0;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeRegExph"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/RegExp.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/RegExp.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/RegExp.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -64,10 +64,10 @@
</span><span class="cx">     bool isValid() const { return !m_constructionError &amp;&amp; m_flags != InvalidFlags; }
</span><span class="cx">     const char* errorMessage() const { return m_constructionError; }
</span><span class="cx"> 
</span><del>-    JS_EXPORT_PRIVATE int match(VM&amp;, const String&amp;, unsigned startOffset, Vector&lt;int&gt;&amp; ovector);
</del><ins>+    JS_EXPORT_PRIVATE int match(VM&amp;, const String&amp;, unsigned startOffset, Vector&lt;int, 32&gt;&amp; ovector);
</ins><span class="cx"> 
</span><span class="cx">     // Returns false if we couldn't run the regular expression for any reason.
</span><del>-    bool matchConcurrently(VM&amp;, const String&amp;, unsigned startOffset, int&amp; position, Vector&lt;int&gt;&amp; ovector);
</del><ins>+    bool matchConcurrently(VM&amp;, const String&amp;, unsigned startOffset, int&amp; position, Vector&lt;int, 32&gt;&amp; ovector);
</ins><span class="cx">     
</span><span class="cx">     JS_EXPORT_PRIVATE MatchResult match(VM&amp;, const String&amp;, unsigned startOffset);
</span><span class="cx"> 
</span><span class="lines">@@ -74,8 +74,7 @@
</span><span class="cx">     bool matchConcurrently(VM&amp;, const String&amp;, unsigned startOffset, MatchResult&amp;);
</span><span class="cx"> 
</span><span class="cx">     // Call these versions of the match functions if you're desperate for performance.
</span><del>-    template&lt;typename VectorType&gt;
-    int matchInline(VM&amp;, const String&amp;, unsigned startOffset, VectorType&amp; ovector);
</del><ins>+    int matchInline(VM&amp;, const String&amp;, unsigned startOffset, Vector&lt;int, 32&gt;&amp; ovector);
</ins><span class="cx">     MatchResult matchInline(VM&amp;, const String&amp;, unsigned startOffset);
</span><span class="cx">     
</span><span class="cx">     unsigned numSubpatterns() const { return m_numSubpatterns; }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeRegExpConstructorh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/RegExpConstructor.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/RegExpConstructor.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/RegExpConstructor.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -80,7 +80,7 @@
</span><span class="cx"> 
</span><span class="cx">     RegExpCachedResult m_cachedResult;
</span><span class="cx">     bool m_multiline;
</span><del>-    Vector&lt;int&gt; m_ovector;
</del><ins>+    Vector&lt;int, 32&gt; m_ovector;
</ins><span class="cx"> };
</span><span class="cx"> 
</span><span class="cx"> RegExpConstructor* asRegExpConstructor(JSValue);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeRegExpInlinesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/RegExpInlines.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/RegExpInlines.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/RegExpInlines.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -94,8 +94,7 @@
</span><span class="cx">     compile(&amp;vm, charSize);
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-template&lt;typename VectorType&gt;
-ALWAYS_INLINE int RegExp::matchInline(VM&amp; vm, const String&amp; s, unsigned startOffset, VectorType&amp; ovector)
</del><ins>+ALWAYS_INLINE int RegExp::matchInline(VM&amp; vm, const String&amp; s, unsigned startOffset, Vector&lt;int, 32&gt;&amp; ovector)
</ins><span class="cx"> {
</span><span class="cx"> #if ENABLE(REGEXP_TRACING)
</span><span class="cx">     m_rtMatchCallCount++;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeRegExpMatchesArrayh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/RegExpMatchesArray.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/RegExpMatchesArray.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/RegExpMatchesArray.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -34,20 +34,17 @@
</span><span class="cx"> 
</span><span class="cx"> ALWAYS_INLINE JSArray* tryCreateUninitializedRegExpMatchesArray(VM&amp; vm, Structure* structure, unsigned initialLength)
</span><span class="cx"> {
</span><del>-    unsigned vectorLength = initialLength;
</del><ins>+    unsigned vectorLength = std::max(BASE_VECTOR_LEN, initialLength);
</ins><span class="cx">     if (vectorLength &gt; MAX_STORAGE_VECTOR_LENGTH)
</span><span class="cx">         return 0;
</span><span class="cx"> 
</span><del>-    void* temp = vm.heap.tryAllocateAuxiliary(nullptr, Butterfly::totalSize(0, structure-&gt;outOfLineCapacity(), true, vectorLength * sizeof(EncodedJSValue)));
-    if (!temp)
-        return nullptr;
</del><ins>+    void* temp;
+    if (!vm.heap.tryAllocateStorage(0, Butterfly::totalSize(0, structure-&gt;outOfLineCapacity(), true, vectorLength * sizeof(EncodedJSValue)), &amp;temp))
+        return 0;
</ins><span class="cx">     Butterfly* butterfly = Butterfly::fromBase(temp, 0, structure-&gt;outOfLineCapacity());
</span><span class="cx">     butterfly-&gt;setVectorLength(vectorLength);
</span><span class="cx">     butterfly-&gt;setPublicLength(initialLength);
</span><del>-    
-    for (unsigned i = initialLength; i &lt; vectorLength; ++i)
-        butterfly-&gt;contiguous()[i].clear();
-    
</del><ins>+
</ins><span class="cx">     return JSArray::createWithButterfly(vm, structure, butterfly);
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="lines">@@ -70,54 +67,40 @@
</span><span class="cx">     // FIXME: This should handle array allocation errors gracefully.
</span><span class="cx">     // https://bugs.webkit.org/show_bug.cgi?id=155144
</span><span class="cx">     
</span><del>-    auto setProperties = [&amp;] () {
-        array-&gt;putDirect(vm, RegExpMatchesArrayIndexPropertyOffset, jsNumber(result.start));
-        array-&gt;putDirect(vm, RegExpMatchesArrayInputPropertyOffset, input);
-    };
-    
-    unsigned numSubpatterns = regExp-&gt;numSubpatterns();
-    
</del><span class="cx">     if (UNLIKELY(globalObject-&gt;isHavingABadTime())) {
</span><del>-        array = JSArray::tryCreateUninitialized(vm, globalObject-&gt;regExpMatchesArrayStructure(), numSubpatterns + 1);
</del><ins>+        array = JSArray::tryCreateUninitialized(vm, globalObject-&gt;regExpMatchesArrayStructure(), regExp-&gt;numSubpatterns() + 1);
</ins><span class="cx">         
</span><del>-        setProperties();
-        
-        array-&gt;initializeIndex(vm, 0, jsUndefined());
-        
-        for (unsigned i = 1; i &lt;= numSubpatterns; ++i)
-            array-&gt;initializeIndex(vm, i, jsUndefined());
-        
-        // Now the object is safe to scan by GC.
-        
</del><span class="cx">         array-&gt;initializeIndex(vm, 0, jsSubstringOfResolved(vm, input, result.start, result.end - result.start));
</span><span class="cx">         
</span><del>-        for (unsigned i = 1; i &lt;= numSubpatterns; ++i) {
-            int start = subpatternResults[2 * i];
-            if (start &gt;= 0)
-                array-&gt;initializeIndex(vm, i, JSRopeString::createSubstringOfResolved(vm, input, start, subpatternResults[2 * i + 1] - start));
</del><ins>+        if (unsigned numSubpatterns = regExp-&gt;numSubpatterns()) {
+            for (unsigned i = 1; i &lt;= numSubpatterns; ++i) {
+                int start = subpatternResults[2 * i];
+                if (start &gt;= 0)
+                    array-&gt;initializeIndex(vm, i, JSRopeString::createSubstringOfResolved(vm, input, start, subpatternResults[2 * i + 1] - start));
+                else
+                    array-&gt;initializeIndex(vm, i, jsUndefined());
+            }
</ins><span class="cx">         }
</span><span class="cx">     } else {
</span><del>-        array = tryCreateUninitializedRegExpMatchesArray(vm, globalObject-&gt;regExpMatchesArrayStructure(), numSubpatterns + 1);
</del><ins>+        array = tryCreateUninitializedRegExpMatchesArray(vm, globalObject-&gt;regExpMatchesArrayStructure(), regExp-&gt;numSubpatterns() + 1);
</ins><span class="cx">         RELEASE_ASSERT(array);
</span><span class="cx">         
</span><del>-        setProperties();
-        
-        array-&gt;initializeIndex(vm, 0, jsUndefined(), ArrayWithContiguous);
-        
-        for (unsigned i = 1; i &lt;= numSubpatterns; ++i)
-            array-&gt;initializeIndex(vm, i, jsUndefined(), ArrayWithContiguous);
-        
-        // Now the object is safe to scan by GC.
-
</del><span class="cx">         array-&gt;initializeIndex(vm, 0, jsSubstringOfResolved(vm, input, result.start, result.end - result.start), ArrayWithContiguous);
</span><span class="cx">         
</span><del>-        for (unsigned i = 1; i &lt;= numSubpatterns; ++i) {
-            int start = subpatternResults[2 * i];
-            if (start &gt;= 0)
-                array-&gt;initializeIndex(vm, i, JSRopeString::createSubstringOfResolved(vm, input, start, subpatternResults[2 * i + 1] - start), ArrayWithContiguous);
</del><ins>+        if (unsigned numSubpatterns = regExp-&gt;numSubpatterns()) {
+            for (unsigned i = 1; i &lt;= numSubpatterns; ++i) {
+                int start = subpatternResults[2 * i];
+                if (start &gt;= 0)
+                    array-&gt;initializeIndex(vm, i, JSRopeString::createSubstringOfResolved(vm, input, start, subpatternResults[2 * i + 1] - start), ArrayWithContiguous);
+                else
+                    array-&gt;initializeIndex(vm, i, jsUndefined(), ArrayWithContiguous);
+            }
</ins><span class="cx">         }
</span><span class="cx">     }
</span><span class="cx"> 
</span><ins>+    array-&gt;putDirect(vm, RegExpMatchesArrayIndexPropertyOffset, jsNumber(result.start));
+    array-&gt;putDirect(vm, RegExpMatchesArrayInputPropertyOffset, input);
+
</ins><span class="cx">     return array;
</span><span class="cx"> }
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeRegExpPrototypecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/RegExpPrototype.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/RegExpPrototype.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/RegExpPrototype.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -468,14 +468,12 @@
</span><span class="cx">     unsigned&amp; matchPosition, bool regExpIsSticky, bool regExpIsUnicode,
</span><span class="cx">     const ControlFunc&amp; control, const PushFunc&amp; push)
</span><span class="cx"> {
</span><del>-    Vector&lt;int&gt; ovector;
-        
</del><span class="cx">     while (matchPosition &lt; inputSize) {
</span><span class="cx">         if (control() == AbortSplit)
</span><span class="cx">             return;
</span><span class="cx">         
</span><del>-        ovector.resize(0);
-        
</del><ins>+        Vector&lt;int, 32&gt; ovector;
+
</ins><span class="cx">         // a. Perform ? Set(splitter, &quot;lastIndex&quot;, q, true).
</span><span class="cx">         // b. Let z be ? RegExpExec(splitter, S).
</span><span class="cx">         int mpos = regexp-&gt;match(vm, input, matchPosition, ovector);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeRuntimeTypecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/RuntimeType.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/RuntimeType.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/RuntimeType.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -28,7 +28,8 @@
</span><span class="cx"> #include &quot;config.h&quot;
</span><span class="cx"> #include &quot;RuntimeType.h&quot;
</span><span class="cx"> 
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;JSCJSValue.h&quot;
+#include &quot;JSCJSValueInlines.h&quot;
</ins><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeSamplingProfilercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/SamplingProfiler.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/SamplingProfiler.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/SamplingProfiler.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -33,7 +33,6 @@
</span><span class="cx"> #include &quot;Executable.h&quot;
</span><span class="cx"> #include &quot;HeapInlines.h&quot;
</span><span class="cx"> #include &quot;HeapIterationScope.h&quot;
</span><del>-#include &quot;HeapUtil.h&quot;
</del><span class="cx"> #include &quot;InlineCallFrame.h&quot;
</span><span class="cx"> #include &quot;Interpreter.h&quot;
</span><span class="cx"> #include &quot;JSCJSValueInlines.h&quot;
</span><span class="lines">@@ -357,6 +356,7 @@
</span><span class="cx">     RELEASE_ASSERT(m_lock.isLocked());
</span><span class="cx"> 
</span><span class="cx">     TinyBloomFilter filter = m_vm.heap.objectSpace().blocks().filter();
</span><ins>+    MarkedBlockSet&amp; markedBlockSet = m_vm.heap.objectSpace().blocks();
</ins><span class="cx"> 
</span><span class="cx">     for (UnprocessedStackTrace&amp; unprocessedStackTrace : m_unprocessedStackTraces) {
</span><span class="cx">         m_stackTraces.append(StackTrace());
</span><span class="lines">@@ -390,7 +390,7 @@
</span><span class="cx">             JSValue callee = JSValue::decode(encodedCallee);
</span><span class="cx">             StackFrame&amp; stackFrame = stackTrace.frames.last();
</span><span class="cx">             bool alreadyHasExecutable = !!stackFrame.executable;
</span><del>-            if (!HeapUtil::isValueGCObject(m_vm.heap, filter, callee)) {
</del><ins>+            if (!Heap::isValueGCObject(filter, markedBlockSet, callee)) {
</ins><span class="cx">                 if (!alreadyHasExecutable)
</span><span class="cx">                     stackFrame.frameType = FrameType::Unknown;
</span><span class="cx">                 return;
</span><span class="lines">@@ -435,7 +435,7 @@
</span><span class="cx">                 return;
</span><span class="cx">             }
</span><span class="cx"> 
</span><del>-            RELEASE_ASSERT(HeapUtil::isPointerGCObjectJSCell(m_vm.heap, filter, executable));
</del><ins>+            RELEASE_ASSERT(Heap::isPointerGCObject(filter, markedBlockSet, executable));
</ins><span class="cx">             stackFrame.frameType = FrameType::Executable;
</span><span class="cx">             stackFrame.executable = executable;
</span><span class="cx">             m_liveCellPointers.add(executable);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeSetConstructorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/SetConstructor.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/SetConstructor.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/SetConstructor.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -29,11 +29,13 @@
</span><span class="cx"> #include &quot;Error.h&quot;
</span><span class="cx"> #include &quot;GetterSetter.h&quot;
</span><span class="cx"> #include &quot;IteratorOperations.h&quot;
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;JSCJSValueInlines.h&quot;
+#include &quot;JSCellInlines.h&quot;
</ins><span class="cx"> #include &quot;JSGlobalObject.h&quot;
</span><span class="cx"> #include &quot;JSSet.h&quot;
</span><span class="cx"> #include &quot;MapData.h&quot;
</span><span class="cx"> #include &quot;SetPrototype.h&quot;
</span><ins>+#include &quot;StructureInlines.h&quot;
</ins><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeSetIteratorPrototypecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/SetIteratorPrototype.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/SetIteratorPrototype.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/SetIteratorPrototype.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -27,8 +27,10 @@
</span><span class="cx"> #include &quot;SetIteratorPrototype.h&quot;
</span><span class="cx"> 
</span><span class="cx"> #include &quot;IteratorOperations.h&quot;
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;JSCJSValueInlines.h&quot;
+#include &quot;JSCellInlines.h&quot;
</ins><span class="cx"> #include &quot;JSSetIterator.h&quot;
</span><ins>+#include &quot;StructureInlines.h&quot;
</ins><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeSetPrototypecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/SetPrototype.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/SetPrototype.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/SetPrototype.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -31,11 +31,13 @@
</span><span class="cx"> #include &quot;ExceptionHelpers.h&quot;
</span><span class="cx"> #include &quot;GetterSetter.h&quot;
</span><span class="cx"> #include &quot;IteratorOperations.h&quot;
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;JSCJSValueInlines.h&quot;
+#include &quot;JSFunctionInlines.h&quot;
</ins><span class="cx"> #include &quot;JSSet.h&quot;
</span><span class="cx"> #include &quot;JSSetIterator.h&quot;
</span><span class="cx"> #include &quot;Lookup.h&quot;
</span><span class="cx"> #include &quot;MapDataInlines.h&quot;
</span><ins>+#include &quot;StructureInlines.h&quot;
</ins><span class="cx"> 
</span><span class="cx"> #include &quot;SetPrototype.lut.h&quot;
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeStackFramecpp"></a>
<div class="delfile"><h4>Deleted: trunk/Source/JavaScriptCore/runtime/StackFrame.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/StackFrame.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/StackFrame.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,119 +0,0 @@
</span><del>-/*
- * Copyright (C) 2016 Apple Inc. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
- * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
- * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include &quot;config.h&quot;
-#include &quot;StackFrame.h&quot;
-
-#include &quot;CodeBlock.h&quot;
-#include &quot;DebuggerPrimitives.h&quot;
-#include &quot;JSCInlines.h&quot;
-#include &lt;wtf/text/StringBuilder.h&gt;
-
-namespace JSC {
-
-intptr_t StackFrame::sourceID() const
-{
-    if (!codeBlock)
-        return noSourceID;
-    return codeBlock-&gt;ownerScriptExecutable()-&gt;sourceID();
-}
-
-String StackFrame::sourceURL() const
-{
-    if (!codeBlock)
-        return ASCIILiteral(&quot;[native code]&quot;);
-
-    String sourceURL = codeBlock-&gt;ownerScriptExecutable()-&gt;sourceURL();
-    if (!sourceURL.isNull())
-        return sourceURL;
-    return emptyString();
-}
-
-String StackFrame::functionName(VM&amp; vm) const
-{
-    if (codeBlock) {
-        switch (codeBlock-&gt;codeType()) {
-        case EvalCode:
-            return ASCIILiteral(&quot;eval code&quot;);
-        case ModuleCode:
-            return ASCIILiteral(&quot;module code&quot;);
-        case FunctionCode:
-            break;
-        case GlobalCode:
-            return ASCIILiteral(&quot;global code&quot;);
-        default:
-            ASSERT_NOT_REACHED();
-        }
-    }
-    String name;
-    if (callee)
-        name = getCalculatedDisplayName(vm, callee.get()).impl();
-    return name.isNull() ? emptyString() : name;
-}
-
-void StackFrame::computeLineAndColumn(unsigned&amp; line, unsigned&amp; column) const
-{
-    if (!codeBlock) {
-        line = 0;
-        column = 0;
-        return;
-    }
-
-    int divot = 0;
-    int unusedStartOffset = 0;
-    int unusedEndOffset = 0;
-    codeBlock-&gt;expressionRangeForBytecodeOffset(bytecodeOffset, divot, unusedStartOffset, unusedEndOffset, line, column);
-
-    ScriptExecutable* executable = codeBlock-&gt;ownerScriptExecutable();
-    if (executable-&gt;hasOverrideLineNumber())
-        line = executable-&gt;overrideLineNumber();
-}
-
-String StackFrame::toString(VM&amp; vm) const
-{
-    StringBuilder traceBuild;
-    String functionName = this-&gt;functionName(vm);
-    String sourceURL = this-&gt;sourceURL();
-    traceBuild.append(functionName);
-    if (!sourceURL.isEmpty()) {
-        if (!functionName.isEmpty())
-            traceBuild.append('@');
-        traceBuild.append(sourceURL);
-        if (codeBlock) {
-            unsigned line;
-            unsigned column;
-            computeLineAndColumn(line, column);
-
-            traceBuild.append(':');
-            traceBuild.appendNumber(line);
-            traceBuild.append(':');
-            traceBuild.appendNumber(column);
-        }
-    }
-    return traceBuild.toString().impl();
-}
-
-} // namespace JSC
-
</del></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeStackFrameh"></a>
<div class="delfile"><h4>Deleted: trunk/Source/JavaScriptCore/runtime/StackFrame.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/StackFrame.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/StackFrame.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,50 +0,0 @@
</span><del>-/*
- * Copyright (C) 2016 Apple Inc. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
- * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
- * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#pragma once
-
-#include &quot;Strong.h&quot;
-
-namespace JSC {
-
-class CodeBlock;
-class JSObject;
-
-struct StackFrame {
-    Strong&lt;JSObject&gt; callee;
-    Strong&lt;CodeBlock&gt; codeBlock;
-    unsigned bytecodeOffset;
-    
-    bool isNative() const { return !codeBlock; }
-    
-    void computeLineAndColumn(unsigned&amp; line, unsigned&amp; column) const;
-    String functionName(VM&amp;) const;
-    intptr_t sourceID() const;
-    String sourceURL() const;
-    String toString(VM&amp;) const;
-};
-
-} // namespace JSC
-
</del></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeStringConstructorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/StringConstructor.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/StringConstructor.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/StringConstructor.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -28,7 +28,6 @@
</span><span class="cx"> #include &quot;JSGlobalObject.h&quot;
</span><span class="cx"> #include &quot;JSCInlines.h&quot;
</span><span class="cx"> #include &quot;StringPrototype.h&quot;
</span><del>-#include &lt;wtf/text/StringBuilder.h&gt;
</del><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeStringIteratorPrototypecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/StringIteratorPrototype.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/StringIteratorPrototype.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/StringIteratorPrototype.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -27,10 +27,12 @@
</span><span class="cx"> #include &quot;config.h&quot;
</span><span class="cx"> #include &quot;StringIteratorPrototype.h&quot;
</span><span class="cx"> 
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;JSCJSValueInlines.h&quot;
+#include &quot;JSCellInlines.h&quot;
</ins><span class="cx"> #include &quot;JSGlobalObject.h&quot;
</span><span class="cx"> #include &quot;JSStringIterator.h&quot;
</span><span class="cx"> #include &quot;ObjectConstructor.h&quot;
</span><ins>+#include &quot;StructureInlines.h&quot;
</ins><span class="cx"> 
</span><span class="cx"> #include &quot;StringIteratorPrototype.lut.h&quot;
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeTemplateRegistrycpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/TemplateRegistry.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/TemplateRegistry.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/TemplateRegistry.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -26,9 +26,10 @@
</span><span class="cx"> #include &quot;config.h&quot;
</span><span class="cx"> #include &quot;TemplateRegistry.h&quot;
</span><span class="cx"> 
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;JSCJSValueInlines.h&quot;
</ins><span class="cx"> #include &quot;JSGlobalObject.h&quot;
</span><span class="cx"> #include &quot;ObjectConstructor.h&quot;
</span><ins>+#include &quot;StructureInlines.h&quot;
</ins><span class="cx"> #include &quot;WeakGCMapInlines.h&quot;
</span><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeTestRunnerUtilscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/TestRunnerUtils.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/TestRunnerUtils.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/TestRunnerUtils.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2013-2014, 2016 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2013, 2014 Apple Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -27,9 +27,7 @@
</span><span class="cx"> #include &quot;TestRunnerUtils.h&quot;
</span><span class="cx"> 
</span><span class="cx"> #include &quot;CodeBlock.h&quot;
</span><del>-#include &quot;HeapStatistics.h&quot;
</del><span class="cx"> #include &quot;JSCInlines.h&quot;
</span><del>-#include &quot;LLIntData.h&quot;
</del><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span><span class="lines">@@ -152,14 +150,5 @@
</span><span class="cx">     return optimizeNextInvocation(exec-&gt;uncheckedArgument(0));
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-// This is a hook called at the bitter end of some of our tests.
-void finalizeStatsAtEndOfTesting()
-{
-    if (Options::logHeapStatisticsAtExit())
-        HeapStatistics::reportSuccess();
-    if (Options::reportLLIntStats())
-        LLInt::Data::finalizeStats();
-}
-
</del><span class="cx"> } // namespace JSC
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeTestRunnerUtilsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/TestRunnerUtils.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/TestRunnerUtils.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/TestRunnerUtils.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -53,8 +53,6 @@
</span><span class="cx"> JS_EXPORT_PRIVATE unsigned numberOfStaticOSRExitFuzzChecks();
</span><span class="cx"> JS_EXPORT_PRIVATE unsigned numberOfOSRExitFuzzChecks();
</span><span class="cx"> 
</span><del>-JS_EXPORT_PRIVATE void finalizeStatsAtEndOfTesting();
-
</del><span class="cx"> } // namespace JSC
</span><span class="cx"> 
</span><span class="cx"> #endif // TestRunnerUtils_h
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeTypeProfilerLogcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/TypeProfilerLog.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/TypeProfilerLog.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/TypeProfilerLog.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -29,7 +29,7 @@
</span><span class="cx"> #include &quot;config.h&quot;
</span><span class="cx"> #include &quot;TypeProfilerLog.h&quot;
</span><span class="cx"> 
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;JSCJSValueInlines.h&quot;
</ins><span class="cx"> #include &quot;TypeLocation.h&quot;
</span><span class="cx"> #include &lt;wtf/CurrentTime.h&gt;
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeTypeSetcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/TypeSet.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/TypeSet.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/TypeSet.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -27,7 +27,8 @@
</span><span class="cx"> #include &quot;TypeSet.h&quot;
</span><span class="cx"> 
</span><span class="cx"> #include &quot;InspectorProtocolObjects.h&quot;
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;JSCJSValue.h&quot;
+#include &quot;JSCJSValueInlines.h&quot;
</ins><span class="cx"> #include &lt;wtf/text/CString.h&gt;
</span><span class="cx"> #include &lt;wtf/text/WTFString.h&gt;
</span><span class="cx"> #include &lt;wtf/text/StringBuilder.h&gt;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeVMcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/VM.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/VM.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/VM.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -70,7 +70,6 @@
</span><span class="cx"> #include &quot;JSPropertyNameEnumerator.h&quot;
</span><span class="cx"> #include &quot;JSTemplateRegistryKey.h&quot;
</span><span class="cx"> #include &quot;JSWithScope.h&quot;
</span><del>-#include &quot;LLIntData.h&quot;
</del><span class="cx"> #include &quot;Lexer.h&quot;
</span><span class="cx"> #include &quot;Lookup.h&quot;
</span><span class="cx"> #include &quot;MapData.h&quot;
</span><span class="lines">@@ -108,7 +107,6 @@
</span><span class="cx"> 
</span><span class="cx"> #if !ENABLE(JIT)
</span><span class="cx"> #include &quot;CLoopStack.h&quot;
</span><del>-#include &quot;CLoopStackInlines.h&quot;
</del><span class="cx"> #endif
</span><span class="cx"> 
</span><span class="cx"> #if ENABLE(DFG_JIT)
</span><span class="lines">@@ -877,16 +875,4 @@
</span><span class="cx"> #endif
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-#if !ENABLE(JIT)
-bool VM::ensureStackCapacityForCLoop(Register* newTopOfStack)
-{
-    return interpreter-&gt;cloopStack().ensureCapacityFor(newTopOfStack);
-}
-
-bool VM::isSafeToRecurseSoftCLoop() const
-{
-    return interpreter-&gt;cloopStack().isSafeToRecurse();
-}
-#endif // !ENABLE(JIT)
-
</del><span class="cx"> } // namespace JSC
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeVMh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/VM.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/VM.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/VM.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -39,6 +39,7 @@
</span><span class="cx"> #include &quot;JITThunks.h&quot;
</span><span class="cx"> #include &quot;JSCJSValue.h&quot;
</span><span class="cx"> #include &quot;JSLock.h&quot;
</span><ins>+#include &quot;LLIntData.h&quot;
</ins><span class="cx"> #include &quot;MacroAssemblerCodeRef.h&quot;
</span><span class="cx"> #include &quot;Microtask.h&quot;
</span><span class="cx"> #include &quot;NumericStrings.h&quot;
</span><span class="lines">@@ -644,11 +645,6 @@
</span><span class="cx">         m_lastException = exception;
</span><span class="cx">     }
</span><span class="cx"> 
</span><del>-#if !ENABLE(JIT)    
-    bool ensureStackCapacityForCLoop(Register* newTopOfStack);
-    bool isSafeToRecurseSoftCLoop() const;
-#endif // !ENABLE(JIT)
-
</del><span class="cx"> #if ENABLE(ASSEMBLER)
</span><span class="cx">     bool m_canUseAssembler;
</span><span class="cx"> #endif
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeVMEntryScopeh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/VMEntryScope.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/VMEntryScope.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/VMEntryScope.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -26,6 +26,7 @@
</span><span class="cx"> #ifndef VMEntryScope_h
</span><span class="cx"> #define VMEntryScope_h
</span><span class="cx"> 
</span><ins>+#include &quot;Interpreter.h&quot;
</ins><span class="cx"> #include &lt;wtf/StackBounds.h&gt;
</span><span class="cx"> #include &lt;wtf/StackStats.h&gt;
</span><span class="cx"> #include &lt;wtf/Vector.h&gt;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeVMInlinesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/VMInlines.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/VMInlines.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/VMInlines.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -30,6 +30,10 @@
</span><span class="cx"> #include &quot;VM.h&quot;
</span><span class="cx"> #include &quot;Watchdog.h&quot;
</span><span class="cx"> 
</span><ins>+#if !ENABLE(JIT)
+#include &quot;CLoopStackInlines.h&quot;
+#endif
+
</ins><span class="cx"> namespace JSC {
</span><span class="cx">     
</span><span class="cx"> bool VM::ensureStackCapacityFor(Register* newTopOfStack)
</span><span class="lines">@@ -38,7 +42,7 @@
</span><span class="cx">     ASSERT(wtfThreadData().stack().isGrowingDownward());
</span><span class="cx">     return newTopOfStack &gt;= m_softStackLimit;
</span><span class="cx"> #else
</span><del>-    return ensureStackCapacityForCLoop(newTopOfStack);
</del><ins>+    return interpreter-&gt;cloopStack().ensureCapacityFor(newTopOfStack);
</ins><span class="cx"> #endif
</span><span class="cx">     
</span><span class="cx"> }
</span><span class="lines">@@ -47,7 +51,7 @@
</span><span class="cx"> {
</span><span class="cx">     bool safe = isSafeToRecurse(m_softStackLimit);
</span><span class="cx"> #if !ENABLE(JIT)
</span><del>-    safe = safe &amp;&amp; isSafeToRecurseSoftCLoop();
</del><ins>+    safe = safe &amp;&amp; interpreter-&gt;cloopStack().isSafeToRecurse();
</ins><span class="cx"> #endif
</span><span class="cx">     return safe;
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeWeakMapConstructorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/WeakMapConstructor.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/WeakMapConstructor.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/WeakMapConstructor.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2013, 2016 Apple, Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2013 Apple, Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -28,9 +28,11 @@
</span><span class="cx"> 
</span><span class="cx"> #include &quot;Error.h&quot;
</span><span class="cx"> #include &quot;IteratorOperations.h&quot;
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;JSCJSValueInlines.h&quot;
+#include &quot;JSCellInlines.h&quot;
</ins><span class="cx"> #include &quot;JSGlobalObject.h&quot;
</span><span class="cx"> #include &quot;JSWeakMap.h&quot;
</span><ins>+#include &quot;StructureInlines.h&quot;
</ins><span class="cx"> #include &quot;WeakMapPrototype.h&quot;
</span><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeWeakMapDatacpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/WeakMapData.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/WeakMapData.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/WeakMapData.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -29,7 +29,8 @@
</span><span class="cx"> #include &quot;CopiedAllocator.h&quot;
</span><span class="cx"> #include &quot;CopyVisitorInlines.h&quot;
</span><span class="cx"> #include &quot;ExceptionHelpers.h&quot;
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;JSCJSValueInlines.h&quot;
+#include &quot;SlotVisitorInlines.h&quot;
</ins><span class="cx"> 
</span><span class="cx"> #include &lt;wtf/MathExtras.h&gt;
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeWeakMapPrototypecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/WeakMapPrototype.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/WeakMapPrototype.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/WeakMapPrototype.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -26,8 +26,9 @@
</span><span class="cx"> #include &quot;config.h&quot;
</span><span class="cx"> #include &quot;WeakMapPrototype.h&quot;
</span><span class="cx"> 
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;JSCJSValueInlines.h&quot;
</ins><span class="cx"> #include &quot;JSWeakMap.h&quot;
</span><ins>+#include &quot;StructureInlines.h&quot;
</ins><span class="cx"> #include &quot;WeakMapData.h&quot;
</span><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeWeakSetConstructorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/WeakSetConstructor.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/WeakSetConstructor.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/WeakSetConstructor.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2015-2016 Apple, Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2015 Apple, Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -28,9 +28,11 @@
</span><span class="cx"> 
</span><span class="cx"> #include &quot;Error.h&quot;
</span><span class="cx"> #include &quot;IteratorOperations.h&quot;
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;JSCJSValueInlines.h&quot;
+#include &quot;JSCellInlines.h&quot;
</ins><span class="cx"> #include &quot;JSGlobalObject.h&quot;
</span><span class="cx"> #include &quot;JSWeakSet.h&quot;
</span><ins>+#include &quot;StructureInlines.h&quot;
</ins><span class="cx"> #include &quot;WeakSetPrototype.h&quot;
</span><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeWeakSetPrototypecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/WeakSetPrototype.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/WeakSetPrototype.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/runtime/WeakSetPrototype.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -26,8 +26,9 @@
</span><span class="cx"> #include &quot;config.h&quot;
</span><span class="cx"> #include &quot;WeakSetPrototype.h&quot;
</span><span class="cx"> 
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;JSCJSValueInlines.h&quot;
</ins><span class="cx"> #include &quot;JSWeakSet.h&quot;
</span><ins>+#include &quot;StructureInlines.h&quot;
</ins><span class="cx"> #include &quot;WeakMapData.h&quot;
</span><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoretestRegExpcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/testRegExp.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/testRegExp.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/testRegExp.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -191,7 +191,7 @@
</span><span class="cx"> static bool testOneRegExp(VM&amp; vm, RegExp* regexp, RegExpTest* regExpTest, bool verbose, unsigned int lineNumber)
</span><span class="cx"> {
</span><span class="cx">     bool result = true;
</span><del>-    Vector&lt;int&gt; outVector;
</del><ins>+    Vector&lt;int, 32&gt; outVector;
</ins><span class="cx">     outVector.resize(regExpTest-&gt;expectVector.size());
</span><span class="cx">     int matchResult = regexp-&gt;match(vm, regExpTest-&gt;subject, regExpTest-&gt;offset, outVector);
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoretoolsJSDollarVMcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/tools/JSDollarVM.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/tools/JSDollarVM.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/tools/JSDollarVM.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -26,7 +26,8 @@
</span><span class="cx"> #include &quot;config.h&quot;
</span><span class="cx"> #include &quot;JSDollarVM.h&quot;
</span><span class="cx"> 
</span><del>-#include &quot;JSCInlines.h&quot;
</del><ins>+#include &quot;JSCJSValueInlines.h&quot;
+#include &quot;StructureInlines.h&quot;
</ins><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoretoolsJSDollarVMPrototypecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/tools/JSDollarVMPrototype.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/tools/JSDollarVMPrototype.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/JavaScriptCore/tools/JSDollarVMPrototype.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -146,13 +146,7 @@
</span><span class="cx"> bool JSDollarVMPrototype::isInObjectSpace(Heap* heap, void* ptr)
</span><span class="cx"> {
</span><span class="cx">     MarkedBlock* candidate = MarkedBlock::blockFor(ptr);
</span><del>-    if (heap-&gt;objectSpace().blocks().set().contains(candidate))
-        return true;
-    for (LargeAllocation* allocation : heap-&gt;objectSpace().largeAllocations()) {
-        if (allocation-&gt;contains(ptr))
-            return true;
-    }
-    return false;
</del><ins>+    return heap-&gt;objectSpace().blocks().set().contains(candidate);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> bool JSDollarVMPrototype::isInStorageSpace(Heap* heap, void* ptr)
</span></span></pre></div>
<a id="trunkSourceWTFChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WTF/ChangeLog (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WTF/ChangeLog        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/WTF/ChangeLog        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,3 +1,20 @@
</span><ins>+2016-08-24  Filip Pizlo  &lt;fpizlo@apple.com&gt;
+
+        Unreviewed, roll out r204901, r204897, r204866, r204856, r204854.
+
+        * wtf/FastMalloc.cpp:
+        (WTF::tryFastAlignedMalloc): Deleted.
+        * wtf/FastMalloc.h:
+        * wtf/ParkingLot.cpp:
+        (WTF::ParkingLot::forEach):
+        (WTF::ParkingLot::forEachImpl): Deleted.
+        * wtf/ParkingLot.h:
+        (WTF::ParkingLot::parkConditionally):
+        (WTF::ParkingLot::unparkOne):
+        (WTF::ParkingLot::forEach): Deleted.
+        * wtf/ScopedLambda.h:
+        (WTF::scopedLambdaRef): Deleted.
+
</ins><span class="cx"> 2016-08-22  Filip Pizlo  &lt;fpizlo@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         Butterflies should be allocated in Auxiliary MarkedSpace instead of CopiedSpace and we should rewrite as much of the GC as needed to make this not a regression
</span></span></pre></div>
<a id="trunkSourceWTFwtfFastMalloccpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WTF/wtf/FastMalloc.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WTF/wtf/FastMalloc.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/WTF/wtf/FastMalloc.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,6 +1,7 @@
</span><ins>+// Copyright (c) 2005, 2007, Google Inc. All rights reserved.
+
</ins><span class="cx"> /*
</span><del>- * Copyright (c) 2005, 2007, Google Inc. All rights reserved.
- * Copyright (C) 2005-2009, 2011, 2015-2016 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2005-2009, 2011, 2015 Apple Inc. All rights reserved.
</ins><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions
</span><span class="cx">  * are met:
</span><span class="lines">@@ -96,11 +97,6 @@
</span><span class="cx">     return _aligned_malloc(size, alignment);
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-void* tryFastAlignedMalloc(size_t alignment, size_t size) 
-{
-    return _aligned_malloc(size, alignment);
-}
-
</del><span class="cx"> void fastAlignedFree(void* p) 
</span><span class="cx"> {
</span><span class="cx">     _aligned_free(p);
</span><span class="lines">@@ -115,13 +111,6 @@
</span><span class="cx">     return p;
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-void* tryFastAlignedMalloc(size_t alignment, size_t size) 
-{
-    void* p = nullptr;
-    posix_memalign(&amp;p, alignment, size);
-    return p;
-}
-
</del><span class="cx"> void fastAlignedFree(void* p) 
</span><span class="cx"> {
</span><span class="cx">     free(p);
</span><span class="lines">@@ -242,11 +231,6 @@
</span><span class="cx">     return bmalloc::api::memalign(alignment, size);
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-void* tryFastAlignedMalloc(size_t alignment, size_t size) 
-{
-    return bmalloc::api::tryMemalign(alignment, size);
-}
-
</del><span class="cx"> void fastAlignedFree(void* p) 
</span><span class="cx"> {
</span><span class="cx">     bmalloc::api::free(p);
</span></span></pre></div>
<a id="trunkSourceWTFwtfFastMalloch"></a>
<div class="modfile"><h4>Modified: trunk/Source/WTF/wtf/FastMalloc.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WTF/wtf/FastMalloc.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/WTF/wtf/FastMalloc.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- *  Copyright (C) 2005-2009, 2015-2016 Apple Inc. All rights reserved.
</del><ins>+ *  Copyright (C) 2005-2009, 2015 Apple Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  *  This library is free software; you can redistribute it and/or
</span><span class="cx">  *  modify it under the terms of the GNU Library General Public
</span><span class="lines">@@ -53,7 +53,6 @@
</span><span class="cx"> 
</span><span class="cx"> // Allocations from fastAlignedMalloc() must be freed using fastAlignedFree().
</span><span class="cx"> WTF_EXPORT_PRIVATE void* fastAlignedMalloc(size_t alignment, size_t);
</span><del>-WTF_EXPORT_PRIVATE void* tryFastAlignedMalloc(size_t alignment, size_t);
</del><span class="cx"> WTF_EXPORT_PRIVATE void fastAlignedFree(void*);
</span><span class="cx"> 
</span><span class="cx"> WTF_EXPORT_PRIVATE size_t fastMallocSize(const void*);
</span><span class="lines">@@ -108,7 +107,6 @@
</span><span class="cx"> using WTF::fastRealloc;
</span><span class="cx"> using WTF::fastStrDup;
</span><span class="cx"> using WTF::fastZeroedMalloc;
</span><del>-using WTF::tryFastAlignedMalloc;
</del><span class="cx"> using WTF::tryFastCalloc;
</span><span class="cx"> using WTF::tryFastMalloc;
</span><span class="cx"> using WTF::tryFastZeroedMalloc;
</span></span></pre></div>
<a id="trunkSourceWTFwtfParkingLotcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WTF/wtf/ParkingLot.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WTF/wtf/ParkingLot.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/WTF/wtf/ParkingLot.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -767,7 +767,7 @@
</span><span class="cx">         dataLog(toString(currentThread(), &quot;: done unparking.\n&quot;));
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-NEVER_INLINE void ParkingLot::forEachImpl(const ScopedLambda&lt;void(ThreadIdentifier, const void*)&gt;&amp; callback)
</del><ins>+NEVER_INLINE void ParkingLot::forEach(std::function&lt;void(ThreadIdentifier, const void*)&gt; callback)
</ins><span class="cx"> {
</span><span class="cx">     Vector&lt;Bucket*&gt; bucketsToUnlock = lockHashtable();
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceWTFwtfParkingLoth"></a>
<div class="modfile"><h4>Modified: trunk/Source/WTF/wtf/ParkingLot.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WTF/wtf/ParkingLot.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/WTF/wtf/ParkingLot.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -66,14 +66,14 @@
</span><span class="cx">     template&lt;typename ValidationFunctor, typename BeforeSleepFunctor&gt;
</span><span class="cx">     static ParkResult parkConditionally(
</span><span class="cx">         const void* address,
</span><del>-        const ValidationFunctor&amp; validation,
-        const BeforeSleepFunctor&amp; beforeSleep,
</del><ins>+        ValidationFunctor&amp;&amp; validation,
+        BeforeSleepFunctor&amp;&amp; beforeSleep,
</ins><span class="cx">         Clock::time_point timeout)
</span><span class="cx">     {
</span><span class="cx">         return parkConditionallyImpl(
</span><span class="cx">             address,
</span><del>-            scopedLambdaRef&lt;bool()&gt;(validation),
-            scopedLambdaRef&lt;void()&gt;(beforeSleep),
</del><ins>+            scopedLambda&lt;bool()&gt;(std::forward&lt;ValidationFunctor&gt;(validation)),
+            scopedLambda&lt;void()&gt;(std::forward&lt;BeforeSleepFunctor&gt;(beforeSleep)),
</ins><span class="cx">             timeout);
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="lines">@@ -124,9 +124,9 @@
</span><span class="cx">     // moment nobody can add any threads to the queue because the queue lock is still held. Also,
</span><span class="cx">     // WTF::Lock uses the timeToBeFair and token mechanism to implement eventual fairness.
</span><span class="cx">     template&lt;typename Callback&gt;
</span><del>-    static void unparkOne(const void* address, const Callback&amp; callback)
</del><ins>+    static void unparkOne(const void* address, Callback&amp;&amp; callback)
</ins><span class="cx">     {
</span><del>-        unparkOneImpl(address, scopedLambdaRef&lt;intptr_t(UnparkResult)&gt;(callback));
</del><ins>+        unparkOneImpl(address, scopedLambda&lt;intptr_t(UnparkResult)&gt;(std::forward&lt;Callback&gt;(callback)));
</ins><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     // Unparks every thread from the queue associated with the given address, which cannot be null.
</span><span class="lines">@@ -145,11 +145,7 @@
</span><span class="cx">     // As well as many other possible interleavings that all have T1 before T2 and T3 before T4 but are
</span><span class="cx">     // otherwise unconstrained. This method is useful primarily for debugging. It's also used by unit
</span><span class="cx">     // tests.
</span><del>-    template&lt;typename Func&gt;
-    static void forEach(const Func&amp; func)
-    {
-        forEachImpl(scopedLambdaRef&lt;void(ThreadIdentifier, const void*)&gt;(func));
-    }
</del><ins>+    WTF_EXPORT_PRIVATE static void forEach(std::function&lt;void(ThreadIdentifier, const void*)&gt;);
</ins><span class="cx"> 
</span><span class="cx"> private:
</span><span class="cx">     WTF_EXPORT_PRIVATE static ParkResult parkConditionallyImpl(
</span><span class="lines">@@ -161,7 +157,7 @@
</span><span class="cx">     WTF_EXPORT_PRIVATE static void unparkOneImpl(
</span><span class="cx">         const void* address, const ScopedLambda&lt;intptr_t(UnparkResult)&gt;&amp; callback);
</span><span class="cx"> 
</span><del>-    WTF_EXPORT_PRIVATE static void forEachImpl(const ScopedLambda&lt;void(ThreadIdentifier, const void*)&gt;&amp;);
</del><ins>+    WTF_EXPORT_PRIVATE static void forEachImpl(const std::function&lt;void(ThreadIdentifier, const void*)&gt;&amp;);
</ins><span class="cx"> };
</span><span class="cx"> 
</span><span class="cx"> } // namespace WTF
</span></span></pre></div>
<a id="trunkSourceWTFwtfScopedLambdah"></a>
<div class="modfile"><h4>Modified: trunk/Source/WTF/wtf/ScopedLambda.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WTF/wtf/ScopedLambda.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/WTF/wtf/ScopedLambda.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -126,65 +126,10 @@
</span><span class="cx">     return ScopedLambdaFunctor&lt;FunctionType, Functor&gt;(WTFMove(functor));
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-template&lt;typename FunctionType, typename Functor&gt; class ScopedLambdaRefFunctor;
-template&lt;typename ResultType, typename... ArgumentTypes, typename Functor&gt;
-class ScopedLambdaRefFunctor&lt;ResultType (ArgumentTypes...), Functor&gt; : public ScopedLambda&lt;ResultType (ArgumentTypes...)&gt; {
-public:
-    ScopedLambdaRefFunctor(const Functor&amp; functor)
-        : ScopedLambda&lt;ResultType (ArgumentTypes...)&gt;(implFunction, this)
-        , m_functor(&amp;functor)
-    {
-    }
-    
-    // We need to make sure that copying and moving ScopedLambdaRefFunctor results in a
-    // ScopedLambdaRefFunctor whose ScopedLambda supertype still points to this rather than
-    // other.
-    ScopedLambdaRefFunctor(const ScopedLambdaRefFunctor&amp; other)
-        : ScopedLambda&lt;ResultType (ArgumentTypes...)&gt;(implFunction, this)
-        , m_functor(other.m_functor)
-    {
-    }
-
-    ScopedLambdaRefFunctor(ScopedLambdaRefFunctor&amp;&amp; other)
-        : ScopedLambda&lt;ResultType (ArgumentTypes...)&gt;(implFunction, this)
-        , m_functor(other.m_functor)
-    {
-    }
-    
-    ScopedLambdaRefFunctor&amp; operator=(const ScopedLambdaRefFunctor&amp; other)
-    {
-        m_functor = other.m_functor;
-        return *this;
-    }
-    
-    ScopedLambdaRefFunctor&amp; operator=(ScopedLambdaRefFunctor&amp;&amp; other)
-    {
-        m_functor = other.m_functor;
-        return *this;
-    }
-
-private:
-    static ResultType implFunction(void* argument, ArgumentTypes... arguments)
-    {
-        return (*static_cast&lt;ScopedLambdaRefFunctor*&gt;(argument)-&gt;m_functor)(arguments...);
-    }
-
-    const Functor* m_functor;
-};
-
-// This is for when you already refer to a functor by reference, and you know its lifetime is
-// good. This just creates a ScopedLambda that points to your functor.
-template&lt;typename FunctionType, typename Functor&gt;
-ScopedLambdaRefFunctor&lt;FunctionType, Functor&gt; scopedLambdaRef(const Functor&amp; functor)
-{
-    return ScopedLambdaRefFunctor&lt;FunctionType, Functor&gt;(functor);
-}
-
</del><span class="cx"> } // namespace WTF
</span><span class="cx"> 
</span><span class="cx"> using WTF::ScopedLambda;
</span><span class="cx"> using WTF::scopedLambda;
</span><del>-using WTF::scopedLambdaRef;
</del><span class="cx"> 
</span><span class="cx"> #endif // ScopedLambda_h
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/WebCore/ChangeLog        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,3 +1,43 @@
</span><ins>+2016-08-24  Filip Pizlo  &lt;fpizlo@apple.com&gt;
+
+        Unreviewed, roll out r204901, r204897, r204866, r204856, r204854.
+
+        * ForwardingHeaders/heap/HeapInlines.h: Removed.
+        * ForwardingHeaders/interpreter/Interpreter.h: Added.
+        * ForwardingHeaders/runtime/AuxiliaryBarrierInlines.h: Removed.
+        * Modules/indexeddb/IDBCursorWithValue.cpp:
+        * Modules/indexeddb/client/TransactionOperation.cpp:
+        * Modules/indexeddb/server/SQLiteIDBBackingStore.cpp:
+        * Modules/indexeddb/server/UniqueIDBDatabase.cpp:
+        * bindings/js/JSApplePayPaymentAuthorizedEventCustom.cpp:
+        * bindings/js/JSApplePayPaymentMethodSelectedEventCustom.cpp:
+        * bindings/js/JSApplePayShippingContactSelectedEventCustom.cpp:
+        * bindings/js/JSApplePayShippingMethodSelectedEventCustom.cpp:
+        * bindings/js/JSClientRectCustom.cpp:
+        * bindings/js/JSDOMBinding.cpp:
+        * bindings/js/JSDOMBinding.h:
+        * bindings/js/JSDeviceMotionEventCustom.cpp:
+        * bindings/js/JSDeviceOrientationEventCustom.cpp:
+        * bindings/js/JSErrorEventCustom.cpp:
+        * bindings/js/JSIDBCursorWithValueCustom.cpp:
+        * bindings/js/JSIDBIndexCustom.cpp:
+        * bindings/js/JSPopStateEventCustom.cpp:
+        * bindings/js/JSWebGL2RenderingContextCustom.cpp:
+        * bindings/js/JSWorkerGlobalScopeCustom.cpp:
+        * bindings/js/WorkerScriptController.cpp:
+        * contentextensions/ContentExtensionParser.cpp:
+        * dom/ErrorEvent.cpp:
+        * html/HTMLCanvasElement.cpp:
+        * html/MediaDocument.cpp:
+        * inspector/CommandLineAPIModule.cpp:
+        * loader/EmptyClients.cpp:
+        * page/CaptionUserPreferences.cpp:
+        * page/Frame.cpp:
+        * page/PageGroup.cpp:
+        * page/UserContentController.cpp:
+        * platform/mock/mediasource/MockBox.cpp:
+        * testing/GCObservation.cpp:
+
</ins><span class="cx"> 2016-08-24  Zalan Bujtas  &lt;zalan@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         ASSERTION FAILED: childrenInline() in WebCore::RenderBlockFlow::hasLines
</span></span></pre></div>
<a id="trunkSourceWebCoreForwardingHeadersheapHeapInlinesh"></a>
<div class="delfile"><h4>Deleted: trunk/Source/WebCore/ForwardingHeaders/heap/HeapInlines.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ForwardingHeaders/heap/HeapInlines.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/WebCore/ForwardingHeaders/heap/HeapInlines.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,3 +0,0 @@
</span><del>-#pragma once
-#include &lt;JavaScriptCore/HeapInlines.h&gt;
-
</del></span></pre></div>
<a id="trunkSourceWebCoreForwardingHeadersinterpreterInterpreterh"></a>
<div class="addfile"><h4>Added: trunk/Source/WebCore/ForwardingHeaders/interpreter/Interpreter.h (0 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ForwardingHeaders/interpreter/Interpreter.h                                (rev 0)
+++ trunk/Source/WebCore/ForwardingHeaders/interpreter/Interpreter.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -0,0 +1,4 @@
</span><ins>+#ifndef WebCore_FWD_Interpreter_h
+#define WebCore_FWD_Interpreter_h
+#include &lt;JavaScriptCore/Interpreter.h&gt;
+#endif
</ins></span></pre></div>
<a id="trunkSourceWebCoreForwardingHeadersruntimeAuxiliaryBarrierInlinesh"></a>
<div class="delfile"><h4>Deleted: trunk/Source/WebCore/ForwardingHeaders/runtime/AuxiliaryBarrierInlines.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ForwardingHeaders/runtime/AuxiliaryBarrierInlines.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/WebCore/ForwardingHeaders/runtime/AuxiliaryBarrierInlines.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,3 +0,0 @@
</span><del>-#pragma once
-#include &lt;JavaScriptCore/AuxiliaryBarrierInlines.h&gt;
-
</del></span></pre></div>
<a id="trunkSourceWebCoreModulesindexeddbIDBCursorWithValuecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/Modules/indexeddb/IDBCursorWithValue.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/Modules/indexeddb/IDBCursorWithValue.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/WebCore/Modules/indexeddb/IDBCursorWithValue.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -28,8 +28,6 @@
</span><span class="cx"> 
</span><span class="cx"> #if ENABLE(INDEXED_DATABASE)
</span><span class="cx"> 
</span><del>-#include &lt;heap/HeapInlines.h&gt;
-
</del><span class="cx"> namespace WebCore {
</span><span class="cx"> 
</span><span class="cx"> Ref&lt;IDBCursorWithValue&gt; IDBCursorWithValue::create(IDBTransaction&amp; transaction, IDBObjectStore&amp; objectStore, const IDBCursorInfo&amp; info)
</span></span></pre></div>
<a id="trunkSourceWebCoreModulesindexeddbclientTransactionOperationcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/Modules/indexeddb/client/TransactionOperation.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/Modules/indexeddb/client/TransactionOperation.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/WebCore/Modules/indexeddb/client/TransactionOperation.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -29,7 +29,6 @@
</span><span class="cx"> #if ENABLE(INDEXED_DATABASE)
</span><span class="cx"> 
</span><span class="cx"> #include &quot;IDBCursor.h&quot;
</span><del>-#include &lt;heap/HeapInlines.h&gt;
</del><span class="cx"> 
</span><span class="cx"> namespace WebCore {
</span><span class="cx"> namespace IDBClient {
</span></span></pre></div>
<a id="trunkSourceWebCoreModulesindexeddbserverSQLiteIDBBackingStorecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/Modules/indexeddb/server/SQLiteIDBBackingStore.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/Modules/indexeddb/server/SQLiteIDBBackingStore.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/WebCore/Modules/indexeddb/server/SQLiteIDBBackingStore.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -45,9 +45,7 @@
</span><span class="cx"> #include &quot;SQLiteStatement.h&quot;
</span><span class="cx"> #include &quot;SQLiteTransaction.h&quot;
</span><span class="cx"> #include &quot;ThreadSafeDataBuffer.h&quot;
</span><del>-#include &lt;heap/HeapInlines.h&gt;
</del><span class="cx"> #include &lt;heap/StrongInlines.h&gt;
</span><del>-#include &lt;runtime/AuxiliaryBarrierInlines.h&gt;
</del><span class="cx"> #include &lt;runtime/JSCJSValueInlines.h&gt;
</span><span class="cx"> #include &lt;runtime/JSGlobalObject.h&gt;
</span><span class="cx"> #include &lt;runtime/StructureInlines.h&gt;
</span></span></pre></div>
<a id="trunkSourceWebCoreModulesindexeddbserverUniqueIDBDatabasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/Modules/indexeddb/server/UniqueIDBDatabase.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/Modules/indexeddb/server/UniqueIDBDatabase.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/WebCore/Modules/indexeddb/server/UniqueIDBDatabase.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -39,8 +39,6 @@
</span><span class="cx"> #include &quot;ScopeGuard.h&quot;
</span><span class="cx"> #include &quot;SerializedScriptValue.h&quot;
</span><span class="cx"> #include &quot;UniqueIDBDatabaseConnection.h&quot;
</span><del>-#include &lt;heap/HeapInlines.h&gt;
-#include &lt;runtime/AuxiliaryBarrierInlines.h&gt;
</del><span class="cx"> #include &lt;runtime/StructureInlines.h&gt;
</span><span class="cx"> #include &lt;wtf/MainThread.h&gt;
</span><span class="cx"> #include &lt;wtf/NeverDestroyed.h&gt;
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsjsJSApplePayPaymentAuthorizedEventCustomcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/js/JSApplePayPaymentAuthorizedEventCustom.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/js/JSApplePayPaymentAuthorizedEventCustom.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/WebCore/bindings/js/JSApplePayPaymentAuthorizedEventCustom.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -28,7 +28,6 @@
</span><span class="cx"> 
</span><span class="cx"> #if ENABLE(APPLE_PAY)
</span><span class="cx"> 
</span><del>-#include &lt;heap/HeapInlines.h&gt;
</del><span class="cx"> #include &lt;runtime/JSCJSValueInlines.h&gt;
</span><span class="cx"> 
</span><span class="cx"> namespace WebCore {
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsjsJSApplePayPaymentMethodSelectedEventCustomcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/js/JSApplePayPaymentMethodSelectedEventCustom.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/js/JSApplePayPaymentMethodSelectedEventCustom.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/WebCore/bindings/js/JSApplePayPaymentMethodSelectedEventCustom.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -28,7 +28,6 @@
</span><span class="cx"> 
</span><span class="cx"> #if ENABLE(APPLE_PAY)
</span><span class="cx"> 
</span><del>-#include &lt;heap/HeapInlines.h&gt;
</del><span class="cx"> #include &lt;runtime/JSCJSValueInlines.h&gt;
</span><span class="cx"> 
</span><span class="cx"> using namespace JSC;
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsjsJSApplePayShippingContactSelectedEventCustomcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/js/JSApplePayShippingContactSelectedEventCustom.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/js/JSApplePayShippingContactSelectedEventCustom.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/WebCore/bindings/js/JSApplePayShippingContactSelectedEventCustom.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -28,7 +28,6 @@
</span><span class="cx"> 
</span><span class="cx"> #if ENABLE(APPLE_PAY)
</span><span class="cx"> 
</span><del>-#include &lt;heap/HeapInlines.h&gt;
</del><span class="cx"> #include &lt;runtime/JSCJSValueInlines.h&gt;
</span><span class="cx"> 
</span><span class="cx"> using namespace JSC;
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsjsJSApplePayShippingMethodSelectedEventCustomcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/js/JSApplePayShippingMethodSelectedEventCustom.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/js/JSApplePayShippingMethodSelectedEventCustom.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/WebCore/bindings/js/JSApplePayShippingMethodSelectedEventCustom.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -28,9 +28,10 @@
</span><span class="cx"> 
</span><span class="cx"> #if ENABLE(APPLE_PAY)
</span><span class="cx"> 
</span><del>-#include &lt;runtime/JSCInlines.h&gt;
</del><ins>+#include &lt;runtime/IdentifierInlines.h&gt;
+#include &lt;runtime/JSCJSValueInlines.h&gt;
</ins><span class="cx"> #include &lt;runtime/ObjectConstructor.h&gt;
</span><del>-#include &lt;wtf/text/StringBuilder.h&gt;
</del><ins>+#include &lt;runtime/StructureInlines.h&gt;
</ins><span class="cx"> 
</span><span class="cx"> using namespace JSC;
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsjsJSClientRectCustomcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/js/JSClientRectCustom.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/js/JSClientRectCustom.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/WebCore/bindings/js/JSClientRectCustom.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -28,8 +28,6 @@
</span><span class="cx"> 
</span><span class="cx"> #include &quot;ClientRect.h&quot;
</span><span class="cx"> #include &lt;bytecode/CodeBlock.h&gt;
</span><del>-#include &lt;heap/HeapInlines.h&gt;
-#include &lt;runtime/AuxiliaryBarrierInlines.h&gt;
</del><span class="cx"> #include &lt;runtime/IdentifierInlines.h&gt;
</span><span class="cx"> #include &lt;runtime/JSObject.h&gt;
</span><span class="cx"> #include &lt;runtime/ObjectConstructor.h&gt;
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsjsJSDOMBindingcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/js/JSDOMBinding.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/js/JSDOMBinding.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/WebCore/bindings/js/JSDOMBinding.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -38,6 +38,7 @@
</span><span class="cx"> #include &lt;bytecode/CodeBlock.h&gt;
</span><span class="cx"> #include &lt;inspector/ScriptCallStack.h&gt;
</span><span class="cx"> #include &lt;inspector/ScriptCallStackFactory.h&gt;
</span><ins>+#include &lt;interpreter/Interpreter.h&gt;
</ins><span class="cx"> #include &lt;runtime/DateInstance.h&gt;
</span><span class="cx"> #include &lt;runtime/Error.h&gt;
</span><span class="cx"> #include &lt;runtime/ErrorHandlingScope.h&gt;
</span><span class="lines">@@ -48,7 +49,6 @@
</span><span class="cx"> #include &lt;stdarg.h&gt;
</span><span class="cx"> #include &lt;wtf/MathExtras.h&gt;
</span><span class="cx"> #include &lt;wtf/unicode/CharacterNames.h&gt;
</span><del>-#include &lt;wtf/text/StringBuilder.h&gt;
</del><span class="cx"> 
</span><span class="cx"> using namespace JSC;
</span><span class="cx"> using namespace Inspector;
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsjsJSDOMBindingh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/js/JSDOMBinding.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/js/JSDOMBinding.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/WebCore/bindings/js/JSDOMBinding.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -30,11 +30,9 @@
</span><span class="cx"> #include &quot;ScriptWrappableInlines.h&quot;
</span><span class="cx"> #include &quot;WebCoreTypedArrayController.h&quot;
</span><span class="cx"> #include &lt;cstddef&gt;
</span><del>-#include &lt;heap/HeapInlines.h&gt;
</del><span class="cx"> #include &lt;heap/SlotVisitorInlines.h&gt;
</span><span class="cx"> #include &lt;heap/Weak.h&gt;
</span><span class="cx"> #include &lt;heap/WeakInlines.h&gt;
</span><del>-#include &lt;runtime/AuxiliaryBarrierInlines.h&gt;
</del><span class="cx"> #include &lt;runtime/Error.h&gt;
</span><span class="cx"> #include &lt;runtime/IteratorOperations.h&gt;
</span><span class="cx"> #include &lt;runtime/JSArray.h&gt;
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsjsJSDeviceMotionEventCustomcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/js/JSDeviceMotionEventCustom.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/js/JSDeviceMotionEventCustom.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/WebCore/bindings/js/JSDeviceMotionEventCustom.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -31,8 +31,6 @@
</span><span class="cx"> 
</span><span class="cx"> #include &quot;DeviceMotionData.h&quot;
</span><span class="cx"> #include &quot;DeviceMotionEvent.h&quot;
</span><del>-#include &lt;heap/HeapInlines.h&gt;
-#include &lt;runtime/AuxiliaryBarrierInlines.h&gt;
</del><span class="cx"> #include &lt;runtime/IdentifierInlines.h&gt;
</span><span class="cx"> #include &lt;runtime/JSCJSValueInlines.h&gt;
</span><span class="cx"> #include &lt;runtime/ObjectConstructor.h&gt;
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsjsJSDeviceOrientationEventCustomcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/js/JSDeviceOrientationEventCustom.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/js/JSDeviceOrientationEventCustom.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/WebCore/bindings/js/JSDeviceOrientationEventCustom.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -31,7 +31,6 @@
</span><span class="cx"> 
</span><span class="cx"> #include &quot;DeviceOrientationData.h&quot;
</span><span class="cx"> #include &quot;DeviceOrientationEvent.h&quot;
</span><del>-#include &lt;heap/HeapInlines.h&gt;
</del><span class="cx"> #include &lt;runtime/JSCJSValueInlines.h&gt;
</span><span class="cx"> #include &lt;runtime/StructureInlines.h&gt;
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsjsJSErrorEventCustomcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/js/JSErrorEventCustom.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/js/JSErrorEventCustom.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/WebCore/bindings/js/JSErrorEventCustom.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -27,7 +27,6 @@
</span><span class="cx"> #include &quot;JSErrorEvent.h&quot;
</span><span class="cx"> 
</span><span class="cx"> #include &quot;ErrorEvent.h&quot;
</span><del>-#include &lt;heap/HeapInlines.h&gt;
</del><span class="cx"> 
</span><span class="cx"> using namespace JSC;
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsjsJSIDBCursorWithValueCustomcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/js/JSIDBCursorWithValueCustom.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/js/JSIDBCursorWithValueCustom.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/WebCore/bindings/js/JSIDBCursorWithValueCustom.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -29,7 +29,6 @@
</span><span class="cx"> #if ENABLE(INDEXED_DATABASE)
</span><span class="cx"> 
</span><span class="cx"> #include &quot;IDBCursorWithValue.h&quot;
</span><del>-#include &lt;heap/HeapInlines.h&gt;
</del><span class="cx"> 
</span><span class="cx"> using namespace JSC;
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsjsJSIDBIndexCustomcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/js/JSIDBIndexCustom.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/js/JSIDBIndexCustom.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/WebCore/bindings/js/JSIDBIndexCustom.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -29,7 +29,6 @@
</span><span class="cx"> #if ENABLE(INDEXED_DATABASE)
</span><span class="cx"> 
</span><span class="cx"> #include &quot;IDBIndex.h&quot;
</span><del>-#include &lt;heap/HeapInlines.h&gt;
</del><span class="cx"> 
</span><span class="cx"> using namespace JSC;
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsjsJSPopStateEventCustomcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/js/JSPopStateEventCustom.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/js/JSPopStateEventCustom.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/WebCore/bindings/js/JSPopStateEventCustom.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -33,7 +33,6 @@
</span><span class="cx"> 
</span><span class="cx"> #include &quot;DOMWrapperWorld.h&quot;
</span><span class="cx"> #include &quot;JSHistory.h&quot;
</span><del>-#include &lt;heap/HeapInlines.h&gt;
</del><span class="cx"> #include &lt;runtime/JSCJSValueInlines.h&gt;
</span><span class="cx"> 
</span><span class="cx"> using namespace JSC;
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsjsJSWebGL2RenderingContextCustomcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/js/JSWebGL2RenderingContextCustom.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/js/JSWebGL2RenderingContextCustom.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/WebCore/bindings/js/JSWebGL2RenderingContextCustom.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -28,7 +28,6 @@
</span><span class="cx"> #if ENABLE(WEBGL) &amp;&amp; ENABLE(WEBGL2)
</span><span class="cx"> #include &quot;JSWebGL2RenderingContext.h&quot;
</span><span class="cx"> 
</span><del>-#include &lt;heap/HeapInlines.h&gt;
</del><span class="cx"> #include &lt;runtime/Error.h&gt;
</span><span class="cx"> #include &quot;NotImplemented.h&quot;
</span><span class="cx"> #include &quot;WebGL2RenderingContext.h&quot;
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsjsJSWorkerGlobalScopeCustomcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/js/JSWorkerGlobalScopeCustom.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/js/JSWorkerGlobalScopeCustom.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/WebCore/bindings/js/JSWorkerGlobalScopeCustom.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -41,6 +41,7 @@
</span><span class="cx"> #include &quot;WorkerGlobalScope.h&quot;
</span><span class="cx"> #include &quot;WorkerLocation.h&quot;
</span><span class="cx"> #include &quot;WorkerNavigator.h&quot;
</span><ins>+#include &lt;interpreter/Interpreter.h&gt;
</ins><span class="cx"> 
</span><span class="cx"> #if ENABLE(WEB_SOCKETS)
</span><span class="cx"> #include &quot;JSWebSocket.h&quot;
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsjsWorkerScriptControllercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/js/WorkerScriptController.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/js/WorkerScriptController.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/WebCore/bindings/js/WorkerScriptController.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -39,6 +39,7 @@
</span><span class="cx"> #include &quot;WorkerThread.h&quot;
</span><span class="cx"> #include &lt;bindings/ScriptValue.h&gt;
</span><span class="cx"> #include &lt;heap/StrongInlines.h&gt;
</span><ins>+#include &lt;interpreter/Interpreter.h&gt;
</ins><span class="cx"> #include &lt;runtime/Completion.h&gt;
</span><span class="cx"> #include &lt;runtime/Error.h&gt;
</span><span class="cx"> #include &lt;runtime/Exception.h&gt;
</span></span></pre></div>
<a id="trunkSourceWebCorecontentextensionsContentExtensionParsercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/contentextensions/ContentExtensionParser.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/contentextensions/ContentExtensionParser.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/WebCore/contentextensions/ContentExtensionParser.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -35,9 +35,11 @@
</span><span class="cx"> #include &quot;ContentExtensionRule.h&quot;
</span><span class="cx"> #include &quot;ContentExtensionsBackend.h&quot;
</span><span class="cx"> #include &quot;ContentExtensionsDebugging.h&quot;
</span><del>-#include &lt;JavaScriptCore/JSCInlines.h&gt;
</del><ins>+#include &lt;JavaScriptCore/IdentifierInlines.h&gt;
+#include &lt;JavaScriptCore/JSCJSValueInlines.h&gt;
</ins><span class="cx"> #include &lt;JavaScriptCore/JSGlobalObject.h&gt;
</span><span class="cx"> #include &lt;JavaScriptCore/JSONObject.h&gt;
</span><ins>+#include &lt;JavaScriptCore/StructureInlines.h&gt;
</ins><span class="cx"> #include &lt;JavaScriptCore/VM.h&gt;
</span><span class="cx"> #include &lt;wtf/CurrentTime.h&gt;
</span><span class="cx"> #include &lt;wtf/text/WTFString.h&gt;
</span></span></pre></div>
<a id="trunkSourceWebCoredomErrorEventcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/dom/ErrorEvent.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/dom/ErrorEvent.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/WebCore/dom/ErrorEvent.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -34,7 +34,6 @@
</span><span class="cx"> 
</span><span class="cx"> #include &quot;DOMWrapperWorld.h&quot;
</span><span class="cx"> #include &quot;EventNames.h&quot;
</span><del>-#include &lt;heap/HeapInlines.h&gt;
</del><span class="cx"> 
</span><span class="cx"> using namespace JSC;
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceWebCorehtmlHTMLCanvasElementcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/html/HTMLCanvasElement.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/html/HTMLCanvasElement.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/WebCore/html/HTMLCanvasElement.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -51,7 +51,6 @@
</span><span class="cx"> #include &lt;runtime/JSCInlines.h&gt;
</span><span class="cx"> #include &lt;runtime/JSLock.h&gt;
</span><span class="cx"> #include &lt;wtf/RAMSize.h&gt;
</span><del>-#include &lt;wtf/text/StringBuilder.h&gt;
</del><span class="cx"> 
</span><span class="cx"> #if ENABLE(WEBGL)    
</span><span class="cx"> #include &quot;WebGLContextAttributes.h&quot;
</span></span></pre></div>
<a id="trunkSourceWebCorehtmlMediaDocumentcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/html/MediaDocument.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/html/MediaDocument.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/WebCore/html/MediaDocument.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -48,7 +48,6 @@
</span><span class="cx"> #include &quot;ScriptController.h&quot;
</span><span class="cx"> #include &quot;ShadowRoot.h&quot;
</span><span class="cx"> #include &quot;TypedElementDescendantIterator.h&quot;
</span><del>-#include &lt;wtf/text/StringBuilder.h&gt;
</del><span class="cx"> 
</span><span class="cx"> namespace WebCore {
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceWebCoreinspectorCommandLineAPIModulecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/inspector/CommandLineAPIModule.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/inspector/CommandLineAPIModule.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/WebCore/inspector/CommandLineAPIModule.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -29,7 +29,6 @@
</span><span class="cx"> #include &quot;CommandLineAPIModuleSource.h&quot;
</span><span class="cx"> #include &quot;JSDOMGlobalObject.h&quot;
</span><span class="cx"> #include &quot;WebInjectedScriptManager.h&quot;
</span><del>-#include &lt;heap/HeapInlines.h&gt;
</del><span class="cx"> #include &lt;inspector/InjectedScript.h&gt;
</span><span class="cx"> 
</span><span class="cx"> using namespace JSC;
</span></span></pre></div>
<a id="trunkSourceWebCoreloaderEmptyClientscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/EmptyClients.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/EmptyClients.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/WebCore/loader/EmptyClients.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -48,7 +48,6 @@
</span><span class="cx"> #include &quot;StorageNamespaceProvider.h&quot;
</span><span class="cx"> #include &quot;ThreadableWebSocketChannel.h&quot;
</span><span class="cx"> #include &quot;UserContentProvider.h&quot;
</span><del>-#include &lt;heap/HeapInlines.h&gt;
</del><span class="cx"> #include &lt;wtf/NeverDestroyed.h&gt;
</span><span class="cx"> 
</span><span class="cx"> namespace WebCore {
</span></span></pre></div>
<a id="trunkSourceWebCorepageCaptionUserPreferencescpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/CaptionUserPreferences.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/CaptionUserPreferences.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/WebCore/page/CaptionUserPreferences.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -38,7 +38,6 @@
</span><span class="cx"> #include &quot;UserContentTypes.h&quot;
</span><span class="cx"> #include &quot;UserStyleSheet.h&quot;
</span><span class="cx"> #include &quot;UserStyleSheetTypes.h&quot;
</span><del>-#include &lt;heap/HeapInlines.h&gt;
</del><span class="cx"> #include &lt;runtime/JSCellInlines.h&gt;
</span><span class="cx"> #include &lt;runtime/StructureInlines.h&gt;
</span><span class="cx"> #include &lt;wtf/NeverDestroyed.h&gt;
</span></span></pre></div>
<a id="trunkSourceWebCorepageFramecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/Frame.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/Frame.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/WebCore/page/Frame.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -110,7 +110,6 @@
</span><span class="cx"> #include &lt;bindings/ScriptValue.h&gt;
</span><span class="cx"> #include &lt;wtf/RefCountedLeakCounter.h&gt;
</span><span class="cx"> #include &lt;wtf/StdLibExtras.h&gt;
</span><del>-#include &lt;wtf/text/StringBuilder.h&gt;
</del><span class="cx"> #include &lt;yarr/RegularExpression.h&gt;
</span><span class="cx"> 
</span><span class="cx"> #if PLATFORM(IOS)
</span></span></pre></div>
<a id="trunkSourceWebCorepagePageGroupcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/PageGroup.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/PageGroup.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/WebCore/page/PageGroup.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -36,7 +36,6 @@
</span><span class="cx"> #include &quot;SecurityOrigin.h&quot;
</span><span class="cx"> #include &quot;Settings.h&quot;
</span><span class="cx"> #include &quot;StorageNamespace.h&quot;
</span><del>-#include &lt;heap/HeapInlines.h&gt;
</del><span class="cx"> #include &lt;runtime/StructureInlines.h&gt;
</span><span class="cx"> #include &lt;wtf/StdLibExtras.h&gt;
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceWebCorepageUserContentControllercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/UserContentController.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/UserContentController.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/WebCore/page/UserContentController.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -29,7 +29,6 @@
</span><span class="cx"> #include &quot;DOMWrapperWorld.h&quot;
</span><span class="cx"> #include &quot;UserScript.h&quot;
</span><span class="cx"> #include &quot;UserStyleSheet.h&quot;
</span><del>-#include &lt;heap/HeapInlines.h&gt;
</del><span class="cx"> #include &lt;runtime/JSCellInlines.h&gt;
</span><span class="cx"> #include &lt;runtime/StructureInlines.h&gt;
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceWebCoreplatformmockmediasourceMockBoxcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/platform/mock/mediasource/MockBox.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/platform/mock/mediasource/MockBox.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/WebCore/platform/mock/mediasource/MockBox.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -28,7 +28,6 @@
</span><span class="cx"> 
</span><span class="cx"> #if ENABLE(MEDIA_SOURCE)
</span><span class="cx"> 
</span><del>-#include &lt;JavaScriptCore/HeapInlines.h&gt;
</del><span class="cx"> #include &lt;JavaScriptCore/JSCJSValueInlines.h&gt;
</span><span class="cx"> #include &lt;JavaScriptCore/TypedArrayInlines.h&gt;
</span><span class="cx"> #include &lt;runtime/ArrayBuffer.h&gt;
</span></span></pre></div>
<a id="trunkSourceWebCoretestingGCObservationcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/testing/GCObservation.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/testing/GCObservation.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/WebCore/testing/GCObservation.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -26,8 +26,6 @@
</span><span class="cx"> #include &quot;config.h&quot;
</span><span class="cx"> #include &quot;GCObservation.h&quot;
</span><span class="cx"> 
</span><del>-#include &lt;heap/HeapInlines.h&gt;
-
</del><span class="cx"> namespace WebCore {
</span><span class="cx"> 
</span><span class="cx"> GCObservation::GCObservation(JSC::JSObject* object)
</span></span></pre></div>
<a id="trunkSourceWebKit2ChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/ChangeLog (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/ChangeLog        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/WebKit2/ChangeLog        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,3 +1,14 @@
</span><ins>+2016-08-24  Filip Pizlo  &lt;fpizlo@apple.com&gt;
+
+        Unreviewed, roll out r204901, r204897, r204866, r204856, r204854.
+
+        * UIProcess/ViewGestureController.cpp:
+        * UIProcess/WebPageProxy.cpp:
+        * UIProcess/WebProcessPool.cpp:
+        * UIProcess/WebProcessProxy.cpp:
+        * WebProcess/InjectedBundle/DOM/InjectedBundleRangeHandle.cpp:
+        * WebProcess/Plugins/Netscape/JSNPObject.cpp:
+
</ins><span class="cx"> 2016-08-24  Anders Carlsson  &lt;andersca@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         In some cases, an IPC::Connection won't know when the other end has gone away
</span></span></pre></div>
<a id="trunkSourceWebKit2UIProcessViewGestureControllercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/UIProcess/ViewGestureController.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/UIProcess/ViewGestureController.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/WebKit2/UIProcess/ViewGestureController.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -33,7 +33,6 @@
</span><span class="cx"> #import &quot;WebProcessProxy.h&quot;
</span><span class="cx"> #import &lt;wtf/MathExtras.h&gt;
</span><span class="cx"> #import &lt;wtf/NeverDestroyed.h&gt;
</span><del>-#import &lt;wtf/text/StringBuilder.h&gt;
</del><span class="cx"> 
</span><span class="cx"> using namespace WebCore;
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceWebKit2UIProcessWebPageProxycpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/UIProcess/WebPageProxy.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/UIProcess/WebPageProxy.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/WebKit2/UIProcess/WebPageProxy.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -125,7 +125,6 @@
</span><span class="cx"> #include &lt;WebCore/WindowFeatures.h&gt;
</span><span class="cx"> #include &lt;stdio.h&gt;
</span><span class="cx"> #include &lt;wtf/NeverDestroyed.h&gt;
</span><del>-#include &lt;wtf/text/StringBuilder.h&gt;
</del><span class="cx"> #include &lt;wtf/text/StringView.h&gt;
</span><span class="cx"> 
</span><span class="cx"> #if ENABLE(ASYNC_SCROLLING)
</span></span></pre></div>
<a id="trunkSourceWebKit2UIProcessWebProcessPoolcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/UIProcess/WebProcessPool.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/UIProcess/WebProcessPool.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/WebKit2/UIProcess/WebProcessPool.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -74,7 +74,6 @@
</span><span class="cx"> #include &lt;wtf/MainThread.h&gt;
</span><span class="cx"> #include &lt;wtf/NeverDestroyed.h&gt;
</span><span class="cx"> #include &lt;wtf/RunLoop.h&gt;
</span><del>-#include &lt;wtf/text/StringBuilder.h&gt;
</del><span class="cx"> 
</span><span class="cx"> #if ENABLE(BATTERY_STATUS)
</span><span class="cx"> #include &quot;WebBatteryManagerProxy.h&quot;
</span></span></pre></div>
<a id="trunkSourceWebKit2UIProcessWebProcessProxycpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/UIProcess/WebProcessProxy.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/UIProcess/WebProcessProxy.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/WebKit2/UIProcess/WebProcessProxy.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -56,7 +56,6 @@
</span><span class="cx"> #include &lt;wtf/NeverDestroyed.h&gt;
</span><span class="cx"> #include &lt;wtf/RunLoop.h&gt;
</span><span class="cx"> #include &lt;wtf/text/CString.h&gt;
</span><del>-#include &lt;wtf/text/StringBuilder.h&gt;
</del><span class="cx"> #include &lt;wtf/text/WTFString.h&gt;
</span><span class="cx"> 
</span><span class="cx"> #if PLATFORM(COCOA)
</span></span></pre></div>
<a id="trunkSourceWebKit2WebProcessInjectedBundleDOMInjectedBundleRangeHandlecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/WebProcess/InjectedBundle/DOM/InjectedBundleRangeHandle.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/WebProcess/InjectedBundle/DOM/InjectedBundleRangeHandle.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/WebKit2/WebProcess/InjectedBundle/DOM/InjectedBundleRangeHandle.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -29,7 +29,6 @@
</span><span class="cx"> #include &quot;ShareableBitmap.h&quot;
</span><span class="cx"> #include &quot;WebImage.h&quot;
</span><span class="cx"> #include &lt;JavaScriptCore/APICast.h&gt;
</span><del>-#include &lt;JavaScriptCore/HeapInlines.h&gt;
</del><span class="cx"> #include &lt;WebCore/Document.h&gt;
</span><span class="cx"> #include &lt;WebCore/FloatRect.h&gt;
</span><span class="cx"> #include &lt;WebCore/Frame.h&gt;
</span></span></pre></div>
<a id="trunkSourceWebKit2WebProcessPluginsNetscapeJSNPObjectcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/WebProcess/Plugins/Netscape/JSNPObject.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/WebProcess/Plugins/Netscape/JSNPObject.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/WebKit2/WebProcess/Plugins/Netscape/JSNPObject.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2010, 2016 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2010 Apple Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -32,7 +32,6 @@
</span><span class="cx"> #include &quot;NPJSObject.h&quot;
</span><span class="cx"> #include &quot;NPRuntimeObjectMap.h&quot;
</span><span class="cx"> #include &quot;NPRuntimeUtilities.h&quot;
</span><del>-#include &lt;JavaScriptCore/AuxiliaryBarrierInlines.h&gt;
</del><span class="cx"> #include &lt;JavaScriptCore/Error.h&gt;
</span><span class="cx"> #include &lt;JavaScriptCore/IdentifierInlines.h&gt;
</span><span class="cx"> #include &lt;JavaScriptCore/JSGlobalObject.h&gt;
</span></span></pre></div>
<a id="trunkSourcebmallocChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/bmalloc/ChangeLog (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/bmalloc/ChangeLog        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/bmalloc/ChangeLog        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,3 +1,17 @@
</span><ins>+2016-08-24  Filip Pizlo  &lt;fpizlo@apple.com&gt;
+
+        Unreviewed, roll out r204901, r204897, r204866, r204856, r204854.
+
+        * bmalloc/Allocator.cpp:
+        (bmalloc::Allocator::allocate):
+        (bmalloc::Allocator::tryAllocate): Deleted.
+        (bmalloc::Allocator::allocateImpl): Deleted.
+        * bmalloc/Allocator.h:
+        * bmalloc/Cache.h:
+        (bmalloc::Cache::tryAllocate): Deleted.
+        * bmalloc/bmalloc.h:
+        (bmalloc::api::tryMemalign): Deleted.
+
</ins><span class="cx"> 2016-08-12  Filip Pizlo  &lt;fpizlo@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         Butterflies should be allocated in Auxiliary MarkedSpace instead of CopiedSpace and we should rewrite as much of the GC as needed to make this not a regression
</span></span></pre></div>
<a id="trunkSourcebmallocbmallocAllocatorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/bmalloc/bmalloc/Allocator.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/bmalloc/bmalloc/Allocator.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/bmalloc/bmalloc/Allocator.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2014-2016 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2014, 2015 Apple Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -64,18 +64,6 @@
</span><span class="cx"> 
</span><span class="cx"> void* Allocator::allocate(size_t alignment, size_t size)
</span><span class="cx"> {
</span><del>-    bool crashOnFailure = true;
-    return allocateImpl(alignment, size, crashOnFailure);
-}
-
-void* Allocator::tryAllocate(size_t alignment, size_t size)
-{
-    bool crashOnFailure = false;
-    return allocateImpl(alignment, size, crashOnFailure);
-}
-
-void* Allocator::allocateImpl(size_t alignment, size_t size, bool crashOnFailure)
-{
</del><span class="cx">     BASSERT(isPowerOfTwo(alignment));
</span><span class="cx"> 
</span><span class="cx">     if (!m_isBmallocEnabled) {
</span><span class="lines">@@ -92,10 +80,7 @@
</span><span class="cx">         return allocate(roundUpToMultipleOf(alignment, size));
</span><span class="cx"> 
</span><span class="cx">     std::lock_guard&lt;StaticMutex&gt; lock(PerProcess&lt;Heap&gt;::mutex());
</span><del>-    Heap* heap = PerProcess&lt;Heap&gt;::getFastCase();
-    if (crashOnFailure)
-        return heap-&gt;allocateLarge(lock, alignment, size);
-    return heap-&gt;tryAllocateLarge(lock, alignment, size);
</del><ins>+    return PerProcess&lt;Heap&gt;::getFastCase()-&gt;allocateLarge(lock, alignment, size);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void* Allocator::reallocate(void* object, size_t newSize)
</span></span></pre></div>
<a id="trunkSourcebmallocbmallocAllocatorh"></a>
<div class="modfile"><h4>Modified: trunk/Source/bmalloc/bmalloc/Allocator.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/bmalloc/bmalloc/Allocator.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/bmalloc/bmalloc/Allocator.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2014, 2016 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2014 Apple Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -43,7 +43,6 @@
</span><span class="cx"> 
</span><span class="cx">     void* tryAllocate(size_t);
</span><span class="cx">     void* allocate(size_t);
</span><del>-    void* tryAllocate(size_t alignment, size_t);
</del><span class="cx">     void* allocate(size_t alignment, size_t);
</span><span class="cx">     void* reallocate(void*, size_t);
</span><span class="cx"> 
</span><span class="lines">@@ -50,8 +49,6 @@
</span><span class="cx">     void scavenge();
</span><span class="cx"> 
</span><span class="cx"> private:
</span><del>-    void* allocateImpl(size_t alignment, size_t, bool crashOnFailure);
-    
</del><span class="cx">     bool allocateFastCase(size_t, void*&amp;);
</span><span class="cx">     void* allocateSlowCase(size_t);
</span><span class="cx">     
</span></span></pre></div>
<a id="trunkSourcebmallocbmallocCacheh"></a>
<div class="modfile"><h4>Modified: trunk/Source/bmalloc/bmalloc/Cache.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/bmalloc/bmalloc/Cache.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/bmalloc/bmalloc/Cache.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2014, 2016 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2014 Apple Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -41,7 +41,6 @@
</span><span class="cx"> 
</span><span class="cx">     static void* tryAllocate(size_t);
</span><span class="cx">     static void* allocate(size_t);
</span><del>-    static void* tryAllocate(size_t alignment, size_t);
</del><span class="cx">     static void* allocate(size_t alignment, size_t);
</span><span class="cx">     static void deallocate(void*);
</span><span class="cx">     static void* reallocate(void*, size_t);
</span><span class="lines">@@ -80,14 +79,6 @@
</span><span class="cx">     return cache-&gt;allocator().allocate(size);
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-inline void* Cache::tryAllocate(size_t alignment, size_t size)
-{
-    Cache* cache = PerThread&lt;Cache&gt;::getFastCase();
-    if (!cache)
-        return allocateSlowCaseNullCache(alignment, size);
-    return cache-&gt;allocator().tryAllocate(alignment, size);
-}
-
</del><span class="cx"> inline void* Cache::allocate(size_t alignment, size_t size)
</span><span class="cx"> {
</span><span class="cx">     Cache* cache = PerThread&lt;Cache&gt;::getFastCase();
</span></span></pre></div>
<a id="trunkSourcebmallocbmallocbmalloch"></a>
<div class="modfile"><h4>Modified: trunk/Source/bmalloc/bmalloc/bmalloc.h (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/bmalloc/bmalloc/bmalloc.h        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Source/bmalloc/bmalloc/bmalloc.h        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2014-2016 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2014, 2015 Apple Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -43,12 +43,6 @@
</span><span class="cx">     return Cache::allocate(size);
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-// Returns null on failure.
-inline void* tryMemalign(size_t alignment, size_t size)
-{
-    return Cache::tryAllocate(alignment, size);
-}
-
</del><span class="cx"> // Crashes on failure.
</span><span class="cx"> inline void* memalign(size_t alignment, size_t size)
</span><span class="cx"> {
</span></span></pre></div>
<a id="trunkToolsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Tools/ChangeLog (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Tools/ChangeLog        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Tools/ChangeLog        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -1,3 +1,14 @@
</span><ins>+2016-08-24  Filip Pizlo  &lt;fpizlo@apple.com&gt;
+
+        Unreviewed, roll out r204901, r204897, r204866, r204856, r204854.
+
+        * DumpRenderTree/TestRunner.cpp:
+        * DumpRenderTree/mac/DumpRenderTree.mm:
+        (DumpRenderTreeMain):
+        * Scripts/run-jsc-stress-tests:
+        * TestWebKitAPI/Tests/WTF/Vector.cpp:
+        (TestWebKitAPI::TEST):
+
</ins><span class="cx"> 2016-08-24  Simon Fraser  &lt;simon.fraser@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         Try to fix Production builds.
</span></span></pre></div>
<a id="trunkToolsDumpRenderTreeTestRunnercpp"></a>
<div class="modfile"><h4>Modified: trunk/Tools/DumpRenderTree/TestRunner.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Tools/DumpRenderTree/TestRunner.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Tools/DumpRenderTree/TestRunner.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -34,7 +34,6 @@
</span><span class="cx"> #include &quot;WorkQueue.h&quot;
</span><span class="cx"> #include &quot;WorkQueueItem.h&quot;
</span><span class="cx"> #include &lt;JavaScriptCore/APICast.h&gt;
</span><del>-#include &lt;JavaScriptCore/HeapInlines.h&gt;
</del><span class="cx"> #include &lt;JavaScriptCore/JSContextRef.h&gt;
</span><span class="cx"> #include &lt;JavaScriptCore/JSCTestRunnerUtils.h&gt;
</span><span class="cx"> #include &lt;JavaScriptCore/JSObjectRef.h&gt;
</span></span></pre></div>
<a id="trunkToolsDumpRenderTreemacDumpRenderTreemm"></a>
<div class="modfile"><h4>Modified: trunk/Tools/DumpRenderTree/mac/DumpRenderTree.mm (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Tools/DumpRenderTree/mac/DumpRenderTree.mm        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Tools/DumpRenderTree/mac/DumpRenderTree.mm        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -56,7 +56,9 @@
</span><span class="cx"> #import &quot;WorkQueue.h&quot;
</span><span class="cx"> #import &quot;WorkQueueItem.h&quot;
</span><span class="cx"> #import &lt;CoreFoundation/CoreFoundation.h&gt;
</span><del>-#import &lt;JavaScriptCore/TestRunnerUtils.h&gt;
</del><ins>+#import &lt;JavaScriptCore/HeapStatistics.h&gt;
+#import &lt;JavaScriptCore/LLIntData.h&gt;
+#import &lt;JavaScriptCore/Options.h&gt;
</ins><span class="cx"> #import &lt;WebCore/LogInitialization.h&gt;
</span><span class="cx"> #import &lt;WebKit/DOMElement.h&gt;
</span><span class="cx"> #import &lt;WebKit/DOMExtensions.h&gt;
</span><span class="lines">@@ -1427,7 +1429,10 @@
</span><span class="cx"> #endif
</span><span class="cx">     [WebCoreStatistics garbageCollectJavaScriptObjects];
</span><span class="cx">     [WebCoreStatistics emptyCache]; // Otherwise SVGImages trigger false positives for Frame/Node counts
</span><del>-    JSC::finalizeStatsAtEndOfTesting();
</del><ins>+    if (JSC::Options::logHeapStatisticsAtExit())
+        JSC::HeapStatistics::reportSuccess();
+    if (JSC::Options::reportLLIntStats())
+        JSC::LLInt::Data::finalizeStats();
</ins><span class="cx">     [pool release];
</span><span class="cx">     returningFromMain = true;
</span><span class="cx">     return 0;
</span></span></pre></div>
<a id="trunkToolsScriptsrunjscstresstests"></a>
<div class="modfile"><h4>Modified: trunk/Tools/Scripts/run-jsc-stress-tests (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Tools/Scripts/run-jsc-stress-tests        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Tools/Scripts/run-jsc-stress-tests        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -420,7 +420,7 @@
</span><span class="cx"> # We force all tests to use a smaller (1.5M) stack so that stack overflow tests can run faster.
</span><span class="cx"> BASE_OPTIONS = [&quot;--useFTLJIT=false&quot;, &quot;--useFunctionDotArguments=true&quot;, &quot;--maxPerThreadStackUsage=1572864&quot;]
</span><span class="cx"> EAGER_OPTIONS = [&quot;--thresholdForJITAfterWarmUp=10&quot;, &quot;--thresholdForJITSoon=10&quot;, &quot;--thresholdForOptimizeAfterWarmUp=20&quot;, &quot;--thresholdForOptimizeAfterLongWarmUp=20&quot;, &quot;--thresholdForOptimizeSoon=20&quot;, &quot;--thresholdForFTLOptimizeAfterWarmUp=20&quot;, &quot;--thresholdForFTLOptimizeSoon=20&quot;, &quot;--maximumEvalCacheableSourceLength=150000&quot;, &quot;--useEagerCodeBlockJettisonTiming=true&quot;]
</span><del>-NO_CJIT_OPTIONS = [&quot;--useConcurrentJIT=false&quot;, &quot;--thresholdForJITAfterWarmUp=100&quot;, &quot;--scribbleFreeCells=true&quot;]
</del><ins>+NO_CJIT_OPTIONS = [&quot;--useConcurrentJIT=false&quot;, &quot;--thresholdForJITAfterWarmUp=100&quot;]
</ins><span class="cx"> FTL_OPTIONS = [&quot;--useFTLJIT=true&quot;]
</span><span class="cx"> 
</span><span class="cx"> $runlist = []
</span></span></pre></div>
<a id="trunkToolsTestWebKitAPITestsWTFVectorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Tools/TestWebKitAPI/Tests/WTF/Vector.cpp (204911 => 204912)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Tools/TestWebKitAPI/Tests/WTF/Vector.cpp        2016-08-24 18:53:33 UTC (rev 204911)
+++ trunk/Tools/TestWebKitAPI/Tests/WTF/Vector.cpp        2016-08-24 19:00:37 UTC (rev 204912)
</span><span class="lines">@@ -66,7 +66,8 @@
</span><span class="cx"> TEST(WTF_Vector, OverloadedOperatorAmpersand)
</span><span class="cx"> {
</span><span class="cx">     struct Test {
</span><del>-        Test* operator&amp;() = delete;
</del><ins>+    private:
+        Test* operator&amp;();
</ins><span class="cx">     };
</span><span class="cx"> 
</span><span class="cx">     Vector&lt;Test&gt; vector;
</span></span></pre>
</div>
</div>

</body>
</html>