<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[225314] trunk/Source</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/225314">225314</a></dd>
<dt>Author</dt> <dd>fpizlo@apple.com</dd>
<dt>Date</dt> <dd>2017-11-29 20:39:50 -0800 (Wed, 29 Nov 2017)</dd>
</dl>

<h3>Log Message</h3>
<pre>GC should support isoheaps
https://bugs.webkit.org/show_bug.cgi?id=179288

Reviewed by Saam Barati.
Source/JavaScriptCore:

        
This expands the power of the Subspace API in JSC:
        
- Everything associated with describing the types of objects is now part of the HeapCellType class.
  We have different HeapCellTypes for different destruction strategies. Any Subspace can use any
  HeapCellType; these are orthogonal things.
        
- There are now two variants of Subspace: CompleteSubspace, which can allocate any size objects using
  any AlignedMemoryAllocator; and IsoSubspace, which can allocate just one size of object and uses a
  special virtual memory pool for that purpose. Like bmalloc's IsoHeap, IsoSubspace hoards virtual
  pages but releases the physical pages as part of the respective allocator's scavenging policy
  (the Scavenger in bmalloc for IsoHeap and the incremental sweep and full sweep in Riptide for
  IsoSubspace).
        
So far, this patch just puts subtypes of ExecutableBase in IsoSubspaces. If it works, we can use it
for more things.
        
This does not have any effect on JetStream (0.18% faster with p = 0.69).

* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateImpl):
* bytecode/ObjectAllocationProfileInlines.h:
(JSC::ObjectAllocationProfile::initializeProfile):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
(JSC::DFG::SpeculativeJIT::compileMakeRope):
(JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
(JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
(JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
(JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
(JSC::FTL::DFG::LowerDFGToB3::allocateObject):
(JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
* heap/AlignedMemoryAllocator.cpp:
(JSC::AlignedMemoryAllocator::registerAllocator):
(JSC::AlignedMemoryAllocator::registerSubspace):
* heap/AlignedMemoryAllocator.h:
(JSC::AlignedMemoryAllocator::firstAllocator const):
* heap/AllocationFailureMode.h: Added.
* heap/CompleteSubspace.cpp: Added.
(JSC::CompleteSubspace::CompleteSubspace):
(JSC::CompleteSubspace::~CompleteSubspace):
(JSC::CompleteSubspace::allocatorFor):
(JSC::CompleteSubspace::allocate):
(JSC::CompleteSubspace::allocateNonVirtual):
(JSC::CompleteSubspace::allocatorForSlow):
(JSC::CompleteSubspace::allocateSlow):
(JSC::CompleteSubspace::tryAllocateSlow):
* heap/CompleteSubspace.h: Added.
(JSC::CompleteSubspace::offsetOfAllocatorForSizeStep):
(JSC::CompleteSubspace::allocatorForSizeStep):
(JSC::CompleteSubspace::allocatorForNonVirtual):
* heap/HeapCellType.cpp: Added.
(JSC::HeapCellType::HeapCellType):
(JSC::HeapCellType::~HeapCellType):
(JSC::HeapCellType::finishSweep):
(JSC::HeapCellType::destroy):
* heap/HeapCellType.h: Added.
(JSC::HeapCellType::attributes const):
* heap/IsoAlignedMemoryAllocator.cpp: Added.
(JSC::IsoAlignedMemoryAllocator::IsoAlignedMemoryAllocator):
(JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
(JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
(JSC::IsoAlignedMemoryAllocator::freeAlignedMemory):
(JSC::IsoAlignedMemoryAllocator::dump const):
* heap/IsoAlignedMemoryAllocator.h: Added.
* heap/IsoSubspace.cpp: Added.
(JSC::IsoSubspace::IsoSubspace):
(JSC::IsoSubspace::~IsoSubspace):
(JSC::IsoSubspace::allocatorFor):
(JSC::IsoSubspace::allocatorForNonVirtual):
(JSC::IsoSubspace::allocate):
(JSC::IsoSubspace::allocateNonVirtual):
* heap/IsoSubspace.h: Added.
(JSC::IsoSubspace::size const):
* heap/MarkedAllocator.cpp:
(JSC::MarkedAllocator::MarkedAllocator):
(JSC::MarkedAllocator::setSubspace):
(JSC::MarkedAllocator::allocateSlowCase):
(JSC::MarkedAllocator::tryAllocateSlowCase): Deleted.
(JSC::MarkedAllocator::allocateSlowCaseImpl): Deleted.
* heap/MarkedAllocator.h:
(JSC::MarkedAllocator::nextAllocatorInAlignedMemoryAllocator const):
(JSC::MarkedAllocator::setNextAllocatorInAlignedMemoryAllocator):
* heap/MarkedAllocatorInlines.h:
(JSC::MarkedAllocator::allocate):
(JSC::MarkedAllocator::tryAllocate): Deleted.
* heap/MarkedBlock.h:
* heap/MarkedBlockInlines.h:
(JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType):
(JSC::MarkedBlock::Handle::finishSweepKnowingSubspace): Deleted.
* heap/MarkedSpace.cpp:
(JSC::MarkedSpace::addMarkedAllocator):
* heap/MarkedSpace.h:
* heap/Subspace.cpp:
(JSC::Subspace::Subspace):
(JSC::Subspace::initialize):
(JSC::Subspace::finishSweep):
(JSC::Subspace::destroy):
(JSC::Subspace::prepareForAllocation):
(JSC::Subspace::findEmptyBlockToSteal):
(): Deleted.
(JSC::Subspace::allocate): Deleted.
(JSC::Subspace::tryAllocate): Deleted.
(JSC::Subspace::allocatorForSlow): Deleted.
(JSC::Subspace::allocateSlow): Deleted.
(JSC::Subspace::tryAllocateSlow): Deleted.
(JSC::Subspace::didAllocate): Deleted.
* heap/Subspace.h:
(JSC::Subspace::heapCellType const):
(JSC::Subspace::nextSubspaceInAlignedMemoryAllocator const):
(JSC::Subspace::setNextSubspaceInAlignedMemoryAllocator):
(JSC::Subspace::offsetOfAllocatorForSizeStep): Deleted.
(JSC::Subspace::allocatorForSizeStep): Deleted.
(JSC::Subspace::tryAllocatorFor): Deleted.
(JSC::Subspace::allocatorFor): Deleted.
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
(JSC::AssemblyHelpers::emitAllocateVariableSized):
(JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_new_object):
* runtime/ButterflyInlines.h:
(JSC::Butterfly::createUninitialized):
(JSC::Butterfly::tryCreate):
(JSC::Butterfly::growArrayRight):
* runtime/DirectArguments.cpp:
(JSC::DirectArguments::overrideThings):
* runtime/DirectArguments.h:
(JSC::DirectArguments::subspaceFor):
* runtime/DirectEvalExecutable.h:
* runtime/EvalExecutable.h:
* runtime/ExecutableBase.h:
(JSC::ExecutableBase::subspaceFor):
* runtime/FunctionExecutable.h:
* runtime/GenericArgumentsInlines.h:
(JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
* runtime/HashMapImpl.h:
(JSC::HashMapBuffer::create):
* runtime/IndirectEvalExecutable.h:
* runtime/JSArray.cpp:
(JSC::JSArray::tryCreateUninitializedRestricted):
(JSC::JSArray::unshiftCountSlowCase):
* runtime/JSArray.h:
(JSC::JSArray::tryCreate):
* runtime/JSArrayBufferView.cpp:
(JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
* runtime/JSCell.h:
(JSC::subspaceFor):
* runtime/JSCellInlines.h:
(JSC::JSCell::subspaceFor):
(JSC::tryAllocateCellHelper):
(JSC::allocateCell):
(JSC::tryAllocateCell):
* runtime/JSDestructibleObject.h:
(JSC::JSDestructibleObject::subspaceFor):
* runtime/JSDestructibleObjectHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSDestructibleObjectSubspace.cpp.
(JSC::JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType):
(JSC::JSDestructibleObjectHeapCellType::~JSDestructibleObjectHeapCellType):
(JSC::JSDestructibleObjectHeapCellType::finishSweep):
(JSC::JSDestructibleObjectHeapCellType::destroy):
(JSC::JSDestructibleObjectSubspace::JSDestructibleObjectSubspace): Deleted.
(JSC::JSDestructibleObjectSubspace::~JSDestructibleObjectSubspace): Deleted.
(JSC::JSDestructibleObjectSubspace::finishSweep): Deleted.
(JSC::JSDestructibleObjectSubspace::destroy): Deleted.
* runtime/JSDestructibleObjectHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSDestructibleObjectSubspace.h.
* runtime/JSDestructibleObjectSubspace.cpp: Removed.
* runtime/JSDestructibleObjectSubspace.h: Removed.
* runtime/JSLexicalEnvironment.h:
(JSC::JSLexicalEnvironment::subspaceFor):
* runtime/JSSegmentedVariableObject.h:
(JSC::JSSegmentedVariableObject::subspaceFor):
* runtime/JSSegmentedVariableObjectHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSSegmentedVariableObjectSubspace.cpp.
(JSC::JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType):
(JSC::JSSegmentedVariableObjectHeapCellType::~JSSegmentedVariableObjectHeapCellType):
(JSC::JSSegmentedVariableObjectHeapCellType::finishSweep):
(JSC::JSSegmentedVariableObjectHeapCellType::destroy):
(JSC::JSSegmentedVariableObjectSubspace::JSSegmentedVariableObjectSubspace): Deleted.
(JSC::JSSegmentedVariableObjectSubspace::~JSSegmentedVariableObjectSubspace): Deleted.
(JSC::JSSegmentedVariableObjectSubspace::finishSweep): Deleted.
(JSC::JSSegmentedVariableObjectSubspace::destroy): Deleted.
* runtime/JSSegmentedVariableObjectHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSSegmentedVariableObjectSubspace.h.
* runtime/JSSegmentedVariableObjectSubspace.cpp: Removed.
* runtime/JSSegmentedVariableObjectSubspace.h: Removed.
* runtime/JSString.h:
(JSC::JSString::subspaceFor):
* runtime/JSStringHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSStringSubspace.cpp.
(JSC::JSStringHeapCellType::JSStringHeapCellType):
(JSC::JSStringHeapCellType::~JSStringHeapCellType):
(JSC::JSStringHeapCellType::finishSweep):
(JSC::JSStringHeapCellType::destroy):
(JSC::JSStringSubspace::JSStringSubspace): Deleted.
(JSC::JSStringSubspace::~JSStringSubspace): Deleted.
(JSC::JSStringSubspace::finishSweep): Deleted.
(JSC::JSStringSubspace::destroy): Deleted.
* runtime/JSStringHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSStringSubspace.h.
* runtime/JSStringSubspace.cpp: Removed.
* runtime/JSStringSubspace.h: Removed.
* runtime/ModuleProgramExecutable.h:
* runtime/NativeExecutable.h:
* runtime/ProgramExecutable.h:
* runtime/RegExpMatchesArray.h:
(JSC::tryCreateUninitializedRegExpMatchesArray):
* runtime/ScopedArguments.h:
(JSC::ScopedArguments::subspaceFor):
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
(JSC::VM::gigacageAuxiliarySpace):
* wasm/js/JSWebAssemblyCodeBlock.h:
* wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockSubspace.cpp.
(JSC::JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType):
(JSC::JSWebAssemblyCodeBlockHeapCellType::~JSWebAssemblyCodeBlockHeapCellType):
(JSC::JSWebAssemblyCodeBlockHeapCellType::finishSweep):
(JSC::JSWebAssemblyCodeBlockHeapCellType::destroy):
(JSC::JSWebAssemblyCodeBlockSubspace::JSWebAssemblyCodeBlockSubspace): Deleted.
(JSC::JSWebAssemblyCodeBlockSubspace::~JSWebAssemblyCodeBlockSubspace): Deleted.
(JSC::JSWebAssemblyCodeBlockSubspace::finishSweep): Deleted.
(JSC::JSWebAssemblyCodeBlockSubspace::destroy): Deleted.
* wasm/js/JSWebAssemblyCodeBlockHeapCellType.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockSubspace.h.
* wasm/js/JSWebAssemblyCodeBlockSubspace.cpp: Removed.
* wasm/js/JSWebAssemblyCodeBlockSubspace.h: Removed.
* wasm/js/JSWebAssemblyMemory.h:
(JSC::JSWebAssemblyMemory::subspaceFor):

Source/WebCore:


No new tests because no new behavior.
        
Adopting changes in JSC Subspace API.

* ForwardingHeaders/runtime/JSDestructibleObjectHeapCellType.h: Added.
* ForwardingHeaders/runtime/JSSegmentedVariableObjectHeapCellType.h: Added.
* bindings/js/JSDOMWrapper.cpp:
(WebCore::outputConstraintSubspaceFor):
(WebCore::globalObjectOutputConstraintSubspaceFor):
* bindings/js/JSDOMWrapper.h:
* bindings/js/WebCoreJSClientData.cpp:
(WebCore::JSVMClientData::JSVMClientData):
* bindings/js/WebCoreJSClientData.h:
(WebCore::JSVMClientData::outputConstraintSpace):
(WebCore::JSVMClientData::globalObjectOutputConstraintSpace):
* bindings/scripts/CodeGeneratorJS.pm:
(GenerateHeader):

Source/WTF:

        
One of my favorite data structures in the GC is a singly-linked list that knows its tail, so that
things get added to it at the end rather that at the beginning. In this patch, I use this to put
the same node on multiple lists, which our existing linked list templates also don't support.
        
This adds a new linked list that does those things:
        
- It supports append(). It could also support prepend(), but currently there is no need for it.
        
- It supports nodes that are on multiple lists. The GC uses std::mem_fn() to create a lambda that the
  list uses to set next.

* WTF.xcodeproj/project.pbxproj:
* wtf/SinglyLinkedListWithTail.h: Added.
(WTF::SinglyLinkedListWithTail::isEmpty const):
(WTF::SinglyLinkedListWithTail::append):
(WTF::SinglyLinkedListWithTail::first const):
(WTF::SinglyLinkedListWithTail::last const):</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoreJavaScriptCorexcodeprojprojectpbxproj">trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj</a></li>
<li><a href="#trunkSourceJavaScriptCoreSourcestxt">trunk/Source/JavaScriptCore/Sources.txt</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeAccessCasecpp">trunk/Source/JavaScriptCore/bytecode/AccessCase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeObjectAllocationProfileInlinesh">trunk/Source/JavaScriptCore/bytecode/ObjectAllocationProfileInlines.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJITcpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJIT32_64cpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJIT64cpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLAbstractHeapRepositoryh">trunk/Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLLowerDFGToB3cpp">trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapAlignedMemoryAllocatorcpp">trunk/Source/JavaScriptCore/heap/AlignedMemoryAllocator.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapAlignedMemoryAllocatorh">trunk/Source/JavaScriptCore/heap/AlignedMemoryAllocator.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapMarkedAllocatorcpp">trunk/Source/JavaScriptCore/heap/MarkedAllocator.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapMarkedAllocatorh">trunk/Source/JavaScriptCore/heap/MarkedAllocator.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapMarkedAllocatorInlinesh">trunk/Source/JavaScriptCore/heap/MarkedAllocatorInlines.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapMarkedBlockh">trunk/Source/JavaScriptCore/heap/MarkedBlock.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapMarkedBlockInlinesh">trunk/Source/JavaScriptCore/heap/MarkedBlockInlines.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapMarkedSpacecpp">trunk/Source/JavaScriptCore/heap/MarkedSpace.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapMarkedSpaceh">trunk/Source/JavaScriptCore/heap/MarkedSpace.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapSubspacecpp">trunk/Source/JavaScriptCore/heap/Subspace.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapSubspaceh">trunk/Source/JavaScriptCore/heap/Subspace.h</a></li>
<li><a href="#trunkSourceJavaScriptCorejitAssemblyHelpersh">trunk/Source/JavaScriptCore/jit/AssemblyHelpers.h</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITOpcodescpp">trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITOpcodes32_64cpp">trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeButterflyInlinesh">trunk/Source/JavaScriptCore/runtime/ButterflyInlines.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeDirectArgumentscpp">trunk/Source/JavaScriptCore/runtime/DirectArguments.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeDirectArgumentsh">trunk/Source/JavaScriptCore/runtime/DirectArguments.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeDirectEvalExecutableh">trunk/Source/JavaScriptCore/runtime/DirectEvalExecutable.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeEvalExecutableh">trunk/Source/JavaScriptCore/runtime/EvalExecutable.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeExecutableBaseh">trunk/Source/JavaScriptCore/runtime/ExecutableBase.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeFunctionExecutableh">trunk/Source/JavaScriptCore/runtime/FunctionExecutable.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeGenericArgumentsInlinesh">trunk/Source/JavaScriptCore/runtime/GenericArgumentsInlines.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeHashMapImplh">trunk/Source/JavaScriptCore/runtime/HashMapImpl.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeIndirectEvalExecutableh">trunk/Source/JavaScriptCore/runtime/IndirectEvalExecutable.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSArraycpp">trunk/Source/JavaScriptCore/runtime/JSArray.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSArrayh">trunk/Source/JavaScriptCore/runtime/JSArray.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSArrayBufferViewcpp">trunk/Source/JavaScriptCore/runtime/JSArrayBufferView.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSCellh">trunk/Source/JavaScriptCore/runtime/JSCell.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSCellInlinesh">trunk/Source/JavaScriptCore/runtime/JSCellInlines.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSDestructibleObjecth">trunk/Source/JavaScriptCore/runtime/JSDestructibleObject.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSLexicalEnvironmenth">trunk/Source/JavaScriptCore/runtime/JSLexicalEnvironment.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSSegmentedVariableObjecth">trunk/Source/JavaScriptCore/runtime/JSSegmentedVariableObject.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSStringh">trunk/Source/JavaScriptCore/runtime/JSString.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeModuleProgramExecutableh">trunk/Source/JavaScriptCore/runtime/ModuleProgramExecutable.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeNativeExecutableh">trunk/Source/JavaScriptCore/runtime/NativeExecutable.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeProgramExecutableh">trunk/Source/JavaScriptCore/runtime/ProgramExecutable.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeRegExpMatchesArrayh">trunk/Source/JavaScriptCore/runtime/RegExpMatchesArray.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeScopedArgumentsh">trunk/Source/JavaScriptCore/runtime/ScopedArguments.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeVMcpp">trunk/Source/JavaScriptCore/runtime/VM.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeVMh">trunk/Source/JavaScriptCore/runtime/VM.h</a></li>
<li><a href="#trunkSourceJavaScriptCorewasmjsJSWebAssemblyCodeBlockh">trunk/Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlock.h</a></li>
<li><a href="#trunkSourceJavaScriptCorewasmjsJSWebAssemblyMemoryh">trunk/Source/JavaScriptCore/wasm/js/JSWebAssemblyMemory.h</a></li>
<li><a href="#trunkSourceWTFChangeLog">trunk/Source/WTF/ChangeLog</a></li>
<li><a href="#trunkSourceWTFWTFxcodeprojprojectpbxproj">trunk/Source/WTF/WTF.xcodeproj/project.pbxproj</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCorebindingsjsJSDOMWrappercpp">trunk/Source/WebCore/bindings/js/JSDOMWrapper.cpp</a></li>
<li><a href="#trunkSourceWebCorebindingsjsJSDOMWrapperh">trunk/Source/WebCore/bindings/js/JSDOMWrapper.h</a></li>
<li><a href="#trunkSourceWebCorebindingsjsWebCoreJSClientDatacpp">trunk/Source/WebCore/bindings/js/WebCoreJSClientData.cpp</a></li>
<li><a href="#trunkSourceWebCorebindingsjsWebCoreJSClientDatah">trunk/Source/WebCore/bindings/js/WebCoreJSClientData.h</a></li>
<li><a href="#trunkSourceWebCorebindingsscriptsCodeGeneratorJSpm">trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoreheapAllocationFailureModeh">trunk/Source/JavaScriptCore/heap/AllocationFailureMode.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapAllocatorForModeh">trunk/Source/JavaScriptCore/heap/AllocatorForMode.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapCompleteSubspacecpp">trunk/Source/JavaScriptCore/heap/CompleteSubspace.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapCompleteSubspaceh">trunk/Source/JavaScriptCore/heap/CompleteSubspace.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapHeapCellTypecpp">trunk/Source/JavaScriptCore/heap/HeapCellType.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapHeapCellTypeh">trunk/Source/JavaScriptCore/heap/HeapCellType.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapIsoAlignedMemoryAllocatorcpp">trunk/Source/JavaScriptCore/heap/IsoAlignedMemoryAllocator.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapIsoAlignedMemoryAllocatorh">trunk/Source/JavaScriptCore/heap/IsoAlignedMemoryAllocator.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapIsoSubspacecpp">trunk/Source/JavaScriptCore/heap/IsoSubspace.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapIsoSubspaceh">trunk/Source/JavaScriptCore/heap/IsoSubspace.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSDestructibleObjectHeapCellTypecpp">trunk/Source/JavaScriptCore/runtime/JSDestructibleObjectHeapCellType.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSDestructibleObjectHeapCellTypeh">trunk/Source/JavaScriptCore/runtime/JSDestructibleObjectHeapCellType.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSSegmentedVariableObjectHeapCellTypecpp">trunk/Source/JavaScriptCore/runtime/JSSegmentedVariableObjectHeapCellType.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSSegmentedVariableObjectHeapCellTypeh">trunk/Source/JavaScriptCore/runtime/JSSegmentedVariableObjectHeapCellType.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSStringHeapCellTypecpp">trunk/Source/JavaScriptCore/runtime/JSStringHeapCellType.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSStringHeapCellTypeh">trunk/Source/JavaScriptCore/runtime/JSStringHeapCellType.h</a></li>
<li><a href="#trunkSourceJavaScriptCorewasmjsJSWebAssemblyCodeBlockHeapCellTypecpp">trunk/Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorewasmjsJSWebAssemblyCodeBlockHeapCellTypeh">trunk/Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockHeapCellType.h</a></li>
<li><a href="#trunkSourceWTFwtfSinglyLinkedListWithTailh">trunk/Source/WTF/wtf/SinglyLinkedListWithTail.h</a></li>
<li><a href="#trunkSourceWebCoreForwardingHeadersruntimeJSDestructibleObjectHeapCellTypeh">trunk/Source/WebCore/ForwardingHeaders/runtime/JSDestructibleObjectHeapCellType.h</a></li>
<li><a href="#trunkSourceWebCoreForwardingHeadersruntimeJSSegmentedVariableObjectHeapCellTypeh">trunk/Source/WebCore/ForwardingHeaders/runtime/JSSegmentedVariableObjectHeapCellType.h</a></li>
</ul>

<h3>Removed Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSDestructibleObjectSubspacecpp">trunk/Source/JavaScriptCore/runtime/JSDestructibleObjectSubspace.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSDestructibleObjectSubspaceh">trunk/Source/JavaScriptCore/runtime/JSDestructibleObjectSubspace.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSSegmentedVariableObjectSubspacecpp">trunk/Source/JavaScriptCore/runtime/JSSegmentedVariableObjectSubspace.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSSegmentedVariableObjectSubspaceh">trunk/Source/JavaScriptCore/runtime/JSSegmentedVariableObjectSubspace.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSStringSubspacecpp">trunk/Source/JavaScriptCore/runtime/JSStringSubspace.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSStringSubspaceh">trunk/Source/JavaScriptCore/runtime/JSStringSubspace.h</a></li>
<li><a href="#trunkSourceJavaScriptCorewasmjsJSWebAssemblyCodeBlockSubspacecpp">trunk/Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockSubspace.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorewasmjsJSWebAssemblyCodeBlockSubspaceh">trunk/Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockSubspace.h</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog    2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/JavaScriptCore/ChangeLog       2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -1,3 +1,240 @@
</span><ins>+2017-11-29  Filip Pizlo  <fpizlo@apple.com>
+
+        GC should support isoheaps
+        https://bugs.webkit.org/show_bug.cgi?id=179288
+
+        Reviewed by Saam Barati.
+        
+        This expands the power of the Subspace API in JSC:
+        
+        - Everything associated with describing the types of objects is now part of the HeapCellType class.
+          We have different HeapCellTypes for different destruction strategies. Any Subspace can use any
+          HeapCellType; these are orthogonal things.
+        
+        - There are now two variants of Subspace: CompleteSubspace, which can allocate any size objects using
+          any AlignedMemoryAllocator; and IsoSubspace, which can allocate just one size of object and uses a
+          special virtual memory pool for that purpose. Like bmalloc's IsoHeap, IsoSubspace hoards virtual
+          pages but releases the physical pages as part of the respective allocator's scavenging policy
+          (the Scavenger in bmalloc for IsoHeap and the incremental sweep and full sweep in Riptide for
+          IsoSubspace).
+        
+        So far, this patch just puts subtypes of ExecutableBase in IsoSubspaces. If it works, we can use it
+        for more things.
+        
+        This does not have any effect on JetStream (0.18% faster with p = 0.69).
+
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * Sources.txt:
+        * bytecode/AccessCase.cpp:
+        (JSC::AccessCase::generateImpl):
+        * bytecode/ObjectAllocationProfileInlines.h:
+        (JSC::ObjectAllocationProfile::initializeProfile):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
+        (JSC::DFG::SpeculativeJIT::compileMakeRope):
+        (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
+        (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * ftl/FTLAbstractHeapRepository.h:
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
+        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
+        (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
+        (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
+        (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
+        * heap/AlignedMemoryAllocator.cpp:
+        (JSC::AlignedMemoryAllocator::registerAllocator):
+        (JSC::AlignedMemoryAllocator::registerSubspace):
+        * heap/AlignedMemoryAllocator.h:
+        (JSC::AlignedMemoryAllocator::firstAllocator const):
+        * heap/AllocationFailureMode.h: Added.
+        * heap/CompleteSubspace.cpp: Added.
+        (JSC::CompleteSubspace::CompleteSubspace):
+        (JSC::CompleteSubspace::~CompleteSubspace):
+        (JSC::CompleteSubspace::allocatorFor):
+        (JSC::CompleteSubspace::allocate):
+        (JSC::CompleteSubspace::allocateNonVirtual):
+        (JSC::CompleteSubspace::allocatorForSlow):
+        (JSC::CompleteSubspace::allocateSlow):
+        (JSC::CompleteSubspace::tryAllocateSlow):
+        * heap/CompleteSubspace.h: Added.
+        (JSC::CompleteSubspace::offsetOfAllocatorForSizeStep):
+        (JSC::CompleteSubspace::allocatorForSizeStep):
+        (JSC::CompleteSubspace::allocatorForNonVirtual):
+        * heap/HeapCellType.cpp: Added.
+        (JSC::HeapCellType::HeapCellType):
+        (JSC::HeapCellType::~HeapCellType):
+        (JSC::HeapCellType::finishSweep):
+        (JSC::HeapCellType::destroy):
+        * heap/HeapCellType.h: Added.
+        (JSC::HeapCellType::attributes const):
+        * heap/IsoAlignedMemoryAllocator.cpp: Added.
+        (JSC::IsoAlignedMemoryAllocator::IsoAlignedMemoryAllocator):
+        (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
+        (JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
+        (JSC::IsoAlignedMemoryAllocator::freeAlignedMemory):
+        (JSC::IsoAlignedMemoryAllocator::dump const):
+        * heap/IsoAlignedMemoryAllocator.h: Added.
+        * heap/IsoSubspace.cpp: Added.
+        (JSC::IsoSubspace::IsoSubspace):
+        (JSC::IsoSubspace::~IsoSubspace):
+        (JSC::IsoSubspace::allocatorFor):
+        (JSC::IsoSubspace::allocatorForNonVirtual):
+        (JSC::IsoSubspace::allocate):
+        (JSC::IsoSubspace::allocateNonVirtual):
+        * heap/IsoSubspace.h: Added.
+        (JSC::IsoSubspace::size const):
+        * heap/MarkedAllocator.cpp:
+        (JSC::MarkedAllocator::MarkedAllocator):
+        (JSC::MarkedAllocator::setSubspace):
+        (JSC::MarkedAllocator::allocateSlowCase):
+        (JSC::MarkedAllocator::tryAllocateSlowCase): Deleted.
+        (JSC::MarkedAllocator::allocateSlowCaseImpl): Deleted.
+        * heap/MarkedAllocator.h:
+        (JSC::MarkedAllocator::nextAllocatorInAlignedMemoryAllocator const):
+        (JSC::MarkedAllocator::setNextAllocatorInAlignedMemoryAllocator):
+        * heap/MarkedAllocatorInlines.h:
+        (JSC::MarkedAllocator::allocate):
+        (JSC::MarkedAllocator::tryAllocate): Deleted.
+        * heap/MarkedBlock.h:
+        * heap/MarkedBlockInlines.h:
+        (JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType):
+        (JSC::MarkedBlock::Handle::finishSweepKnowingSubspace): Deleted.
+        * heap/MarkedSpace.cpp:
+        (JSC::MarkedSpace::addMarkedAllocator):
+        * heap/MarkedSpace.h:
+        * heap/Subspace.cpp:
+        (JSC::Subspace::Subspace):
+        (JSC::Subspace::initialize):
+        (JSC::Subspace::finishSweep):
+        (JSC::Subspace::destroy):
+        (JSC::Subspace::prepareForAllocation):
+        (JSC::Subspace::findEmptyBlockToSteal):
+        (): Deleted.
+        (JSC::Subspace::allocate): Deleted.
+        (JSC::Subspace::tryAllocate): Deleted.
+        (JSC::Subspace::allocatorForSlow): Deleted.
+        (JSC::Subspace::allocateSlow): Deleted.
+        (JSC::Subspace::tryAllocateSlow): Deleted.
+        (JSC::Subspace::didAllocate): Deleted.
+        * heap/Subspace.h:
+        (JSC::Subspace::heapCellType const):
+        (JSC::Subspace::nextSubspaceInAlignedMemoryAllocator const):
+        (JSC::Subspace::setNextSubspaceInAlignedMemoryAllocator):
+        (JSC::Subspace::offsetOfAllocatorForSizeStep): Deleted.
+        (JSC::Subspace::allocatorForSizeStep): Deleted.
+        (JSC::Subspace::tryAllocatorFor): Deleted.
+        (JSC::Subspace::allocatorFor): Deleted.
+        * jit/AssemblyHelpers.h:
+        (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
+        (JSC::AssemblyHelpers::emitAllocateVariableSized):
+        (JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
+        * jit/JITOpcodes.cpp:
+        (JSC::JIT::emit_op_new_object):
+        * runtime/ButterflyInlines.h:
+        (JSC::Butterfly::createUninitialized):
+        (JSC::Butterfly::tryCreate):
+        (JSC::Butterfly::growArrayRight):
+        * runtime/DirectArguments.cpp:
+        (JSC::DirectArguments::overrideThings):
+        * runtime/DirectArguments.h:
+        (JSC::DirectArguments::subspaceFor):
+        * runtime/DirectEvalExecutable.h:
+        * runtime/EvalExecutable.h:
+        * runtime/ExecutableBase.h:
+        (JSC::ExecutableBase::subspaceFor):
+        * runtime/FunctionExecutable.h:
+        * runtime/GenericArgumentsInlines.h:
+        (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
+        * runtime/HashMapImpl.h:
+        (JSC::HashMapBuffer::create):
+        * runtime/IndirectEvalExecutable.h:
+        * runtime/JSArray.cpp:
+        (JSC::JSArray::tryCreateUninitializedRestricted):
+        (JSC::JSArray::unshiftCountSlowCase):
+        * runtime/JSArray.h:
+        (JSC::JSArray::tryCreate):
+        * runtime/JSArrayBufferView.cpp:
+        (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
+        * runtime/JSCell.h:
+        (JSC::subspaceFor):
+        * runtime/JSCellInlines.h:
+        (JSC::JSCell::subspaceFor):
+        (JSC::tryAllocateCellHelper):
+        (JSC::allocateCell):
+        (JSC::tryAllocateCell):
+        * runtime/JSDestructibleObject.h:
+        (JSC::JSDestructibleObject::subspaceFor):
+        * runtime/JSDestructibleObjectHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSDestructibleObjectSubspace.cpp.
+        (JSC::JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType):
+        (JSC::JSDestructibleObjectHeapCellType::~JSDestructibleObjectHeapCellType):
+        (JSC::JSDestructibleObjectHeapCellType::finishSweep):
+        (JSC::JSDestructibleObjectHeapCellType::destroy):
+        (JSC::JSDestructibleObjectSubspace::JSDestructibleObjectSubspace): Deleted.
+        (JSC::JSDestructibleObjectSubspace::~JSDestructibleObjectSubspace): Deleted.
+        (JSC::JSDestructibleObjectSubspace::finishSweep): Deleted.
+        (JSC::JSDestructibleObjectSubspace::destroy): Deleted.
+        * runtime/JSDestructibleObjectHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSDestructibleObjectSubspace.h.
+        * runtime/JSDestructibleObjectSubspace.cpp: Removed.
+        * runtime/JSDestructibleObjectSubspace.h: Removed.
+        * runtime/JSLexicalEnvironment.h:
+        (JSC::JSLexicalEnvironment::subspaceFor):
+        * runtime/JSSegmentedVariableObject.h:
+        (JSC::JSSegmentedVariableObject::subspaceFor):
+        * runtime/JSSegmentedVariableObjectHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSSegmentedVariableObjectSubspace.cpp.
+        (JSC::JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType):
+        (JSC::JSSegmentedVariableObjectHeapCellType::~JSSegmentedVariableObjectHeapCellType):
+        (JSC::JSSegmentedVariableObjectHeapCellType::finishSweep):
+        (JSC::JSSegmentedVariableObjectHeapCellType::destroy):
+        (JSC::JSSegmentedVariableObjectSubspace::JSSegmentedVariableObjectSubspace): Deleted.
+        (JSC::JSSegmentedVariableObjectSubspace::~JSSegmentedVariableObjectSubspace): Deleted.
+        (JSC::JSSegmentedVariableObjectSubspace::finishSweep): Deleted.
+        (JSC::JSSegmentedVariableObjectSubspace::destroy): Deleted.
+        * runtime/JSSegmentedVariableObjectHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSSegmentedVariableObjectSubspace.h.
+        * runtime/JSSegmentedVariableObjectSubspace.cpp: Removed.
+        * runtime/JSSegmentedVariableObjectSubspace.h: Removed.
+        * runtime/JSString.h:
+        (JSC::JSString::subspaceFor):
+        * runtime/JSStringHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSStringSubspace.cpp.
+        (JSC::JSStringHeapCellType::JSStringHeapCellType):
+        (JSC::JSStringHeapCellType::~JSStringHeapCellType):
+        (JSC::JSStringHeapCellType::finishSweep):
+        (JSC::JSStringHeapCellType::destroy):
+        (JSC::JSStringSubspace::JSStringSubspace): Deleted.
+        (JSC::JSStringSubspace::~JSStringSubspace): Deleted.
+        (JSC::JSStringSubspace::finishSweep): Deleted.
+        (JSC::JSStringSubspace::destroy): Deleted.
+        * runtime/JSStringHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSStringSubspace.h.
+        * runtime/JSStringSubspace.cpp: Removed.
+        * runtime/JSStringSubspace.h: Removed.
+        * runtime/ModuleProgramExecutable.h:
+        * runtime/NativeExecutable.h:
+        * runtime/ProgramExecutable.h:
+        * runtime/RegExpMatchesArray.h:
+        (JSC::tryCreateUninitializedRegExpMatchesArray):
+        * runtime/ScopedArguments.h:
+        (JSC::ScopedArguments::subspaceFor):
+        * runtime/VM.cpp:
+        (JSC::VM::VM):
+        * runtime/VM.h:
+        (JSC::VM::gigacageAuxiliarySpace):
+        * wasm/js/JSWebAssemblyCodeBlock.h:
+        * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockSubspace.cpp.
+        (JSC::JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType):
+        (JSC::JSWebAssemblyCodeBlockHeapCellType::~JSWebAssemblyCodeBlockHeapCellType):
+        (JSC::JSWebAssemblyCodeBlockHeapCellType::finishSweep):
+        (JSC::JSWebAssemblyCodeBlockHeapCellType::destroy):
+        (JSC::JSWebAssemblyCodeBlockSubspace::JSWebAssemblyCodeBlockSubspace): Deleted.
+        (JSC::JSWebAssemblyCodeBlockSubspace::~JSWebAssemblyCodeBlockSubspace): Deleted.
+        (JSC::JSWebAssemblyCodeBlockSubspace::finishSweep): Deleted.
+        (JSC::JSWebAssemblyCodeBlockSubspace::destroy): Deleted.
+        * wasm/js/JSWebAssemblyCodeBlockHeapCellType.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockSubspace.h.
+        * wasm/js/JSWebAssemblyCodeBlockSubspace.cpp: Removed.
+        * wasm/js/JSWebAssemblyCodeBlockSubspace.h: Removed.
+        * wasm/js/JSWebAssemblyMemory.h:
+        (JSC::JSWebAssemblyMemory::subspaceFor):
+
</ins><span class="cx"> 2017-11-29  Saam Barati  <sbarati@apple.com>
</span><span class="cx"> 
</span><span class="cx">         Remove pointer caging for double arrays
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreJavaScriptCorexcodeprojprojectpbxproj"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj     2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj        2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -249,6 +249,7 @@
</span><span class="cx">          0F2FCCFF18A60070001A27F8 /* DFGThreadData.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F2FCCF818A60070001A27F8 /* DFGThreadData.h */; };
</span><span class="cx">          0F300B7818AB051100A6D72E /* DFGNodeOrigin.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F300B7718AB051100A6D72E /* DFGNodeOrigin.h */; };
</span><span class="cx">          0F300B7C18AB1B1400A6D72E /* DFGIntegerCheckCombiningPhase.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F300B7A18AB1B1400A6D72E /* DFGIntegerCheckCombiningPhase.h */; };
</span><ins>+               0F30CB5E1FCE4E37004B5323 /* AllocatorForMode.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F30CB5D1FCE46B4004B5323 /* AllocatorForMode.h */; settings = {ATTRIBUTES = (Private, ); }; };
</ins><span class="cx">           0F30D7C01D95D6320053089D /* CPU.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F30D7BF1D95D62F0053089D /* CPU.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx">          0F30FB611DC2DE99003124F2 /* ArrayBufferSharingMode.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F30FB601DC2DE96003124F2 /* ArrayBufferSharingMode.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx">          0F32BD111BB34F190093A57F /* HeapHelperPool.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F32BD0F1BB34F190093A57F /* HeapHelperPool.h */; };
</span><span class="lines">@@ -313,7 +314,7 @@
</span><span class="cx">          0F4C91661C29F4F2004341A6 /* B3OriginDump.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F4C91651C29F4F2004341A6 /* B3OriginDump.h */; };
</span><span class="cx">          0F4DE1CF1C4C1B54004D6C11 /* AirFixObviousSpills.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F4DE1CD1C4C1B54004D6C11 /* AirFixObviousSpills.h */; };
</span><span class="cx">          0F4F29E018B6AD1C0057BC15 /* DFGStaticExecutionCountEstimationPhase.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F4F29DE18B6AD1C0057BC15 /* DFGStaticExecutionCountEstimationPhase.h */; };
</span><del>-               0F4F82881E2FFDE00075184C /* JSSegmentedVariableObjectSubspace.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F4F82861E2FFDDB0075184C /* JSSegmentedVariableObjectSubspace.h */; settings = {ATTRIBUTES = (Private, ); }; };
</del><ins>+                0F4F82881E2FFDE00075184C /* JSSegmentedVariableObjectHeapCellType.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F4F82861E2FFDDB0075184C /* JSSegmentedVariableObjectHeapCellType.h */; settings = {ATTRIBUTES = (Private, ); }; };
</ins><span class="cx">           0F4F828C1E31B9760075184C /* StochasticSpaceTimeMutatorScheduler.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F4F828A1E31B9710075184C /* StochasticSpaceTimeMutatorScheduler.h */; };
</span><span class="cx">          0F50AF3C193E8B3900674EE8 /* DFGStructureClobberState.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F50AF3B193E8B3900674EE8 /* DFGStructureClobberState.h */; };
</span><span class="cx">          0F5513A61D5A682C00C32BD8 /* FreeList.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F5513A51D5A682A00C32BD8 /* FreeList.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="lines">@@ -400,8 +401,8 @@
</span><span class="cx">          0F7DF1351E2970DC0095951B /* MarkedSpaceInlines.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F7DF1301E2970D50095951B /* MarkedSpaceInlines.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx">          0F7DF1371E2970E10095951B /* Subspace.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F7DF1321E2970D50095951B /* Subspace.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx">          0F7DF1381E2970E40095951B /* SubspaceInlines.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F7DF1331E2970D50095951B /* SubspaceInlines.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><del>-               0F7DF13C1E2971130095951B /* JSDestructibleObjectSubspace.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F7DF13A1E29710E0095951B /* JSDestructibleObjectSubspace.h */; settings = {ATTRIBUTES = (Private, ); }; };
-               0F7DF13F1E2AFC4D0095951B /* JSStringSubspace.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F7DF13E1E2AFC4B0095951B /* JSStringSubspace.h */; settings = {ATTRIBUTES = (Private, ); }; };
</del><ins>+                0F7DF13C1E2971130095951B /* JSDestructibleObjectHeapCellType.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F7DF13A1E29710E0095951B /* JSDestructibleObjectHeapCellType.h */; settings = {ATTRIBUTES = (Private, ); }; };
+               0F7DF13F1E2AFC4D0095951B /* JSStringHeapCellType.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F7DF13E1E2AFC4B0095951B /* JSStringHeapCellType.h */; settings = {ATTRIBUTES = (Private, ); }; };
</ins><span class="cx">           0F7DF1461E2BEF6A0095951B /* MarkedAllocatorInlines.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F7DF1451E2BEF680095951B /* MarkedAllocatorInlines.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx">          0F7F988C1D9596C800F4F12E /* DFGStoreBarrierClusteringPhase.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F7F988A1D9596C300F4F12E /* DFGStoreBarrierClusteringPhase.h */; };
</span><span class="cx">          0F8023EA1613832B00A0BA45 /* ByValInfo.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F8023E91613832300A0BA45 /* ByValInfo.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="lines">@@ -539,6 +540,11 @@
</span><span class="cx">          0FDB2CCA173DA523007B3C1B /* FTLValueFromBlock.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FDB2CC8173DA51E007B3C1B /* FTLValueFromBlock.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx">          0FDB2CE8174830A2007B3C1B /* DFGWorklist.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FDB2CE6174830A2007B3C1B /* DFGWorklist.h */; };
</span><span class="cx">          0FDB2CEA174896C7007B3C1B /* ConcurrentJSLock.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FDB2CE9174896C7007B3C1B /* ConcurrentJSLock.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><ins>+               0FDCE11C1FAE6209006F3901 /* AllocationFailureMode.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FDCE11B1FAE61F4006F3901 /* AllocationFailureMode.h */; settings = {ATTRIBUTES = (Private, ); }; };
+               0FDCE1221FAE858C006F3901 /* HeapCellType.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FDCE11F1FAE8587006F3901 /* HeapCellType.h */; settings = {ATTRIBUTES = (Private, ); }; };
+               0FDCE12A1FAFA85F006F3901 /* CompleteSubspace.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FDCE1281FAFA859006F3901 /* CompleteSubspace.h */; settings = {ATTRIBUTES = (Private, ); }; };
+               0FDCE12D1FAFB4E5006F3901 /* IsoSubspace.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FDCE12B1FAFB4DE006F3901 /* IsoSubspace.h */; settings = {ATTRIBUTES = (Private, ); }; };
+               0FDCE1321FB11DA4006F3901 /* IsoAlignedMemoryAllocator.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FDCE1301FB11D9D006F3901 /* IsoAlignedMemoryAllocator.h */; settings = {ATTRIBUTES = (Private, ); }; };
</ins><span class="cx">           0FDDBFB61666EEDA00C55FEF /* DFGVariableAccessDataDump.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FDDBFB31666EED500C55FEF /* DFGVariableAccessDataDump.h */; };
</span><span class="cx">          0FDE87FC1DFE6E510064C390 /* SpaceTimeMutatorScheduler.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FDE87FB1DFE6E500064C390 /* SpaceTimeMutatorScheduler.h */; };
</span><span class="cx">          0FDF67D21D9C6D27001B9825 /* B3Kind.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FDF67D11D9C6086001B9825 /* B3Kind.h */; };
</span><span class="lines">@@ -1098,7 +1104,7 @@
</span><span class="cx">          79DAE27A1E03C82200B526AA /* WasmExceptionType.h in Headers */ = {isa = PBXBuildFile; fileRef = 79DAE2791E03C82200B526AA /* WasmExceptionType.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx">          79DFCBDB1D88C59600527D03 /* HasOwnPropertyCache.h in Headers */ = {isa = PBXBuildFile; fileRef = 79DFCBDA1D88C59600527D03 /* HasOwnPropertyCache.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx">          79EE0C001B4AFB85000385C9 /* VariableEnvironment.h in Headers */ = {isa = PBXBuildFile; fileRef = 79EE0BFE1B4AFB85000385C9 /* VariableEnvironment.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><del>-               79EFD4841EBC045C00F3DFEA /* JSWebAssemblyCodeBlockSubspace.h in Headers */ = {isa = PBXBuildFile; fileRef = 79EFD4821EBC045C00F3DFEA /* JSWebAssemblyCodeBlockSubspace.h */; settings = {ATTRIBUTES = (Private, ); }; };
</del><ins>+                79EFD4841EBC045C00F3DFEA /* JSWebAssemblyCodeBlockHeapCellType.h in Headers */ = {isa = PBXBuildFile; fileRef = 79EFD4821EBC045C00F3DFEA /* JSWebAssemblyCodeBlockHeapCellType.h */; settings = {ATTRIBUTES = (Private, ); }; };
</ins><span class="cx">           79F8FC1F1B9FED0F00CA66AB /* DFGMaximalFlushInsertionPhase.h in Headers */ = {isa = PBXBuildFile; fileRef = 79F8FC1D1B9FED0F00CA66AB /* DFGMaximalFlushInsertionPhase.h */; };
</span><span class="cx">          79FC8A081E32E9F000D88F0E /* DFGRegisteredStructure.h in Headers */ = {isa = PBXBuildFile; fileRef = 79FC8A071E32E9F000D88F0E /* DFGRegisteredStructure.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx">          7BC547D31B6959A100959B58 /* WasmFormat.h in Headers */ = {isa = PBXBuildFile; fileRef = 7BC547D21B69599B00959B58 /* WasmFormat.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="lines">@@ -2163,6 +2169,7 @@
</span><span class="cx">          0F300B7718AB051100A6D72E /* DFGNodeOrigin.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGNodeOrigin.h; path = dfg/DFGNodeOrigin.h; sourceTree = "<group>"; };
</span><span class="cx">          0F300B7918AB1B1400A6D72E /* DFGIntegerCheckCombiningPhase.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGIntegerCheckCombiningPhase.cpp; path = dfg/DFGIntegerCheckCombiningPhase.cpp; sourceTree = "<group>"; };
</span><span class="cx">          0F300B7A18AB1B1400A6D72E /* DFGIntegerCheckCombiningPhase.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGIntegerCheckCombiningPhase.h; path = dfg/DFGIntegerCheckCombiningPhase.h; sourceTree = "<group>"; };
</span><ins>+               0F30CB5D1FCE46B4004B5323 /* AllocatorForMode.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = AllocatorForMode.h; sourceTree = "<group>"; };
</ins><span class="cx">           0F30D7BF1D95D62F0053089D /* CPU.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CPU.h; sourceTree = "<group>"; };
</span><span class="cx">          0F30FB601DC2DE96003124F2 /* ArrayBufferSharingMode.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ArrayBufferSharingMode.h; sourceTree = "<group>"; };
</span><span class="cx">          0F32BD0E1BB34F190093A57F /* HeapHelperPool.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = HeapHelperPool.cpp; sourceTree = "<group>"; };
</span><span class="lines">@@ -2268,8 +2275,8 @@
</span><span class="cx">          0F4DE1D01C4D764B004D6C11 /* B3OriginDump.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = B3OriginDump.cpp; path = b3/B3OriginDump.cpp; sourceTree = "<group>"; };
</span><span class="cx">          0F4F29DD18B6AD1C0057BC15 /* DFGStaticExecutionCountEstimationPhase.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGStaticExecutionCountEstimationPhase.cpp; path = dfg/DFGStaticExecutionCountEstimationPhase.cpp; sourceTree = "<group>"; };
</span><span class="cx">          0F4F29DE18B6AD1C0057BC15 /* DFGStaticExecutionCountEstimationPhase.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGStaticExecutionCountEstimationPhase.h; path = dfg/DFGStaticExecutionCountEstimationPhase.h; sourceTree = "<group>"; };
</span><del>-               0F4F82851E2FFDDB0075184C /* JSSegmentedVariableObjectSubspace.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSSegmentedVariableObjectSubspace.cpp; sourceTree = "<group>"; };
-               0F4F82861E2FFDDB0075184C /* JSSegmentedVariableObjectSubspace.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSSegmentedVariableObjectSubspace.h; sourceTree = "<group>"; };
</del><ins>+                0F4F82851E2FFDDB0075184C /* JSSegmentedVariableObjectHeapCellType.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSSegmentedVariableObjectHeapCellType.cpp; sourceTree = "<group>"; };
+               0F4F82861E2FFDDB0075184C /* JSSegmentedVariableObjectHeapCellType.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSSegmentedVariableObjectHeapCellType.h; sourceTree = "<group>"; };
</ins><span class="cx">           0F4F82891E31B9710075184C /* StochasticSpaceTimeMutatorScheduler.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = StochasticSpaceTimeMutatorScheduler.cpp; sourceTree = "<group>"; };
</span><span class="cx">          0F4F828A1E31B9710075184C /* StochasticSpaceTimeMutatorScheduler.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = StochasticSpaceTimeMutatorScheduler.h; sourceTree = "<group>"; };
</span><span class="cx">          0F50AF3B193E8B3900674EE8 /* DFGStructureClobberState.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGStructureClobberState.h; path = dfg/DFGStructureClobberState.h; sourceTree = "<group>"; };
</span><span class="lines">@@ -2411,10 +2418,10 @@
</span><span class="cx">          0F7DF1311E2970D50095951B /* Subspace.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = Subspace.cpp; sourceTree = "<group>"; };
</span><span class="cx">          0F7DF1321E2970D50095951B /* Subspace.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = Subspace.h; sourceTree = "<group>"; };
</span><span class="cx">          0F7DF1331E2970D50095951B /* SubspaceInlines.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SubspaceInlines.h; sourceTree = "<group>"; };
</span><del>-               0F7DF1391E29710E0095951B /* JSDestructibleObjectSubspace.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSDestructibleObjectSubspace.cpp; sourceTree = "<group>"; };
-               0F7DF13A1E29710E0095951B /* JSDestructibleObjectSubspace.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSDestructibleObjectSubspace.h; sourceTree = "<group>"; };
-               0F7DF13D1E2AFC4B0095951B /* JSStringSubspace.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSStringSubspace.cpp; sourceTree = "<group>"; };
-               0F7DF13E1E2AFC4B0095951B /* JSStringSubspace.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSStringSubspace.h; sourceTree = "<group>"; };
</del><ins>+                0F7DF1391E29710E0095951B /* JSDestructibleObjectHeapCellType.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSDestructibleObjectHeapCellType.cpp; sourceTree = "<group>"; };
+               0F7DF13A1E29710E0095951B /* JSDestructibleObjectHeapCellType.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSDestructibleObjectHeapCellType.h; sourceTree = "<group>"; };
+               0F7DF13D1E2AFC4B0095951B /* JSStringHeapCellType.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSStringHeapCellType.cpp; sourceTree = "<group>"; };
+               0F7DF13E1E2AFC4B0095951B /* JSStringHeapCellType.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSStringHeapCellType.h; sourceTree = "<group>"; };
</ins><span class="cx">           0F7DF1451E2BEF680095951B /* MarkedAllocatorInlines.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = MarkedAllocatorInlines.h; sourceTree = "<group>"; };
</span><span class="cx">          0F7F98891D9596C300F4F12E /* DFGStoreBarrierClusteringPhase.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGStoreBarrierClusteringPhase.cpp; path = dfg/DFGStoreBarrierClusteringPhase.cpp; sourceTree = "<group>"; };
</span><span class="cx">          0F7F988A1D9596C300F4F12E /* DFGStoreBarrierClusteringPhase.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGStoreBarrierClusteringPhase.h; path = dfg/DFGStoreBarrierClusteringPhase.h; sourceTree = "<group>"; };
</span><span class="lines">@@ -2662,6 +2669,15 @@
</span><span class="cx">          0FDB2CE5174830A2007B3C1B /* DFGWorklist.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGWorklist.cpp; path = dfg/DFGWorklist.cpp; sourceTree = "<group>"; };
</span><span class="cx">          0FDB2CE6174830A2007B3C1B /* DFGWorklist.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGWorklist.h; path = dfg/DFGWorklist.h; sourceTree = "<group>"; };
</span><span class="cx">          0FDB2CE9174896C7007B3C1B /* ConcurrentJSLock.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ConcurrentJSLock.h; sourceTree = "<group>"; };
</span><ins>+               0FDCE11B1FAE61F4006F3901 /* AllocationFailureMode.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = AllocationFailureMode.h; sourceTree = "<group>"; };
+               0FDCE11F1FAE8587006F3901 /* HeapCellType.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = HeapCellType.h; sourceTree = "<group>"; };
+               0FDCE1201FAE8587006F3901 /* HeapCellType.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; path = HeapCellType.cpp; sourceTree = "<group>"; };
+               0FDCE1271FAFA859006F3901 /* CompleteSubspace.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; path = CompleteSubspace.cpp; sourceTree = "<group>"; };
+               0FDCE1281FAFA859006F3901 /* CompleteSubspace.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = CompleteSubspace.h; sourceTree = "<group>"; };
+               0FDCE12B1FAFB4DE006F3901 /* IsoSubspace.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = IsoSubspace.h; sourceTree = "<group>"; };
+               0FDCE12C1FAFB4DE006F3901 /* IsoSubspace.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; path = IsoSubspace.cpp; sourceTree = "<group>"; };
+               0FDCE12F1FB11D9D006F3901 /* IsoAlignedMemoryAllocator.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; path = IsoAlignedMemoryAllocator.cpp; sourceTree = "<group>"; };
+               0FDCE1301FB11D9D006F3901 /* IsoAlignedMemoryAllocator.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = IsoAlignedMemoryAllocator.h; sourceTree = "<group>"; };
</ins><span class="cx">           0FDDBFB21666EED500C55FEF /* DFGVariableAccessDataDump.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGVariableAccessDataDump.cpp; path = dfg/DFGVariableAccessDataDump.cpp; sourceTree = "<group>"; };
</span><span class="cx">          0FDDBFB31666EED500C55FEF /* DFGVariableAccessDataDump.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGVariableAccessDataDump.h; path = dfg/DFGVariableAccessDataDump.h; sourceTree = "<group>"; };
</span><span class="cx">          0FDE87F81DFD0C6D0064C390 /* CellContainer.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = CellContainer.cpp; sourceTree = "<group>"; };
</span><span class="lines">@@ -3577,8 +3593,8 @@
</span><span class="cx">          79DFCBDA1D88C59600527D03 /* HasOwnPropertyCache.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = HasOwnPropertyCache.h; sourceTree = "<group>"; };
</span><span class="cx">          79EE0BFD1B4AFB85000385C9 /* VariableEnvironment.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = VariableEnvironment.cpp; sourceTree = "<group>"; };
</span><span class="cx">          79EE0BFE1B4AFB85000385C9 /* VariableEnvironment.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = VariableEnvironment.h; sourceTree = "<group>"; };
</span><del>-               79EFD4811EBC045C00F3DFEA /* JSWebAssemblyCodeBlockSubspace.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = JSWebAssemblyCodeBlockSubspace.cpp; path = js/JSWebAssemblyCodeBlockSubspace.cpp; sourceTree = "<group>"; };
-               79EFD4821EBC045C00F3DFEA /* JSWebAssemblyCodeBlockSubspace.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = JSWebAssemblyCodeBlockSubspace.h; path = js/JSWebAssemblyCodeBlockSubspace.h; sourceTree = "<group>"; };
</del><ins>+                79EFD4811EBC045C00F3DFEA /* JSWebAssemblyCodeBlockHeapCellType.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = JSWebAssemblyCodeBlockHeapCellType.cpp; path = js/JSWebAssemblyCodeBlockHeapCellType.cpp; sourceTree = "<group>"; };
+               79EFD4821EBC045C00F3DFEA /* JSWebAssemblyCodeBlockHeapCellType.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = JSWebAssemblyCodeBlockHeapCellType.h; path = js/JSWebAssemblyCodeBlockHeapCellType.h; sourceTree = "<group>"; };
</ins><span class="cx">           79F8FC1C1B9FED0F00CA66AB /* DFGMaximalFlushInsertionPhase.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGMaximalFlushInsertionPhase.cpp; path = dfg/DFGMaximalFlushInsertionPhase.cpp; sourceTree = "<group>"; };
</span><span class="cx">          79F8FC1D1B9FED0F00CA66AB /* DFGMaximalFlushInsertionPhase.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGMaximalFlushInsertionPhase.h; path = dfg/DFGMaximalFlushInsertionPhase.h; sourceTree = "<group>"; };
</span><span class="cx">          79FC8A071E32E9F000D88F0E /* DFGRegisteredStructure.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGRegisteredStructure.h; path = dfg/DFGRegisteredStructure.h; sourceTree = "<group>"; };
</span><span class="lines">@@ -5481,8 +5497,10 @@
</span><span class="cx">                          0FEC3C501F33A41600F59B6C /* AlignedMemoryAllocator.cpp */,
</span><span class="cx">                          0FEC3C511F33A41600F59B6C /* AlignedMemoryAllocator.h */,
</span><span class="cx">                          0FA7620A1DB959F600B7A2FD /* AllocatingScope.h */,
</span><ins>+                               0FDCE11B1FAE61F4006F3901 /* AllocationFailureMode.h */,
</ins><span class="cx">                           0F9630351D4192C3005609D9 /* AllocatorAttributes.cpp */,
</span><span class="cx">                          0F9630361D4192C3005609D9 /* AllocatorAttributes.h */,
</span><ins>+                               0F30CB5D1FCE46B4004B5323 /* AllocatorForMode.h */,
</ins><span class="cx">                           0FDE87F81DFD0C6D0064C390 /* CellContainer.cpp */,
</span><span class="cx">                          0F070A421D543A89006E7232 /* CellContainer.h */,
</span><span class="cx">                          0F070A431D543A89006E7232 /* CellContainerInlines.h */,
</span><span class="lines">@@ -5495,6 +5513,8 @@
</span><span class="cx">                          0FA762011DB9242300B7A2FD /* CollectionScope.h */,
</span><span class="cx">                          0FD0E5E51E43D3470006AB08 /* CollectorPhase.cpp */,
</span><span class="cx">                          0FD0E5E61E43D3470006AB08 /* CollectorPhase.h */,
</span><ins>+                               0FDCE1271FAFA859006F3901 /* CompleteSubspace.cpp */,
+                               0FDCE1281FAFA859006F3901 /* CompleteSubspace.h */,
</ins><span class="cx">                           146B14DB12EB5B12001BEC1B /* ConservativeRoots.cpp */,
</span><span class="cx">                          149DAAF212EB559D0083B12B /* ConservativeRoots.h */,
</span><span class="cx">                          0F7DF12F1E2970D50095951B /* ConstraintVolatility.h */,
</span><span class="lines">@@ -5545,6 +5565,8 @@
</span><span class="cx">                          DC3D2B0B1D34376E00BA918C /* HeapCell.cpp */,
</span><span class="cx">                          DC3D2B091D34316100BA918C /* HeapCell.h */,
</span><span class="cx">                          0F070A441D543A89006E7232 /* HeapCellInlines.h */,
</span><ins>+                               0FDCE1201FAE8587006F3901 /* HeapCellType.cpp */,
+                               0FDCE11F1FAE8587006F3901 /* HeapCellType.h */,
</ins><span class="cx">                           0F0CAEFD1EC4DA8500970D12 /* HeapFinalizerCallback.cpp */,
</span><span class="cx">                          0F0CAEFE1EC4DA8500970D12 /* HeapFinalizerCallback.h */,
</span><span class="cx">                          0F32BD0E1BB34F190093A57F /* HeapHelperPool.cpp */,
</span><span class="lines">@@ -5561,6 +5583,10 @@
</span><span class="cx">                          0FADE6721D4D23BC00768457 /* HeapUtil.h */,
</span><span class="cx">                          C25F8BCB157544A900245B71 /* IncrementalSweeper.cpp */,
</span><span class="cx">                          C25F8BCC157544A900245B71 /* IncrementalSweeper.h */,
</span><ins>+                               0FDCE12F1FB11D9D006F3901 /* IsoAlignedMemoryAllocator.cpp */,
+                               0FDCE1301FB11D9D006F3901 /* IsoAlignedMemoryAllocator.h */,
+                               0FDCE12C1FAFB4DE006F3901 /* IsoSubspace.cpp */,
+                               0FDCE12B1FAFB4DE006F3901 /* IsoSubspace.h */,
</ins><span class="cx">                           0F766D2915A8CC34008F363E /* JITStubRoutineSet.cpp */,
</span><span class="cx">                          0F766D2A15A8CC34008F363E /* JITStubRoutineSet.h */,
</span><span class="cx">                          0F070A451D543A89006E7232 /* LargeAllocation.cpp */,
</span><span class="lines">@@ -6502,8 +6528,8 @@
</span><span class="cx">                          9788FC221471AD0C0068CE2D /* JSDateMath.cpp */,
</span><span class="cx">                          9788FC231471AD0C0068CE2D /* JSDateMath.h */,
</span><span class="cx">                          C2A7F687160432D400F76B98 /* JSDestructibleObject.h */,
</span><del>-                               0F7DF1391E29710E0095951B /* JSDestructibleObjectSubspace.cpp */,
-                               0F7DF13A1E29710E0095951B /* JSDestructibleObjectSubspace.h */,
</del><ins>+                                0F7DF1391E29710E0095951B /* JSDestructibleObjectHeapCellType.cpp */,
+                               0F7DF13A1E29710E0095951B /* JSDestructibleObjectHeapCellType.h */,
</ins><span class="cx">                           A7B4ACAE1484C9CE00B38A36 /* JSExportMacros.h */,
</span><span class="cx">                          798937761DCAB57300F8D4FB /* JSFixedArray.cpp */,
</span><span class="cx">                          798937771DCAB57300F8D4FB /* JSFixedArray.h */,
</span><span class="lines">@@ -6588,8 +6614,8 @@
</span><span class="cx">                          E38D060B1F8E814100649CF2 /* JSScriptFetchParameters.h */,
</span><span class="cx">                          0F919D0E157F3327004A4E7D /* JSSegmentedVariableObject.cpp */,
</span><span class="cx">                          0F919D0F157F3327004A4E7D /* JSSegmentedVariableObject.h */,
</span><del>-                               0F4F82851E2FFDDB0075184C /* JSSegmentedVariableObjectSubspace.cpp */,
-                               0F4F82861E2FFDDB0075184C /* JSSegmentedVariableObjectSubspace.h */,
</del><ins>+                                0F4F82851E2FFDDB0075184C /* JSSegmentedVariableObjectHeapCellType.cpp */,
+                               0F4F82861E2FFDDB0075184C /* JSSegmentedVariableObjectHeapCellType.h */,
</ins><span class="cx">                           A7299D9B17D12837005F5FF9 /* JSSet.cpp */,
</span><span class="cx">                          A7299D9C17D12837005F5FF9 /* JSSet.h */,
</span><span class="cx">                          A790DD69182F499700588807 /* JSSetIterator.cpp */,
</span><span class="lines">@@ -6603,8 +6629,8 @@
</span><span class="cx">                          70EC0EBD1AA0D7DA00B6AAFA /* JSStringIterator.h */,
</span><span class="cx">                          2600B5A4152BAAA70091EE5F /* JSStringJoiner.cpp */,
</span><span class="cx">                          2600B5A5152BAAA70091EE5F /* JSStringJoiner.h */,
</span><del>-                               0F7DF13D1E2AFC4B0095951B /* JSStringSubspace.cpp */,
-                               0F7DF13E1E2AFC4B0095951B /* JSStringSubspace.h */,
</del><ins>+                                0F7DF13D1E2AFC4B0095951B /* JSStringHeapCellType.cpp */,
+                               0F7DF13E1E2AFC4B0095951B /* JSStringHeapCellType.h */,
</ins><span class="cx">                           0F919D09157EE09D004A4E7D /* JSSymbolTableObject.cpp */,
</span><span class="cx">                          0F919D0A157EE09D004A4E7D /* JSSymbolTableObject.h */,
</span><span class="cx">                          70ECA6001AFDBEA200449739 /* JSTemplateRegistryKey.cpp */,
</span><span class="lines">@@ -7786,8 +7812,8 @@
</span><span class="cx">                          ADD09AF31F62482E001313C2 /* JSWebAssembly.h */,
</span><span class="cx">                          5383AA2F1E65E8A100A532FC /* JSWebAssemblyCodeBlock.cpp */,
</span><span class="cx">                          AD9E852E1E8A0C6E008DE39E /* JSWebAssemblyCodeBlock.h */,
</span><del>-                               79EFD4811EBC045C00F3DFEA /* JSWebAssemblyCodeBlockSubspace.cpp */,
-                               79EFD4821EBC045C00F3DFEA /* JSWebAssemblyCodeBlockSubspace.h */,
</del><ins>+                                79EFD4811EBC045C00F3DFEA /* JSWebAssemblyCodeBlockHeapCellType.cpp */,
+                               79EFD4821EBC045C00F3DFEA /* JSWebAssemblyCodeBlockHeapCellType.h */,
</ins><span class="cx">                           AD2FCBA61DB58DA400B3E736 /* JSWebAssemblyCompileError.cpp */,
</span><span class="cx">                          AD2FCBA71DB58DA400B3E736 /* JSWebAssemblyCompileError.h */,
</span><span class="cx">                          796FB4391DFF8C3F0039C95D /* JSWebAssemblyHelpers.h */,
</span><span class="lines">@@ -7998,6 +8024,7 @@
</span><span class="cx">                          86D3B2C410156BDE002865E7 /* ARMAssembler.h in Headers */,
</span><span class="cx">                          86ADD1450FDDEA980006EEC2 /* ARMv7Assembler.h in Headers */,
</span><span class="cx">                          65C0285D1717966800351E35 /* ARMv7DOpcode.h in Headers */,
</span><ins>+                               0FDCE1321FB11DA4006F3901 /* IsoAlignedMemoryAllocator.h in Headers */,
</ins><span class="cx">                           0F8335B81639C1EA001443B5 /* ArrayAllocationProfile.h in Headers */,
</span><span class="cx">                          A7A8AF3517ADB5F3005AB174 /* ArrayBuffer.h in Headers */,
</span><span class="cx">                          0FFC99D5184EE318009C10AB /* ArrayBufferNeuteringWatchpoint.h in Headers */,
</span><span class="lines">@@ -8049,6 +8076,7 @@
</span><span class="cx">                          0FEC85061BDACDAC0080FF74 /* B3CheckSpecial.h in Headers */,
</span><span class="cx">                          0FEC85081BDACDAC0080FF74 /* B3CheckValue.h in Headers */,
</span><span class="cx">                          0FEC850A1BDACDAC0080FF74 /* B3Common.h in Headers */,
</span><ins>+                               0FDCE12D1FAFB4E5006F3901 /* IsoSubspace.h in Headers */,
</ins><span class="cx">                           0FEC850C1BDACDAC0080FF74 /* B3Commutativity.h in Headers */,
</span><span class="cx">                          0F338E0C1BF0276C0013C88F /* B3Compilation.h in Headers */,
</span><span class="cx">                          7919B7801E03559C005BEED8 /* B3Compile.h in Headers */,
</span><span class="lines">@@ -8474,6 +8502,7 @@
</span><span class="cx">                          A54982041891D0B00081E5B8 /* EventLoop.h in Headers */,
</span><span class="cx">                          FE1C0FFD1B193E9800B53FCA /* Exception.h in Headers */,
</span><span class="cx">                          FE6029D91D6E1E4F0030204D /* ExceptionEventLocation.h in Headers */,
</span><ins>+                               0F30CB5E1FCE4E37004B5323 /* AllocatorForMode.h in Headers */,
</ins><span class="cx">                           0F12DE101979D5FD0006FF4E /* ExceptionFuzz.h in Headers */,
</span><span class="cx">                          BC18C4000E16F5CD00B34460 /* ExceptionHelpers.h in Headers */,
</span><span class="cx">                          FE6491371D78F01D00A694D4 /* ExceptionScope.h in Headers */,
</span><span class="lines">@@ -8590,6 +8619,7 @@
</span><span class="cx">                          C4703CD5192844CC0013FBEA /* generator_templates.py in Headers */,
</span><span class="cx">                          70B791951C024A28002481E2 /* GeneratorFunctionConstructor.h in Headers */,
</span><span class="cx">                          70B791971C024A29002481E2 /* GeneratorFunctionPrototype.h in Headers */,
</span><ins>+                               0FDCE12A1FAFA85F006F3901 /* CompleteSubspace.h in Headers */,
</ins><span class="cx">                           70B791991C024A29002481E2 /* GeneratorPrototype.h in Headers */,
</span><span class="cx">                          70B7919D1C024A56002481E2 /* GeneratorPrototype.lut.h in Headers */,
</span><span class="cx">                          0FE050191AA9091100D33B33 /* GenericArguments.h in Headers */,
</span><span class="lines">@@ -8772,7 +8802,7 @@
</span><span class="cx">                          996B731C1BDA08DD00331B84 /* JSDataViewPrototype.lut.h in Headers */,
</span><span class="cx">                          978801411471AD920041B016 /* JSDateMath.h in Headers */,
</span><span class="cx">                          C2A7F688160432D400F76B98 /* JSDestructibleObject.h in Headers */,
</span><del>-                               0F7DF13C1E2971130095951B /* JSDestructibleObjectSubspace.h in Headers */,
</del><ins>+                                0F7DF13C1E2971130095951B /* JSDestructibleObjectHeapCellType.h in Headers */,
</ins><span class="cx">                           FE384EE61ADDB7AD0055DE2C /* JSDollarVM.h in Headers */,
</span><span class="cx">                          86E3C614167BABD7006D760A /* JSExport.h in Headers */,
</span><span class="cx">                          A7B4ACAF1484C9CE00B38A36 /* JSExportMacros.h in Headers */,
</span><span class="lines">@@ -8825,6 +8855,7 @@
</span><span class="cx">                          E3D239C91B829C1C00BBEF67 /* JSModuleEnvironment.h in Headers */,
</span><span class="cx">                          D9722752DC54459B9125B539 /* JSModuleLoader.h in Headers */,
</span><span class="cx">                          E318CBC11B8AEF5100A2929D /* JSModuleNamespaceObject.h in Headers */,
</span><ins>+                               0FDCE11C1FAE6209006F3901 /* AllocationFailureMode.h in Headers */,
</ins><span class="cx">                           E39DA4A71B7E8B7C0084F33A /* JSModuleRecord.h in Headers */,
</span><span class="cx">                          E33E8D1D1B9013C300346B52 /* JSNativeStdFunction.h in Headers */,
</span><span class="cx">                          BC18C4240E16F5CD00B34460 /* JSObject.h in Headers */,
</span><span class="lines">@@ -8849,7 +8880,7 @@
</span><span class="cx">                          E3201C1D1F8E82360076A032 /* JSScriptFetchParameters.h in Headers */,
</span><span class="cx">                          A7C0C4AC168103020017011D /* JSScriptRefPrivate.h in Headers */,
</span><span class="cx">                          0F919D11157F332C004A4E7D /* JSSegmentedVariableObject.h in Headers */,
</span><del>-                               0F4F82881E2FFDE00075184C /* JSSegmentedVariableObjectSubspace.h in Headers */,
</del><ins>+                                0F4F82881E2FFDE00075184C /* JSSegmentedVariableObjectHeapCellType.h in Headers */,
</ins><span class="cx">                           A7299D9E17D12837005F5FF9 /* JSSet.h in Headers */,
</span><span class="cx">                          A790DD70182F499700588807 /* JSSetIterator.h in Headers */,
</span><span class="cx">                          BDFCB2BBE90F41349E1B0BED /* JSSourceCode.h in Headers */,
</span><span class="lines">@@ -8860,7 +8891,7 @@
</span><span class="cx">                          BC18C4280E16F5CD00B34460 /* JSStringRef.h in Headers */,
</span><span class="cx">                          BC18C4290E16F5CD00B34460 /* JSStringRefCF.h in Headers */,
</span><span class="cx">                          1A28D4A8177B71C80007FA3C /* JSStringRefPrivate.h in Headers */,
</span><del>-                               0F7DF13F1E2AFC4D0095951B /* JSStringSubspace.h in Headers */,
</del><ins>+                                0F7DF13F1E2AFC4D0095951B /* JSStringHeapCellType.h in Headers */,
</ins><span class="cx">                           0F919D0D157EE0A2004A4E7D /* JSSymbolTableObject.h in Headers */,
</span><span class="cx">                          70ECA6061AFDBEA200449739 /* JSTemplateRegistryKey.h in Headers */,
</span><span class="cx">                          AD5C36EA1F75AD6A000BCAAF /* JSToWasm.h in Headers */,
</span><span class="lines">@@ -8888,7 +8919,7 @@
</span><span class="cx">                          709FB8681AE335C60039D069 /* JSWeakSet.h in Headers */,
</span><span class="cx">                          AD5C36EB1F75AD73000BCAAF /* JSWebAssembly.h in Headers */,
</span><span class="cx">                          AD9E852F1E8A0C7C008DE39E /* JSWebAssemblyCodeBlock.h in Headers */,
</span><del>-                               79EFD4841EBC045C00F3DFEA /* JSWebAssemblyCodeBlockSubspace.h in Headers */,
</del><ins>+                                79EFD4841EBC045C00F3DFEA /* JSWebAssemblyCodeBlockHeapCellType.h in Headers */,
</ins><span class="cx">                           AD2FCBE31DB58DAD00B3E736 /* JSWebAssemblyCompileError.h in Headers */,
</span><span class="cx">                          796FB43A1DFF8C3F0039C95D /* JSWebAssemblyHelpers.h in Headers */,
</span><span class="cx">                          AD2FCBE51DB58DAD00B3E736 /* JSWebAssemblyInstance.h in Headers */,
</span><span class="lines">@@ -9221,6 +9252,7 @@
</span><span class="cx">                          0FFB6C391AF48DDC00DB1BF7 /* TypeofType.h in Headers */,
</span><span class="cx">                          52C952B719A289850069B386 /* TypeProfiler.h in Headers */,
</span><span class="cx">                          0F2D4DEC19832DC4007D4B19 /* TypeProfilerLog.h in Headers */,
</span><ins>+                               0FDCE1221FAE858C006F3901 /* HeapCellType.h in Headers */,
</ins><span class="cx">                           0F2D4DF019832DD6007D4B19 /* TypeSet.h in Headers */,
</span><span class="cx">                          0FF4274B158EBE91004CB9FF /* udis86.h in Headers */,
</span><span class="cx">                          0FF42741158EBE8D004CB9FF /* udis86_decode.h in Headers */,
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreSourcestxt"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/Sources.txt (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/Sources.txt  2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/JavaScriptCore/Sources.txt     2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -470,6 +470,7 @@
</span><span class="cx"> heap/CodeBlockSet.cpp
</span><span class="cx"> heap/CollectionScope.cpp
</span><span class="cx"> heap/CollectorPhase.cpp
</span><ins>+heap/CompleteSubspace.cpp
</ins><span class="cx"> heap/ConservativeRoots.cpp
</span><span class="cx"> heap/DeferGC.cpp
</span><span class="cx"> heap/DestructionMode.cpp
</span><span class="lines">@@ -486,6 +487,7 @@
</span><span class="cx"> heap/HandleStack.cpp
</span><span class="cx"> heap/Heap.cpp
</span><span class="cx"> heap/HeapCell.cpp
</span><ins>+heap/HeapCellType.cpp
</ins><span class="cx"> heap/HeapFinalizerCallback.cpp
</span><span class="cx"> heap/HeapHelperPool.cpp
</span><span class="cx"> heap/HeapProfiler.cpp
</span><span class="lines">@@ -492,6 +494,8 @@
</span><span class="cx"> heap/HeapSnapshot.cpp
</span><span class="cx"> heap/HeapSnapshotBuilder.cpp
</span><span class="cx"> heap/IncrementalSweeper.cpp
</span><ins>+heap/IsoAlignedMemoryAllocator.cpp
+heap/IsoSubspace.cpp
</ins><span class="cx"> heap/JITStubRoutineSet.cpp
</span><span class="cx"> heap/LargeAllocation.cpp
</span><span class="cx"> heap/MachineStackMarker.cpp
</span><span class="lines">@@ -771,7 +775,7 @@
</span><span class="cx"> runtime/JSDataView.cpp
</span><span class="cx"> runtime/JSDataViewPrototype.cpp
</span><span class="cx"> runtime/JSDateMath.cpp
</span><del>-runtime/JSDestructibleObjectSubspace.cpp
</del><ins>+runtime/JSDestructibleObjectHeapCellType.cpp
</ins><span class="cx"> runtime/JSFixedArray.cpp
</span><span class="cx"> runtime/JSFunction.cpp
</span><span class="cx"> runtime/JSGeneratorFunction.cpp
</span><span class="lines">@@ -806,7 +810,7 @@
</span><span class="cx"> runtime/JSScriptFetcher.cpp
</span><span class="cx"> runtime/JSScriptFetchParameters.cpp
</span><span class="cx"> runtime/JSSegmentedVariableObject.cpp
</span><del>-runtime/JSSegmentedVariableObjectSubspace.cpp
</del><ins>+runtime/JSSegmentedVariableObjectHeapCellType.cpp
</ins><span class="cx"> runtime/JSSet.cpp
</span><span class="cx"> runtime/JSSetIterator.cpp
</span><span class="cx"> runtime/JSSourceCode.cpp
</span><span class="lines">@@ -813,7 +817,7 @@
</span><span class="cx"> runtime/JSString.cpp
</span><span class="cx"> runtime/JSStringIterator.cpp
</span><span class="cx"> runtime/JSStringJoiner.cpp
</span><del>-runtime/JSStringSubspace.cpp
</del><ins>+runtime/JSStringHeapCellType.cpp
</ins><span class="cx"> runtime/JSSymbolTableObject.cpp
</span><span class="cx"> runtime/JSTemplateRegistryKey.cpp
</span><span class="cx"> runtime/JSTypedArrayConstructors.cpp
</span><span class="lines">@@ -970,7 +974,7 @@
</span><span class="cx"> wasm/js/JSToWasm.h
</span><span class="cx"> wasm/js/JSWebAssembly.cpp
</span><span class="cx"> wasm/js/JSWebAssemblyCodeBlock.cpp
</span><del>-wasm/js/JSWebAssemblyCodeBlockSubspace.cpp
</del><ins>+wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp
</ins><span class="cx"> wasm/js/JSWebAssemblyCompileError.cpp
</span><span class="cx"> wasm/js/JSWebAssemblyInstance.cpp
</span><span class="cx"> wasm/js/JSWebAssemblyLinkError.cpp
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeAccessCasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/AccessCase.cpp (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/AccessCase.cpp      2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/JavaScriptCore/bytecode/AccessCase.cpp 2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -955,7 +955,7 @@
</span><span class="cx">             size_t newSize = newStructure()->outOfLineCapacity() * sizeof(JSValue);
</span><span class="cx"> 
</span><span class="cx">             if (allocatingInline) {
</span><del>-                MarkedAllocator* allocator = vm.jsValueGigacageAuxiliarySpace.allocatorFor(newSize);
</del><ins>+                MarkedAllocator* allocator = vm.jsValueGigacageAuxiliarySpace.allocatorFor(newSize, AllocatorForMode::AllocatorIfExists);
</ins><span class="cx"> 
</span><span class="cx">                 if (!allocator) {
</span><span class="cx">                     // Yuck, this case would suck!
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeObjectAllocationProfileInlinesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/ObjectAllocationProfileInlines.h (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/ObjectAllocationProfileInlines.h    2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/JavaScriptCore/bytecode/ObjectAllocationProfileInlines.h       2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -99,7 +99,7 @@
</span><span class="cx">     ASSERT(inlineCapacity <= JSFinalObject::maxInlineCapacity());
</span><span class="cx"> 
</span><span class="cx">     size_t allocationSize = JSFinalObject::allocationSize(inlineCapacity);
</span><del>-    MarkedAllocator* allocator = vm.cellSpace.allocatorFor(allocationSize);
</del><ins>+    MarkedAllocator* allocator = vm.cellSpace.allocatorForNonVirtual(allocationSize, AllocatorForMode::EnsureAllocator);
</ins><span class="cx"> 
</span><span class="cx">     // Take advantage of extra inline capacity available in the size class.
</span><span class="cx">     if (allocator) {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJITcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp    2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp       2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -110,7 +110,7 @@
</span><span class="cx">     m_jit.move(TrustedImmPtr(0), storageGPR);
</span><span class="cx">     
</span><span class="cx">     if (size) {
</span><del>-        if (MarkedAllocator* allocator = m_jit.vm()->jsValueGigacageAuxiliarySpace.allocatorFor(size)) {
</del><ins>+        if (MarkedAllocator* allocator = m_jit.vm()->jsValueGigacageAuxiliarySpace.allocatorForNonVirtual(size, AllocatorForMode::AllocatorIfExists)) {
</ins><span class="cx">             m_jit.move(TrustedImmPtr(allocator), scratchGPR);
</span><span class="cx">             m_jit.emitAllocate(storageGPR, allocator, scratchGPR, scratch2GPR, slowCases);
</span><span class="cx">             
</span><span class="lines">@@ -125,7 +125,7 @@
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     size_t allocationSize = JSFinalObject::allocationSize(inlineCapacity);
</span><del>-    MarkedAllocator* allocatorPtr = subspaceFor<JSFinalObject>(*m_jit.vm())->allocatorFor(allocationSize);
</del><ins>+    MarkedAllocator* allocatorPtr = subspaceFor<JSFinalObject>(*m_jit.vm())->allocatorForNonVirtual(allocationSize, AllocatorForMode::AllocatorIfExists);
</ins><span class="cx">     if (allocatorPtr) {
</span><span class="cx">         m_jit.move(TrustedImmPtr(allocatorPtr), scratchGPR);
</span><span class="cx">         emitAllocateJSObject(resultGPR, allocatorPtr, scratchGPR, TrustedImmPtr(structure), storageGPR, scratch2GPR, slowCases);
</span><span class="lines">@@ -4249,8 +4249,7 @@
</span><span class="cx">     GPRReg scratchGPR = scratch.gpr();
</span><span class="cx">     
</span><span class="cx">     JITCompiler::JumpList slowPath;
</span><del>-    MarkedAllocator* markedAllocator = subspaceFor<JSString>(*m_jit.vm())->allocatorFor(sizeof(JSRopeString));
-    RELEASE_ASSERT(markedAllocator);
</del><ins>+    MarkedAllocator* markedAllocator = subspaceFor<JSString>(*m_jit.vm())->allocatorForNonVirtual(sizeof(JSRopeString), AllocatorForMode::MustAlreadyHaveAllocator);
</ins><span class="cx">     m_jit.move(TrustedImmPtr(markedAllocator), allocatorGPR);
</span><span class="cx">     emitAllocateJSCell(resultGPR, markedAllocator, allocatorGPR, TrustedImmPtr(m_jit.graph().registerStructure(m_jit.vm()->stringStructure.get())), scratchGPR, slowPath);
</span><span class="cx">         
</span><span class="lines">@@ -8428,7 +8427,7 @@
</span><span class="cx">     
</span><span class="cx">     size_t size = initialOutOfLineCapacity * sizeof(JSValue);
</span><span class="cx"> 
</span><del>-    MarkedAllocator* allocator = m_jit.vm()->jsValueGigacageAuxiliarySpace.allocatorFor(size);
</del><ins>+    MarkedAllocator* allocator = m_jit.vm()->jsValueGigacageAuxiliarySpace.allocatorForNonVirtual(size, AllocatorForMode::AllocatorIfExists);
</ins><span class="cx"> 
</span><span class="cx">     if (!allocator || node->transition()->previous->couldHaveIndexingHeader()) {
</span><span class="cx">         SpeculateCellOperand base(this, node->child1());
</span><span class="lines">@@ -8473,7 +8472,7 @@
</span><span class="cx">     size_t newSize = oldSize * outOfLineGrowthFactor;
</span><span class="cx">     ASSERT(newSize == node->transition()->next->outOfLineCapacity() * sizeof(JSValue));
</span><span class="cx">     
</span><del>-    MarkedAllocator* allocator = m_jit.vm()->jsValueGigacageAuxiliarySpace.allocatorFor(newSize);
</del><ins>+    MarkedAllocator* allocator = m_jit.vm()->jsValueGigacageAuxiliarySpace.allocatorForNonVirtual(newSize, AllocatorForMode::AllocatorIfExists);
</ins><span class="cx"> 
</span><span class="cx">     if (!allocator || node->transition()->previous->couldHaveIndexingHeader()) {
</span><span class="cx">         SpeculateCellOperand base(this, node->child1());
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJIT32_64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp       2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp  2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -4115,7 +4115,7 @@
</span><span class="cx">         
</span><span class="cx">         RegisteredStructure structure = node->structure();
</span><span class="cx">         size_t allocationSize = JSFinalObject::allocationSize(structure->inlineCapacity());
</span><del>-        MarkedAllocator* allocatorPtr = subspaceFor<JSFinalObject>(*m_jit.vm())->allocatorFor(allocationSize);
</del><ins>+        MarkedAllocator* allocatorPtr = subspaceFor<JSFinalObject>(*m_jit.vm())->allocatorForNonVirtual(allocationSize, AllocatorForMode::AllocatorIfExists);
</ins><span class="cx"> 
</span><span class="cx">         m_jit.move(TrustedImmPtr(allocatorPtr), allocatorGPR);
</span><span class="cx">         emitAllocateJSObject(resultGPR, allocatorPtr, allocatorGPR, TrustedImmPtr(structure), TrustedImmPtr(0), scratchGPR, slowPath);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJIT64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp  2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp     2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -4321,7 +4321,7 @@
</span><span class="cx"> 
</span><span class="cx">         RegisteredStructure structure = node->structure();
</span><span class="cx">         size_t allocationSize = JSFinalObject::allocationSize(structure->inlineCapacity());
</span><del>-        MarkedAllocator* allocatorPtr = subspaceFor<JSFinalObject>(*m_jit.vm())->allocatorFor(allocationSize);
</del><ins>+        MarkedAllocator* allocatorPtr = subspaceFor<JSFinalObject>(*m_jit.vm())->allocatorForNonVirtual(allocationSize, AllocatorForMode::AllocatorIfExists);
</ins><span class="cx"> 
</span><span class="cx">         m_jit.move(TrustedImmPtr(allocatorPtr), allocatorGPR);
</span><span class="cx">         emitAllocateJSObject(resultGPR, allocatorPtr, allocatorGPR, TrustedImmPtr(structure), TrustedImmPtr(0), scratchGPR, slowPath);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLAbstractHeapRepositoryh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h      2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h 2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -123,12 +123,12 @@
</span><span class="cx"> 
</span><span class="cx"> #define FOR_EACH_INDEXED_ABSTRACT_HEAP(macro) \
</span><span class="cx">     macro(ArrayStorage_vector, ArrayStorage::vectorOffset(), sizeof(WriteBarrier<Unknown>)) \
</span><ins>+    macro(CompleteSubspace_allocatorForSizeStep, CompleteSubspace::offsetOfAllocatorForSizeStep(), sizeof(MarkedAllocator*)) \
</ins><span class="cx">     macro(DirectArguments_storage, DirectArguments::storageOffset(), sizeof(EncodedJSValue)) \
</span><span class="cx">     macro(JSLexicalEnvironment_variables, JSLexicalEnvironment::offsetOfVariables(), sizeof(EncodedJSValue)) \
</span><span class="cx">     macro(JSPropertyNameEnumerator_cachedPropertyNamesVectorContents, 0, sizeof(WriteBarrier<JSString>)) \
</span><span class="cx">     macro(JSRopeString_fibers, JSRopeString::offsetOfFibers(), sizeof(WriteBarrier<JSString>)) \
</span><span class="cx">     macro(ScopedArguments_overflowStorage, ScopedArguments::overflowStorageOffset(), sizeof(EncodedJSValue)) \
</span><del>-    macro(Subspace_allocatorForSizeStep, Subspace::offsetOfAllocatorForSizeStep(), sizeof(MarkedAllocator*)) \
</del><span class="cx">     macro(WriteBarrierBuffer_bufferContents, 0, sizeof(JSCell*)) \
</span><span class="cx">     macro(characters8, 0, sizeof(LChar)) \
</span><span class="cx">     macro(characters16, 0, sizeof(UChar)) \
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLLowerDFGToB3cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp      2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp 2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -5783,8 +5783,7 @@
</span><span class="cx">         
</span><span class="cx">         LBasicBlock lastNext = m_out.insertNewBlocksBefore(slowPath);
</span><span class="cx">         
</span><del>-        MarkedAllocator* allocator = subspaceFor<JSRopeString>(vm())->allocatorFor(sizeof(JSRopeString));
-        DFG_ASSERT(m_graph, m_node, allocator);
</del><ins>+        MarkedAllocator* allocator = subspaceFor<JSRopeString>(vm())->allocatorForNonVirtual(sizeof(JSRopeString), AllocatorForMode::MustAlreadyHaveAllocator);
</ins><span class="cx">         
</span><span class="cx">         LValue result = allocateCell(
</span><span class="cx">             m_out.constIntPtr(allocator), vm().stringStructure.get(), slowPath);
</span><span class="lines">@@ -9690,8 +9689,7 @@
</span><span class="cx">             
</span><span class="cx">             if (structure->outOfLineCapacity() || hasIndexedProperties(structure->indexingType())) {
</span><span class="cx">                 size_t allocationSize = JSFinalObject::allocationSize(structure->inlineCapacity());
</span><del>-                MarkedAllocator* cellAllocator = subspaceFor<JSFinalObject>(vm())->allocatorFor(allocationSize);
-                DFG_ASSERT(m_graph, m_node, cellAllocator);
</del><ins>+                MarkedAllocator* cellAllocator = subspaceFor<JSFinalObject>(vm())->allocatorForNonVirtual(allocationSize, AllocatorForMode::MustAlreadyHaveAllocator);
</ins><span class="cx"> 
</span><span class="cx">                 bool hasIndexingHeader = hasIndexedProperties(structure->indexingType());
</span><span class="cx">                 unsigned indexingHeaderSize = 0;
</span><span class="lines">@@ -10686,7 +10684,7 @@
</span><span class="cx">         LBasicBlock lastNext = m_out.insertNewBlocksBefore(slowPath);
</span><span class="cx"> 
</span><span class="cx">         size_t sizeInBytes = sizeInValues * sizeof(JSValue);
</span><del>-        MarkedAllocator* allocator = vm().jsValueGigacageAuxiliarySpace.allocatorFor(sizeInBytes);
</del><ins>+        MarkedAllocator* allocator = vm().jsValueGigacageAuxiliarySpace.allocatorForNonVirtual(sizeInBytes, AllocatorForMode::AllocatorIfExists);
</ins><span class="cx">         LValue startOfStorage = allocateHeapCell(m_out.constIntPtr(allocator), slowPath);
</span><span class="cx">         ValueFromBlock fastButterfly = m_out.anchor(
</span><span class="cx">             m_out.add(m_out.constIntPtr(sizeInBytes + sizeof(IndexingHeader)), startOfStorage));
</span><span class="lines">@@ -11830,7 +11828,7 @@
</span><span class="cx">     LValue allocateObject(
</span><span class="cx">         size_t size, StructureType structure, LValue butterfly, LBasicBlock slowPath)
</span><span class="cx">     {
</span><del>-        MarkedAllocator* allocator = subspaceFor<ClassType>(vm())->allocatorFor(size);
</del><ins>+        MarkedAllocator* allocator = subspaceFor<ClassType>(vm())->allocatorForNonVirtual(size, AllocatorForMode::AllocatorIfExists);
</ins><span class="cx">         return allocateObject(m_out.constIntPtr(allocator), structure, butterfly, slowPath);
</span><span class="cx">     }
</span><span class="cx">     
</span><span class="lines">@@ -11847,10 +11845,10 @@
</span><span class="cx">         
</span><span class="cx">         // Try to do some constant-folding here.
</span><span class="cx">         if (subspace->hasIntPtr() && size->hasIntPtr()) {
</span><del>-            Subspace* actualSubspace = bitwise_cast<Subspace*>(subspace->asIntPtr());
</del><ins>+            CompleteSubspace* actualSubspace = bitwise_cast<CompleteSubspace*>(subspace->asIntPtr());
</ins><span class="cx">             size_t actualSize = size->asIntPtr();
</span><span class="cx">             
</span><del>-            MarkedAllocator* actualAllocator = actualSubspace->allocatorFor(actualSize);
</del><ins>+            MarkedAllocator* actualAllocator = actualSubspace->allocatorForNonVirtual(actualSize, AllocatorForMode::AllocatorIfExists);
</ins><span class="cx">             if (!actualAllocator) {
</span><span class="cx">                 LBasicBlock continuation = m_out.newBlock();
</span><span class="cx">                 LBasicBlock lastNext = m_out.insertNewBlocksBefore(continuation);
</span><span class="lines">@@ -11880,11 +11878,11 @@
</span><span class="cx">         
</span><span class="cx">         return m_out.loadPtr(
</span><span class="cx">             m_out.baseIndex(
</span><del>-                m_heaps.Subspace_allocatorForSizeStep,
</del><ins>+                m_heaps.CompleteSubspace_allocatorForSizeStep,
</ins><span class="cx">                 subspace, m_out.sub(sizeClassIndex, m_out.intPtrOne)));
</span><span class="cx">     }
</span><span class="cx">     
</span><del>-    LValue allocatorForSize(Subspace& subspace, LValue size, LBasicBlock slowPath)
</del><ins>+    LValue allocatorForSize(CompleteSubspace& subspace, LValue size, LBasicBlock slowPath)
</ins><span class="cx">     {
</span><span class="cx">         return allocatorForSize(m_out.constIntPtr(&subspace), size, slowPath);
</span><span class="cx">     }
</span><span class="lines">@@ -11910,7 +11908,7 @@
</span><span class="cx">     LValue allocateObject(RegisteredStructure structure)
</span><span class="cx">     {
</span><span class="cx">         size_t allocationSize = JSFinalObject::allocationSize(structure.get()->inlineCapacity());
</span><del>-        MarkedAllocator* allocator = subspaceFor<JSFinalObject>(vm())->allocatorFor(allocationSize);
</del><ins>+        MarkedAllocator* allocator = subspaceFor<JSFinalObject>(vm())->allocatorForNonVirtual(allocationSize, AllocatorForMode::AllocatorIfExists);
</ins><span class="cx">         
</span><span class="cx">         // FIXME: If the allocator is null, we could simply emit a normal C call to the allocator
</span><span class="cx">         // instead of putting it on the slow path.
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapAlignedMemoryAllocatorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/heap/AlignedMemoryAllocator.cpp (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/AlignedMemoryAllocator.cpp      2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/JavaScriptCore/heap/AlignedMemoryAllocator.cpp 2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -26,6 +26,9 @@
</span><span class="cx"> #include "config.h"
</span><span class="cx"> #include "AlignedMemoryAllocator.h"
</span><span class="cx"> 
</span><ins>+#include "MarkedAllocator.h"
+#include "Subspace.h"
+
</ins><span class="cx"> namespace JSC { 
</span><span class="cx"> 
</span><span class="cx"> AlignedMemoryAllocator::AlignedMemoryAllocator()
</span><span class="lines">@@ -36,6 +39,24 @@
</span><span class="cx"> {
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+void AlignedMemoryAllocator::registerAllocator(MarkedAllocator* allocator)
+{
+    RELEASE_ASSERT(!allocator->nextAllocatorInAlignedMemoryAllocator());
+    
+    if (m_allocators.isEmpty()) {
+        for (Subspace* subspace = m_subspaces.first(); subspace; subspace = subspace->nextSubspaceInAlignedMemoryAllocator())
+            subspace->didCreateFirstAllocator(allocator);
+    }
+    
+    m_allocators.append(std::mem_fn(&MarkedAllocator::setNextAllocatorInAlignedMemoryAllocator), allocator);
+}
+
+void AlignedMemoryAllocator::registerSubspace(Subspace* subspace)
+{
+    RELEASE_ASSERT(!subspace->nextSubspaceInAlignedMemoryAllocator());
+    m_subspaces.append(std::mem_fn(&Subspace::setNextSubspaceInAlignedMemoryAllocator), subspace);
+}
+
</ins><span class="cx"> } // namespace JSC
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapAlignedMemoryAllocatorh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/heap/AlignedMemoryAllocator.h (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/AlignedMemoryAllocator.h        2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/JavaScriptCore/heap/AlignedMemoryAllocator.h   2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -26,9 +26,13 @@
</span><span class="cx"> #pragma once
</span><span class="cx"> 
</span><span class="cx"> #include <wtf/PrintStream.h>
</span><ins>+#include <wtf/SinglyLinkedListWithTail.h>
</ins><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span><ins>+class MarkedAllocator;
+class Subspace;
+
</ins><span class="cx"> class AlignedMemoryAllocator {
</span><span class="cx">     WTF_MAKE_NONCOPYABLE(AlignedMemoryAllocator);
</span><span class="cx">     WTF_MAKE_FAST_ALLOCATED;
</span><span class="lines">@@ -40,6 +44,15 @@
</span><span class="cx">     virtual void freeAlignedMemory(void*) = 0;
</span><span class="cx">     
</span><span class="cx">     virtual void dump(PrintStream&) const = 0;
</span><ins>+
+    void registerAllocator(MarkedAllocator*);
+    MarkedAllocator* firstAllocator() const { return m_allocators.first(); }
+
+    void registerSubspace(Subspace*);
+
+private:
+    SinglyLinkedListWithTail<MarkedAllocator> m_allocators;
+    SinglyLinkedListWithTail<Subspace> m_subspaces;
</ins><span class="cx"> };
</span><span class="cx"> 
</span><span class="cx"> } // namespace WTF
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapAllocationFailureModeh"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/heap/AllocationFailureMode.h (0 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/AllocationFailureMode.h                         (rev 0)
+++ trunk/Source/JavaScriptCore/heap/AllocationFailureMode.h    2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -0,0 +1,36 @@
</span><ins>+/*
+ * Copyright (C) 2017 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */
+
+#pragma once
+
+namespace JSC {
+
+enum class AllocationFailureMode {
+    Assert,
+    ReturnNull
+};
+
+} // namespace JSC
+
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapAllocatorForModeh"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/heap/AllocatorForMode.h (0 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/AllocatorForMode.h                              (rev 0)
+++ trunk/Source/JavaScriptCore/heap/AllocatorForMode.h 2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -0,0 +1,38 @@
</span><ins>+/*
+ * Copyright (C) 2017 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */
+
+#pragma once
+
+namespace JSC {
+
+// This is the mode of the allocatorFor function.
+enum class AllocatorForMode {
+    MustAlreadyHaveAllocator,
+    EnsureAllocator,
+    AllocatorIfExists
+};
+
+} // namespace JSC
+
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapCompleteSubspacecpp"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/heap/CompleteSubspace.cpp (0 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/CompleteSubspace.cpp                            (rev 0)
+++ trunk/Source/JavaScriptCore/heap/CompleteSubspace.cpp       2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -0,0 +1,152 @@
</span><ins>+/*
+ * Copyright (C) 2017 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */
+
+#include "config.h"
+#include "Subspace.h"
+
+#include "JSCInlines.h"
+#include "MarkedAllocatorInlines.h"
+#include "MarkedBlockInlines.h"
+#include "PreventCollectionScope.h"
+#include "SubspaceInlines.h"
+
+namespace JSC {
+
+CompleteSubspace::CompleteSubspace(CString name, Heap& heap, HeapCellType* heapCellType, AlignedMemoryAllocator* alignedMemoryAllocator)
+    : Subspace(name, heap)
+{
+    initialize(heapCellType, alignedMemoryAllocator);
+    for (size_t i = MarkedSpace::numSizeClasses; i--;)
+        m_allocatorForSizeStep[i] = nullptr;
+}
+
+CompleteSubspace::~CompleteSubspace()
+{
+}
+
+MarkedAllocator* CompleteSubspace::allocatorFor(size_t size, AllocatorForMode mode)
+{
+    return allocatorForNonVirtual(size, mode);
+}
+
+void* CompleteSubspace::allocate(size_t size, GCDeferralContext* deferralContext, AllocationFailureMode failureMode)
+{
+    return allocateNonVirtual(size, deferralContext, failureMode);
+}
+
+void* CompleteSubspace::allocateNonVirtual(size_t size, GCDeferralContext* deferralContext, AllocationFailureMode failureMode)
+{
+    void *result;
+    if (MarkedAllocator* allocator = allocatorForNonVirtual(size, AllocatorForMode::AllocatorIfExists))
+        result = allocator->allocate(deferralContext, failureMode);
+    else
+        result = allocateSlow(size, deferralContext, failureMode);
+    return result;
+}
+
+MarkedAllocator* CompleteSubspace::allocatorForSlow(size_t size)
+{
+    size_t index = MarkedSpace::sizeClassToIndex(size);
+    size_t sizeClass = MarkedSpace::s_sizeClassForSizeStep[index];
+    if (!sizeClass)
+        return nullptr;
+    
+    // This is written in such a way that it's OK for the JIT threads to end up here if they want
+    // to generate code that uses some allocator that hadn't been used yet. Note that a possibly-
+    // just-as-good solution would be to return null if we're in the JIT since the JIT treats null
+    // allocator as "please always take the slow path". But, that could lead to performance
+    // surprises and the algorithm here is pretty easy. Only this code has to hold the lock, to
+    // prevent simultaneously MarkedAllocator creations from multiple threads. This code ensures
+    // that any "forEachAllocator" traversals will only see this allocator after it's initialized
+    // enough: it will have 
+    auto locker = holdLock(m_space.allocatorLock());
+    if (MarkedAllocator* allocator = m_allocatorForSizeStep[index])
+        return allocator;
+
+    if (false)
+        dataLog("Creating marked allocator for ", m_name, ", ", m_attributes, ", ", sizeClass, ".\n");
+    std::unique_ptr<MarkedAllocator> uniqueAllocator =
+        std::make_unique<MarkedAllocator>(m_space.heap(), sizeClass);
+    MarkedAllocator* allocator = uniqueAllocator.get();
+    m_allocators.append(WTFMove(uniqueAllocator));
+    allocator->setSubspace(this);
+    m_space.addMarkedAllocator(locker, allocator);
+    index = MarkedSpace::sizeClassToIndex(sizeClass);
+    for (;;) {
+        if (MarkedSpace::s_sizeClassForSizeStep[index] != sizeClass)
+            break;
+
+        m_allocatorForSizeStep[index] = allocator;
+        
+        if (!index--)
+            break;
+    }
+    allocator->setNextAllocatorInSubspace(m_firstAllocator);
+    m_alignedMemoryAllocator->registerAllocator(allocator);
+    WTF::storeStoreFence();
+    m_firstAllocator = allocator;
+    return allocator;
+}
+
+void* CompleteSubspace::allocateSlow(size_t size, GCDeferralContext* deferralContext, AllocationFailureMode failureMode)
+{
+    void* result = tryAllocateSlow(size, deferralContext);
+    if (failureMode == AllocationFailureMode::Assert)
+        RELEASE_ASSERT(result);
+    return result;
+}
+
+void* CompleteSubspace::tryAllocateSlow(size_t size, GCDeferralContext* deferralContext)
+{
+    sanitizeStackForVM(m_space.heap()->vm());
+    
+    if (MarkedAllocator* allocator = allocatorFor(size, AllocatorForMode::EnsureAllocator))
+        return allocator->allocate(deferralContext, AllocationFailureMode::ReturnNull);
+    
+    if (size <= Options::largeAllocationCutoff()
+        && size <= MarkedSpace::largeCutoff) {
+        dataLog("FATAL: attampting to allocate small object using large allocation.\n");
+        dataLog("Requested allocation size: ", size, "\n");
+        RELEASE_ASSERT_NOT_REACHED();
+    }
+    
+    m_space.heap()->collectIfNecessaryOrDefer(deferralContext);
+    
+    size = WTF::roundUpToMultipleOf<MarkedSpace::sizeStep>(size);
+    LargeAllocation* allocation = LargeAllocation::tryCreate(*m_space.m_heap, size, this);
+    if (!allocation)
+        return nullptr;
+    
+    m_space.m_largeAllocations.append(allocation);
+    m_space.m_heap->didAllocate(size);
+    m_space.m_capacity += size;
+    
+    m_largeAllocations.append(allocation);
+        
+    return allocation->cell();
+}
+
+} // namespace JSC
+
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapCompleteSubspaceh"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/heap/CompleteSubspace.h (0 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/CompleteSubspace.h                              (rev 0)
+++ trunk/Source/JavaScriptCore/heap/CompleteSubspace.h 2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -0,0 +1,83 @@
</span><ins>+/*
+ * Copyright (C) 2017 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */
+
+#pragma once
+
+#include "Subspace.h"
+
+namespace JSC {
+
+class CompleteSubspace : public Subspace {
+public:
+    JS_EXPORT_PRIVATE CompleteSubspace(CString name, Heap&, HeapCellType*, AlignedMemoryAllocator*);
+    JS_EXPORT_PRIVATE ~CompleteSubspace();
+
+    // In some code paths, we need it to be a compile error to call the virtual version of one of
+    // these functions. That's why we do final methods the old school way.
+    
+    MarkedAllocator* allocatorFor(size_t, AllocatorForMode) override;
+    MarkedAllocator* allocatorForNonVirtual(size_t, AllocatorForMode);
+    
+    void* allocate(size_t, GCDeferralContext*, AllocationFailureMode) override;
+    JS_EXPORT_PRIVATE void* allocateNonVirtual(size_t, GCDeferralContext*, AllocationFailureMode);
+    
+    static ptrdiff_t offsetOfAllocatorForSizeStep() { return OBJECT_OFFSETOF(CompleteSubspace, m_allocatorForSizeStep); }
+    
+    MarkedAllocator** allocatorForSizeStep() { return &m_allocatorForSizeStep[0]; }
+
+private:
+    MarkedAllocator* allocatorForSlow(size_t);
+    
+    // These slow paths are concerned with large allocations and allocator creation.
+    void* allocateSlow(size_t, GCDeferralContext*, AllocationFailureMode);
+    void* tryAllocateSlow(size_t, GCDeferralContext*);
+    
+    std::array<MarkedAllocator*, MarkedSpace::numSizeClasses> m_allocatorForSizeStep;
+    Vector<std::unique_ptr<MarkedAllocator>> m_allocators;
+};
+
+ALWAYS_INLINE MarkedAllocator* CompleteSubspace::allocatorForNonVirtual(size_t size, AllocatorForMode mode)
+{
+    if (size <= MarkedSpace::largeCutoff) {
+        MarkedAllocator* result = m_allocatorForSizeStep[MarkedSpace::sizeClassToIndex(size)];
+        switch (mode) {
+        case AllocatorForMode::MustAlreadyHaveAllocator:
+            RELEASE_ASSERT(result);
+            break;
+        case AllocatorForMode::EnsureAllocator:
+            if (!result)
+                return allocatorForSlow(size);
+            break;
+        case AllocatorForMode::AllocatorIfExists:
+            break;
+        }
+        return result;
+    }
+    RELEASE_ASSERT(mode != AllocatorForMode::MustAlreadyHaveAllocator);
+    return nullptr;
+}
+
+} // namespace JSC
+
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapHeapCellTypecpp"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/heap/HeapCellType.cpp (0 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/HeapCellType.cpp                                (rev 0)
+++ trunk/Source/JavaScriptCore/heap/HeapCellType.cpp   2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -0,0 +1,74 @@
</span><ins>+/*
+ * Copyright (C) 2017 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */
+
+#include "config.h"
+#include "HeapCellType.h"
+
+#include "JSCInlines.h"
+#include "MarkedBlockInlines.h"
+
+namespace JSC {
+
+namespace {
+
+// Writing it this way ensures that when you pass this as a functor, the callee is specialized for
+// this callback. If you wrote this as a normal function then the callee would be specialized for
+// the function's type and it would have indirect calls to that function. And unlike a lambda, it's
+// possible to mark this ALWAYS_INLINE.
+struct DestroyFunc {
+    ALWAYS_INLINE void operator()(VM& vm, JSCell* cell) const
+    {
+        ASSERT(cell->structureID());
+        ASSERT(cell->inlineTypeFlags() & StructureIsImmortal);
+        Structure* structure = cell->structure(vm);
+        const ClassInfo* classInfo = structure->classInfo();
+        MethodTable::DestroyFunctionPtr destroy = classInfo->methodTable.destroy;
+        destroy(cell);
+    }
+};
+
+} // anonymous namespace
+
+HeapCellType::HeapCellType(AllocatorAttributes attributes)
+    : m_attributes(attributes)
+{
+}
+
+HeapCellType::~HeapCellType()
+{
+}
+
+void HeapCellType::finishSweep(MarkedBlock::Handle& block, FreeList* freeList)
+{
+    block.finishSweepKnowingHeapCellType(freeList, DestroyFunc());
+}
+
+void HeapCellType::destroy(VM& vm, JSCell* cell)
+{
+    DestroyFunc()(vm, cell);
+}
+
+} // namespace JSC
+
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapHeapCellTypeh"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/heap/HeapCellType.h (0 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/HeapCellType.h                          (rev 0)
+++ trunk/Source/JavaScriptCore/heap/HeapCellType.h     2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -0,0 +1,53 @@
</span><ins>+/*
+ * Copyright (C) 2017 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */
+
+#pragma once
+
+#include "MarkedBlock.h"
+
+namespace JSC {
+
+class HeapCellType {
+    WTF_MAKE_NONCOPYABLE(HeapCellType);
+    WTF_MAKE_FAST_ALLOCATED;
+public:
+    JS_EXPORT_PRIVATE HeapCellType(AllocatorAttributes);
+    JS_EXPORT_PRIVATE virtual ~HeapCellType();
+
+    const AllocatorAttributes& attributes() const { return m_attributes; }
+
+    // The purpose of overriding this is to specialize the sweep for your destructors. This won't
+    // be called for no-destructor blocks. This must call MarkedBlock::finishSweepKnowingSubspace.
+    virtual void finishSweep(MarkedBlock::Handle&, FreeList*);
+
+    // These get called for large objects.
+    virtual void destroy(VM&, JSCell*);
+
+private:
+    AllocatorAttributes m_attributes;
+};
+
+} // namespace JSC
+
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapIsoAlignedMemoryAllocatorcpp"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/heap/IsoAlignedMemoryAllocator.cpp (0 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/IsoAlignedMemoryAllocator.cpp                           (rev 0)
+++ trunk/Source/JavaScriptCore/heap/IsoAlignedMemoryAllocator.cpp      2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -0,0 +1,84 @@
</span><ins>+/*
+ * Copyright (C) 2017 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */
+
+#include "config.h"
+#include "IsoAlignedMemoryAllocator.h"
+
+namespace JSC {
+
+IsoAlignedMemoryAllocator::IsoAlignedMemoryAllocator()
+{
+}
+
+IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator()
+{
+}
+
+void* IsoAlignedMemoryAllocator::tryAllocateAlignedMemory(size_t alignment, size_t size)
+{
+    // Since this is designed specially for IsoSubspace, we know that we will only be asked to
+    // allocate MarkedBlocks.
+    RELEASE_ASSERT(alignment == MarkedBlock::blockSize);
+    RELEASE_ASSERT(size == MarkedBlock::blockSize);
+    
+    auto locker = holdLock(m_lock);
+    
+    m_firstUncommitted = m_committed.findBit(m_firstUncommitted, false);
+    if (m_firstUncommitted < m_blocks.size()) {
+        m_committed[m_firstUncommitted] = true;
+        void* result = m_blocks[m_firstUncommitted];
+        OSAllocator::commit(result, MarkedBlock::blockSize, true, false);
+        return result;
+    }
+    
+    void* result = fastAlignedMalloc(MarkedBlock::blockSize, MarkedBlock::blockSize);
+    unsigned index = m_blocks.size();
+    m_blocks.append(result);
+    m_blockIndices.add(result, index);
+    if (m_blocks.capacity() != m_committed.size())
+        m_committed.resize(m_blocks.capacity());
+    m_committed[index] = true;
+    return result;
+}
+
+void IsoAlignedMemoryAllocator::freeAlignedMemory(void* basePtr)
+{
+    auto locker = holdLock(m_lock);
+    
+    auto iter = m_blockIndices.find(basePtr);
+    RELEASE_ASSERT(iter != m_blockIndices.end());
+    unsigned index = iter->value;
+    m_committed[index] = false;
+    m_firstUncommitted = std::min(index, m_firstUncommitted);
+    OSAllocator::decommit(basePtr, MarkedBlock::blockSize);
+}
+
+void IsoAlignedMemoryAllocator::dump(PrintStream& out) const
+{
+    out.print("Iso(", RawPointer(this), ")");
+}
+
+} // namespace JSC
+
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapIsoAlignedMemoryAllocatorh"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/heap/IsoAlignedMemoryAllocator.h (0 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/IsoAlignedMemoryAllocator.h                             (rev 0)
+++ trunk/Source/JavaScriptCore/heap/IsoAlignedMemoryAllocator.h        2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -0,0 +1,51 @@
</span><ins>+/*
+ * Copyright (C) 2017 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */
+
+#pragma once
+
+#include "AlignedMemoryAllocator.h"
+
+namespace JSC {
+
+class IsoAlignedMemoryAllocator : public AlignedMemoryAllocator {
+public:
+    IsoAlignedMemoryAllocator();
+    ~IsoAlignedMemoryAllocator();
+
+    void* tryAllocateAlignedMemory(size_t alignment, size_t size) override;
+    void freeAlignedMemory(void*) override;
+
+    void dump(PrintStream&) const override;
+
+private:
+    Lock m_lock;
+    Vector<void*> m_blocks;
+    HashMap<void*, unsigned> m_blockIndices;
+    FastBitVector m_committed;
+    unsigned m_firstUncommitted { 0 };
+};
+
+} // namespace JSC
+
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapIsoSubspacecpp"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/heap/IsoSubspace.cpp (0 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/IsoSubspace.cpp                         (rev 0)
+++ trunk/Source/JavaScriptCore/heap/IsoSubspace.cpp    2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -0,0 +1,71 @@
</span><ins>+/*
+ * Copyright (C) 2017 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */
+
+#include "config.h"
+#include "IsoSubspace.h"
+
+#include "IsoAlignedMemoryAllocator.h"
+#include "MarkedAllocatorInlines.h"
+
+namespace JSC {
+
+IsoSubspace::IsoSubspace(CString name, Heap& heap, HeapCellType* heapCellType, size_t size)
+    : Subspace(name, heap)
+    , m_size(size)
+    , m_allocator(&heap, WTF::roundUpToMultipleOf<MarkedBlock::atomSize>(size))
+    , m_isoAlignedMemoryAllocator(std::make_unique<IsoAlignedMemoryAllocator>())
+{
+    initialize(heapCellType, m_isoAlignedMemoryAllocator.get());
+
+    auto locker = holdLock(m_space.allocatorLock());
+    m_allocator.setSubspace(this);
+    m_space.addMarkedAllocator(locker, &m_allocator);
+    m_alignedMemoryAllocator->registerAllocator(&m_allocator);
+    m_firstAllocator = &m_allocator;
+}
+
+IsoSubspace::~IsoSubspace()
+{
+}
+
+MarkedAllocator* IsoSubspace::allocatorFor(size_t size, AllocatorForMode mode)
+{
+    return allocatorForNonVirtual(size, mode);
+}
+
+void* IsoSubspace::allocate(size_t size, GCDeferralContext* deferralContext, AllocationFailureMode failureMode)
+{
+    return allocateNonVirtual(size, deferralContext, failureMode);
+}
+
+void* IsoSubspace::allocateNonVirtual(size_t size, GCDeferralContext* deferralContext, AllocationFailureMode failureMode)
+{
+    RELEASE_ASSERT(size == this->size());
+    void* result = m_allocator.allocate(deferralContext, failureMode);
+    return result;
+}
+
+} // namespace JSC
+
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapIsoSubspaceh"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/heap/IsoSubspace.h (0 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/IsoSubspace.h                           (rev 0)
+++ trunk/Source/JavaScriptCore/heap/IsoSubspace.h      2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -0,0 +1,63 @@
</span><ins>+/*
+ * Copyright (C) 2017 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */
+
+#pragma once
+
+#include "MarkedAllocator.h"
+#include "Subspace.h"
+
+namespace JSC {
+
+class IsoAlignedMemoryAllocator;
+
+class IsoSubspace : public Subspace {
+public:
+    JS_EXPORT_PRIVATE IsoSubspace(CString name, Heap&, HeapCellType*, size_t size);
+    JS_EXPORT_PRIVATE ~IsoSubspace();
+
+    size_t size() const { return m_size; }
+
+    MarkedAllocator* allocatorFor(size_t, AllocatorForMode) override;
+    MarkedAllocator* allocatorForNonVirtual(size_t size, AllocatorForMode);
+
+    void* allocate(size_t, GCDeferralContext*, AllocationFailureMode) override;
+    JS_EXPORT_PRIVATE void* allocateNonVirtual(size_t size, GCDeferralContext* deferralContext, AllocationFailureMode failureMode);
+
+private:
+    size_t m_size;
+    MarkedAllocator m_allocator;
+    std::unique_ptr<IsoAlignedMemoryAllocator> m_isoAlignedMemoryAllocator;
+};
+
+inline MarkedAllocator* IsoSubspace::allocatorForNonVirtual(size_t size, AllocatorForMode)
+{
+    RELEASE_ASSERT(size == this->size());
+    return &m_allocator;
+}
+
+#define ISO_SUBSPACE_INIT(heap, heapCellType, type) ("Isolated " #type " Space", (heap), (heapCellType), sizeof(type))
+
+} // namespace JSC
+
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapMarkedAllocatorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/heap/MarkedAllocator.cpp (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/MarkedAllocator.cpp     2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/JavaScriptCore/heap/MarkedAllocator.cpp        2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -41,17 +41,21 @@
</span><span class="cx"> 
</span><span class="cx"> static constexpr bool tradeDestructorBlocks = true;
</span><span class="cx"> 
</span><del>-MarkedAllocator::MarkedAllocator(Heap* heap, Subspace* subspace, size_t cellSize)
</del><ins>+MarkedAllocator::MarkedAllocator(Heap* heap, size_t cellSize)
</ins><span class="cx">     : m_freeList(cellSize)
</span><span class="cx">     , m_currentBlock(0)
</span><span class="cx">     , m_lastActiveBlock(0)
</span><span class="cx">     , m_cellSize(static_cast<unsigned>(cellSize))
</span><del>-    , m_attributes(subspace->attributes())
</del><span class="cx">     , m_heap(heap)
</span><del>-    , m_subspace(subspace)
</del><span class="cx"> {
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+void MarkedAllocator::setSubspace(Subspace* subspace)
+{
+    m_attributes = subspace->attributes();
+    m_subspace = subspace;
+}
+
</ins><span class="cx"> bool MarkedAllocator::isPagedOut(double deadline)
</span><span class="cx"> {
</span><span class="cx">     unsigned itersSinceLastTimeCheck = 0;
</span><span class="lines">@@ -175,20 +179,8 @@
</span><span class="cx">         allocationCount = 0;
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-void* MarkedAllocator::allocateSlowCase(GCDeferralContext* deferralContext)
</del><ins>+void* MarkedAllocator::allocateSlowCase(GCDeferralContext* deferralContext, AllocationFailureMode failureMode)
</ins><span class="cx"> {
</span><del>-    bool crashOnFailure = true;
-    return allocateSlowCaseImpl(deferralContext, crashOnFailure);
-}
-
-void* MarkedAllocator::tryAllocateSlowCase(GCDeferralContext* deferralContext)
-{
-    bool crashOnFailure = false;
-    return allocateSlowCaseImpl(deferralContext, crashOnFailure);
-}
-
-void* MarkedAllocator::allocateSlowCaseImpl(GCDeferralContext* deferralContext, bool crashOnFailure)
-{
</del><span class="cx">     SuperSamplerScope superSamplerScope(false);
</span><span class="cx">     ASSERT(m_heap->vm()->currentThreadIsHoldingAPILock());
</span><span class="cx">     doTestCollectionsIfNeeded(deferralContext);
</span><span class="lines">@@ -204,11 +196,8 @@
</span><span class="cx">     
</span><span class="cx">     // Goofy corner case: the GC called a callback and now this allocator has a currentBlock. This only
</span><span class="cx">     // happens when running WebKit tests, which inject a callback into the GC's finalization.
</span><del>-    if (UNLIKELY(m_currentBlock)) {
-        if (crashOnFailure)
-            return allocate(deferralContext);
-        return tryAllocate(deferralContext);
-    }
</del><ins>+    if (UNLIKELY(m_currentBlock))
+        return allocate(deferralContext, failureMode);
</ins><span class="cx">     
</span><span class="cx">     void* result = tryAllocateWithoutCollecting();
</span><span class="cx">     
</span><span class="lines">@@ -217,7 +206,7 @@
</span><span class="cx">     
</span><span class="cx">     MarkedBlock::Handle* block = tryAllocateBlock();
</span><span class="cx">     if (!block) {
</span><del>-        if (crashOnFailure)
</del><ins>+        if (failureMode == AllocationFailureMode::Assert)
</ins><span class="cx">             RELEASE_ASSERT_NOT_REACHED();
</span><span class="cx">         else
</span><span class="cx">             return nullptr;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapMarkedAllocatorh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/heap/MarkedAllocator.h (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/MarkedAllocator.h       2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/JavaScriptCore/heap/MarkedAllocator.h  2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -25,6 +25,7 @@
</span><span class="cx"> 
</span><span class="cx"> #pragma once
</span><span class="cx"> 
</span><ins>+#include "AllocationFailureMode.h"
</ins><span class="cx"> #include "AllocatorAttributes.h"
</span><span class="cx"> #include "FreeList.h"
</span><span class="cx"> #include "MarkedBlock.h"
</span><span class="lines">@@ -67,6 +68,9 @@
</span><span class="cx"> // https://bugs.webkit.org/show_bug.cgi?id=162121
</span><span class="cx"> 
</span><span class="cx"> class MarkedAllocator {
</span><ins>+    WTF_MAKE_NONCOPYABLE(MarkedAllocator);
+    WTF_MAKE_FAST_ALLOCATED;
+    
</ins><span class="cx">     friend class LLIntOffsetsExtractor;
</span><span class="cx"> 
</span><span class="cx"> public:
</span><span class="lines">@@ -73,7 +77,8 @@
</span><span class="cx">     static ptrdiff_t offsetOfFreeList();
</span><span class="cx">     static ptrdiff_t offsetOfCellSize();
</span><span class="cx"> 
</span><del>-    MarkedAllocator(Heap*, Subspace*, size_t cellSize);
</del><ins>+    MarkedAllocator(Heap*, size_t cellSize);
+    void setSubspace(Subspace*);
</ins><span class="cx">     void lastChanceToFinalize();
</span><span class="cx">     void prepareForAllocation();
</span><span class="cx">     void stopAllocating();
</span><span class="lines">@@ -90,8 +95,7 @@
</span><span class="cx">     bool needsDestruction() const { return m_attributes.destruction == NeedsDestruction; }
</span><span class="cx">     DestructionMode destruction() const { return m_attributes.destruction; }
</span><span class="cx">     HeapCell::Kind cellKind() const { return m_attributes.cellKind; }
</span><del>-    void* allocate(GCDeferralContext* = nullptr);
-    void* tryAllocate(GCDeferralContext* = nullptr);
</del><ins>+    void* allocate(GCDeferralContext*, AllocationFailureMode);
</ins><span class="cx">     Heap* heap() { return m_heap; }
</span><span class="cx"> 
</span><span class="cx">     bool isFreeListedCell(const void* target) const;
</span><span class="lines">@@ -136,9 +140,11 @@
</span><span class="cx">     
</span><span class="cx">     MarkedAllocator* nextAllocator() const { return m_nextAllocator; }
</span><span class="cx">     MarkedAllocator* nextAllocatorInSubspace() const { return m_nextAllocatorInSubspace; }
</span><ins>+    MarkedAllocator* nextAllocatorInAlignedMemoryAllocator() const { return m_nextAllocatorInAlignedMemoryAllocator; }
</ins><span class="cx">     
</span><span class="cx">     void setNextAllocator(MarkedAllocator* allocator) { m_nextAllocator = allocator; }
</span><span class="cx">     void setNextAllocatorInSubspace(MarkedAllocator* allocator) { m_nextAllocatorInSubspace = allocator; }
</span><ins>+    void setNextAllocatorInAlignedMemoryAllocator(MarkedAllocator* allocator) { m_nextAllocatorInAlignedMemoryAllocator = allocator; }
</ins><span class="cx">     
</span><span class="cx">     MarkedBlock::Handle* findEmptyBlockToSteal();
</span><span class="cx">     
</span><span class="lines">@@ -155,9 +161,7 @@
</span><span class="cx"> private:
</span><span class="cx">     friend class MarkedBlock;
</span><span class="cx">     
</span><del>-    JS_EXPORT_PRIVATE void* allocateSlowCase(GCDeferralContext*);
-    JS_EXPORT_PRIVATE void* tryAllocateSlowCase(GCDeferralContext*);
-    void* allocateSlowCaseImpl(GCDeferralContext*, bool crashOnFailure);
</del><ins>+    JS_EXPORT_PRIVATE void* allocateSlowCase(GCDeferralContext*, AllocationFailureMode failureMode);
</ins><span class="cx">     void didConsumeFreeList();
</span><span class="cx">     void* tryAllocateWithoutCollecting();
</span><span class="cx">     MarkedBlock::Handle* tryAllocateBlock();
</span><span class="lines">@@ -192,10 +196,11 @@
</span><span class="cx">     AllocatorAttributes m_attributes;
</span><span class="cx">     // FIXME: All of these should probably be references.
</span><span class="cx">     // https://bugs.webkit.org/show_bug.cgi?id=166988
</span><del>-    Heap* m_heap;
-    Subspace* m_subspace;
</del><ins>+    Heap* m_heap { nullptr };
+    Subspace* m_subspace { nullptr };
</ins><span class="cx">     MarkedAllocator* m_nextAllocator { nullptr };
</span><span class="cx">     MarkedAllocator* m_nextAllocatorInSubspace { nullptr };
</span><ins>+    MarkedAllocator* m_nextAllocatorInAlignedMemoryAllocator { nullptr };
</ins><span class="cx"> };
</span><span class="cx"> 
</span><span class="cx"> inline ptrdiff_t MarkedAllocator::offsetOfFreeList()
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapMarkedAllocatorInlinesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/heap/MarkedAllocatorInlines.h (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/MarkedAllocatorInlines.h        2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/JavaScriptCore/heap/MarkedAllocatorInlines.h   2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -35,24 +35,15 @@
</span><span class="cx">     return m_freeList.contains(bitwise_cast<HeapCell*>(target));
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-ALWAYS_INLINE void* MarkedAllocator::tryAllocate(GCDeferralContext* deferralContext)
</del><ins>+ALWAYS_INLINE void* MarkedAllocator::allocate(GCDeferralContext* deferralContext, AllocationFailureMode failureMode)
</ins><span class="cx"> {
</span><span class="cx">     return m_freeList.allocate(
</span><span class="cx">         [&] () -> HeapCell* {
</span><span class="cx">             sanitizeStackForVM(heap()->vm());
</span><del>-            return static_cast<HeapCell*>(tryAllocateSlowCase(deferralContext));
</del><ins>+            return static_cast<HeapCell*>(allocateSlowCase(deferralContext, failureMode));
</ins><span class="cx">         });
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-ALWAYS_INLINE void* MarkedAllocator::allocate(GCDeferralContext* deferralContext)
-{
-    return m_freeList.allocate(
-        [&] () -> HeapCell* {
-            sanitizeStackForVM(heap()->vm());
-            return static_cast<HeapCell*>(allocateSlowCase(deferralContext));
-        });
-}
-
</del><span class="cx"> template <typename Functor> inline void MarkedAllocator::forEachBlock(const Functor& functor)
</span><span class="cx"> {
</span><span class="cx">     m_live.forEachSetBit(
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapMarkedBlockh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/heap/MarkedBlock.h (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/MarkedBlock.h   2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/JavaScriptCore/heap/MarkedBlock.h      2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -132,7 +132,7 @@
</span><span class="cx">         
</span><span class="cx">         // This is to be called by Subspace.
</span><span class="cx">         template<typename DestroyFunc>
</span><del>-        void finishSweepKnowingSubspace(FreeList*, const DestroyFunc&);
</del><ins>+        void finishSweepKnowingHeapCellType(FreeList*, const DestroyFunc&);
</ins><span class="cx">         
</span><span class="cx">         void unsweepWithNoNewlyAllocated();
</span><span class="cx">         
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapMarkedBlockInlinesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/heap/MarkedBlockInlines.h (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/MarkedBlockInlines.h    2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/JavaScriptCore/heap/MarkedBlockInlines.h       2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -272,7 +272,7 @@
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> template<typename DestroyFunc>
</span><del>-void MarkedBlock::Handle::finishSweepKnowingSubspace(FreeList* freeList, const DestroyFunc& destroyFunc)
</del><ins>+void MarkedBlock::Handle::finishSweepKnowingHeapCellType(FreeList* freeList, const DestroyFunc& destroyFunc)
</ins><span class="cx"> {
</span><span class="cx">     SweepMode sweepMode = freeList ? SweepToFreeList : SweepOnly;
</span><span class="cx">     SweepDestructionMode destructionMode = this->sweepDestructionMode();
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapMarkedSpacecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/heap/MarkedSpace.cpp (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/MarkedSpace.cpp 2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/JavaScriptCore/heap/MarkedSpace.cpp    2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -132,9 +132,10 @@
</span><span class="cx">             }
</span><span class="cx"> 
</span><span class="cx">             // Manually inject size classes for objects we know will be allocated in high volume.
</span><ins>+            // FIXME: All of these things should have IsoSubspaces.
+            // https://bugs.webkit.org/show_bug.cgi?id=179876
</ins><span class="cx">             add(sizeof(UnlinkedFunctionExecutable));
</span><span class="cx">             add(sizeof(UnlinkedFunctionCodeBlock));
</span><del>-            add(sizeof(FunctionExecutable));
</del><span class="cx">             add(sizeof(FunctionCodeBlock));
</span><span class="cx">             add(sizeof(JSString));
</span><span class="cx">             add(sizeof(JSFunction));
</span><span class="lines">@@ -551,25 +552,13 @@
</span><span class="cx">         });
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-MarkedAllocator* MarkedSpace::addMarkedAllocator(
-    const AbstractLocker&, Subspace* subspace, size_t sizeClass)
</del><ins>+void MarkedSpace::addMarkedAllocator(const AbstractLocker&, MarkedAllocator* allocator)
</ins><span class="cx"> {
</span><del>-    MarkedAllocator* allocator = m_bagOfAllocators.add(heap(), subspace, sizeClass);
</del><span class="cx">     allocator->setNextAllocator(nullptr);
</span><span class="cx">     
</span><span class="cx">     WTF::storeStoreFence();
</span><span class="cx"> 
</span><del>-    if (!m_firstAllocator) {
-        m_firstAllocator = allocator;
-        m_lastAllocator = allocator;
-        for (Subspace* subspace : m_subspaces)
-            subspace->didCreateFirstAllocator(allocator);
-    } else {
-        m_lastAllocator->setNextAllocator(allocator);
-        m_lastAllocator = allocator;
-    }
-    
-    return allocator;
</del><ins>+    m_allocators.append(std::mem_fn(&MarkedAllocator::setNextAllocator), allocator);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> } // namespace JSC
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapMarkedSpaceh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/heap/MarkedSpace.h (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/MarkedSpace.h   2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/JavaScriptCore/heap/MarkedSpace.h      2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -32,10 +32,12 @@
</span><span class="cx"> #include <wtf/Noncopyable.h>
</span><span class="cx"> #include <wtf/RetainPtr.h>
</span><span class="cx"> #include <wtf/SentinelLinkedList.h>
</span><ins>+#include <wtf/SinglyLinkedListWithTail.h>
</ins><span class="cx"> #include <wtf/Vector.h>
</span><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span><ins>+class CompleteSubspace;
</ins><span class="cx"> class Heap;
</span><span class="cx"> class HeapIterationScope;
</span><span class="cx"> class LLIntOffsetsExtractor;
</span><span class="lines">@@ -155,10 +157,10 @@
</span><span class="cx">     LargeAllocation** largeAllocationsForThisCollectionEnd() const { return m_largeAllocationsForThisCollectionEnd; }
</span><span class="cx">     unsigned largeAllocationsForThisCollectionSize() const { return m_largeAllocationsForThisCollectionSize; }
</span><span class="cx">     
</span><del>-    MarkedAllocator* firstAllocator() const { return m_firstAllocator; }
</del><ins>+    MarkedAllocator* firstAllocator() const { return m_allocators.first(); }
</ins><span class="cx">     
</span><span class="cx">     Lock& allocatorLock() { return m_allocatorLock; }
</span><del>-    MarkedAllocator* addMarkedAllocator(const AbstractLocker&, Subspace*, size_t cellSize);
</del><ins>+    void addMarkedAllocator(const AbstractLocker&, MarkedAllocator*);
</ins><span class="cx">     
</span><span class="cx">     // When this is true it means that we have flipped but the mark bits haven't converged yet.
</span><span class="cx">     bool isMarking() const { return m_isMarking; }
</span><span class="lines">@@ -168,14 +170,12 @@
</span><span class="cx">     JS_EXPORT_PRIVATE static std::array<size_t, numSizeClasses> s_sizeClassForSizeStep;
</span><span class="cx">     
</span><span class="cx"> private:
</span><ins>+    friend class CompleteSubspace;
</ins><span class="cx">     friend class LLIntOffsetsExtractor;
</span><span class="cx">     friend class JIT;
</span><span class="cx">     friend class WeakSet;
</span><span class="cx">     friend class Subspace;
</span><span class="cx">     
</span><del>-    void* allocateSlow(Subspace&, GCDeferralContext*, size_t);
-    void* tryAllocateSlow(Subspace&, GCDeferralContext*, size_t);
-
</del><span class="cx">     // Use this version when calling from within the GC where we know that the allocators
</span><span class="cx">     // have already been stopped.
</span><span class="cx">     template<typename Functor> void forEachLiveCell(const Functor&);
</span><span class="lines">@@ -210,9 +210,7 @@
</span><span class="cx">     SentinelLinkedList<WeakSet, BasicRawSentinelNode<WeakSet>> m_newActiveWeakSets;
</span><span class="cx"> 
</span><span class="cx">     Lock m_allocatorLock;
</span><del>-    Bag<MarkedAllocator> m_bagOfAllocators;
-    MarkedAllocator* m_firstAllocator { nullptr };
-    MarkedAllocator* m_lastAllocator { nullptr };
</del><ins>+    SinglyLinkedListWithTail<MarkedAllocator> m_allocators;
</ins><span class="cx"> 
</span><span class="cx">     friend class HeapVerifier;
</span><span class="cx"> };
</span><span class="lines">@@ -229,7 +227,7 @@
</span><span class="cx"> template <typename Functor>
</span><span class="cx"> void MarkedSpace::forEachAllocator(const Functor& functor)
</span><span class="cx"> {
</span><del>-    for (MarkedAllocator* allocator = m_firstAllocator; allocator; allocator = allocator->nextAllocator()) {
</del><ins>+    for (MarkedAllocator* allocator = m_allocators.first(); allocator; allocator = allocator->nextAllocator()) {
</ins><span class="cx">         if (functor(*allocator) == IterationStatus::Done)
</span><span class="cx">             return;
</span><span class="cx">     }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapSubspacecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/heap/Subspace.cpp (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/Subspace.cpp    2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/JavaScriptCore/heap/Subspace.cpp       2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -26,6 +26,8 @@
</span><span class="cx"> #include "config.h"
</span><span class="cx"> #include "Subspace.h"
</span><span class="cx"> 
</span><ins>+#include "AlignedMemoryAllocator.h"
+#include "HeapCellType.h"
</ins><span class="cx"> #include "JSCInlines.h"
</span><span class="cx"> #include "MarkedAllocatorInlines.h"
</span><span class="cx"> #include "MarkedBlockInlines.h"
</span><span class="lines">@@ -34,45 +36,23 @@
</span><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span><del>-namespace {
-
-// Writing it this way ensures that when you pass this as a functor, the callee is specialized for
-// this callback. If you wrote this as a normal function then the callee would be specialized for
-// the function's type and it would have indirect calls to that function. And unlike a lambda, it's
-// possible to mark this ALWAYS_INLINE.
-struct DestroyFunc {
-    ALWAYS_INLINE void operator()(VM& vm, JSCell* cell) const
-    {
-        ASSERT(cell->structureID());
-        ASSERT(cell->inlineTypeFlags() & StructureIsImmortal);
-        Structure* structure = cell->structure(vm);
-        const ClassInfo* classInfo = structure->classInfo();
-        MethodTable::DestroyFunctionPtr destroy = classInfo->methodTable.destroy;
-        destroy(cell);
-    }
-};
-
-} // anonymous namespace
-
-Subspace::Subspace(CString name, Heap& heap, AllocatorAttributes attributes, AlignedMemoryAllocator* alignedMemoryAllocator)
</del><ins>+Subspace::Subspace(CString name, Heap& heap)
</ins><span class="cx">     : m_space(heap.objectSpace())
</span><span class="cx">     , m_name(name)
</span><del>-    , m_attributes(attributes)
-    , m_alignedMemoryAllocator(alignedMemoryAllocator)
-    , m_allocatorForEmptyAllocation(m_space.firstAllocator())
</del><span class="cx"> {
</span><del>-    // It's remotely possible that we're GCing right now even if the client is careful to only
-    // create subspaces right after VM creation, since collectContinuously (and probably other
-    // things) could cause a GC to be launched at pretty much any time and it's not 100% obvious
-    // that all clients would be able to ensure that there are zero safepoints between when they
-    // create VM and when they do this. Preventing GC while we're creating the Subspace ensures
-    // that we don't have to worry about whether it's OK for the GC to ever see a brand new
-    // subspace.
</del><ins>+}
+
+void Subspace::initialize(HeapCellType* heapCellType, AlignedMemoryAllocator* alignedMemoryAllocator)
+{
+    m_attributes = heapCellType->attributes();
+    m_heapCellType = heapCellType;
+    m_alignedMemoryAllocator = alignedMemoryAllocator;
+    m_allocatorForEmptyAllocation = m_alignedMemoryAllocator->firstAllocator();
+
+    Heap& heap = *m_space.heap();
</ins><span class="cx">     PreventCollectionScope preventCollectionScope(heap);
</span><span class="cx">     heap.objectSpace().m_subspaces.append(this);
</span><del>-    
-    for (size_t i = MarkedSpace::numSizeClasses; i--;)
-        m_allocatorForSizeStep[i] = nullptr;
</del><ins>+    m_alignedMemoryAllocator->registerSubspace(this);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> Subspace::~Subspace()
</span><span class="lines">@@ -81,62 +61,14 @@
</span><span class="cx"> 
</span><span class="cx"> void Subspace::finishSweep(MarkedBlock::Handle& block, FreeList* freeList)
</span><span class="cx"> {
</span><del>-    block.finishSweepKnowingSubspace(freeList, DestroyFunc());
</del><ins>+    m_heapCellType->finishSweep(block, freeList);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void Subspace::destroy(VM& vm, JSCell* cell)
</span><span class="cx"> {
</span><del>-    DestroyFunc()(vm, cell);
</del><ins>+    m_heapCellType->destroy(vm, cell);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><del>-// The reason why we distinguish between allocate and tryAllocate is to minimize the number of
-// checks on the allocation path in both cases. Likewise, the reason why we have overloads with and
-// without deferralContext is to minimize the amount of code for calling allocate when you don't
-// need the deferralContext.
-void* Subspace::allocate(size_t size)
-{
-    void* result;
-    if (MarkedAllocator* allocator = tryAllocatorFor(size))
-        result = allocator->allocate();
-    else
-        result = allocateSlow(nullptr, size);
-    didAllocate(result);
-    return result;
-}
-
-void* Subspace::allocate(GCDeferralContext* deferralContext, size_t size)
-{
-    void *result;
-    if (MarkedAllocator* allocator = tryAllocatorFor(size))
-        result = allocator->allocate(deferralContext);
-    else
-        result = allocateSlow(deferralContext, size);
-    didAllocate(result);
-    return result;
-}
-
-void* Subspace::tryAllocate(size_t size)
-{
-    void* result;
-    if (MarkedAllocator* allocator = tryAllocatorFor(size))
-        result = allocator->tryAllocate();
-    else
-        result = tryAllocateSlow(nullptr, size);
-    didAllocate(result);
-    return result;
-}
-
-void* Subspace::tryAllocate(GCDeferralContext* deferralContext, size_t size)
-{
-    void* result;
-    if (MarkedAllocator* allocator = tryAllocatorFor(size))
-        result = allocator->tryAllocate(deferralContext);
-    else
-        result = tryAllocateSlow(deferralContext, size);
-    didAllocate(result);
-    return result;
-}
-
</del><span class="cx"> void Subspace::prepareForAllocation()
</span><span class="cx"> {
</span><span class="cx">     forEachAllocator(
</span><span class="lines">@@ -144,16 +76,12 @@
</span><span class="cx">             allocator.prepareForAllocation();
</span><span class="cx">         });
</span><span class="cx"> 
</span><del>-    m_allocatorForEmptyAllocation = m_space.firstAllocator();
</del><ins>+    m_allocatorForEmptyAllocation = m_alignedMemoryAllocator->firstAllocator();
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> MarkedBlock::Handle* Subspace::findEmptyBlockToSteal()
</span><span class="cx"> {
</span><del>-    for (; m_allocatorForEmptyAllocation; m_allocatorForEmptyAllocation = m_allocatorForEmptyAllocation->nextAllocator()) {
-        Subspace* otherSubspace = m_allocatorForEmptyAllocation->subspace();
-        if (otherSubspace->alignedMemoryAllocator() != alignedMemoryAllocator())
-            continue;
-        
</del><ins>+    for (; m_allocatorForEmptyAllocation; m_allocatorForEmptyAllocation = m_allocatorForEmptyAllocation->nextAllocatorInAlignedMemoryAllocator()) {
</ins><span class="cx">         if (MarkedBlock::Handle* block = m_allocatorForEmptyAllocation->findEmptyBlockToSteal())
</span><span class="cx">             return block;
</span><span class="cx">     }
</span><span class="lines">@@ -160,88 +88,5 @@
</span><span class="cx">     return nullptr;
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-MarkedAllocator* Subspace::allocatorForSlow(size_t size)
-{
-    size_t index = MarkedSpace::sizeClassToIndex(size);
-    size_t sizeClass = MarkedSpace::s_sizeClassForSizeStep[index];
-    if (!sizeClass)
-        return nullptr;
-    
-    // This is written in such a way that it's OK for the JIT threads to end up here if they want
-    // to generate code that uses some allocator that hadn't been used yet. Note that a possibly-
-    // just-as-good solution would be to return null if we're in the JIT since the JIT treats null
-    // allocator as "please always take the slow path". But, that could lead to performance
-    // surprises and the algorithm here is pretty easy. Only this code has to hold the lock, to
-    // prevent simultaneously MarkedAllocator creations from multiple threads. This code ensures
-    // that any "forEachAllocator" traversals will only see this allocator after it's initialized
-    // enough: it will have 
-    auto locker = holdLock(m_space.allocatorLock());
-    if (MarkedAllocator* allocator = m_allocatorForSizeStep[index])
-        return allocator;
-
-    if (false)
-        dataLog("Creating marked allocator for ", m_name, ", ", m_attributes, ", ", sizeClass, ".\n");
-    MarkedAllocator* allocator = m_space.addMarkedAllocator(locker, this, sizeClass);
-    index = MarkedSpace::sizeClassToIndex(sizeClass);
-    for (;;) {
-        if (MarkedSpace::s_sizeClassForSizeStep[index] != sizeClass)
-            break;
-
-        m_allocatorForSizeStep[index] = allocator;
-        
-        if (!index--)
-            break;
-    }
-    allocator->setNextAllocatorInSubspace(m_firstAllocator);
-    WTF::storeStoreFence();
-    m_firstAllocator = allocator;
-    return allocator;
-}
-
-void* Subspace::allocateSlow(GCDeferralContext* deferralContext, size_t size)
-{
-    void* result = tryAllocateSlow(deferralContext, size);
-    RELEASE_ASSERT(result);
-    return result;
-}
-
-void* Subspace::tryAllocateSlow(GCDeferralContext* deferralContext, size_t size)
-{
-    sanitizeStackForVM(m_space.heap()->vm());
-    
-    if (MarkedAllocator* allocator = allocatorFor(size))
-        return allocator->tryAllocate(deferralContext);
-    
-    if (size <= Options::largeAllocationCutoff()
-        && size <= MarkedSpace::largeCutoff) {
-        dataLog("FATAL: attampting to allocate small object using large allocation.\n");
-        dataLog("Requested allocation size: ", size, "\n");
-        RELEASE_ASSERT_NOT_REACHED();
-    }
-    
-    m_space.heap()->collectIfNecessaryOrDefer(deferralContext);
-    
-    size = WTF::roundUpToMultipleOf<MarkedSpace::sizeStep>(size);
-    LargeAllocation* allocation = LargeAllocation::tryCreate(*m_space.m_heap, size, this);
-    if (!allocation)
-        return nullptr;
-    
-    m_space.m_largeAllocations.append(allocation);
-    m_space.m_heap->didAllocate(size);
-    m_space.m_capacity += size;
-    
-    m_largeAllocations.append(allocation);
-        
-    return allocation->cell();
-}
-
-ALWAYS_INLINE void Subspace::didAllocate(void* ptr)
-{
-    UNUSED_PARAM(ptr);
-    
-    // This is useful for logging allocations, or doing other kinds of debugging hacks. Just make
-    // sure you JSC_forceGCSlowPaths=true.
-}
-
</del><span class="cx"> } // namespace JSC
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapSubspaceh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/heap/Subspace.h (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/Subspace.h      2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/JavaScriptCore/heap/Subspace.h 2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -25,6 +25,8 @@
</span><span class="cx"> 
</span><span class="cx"> #pragma once
</span><span class="cx"> 
</span><ins>+#include "AllocationFailureMode.h"
+#include "AllocatorForMode.h"
</ins><span class="cx"> #include "MarkedBlock.h"
</span><span class="cx"> #include "MarkedSpace.h"
</span><span class="cx"> #include <wtf/text/CString.h>
</span><span class="lines">@@ -32,45 +34,31 @@
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span><span class="cx"> class AlignedMemoryAllocator;
</span><ins>+class HeapCellType;
</ins><span class="cx"> 
</span><span class="cx"> // The idea of subspaces is that you can provide some custom behavior for your objects if you
</span><span class="cx"> // allocate them from a custom Subspace in which you override some of the virtual methods. This
</span><del>-// class is the baseclass of Subspaces and it provides a reasonable default implementation, where
-// sweeping assumes immortal structure. The common ways of overriding this are:
-//
-// - Provide customized destructor behavior. You can change how the destructor is called. You can
-//   also specialize the destructor call in the loop.
-//
-// - Use the Subspace as a quick way to iterate all of the objects in that subspace.
</del><ins>+// class is the baseclass of Subspaces. Usually you will use either Subspace or FixedSizeSubspace.
</ins><span class="cx"> class Subspace {
</span><span class="cx">     WTF_MAKE_NONCOPYABLE(Subspace);
</span><span class="cx">     WTF_MAKE_FAST_ALLOCATED;
</span><span class="cx"> public:
</span><del>-    JS_EXPORT_PRIVATE Subspace(CString name, Heap&, AllocatorAttributes, AlignedMemoryAllocator*);
</del><ins>+    JS_EXPORT_PRIVATE Subspace(CString name, Heap&);
</ins><span class="cx">     JS_EXPORT_PRIVATE virtual ~Subspace();
</span><del>-    
</del><ins>+
</ins><span class="cx">     const char* name() const { return m_name.data(); }
</span><span class="cx">     MarkedSpace& space() const { return m_space; }
</span><span class="cx">     
</span><span class="cx">     const AllocatorAttributes& attributes() const { return m_attributes; }
</span><ins>+    HeapCellType* heapCellType() const { return m_heapCellType; }
</ins><span class="cx">     AlignedMemoryAllocator* alignedMemoryAllocator() const { return m_alignedMemoryAllocator; }
</span><span class="cx">     
</span><del>-    // The purpose of overriding this is to specialize the sweep for your destructors. This won't
-    // be called for no-destructor blocks. This must call MarkedBlock::finishSweepKnowingSubspace.
-    virtual void finishSweep(MarkedBlock::Handle&, FreeList*);
</del><ins>+    void finishSweep(MarkedBlock::Handle&, FreeList*);
+    void destroy(VM&, JSCell*);
+
+    virtual MarkedAllocator* allocatorFor(size_t, AllocatorForMode) = 0;
+    virtual void* allocate(size_t, GCDeferralContext*, AllocationFailureMode) = 0;
</ins><span class="cx">     
</span><del>-    // These get called for large objects.
-    virtual void destroy(VM&, JSCell*);
-    
-    MarkedAllocator* tryAllocatorFor(size_t);
-    MarkedAllocator* allocatorFor(size_t);
-    
-    JS_EXPORT_PRIVATE void* allocate(size_t);
-    JS_EXPORT_PRIVATE void* allocate(GCDeferralContext*, size_t);
-    
-    JS_EXPORT_PRIVATE void* tryAllocate(size_t);
-    JS_EXPORT_PRIVATE void* tryAllocate(GCDeferralContext*, size_t);
-    
</del><span class="cx">     void prepareForAllocation();
</span><span class="cx">     
</span><span class="cx">     void didCreateFirstAllocator(MarkedAllocator* allocator) { m_allocatorForEmptyAllocation = allocator; }
</span><span class="lines">@@ -96,48 +84,25 @@
</span><span class="cx">     template<typename Func>
</span><span class="cx">     void forEachLiveCell(const Func&);
</span><span class="cx">     
</span><del>-    static ptrdiff_t offsetOfAllocatorForSizeStep() { return OBJECT_OFFSETOF(Subspace, m_allocatorForSizeStep); }
-    
-    MarkedAllocator** allocatorForSizeStep() { return &m_allocatorForSizeStep[0]; }
</del><ins>+    Subspace* nextSubspaceInAlignedMemoryAllocator() const { return m_nextSubspaceInAlignedMemoryAllocator; }
+    void setNextSubspaceInAlignedMemoryAllocator(Subspace* subspace) { m_nextSubspaceInAlignedMemoryAllocator = subspace; }
</ins><span class="cx"> 
</span><del>-private:
-    MarkedAllocator* allocatorForSlow(size_t);
</del><ins>+protected:
+    void initialize(HeapCellType*, AlignedMemoryAllocator*);
</ins><span class="cx">     
</span><del>-    // These slow paths are concerned with large allocations and allocator creation.
-    void* allocateSlow(GCDeferralContext*, size_t);
-    void* tryAllocateSlow(GCDeferralContext*, size_t);
-    
-    void didAllocate(void*);
-    
</del><span class="cx">     MarkedSpace& m_space;
</span><span class="cx">     
</span><span class="cx">     CString m_name;
</span><span class="cx">     AllocatorAttributes m_attributes;
</span><ins>+
+    HeapCellType* m_heapCellType { nullptr };
+    AlignedMemoryAllocator* m_alignedMemoryAllocator { nullptr };
</ins><span class="cx">     
</span><del>-    AlignedMemoryAllocator* m_alignedMemoryAllocator;
-    
-    std::array<MarkedAllocator*, MarkedSpace::numSizeClasses> m_allocatorForSizeStep;
</del><span class="cx">     MarkedAllocator* m_firstAllocator { nullptr };
</span><span class="cx">     MarkedAllocator* m_allocatorForEmptyAllocation { nullptr }; // Uses the MarkedSpace linked list of blocks.
</span><span class="cx">     SentinelLinkedList<LargeAllocation, BasicRawSentinelNode<LargeAllocation>> m_largeAllocations;
</span><ins>+    Subspace* m_nextSubspaceInAlignedMemoryAllocator { nullptr };
</ins><span class="cx"> };
</span><span class="cx"> 
</span><del>-ALWAYS_INLINE MarkedAllocator* Subspace::tryAllocatorFor(size_t size)
-{
-    if (size <= MarkedSpace::largeCutoff)
-        return m_allocatorForSizeStep[MarkedSpace::sizeClassToIndex(size)];
-    return nullptr;
-}
-
-ALWAYS_INLINE MarkedAllocator* Subspace::allocatorFor(size_t size)
-{
-    if (size <= MarkedSpace::largeCutoff) {
-        if (MarkedAllocator* result = m_allocatorForSizeStep[MarkedSpace::sizeClassToIndex(size)])
-            return result;
-        return allocatorForSlow(size);
-    }
-    return nullptr;
-}
-
</del><span class="cx"> } // namespace JSC
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitAssemblyHelpersh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/AssemblyHelpers.h (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/AssemblyHelpers.h        2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/JavaScriptCore/jit/AssemblyHelpers.h   2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -1572,7 +1572,7 @@
</span><span class="cx">         VM& vm, GPRReg resultGPR, StructureType structure, StorageType storage, GPRReg scratchGPR1,
</span><span class="cx">         GPRReg scratchGPR2, JumpList& slowPath, size_t size)
</span><span class="cx">     {
</span><del>-        MarkedAllocator* allocator = subspaceFor<ClassType>(vm)->allocatorFor(size);
</del><ins>+        MarkedAllocator* allocator = subspaceFor<ClassType>(vm)->allocatorForNonVirtual(size, AllocatorForMode::AllocatorIfExists);
</ins><span class="cx">         if (!allocator) {
</span><span class="cx">             slowPath.append(jump());
</span><span class="cx">             return;
</span><span class="lines">@@ -1589,7 +1589,7 @@
</span><span class="cx">     
</span><span class="cx">     // allocationSize can be aliased with any of the other input GPRs. If it's not aliased then it
</span><span class="cx">     // won't be clobbered.
</span><del>-    void emitAllocateVariableSized(GPRReg resultGPR, Subspace& subspace, GPRReg allocationSize, GPRReg scratchGPR1, GPRReg scratchGPR2, JumpList& slowPath)
</del><ins>+    void emitAllocateVariableSized(GPRReg resultGPR, CompleteSubspace& subspace, GPRReg allocationSize, GPRReg scratchGPR1, GPRReg scratchGPR2, JumpList& slowPath)
</ins><span class="cx">     {
</span><span class="cx">         static_assert(!(MarkedSpace::sizeStep & (MarkedSpace::sizeStep - 1)), "MarkedSpace::sizeStep must be a power of two.");
</span><span class="cx">         
</span><span class="lines">@@ -1607,7 +1607,7 @@
</span><span class="cx">     template<typename ClassType, typename StructureType>
</span><span class="cx">     void emitAllocateVariableSizedCell(VM& vm, GPRReg resultGPR, StructureType structure, GPRReg allocationSize, GPRReg scratchGPR1, GPRReg scratchGPR2, JumpList& slowPath)
</span><span class="cx">     {
</span><del>-        Subspace& subspace = *subspaceFor<ClassType>(vm);
</del><ins>+        CompleteSubspace& subspace = *subspaceFor<ClassType>(vm);
</ins><span class="cx">         emitAllocateVariableSized(resultGPR, subspace, allocationSize, scratchGPR1, scratchGPR2, slowPath);
</span><span class="cx">         emitStoreStructureWithTypeInfo(structure, resultGPR, scratchGPR2);
</span><span class="cx">     }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITOpcodescpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp   2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp      2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -81,7 +81,7 @@
</span><span class="cx"> {
</span><span class="cx">     Structure* structure = currentInstruction[3].u.objectAllocationProfile->structure();
</span><span class="cx">     size_t allocationSize = JSFinalObject::allocationSize(structure->inlineCapacity());
</span><del>-    MarkedAllocator* allocator = subspaceFor<JSFinalObject>(*m_vm)->allocatorFor(allocationSize);
</del><ins>+    MarkedAllocator* allocator = subspaceFor<JSFinalObject>(*m_vm)->allocatorForNonVirtual(allocationSize, AllocatorForMode::AllocatorIfExists);
</ins><span class="cx"> 
</span><span class="cx">     RegisterID resultReg = regT0;
</span><span class="cx">     RegisterID allocatorReg = regT1;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITOpcodes32_64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp      2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp 2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -79,7 +79,7 @@
</span><span class="cx"> {
</span><span class="cx">     Structure* structure = currentInstruction[3].u.objectAllocationProfile->structure();
</span><span class="cx">     size_t allocationSize = JSFinalObject::allocationSize(structure->inlineCapacity());
</span><del>-    MarkedAllocator* allocator = subspaceFor<JSFinalObject>(*m_vm)->allocatorFor(allocationSize);
</del><ins>+    MarkedAllocator* allocator = subspaceFor<JSFinalObject>(*m_vm)->allocatorForNonVirtual(allocationSize, AllocatorForMode::AllocatorIfExists);
</ins><span class="cx"> 
</span><span class="cx">     RegisterID resultReg = returnValueGPR;
</span><span class="cx">     RegisterID allocatorReg = regT1;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeButterflyInlinesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/ButterflyInlines.h (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/ButterflyInlines.h   2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/JavaScriptCore/runtime/ButterflyInlines.h      2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -62,7 +62,7 @@
</span><span class="cx"> inline Butterfly* Butterfly::createUninitialized(VM& vm, JSCell*, size_t preCapacity, size_t propertyCapacity, bool hasIndexingHeader, size_t indexingPayloadSizeInBytes)
</span><span class="cx"> {
</span><span class="cx">     size_t size = totalSize(preCapacity, propertyCapacity, hasIndexingHeader, indexingPayloadSizeInBytes);
</span><del>-    void* base = vm.jsValueGigacageAuxiliarySpace.allocate(size);
</del><ins>+    void* base = vm.jsValueGigacageAuxiliarySpace.allocateNonVirtual(size, nullptr, AllocationFailureMode::Assert);
</ins><span class="cx">     Butterfly* result = fromBase(base, preCapacity, propertyCapacity);
</span><span class="cx">     return result;
</span><span class="cx"> }
</span><span class="lines">@@ -70,7 +70,7 @@
</span><span class="cx"> inline Butterfly* Butterfly::tryCreate(VM& vm, JSCell*, size_t preCapacity, size_t propertyCapacity, bool hasIndexingHeader, const IndexingHeader& indexingHeader, size_t indexingPayloadSizeInBytes)
</span><span class="cx"> {
</span><span class="cx">     size_t size = totalSize(preCapacity, propertyCapacity, hasIndexingHeader, indexingPayloadSizeInBytes);
</span><del>-    void* base = vm.jsValueGigacageAuxiliarySpace.tryAllocate(size);
</del><ins>+    void* base = vm.jsValueGigacageAuxiliarySpace.allocateNonVirtual(size, nullptr, AllocationFailureMode::ReturnNull);
</ins><span class="cx">     if (!base)
</span><span class="cx">         return nullptr;
</span><span class="cx">     Butterfly* result = fromBase(base, preCapacity, propertyCapacity);
</span><span class="lines">@@ -148,7 +148,7 @@
</span><span class="cx">     void* theBase = base(0, propertyCapacity);
</span><span class="cx">     size_t oldSize = totalSize(0, propertyCapacity, hadIndexingHeader, oldIndexingPayloadSizeInBytes);
</span><span class="cx">     size_t newSize = totalSize(0, propertyCapacity, true, newIndexingPayloadSizeInBytes);
</span><del>-    void* newBase = vm.jsValueGigacageAuxiliarySpace.tryAllocate(newSize);
</del><ins>+    void* newBase = vm.jsValueGigacageAuxiliarySpace.allocateNonVirtual(newSize, nullptr, AllocationFailureMode::ReturnNull);
</ins><span class="cx">     if (!newBase)
</span><span class="cx">         return nullptr;
</span><span class="cx">     // FIXME: This probably shouldn't be a memcpy.
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeDirectArgumentscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/DirectArguments.cpp (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/DirectArguments.cpp  2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/JavaScriptCore/runtime/DirectArguments.cpp     2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -118,8 +118,7 @@
</span><span class="cx">     putDirect(vm, vm.propertyNames->callee, m_callee.get(), static_cast<unsigned>(PropertyAttribute::DontEnum));
</span><span class="cx">     putDirect(vm, vm.propertyNames->iteratorSymbol, globalObject()->arrayProtoValuesFunction(), static_cast<unsigned>(PropertyAttribute::DontEnum));
</span><span class="cx">     
</span><del>-    void* backingStore = vm.gigacageAuxiliarySpace(m_mappedArguments.kind).tryAllocate(mappedArgumentsSize());
-    RELEASE_ASSERT(backingStore);
</del><ins>+    void* backingStore = vm.gigacageAuxiliarySpace(m_mappedArguments.kind).allocateNonVirtual(mappedArgumentsSize(), nullptr, AllocationFailureMode::Assert);
</ins><span class="cx">     bool* overrides = static_cast<bool*>(backingStore);
</span><span class="cx">     m_mappedArguments.set(vm, this, overrides);
</span><span class="cx">     for (unsigned i = m_length; i--;)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeDirectArgumentsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/DirectArguments.h (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/DirectArguments.h    2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/JavaScriptCore/runtime/DirectArguments.h       2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -47,7 +47,7 @@
</span><span class="cx">     
</span><span class="cx"> public:
</span><span class="cx">     template<typename CellType>
</span><del>-    static Subspace* subspaceFor(VM& vm)
</del><ins>+    static CompleteSubspace* subspaceFor(VM& vm)
</ins><span class="cx">     {
</span><span class="cx">         RELEASE_ASSERT(!CellType::needsDestruction);
</span><span class="cx">         return &vm.jsValueGigacageCellSpace;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeDirectEvalExecutableh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/DirectEvalExecutable.h (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/DirectEvalExecutable.h       2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/JavaScriptCore/runtime/DirectEvalExecutable.h  2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2016 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2016-2017 Apple Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -31,6 +31,12 @@
</span><span class="cx"> 
</span><span class="cx"> class DirectEvalExecutable final : public EvalExecutable {
</span><span class="cx"> public:
</span><ins>+    template<typename CellType>
+    static IsoSubspace* subspaceFor(VM& vm)
+    {
+        return &vm.directEvalExecutableSpace;
+    }
+
</ins><span class="cx">     static DirectEvalExecutable* create(ExecState*, const SourceCode&, bool isInStrictContext, DerivedContextType, bool isArrowFunctionContext, EvalContextType, const VariableEnvironment*);
</span><span class="cx"> private:
</span><span class="cx">     DirectEvalExecutable(ExecState*, const SourceCode&, bool inStrictContext, DerivedContextType, bool isArrowFunctionContext, EvalContextType);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeEvalExecutableh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/EvalExecutable.h (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/EvalExecutable.h     2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/JavaScriptCore/runtime/EvalExecutable.h        2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2009, 2010, 2013-2016 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2009-2017 Apple Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -37,7 +37,7 @@
</span><span class="cx">     static const unsigned StructureFlags = Base::StructureFlags | StructureIsImmortal;
</span><span class="cx"> 
</span><span class="cx">     static void destroy(JSCell*);
</span><del>-
</del><ins>+    
</ins><span class="cx">     EvalCodeBlock* codeBlock()
</span><span class="cx">     {
</span><span class="cx">         return m_evalCodeBlock.get();
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeExecutableBaseh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/ExecutableBase.h (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/ExecutableBase.h     2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/JavaScriptCore/runtime/ExecutableBase.h        2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -81,6 +81,10 @@
</span><span class="cx"> 
</span><span class="cx">     static const bool needsDestruction = true;
</span><span class="cx">     static void destroy(JSCell*);
</span><ins>+    
+    // Force subclasses to override this.
+    template<typename>
+    static void subspaceFor(VM&) { }
</ins><span class="cx">         
</span><span class="cx">     CodeBlockHash hashFor(CodeSpecializationKind) const;
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeFunctionExecutableh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/FunctionExecutable.h (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/FunctionExecutable.h 2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/JavaScriptCore/runtime/FunctionExecutable.h    2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -38,6 +38,12 @@
</span><span class="cx">     typedef ScriptExecutable Base;
</span><span class="cx">     static const unsigned StructureFlags = Base::StructureFlags | StructureIsImmortal;
</span><span class="cx"> 
</span><ins>+    template<typename CellType>
+    static IsoSubspace* subspaceFor(VM& vm)
+    {
+        return &vm.functionExecutableSpace;
+    }
+
</ins><span class="cx">     static FunctionExecutable* create(
</span><span class="cx">         VM& vm, const SourceCode& source, UnlinkedFunctionExecutable* unlinkedExecutable, 
</span><span class="cx">         unsigned lastLine, unsigned endColumn, Intrinsic intrinsic)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeGenericArgumentsInlinesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/GenericArgumentsInlines.h (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/GenericArgumentsInlines.h    2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/JavaScriptCore/runtime/GenericArgumentsInlines.h       2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -263,8 +263,7 @@
</span><span class="cx">     RELEASE_ASSERT(!m_modifiedArgumentsDescriptor);
</span><span class="cx"> 
</span><span class="cx">     if (argsLength) {
</span><del>-        void* backingStore = vm.gigacageAuxiliarySpace(m_modifiedArgumentsDescriptor.kind).tryAllocate(WTF::roundUpToMultipleOf<8>(argsLength));
-        RELEASE_ASSERT(backingStore);
</del><ins>+        void* backingStore = vm.gigacageAuxiliarySpace(m_modifiedArgumentsDescriptor.kind).allocateNonVirtual(WTF::roundUpToMultipleOf<8>(argsLength), nullptr, AllocationFailureMode::Assert);
</ins><span class="cx">         bool* modifiedArguments = static_cast<bool*>(backingStore);
</span><span class="cx">         m_modifiedArgumentsDescriptor.set(vm, this, modifiedArguments);
</span><span class="cx">         for (unsigned i = argsLength; i--;)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeHashMapImplh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/HashMapImpl.h (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/HashMapImpl.h        2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/JavaScriptCore/runtime/HashMapImpl.h   2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -207,7 +207,7 @@
</span><span class="cx">     {
</span><span class="cx">         auto scope = DECLARE_THROW_SCOPE(vm);
</span><span class="cx">         size_t allocationSize = HashMapBuffer::allocationSize(capacity);
</span><del>-        void* data = vm.jsValueGigacageAuxiliarySpace.tryAllocate(allocationSize);
</del><ins>+        void* data = vm.jsValueGigacageAuxiliarySpace.allocateNonVirtual(allocationSize, nullptr, AllocationFailureMode::ReturnNull);
</ins><span class="cx">         if (!data) {
</span><span class="cx">             throwOutOfMemoryError(exec, scope);
</span><span class="cx">             return nullptr;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeIndirectEvalExecutableh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/IndirectEvalExecutable.h (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/IndirectEvalExecutable.h     2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/JavaScriptCore/runtime/IndirectEvalExecutable.h        2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2016 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2016-2017 Apple Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -31,6 +31,12 @@
</span><span class="cx"> 
</span><span class="cx"> class IndirectEvalExecutable final : public EvalExecutable {
</span><span class="cx"> public:
</span><ins>+    template<typename CellType>
+    static IsoSubspace* subspaceFor(VM& vm)
+    {
+        return &vm.indirectEvalExecutableSpace;
+    }
+
</ins><span class="cx">     static IndirectEvalExecutable* create(ExecState*, const SourceCode&, bool isInStrictContext, DerivedContextType, bool isArrowFunctionContext, EvalContextType);
</span><span class="cx"> private:
</span><span class="cx">     IndirectEvalExecutable(ExecState*, const SourceCode&, bool inStrictContext, DerivedContextType, bool isArrowFunctionContext, EvalContextType);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSArraycpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSArray.cpp (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSArray.cpp  2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/JavaScriptCore/runtime/JSArray.cpp     2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -81,7 +81,7 @@
</span><span class="cx">             || hasContiguous(indexingType));
</span><span class="cx"> 
</span><span class="cx">         unsigned vectorLength = Butterfly::optimalContiguousVectorLength(structure, initialLength);
</span><del>-        void* temp = vm.jsValueGigacageAuxiliarySpace.tryAllocate(deferralContext, Butterfly::totalSize(0, outOfLineStorage, true, vectorLength * sizeof(EncodedJSValue)));
</del><ins>+        void* temp = vm.jsValueGigacageAuxiliarySpace.allocateNonVirtual(Butterfly::totalSize(0, outOfLineStorage, true, vectorLength * sizeof(EncodedJSValue)), deferralContext, AllocationFailureMode::ReturnNull);
</ins><span class="cx">         if (UNLIKELY(!temp))
</span><span class="cx">             return nullptr;
</span><span class="cx">         butterfly = Butterfly::fromBase(temp, 0, outOfLineStorage);
</span><span class="lines">@@ -98,7 +98,7 @@
</span><span class="cx">     } else {
</span><span class="cx">         static const unsigned indexBias = 0;
</span><span class="cx">         unsigned vectorLength = ArrayStorage::optimalVectorLength(indexBias, structure, initialLength);
</span><del>-        void* temp = vm.jsValueGigacageAuxiliarySpace.tryAllocate(deferralContext, Butterfly::totalSize(indexBias, outOfLineStorage, true, ArrayStorage::sizeFor(vectorLength)));
</del><ins>+        void* temp = vm.jsValueGigacageAuxiliarySpace.allocateNonVirtual(Butterfly::totalSize(indexBias, outOfLineStorage, true, ArrayStorage::sizeFor(vectorLength)), deferralContext, AllocationFailureMode::ReturnNull);
</ins><span class="cx">         if (UNLIKELY(!temp))
</span><span class="cx">             return nullptr;
</span><span class="cx">         butterfly = Butterfly::fromBase(temp, indexBias, outOfLineStorage);
</span><span class="lines">@@ -368,7 +368,7 @@
</span><span class="cx">         allocatedNewStorage = false;
</span><span class="cx">     } else {
</span><span class="cx">         size_t newSize = Butterfly::totalSize(0, propertyCapacity, true, ArrayStorage::sizeFor(desiredCapacity));
</span><del>-        newAllocBase = vm.jsValueGigacageAuxiliarySpace.tryAllocate(newSize);
</del><ins>+        newAllocBase = vm.jsValueGigacageAuxiliarySpace.allocateNonVirtual(newSize, nullptr, AllocationFailureMode::ReturnNull);
</ins><span class="cx">         if (!newAllocBase)
</span><span class="cx">             return false;
</span><span class="cx">         newStorageCapacity = desiredCapacity;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSArrayh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSArray.h (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSArray.h    2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/JavaScriptCore/runtime/JSArray.h       2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -237,7 +237,9 @@
</span><span class="cx">             return nullptr;
</span><span class="cx"> 
</span><span class="cx">         unsigned vectorLength = Butterfly::optimalContiguousVectorLength(structure, vectorLengthHint);
</span><del>-        void* temp = vm.jsValueGigacageAuxiliarySpace.tryAllocate(nullptr, Butterfly::totalSize(0, outOfLineStorage, true, vectorLength * sizeof(EncodedJSValue)));
</del><ins>+        void* temp = vm.jsValueGigacageAuxiliarySpace.allocateNonVirtual(
+            Butterfly::totalSize(0, outOfLineStorage, true, vectorLength * sizeof(EncodedJSValue)),
+            nullptr, AllocationFailureMode::ReturnNull);
</ins><span class="cx">         if (!temp)
</span><span class="cx">             return nullptr;
</span><span class="cx">         butterfly = Butterfly::fromBase(temp, 0, outOfLineStorage);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSArrayBufferViewcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSArrayBufferView.cpp (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSArrayBufferView.cpp        2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/JavaScriptCore/runtime/JSArrayBufferView.cpp   2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -66,7 +66,7 @@
</span><span class="cx">         void* temp;
</span><span class="cx">         size_t size = sizeOf(length, elementSize);
</span><span class="cx">         if (size) {
</span><del>-            temp = vm.primitiveGigacageAuxiliarySpace.tryAllocate(nullptr, size);
</del><ins>+            temp = vm.primitiveGigacageAuxiliarySpace.allocateNonVirtual(size, nullptr, AllocationFailureMode::ReturnNull);
</ins><span class="cx">             if (!temp)
</span><span class="cx">                 return;
</span><span class="cx">         } else
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSCellh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSCell.h (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSCell.h     2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/JavaScriptCore/runtime/JSCell.h        2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -37,6 +37,7 @@
</span><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span><ins>+class CompleteSubspace;
</ins><span class="cx"> class CopyVisitor;
</span><span class="cx"> class GCDeferralContext;
</span><span class="cx"> class ExecState;
</span><span class="lines">@@ -50,11 +51,6 @@
</span><span class="cx"> class PropertyNameArray;
</span><span class="cx"> class Structure;
</span><span class="cx"> 
</span><del>-enum class AllocationFailureMode {
-    ShouldAssertOnFailure,
-    ShouldNotAssertOnFailure
-};
-
</del><span class="cx"> enum class GCDeferralContextArgPresense {
</span><span class="cx">     HasArg,
</span><span class="cx">     DoesNotHaveArg
</span><span class="lines">@@ -86,8 +82,8 @@
</span><span class="cx"> class JSCell : public HeapCell {
</span><span class="cx">     friend class JSValue;
</span><span class="cx">     friend class MarkedBlock;
</span><del>-    template<typename T, AllocationFailureMode, GCDeferralContextArgPresense>
-    friend void* tryAllocateCellHelper(Heap&, GCDeferralContext*, size_t);
</del><ins>+    template<typename T>
+    friend void* tryAllocateCellHelper(Heap&, size_t, GCDeferralContext*, AllocationFailureMode);
</ins><span class="cx"> 
</span><span class="cx"> public:
</span><span class="cx">     static const unsigned StructureFlags = 0;
</span><span class="lines">@@ -98,7 +94,7 @@
</span><span class="cx">     // FIXME: Refer to Subspace by reference.
</span><span class="cx">     // https://bugs.webkit.org/show_bug.cgi?id=166988
</span><span class="cx">     template<typename CellType>
</span><del>-    static Subspace* subspaceFor(VM&);
</del><ins>+    static CompleteSubspace* subspaceFor(VM&);
</ins><span class="cx"> 
</span><span class="cx">     static JSCell* seenMultipleCalleeObjects() { return bitwise_cast<JSCell*>(static_cast<uintptr_t>(1)); }
</span><span class="cx"> 
</span><span class="lines">@@ -320,7 +316,7 @@
</span><span class="cx"> // FIXME: Refer to Subspace by reference.
</span><span class="cx"> // https://bugs.webkit.org/show_bug.cgi?id=166988
</span><span class="cx"> template<typename Type>
</span><del>-inline Subspace* subspaceFor(VM& vm)
</del><ins>+inline auto subspaceFor(VM& vm)
</ins><span class="cx"> {
</span><span class="cx">     return Type::template subspaceFor<Type>(vm);
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSCellInlinesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSCellInlines.h (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSCellInlines.h      2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/JavaScriptCore/runtime/JSCellInlines.h 2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -135,7 +135,7 @@
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> template<typename CellType>
</span><del>-Subspace* JSCell::subspaceFor(VM& vm)
</del><ins>+CompleteSubspace* JSCell::subspaceFor(VM& vm)
</ins><span class="cx"> {
</span><span class="cx">     if (CellType::needsDestruction)
</span><span class="cx">         return &vm.destructibleCellSpace;
</span><span class="lines">@@ -142,23 +142,14 @@
</span><span class="cx">     return &vm.cellSpace;
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-template<typename T, AllocationFailureMode mode, GCDeferralContextArgPresense deferralContextArgPresence>
-ALWAYS_INLINE void* tryAllocateCellHelper(Heap& heap, GCDeferralContext* deferralContext, size_t size)
</del><ins>+template<typename T>
+ALWAYS_INLINE void* tryAllocateCellHelper(Heap& heap, size_t size, GCDeferralContext* deferralContext, AllocationFailureMode failureMode)
</ins><span class="cx"> {
</span><span class="cx">     ASSERT(deferralContext || !DisallowGC::isInEffectOnCurrentThread());
</span><span class="cx">     ASSERT(size >= sizeof(T));
</span><del>-    JSCell* result;
-    if (mode == AllocationFailureMode::ShouldAssertOnFailure) {
-        result = (deferralContextArgPresence == GCDeferralContextArgPresense::HasArg)
-            ? static_cast<JSCell*>(subspaceFor<T>(*heap.vm())->allocate(deferralContext, size))
-            : static_cast<JSCell*>(subspaceFor<T>(*heap.vm())->allocate(size));
-    } else {
-        result = (deferralContextArgPresence == GCDeferralContextArgPresense::HasArg)
-            ? static_cast<JSCell*>(subspaceFor<T>(*heap.vm())->tryAllocate(deferralContext, size))
-            : static_cast<JSCell*>(subspaceFor<T>(*heap.vm())->tryAllocate(size));
-        if (UNLIKELY(!result))
-            return nullptr;
-    }
</del><ins>+    JSCell* result = static_cast<JSCell*>(subspaceFor<T>(*heap.vm())->allocateNonVirtual(size, deferralContext, failureMode));
+    if (failureMode == AllocationFailureMode::ReturnNull && !result)
+        return nullptr;
</ins><span class="cx"> #if ENABLE(GC_VALIDATION)
</span><span class="cx">     ASSERT(!heap.vm()->isInitializingObject());
</span><span class="cx">     heap.vm()->setInitializingObjectClass(T::info());
</span><span class="lines">@@ -170,25 +161,25 @@
</span><span class="cx"> template<typename T>
</span><span class="cx"> void* allocateCell(Heap& heap, size_t size)
</span><span class="cx"> {
</span><del>-    return tryAllocateCellHelper<T, AllocationFailureMode::ShouldAssertOnFailure, GCDeferralContextArgPresense::DoesNotHaveArg>(heap, nullptr, size);
</del><ins>+    return tryAllocateCellHelper<T>(heap, size, nullptr, AllocationFailureMode::Assert);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> template<typename T>
</span><span class="cx"> void* tryAllocateCell(Heap& heap, size_t size)
</span><span class="cx"> {
</span><del>-    return tryAllocateCellHelper<T, AllocationFailureMode::ShouldNotAssertOnFailure, GCDeferralContextArgPresense::DoesNotHaveArg>(heap, nullptr, size);
</del><ins>+    return tryAllocateCellHelper<T>(heap, size, nullptr, AllocationFailureMode::ReturnNull);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> template<typename T>
</span><span class="cx"> void* allocateCell(Heap& heap, GCDeferralContext* deferralContext, size_t size)
</span><span class="cx"> {
</span><del>-    return tryAllocateCellHelper<T, AllocationFailureMode::ShouldAssertOnFailure, GCDeferralContextArgPresense::HasArg>(heap, deferralContext, size);
</del><ins>+    return tryAllocateCellHelper<T>(heap, size, deferralContext, AllocationFailureMode::Assert);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> template<typename T>
</span><span class="cx"> void* tryAllocateCell(Heap& heap, GCDeferralContext* deferralContext, size_t size)
</span><span class="cx"> {
</span><del>-    return tryAllocateCellHelper<T, AllocationFailureMode::ShouldNotAssertOnFailure, GCDeferralContextArgPresense::HasArg>(heap, deferralContext, size);
</del><ins>+    return tryAllocateCellHelper<T>(heap, size, deferralContext, AllocationFailureMode::ReturnNull);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> inline bool JSCell::isObject() const
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSDestructibleObjecth"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSDestructibleObject.h (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSDestructibleObject.h       2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/JavaScriptCore/runtime/JSDestructibleObject.h  2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -38,7 +38,7 @@
</span><span class="cx">     static const bool needsDestruction = true;
</span><span class="cx">     
</span><span class="cx">     template<typename CellType>
</span><del>-    static Subspace* subspaceFor(VM& vm)
</del><ins>+    static CompleteSubspace* subspaceFor(VM& vm)
</ins><span class="cx">     {
</span><span class="cx">         return &vm.destructibleObjectSpace;
</span><span class="cx">     }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSDestructibleObjectHeapCellTypecppfromrev224536trunkSourceJavaScriptCoreruntimeJSDestructibleObjectSubspacecpp"></a>
<div class="copfile"><h4>Copied: trunk/Source/JavaScriptCore/runtime/JSDestructibleObjectHeapCellType.cpp (from rev 224536, trunk/Source/JavaScriptCore/runtime/JSDestructibleObjectSubspace.cpp) (0 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSDestructibleObjectHeapCellType.cpp                         (rev 0)
+++ trunk/Source/JavaScriptCore/runtime/JSDestructibleObjectHeapCellType.cpp    2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -0,0 +1,65 @@
</span><ins>+/*
+ * Copyright (C) 2017 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */
+
+#include "config.h"
+#include "JSDestructibleObjectHeapCellType.h"
+
+#include "MarkedBlockInlines.h"
+#include "JSCInlines.h"
+
+namespace JSC {
+
+namespace {
+
+struct DestroyFunc {
+    ALWAYS_INLINE void operator()(VM&, JSCell* cell) const
+    {
+        static_cast<JSDestructibleObject*>(cell)->classInfo()->methodTable.destroy(cell);
+    }
+};
+
+} // anonymous namespace
+
+JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType()
+    : HeapCellType(AllocatorAttributes(NeedsDestruction, HeapCell::JSCell))
+{
+}
+
+JSDestructibleObjectHeapCellType::~JSDestructibleObjectHeapCellType()
+{
+}
+
+void JSDestructibleObjectHeapCellType::finishSweep(MarkedBlock::Handle& handle, FreeList* freeList)
+{
+    handle.finishSweepKnowingHeapCellType(freeList, DestroyFunc());
+}
+
+void JSDestructibleObjectHeapCellType::destroy(VM& vm, JSCell* cell)
+{
+    DestroyFunc()(vm, cell);
+}
+
+} // namespace JSC
+
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSDestructibleObjectHeapCellTypehfromrev224536trunkSourceJavaScriptCoreruntimeJSDestructibleObjectSubspaceh"></a>
<div class="copfile"><h4>Copied: trunk/Source/JavaScriptCore/runtime/JSDestructibleObjectHeapCellType.h (from rev 224536, trunk/Source/JavaScriptCore/runtime/JSDestructibleObjectSubspace.h) (0 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSDestructibleObjectHeapCellType.h                           (rev 0)
+++ trunk/Source/JavaScriptCore/runtime/JSDestructibleObjectHeapCellType.h      2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -0,0 +1,42 @@
</span><ins>+/*
+ * Copyright (C) 2017 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */
+
+#pragma once
+
+#include "HeapCellType.h"
+
+namespace JSC {
+
+class JSDestructibleObjectHeapCellType : public HeapCellType {
+public:
+    JS_EXPORT_PRIVATE JSDestructibleObjectHeapCellType();
+    JS_EXPORT_PRIVATE virtual ~JSDestructibleObjectHeapCellType();
+    
+    void finishSweep(MarkedBlock::Handle&, FreeList*) override;
+    void destroy(VM&, JSCell*) override;
+};
+
+} // namespace JSC
+
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSDestructibleObjectSubspacecpp"></a>
<div class="delfile"><h4>Deleted: trunk/Source/JavaScriptCore/runtime/JSDestructibleObjectSubspace.cpp (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSDestructibleObjectSubspace.cpp     2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/JavaScriptCore/runtime/JSDestructibleObjectSubspace.cpp        2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -1,66 +0,0 @@
</span><del>-/*
- * Copyright (C) 2017 Apple Inc. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
- * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
- * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- */
-
-#include "config.h"
-#include "JSDestructibleObjectSubspace.h"
-
-#include "MarkedBlockInlines.h"
-#include "JSCInlines.h"
-#include "SubspaceInlines.h"
-
-namespace JSC {
-
-namespace {
-
-struct DestroyFunc {
-    ALWAYS_INLINE void operator()(VM&, JSCell* cell) const
-    {
-        static_cast<JSDestructibleObject*>(cell)->classInfo()->methodTable.destroy(cell);
-    }
-};
-
-} // anonymous namespace
-
-JSDestructibleObjectSubspace::JSDestructibleObjectSubspace(CString name, Heap& heap, AlignedMemoryAllocator* allocator)
-    : Subspace(name, heap, AllocatorAttributes(NeedsDestruction, HeapCell::JSCell), allocator)
-{
-}
-
-JSDestructibleObjectSubspace::~JSDestructibleObjectSubspace()
-{
-}
-
-void JSDestructibleObjectSubspace::finishSweep(MarkedBlock::Handle& handle, FreeList* freeList)
-{
-    handle.finishSweepKnowingSubspace(freeList, DestroyFunc());
-}
-
-void JSDestructibleObjectSubspace::destroy(VM& vm, JSCell* cell)
-{
-    DestroyFunc()(vm, cell);
-}
-
-} // namespace JSC
-
</del></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSDestructibleObjectSubspaceh"></a>
<div class="delfile"><h4>Deleted: trunk/Source/JavaScriptCore/runtime/JSDestructibleObjectSubspace.h (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSDestructibleObjectSubspace.h       2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/JavaScriptCore/runtime/JSDestructibleObjectSubspace.h  2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -1,42 +0,0 @@
</span><del>-/*
- * Copyright (C) 2017 Apple Inc. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
- * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
- * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- */
-
-#pragma once
-
-#include "Subspace.h"
-
-namespace JSC {
-
-class JSDestructibleObjectSubspace : public Subspace {
-public:
-    JS_EXPORT_PRIVATE JSDestructibleObjectSubspace(CString name, Heap&, AlignedMemoryAllocator*);
-    JS_EXPORT_PRIVATE virtual ~JSDestructibleObjectSubspace();
-    
-    void finishSweep(MarkedBlock::Handle&, FreeList*) override;
-    void destroy(VM&, JSCell*) override;
-};
-
-} // namespace JSC
-
</del></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSLexicalEnvironmenth"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSLexicalEnvironment.h (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSLexicalEnvironment.h       2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/JavaScriptCore/runtime/JSLexicalEnvironment.h  2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -41,7 +41,7 @@
</span><span class="cx">     friend class LLIntOffsetsExtractor;
</span><span class="cx"> public:
</span><span class="cx">     template<typename CellType>
</span><del>-    static Subspace* subspaceFor(VM& vm)
</del><ins>+    static CompleteSubspace* subspaceFor(VM& vm)
</ins><span class="cx">     {
</span><span class="cx">         RELEASE_ASSERT(!CellType::needsDestruction);
</span><span class="cx">         return &vm.jsValueGigacageCellSpace;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSSegmentedVariableObjecth"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSSegmentedVariableObject.h (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSSegmentedVariableObject.h  2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/JavaScriptCore/runtime/JSSegmentedVariableObject.h     2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -89,7 +89,7 @@
</span><span class="cx">     static void destroy(JSCell*);
</span><span class="cx">     
</span><span class="cx">     template<typename>
</span><del>-    static Subspace* subspaceFor(VM& vm)
</del><ins>+    static CompleteSubspace* subspaceFor(VM& vm)
</ins><span class="cx">     {
</span><span class="cx">         return &vm.segmentedVariableObjectSpace;
</span><span class="cx">     }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSSegmentedVariableObjectHeapCellTypecppfromrev224536trunkSourceJavaScriptCoreruntimeJSSegmentedVariableObjectSubspacecpp"></a>
<div class="copfile"><h4>Copied: trunk/Source/JavaScriptCore/runtime/JSSegmentedVariableObjectHeapCellType.cpp (from rev 224536, trunk/Source/JavaScriptCore/runtime/JSSegmentedVariableObjectSubspace.cpp) (0 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSSegmentedVariableObjectHeapCellType.cpp                            (rev 0)
+++ trunk/Source/JavaScriptCore/runtime/JSSegmentedVariableObjectHeapCellType.cpp       2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -0,0 +1,65 @@
</span><ins>+/*
+ * Copyright (C) 2017 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */
+
+#include "config.h"
+#include "JSSegmentedVariableObjectHeapCellType.h"
+
+#include "JSCInlines.h"
+#include "MarkedBlockInlines.h"
+
+namespace JSC {
+
+namespace {
+
+struct DestroyFunc {
+    ALWAYS_INLINE void operator()(VM&, JSCell* cell) const
+    {
+        static_cast<JSSegmentedVariableObject*>(cell)->classInfo()->methodTable.destroy(cell);
+    }
+};
+
+} // anonymous namespace
+
+JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType()
+    : HeapCellType(AllocatorAttributes(NeedsDestruction, HeapCell::JSCell))
+{
+}
+
+JSSegmentedVariableObjectHeapCellType::~JSSegmentedVariableObjectHeapCellType()
+{
+}
+
+void JSSegmentedVariableObjectHeapCellType::finishSweep(MarkedBlock::Handle& handle, FreeList* freeList)
+{
+    handle.finishSweepKnowingHeapCellType(freeList, DestroyFunc());
+}
+
+void JSSegmentedVariableObjectHeapCellType::destroy(VM& vm, JSCell* cell)
+{
+    DestroyFunc()(vm, cell);
+}
+
+} // namespace JSC
+
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSSegmentedVariableObjectHeapCellTypehfromrev224536trunkSourceJavaScriptCoreruntimeJSSegmentedVariableObjectSubspaceh"></a>
<div class="copfile"><h4>Copied: trunk/Source/JavaScriptCore/runtime/JSSegmentedVariableObjectHeapCellType.h (from rev 224536, trunk/Source/JavaScriptCore/runtime/JSSegmentedVariableObjectSubspace.h) (0 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSSegmentedVariableObjectHeapCellType.h                              (rev 0)
+++ trunk/Source/JavaScriptCore/runtime/JSSegmentedVariableObjectHeapCellType.h 2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -0,0 +1,42 @@
</span><ins>+/*
+ * Copyright (C) 2017 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */
+
+#pragma once
+
+#include "HeapCellType.h"
+
+namespace JSC {
+
+class JSSegmentedVariableObjectHeapCellType : public HeapCellType {
+public:
+    JS_EXPORT_PRIVATE JSSegmentedVariableObjectHeapCellType();
+    JS_EXPORT_PRIVATE virtual ~JSSegmentedVariableObjectHeapCellType();
+    
+    void finishSweep(MarkedBlock::Handle&, FreeList*) override;
+    void destroy(VM&, JSCell*) override;
+};
+
+} // namespace JSC
+
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSSegmentedVariableObjectSubspacecpp"></a>
<div class="delfile"><h4>Deleted: trunk/Source/JavaScriptCore/runtime/JSSegmentedVariableObjectSubspace.cpp (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSSegmentedVariableObjectSubspace.cpp        2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/JavaScriptCore/runtime/JSSegmentedVariableObjectSubspace.cpp   2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -1,66 +0,0 @@
</span><del>-/*
- * Copyright (C) 2017 Apple Inc. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
- * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
- * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- */
-
-#include "config.h"
-#include "JSSegmentedVariableObjectSubspace.h"
-
-#include "JSCInlines.h"
-#include "MarkedBlockInlines.h"
-#include "SubspaceInlines.h"
-
-namespace JSC {
-
-namespace {
-
-struct DestroyFunc {
-    ALWAYS_INLINE void operator()(VM&, JSCell* cell) const
-    {
-        static_cast<JSSegmentedVariableObject*>(cell)->classInfo()->methodTable.destroy(cell);
-    }
-};
-
-} // anonymous namespace
-
-JSSegmentedVariableObjectSubspace::JSSegmentedVariableObjectSubspace(CString name, Heap& heap, AlignedMemoryAllocator* allocator)
-    : Subspace(name, heap, AllocatorAttributes(NeedsDestruction, HeapCell::JSCell), allocator)
-{
-}
-
-JSSegmentedVariableObjectSubspace::~JSSegmentedVariableObjectSubspace()
-{
-}
-
-void JSSegmentedVariableObjectSubspace::finishSweep(MarkedBlock::Handle& handle, FreeList* freeList)
-{
-    handle.finishSweepKnowingSubspace(freeList, DestroyFunc());
-}
-
-void JSSegmentedVariableObjectSubspace::destroy(VM& vm, JSCell* cell)
-{
-    DestroyFunc()(vm, cell);
-}
-
-} // namespace JSC
-
</del></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSSegmentedVariableObjectSubspaceh"></a>
<div class="delfile"><h4>Deleted: trunk/Source/JavaScriptCore/runtime/JSSegmentedVariableObjectSubspace.h (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSSegmentedVariableObjectSubspace.h  2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/JavaScriptCore/runtime/JSSegmentedVariableObjectSubspace.h     2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -1,42 +0,0 @@
</span><del>-/*
- * Copyright (C) 2017 Apple Inc. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
- * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
- * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- */
-
-#pragma once
-
-#include "Subspace.h"
-
-namespace JSC {
-
-class JSSegmentedVariableObjectSubspace : public Subspace {
-public:
-    JS_EXPORT_PRIVATE JSSegmentedVariableObjectSubspace(CString name, Heap&, AlignedMemoryAllocator*);
-    JS_EXPORT_PRIVATE virtual ~JSSegmentedVariableObjectSubspace();
-    
-    void finishSweep(MarkedBlock::Handle&, FreeList*) override;
-    void destroy(VM&, JSCell*) override;
-};
-
-} // namespace JSC
-
</del></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSStringh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSString.h (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSString.h   2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/JavaScriptCore/runtime/JSString.h      2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -91,7 +91,7 @@
</span><span class="cx">     // We specialize the string subspace to get the fastest possible sweep. This wouldn't be
</span><span class="cx">     // necessary if JSString didn't have a destructor.
</span><span class="cx">     template<typename>
</span><del>-    static Subspace* subspaceFor(VM& vm)
</del><ins>+    static CompleteSubspace* subspaceFor(VM& vm)
</ins><span class="cx">     {
</span><span class="cx">         return &vm.stringSpace;
</span><span class="cx">     }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSStringHeapCellTypecppfromrev224536trunkSourceJavaScriptCoreruntimeJSStringSubspacecpp"></a>
<div class="copfile"><h4>Copied: trunk/Source/JavaScriptCore/runtime/JSStringHeapCellType.cpp (from rev 224536, trunk/Source/JavaScriptCore/runtime/JSStringSubspace.cpp) (0 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSStringHeapCellType.cpp                             (rev 0)
+++ trunk/Source/JavaScriptCore/runtime/JSStringHeapCellType.cpp        2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -0,0 +1,65 @@
</span><ins>+/*
+ * Copyright (C) 2017 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */
+
+#include "config.h"
+#include "JSStringHeapCellType.h"
+
+#include "MarkedBlockInlines.h"
+#include "JSCInlines.h"
+
+namespace JSC {
+
+namespace {
+
+struct DestroyFunc {
+    ALWAYS_INLINE void operator()(VM&, JSCell* cell) const
+    {
+        static_cast<JSString*>(cell)->JSString::~JSString();
+    }
+};
+
+} // anonymous namespace
+
+JSStringHeapCellType::JSStringHeapCellType()
+    : HeapCellType(AllocatorAttributes(NeedsDestruction, HeapCell::JSCell))
+{
+}
+
+JSStringHeapCellType::~JSStringHeapCellType()
+{
+}
+
+void JSStringHeapCellType::finishSweep(MarkedBlock::Handle& handle, FreeList* freeList)
+{
+    handle.finishSweepKnowingHeapCellType(freeList, DestroyFunc());
+}
+
+void JSStringHeapCellType::destroy(VM& vm, JSCell* cell)
+{
+    DestroyFunc()(vm, cell);
+}
+
+} // namespace JSC
+
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSStringHeapCellTypehfromrev224536trunkSourceJavaScriptCoreruntimeJSStringSubspaceh"></a>
<div class="copfile"><h4>Copied: trunk/Source/JavaScriptCore/runtime/JSStringHeapCellType.h (from rev 224536, trunk/Source/JavaScriptCore/runtime/JSStringSubspace.h) (0 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSStringHeapCellType.h                               (rev 0)
+++ trunk/Source/JavaScriptCore/runtime/JSStringHeapCellType.h  2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -0,0 +1,42 @@
</span><ins>+/*
+ * Copyright (C) 2017 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */
+
+#pragma once
+
+#include "HeapCellType.h"
+
+namespace JSC {
+
+class JSStringHeapCellType : public HeapCellType {
+public:
+    JS_EXPORT_PRIVATE JSStringHeapCellType();
+    JS_EXPORT_PRIVATE virtual ~JSStringHeapCellType();
+    
+    void finishSweep(MarkedBlock::Handle&, FreeList*) override;
+    void destroy(VM&, JSCell*) override;
+};
+
+} // namespace JSC
+
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSStringSubspacecpp"></a>
<div class="delfile"><h4>Deleted: trunk/Source/JavaScriptCore/runtime/JSStringSubspace.cpp (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSStringSubspace.cpp 2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/JavaScriptCore/runtime/JSStringSubspace.cpp    2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -1,66 +0,0 @@
</span><del>-/*
- * Copyright (C) 2017 Apple Inc. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
- * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
- * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- */
-
-#include "config.h"
-#include "JSStringSubspace.h"
-
-#include "MarkedBlockInlines.h"
-#include "JSCInlines.h"
-#include "SubspaceInlines.h"
-
-namespace JSC {
-
-namespace {
-
-struct DestroyFunc {
-    ALWAYS_INLINE void operator()(VM&, JSCell* cell) const
-    {
-        static_cast<JSString*>(cell)->JSString::~JSString();
-    }
-};
-
-} // anonymous namespace
-
-JSStringSubspace::JSStringSubspace(CString name, Heap& heap, AlignedMemoryAllocator* allocator)
-    : Subspace(name, heap, AllocatorAttributes(NeedsDestruction, HeapCell::JSCell), allocator)
-{
-}
-
-JSStringSubspace::~JSStringSubspace()
-{
-}
-
-void JSStringSubspace::finishSweep(MarkedBlock::Handle& handle, FreeList* freeList)
-{
-    handle.finishSweepKnowingSubspace(freeList, DestroyFunc());
-}
-
-void JSStringSubspace::destroy(VM& vm, JSCell* cell)
-{
-    DestroyFunc()(vm, cell);
-}
-
-} // namespace JSC
-
</del></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSStringSubspaceh"></a>
<div class="delfile"><h4>Deleted: trunk/Source/JavaScriptCore/runtime/JSStringSubspace.h (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSStringSubspace.h   2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/JavaScriptCore/runtime/JSStringSubspace.h      2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -1,42 +0,0 @@
</span><del>-/*
- * Copyright (C) 2017 Apple Inc. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
- * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
- * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- */
-
-#pragma once
-
-#include "Subspace.h"
-
-namespace JSC {
-
-class JSStringSubspace : public Subspace {
-public:
-    JS_EXPORT_PRIVATE JSStringSubspace(CString name, Heap&, AlignedMemoryAllocator*);
-    JS_EXPORT_PRIVATE virtual ~JSStringSubspace();
-    
-    void finishSweep(MarkedBlock::Handle&, FreeList*) override;
-    void destroy(VM&, JSCell*) override;
-};
-
-} // namespace JSC
-
</del></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeModuleProgramExecutableh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/ModuleProgramExecutable.h (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/ModuleProgramExecutable.h    2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/JavaScriptCore/runtime/ModuleProgramExecutable.h       2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -35,6 +35,12 @@
</span><span class="cx">     typedef ScriptExecutable Base;
</span><span class="cx">     static const unsigned StructureFlags = Base::StructureFlags | StructureIsImmortal;
</span><span class="cx"> 
</span><ins>+    template<typename CellType>
+    static IsoSubspace* subspaceFor(VM& vm)
+    {
+        return &vm.moduleProgramExecutableSpace;
+    }
+
</ins><span class="cx">     static ModuleProgramExecutable* create(ExecState*, const SourceCode&);
</span><span class="cx"> 
</span><span class="cx">     static void destroy(JSCell*);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeNativeExecutableh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/NativeExecutable.h (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/NativeExecutable.h   2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/JavaScriptCore/runtime/NativeExecutable.h      2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2009, 2010, 2013-2016 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2009-2017 Apple Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -42,6 +42,12 @@
</span><span class="cx">     static NativeExecutable* create(VM&, Ref<JITCode>&& callThunk, NativeFunction function, Ref<JITCode>&& constructThunk, NativeFunction constructor, Intrinsic, const DOMJIT::Signature*, const String& name);
</span><span class="cx"> 
</span><span class="cx">     static void destroy(JSCell*);
</span><ins>+    
+    template<typename CellType>
+    static IsoSubspace* subspaceFor(VM& vm)
+    {
+        return &vm.nativeExecutableSpace;
+    }
</ins><span class="cx"> 
</span><span class="cx">     CodeBlockHash hashFor(CodeSpecializationKind) const;
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeProgramExecutableh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/ProgramExecutable.h (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/ProgramExecutable.h  2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/JavaScriptCore/runtime/ProgramExecutable.h     2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -35,6 +35,12 @@
</span><span class="cx">     typedef ScriptExecutable Base;
</span><span class="cx">     static const unsigned StructureFlags = Base::StructureFlags | StructureIsImmortal;
</span><span class="cx"> 
</span><ins>+    template<typename CellType>
+    static IsoSubspace* subspaceFor(VM& vm)
+    {
+        return &vm.programExecutableSpace;
+    }
+
</ins><span class="cx">     static ProgramExecutable* create(ExecState* exec, const SourceCode& source)
</span><span class="cx">     {
</span><span class="cx">         VM& vm = exec->vm();
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeRegExpMatchesArrayh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/RegExpMatchesArray.h (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/RegExpMatchesArray.h 2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/JavaScriptCore/runtime/RegExpMatchesArray.h    2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -42,7 +42,7 @@
</span><span class="cx"> 
</span><span class="cx">     JSGlobalObject* globalObject = structure->globalObject();
</span><span class="cx">     bool createUninitialized = globalObject->isOriginalArrayStructure(structure);
</span><del>-    void* temp = vm.jsValueGigacageAuxiliarySpace.tryAllocate(deferralContext, Butterfly::totalSize(0, structure->outOfLineCapacity(), true, vectorLength * sizeof(EncodedJSValue)));
</del><ins>+    void* temp = vm.jsValueGigacageAuxiliarySpace.allocateNonVirtual(Butterfly::totalSize(0, structure->outOfLineCapacity(), true, vectorLength * sizeof(EncodedJSValue)), deferralContext, AllocationFailureMode::ReturnNull);
</ins><span class="cx">     if (UNLIKELY(!temp))
</span><span class="cx">         return nullptr;
</span><span class="cx">     Butterfly* butterfly = Butterfly::fromBase(temp, 0, structure->outOfLineCapacity());
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeScopedArgumentsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/ScopedArguments.h (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/ScopedArguments.h    2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/JavaScriptCore/runtime/ScopedArguments.h       2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -43,7 +43,7 @@
</span><span class="cx"> 
</span><span class="cx"> public:
</span><span class="cx">     template<typename CellType>
</span><del>-    static Subspace* subspaceFor(VM& vm)
</del><ins>+    static CompleteSubspace* subspaceFor(VM& vm)
</ins><span class="cx">     {
</span><span class="cx">         RELEASE_ASSERT(!CellType::needsDestruction);
</span><span class="cx">         return &vm.jsValueGigacageCellSpace;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeVMcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/VM.cpp (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/VM.cpp       2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/JavaScriptCore/runtime/VM.cpp  2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -39,6 +39,7 @@
</span><span class="cx"> #include "CommonSlowPaths.h"
</span><span class="cx"> #include "CustomGetterSetter.h"
</span><span class="cx"> #include "DFGWorklist.h"
</span><ins>+#include "DirectEvalExecutable.h"
</ins><span class="cx"> #include "Disassembler.h"
</span><span class="cx"> #include "ErrorInstance.h"
</span><span class="cx"> #include "EvalCodeBlock.h"
</span><span class="lines">@@ -47,6 +48,7 @@
</span><span class="cx"> #include "FastMallocAlignedMemoryAllocator.h"
</span><span class="cx"> #include "FunctionCodeBlock.h"
</span><span class="cx"> #include "FunctionConstructor.h"
</span><ins>+#include "FunctionExecutable.h"
</ins><span class="cx"> #include "GCActivityCallback.h"
</span><span class="cx"> #include "GetterSetter.h"
</span><span class="cx"> #include "GigacageAlignedMemoryAllocator.h"
</span><span class="lines">@@ -57,6 +59,7 @@
</span><span class="cx"> #include "HostCallReturnValue.h"
</span><span class="cx"> #include "Identifier.h"
</span><span class="cx"> #include "IncrementalSweeper.h"
</span><ins>+#include "IndirectEvalExecutable.h"
</ins><span class="cx"> #include "InferredTypeTable.h"
</span><span class="cx"> #include "Interpreter.h"
</span><span class="cx"> #include "JITCode.h"
</span><span class="lines">@@ -64,6 +67,7 @@
</span><span class="cx"> #include "JSAPIValueWrapper.h"
</span><span class="cx"> #include "JSArray.h"
</span><span class="cx"> #include "JSCInlines.h"
</span><ins>+#include "JSDestructibleObjectHeapCellType.h"
</ins><span class="cx"> #include "JSFixedArray.h"
</span><span class="cx"> #include "JSFunction.h"
</span><span class="cx"> #include "JSGlobalObjectFunctions.h"
</span><span class="lines">@@ -73,13 +77,16 @@
</span><span class="cx"> #include "JSMapIterator.h"
</span><span class="cx"> #include "JSPromiseDeferred.h"
</span><span class="cx"> #include "JSPropertyNameEnumerator.h"
</span><ins>+#include "JSSegmentedVariableObjectHeapCellType.h"
</ins><span class="cx"> #include "JSScriptFetchParameters.h"
</span><span class="cx"> #include "JSScriptFetcher.h"
</span><span class="cx"> #include "JSSet.h"
</span><span class="cx"> #include "JSSetIterator.h"
</span><span class="cx"> #include "JSSourceCode.h"
</span><ins>+#include "JSStringHeapCellType.h"
</ins><span class="cx"> #include "JSTemplateRegistryKey.h"
</span><span class="cx"> #include "JSWebAssembly.h"
</span><ins>+#include "JSWebAssemblyCodeBlockHeapCellType.h"
</ins><span class="cx"> #include "JSWithScope.h"
</span><span class="cx"> #include "LLIntData.h"
</span><span class="cx"> #include "Lexer.h"
</span><span class="lines">@@ -86,11 +93,14 @@
</span><span class="cx"> #include "Lookup.h"
</span><span class="cx"> #include "MinimumReservedZoneSize.h"
</span><span class="cx"> #include "ModuleProgramCodeBlock.h"
</span><ins>+#include "ModuleProgramExecutable.h"
+#include "NativeExecutable.h"
</ins><span class="cx"> #include "NativeStdFunctionCell.h"
</span><span class="cx"> #include "Nodes.h"
</span><span class="cx"> #include "Parser.h"
</span><span class="cx"> #include "ProfilerDatabase.h"
</span><span class="cx"> #include "ProgramCodeBlock.h"
</span><ins>+#include "ProgramExecutable.h"
</ins><span class="cx"> #include "PromiseDeferredTimer.h"
</span><span class="cx"> #include "PropertyMapHashTable.h"
</span><span class="cx"> #include "RegExpCache.h"
</span><span class="lines">@@ -171,18 +181,33 @@
</span><span class="cx">     , fastMallocAllocator(std::make_unique<FastMallocAlignedMemoryAllocator>())
</span><span class="cx">     , primitiveGigacageAllocator(std::make_unique<GigacageAlignedMemoryAllocator>(Gigacage::Primitive))
</span><span class="cx">     , jsValueGigacageAllocator(std::make_unique<GigacageAlignedMemoryAllocator>(Gigacage::JSValue))
</span><del>-    , primitiveGigacageAuxiliarySpace("Primitive Gigacage Auxiliary", heap, AllocatorAttributes(DoesNotNeedDestruction, HeapCell::Auxiliary), primitiveGigacageAllocator.get())
-    , jsValueGigacageAuxiliarySpace("JSValue Gigacage Auxiliary", heap, AllocatorAttributes(DoesNotNeedDestruction, HeapCell::Auxiliary), jsValueGigacageAllocator.get())
-    , cellSpace("JSCell", heap, AllocatorAttributes(DoesNotNeedDestruction, HeapCell::JSCell), fastMallocAllocator.get())
-    , jsValueGigacageCellSpace("JSValue Gigacage JSCell", heap, AllocatorAttributes(DoesNotNeedDestruction, HeapCell::JSCell), jsValueGigacageAllocator.get())
-    , destructibleCellSpace("Destructible JSCell", heap, AllocatorAttributes(NeedsDestruction, HeapCell::JSCell), fastMallocAllocator.get())
-    , stringSpace("JSString", heap, fastMallocAllocator.get())
-    , destructibleObjectSpace("JSDestructibleObject", heap, fastMallocAllocator.get())
-    , eagerlySweptDestructibleObjectSpace("Eagerly Swept JSDestructibleObject", heap, fastMallocAllocator.get())
-    , segmentedVariableObjectSpace("JSSegmentedVariableObjectSpace", heap, fastMallocAllocator.get())
</del><ins>+    , auxiliaryHeapCellType(std::make_unique<HeapCellType>(AllocatorAttributes(DoesNotNeedDestruction, HeapCell::Auxiliary)))
+    , cellHeapCellType(std::make_unique<HeapCellType>(AllocatorAttributes(DoesNotNeedDestruction, HeapCell::JSCell)))
+    , destructibleCellHeapCellType(std::make_unique<HeapCellType>(AllocatorAttributes(NeedsDestruction, HeapCell::JSCell)))
+    , stringHeapCellType(std::make_unique<JSStringHeapCellType>())
+    , destructibleObjectHeapCellType(std::make_unique<JSDestructibleObjectHeapCellType>())
+    , segmentedVariableObjectHeapCellType(std::make_unique<JSSegmentedVariableObjectHeapCellType>())
</ins><span class="cx"> #if ENABLE(WEBASSEMBLY)
</span><del>-    , webAssemblyCodeBlockSpace("JSWebAssemblyCodeBlockSpace", heap, fastMallocAllocator.get())
</del><ins>+    , webAssemblyCodeBlockHeapCellType(std::make_unique<JSWebAssemblyCodeBlockHeapCellType>())
</ins><span class="cx"> #endif
</span><ins>+    , primitiveGigacageAuxiliarySpace("Primitive Gigacage Auxiliary", heap, auxiliaryHeapCellType.get(), primitiveGigacageAllocator.get())
+    , jsValueGigacageAuxiliarySpace("JSValue Gigacage Auxiliary", heap, auxiliaryHeapCellType.get(), jsValueGigacageAllocator.get())
+    , cellSpace("JSCell", heap, cellHeapCellType.get(), fastMallocAllocator.get())
+    , jsValueGigacageCellSpace("JSValue Gigacage JSCell", heap, cellHeapCellType.get(), jsValueGigacageAllocator.get())
+    , destructibleCellSpace("Destructible JSCell", heap, destructibleCellHeapCellType.get(), fastMallocAllocator.get())
+    , stringSpace("JSString", heap, stringHeapCellType.get(), fastMallocAllocator.get())
+    , destructibleObjectSpace("JSDestructibleObject", heap, destructibleObjectHeapCellType.get(), fastMallocAllocator.get())
+    , eagerlySweptDestructibleObjectSpace("Eagerly Swept JSDestructibleObject", heap, destructibleObjectHeapCellType.get(), fastMallocAllocator.get())
+    , segmentedVariableObjectSpace("JSSegmentedVariableObjectSpace", heap, segmentedVariableObjectHeapCellType.get(), fastMallocAllocator.get())
+#if ENABLE(WEBASSEMBLY)
+    , webAssemblyCodeBlockSpace("JSWebAssemblyCodeBlockSpace", heap, webAssemblyCodeBlockHeapCellType.get(), fastMallocAllocator.get())
+#endif
+    , nativeExecutableSpace ISO_SUBSPACE_INIT(heap, destructibleCellHeapCellType.get(), NativeExecutable)
+    , directEvalExecutableSpace ISO_SUBSPACE_INIT(heap, destructibleCellHeapCellType.get(), DirectEvalExecutable)
+    , indirectEvalExecutableSpace ISO_SUBSPACE_INIT(heap, destructibleCellHeapCellType.get(), IndirectEvalExecutable)
+    , functionExecutableSpace ISO_SUBSPACE_INIT(heap, destructibleCellHeapCellType.get(), FunctionExecutable)
+    , moduleProgramExecutableSpace ISO_SUBSPACE_INIT(heap, destructibleCellHeapCellType.get(), ModuleProgramExecutable)
+    , programExecutableSpace ISO_SUBSPACE_INIT(heap, destructibleCellHeapCellType.get(), ProgramExecutable)
</ins><span class="cx">     , vmType(vmType)
</span><span class="cx">     , clientData(0)
</span><span class="cx">     , topEntryFrame(nullptr)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeVMh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/VM.h (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/VM.h 2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/JavaScriptCore/runtime/VM.h    2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -30,6 +30,7 @@
</span><span class="cx"> 
</span><span class="cx"> #include "CallData.h"
</span><span class="cx"> #include "CodeSpecializationKind.h"
</span><ins>+#include "CompleteSubspace.h"
</ins><span class="cx"> #include "ConcurrentJSLock.h"
</span><span class="cx"> #include "ControlFlowProfiler.h"
</span><span class="cx"> #include "DateInstanceCache.h"
</span><span class="lines">@@ -39,13 +40,10 @@
</span><span class="cx"> #include "FunctionHasExecutedCache.h"
</span><span class="cx"> #include "Heap.h"
</span><span class="cx"> #include "Intrinsic.h"
</span><ins>+#include "IsoSubspace.h"
</ins><span class="cx"> #include "JITThunks.h"
</span><span class="cx"> #include "JSCJSValue.h"
</span><del>-#include "JSDestructibleObjectSubspace.h"
</del><span class="cx"> #include "JSLock.h"
</span><del>-#include "JSSegmentedVariableObjectSubspace.h"
-#include "JSStringSubspace.h"
-#include "JSWebAssemblyCodeBlockSubspace.h"
</del><span class="cx"> #include "MacroAssemblerCodeRef.h"
</span><span class="cx"> #include "Microtask.h"
</span><span class="cx"> #include "NumericStrings.h"
</span><span class="lines">@@ -52,7 +50,6 @@
</span><span class="cx"> #include "SmallStrings.h"
</span><span class="cx"> #include "Strong.h"
</span><span class="cx"> #include "StructureCache.h"
</span><del>-#include "Subspace.h"
</del><span class="cx"> #include "TemplateRegistryKeyTable.h"
</span><span class="cx"> #include "VMEntryRecord.h"
</span><span class="cx"> #include "VMTraps.h"
</span><span class="lines">@@ -108,9 +105,13 @@
</span><span class="cx"> class Identifier;
</span><span class="cx"> class Interpreter;
</span><span class="cx"> class JSCustomGetterSetterFunction;
</span><ins>+class JSDestructibleObjectHeapCellType;
</ins><span class="cx"> class JSGlobalObject;
</span><span class="cx"> class JSObject;
</span><span class="cx"> class JSRunLoopTimer;
</span><ins>+class JSSegmentedVariableObjectHeapCellType;
+class JSStringHeapCellType;
+class JSWebAssemblyCodeBlockHeapCellType;
</ins><span class="cx"> class JSWebAssemblyInstance;
</span><span class="cx"> class LLIntOffsetsExtractor;
</span><span class="cx"> class NativeExecutable;
</span><span class="lines">@@ -290,9 +291,19 @@
</span><span class="cx">     std::unique_ptr<FastMallocAlignedMemoryAllocator> fastMallocAllocator;
</span><span class="cx">     std::unique_ptr<GigacageAlignedMemoryAllocator> primitiveGigacageAllocator;
</span><span class="cx">     std::unique_ptr<GigacageAlignedMemoryAllocator> jsValueGigacageAllocator;
</span><ins>+
+    std::unique_ptr<HeapCellType> auxiliaryHeapCellType;
+    std::unique_ptr<HeapCellType> cellHeapCellType;
+    std::unique_ptr<HeapCellType> destructibleCellHeapCellType;
+    std::unique_ptr<JSStringHeapCellType> stringHeapCellType;
+    std::unique_ptr<JSDestructibleObjectHeapCellType> destructibleObjectHeapCellType;
+    std::unique_ptr<JSSegmentedVariableObjectHeapCellType> segmentedVariableObjectHeapCellType;
+#if ENABLE(WEBASSEMBLY)
+    std::unique_ptr<JSWebAssemblyCodeBlockHeapCellType> webAssemblyCodeBlockHeapCellType;
+#endif
</ins><span class="cx">     
</span><del>-    Subspace primitiveGigacageAuxiliarySpace; // Typed arrays, strings, bitvectors, etc go here.
-    Subspace jsValueGigacageAuxiliarySpace; // Butterflies, arrays of JSValues, etc go here.
</del><ins>+    CompleteSubspace primitiveGigacageAuxiliarySpace; // Typed arrays, strings, bitvectors, etc go here.
+    CompleteSubspace jsValueGigacageAuxiliarySpace; // Butterflies, arrays of JSValues, etc go here.
</ins><span class="cx"> 
</span><span class="cx">     // We make cross-cutting assumptions about typed arrays being in the primitive Gigacage and butterflies
</span><span class="cx">     // being in the JSValue gigacage. For some types, it's super obvious where they should go, and so we
</span><span class="lines">@@ -300,7 +311,7 @@
</span><span class="cx">     // constant somewhere.
</span><span class="cx">     // FIXME: Maybe it would be better if everyone abstracted this?
</span><span class="cx">     // https://bugs.webkit.org/show_bug.cgi?id=175248
</span><del>-    ALWAYS_INLINE Subspace& gigacageAuxiliarySpace(Gigacage::Kind kind)
</del><ins>+    ALWAYS_INLINE CompleteSubspace& gigacageAuxiliarySpace(Gigacage::Kind kind)
</ins><span class="cx">     {
</span><span class="cx">         switch (kind) {
</span><span class="cx">         case Gigacage::Primitive:
</span><span class="lines">@@ -315,16 +326,23 @@
</span><span class="cx">     }
</span><span class="cx">     
</span><span class="cx">     // Whenever possible, use subspaceFor<CellType>(vm) to get one of these subspaces.
</span><del>-    Subspace cellSpace;
-    Subspace jsValueGigacageCellSpace;
-    Subspace destructibleCellSpace;
-    JSStringSubspace stringSpace;
-    JSDestructibleObjectSubspace destructibleObjectSpace;
-    JSDestructibleObjectSubspace eagerlySweptDestructibleObjectSpace;
-    JSSegmentedVariableObjectSubspace segmentedVariableObjectSpace;
</del><ins>+    CompleteSubspace cellSpace;
+    CompleteSubspace jsValueGigacageCellSpace;
+    CompleteSubspace destructibleCellSpace;
+    CompleteSubspace stringSpace;
+    CompleteSubspace destructibleObjectSpace;
+    CompleteSubspace eagerlySweptDestructibleObjectSpace;
+    CompleteSubspace segmentedVariableObjectSpace;
</ins><span class="cx"> #if ENABLE(WEBASSEMBLY)
</span><del>-    JSWebAssemblyCodeBlockSubspace webAssemblyCodeBlockSpace;
</del><ins>+    CompleteSubspace webAssemblyCodeBlockSpace;
</ins><span class="cx"> #endif
</span><ins>+    
+    IsoSubspace nativeExecutableSpace;
+    IsoSubspace directEvalExecutableSpace;
+    IsoSubspace indirectEvalExecutableSpace;
+    IsoSubspace functionExecutableSpace;
+    IsoSubspace moduleProgramExecutableSpace;
+    IsoSubspace programExecutableSpace;
</ins><span class="cx"> 
</span><span class="cx">     VMType vmType;
</span><span class="cx">     ClientData* clientData;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorewasmjsJSWebAssemblyCodeBlockh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlock.h (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlock.h     2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlock.h        2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -58,7 +58,7 @@
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     template<typename CellType>
</span><del>-    static Subspace* subspaceFor(VM& vm)
</del><ins>+    static CompleteSubspace* subspaceFor(VM& vm)
</ins><span class="cx">     {
</span><span class="cx">         return &vm.webAssemblyCodeBlockSpace;
</span><span class="cx">     }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorewasmjsJSWebAssemblyCodeBlockHeapCellTypecppfromrev224536trunkSourceJavaScriptCorewasmjsJSWebAssemblyCodeBlockSubspacecpp"></a>
<div class="copfile"><h4>Copied: trunk/Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp (from rev 224536, trunk/Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockSubspace.cpp) (0 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp                               (rev 0)
+++ trunk/Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp  2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -0,0 +1,70 @@
</span><ins>+/*
+ * Copyright (C) 2017 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */
+
+#include "config.h"
+#include "JSWebAssemblyCodeBlockHeapCellType.h"
+
+#if ENABLE(WEBASSEMBLY)
+
+#include "JSCInlines.h"
+#include "JSWebAssemblyCodeBlock.h"
+#include "MarkedBlockInlines.h"
+
+namespace JSC {
+
+namespace {
+
+struct DestroyFunc {
+    ALWAYS_INLINE void operator()(VM&, JSCell* cell) const
+    {
+        static_assert(std::is_final<JSWebAssemblyCodeBlock>::value, "Otherwise, this code would not be correct.");
+        JSWebAssemblyCodeBlock::info()->methodTable.destroy(cell);
+    }
+};
+
+} // anonymous namespace
+
+JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType()
+    : HeapCellType(AllocatorAttributes(NeedsDestruction, HeapCell::JSCell))
+{
+}
+
+JSWebAssemblyCodeBlockHeapCellType::~JSWebAssemblyCodeBlockHeapCellType()
+{
+}
+
+void JSWebAssemblyCodeBlockHeapCellType::finishSweep(MarkedBlock::Handle& handle, FreeList* freeList)
+{
+    handle.finishSweepKnowingHeapCellType(freeList, DestroyFunc());
+}
+
+void JSWebAssemblyCodeBlockHeapCellType::destroy(VM& vm, JSCell* cell)
+{
+    DestroyFunc()(vm, cell);
+}
+
+} // namespace JSC
+
+#endif // ENABLE(WEBASSEMBLY)
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCorewasmjsJSWebAssemblyCodeBlockHeapCellTypehfromrev224536trunkSourceJavaScriptCorewasmjsJSWebAssemblyCodeBlockSubspaceh"></a>
<div class="copfile"><h4>Copied: trunk/Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockHeapCellType.h (from rev 224536, trunk/Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockSubspace.h) (0 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockHeapCellType.h                         (rev 0)
+++ trunk/Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockHeapCellType.h    2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -0,0 +1,45 @@
</span><ins>+/*
+ * Copyright (C) 2017 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */
+
+#pragma once
+
+#if ENABLE(WEBASSEMBLY)
+
+#include "HeapCellType.h"
+
+namespace JSC {
+
+class JSWebAssemblyCodeBlockHeapCellType : public HeapCellType {
+public:
+    JSWebAssemblyCodeBlockHeapCellType();
+    virtual ~JSWebAssemblyCodeBlockHeapCellType();
+    
+    void finishSweep(MarkedBlock::Handle&, FreeList*) override;
+    void destroy(VM&, JSCell*) override;
+};
+
+} // namespace JSC
+
+#endif // ENABLE(WEBASSEMBLY)
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCorewasmjsJSWebAssemblyCodeBlockSubspacecpp"></a>
<div class="delfile"><h4>Deleted: trunk/Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockSubspace.cpp (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockSubspace.cpp   2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockSubspace.cpp      2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -1,71 +0,0 @@
</span><del>-/*
- * Copyright (C) 2017 Apple Inc. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
- * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
- * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- */
-
-#include "config.h"
-#include "JSWebAssemblyCodeBlockSubspace.h"
-
-#if ENABLE(WEBASSEMBLY)
-
-#include "JSCInlines.h"
-#include "JSWebAssemblyCodeBlock.h"
-#include "MarkedBlockInlines.h"
-#include "SubspaceInlines.h"
-
-namespace JSC {
-
-namespace {
-
-struct DestroyFunc {
-    ALWAYS_INLINE void operator()(VM&, JSCell* cell) const
-    {
-        static_assert(std::is_final<JSWebAssemblyCodeBlock>::value, "Otherwise, this code would not be correct.");
-        JSWebAssemblyCodeBlock::info()->methodTable.destroy(cell);
-    }
-};
-
-} // anonymous namespace
-
-JSWebAssemblyCodeBlockSubspace::JSWebAssemblyCodeBlockSubspace(CString name, Heap& heap, AlignedMemoryAllocator* allocator)
-    : Subspace(name, heap, AllocatorAttributes(NeedsDestruction, HeapCell::JSCell), allocator)
-{
-}
-
-JSWebAssemblyCodeBlockSubspace::~JSWebAssemblyCodeBlockSubspace()
-{
-}
-
-void JSWebAssemblyCodeBlockSubspace::finishSweep(MarkedBlock::Handle& handle, FreeList* freeList)
-{
-    handle.finishSweepKnowingSubspace(freeList, DestroyFunc());
-}
-
-void JSWebAssemblyCodeBlockSubspace::destroy(VM& vm, JSCell* cell)
-{
-    DestroyFunc()(vm, cell);
-}
-
-} // namespace JSC
-
-#endif // ENABLE(WEBASSEMBLY)
</del></span></pre></div>
<a id="trunkSourceJavaScriptCorewasmjsJSWebAssemblyCodeBlockSubspaceh"></a>
<div class="delfile"><h4>Deleted: trunk/Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockSubspace.h (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockSubspace.h     2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockSubspace.h        2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -1,45 +0,0 @@
</span><del>-/*
- * Copyright (C) 2017 Apple Inc. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
- * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
- * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- */
-
-#pragma once
-
-#if ENABLE(WEBASSEMBLY)
-
-#include "Subspace.h"
-
-namespace JSC {
-
-class JSWebAssemblyCodeBlockSubspace : public Subspace {
-public:
-    JSWebAssemblyCodeBlockSubspace(CString name, Heap&, AlignedMemoryAllocator*);
-    virtual ~JSWebAssemblyCodeBlockSubspace();
-    
-    void finishSweep(MarkedBlock::Handle&, FreeList*) override;
-    void destroy(VM&, JSCell*) override;
-};
-
-} // namespace JSC
-
-#endif // ENABLE(WEBASSEMBLY)
</del></span></pre></div>
<a id="trunkSourceJavaScriptCorewasmjsJSWebAssemblyMemoryh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/wasm/js/JSWebAssemblyMemory.h (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/wasm/js/JSWebAssemblyMemory.h        2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/JavaScriptCore/wasm/js/JSWebAssemblyMemory.h   2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -42,7 +42,7 @@
</span><span class="cx">     typedef JSDestructibleObject Base;
</span><span class="cx"> 
</span><span class="cx">     template<typename CellType>
</span><del>-    static Subspace* subspaceFor(VM& vm)
</del><ins>+    static CompleteSubspace* subspaceFor(VM& vm)
</ins><span class="cx">     {
</span><span class="cx">         // We hold onto a lot of memory, so it makes a lot of sense to be swept eagerly.
</span><span class="cx">         return &vm.eagerlySweptDestructibleObjectSpace;
</span></span></pre></div>
<a id="trunkSourceWTFChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WTF/ChangeLog (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WTF/ChangeLog       2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/WTF/ChangeLog  2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -1,3 +1,28 @@
</span><ins>+2017-11-29  Filip Pizlo  <fpizlo@apple.com>
+
+        GC should support isoheaps
+        https://bugs.webkit.org/show_bug.cgi?id=179288
+
+        Reviewed by Saam Barati.
+        
+        One of my favorite data structures in the GC is a singly-linked list that knows its tail, so that
+        things get added to it at the end rather that at the beginning. In this patch, I use this to put
+        the same node on multiple lists, which our existing linked list templates also don't support.
+        
+        This adds a new linked list that does those things:
+        
+        - It supports append(). It could also support prepend(), but currently there is no need for it.
+        
+        - It supports nodes that are on multiple lists. The GC uses std::mem_fn() to create a lambda that the
+          list uses to set next.
+
+        * WTF.xcodeproj/project.pbxproj:
+        * wtf/SinglyLinkedListWithTail.h: Added.
+        (WTF::SinglyLinkedListWithTail::isEmpty const):
+        (WTF::SinglyLinkedListWithTail::append):
+        (WTF::SinglyLinkedListWithTail::first const):
+        (WTF::SinglyLinkedListWithTail::last const):
+
</ins><span class="cx"> 2017-11-29  Stanislav Ocovaj  <stanislav.ocovaj@rt-rk.com>
</span><span class="cx"> 
</span><span class="cx">         [DFG][MIPS] Enable DFG JIT on MIPS.
</span></span></pre></div>
<a id="trunkSourceWTFWTFxcodeprojprojectpbxproj"></a>
<div class="modfile"><h4>Modified: trunk/Source/WTF/WTF.xcodeproj/project.pbxproj (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WTF/WTF.xcodeproj/project.pbxproj   2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/WTF/WTF.xcodeproj/project.pbxproj      2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -189,6 +189,7 @@
</span><span class="cx">          0F43D8F01DB5ADDC00108FB6 /* AutomaticThread.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = AutomaticThread.h; sourceTree = "<group>"; };
</span><span class="cx">          0F4570421BE5B58F0062A629 /* Dominators.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = Dominators.h; sourceTree = "<group>"; };
</span><span class="cx">          0F4570441BE834410062A629 /* BubbleSort.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = BubbleSort.h; sourceTree = "<group>"; };
</span><ins>+               0F4D8C711FC1E7CE001D32AC /* SinglyLinkedListWithTail.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SinglyLinkedListWithTail.h; sourceTree = "<group>"; };
</ins><span class="cx">           0F5BF1651F2317830029D91D /* NaturalLoops.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = NaturalLoops.h; sourceTree = "<group>"; };
</span><span class="cx">          0F5BF1741F23D49A0029D91D /* Gigacage.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; path = Gigacage.cpp; sourceTree = "<group>"; };
</span><span class="cx">          0F5BF1751F23D49A0029D91D /* Gigacage.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = Gigacage.h; sourceTree = "<group>"; };
</span><span class="lines">@@ -990,6 +991,7 @@
</span><span class="cx">                          A8A4730A151A825B004123FF /* SimpleStats.h */,
</span><span class="cx">                          795212021F42588800BD6421 /* SingleRootGraph.h */,
</span><span class="cx">                          A8A4730B151A825B004123FF /* SinglyLinkedList.h */,
</span><ins>+                               0F4D8C711FC1E7CE001D32AC /* SinglyLinkedListWithTail.h */,
</ins><span class="cx">                           A748744F17A0BDAE00FA04CB /* SixCharacterHash.cpp */,
</span><span class="cx">                          A748745017A0BDAE00FA04CB /* SixCharacterHash.h */,
</span><span class="cx">                          A8A4730C151A825B004123FF /* SizeLimits.cpp */,
</span></span></pre></div>
<a id="trunkSourceWTFwtfSinglyLinkedListWithTailh"></a>
<div class="addfile"><h4>Added: trunk/Source/WTF/wtf/SinglyLinkedListWithTail.h (0 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WTF/wtf/SinglyLinkedListWithTail.h                          (rev 0)
+++ trunk/Source/WTF/wtf/SinglyLinkedListWithTail.h     2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -0,0 +1,63 @@
</span><ins>+/*
+ * Copyright (C) 2017 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */
+
+#pragma once
+
+#include <wtf/Assertions.h>
+#include <wtf/StdLibExtras.h>
+
+namespace WTF {
+
+template<typename T>
+class SinglyLinkedListWithTail {
+public:
+    bool isEmpty() const { return !m_first; }
+    
+    template<typename SetNextFunc>
+    void append(SetNextFunc&& setNextFunc, T* node)
+    {
+        if (!m_first) {
+            RELEASE_ASSERT(!m_last);
+            m_first = node;
+            m_last = node;
+            return;
+        }
+        
+        std::forward<SetNextFunc>(setNextFunc)(m_last, node);
+        m_last = node;
+    }
+    
+    T* first() const { return m_first; }
+    T* last() const { return m_last; }
+    
+private:
+    T* m_first { nullptr };
+    T* m_last { nullptr };
+};
+
+} // namespace WTF
+
+using WTF::SinglyLinkedListWithTail;
+
</ins></span></pre></div>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog   2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/WebCore/ChangeLog      2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -1,3 +1,28 @@
</span><ins>+2017-11-29  Filip Pizlo  <fpizlo@apple.com>
+
+        GC should support isoheaps
+        https://bugs.webkit.org/show_bug.cgi?id=179288
+
+        Reviewed by Saam Barati.
+
+        No new tests because no new behavior.
+        
+        Adopting changes in JSC Subspace API.
+
+        * ForwardingHeaders/runtime/JSDestructibleObjectHeapCellType.h: Added.
+        * ForwardingHeaders/runtime/JSSegmentedVariableObjectHeapCellType.h: Added.
+        * bindings/js/JSDOMWrapper.cpp:
+        (WebCore::outputConstraintSubspaceFor):
+        (WebCore::globalObjectOutputConstraintSubspaceFor):
+        * bindings/js/JSDOMWrapper.h:
+        * bindings/js/WebCoreJSClientData.cpp:
+        (WebCore::JSVMClientData::JSVMClientData):
+        * bindings/js/WebCoreJSClientData.h:
+        (WebCore::JSVMClientData::outputConstraintSpace):
+        (WebCore::JSVMClientData::globalObjectOutputConstraintSpace):
+        * bindings/scripts/CodeGeneratorJS.pm:
+        (GenerateHeader):
+
</ins><span class="cx"> 2017-11-29  Eric Carlson  <eric.carlson@apple.com>
</span><span class="cx"> 
</span><span class="cx">         [MediaStream] Clean up audio and video capture factories
</span></span></pre></div>
<a id="trunkSourceWebCoreForwardingHeadersruntimeJSDestructibleObjectHeapCellTypeh"></a>
<div class="addfile"><h4>Added: trunk/Source/WebCore/ForwardingHeaders/runtime/JSDestructibleObjectHeapCellType.h (0 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ForwardingHeaders/runtime/JSDestructibleObjectHeapCellType.h                                (rev 0)
+++ trunk/Source/WebCore/ForwardingHeaders/runtime/JSDestructibleObjectHeapCellType.h   2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -0,0 +1,2 @@
</span><ins>+#pragma once
+#include <JavaScriptCore/JSDestructibleObjectHeapCellType.h>
</ins></span></pre></div>
<a id="trunkSourceWebCoreForwardingHeadersruntimeJSSegmentedVariableObjectHeapCellTypeh"></a>
<div class="addfile"><h4>Added: trunk/Source/WebCore/ForwardingHeaders/runtime/JSSegmentedVariableObjectHeapCellType.h (0 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ForwardingHeaders/runtime/JSSegmentedVariableObjectHeapCellType.h                           (rev 0)
+++ trunk/Source/WebCore/ForwardingHeaders/runtime/JSSegmentedVariableObjectHeapCellType.h      2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -0,0 +1,2 @@
</span><ins>+#pragma once
+#include <JavaScriptCore/JSSegmentedVariableObjectHeapCellType.h>
</ins></span></pre></div>
<a id="trunkSourceWebCorebindingsjsJSDOMWrappercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/js/JSDOMWrapper.cpp (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/js/JSDOMWrapper.cpp        2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/WebCore/bindings/js/JSDOMWrapper.cpp   2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -45,12 +45,12 @@
</span><span class="cx">     return *domWindow;
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-Subspace* outputConstraintSubspaceFor(VM& vm)
</del><ins>+CompleteSubspace* outputConstraintSubspaceFor(VM& vm)
</ins><span class="cx"> {
</span><span class="cx">     return &static_cast<JSVMClientData*>(vm.clientData)->outputConstraintSpace();
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-Subspace* globalObjectOutputConstraintSubspaceFor(VM& vm)
</del><ins>+CompleteSubspace* globalObjectOutputConstraintSubspaceFor(VM& vm)
</ins><span class="cx"> {
</span><span class="cx">     return &static_cast<JSVMClientData*>(vm.clientData)->globalObjectOutputConstraintSpace();
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsjsJSDOMWrapperh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/js/JSDOMWrapper.h (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/js/JSDOMWrapper.h  2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/WebCore/bindings/js/JSDOMWrapper.h     2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -73,8 +73,8 @@
</span><span class="cx">     }
</span><span class="cx"> };
</span><span class="cx"> 
</span><del>-WEBCORE_EXPORT JSC::Subspace* outputConstraintSubspaceFor(JSC::VM&);
-WEBCORE_EXPORT JSC::Subspace* globalObjectOutputConstraintSubspaceFor(JSC::VM&);
</del><ins>+WEBCORE_EXPORT JSC::CompleteSubspace* outputConstraintSubspaceFor(JSC::VM&);
+WEBCORE_EXPORT JSC::CompleteSubspace* globalObjectOutputConstraintSubspaceFor(JSC::VM&);
</ins><span class="cx"> 
</span><span class="cx"> template<typename ImplementationClass> class JSDOMWrapper : public JSDOMObject {
</span><span class="cx"> public:
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsjsWebCoreJSClientDatacpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/js/WebCoreJSClientData.cpp (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/js/WebCoreJSClientData.cpp 2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/WebCore/bindings/js/WebCoreJSClientData.cpp    2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -34,6 +34,8 @@
</span><span class="cx"> #include <heap/MarkedBlockInlines.h>
</span><span class="cx"> #include <heap/SubspaceInlines.h>
</span><span class="cx"> #include <heap/VisitingTimeout.h>
</span><ins>+#include <runtime/JSDestructibleObjectHeapCellType.h>
+#include <runtime/JSSegmentedVariableObjectHeapCellType.h>
</ins><span class="cx"> #include <runtime/VM.h>
</span><span class="cx"> #include <wtf/MainThread.h>
</span><span class="cx"> 
</span><span class="lines">@@ -44,8 +46,8 @@
</span><span class="cx"> JSVMClientData::JSVMClientData(VM& vm)
</span><span class="cx">     : m_builtinFunctions(vm)
</span><span class="cx">     , m_builtinNames(&vm)
</span><del>-    , m_outputConstraintSpace("WebCore Wrapper w/ Output Constraint", vm.heap, vm.fastMallocAllocator.get())
-    , m_globalObjectOutputConstraintSpace("WebCore Global Object w/ Output Constraint", vm.heap, vm.fastMallocAllocator.get())
</del><ins>+    , m_outputConstraintSpace("WebCore Wrapper w/ Output Constraint", vm.heap, vm.destructibleObjectHeapCellType.get(), vm.fastMallocAllocator.get())
+    , m_globalObjectOutputConstraintSpace("WebCore Global Object w/ Output Constraint", vm.heap, vm.segmentedVariableObjectHeapCellType.get(), vm.fastMallocAllocator.get())
</ins><span class="cx"> {
</span><span class="cx"> }
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsjsWebCoreJSClientDatah"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/js/WebCoreJSClientData.h (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/js/WebCoreJSClientData.h   2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/WebCore/bindings/js/WebCoreJSClientData.h      2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -59,8 +59,8 @@
</span><span class="cx">     WebCoreBuiltinNames& builtinNames() { return m_builtinNames; }
</span><span class="cx">     JSBuiltinFunctions& builtinFunctions() { return m_builtinFunctions; }
</span><span class="cx">     
</span><del>-    JSC::Subspace& outputConstraintSpace() { return m_outputConstraintSpace; }
-    JSC::Subspace& globalObjectOutputConstraintSpace() { return m_globalObjectOutputConstraintSpace; }
</del><ins>+    JSC::CompleteSubspace& outputConstraintSpace() { return m_outputConstraintSpace; }
+    JSC::CompleteSubspace& globalObjectOutputConstraintSpace() { return m_globalObjectOutputConstraintSpace; }
</ins><span class="cx">     
</span><span class="cx">     template<typename Func>
</span><span class="cx">     void forEachOutputConstraintSpace(const Func& func)
</span><span class="lines">@@ -76,8 +76,8 @@
</span><span class="cx">     JSBuiltinFunctions m_builtinFunctions;
</span><span class="cx">     WebCoreBuiltinNames m_builtinNames;
</span><span class="cx">     
</span><del>-    JSC::JSDestructibleObjectSubspace m_outputConstraintSpace;
-    JSC::JSSegmentedVariableObjectSubspace m_globalObjectOutputConstraintSpace;
</del><ins>+    JSC::CompleteSubspace m_outputConstraintSpace;
+    JSC::CompleteSubspace m_globalObjectOutputConstraintSpace;
</ins><span class="cx"> };
</span><span class="cx"> 
</span><span class="cx"> } // namespace WebCore
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsscriptsCodeGeneratorJSpm"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm (225313 => 225314)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm 2017-11-30 03:36:26 UTC (rev 225313)
+++ trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm    2017-11-30 04:39:50 UTC (rev 225314)
</span><span class="lines">@@ -2735,7 +2735,7 @@
</span><span class="cx">             # this just calls visitAdditionalChildren, you usually don't have to worry about this.
</span><span class="cx">             push(@headerContent, "    static void visitOutputConstraints(JSCell*, JSC::SlotVisitor&);\n");
</span><span class="cx">             my $subspaceFunc = IsDOMGlobalObject($interface) ? "globalObjectOutputConstraintSubspaceFor" : "outputConstraintSubspaceFor";
</span><del>-            push(@headerContent, "    template<typename> static JSC::Subspace* subspaceFor(JSC::VM& vm) { return $subspaceFunc(vm); }\n");
</del><ins>+            push(@headerContent, "    template<typename> static JSC::CompleteSubspace* subspaceFor(JSC::VM& vm) { return $subspaceFunc(vm); }\n");
</ins><span class="cx">         }
</span><span class="cx">     }
</span><span class="cx">     
</span></span></pre>
</div>
</div>

</body>
</html>