<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[287008] branches/safari-613.1.11-branch/Source</title>
</head>
<body>

<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/287008">287008</a></dd>
<dt>Author</dt> <dd>repstein@apple.com</dd>
<dt>Date</dt> <dd>2021-12-13 19:28:24 -0800 (Mon, 13 Dec 2021)</dd>
</dl>

<h3>Log Message</h3>
<pre>Cherry-pick <a href="http://trac.webkit.org/projects/webkit/changeset/286994">r286994</a>. rdar://problem/86445989

    Roll back <a href="http://trac.webkit.org/projects/webkit/changeset/286345">r286345</a>, <a href="http://trac.webkit.org/projects/webkit/changeset/286387">r286387</a>, <a href="http://trac.webkit.org/projects/webkit/changeset/286471">r286471</a>, <a href="http://trac.webkit.org/projects/webkit/changeset/286667">r286667</a>, <a href="http://trac.webkit.org/projects/webkit/changeset/286849">r286849</a>
    https://bugs.webkit.org/show_bug.cgi?id=234268

    Reviewed by Mark Lam.

    Source/JavaScriptCore:

    * CMakeLists.txt:
    * JavaScriptCore.xcodeproj/project.pbxproj:
    * Sources.txt:
    * bytecode/AccessCase.cpp:
    (JSC::AccessCase::AccessCase):
    (JSC::AccessCase::forEachDependentCell const):
    (JSC::AccessCase::dump const):
    (JSC::AccessCase::propagateTransitions const):
    (JSC::AccessCase::generateWithGuard):
    (JSC::AccessCase::canBeShared):
    * bytecode/AccessCase.h:
    (JSC::AccessCase::structure const):
    (JSC::AccessCase::newStructure const):
    (JSC::AccessCase::hash const):
    (JSC::AccessCase::AccessCase):
    * bytecode/ArrayProfile.cpp:
    (JSC::ArrayProfile::computeUpdatedPrediction):
    * bytecode/ArrayProfile.h:
    * bytecode/CheckPrivateBrandStatus.cpp:
    (JSC::CheckPrivateBrandStatus::computeForStubInfoWithoutExitSiteFeedback):
    * bytecode/CodeBlock.cpp:
    (JSC::CodeBlock::propagateTransitions):
    (JSC::CodeBlock::determineLiveness):
    (JSC::CodeBlock::finalizeLLIntInlineCaches):
    (JSC::CodeBlock::stronglyVisitWeakReferences):
    * bytecode/DeleteByStatus.cpp:
    (JSC::DeleteByStatus::computeForStubInfoWithoutExitSiteFeedback):
    * bytecode/GetByIdMetadata.h:
    (JSC::GetByIdModeMetadata::GetByIdModeMetadata):
    (JSC::GetByIdModeMetadata::clearToDefaultModeWithoutCache):
    * bytecode/GetByStatus.cpp:
    (JSC::GetByStatus::computeFromLLInt):
    (JSC::GetByStatus::computeForStubInfoWithoutExitSiteFeedback):
    * bytecode/InByStatus.cpp:
    (JSC::InByStatus::computeForStubInfoWithoutExitSiteFeedback):
    * bytecode/InlineAccess.cpp:
    (JSC::InlineAccess::rewireStubAsJumpInAccess):
    (JSC::InlineAccess::resetStubAsJumpInAccess):
    * bytecode/InstanceOfStatus.cpp:
    (JSC::InstanceOfStatus::computeForStubInfo):
    * bytecode/InternalFunctionAllocationProfile.h:
    (JSC::InternalFunctionAllocationProfile::offsetOfStructure):
    (JSC::InternalFunctionAllocationProfile::structure):
    (JSC::InternalFunctionAllocationProfile::clear):
    (JSC::InternalFunctionAllocationProfile::visitAggregate):
    (JSC::InternalFunctionAllocationProfile::createAllocationStructureFromBase):
    (JSC::InternalFunctionAllocationProfile::offsetOfStructureID): Deleted.
    * bytecode/PolyProtoAccessChain.cpp:
    (JSC::PolyProtoAccessChain::needImpurePropertyWatchpoint const):
    * bytecode/PolyProtoAccessChain.h:
    * bytecode/PolymorphicAccess.cpp:
    (JSC::PolymorphicAccess::visitWeak const):
    * bytecode/PutByIdFlags.h:
    * bytecode/PutByStatus.cpp:
    (JSC::PutByStatus::computeFromLLInt):
    (JSC::PutByStatus::computeForStubInfo):
    * bytecode/SetPrivateBrandStatus.cpp:
    (JSC::SetPrivateBrandStatus::computeForStubInfoWithoutExitSiteFeedback):
    * bytecode/SpeculatedType.cpp:
    (JSC::speculationFromCell):
    * bytecode/StructureStubInfo.cpp:
    (JSC::StructureStubInfo::initGetByIdSelf):
    (JSC::StructureStubInfo::initPutByIdReplace):
    (JSC::StructureStubInfo::initInByIdSelf):
    (JSC::StructureStubInfo::deref):
    (JSC::StructureStubInfo::aboutToDie):
    (JSC::StructureStubInfo::addAccessCase):
    (JSC::StructureStubInfo::reset):
    (JSC::StructureStubInfo::visitAggregateImpl):
    (JSC::StructureStubInfo::visitWeakReferences):
    (JSC::StructureStubInfo::propagateTransitions):
    (JSC::StructureStubInfo::summary const):
    (JSC::StructureStubInfo::containsPC const):
    * bytecode/StructureStubInfo.h:
    (JSC::StructureStubInfo::offsetOfByIdSelfOffset):
    (JSC::StructureStubInfo::offsetOfInlineAccessBaseStructure):
    (JSC::StructureStubInfo::inlineAccessBaseStructure):
    (JSC::StructureStubInfo::offsetOfInlineAccessBaseStructureID): Deleted.
    * dfg/DFGAbstractInterpreterInlines.h:
    (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
    * dfg/DFGByteCodeParser.cpp:
    (JSC::DFG::ByteCodeParser::parseBlock):
    * dfg/DFGGraph.cpp:
    (JSC::DFG::Graph::dump):
    * dfg/DFGJITCompiler.h:
    (JSC::DFG::JITCompiler::branchWeakStructure):
    * dfg/DFGPlan.cpp:
    (JSC::DFG::Plan::finalize):
    * dfg/DFGSpeculativeJIT.cpp:
    * dfg/DFGSpeculativeJIT64.cpp:
    (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
    (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
    (JSC::DFG::SpeculativeJIT::compileToBooleanObjectOrOther):
    (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
    (JSC::DFG::SpeculativeJIT::emitUntypedBranch):
    (JSC::DFG::SpeculativeJIT::compile):
    * ftl/FTLAbstractHeapRepository.h:
    * ftl/FTLLowerDFGToB3.cpp:
    (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
    (JSC::FTL::DFG::LowerDFGToB3::compileCreateInternalFieldObject):
    (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
    * heap/AbstractSlotVisitor.h:
    * heap/AbstractSlotVisitorInlines.h:
    * heap/Heap.cpp:
    (JSC::Heap::Heap):
    (JSC::Heap::runEndPhase):
    * heap/Heap.h:
    (JSC::Heap::structureIDTable):
    * heap/IsoAlignedMemoryAllocator.cpp:
    (JSC::IsoAlignedMemoryAllocator::IsoAlignedMemoryAllocator):
    (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
    (JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
    (JSC::IsoAlignedMemoryAllocator::freeAlignedMemory):
    (JSC::IsoAlignedMemoryAllocator::tryMallocBlock): Deleted.
    (JSC::IsoAlignedMemoryAllocator::freeBlock): Deleted.
    (JSC::IsoAlignedMemoryAllocator::commitBlock): Deleted.
    (JSC::IsoAlignedMemoryAllocator::decommitBlock): Deleted.
    * heap/IsoAlignedMemoryAllocator.h:
    * heap/IsoMemoryAllocatorBase.cpp: Removed.
    * heap/IsoMemoryAllocatorBase.h: Removed.
    * heap/IsoSubspace.cpp:
    (JSC::IsoSubspace::IsoSubspace):
    (JSC::IsoSubspace::tryAllocateFromLowerTier):
    * heap/IsoSubspace.h:
    * heap/PreciseAllocation.cpp:
    (JSC::PreciseAllocation::createForLowerTier):
    (JSC::PreciseAllocation::tryCreateForLowerTier): Deleted.
    * heap/PreciseAllocation.h:
    * heap/SlotVisitor.cpp:
    (JSC::SlotVisitor::appendJSCellOrAuxiliary):
    * heap/SlotVisitor.h:
    * heap/SlotVisitorInlines.h:
    * heap/StructureAlignedMemoryAllocator.cpp: Removed.
    * heap/StructureAlignedMemoryAllocator.h: Removed.
    * jit/AssemblyHelpers.cpp:
    (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
    (JSC::AssemblyHelpers::emitLoadStructure):
    (JSC::AssemblyHelpers::emitLoadPrototype):
    (JSC::AssemblyHelpers::emitRandomThunk):
    (JSC::AssemblyHelpers::emitConvertValueToBoolean):
    (JSC::AssemblyHelpers::branchIfValue):
    (JSC::AssemblyHelpers::emitNonNullDecodeStructureID): Deleted.
    * jit/AssemblyHelpers.h:
    (JSC::AssemblyHelpers::branchStructure):
    (JSC::AssemblyHelpers::nukeStructureAndStoreButterfly):
    * jit/GCAwareJITStubRoutine.cpp:
    (JSC::PolymorphicAccessJITStubRoutine::computeHash):
    * jit/JITInlineCacheGenerator.cpp:
    (JSC::generateGetByIdInlineAccess):
    (JSC::JITPutByIdGenerator::generateBaselineDataICFastPath):
    (JSC::JITInByIdGenerator::generateBaselineDataICFastPath):
    * jit/JITOpcodes.cpp:
    (JSC::JIT::emit_op_typeof_is_undefined):
    (JSC::JIT::emit_op_jeq_null):
    (JSC::JIT::emit_op_jneq_null):
    (JSC::JIT::emit_op_eq_null):
    (JSC::JIT::emit_op_neq_null):
    (JSC::JIT::emit_op_get_prototype_of):
    * jit/JITPropertyAccess.cpp:
    (JSC::JIT::emit_op_get_property_enumerator):
    * jit/JITStubRoutine.h:
    * llint/LLIntSlowPaths.cpp:
    (JSC::LLInt::LLINT_SLOW_PATH_DECL):
    (JSC::LLInt::performLLIntGetByID):
    * llint/LowLevelInterpreter.asm:
    * llint/LowLevelInterpreter64.asm:
    * runtime/ArrayPrototype.cpp:
    (JSC::JSC_DEFINE_HOST_FUNCTION):
    * runtime/BigIntPrototype.cpp:
    (JSC::JSC_DEFINE_HOST_FUNCTION):
    * runtime/BooleanPrototype.cpp:
    (JSC::JSC_DEFINE_HOST_FUNCTION):
    * runtime/CommonSlowPaths.cpp:
    (JSC::JSC_DEFINE_COMMON_SLOW_PATH):
    * runtime/DatePrototype.cpp:
    (JSC::formateDateInstance):
    (JSC::JSC_DEFINE_HOST_FUNCTION):
    * runtime/ErrorInstance.cpp:
    (JSC::ErrorInstance::sanitizedMessageString):
    (JSC::ErrorInstance::sanitizedNameString):
    (JSC::ErrorInstance::sanitizedToString):
    * runtime/ErrorPrototype.cpp:
    (JSC::JSC_DEFINE_HOST_FUNCTION):
    * runtime/FunctionExecutable.cpp:
    (JSC::FunctionExecutable::visitChildrenImpl):
    * runtime/FunctionExecutable.h:
    * runtime/FunctionPrototype.cpp:
    (JSC::JSC_DEFINE_HOST_FUNCTION):
    * runtime/FunctionRareData.cpp:
    (JSC::FunctionRareData::visitChildrenImpl):
    * runtime/FunctionRareData.h:
    * runtime/HasOwnPropertyCache.h:
    * runtime/InitializeThreading.cpp:
    (JSC::initialize):
    * runtime/JSCConfig.h:
    * runtime/JSCJSValue.cpp:
    (JSC::JSValue::dumpInContextAssumingStructure const):
    (JSC::JSValue::dumpForBacktrace const):
    * runtime/JSCell.cpp:
    (JSC::JSCell::toObjectSlow const):
    * runtime/JSCell.h:
    (JSC::JSCell::clearStructure):
    * runtime/JSCellInlines.h:
    (JSC::JSCell::structure const):
    (JSC::JSCell::setStructure):
    * runtime/JSGlobalObject.cpp:
    (JSC::JSGlobalObject::visitChildrenImpl):
    * runtime/JSGlobalObject.h:
    * runtime/JSObject.cpp:
    (JSC::JSObject::visitButterflyImpl):
    (JSC::JSObject::createInitialUndecided):
    (JSC::JSObject::createInitialInt32):
    (JSC::JSObject::createInitialDouble):
    (JSC::JSObject::createInitialContiguous):
    (JSC::JSObject::createArrayStorage):
    (JSC::JSObject::convertUndecidedToArrayStorage):
    (JSC::JSObject::convertInt32ToArrayStorage):
    (JSC::JSObject::convertDoubleToArrayStorage):
    (JSC::JSObject::convertContiguousToArrayStorage):
    (JSC::JSObject::putDirectCustomGetterSetterWithoutTransition):
    (JSC::JSObject::putDirectNonIndexAccessorWithoutTransition):
    * runtime/JSObject.h:
    (JSC::JSObject::nukeStructureAndSetButterfly):
    (JSC::JSObject::getPropertySlot):
    * runtime/JSObjectInlines.h:
    (JSC::JSObject::getPropertySlot):
    (JSC::JSObject::getNonIndexPropertySlot):
    (JSC::JSObject::putDirectWithoutTransition):
    (JSC::JSObject::putDirectInternal):
    * runtime/JSPropertyNameEnumerator.cpp:
    (JSC::JSPropertyNameEnumerator::JSPropertyNameEnumerator):
    (JSC::JSPropertyNameEnumerator::visitChildrenImpl):
    * runtime/JSPropertyNameEnumerator.h:
    * runtime/NumberPrototype.cpp:
    (JSC::toThisNumber):
    * runtime/ObjectPrototype.cpp:
    (JSC::JSC_DEFINE_HOST_FUNCTION):
    (JSC::objectPrototypeToString):
    * runtime/RegExpPrototype.cpp:
    (JSC::JSC_DEFINE_HOST_FUNCTION):
    * runtime/StringPrototype.cpp:
    (JSC::JSC_DEFINE_HOST_FUNCTION):
    * runtime/Structure.cpp:
    (JSC::Structure::Structure):
    (JSC::Structure::~Structure):
    (JSC::Structure::flattenDictionaryStructure):
    (JSC::Structure::dump const):
    (JSC::Structure::canCachePropertyNameEnumerator const):
    * runtime/Structure.h:
    (JSC::Structure::id const):
    * runtime/StructureChain.cpp:
    (JSC::StructureChain::create):
    (JSC::StructureChain::visitChildrenImpl):
    * runtime/StructureID.h: Removed.
    * runtime/StructureIDBlob.h:
    (JSC::StructureIDBlob::StructureIDBlob):
    * runtime/StructureIDTable.cpp: Added.
    (JSC::StructureIDTable::StructureIDTable):
    (JSC::StructureIDTable::makeFreeListFromRange):
    (JSC::StructureIDTable::resize):
    (JSC::StructureIDTable::flushOldTables):
    (JSC::StructureIDTable::allocateID):
    (JSC::StructureIDTable::deallocateID):
    * runtime/StructureIDTable.h: Added.
    (JSC::nukedStructureIDBit):
    (JSC::nuke):
    (JSC::isNuked):
    (JSC::decontaminate):
    (JSC::StructureIDTable::base):
    (JSC::StructureIDTable::size const):
    (JSC::StructureIDTable::table const):
    (JSC::StructureIDTable::decode):
    (JSC::StructureIDTable::encode):
    (JSC::StructureIDTable::get):
    (JSC::StructureIDTable::tryGet):
    (JSC::StructureIDTable::validate):
    (JSC::StructureIDTable::deallocateID):
    (JSC::StructureIDTable::allocateID):
    (JSC::StructureIDTable::flushOldTables):
    * runtime/StructureRareData.cpp:
    (JSC::StructureRareData::StructureRareData):
    * runtime/StructureRareData.h:
    * runtime/StructureRareDataInlines.h:
    (JSC::StructureRareData::tryCachePropertyNameEnumeratorViaWatchpoint):
    * runtime/SymbolPrototype.cpp:
    (JSC::JSC_DEFINE_CUSTOM_GETTER):
    (JSC::JSC_DEFINE_HOST_FUNCTION):
    * runtime/TypeProfilerLog.cpp:
    (JSC::TypeProfilerLog::processLogEntries):
    (JSC::TypeProfilerLog::visit):
    * runtime/VM.h:
    (JSC::VM::getStructure):
    (JSC::VM::tryGetStructure):
    * runtime/WriteBarrier.h:
    (JSC::WriteBarrierStructureID::WriteBarrierStructureID): Deleted.
    (JSC::WriteBarrierStructureID::get const): Deleted.
    (JSC::WriteBarrierStructureID::operator* const): Deleted.
    (JSC::WriteBarrierStructureID::operator-> const): Deleted.
    (JSC::WriteBarrierStructureID::clear): Deleted.
    (JSC::WriteBarrierStructureID::operator bool const): Deleted.
    (JSC::WriteBarrierStructureID::operator! const): Deleted.
    (JSC::WriteBarrierStructureID::setWithoutWriteBarrier): Deleted.
    (JSC::WriteBarrierStructureID::unvalidatedGet const): Deleted.
    (JSC::WriteBarrierStructureID::value const): Deleted.
    * runtime/WriteBarrierInlines.h:
    (JSC::WriteBarrierStructureID::set): Deleted.
    (JSC::WriteBarrierStructureID::setMayBeNull): Deleted.
    (JSC::WriteBarrierStructureID::setEarlyValue): Deleted.
    * tools/HeapVerifier.cpp:
    (JSC::HeapVerifier::validateJSCell):
    * tools/Integrity.cpp:
    * tools/Integrity.h:
    * tools/IntegrityInlines.h:
    (JSC::Integrity::auditStructureID):
    * tools/JSDollarVM.cpp:
    (JSC::JSC_DEFINE_HOST_FUNCTION):
    (JSC::JSDollarVM::finishCreation):
    (JSC::JSDollarVM::visitChildrenImpl):
    * tools/JSDollarVM.h:
    * wasm/js/WebAssemblyFunction.cpp:
    (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
    * wasm/js/WebAssemblyGlobalPrototype.cpp:
    (JSC::getGlobal):

    Source/WTF:

    * wtf/OSAllocator.h:
    * wtf/posix/OSAllocatorPOSIX.cpp:
    (WTF::OSAllocator::reserveUncommittedAligned): Deleted.

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@286994 268f45cc-cd09-0410-ab3c-d52691b4dbfc</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreCMakeListstxt">branches/safari-613.1.11-branch/Source/JavaScriptCore/CMakeLists.txt</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreChangeLog">branches/safari-613.1.11-branch/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreJavaScriptCorexcodeprojprojectpbxproj">branches/safari-613.1.11-branch/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreSourcestxt">branches/safari-613.1.11-branch/Source/JavaScriptCore/Sources.txt</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCorebytecodeAccessCasecpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/AccessCase.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCorebytecodeAccessCaseh">branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/AccessCase.h</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCorebytecodeArrayProfilecpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/ArrayProfile.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCorebytecodeArrayProfileh">branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/ArrayProfile.h</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCorebytecodeCheckPrivateBrandStatuscpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/CheckPrivateBrandStatus.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCorebytecodeCodeBlockcpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/CodeBlock.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCorebytecodeDeleteByStatuscpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/DeleteByStatus.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCorebytecodeGetByIdMetadatah">branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/GetByIdMetadata.h</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCorebytecodeGetByStatuscpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/GetByStatus.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCorebytecodeInByStatuscpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/InByStatus.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCorebytecodeInlineAccesscpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/InlineAccess.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCorebytecodeInstanceOfStatuscpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/InstanceOfStatus.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCorebytecodeInternalFunctionAllocationProfileh">branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/InternalFunctionAllocationProfile.h</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCorebytecodePolyProtoAccessChaincpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/PolyProtoAccessChain.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCorebytecodePolyProtoAccessChainh">branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/PolyProtoAccessChain.h</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCorebytecodePolymorphicAccesscpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/PolymorphicAccess.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCorebytecodePutByIdFlagsh">branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/PutByIdFlags.h</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCorebytecodePutByStatuscpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/PutByStatus.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCorebytecodeSetPrivateBrandStatuscpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/SetPrivateBrandStatus.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCorebytecodeSpeculatedTypecpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/SpeculatedType.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCorebytecodeStructureStubInfocpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/StructureStubInfo.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCorebytecodeStructureStubInfoh">branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/StructureStubInfo.h</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoredfgDFGAbstractInterpreterInlinesh">branches/safari-613.1.11-branch/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoredfgDFGByteCodeParsercpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoredfgDFGGraphcpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/dfg/DFGGraph.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoredfgDFGJITCompilerh">branches/safari-613.1.11-branch/Source/JavaScriptCore/dfg/DFGJITCompiler.h</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoredfgDFGPlancpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/dfg/DFGPlan.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoredfgDFGSpeculativeJITcpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoredfgDFGSpeculativeJIT64cpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreftlFTLAbstractHeapRepositoryh">branches/safari-613.1.11-branch/Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreftlFTLLowerDFGToB3cpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreheapAbstractSlotVisitorh">branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/AbstractSlotVisitor.h</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreheapAbstractSlotVisitorInlinesh">branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/AbstractSlotVisitorInlines.h</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreheapHeapcpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/Heap.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreheapHeaph">branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/Heap.h</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreheapIsoAlignedMemoryAllocatorcpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/IsoAlignedMemoryAllocator.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreheapIsoAlignedMemoryAllocatorh">branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/IsoAlignedMemoryAllocator.h</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreheapIsoSubspacecpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/IsoSubspace.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreheapIsoSubspaceh">branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/IsoSubspace.h</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreheapPreciseAllocationcpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/PreciseAllocation.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreheapPreciseAllocationh">branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/PreciseAllocation.h</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreheapSlotVisitorcpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/SlotVisitor.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreheapSlotVisitorh">branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/SlotVisitor.h</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreheapSlotVisitorInlinesh">branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/SlotVisitorInlines.h</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCorejitAssemblyHelperscpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/jit/AssemblyHelpers.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCorejitAssemblyHelpersh">branches/safari-613.1.11-branch/Source/JavaScriptCore/jit/AssemblyHelpers.h</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCorejitGCAwareJITStubRoutinecpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/jit/GCAwareJITStubRoutine.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCorejitJITInlineCacheGeneratorcpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/jit/JITInlineCacheGenerator.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCorejitJITOpcodescpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/jit/JITOpcodes.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCorejitJITPropertyAccesscpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/jit/JITPropertyAccess.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCorejitJITStubRoutineh">branches/safari-613.1.11-branch/Source/JavaScriptCore/jit/JITStubRoutine.h</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCorellintLLIntSlowPathscpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCorellintLowLevelInterpreterasm">branches/safari-613.1.11-branch/Source/JavaScriptCore/llint/LowLevelInterpreter.asm</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCorellintLowLevelInterpreter64asm">branches/safari-613.1.11-branch/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreruntimeArrayPrototypecpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/ArrayPrototype.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreruntimeBigIntPrototypecpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/BigIntPrototype.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreruntimeBooleanPrototypecpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/BooleanPrototype.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreruntimeCommonSlowPathscpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreruntimeDatePrototypecpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/DatePrototype.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreruntimeErrorInstancecpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/ErrorInstance.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreruntimeErrorPrototypecpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/ErrorPrototype.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreruntimeFunctionExecutablecpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/FunctionExecutable.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreruntimeFunctionExecutableh">branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/FunctionExecutable.h</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreruntimeFunctionPrototypecpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/FunctionPrototype.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreruntimeFunctionRareDatacpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/FunctionRareData.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreruntimeFunctionRareDatah">branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/FunctionRareData.h</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreruntimeHasOwnPropertyCacheh">branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/HasOwnPropertyCache.h</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreruntimeInitializeThreadingcpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/InitializeThreading.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreruntimeJSCConfigh">branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/JSCConfig.h</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreruntimeJSCJSValuecpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/JSCJSValue.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreruntimeJSCellcpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/JSCell.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreruntimeJSCellh">branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/JSCell.h</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreruntimeJSCellInlinesh">branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/JSCellInlines.h</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreruntimeJSGlobalObjectcpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/JSGlobalObject.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreruntimeJSGlobalObjecth">branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/JSGlobalObject.h</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreruntimeJSObjectcpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/JSObject.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreruntimeJSObjecth">branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/JSObject.h</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreruntimeJSObjectInlinesh">branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/JSObjectInlines.h</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreruntimeJSPropertyNameEnumeratorcpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/JSPropertyNameEnumerator.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreruntimeJSPropertyNameEnumeratorh">branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/JSPropertyNameEnumerator.h</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreruntimeNumberPrototypecpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/NumberPrototype.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreruntimeObjectPrototypecpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/ObjectPrototype.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreruntimeRegExpPrototypecpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/RegExpPrototype.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreruntimeStringPrototypecpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/StringPrototype.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreruntimeStructurecpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/Structure.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreruntimeStructureh">branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/Structure.h</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreruntimeStructureChaincpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/StructureChain.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreruntimeStructureIDBlobh">branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/StructureIDBlob.h</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreruntimeStructureRareDatacpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/StructureRareData.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreruntimeStructureRareDatah">branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/StructureRareData.h</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreruntimeStructureRareDataInlinesh">branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/StructureRareDataInlines.h</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreruntimeSymbolPrototypecpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/SymbolPrototype.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreruntimeTypeProfilerLogcpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/TypeProfilerLog.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreruntimeVMh">branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/VM.h</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreruntimeWriteBarrierh">branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/WriteBarrier.h</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreruntimeWriteBarrierInlinesh">branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/WriteBarrierInlines.h</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoretoolsHeapVerifiercpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/tools/HeapVerifier.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoretoolsIntegritycpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/tools/Integrity.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoretoolsIntegrityh">branches/safari-613.1.11-branch/Source/JavaScriptCore/tools/Integrity.h</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoretoolsIntegrityInlinesh">branches/safari-613.1.11-branch/Source/JavaScriptCore/tools/IntegrityInlines.h</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoretoolsJSDollarVMcpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/tools/JSDollarVM.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoretoolsJSDollarVMh">branches/safari-613.1.11-branch/Source/JavaScriptCore/tools/JSDollarVM.h</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCorewasmjsWebAssemblyFunctioncpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCorewasmjsWebAssemblyGlobalPrototypecpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/wasm/js/WebAssemblyGlobalPrototype.cpp</a></li>
<li><a href="#branchessafari613111branchSourceWTFChangeLog">branches/safari-613.1.11-branch/Source/WTF/ChangeLog</a></li>
<li><a href="#branchessafari613111branchSourceWTFwtfOSAllocatorh">branches/safari-613.1.11-branch/Source/WTF/wtf/OSAllocator.h</a></li>
<li><a href="#branchessafari613111branchSourceWTFwtfposixOSAllocatorPOSIXcpp">branches/safari-613.1.11-branch/Source/WTF/wtf/posix/OSAllocatorPOSIX.cpp</a></li>
<li><a href="#branchessafari613111branchSourceWTFwtfwinOSAllocatorWincpp">branches/safari-613.1.11-branch/Source/WTF/wtf/win/OSAllocatorWin.cpp</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreruntimeStructureIDTablecpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/StructureIDTable.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreruntimeStructureIDTableh">branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/StructureIDTable.h</a></li>
</ul>

<h3>Removed Paths</h3>
<ul>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreheapIsoMemoryAllocatorBasecpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/IsoMemoryAllocatorBase.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreheapIsoMemoryAllocatorBaseh">branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/IsoMemoryAllocatorBase.h</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreheapStructureAlignedMemoryAllocatorcpp">branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/StructureAlignedMemoryAllocator.cpp</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreheapStructureAlignedMemoryAllocatorh">branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/StructureAlignedMemoryAllocator.h</a></li>
<li><a href="#branchessafari613111branchSourceJavaScriptCoreruntimeStructureIDh">branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/StructureID.h</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="branchessafari613111branchSourceJavaScriptCoreCMakeListstxt"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/CMakeLists.txt (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/CMakeLists.txt     2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/CMakeLists.txt        2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -762,11 +762,11 @@
</span><span class="cx">     heap/HeapSnapshotBuilder.h
</span><span class="cx">     heap/HeapSubspaceTypes.h
</span><span class="cx">     heap/IncrementalSweeper.h
</span><ins>+    heap/IsoAlignedMemoryAllocator.h
</ins><span class="cx">     heap/IsoCellSet.h
</span><span class="cx">     heap/IsoHeapCellType.h
</span><span class="cx">     heap/IsoInlinedHeapCellType.h
</span><span class="cx">     heap/IsoInlinedHeapCellTypeInlines.h
</span><del>-    heap/IsoMemoryAllocatorBase.h
</del><span class="cx">     heap/IsoSubspace.h
</span><span class="cx">     heap/IsoSubspaceInlines.h
</span><span class="cx">     heap/IsoSubspacePerVM.h
</span><span class="lines">@@ -793,7 +793,6 @@
</span><span class="cx">     heap/Strong.h
</span><span class="cx">     heap/StrongForward.h
</span><span class="cx">     heap/StrongInlines.h
</span><del>-    heap/StructureAlignedMemoryAllocator.h
</del><span class="cx">     heap/Subspace.h
</span><span class="cx">     heap/SubspaceInlines.h
</span><span class="cx">     heap/Synchronousness.h
</span><span class="lines">@@ -1185,8 +1184,8 @@
</span><span class="cx">     runtime/Structure.h
</span><span class="cx">     runtime/StructureCache.h
</span><span class="cx">     runtime/StructureChain.h
</span><del>-    runtime/StructureID.h
</del><span class="cx">     runtime/StructureIDBlob.h
</span><ins>+    runtime/StructureIDTable.h
</ins><span class="cx">     runtime/StructureInlines.h
</span><span class="cx">     runtime/StructureRareData.h
</span><span class="cx">     runtime/StructureRareDataInlines.h
</span></span></pre></div>
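Review bot: The three hunks drop `heap/IsoMemoryAllocatorBase.h`, `heap/StructureAlignedMemoryAllocator.h` and `runtime/StructureID.h` from the header list. Because this is a cherry-pick onto a release branch, any branch-only code that still includes one of them would fail only when the affected port is built. The ChangeLog names `Sources.txt` and `project.pbxproj` as updated alongside this file, but other consumers are not visible in this section. A tree-wide search for those three header names on the branch before landing would confirm that `heap/IsoAlignedMemoryAllocator.h` and `runtime/StructureIDTable.h` are the only replacements needed.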
<a id="branchessafari613111branchSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/ChangeLog (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/ChangeLog  2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/ChangeLog     2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -1,5 +1,679 @@
</span><span class="cx"> 2021-12-13  Russell Epstein  <repstein@apple.com>
</span><span class="cx"> 
</span><ins>+        Cherry-pick r286994. rdar://problem/86445989
+
+    Roll back r286345, r286387, r286471, r286667, r286849
+    https://bugs.webkit.org/show_bug.cgi?id=234268
+    
+    Reviewed by Mark Lam.
+    
+    Source/JavaScriptCore:
+    
+    * CMakeLists.txt:
+    * JavaScriptCore.xcodeproj/project.pbxproj:
+    * Sources.txt:
+    * bytecode/AccessCase.cpp:
+    (JSC::AccessCase::AccessCase):
+    (JSC::AccessCase::forEachDependentCell const):
+    (JSC::AccessCase::dump const):
+    (JSC::AccessCase::propagateTransitions const):
+    (JSC::AccessCase::generateWithGuard):
+    (JSC::AccessCase::canBeShared):
+    * bytecode/AccessCase.h:
+    (JSC::AccessCase::structure const):
+    (JSC::AccessCase::newStructure const):
+    (JSC::AccessCase::hash const):
+    (JSC::AccessCase::AccessCase):
+    * bytecode/ArrayProfile.cpp:
+    (JSC::ArrayProfile::computeUpdatedPrediction):
+    * bytecode/ArrayProfile.h:
+    * bytecode/CheckPrivateBrandStatus.cpp:
+    (JSC::CheckPrivateBrandStatus::computeForStubInfoWithoutExitSiteFeedback):
+    * bytecode/CodeBlock.cpp:
+    (JSC::CodeBlock::propagateTransitions):
+    (JSC::CodeBlock::determineLiveness):
+    (JSC::CodeBlock::finalizeLLIntInlineCaches):
+    (JSC::CodeBlock::stronglyVisitWeakReferences):
+    * bytecode/DeleteByStatus.cpp:
+    (JSC::DeleteByStatus::computeForStubInfoWithoutExitSiteFeedback):
+    * bytecode/GetByIdMetadata.h:
+    (JSC::GetByIdModeMetadata::GetByIdModeMetadata):
+    (JSC::GetByIdModeMetadata::clearToDefaultModeWithoutCache):
+    * bytecode/GetByStatus.cpp:
+    (JSC::GetByStatus::computeFromLLInt):
+    (JSC::GetByStatus::computeForStubInfoWithoutExitSiteFeedback):
+    * bytecode/InByStatus.cpp:
+    (JSC::InByStatus::computeForStubInfoWithoutExitSiteFeedback):
+    * bytecode/InlineAccess.cpp:
+    (JSC::InlineAccess::rewireStubAsJumpInAccess):
+    (JSC::InlineAccess::resetStubAsJumpInAccess):
+    * bytecode/InstanceOfStatus.cpp:
+    (JSC::InstanceOfStatus::computeForStubInfo):
+    * bytecode/InternalFunctionAllocationProfile.h:
+    (JSC::InternalFunctionAllocationProfile::offsetOfStructure):
+    (JSC::InternalFunctionAllocationProfile::structure):
+    (JSC::InternalFunctionAllocationProfile::clear):
+    (JSC::InternalFunctionAllocationProfile::visitAggregate):
+    (JSC::InternalFunctionAllocationProfile::createAllocationStructureFromBase):
+    (JSC::InternalFunctionAllocationProfile::offsetOfStructureID): Deleted.
+    * bytecode/PolyProtoAccessChain.cpp:
+    (JSC::PolyProtoAccessChain::needImpurePropertyWatchpoint const):
+    * bytecode/PolyProtoAccessChain.h:
+    * bytecode/PolymorphicAccess.cpp:
+    (JSC::PolymorphicAccess::visitWeak const):
+    * bytecode/PutByIdFlags.h:
+    * bytecode/PutByStatus.cpp:
+    (JSC::PutByStatus::computeFromLLInt):
+    (JSC::PutByStatus::computeForStubInfo):
+    * bytecode/SetPrivateBrandStatus.cpp:
+    (JSC::SetPrivateBrandStatus::computeForStubInfoWithoutExitSiteFeedback):
+    * bytecode/SpeculatedType.cpp:
+    (JSC::speculationFromCell):
+    * bytecode/StructureStubInfo.cpp:
+    (JSC::StructureStubInfo::initGetByIdSelf):
+    (JSC::StructureStubInfo::initPutByIdReplace):
+    (JSC::StructureStubInfo::initInByIdSelf):
+    (JSC::StructureStubInfo::deref):
+    (JSC::StructureStubInfo::aboutToDie):
+    (JSC::StructureStubInfo::addAccessCase):
+    (JSC::StructureStubInfo::reset):
+    (JSC::StructureStubInfo::visitAggregateImpl):
+    (JSC::StructureStubInfo::visitWeakReferences):
+    (JSC::StructureStubInfo::propagateTransitions):
+    (JSC::StructureStubInfo::summary const):
+    (JSC::StructureStubInfo::containsPC const):
+    * bytecode/StructureStubInfo.h:
+    (JSC::StructureStubInfo::offsetOfByIdSelfOffset):
+    (JSC::StructureStubInfo::offsetOfInlineAccessBaseStructure):
+    (JSC::StructureStubInfo::inlineAccessBaseStructure):
+    (JSC::StructureStubInfo::offsetOfInlineAccessBaseStructureID): Deleted.
+    * dfg/DFGAbstractInterpreterInlines.h:
+    (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+    * dfg/DFGByteCodeParser.cpp:
+    (JSC::DFG::ByteCodeParser::parseBlock):
+    * dfg/DFGGraph.cpp:
+    (JSC::DFG::Graph::dump):
+    * dfg/DFGJITCompiler.h:
+    (JSC::DFG::JITCompiler::branchWeakStructure):
+    * dfg/DFGPlan.cpp:
+    (JSC::DFG::Plan::finalize):
+    * dfg/DFGSpeculativeJIT.cpp:
+    * dfg/DFGSpeculativeJIT64.cpp:
+    (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
+    (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
+    (JSC::DFG::SpeculativeJIT::compileToBooleanObjectOrOther):
+    (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
+    (JSC::DFG::SpeculativeJIT::emitUntypedBranch):
+    (JSC::DFG::SpeculativeJIT::compile):
+    * ftl/FTLAbstractHeapRepository.h:
+    * ftl/FTLLowerDFGToB3.cpp:
+    (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
+    (JSC::FTL::DFG::LowerDFGToB3::compileCreateInternalFieldObject):
+    (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
+    * heap/AbstractSlotVisitor.h:
+    * heap/AbstractSlotVisitorInlines.h:
+    * heap/Heap.cpp:
+    (JSC::Heap::Heap):
+    (JSC::Heap::runEndPhase):
+    * heap/Heap.h:
+    (JSC::Heap::structureIDTable):
+    * heap/IsoAlignedMemoryAllocator.cpp:
+    (JSC::IsoAlignedMemoryAllocator::IsoAlignedMemoryAllocator):
+    (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
+    (JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
+    (JSC::IsoAlignedMemoryAllocator::freeAlignedMemory):
+    (JSC::IsoAlignedMemoryAllocator::tryMallocBlock): Deleted.
+    (JSC::IsoAlignedMemoryAllocator::freeBlock): Deleted.
+    (JSC::IsoAlignedMemoryAllocator::commitBlock): Deleted.
+    (JSC::IsoAlignedMemoryAllocator::decommitBlock): Deleted.
+    * heap/IsoAlignedMemoryAllocator.h:
+    * heap/IsoMemoryAllocatorBase.cpp: Removed.
+    * heap/IsoMemoryAllocatorBase.h: Removed.
+    * heap/IsoSubspace.cpp:
+    (JSC::IsoSubspace::IsoSubspace):
+    (JSC::IsoSubspace::tryAllocateFromLowerTier):
+    * heap/IsoSubspace.h:
+    * heap/PreciseAllocation.cpp:
+    (JSC::PreciseAllocation::createForLowerTier):
+    (JSC::PreciseAllocation::tryCreateForLowerTier): Deleted.
+    * heap/PreciseAllocation.h:
+    * heap/SlotVisitor.cpp:
+    (JSC::SlotVisitor::appendJSCellOrAuxiliary):
+    * heap/SlotVisitor.h:
+    * heap/SlotVisitorInlines.h:
+    * heap/StructureAlignedMemoryAllocator.cpp: Removed.
+    * heap/StructureAlignedMemoryAllocator.h: Removed.
+    * jit/AssemblyHelpers.cpp:
+    (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
+    (JSC::AssemblyHelpers::emitLoadStructure):
+    (JSC::AssemblyHelpers::emitLoadPrototype):
+    (JSC::AssemblyHelpers::emitRandomThunk):
+    (JSC::AssemblyHelpers::emitConvertValueToBoolean):
+    (JSC::AssemblyHelpers::branchIfValue):
+    (JSC::AssemblyHelpers::emitNonNullDecodeStructureID): Deleted.
+    * jit/AssemblyHelpers.h:
+    (JSC::AssemblyHelpers::branchStructure):
+    (JSC::AssemblyHelpers::nukeStructureAndStoreButterfly):
+    * jit/GCAwareJITStubRoutine.cpp:
+    (JSC::PolymorphicAccessJITStubRoutine::computeHash):
+    * jit/JITInlineCacheGenerator.cpp:
+    (JSC::generateGetByIdInlineAccess):
+    (JSC::JITPutByIdGenerator::generateBaselineDataICFastPath):
+    (JSC::JITInByIdGenerator::generateBaselineDataICFastPath):
+    * jit/JITOpcodes.cpp:
+    (JSC::JIT::emit_op_typeof_is_undefined):
+    (JSC::JIT::emit_op_jeq_null):
+    (JSC::JIT::emit_op_jneq_null):
+    (JSC::JIT::emit_op_eq_null):
+    (JSC::JIT::emit_op_neq_null):
+    (JSC::JIT::emit_op_get_prototype_of):
+    * jit/JITPropertyAccess.cpp:
+    (JSC::JIT::emit_op_get_property_enumerator):
+    * jit/JITStubRoutine.h:
+    * llint/LLIntSlowPaths.cpp:
+    (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+    (JSC::LLInt::performLLIntGetByID):
+    * llint/LowLevelInterpreter.asm:
+    * llint/LowLevelInterpreter64.asm:
+    * runtime/ArrayPrototype.cpp:
+    (JSC::JSC_DEFINE_HOST_FUNCTION):
+    * runtime/BigIntPrototype.cpp:
+    (JSC::JSC_DEFINE_HOST_FUNCTION):
+    * runtime/BooleanPrototype.cpp:
+    (JSC::JSC_DEFINE_HOST_FUNCTION):
+    * runtime/CommonSlowPaths.cpp:
+    (JSC::JSC_DEFINE_COMMON_SLOW_PATH):
+    * runtime/DatePrototype.cpp:
+    (JSC::formateDateInstance):
+    (JSC::JSC_DEFINE_HOST_FUNCTION):
+    * runtime/ErrorInstance.cpp:
+    (JSC::ErrorInstance::sanitizedMessageString):
+    (JSC::ErrorInstance::sanitizedNameString):
+    (JSC::ErrorInstance::sanitizedToString):
+    * runtime/ErrorPrototype.cpp:
+    (JSC::JSC_DEFINE_HOST_FUNCTION):
+    * runtime/FunctionExecutable.cpp:
+    (JSC::FunctionExecutable::visitChildrenImpl):
+    * runtime/FunctionExecutable.h:
+    * runtime/FunctionPrototype.cpp:
+    (JSC::JSC_DEFINE_HOST_FUNCTION):
+    * runtime/FunctionRareData.cpp:
+    (JSC::FunctionRareData::visitChildrenImpl):
+    * runtime/FunctionRareData.h:
+    * runtime/HasOwnPropertyCache.h:
+    * runtime/InitializeThreading.cpp:
+    (JSC::initialize):
+    * runtime/JSCConfig.h:
+    * runtime/JSCJSValue.cpp:
+    (JSC::JSValue::dumpInContextAssumingStructure const):
+    (JSC::JSValue::dumpForBacktrace const):
+    * runtime/JSCell.cpp:
+    (JSC::JSCell::toObjectSlow const):
+    * runtime/JSCell.h:
+    (JSC::JSCell::clearStructure):
+    * runtime/JSCellInlines.h:
+    (JSC::JSCell::structure const):
+    (JSC::JSCell::setStructure):
+    * runtime/JSGlobalObject.cpp:
+    (JSC::JSGlobalObject::visitChildrenImpl):
+    * runtime/JSGlobalObject.h:
+    * runtime/JSObject.cpp:
+    (JSC::JSObject::visitButterflyImpl):
+    (JSC::JSObject::createInitialUndecided):
+    (JSC::JSObject::createInitialInt32):
+    (JSC::JSObject::createInitialDouble):
+    (JSC::JSObject::createInitialContiguous):
+    (JSC::JSObject::createArrayStorage):
+    (JSC::JSObject::convertUndecidedToArrayStorage):
+    (JSC::JSObject::convertInt32ToArrayStorage):
+    (JSC::JSObject::convertDoubleToArrayStorage):
+    (JSC::JSObject::convertContiguousToArrayStorage):
+    (JSC::JSObject::putDirectCustomGetterSetterWithoutTransition):
+    (JSC::JSObject::putDirectNonIndexAccessorWithoutTransition):
+    * runtime/JSObject.h:
+    (JSC::JSObject::nukeStructureAndSetButterfly):
+    (JSC::JSObject::getPropertySlot):
+    * runtime/JSObjectInlines.h:
+    (JSC::JSObject::getPropertySlot):
+    (JSC::JSObject::getNonIndexPropertySlot):
+    (JSC::JSObject::putDirectWithoutTransition):
+    (JSC::JSObject::putDirectInternal):
+    * runtime/JSPropertyNameEnumerator.cpp:
+    (JSC::JSPropertyNameEnumerator::JSPropertyNameEnumerator):
+    (JSC::JSPropertyNameEnumerator::visitChildrenImpl):
+    * runtime/JSPropertyNameEnumerator.h:
+    * runtime/NumberPrototype.cpp:
+    (JSC::toThisNumber):
+    * runtime/ObjectPrototype.cpp:
+    (JSC::JSC_DEFINE_HOST_FUNCTION):
+    (JSC::objectPrototypeToString):
+    * runtime/RegExpPrototype.cpp:
+    (JSC::JSC_DEFINE_HOST_FUNCTION):
+    * runtime/StringPrototype.cpp:
+    (JSC::JSC_DEFINE_HOST_FUNCTION):
+    * runtime/Structure.cpp:
+    (JSC::Structure::Structure):
+    (JSC::Structure::~Structure):
+    (JSC::Structure::flattenDictionaryStructure):
+    (JSC::Structure::dump const):
+    (JSC::Structure::canCachePropertyNameEnumerator const):
+    * runtime/Structure.h:
+    (JSC::Structure::id const):
+    * runtime/StructureChain.cpp:
+    (JSC::StructureChain::create):
+    (JSC::StructureChain::visitChildrenImpl):
+    * runtime/StructureID.h: Removed.
+    * runtime/StructureIDBlob.h:
+    (JSC::StructureIDBlob::StructureIDBlob):
+    * runtime/StructureIDTable.cpp: Added.
+    (JSC::StructureIDTable::StructureIDTable):
+    (JSC::StructureIDTable::makeFreeListFromRange):
+    (JSC::StructureIDTable::resize):
+    (JSC::StructureIDTable::flushOldTables):
+    (JSC::StructureIDTable::allocateID):
+    (JSC::StructureIDTable::deallocateID):
+    * runtime/StructureIDTable.h: Added.
+    (JSC::nukedStructureIDBit):
+    (JSC::nuke):
+    (JSC::isNuked):
+    (JSC::decontaminate):
+    (JSC::StructureIDTable::base):
+    (JSC::StructureIDTable::size const):
+    (JSC::StructureIDTable::table const):
+    (JSC::StructureIDTable::decode):
+    (JSC::StructureIDTable::encode):
+    (JSC::StructureIDTable::get):
+    (JSC::StructureIDTable::tryGet):
+    (JSC::StructureIDTable::validate):
+    (JSC::StructureIDTable::deallocateID):
+    (JSC::StructureIDTable::allocateID):
+    (JSC::StructureIDTable::flushOldTables):
+    * runtime/StructureRareData.cpp:
+    (JSC::StructureRareData::StructureRareData):
+    * runtime/StructureRareData.h:
+    * runtime/StructureRareDataInlines.h:
+    (JSC::StructureRareData::tryCachePropertyNameEnumeratorViaWatchpoint):
+    * runtime/SymbolPrototype.cpp:
+    (JSC::JSC_DEFINE_CUSTOM_GETTER):
+    (JSC::JSC_DEFINE_HOST_FUNCTION):
+    * runtime/TypeProfilerLog.cpp:
+    (JSC::TypeProfilerLog::processLogEntries):
+    (JSC::TypeProfilerLog::visit):
+    * runtime/VM.h:
+    (JSC::VM::getStructure):
+    (JSC::VM::tryGetStructure):
+    * runtime/WriteBarrier.h:
+    (JSC::WriteBarrierStructureID::WriteBarrierStructureID): Deleted.
+    (JSC::WriteBarrierStructureID::get const): Deleted.
+    (JSC::WriteBarrierStructureID::operator* const): Deleted.
+    (JSC::WriteBarrierStructureID::operator-> const): Deleted.
+    (JSC::WriteBarrierStructureID::clear): Deleted.
+    (JSC::WriteBarrierStructureID::operator bool const): Deleted.
+    (JSC::WriteBarrierStructureID::operator! const): Deleted.
+    (JSC::WriteBarrierStructureID::setWithoutWriteBarrier): Deleted.
+    (JSC::WriteBarrierStructureID::unvalidatedGet const): Deleted.
+    (JSC::WriteBarrierStructureID::value const): Deleted.
+    * runtime/WriteBarrierInlines.h:
+    (JSC::WriteBarrierStructureID::set): Deleted.
+    (JSC::WriteBarrierStructureID::setMayBeNull): Deleted.
+    (JSC::WriteBarrierStructureID::setEarlyValue): Deleted.
+    * tools/HeapVerifier.cpp:
+    (JSC::HeapVerifier::validateJSCell):
+    * tools/Integrity.cpp:
+    * tools/Integrity.h:
+    * tools/IntegrityInlines.h:
+    (JSC::Integrity::auditStructureID):
+    * tools/JSDollarVM.cpp:
+    (JSC::JSC_DEFINE_HOST_FUNCTION):
+    (JSC::JSDollarVM::finishCreation):
+    (JSC::JSDollarVM::visitChildrenImpl):
+    * tools/JSDollarVM.h:
+    * wasm/js/WebAssemblyFunction.cpp:
+    (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
+    * wasm/js/WebAssemblyGlobalPrototype.cpp:
+    (JSC::getGlobal):
+    
+    Source/WTF:
+    
+    * wtf/OSAllocator.h:
+    * wtf/posix/OSAllocatorPOSIX.cpp:
+    (WTF::OSAllocator::reserveUncommittedAligned): Deleted.
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@286994 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2021-12-13  Saam Barati  <sbarati@apple.com>
+
+            Roll back r286345, r286387, r286471, r286667, r286849
+            https://bugs.webkit.org/show_bug.cgi?id=234268
+
+            Reviewed by Mark Lam.
+
+            * CMakeLists.txt:
+            * JavaScriptCore.xcodeproj/project.pbxproj:
+            * Sources.txt:
+            * bytecode/AccessCase.cpp:
+            (JSC::AccessCase::AccessCase):
+            (JSC::AccessCase::forEachDependentCell const):
+            (JSC::AccessCase::dump const):
+            (JSC::AccessCase::propagateTransitions const):
+            (JSC::AccessCase::generateWithGuard):
+            (JSC::AccessCase::canBeShared):
+            * bytecode/AccessCase.h:
+            (JSC::AccessCase::structure const):
+            (JSC::AccessCase::newStructure const):
+            (JSC::AccessCase::hash const):
+            (JSC::AccessCase::AccessCase):
+            * bytecode/ArrayProfile.cpp:
+            (JSC::ArrayProfile::computeUpdatedPrediction):
+            * bytecode/ArrayProfile.h:
+            * bytecode/CheckPrivateBrandStatus.cpp:
+            (JSC::CheckPrivateBrandStatus::computeForStubInfoWithoutExitSiteFeedback):
+            * bytecode/CodeBlock.cpp:
+            (JSC::CodeBlock::propagateTransitions):
+            (JSC::CodeBlock::determineLiveness):
+            (JSC::CodeBlock::finalizeLLIntInlineCaches):
+            (JSC::CodeBlock::stronglyVisitWeakReferences):
+            * bytecode/DeleteByStatus.cpp:
+            (JSC::DeleteByStatus::computeForStubInfoWithoutExitSiteFeedback):
+            * bytecode/GetByIdMetadata.h:
+            (JSC::GetByIdModeMetadata::GetByIdModeMetadata):
+            (JSC::GetByIdModeMetadata::clearToDefaultModeWithoutCache):
+            * bytecode/GetByStatus.cpp:
+            (JSC::GetByStatus::computeFromLLInt):
+            (JSC::GetByStatus::computeForStubInfoWithoutExitSiteFeedback):
+            * bytecode/InByStatus.cpp:
+            (JSC::InByStatus::computeForStubInfoWithoutExitSiteFeedback):
+            * bytecode/InlineAccess.cpp:
+            (JSC::InlineAccess::rewireStubAsJumpInAccess):
+            (JSC::InlineAccess::resetStubAsJumpInAccess):
+            * bytecode/InstanceOfStatus.cpp:
+            (JSC::InstanceOfStatus::computeForStubInfo):
+            * bytecode/InternalFunctionAllocationProfile.h:
+            (JSC::InternalFunctionAllocationProfile::offsetOfStructure):
+            (JSC::InternalFunctionAllocationProfile::structure):
+            (JSC::InternalFunctionAllocationProfile::clear):
+            (JSC::InternalFunctionAllocationProfile::visitAggregate):
+            (JSC::InternalFunctionAllocationProfile::createAllocationStructureFromBase):
+            (JSC::InternalFunctionAllocationProfile::offsetOfStructureID): Deleted.
+            * bytecode/PolyProtoAccessChain.cpp:
+            (JSC::PolyProtoAccessChain::needImpurePropertyWatchpoint const):
+            * bytecode/PolyProtoAccessChain.h:
+            * bytecode/PolymorphicAccess.cpp:
+            (JSC::PolymorphicAccess::visitWeak const):
+            * bytecode/PutByIdFlags.h:
+            * bytecode/PutByStatus.cpp:
+            (JSC::PutByStatus::computeFromLLInt):
+            (JSC::PutByStatus::computeForStubInfo):
+            * bytecode/SetPrivateBrandStatus.cpp:
+            (JSC::SetPrivateBrandStatus::computeForStubInfoWithoutExitSiteFeedback):
+            * bytecode/SpeculatedType.cpp:
+            (JSC::speculationFromCell):
+            * bytecode/StructureStubInfo.cpp:
+            (JSC::StructureStubInfo::initGetByIdSelf):
+            (JSC::StructureStubInfo::initPutByIdReplace):
+            (JSC::StructureStubInfo::initInByIdSelf):
+            (JSC::StructureStubInfo::deref):
+            (JSC::StructureStubInfo::aboutToDie):
+            (JSC::StructureStubInfo::addAccessCase):
+            (JSC::StructureStubInfo::reset):
+            (JSC::StructureStubInfo::visitAggregateImpl):
+            (JSC::StructureStubInfo::visitWeakReferences):
+            (JSC::StructureStubInfo::propagateTransitions):
+            (JSC::StructureStubInfo::summary const):
+            (JSC::StructureStubInfo::containsPC const):
+            * bytecode/StructureStubInfo.h:
+            (JSC::StructureStubInfo::offsetOfByIdSelfOffset):
+            (JSC::StructureStubInfo::offsetOfInlineAccessBaseStructure):
+            (JSC::StructureStubInfo::inlineAccessBaseStructure):
+            (JSC::StructureStubInfo::offsetOfInlineAccessBaseStructureID): Deleted.
+            * dfg/DFGAbstractInterpreterInlines.h:
+            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+            * dfg/DFGByteCodeParser.cpp:
+            (JSC::DFG::ByteCodeParser::parseBlock):
+            * dfg/DFGGraph.cpp:
+            (JSC::DFG::Graph::dump):
+            * dfg/DFGJITCompiler.h:
+            (JSC::DFG::JITCompiler::branchWeakStructure):
+            * dfg/DFGPlan.cpp:
+            (JSC::DFG::Plan::finalize):
+            * dfg/DFGSpeculativeJIT.cpp:
+            * dfg/DFGSpeculativeJIT64.cpp:
+            (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
+            (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
+            (JSC::DFG::SpeculativeJIT::compileToBooleanObjectOrOther):
+            (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
+            (JSC::DFG::SpeculativeJIT::emitUntypedBranch):
+            (JSC::DFG::SpeculativeJIT::compile):
+            * ftl/FTLAbstractHeapRepository.h:
+            * ftl/FTLLowerDFGToB3.cpp:
+            (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
+            (JSC::FTL::DFG::LowerDFGToB3::compileCreateInternalFieldObject):
+            (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
+            * heap/AbstractSlotVisitor.h:
+            * heap/AbstractSlotVisitorInlines.h:
+            * heap/Heap.cpp:
+            (JSC::Heap::Heap):
+            (JSC::Heap::runEndPhase):
+            * heap/Heap.h:
+            (JSC::Heap::structureIDTable):
+            * heap/IsoAlignedMemoryAllocator.cpp:
+            (JSC::IsoAlignedMemoryAllocator::IsoAlignedMemoryAllocator):
+            (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
+            (JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
+            (JSC::IsoAlignedMemoryAllocator::freeAlignedMemory):
+            (JSC::IsoAlignedMemoryAllocator::tryMallocBlock): Deleted.
+            (JSC::IsoAlignedMemoryAllocator::freeBlock): Deleted.
+            (JSC::IsoAlignedMemoryAllocator::commitBlock): Deleted.
+            (JSC::IsoAlignedMemoryAllocator::decommitBlock): Deleted.
+            * heap/IsoAlignedMemoryAllocator.h:
+            * heap/IsoMemoryAllocatorBase.cpp: Removed.
+            * heap/IsoMemoryAllocatorBase.h: Removed.
+            * heap/IsoSubspace.cpp:
+            (JSC::IsoSubspace::IsoSubspace):
+            (JSC::IsoSubspace::tryAllocateFromLowerTier):
+            * heap/IsoSubspace.h:
+            * heap/PreciseAllocation.cpp:
+            (JSC::PreciseAllocation::createForLowerTier):
+            (JSC::PreciseAllocation::tryCreateForLowerTier): Deleted.
+            * heap/PreciseAllocation.h:
+            * heap/SlotVisitor.cpp:
+            (JSC::SlotVisitor::appendJSCellOrAuxiliary):
+            * heap/SlotVisitor.h:
+            * heap/SlotVisitorInlines.h:
+            * heap/StructureAlignedMemoryAllocator.cpp: Removed.
+            * heap/StructureAlignedMemoryAllocator.h: Removed.
+            * jit/AssemblyHelpers.cpp:
+            (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
+            (JSC::AssemblyHelpers::emitLoadStructure):
+            (JSC::AssemblyHelpers::emitLoadPrototype):
+            (JSC::AssemblyHelpers::emitRandomThunk):
+            (JSC::AssemblyHelpers::emitConvertValueToBoolean):
+            (JSC::AssemblyHelpers::branchIfValue):
+            (JSC::AssemblyHelpers::emitNonNullDecodeStructureID): Deleted.
+            * jit/AssemblyHelpers.h:
+            (JSC::AssemblyHelpers::branchStructure):
+            (JSC::AssemblyHelpers::nukeStructureAndStoreButterfly):
+            * jit/GCAwareJITStubRoutine.cpp:
+            (JSC::PolymorphicAccessJITStubRoutine::computeHash):
+            * jit/JITInlineCacheGenerator.cpp:
+            (JSC::generateGetByIdInlineAccess):
+            (JSC::JITPutByIdGenerator::generateBaselineDataICFastPath):
+            (JSC::JITInByIdGenerator::generateBaselineDataICFastPath):
+            * jit/JITOpcodes.cpp:
+            (JSC::JIT::emit_op_typeof_is_undefined):
+            (JSC::JIT::emit_op_jeq_null):
+            (JSC::JIT::emit_op_jneq_null):
+            (JSC::JIT::emit_op_eq_null):
+            (JSC::JIT::emit_op_neq_null):
+            (JSC::JIT::emit_op_get_prototype_of):
+            * jit/JITPropertyAccess.cpp:
+            (JSC::JIT::emit_op_get_property_enumerator):
+            * jit/JITStubRoutine.h:
+            * llint/LLIntSlowPaths.cpp:
+            (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+            (JSC::LLInt::performLLIntGetByID):
+            * llint/LowLevelInterpreter.asm:
+            * llint/LowLevelInterpreter64.asm:
+            * runtime/ArrayPrototype.cpp:
+            (JSC::JSC_DEFINE_HOST_FUNCTION):
+            * runtime/BigIntPrototype.cpp:
+            (JSC::JSC_DEFINE_HOST_FUNCTION):
+            * runtime/BooleanPrototype.cpp:
+            (JSC::JSC_DEFINE_HOST_FUNCTION):
+            * runtime/CommonSlowPaths.cpp:
+            (JSC::JSC_DEFINE_COMMON_SLOW_PATH):
+            * runtime/DatePrototype.cpp:
+            (JSC::formateDateInstance):
+            (JSC::JSC_DEFINE_HOST_FUNCTION):
+            * runtime/ErrorInstance.cpp:
+            (JSC::ErrorInstance::sanitizedMessageString):
+            (JSC::ErrorInstance::sanitizedNameString):
+            (JSC::ErrorInstance::sanitizedToString):
+            * runtime/ErrorPrototype.cpp:
+            (JSC::JSC_DEFINE_HOST_FUNCTION):
+            * runtime/FunctionExecutable.cpp:
+            (JSC::FunctionExecutable::visitChildrenImpl):
+            * runtime/FunctionExecutable.h:
+            * runtime/FunctionPrototype.cpp:
+            (JSC::JSC_DEFINE_HOST_FUNCTION):
+            * runtime/FunctionRareData.cpp:
+            (JSC::FunctionRareData::visitChildrenImpl):
+            * runtime/FunctionRareData.h:
+            * runtime/HasOwnPropertyCache.h:
+            * runtime/InitializeThreading.cpp:
+            (JSC::initialize):
+            * runtime/JSCConfig.h:
+            * runtime/JSCJSValue.cpp:
+            (JSC::JSValue::dumpInContextAssumingStructure const):
+            (JSC::JSValue::dumpForBacktrace const):
+            * runtime/JSCell.cpp:
+            (JSC::JSCell::toObjectSlow const):
+            * runtime/JSCell.h:
+            (JSC::JSCell::clearStructure):
+            * runtime/JSCellInlines.h:
+            (JSC::JSCell::structure const):
+            (JSC::JSCell::setStructure):
+            * runtime/JSGlobalObject.cpp:
+            (JSC::JSGlobalObject::visitChildrenImpl):
+            * runtime/JSGlobalObject.h:
+            * runtime/JSObject.cpp:
+            (JSC::JSObject::visitButterflyImpl):
+            (JSC::JSObject::createInitialUndecided):
+            (JSC::JSObject::createInitialInt32):
+            (JSC::JSObject::createInitialDouble):
+            (JSC::JSObject::createInitialContiguous):
+            (JSC::JSObject::createArrayStorage):
+            (JSC::JSObject::convertUndecidedToArrayStorage):
+            (JSC::JSObject::convertInt32ToArrayStorage):
+            (JSC::JSObject::convertDoubleToArrayStorage):
+            (JSC::JSObject::convertContiguousToArrayStorage):
+            (JSC::JSObject::putDirectCustomGetterSetterWithoutTransition):
+            (JSC::JSObject::putDirectNonIndexAccessorWithoutTransition):
+            * runtime/JSObject.h:
+            (JSC::JSObject::nukeStructureAndSetButterfly):
+            (JSC::JSObject::getPropertySlot):
+            * runtime/JSObjectInlines.h:
+            (JSC::JSObject::getPropertySlot):
+            (JSC::JSObject::getNonIndexPropertySlot):
+            (JSC::JSObject::putDirectWithoutTransition):
+            (JSC::JSObject::putDirectInternal):
+            * runtime/JSPropertyNameEnumerator.cpp:
+            (JSC::JSPropertyNameEnumerator::JSPropertyNameEnumerator):
+            (JSC::JSPropertyNameEnumerator::visitChildrenImpl):
+            * runtime/JSPropertyNameEnumerator.h:
+            * runtime/NumberPrototype.cpp:
+            (JSC::toThisNumber):
+            * runtime/ObjectPrototype.cpp:
+            (JSC::JSC_DEFINE_HOST_FUNCTION):
+            (JSC::objectPrototypeToString):
+            * runtime/RegExpPrototype.cpp:
+            (JSC::JSC_DEFINE_HOST_FUNCTION):
+            * runtime/StringPrototype.cpp:
+            (JSC::JSC_DEFINE_HOST_FUNCTION):
+            * runtime/Structure.cpp:
+            (JSC::Structure::Structure):
+            (JSC::Structure::~Structure):
+            (JSC::Structure::flattenDictionaryStructure):
+            (JSC::Structure::dump const):
+            (JSC::Structure::canCachePropertyNameEnumerator const):
+            * runtime/Structure.h:
+            (JSC::Structure::id const):
+            * runtime/StructureChain.cpp:
+            (JSC::StructureChain::create):
+            (JSC::StructureChain::visitChildrenImpl):
+            * runtime/StructureID.h: Removed.
+            * runtime/StructureIDBlob.h:
+            (JSC::StructureIDBlob::StructureIDBlob):
+            * runtime/StructureIDTable.cpp: Added.
+            (JSC::StructureIDTable::StructureIDTable):
+            (JSC::StructureIDTable::makeFreeListFromRange):
+            (JSC::StructureIDTable::resize):
+            (JSC::StructureIDTable::flushOldTables):
+            (JSC::StructureIDTable::allocateID):
+            (JSC::StructureIDTable::deallocateID):
+            * runtime/StructureIDTable.h: Added.
+            (JSC::nukedStructureIDBit):
+            (JSC::nuke):
+            (JSC::isNuked):
+            (JSC::decontaminate):
+            (JSC::StructureIDTable::base):
+            (JSC::StructureIDTable::size const):
+            (JSC::StructureIDTable::table const):
+            (JSC::StructureIDTable::decode):
+            (JSC::StructureIDTable::encode):
+            (JSC::StructureIDTable::get):
+            (JSC::StructureIDTable::tryGet):
+            (JSC::StructureIDTable::validate):
+            (JSC::StructureIDTable::deallocateID):
+            (JSC::StructureIDTable::allocateID):
+            (JSC::StructureIDTable::flushOldTables):
+            * runtime/StructureRareData.cpp:
+            (JSC::StructureRareData::StructureRareData):
+            * runtime/StructureRareData.h:
+            * runtime/StructureRareDataInlines.h:
+            (JSC::StructureRareData::tryCachePropertyNameEnumeratorViaWatchpoint):
+            * runtime/SymbolPrototype.cpp:
+            (JSC::JSC_DEFINE_CUSTOM_GETTER):
+            (JSC::JSC_DEFINE_HOST_FUNCTION):
+            * runtime/TypeProfilerLog.cpp:
+            (JSC::TypeProfilerLog::processLogEntries):
+            (JSC::TypeProfilerLog::visit):
+            * runtime/VM.h:
+            (JSC::VM::getStructure):
+            (JSC::VM::tryGetStructure):
+            * runtime/WriteBarrier.h:
+            (JSC::WriteBarrierStructureID::WriteBarrierStructureID): Deleted.
+            (JSC::WriteBarrierStructureID::get const): Deleted.
+            (JSC::WriteBarrierStructureID::operator* const): Deleted.
+            (JSC::WriteBarrierStructureID::operator-> const): Deleted.
+            (JSC::WriteBarrierStructureID::clear): Deleted.
+            (JSC::WriteBarrierStructureID::operator bool const): Deleted.
+            (JSC::WriteBarrierStructureID::operator! const): Deleted.
+            (JSC::WriteBarrierStructureID::setWithoutWriteBarrier): Deleted.
+            (JSC::WriteBarrierStructureID::unvalidatedGet const): Deleted.
+            (JSC::WriteBarrierStructureID::value const): Deleted.
+            * runtime/WriteBarrierInlines.h:
+            (JSC::WriteBarrierStructureID::set): Deleted.
+            (JSC::WriteBarrierStructureID::setMayBeNull): Deleted.
+            (JSC::WriteBarrierStructureID::setEarlyValue): Deleted.
+            * tools/HeapVerifier.cpp:
+            (JSC::HeapVerifier::validateJSCell):
+            * tools/Integrity.cpp:
+            * tools/Integrity.h:
+            * tools/IntegrityInlines.h:
+            (JSC::Integrity::auditStructureID):
+            * tools/JSDollarVM.cpp:
+            (JSC::JSC_DEFINE_HOST_FUNCTION):
+            (JSC::JSDollarVM::finishCreation):
+            (JSC::JSDollarVM::visitChildrenImpl):
+            * tools/JSDollarVM.h:
+            * wasm/js/WebAssemblyFunction.cpp:
+            (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
+            * wasm/js/WebAssemblyGlobalPrototype.cpp:
+            (JSC::getGlobal):
+
+2021-12-13  Russell Epstein  <repstein@apple.com>
+
</ins><span class="cx">         Cherry-pick r286667. rdar://problem/86445989
</span><span class="cx"> 
</span><span class="cx">     [JSC] Introduce WriteBarrierStructureID
</span></span></pre></div>
<a id="branchessafari613111branchSourceJavaScriptCoreJavaScriptCorexcodeprojprojectpbxproj"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj   2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj      2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -857,6 +857,7 @@
</span><span class="cx">          2AACE63D18CA5A0300ED0191 /* GCActivityCallback.h in Headers */ = {isa = PBXBuildFile; fileRef = 2AACE63B18CA5A0300ED0191 /* GCActivityCallback.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx">          2AD2EDFB19799E38004D6478 /* EnumerationMode.h in Headers */ = {isa = PBXBuildFile; fileRef = 2AD2EDFA19799E38004D6478 /* EnumerationMode.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx">          2AD8932B17E3868F00668276 /* HeapIterationScope.h in Headers */ = {isa = PBXBuildFile; fileRef = 2AD8932917E3868F00668276 /* HeapIterationScope.h */; };
</span><ins>+               2AF7382D18BBBF92008A5A37 /* StructureIDTable.h in Headers */ = {isa = PBXBuildFile; fileRef = 2AF7382B18BBBF92008A5A37 /* StructureIDTable.h */; settings = {ATTRIBUTES = (Private, ); }; };
</ins><span class="cx">           2D342F36F7244096804ADB24 /* SourceOrigin.h in Headers */ = {isa = PBXBuildFile; fileRef = 425BA1337E4344E1B269A671 /* SourceOrigin.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx">          33111B8B2397256500AA34CE /* Scribble.h in Headers */ = {isa = PBXBuildFile; fileRef = 33111B8A2397256500AA34CE /* Scribble.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx">          3395C70722555F6D00BDBFAD /* B3EliminateDeadCode.h in Headers */ = {isa = PBXBuildFile; fileRef = 3395C70522555F6D00BDBFAD /* B3EliminateDeadCode.h */; };
</span><span class="lines">@@ -1089,10 +1090,6 @@
</span><span class="cx">          536B319E1F735F160037FC33 /* LowLevelInterpreter.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F4680C714BBB16900BFE272 /* LowLevelInterpreter.cpp */; };
</span><span class="cx">          5370806B1FE232DF00299E44 /* JSArrayBufferView.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F2B66BB17B6B5AB00A7AE3F /* JSArrayBufferView.h */; };
</span><span class="cx">          5370B4F61BF26205005C40FC /* AdaptiveInferredPropertyValueWatchpointBase.h in Headers */ = {isa = PBXBuildFile; fileRef = 5370B4F41BF25EA2005C40FC /* AdaptiveInferredPropertyValueWatchpointBase.h */; };
</span><del>-               537FEEC92742BDA300C9EFEE /* StructureID.h in Headers */ = {isa = PBXBuildFile; fileRef = 537FEEC82742BDA300C9EFEE /* StructureID.h */; settings = {ATTRIBUTES = (Private, ); }; };
-               537FEECE2742BDE100C9EFEE /* IsoMemoryAllocatorBaseInlines.h in Headers */ = {isa = PBXBuildFile; fileRef = 537FEECA2742BDE000C9EFEE /* IsoMemoryAllocatorBaseInlines.h */; };
-               537FEED02742BDE100C9EFEE /* StructureAlignedMemoryAllocator.h in Headers */ = {isa = PBXBuildFile; fileRef = 537FEECC2742BDE000C9EFEE /* StructureAlignedMemoryAllocator.h */; };
-               537FEED12742BDE100C9EFEE /* IsoMemoryAllocatorBase.h in Headers */ = {isa = PBXBuildFile; fileRef = 537FEECD2742BDE000C9EFEE /* IsoMemoryAllocatorBase.h */; settings = {ATTRIBUTES = (Private, ); }; };
</del><span class="cx">           5381B9391E60E97D0090F794 /* WasmFaultSignalHandler.h in Headers */ = {isa = PBXBuildFile; fileRef = 5381B9381E60E97D0090F794 /* WasmFaultSignalHandler.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx">          538F15E7268FBBB600D601C4 /* UnifiedSource148.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 538F15DD268FBBB300D601C4 /* UnifiedSource148.cpp */; };
</span><span class="cx">          538F15E8268FBBB600D601C4 /* UnifiedSource151.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 538F15DE268FBBB300D601C4 /* UnifiedSource151.cpp */; };
</span><span class="lines">@@ -3639,6 +3636,8 @@
</span><span class="cx">          2AD2EDFA19799E38004D6478 /* EnumerationMode.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = EnumerationMode.h; sourceTree = "<group>"; };
</span><span class="cx">          2AD8932917E3868F00668276 /* HeapIterationScope.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = HeapIterationScope.h; sourceTree = "<group>"; };
</span><span class="cx">          2ADFA26218EF3540004F9FCC /* GCLogging.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = GCLogging.cpp; sourceTree = "<group>"; };
</span><ins>+               2AF7382A18BBBF92008A5A37 /* StructureIDTable.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = StructureIDTable.cpp; sourceTree = "<group>"; };
+               2AF7382B18BBBF92008A5A37 /* StructureIDTable.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = StructureIDTable.h; sourceTree = "<group>"; };
</ins><span class="cx">           3032175DF1AD47D8998B34E1 /* JSSourceCode.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSSourceCode.h; sourceTree = "<group>"; };
</span><span class="cx">          30A5F403F11C4F599CD596D5 /* WasmSignatureInlines.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = WasmSignatureInlines.h; sourceTree = "<group>"; };
</span><span class="cx">          33111B8A2397256500AA34CE /* Scribble.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = Scribble.h; sourceTree = "<group>"; };
</span><span class="lines">@@ -3741,7 +3740,6 @@
</span><span class="cx">          530FB3011E7A0B6E003C19DD /* WasmWorklist.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = WasmWorklist.h; sourceTree = "<group>"; };
</span><span class="cx">          530FB3031E7A1146003C19DD /* WasmWorklist.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = WasmWorklist.cpp; sourceTree = "<group>"; };
</span><span class="cx">          530FDE7321FAAFC600059D65 /* testIncludes.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; name = testIncludes.m; path = API/tests/testIncludes.m; sourceTree = "<group>"; };
</span><del>-               531013F3274419F40009009C /* libWTF.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; path = libWTF.a; sourceTree = BUILT_PRODUCTS_DIR; };
</del><span class="cx">           5311BD481EA581E500525281 /* WasmOMGPlan.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = WasmOMGPlan.cpp; sourceTree = "<group>"; };
</span><span class="cx">          5311BD491EA581E500525281 /* WasmOMGPlan.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = WasmOMGPlan.h; sourceTree = "<group>"; };
</span><span class="cx">          531374BC1D5CE67600AF7A0B /* WasmPlan.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = WasmPlan.h; sourceTree = "<group>"; };
</span><span class="lines">@@ -3930,11 +3928,6 @@
</span><span class="cx">          5370B4F41BF25EA2005C40FC /* AdaptiveInferredPropertyValueWatchpointBase.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = AdaptiveInferredPropertyValueWatchpointBase.h; sourceTree = "<group>"; };
</span><span class="cx">          5373B4D322AD8BF700803572 /* WeakObjectRefPrototype.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; path = WeakObjectRefPrototype.cpp; sourceTree = "<group>"; };
</span><span class="cx">          5373B4D422ADB31400803572 /* WeakObjectRefConstructor.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; path = WeakObjectRefConstructor.cpp; sourceTree = "<group>"; };
</span><del>-               537FEEC82742BDA300C9EFEE /* StructureID.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = StructureID.h; sourceTree = "<group>"; };
-               537FEECA2742BDE000C9EFEE /* IsoMemoryAllocatorBaseInlines.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = IsoMemoryAllocatorBaseInlines.h; sourceTree = "<group>"; };
-               537FEECB2742BDE000C9EFEE /* StructureAlignedMemoryAllocator.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = StructureAlignedMemoryAllocator.cpp; sourceTree = "<group>"; };
-               537FEECC2742BDE000C9EFEE /* StructureAlignedMemoryAllocator.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = StructureAlignedMemoryAllocator.h; sourceTree = "<group>"; };
-               537FEECD2742BDE000C9EFEE /* IsoMemoryAllocatorBase.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = IsoMemoryAllocatorBase.h; sourceTree = "<group>"; };
</del><span class="cx">           5381B9361E60E9660090F794 /* WasmFaultSignalHandler.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = WasmFaultSignalHandler.cpp; sourceTree = "<group>"; };
</span><span class="cx">          5381B9381E60E97D0090F794 /* WasmFaultSignalHandler.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = WasmFaultSignalHandler.h; sourceTree = "<group>"; };
</span><span class="cx">          5383AA2F1E65E8A100A532FC /* JSWebAssemblyCodeBlock.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = JSWebAssemblyCodeBlock.cpp; path = js/JSWebAssemblyCodeBlock.cpp; sourceTree = "<group>"; };
</span><span class="lines">@@ -5790,7 +5783,6 @@
</span><span class="cx">                          5D5D8AD00E0D0EBE00F9C692 /* libedit.dylib */,
</span><span class="cx">                          9322A00306C341D3009067BB /* libicucore.dylib */,
</span><span class="cx">                          51F0EC0705C86C9A00E6DF1B /* libobjc.dylib */,
</span><del>-                               531013F3274419F40009009C /* libWTF.a */,
</del><span class="cx">                           1498CAD3214656C400710879 /* libWTF.a */,
</span><span class="cx">                          A8A4748D151A8306004123FF /* libWTF.a */,
</span><span class="cx">                          371D842C17C98B6E00ECF994 /* libz.dylib */,
</span><span class="lines">@@ -6672,8 +6664,6 @@
</span><span class="cx">                          142E3132134FF0A600AFADB5 /* Strong.h */,
</span><span class="cx">                          CD1F9B4A270CFE0F00617EB6 /* StrongForward.h */,
</span><span class="cx">                          145722851437E140005FDE26 /* StrongInlines.h */,
</span><del>-                               537FEECB2742BDE000C9EFEE /* StructureAlignedMemoryAllocator.cpp */,
-                               537FEECC2742BDE000C9EFEE /* StructureAlignedMemoryAllocator.h */,
</del><span class="cx">                           0F7DF1311E2970D50095951B /* Subspace.cpp */,
</span><span class="cx">                          0F7DF1321E2970D50095951B /* Subspace.h */,
</span><span class="cx">                          0F7DF1331E2970D50095951B /* SubspaceInlines.h */,
</span><span class="lines">@@ -8075,8 +8065,9 @@
</span><span class="cx">                          7986943A1F8C0AC8009232AE /* StructureCache.h */,
</span><span class="cx">                          7E4EE70E0EBB7A5B005934AA /* StructureChain.cpp */,
</span><span class="cx">                          7E4EE7080EBB7963005934AA /* StructureChain.h */,
</span><del>-                               537FEEC82742BDA300C9EFEE /* StructureID.h */,
</del><span class="cx">                           2AAAA31018BD49D100394CC8 /* StructureIDBlob.h */,
</span><ins>+                               2AF7382A18BBBF92008A5A37 /* StructureIDTable.cpp */,
+                               2AF7382B18BBBF92008A5A37 /* StructureIDTable.h */,
</ins><span class="cx">                           0FD2C92316D01EE900C7803F /* StructureInlines.h */,
</span><span class="cx">                          C2F0F2D016BAEEE900187C19 /* StructureRareData.cpp */,
</span><span class="cx">                          C2FE18A316BAEC4000AF3061 /* StructureRareData.h */,
</span><span class="lines">@@ -10276,8 +10267,6 @@
</span><span class="cx">                          0FB467811FDDA6F7003FCB09 /* IsoCellSetInlines.h in Headers */,
</span><span class="cx">                          E3BF1BAE238AAEDB003A1C2B /* IsoHeapCellType.h in Headers */,
</span><span class="cx">                          E3C8ED4323A1DBCB00131958 /* IsoInlinedHeapCellType.h in Headers */,
</span><del>-                               537FEED12742BDE100C9EFEE /* IsoMemoryAllocatorBase.h in Headers */,
-                               537FEECE2742BDE100C9EFEE /* IsoMemoryAllocatorBaseInlines.h in Headers */,
</del><span class="cx">                           0FDCE12D1FAFB4E5006F3901 /* IsoSubspace.h in Headers */,
</span><span class="cx">                          0FD2FD9520B52BE200F09441 /* IsoSubspaceInlines.h in Headers */,
</span><span class="cx">                          0F5E0FE72086AD480097F0DE /* IsoSubspacePerVM.h in Headers */,
</span><span class="lines">@@ -10828,11 +10817,10 @@
</span><span class="cx">                          CD1F9B4B270CFE0F00617EB6 /* StrongForward.h in Headers */,
</span><span class="cx">                          145722861437E140005FDE26 /* StrongInlines.h in Headers */,
</span><span class="cx">                          BCDE3AB80E6C82F5001453A7 /* Structure.h in Headers */,
</span><del>-                               537FEED02742BDE100C9EFEE /* StructureAlignedMemoryAllocator.h in Headers */,
</del><span class="cx">                           7986943B1F8C0ACC009232AE /* StructureCache.h in Headers */,
</span><span class="cx">                          7E4EE7090EBB7963005934AA /* StructureChain.h in Headers */,
</span><del>-                               537FEEC92742BDA300C9EFEE /* StructureID.h in Headers */,
</del><span class="cx">                           2AAAA31218BD49D100394CC8 /* StructureIDBlob.h in Headers */,
</span><ins>+                               2AF7382D18BBBF92008A5A37 /* StructureIDTable.h in Headers */,
</ins><span class="cx">                           0FD2C92416D01EE900C7803F /* StructureInlines.h in Headers */,
</span><span class="cx">                          C2FE18A416BAEC4000AF3061 /* StructureRareData.h in Headers */,
</span><span class="cx">                          C20BA92D16BB1C1500B3AEA2 /* StructureRareDataInlines.h in Headers */,
</span></span></pre></div>
<a id="branchessafari613111branchSourceJavaScriptCoreSourcestxt"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/Sources.txt (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/Sources.txt        2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/Sources.txt   2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -537,7 +537,6 @@
</span><span class="cx"> heap/IsoAlignedMemoryAllocator.cpp
</span><span class="cx"> heap/IsoCellSet.cpp
</span><span class="cx"> heap/IsoHeapCellType.cpp
</span><del>-heap/IsoMemoryAllocatorBase.cpp
</del><span class="cx"> heap/IsoSubspace.cpp
</span><span class="cx"> heap/IsoSubspacePerVM.cpp
</span><span class="cx"> heap/JITStubRoutineSet.cpp
</span><span class="lines">@@ -559,7 +558,6 @@
</span><span class="cx"> heap/SpaceTimeMutatorScheduler.cpp
</span><span class="cx"> heap/StochasticSpaceTimeMutatorScheduler.cpp
</span><span class="cx"> heap/StopIfNecessaryTimer.cpp
</span><del>-heap/StructureAlignedMemoryAllocator.cpp
</del><span class="cx"> heap/Subspace.cpp
</span><span class="cx"> heap/SynchronousStopTheWorldMutatorScheduler.cpp
</span><span class="cx"> heap/Synchronousness.cpp
</span><span class="lines">@@ -1007,6 +1005,7 @@
</span><span class="cx"> runtime/Structure.cpp
</span><span class="cx"> runtime/StructureCache.cpp
</span><span class="cx"> runtime/StructureChain.cpp
</span><ins>+runtime/StructureIDTable.cpp
</ins><span class="cx"> runtime/StructureRareData.cpp
</span><span class="cx"> runtime/Symbol.cpp
</span><span class="cx"> runtime/SymbolConstructor.cpp
</span></span></pre></div>
<a id="branchessafari613111branchSourceJavaScriptCorebytecodeAccessCasecpp"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/AccessCase.cpp (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/AccessCase.cpp    2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/AccessCase.cpp       2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -63,7 +63,7 @@
</span><span class="cx">     , m_polyProtoAccessChain(WTFMove(prototypeAccessChain))
</span><span class="cx">     , m_identifier(identifier)
</span><span class="cx"> {
</span><del>-    m_structureID.setMayBeNull(vm, owner, structure);
</del><ins>+    m_structure.setMayBeNull(vm, owner, structure);
</ins><span class="cx">     m_conditionSet = conditionSet;
</span><span class="cx">     RELEASE_ASSERT(m_conditionSet.isValid());
</span><span class="cx"> }
</span><span class="lines">@@ -536,14 +536,14 @@
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> template<typename Functor>
</span><del>-void AccessCase::forEachDependentCell(VM&, const Functor& functor) const
</del><ins>+void AccessCase::forEachDependentCell(VM& vm, const Functor& functor) const
</ins><span class="cx"> {
</span><span class="cx">     m_conditionSet.forEachDependentCell(functor);
</span><del>-    if (m_structureID)
-        functor(m_structureID.get());
</del><ins>+    if (m_structure)
+        functor(m_structure.get());
</ins><span class="cx">     if (m_polyProtoAccessChain) {
</span><span class="cx">         for (StructureID structureID : m_polyProtoAccessChain->chain())
</span><del>-            functor(structureID.decode());
</del><ins>+            functor(vm.getStructure(structureID));
</ins><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     switch (type()) {
</span><span class="lines">@@ -874,8 +874,8 @@
</span><span class="cx">         if (m_type == Transition || m_type == Delete || m_type == SetPrivateBrand)
</span><span class="cx">             out.print("\n", indent, "from structure = ", pointerDump(structure()),
</span><span class="cx">                 "\n", indent, "to structure = ", pointerDump(newStructure()));
</span><del>-        else if (m_structureID)
-            out.print("\n", indent, "structure = ", pointerDump(m_structureID.get()));
</del><ins>+        else if (m_structure)
+            out.print("\n", indent, "structure = ", pointerDump(m_structure.get()));
</ins><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     if (!m_conditionSet.isEmpty())
</span><span class="lines">@@ -904,19 +904,19 @@
</span><span class="cx"> template<typename Visitor>
</span><span class="cx"> void AccessCase::propagateTransitions(Visitor& visitor) const
</span><span class="cx"> {
</span><del>-    if (m_structureID)
-        m_structureID->markIfCheap(visitor);
</del><ins>+    if (m_structure)
+        m_structure->markIfCheap(visitor);
</ins><span class="cx"> 
</span><span class="cx">     if (m_polyProtoAccessChain) {
</span><span class="cx">         for (StructureID structureID : m_polyProtoAccessChain->chain())
</span><del>-            structureID.decode()->markIfCheap(visitor);
</del><ins>+            visitor.vm().getStructure(structureID)->markIfCheap(visitor);
</ins><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     switch (m_type) {
</span><span class="cx">     case Transition:
</span><span class="cx">     case Delete:
</span><del>-        if (visitor.isMarked(m_structureID->previousID()))
-            visitor.appendUnbarriered(m_structureID.get());
</del><ins>+        if (visitor.isMarked(m_structure->previousID()))
+            visitor.appendUnbarriered(m_structure.get());
</ins><span class="cx">         break;
</span><span class="cx">     default:
</span><span class="cx">         break;
</span><span class="lines">@@ -1720,7 +1720,7 @@
</span><span class="cx">         JSValueRegs resultRegs(scratchGPR, scratch2GPR);
</span><span class="cx"> #endif
</span><span class="cx"> 
</span><del>-        jit.emitLoadPrototype(vm, valueGPR, resultRegs, failAndIgnore);
</del><ins>+        jit.emitLoadPrototype(vm, valueGPR, resultRegs, scratchGPR, failAndIgnore);
</ins><span class="cx">         jit.move(scratch2GPR, valueGPR);
</span><span class="cx">         
</span><span class="cx">         CCallHelpers::Jump isInstance = jit.branchPtr(CCallHelpers::Equal, valueGPR, prototypeGPR);
</span><span class="lines">@@ -2613,7 +2613,7 @@
</span><span class="cx">         return false;
</span><span class="cx">     if (lhs.m_viaProxy != rhs.m_viaProxy)
</span><span class="cx">         return false;
</span><del>-    if (lhs.m_structureID.get() != rhs.m_structureID.get())
</del><ins>+    if (lhs.m_structure.get() != rhs.m_structure.get())
</ins><span class="cx">         return false;
</span><span class="cx">     if (lhs.m_identifier != rhs.m_identifier)
</span><span class="cx">         return false;
</span></span></pre></div>
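Review bot: In `propagateTransitions` the new `visitor.vm().getStructure(structureID)->markIfCheap(visitor);` dereferences the result of a StructureID table lookup with no check, on a path driven by a GC visitor; `forEachDependentCell` (`functor(vm.getStructure(structureID));`) has the same shape. What `getStructure` does for a stale or nuked ID is not visible in these hunks, so the safety of both loops rests on every entry of `m_polyProtoAccessChain->chain()` still being allocated in the table when they run. I would make that invariant explicit at each loop, for example `ASSERT(visitor.vm().tryGetStructure(structureID));` before the dereference, assuming `VM::tryGetStructure` (listed in this commit's ChangeLog) returns null for an ID it cannot resolve, together with a one-line comment naming what keeps the chain's structures alive. Both function bodies continue outside the hunks shown.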
<a id="branchessafari613111branchSourceJavaScriptCorebytecodeAccessCaseh"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/AccessCase.h (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/AccessCase.h      2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/AccessCase.h 2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -184,8 +184,8 @@
</span><span class="cx">     Structure* structure() const
</span><span class="cx">     {
</span><span class="cx">         if (m_type == Transition || m_type == Delete || m_type == SetPrivateBrand)
</span><del>-            return m_structureID->previousID();
-        return m_structureID.get();
</del><ins>+            return m_structure->previousID();
+        return m_structure.get();
</ins><span class="cx">     }
</span><span class="cx">     bool guardedByStructureCheck(const StructureStubInfo&) const;
</span><span class="cx"> 
</span><span class="lines">@@ -192,7 +192,7 @@
</span><span class="cx">     Structure* newStructure() const
</span><span class="cx">     {
</span><span class="cx">         ASSERT(m_type == Transition || m_type == Delete || m_type == SetPrivateBrand);
</span><del>-        return m_structureID.get();
</del><ins>+        return m_structure.get();
</ins><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     ObjectPropertyConditionSet conditionSet() const { return m_conditionSet; }
</span><span class="lines">@@ -272,7 +272,7 @@
</span><span class="cx"> 
</span><span class="cx">     unsigned hash() const
</span><span class="cx">     {
</span><del>-        return computeHash(m_conditionSet.hash(), static_cast<unsigned>(m_type), m_viaProxy, m_structureID.unvalidatedGet(), m_offset);
</del><ins>+        return computeHash(m_conditionSet.hash(), static_cast<unsigned>(m_type), m_viaProxy, m_structure.unvalidatedGet(), m_offset);
</ins><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     static bool canBeShared(const AccessCase&, const AccessCase&);
</span><span class="lines">@@ -284,7 +284,7 @@
</span><span class="cx">         , m_state(WTFMove(other.m_state))
</span><span class="cx">         , m_viaProxy(WTFMove(other.m_viaProxy))
</span><span class="cx">         , m_offset(WTFMove(other.m_offset))
</span><del>-        , m_structureID(WTFMove(other.m_structureID))
</del><ins>+        , m_structure(WTFMove(other.m_structure))
</ins><span class="cx">         , m_conditionSet(WTFMove(other.m_conditionSet))
</span><span class="cx">         , m_polyProtoAccessChain(WTFMove(other.m_polyProtoAccessChain))
</span><span class="cx">         , m_identifier(WTFMove(other.m_identifier))
</span><span class="lines">@@ -295,7 +295,7 @@
</span><span class="cx">         , m_state(other.m_state)
</span><span class="cx">         , m_viaProxy(other.m_viaProxy)
</span><span class="cx">         , m_offset(other.m_offset)
</span><del>-        , m_structureID(other.m_structureID)
</del><ins>+        , m_structure(other.m_structure)
</ins><span class="cx">         , m_conditionSet(other.m_conditionSet)
</span><span class="cx">         , m_polyProtoAccessChain(other.m_polyProtoAccessChain)
</span><span class="cx">         , m_identifier(other.m_identifier)
</span><span class="lines">@@ -348,7 +348,7 @@
</span><span class="cx">     // Usually this is the structure that we expect the base object to have. But, this is the *new*
</span><span class="cx">     // structure for a transition and we rely on the fact that it has a strong reference to the old
</span><span class="cx">     // structure. For proxies, this is the structure of the object behind the proxy.
</span><del>-    WriteBarrierStructureID m_structureID;
</del><ins>+    WriteBarrier<Structure> m_structure;
</ins><span class="cx"> 
</span><span class="cx">     ObjectPropertyConditionSet m_conditionSet;
</span><span class="cx"> 
</span></span></pre></div>
<a id="branchessafari613111branchSourceJavaScriptCorebytecodeArrayProfilecpp"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/ArrayProfile.cpp (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/ArrayProfile.cpp  2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/ArrayProfile.cpp     2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -123,9 +123,9 @@
</span><span class="cx">     if (!m_lastSeenStructureID)
</span><span class="cx">         return;
</span><span class="cx">     
</span><del>-    Structure* lastSeenStructure = m_lastSeenStructureID.decode();
</del><ins>+    Structure* lastSeenStructure = codeBlock->heap()->structureIDTable().get(m_lastSeenStructureID);
</ins><span class="cx">     computeUpdatedPrediction(locker, codeBlock, lastSeenStructure);
</span><del>-    m_lastSeenStructureID = StructureID();
</del><ins>+    m_lastSeenStructureID = 0;
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void ArrayProfile::computeUpdatedPrediction(const ConcurrentJSLocker&, CodeBlock* codeBlock, Structure* lastSeenStructure)
</span></span></pre></div>
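Review bot: The lookup on the first changed line resolves a raw `StructureID` (ArrayProfile.h in this change declares the field as a plain `StructureID`, not a barriered reference) and passes the resulting pointer straight to `computeUpdatedPrediction`; the only guard visible is the zero check above it. Nothing in the hunk shows what keeps that table entry valid if the structure has since died, so a one-line comment naming the invariant would help, e.g. `// m_lastSeenStructureID is cleared by GC finalization before its Structure is swept — TODO confirm`. The first hunk of GetByStatus.cpp has the same shape: `structureIDTable().get(structureID)` is dereferenced on the next line after only a `!structureID` test. Both functions begin above their hunks, so an earlier guard may exist outside this view.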
<a id="branchessafari613111branchSourceJavaScriptCorebytecodeArrayProfileh"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/ArrayProfile.h (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/ArrayProfile.h    2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/ArrayProfile.h       2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -249,7 +249,7 @@
</span><span class="cx">     
</span><span class="cx">     static Structure* polymorphicStructure() { return static_cast<Structure*>(reinterpret_cast<void*>(1)); }
</span><span class="cx">     
</span><del>-    StructureID m_lastSeenStructureID;
</del><ins>+    StructureID m_lastSeenStructureID { 0 };
</ins><span class="cx">     bool m_mayStoreToHole { false }; // This flag may become overloaded to indicate other special cases that were encountered during array access, as it depends on indexing type. Since we currently have basically just one indexing type (two variants of ArrayStorage), this flag for now just means exactly what its name implies.
</span><span class="cx">     bool m_outOfBounds { false };
</span><span class="cx"> #if USE(LARGE_TYPED_ARRAYS)
</span></span></pre></div>
<a id="branchessafari613111branchSourceJavaScriptCorebytecodeCheckPrivateBrandStatuscpp"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/CheckPrivateBrandStatus.cpp (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/CheckPrivateBrandStatus.cpp       2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/CheckPrivateBrandStatus.cpp  2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -100,7 +100,7 @@
</span><span class="cx">         return CheckPrivateBrandStatus(NoInformation);
</span><span class="cx"> 
</span><span class="cx">     case CacheType::Stub: {
</span><del>-        PolymorphicAccess* list = stubInfo->m_stub;
</del><ins>+        PolymorphicAccess* list = stubInfo->u.stub;
</ins><span class="cx"> 
</span><span class="cx">         for (unsigned listIndex = 0; listIndex < list->size(); ++listIndex) {
</span><span class="cx">             const AccessCase& access = list->at(listIndex);
</span></span></pre></div>
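Review bot: `stubInfo->u.stub` reads a member of what appears to be a union, so the pointer is only meaningful while the cache type is `Stub`; here that rests entirely on the enclosing `case CacheType::Stub:`, and the value is used by `list->size()` with no further check. An accessor that asserts the tag would keep the tag test and the read together, for example `PolymorphicAccess* stub() const { ASSERT(cacheType() == CacheType::Stub); return u.stub; }` (a suggested helper, not one shown on this page). The same direct read is introduced in DeleteByStatus.cpp, GetByStatus.cpp, InByStatus.cpp and InstanceOfStatus.cpp in this change. The switch statement starts above the hunk.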
<a id="branchessafari613111branchSourceJavaScriptCorebytecodeCodeBlockcpp"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/CodeBlock.cpp (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/CodeBlock.cpp     2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/CodeBlock.cpp        2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -1192,6 +1192,7 @@
</span><span class="cx"> void CodeBlock::propagateTransitions(const ConcurrentJSLocker&, Visitor& visitor)
</span><span class="cx"> {
</span><span class="cx">     typename Visitor::SuppressGCVerifierScope suppressScope(visitor);
</span><ins>+    VM& vm = *m_vm;
</ins><span class="cx"> 
</span><span class="cx">     if (jitType() == JITType::InterpreterThunk) {
</span><span class="cx">         if (m_metadata) {
</span><span class="lines">@@ -1201,9 +1202,9 @@
</span><span class="cx">                 if (!oldStructureID || !newStructureID)
</span><span class="cx">                     return;
</span><span class="cx"> 
</span><del>-                Structure* oldStructure = oldStructureID.decode();
</del><ins>+                Structure* oldStructure = vm.heap.structureIDTable().get(oldStructureID);
</ins><span class="cx">                 if (visitor.isMarked(oldStructure)) {
</span><del>-                    Structure* newStructure = newStructureID.decode();
</del><ins>+                    Structure* newStructure = vm.heap.structureIDTable().get(newStructureID);
</ins><span class="cx">                     visitor.appendUnbarriered(newStructure);
</span><span class="cx">                 }
</span><span class="cx">             });
</span><span class="lines">@@ -1219,9 +1220,9 @@
</span><span class="cx">                 if (!visitor.isMarked(property))
</span><span class="cx">                     return;
</span><span class="cx"> 
</span><del>-                Structure* oldStructure = oldStructureID.decode();
</del><ins>+                Structure* oldStructure = vm.heap.structureIDTable().get(oldStructureID);
</ins><span class="cx">                 if (visitor.isMarked(oldStructure)) {
</span><del>-                    Structure* newStructure = newStructureID.decode();
</del><ins>+                    Structure* newStructure = vm.heap.structureIDTable().get(newStructureID);
</ins><span class="cx">                     visitor.appendUnbarriered(newStructure);
</span><span class="cx">                 }
</span><span class="cx">             });
</span><span class="lines">@@ -1237,9 +1238,9 @@
</span><span class="cx">                 if (!visitor.isMarked(brand))
</span><span class="cx">                     return;
</span><span class="cx"> 
</span><del>-                Structure* oldStructure = oldStructureID.decode();
</del><ins>+                Structure* oldStructure = vm.heap.structureIDTable().get(oldStructureID);
</ins><span class="cx">                 if (visitor.isMarked(oldStructure)) {
</span><del>-                    Structure* newStructure = newStructureID.decode();
</del><ins>+                    Structure* newStructure = vm.heap.structureIDTable().get(newStructureID);
</ins><span class="cx">                     visitor.appendUnbarriered(newStructure);
</span><span class="cx">                 }
</span><span class="cx">             });
</span><span class="lines">@@ -1268,7 +1269,7 @@
</span><span class="cx">         dfgCommon->recordedStatuses.markIfCheap(visitor);
</span><span class="cx">         
</span><span class="cx">         for (StructureID structureID : dfgCommon->m_weakStructureReferences)
</span><del>-            structureID.decode()->markIfCheap(visitor);
</del><ins>+            vm.getStructure(structureID)->markIfCheap(visitor);
</ins><span class="cx"> 
</span><span class="cx">         for (auto& transition : dfgCommon->m_transitions) {
</span><span class="cx">             if (shouldMarkTransition(visitor, transition)) {
</span><span class="lines">@@ -1308,7 +1309,6 @@
</span><span class="cx">     
</span><span class="cx"> #if ENABLE(DFG_JIT)
</span><span class="cx">     VM& vm = *m_vm;
</span><del>-    UNUSED_VARIABLE(vm);
</del><span class="cx">     if (visitor.isMarked(this))
</span><span class="cx">         return;
</span><span class="cx">     
</span><span class="lines">@@ -1333,7 +1333,7 @@
</span><span class="cx">     }
</span><span class="cx">     if (allAreLiveSoFar) {
</span><span class="cx">         for (StructureID structureID : dfgCommon->m_weakStructureReferences) {
</span><del>-            Structure* structure = structureID.decode();
</del><ins>+            Structure* structure = vm.getStructure(structureID);
</ins><span class="cx">             if (!visitor.isMarked(structure)) {
</span><span class="cx">                 allAreLiveSoFar = false;
</span><span class="cx">                 break;
</span><span class="lines">@@ -1367,7 +1367,7 @@
</span><span class="cx">             if (modeMetadata.mode != GetByIdMode::Default)
</span><span class="cx">                 return;
</span><span class="cx">             StructureID oldStructureID = modeMetadata.defaultMode.structureID;
</span><del>-            if (!oldStructureID || vm.heap.isMarked(oldStructureID.decode()))
</del><ins>+            if (!oldStructureID || vm.heap.isMarked(vm.heap.structureIDTable().get(oldStructureID)))
</ins><span class="cx">                 return;
</span><span class="cx">             dataLogLnIf(Options::verboseOSR(), "Clearing ", opName, " LLInt property access.");
</span><span class="cx">             LLIntPrototypeLoadAdaptiveStructureWatchpoint::clearLLIntGetByIdCache(modeMetadata);
</span><span class="lines">@@ -1388,10 +1388,10 @@
</span><span class="cx"> 
</span><span class="cx">         m_metadata->forEach<OpGetByIdDirect>([&] (auto& metadata) {
</span><span class="cx">             StructureID oldStructureID = metadata.m_structureID;
</span><del>-            if (!oldStructureID || vm.heap.isMarked(oldStructureID.decode()))
</del><ins>+            if (!oldStructureID || vm.heap.isMarked(vm.heap.structureIDTable().get(oldStructureID)))
</ins><span class="cx">                 return;
</span><del>-            dataLogLnIf(Options::verboseOSR(), "Clearing LLInt property access.");
-            metadata.m_structureID = StructureID();
</del><ins>+            dataLogLnIf(Options::verboseOSR(), "Clearing get_by_id_direct LLInt property access.");
+            metadata.m_structureID = 0;
</ins><span class="cx">             metadata.m_offset = 0;
</span><span class="cx">         });
</span><span class="cx"> 
</span><span class="lines">@@ -1399,11 +1399,11 @@
</span><span class="cx">             JSCell* property = metadata.m_property.get();
</span><span class="cx">             StructureID structureID = metadata.m_structureID;
</span><span class="cx"> 
</span><del>-            if ((!property || vm.heap.isMarked(property)) && (!structureID || vm.heap.isMarked(structureID.decode())))
</del><ins>+            if ((!property || vm.heap.isMarked(property)) && (!structureID || vm.heap.isMarked(vm.heap.structureIDTable().get(structureID))))
</ins><span class="cx">                 return;
</span><span class="cx"> 
</span><span class="cx">             dataLogLnIf(Options::verboseOSR(), "Clearing LLInt private property access.");
</span><del>-            metadata.m_structureID = StructureID();
</del><ins>+            metadata.m_structureID = 0;
</ins><span class="cx">             metadata.m_offset = 0;
</span><span class="cx">             metadata.m_property.clear();
</span><span class="cx">         });
</span><span class="lines">@@ -1412,14 +1412,14 @@
</span><span class="cx">             StructureID oldStructureID = metadata.m_oldStructureID;
</span><span class="cx">             StructureID newStructureID = metadata.m_newStructureID;
</span><span class="cx">             StructureChain* chain = metadata.m_structureChain.get();
</span><del>-            if ((!oldStructureID || vm.heap.isMarked(oldStructureID.decode()))
-                && (!newStructureID || vm.heap.isMarked(newStructureID.decode()))
</del><ins>+            if ((!oldStructureID || vm.heap.isMarked(vm.heap.structureIDTable().get(oldStructureID)))
+                && (!newStructureID || vm.heap.isMarked(vm.heap.structureIDTable().get(newStructureID)))
</ins><span class="cx">                 && (!chain || vm.heap.isMarked(chain)))
</span><span class="cx">                 return;
</span><span class="cx">             dataLogLnIf(Options::verboseOSR(), "Clearing LLInt put transition.");
</span><del>-            metadata.m_oldStructureID = StructureID();
</del><ins>+            metadata.m_oldStructureID = 0;
</ins><span class="cx">             metadata.m_offset = 0;
</span><del>-            metadata.m_newStructureID = StructureID();
</del><ins>+            metadata.m_newStructureID = 0;
</ins><span class="cx">             metadata.m_structureChain.clear();
</span><span class="cx">         });
</span><span class="cx"> 
</span><span class="lines">@@ -1427,15 +1427,15 @@
</span><span class="cx">             StructureID oldStructureID = metadata.m_oldStructureID;
</span><span class="cx">             StructureID newStructureID = metadata.m_newStructureID;
</span><span class="cx">             JSCell* property = metadata.m_property.get();
</span><del>-            if ((!oldStructureID || vm.heap.isMarked(oldStructureID.decode()))
</del><ins>+            if ((!oldStructureID || vm.heap.isMarked(vm.heap.structureIDTable().get(oldStructureID)))
</ins><span class="cx">                 && (!property || vm.heap.isMarked(property))
</span><del>-                && (!newStructureID || vm.heap.isMarked(newStructureID.decode())))
</del><ins>+                && (!newStructureID || vm.heap.isMarked(vm.heap.structureIDTable().get(newStructureID))))
</ins><span class="cx">                 return;
</span><span class="cx"> 
</span><span class="cx">             dataLogLnIf(Options::verboseOSR(), "Clearing LLInt put_private_name transition.");
</span><del>-            metadata.m_oldStructureID = StructureID();
</del><ins>+            metadata.m_oldStructureID = 0;
</ins><span class="cx">             metadata.m_offset = 0;
</span><del>-            metadata.m_newStructureID = StructureID();
</del><ins>+            metadata.m_newStructureID = 0;
</ins><span class="cx">             metadata.m_property.clear();
</span><span class="cx">         });
</span><span class="cx"> 
</span><span class="lines">@@ -1443,14 +1443,14 @@
</span><span class="cx">             StructureID oldStructureID = metadata.m_oldStructureID;
</span><span class="cx">             StructureID newStructureID = metadata.m_newStructureID;
</span><span class="cx">             JSCell* brand = metadata.m_brand.get();
</span><del>-            if ((!oldStructureID || vm.heap.isMarked(oldStructureID.decode()))
</del><ins>+            if ((!oldStructureID || vm.heap.isMarked(vm.heap.structureIDTable().get(oldStructureID)))
</ins><span class="cx">                 && (!brand || vm.heap.isMarked(brand))
</span><del>-                && (!newStructureID || vm.heap.isMarked(newStructureID.decode())))
</del><ins>+                && (!newStructureID || vm.heap.isMarked(vm.heap.structureIDTable().get(newStructureID))))
</ins><span class="cx">                 return;
</span><span class="cx"> 
</span><span class="cx">             dataLogLnIf(Options::verboseOSR(), "Clearing LLInt set_private_brand transition.");
</span><del>-            metadata.m_oldStructureID = StructureID();
-            metadata.m_newStructureID = StructureID();
</del><ins>+            metadata.m_oldStructureID = 0;
+            metadata.m_newStructureID = 0;
</ins><span class="cx">             metadata.m_brand.clear();
</span><span class="cx">         });
</span><span class="cx"> 
</span><span class="lines">@@ -1457,23 +1457,23 @@
</span><span class="cx">         m_metadata->forEach<OpCheckPrivateBrand>([&] (auto& metadata) {
</span><span class="cx">             StructureID structureID = metadata.m_structureID;
</span><span class="cx">             JSCell* brand = metadata.m_brand.get();
</span><del>-            if ((!structureID || vm.heap.isMarked(structureID.decode()))
</del><ins>+            if ((!structureID || vm.heap.isMarked(vm.heap.structureIDTable().get(structureID)))
</ins><span class="cx">                 && (!brand || vm.heap.isMarked(brand)))
</span><span class="cx">                 return;
</span><span class="cx"> 
</span><del>-            dataLogLnIf(Options::verboseOSR(), "Clearing LLInt set_private_brand transition.");
-            metadata.m_structureID = StructureID();
</del><ins>+            dataLogLnIf(Options::verboseOSR(), "Clearing LLInt check_private_brand transition.");
+            metadata.m_structureID = 0;
</ins><span class="cx">             metadata.m_brand.clear();
</span><span class="cx">         });
</span><span class="cx"> 
</span><span class="cx">         m_metadata->forEach<OpToThis>([&] (auto& metadata) {
</span><del>-            if (!metadata.m_cachedStructureID || vm.heap.isMarked(metadata.m_cachedStructureID.decode()))
</del><ins>+            if (!metadata.m_cachedStructureID || vm.heap.isMarked(vm.heap.structureIDTable().get(metadata.m_cachedStructureID)))
</ins><span class="cx">                 return;
</span><span class="cx">             if (Options::verboseOSR()) {
</span><del>-                Structure* structure = metadata.m_cachedStructureID.decode();
</del><ins>+                Structure* structure = vm.heap.structureIDTable().get(metadata.m_cachedStructureID);
</ins><span class="cx">                 dataLogF("Clearing LLInt to_this with structure %p.\n", structure);
</span><span class="cx">             }
</span><del>-            metadata.m_cachedStructureID = StructureID();
</del><ins>+            metadata.m_cachedStructureID = 0;
</ins><span class="cx">             metadata.m_toThisStatus = merge(metadata.m_toThisStatus, ToThisClearedByGC);
</span><span class="cx">         });
</span><span class="cx"> 
</span><span class="lines">@@ -1560,7 +1560,7 @@
</span><span class="cx">             return true;
</span><span class="cx">         };
</span><span class="cx"> 
</span><del>-        if (!vm.heap.isMarked(std::get<0>(pair.key).decode()))
</del><ins>+        if (!vm.heap.isMarked(vm.heap.structureIDTable().get(std::get<0>(pair.key))))
</ins><span class="cx">             return clear();
</span><span class="cx"> 
</span><span class="cx">         for (const LLIntPrototypeLoadAdaptiveStructureWatchpoint& watchpoint : pair.value) {
</span><span class="lines">@@ -1908,7 +1908,7 @@
</span><span class="cx">         visitor.append(weakReference);
</span><span class="cx"> 
</span><span class="cx">     for (StructureID structureID : dfgCommon->m_weakStructureReferences)
</span><del>-        visitor.appendUnbarriered(structureID.decode());
</del><ins>+        visitor.appendUnbarriered(visitor.vm().getStructure(structureID));
</ins><span class="cx"> #endif    
</span><span class="cx"> }
</span><span class="cx"> 
</span></span></pre></div>
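Review bot: In the LLInt cache-clearing hunks (from `@@ -1367` through `@@ -1560`) each weak `StructureID` is resolved with `vm.heap.structureIDTable().get(...)` before `isMarked` is asked, so the lookup runs precisely on IDs whose structure may already be dead. That is only safe if a table entry stays valid until this pass has finished, which the visible lines do not state; a comment at the top of the block such as `// StructureIDTable entries outlive marking; they are released when the Structure is destroyed — TODO confirm` would record the assumption. Separately, the file now spells the same ID-to-pointer conversion three ways (`vm.heap.structureIDTable().get(id)`, `vm.getStructure(id)` and `visitor.vm().getStructure(id)`); using one form throughout would make these conversions easier to audit. The enclosing functions start and end outside the hunks.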
<a id="branchessafari613111branchSourceJavaScriptCorebytecodeDeleteByStatuscpp"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/DeleteByStatus.cpp (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/DeleteByStatus.cpp        2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/DeleteByStatus.cpp   2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -99,7 +99,7 @@
</span><span class="cx">         return DeleteByStatus(NoInformation);
</span><span class="cx"> 
</span><span class="cx">     case CacheType::Stub: {
</span><del>-        PolymorphicAccess* list = stubInfo->m_stub;
</del><ins>+        PolymorphicAccess* list = stubInfo->u.stub;
</ins><span class="cx"> 
</span><span class="cx">         for (unsigned listIndex = 0; listIndex < list->size(); ++listIndex) {
</span><span class="cx">             const AccessCase& access = list->at(listIndex);
</span></span></pre></div>
<a id="branchessafari613111branchSourceJavaScriptCorebytecodeGetByIdMetadatah"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/GetByIdMetadata.h (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/GetByIdMetadata.h 2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/GetByIdMetadata.h    2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -69,7 +69,7 @@
</span><span class="cx"> union GetByIdModeMetadata {
</span><span class="cx">     GetByIdModeMetadata()
</span><span class="cx">     {
</span><del>-        defaultMode.structureID = StructureID();
</del><ins>+        defaultMode.structureID = 0;
</ins><span class="cx">         defaultMode.cachedOffset = 0;
</span><span class="cx">         defaultMode.padding1 = 0;
</span><span class="cx">         mode = GetByIdMode::Default;
</span><span class="lines">@@ -100,7 +100,7 @@
</span><span class="cx"> struct GetByIdModeMetadata {
</span><span class="cx">     GetByIdModeMetadata()
</span><span class="cx">     {
</span><del>-        defaultMode.structureID = StructureID();
</del><ins>+        defaultMode.structureID = 0;
</ins><span class="cx">         defaultMode.cachedOffset = 0;
</span><span class="cx">         defaultMode.padding1 = 0;
</span><span class="cx">         mode = GetByIdMode::Default;
</span><span class="lines">@@ -127,7 +127,7 @@
</span><span class="cx"> inline void GetByIdModeMetadata::clearToDefaultModeWithoutCache()
</span><span class="cx"> {
</span><span class="cx">     mode = GetByIdMode::Default;
</span><del>-    defaultMode.structureID = StructureID();
</del><ins>+    defaultMode.structureID = 0;
</ins><span class="cx">     defaultMode.cachedOffset = 0;
</span><span class="cx"> }
</span><span class="cx"> 
</span></span></pre></div>
<a id="branchessafari613111branchSourceJavaScriptCorebytecodeGetByStatuscpp"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/GetByStatus.cpp (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/GetByStatus.cpp   2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/GetByStatus.cpp      2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -127,7 +127,7 @@
</span><span class="cx">     if (!structureID)
</span><span class="cx">         return GetByStatus(NoInformation, false);
</span><span class="cx"> 
</span><del>-    Structure* structure = structureID.decode();
</del><ins>+    Structure* structure = vm.heap.structureIDTable().get(structureID);
</ins><span class="cx"> 
</span><span class="cx">     if (structure->takesSlowPathInDFGForImpureProperty())
</span><span class="cx">         return GetByStatus(NoInformation, false);
</span><span class="lines">@@ -236,7 +236,7 @@
</span><span class="cx">     }
</span><span class="cx">         
</span><span class="cx">     case CacheType::Stub: {
</span><del>-        PolymorphicAccess* list = stubInfo->m_stub;
</del><ins>+        PolymorphicAccess* list = stubInfo->u.stub;
</ins><span class="cx">         if (list->size() == 1) {
</span><span class="cx">             const AccessCase& access = list->at(0);
</span><span class="cx">             switch (access.type()) {
</span></span></pre></div>
<a id="branchessafari613111branchSourceJavaScriptCorebytecodeInByStatuscpp"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/InByStatus.cpp (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/InByStatus.cpp    2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/InByStatus.cpp       2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -160,7 +160,7 @@
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     case CacheType::Stub: {
</span><del>-        PolymorphicAccess* list = stubInfo->m_stub;
</del><ins>+        PolymorphicAccess* list = stubInfo->u.stub;
</ins><span class="cx">         for (unsigned listIndex = 0; listIndex < list->size(); ++listIndex) {
</span><span class="cx">             const AccessCase& access = list->at(listIndex);
</span><span class="cx">             if (access.viaProxy())
</span></span></pre></div>
<a id="branchessafari613111branchSourceJavaScriptCorebytecodeInlineAccesscpp"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/InlineAccess.cpp (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/InlineAccess.cpp  2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/InlineAccess.cpp     2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -447,7 +447,7 @@
</span><span class="cx">         }
</span><span class="cx"> 
</span><span class="cx">         stubInfo.m_codePtr = target;
</span><del>-        stubInfo.m_inlineAccessBaseStructureID.clear(); // Clear out the inline access code.
</del><ins>+        stubInfo.m_inlineAccessBaseStructure = 0; // Clear out the inline access code.
</ins><span class="cx">         return;
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="lines">@@ -464,7 +464,7 @@
</span><span class="cx"> {
</span><span class="cx">     if (codeBlock->useDataIC() && codeBlock->jitType() == JITType::BaselineJIT) {
</span><span class="cx">         stubInfo.m_codePtr = stubInfo.slowPathStartLocation;
</span><del>-        stubInfo.m_inlineAccessBaseStructureID.clear(); // Clear out the inline access code.
</del><ins>+        stubInfo.m_inlineAccessBaseStructure = 0; // Clear out the inline access code.
</ins><span class="cx">         return;
</span><span class="cx">     }
</span><span class="cx"> 
</span></span></pre></div>
<a id="branchessafari613111branchSourceJavaScriptCorebytecodeInstanceOfStatuscpp"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/InstanceOfStatus.cpp (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/InstanceOfStatus.cpp      2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/InstanceOfStatus.cpp 2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -83,7 +83,7 @@
</span><span class="cx">     if (stubInfo->cacheType() != CacheType::Stub)
</span><span class="cx">         return TakesSlowPath; // This is conservative. It could be that we have no information.
</span><span class="cx">     
</span><del>-    PolymorphicAccess* list = stubInfo->m_stub;
</del><ins>+    PolymorphicAccess* list = stubInfo->u.stub;
</ins><span class="cx">     InstanceOfStatus result;
</span><span class="cx">     for (unsigned listIndex = 0; listIndex < list->size(); ++listIndex) {
</span><span class="cx">         const AccessCase& access = list->at(listIndex);
</span></span></pre></div>
<a id="branchessafari613111branchSourceJavaScriptCorebytecodeInternalFunctionAllocationProfileh"></a>
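--- a/branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/InternalFunctionAllocationProfile.h
+++ b/branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/InternalFunctionAllocationProfile.h
@@ -33,21 +33,21 @@
 
 class InternalFunctionAllocationProfile {
 public:
-    static inline ptrdiff_t offsetOfStructureID() { return OBJECT_OFFSETOF(InternalFunctionAllocationProfile, m_structureID); }
+    static inline ptrdiff_t offsetOfStructure() { return OBJECT_OFFSETOF(InternalFunctionAllocationProfile, m_structure); }
 
-    Structure* structure() { return m_structureID.get(); }
+    Structure* structure() { return m_structure.get(); }
     Structure* createAllocationStructureFromBase(VM&, JSGlobalObject*, JSCell* owner, JSObject* prototype, Structure* base);
 
-    void clear() { m_structureID.clear(); }
-    template<typename Visitor> void visitAggregate(Visitor& visitor) { visitor.append(m_structureID); }
+    void clear() { m_structure.clear(); }
+    template<typename Visitor> void visitAggregate(Visitor& visitor) { visitor.append(m_structure); }
 
 private:
-    WriteBarrierStructureID m_structureID;
+    WriteBarrier<Structure> m_structure;
 };
 
 inline Structure* InternalFunctionAllocationProfile::createAllocationStructureFromBase(VM& vm, JSGlobalObject* baseGlobalObject, JSCell* owner, JSObject* prototype, Structure* baseStructure)
 {
-    ASSERT(!m_structureID || m_structureID.get()->classInfo() != baseStructure->classInfo() || m_structureID->globalObject() != baseStructure->globalObject());
+    ASSERT(!m_structure || m_structure.get()->classInfo() != baseStructure->classInfo() || m_structure->globalObject() != baseStructure->globalObject());
     ASSERT(baseStructure->hasMonoProto());
 
     Structure* structure;
@@ -61,8 +61,8 @@
     // Ensure that if another thread sees the structure, it will see it properly created.
     WTF::storeStoreFence();
 
-    m_structureID.set(vm, owner, structure);
-    return structure;
+    m_structure.set(vm, owner, structure);
+    return m_structure.get();
 }
 
 } // namespace JSC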
<a id="branchessafari613111branchSourceJavaScriptCorebytecodePolyProtoAccessChaincpp"></a>
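--- a/branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/PolyProtoAccessChain.cpp
+++ b/branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/PolyProtoAccessChain.cpp
@@ -80,10 +80,10 @@
     return adoptRef(*new PolyProtoAccessChain(WTFMove(chain)));
 }
 
-bool PolyProtoAccessChain::needImpurePropertyWatchpoint(VM&) const
+bool PolyProtoAccessChain::needImpurePropertyWatchpoint(VM& vm) const
 {
     for (StructureID structureID : m_chain) {
-        if (structureID.decode()->needImpurePropertyWatchpoint())
+        if (vm.getStructure(structureID)->needImpurePropertyWatchpoint())
             return true;
     }
     return false;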
<a id="branchessafari613111branchSourceJavaScriptCorebytecodePolyProtoAccessChainh"></a>
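--- a/branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/PolyProtoAccessChain.h
+++ b/branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/PolyProtoAccessChain.h
@@ -25,7 +25,7 @@
 
 #pragma once
 
-#include "StructureID.h"
+#include "StructureIDTable.h"
 #include "VM.h"
 #include <wtf/FixedVector.h>
 #include <wtf/Vector.h>
@@ -57,20 +57,20 @@
     bool needImpurePropertyWatchpoint(VM&) const;
 
     template <typename Func>
-    void forEach(VM&, Structure* baseStructure, const Func& func) const
+    void forEach(VM& vm, Structure* baseStructure, const Func& func) const
     {
         bool atEnd = !m_chain.size();
         func(baseStructure, atEnd);
         for (unsigned i = 0; i < m_chain.size(); ++i) {
             atEnd = i + 1 == m_chain.size();
-            func(m_chain[i].decode(), atEnd);
+            func(vm.getStructure(m_chain[i]), atEnd);
         }
     }
 
-    Structure* slotBaseStructure(VM&, Structure* baseStructure) const
+    Structure* slotBaseStructure(VM& vm, Structure* baseStructure) const
     {
         if (m_chain.size())
-            return m_chain.last().decode();
+            return vm.getStructure(m_chain.last());
         return baseStructure;
     }
 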
<a id="branchessafari613111branchSourceJavaScriptCorebytecodePolymorphicAccesscpp"></a>
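--- a/branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/PolymorphicAccess.cpp
+++ b/branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/PolymorphicAccess.cpp
@@ -381,7 +381,7 @@
     }
     if (m_stubRoutine) {
         for (StructureID weakReference : m_stubRoutine->weakStructures()) {
-            Structure* structure = weakReference.decode();
+            Structure* structure = vm.getStructure(weakReference);
             if (!vm.heap.isMarked(structure))
                 return false;
         }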
<a id="branchessafari613111branchSourceJavaScriptCorebytecodePutByIdFlagsh"></a>
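--- a/branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/PutByIdFlags.h
+++ b/branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/PutByIdFlags.h
@@ -26,6 +26,7 @@
 #pragma once
 
 #include "ECMAMode.h"
+#include "StructureIDTable.h"
 
 namespace JSC {
 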
<a id="branchessafari613111branchSourceJavaScriptCorebytecodePutByStatuscpp"></a>
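--- a/branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/PutByStatus.cpp
+++ b/branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/PutByStatus.cpp
@@ -81,7 +81,7 @@
     if (!structureID)
         return PutByStatus(NoInformation);
     
-    Structure* structure = structureID.decode();
+    Structure* structure = vm.heap.structureIDTable().get(structureID);
 
     StructureID newStructureID = metadata.m_newStructureID;
     if (!newStructureID) {
@@ -92,7 +92,7 @@
         return PutByVariant::replace(nullptr, structure, offset);
     }
 
-    Structure* newStructure = newStructureID.decode();
+    Structure* newStructure = vm.heap.structureIDTable().get(newStructureID);
     
     ASSERT(structure->transitionWatchpointSetHasBeenInvalidated());
     
@@ -188,7 +188,7 @@
     }
         
     case CacheType::Stub: {
-        PolymorphicAccess* list = stubInfo->m_stub;
+        PolymorphicAccess* list = stubInfo->u.stub;
         
         PutByStatus result;
         result.m_state = Simple;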
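Review bot: The two metadata lookups in the hunks at -81 and -92 are spelled `vm.heap.structureIDTable().get(structureID)`, while the other files in this change (PolyProtoAccessChain, PolymorphicAccess.cpp, DFGPlan.cpp, StructureStubInfo.h) go through `vm.getStructure(...)`; DFGByteCodeParser.cpp has the same direct spelling, `m_vm->heap.structureIDTable().get(cachedStructureID)`. If the two forms are equivalent, as the mixed use suggests, writing `Structure* structure = vm.getStructure(structureID);` here keeps every StructureID-to-pointer conversion behind one entry point, which is the place any later validation or hardening of the lookup would have to go. The only check visible before either lookup is the zero test on the ID, and the enclosing function starts outside the hunks.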
<a id="branchessafari613111branchSourceJavaScriptCorebytecodeSetPrivateBrandStatuscpp"></a>
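--- a/branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/SetPrivateBrandStatus.cpp
+++ b/branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/SetPrivateBrandStatus.cpp
@@ -100,7 +100,7 @@
         return SetPrivateBrandStatus(NoInformation);
 
     case CacheType::Stub: {
-        PolymorphicAccess* list = stubInfo->m_stub;
+        PolymorphicAccess* list = stubInfo->u.stub;
 
         for (unsigned listIndex = 0; listIndex < list->size(); ++listIndex) {
             const AccessCase& access = list->at(listIndex);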
<a id="branchessafari613111branchSourceJavaScriptCorebytecodeSpeculatedTypecpp"></a>
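--- a/branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/SpeculatedType.cpp
+++ b/branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/SpeculatedType.cpp
@@ -596,7 +596,13 @@
         }
         return SpecString;
     }
-    return speculationFromStructure(cell->structure());
+    // FIXME: rdar://69036888: undo this when no longer needed.
+    auto* structure = cell->vm().tryGetStructure(cell->structureID());
+    if (UNLIKELY(!isSanePointer(structure))) {
+        ASSERT_NOT_REACHED();
+        return SpecNone;
+    }
+    return speculationFromStructure(structure);
 }
 
 SpeculatedType speculationFromValue(JSValue value)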
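Review bot: The guard added before `speculationFromStructure(structure)` is documented only by `// FIXME: rdar://69036888: undo this when no longer needed.`, which tells a reader without access to that tracker neither what is being defended against nor when it stops being needed. From the code alone, it protects against a cell whose `structureID()` does not resolve to a usable `Structure*`; the comment should say that, and should say that `SpecNone` is the intended fallback, since `ASSERT_NOT_REACHED()` presumably compiles out of release builds and the bad cell is then silently tolerated. Something like `// Defensive: if the cell's StructureID does not resolve to a sane Structure*, report SpecNone instead of dereferencing it.` would make the fail-safe reviewable. The enclosing function starts outside the hunk.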
<a id="branchessafari613111branchSourceJavaScriptCorebytecodeStructureStubInfocpp"></a>
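--- a/branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/StructureStubInfo.cpp
+++ b/branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/StructureStubInfo.cpp
@@ -49,7 +49,8 @@
     ASSERT(hasConstantIdentifier);
     setCacheType(locker, CacheType::GetByIdSelf);
     m_identifier = identifier;
-    m_inlineAccessBaseStructureID.set(codeBlock->vm(), codeBlock, inlineAccessBaseStructure);
+    m_inlineAccessBaseStructure = inlineAccessBaseStructure->id();
+    codeBlock->vm().writeBarrier(codeBlock);
     byIdSelfOffset = offset;
 }
 
@@ -70,7 +71,8 @@
     ASSERT(m_cacheType == CacheType::Unset);
     setCacheType(locker, CacheType::PutByIdReplace);
     m_identifier = identifier;
-    m_inlineAccessBaseStructureID.set(codeBlock->vm(), codeBlock, inlineAccessBaseStructure);
+    m_inlineAccessBaseStructure = inlineAccessBaseStructure->id();
+    codeBlock->vm().writeBarrier(codeBlock);
     byIdSelfOffset = offset;
 }
 
@@ -79,7 +81,8 @@
     ASSERT(m_cacheType == CacheType::Unset);
     setCacheType(locker, CacheType::InByIdSelf);
     m_identifier = identifier;
-    m_inlineAccessBaseStructureID.set(codeBlock->vm(), codeBlock, inlineAccessBaseStructure);
+    m_inlineAccessBaseStructure = inlineAccessBaseStructure->id();
+    codeBlock->vm().writeBarrier(codeBlock);
     byIdSelfOffset = offset;
 }
 
@@ -87,7 +90,7 @@
 {
     switch (m_cacheType) {
     case CacheType::Stub:
-        delete m_stub;
+        delete u.stub;
         return;
     case CacheType::Unset:
     case CacheType::GetByIdSelf:
@@ -105,7 +108,7 @@
 {
     switch (m_cacheType) {
     case CacheType::Stub:
-        m_stub->aboutToDie();
+        u.stub->aboutToDie();
         return;
     case CacheType::Unset:
     case CacheType::GetByIdSelf:
@@ -136,7 +139,7 @@
         AccessGenerationResult result;
         
         if (m_cacheType == CacheType::Stub) {
-            result = m_stub->addCase(locker, vm, codeBlock, *this, accessCase.releaseNonNull());
+            result = u.stub->addCase(locker, vm, codeBlock, *this, accessCase.releaseNonNull());
             
             if (StructureStubInfoInternal::verbose)
                 dataLog("Had stub, result: ", result, "\n");
@@ -173,7 +176,7 @@
             }
             
             setCacheType(locker, CacheType::Stub);
-            m_stub = access.release();
+            u.stub = access.release();
         }
         
         ASSERT(m_cacheType == CacheType::Stub);
@@ -199,7 +202,7 @@
         // PolymorphicAccess.
         clearBufferedStructures();
         
-        result = m_stub->regenerate(locker, vm, globalObject, codeBlock, ecmaMode, *this);
+        result = u.stub->regenerate(locker, vm, globalObject, codeBlock, ecmaMode, *this);
         
         if (StructureStubInfoInternal::verbose)
             dataLog("Regeneration result: ", result, "\n");
@@ -213,11 +216,11 @@
         // access code. That's because when we first transition to becoming a Stub, we may
         // be buffered, and we have not yet generated any code. Once the Stub finally generates
         // code, we're no longer running the inline access code, so we can then clear out
-        // m_inlineAccessBaseStructureID. The reason we don't clear m_inlineAccessBaseStructureID while
-        // we're buffered is because we rely on it to reset during GC if m_inlineAccessBaseStructureID
+        // m_inlineAccessBaseStructure. The reason we don't clear m_inlineAccessBaseStructure while
+        // we're buffered is because we rely on it to reset during GC if m_inlineAccessBaseStructure
         // is collected.
         m_identifier = nullptr;
-        m_inlineAccessBaseStructureID.clear();
+        m_inlineAccessBaseStructure = 0;
         
         // If we generated some code then we don't want to attempt to repatch in the future until we
         // gather enough cases.
@@ -232,7 +235,7 @@
 {
     clearBufferedStructures();
     m_identifier = nullptr;
-    m_inlineAccessBaseStructureID.clear();
+    m_inlineAccessBaseStructure = 0;
 
     if (m_cacheType == CacheType::Unset)
         return;
@@ -320,7 +323,7 @@
     case CacheType::GetByIdSelf:
         return;
     case CacheType::Stub:
-        m_stub->visitAggregate(visitor);
+        u.stub->visitAggregate(visitor);
         return;
     }
     
@@ -345,7 +348,7 @@
     if (Structure* structure = inlineAccessBaseStructure(vm))
         isValid &= vm.heap.isMarked(structure);
     if (m_cacheType == CacheType::Stub)
-        isValid &= m_stub->visitWeak(vm);
+        isValid &= u.stub->visitWeak(vm);
 
     if (isValid)
         return;
@@ -361,7 +364,7 @@
         structure->markIfCheap(visitor);
 
     if (m_cacheType == CacheType::Stub)
-        m_stub->propagateTransitions(visitor);
+        u.stub->propagateTransitions(visitor);
 }
 
 template void StructureStubInfo::propagateTransitions(AbstractSlotVisitor&);
@@ -372,7 +375,7 @@
     StubInfoSummary takesSlowPath = StubInfoSummary::TakesSlowPath;
     StubInfoSummary simple = StubInfoSummary::Simple;
     if (m_cacheType == CacheType::Stub) {
-        PolymorphicAccess* list = m_stub;
+        PolymorphicAccess* list = u.stub;
         for (unsigned i = 0; i < list->size(); ++i) {
             const AccessCase& access = list->at(i);
             if (access.doesCalls(vm)) {
@@ -404,7 +407,7 @@
 {
     if (m_cacheType != CacheType::Stub)
         return false;
-    return m_stub->containsPC(pc);
+    return u.stub->containsPC(pc);
 }
 
 ALWAYS_INLINE void StructureStubInfo::setCacheType(const ConcurrentJSLockerBase&, CacheType newCacheType)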
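Review bot: The GC write barrier is no longer tied to the store in the three hunks at -49, -70 and -79 (the initialisers that set `CacheType::GetByIdSelf`, `PutByIdReplace` and `InByIdSelf`), which now assign a raw ID and rely on a hand-written `codeBlock->vm().writeBarrier(codeBlock);` on the next line. The removed `m_inlineAccessBaseStructureID.set(codeBlock->vm(), codeBlock, inlineAccessBaseStructure)` did both in one call, so the pairing is now a convention repeated three times, and a later caller that copies only the assignment would leave the owner unbarriered. I would fold the two lines into one private helper on StructureStubInfo that takes the CodeBlock and the Structure, and call it from all three sites. At minimum, add `// Raw StructureID store: must be followed by a write barrier on the owning CodeBlock.` above each assignment. All three function bodies start outside their hunks.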
<a id="branchessafari613111branchSourceJavaScriptCorebytecodeStructureStubInfoh"></a>
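--- a/branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/StructureStubInfo.h
+++ b/branches/safari-613.1.11-branch/Source/JavaScriptCore/bytecode/StructureStubInfo.h
@@ -211,14 +211,6 @@
         return considerCaching(vm, codeBlock, structure, impl);
     }
 
-    Structure* inlineAccessBaseStructure(VM&)
-    {
-        return m_inlineAccessBaseStructureID.get();
-    }
-
-    static ptrdiff_t offsetOfByIdSelfOffset() { return OBJECT_OFFSETOF(StructureStubInfo, byIdSelfOffset); }
-    static ptrdiff_t offsetOfInlineAccessBaseStructureID() { return OBJECT_OFFSETOF(StructureStubInfo, m_inlineAccessBaseStructureID); }
-
 private:
     ALWAYS_INLINE bool considerCaching(VM& vm, CodeBlock* codeBlock, Structure* structure, CacheableIdentifier impl)
     {
@@ -359,10 +351,19 @@
 
 public:
     CodeOrigin codeOrigin;
-    PolymorphicAccess* m_stub { nullptr };
     PropertyOffset byIdSelfOffset;
-    WriteBarrierStructureID m_inlineAccessBaseStructureID;
-
+    static ptrdiff_t offsetOfByIdSelfOffset() { return OBJECT_OFFSETOF(StructureStubInfo, byIdSelfOffset); }
+    static ptrdiff_t offsetOfInlineAccessBaseStructure() { return OBJECT_OFFSETOF(StructureStubInfo, m_inlineAccessBaseStructure); }
+    union {
+        PolymorphicAccess* stub;
+    } u;
+    Structure* inlineAccessBaseStructure(VM& vm)
+    {
+        if (!m_inlineAccessBaseStructure)
+            return nullptr;
+        return vm.getStructure(m_inlineAccessBaseStructure);
+    }
+    StructureID m_inlineAccessBaseStructure { 0 };
 private:
     CacheableIdentifier m_identifier;
     // Represents those structures that already have buffered AccessCases in the PolymorphicAccess.
@@ -421,11 +422,10 @@
     uint8_t countdown { 1 };
     uint8_t repatchCount { 0 };
     uint8_t numberOfCoolDowns { 0 };
+
+    CallSiteIndex callSiteIndex;
+
     uint8_t bufferingCountdown;
-private:
-    Lock m_bufferedStructuresLock;
-public:
-    CallSiteIndex callSiteIndex;
     bool resetByGC : 1;
     bool tookSlowPath : 1;
     bool everConsidered : 1;
@@ -435,6 +435,8 @@
     bool propertyIsString : 1;
     bool propertyIsInt32 : 1;
     bool propertyIsSymbol : 1;
+private:
+    Lock m_bufferedStructuresLock;
 };
 
 inline CodeOrigin getStructureStubInfoCodeOrigin(StructureStubInfo& structureStubInfo)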
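Review bot: In the hunk at -359 the new `union { PolymorphicAccess* stub; } u;` has no default initializer, whereas the member it replaces was `PolymorphicAccess* m_stub { nullptr };`, so unless a constructor not shown here sets it, `u.stub` holds an indeterminate value until the first assignment. The users visible in StructureStubInfo.cpp all check `m_cacheType == CacheType::Stub` first, but that makes `delete u.stub` and the `u.stub->...` calls depend entirely on the tag being correct, with no null pointer to fail on if it is not. Keeping the old guarantee costs one token: `PolymorphicAccess* stub { nullptr };` inside the union. Since the union has a single member, a short comment on why it is a union at all would also help. The class body starts outside the hunks.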
<a id="branchessafari613111branchSourceJavaScriptCoredfgDFGAbstractInterpreterInlinesh"></a>
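--- a/branches/safari-613.1.11-branch/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
+++ b/branches/safari-613.1.11-branch/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
@@ -2201,7 +2201,7 @@
                 // And we check the indexing mode of the structure. If the indexing mode is CoW, the butterfly is
                 // definitely JSImmutableButterfly.
                 StructureID structureIDEarly = array->structureID();
-                if (structureIDEarly.isNuked())
+                if (isNuked(structureIDEarly))
                     return false;
 
                 if (node->arrayMode().arrayClass() == Array::OriginalCopyOnWriteArray) {
@@ -2215,7 +2215,7 @@
                     if (structureIDEarly != structureIDLate)
                         return false;
 
-                    Structure* structure = structureIDLate.decode();
+                    Structure* structure = m_vm.getStructure(structureIDLate);
                     switch (node->arrayMode().type()) {
                     case Array::Int32:
                     case Array::Contiguous:
@@ -2273,7 +2273,7 @@
                         if (structureIDEarly != structureIDLate)
                             return false;
 
-                        Structure* structure = structureIDLate.decode();
+                        Structure* structure = m_vm.getStructure(structureIDLate);
                         if (!hasAnyArrayStorage(structure->indexingMode()))
                             return false;
 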
<a id="branchessafari613111branchSourceJavaScriptCoredfgDFGByteCodeParsercpp"></a>
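--- a/branches/safari-613.1.11-branch/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
+++ b/branches/safari-613.1.11-branch/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
@@ -5504,7 +5504,7 @@
             StructureID cachedStructureID = metadata.m_cachedStructureID;
             Structure* cachedStructure = nullptr;
             if (cachedStructureID)
-                cachedStructure = cachedStructureID.decode();
+                cachedStructure = m_vm->heap.structureIDTable().get(cachedStructureID);
             if (metadata.m_toThisStatus != ToThisOK
                 || !cachedStructure
                 || cachedStructure->classInfo()->methodTable.toThis != JSObject::info()->methodTable.toThis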
<a id="branchessafari613111branchSourceJavaScriptCoredfgDFGGraphcpp"></a>
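--- a/branches/safari-613.1.11-branch/Source/JavaScriptCore/dfg/DFGGraph.cpp
+++ b/branches/safari-613.1.11-branch/Source/JavaScriptCore/dfg/DFGGraph.cpp
@@ -262,7 +262,7 @@
     if (node->hasTransition()) {
         out.print(comma, pointerDumpInContext(node->transition(), context));
 #if USE(JSVALUE64)
-        out.print(", ID:", node->transition()->next->id().bits());
+        out.print(", ID:", node->transition()->next->id());
 #else
         out.print(", ID:", RawPointer(node->transition()->next.get()));
 #endif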
<a id="branchessafari613111branchSourceJavaScriptCoredfgDFGJITCompilerh"></a>
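--- a/branches/safari-613.1.11-branch/Source/JavaScriptCore/dfg/DFGJITCompiler.h
+++ b/branches/safari-613.1.11-branch/Source/JavaScriptCore/dfg/DFGJITCompiler.h
@@ -268,7 +268,7 @@
     {
         Structure* structure = weakStructure.get();
 #if USE(JSVALUE64)
-        Jump result = branch32(cond, left, TrustedImm32(structure->id().bits()));
+        Jump result = branch32(cond, left, TrustedImm32(structure->id()));
         return result;
 #else
         return branchPtr(cond, left, TrustedImmPtr(structure));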
<a id="branchessafari613111branchSourceJavaScriptCoredfgDFGPlancpp"></a>
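--- a/branches/safari-613.1.11-branch/Source/JavaScriptCore/dfg/DFGPlan.cpp
+++ b/branches/safari-613.1.11-branch/Source/JavaScriptCore/dfg/DFGPlan.cpp
@@ -564,7 +564,7 @@
             for (WriteBarrier<JSCell>& reference : m_codeBlock->jitCode()->dfgCommon()->m_weakReferences)
                 trackedReferences.add(reference.get());
             for (StructureID structureID : m_codeBlock->jitCode()->dfgCommon()->m_weakStructureReferences)
-                trackedReferences.add(structureID.decode());
+                trackedReferences.add(m_vm->getStructure(structureID));
             for (WriteBarrier<Unknown>& constant : m_codeBlock->constants())
                 trackedReferences.add(constant.get());
 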
<a id="branchessafari613111branchSourceJavaScriptCoredfgDFGSpeculativeJITcpp"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp  2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp     2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -8533,7 +8533,8 @@
</span><span class="cx"> {
</span><span class="cx">     SpeculateCellOperand object(this, node->child1());
</span><span class="cx">     GPRTemporary result(this);
</span><del>-    m_jit.emitLoadStructure(vm(), object.gpr(), result.gpr());
</del><ins>+    GPRTemporary scratch(this);
+    m_jit.emitLoadStructure(vm(), object.gpr(), result.gpr(), scratch.gpr());
</ins><span class="cx">     m_jit.loadPtr(JITCompiler::Address(result.gpr(), Structure::globalObjectOffset()), result.gpr());
</span><span class="cx">     cellResult(result.gpr(), node);
</span><span class="cx"> }
</span><span class="lines">@@ -11041,7 +11042,7 @@
</span><span class="cx">         GPRReg otherGPR = other.gpr();
</span><span class="cx">         GPRReg specifiedGPR = specified.gpr();
</span><span class="cx"> 
</span><del>-        m_jit.emitLoadStructure(vm(), baseGPR, otherGPR);
</del><ins>+        m_jit.emitLoadStructure(vm(), baseGPR, otherGPR, specifiedGPR);
</ins><span class="cx">         m_jit.loadPtr(CCallHelpers::Address(otherGPR, Structure::classInfoOffset()), otherGPR);
</span><span class="cx">         m_jit.move(CCallHelpers::TrustedImmPtr(node->classInfo()), specifiedGPR);
</span><span class="cx"> 
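Review bot: The scratch argument added here is `specifiedGPR`, an operand register rather than a dedicated temporary, and nothing in the hunk says why that is safe. It works only while `specifiedGPR` holds no live value at this point. The `m_jit.move(CCallHelpers::TrustedImmPtr(node->classInfo()), specifiedGPR)` two lines later suggests it does not, but the start of the function is outside the hunk. A one-line comment such as `// specifiedGPR is dead until the classInfo move below, so it can double as the scratch.` would keep a later reordering from silently clobbering it. The same applies to `executable.gpr()` in the @@ -11252 hunk and to `temp2GPR` in the @@ -2178 hunk of DFGSpeculativeJIT64.cpp.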
</span><span class="lines">@@ -11252,7 +11253,7 @@
</span><span class="cx"> 
</span><span class="cx">     speculateFunction(node->child1(), function.gpr());
</span><span class="cx"> 
</span><del>-    m_jit.emitLoadStructure(vm(), function.gpr(), result.gpr());
</del><ins>+    m_jit.emitLoadStructure(vm(), function.gpr(), result.gpr(), executable.gpr());
</ins><span class="cx">     m_jit.loadPtr(JITCompiler::Address(result.gpr(), Structure::classInfoOffset()), result.gpr());
</span><span class="cx">     static_assert(std::is_final_v<JSBoundFunction>, "We don't handle subclasses when comparing classInfo below");
</span><span class="cx">     slowCases.append(m_jit.branchPtr(CCallHelpers::Equal, result.gpr(), TrustedImmPtr(JSBoundFunction::info())));
</span><span class="lines">@@ -14267,11 +14268,13 @@
</span><span class="cx">     if (node->child1().useKind() == CellUse || node->child1().useKind() == CellOrOtherUse) {
</span><span class="cx">         JSValueOperand base(this, node->child1(), ManualOperandSpeculation);
</span><span class="cx">         GPRTemporary scratch1(this);
</span><ins>+        GPRTemporary scratch2(this);
</ins><span class="cx"> 
</span><span class="cx">         speculate(node, node->child1());
</span><span class="cx"> 
</span><span class="cx">         JSValueRegs baseRegs = base.jsValueRegs();
</span><span class="cx">         GPRReg scratch1GPR = scratch1.gpr();
</span><ins>+        GPRReg scratch2GPR = scratch2.gpr();
</ins><span class="cx"> 
</span><span class="cx">         CCallHelpers::JumpList slowCases;
</span><span class="cx">         CCallHelpers::JumpList doneCases;
</span><span class="lines">@@ -14323,7 +14326,7 @@
</span><span class="cx">             if (onlyStructure)
</span><span class="cx">                 m_jit.move(TrustedImmPtr(onlyStructure), scratch1GPR);
</span><span class="cx">             else
</span><del>-                m_jit.emitLoadStructure(vm(), baseRegs.payloadGPR(), scratch1GPR);
</del><ins>+                m_jit.emitLoadStructure(vm(), baseRegs.payloadGPR(), scratch1GPR, scratch2GPR);
</ins><span class="cx">             m_jit.loadPtr(CCallHelpers::Address(scratch1GPR, Structure::previousOrRareDataOffset()), scratch1GPR);
</span><span class="cx">             slowCases.append(m_jit.branchTestPtr(CCallHelpers::Zero, scratch1GPR));
</span><span class="cx">             slowCases.append(m_jit.branchIfStructure(scratch1GPR));
</span><span class="lines">@@ -14335,7 +14338,7 @@
</span><span class="cx">         doneCases.append(m_jit.jump());
</span><span class="cx"> 
</span><span class="cx">         slowCases.link(&m_jit);
</span><del>-        silentSpillAllRegisters(scratch1GPR);
</del><ins>+        silentSpillAllRegisters(scratch1GPR, scratch2GPR);
</ins><span class="cx">         callOperation(operationGetPropertyEnumeratorCell, scratch1GPR, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), baseRegs.payloadGPR());
</span><span class="cx">         silentFillAllRegisters();
</span><span class="cx">         m_jit.exceptionCheck();
</span><span class="lines">@@ -14602,7 +14605,7 @@
</span><span class="cx">             speculateObject(node->child1(), objectGPR);
</span><span class="cx"> 
</span><span class="cx">             CCallHelpers::JumpList slowCases;
</span><del>-            m_jit.emitLoadStructure(vm(), objectGPR, structureGPR);
</del><ins>+            m_jit.emitLoadStructure(vm(), objectGPR, structureGPR, scratchGPR);
</ins><span class="cx">             m_jit.loadPtr(CCallHelpers::Address(structureGPR, Structure::previousOrRareDataOffset()), scratchGPR);
</span><span class="cx"> 
</span><span class="cx">             slowCases.append(m_jit.branchTestPtr(CCallHelpers::Zero, scratchGPR));
</span><span class="lines">@@ -14819,9 +14822,8 @@
</span><span class="cx">     slowCases.append(m_jit.branchIfNotFunction(calleeGPR));
</span><span class="cx">     m_jit.loadPtr(JITCompiler::Address(calleeGPR, JSFunction::offsetOfExecutableOrRareData()), rareDataGPR);
</span><span class="cx">     slowCases.append(m_jit.branchTestPtr(MacroAssembler::Zero, rareDataGPR, CCallHelpers::TrustedImm32(JSFunction::rareDataTag)));
</span><del>-    m_jit.load32(JITCompiler::Address(rareDataGPR, FunctionRareData::offsetOfInternalFunctionAllocationProfile() + InternalFunctionAllocationProfile::offsetOfStructureID() - JSFunction::rareDataTag), structureGPR);
-    slowCases.append(m_jit.branchTest32(CCallHelpers::Zero, structureGPR));
-    m_jit.emitNonNullDecodeStructureID(structureGPR, structureGPR);
</del><ins>+    m_jit.loadPtr(JITCompiler::Address(rareDataGPR, FunctionRareData::offsetOfInternalFunctionAllocationProfile() + InternalFunctionAllocationProfile::offsetOfStructure() - JSFunction::rareDataTag), structureGPR);
+    slowCases.append(m_jit.branchTestPtr(CCallHelpers::Zero, structureGPR));
</ins><span class="cx">     m_jit.move(TrustedImmPtr(node->isInternalPromise() ? JSInternalPromise::info() : JSPromise::info()), scratch1GPR);
</span><span class="cx">     slowCases.append(m_jit.branchPtr(CCallHelpers::NotEqual, scratch1GPR, CCallHelpers::Address(structureGPR, Structure::classInfoOffset())));
</span><span class="cx">     m_jit.move(TrustedImmPtr::weakPointer(m_jit.graph(), globalObject), scratch1GPR);
</span><span class="lines">@@ -14868,9 +14870,8 @@
</span><span class="cx">     slowCases.append(m_jit.branchIfNotFunction(calleeGPR));
</span><span class="cx">     m_jit.loadPtr(JITCompiler::Address(calleeGPR, JSFunction::offsetOfExecutableOrRareData()), rareDataGPR);
</span><span class="cx">     slowCases.append(m_jit.branchTestPtr(MacroAssembler::Zero, rareDataGPR, CCallHelpers::TrustedImm32(JSFunction::rareDataTag)));
</span><del>-    m_jit.load32(JITCompiler::Address(rareDataGPR, FunctionRareData::offsetOfInternalFunctionAllocationProfile() + InternalFunctionAllocationProfile::offsetOfStructureID() - JSFunction::rareDataTag), structureGPR);
-    slowCases.append(m_jit.branchTest32(CCallHelpers::Zero, structureGPR));
-    m_jit.emitNonNullDecodeStructureID(structureGPR, structureGPR);
</del><ins>+    m_jit.loadPtr(JITCompiler::Address(rareDataGPR, FunctionRareData::offsetOfInternalFunctionAllocationProfile() + InternalFunctionAllocationProfile::offsetOfStructure() - JSFunction::rareDataTag), structureGPR);
+    slowCases.append(m_jit.branchTestPtr(CCallHelpers::Zero, structureGPR));
</ins><span class="cx">     m_jit.move(TrustedImmPtr(JSClass::info()), scratch1GPR);
</span><span class="cx">     slowCases.append(m_jit.branchPtr(CCallHelpers::NotEqual, scratch1GPR, CCallHelpers::Address(structureGPR, Structure::classInfoOffset())));
</span><span class="cx">     m_jit.move(TrustedImmPtr::weakPointer(m_jit.graph(), globalObject), scratch1GPR);
</span><span class="lines">@@ -15331,14 +15332,15 @@
</span><span class="cx"> void SpeculativeJIT::compileGetPrototypeOf(Node* node)
</span><span class="cx"> {
</span><span class="cx">     GPRTemporary temp(this);
</span><ins>+    GPRTemporary temp2(this);
</ins><span class="cx"> 
</span><span class="cx">     GPRReg tempGPR = temp.gpr();
</span><ins>+    GPRReg temp2GPR = temp2.gpr();
</ins><span class="cx"> 
</span><span class="cx"> #if USE(JSVALUE64)
</span><span class="cx">     JSValueRegs resultRegs(tempGPR);
</span><span class="cx"> #else
</span><del>-    GPRTemporary temp2(this);
-    JSValueRegs resultRegs(temp2.gpr(), tempGPR);
</del><ins>+    JSValueRegs resultRegs(temp2GPR, tempGPR);
</ins><span class="cx"> #endif
</span><span class="cx"> 
</span><span class="cx">     switch (node->child1().useKind()) {
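Review bot: On the `#else` path `temp2GPR` is now one half of `resultRegs` and also the scratch passed to `emitLoadStructure` and `emitLoadPrototype` in the @@ -15363, @@ -15402 and @@ -15419 hunks. Whether those helpers touch the scratch on that configuration, or write it after they start filling `resultRegs`, cannot be seen from this page, so the aliasing should be stated in a comment next to `JSValueRegs resultRegs(temp2GPR, tempGPR);` or checked by an assertion in the helper. `temp2` is also allocated unconditionally now, so the `USE(JSVALUE64)` path holds one more GPR across every case of the switch, including cases that may never load a structure. `compileGetPrototypeOf` continues past the end of this hunk.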
</span><span class="lines">@@ -15363,7 +15365,7 @@
</span><span class="cx">             break;
</span><span class="cx">         }
</span><span class="cx"> 
</span><del>-        m_jit.emitLoadStructure(vm(), objectGPR, tempGPR);
</del><ins>+        m_jit.emitLoadStructure(vm(), objectGPR, tempGPR, temp2GPR);
</ins><span class="cx"> 
</span><span class="cx">         AbstractValue& value = m_state.forNode(node->child1());
</span><span class="cx">         if ((value.m_type && !(value.m_type & ~SpecObject)) && value.m_structure.isFinite()) {
</span><span class="lines">@@ -15402,7 +15404,7 @@
</span><span class="cx">         speculateObject(node->child1(), objectGPR);
</span><span class="cx"> 
</span><span class="cx">         JITCompiler::JumpList slowCases;
</span><del>-        m_jit.emitLoadPrototype(vm(), objectGPR, resultRegs, slowCases);
</del><ins>+        m_jit.emitLoadPrototype(vm(), objectGPR, resultRegs, temp2GPR, slowCases);
</ins><span class="cx">         addSlowPathGenerator(slowPathCall(slowCases, this, operationGetPrototypeOfObject,
</span><span class="cx">             resultRegs, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), objectGPR));
</span><span class="cx"> 
</span><span class="lines">@@ -15419,7 +15421,7 @@
</span><span class="cx">         GPRReg valueGPR = valueRegs.payloadGPR();
</span><span class="cx">         slowCases.append(m_jit.branchIfNotObject(valueGPR));
</span><span class="cx"> 
</span><del>-        m_jit.emitLoadPrototype(vm(), valueGPR, resultRegs, slowCases);
</del><ins>+        m_jit.emitLoadPrototype(vm(), valueGPR, resultRegs, temp2GPR, slowCases);
</ins><span class="cx">         addSlowPathGenerator(slowPathCall(slowCases, this, operationGetPrototypeOf,
</span><span class="cx">             resultRegs, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), valueRegs));
</span><span class="cx"> 
</span></span></pre></div>
<a id="branchessafari613111branchSourceJavaScriptCoredfgDFGSpeculativeJIT64cpp"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp        2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp   2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -244,6 +244,7 @@
</span><span class="cx">     } else {
</span><span class="cx">         GPRTemporary localGlobalObject(this);
</span><span class="cx">         GPRTemporary remoteGlobalObject(this);
</span><ins>+        GPRTemporary scratch(this);
</ins><span class="cx"> 
</span><span class="cx">         JITCompiler::Jump notCell;
</span><span class="cx">         if (!isKnownCell(operand.node()))
</span><span class="lines">@@ -258,7 +259,7 @@
</span><span class="cx">         GPRReg localGlobalObjectGPR = localGlobalObject.gpr();
</span><span class="cx">         GPRReg remoteGlobalObjectGPR = remoteGlobalObject.gpr();
</span><span class="cx">         m_jit.move(TrustedImmPtr::weakPointer(m_jit.graph(), m_jit.graph().globalObjectFor(m_currentNode->origin.semantic)), localGlobalObjectGPR);
</span><del>-        m_jit.emitLoadStructure(vm(), argGPR, resultGPR);
</del><ins>+        m_jit.emitLoadStructure(vm(), argGPR, resultGPR, scratch.gpr());
</ins><span class="cx">         m_jit.loadPtr(JITCompiler::Address(resultGPR, Structure::globalObjectOffset()), remoteGlobalObjectGPR);
</span><span class="cx">         m_jit.comparePtr(JITCompiler::Equal, localGlobalObjectGPR, remoteGlobalObjectGPR, resultGPR);
</span><span class="cx">         done.append(m_jit.jump());
</span><span class="lines">@@ -298,6 +299,7 @@
</span><span class="cx">     } else {
</span><span class="cx">         GPRTemporary localGlobalObject(this);
</span><span class="cx">         GPRTemporary remoteGlobalObject(this);
</span><ins>+        GPRTemporary scratch(this);
</ins><span class="cx"> 
</span><span class="cx">         JITCompiler::Jump notCell;
</span><span class="cx">         if (!isKnownCell(operand.node()))
</span><span class="lines">@@ -310,7 +312,7 @@
</span><span class="cx">         GPRReg localGlobalObjectGPR = localGlobalObject.gpr();
</span><span class="cx">         GPRReg remoteGlobalObjectGPR = remoteGlobalObject.gpr();
</span><span class="cx">         m_jit.move(TrustedImmPtr::weakPointer(m_jit.graph(), m_jit.graph().globalObjectFor(m_currentNode->origin.semantic)), localGlobalObjectGPR);
</span><del>-        m_jit.emitLoadStructure(vm(), argGPR, resultGPR);
</del><ins>+        m_jit.emitLoadStructure(vm(), argGPR, resultGPR, scratch.gpr());
</ins><span class="cx">         m_jit.loadPtr(JITCompiler::Address(resultGPR, Structure::globalObjectOffset()), remoteGlobalObjectGPR);
</span><span class="cx">         branchPtr(JITCompiler::Equal, localGlobalObjectGPR, remoteGlobalObjectGPR, taken);
</span><span class="cx"> 
</span><span class="lines">@@ -1903,6 +1905,8 @@
</span><span class="cx">     GPRReg resultGPR = result.gpr();
</span><span class="cx">     GPRTemporary structure;
</span><span class="cx">     GPRReg structureGPR = InvalidGPRReg;
</span><ins>+    GPRTemporary scratch;
+    GPRReg scratchGPR = InvalidGPRReg;
</ins><span class="cx"> 
</span><span class="cx">     bool masqueradesAsUndefinedWatchpointValid =
</span><span class="cx">         masqueradesAsUndefinedWatchpointIsStillValid();
</span><span class="lines">@@ -1911,8 +1915,11 @@
</span><span class="cx">         // The masquerades as undefined case will use the structure register, so allocate it here.
</span><span class="cx">         // Do this at the top of the function to avoid branching around a register allocation.
</span><span class="cx">         GPRTemporary realStructure(this);
</span><ins>+        GPRTemporary realScratch(this);
</ins><span class="cx">         structure.adopt(realStructure);
</span><ins>+        scratch.adopt(realScratch);
</ins><span class="cx">         structureGPR = structure.gpr();
</span><ins>+        scratchGPR = scratch.gpr();
</ins><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     MacroAssembler::Jump notCell = m_jit.branchIfNotCell(JSValueRegs(valueGPR));
</span><span class="lines">@@ -1929,7 +1936,7 @@
</span><span class="cx">                 MacroAssembler::Address(valueGPR, JSCell::typeInfoFlagsOffset()), 
</span><span class="cx">                 MacroAssembler::TrustedImm32(MasqueradesAsUndefined));
</span><span class="cx"> 
</span><del>-        m_jit.emitLoadStructure(vm(), valueGPR, structureGPR);
</del><ins>+        m_jit.emitLoadStructure(vm(), valueGPR, structureGPR, scratchGPR);
</ins><span class="cx">         speculationCheck(BadType, JSValueRegs(valueGPR), nodeUse, 
</span><span class="cx">             m_jit.branchPtr(
</span><span class="cx">                 MacroAssembler::Equal, 
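Review bot: `scratchGPR` stays `InvalidGPRReg` unless the allocating block in the @@ -1911 hunk runs, and this call passes it to `emitLoadStructure` with no local check. The condition guarding this call is outside the hunk; presumably it is the same masquerades-as-undefined watchpoint test, but that is not visible here. An `ASSERT(structureGPR != InvalidGPRReg && scratchGPR != InvalidGPRReg);` immediately before the call would make the dependency explicit and catch a mismatch in debug builds instead of emitting code against an invalid register.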
</span><span class="lines">@@ -2084,7 +2091,7 @@
</span><span class="cx">             MacroAssembler::Address(valueGPR, JSCell::typeInfoFlagsOffset()), 
</span><span class="cx">             TrustedImm32(MasqueradesAsUndefined));
</span><span class="cx"> 
</span><del>-        m_jit.emitLoadStructure(vm(), valueGPR, structureGPR);
</del><ins>+        m_jit.emitLoadStructure(vm(), valueGPR, structureGPR, scratchGPR);
</ins><span class="cx">         speculationCheck(BadType, JSValueRegs(valueGPR), nodeUse,
</span><span class="cx">             m_jit.branchPtr(
</span><span class="cx">                 MacroAssembler::Equal, 
</span><span class="lines">@@ -2178,7 +2185,7 @@
</span><span class="cx">         bool shouldCheckMasqueradesAsUndefined = !masqueradesAsUndefinedWatchpointIsStillValid();
</span><span class="cx">         if (shouldCheckMasqueradesAsUndefined) {
</span><span class="cx">             branchTest8(MacroAssembler::Zero, MacroAssembler::Address(valueGPR, JSCell::typeInfoFlagsOffset()), TrustedImm32(MasqueradesAsUndefined), taken);
</span><del>-            m_jit.emitLoadStructure(vm(), valueGPR, temp1GPR);
</del><ins>+            m_jit.emitLoadStructure(vm(), valueGPR, temp1GPR, temp2GPR);
</ins><span class="cx">             JSGlobalObject* globalObject = m_jit.graph().globalObjectFor(m_currentNode->origin.semantic);
</span><span class="cx">             m_jit.move(TrustedImmPtr::weakPointer(m_jit.graph(), globalObject), temp2GPR);
</span><span class="cx">             branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(temp1GPR, Structure::globalObjectOffset()), temp2GPR, taken);
</span><span class="lines">@@ -4440,7 +4447,7 @@
</span><span class="cx">         ASSERT_UNUSED(oldStructure, oldStructure->indexingMode() == newStructure->indexingMode());
</span><span class="cx">         ASSERT(oldStructure->typeInfo().type() == newStructure->typeInfo().type());
</span><span class="cx">         ASSERT(oldStructure->typeInfo().inlineTypeFlags() == newStructure->typeInfo().inlineTypeFlags());
</span><del>-        m_jit.store32(MacroAssembler::TrustedImm32(newStructure->id().bits()), MacroAssembler::Address(baseGPR, JSCell::structureIDOffset()));
</del><ins>+        m_jit.store32(MacroAssembler::TrustedImm32(newStructure->id()), MacroAssembler::Address(baseGPR, JSCell::structureIDOffset()));
</ins><span class="cx">         
</span><span class="cx">         noResult(node);
</span><span class="cx">         break;
</span><span class="lines">@@ -4659,6 +4666,7 @@
</span><span class="cx">         GPRTemporary result(this);
</span><span class="cx">         GPRTemporary localGlobalObject(this);
</span><span class="cx">         GPRTemporary remoteGlobalObject(this);
</span><ins>+        GPRTemporary scratch(this);
</ins><span class="cx"> 
</span><span class="cx">         JITCompiler::Jump isCell = m_jit.branchIfCell(value.jsValueRegs());
</span><span class="cx"> 
</span><span class="lines">@@ -4682,7 +4690,7 @@
</span><span class="cx">             GPRReg localGlobalObjectGPR = localGlobalObject.gpr();
</span><span class="cx">             GPRReg remoteGlobalObjectGPR = remoteGlobalObject.gpr();
</span><span class="cx">             m_jit.move(TrustedImmPtr::weakPointer(m_jit.graph(), m_jit.globalObjectFor(node->origin.semantic)), localGlobalObjectGPR);
</span><del>-            m_jit.emitLoadStructure(vm(), value.gpr(), result.gpr());
</del><ins>+            m_jit.emitLoadStructure(vm(), value.gpr(), result.gpr(), scratch.gpr());
</ins><span class="cx">             m_jit.loadPtr(JITCompiler::Address(result.gpr(), Structure::globalObjectOffset()), remoteGlobalObjectGPR); 
</span><span class="cx">             m_jit.comparePtr(JITCompiler::Equal, localGlobalObjectGPR, remoteGlobalObjectGPR, result.gpr());
</span><span class="cx">         }
</span></span></pre></div>
<a id="branchessafari613111branchSourceJavaScriptCoreftlFTLAbstractHeapRepositoryh"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h    2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h       2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -84,7 +84,9 @@
</span><span class="cx">     macro(FunctionRareData_prototype, FunctionRareData::offsetOfObjectAllocationProfile() + ObjectAllocationProfileWithPrototype::offsetOfPrototype()) \
</span><span class="cx">     macro(FunctionRareData_allocationProfileWatchpointSet, FunctionRareData::offsetOfAllocationProfileWatchpointSet()) \
</span><span class="cx">     macro(FunctionRareData_executable, FunctionRareData::offsetOfExecutable()) \
</span><del>-    macro(FunctionRareData_internalFunctionAllocationProfile_structureID, FunctionRareData::offsetOfInternalFunctionAllocationProfile() + InternalFunctionAllocationProfile::offsetOfStructureID()) \
</del><ins>+    macro(FunctionRareData_internalFunctionAllocationProfile_structure, FunctionRareData::offsetOfInternalFunctionAllocationProfile() + InternalFunctionAllocationProfile::offsetOfStructure()) \
+    macro(FunctionRareData_boundFunctionStructure, FunctionRareData::offsetOfBoundFunctionStructure()) \
+    macro(FunctionRareData_allocationProfileClearingWatchpoint, FunctionRareData::offsetOfAllocationProfileClearingWatchpoint()) \
</ins><span class="cx">     macro(GetterSetter_getter, GetterSetter::offsetOfGetter()) \
</span><span class="cx">     macro(GetterSetter_setter, GetterSetter::offsetOfSetter()) \
</span><span class="cx">     macro(JSArrayBufferView_length, JSArrayBufferView::offsetOfLength()) \
</span></span></pre></div>
<a id="branchessafari613111branchSourceJavaScriptCoreftlFTLLowerDFGToB3cpp"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp    2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp       2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -7877,11 +7877,10 @@
</span><span class="cx"> 
</span><span class="cx">         m_out.appendTo(hasRareData, hasStructure);
</span><span class="cx">         LValue rareData = m_out.sub(rareDataTags, m_out.constIntPtr(JSFunction::rareDataTag));
</span><del>-        LValue structureID = m_out.load32(rareData, m_heaps.FunctionRareData_internalFunctionAllocationProfile_structureID);
-        m_out.branch(m_out.isZero32(structureID), rarely(slowCase), usually(hasStructure));
</del><ins>+        LValue structure = m_out.loadPtr(rareData, m_heaps.FunctionRareData_internalFunctionAllocationProfile_structure);
+        m_out.branch(m_out.isZero64(structure), rarely(slowCase), usually(hasStructure));
</ins><span class="cx"> 
</span><span class="cx">         m_out.appendTo(hasStructure, checkGlobalObjectCase);
</span><del>-        LValue structure = decodeNonNullStructure(structureID);
</del><span class="cx">         m_out.branch(m_out.equal(m_out.loadPtr(structure, m_heaps.Structure_classInfo), m_out.constIntPtr(m_node->isInternalPromise() ? JSInternalPromise::info() : JSPromise::info())), usually(checkGlobalObjectCase), rarely(slowCase));
</span><span class="cx"> 
</span><span class="cx">         m_out.appendTo(checkGlobalObjectCase, fastAllocationCase);
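Review bot: `structure` is pointer-typed now that it comes from `m_out.loadPtr`, but the null test is written `m_out.isZero64(structure)`, which hard-codes the width instead of saying "null pointer". `m_out.branch(m_out.isNull(structure), rarely(slowCase), usually(hasStructure));` reads as the pointer check it is and matches the `loadPtr` on the line above. The same line appears in the @@ -7933 hunk.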
</span><span class="lines">@@ -7933,11 +7932,10 @@
</span><span class="cx"> 
</span><span class="cx">         m_out.appendTo(hasRareData, hasStructure);
</span><span class="cx">         LValue rareData = m_out.sub(rareDataTags, m_out.constIntPtr(JSFunction::rareDataTag));
</span><del>-        LValue structureID = m_out.load32(rareData, m_heaps.FunctionRareData_internalFunctionAllocationProfile_structureID);
-        m_out.branch(m_out.isZero32(structureID), rarely(slowCase), usually(hasStructure));
</del><ins>+        LValue structure = m_out.loadPtr(rareData, m_heaps.FunctionRareData_internalFunctionAllocationProfile_structure);
+        m_out.branch(m_out.isZero64(structure), rarely(slowCase), usually(hasStructure));
</ins><span class="cx"> 
</span><span class="cx">         m_out.appendTo(hasStructure, checkGlobalObjectCase);
</span><del>-        LValue structure = decodeNonNullStructure(structureID);
</del><span class="cx">         m_out.branch(m_out.equal(m_out.loadPtr(structure, m_heaps.Structure_classInfo), m_out.constIntPtr(JSClass::info())), usually(checkGlobalObjectCase), rarely(slowCase));
</span><span class="cx"> 
</span><span class="cx">         m_out.appendTo(checkGlobalObjectCase, fastAllocationCase);
</span><span class="lines">@@ -13712,7 +13710,7 @@
</span><span class="cx">         LValue structureID;
</span><span class="cx">         auto structure = m_state.forNode(baseEdge.node()).m_structure.onlyStructure();
</span><span class="cx">         if (structure)
</span><del>-            structureID = m_out.constInt32(structure->id().bits());
</del><ins>+            structureID = m_out.constInt32(structure->id());
</ins><span class="cx">         else
</span><span class="cx">             structureID = m_out.load32(base, m_heaps.JSCell_structureID);
</span><span class="cx"> 
</span><span class="lines">@@ -16791,7 +16789,7 @@
</span><span class="cx">     
</span><span class="cx">     void storeStructure(LValue object, Structure* structure)
</span><span class="cx">     {
</span><del>-        m_out.store32(m_out.constInt32(structure->id().bits()), object, m_heaps.JSCell_structureID);
</del><ins>+        m_out.store32(m_out.constInt32(structure->id()), object, m_heaps.JSCell_structureID);
</ins><span class="cx">         m_out.store32(
</span><span class="cx">             m_out.constInt32(structure->objectInitializationBlob()),
</span><span class="cx">             object, m_heaps.JSCell_usefulBytes);
</span><span class="lines">@@ -19572,7 +19570,7 @@
</span><span class="cx">             return proven;
</span><span class="cx">         return m_out.notEqual(
</span><span class="cx">             m_out.load32(cell, m_heaps.JSCell_structureID),
</span><del>-            m_out.constInt32(vm().stringStructure->id().bits()));
</del><ins>+            m_out.constInt32(vm().stringStructure->id()));
</ins><span class="cx">     }
</span><span class="cx">     
</span><span class="cx">     LValue isString(LValue cell, SpeculatedType type = SpecFullTop)
</span><span class="lines">@@ -19581,7 +19579,7 @@
</span><span class="cx">             return proven;
</span><span class="cx">         return m_out.equal(
</span><span class="cx">             m_out.load32(cell, m_heaps.JSCell_structureID),
</span><del>-            m_out.constInt32(vm().stringStructure->id().bits()));
</del><ins>+            m_out.constInt32(vm().stringStructure->id()));
</ins><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     LValue isRopeString(LValue string, Edge edge = Edge())
</span><span class="lines">@@ -19628,7 +19626,7 @@
</span><span class="cx">             return proven;
</span><span class="cx">         return m_out.notEqual(
</span><span class="cx">             m_out.load32(cell, m_heaps.JSCell_structureID),
</span><del>-            m_out.constInt32(vm().symbolStructure->id().bits()));
</del><ins>+            m_out.constInt32(vm().symbolStructure->id()));
</ins><span class="cx">     }
</span><span class="cx">     
</span><span class="cx">     LValue isSymbol(LValue cell, SpeculatedType type = SpecFullTop)
</span><span class="lines">@@ -19637,7 +19635,7 @@
</span><span class="cx">             return proven;
</span><span class="cx">         return m_out.equal(
</span><span class="cx">             m_out.load32(cell, m_heaps.JSCell_structureID),
</span><del>-            m_out.constInt32(vm().symbolStructure->id().bits()));
</del><ins>+            m_out.constInt32(vm().symbolStructure->id()));
</ins><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     LValue isNotHeapBigIntUnknownWhetherCell(LValue value, SpeculatedType type = SpecFullTop)
</span><span class="lines">@@ -19666,7 +19664,7 @@
</span><span class="cx">             return proven;
</span><span class="cx">         return m_out.notEqual(
</span><span class="cx">             m_out.load32(cell, m_heaps.JSCell_structureID),
</span><del>-            m_out.constInt32(vm().bigIntStructure->id().bits()));
</del><ins>+            m_out.constInt32(vm().bigIntStructure->id()));
</ins><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     LValue isHeapBigInt(LValue cell, SpeculatedType type = SpecFullTop)
</span><span class="lines">@@ -19675,7 +19673,7 @@
</span><span class="cx">             return proven;
</span><span class="cx">         return m_out.equal(
</span><span class="cx">             m_out.load32(cell, m_heaps.JSCell_structureID),
</span><del>-            m_out.constInt32(vm().bigIntStructure->id().bits()));
</del><ins>+            m_out.constInt32(vm().bigIntStructure->id()));
</ins><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     LValue isArrayTypeForArrayify(LValue cell, ArrayMode arrayMode)
</span><span class="lines">@@ -20402,7 +20400,7 @@
</span><span class="cx">             m_out.store32(
</span><span class="cx">                 m_out.bitOr(
</span><span class="cx">                     m_out.load32(object, m_heaps.JSCell_structureID),
</span><del>-                    m_out.constInt32(StructureID::nukedStructureIDBit)),
</del><ins>+                    m_out.constInt32(nukedStructureIDBit())),
</ins><span class="cx">                 object, m_heaps.JSCell_structureID);
</span><span class="cx">             m_out.fence(&m_heaps.root, nullptr);
</span><span class="cx">             m_out.storePtr(butterfly, object, m_heaps.JSObject_butterfly);
</span><span class="lines">@@ -20430,7 +20428,7 @@
</span><span class="cx">         m_out.store32(
</span><span class="cx">             m_out.bitOr(
</span><span class="cx">                 m_out.load32(object, m_heaps.JSCell_structureID),
</span><del>-                m_out.constInt32(StructureID::nukedStructureIDBit)),
</del><ins>+                m_out.constInt32(nukedStructureIDBit())),
</ins><span class="cx">             object, m_heaps.JSCell_structureID);
</span><span class="cx">         m_out.fence(&m_heaps.root, nullptr);
</span><span class="cx">         m_out.storePtr(butterfly, object, m_heaps.JSObject_butterfly);
</span><span class="lines">@@ -20975,16 +20973,15 @@
</span><span class="cx">         m_graph.m_plan.weakReferences().addLazily(target);
</span><span class="cx">     }
</span><span class="cx"> 
</span><del>-    LValue decodeNonNullStructure(LValue structureID)
-    {
-        LValue maskedStructureID = m_out.bitAnd(structureID, m_out.constInt32(structureIDMask));
-        return m_out.add(m_out.constIntPtr(g_jscConfig.startOfStructureHeap), m_out.zeroExtPtr(maskedStructureID));
-    }
-
</del><span class="cx">     LValue loadStructure(LValue value)
</span><span class="cx">     {
</span><span class="cx">         LValue structureID = m_out.load32(value, m_heaps.JSCell_structureID);
</span><del>-        return decodeNonNullStructure(structureID);
</del><ins>+        LValue tableBase = m_out.loadPtr(m_out.absolute(vm().heap.structureIDTable().base()));
+        LValue tableIndex = m_out.aShr(structureID, m_out.constInt32(StructureIDTable::s_numberOfEntropyBits));
+        LValue entropyBits = m_out.shl(m_out.zeroExtPtr(structureID), m_out.constInt32(StructureIDTable::s_entropyBitsShiftForStructurePointer));
+        TypedPointer address = m_out.baseIndex(m_heaps.structureTable, tableBase, m_out.zeroExtPtr(tableIndex));
+        LValue encodedStructureBits = m_out.loadPtr(address);
+        return m_out.bitXor(encodedStructureBits, entropyBits);
</ins><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     LValue weakPointer(JSCell* pointer)
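Review bot: `loadStructure` now indexes the structure table with a value derived from the cell's 32-bit ID, and the emitted code has no bounds check on `tableIndex` and no comment on what keeps the load in range. A short comment above the function should state the invariants it relies on. The first is that the ID read from the cell is a live, non-nuked entry: the @@ -20402 and @@ -20430 hunks OR `nukedStructureIDBit()` into the same field, and `aShr` is an arithmetic shift, so a set top bit would presumably be sign-extended before `zeroExtPtr`. The second is that the final `bitXor` with `entropyBits` is, presumably, what makes a stale or mismatched ID decode to an unusable pointer rather than a valid `Structure*`. Writing those down lets the next reader check them against `StructureIDTable` instead of inferring them from the shifts.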
</span><span class="lines">@@ -21000,7 +20997,7 @@
</span><span class="cx"> 
</span><span class="cx">     LValue weakStructureID(RegisteredStructure structure)
</span><span class="cx">     {
</span><del>-        return m_out.constInt32(structure->id().bits());
</del><ins>+        return m_out.constInt32(structure->id());
</ins><span class="cx">     }
</span><span class="cx">     
</span><span class="cx">     LValue weakStructure(RegisteredStructure structure)
</span></span></pre></div>
<a id="branchessafari613111branchSourceJavaScriptCoreheapAbstractSlotVisitorh"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/AbstractSlotVisitor.h (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/AbstractSlotVisitor.h 2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/AbstractSlotVisitor.h    2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -48,7 +48,6 @@
</span><span class="cx"> class VerifierSlotVisitor;
</span><span class="cx"> template<typename T> class Weak;
</span><span class="cx"> template<typename T, typename Traits> class WriteBarrierBase;
</span><del>-class WriteBarrierStructureID;
</del><span class="cx"> 
</span><span class="cx"> class AbstractSlotVisitor {
</span><span class="cx">     WTF_MAKE_NONCOPYABLE(AbstractSlotVisitor);
</span><span class="lines">@@ -144,8 +143,6 @@
</span><span class="cx"> 
</span><span class="cx">     template<typename T, typename Traits> void append(const WriteBarrierBase<T, Traits>&);
</span><span class="cx">     template<typename T, typename Traits> void appendHidden(const WriteBarrierBase<T, Traits>&);
</span><del>-    void append(const WriteBarrierStructureID&);
-    void appendHidden(const WriteBarrierStructureID&);
</del><span class="cx">     template<typename Iterator> void append(Iterator begin , Iterator end);
</span><span class="cx">     ALWAYS_INLINE void appendValues(const WriteBarrierBase<Unknown, RawValueTraits<Unknown>>*, size_t count);
</span><span class="cx">     ALWAYS_INLINE void appendValuesHidden(const WriteBarrierBase<Unknown, RawValueTraits<Unknown>>*, size_t count);
</span></span></pre></div>
<a id="branchessafari613111branchSourceJavaScriptCoreheapAbstractSlotVisitorInlinesh"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/AbstractSlotVisitorInlines.h (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/AbstractSlotVisitorInlines.h  2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/AbstractSlotVisitorInlines.h     2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -158,16 +158,6 @@
</span><span class="cx">     appendHiddenUnbarriered(slot.get());
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-ALWAYS_INLINE void AbstractSlotVisitor::append(const WriteBarrierStructureID& slot)
-{
-    appendUnbarriered(reinterpret_cast<JSCell*>(slot.get()));
-}
-
-ALWAYS_INLINE void AbstractSlotVisitor::appendHidden(const WriteBarrierStructureID& slot)
-{
-    appendHiddenUnbarriered(reinterpret_cast<JSCell*>(slot.get()));
-}
-
</del><span class="cx"> ALWAYS_INLINE void AbstractSlotVisitor::appendHiddenUnbarriered(JSValue value)
</span><span class="cx"> {
</span><span class="cx">     if (value.isCell())
</span></span></pre></div>
<a id="branchessafari613111branchSourceJavaScriptCoreheapHeapcpp"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/Heap.cpp (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/Heap.cpp      2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/Heap.cpp 2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -67,7 +67,6 @@
</span><span class="cx"> #include "SpaceTimeMutatorScheduler.h"
</span><span class="cx"> #include "StochasticSpaceTimeMutatorScheduler.h"
</span><span class="cx"> #include "StopIfNecessaryTimer.h"
</span><del>-#include "StructureAlignedMemoryAllocator.h"
</del><span class="cx"> #include "SubspaceInlines.h"
</span><span class="cx"> #include "SuperSampler.h"
</span><span class="cx"> #include "SweepingScope.h"
</span><span class="lines">@@ -389,8 +388,8 @@
</span><span class="cx">     , stringObjectSpace ISO_SUBSPACE_INIT(*this, cellHeapCellType, StringObject)
</span><span class="cx">     , structureChainSpace ISO_SUBSPACE_INIT(*this, cellHeapCellType, StructureChain)
</span><span class="cx">     , structureRareDataSpace ISO_SUBSPACE_INIT(*this, destructibleCellHeapCellType, StructureRareData) // Hash:0xaca4e62d
</span><del>-    , structureSpace("IsolatedStructureSpace", *this, destructibleCellHeapCellType, sizeof(Structure), Structure::numberOfLowerTierCells, makeUnique<StructureAlignedMemoryAllocator>("Structure"))
-    , brandedStructureSpace("IsolatedBrandedStructureSpace", *this, destructibleCellHeapCellType, sizeof(BrandedStructure), BrandedStructure::numberOfLowerTierCells, makeUnique<StructureAlignedMemoryAllocator>("Structure"))
</del><ins>+    , structureSpace ISO_SUBSPACE_INIT(*this, destructibleCellHeapCellType, Structure)
+    , brandedStructureSpace ISO_SUBSPACE_INIT(*this, destructibleCellHeapCellType, BrandedStructure)
</ins><span class="cx">     , symbolTableSpace ISO_SUBSPACE_INIT(*this, destructibleCellHeapCellType, SymbolTable) // Hash:0xc5215afd
</span><span class="cx">     , executableToCodeBlockEdgesWithConstraints(executableToCodeBlockEdgeSpace)
</span><span class="cx">     , executableToCodeBlockEdgesWithFinalizers(executableToCodeBlockEdgeSpace)
</span><span class="lines">@@ -1606,6 +1605,8 @@
</span><span class="cx">         if (vm().typeProfiler())
</span><span class="cx">             vm().typeProfiler()->invalidateTypeSetCache(vm());
</span><span class="cx"> 
</span><ins>+        m_structureIDTable.flushOldTables();
+
</ins><span class="cx">         reapWeakHandles();
</span><span class="cx">         pruneStaleEntriesFromWeakGCHashTables();
</span><span class="cx">         sweepArrayBuffers();
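Review bot: The added `m_structureIDTable.flushOldTables();` call carries no comment saying why this point in the collection is safe for releasing old tables. The enclosing function begins and ends outside the hunk, so it is not visible what guarantees that no concurrent reader (compiler thread, visitor, or compiled code that loaded the table base earlier) still holds a pointer into a table being flushed. I would add a line above the call along the lines of `// Old tables are kept alive until here; NOTE(review): state which readers may still hold an old base pointer and why they are finished by this point.`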
</span></span></pre></div>
<a id="branchessafari613111branchSourceJavaScriptCoreheapHeaph"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/Heap.h (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/Heap.h        2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/Heap.h   2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -43,7 +43,7 @@
</span><span class="cx"> #include "MarkedSpace.h"
</span><span class="cx"> #include "MutatorState.h"
</span><span class="cx"> #include "Options.h"
</span><del>-#include "StructureID.h"
</del><ins>+#include "StructureIDTable.h"
</ins><span class="cx"> #include "Synchronousness.h"
</span><span class="cx"> #include "WeakHandleOwner.h"
</span><span class="cx"> #include <wtf/AutomaticThread.h>
</span><span class="lines">@@ -275,6 +275,8 @@
</span><span class="cx">     
</span><span class="cx">     bool isDeferred() const { return !!m_deferralDepth; }
</span><span class="cx"> 
</span><ins>+    StructureIDTable& structureIDTable() { return m_structureIDTable; }
+
</ins><span class="cx">     CodeBlockSet& codeBlockSet() { return *m_codeBlocks; }
</span><span class="cx"> 
</span><span class="cx"> #if USE(FOUNDATION)
</span><span class="lines">@@ -594,6 +596,7 @@
</span><span class="cx">     Markable<CollectionScope, EnumMarkableTraits<CollectionScope>> m_lastCollectionScope;
</span><span class="cx">     Lock m_raceMarkStackLock;
</span><span class="cx"> 
</span><ins>+    StructureIDTable m_structureIDTable;
</ins><span class="cx">     MarkedSpace m_objectSpace;
</span><span class="cx">     GCIncomingRefCountedSet<ArrayBuffer> m_arrayBuffers;
</span><span class="cx">     size_t m_extraMemorySize { 0 };
</span></span></pre></div>
<a id="branchessafari613111branchSourceJavaScriptCoreheapIsoAlignedMemoryAllocatorcpp"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/IsoAlignedMemoryAllocator.cpp (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/IsoAlignedMemoryAllocator.cpp 2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/IsoAlignedMemoryAllocator.cpp    2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -30,15 +30,74 @@
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span><span class="cx"> IsoAlignedMemoryAllocator::IsoAlignedMemoryAllocator(CString name)
</span><del>-    : Base(name)
</del><ins>+#if ENABLE(MALLOC_HEAP_BREAKDOWN)
+    : m_debugHeap(name.data())
+#endif
</ins><span class="cx"> {
</span><ins>+    UNUSED_PARAM(name);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator()
</span><span class="cx"> {
</span><del>-    releaseMemoryFromSubclassDestructor();
</del><ins>+#if !ENABLE(MALLOC_HEAP_BREAKDOWN)
+    for (unsigned i = 0; i < m_blocks.size(); ++i) {
+        void* block = m_blocks[i];
+        if (!m_committed.quickGet(i))
+            WTF::fastCommitAlignedMemory(block, MarkedBlock::blockSize);
+        fastAlignedFree(block);
+    }
+#endif
</ins><span class="cx"> }
</span><span class="cx"> 
</span><ins>+void* IsoAlignedMemoryAllocator::tryAllocateAlignedMemory(size_t alignment, size_t size)
+{
+    // Since this is designed specially for IsoSubspace, we know that we will only be asked to
+    // allocate MarkedBlocks.
+    RELEASE_ASSERT(alignment == MarkedBlock::blockSize);
+    RELEASE_ASSERT(size == MarkedBlock::blockSize);
+
+#if ENABLE(MALLOC_HEAP_BREAKDOWN)
+    return m_debugHeap.memalign(MarkedBlock::blockSize, MarkedBlock::blockSize, true);
+#else
+    Locker locker { m_lock };
+    
+    m_firstUncommitted = m_committed.findBit(m_firstUncommitted, false);
+    if (m_firstUncommitted < m_blocks.size()) {
+        m_committed.quickSet(m_firstUncommitted);
+        void* result = m_blocks[m_firstUncommitted];
+        WTF::fastCommitAlignedMemory(result, MarkedBlock::blockSize);
+        return result;
+    }
+    
+    void* result = tryFastAlignedMalloc(MarkedBlock::blockSize, MarkedBlock::blockSize);
+    if (!result)
+        return nullptr;
+    unsigned index = m_blocks.size();
+    m_blocks.append(result);
+    m_blockIndices.add(result, index);
+    if (m_blocks.capacity() != m_committed.size())
+        m_committed.resize(m_blocks.capacity());
+    m_committed.quickSet(index);
+    return result;
+#endif
+}
+
+void IsoAlignedMemoryAllocator::freeAlignedMemory(void* basePtr)
+{
+#if ENABLE(MALLOC_HEAP_BREAKDOWN)
+    m_debugHeap.free(basePtr);
+#else
+    Locker locker { m_lock };
+    
+    auto iter = m_blockIndices.find(basePtr);
+    RELEASE_ASSERT(iter != m_blockIndices.end());
+    unsigned index = iter->value;
+    m_committed.quickClear(index);
+    m_firstUncommitted = std::min(index, m_firstUncommitted);
+    WTF::fastDecommitAlignedMemory(basePtr, MarkedBlock::blockSize);
+#endif
+}
+
</ins><span class="cx"> void IsoAlignedMemoryAllocator::dump(PrintStream& out) const
</span><span class="cx"> {
</span><span class="cx">     out.print("Iso(", RawPointer(this), ")");
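Review bot: `freeAlignedMemory` rejects an unknown pointer with `RELEASE_ASSERT(iter != m_blockIndices.end())` but never checks that the block is currently committed, so a second free of the same block goes unnoticed. It clears the bit and decommits again, and if the block was handed out again in between, that decommits memory still in use. Adding `RELEASE_ASSERT(m_committed.quickGet(index));` directly after `unsigned index = iter->value;` would stop at the faulty call instead. The bookkeeping in `tryAllocateAlignedMemory` (`m_blocks`, `m_blockIndices`, `m_committed`) must stay in step for that assertion to hold, which is worth a short comment next to the members in the header.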
</span><span class="lines">@@ -68,25 +127,5 @@
</span><span class="cx">     RELEASE_ASSERT_NOT_REACHED();
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-void* IsoAlignedMemoryAllocator::tryMallocBlock()
-{
-    return tryFastAlignedMalloc(MarkedBlock::blockSize, MarkedBlock::blockSize);
-}
-
-void IsoAlignedMemoryAllocator::freeBlock(void* block)
-{
-    fastAlignedFree(block);
-}
-
-void IsoAlignedMemoryAllocator::commitBlock(void* block)
-{
-    WTF::fastCommitAlignedMemory(block, MarkedBlock::blockSize);
-}
-
-void IsoAlignedMemoryAllocator::decommitBlock(void* block)
-{
-    WTF::fastDecommitAlignedMemory(block, MarkedBlock::blockSize);
-}
-
</del><span class="cx"> } // namespace JSC
</span><span class="cx"> 
</span></span></pre></div>
<a id="branchessafari613111branchSourceJavaScriptCoreheapIsoAlignedMemoryAllocatorh"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/IsoAlignedMemoryAllocator.h (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/IsoAlignedMemoryAllocator.h   2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/IsoAlignedMemoryAllocator.h      2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -25,7 +25,7 @@
</span><span class="cx"> 
</span><span class="cx"> #pragma once
</span><span class="cx"> 
</span><del>-#include "IsoMemoryAllocatorBase.h"
</del><ins>+#include "AlignedMemoryAllocator.h"
</ins><span class="cx"> #include <wtf/BitVector.h>
</span><span class="cx"> #include <wtf/DebugHeap.h>
</span><span class="cx"> #include <wtf/HashMap.h>
</span><span class="lines">@@ -34,13 +34,14 @@
</span><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span><del>-class IsoAlignedMemoryAllocator final : public IsoMemoryAllocatorBase {
</del><ins>+class IsoAlignedMemoryAllocator final : public AlignedMemoryAllocator {
</ins><span class="cx"> public:
</span><del>-    using Base = IsoMemoryAllocatorBase;
-
</del><span class="cx">     IsoAlignedMemoryAllocator(CString);
</span><span class="cx">     ~IsoAlignedMemoryAllocator() final;
</span><span class="cx"> 
</span><ins>+    void* tryAllocateAlignedMemory(size_t alignment, size_t size) final;
+    void freeAlignedMemory(void*) final;
+
</ins><span class="cx">     void dump(PrintStream&) const final;
</span><span class="cx"> 
</span><span class="cx">     void* tryAllocateMemory(size_t) final;
</span><span class="lines">@@ -47,11 +48,17 @@
</span><span class="cx">     void freeMemory(void*) final;
</span><span class="cx">     void* tryReallocateMemory(void*, size_t) final;
</span><span class="cx"> 
</span><del>-protected:
-    void* tryMallocBlock() final;
-    void freeBlock(void* block) final;
-    void commitBlock(void* block) final;
-    void decommitBlock(void* block) final;
</del><ins>+private:
+#if ENABLE(MALLOC_HEAP_BREAKDOWN)
+    // If breakdown is enabled, we do not ensure Iso-feature. This is totally OK since breakdown is memory bloat debugging feature.
+    WTF::DebugHeap m_debugHeap;
+#else
+    Vector<void*> m_blocks;
+    HashMap<void*, unsigned> m_blockIndices;
+    BitVector m_committed;
+    unsigned m_firstUncommitted { 0 };
+    Lock m_lock;
+#endif
</ins><span class="cx"> };
</span><span class="cx"> 
</span><span class="cx"> } // namespace JSC
</span></span></pre></div>
<a id="branchessafari613111branchSourceJavaScriptCoreheapIsoMemoryAllocatorBasecpp"></a>
<div class="delfile"><h4>Deleted: branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/IsoMemoryAllocatorBase.cpp (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/IsoMemoryAllocatorBase.cpp    2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/IsoMemoryAllocatorBase.cpp       2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -1,108 +0,0 @@
</span><del>-/*
- * Copyright (C) 2017-2021 Apple Inc. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
- * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
- * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- */
-
-#include "config.h"
-#include "IsoMemoryAllocatorBase.h"
-
-#include "MarkedBlock.h"
-
-namespace JSC {
-
-IsoMemoryAllocatorBase::IsoMemoryAllocatorBase(CString name)
-#if ENABLE(MALLOC_HEAP_BREAKDOWN)
-    : m_debugHeap(name.data())
-#endif
-{
-    UNUSED_PARAM(name);
-}
-
-IsoMemoryAllocatorBase::~IsoMemoryAllocatorBase()
-{
-}
-
-// We need to call this from the derived class's destructor because it's undefined behavior to call pure virtual methods from within a destructor.
-void IsoMemoryAllocatorBase::releaseMemoryFromSubclassDestructor()
-{
-#if !ENABLE(MALLOC_HEAP_BREAKDOWN)
-    for (unsigned i = 0; i < m_blocks.size(); ++i) {
-        void* block = m_blocks[i];
-        if (!m_committed.quickGet(i))
-            commitBlock(block);
-        freeBlock(block);
-    }
-#endif
-}
-
-void* IsoMemoryAllocatorBase::tryAllocateAlignedMemory(size_t alignment, size_t size)
-{
-    // Since this is designed specially for IsoSubspace, we know that we will only be asked to
-    // allocate MarkedBlocks.
-    RELEASE_ASSERT(alignment == MarkedBlock::blockSize);
-    RELEASE_ASSERT(size == MarkedBlock::blockSize);
-
-#if ENABLE(MALLOC_HEAP_BREAKDOWN)
-    return m_debugHeap.memalign(MarkedBlock::blockSize, MarkedBlock::blockSize, true);
-#else
-    Locker locker { m_lock };
-    
-    m_firstUncommitted = m_committed.findBit(m_firstUncommitted, false);
-    if (m_firstUncommitted < m_blocks.size()) {
-        m_committed.quickSet(m_firstUncommitted);
-        void* result = m_blocks[m_firstUncommitted];
-        commitBlock(result);
-        return result;
-    }
-    
-    void* result = tryMallocBlock();
-    if (!result)
-        return nullptr;
-    unsigned index = m_blocks.size();
-    m_blocks.append(result);
-    m_blockIndices.add(result, index);
-    if (m_blocks.capacity() != m_committed.size())
-        m_committed.resize(m_blocks.capacity());
-    m_committed.quickSet(index);
-    return result;
-#endif
-}
-
-void IsoMemoryAllocatorBase::freeAlignedMemory(void* basePtr)
-{
-#if ENABLE(MALLOC_HEAP_BREAKDOWN)
-    m_debugHeap.free(basePtr);
-#else
-    Locker locker { m_lock };
-    
-    auto iter = m_blockIndices.find(basePtr);
-    RELEASE_ASSERT(iter != m_blockIndices.end());
-    unsigned index = iter->value;
-    m_committed.quickClear(index);
-    m_firstUncommitted = std::min(index, m_firstUncommitted);
-    decommitBlock(basePtr);
-#endif
-}
-
-} // namespace JSC
-
</del></span></pre></div>
<a id="branchessafari613111branchSourceJavaScriptCoreheapIsoMemoryAllocatorBaseh"></a>
<div class="delfile"><h4>Deleted: branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/IsoMemoryAllocatorBase.h (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/IsoMemoryAllocatorBase.h      2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/IsoMemoryAllocatorBase.h 2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -1,67 +0,0 @@
</span><del>-/*
- * Copyright (C) 2017-2021 Apple Inc. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
- * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
- * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- */
-
-#pragma once
-
-#include "AlignedMemoryAllocator.h"
-#include <wtf/BitVector.h>
-#include <wtf/DebugHeap.h>
-#include <wtf/HashMap.h>
-#include <wtf/Vector.h>
-
-
-namespace JSC {
-
-class IsoMemoryAllocatorBase : public AlignedMemoryAllocator {
-public:
-    IsoMemoryAllocatorBase(CString);
-    ~IsoMemoryAllocatorBase() override;
-
-    void* tryAllocateAlignedMemory(size_t alignment, size_t size) final;
-    void freeAlignedMemory(void*) final;
-
-protected:
-    void releaseMemoryFromSubclassDestructor();
-    virtual void* tryMallocBlock() = 0;
-    virtual void freeBlock(void* block) = 0;
-    virtual void commitBlock(void* block) = 0;
-    virtual void decommitBlock(void* block) = 0;
-
-#if ENABLE(MALLOC_HEAP_BREAKDOWN)
-protected:
-    // If breakdown is enabled, we do not ensure Iso-feature. This is totally OK since breakdown is memory bloat debugging feature.
-    WTF::DebugHeap m_debugHeap;
-#else
-private:
-    Vector<void*> m_blocks;
-    HashMap<void*, unsigned> m_blockIndices;
-    BitVector m_committed;
-    unsigned m_firstUncommitted { 0 };
-    Lock m_lock;
-#endif
-};
-
-} // namespace JSC
-
</del></span></pre></div>
<a id="branchessafari613111branchSourceJavaScriptCoreheapIsoSubspacecpp"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/IsoSubspace.cpp (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/IsoSubspace.cpp       2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/IsoSubspace.cpp  2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -33,11 +33,11 @@
</span><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span><del>-IsoSubspace::IsoSubspace(CString name, Heap& heap, const HeapCellType& heapCellType, size_t size, uint8_t numberOfLowerTierCells, std::unique_ptr<IsoMemoryAllocatorBase>&& allocator)
</del><ins>+IsoSubspace::IsoSubspace(CString name, Heap& heap, const HeapCellType& heapCellType, size_t size, uint8_t numberOfLowerTierCells)
</ins><span class="cx">     : Subspace(name, heap)
</span><span class="cx">     , m_directory(WTF::roundUpToMultipleOf<MarkedBlock::atomSize>(size))
</span><span class="cx">     , m_localAllocator(&m_directory)
</span><del>-    , m_isoAlignedMemoryAllocator(allocator ? WTFMove(allocator) : makeUnique<IsoAlignedMemoryAllocator>(name))
</del><ins>+    , m_isoAlignedMemoryAllocator(makeUnique<IsoAlignedMemoryAllocator>(name))
</ins><span class="cx"> {
</span><span class="cx">     m_remainingLowerTierCellCount = numberOfLowerTierCells;
</span><span class="cx">     ASSERT(WTF::roundUpToMultipleOf<MarkedBlock::atomSize>(size) == cellSize());
</span><span class="lines">@@ -109,9 +109,8 @@
</span><span class="cx">         return revive(allocation);
</span><span class="cx">     }
</span><span class="cx">     if (m_remainingLowerTierCellCount) {
</span><del>-        PreciseAllocation* allocation = PreciseAllocation::tryCreateForLowerTier(m_space.heap(), cellSize(), this, --m_remainingLowerTierCellCount);
-        if (allocation)
-            return revive(allocation);
</del><ins>+        PreciseAllocation* allocation = PreciseAllocation::createForLowerTier(m_space.heap(), cellSize(), this, --m_remainingLowerTierCellCount);
+        return revive(allocation);
</ins><span class="cx">     }
</span><span class="cx">     return nullptr;
</span><span class="cx"> }
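Review bot: The result of `createForLowerTier` is passed straight to `revive(allocation)` now that the `if (allocation)` guard is gone, so this path depends on the callee never returning null. The PreciseAllocation.cpp hunk on this page shows only the rename and not the body, so that guarantee cannot be confirmed from here. If allocation failure is meant to be fatal, make that explicit with `RELEASE_ASSERT(allocation);` before the `revive` call, or with a comment stating that `createForLowerTier` crashes on failure. The enclosing function starts outside the hunk.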
</span></span></pre></div>
<a id="branchessafari613111branchSourceJavaScriptCoreheapIsoSubspaceh"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/IsoSubspace.h (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/IsoSubspace.h 2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/IsoSubspace.h    2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -26,7 +26,6 @@
</span><span class="cx"> #pragma once
</span><span class="cx"> 
</span><span class="cx"> #include "BlockDirectory.h"
</span><del>-#include "IsoMemoryAllocatorBase.h"
</del><span class="cx"> #include "Subspace.h"
</span><span class="cx"> #include "SubspaceAccess.h"
</span><span class="cx"> #include <wtf/SinglyLinkedListWithTail.h>
</span><span class="lines">@@ -33,11 +32,12 @@
</span><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span><ins>+class IsoAlignedMemoryAllocator;
</ins><span class="cx"> class IsoCellSet;
</span><span class="cx"> 
</span><span class="cx"> class IsoSubspace : public Subspace {
</span><span class="cx"> public:
</span><del>-    JS_EXPORT_PRIVATE IsoSubspace(CString name, Heap&, const HeapCellType&, size_t size, uint8_t numberOfLowerTierCells, std::unique_ptr<IsoMemoryAllocatorBase>&& = nullptr);
</del><ins>+    JS_EXPORT_PRIVATE IsoSubspace(CString name, Heap&, const HeapCellType&, size_t, uint8_t numberOfLowerTierCells);
</ins><span class="cx">     JS_EXPORT_PRIVATE ~IsoSubspace() override;
</span><span class="cx"> 
</span><span class="cx">     size_t cellSize() { return m_directory.cellSize(); }
</span><span class="lines">@@ -67,7 +67,7 @@
</span><span class="cx">     
</span><span class="cx">     BlockDirectory m_directory;
</span><span class="cx">     LocalAllocator m_localAllocator;
</span><del>-    std::unique_ptr<IsoMemoryAllocatorBase> m_isoAlignedMemoryAllocator;
</del><ins>+    std::unique_ptr<IsoAlignedMemoryAllocator> m_isoAlignedMemoryAllocator;
</ins><span class="cx">     SentinelLinkedList<PreciseAllocation, PackedRawSentinelNode<PreciseAllocation>> m_lowerTierFreeList;
</span><span class="cx">     SentinelLinkedList<IsoCellSet, PackedRawSentinelNode<IsoCellSet>> m_cellSets;
</span><span class="cx"> };
</span></span></pre></div>
<a id="branchessafari613111branchSourceJavaScriptCoreheapPreciseAllocationcpp"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/PreciseAllocation.cpp (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/PreciseAllocation.cpp 2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/PreciseAllocation.cpp    2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -120,7 +120,7 @@
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> 
</span><del>-PreciseAllocation* PreciseAllocation::tryCreateForLowerTier(Heap& heap, size_t size, Subspace* subspace, uint8_t lowerTierIndex)
</del><ins>+PreciseAllocation* PreciseAllocation::createForLowerTier(Heap& heap, size_t size, Subspace* subspace, uint8_t lowerTierIndex)
</ins><span class="cx"> {
</span><span class="cx">     if constexpr (validateDFGDoesGC)
</span><span class="cx">         heap.vm().verifyCanGC();
</span></span></pre></div>
<a id="branchessafari613111branchSourceJavaScriptCoreheapPreciseAllocationh"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/PreciseAllocation.h (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/PreciseAllocation.h   2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/PreciseAllocation.h      2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -45,7 +45,7 @@
</span><span class="cx"> 
</span><span class="cx">     static PreciseAllocation* tryCreate(Heap&, size_t, Subspace*, unsigned indexInSpace);
</span><span class="cx"> 
</span><del>-    static PreciseAllocation* tryCreateForLowerTier(Heap&, size_t, Subspace*, uint8_t lowerTierIndex);
</del><ins>+    static PreciseAllocation* createForLowerTier(Heap&, size_t, Subspace*, uint8_t lowerTierIndex);
</ins><span class="cx">     PreciseAllocation* reuseForLowerTier();
</span><span class="cx"> 
</span><span class="cx">     PreciseAllocation* tryReallocate(size_t, Subspace*);
</span></span></pre></div>
<a id="branchessafari613111branchSourceJavaScriptCoreheapSlotVisitorcpp"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/SlotVisitor.cpp (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/SlotVisitor.cpp       2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/SlotVisitor.cpp  2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -152,9 +152,10 @@
</span><span class="cx">                     out.print("GC type: ", heap()->collectionScope(), "\n");
</span><span class="cx">                     out.print("Object at: ", RawPointer(jsCell), "\n");
</span><span class="cx"> #if USE(JSVALUE64)
</span><del>-                    out.print("Structure ID: ", structureID.bits(), " (", RawPointer(structureID.decode()), ")\n");
</del><ins>+                    out.print("Structure ID: ", structureID, " (0x", format("%x", structureID), ")\n");
+                    out.print("Structure ID table size: ", heap()->structureIDTable().size(), "\n");
</ins><span class="cx"> #else
</span><del>-                    out.print("Structure: ", RawPointer(structureID.decode()), "\n");
</del><ins>+                    out.print("Structure: ", RawPointer(structureID), "\n");
</ins><span class="cx"> #endif
</span><span class="cx">                     out.print("Object contents:");
</span><span class="cx">                     for (unsigned i = 0; i < 2; ++i)
</span><span class="lines">@@ -185,13 +186,13 @@
</span><span class="cx">             die("GC scan found corrupt object: structureID is zero!\n");
</span><span class="cx">         
</span><span class="cx">         // It's not OK for the structure to be nuked at any GC scan point.
</span><del>-        if (structureID.isNuked())
</del><ins>+        if (isNuked(structureID))
</ins><span class="cx">             die("GC scan found object in bad state: structureID is nuked!\n");
</span><del>-
</del><ins>+        
</ins><span class="cx">         // This detects the worst of the badness.
</span><del>-        Integrity::auditStructureID(structureID);
</del><ins>+        Integrity::auditStructureID(heap()->structureIDTable(), structureID);
</ins><span class="cx">     };
</span><del>-
</del><ins>+    
</ins><span class="cx">     // In debug mode, we validate before marking since this makes it clearer what the problem
</span><span class="cx">     // was. It's also slower, so we don't do it normally.
</span><span class="cx">     if (ASSERT_ENABLED && isJSCellKind(heapCell->cellKind()))
</span></span></pre></div>
<a id="branchessafari613111branchSourceJavaScriptCoreheapSlotVisitorh"></a>
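--- a/branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/SlotVisitor.h
+++ b/branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/SlotVisitor.h
@@ -92,8 +92,6 @@
 
     template<typename T, typename Traits> void append(const WriteBarrierBase<T, Traits>&);
     template<typename T, typename Traits> void appendHidden(const WriteBarrierBase<T, Traits>&);
-    void append(const WriteBarrierStructureID&);
-    void appendHidden(const WriteBarrierStructureID&);
     template<typename Iterator> void append(Iterator begin , Iterator end);
     ALWAYS_INLINE void appendValues(const WriteBarrierBase<Unknown, RawValueTraits<Unknown>>*, size_t count);
     ALWAYS_INLINE void appendValuesHidden(const WriteBarrierBase<Unknown, RawValueTraits<Unknown>>*, size_t count);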
<a id="branchessafari613111branchSourceJavaScriptCoreheapSlotVisitorInlinesh"></a>
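--- a/branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/SlotVisitorInlines.h
+++ b/branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/SlotVisitorInlines.h
@@ -116,16 +116,6 @@
     appendHiddenUnbarriered(slot.get());
 }
 
-ALWAYS_INLINE void SlotVisitor::append(const WriteBarrierStructureID& slot)
-{
-    appendUnbarriered(reinterpret_cast<JSCell*>(slot.get()));
-}
-
-ALWAYS_INLINE void SlotVisitor::appendHidden(const WriteBarrierStructureID& slot)
-{
-    appendHiddenUnbarriered(reinterpret_cast<JSCell*>(slot.get()));
-}
-
 template<typename Iterator>
 ALWAYS_INLINE void SlotVisitor::append(Iterator begin, Iterator end)
 {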
<a id="branchessafari613111branchSourceJavaScriptCoreheapStructureAlignedMemoryAllocatorcpp"></a>
<div class="delfile"><h4>Deleted: branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/StructureAlignedMemoryAllocator.cpp (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/StructureAlignedMemoryAllocator.cpp   2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/StructureAlignedMemoryAllocator.cpp      2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -1,180 +0,0 @@
</span><del>-/*
- * Copyright (C) 2017-2021 Apple Inc. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
- * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
- * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- */
-
-#include "config.h"
-#include "StructureAlignedMemoryAllocator.h"
-
-#include "JSCConfig.h"
-#include "MarkedBlock.h"
-
-#include <wtf/OSAllocator.h>
-
-namespace JSC {
-
-StructureAlignedMemoryAllocator::StructureAlignedMemoryAllocator(CString name)
-    : Base(name)
-{
-}
-
-StructureAlignedMemoryAllocator::~StructureAlignedMemoryAllocator()
-{
-    releaseMemoryFromSubclassDestructor();
-}
-
-void StructureAlignedMemoryAllocator::dump(PrintStream& out) const
-{
-    out.print("Structure(", RawPointer(this), ")");
-}
-
-void* StructureAlignedMemoryAllocator::tryAllocateMemory(size_t)
-{
-    return nullptr;
-}
-
-void StructureAlignedMemoryAllocator::freeMemory(void*)
-{
-    // Structures do not support Precise allocations right now.
-    RELEASE_ASSERT_NOT_REACHED();
-}
-
-void* StructureAlignedMemoryAllocator::tryReallocateMemory(void*, size_t)
-{
-    // Structures do not support Precise allocations right now.
-    RELEASE_ASSERT_NOT_REACHED();
-}
-
-#if CPU(ADDRESS64)
-
-class StructureMemoryManager {
-public:
-    StructureMemoryManager()
-    {
-        // Don't use the first page because zero is used as the empty StructureID and the first allocation will conflict.
-        m_usedBlocks.set(0);
-    }
-
-    void* tryMallocStructureBlock()
-    {
-        size_t freeIndex;
-        {
-            Locker locker(m_lock);
-            constexpr size_t startIndex = 0;
-            freeIndex = m_usedBlocks.findBit(startIndex, 0);
-            ASSERT(freeIndex <= m_usedBlocks.bitCount());
-            if (freeIndex * MarkedBlock::blockSize >= structureHeapAddressSize)
-                return nullptr;
-            m_usedBlocks.set(freeIndex);
-        }
-
-        MarkedBlock* block = reinterpret_cast<MarkedBlock*>(g_jscConfig.startOfStructureHeap) + freeIndex * MarkedBlock::blockSize;
-        constexpr bool writable = true;
-        constexpr bool executable = false;
-        OSAllocator::commit(block, MarkedBlock::blockSize, writable, executable);
-        return block;
-    }
-
-    void freeStructureBlock(void* blockPtr)
-    {
-        OSAllocator::decommit(blockPtr, MarkedBlock::blockSize);
-        uintptr_t block = reinterpret_cast<uintptr_t>(blockPtr);
-        RELEASE_ASSERT(g_jscConfig.startOfStructureHeap <= block && block < g_jscConfig.startOfStructureHeap + structureHeapAddressSize);
-        RELEASE_ASSERT(roundUpToMultipleOf<MarkedBlock::blockSize>(block) == block);
-
-        Locker locker(m_lock);
-        m_usedBlocks.quickClear((block - g_jscConfig.startOfStructureHeap) / MarkedBlock::blockSize);
-    }
-
-private:
-    Lock m_lock;
-    BitVector m_usedBlocks;
-};
-
-static LazyNeverDestroyed<StructureMemoryManager> s_structureMemoryManager;
-
-void StructureAlignedMemoryAllocator::initializeStructureAddressSpace()
-{
-    static_assert(hasOneBitSet(structureHeapAddressSize));
-
-    g_jscConfig.startOfStructureHeap = reinterpret_cast<uintptr_t>(OSAllocator::reserveUncommittedAligned(structureHeapAddressSize, OSAllocator::FastMallocPages));
-    s_structureMemoryManager.construct();
-
-    ASSERT((g_jscConfig.startOfStructureHeap & ~structureIDMask) == g_jscConfig.startOfStructureHeap);
-}
-
-void* StructureAlignedMemoryAllocator::tryMallocBlock()
-{
-    return s_structureMemoryManager->tryMallocStructureBlock();
-}
-
-void StructureAlignedMemoryAllocator::freeBlock(void* block)
-{
-    s_structureMemoryManager->freeStructureBlock(block);
-}
-
-void StructureAlignedMemoryAllocator::commitBlock(void* block)
-{
-    constexpr bool writable = true;
-    constexpr bool executable = false;
-    OSAllocator::commit(block, MarkedBlock::blockSize, writable, executable);
-}
-
-void StructureAlignedMemoryAllocator::decommitBlock(void* block)
-{
-    OSAllocator::decommit(block, MarkedBlock::blockSize);
-}
-
-#else // not CPU(ADDRESS64)
-
-// FIXME: This is the same as IsoAlignedMemoryAllocator maybe we should just use that for 32-bit.
-
-void StructureAlignedMemoryAllocator::initializeStructureAddressSpace()
-{
-    g_jscConfig.startOfStructureHeap = 0;
-}
-
-void* StructureAlignedMemoryAllocator::tryMallocBlock()
-{
-    return tryFastAlignedMalloc(MarkedBlock::blockSize, MarkedBlock::blockSize);
-}
-
-void StructureAlignedMemoryAllocator::freeBlock(void* block)
-{
-    fastAlignedFree(block);
-}
-
-void StructureAlignedMemoryAllocator::commitBlock(void* block)
-{
-    WTF::fastCommitAlignedMemory(block, MarkedBlock::blockSize);
-}
-
-void StructureAlignedMemoryAllocator::decommitBlock(void* block)
-{
-    WTF::fastDecommitAlignedMemory(block, MarkedBlock::blockSize);
-}
-
-#endif // CPU(ADDRESS64)
-
-} // namespace JSC
-
</del></span></pre></div>
<a id="branchessafari613111branchSourceJavaScriptCoreheapStructureAlignedMemoryAllocatorh"></a>
<div class="delfile"><h4>Deleted: branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/StructureAlignedMemoryAllocator.h (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/StructureAlignedMemoryAllocator.h     2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/heap/StructureAlignedMemoryAllocator.h        2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -1,60 +0,0 @@
</span><del>-/*
- * Copyright (C) 2021 Apple Inc. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
- * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
- * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- */
-
-#pragma once
-
-#include "IsoMemoryAllocatorBase.h"
-#include <wtf/Gigacage.h>
-
-#if ENABLE(MALLOC_HEAP_BREAKDOWN)
-#include <wtf/DebugHeap.h>
-#endif
-
-namespace JSC {
-
-class StructureAlignedMemoryAllocator final : public IsoMemoryAllocatorBase {
-public:
-    using Base = IsoMemoryAllocatorBase;
-
-    StructureAlignedMemoryAllocator(CString);
-    ~StructureAlignedMemoryAllocator() final;
-    
-    void dump(PrintStream&) const final;
-
-    void* tryAllocateMemory(size_t) final;
-    void freeMemory(void*) final;
-    void* tryReallocateMemory(void*, size_t) final;
-
-    static void initializeStructureAddressSpace();
-
-protected:
-    void* tryMallocBlock() final;
-    void freeBlock(void* block) final;
-    void commitBlock(void* block) final;
-    void decommitBlock(void* block) final;
-};
-
-} // namespace JSC
-
</del></span></pre></div>
<a id="branchessafari613111branchSourceJavaScriptCorejitAssemblyHelperscpp"></a>
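--- a/branches/safari-613.1.11-branch/Source/JavaScriptCore/jit/AssemblyHelpers.cpp
+++ b/branches/safari-613.1.11-branch/Source/JavaScriptCore/jit/AssemblyHelpers.cpp
@@ -320,7 +320,7 @@
 #if USE(JSVALUE64)
     jit.store64(TrustedImm64(structurePtr->idBlob()), MacroAssembler::Address(dest, JSCell::structureIDOffset()));
     if (ASSERT_ENABLED) {
-        Jump correctStructure = jit.branch32(Equal, MacroAssembler::Address(dest, JSCell::structureIDOffset()), TrustedImm32(structurePtr->id().bits()));
+        Jump correctStructure = jit.branch32(Equal, MacroAssembler::Address(dest, JSCell::structureIDOffset()), TrustedImm32(structurePtr->id()));
         jit.abortWithReason(AHStructureIDIsValid);
         correctStructure.link(&jit);
 
@@ -389,29 +389,44 @@
         BaseIndex(scratch, offset, TimesEight, (firstOutOfLineOffset - 2) * sizeof(EncodedJSValue)));
 }
 
-void AssemblyHelpers::emitNonNullDecodeStructureID(RegisterID source, RegisterID dest)
+void AssemblyHelpers::emitLoadStructure(VM& vm, RegisterID source, RegisterID dest, RegisterID scratch)
 {
-    move(source, dest);
-#if CPU(ADDRESS64)
-    // This could use BFI on arm64 but that only helps if the start of structure heap is encodable as a mov and not as an immediate in the add so it's probably not super important.
-    and32(TrustedImm32(structureIDMask), dest);
-    add64(TrustedImm64(g_jscConfig.startOfStructureHeap), dest);
-#endif // not CPU(ADDRESS64)
-}
+#if USE(JSVALUE64)
+#if CPU(ARM64)
+    RegisterID scratch2 = dataTempRegister;
+#elif CPU(X86_64)
+    RegisterID scratch2 = scratchRegister();
+#else
+#error "Unsupported cpu"
+#endif
 
-void AssemblyHelpers::emitLoadStructure(VM&, RegisterID source, RegisterID dest)
-{
-    load32(MacroAssembler::Address(source, JSCell::structureIDOffset()), dest);
-    emitNonNullDecodeStructureID(dest, dest);
+    ASSERT(dest != scratch);
+    ASSERT(dest != scratch2);
+    ASSERT(scratch != scratch2);
+
+    load32(MacroAssembler::Address(source, JSCell::structureIDOffset()), scratch2);
+    loadPtr(vm.heap.structureIDTable().base(), scratch);
+    rshift32(scratch2, TrustedImm32(StructureIDTable::s_numberOfEntropyBits), dest);
+    loadPtr(MacroAssembler::BaseIndex(scratch, dest, MacroAssembler::ScalePtr), dest);
+    lshiftPtr(TrustedImm32(StructureIDTable::s_entropyBitsShiftForStructurePointer), scratch2);
+    xorPtr(scratch2, dest);
+#else // not USE(JSVALUE64)
+    UNUSED_PARAM(scratch);
+    UNUSED_PARAM(vm);
+    loadPtr(MacroAssembler::Address(source, JSCell::structureIDOffset()), dest);
+#endif // not USE(JSVALUE64)
 }
 
-void AssemblyHelpers::emitLoadPrototype(VM& vm, GPRReg objectGPR, JSValueRegs resultRegs, JumpList& slowPath)
+void AssemblyHelpers::emitLoadPrototype(VM& vm, GPRReg objectGPR, JSValueRegs resultRegs, GPRReg scratchGPR, JumpList& slowPath)
 {
     ASSERT(resultRegs.payloadGPR() != objectGPR);
+    ASSERT(resultRegs.payloadGPR() != scratchGPR);
+    ASSERT(objectGPR != scratchGPR);
 
-    emitLoadStructure(vm, objectGPR, resultRegs.payloadGPR());
+    emitLoadStructure(vm, objectGPR, resultRegs.payloadGPR(), scratchGPR);
 
-    auto overridesGetPrototype = branchTest32(MacroAssembler::NonZero, MacroAssembler::Address(resultRegs.payloadGPR(), Structure::outOfLineTypeFlagsOffset()), TrustedImm32(OverridesGetPrototypeOutOfLine));
+    load16(MacroAssembler::Address(resultRegs.payloadGPR(), Structure::outOfLineTypeFlagsOffset()), scratchGPR);
+    auto overridesGetPrototype = branchTest32(MacroAssembler::NonZero, scratchGPR, TrustedImm32(OverridesGetPrototypeOutOfLine));
     slowPath.append(overridesGetPrototype);
 
     loadValue(MacroAssembler::Address(resultRegs.payloadGPR(), Structure::prototypeOffset()), resultRegs);
@@ -510,7 +525,7 @@
 void AssemblyHelpers::emitRandomThunk(VM& vm, GPRReg scratch0, GPRReg scratch1, GPRReg scratch2, GPRReg scratch3, FPRReg result)
 {
     emitGetFromCallFrameHeaderPtr(CallFrameSlot::callee, scratch3);
-    emitLoadStructure(vm, scratch3, scratch3);
+    emitLoadStructure(vm, scratch3, scratch3, scratch0);
     loadPtr(Address(scratch3, Structure::globalObjectOffset()), scratch3);
     // Now, scratch3 holds JSGlobalObject*.
 
@@ -823,7 +838,7 @@
         ASSERT(scratchIfShouldCheckMasqueradesAsUndefined != InvalidGPRReg);
         JumpList isNotMasqueradesAsUndefined;
         isNotMasqueradesAsUndefined.append(branchTest8(Zero, Address(value.payloadGPR(), JSCell::typeInfoFlagsOffset()), TrustedImm32(MasqueradesAsUndefined)));
-        emitLoadStructure(vm, value.payloadGPR(), result);
+        emitLoadStructure(vm, value.payloadGPR(), result, scratchIfShouldCheckMasqueradesAsUndefined);
         move(TrustedImmPtr(globalObject), scratchIfShouldCheckMasqueradesAsUndefined);
         isNotMasqueradesAsUndefined.append(branchPtr(NotEqual, Address(result, Structure::globalObjectOffset()), scratchIfShouldCheckMasqueradesAsUndefined));
 
@@ -914,7 +929,7 @@
         ASSERT(scratchIfShouldCheckMasqueradesAsUndefined != InvalidGPRReg);
         JumpList isNotMasqueradesAsUndefined;
         isNotMasqueradesAsUndefined.append(branchTest8(Zero, Address(value.payloadGPR(), JSCell::typeInfoFlagsOffset()), TrustedImm32(MasqueradesAsUndefined)));
-        emitLoadStructure(vm, value.payloadGPR(), scratch);
+        emitLoadStructure(vm, value.payloadGPR(), scratch, scratchIfShouldCheckMasqueradesAsUndefined);
         if (std::holds_alternative<JSGlobalObject*>(globalObject))
             move(TrustedImmPtr(std::get<JSGlobalObject*>(globalObject)), scratchIfShouldCheckMasqueradesAsUndefined);
         else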
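Review bot: The JSVALUE64 path of `emitLoadStructure` (hunk at -389) emits a table load indexed by `structureID >> s_numberOfEntropyBits` without ever comparing the index with the table size, so a corrupted cell header is caught, if at all, only by the entropy XOR that follows. The hunk does not say whether that is deliberate. After confirming the intended guarantee, I would add a comment above the `load32`, for example `// Unchecked index: a mismatched ID is expected to decode to an invalid pointer via the entropy XOR below.` The three ASSERTs also leave `source` unconstrained, which the `emitRandomThunk` call (source == dest) relies on, so that deserves a short comment next to them as well.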
<a id="branchessafari613111branchSourceJavaScriptCorejitAssemblyHelpersh"></a>
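--- a/branches/safari-613.1.11-branch/Source/JavaScriptCore/jit/AssemblyHelpers.h
+++ b/branches/safari-613.1.11-branch/Source/JavaScriptCore/jit/AssemblyHelpers.h
@@ -1123,7 +1123,7 @@
     Jump branchStructure(RelationalCondition condition, T leftHandSide, Structure* structure)
     {
 #if USE(JSVALUE64)
-        return branch32(condition, leftHandSide, TrustedImm32(structure->id().bits()));
+        return branch32(condition, leftHandSide, TrustedImm32(structure->id()));
 #else
         return branchPtr(condition, leftHandSide, TrustedImmPtr(structure));
 #endif
@@ -1577,9 +1577,8 @@
         return argumentCount(codeOrigin.inlineCallFrame());
     }
     
-    void emitNonNullDecodeStructureID(RegisterID source, RegisterID dest);
-    void emitLoadStructure(VM&, RegisterID source, RegisterID dest);
-    void emitLoadPrototype(VM&, GPRReg objectGPR, JSValueRegs resultRegs, JumpList& slowPath);
+    void emitLoadStructure(VM&, RegisterID source, RegisterID dest, RegisterID scratch);
+    void emitLoadPrototype(VM&, GPRReg objectGPR, JSValueRegs resultRegs, GPRReg scratchGPR, JumpList& slowPath);
 
     void emitStoreStructureWithTypeInfo(TrustedImmPtr structure, RegisterID dest, RegisterID)
     {
@@ -1664,13 +1663,13 @@
     void nukeStructureAndStoreButterfly(VM& vm, GPRReg butterfly, GPRReg object)
     {
         if (isX86()) {
-            or32(TrustedImm32(bitwise_cast<int32_t>(StructureID::nukedStructureIDBit)), Address(object, JSCell::structureIDOffset()));
+            or32(TrustedImm32(bitwise_cast<int32_t>(nukedStructureIDBit())), Address(object, JSCell::structureIDOffset()));
             storePtr(butterfly, Address(object, JSObject::butterflyOffset()));
             return;
         }
 
         Jump ok = jumpIfMutatorFenceNotNeeded(vm);
-        or32(TrustedImm32(bitwise_cast<int32_t>(StructureID::nukedStructureIDBit)), Address(object, JSCell::structureIDOffset()));
+        or32(TrustedImm32(bitwise_cast<int32_t>(nukedStructureIDBit())), Address(object, JSCell::structureIDOffset()));
         storeFence();
         storePtr(butterfly, Address(object, JSObject::butterflyOffset()));
         storeFence();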
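Review bot: The new `emitLoadStructure(VM&, RegisterID source, RegisterID dest, RegisterID scratch)` declaration (hunk at -1577) documents neither its clobbers nor its aliasing rules. On JSVALUE64 the definition in AssemblyHelpers.cpp also uses an implicit second temporary (`dataTempRegister` on ARM64, `scratchRegister()` on x86-64) that callers cannot see from the signature. A one-line comment on the declaration would cover it: `// Clobbers scratch and the assembler's temp register; dest must differ from both.` The same applies to `emitLoadPrototype`, whose definition asserts that `scratchGPR` differs from `objectGPR` and from the result payload register.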
<a id="branchessafari613111branchSourceJavaScriptCorejitGCAwareJITStubRoutinecpp"></a>
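--- a/branches/safari-613.1.11-branch/Source/JavaScriptCore/jit/GCAwareJITStubRoutine.cpp
+++ b/branches/safari-613.1.11-branch/Source/JavaScriptCore/jit/GCAwareJITStubRoutine.cpp
@@ -99,7 +99,7 @@
     for (auto& key : cases)
         WTF::add(hasher, key->hash());
     for (auto& structureID : weakStructures)
-        WTF::add(hasher, structureID.bits());
+        WTF::add(hasher, structureID);
     return hasher.hash();
 }
 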
<a id="branchessafari613111branchSourceJavaScriptCorejitJITInlineCacheGeneratorcpp"></a>
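--- a/branches/safari-613.1.11-branch/Source/JavaScriptCore/jit/JITInlineCacheGenerator.cpp
+++ b/branches/safari-613.1.11-branch/Source/JavaScriptCore/jit/JITInlineCacheGenerator.cpp
@@ -136,7 +136,7 @@
 static void generateGetByIdInlineAccess(JIT& jit, GPRReg stubInfoGPR, JSValueRegs baseJSR, GPRReg scratchGPR, JSValueRegs resultJSR)
 {
     jit.load32(CCallHelpers::Address(baseJSR.payloadGPR(), JSCell::structureIDOffset()), scratchGPR);
-    auto doInlineAccess = jit.branch32(CCallHelpers::Equal, scratchGPR, CCallHelpers::Address(stubInfoGPR, StructureStubInfo::offsetOfInlineAccessBaseStructureID()));
+    auto doInlineAccess = jit.branch32(CCallHelpers::Equal, scratchGPR, CCallHelpers::Address(stubInfoGPR, StructureStubInfo::offsetOfInlineAccessBaseStructure()));
     jit.farJump(CCallHelpers::Address(stubInfoGPR, StructureStubInfo::offsetOfCodePtr()), JITStubRoutinePtrTag);
     doInlineAccess.link(&jit);
     jit.load32(CCallHelpers::Address(stubInfoGPR, StructureStubInfo::offsetOfByIdSelfOffset()), scratchGPR);
@@ -221,7 +221,7 @@
     using BaselinePutByIdRegisters::scratch2GPR;
 
     jit.load32(CCallHelpers::Address(baseJSR.payloadGPR(), JSCell::structureIDOffset()), scratchGPR);
-    auto doInlineAccess = jit.branch32(CCallHelpers::Equal, scratchGPR, CCallHelpers::Address(stubInfoGPR, StructureStubInfo::offsetOfInlineAccessBaseStructureID()));
+    auto doInlineAccess = jit.branch32(CCallHelpers::Equal, scratchGPR, CCallHelpers::Address(stubInfoGPR, StructureStubInfo::offsetOfInlineAccessBaseStructure()));
     jit.farJump(CCallHelpers::Address(stubInfoGPR, StructureStubInfo::offsetOfCodePtr()), JITStubRoutinePtrTag);
     doInlineAccess.link(&jit);
     jit.load32(CCallHelpers::Address(stubInfoGPR, StructureStubInfo::offsetOfByIdSelfOffset()), scratchGPR);
@@ -412,7 +412,7 @@
     CCallHelpers::JumpList done;
 
     jit.load32(CCallHelpers::Address(baseJSR.payloadGPR(), JSCell::structureIDOffset()), scratchGPR);
-    auto skipInlineAccess = jit.branch32(CCallHelpers::NotEqual, scratchGPR, CCallHelpers::Address(stubInfoGPR, StructureStubInfo::offsetOfInlineAccessBaseStructureID()));
+    auto skipInlineAccess = jit.branch32(CCallHelpers::NotEqual, scratchGPR, CCallHelpers::Address(stubInfoGPR, StructureStubInfo::offsetOfInlineAccessBaseStructure()));
     jit.boxBoolean(true, resultJSR);
     auto finished = jit.jump();
 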
<a id="branchessafari613111branchSourceJavaScriptCorejitJITOpcodescpp"></a>
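--- a/branches/safari-613.1.11-branch/Source/JavaScriptCore/jit/JITOpcodes.cpp
+++ b/branches/safari-613.1.11-branch/Source/JavaScriptCore/jit/JITOpcodes.cpp
@@ -256,7 +256,7 @@
     Jump notMasqueradesAsUndefined = jump();
 
     isMasqueradesAsUndefined.link(this);
-    emitLoadStructure(vm(), jsRegT10.payloadGPR(), regT1);
+    emitLoadStructure(vm(), jsRegT10.payloadGPR(), regT1, regT2);
     loadGlobalObject(regT0);
     loadPtr(Address(regT1, Structure::globalObjectOffset()), regT1);
     comparePtr(Equal, regT0, regT1, regT0);
@@ -514,7 +514,7 @@
 
     // First, handle JSCell cases - check MasqueradesAsUndefined bit on the structure.
     Jump isNotMasqueradesAsUndefined = branchTest8(Zero, Address(jsRegT10.payloadGPR(), JSCell::typeInfoFlagsOffset()), TrustedImm32(MasqueradesAsUndefined));
-    emitLoadStructure(vm(), jsRegT10.payloadGPR(), regT2);
+    emitLoadStructure(vm(), jsRegT10.payloadGPR(), regT2, regT1);
     loadGlobalObject(regT0);
     addJump(branchPtr(Equal, Address(regT2, Structure::globalObjectOffset()), regT0), target);
     Jump masqueradesGlobalObjectIsForeign = jump();
@@ -539,7 +539,7 @@
 
     // First, handle JSCell cases - check MasqueradesAsUndefined bit on the structure.
     addJump(branchTest8(Zero, Address(jsRegT10.payloadGPR(), JSCell::typeInfoFlagsOffset()), TrustedImm32(MasqueradesAsUndefined)), target);
-    emitLoadStructure(vm(), jsRegT10.payloadGPR(), regT2);
+    emitLoadStructure(vm(), jsRegT10.payloadGPR(), regT2, regT1);
     loadGlobalObject(regT0);
     addJump(branchPtr(NotEqual, Address(regT2, Structure::globalObjectOffset()), regT0), target);
     Jump wasNotImmediate = jump();
@@ -1196,7 +1196,7 @@
     Jump wasNotMasqueradesAsUndefined = jump();
 
     isMasqueradesAsUndefined.link(this);
-    emitLoadStructure(vm(), jsRegT10.payloadGPR(), regT2);
+    emitLoadStructure(vm(), jsRegT10.payloadGPR(), regT2, regT1);
     loadGlobalObject(regT0);
     loadPtr(Address(regT2, Structure::globalObjectOffset()), regT2);
     comparePtr(Equal, regT0, regT2, regT0);
@@ -1228,7 +1228,7 @@
     Jump wasNotMasqueradesAsUndefined = jump();
 
     isMasqueradesAsUndefined.link(this);
-    emitLoadStructure(vm(), jsRegT10.payloadGPR(), regT2);
+    emitLoadStructure(vm(), jsRegT10.payloadGPR(), regT2, regT1);
     loadGlobalObject(regT0);
     loadPtr(Address(regT2, Structure::globalObjectOffset()), regT2);
     comparePtr(NotEqual, regT0, regT2, regT0);
@@ -1959,7 +1959,7 @@
     slowCases.append(branchIfNotCell(jsRegT10));
     slowCases.append(branchIfNotObject(jsRegT10.payloadGPR()));
 
-    emitLoadPrototype(vm(), jsRegT10.payloadGPR(), jsRegT32, slowCases);
+    emitLoadPrototype(vm(), jsRegT10.payloadGPR(), jsRegT32, regT4, slowCases);
     addSlowCase(slowCases);
 
     emitValueProfilingSite(bytecode, jsRegT32);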
<a id="branchessafari613111branchSourceJavaScriptCorejitJITPropertyAccesscpp"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/jit/JITPropertyAccess.cpp (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/jit/JITPropertyAccess.cpp  2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/jit/JITPropertyAccess.cpp     2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -2731,7 +2731,7 @@
</span><span class="cx">     and32(TrustedImm32(IndexingTypeMask), regT1);
</span><span class="cx">     genericCases.append(branch32(Above, regT1, TrustedImm32(ArrayWithUndecided)));
</span><span class="cx"> 
</span><del>-    emitLoadStructure(vm(), regT0, regT1);
</del><ins>+    emitLoadStructure(vm(), regT0, regT1, regT2);
</ins><span class="cx">     loadPtr(Address(regT1, Structure::previousOrRareDataOffset()), regT1);
</span><span class="cx">     genericCases.append(branchTestPtr(Zero, regT1));
</span><span class="cx">     genericCases.append(branchIfStructure(regT1));
</span></span></pre></div>
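Review bot: `emitLoadStructure(vm(), regT0, regT1, regT2)` now overwrites regT2 as a scratch register, and nothing in the hunk shows whether regT2 holds a live value at this point. The enclosing function starts and ends outside the hunk, so this needs checking against the code that precedes and follows the call. A short comment at the call, such as `// regT2 is scratch here; it holds nothing live.`, would record the assumption for anyone who later reorders this sequence.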
<a id="branchessafari613111branchSourceJavaScriptCorejitJITStubRoutineh"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/jit/JITStubRoutine.h (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/jit/JITStubRoutine.h       2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/jit/JITStubRoutine.h  2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -29,7 +29,6 @@
</span><span class="cx"> 
</span><span class="cx"> #include "ExecutableAllocator.h"
</span><span class="cx"> #include "MacroAssemblerCodeRef.h"
</span><del>-#include "StructureID.h"
</del><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span><span class="lines">@@ -36,6 +35,12 @@
</span><span class="cx"> class JITStubRoutineSet;
</span><span class="cx"> class VM;
</span><span class="cx"> 
</span><ins>+#if USE(JSVALUE64)
+using StructureID = uint32_t;
+#else
+using StructureID = Structure*;
+#endif
+
</ins><span class="cx"> class AccessCase;
</span><span class="cx"> 
</span><span class="cx"> // This is a base-class for JIT stub routines, and also the class you want
</span></span></pre></div>
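Review bot: The added `using StructureID = uint32_t;` / `using StructureID = Structure*;` block re-declares the alias locally instead of including the header that owns it, so a mismatch with the canonical definition would only be caught in translation units that happen to include both. `Structure` and `uint32_t` are used without a declaration visible in the hunk; if the includes above do not provide them, add `class Structure;` beside `class VM;`. Since a plain integer alias accepts any 32-bit value without a type error, a comment such as `// Must stay identical to the StructureID alias used by StructureIDTable.` would make the coupling explicit.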
<a id="branchessafari613111branchSourceJavaScriptCorellintLLIntSlowPathscpp"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp   2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp      2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -685,7 +685,7 @@
</span><span class="cx">         {
</span><span class="cx">             StructureID oldStructureID = metadata.m_structureID;
</span><span class="cx">             if (oldStructureID) {
</span><del>-                Structure* a = oldStructureID.decode();
</del><ins>+                Structure* a = vm.heap.structureIDTable().get(oldStructureID);
</ins><span class="cx">                 Structure* b = baseValue.asCell()->structure(vm);
</span><span class="cx"> 
</span><span class="cx">                 if (Structure::shouldConvertToPolyProto(a, b)) {
</span><span class="lines">@@ -699,7 +699,7 @@
</span><span class="cx">         Structure* structure = baseCell->structure(vm);
</span><span class="cx">         if (slot.isValue()) {
</span><span class="cx">             // Start out by clearing out the old cache.
</span><del>-            metadata.m_structureID = StructureID();
</del><ins>+            metadata.m_structureID = 0;
</ins><span class="cx">             metadata.m_offset = 0;
</span><span class="cx"> 
</span><span class="cx">             if (structure->propertyAccessesAreCacheable() && !structure->needImpurePropertyWatchpoint()) {
</span><span class="lines">@@ -812,10 +812,10 @@
</span><span class="cx">                 oldStructureID = metadata.protoLoadMode.structureID;
</span><span class="cx">                 break;
</span><span class="cx">             default:
</span><del>-                oldStructureID = StructureID();
</del><ins>+                oldStructureID = 0;
</ins><span class="cx">             }
</span><span class="cx">             if (oldStructureID) {
</span><del>-                Structure* a = oldStructureID.decode();
</del><ins>+                Structure* a = vm.heap.structureIDTable().get(oldStructureID);
</ins><span class="cx">                 Structure* b = baseValue.asCell()->structure(vm);
</span><span class="cx"> 
</span><span class="cx">                 if (Structure::shouldConvertToPolyProto(a, b)) {
</span><span class="lines">@@ -950,7 +950,7 @@
</span><span class="cx">         {
</span><span class="cx">             StructureID oldStructureID = metadata.m_oldStructureID;
</span><span class="cx">             if (oldStructureID) {
</span><del>-                Structure* a = oldStructureID.decode();
</del><ins>+                Structure* a = vm.heap.structureIDTable().get(oldStructureID);
</ins><span class="cx">                 Structure* b = baseValue.asCell()->structure(vm);
</span><span class="cx">                 if (slot.type() == PutPropertySlot::NewProperty)
</span><span class="cx">                     b = b->previousID();
</span><span class="lines">@@ -963,9 +963,9 @@
</span><span class="cx">         }
</span><span class="cx"> 
</span><span class="cx">         // Start out by clearing out the old cache.
</span><del>-        metadata.m_oldStructureID = StructureID();
</del><ins>+        metadata.m_oldStructureID = 0;
</ins><span class="cx">         metadata.m_offset = 0;
</span><del>-        metadata.m_newStructureID = StructureID();
</del><ins>+        metadata.m_newStructureID = 0;
</ins><span class="cx">         metadata.m_structureChain.clear();
</span><span class="cx">         
</span><span class="cx">         JSCell* baseCell = baseValue.asCell();
</span><span class="lines">@@ -1139,7 +1139,7 @@
</span><span class="cx">         {
</span><span class="cx">             StructureID oldStructureID = metadata.m_structureID;
</span><span class="cx">             if (oldStructureID) {
</span><del>-                Structure* a = oldStructureID.decode();
</del><ins>+                Structure* a = vm.heap.structureIDTable().get(oldStructureID);
</ins><span class="cx">                 Structure* b = baseValue.asCell()->structure(vm);
</span><span class="cx"> 
</span><span class="cx">                 if (Structure::shouldConvertToPolyProto(a, b)) {
</span><span class="lines">@@ -1153,7 +1153,7 @@
</span><span class="cx">         Structure* structure = baseCell->structure(vm);
</span><span class="cx">         if (slot.isValue()) {
</span><span class="cx">             // Start out by clearing out the old cache.
</span><del>-            metadata.m_structureID = StructureID();
</del><ins>+            metadata.m_structureID = 0;
</ins><span class="cx">             metadata.m_offset = 0;
</span><span class="cx"> 
</span><span class="cx">             if (!structure->isUncacheableDictionary()) {
</span><span class="lines">@@ -1272,7 +1272,7 @@
</span><span class="cx">         {
</span><span class="cx">             StructureID oldStructureID = metadata.m_oldStructureID;
</span><span class="cx">             if (oldStructureID) {
</span><del>-                Structure* a = oldStructureID.decode();
</del><ins>+                Structure* a = vm.heap.structureIDTable().get(oldStructureID);
</ins><span class="cx">                 Structure* b = baseValue.asCell()->structure(vm);
</span><span class="cx">                 if (slot.type() == PutPropertySlot::NewProperty)
</span><span class="cx">                     b = b->previousID();
</span><span class="lines">@@ -1285,9 +1285,9 @@
</span><span class="cx">         }
</span><span class="cx"> 
</span><span class="cx">         // Start out by clearing out the old cache.
</span><del>-        metadata.m_oldStructureID = StructureID();
</del><ins>+        metadata.m_oldStructureID = 0;
</ins><span class="cx">         metadata.m_offset = 0;
</span><del>-        metadata.m_newStructureID = StructureID();
</del><ins>+        metadata.m_newStructureID = 0;
</ins><span class="cx">         metadata.m_property.clear();
</span><span class="cx">         
</span><span class="cx">         JSCell* baseCell = baseValue.asCell();
</span><span class="lines">@@ -1361,8 +1361,8 @@
</span><span class="cx">         ASSERT(oldStructure->transitionWatchpointSetHasBeenInvalidated());
</span><span class="cx"> 
</span><span class="cx">         // Start out by clearing out the old cache.
</span><del>-        metadata.m_oldStructureID = StructureID();
-        metadata.m_newStructureID = StructureID();
</del><ins>+        metadata.m_oldStructureID = 0;
+        metadata.m_newStructureID = 0;
</ins><span class="cx">         metadata.m_brand.clear();
</span><span class="cx"> 
</span><span class="cx">         if (!newStructure->isDictionary()) {
</span></span></pre></div>
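Review bot: `vm.heap.structureIDTable().get(oldStructureID)` is spelled out five times in this file, while CommonSlowPaths.cpp in the same changeset writes what appears to be the same lookup as `vm.getStructure(myStructureID)`; using that helper here would keep the decode in one place. Each lookup also trusts an ID read back from cached metadata, guarded only by `if (oldStructureID)`, so it relies on the cache being cleared before the table entry can be freed or reused. That clearing is not visible in these hunks. If it is the invariant, a one-line comment at the first use would help, e.g. `// Cached IDs are cleared when the structure dies, so a non-zero ID is still live.` The enclosing functions start and end outside the hunks.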
<a id="branchessafari613111branchSourceJavaScriptCorellintLowLevelInterpreterasm"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/llint/LowLevelInterpreter.asm (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/llint/LowLevelInterpreter.asm      2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/llint/LowLevelInterpreter.asm 2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -212,6 +212,11 @@
</span><span class="cx">     const LowestTag = constexpr JSValue::LowestTag
</span><span class="cx"> end
</span><span class="cx"> 
</span><ins>+if JSVALUE64
+    const NumberOfStructureIDEntropyBits = constexpr StructureIDTable::s_numberOfEntropyBits
+    const StructureEntropyBitsShift = constexpr StructureIDTable::s_entropyBitsShiftForStructurePointer
+end
+
</ins><span class="cx"> if LARGE_TYPED_ARRAYS
</span><span class="cx">     const SmallTypedArrayMaxLength = constexpr ArrayProfile::s_smallTypedArrayMaxLength
</span><span class="cx"> end
</span></span></pre></div>
<a id="branchessafari613111branchSourceJavaScriptCorellintLowLevelInterpreter64asm"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm    2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm       2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -694,16 +694,20 @@
</span><span class="cx">         end)
</span><span class="cx"> end
</span><span class="cx"> 
</span><del>-macro structureIDToStructureWithScratch(structureIDThenStructure, scratch)
-    andq constexpr structureIDMask, structureIDThenStructure
-    leap JSCConfig + constexpr JSC::offsetOfJSCConfigStartOfStructureHeap, scratch
-    loadp [scratch], scratch
-    addp scratch, structureIDThenStructure
</del><ins>+macro structureIDToStructureWithScratch(structureIDThenStructure, scratch, scratch2)
+    loadp CodeBlock[cfr], scratch
+    move structureIDThenStructure, scratch2
+    loadp CodeBlock::m_vm[scratch], scratch
+    rshifti NumberOfStructureIDEntropyBits, scratch2
+    loadp VM::heap + Heap::m_structureIDTable + StructureIDTable::m_table[scratch], scratch
+    loadp [scratch, scratch2, PtrSize], scratch2
+    lshiftp StructureEntropyBitsShift, structureIDThenStructure
+    xorp scratch2, structureIDThenStructure
</ins><span class="cx"> end
</span><span class="cx"> 
</span><del>-macro loadStructureWithScratch(cell, structure, scratch)
</del><ins>+macro loadStructureWithScratch(cell, structure, scratch, scratch2)
</ins><span class="cx">     loadi JSCell::m_structureID[cell], structure
</span><del>-    structureIDToStructureWithScratch(structure, scratch)
</del><ins>+    structureIDToStructureWithScratch(structure, scratch, scratch2)
</ins><span class="cx"> end
</span><span class="cx"> 
</span><span class="cx"> # Entrypoints into the interpreter.
</span><span class="lines">@@ -926,7 +930,7 @@
</span><span class="cx">         move 0, t0
</span><span class="cx">         jmp .done
</span><span class="cx">     .masqueradesAsUndefined:
</span><del>-        loadStructureWithScratch(t0, t2, t1)
</del><ins>+        loadStructureWithScratch(t0, t2, t1, t3)
</ins><span class="cx">         loadp CodeBlock[cfr], t0
</span><span class="cx">         loadp CodeBlock::m_globalObject[t0], t0
</span><span class="cx">         cpeq Structure::m_globalObject[t2], t0, t0
</span><span class="lines">@@ -1428,7 +1432,7 @@
</span><span class="cx">     move ValueFalse, t1
</span><span class="cx">     return(t1)
</span><span class="cx"> .masqueradesAsUndefined:
</span><del>-    loadStructureWithScratch(t0, t3, t1)
</del><ins>+    loadStructureWithScratch(t0, t3, t1, t2)
</ins><span class="cx">     loadp CodeBlock[cfr], t1
</span><span class="cx">     loadp CodeBlock::m_globalObject[t1], t1
</span><span class="cx">     cpeq Structure::m_globalObject[t3], t1, t0
</span><span class="lines">@@ -1623,7 +1627,7 @@
</span><span class="cx">     btqnz t0, notCellMask, .opGetPrototypeOfSlow
</span><span class="cx">     bbb JSCell::m_type[t0], ObjectType, .opGetPrototypeOfSlow
</span><span class="cx"> 
</span><del>-    loadStructureWithScratch(t0, t2, t1)
</del><ins>+    loadStructureWithScratch(t0, t2, t1, t3)
</ins><span class="cx">     loadh Structure::m_outOfLineTypeFlags[t2], t3
</span><span class="cx">     btinz t3, OverridesGetPrototypeOutOfLine, .opGetPrototypeOfSlow
</span><span class="cx"> 
</span><span class="lines">@@ -1663,8 +1667,20 @@
</span><span class="cx">     loadp OpPutById::Metadata::m_structureChain[t5], t3
</span><span class="cx">     btpz t3, .opPutByIdTransitionDirect
</span><span class="cx"> 
</span><del>-    structureIDToStructureWithScratch(t2, t1)
</del><ins>+    loadp CodeBlock[cfr], t1
+    loadp CodeBlock::m_vm[t1], t1
+    loadp VM::heap + Heap::m_structureIDTable + StructureIDTable::m_table[t1], t1
</ins><span class="cx"> 
</span><ins>+    macro structureIDToStructureWithScratchAndTable(structureIDThenStructure, table, scratch)
+        move structureIDThenStructure, scratch
+        rshifti NumberOfStructureIDEntropyBits, scratch
+        loadp [table, scratch, PtrSize], scratch
+        lshiftp StructureEntropyBitsShift, structureIDThenStructure
+        xorp scratch, structureIDThenStructure
+    end
+
+    structureIDToStructureWithScratchAndTable(t2, t1, t0)
+
</ins><span class="cx">     loadp StructureChain::m_vector[t3], t3
</span><span class="cx">     assert(macro (ok) btpnz t3, ok end)
</span><span class="cx"> 
</span><span class="lines">@@ -1674,7 +1690,7 @@
</span><span class="cx">     loadi JSCell::m_structureID[t2], t2
</span><span class="cx">     bineq t2, [t3], .opPutByIdSlow
</span><span class="cx">     addp 4, t3
</span><del>-    structureIDToStructureWithScratch(t2, t1)
</del><ins>+    structureIDToStructureWithScratchAndTable(t2, t1, t0)
</ins><span class="cx">     loadq Structure::m_prototype[t2], t2
</span><span class="cx">     bqneq t2, ValueNull, .opPutByIdTransitionChainLoop
</span><span class="cx"> 
</span><span class="lines">@@ -2049,7 +2065,7 @@
</span><span class="cx">         assertNotConstant(size, t0)
</span><span class="cx">         loadq [cfr, t0, 8], t0
</span><span class="cx">         btqnz t0, notCellMask, .immediate
</span><del>-        loadStructureWithScratch(t0, t2, t1)
</del><ins>+        loadStructureWithScratch(t0, t2, t1, t3)
</ins><span class="cx">         cellHandler(t2, JSCell::m_flags[t0], .target)
</span><span class="cx">         dispatch()
</span><span class="cx"> 
</span><span class="lines">@@ -2768,7 +2784,7 @@
</span><span class="cx"> macro loadWithStructureCheck(opcodeStruct, get, slowPath)
</span><span class="cx">     get(m_scope, t0)
</span><span class="cx">     loadq [cfr, t0, 8], t0
</span><del>-    loadStructureWithScratch(t0, t2, t1)
</del><ins>+    loadStructureWithScratch(t0, t2, t1, t3)
</ins><span class="cx">     loadp %opcodeStruct%::Metadata::m_structure[t5], t1
</span><span class="cx">     bpneq t2, t1, slowPath
</span><span class="cx"> end
</span><span class="lines">@@ -3219,7 +3235,7 @@
</span><span class="cx">     andi IndexingTypeMask, t1
</span><span class="cx">     bia t1, ArrayWithUndecided, .slowPath
</span><span class="cx"> 
</span><del>-    loadStructureWithScratch(t0, t1, t2)
</del><ins>+    loadStructureWithScratch(t0, t1, t2, t3)
</ins><span class="cx">     loadp Structure::m_previousOrRareData[t1], t1
</span><span class="cx">     btpz t1, .slowPath
</span><span class="cx">     bbeq JSCell::m_type[t1], StructureType, .slowPath
</span></span></pre></div>
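Review bot: The decode sequence (shift out the entropy bits, index the table, shift the ID up, XOR) is now written twice, once in `structureIDToStructureWithScratch` and once in `structureIDToStructureWithScratchAndTable`, which is defined inside the handler that reads `OpPutById::Metadata`. Two copies of a pointer-decoding sequence can easily diverge; defining the table variant at file scope and having the first macro load the table and call it leaves a single copy, as sketched below. The instruction order differs slightly from the hunk, so any scheduling intent behind the interleaved loads would need confirming. Separately, every updated call site now clobbers one more temporary (t3, t2 or t0), and where the body continues outside the hunk the liveness of that register is not visible here.

```asm
macro structureIDToStructureWithScratchAndTable(structureIDThenStructure, table, scratch)
    # … unchanged: the five decode instructions from the nested macro …
end

macro structureIDToStructureWithScratch(structureIDThenStructure, scratch, scratch2)
    loadp CodeBlock[cfr], scratch
    loadp CodeBlock::m_vm[scratch], scratch
    loadp VM::heap + Heap::m_structureIDTable + StructureIDTable::m_table[scratch], scratch
    structureIDToStructureWithScratchAndTable(structureIDThenStructure, scratch, scratch2)
end
```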
<a id="branchessafari613111branchSourceJavaScriptCoreruntimeArrayPrototypecpp"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/ArrayPrototype.cpp (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/ArrayPrototype.cpp 2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/ArrayPrototype.cpp    2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -602,7 +602,7 @@
</span><span class="cx">     JSObject* thisObject = thisValue.toObject(globalObject);
</span><span class="cx">     RETURN_IF_EXCEPTION(scope, encodedJSValue());
</span><span class="cx"> 
</span><del>-    Integrity::auditStructureID(thisObject->structureID());
</del><ins>+    Integrity::auditStructureID(vm, thisObject->structureID());
</ins><span class="cx">     if (!canUseDefaultArrayJoinForToString(vm, thisObject)) {
</span><span class="cx">         // 2. Let func be the result of calling the [[Get]] internal method of array with argument "join".
</span><span class="cx">         JSValue function = thisObject->get(globalObject, vm.propertyNames->join);
</span></span></pre></div>
<a id="branchessafari613111branchSourceJavaScriptCoreruntimeBigIntPrototypecpp"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/BigIntPrototype.cpp (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/BigIntPrototype.cpp        2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/BigIntPrototype.cpp   2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -113,7 +113,7 @@
</span><span class="cx"> 
</span><span class="cx">     ASSERT(value);
</span><span class="cx"> 
</span><del>-    Integrity::auditStructureID(value->structureID());
</del><ins>+    Integrity::auditStructureID(vm, value->structureID());
</ins><span class="cx">     int32_t radix = extractToStringRadixArgument(globalObject, callFrame->argument(0), scope);
</span><span class="cx">     RETURN_IF_EXCEPTION(scope, { });
</span><span class="cx"> 
</span><span class="lines">@@ -156,7 +156,7 @@
</span><span class="cx">     JSBigInt* value = toThisBigIntValue(globalObject, callFrame->thisValue());
</span><span class="cx">     RETURN_IF_EXCEPTION(scope, { });
</span><span class="cx"> 
</span><del>-    Integrity::auditStructureID(value->structureID());
</del><ins>+    Integrity::auditStructureID(vm, value->structureID());
</ins><span class="cx">     return JSValue::encode(value);
</span><span class="cx"> }
</span><span class="cx"> 
</span></span></pre></div>
<a id="branchessafari613111branchSourceJavaScriptCoreruntimeBooleanPrototypecpp"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/BooleanPrototype.cpp (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/BooleanPrototype.cpp       2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/BooleanPrototype.cpp  2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -76,7 +76,7 @@
</span><span class="cx">     if (UNLIKELY(!thisObject))
</span><span class="cx">         return throwVMTypeError(globalObject, scope);
</span><span class="cx"> 
</span><del>-    Integrity::auditStructureID(thisObject->structureID());
</del><ins>+    Integrity::auditStructureID(vm, thisObject->structureID());
</ins><span class="cx">     if (thisObject->internalValue() == jsBoolean(false))
</span><span class="cx">         return JSValue::encode(vm.smallStrings.falseString());
</span><span class="cx"> 
</span><span class="lines">@@ -96,7 +96,7 @@
</span><span class="cx">     if (UNLIKELY(!thisObject))
</span><span class="cx">         return throwVMTypeError(globalObject, scope);
</span><span class="cx"> 
</span><del>-    Integrity::auditStructureID(thisObject->structureID());
</del><ins>+    Integrity::auditStructureID(vm, thisObject->structureID());
</ins><span class="cx">     return JSValue::encode(thisObject->internalValue());
</span><span class="cx"> }
</span><span class="cx"> 
</span></span></pre></div>
<a id="branchessafari613111branchSourceJavaScriptCoreruntimeCommonSlowPathscpp"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp        2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp   2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -355,11 +355,11 @@
</span><span class="cx">             if (otherStructureID)
</span><span class="cx">                 metadata.m_toThisStatus = ToThisConflicted;
</span><span class="cx">             metadata.m_cachedStructureID = myStructureID;
</span><del>-            vm.writeBarrier(codeBlock, myStructureID.decode());
</del><ins>+            vm.writeBarrier(codeBlock, vm.getStructure(myStructureID));
</ins><span class="cx">         }
</span><span class="cx">     } else {
</span><span class="cx">         metadata.m_toThisStatus = ToThisConflicted;
</span><del>-        metadata.m_cachedStructureID = StructureID();
</del><ins>+        metadata.m_cachedStructureID = 0;
</ins><span class="cx">     }
</span><span class="cx">     // Note: We only need to do this value profiling here on the slow path. The fast path
</span><span class="cx">     // just returns the input to to_this if the structure check succeeds. If the structure
</span></span></pre></div>
<a id="branchessafari613111branchSourceJavaScriptCoreruntimeDatePrototypecpp"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/DatePrototype.cpp (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/DatePrototype.cpp  2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/DatePrototype.cpp     2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -99,7 +99,7 @@
</span><span class="cx">     if (UNLIKELY(!thisDateObj))
</span><span class="cx">         return throwVMTypeError(globalObject, scope);
</span><span class="cx"> 
</span><del>-    Integrity::auditStructureID(thisDateObj->structureID());
</del><ins>+    Integrity::auditStructureID(vm, thisDateObj->structureID());
</ins><span class="cx">     const GregorianDateTime* gregorianDateTime = asUTCVariant
</span><span class="cx">         ? thisDateObj->gregorianDateTimeUTC(cache)
</span><span class="cx">         : thisDateObj->gregorianDateTime(cache);
</span><span class="lines">@@ -315,7 +315,7 @@
</span><span class="cx">     if (UNLIKELY(!thisDateObj))
</span><span class="cx">         return throwVMTypeError(globalObject, scope);
</span><span class="cx"> 
</span><del>-    Integrity::auditStructureID(thisDateObj->structureID());
</del><ins>+    Integrity::auditStructureID(vm, thisDateObj->structureID());
</ins><span class="cx">     if (!std::isfinite(thisDateObj->internalNumber()))
</span><span class="cx">         return throwVMError(globalObject, scope, createRangeError(globalObject, "Invalid Date"_s));
</span><span class="cx"> 
</span><span class="lines">@@ -363,7 +363,7 @@
</span><span class="cx">     if (!thisValue.isObject())
</span><span class="cx">         return throwVMTypeError(globalObject, scope, "Date.prototype[Symbol.toPrimitive] expected |this| to be an object.");
</span><span class="cx">     JSObject* thisObject = jsCast<JSObject*>(thisValue);
</span><del>-    Integrity::auditStructureID(thisObject->structureID());
</del><ins>+    Integrity::auditStructureID(vm, thisObject->structureID());
</ins><span class="cx"> 
</span><span class="cx">     if (!callFrame->argumentCount())
</span><span class="cx">         return throwVMTypeError(globalObject, scope, "Date.prototype[Symbol.toPrimitive] expected a first argument.");
</span></span></pre></div>
<a id="branchessafari613111branchSourceJavaScriptCoreruntimeErrorInstancecpp"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/ErrorInstance.cpp (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/ErrorInstance.cpp  2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/ErrorInstance.cpp     2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -154,7 +154,7 @@
</span><span class="cx"> {
</span><span class="cx">     VM& vm = globalObject->vm();
</span><span class="cx">     auto scope = DECLARE_THROW_SCOPE(vm);
</span><del>-    Integrity::auditStructureID(structureID());
</del><ins>+    Integrity::auditStructureID(vm, structureID());
</ins><span class="cx"> 
</span><span class="cx">     JSValue messageValue;
</span><span class="cx">     auto messagePropertName = vm.propertyNames->message;
</span><span class="lines">@@ -172,7 +172,7 @@
</span><span class="cx"> {
</span><span class="cx">     VM& vm = globalObject->vm();
</span><span class="cx">     auto scope = DECLARE_THROW_SCOPE(vm);
</span><del>-    Integrity::auditStructureID(structureID());
</del><ins>+    Integrity::auditStructureID(vm, structureID());
</ins><span class="cx"> 
</span><span class="cx">     JSValue nameValue;
</span><span class="cx">     auto namePropertName = vm.propertyNames->name;
</span><span class="lines">@@ -203,7 +203,7 @@
</span><span class="cx"> {
</span><span class="cx">     VM& vm = globalObject->vm();
</span><span class="cx">     auto scope = DECLARE_THROW_SCOPE(vm);
</span><del>-    Integrity::auditStructureID(structureID());
</del><ins>+    Integrity::auditStructureID(vm, structureID());
</ins><span class="cx"> 
</span><span class="cx">     String nameString = sanitizedNameString(globalObject);
</span><span class="cx">     RETURN_IF_EXCEPTION(scope, String());
</span></span></pre></div>
<a id="branchessafari613111branchSourceJavaScriptCoreruntimeErrorPrototypecpp"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/ErrorPrototype.cpp (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/ErrorPrototype.cpp 2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/ErrorPrototype.cpp    2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -79,7 +79,7 @@
</span><span class="cx">     if (!thisValue.isObject())
</span><span class="cx">         return throwVMTypeError(globalObject, scope);
</span><span class="cx">     JSObject* thisObj = asObject(thisValue);
</span><del>-    Integrity::auditStructureID(thisObj->structureID());
</del><ins>+    Integrity::auditStructureID(vm, thisObj->structureID());
</ins><span class="cx"> 
</span><span class="cx">     // Guard against recursion!
</span><span class="cx">     StringRecursionChecker checker(globalObject, thisObj);
</span></span></pre></div>
<a id="branchessafari613111branchSourceJavaScriptCoreruntimeFunctionExecutablecpp"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/FunctionExecutable.cpp (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/FunctionExecutable.cpp     2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/FunctionExecutable.cpp        2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -78,7 +78,7 @@
</span><span class="cx">     visitor.append(thisObject->m_codeBlockForConstruct);
</span><span class="cx">     visitor.append(thisObject->m_unlinkedExecutable);
</span><span class="cx">     if (RareData* rareData = thisObject->m_rareData.get()) {
</span><del>-        visitor.append(rareData->m_cachedPolyProtoStructureID);
</del><ins>+        visitor.append(rareData->m_cachedPolyProtoStructure);
</ins><span class="cx">         visitor.append(rareData->m_asString);
</span><span class="cx">         if (TemplateObjectMap* map = rareData->m_templateObjectMap.get()) {
</span><span class="cx">             Locker locker { thisObject->cellLock() };
</span></span></pre></div>
<a id="branchessafari613111branchSourceJavaScriptCoreruntimeFunctionExecutableh"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/FunctionExecutable.h (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/FunctionExecutable.h       2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/FunctionExecutable.h  2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -257,12 +257,12 @@
</span><span class="cx">     Structure* cachedPolyProtoStructure()
</span><span class="cx">     {
</span><span class="cx">         if (UNLIKELY(m_rareData))
</span><del>-            return m_rareData->m_cachedPolyProtoStructureID.get();
</del><ins>+            return m_rareData->m_cachedPolyProtoStructure.get();
</ins><span class="cx">         return nullptr;
</span><span class="cx">     }
</span><span class="cx">     void setCachedPolyProtoStructure(VM& vm, Structure* structure)
</span><span class="cx">     {
</span><del>-        ensureRareData().m_cachedPolyProtoStructureID.set(vm, this, structure);
</del><ins>+        ensureRareData().m_cachedPolyProtoStructure.set(vm, this, structure);
</ins><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     InlineWatchpointSet& ensurePolyProtoWatchpoint()
</span><span class="lines">@@ -310,8 +310,8 @@
</span><span class="cx">         unsigned m_parametersStartOffset { 0 };
</span><span class="cx">         unsigned m_typeProfilingStartOffset { UINT_MAX };
</span><span class="cx">         unsigned m_typeProfilingEndOffset { UINT_MAX };
</span><del>-        WriteBarrierStructureID m_cachedPolyProtoStructureID;
</del><span class="cx">         std::unique_ptr<TemplateObjectMap> m_templateObjectMap;
</span><ins>+        WriteBarrier<Structure> m_cachedPolyProtoStructure;
</ins><span class="cx">         WriteBarrier<JSString> m_asString;
</span><span class="cx">     };
</span><span class="cx"> 
</span></span></pre></div>
<a id="branchessafari613111branchSourceJavaScriptCoreruntimeFunctionPrototypecpp"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/FunctionPrototype.cpp (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/FunctionPrototype.cpp      2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/FunctionPrototype.cpp 2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -81,19 +81,19 @@
</span><span class="cx">     JSValue thisValue = callFrame->thisValue();
</span><span class="cx">     if (thisValue.inherits<JSFunction>(vm)) {
</span><span class="cx">         JSFunction* function = jsCast<JSFunction*>(thisValue);
</span><del>-        Integrity::auditStructureID(function->structureID());
</del><ins>+        Integrity::auditStructureID(vm, function->structureID());
</ins><span class="cx">         RELEASE_AND_RETURN(scope, JSValue::encode(function->toString(globalObject)));
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     if (thisValue.inherits<InternalFunction>(vm)) {
</span><span class="cx">         InternalFunction* function = jsCast<InternalFunction*>(thisValue);
</span><del>-        Integrity::auditStructureID(function->structureID());
</del><ins>+        Integrity::auditStructureID(vm, function->structureID());
</ins><span class="cx">         RELEASE_AND_RETURN(scope, JSValue::encode(jsMakeNontrivialString(globalObject, "function ", function->name(), "() {\n    [native code]\n}")));
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     if (thisValue.isObject()) {
</span><span class="cx">         JSObject* object = asObject(thisValue);
</span><del>-        Integrity::auditStructureID(object->structureID());
</del><ins>+        Integrity::auditStructureID(vm, object->structureID());
</ins><span class="cx">         if (object->isCallable(vm))
</span><span class="cx">             RELEASE_AND_RETURN(scope, JSValue::encode(jsMakeNontrivialString(globalObject, "function ", object->classInfo(vm)->className, "() {\n    [native code]\n}")));
</span><span class="cx">     }
</span></span></pre></div>
<a id="branchessafari613111branchSourceJavaScriptCoreruntimeFunctionRareDatacpp"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/FunctionRareData.cpp (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/FunctionRareData.cpp       2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/FunctionRareData.cpp  2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -60,7 +60,7 @@
</span><span class="cx"> 
</span><span class="cx">     rareData->m_objectAllocationProfile.visitAggregate(visitor);
</span><span class="cx">     rareData->m_internalFunctionAllocationProfile.visitAggregate(visitor);
</span><del>-    visitor.append(rareData->m_boundFunctionStructureID);
</del><ins>+    visitor.append(rareData->m_boundFunctionStructure);
</ins><span class="cx">     visitor.append(rareData->m_executable);
</span><span class="cx"> }
</span><span class="cx"> 
</span></span></pre></div>
<a id="branchessafari613111branchSourceJavaScriptCoreruntimeFunctionRareDatah"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/FunctionRareData.h (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/FunctionRareData.h 2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/FunctionRareData.h    2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -72,7 +72,9 @@
</span><span class="cx">     static inline ptrdiff_t offsetOfObjectAllocationProfile() { return OBJECT_OFFSETOF(FunctionRareData, m_objectAllocationProfile); }
</span><span class="cx">     static inline ptrdiff_t offsetOfAllocationProfileWatchpointSet() { return OBJECT_OFFSETOF(FunctionRareData, m_allocationProfileWatchpointSet); }
</span><span class="cx">     static inline ptrdiff_t offsetOfInternalFunctionAllocationProfile() { return OBJECT_OFFSETOF(FunctionRareData, m_internalFunctionAllocationProfile); }
</span><ins>+    static inline ptrdiff_t offsetOfBoundFunctionStructure() { return OBJECT_OFFSETOF(FunctionRareData, m_boundFunctionStructure); }
</ins><span class="cx">     static inline ptrdiff_t offsetOfExecutable() { return OBJECT_OFFSETOF(FunctionRareData, m_executable); }
</span><ins>+    static inline ptrdiff_t offsetOfAllocationProfileClearingWatchpoint() { return OBJECT_OFFSETOF(FunctionRareData, m_allocationProfileClearingWatchpoint); }
</ins><span class="cx"> 
</span><span class="cx">     ObjectAllocationProfileWithPrototype* objectAllocationProfile()
</span><span class="cx">     {
</span><span class="lines">@@ -111,8 +113,8 @@
</span><span class="cx">             m_allocationProfileWatchpointSet.startWatching();
</span><span class="cx">     }
</span><span class="cx"> 
</span><del>-    Structure* getBoundFunctionStructure() { return m_boundFunctionStructureID.get(); }
-    void setBoundFunctionStructure(VM& vm, Structure* structure) { m_boundFunctionStructureID.set(vm, this, structure); }
</del><ins>+    Structure* getBoundFunctionStructure() { return m_boundFunctionStructure.get(); }
+    void setBoundFunctionStructure(VM& vm, Structure* structure) { m_boundFunctionStructure.set(vm, this, structure); }
</ins><span class="cx"> 
</span><span class="cx">     ExecutableBase* executable() const { return m_executable.get(); }
</span><span class="cx"> 
</span><span class="lines">@@ -158,7 +160,7 @@
</span><span class="cx">     ObjectAllocationProfileWithPrototype m_objectAllocationProfile;
</span><span class="cx">     InlineWatchpointSet m_allocationProfileWatchpointSet;
</span><span class="cx">     InternalFunctionAllocationProfile m_internalFunctionAllocationProfile;
</span><del>-    WriteBarrierStructureID m_boundFunctionStructureID;
</del><ins>+    WriteBarrier<Structure> m_boundFunctionStructure;
</ins><span class="cx">     WriteBarrier<ExecutableBase> m_executable;
</span><span class="cx">     std::unique_ptr<AllocationProfileClearingWatchpoint> m_allocationProfileClearingWatchpoint;
</span><span class="cx">     bool m_hasReifiedLength : 1;
</span></span></pre></div>
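Review bot: `offsetOfAllocationProfileClearingWatchpoint()` in the first hunk returns the offset of a `std::unique_ptr` member, not of a raw pointer. Code that reads a pointer at that offset, presumably generated code given the other `offsetOf…` accessors beside it, depends on `std::unique_ptr` being laid out as a single pointer, and nothing visible here states that. I would pin the assumption next to the accessor with `static_assert(sizeof(std::unique_ptr<AllocationProfileClearingWatchpoint>) == sizeof(void*));`, plus a comment on `offsetOfBoundFunctionStructure()` saying the slot now holds a full `Structure*` rather than a StructureID. The class body starts and ends outside these hunks, so the callers of both accessors are not visible.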
<a id="branchessafari613111branchSourceJavaScriptCoreruntimeHasOwnPropertyCacheh"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/HasOwnPropertyCache.h (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/HasOwnPropertyCache.h      2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/HasOwnPropertyCache.h 2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -43,7 +43,7 @@
</span><span class="cx">         static ptrdiff_t offsetOfResult() { return OBJECT_OFFSETOF(Entry, result); }
</span><span class="cx"> 
</span><span class="cx">         RefPtr<UniquedStringImpl> impl;
</span><del>-        StructureID structureID;
</del><ins>+        StructureID structureID { 0 };
</ins><span class="cx">         bool result { false };
</span><span class="cx">     };
</span><span class="cx"> 
</span></span></pre></div>
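Review bot: The new initialiser `StructureID structureID { 0 };` uses a bare `0` as the "empty entry" value, and `clearStructure()` in the JSCell.h section of this commit now assigns the same literal (`m_structureID = 0;`). Neither line records the invariant they appear to rely on, which is that 0 is never handed out as a live StructureID, so an empty cache entry can never compare equal to a real cell's ID. A short comment would make that explicit, for example `// 0 is never a valid StructureID, so a default-constructed Entry cannot match a live cell.`, with the same wording on `clearStructure()`. The `Entry` struct begins outside the hunk, so whether other code also resets the field is not visible here.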
<a id="branchessafari613111branchSourceJavaScriptCoreruntimeInitializeThreadingcpp"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/InitializeThreading.cpp (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/InitializeThreading.cpp    2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/InitializeThreading.cpp       2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -36,7 +36,6 @@
</span><span class="cx"> #include "LLIntData.h"
</span><span class="cx"> #include "Options.h"
</span><span class="cx"> #include "SigillCrashAnalyzer.h"
</span><del>-#include "StructureAlignedMemoryAllocator.h"
</del><span class="cx"> #include "SuperSampler.h"
</span><span class="cx"> #include "VMTraps.h"
</span><span class="cx"> #include "WasmCalleeRegistry.h"
</span><span class="lines">@@ -66,7 +65,6 @@
</span><span class="cx"> #endif
</span><span class="cx">         {
</span><span class="cx">             Options::AllowUnfinalizedAccessScope scope;
</span><del>-            StructureAlignedMemoryAllocator::initializeStructureAddressSpace();
</del><span class="cx">             JITOperationList::initialize();
</span><span class="cx">             ExecutableAllocator::initialize();
</span><span class="cx">             VM::computeCanUseJIT();
</span></span></pre></div>
<a id="branchessafari613111branchSourceJavaScriptCoreruntimeJSCConfigh"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/JSCConfig.h (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/JSCConfig.h        2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/JSCConfig.h   2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2019-2021 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2019-2020 Apple Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -40,12 +40,6 @@
</span><span class="cx"> using JITWriteSeparateHeapsFunction = void (*)(off_t, const void*, size_t);
</span><span class="cx"> #endif
</span><span class="cx"> 
</span><del>-#if PLATFORM(IOS_FAMILY) && CPU(ARM64) && !CPU(ARM64E)
-constexpr uintptr_t structureHeapAddressSize = 512 * MB;
-#else
-constexpr uintptr_t structureHeapAddressSize = 1 * GB;
-#endif
-
</del><span class="cx"> struct Config {
</span><span class="cx">     static Config& singleton();
</span><span class="cx"> 
</span><span class="lines">@@ -87,7 +81,6 @@
</span><span class="cx">     void* startExecutableMemory;
</span><span class="cx">     void* endExecutableMemory;
</span><span class="cx">     uintptr_t startOfFixedWritableMemoryPool;
</span><del>-    uintptr_t startOfStructureHeap;
</del><span class="cx"> 
</span><span class="cx"> #if ENABLE(SEPARATED_WX_HEAP)
</span><span class="cx">     JITWriteSeparateHeapsFunction jitWriteSeparateHeaps;
</span><span class="lines">@@ -125,7 +118,6 @@
</span><span class="cx"> 
</span><span class="cx"> constexpr size_t offsetOfJSCConfigInitializeHasBeenCalled = offsetof(JSC::Config, initializeHasBeenCalled);
</span><span class="cx"> constexpr size_t offsetOfJSCConfigGateMap = offsetof(JSC::Config, llint.gateMap);
</span><del>-constexpr size_t offsetOfJSCConfigStartOfStructureHeap = offsetof(JSC::Config, startOfStructureHeap);
</del><span class="cx"> 
</span><span class="cx"> } // namespace JSC
</span><span class="cx"> 
</span></span></pre></div>
<a id="branchessafari613111branchSourceJavaScriptCoreruntimeJSCJSValuecpp"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/JSCJSValue.cpp (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/JSCJSValue.cpp     2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/JSCJSValue.cpp        2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -320,7 +320,7 @@
</span><span class="cx">             out.print(" (", inContext(*structure, context), ")");
</span><span class="cx">         }
</span><span class="cx"> #if USE(JSVALUE64)
</span><del>-        out.print(", StructureID: ", asCell()->structureID().bits());
</del><ins>+        out.print(", StructureID: ", asCell()->structureID());
</ins><span class="cx"> #endif
</span><span class="cx">     } else if (isTrue())
</span><span class="cx">         out.print("True");
</span><span class="lines">@@ -357,9 +357,15 @@
</span><span class="cx">                 out.print("(unresolved string)");
</span><span class="cx">         } else if (asCell()->inherits<Structure>(vm)) {
</span><span class="cx">             out.print("Structure[ ", asCell()->structure()->classInfo()->className);
</span><ins>+#if USE(JSVALUE64)
+            out.print(" ID: ", asCell()->structureID());
+#endif
</ins><span class="cx">             out.print("]: ", RawPointer(asCell()));
</span><span class="cx">         } else {
</span><span class="cx">             out.print("Cell[", asCell()->structure()->classInfo()->className);
</span><ins>+#if USE(JSVALUE64)
+            out.print(" ID: ", asCell()->structureID());
+#endif
</ins><span class="cx">             out.print("]: ", RawPointer(asCell()));
</span><span class="cx">         }
</span><span class="cx">     } else if (isTrue())
</span></span></pre></div>
<a id="branchessafari613111branchSourceJavaScriptCoreruntimeJSCellcpp"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/JSCell.cpp (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/JSCell.cpp 2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/JSCell.cpp    2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -173,7 +173,7 @@
</span><span class="cx"> 
</span><span class="cx"> JSObject* JSCell::toObjectSlow(JSGlobalObject* globalObject) const
</span><span class="cx"> {
</span><del>-    Integrity::auditStructureID(structureID());
</del><ins>+    Integrity::auditStructureID(globalObject->vm(), structureID());
</ins><span class="cx">     ASSERT(!isObject());
</span><span class="cx">     if (isString())
</span><span class="cx">         return static_cast<const JSString*>(this)->toObject(globalObject);
</span></span></pre></div>
<a id="branchessafari613111branchSourceJavaScriptCoreruntimeJSCellh"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/JSCell.h (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/JSCell.h   2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/JSCell.h      2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -135,7 +135,7 @@
</span><span class="cx">     Structure* structure(VM&) const;
</span><span class="cx">     void setStructure(VM&, Structure*);
</span><span class="cx">     void setStructureIDDirectly(StructureID id) { m_structureID = id; }
</span><del>-    void clearStructure() { m_structureID = StructureID(); }
</del><ins>+    void clearStructure() { m_structureID = 0; }
</ins><span class="cx"> 
</span><span class="cx">     TypeInfo::InlineTypeFlags inlineTypeFlags() const { return m_flags; }
</span><span class="cx">     
</span></span></pre></div>
<a id="branchessafari613111branchSourceJavaScriptCoreruntimeJSCellInlinesh"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/JSCellInlines.h (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/JSCellInlines.h    2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/JSCellInlines.h       2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -133,13 +133,12 @@
</span><span class="cx"> 
</span><span class="cx"> ALWAYS_INLINE Structure* JSCell::structure() const
</span><span class="cx"> {
</span><del>-    return m_structureID.decode();
</del><ins>+    return structure(vm());
</ins><span class="cx"> }
</span><span class="cx"> 
</span><del>-// FIXME: Delete this in a cleanup fixup.
-ALWAYS_INLINE Structure* JSCell::structure(VM&) const
</del><ins>+ALWAYS_INLINE Structure* JSCell::structure(VM& vm) const
</ins><span class="cx"> {
</span><del>-    return structure();
</del><ins>+    return vm.getStructure(m_structureID);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> template<typename Visitor>
</span><span class="lines">@@ -305,7 +304,7 @@
</span><span class="cx">     ASSERT(structure->classInfo() == this->structure(vm)->classInfo());
</span><span class="cx">     ASSERT(!this->structure(vm)
</span><span class="cx">         || this->structure(vm)->transitionWatchpointSetHasBeenInvalidated()
</span><del>-        || structure->id().decode() == structure);
</del><ins>+        || Heap::heap(this)->structureIDTable().get(structure->id()) == structure);
</ins><span class="cx">     m_structureID = structure->id();
</span><span class="cx">     m_flags = TypeInfo::mergeInlineTypeFlags(structure->typeInfo().inlineTypeFlags(), m_flags);
</span><span class="cx">     m_type = structure->typeInfo().type();
</span></span></pre></div>
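Review bot: `JSCell::structure(VM& vm)` in the first hunk now passes `m_structureID` straight to `vm.getStructure()`, with no statement of what callers must guarantee about the ID. The JSObject.cpp section of this commit tests `isNuked(structureID)` before calling `vm.getStructure(structureID)`, which suggests the lookup is not meant to receive a nuked or cleared value, although `getStructure` itself is outside this page. I would document that on the accessor: `// Precondition: m_structureID is neither cleared (0) nor nuked; concurrent readers must test isNuked() before decoding.` In the second hunk the ASSERT goes through `Heap::heap(this)->structureIDTable().get(structure->id())` while the same expression already uses `vm`, so `vm.getStructure(structure->id())` would read more consistently if the two are equivalent. That function starts outside the hunk.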
<a id="branchessafari613111branchSourceJavaScriptCoreruntimeJSGlobalObjectcpp"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/JSGlobalObject.cpp (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/JSGlobalObject.cpp 2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/JSGlobalObject.cpp    2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -2281,16 +2281,13 @@
</span><span class="cx">     for (auto& property : thisObject->m_linkTimeConstants)
</span><span class="cx">         property.visit(visitor);
</span><span class="cx"> 
</span><del>-#define VISIT_SIMPLE_TYPE_PROTOTYPE(CapitalName, lowerName, properName, instanceType, jsName, prototypeBase, featureFlag) if (featureFlag) \
</del><ins>+#define VISIT_SIMPLE_TYPE(CapitalName, lowerName, properName, instanceType, jsName, prototypeBase, featureFlag) if (featureFlag) { \
</ins><span class="cx">         visitor.append(thisObject->m_ ## lowerName ## Prototype); \
</span><del>-
-#define VISIT_SIMPLE_TYPE_STRUCTURE(CapitalName, lowerName, properName, instanceType, jsName, prototypeBase, featureFlag) if (featureFlag) \
</del><span class="cx">         visitor.append(thisObject->m_ ## properName ## Structure); \
</span><ins>+    }
</ins><span class="cx"> 
</span><del>-    FOR_EACH_SIMPLE_BUILTIN_TYPE(VISIT_SIMPLE_TYPE_STRUCTURE)
-    FOR_EACH_BUILTIN_DERIVED_ITERATOR_TYPE(VISIT_SIMPLE_TYPE_STRUCTURE)
-    FOR_EACH_SIMPLE_BUILTIN_TYPE(VISIT_SIMPLE_TYPE_PROTOTYPE)
-    FOR_EACH_BUILTIN_DERIVED_ITERATOR_TYPE(VISIT_SIMPLE_TYPE_PROTOTYPE)
</del><ins>+    FOR_EACH_SIMPLE_BUILTIN_TYPE(VISIT_SIMPLE_TYPE)
+    FOR_EACH_BUILTIN_DERIVED_ITERATOR_TYPE(VISIT_SIMPLE_TYPE)
</ins><span class="cx"> 
</span><span class="cx"> #define VISIT_LAZY_TYPE(CapitalName, lowerName, properName, instanceType, jsName, prototypeBase, featureFlag) if (featureFlag) \
</span><span class="cx">         thisObject->m_ ## properName ## Structure.visit(visitor);
</span></span></pre></div>
<a id="branchessafari613111branchSourceJavaScriptCoreruntimeJSGlobalObjecth"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/JSGlobalObject.h (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/JSGlobalObject.h   2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/JSGlobalObject.h      2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -376,7 +376,20 @@
</span><span class="cx">     LazyProperty<JSGlobalObject, Structure> m_debuggerScopeStructure;
</span><span class="cx">     LazyProperty<JSGlobalObject, Structure> m_withScopeStructure;
</span><span class="cx">     LazyProperty<JSGlobalObject, Structure> m_strictEvalActivationStructure;
</span><ins>+    WriteBarrier<Structure> m_lexicalEnvironmentStructure;
</ins><span class="cx">     LazyProperty<JSGlobalObject, Structure> m_moduleEnvironmentStructure;
</span><ins>+    WriteBarrier<Structure> m_directArgumentsStructure;
+    WriteBarrier<Structure> m_scopedArgumentsStructure;
+    WriteBarrier<Structure> m_clonedArgumentsStructure;
+
+    WriteBarrier<Structure> m_objectStructureForObjectConstructor;
+        
+    // Lists the actual structures used for having these particular indexing shapes.
+    WriteBarrier<Structure> m_originalArrayStructureForIndexingShape[NumberOfArrayIndexingModes];
+    // Lists the structures we should use during allocation for these particular indexing shapes.
+    // These structures will differ from the originals list above when we are having a bad time.
+    WriteBarrier<Structure> m_arrayStructureForIndexingShapeDuringAllocation[NumberOfArrayIndexingModes];
+
</ins><span class="cx">     LazyProperty<JSGlobalObject, Structure> m_callbackConstructorStructure;
</span><span class="cx">     LazyProperty<JSGlobalObject, Structure> m_callbackFunctionStructure;
</span><span class="cx">     LazyProperty<JSGlobalObject, Structure> m_callbackObjectStructure;
</span><span class="lines">@@ -388,57 +401,42 @@
</span><span class="cx">     LazyProperty<JSGlobalObject, Structure> m_glibCallbackFunctionStructure;
</span><span class="cx">     LazyProperty<JSGlobalObject, Structure> m_glibWrapperObjectStructure;
</span><span class="cx"> #endif
</span><ins>+    WriteBarrier<Structure> m_nullPrototypeObjectStructure;
+    WriteBarrier<Structure> m_calleeStructure;
</ins><span class="cx"> 
</span><del>-    WriteBarrierStructureID m_lexicalEnvironmentStructure;
-    WriteBarrierStructureID m_directArgumentsStructure;
-    WriteBarrierStructureID m_scopedArgumentsStructure;
-    WriteBarrierStructureID m_clonedArgumentsStructure;
</del><ins>+    WriteBarrier<Structure> m_hostFunctionStructure;
</ins><span class="cx"> 
</span><del>-    WriteBarrierStructureID m_objectStructureForObjectConstructor;
-
-    // Lists the actual structures used for having these particular indexing shapes.
-    WriteBarrierStructureID m_originalArrayStructureForIndexingShape[NumberOfArrayIndexingModes];
-    // Lists the structures we should use during allocation for these particular indexing shapes.
-    // These structures will differ from the originals list above when we are having a bad time.
-    WriteBarrierStructureID m_arrayStructureForIndexingShapeDuringAllocation[NumberOfArrayIndexingModes];
-
-    WriteBarrierStructureID m_nullPrototypeObjectStructure;
-    WriteBarrierStructureID m_calleeStructure;
-
-    WriteBarrierStructureID m_hostFunctionStructure;
-
</del><span class="cx">     struct FunctionStructures {
</span><del>-        WriteBarrierStructureID arrowFunctionStructure;
-        WriteBarrierStructureID sloppyFunctionStructure;
-        WriteBarrierStructureID strictFunctionStructure;
</del><ins>+        WriteBarrier<Structure> arrowFunctionStructure;
+        WriteBarrier<Structure> sloppyFunctionStructure;
+        WriteBarrier<Structure> strictFunctionStructure;
</ins><span class="cx">     };
</span><span class="cx">     FunctionStructures m_builtinFunctions;
</span><span class="cx">     FunctionStructures m_ordinaryFunctions;
</span><span class="cx"> 
</span><del>-    PropertyOffset m_functionNameOffset;
-    WriteBarrierStructureID m_shadowRealmObjectStructure;
-    WriteBarrierStructureID m_regExpStructure;
-    WriteBarrierStructureID m_asyncFunctionStructure;
-    WriteBarrierStructureID m_asyncGeneratorFunctionStructure;
-    WriteBarrierStructureID m_generatorFunctionStructure;
-    WriteBarrierStructureID m_generatorStructure;
-    WriteBarrierStructureID m_asyncGeneratorStructure;
-    WriteBarrierStructureID m_arrayIteratorStructure;
-    WriteBarrierStructureID m_mapIteratorStructure;
-    WriteBarrierStructureID m_setIteratorStructure;
-    WriteBarrierStructureID m_regExpMatchesArrayStructure;
-    WriteBarrierStructureID m_regExpMatchesArrayWithIndicesStructure;
-    WriteBarrierStructureID m_regExpMatchesIndicesArrayStructure;
-
</del><span class="cx">     LazyProperty<JSGlobalObject, Structure> m_boundFunctionStructure;
</span><span class="cx">     LazyProperty<JSGlobalObject, Structure> m_customGetterFunctionStructure;
</span><span class="cx">     LazyProperty<JSGlobalObject, Structure> m_customSetterFunctionStructure;
</span><span class="cx">     LazyProperty<JSGlobalObject, Structure> m_nativeStdFunctionStructure;
</span><ins>+    PropertyOffset m_functionNameOffset;
+    WriteBarrier<Structure> m_shadowRealmObjectStructure;
+    WriteBarrier<Structure> m_regExpStructure;
</ins><span class="cx">     WriteBarrier<AsyncFunctionPrototype> m_asyncFunctionPrototype;
</span><span class="cx">     WriteBarrier<AsyncGeneratorFunctionPrototype> m_asyncGeneratorFunctionPrototype;
</span><ins>+    WriteBarrier<Structure> m_asyncFunctionStructure;
+    WriteBarrier<Structure> m_asyncGeneratorFunctionStructure;
+    WriteBarrier<Structure> m_generatorFunctionStructure;
+    WriteBarrier<Structure> m_generatorStructure;
+    WriteBarrier<Structure> m_asyncGeneratorStructure;
+    WriteBarrier<Structure> m_arrayIteratorStructure;
+    WriteBarrier<Structure> m_mapIteratorStructure;
+    WriteBarrier<Structure> m_setIteratorStructure;
</ins><span class="cx">     LazyProperty<JSGlobalObject, Structure> m_iteratorResultObjectStructure;
</span><span class="cx">     LazyProperty<JSGlobalObject, Structure> m_dataPropertyDescriptorObjectStructure;
</span><span class="cx">     LazyProperty<JSGlobalObject, Structure> m_accessorPropertyDescriptorObjectStructure;
</span><ins>+    WriteBarrier<Structure> m_regExpMatchesArrayStructure;
+    WriteBarrier<Structure> m_regExpMatchesArrayWithIndicesStructure;
+    WriteBarrier<Structure> m_regExpMatchesIndicesArrayStructure;
</ins><span class="cx">     LazyProperty<JSGlobalObject, Structure> m_moduleRecordStructure;
</span><span class="cx">     LazyProperty<JSGlobalObject, Structure> m_moduleNamespaceObjectStructure;
</span><span class="cx">     LazyProperty<JSGlobalObject, Structure> m_proxyObjectStructure;
</span><span class="lines">@@ -446,19 +444,15 @@
</span><span class="cx">     LazyProperty<JSGlobalObject, Structure> m_proxyRevokeStructure;
</span><span class="cx">     LazyClassStructure m_sharedArrayBufferStructure;
</span><span class="cx"> 
</span><del>-#define DEFINE_STORAGE_FOR_SIMPLE_TYPE_PROTOTYPE(capitalName, lowerName, properName, instanceType, jsName, prototypeBase, featureFlag) \
-    WriteBarrier<capitalName ## Prototype> m_ ## lowerName ## Prototype;
</del><ins>+#define DEFINE_STORAGE_FOR_SIMPLE_TYPE(capitalName, lowerName, properName, instanceType, jsName, prototypeBase, featureFlag) \
+    WriteBarrier<capitalName ## Prototype> m_ ## lowerName ## Prototype; \
+    WriteBarrier<Structure> m_ ## properName ## Structure;
</ins><span class="cx"> 
</span><del>-#define DEFINE_STORAGE_FOR_SIMPLE_TYPE_STRUCTURE(capitalName, lowerName, properName, instanceType, jsName, prototypeBase, featureFlag) \
-    WriteBarrierStructureID m_ ## properName ## Structure;
-
</del><span class="cx"> #define DEFINE_STORAGE_FOR_LAZY_TYPE(capitalName, lowerName, properName, instanceType, jsName, prototypeBase, featureFlag) \
</span><span class="cx">     LazyClassStructure m_ ## properName ## Structure;
</span><span class="cx"> 
</span><del>-    FOR_EACH_SIMPLE_BUILTIN_TYPE(DEFINE_STORAGE_FOR_SIMPLE_TYPE_STRUCTURE)
-    FOR_EACH_BUILTIN_DERIVED_ITERATOR_TYPE(DEFINE_STORAGE_FOR_SIMPLE_TYPE_STRUCTURE)
-    FOR_EACH_SIMPLE_BUILTIN_TYPE(DEFINE_STORAGE_FOR_SIMPLE_TYPE_PROTOTYPE)
-    FOR_EACH_BUILTIN_DERIVED_ITERATOR_TYPE(DEFINE_STORAGE_FOR_SIMPLE_TYPE_PROTOTYPE)
</del><ins>+    FOR_EACH_SIMPLE_BUILTIN_TYPE(DEFINE_STORAGE_FOR_SIMPLE_TYPE)
+    FOR_EACH_BUILTIN_DERIVED_ITERATOR_TYPE(DEFINE_STORAGE_FOR_SIMPLE_TYPE)
</ins><span class="cx">     
</span><span class="cx"> #if ENABLE(WEBASSEMBLY)
</span><span class="cx">     LazyProperty<JSGlobalObject, Structure> m_webAssemblyModuleRecordStructure;
</span><span class="lines">@@ -470,8 +464,7 @@
</span><span class="cx"> 
</span><span class="cx">     FOR_EACH_LAZY_BUILTIN_TYPE(DEFINE_STORAGE_FOR_LAZY_TYPE)
</span><span class="cx"> 
</span><del>-#undef DEFINE_STORAGE_FOR_SIMPLE_TYPE_PROTOTYPE
-#undef DEFINE_STORAGE_FOR_SIMPLE_TYPE_STRUCTURE
</del><ins>+#undef DEFINE_STORAGE_FOR_SIMPLE_TYPE
</ins><span class="cx"> #undef DEFINE_STORAGE_FOR_LAZY_TYPE
</span><span class="cx"> 
</span><span class="cx">     WriteBarrier<GetterSetter> m_speciesGetterSetter;
</span><span class="lines">@@ -581,7 +574,6 @@
</span><span class="cx"> 
</span><span class="cx">     bool m_evalEnabled { true };
</span><span class="cx">     bool m_webAssemblyEnabled { true };
</span><del>-    bool m_needsSiteSpecificQuirks { false };
</del><span class="cx">     unsigned m_globalLexicalBindingEpoch { 1 };
</span><span class="cx">     String m_evalDisabledErrorMessage;
</span><span class="cx">     String m_webAssemblyDisabledErrorMessage;
</span><span class="lines">@@ -1202,6 +1194,7 @@
</span><span class="cx"> 
</span><span class="cx">     JS_EXPORT_PRIVATE static void clearRareData(JSCell*);
</span><span class="cx"> 
</span><ins>+    bool m_needsSiteSpecificQuirks { false };
</ins><span class="cx"> #if JSC_OBJC_API_ENABLED
</span><span class="cx">     RetainPtr<JSWrapperMap> m_wrapperMap;
</span><span class="cx"> #endif
</span></span></pre></div>
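Review bot: The members switched to `WriteBarrier<Structure>` in these hunks are only safe if each one is appended to the GC visitor, and this page shows that only for the macro-generated pairs (`VISIT_SIMPLE_TYPE` in the JSGlobalObject.cpp section). The hand-written fields are visited, if at all, outside the visible hunks: `m_lexicalEnvironmentStructure`, the two `[NumberOfArrayIndexingModes]` arrays, the three `FunctionStructures` members and the `m_regExpMatches…` group. That is worth confirming against the visit function, since an unvisited barrier would let the collector reclaim a Structure that is still referenced. A comment above the first of them would keep the two files in step: `// Every WriteBarrier<> member of this class must be appended to the visitor in JSGlobalObject.cpp.`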
<a id="branchessafari613111branchSourceJavaScriptCoreruntimeJSObjectcpp"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/JSObject.cpp (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/JSObject.cpp       2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/JSObject.cpp  2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -369,9 +369,9 @@
</span><span class="cx">     // https://pdfs.semanticscholar.org/343f/7182cde7669ca2a7de3dc01127927f384ef7.pdf
</span><span class="cx">     
</span><span class="cx">     StructureID structureID = this->structureID();
</span><del>-    if (structureID.isNuked())
</del><ins>+    if (isNuked(structureID))
</ins><span class="cx">         return nullptr;
</span><del>-    structure = structureID.decode();
</del><ins>+    structure = vm.getStructure(structureID);
</ins><span class="cx">     maxOffset = structure->maxOffset();
</span><span class="cx">     IndexingType indexingMode;
</span><span class="cx">     Dependency indexingModeDependency = structure->fencedIndexingMode(indexingMode);
</span><span class="lines">@@ -1169,7 +1169,7 @@
</span><span class="cx">     DeferGC deferGC(vm);
</span><span class="cx">     Butterfly* newButterfly = createInitialIndexedStorage(vm, length);
</span><span class="cx">     StructureID oldStructureID = this->structureID();
</span><del>-    Structure* oldStructure = oldStructureID.decode();
</del><ins>+    Structure* oldStructure = vm.getStructure(oldStructureID);
</ins><span class="cx">     Structure* newStructure = Structure::nonPropertyTransition(vm, oldStructure, TransitionKind::AllocateUndecided);
</span><span class="cx">     nukeStructureAndSetButterfly(vm, oldStructureID, newButterfly);
</span><span class="cx">     setStructure(vm, newStructure);
</span><span class="lines">@@ -1183,7 +1183,7 @@
</span><span class="cx">     for (unsigned i = newButterfly->vectorLength(); i--;)
</span><span class="cx">         newButterfly->contiguous().at(this, i).setWithoutWriteBarrier(JSValue());
</span><span class="cx">     StructureID oldStructureID = this->structureID();
</span><del>-    Structure* oldStructure = oldStructureID.decode();
</del><ins>+    Structure* oldStructure = vm.getStructure(oldStructureID);
</ins><span class="cx">     Structure* newStructure = Structure::nonPropertyTransition(vm, oldStructure, TransitionKind::AllocateInt32);
</span><span class="cx">     nukeStructureAndSetButterfly(vm, oldStructureID, newButterfly);
</span><span class="cx">     setStructure(vm, newStructure);
</span><span class="lines">@@ -1197,7 +1197,7 @@
</span><span class="cx">     for (unsigned i = newButterfly->vectorLength(); i--;)
</span><span class="cx">         newButterfly->contiguousDouble().at(this, i) = PNaN;
</span><span class="cx">     StructureID oldStructureID = this->structureID();
</span><del>-    Structure* oldStructure = oldStructureID.decode();
</del><ins>+    Structure* oldStructure = vm.getStructure(oldStructureID);
</ins><span class="cx">     Structure* newStructure = Structure::nonPropertyTransition(vm, oldStructure, TransitionKind::AllocateDouble);
</span><span class="cx">     nukeStructureAndSetButterfly(vm, oldStructureID, newButterfly);
</span><span class="cx">     setStructure(vm, newStructure);
</span><span class="lines">@@ -1211,7 +1211,7 @@
</span><span class="cx">     for (unsigned i = newButterfly->vectorLength(); i--;)
</span><span class="cx">         newButterfly->contiguous().at(this, i).setWithoutWriteBarrier(JSValue());
</span><span class="cx">     StructureID oldStructureID = this->structureID();
</span><del>-    Structure* oldStructure = oldStructureID.decode();
</del><ins>+    Structure* oldStructure = vm.getStructure(oldStructureID);
</ins><span class="cx">     Structure* newStructure = Structure::nonPropertyTransition(vm, oldStructure, TransitionKind::AllocateContiguous);
</span><span class="cx">     nukeStructureAndSetButterfly(vm, oldStructureID, newButterfly);
</span><span class="cx">     setStructure(vm, newStructure);
</span><span class="lines">@@ -1241,7 +1241,7 @@
</span><span class="cx"> {
</span><span class="cx">     DeferGC deferGC(vm);
</span><span class="cx">     StructureID oldStructureID = this->structureID();
</span><del>-    Structure* oldStructure = oldStructureID.decode();
</del><ins>+    Structure* oldStructure = vm.getStructure(oldStructureID);
</ins><span class="cx">     IndexingType oldType = indexingType();
</span><span class="cx">     ASSERT_UNUSED(oldType, !hasIndexedProperties(oldType));
</span><span class="cx"> 
</span><span class="lines">@@ -1331,7 +1331,7 @@
</span><span class="cx">         storage->m_vector[i].setWithoutWriteBarrier(JSValue());
</span><span class="cx">     
</span><span class="cx">     StructureID oldStructureID = this->structureID();
</span><del>-    Structure* oldStructure = oldStructureID.decode();
</del><ins>+    Structure* oldStructure = vm.getStructure(oldStructureID);
</ins><span class="cx">     Structure* newStructure = Structure::nonPropertyTransition(vm, oldStructure, transition);
</span><span class="cx">     nukeStructureAndSetButterfly(vm, oldStructureID, storage->butterfly());
</span><span class="cx">     setStructure(vm, newStructure);
</span><span class="lines">@@ -1390,7 +1390,7 @@
</span><span class="cx">     }
</span><span class="cx">     
</span><span class="cx">     StructureID oldStructureID = this->structureID();
</span><del>-    Structure* oldStructure = oldStructureID.decode();
</del><ins>+    Structure* oldStructure = vm.getStructure(oldStructureID);
</ins><span class="cx">     Structure* newStructure = Structure::nonPropertyTransition(vm, oldStructure, transition);
</span><span class="cx">     nukeStructureAndSetButterfly(vm, oldStructureID, newStorage->butterfly());
</span><span class="cx">     setStructure(vm, newStructure);
</span><span class="lines">@@ -1444,7 +1444,7 @@
</span><span class="cx">     }
</span><span class="cx">     
</span><span class="cx">     StructureID oldStructureID = this->structureID();
</span><del>-    Structure* oldStructure = oldStructureID.decode();
</del><ins>+    Structure* oldStructure = vm.getStructure(oldStructureID);
</ins><span class="cx">     Structure* newStructure = Structure::nonPropertyTransition(vm, oldStructure, transition);
</span><span class="cx">     nukeStructureAndSetButterfly(vm, oldStructureID, newStorage->butterfly());
</span><span class="cx">     setStructure(vm, newStructure);
</span><span class="lines">@@ -1522,7 +1522,7 @@
</span><span class="cx"> 
</span><span class="cx">     ASSERT(newStorage->butterfly() != butterfly);
</span><span class="cx">     StructureID oldStructureID = this->structureID();
</span><del>-    Structure* oldStructure = oldStructureID.decode();
</del><ins>+    Structure* oldStructure = vm.getStructure(oldStructureID);
</ins><span class="cx">     Structure* newStructure = Structure::nonPropertyTransition(vm, oldStructure, transition);
</span><span class="cx"> 
</span><span class="cx">     // Ensure new Butterfly initialization is correctly done before exposing it to the concurrent threads.
</span><span class="lines">@@ -2024,7 +2024,7 @@
</span><span class="cx">     ASSERT(attributes & PropertyAttribute::CustomAccessorOrValue);
</span><span class="cx"> 
</span><span class="cx">     StructureID structureID = this->structureID();
</span><del>-    Structure* structure = structureID.decode();
</del><ins>+    Structure* structure = vm.heap.structureIDTable().get(structureID);
</ins><span class="cx">     PropertyOffset offset = prepareToPutDirectWithoutTransition(vm, propertyName, attributes, structureID, structure);
</span><span class="cx">     putDirect(vm, offset, value);
</span><span class="cx"> 
</span><span class="lines">@@ -2051,7 +2051,7 @@
</span><span class="cx"> {
</span><span class="cx">     ASSERT(attributes & PropertyAttribute::Accessor);
</span><span class="cx">     StructureID structureID = this->structureID();
</span><del>-    Structure* structure = structureID.decode();
</del><ins>+    Structure* structure = vm.heap.structureIDTable().get(structureID);
</ins><span class="cx">     PropertyOffset offset = prepareToPutDirectWithoutTransition(vm, propertyName, attributes, structureID, structure);
</span><span class="cx">     putDirect(vm, offset, accessor);
</span><span class="cx">     if (attributes & PropertyAttribute::ReadOnly)
</span></span></pre></div>
<a id="branchessafari613111branchSourceJavaScriptCoreruntimeJSObjecth"></a>
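--- a/branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/JSObject.h
+++ b/branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/JSObject.h
@@ -1367,7 +1367,7 @@
 inline void JSObject::nukeStructureAndSetButterfly(VM& vm, StructureID oldStructureID, Butterfly* butterfly)
 {
     if (isX86() || vm.heap.mutatorShouldBeFenced()) {
-        setStructureIDDirectly(oldStructureID.nuke());
+        setStructureIDDirectly(nuke(oldStructureID));
         WTF::storeStoreFence();
         m_butterfly.set(vm, this, butterfly);
         WTF::storeStoreFence();
@@ -1500,6 +1500,7 @@
 ALWAYS_INLINE bool JSObject::getPropertySlot(JSGlobalObject* globalObject, PropertyName propertyName, PropertySlot& slot)
 {
     VM& vm = getVM(globalObject);
+    auto& structureIDTable = vm.heap.structureIDTable();
     JSObject* object = this;
     while (true) {
         if (UNLIKELY(TypeInfo::overridesGetOwnPropertySlot(object->inlineTypeFlags()))) {
@@ -1514,10 +1515,10 @@
             return object->getNonIndexPropertySlot(globalObject, propertyName, slot);
         }
         ASSERT(object->type() != ProxyObjectType);
-        Structure* structure = object->structureID().decode();
+        Structure* structure = structureIDTable.get(object->structureID());
 #if USE(JSVALUE64)
         if (checkNullStructure && UNLIKELY(!structure))
-            CRASH_WITH_INFO(object->type(), object->structureID().bits());
+            CRASH_WITH_INFO(object->type(), object->structureID(), structureIDTable.size());
 #endif
         if (object->getOwnNonIndexPropertySlot(vm, structure, propertyName, slot))
             return true;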
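Review bot: The `CRASH_WITH_INFO` call in the `@@ -1514,10 +1515,10 @@` hunk of getPropertySlot changes what it reports without saying so: the second argument is now the raw `StructureID` rather than `.bits()`, and `structureIDTable.size()` is added as a third. A one-line comment above it would tell whoever triages such a crash how to read the values, for example `// Crash info: cell type, raw StructureID, StructureIDTable size at the time of the lookup.` The check also stays inside `#if USE(JSVALUE64)` and behind `checkNullStructure`, so outside that configuration a null result from `structureIDTable.get()` would be passed straight to `getOwnNonIndexPropertySlot`; whether that can happen is not visible on this page. getPropertySlot's body continues outside the hunk.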
<a id="branchessafari613111branchSourceJavaScriptCoreruntimeJSObjectInlinesh"></a>
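--- a/branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/JSObjectInlines.h
+++ b/branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/JSObjectInlines.h
@@ -110,9 +110,10 @@
 {
     VM& vm = getVM(globalObject);
     auto scope = DECLARE_THROW_SCOPE(vm);
+    auto& structureIDTable = vm.heap.structureIDTable();
     JSObject* object = this;
     while (true) {
-        Structure* structure = object->structureID().decode();
+        Structure* structure = structureIDTable.get(object->structureID());
         bool hasSlot = structure->classInfo()->methodTable.getOwnPropertySlotByIndex(object, globalObject, propertyName, slot);
         RETURN_IF_EXCEPTION(scope, false);
         if (hasSlot)
@@ -150,9 +151,10 @@
 
     VM& vm = getVM(globalObject);
     auto scope = DECLARE_THROW_SCOPE(vm);
+    auto& structureIDTable = vm.heap.structureIDTable();
     JSObject* object = this;
     while (true) {
-        Structure* structure = object->structureID().decode();
+        Structure* structure = structureIDTable.get(object->structureID());
         if (LIKELY(!TypeInfo::overridesGetOwnPropertySlot(object->inlineTypeFlags()))) {
             if (object->getOwnNonIndexPropertySlot(vm, structure, propertyName, slot))
                 return true;
@@ -217,7 +219,7 @@
     ASSERT(!value.isGetterSetter() && !(attributes & PropertyAttribute::Accessor));
     ASSERT(!value.isCustomGetterSetter());
     StructureID structureID = this->structureID();
-    Structure* structure = structureID.decode();
+    Structure* structure = vm.heap.structureIDTable().get(structureID);
     PropertyOffset offset = prepareToPutDirectWithoutTransition(vm, propertyName, attributes, structureID, structure);
     putDirect(vm, offset, value);
     if (attributes & PropertyAttribute::ReadOnly)
@@ -326,7 +328,7 @@
     ASSERT(!parseIndex(propertyName));
 
     StructureID structureID = this->structureID();
-    Structure* structure = structureID.decode();
+    Structure* structure = vm.heap.structureIDTable().get(structureID);
     if (structure->isDictionary()) {
         ASSERT(!isCopyOnWrite(indexingMode()));
         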
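Review bot: In the loop of the `@@ -110,9 +110,10 @@` hunk the result of `structureIDTable.get(object->structureID())` is dereferenced on the very next line (`structure->classInfo()`) with no null check, while getPropertySlot in JSObject.h crashes with diagnostics when the same lookup yields null. If the table can return null for a stale ID, which that check suggests but this page does not show, the failure here would be an undiagnosed null dereference. Consider `ASSERT(structure);` right after the lookup, or the same guard as in JSObject.h, `CRASH_WITH_INFO(object->type(), object->structureID(), structureIDTable.size());`. The same pattern appears before `structure->isDictionary()` in the `@@ -326,7 +328,7 @@` hunk; both enclosing functions start and end outside their hunks.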
<a id="branchessafari613111branchSourceJavaScriptCoreruntimeJSPropertyNameEnumeratorcpp"></a>
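--- a/branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/JSPropertyNameEnumerator.cpp
+++ b/branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/JSPropertyNameEnumerator.cpp
@@ -50,7 +50,7 @@
 JSPropertyNameEnumerator::JSPropertyNameEnumerator(VM& vm, Structure* structure, uint32_t indexedLength, uint32_t numberStructureProperties, WriteBarrier<JSString>* propertyNamesBuffer, unsigned propertyNamesSize)
     : JSCell(vm, vm.propertyNameEnumeratorStructure.get())
     , m_propertyNames(vm, this, propertyNamesBuffer)
-    , m_cachedStructureID(vm, this, structure, WriteBarrierStructureID::MayBeNull)
+    , m_cachedStructureID(structure ? structure->id() : 0)
     , m_indexedLength(indexedLength)
     , m_endStructurePropertyIndex(numberStructureProperties)
     , m_endGenericPropertyIndex(propertyNamesSize)
@@ -86,7 +86,11 @@
         visitor.markAuxiliary(propertyNames);
         visitor.append(propertyNames, propertyNames + thisObject->sizeOfPropertyNames());
     }
-    visitor.append(thisObject->m_cachedStructureID);
+
+    if (thisObject->cachedStructureID()) {
+        VM& vm = visitor.vm();
+        visitor.appendUnbarriered(vm.getStructure(thisObject->cachedStructureID()));
+    }
 }
 
 DEFINE_VISIT_CHILDREN(JSPropertyNameEnumerator);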
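Review bot: visitChildren in the `@@ -86,7 +86,11 @@` hunk repeats the zero-ID test that `cachedStructure(VM&)` in JSPropertyNameEnumerator.h already performs, and reads `cachedStructureID()` twice. Going through the accessor keeps the empty-ID handling in one place: `if (Structure* structure = thisObject->cachedStructure(visitor.vm())) visitor.appendUnbarriered(structure);`, assuming `vm.getStructure` and `structureIDTable().get` are equivalent lookups. The constructor's `structure ? structure->id() : 0` also uses a bare `0` as the "no structure" value; a short comment there naming it as the empty ID that both visitChildren and cachedStructure test for would make the convention explicit. Both functions extend beyond their hunks.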
<a id="branchessafari613111branchSourceJavaScriptCoreruntimeJSPropertyNameEnumeratorh"></a>
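--- a/branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/JSPropertyNameEnumerator.h
+++ b/branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/JSPropertyNameEnumerator.h
@@ -72,10 +72,11 @@
 
     Structure* cachedStructure(VM& vm) const
     {
-        UNUSED_PARAM(vm);
-        return m_cachedStructureID.get();
+        if (!m_cachedStructureID)
+            return nullptr;
+        return vm.heap.structureIDTable().get(m_cachedStructureID);
     }
-    StructureID cachedStructureID() const { return m_cachedStructureID.value(); }
+    StructureID cachedStructureID() const { return m_cachedStructureID; }
     uint32_t indexedLength() const { return m_indexedLength; }
     uint32_t endStructurePropertyIndex() const { return m_endStructurePropertyIndex; }
     uint32_t endGenericPropertyIndex() const { return m_endGenericPropertyIndex; }
@@ -106,7 +107,7 @@
     // JSPropertyNameEnumerator is immutable data structure, which allows VM to cache the empty one.
     // After instantiating JSPropertyNameEnumerator, we must not change any fields.
     AuxiliaryBarrier<WriteBarrier<JSString>*> m_propertyNames;
-    WriteBarrierStructureID m_cachedStructureID;
+    StructureID m_cachedStructureID;
     uint32_t m_indexedLength;
     uint32_t m_endStructurePropertyIndex;
     uint32_t m_endGenericPropertyIndex;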
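Review bot: `m_cachedStructureID` in the `@@ -106,7 +107,7 @@` hunk is now a plain `StructureID` with no write barrier, so as far as this page shows the cached Structure is reported to the GC only through the `appendUnbarriered` call in visitChildren. That appears safe only while the field is written once, in the constructor. The comment above the members already says no field may change after instantiation, but it gives the VM's caching of the empty enumerator as the reason and does not mention the GC. I would add a line such as `// m_cachedStructureID is an unbarriered raw ID: it is marked in visitChildren and must only be set in the constructor.`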
<a id="branchessafari613111branchSourceJavaScriptCoreruntimeNumberPrototypecpp"></a>
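--- a/branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/NumberPrototype.cpp
+++ b/branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/NumberPrototype.cpp
@@ -94,7 +94,7 @@
     }
 
     if (auto* numberObject = jsDynamicCast<NumberObject*>(vm, thisValue)) {
-        Integrity::auditStructureID(numberObject->structureID());
+        Integrity::auditStructureID(vm, numberObject->structureID());
         x = numberObject->internalValue().asNumber();
         return true;
     }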
<a id="branchessafari613111branchSourceJavaScriptCoreruntimeObjectPrototypecpp"></a>
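--- a/branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/ObjectPrototype.cpp
+++ b/branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/ObjectPrototype.cpp
@@ -85,7 +85,7 @@
     JSObject* valueObj = thisValue.toObject(globalObject);
     if (UNLIKELY(!valueObj))
         return encodedJSValue();
-    Integrity::auditStructureID(valueObj->structureID());
+    Integrity::auditStructureID(globalObject->vm(), valueObj->structureID());
     return JSValue::encode(valueObj);
 }
 
@@ -361,7 +361,7 @@
     JSObject* thisObject = thisValue.toObject(globalObject);
     RETURN_IF_EXCEPTION(scope, nullptr);
 
-    Integrity::auditStructureID(thisObject->structureID());
+    Integrity::auditStructureID(vm, thisObject->structureID());
     auto result = thisObject->structure(vm)->cachedSpecialProperty(CachedSpecialPropertyKey::ToStringTag);
     if (result)
         return asString(result);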
<a id="branchessafari613111branchSourceJavaScriptCoreruntimeRegExpPrototypecpp"></a>
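--- a/branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/RegExpPrototype.cpp
+++ b/branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/RegExpPrototype.cpp
@@ -199,7 +199,7 @@
         return throwVMTypeError(globalObject, scope);
 
     JSObject* thisObject = asObject(thisValue);
-    Integrity::auditStructureID(thisObject->structureID());
+    Integrity::auditStructureID(vm, thisObject->structureID());
 
     StringRecursionChecker checker(globalObject, thisObject);
     EXCEPTION_ASSERT(!scope.exception() || checker.earlyReturnValue());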
<a id="branchessafari613111branchSourceJavaScriptCoreruntimeStringPrototypecpp"></a>
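--- a/branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/StringPrototype.cpp
+++ b/branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/StringPrototype.cpp
@@ -960,7 +960,7 @@
     // Also used for valueOf.
 
     if (thisValue.isString()) {
-        Integrity::auditStructureID(thisValue.asCell()->structureID());
+        Integrity::auditStructureID(vm, thisValue.asCell()->structureID());
         return JSValue::encode(thisValue);
     }
 
@@ -968,7 +968,7 @@
     if (!stringObject)
         return throwVMTypeError(globalObject, scope);
 
-    Integrity::auditStructureID(stringObject->structureID());
+    Integrity::auditStructureID(vm, stringObject->structureID());
     return JSValue::encode(stringObject->internalValue());
 }
 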
<a id="branchessafari613111branchSourceJavaScriptCoreruntimeStructurecpp"></a>
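--- a/branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/Structure.cpp
+++ b/branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/Structure.cpp
@@ -197,7 +197,7 @@
 
 Structure::Structure(VM& vm, JSGlobalObject* globalObject, JSValue prototype, const TypeInfo& typeInfo, const ClassInfo* classInfo, IndexingType indexingType, unsigned inlineCapacity)
     : JSCell(vm, vm.structureStructure.get())
-    , m_blob(StructureID::encode(this), indexingType, typeInfo)
+    , m_blob(vm.heap.structureIDTable().allocateID(this), indexingType, typeInfo)
     , m_outOfLineTypeFlags(typeInfo.outOfLineTypeFlags())
     , m_inlineCapacity(inlineCapacity)
     , m_bitField(0)
@@ -264,7 +264,7 @@
     setMaxOffset(vm, invalidOffset);
  
     TypeInfo typeInfo = TypeInfo(StructureType, StructureFlags);
-    m_blob = StructureIDBlob(StructureID::encode(this), 0, typeInfo);
+    m_blob = StructureIDBlob(vm.heap.structureIDTable().allocateID(this), 0, typeInfo);
     m_outOfLineTypeFlags = typeInfo.outOfLineTypeFlags();
 
     ASSERT(hasReadOnlyOrGetterSetterPropertiesExcludingProto() || !m_classInfo->hasStaticSetterOrReadonlyProperties());
@@ -301,7 +301,7 @@
     setMaxOffset(vm, invalidOffset);
  
     TypeInfo typeInfo = previous->typeInfo();
-    m_blob = StructureIDBlob(StructureID::encode(this), previous->indexingModeIncludingHistory(), typeInfo);
+    m_blob = StructureIDBlob(vm.heap.structureIDTable().allocateID(this), previous->indexingModeIncludingHistory(), typeInfo);
     m_outOfLineTypeFlags = typeInfo.outOfLineTypeFlags();
 
     ASSERT(!previous->typeInfo().structureIsImmortal());
@@ -326,6 +326,7 @@
 
     if (isBrandedStructure())
         static_cast<BrandedStructure*>(this)->destruct();
+    Heap::heap(this)->structureIDTable().deallocateID(this, m_blob.structureID());
 }
 
 void Structure::destroy(JSCell* cell)
@@ -909,7 +910,7 @@
     
     GCSafeConcurrentJSLocker locker(m_lock, vm);
     
-    object->setStructureIDDirectly(id().nuke());
+    object->setStructureIDDirectly(nuke(id()));
     WTF::storeStoreFence();
 
     size_t beforeOutOfLineCapacity = this->outOfLineCapacity();
@@ -1369,7 +1370,7 @@
 
 void Structure::dump(PrintStream& out) const
 {
-    auto* structureID = reinterpret_cast<void*>(id().bits());
+    auto* structureID = reinterpret_cast<void*>(id());
     out.print(RawPointer(this), ":[", RawPointer(structureID),
         "/", (uint32_t)(reinterpret_cast<uintptr_t>(structureID)), ", ",
         classInfo()->className, ", (", inlineSize(), "/", inlineCapacity(), ", ",
@@ -1469,7 +1470,7 @@
     return rareData()->cachedPropertyNameEnumeratorAndFlag();
 }
 
-bool Structure::canCachePropertyNameEnumerator(VM&) const
+bool Structure::canCachePropertyNameEnumerator(VM& vm) const
 {
     if (!this->canCacheOwnPropertyNames())
         return false;
@@ -1481,7 +1482,7 @@
         StructureID structureID = *currentStructureID;
         if (!structureID)
             return true;
-        Structure* structure = structureID.decode();
+        Structure* structure = vm.getStructure(structureID);
         if (!structure->canCacheOwnPropertyNames())
             return false;
         currentStructureID++;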
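Review bot: The destructor hunk (`@@ -326,6 +326,7 @@`) hands the ID back with `deallocateID(this, m_blob.structureID())`, but no comment states what code holding that ID may assume afterwards. Nothing on this page shows what a later lookup of a released ID returns or whether the slot can be given to another Structure. Because this commit stores IDs as plain integers in places such as the enumerator's `m_cachedStructureID`, the lifetime rule is worth writing down at this call, for example `// After this point the ID must not be looked up; holders of raw StructureIDs keep the Structure alive by marking it.`, if that is the intended rule. The destructor begins outside the hunk.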
<a id="branchessafari613111branchSourceJavaScriptCoreruntimeStructureh"></a>
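--- a/branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/Structure.h
+++ b/branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/Structure.h
@@ -118,7 +118,6 @@
 
     typedef JSCell Base;
     static constexpr unsigned StructureFlags = Base::StructureFlags | StructureIsImmortal;
-    static constexpr uint8_t numberOfLowerTierCells = 0;
     
     enum PolyProtoTag { PolyProto };
     static Structure* create(VM&, JSGlobalObject*, JSValue prototype, const TypeInfo&, const ClassInfo*, IndexingType = NonArray, unsigned inlineCapacity = 0);
@@ -165,7 +164,7 @@
     void validateFlags();
 
 public:
-    StructureID id() const { ASSERT(m_blob.structureID() == StructureID::encode(this)); return m_blob.structureID(); }
+    StructureID id() const { return m_blob.structureID(); }
     int32_t objectInitializationBlob() const { return m_blob.blobExcludingStructureID(); }
     int64_t idBlob() const { return m_blob.blob(); }
 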
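Review bot: `id()` in the `@@ -165,7 +164,7 @@` hunk loses its only consistency check: the removed `ASSERT(m_blob.structureID() == StructureID::encode(this))` verified that the stored ID maps back to this Structure, and the new one-liner verifies nothing. `id()` has no VM with which to consult the table, so an equivalent debug check would have to live where one is in scope. One option is `ASSERT(vm.getStructure(id()) == this);` after the `allocateID(this)` calls in the Structure.cpp constructors, assuming `getStructure` is usable at that point, which this page does not show.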
<a id="branchessafari613111branchSourceJavaScriptCoreruntimeStructureChaincpp"></a>
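--- a/branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/StructureChain.cpp
+++ b/branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/StructureChain.cpp
@@ -49,7 +49,6 @@
     ++size; // Sentinel nullptr.
     size_t bytes = Checked<size_t>(size) * sizeof(StructureID);
     void* vector = vm.jsValueGigacageAuxiliarySpace().allocateNonVirtual(vm, bytes, nullptr, AllocationFailureMode::Assert);
-    static_assert(!StructureID().bits(), "Make sure the value we're going to memcpy below matches the default StructureID");
     memset(vector, 0, bytes);
     StructureChain* chain = new (NotNull, allocateCell<StructureChain>(vm)) StructureChain(vm, vm.structureChainStructure.get(), static_cast<StructureID*>(vector));
     chain->finishCreation(vm, head);
@@ -74,9 +73,10 @@
     ASSERT_GC_OBJECT_INHERITS(thisObject, info());
     Base::visitChildren(thisObject, visitor);
     visitor.markAuxiliary(thisObject->m_vector.get());
+    VM& vm = visitor.vm();
     for (auto* current = thisObject->m_vector.get(); *current; ++current) {
         StructureID structureID = *current;
-        Structure* structure = structureID.decode();
+        Structure* structure = vm.getStructure(structureID);
         visitor.appendUnbarriered(structure);
     }
 }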
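Review bot: With the `static_assert` removed in the `@@ -49,7 +49,6 @@` hunk, nothing next to `memset(vector, 0, bytes)` records that the zero fill is what produces the terminating entry the `*current` loop condition in visitChildren stops on. The `// Sentinel nullptr.` comment on `++size` only explains the extra slot, not the value stored in it. A comment on the memset line would keep the two ends of that contract connected, for example `// Zero-fill: a 0 StructureID is the end-of-chain sentinel that visitChildren stops on.` Both functions start outside their hunks.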
<a id="branchessafari613111branchSourceJavaScriptCoreruntimeStructureIDh"></a>
<div class="delfile"><h4>Deleted: branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/StructureID.h (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/StructureID.h      2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/StructureID.h 2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -1,120 +0,0 @@
</span><del>-/*
- * Copyright (C) 2013-2021 Apple Inc. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
- * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
- * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
- * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
- * THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#pragma once
-
-#include "JSCConfig.h"
-#include <wtf/HashTraits.h>
-#include <wtf/StdIntExtras.h>
-
-namespace JSC {
-
-class Structure;
-
-constexpr CPURegister structureIDMask = structureHeapAddressSize - 1;
-
-class StructureID {
-public:
-    static constexpr uint32_t nukedStructureIDBit = 1;
-
-    StructureID() = default;
-    StructureID(StructureID const&) = default;
-    StructureID& operator=(StructureID const&) = default;
-
-    StructureID nuke() const { return StructureID(m_bits | nukedStructureIDBit); }
-    bool isNuked() const { return m_bits & nukedStructureIDBit; }
-    StructureID decontaminate() const { return StructureID(m_bits & ~nukedStructureIDBit); }
-
-    inline Structure* decode() const;
-    static StructureID encode(const Structure*);
-
-    explicit operator bool() const { return !!m_bits; }
-    bool operator==(StructureID const& other) const  { return m_bits == other.m_bits; }
-    bool operator!=(StructureID const& other) const  { return m_bits != other.m_bits; }
-    constexpr uint32_t bits() const { return m_bits; }
-
-    StructureID(WTF::HashTableDeletedValueType) : m_bits(nukedStructureIDBit) { }
-    bool isHashTableDeletedValue() const { return *this == StructureID(WTF::HashTableDeletedValue); }
-
-private:
-    explicit StructureID(uint32_t bits) : m_bits(bits) { }
-
-    uint32_t m_bits { 0 };
-};
-static_assert(sizeof(StructureID) == sizeof(uint32_t));
-
-#if CPU(ADDRESS64)
-
-ALWAYS_INLINE Structure* StructureID::decode() const
-{
-    // Take care to only use the bits from m_bits in the structure's address reservation.
-    ASSERT(decontaminate());
-    return reinterpret_cast<Structure*>((static_cast<uintptr_t>(decontaminate().m_bits) & structureIDMask) + g_jscConfig.startOfStructureHeap);
-}
-
-ALWAYS_INLINE StructureID StructureID::encode(const Structure* structure)
-{
-    ASSERT(structure);
-    ASSERT(g_jscConfig.startOfStructureHeap <= reinterpret_cast<uintptr_t>(structure) && reinterpret_cast<uintptr_t>(structure) < g_jscConfig.startOfStructureHeap + structureHeapAddressSize);
-    auto result = StructureID(reinterpret_cast<uintptr_t>(structure) & structureIDMask);
-    ASSERT(result.decode() == structure);
-    return result;
-}
-
-#else // CPU(ADDRESS64)
-
-ALWAYS_INLINE Structure* StructureID::decode() const
-{
-    ASSERT(decontaminate());
-    return reinterpret_cast<Structure*>(m_bits);
-}
-
-ALWAYS_INLINE StructureID StructureID::encode(const Structure* structure)
-{
-    ASSERT(structure);
-    return StructureID(reinterpret_cast<uint32_t>(structure));
-}
-
-#endif
-
-struct StructureIDHash {
-    static unsigned hash(const StructureID& key) { return key.bits(); }
-    static bool equal(const StructureID& a, const StructureID& b) { return a == b; }
-    static constexpr bool safeToCompareToEmptyOrDeleted = true;
-};
-
-} // namespace JSC
-
-namespace WTF {
-
-template<typename T> struct DefaultHash;
-template<> struct DefaultHash<JSC::StructureID> : JSC::StructureIDHash { };
-
-template<typename T> struct HashTraits;
-template<> struct HashTraits<JSC::StructureID> : SimpleClassHashTraits<JSC::StructureID> {
-    static constexpr bool emptyValueIsZero = true;
-};
-
-}
</del></span></pre></div>
<a id="branchessafari613111branchSourceJavaScriptCoreruntimeStructureIDBlobh"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/StructureIDBlob.h (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/StructureIDBlob.h  2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/StructureIDBlob.h     2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -28,7 +28,7 @@
</span><span class="cx"> #include "CellState.h"
</span><span class="cx"> #include "IndexingType.h"
</span><span class="cx"> #include "JSTypeInfo.h"
</span><del>-#include "StructureID.h"
</del><ins>+#include "StructureIDTable.h"
</ins><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span><span class="lines">@@ -35,7 +35,10 @@
</span><span class="cx"> class StructureIDBlob {
</span><span class="cx">     friend class LLIntOffsetsExtractor;
</span><span class="cx"> public:
</span><del>-    StructureIDBlob() = default;
</del><ins>+    StructureIDBlob()
+    {
+        u.doubleWord = 0xbbadbeef;
+    }
</ins><span class="cx"> 
</span><span class="cx">     StructureIDBlob(StructureID structureID, IndexingType indexingModeIncludingHistory, const TypeInfo& typeInfo)
</span><span class="cx">     {
</span><span class="lines">@@ -74,9 +77,8 @@
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx"> private:
</span><del>-    union Data {
</del><ins>+    union {
</ins><span class="cx">         struct {
</span><del>-            // FIXME: We should remove this since the structureID can be directly computed from the Structure*
</del><span class="cx">             StructureID structureID;
</span><span class="cx">             IndexingType indexingModeIncludingHistory;
</span><span class="cx">             JSType type;
</span><span class="lines">@@ -88,11 +90,7 @@
</span><span class="cx">             int32_t word2;
</span><span class="cx">         } words;
</span><span class="cx">         int64_t doubleWord;
</span><del>-
-        Data() { doubleWord = 0xbbadbeef; }
-    };
-
-    Data u;
</del><ins>+    } u;
</ins><span class="cx"> };
</span><span class="cx"> 
</span><span class="cx"> } // namespace JSC
</span></span></pre></div>
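Review bot: The new default constructor stores `0xbbadbeef` into `u.doubleWord` with no comment saying what the value is for. It is the same constant the removed `Data()` constructor wrote, so behaviour looks unchanged, but the poison is now an unexplained magic number in the class's public constructor. StructureIDTable.h in this commit defines the nuke bit as `0x80000000`, which this constant has set; on a little-endian layout that presumably keeps a default-constructed blob's `structureID` from passing `StructureIDTable::get()`. I would add a one-line comment above the assignment such as `// Poison value: a default-constructed blob must never decode to a live Structure.`, after confirming that intent against the callers, which are outside this section.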
<a id="branchessafari613111branchSourceJavaScriptCoreruntimeStructureIDTablecpp"></a>
<div class="addfile"><h4>Added: branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/StructureIDTable.cpp (0 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/StructureIDTable.cpp                               (rev 0)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/StructureIDTable.cpp  2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -0,0 +1,204 @@
</span><ins>+/*
+ * Copyright (C) 2013-2021 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "StructureIDTable.h"
+
+#include "ResourceExhaustion.h"
+#include <wtf/Atomics.h>
+#include <wtf/DataLog.h>
+#include <wtf/RawPointer.h>
+
+namespace JSC {
+
+#if USE(JSVALUE64)
+
+namespace StructureIDTableInternal {
+static constexpr bool verbose = false;
+}
+
+StructureIDTable::StructureIDTable()
+    : m_table(makeUniqueArray<StructureOrOffset>(s_initialSize))
+    , m_size(1)
+    , m_capacity(s_initialSize)
+{
+    // We pre-allocate the first offset so that the null Structure
+    // can still be represented as the StructureID '0'.
+    table()[0].encodedStructureBits = 0;
+
+    makeFreeListFromRange(1, m_capacity - 1);
+}
+
+void StructureIDTable::makeFreeListFromRange(uint32_t first, uint32_t last)
+{
+    ASSERT(!m_firstFreeOffset);
+    ASSERT(!m_lastFreeOffset);
+
+    // Put all the new IDs on the free list sequentially.
+    uint32_t head = first;
+    uint32_t tail = last;
+    for (uint32_t i = first; i < last; ++i)
+        table()[i].offset = i + 1;
+    table()[last].offset = 0;
+
+    // Randomize the free list.
+    uint32_t size = last - first + 1;
+    uint32_t maxIterations = (size * 2) / 3;
+    for (uint32_t count = 0; count < maxIterations; ++count) {
+        // Move a random pick either to the head or the tail of the free list.
+        uint32_t random = m_weakRandom.getUint32();
+        uint32_t nodeBefore = first + (random % size);
+        uint32_t pick = table()[nodeBefore].offset;
+        if (pick) {
+            uint32_t nodeAfter = table()[pick].offset;
+            table()[nodeBefore].offset = nodeAfter;
+            if ((random & 1) || !nodeAfter) {
+                // Move to the head.
+                table()[pick].offset = head;
+                head = pick;
+                if (!nodeAfter)
+                    tail = nodeBefore;
+            } else {
+                // Move to the tail.
+                table()[pick].offset = 0;
+                table()[tail].offset = pick;
+                tail = pick;
+            }
+        }
+    }
+
+    // Cut list in half and swap halves.
+    uint32_t cut = first + (m_weakRandom.getUint32() % size);
+    uint32_t afterCut = table()[cut].offset;
+    if (afterCut) {
+        table()[tail].offset = head;
+        tail = cut;
+        head = afterCut;
+        table()[cut].offset = 0;
+    }
+
+    m_firstFreeOffset = head;
+    m_lastFreeOffset = tail;
+}
+
+void StructureIDTable::resize(size_t newCapacity)
+{
+    if (newCapacity > s_maximumNumberOfStructures)
+        newCapacity = s_maximumNumberOfStructures;
+
+    // If m_size is already s_maximumNumberOfStructures, newCapacity becomes s_maximumNumberOfStructures in the above code.
+    // In that case, we should crash because of exhaust of StructureIDs.
+    RELEASE_ASSERT_RESOURCE_AVAILABLE(m_size < newCapacity, StructureIDExhaustion, "Crash intentionally because of exhaust of StructureIDs.");
+
+    // Create the new table.
+    auto newTable = makeUniqueArray<StructureOrOffset>(newCapacity);
+
+    // Copy the contents of the old table to the new table.
+    memcpy(newTable.get(), table(), m_capacity * sizeof(StructureOrOffset));
+
+    // Store fence to make sure we've copied everything before doing the swap.
+    WTF::storeStoreFence();
+
+    // Swap the old and new tables.
+    swap(m_table, newTable);
+
+    // Put the old table (now labeled as new) into the list of old tables.
+    m_oldTables.append(WTFMove(newTable));
+
+    // Update the capacity.
+    m_capacity = newCapacity;
+
+    makeFreeListFromRange(m_size, m_capacity - 1);
+}
+
+void StructureIDTable::flushOldTables()
+{
+    m_oldTables.clear();
+}
+
+StructureID StructureIDTable::allocateID(Structure* structure)
+{
+    if (UNLIKELY(!m_firstFreeOffset)) {
+        RELEASE_ASSERT(m_capacity <= s_maximumNumberOfStructures);
+        ASSERT(m_size == m_capacity);
+        resize(m_capacity * 2);
+        ASSERT(m_size < m_capacity);
+        RELEASE_ASSERT(m_firstFreeOffset);
+    }
+
+    // entropyBits must not be zero. This ensures that if a corrupted
+    // structureID is encountered (with incorrect entropyBits), the decoded
+    // structure pointer for that ID will be always be a bad pointer with
+    // high bits set.
+    constexpr uint32_t entropyBitsMask = (1 << s_numberOfEntropyBits) - 1;
+    uint32_t entropyBits = m_weakRandom.getUint32() & entropyBitsMask;
+    if (UNLIKELY(!entropyBits)) {
+        constexpr uint32_t numberOfValuesToPickFrom = entropyBitsMask;
+        entropyBits = (m_weakRandom.getUint32() % numberOfValuesToPickFrom) + 1;
+    }
+
+    uint32_t structureIndex = m_firstFreeOffset;
+    m_firstFreeOffset = table()[m_firstFreeOffset].offset;
+    if (!m_firstFreeOffset)
+        m_lastFreeOffset = 0;
+
+    StructureID result = (structureIndex << s_numberOfEntropyBits) | entropyBits;
+    table()[structureIndex].encodedStructureBits = encode(structure, result);
+    m_size++;
+    ASSERT(!isNuked(result));
+
+    dataLogLnIf(StructureIDTableInternal::verbose, "Allocated StructureID ", result, " for Structure ", RawPointer(structure));
+    return result;
+}
+
+void StructureIDTable::deallocateID(Structure* structure, StructureID structureID)
+{
+    dataLogLnIf(StructureIDTableInternal::verbose, "Deallocated StructureID ", structureID);
+    ASSERT(structureID != s_unusedID);
+    uint32_t structureIndex = structureID >> s_numberOfEntropyBits;
+    ASSERT(structureIndex && structureIndex < s_maximumNumberOfStructures);
+    RELEASE_ASSERT(table()[structureIndex].encodedStructureBits == encode(structure, structureID));
+    m_size--;
+    if (!m_firstFreeOffset) {
+        table()[structureIndex].offset = 0;
+        m_firstFreeOffset = structureIndex;
+        m_lastFreeOffset = structureIndex;
+        return;
+    }
+
+    bool insertAtHead = m_weakRandom.getUint32() & 1;
+    if (insertAtHead) {
+        table()[structureIndex].offset = m_firstFreeOffset;
+        m_firstFreeOffset = structureIndex;
+    } else {
+        table()[structureIndex].offset = 0;
+        table()[m_lastFreeOffset].offset = structureIndex;
+        m_lastFreeOffset = structureIndex;
+    }
+}
+
+#endif // USE(JSVALUE64)
+
+} // namespace JSC
</ins></span></pre></div>
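Review bot: In `deallocateID` the only bound on `structureIndex` is a debug `ASSERT` against `s_maximumNumberOfStructures`, so a release build reads `table()[structureIndex]` for the `RELEASE_ASSERT` comparison before any check of the index against the allocated table. The table holds `m_capacity` entries, not `s_maximumNumberOfStructures`, and an ID that still carries the nuke bit shifts to an index at or above that maximum. `StructureIDTable::get()` already uses a release check against `m_capacity`; the equivalent here is `RELEASE_ASSERT(structureIndex && structureIndex < m_capacity);` placed before the table read. Whether a stale or nuked ID can reach this function depends on callers not shown in this section.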
<a id="branchessafari613111branchSourceJavaScriptCoreruntimeStructureIDTableh"></a>
<div class="addfile"><h4>Added: branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/StructureIDTable.h (0 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/StructureIDTable.h                         (rev 0)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/StructureIDTable.h    2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -0,0 +1,225 @@
</span><ins>+/*
+ * Copyright (C) 2013-2020 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#pragma once
+
+#include "EnsureStillAliveHere.h"
+#include "UnusedPointer.h"
+#include <wtf/UniqueArray.h>
+#include <wtf/Vector.h>
+#include <wtf/WeakRandom.h>
+
+namespace JSC {
+
+class Structure;
+
+#if USE(JSVALUE64)
+using StructureID = uint32_t;
+
+inline StructureID nukedStructureIDBit()
+{
+    return 0x80000000u;
+}
+
+inline StructureID nuke(StructureID id)
+{
+    return id | nukedStructureIDBit();
+}
+
+inline bool isNuked(StructureID id)
+{
+    return !!(id & nukedStructureIDBit());
+}
+
+inline StructureID decontaminate(StructureID id)
+{
+    return id & ~nukedStructureIDBit();
+}
+#else // not USE(JSVALUE64)
+using StructureID = Structure*;
+
+inline StructureID nukedStructureIDBit()
+{
+    return bitwise_cast<StructureID>(static_cast<uintptr_t>(1));
+}
+
+inline StructureID nuke(StructureID id)
+{
+    return bitwise_cast<StructureID>(bitwise_cast<uintptr_t>(id) | bitwise_cast<uintptr_t>(nukedStructureIDBit()));
+}
+
+inline bool isNuked(StructureID id)
+{
+    return !!(bitwise_cast<uintptr_t>(id) & bitwise_cast<uintptr_t>(nukedStructureIDBit()));
+}
+
+inline StructureID decontaminate(StructureID id)
+{
+    return bitwise_cast<StructureID>(bitwise_cast<uintptr_t>(id) & ~bitwise_cast<uintptr_t>(nukedStructureIDBit()));
+}
+#endif // not USE(JSVALUE64)
+
+#if USE(JSVALUE64)
+
+using EncodedStructureBits = uintptr_t;
+
+class StructureIDTable {
+    friend class LLIntOffsetsExtractor;
+public:
+    StructureIDTable();
+
+    void** base() { return reinterpret_cast<void**>(&m_table); }
+
+    ALWAYS_INLINE void validate(StructureID);
+
+    // FIXME: rdar://69036888: remove this when no longer needed.
+    // This is only used for a special case mitigation. It is not for general use.
+    Structure* tryGet(StructureID);
+
+    Structure* get(StructureID);
+    void deallocateID(Structure*, StructureID);
+    StructureID allocateID(Structure*);
+
+    void flushOldTables();
+    
+    size_t size() const { return m_size; }
+
+private:
+    void resize(size_t newCapacity);
+    void makeFreeListFromRange(uint32_t first, uint32_t last);
+
+    union StructureOrOffset {
+        WTF_MAKE_FAST_ALLOCATED;
+    public:
+        EncodedStructureBits encodedStructureBits;
+        uintptr_t offset;
+    };
+
+    StructureOrOffset* table() const { return m_table.get(); }
+    static Structure* decode(EncodedStructureBits, StructureID);
+    static EncodedStructureBits encode(Structure*, StructureID);
+
+    static constexpr size_t s_initialSize = 512;
+
+    Vector<UniqueArray<StructureOrOffset>> m_oldTables;
+
+    uint32_t m_firstFreeOffset { 0 };
+    uint32_t m_lastFreeOffset { 0 };
+    UniqueArray<StructureOrOffset> m_table;
+
+    size_t m_size { 0 };
+    size_t m_capacity;
+
+    WeakRandom m_weakRandom;
+
+    static constexpr StructureID s_unusedID = 0;
+
+public:
+    // 1. StructureID is encoded as:
+    //
+    //    ----------------------------------------------------------------
+    //    | 1 Nuke Bit | 26 StructureIDTable index bits | 5 entropy bits |
+    //    ----------------------------------------------------------------
+    //
+    //    The entropy bits are chosen at random and assigned when a StructureID
+    //    is allocated.
+    //
+    // 2. For each StructureID, the StructureIDTable stores encodedStructureBits
+    //    which are encoded from the structure pointer as such:
+    //
+    //    ------------------------------------------------------------------
+    //    | 11 low index bits | 5 entropy bits | 48 structure pointer bits |
+    //    ------------------------------------------------------------------
+    //
+    //    The entropy bits here are the same 5 bits used in the encoding of the
+    //    StructureID for this structure entry in the StructureIDTable.
+
+    static constexpr uint32_t s_numberOfNukeBits = 1;
+    static constexpr uint32_t s_numberOfEntropyBits = 5;
+    static constexpr uint32_t s_entropyBitsShiftForStructurePointer = (sizeof(EncodedStructureBits) * 8) - 16;
+
+    static constexpr uint32_t s_maximumNumberOfStructures = 1 << (32 - s_numberOfEntropyBits - s_numberOfNukeBits);
+};
+
+ALWAYS_INLINE Structure* StructureIDTable::decode(EncodedStructureBits bits, StructureID structureID)
+{
+    return bitwise_cast<Structure*>(bits ^ (static_cast<uintptr_t>(structureID) << s_entropyBitsShiftForStructurePointer));
+}
+
+ALWAYS_INLINE EncodedStructureBits StructureIDTable::encode(Structure* structure, StructureID structureID)
+{
+    return bitwise_cast<EncodedStructureBits>(structure) ^ (static_cast<EncodedStructureBits>(structureID) << s_entropyBitsShiftForStructurePointer);
+}
+
+inline Structure* StructureIDTable::get(StructureID structureID)
+{
+    ASSERT_WITH_SECURITY_IMPLICATION(structureID);
+    ASSERT_WITH_SECURITY_IMPLICATION(!isNuked(structureID));
+    uint32_t structureIndex = structureID >> s_numberOfEntropyBits;
+    RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(structureIndex < m_capacity);
+    return decode(table()[structureIndex].encodedStructureBits, structureID);
+}
+
+// FIXME: rdar://69036888: remove this function when no longer needed.
+inline Structure* StructureIDTable::tryGet(StructureID structureID)
+{
+    uint32_t structureIndex = structureID >> s_numberOfEntropyBits;
+    if (structureIndex >= m_capacity)
+        return nullptr;
+    return decode(table()[structureIndex].encodedStructureBits, structureID);
+}
+
+ALWAYS_INLINE void StructureIDTable::validate(StructureID structureID)
+{
+    uint32_t structureIndex = structureID >> s_numberOfEntropyBits;
+    Structure* structure = decode(table()[structureIndex].encodedStructureBits, structureID);
+    RELEASE_ASSERT(structureIndex < m_capacity);
+    *bitwise_cast<volatile uint64_t*>(structure);
+}
+
+#else // not USE(JSVALUE64)
+
+class StructureIDTable {
+    friend class LLIntOffsetsExtractor;
+public:
+    StructureIDTable() = default;
+
+    // FIXME: rdar://69036888: remove this function when no longer needed.
+    Structure* tryGet(StructureID structureID) { return structureID; }
+    Structure* get(StructureID structureID) { return structureID; }
+    void deallocateID(Structure*, StructureID) { }
+    StructureID allocateID(Structure* structure)
+    {
+        ASSERT(!isNuked(structure));
+        return structure;
+    };
+
+    void flushOldTables() { }
+    void validate(StructureID) { }
+};
+
+#endif // not USE(JSVALUE64)
+
+} // namespace JSC
</ins></span></pre></div>
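Review bot: `StructureIDTable::validate()` indexes `table()[structureIndex]` and decodes the entry on the line before `RELEASE_ASSERT(structureIndex < m_capacity)`, so the bound check runs after the read it is meant to guard. `get()` a few lines above has the order right. Moving the assert up fixes it: `RELEASE_ASSERT(structureIndex < m_capacity);` followed by `Structure* structure = decode(table()[structureIndex].encodedStructureBits, structureID);`. `validate()` also shifts the ID without calling `decontaminate()`, so a nuked ID would fail the bound check instead of being validated; if that is intended, a comment saying so would help.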
<a id="branchessafari613111branchSourceJavaScriptCoreruntimeStructureRareDatacpp"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/StructureRareData.cpp (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/StructureRareData.cpp      2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/StructureRareData.cpp 2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -60,10 +60,11 @@
</span><span class="cx"> 
</span><span class="cx"> StructureRareData::StructureRareData(VM& vm, Structure* previous)
</span><span class="cx">     : JSCell(vm, vm.structureRareDataStructure.get())
</span><del>-    , m_previous(vm, this, previous, WriteBarrierStructureID::MayBeNull)
</del><span class="cx">     , m_maxOffset(invalidOffset)
</span><span class="cx">     , m_transitionOffset(invalidOffset)
</span><span class="cx"> {
</span><ins>+    if (previous)
+        m_previous.set(vm, this, previous);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> template<typename Visitor>
</span></span></pre></div>
<a id="branchessafari613111branchSourceJavaScriptCoreruntimeStructureRareDatah"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/StructureRareData.h (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/StructureRareData.h        2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/StructureRareData.h   2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -140,6 +140,7 @@
</span><span class="cx"> 
</span><span class="cx">     bool tryCachePropertyNameEnumeratorViaWatchpoint(VM&, Structure*, StructureChain*);
</span><span class="cx"> 
</span><ins>+    WriteBarrier<Structure> m_previous;
</ins><span class="cx">     // FIXME: We should have some story for clearing these property names caches in GC.
</span><span class="cx">     // https://bugs.webkit.org/show_bug.cgi?id=192659
</span><span class="cx">     uintptr_t m_cachedPropertyNameEnumeratorAndFlag { 0 };
</span><span class="lines">@@ -155,7 +156,6 @@
</span><span class="cx">     std::unique_ptr<SpecialPropertyCache> m_specialPropertyCache;
</span><span class="cx">     Box<InlineWatchpointSet> m_polyProtoWatchpoint;
</span><span class="cx"> 
</span><del>-    WriteBarrierStructureID m_previous;
</del><span class="cx">     PropertyOffset m_maxOffset;
</span><span class="cx">     PropertyOffset m_transitionOffset;
</span><span class="cx"> };
</span></span></pre></div>
<a id="branchessafari613111branchSourceJavaScriptCoreruntimeStructureRareDataInlinesh"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/StructureRareDataInlines.h (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/StructureRareDataInlines.h 2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/StructureRareDataInlines.h    2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -177,7 +177,7 @@
</span><span class="cx">     m_structureRareData->clearCachedPropertyNameEnumerator();
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-inline bool StructureRareData::tryCachePropertyNameEnumeratorViaWatchpoint(VM&, Structure* baseStructure, StructureChain* chain)
</del><ins>+inline bool StructureRareData::tryCachePropertyNameEnumeratorViaWatchpoint(VM& vm, Structure* baseStructure, StructureChain* chain)
</ins><span class="cx"> {
</span><span class="cx">     if (baseStructure->hasPolyProto())
</span><span class="cx">         return false;
</span><span class="lines">@@ -186,7 +186,7 @@
</span><span class="cx">     for (auto* current = chain->head(); *current; ++current) {
</span><span class="cx">         ++size;
</span><span class="cx">         StructureID structureID = *current;
</span><del>-        Structure* structure = structureID.decode();
</del><ins>+        Structure* structure = vm.getStructure(structureID);
</ins><span class="cx">         if (!structure->propertyNameEnumeratorShouldWatch())
</span><span class="cx">             return false;
</span><span class="cx">     }
</span><span class="lines">@@ -194,7 +194,7 @@
</span><span class="cx">     unsigned index = 0;
</span><span class="cx">     for (auto* current = chain->head(); *current; ++current) {
</span><span class="cx">         StructureID structureID = *current;
</span><del>-        Structure* structure = structureID.decode();
</del><ins>+        Structure* structure = vm.getStructure(structureID);
</ins><span class="cx">         m_cachedPropertyNameEnumeratorWatchpoints[index].install(this, structure);
</span><span class="cx">         ++index;
</span><span class="cx">     }
</span></span></pre></div>
<a id="branchessafari613111branchSourceJavaScriptCoreruntimeSymbolPrototypecpp"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/SymbolPrototype.cpp (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/SymbolPrototype.cpp        2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/SymbolPrototype.cpp   2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -96,7 +96,7 @@
</span><span class="cx">     if (!symbol)
</span><span class="cx">         return throwVMTypeError(globalObject, scope, SymbolDescriptionTypeError);
</span><span class="cx">     scope.release();
</span><del>-    Integrity::auditStructureID(symbol->structureID());
</del><ins>+    Integrity::auditStructureID(vm, symbol->structureID());
</ins><span class="cx">     const auto description = symbol->description();
</span><span class="cx">     return JSValue::encode(description.isNull() ? jsUndefined() : jsString(vm, description));
</span><span class="cx"> }
</span><span class="lines">@@ -109,7 +109,7 @@
</span><span class="cx">     Symbol* symbol = tryExtractSymbol(vm, callFrame->thisValue());
</span><span class="cx">     if (!symbol)
</span><span class="cx">         return throwVMTypeError(globalObject, scope, SymbolToStringTypeError);
</span><del>-    Integrity::auditStructureID(symbol->structureID());
</del><ins>+    Integrity::auditStructureID(vm, symbol->structureID());
</ins><span class="cx">     RELEASE_AND_RETURN(scope, JSValue::encode(jsNontrivialString(vm, symbol->descriptiveString())));
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="lines">@@ -122,7 +122,7 @@
</span><span class="cx">     if (!symbol)
</span><span class="cx">         return throwVMTypeError(globalObject, scope, SymbolValueOfTypeError);
</span><span class="cx"> 
</span><del>-    Integrity::auditStructureID(symbol->structureID());
</del><ins>+    Integrity::auditStructureID(vm, symbol->structureID());
</ins><span class="cx">     RELEASE_AND_RETURN(scope, JSValue::encode(symbol));
</span><span class="cx"> }
</span><span class="cx"> 
</span></span></pre></div>
<a id="branchessafari613111branchSourceJavaScriptCoreruntimeTypeProfilerLogcpp"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/TypeProfilerLog.cpp (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/TypeProfilerLog.cpp        2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/TypeProfilerLog.cpp   2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -80,7 +80,7 @@
</span><span class="cx">         Structure* structure = nullptr;
</span><span class="cx">         bool sawPolyProtoStructure = false;
</span><span class="cx">         if (id) {
</span><del>-            structure = id.decode();
</del><ins>+            structure = Heap::heap(value.asCell())->structureIDTable().get(id);
</ins><span class="cx">             auto iter = cachedMonoProtoShapes.find(structure);
</span><span class="cx">             if (iter == cachedMonoProtoShapes.end()) {
</span><span class="cx">                 auto key = std::make_pair(structure, value.asCell());
</span><span class="lines">@@ -131,7 +131,7 @@
</span><span class="cx">     for (LogEntry* entry = m_logStartPtr; entry != m_currentLogEntryPtr; ++entry) {
</span><span class="cx">         visitor.appendUnbarriered(entry->value);
</span><span class="cx">         if (StructureID id = entry->structureID) {
</span><del>-            Structure* structure = id.decode();
</del><ins>+            Structure* structure = visitor.heap()->structureIDTable().get(id); 
</ins><span class="cx">             visitor.appendUnbarriered(structure);
</span><span class="cx">         }
</span><span class="cx">     }
</span></span></pre></div>
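Review bot: Both replaced lookups call `structureIDTable().get(id)` directly, while the `VM::getStructure()` helper added in this commit strips the nuke bit with `decontaminate(id)` first. `get()` only debug-asserts `!isNuked(structureID)`; in a release build a nuked ID shifts to an index that fails the `m_capacity` release assert, so the process aborts instead of decoding. If a logged `structureID` can ever be captured while nuked, use `get(decontaminate(id))` at both sites; if it cannot, a comment stating that invariant would do. The added line in the second hunk also ends in a trailing space. Both hunks sit inside functions that start and end outside the visible lines.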
<a id="branchessafari613111branchSourceJavaScriptCoreruntimeVMh"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/VM.h (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/VM.h       2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/VM.h  2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -743,6 +743,17 @@
</span><span class="cx">         return result;
</span><span class="cx">     }
</span><span class="cx">     
</span><ins>+    ALWAYS_INLINE Structure* getStructure(StructureID id)
+    {
+        return heap.structureIDTable().get(decontaminate(id));
+    }
+
+    // FIXME: rdar://69036888: remove this function when no longer needed.
+    ALWAYS_INLINE Structure* tryGetStructure(StructureID id)
+    {
+        return heap.structureIDTable().tryGet(decontaminate(id));
+    }
+
</ins><span class="cx">     void* stackPointerAtVMEntry() const { return m_stackPointerAtVMEntry; }
</span><span class="cx">     void setStackPointerAtVMEntry(void*);
</span><span class="cx"> 
</span></span></pre></div>
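Review bot: The two accessors added to VM.h, `getStructure` and `tryGetStructure`, differ only in calling `get` versus `tryGet` on the table, and nothing at the declaration tells a caller which one is appropriate for an ID that may be stale or corrupted. Both pass the ID through `decontaminate` first, so presumably a nuked ID resolves like a live one; a one-line comment above `getStructure` would record that, for example `// Strips the nuked bit before lookup; use tryGetStructure() when the ID is not known to be valid.` The FIXME on `tryGetStructure` cites only a radar number, so a short phrase on what still needs the function would help readers without access to that tracker. The bodies of `StructureIDTable::get` and `tryGet` are not in this section, so the exact failure behaviour should be confirmed there before the comment is written.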
<a id="branchessafari613111branchSourceJavaScriptCoreruntimeWriteBarrierh"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/WriteBarrier.h (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/WriteBarrier.h     2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/WriteBarrier.h        2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -27,7 +27,6 @@
</span><span class="cx"> 
</span><span class="cx"> #include "GCAssertions.h"
</span><span class="cx"> #include "HandleTypes.h"
</span><del>-#include "StructureID.h"
</del><span class="cx"> #include <type_traits>
</span><span class="cx"> #include <wtf/RawPtrTraits.h>
</span><span class="cx"> #include <wtf/RawValueTraits.h>
</span><span class="lines">@@ -249,104 +248,4 @@
</span><span class="cx">     return lhs.get() == rhs.get();
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-class WriteBarrierStructureID {
-public:
-    constexpr WriteBarrierStructureID() = default;
-
-    WriteBarrierStructureID(VM& vm, const JSCell* owner, Structure* value)
-    {
-        set(vm, owner, value);
-    }
-
-    WriteBarrierStructureID(DFG::DesiredWriteBarrier&, Structure* value)
-    {
-        ASSERT(isCompilationThread());
-        setWithoutWriteBarrier(value);
-    }
-
-    enum MayBeNullTag { MayBeNull };
-    WriteBarrierStructureID(VM& vm, const JSCell* owner, Structure* value, MayBeNullTag)
-    {
-        setMayBeNull(vm, owner, value);
-    }
-
-    void set(VM&, const JSCell* owner, Structure* value);
-
-    void setMayBeNull(VM&, const JSCell* owner, Structure* value);
-
-    // Should only be used by JSCell during early initialisation
-    // when some basic types aren't yet completely instantiated
-    void setEarlyValue(VM&, const JSCell* owner, Structure* value);
-
-    Structure* get() const
-    {
-        // Copy m_structureID to a local to avoid multiple-read issues. (See <http://webkit.org/b/110854>)
-        StructureID structureID = m_structureID;
-        if (structureID) {
-            Structure* structure = structureID.decode();
-            validateCell(reinterpret_cast<JSCell*>(structure));
-            return structure;
-        }
-        return nullptr;
-    }
-
-    Structure* operator*() const
-    {
-        StructureID structureID = m_structureID;
-        ASSERT(structureID);
-        Structure* structure = structureID.decode();
-        validateCell(reinterpret_cast<JSCell*>(structure));
-        return structure;
-    }
-
-    Structure* operator->() const
-    {
-        StructureID structureID = m_structureID;
-        ASSERT(structureID);
-        Structure* structure = structureID.decode();
-        validateCell(reinterpret_cast<JSCell*>(structure));
-        return structure;
-    }
-
-    void clear()
-    {
-        m_structureID = { };
-    }
-
-    explicit operator bool() const
-    {
-        return !!m_structureID;
-    }
-
-    bool operator!() const
-    {
-        return !m_structureID;
-    }
-
-    void setWithoutWriteBarrier(Structure* value)
-    {
-#if ENABLE(WRITE_BARRIER_PROFILING)
-        WriteBarrierCounters::usesWithoutBarrierFromCpp.count();
-#endif
-        if (!value) {
-            m_structureID = { };
-            return;
-        }
-        m_structureID = StructureID::encode(value);
-    }
-
-    Structure* unvalidatedGet() const
-    {
-        StructureID structureID = m_structureID;
-        if (structureID)
-            return structureID.decode();
-        return nullptr;
-    }
-
-    StructureID value() const { return m_structureID; }
-
-private:
-    StructureID m_structureID;
-};
-
</del><span class="cx"> } // namespace JSC
</span></span></pre></div>
<a id="branchessafari613111branchSourceJavaScriptCoreruntimeWriteBarrierInlinesh"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/WriteBarrierInlines.h (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/WriteBarrierInlines.h      2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/runtime/WriteBarrierInlines.h 2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -61,29 +61,4 @@
</span><span class="cx">     vm.writeBarrier(owner, value);
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-inline void WriteBarrierStructureID::set(VM& vm, const JSCell* owner, Structure* value)
-{
-    ASSERT(value);
-    ASSERT(!Options::useConcurrentJIT() || !isCompilationThread());
-    validateCell(reinterpret_cast<JSCell*>(value));
-    setEarlyValue(vm, owner, value);
-}
-
-inline void WriteBarrierStructureID::setMayBeNull(VM& vm, const JSCell* owner, Structure* value)
-{
-    if (value)
-        validateCell(reinterpret_cast<JSCell*>(value));
-    setEarlyValue(vm, owner, value);
-}
-
-inline void WriteBarrierStructureID::setEarlyValue(VM& vm, const JSCell* owner, Structure* value)
-{
-    if (!value) {
-        m_structureID = { };
-        return;
-    }
-    m_structureID = StructureID::encode(value);
-    vm.writeBarrier(owner, reinterpret_cast<JSCell*>(value));
-}
-
</del><span class="cx"> } // namespace JSC 
</span></span></pre></div>
<a id="branchessafari613111branchSourceJavaScriptCoretoolsHeapVerifiercpp"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/tools/HeapVerifier.cpp (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/tools/HeapVerifier.cpp     2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/tools/HeapVerifier.cpp        2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -230,10 +230,14 @@
</span><span class="cx"> 
</span><span class="cx">         // 2. Validate the cell's structure
</span><span class="cx"> 
</span><del>-        Structure* structure = structureID.decode();
</del><ins>+        Structure* structure = vm.getStructure(structureID);
</ins><span class="cx">         if (!structure) {
</span><span class="cx">             printHeaderAndCell();
</span><del>-            uint32_t structureIDAsUint32 = structureID.bits();
</del><ins>+#if USE(JSVALUE64)
+            uint32_t structureIDAsUint32 = structureID;
+#else
+            uint32_t structureIDAsUint32 = reinterpret_cast<uint32_t>(structureID);
+#endif
</ins><span class="cx">             dataLog(" with structureID ", structureIDAsUint32, " maps to a NULL Structure pointer\n");
</span><span class="cx">             return false;
</span><span class="cx">         }
</span><span class="lines">@@ -281,7 +285,7 @@
</span><span class="cx"> 
</span><span class="cx">         // 3. Validate the cell's structure's structure.
</span><span class="cx">         
</span><del>-        Structure* structureStructure = structureID.decode();
</del><ins>+        Structure* structureStructure = vm.getStructure(structureID);
</ins><span class="cx">         if (!structureStructure) {
</span><span class="cx">             printHeaderAndCell();
</span><span class="cx">             dataLog(" has structure ", RawPointer(structure), " whose structure is NULL\n");
</span></span></pre></div>
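Review bot: In the first hunk of HeapVerifier.cpp the verifier resolves the ID with `vm.getStructure(structureID)` and then tests `if (!structure)`, yet this commit also adds `VM::tryGetStructure`, which looks like the lookup intended for IDs that may not be valid. If `StructureIDTable::get` asserts or traps on an out-of-range ID (its body is not shown here), a corrupted cell would stop the process before the "maps to a NULL Structure pointer" diagnostic is logged, which undercuts the point of a verifier. Consider `Structure* structure = vm.tryGetStructure(structureID);` here, and the same for `structureStructure` in the second hunk. The enclosing function begins and ends outside both hunks.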
<a id="branchessafari613111branchSourceJavaScriptCoretoolsIntegritycpp"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/tools/Integrity.cpp (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/tools/Integrity.cpp        2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/tools/Integrity.cpp   2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2019-2021 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2019 Apple Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions
</span></span></pre></div>
<a id="branchessafari613111branchSourceJavaScriptCoretoolsIntegrityh"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/tools/Integrity.h (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/tools/Integrity.h  2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/tools/Integrity.h     2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2019-2021 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2019-2020 Apple Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -26,7 +26,7 @@
</span><span class="cx"> #pragma once
</span><span class="cx"> 
</span><span class="cx"> #include "JSCJSValue.h"
</span><del>-#include "StructureID.h"
</del><ins>+#include "StructureIDTable.h"
</ins><span class="cx"> #include <wtf/Gigacage.h>
</span><span class="cx"> #include <wtf/Lock.h>
</span><span class="cx"> 
</span><span class="lines">@@ -100,7 +100,8 @@
</span><span class="cx">         auditCell<auditLevel>(vm, value.asCell());
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-ALWAYS_INLINE void auditStructureID(StructureID);
</del><ins>+ALWAYS_INLINE void auditStructureID(StructureIDTable&, StructureID);
+ALWAYS_INLINE void auditStructureID(VM&, StructureID);
</ins><span class="cx"> 
</span><span class="cx"> } // namespace Integrity
</span><span class="cx"> 
</span></span></pre></div>
<a id="branchessafari613111branchSourceJavaScriptCoretoolsIntegrityInlinesh"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/tools/IntegrityInlines.h (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/tools/IntegrityInlines.h   2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/tools/IntegrityInlines.h      2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -73,13 +73,14 @@
</span><span class="cx">         auditCellFully(vm, cell);
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+ALWAYS_INLINE void auditStructureID(StructureIDTable& table, StructureID id)
+{
+    table.validate(id);
+}
</ins><span class="cx"> 
</span><del>-ALWAYS_INLINE void auditStructureID(StructureID structureID)
</del><ins>+ALWAYS_INLINE void auditStructureID(VM& vm, StructureID id)
</ins><span class="cx"> {
</span><del>-    UNUSED_PARAM(structureID);
-#if CPU(ADDRESS64)
-    ASSERT(structureID.bits() <= structureHeapAddressSize + StructureID::nukedStructureIDBit);
-#endif
</del><ins>+    auditStructureID(vm.heap.structureIDTable(), id);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> } // namespace Integrity
</span></span></pre></div>
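Review bot: `auditStructureID(StructureIDTable&, StructureID)` in IntegrityInlines.h now delegates entirely to `table.validate(id)` and returns void, so a reader cannot tell from this file what a failed audit does or whether the check survives in release builds. The removed version was a debug-only `ASSERT` under `CPU(ADDRESS64)`; if `validate` is stronger than that, say so in a comment such as `// Traps if id does not name a valid entry in table; see StructureIDTable::validate.`, adjusted to what `validate` really does, since its body is not part of this section. Callers such as the `Integrity::auditStructureID(vm, result->structureID())` call in WebAssemblyGlobalPrototype.cpp depend on that contract.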
<a id="branchessafari613111branchSourceJavaScriptCoretoolsJSDollarVMcpp"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/tools/JSDollarVM.cpp (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/tools/JSDollarVM.cpp       2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/tools/JSDollarVM.cpp  2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -3585,7 +3585,7 @@
</span><span class="cx"> 
</span><span class="cx">     for (size_t i = 0; i < structures.size(); ++i) {
</span><span class="cx">         auto* structure = structures[structures.size() - i - 1];
</span><del>-        result->push(globalObject, JSValue(structure->id().bits()));
</del><ins>+        result->push(globalObject, JSValue(structure->id()));
</ins><span class="cx">         RETURN_IF_EXCEPTION(scope, { });
</span><span class="cx">         result->push(globalObject, JSValue(structure->transitionOffset()));
</span><span class="cx">         RETURN_IF_EXCEPTION(scope, { });
</span><span class="lines">@@ -4012,7 +4012,7 @@
</span><span class="cx"> 
</span><span class="cx">     addFunction(vm, "ensureArrayStorage", functionEnsureArrayStorage, 1);
</span><span class="cx"> 
</span><del>-    m_objectDoingSideEffectPutWithoutCorrectSlotStatusStructureID.set(vm, this, ObjectDoingSideEffectPutWithoutCorrectSlotStatus::createStructure(vm, globalObject, jsNull()));
</del><ins>+    m_objectDoingSideEffectPutWithoutCorrectSlotStatusStructure.set(vm, this, ObjectDoingSideEffectPutWithoutCorrectSlotStatus::createStructure(vm, globalObject, jsNull()));
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void JSDollarVM::addFunction(VM& vm, JSGlobalObject* globalObject, const char* name, NativeFunction function, unsigned arguments)
</span><span class="lines">@@ -4034,7 +4034,7 @@
</span><span class="cx"> {
</span><span class="cx">     JSDollarVM* thisObject = jsCast<JSDollarVM*>(cell);
</span><span class="cx">     Base::visitChildren(thisObject, visitor);
</span><del>-    visitor.append(thisObject->m_objectDoingSideEffectPutWithoutCorrectSlotStatusStructureID);
</del><ins>+    visitor.append(thisObject->m_objectDoingSideEffectPutWithoutCorrectSlotStatusStructure);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> DEFINE_VISIT_CHILDREN(JSDollarVM);
</span></span></pre></div>
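Review bot: In the first hunk of JSDollarVM.cpp, `JSValue(structure->id())` relies on `StructureID` being an integer, while the HeapVerifier.cpp change in this same commit needs `reinterpret_cast<uint32_t>(structureID)` when `USE(JSVALUE64)` is off, which suggests the type is pointer-like in that configuration. There the constructor call would likely select a cell overload and push the Structure itself rather than its numeric ID. Making the conversion explicit keeps both configurations returning a number, for example by computing a `uint32_t` the way HeapVerifier.cpp does and passing that to `JSValue`. The other two hunks only rename a member. The enclosing host function starts outside the hunk.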
<a id="branchessafari613111branchSourceJavaScriptCoretoolsJSDollarVMh"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/tools/JSDollarVM.h (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/tools/JSDollarVM.h 2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/tools/JSDollarVM.h    2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -61,7 +61,7 @@
</span><span class="cx">         return instance;
</span><span class="cx">     }
</span><span class="cx"> 
</span><del>-    Structure* objectDoingSideEffectPutWithoutCorrectSlotStatusStructure() { return m_objectDoingSideEffectPutWithoutCorrectSlotStatusStructureID.get(); }
</del><ins>+    Structure* objectDoingSideEffectPutWithoutCorrectSlotStatusStructure() { return m_objectDoingSideEffectPutWithoutCorrectSlotStatusStructure.get(); }
</ins><span class="cx">     
</span><span class="cx"> private:
</span><span class="cx">     JSDollarVM(VM& vm, Structure* structure)
</span><span class="lines">@@ -76,7 +76,7 @@
</span><span class="cx"> 
</span><span class="cx">     DECLARE_VISIT_CHILDREN;
</span><span class="cx"> 
</span><del>-    WriteBarrierStructureID m_objectDoingSideEffectPutWithoutCorrectSlotStatusStructureID;
</del><ins>+    WriteBarrier<Structure> m_objectDoingSideEffectPutWithoutCorrectSlotStatusStructure;
</ins><span class="cx"> };
</span><span class="cx"> 
</span><span class="cx"> } // namespace JSC
</span></span></pre></div>
<a id="branchessafari613111branchSourceJavaScriptCorewasmjsWebAssemblyFunctioncpp"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp    2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp       2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -266,7 +266,7 @@
</span><span class="cx">                 slowPath.append(jit.branchIfNotCell(scratchGPR));
</span><span class="cx"> 
</span><span class="cx">                 stackLimitGPRIsClobbered = true;
</span><del>-                jit.emitLoadStructure(vm, scratchGPR, scratchGPR);
</del><ins>+                jit.emitLoadStructure(vm, scratchGPR, scratchGPR, stackLimitGPR);
</ins><span class="cx">                 jit.loadPtr(CCallHelpers::Address(scratchGPR, Structure::classInfoOffset()), scratchGPR);
</span><span class="cx"> 
</span><span class="cx">                 static_assert(std::is_final<WebAssemblyFunction>::value, "We do not check for subtypes below");
</span></span></pre></div>
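Review bot: The new call `jit.emitLoadStructure(vm, scratchGPR, scratchGPR, stackLimitGPR)` in WebAssemblyFunction.cpp passes `stackLimitGPR` as the scratch register, and the only thing tying that to `stackLimitGPRIsClobbered = true;` on the line above is adjacency. A short comment would make the dependency explicit, e.g. `// emitLoadStructure scratches stackLimitGPR; it must be reloaded before the next stack check.` How the flag is consumed lies outside the hunk, so the wording should be checked against the rest of the function.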
<a id="branchessafari613111branchSourceJavaScriptCorewasmjsWebAssemblyGlobalPrototypecpp"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/JavaScriptCore/wasm/js/WebAssemblyGlobalPrototype.cpp (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/JavaScriptCore/wasm/js/WebAssemblyGlobalPrototype.cpp     2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/JavaScriptCore/wasm/js/WebAssemblyGlobalPrototype.cpp        2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -64,7 +64,7 @@
</span><span class="cx">             createTypeError(globalObject, "expected |this| value to be an instance of WebAssembly.Global"_s));
</span><span class="cx">         return nullptr;
</span><span class="cx">     }
</span><del>-    Integrity::auditStructureID(result->structureID());
</del><ins>+    Integrity::auditStructureID(vm, result->structureID());
</ins><span class="cx">     return result;
</span><span class="cx"> }
</span><span class="cx"> 
</span></span></pre></div>
<a id="branchessafari613111branchSourceWTFChangeLog"></a>
<div class="modfile"><h4>Modified: branches/safari-613.1.11-branch/Source/WTF/ChangeLog (287007 => 287008)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-613.1.11-branch/Source/WTF/ChangeLog     2021-12-14 03:28:02 UTC (rev 287007)
+++ branches/safari-613.1.11-branch/Source/WTF/ChangeLog        2021-12-14 03:28:24 UTC (rev 287008)
</span><span class="lines">@@ -1,5 +1,359 @@
</span><span class="cx"> 2021-12-13  Russell Epstein  <repstein@apple.com>
</span><span class="cx"> 
</span><ins>+        Cherry-pick r286994. rdar://problem/86445989
+
+    Roll back r286345, r286387, r286471, r286667, r286849
+    https://bugs.webkit.org/show_bug.cgi?id=234268
+    
+    Reviewed by Mark Lam.
+    
+    Source/JavaScriptCore:
+    
+    * CMakeLists.txt:
+    * JavaScriptCore.xcodeproj/project.pbxproj:
+    * Sources.txt:
+    * bytecode/AccessCase.cpp:
+    (JSC::AccessCase::AccessCase):
+    (JSC::AccessCase::forEachDependentCell const):
+    (JSC::AccessCase::dump const):
+    (JSC::AccessCase::propagateTransitions const):
+    (JSC::AccessCase::generateWithGuard):
+    (JSC::AccessCase::canBeShared):
+    * bytecode/AccessCase.h:
+    (JSC::AccessCase::structure const):
+    (JSC::AccessCase::newStructure const):
+    (JSC::AccessCase::hash const):
+    (JSC::AccessCase::AccessCase):
+    * bytecode/ArrayProfile.cpp:
+    (JSC::ArrayProfile::computeUpdatedPrediction):
+    * bytecode/ArrayProfile.h:
+    * bytecode/CheckPrivateBrandStatus.cpp:
+    (JSC::CheckPrivateBrandStatus::computeForStubInfoWithoutExitSiteFeedback):
+    * bytecode/CodeBlock.cpp:
+    (JSC::CodeBlock::propagateTransitions):
+    (JSC::CodeBlock::determineLiveness):
+    (JSC::CodeBlock::finalizeLLIntInlineCaches):
+    (JSC::CodeBlock::stronglyVisitWeakReferences):
+    * bytecode/DeleteByStatus.cpp:
+    (JSC::DeleteByStatus::computeForStubInfoWithoutExitSiteFeedback):
+    * bytecode/GetByIdMetadata.h:
+    (JSC::GetByIdModeMetadata::GetByIdModeMetadata):
+    (JSC::GetByIdModeMetadata::clearToDefaultModeWithoutCache):
+    * bytecode/GetByStatus.cpp:
+    (JSC::GetByStatus::computeFromLLInt):
+    (JSC::GetByStatus::computeForStubInfoWithoutExitSiteFeedback):
+    * bytecode/InByStatus.cpp:
+    (JSC::InByStatus::computeForStubInfoWithoutExitSiteFeedback):
+    * bytecode/InlineAccess.cpp:
+    (JSC::InlineAccess::rewireStubAsJumpInAccess):
+    (JSC::InlineAccess::resetStubAsJumpInAccess):
+    * bytecode/InstanceOfStatus.cpp:
+    (JSC::InstanceOfStatus::computeForStubInfo):
+    * bytecode/InternalFunctionAllocationProfile.h:
+    (JSC::InternalFunctionAllocationProfile::offsetOfStructure):
+    (JSC::InternalFunctionAllocationProfile::structure):
+    (JSC::InternalFunctionAllocationProfile::clear):
+    (JSC::InternalFunctionAllocationProfile::visitAggregate):
+    (JSC::InternalFunctionAllocationProfile::createAllocationStructureFromBase):
+    (JSC::InternalFunctionAllocationProfile::offsetOfStructureID): Deleted.
+    * bytecode/PolyProtoAccessChain.cpp:
+    (JSC::PolyProtoAccessChain::needImpurePropertyWatchpoint const):
+    * bytecode/PolyProtoAccessChain.h:
+    * bytecode/PolymorphicAccess.cpp:
+    (JSC::PolymorphicAccess::visitWeak const):
+    * bytecode/PutByIdFlags.h:
+    * bytecode/PutByStatus.cpp:
+    (JSC::PutByStatus::computeFromLLInt):
+    (JSC::PutByStatus::computeForStubInfo):
+    * bytecode/SetPrivateBrandStatus.cpp:
+    (JSC::SetPrivateBrandStatus::computeForStubInfoWithoutExitSiteFeedback):
+    * bytecode/SpeculatedType.cpp:
+    (JSC::speculationFromCell):
+    * bytecode/StructureStubInfo.cpp:
+    (JSC::StructureStubInfo::initGetByIdSelf):
+    (JSC::StructureStubInfo::initPutByIdReplace):
+    (JSC::StructureStubInfo::initInByIdSelf):
+    (JSC::StructureStubInfo::deref):
+    (JSC::StructureStubInfo::aboutToDie):
+    (JSC::StructureStubInfo::addAccessCase):
+    (JSC::StructureStubInfo::reset):
+    (JSC::StructureStubInfo::visitAggregateImpl):
+    (JSC::StructureStubInfo::visitWeakReferences):
+    (JSC::StructureStubInfo::propagateTransitions):
+    (JSC::StructureStubInfo::summary const):
+    (JSC::StructureStubInfo::containsPC const):
+    * bytecode/StructureStubInfo.h:
+    (JSC::StructureStubInfo::offsetOfByIdSelfOffset):
+    (JSC::StructureStubInfo::offsetOfInlineAccessBaseStructure):
+    (JSC::StructureStubInfo::inlineAccessBaseStructure):
+    (JSC::StructureStubInfo::offsetOfInlineAccessBaseStructureID): Deleted.
+    * dfg/DFGAbstractInterpreterInlines.h:
+    (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+    * dfg/DFGByteCodeParser.cpp:
+    (JSC::DFG::ByteCodeParser::parseBlock):
+    * dfg/DFGGraph.cpp:
+    (JSC::DFG::Graph::dump):
+    * dfg/DFGJITCompiler.h:
+    (JSC::DFG::JITCompiler::branchWeakStructure):
+    * dfg/DFGPlan.cpp:
+    (JSC::DFG::Plan::finalize):
+    * dfg/DFGSpeculativeJIT.cpp:
+    * dfg/DFGSpeculativeJIT64.cpp:
+    (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
+    (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
+    (JSC::DFG::SpeculativeJIT::compileToBooleanObjectOrOther):
+    (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
+    (JSC::DFG::SpeculativeJIT::emitUntypedBranch):
+    (JSC::DFG::SpeculativeJIT::compile):
+    * ftl/FTLAbstractHeapRepository.h:
+    * ftl/FTLLowerDFGToB3.cpp:
+    (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
+    (JSC::FTL::DFG::LowerDFGToB3::compileCreateInternalFieldObject):
+    (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
+    * heap/AbstractSlotVisitor.h:
+    * heap/AbstractSlotVisitorInlines.h:
+    * heap/Heap.cpp:
+    (JSC::Heap::Heap):
+    (JSC::Heap::runEndPhase):
+    * heap/Heap.h:
+    (JSC::Heap::structureIDTable):
+    * heap/IsoAlignedMemoryAllocator.cpp:
+    (JSC::IsoAlignedMemoryAllocator::IsoAlignedMemoryAllocator):
+    (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
+    (JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
+    (JSC::IsoAlignedMemoryAllocator::freeAlignedMemory):
+    (JSC::IsoAlignedMemoryAllocator::tryMallocBlock): Deleted.
+    (JSC::IsoAlignedMemoryAllocator::freeBlock): Deleted.
+    (JSC::IsoAlignedMemoryAllocator::commitBlock): Deleted.
+    (JSC::IsoAlignedMemoryAllocator::decommitBlock): Deleted.
+    * heap/IsoAlignedMemoryAllocator.h:
+    * heap/IsoMemoryAllocatorBase.cpp: Removed.
+    * heap/IsoMemoryAllocatorBase.h: Removed.
+    * heap/IsoSubspace.cpp:
+    (JSC::IsoSubspace::IsoSubspace):
+    (JSC::IsoSubspace::tryAllocateFromLowerTier):
+    * heap/IsoSubspace.h:
+    * heap/PreciseAllocation.cpp:
+    (JSC::PreciseAllocation::createForLowerTier):
+    (JSC::PreciseAllocation::tryCreateForLowerTier): Deleted.
+    * heap/PreciseAllocation.h:
+    * heap/SlotVisitor.cpp:
+    (JSC::SlotVisitor::appendJSCellOrAuxiliary):
+    * heap/SlotVisitor.h:
+    * heap/SlotVisitorInlines.h:
+    * heap/StructureAlignedMemoryAllocator.cpp: Removed.
+    * heap/StructureAlignedMemoryAllocator.h: Removed.
+    * jit/AssemblyHelpers.cpp:
+    (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
+    (JSC::AssemblyHelpers::emitLoadStructure):
+    (JSC::AssemblyHelpers::emitLoadPrototype):
+    (JSC::AssemblyHelpers::emitRandomThunk):
+    (JSC::AssemblyHelpers::emitConvertValueToBoolean):
+    (JSC::AssemblyHelpers::branchIfValue):
+    (JSC::AssemblyHelpers::emitNonNullDecodeStructureID): Deleted.
+    * jit/AssemblyHelpers.h:
+    (JSC::AssemblyHelpers::branchStructure):
+    (JSC::AssemblyHelpers::nukeStructureAndStoreButterfly):
+    * jit/GCAwareJITStubRoutine.cpp:
+    (JSC::PolymorphicAccessJITStubRoutine::computeHash):
+    * jit/JITInlineCacheGenerator.cpp:
+    (JSC::generateGetByIdInlineAccess):
+    (JSC::JITPutByIdGenerator::generateBaselineDataICFastPath):
+    (JSC::JITInByIdGenerator::generateBaselineDataICFastPath):
+    * jit/JITOpcodes.cpp:
+    (JSC::JIT::emit_op_typeof_is_undefined):
+    (JSC::JIT::emit_op_jeq_null):
+    (JSC::JIT::emit_op_jneq_null):
+    (JSC::JIT::emit_op_eq_null):
+    (JSC::JIT::emit_op_neq_null):
+    (JSC::JIT::emit_op_get_prototype_of):
+    * jit/JITPropertyAccess.cpp:
+    (JSC::JIT::emit_op_get_property_enumerator):
+    * jit/JITStubRoutine.h:
+    * llint/LLIntSlowPaths.cpp:
+    (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+    (JSC::LLInt::performLLIntGetByID):
+    * llint/LowLevelInterpreter.asm:
+    * llint/LowLevelInterpreter64.asm:
+    * runtime/ArrayPrototype.cpp:
+    (JSC::JSC_DEFINE_HOST_FUNCTION):
+    * runtime/BigIntPrototype.cpp:
+    (JSC::JSC_DEFINE_HOST_FUNCTION):
+    * runtime/BooleanPrototype.cpp:
+    (JSC::JSC_DEFINE_HOST_FUNCTION):
+    * runtime/CommonSlowPaths.cpp:
+    (JSC::JSC_DEFINE_COMMON_SLOW_PATH):
+    * runtime/DatePrototype.cpp:
+    (JSC::formateDateInstance):
+    (JSC::JSC_DEFINE_HOST_FUNCTION):
+    * runtime/ErrorInstance.cpp:
+    (JSC::ErrorInstance::sanitizedMessageString):
+    (JSC::ErrorInstance::sanitizedNameString):
+    (JSC::ErrorInstance::sanitizedToString):
+    * runtime/ErrorPrototype.cpp:
+    (JSC::JSC_DEFINE_HOST_FUNCTION):
+    * runtime/FunctionExecutable.cpp:
+    (JSC::FunctionExecutable::visitChildrenImpl):
+    * runtime/FunctionExecutable.h:
+    * runtime/FunctionPrototype.cpp:
+    (JSC::JSC_DEFINE_HOST_FUNCTION):
+    * runtime/FunctionRareData.cpp:
+    (JSC::FunctionRareData::visitChildrenImpl):
+    * runtime/FunctionRareData.h:
+    * runtime/HasOwnPropertyCache.h:
+    * runtime/InitializeThreading.cpp:
+    (JSC::initialize):
+    * runtime/JSCConfig.h:
+    * runtime/JSCJSValue.cpp:
+    (JSC::JSValue::dumpInContextAssumingStructure const):
+    (JSC::JSValue::dumpForBacktrace const):
+    * runtime/JSCell.cpp:
+    (JSC::JSCell::toObjectSlow const):
+    * runtime/JSCell.h:
+    (JSC::JSCell::clearStructure):
+    * runtime/JSCellInlines.h:
+    (JSC::JSCell::structure const):
+    (JSC::JSCell::setStructure):
+    * runtime/JSGlobalObject.cpp:
+    (JSC::JSGlobalObject::visitChildrenImpl):
+    * runtime/JSGlobalObject.h:
+    * runtime/JSObject.cpp:
+    (JSC::JSObject::visitButterflyImpl):
+    (JSC::JSObject::createInitialUndecided):
+    (JSC::JSObject::createInitialInt32):
+    (JSC::JSObject::createInitialDouble):
+    (JSC::JSObject::createInitialContiguous):
+    (JSC::JSObject::createArrayStorage):
+    (JSC::JSObject::convertUndecidedToArrayStorage):
+    (JSC::JSObject::convertInt32ToArrayStorage):
+    (JSC::JSObject::convertDoubleToArrayStorage):
+    (JSC::JSObject::convertContiguousToArrayStorage):
+    (JSC::JSObject::putDirectCustomGetterSetterWithoutTransition):
+    (JSC::JSObject::putDirectNonIndexAccessorWithoutTransition):
+    * runtime/JSObject.h:
+    (JSC::JSObject::nukeStructureAndSetButterfly):
+    (JSC::JSObject::getPropertySlot):
+    * runtime/JSObjectInlines.h:
+    (JSC::JSObject::getPropertySlot):
+    (JSC::JSObject::getNonIndexPropertySlot):
+    (JSC::JSObject::putDirectWithoutTransition):
+    (JSC::JSObject::putDirectInternal):
+    * runtime/JSPropertyNameEnumerator.cpp:
+    (JSC::JSPropertyNameEnumerator::JSPropertyNameEnumerator):
+    (JSC::JSPropertyNameEnumerator::visitChildrenImpl):
+    * runtime/JSPropertyNameEnumerator.h:
+    * runtime/NumberPrototype.cpp:
+    (JSC::toThisNumber):
+    * runtime/ObjectPrototype.cpp:
+    (JSC::JSC_DEFINE_HOST_FUNCTION):
+    (JSC::objectPrototypeToString):
+    * runtime/RegExpPrototype.cpp:
+    (JSC::JSC_DEFINE_HOST_FUNCTION):
+    * runtime/StringPrototype.cpp:
+    (JSC::JSC_DEFINE_HOST_FUNCTION):
+    * runtime/Structure.cpp:
+    (JSC::Structure::Structure):
+    (JSC::Structure::~Structure):
+    (JSC::Structure::flattenDictionaryStructure):
+    (JSC::Structure::dump const):
+    (JSC::Structure::canCachePropertyNameEnumerator const):
+    * runtime/Structure.h:
+    (JSC::Structure::id const):
+    * runtime/StructureChain.cpp:
+    (JSC::StructureChain::create):
+    (JSC::StructureChain::visitChildrenImpl):
+    * runtime/StructureID.h: Removed.
+    * runtime/StructureIDBlob.h:
+    (JSC::StructureIDBlob::StructureIDBlob):
+    * runtime/StructureIDTable.cpp: Added.
+    (JSC::StructureIDTable::StructureIDTable):
+    (JSC::StructureIDTable::makeFreeListFromRange):
+    (JSC::StructureIDTable::resize):
+    (JSC::StructureIDTable::flushOldTables):
+    (JSC::StructureIDTable::allocateID):
+    (JSC::StructureIDTable::deallocateID):
+    * runtime/StructureIDTable.h: Added.
+    (JSC::nukedStructureIDBit):
+    (JSC::nuke):
+    (JSC::isNuked):
+    (JSC::decontaminate):
+    (JSC::StructureIDTable::base):
+    (JSC::StructureIDTable::size const):
+    (JSC::StructureIDTable::table const):
+    (JSC::StructureIDTable::decode):
+    (JSC::StructureIDTable::encode):
+    (JSC::StructureIDTable::get):
+    (JSC::StructureIDTable::tryGet):
+    (JSC::StructureIDTable::validate):
+    (JSC::StructureIDTable::deallocateID):
+    (JSC::StructureIDTable::allocateID):
+    (JSC::StructureIDTable::flushOldTables):
+    * runtime/StructureRareData.cpp:
+    (JSC::StructureRareData::StructureRareData):
+    * runtime/StructureRareData.h:
+    * runtime/StructureRareDataInlines.h:
+    (JSC::StructureRareData::tryCachePropertyNameEnumeratorViaWatchpoint):
+    * runtime/SymbolPrototype.cpp:
+    (JSC::JSC_DEFINE_CUSTOM_GETTER):
+    (JSC::JSC_DEFINE_HOST_FUNCTION):
+    * runtime/TypeProfilerLog.cpp:
+    (JSC::TypeProfilerLog::processLogEntries):
+    (JSC::TypeProfilerLog::visit):
+    * runtime/VM.h:
+    (JSC::VM::getStructure):
+    (JSC::VM::tryGetStructure):
+    * runtime/WriteBarrier.h:
+    (JSC::WriteBarrierStructureID::WriteBarrierStructureID): Deleted.
+    (JSC::WriteBarrierStructureID::get const): Deleted.
+    (JSC::WriteBarrierStructureID::operator* const): Deleted.
+    (JSC::WriteBarrierStructureID::operator-> const): Deleted.
+    (JSC::WriteBarrierStructureID::clear): Deleted.
+    (JSC::WriteBarrierStructureID::operator bool const): Deleted.
+    (JSC::WriteBarrierStructureID::operator! const): Deleted.
+    (JSC::WriteBarrierStructureID::setWithoutWriteBarrier): Deleted.
+    (JSC::WriteBarrierStructureID::unvalidatedGet const): Deleted.
+    (JSC::WriteBarrierStructureID::value const): Deleted.
+    * runtime/WriteBarrierInlines.h:
+    (JSC::WriteBarrierStructureID::set): Deleted.
+    (JSC::WriteBarrierStructureID::setMayBeNull): Deleted.
+    (JSC::WriteBarrierStructureID::setEarlyValue): Deleted.
+    * tools/HeapVerifier.cpp:
+    (JSC::HeapVerifier::validateJSCell):
+    * tools/Integrity.cpp:
+    * tools/Integrity.h:
+    * tools/IntegrityInlines.h:
+    (JSC::Integrity::auditStructureID):
+    * tools/JSDollarVM.cpp:
+    (JSC::JSC_DEFINE_HOST_FUNCTION):
+    (JSC::JSDollarVM::finishCreation):
+    (JSC::JSDollarVM::visitChildrenImpl):
+    * tools/JSDollarVM.h:
+    * wasm/js/WebAssemblyFunction.cpp:
+    (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
+    * wasm/js/WebAssemblyGlobalPrototype.cpp:
+    (JSC::getGlobal):
+    
+    Source/WTF:
+    
+    * wtf/OSAllocator.h:
+    * wtf/posix/OSAllocatorPOSIX.cpp:
+    (WTF::OSAllocator::reserveUncommittedAligned): Deleted.
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@286994 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2021-12-13  Saam Barati  <sbarati@apple.com>
+
+            Roll back r286345, r286387, r286471, r286667, r286849
+            https://bugs.webkit.org/show_bug.cgi?id=234268
+
+            Reviewed by Mark Lam.
+
+            * wtf/OSAllocator.h:
+            * wtf/posix/OSAllocatorPOSIX.cpp:
+            (WTF::OSAllocator::reserveUncommittedAligned): Deleted.
+
+2021-12-13  Russell Epstein  <repstein@apple.com>
+
</ins><span class="cx">         Cherry-pick r286849. rdar://problem/86445989
</span><span class="cx"> 
</span><span class="cx">     Reduce maximum mmap size for Structure regions to help placate ios
</span></span></pre></div>
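--- a/branches/safari-613.1.11-branch/Source/WTF/wtf/OSAllocator.h
+++ b/branches/safari-613.1.11-branch/Source/WTF/wtf/OSAllocator.h
@@ -39,14 +39,11 @@
         JSJITCodePages = VM_TAG_FOR_EXECUTABLEALLOCATOR_MEMORY,
     };
 
-    // These methods are symmetric; reserveUncommitted(Aligned) allocates VM in an uncommitted state,
+    // These methods are symmetric; reserveUncommitted allocates VM in an uncommitted state,
     // releaseDecommitted should be called on a region of VM allocated by a single reservation,
-    // the memory must all currently be in a decommitted state. reserveUncommitted(Aligned) returns to
+    // the memory must all currently be in a decommitted state. reserveUncommitted returns to
     // you memory that is zeroed.
     WTF_EXPORT_PRIVATE static void* reserveUncommitted(size_t, Usage = UnknownUsage, bool writable = true, bool executable = false, bool jitCageEnabled = false, bool includesGuardPages = false);
-    // This guarantees the memory will be aligned to a multiple of the requested size. The requested
-    // size must be a power of two and greater than the system page size.
-    WTF_EXPORT_PRIVATE static void* reserveUncommittedAligned(size_t, Usage = UnknownUsage, bool writable = true, bool executable = false, bool jitCageEnabled = false, bool includesGuardPages = false);
     WTF_EXPORT_PRIVATE static void releaseDecommitted(void*, size_t);
 
     // These methods are symmetric; they commit or decommit a region of VM (uncommitted VM should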
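--- a/branches/safari-613.1.11-branch/Source/WTF/wtf/posix/OSAllocatorPOSIX.cpp
+++ b/branches/safari-613.1.11-branch/Source/WTF/wtf/posix/OSAllocatorPOSIX.cpp
@@ -29,7 +29,6 @@
 #include <errno.h>
 #include <sys/mman.h>
 #include <wtf/Assertions.h>
-#include <wtf/MathExtras.h>
 #include <wtf/PageBlock.h>
 
 #if ENABLE(JIT_CAGE)
@@ -44,10 +43,6 @@
 #endif // OS(DARWIN)
 #endif // ENABLE(JIT_CAGE)
 
-#if OS(DARWIN)
-#include <wtf/spi/cocoa/MachVMSPI.h>
-#endif
-
 namespace WTF {
 
 void* OSAllocator::reserveUncommitted(size_t bytes, Usage usage, bool writable, bool executable, bool jitCageEnabled, bool includesGuardPages)
@@ -77,56 +72,6 @@
     return result;
 }
 
-void* OSAllocator::reserveUncommittedAligned(size_t bytes, Usage usage, bool writable, bool executable, bool jitCageEnabled, bool includesGuardPages)
-{
-    ASSERT(hasOneBitSet(bytes) && bytes >= pageSize());
-
-#if PLATFORM(MAC) || USE(APPLE_INTERNAL_SDK)
-    UNUSED_PARAM(usage); // Not supported for mach API.
-    ASSERT_UNUSED(includesGuardPages, !includesGuardPages);
-    ASSERT_UNUSED(jitCageEnabled, !jitCageEnabled); // Not supported for mach API.
-    vm_prot_t protections = VM_PROT_READ;
-    if (writable)
-        protections |= VM_PROT_WRITE;
-    if (executable)
-        protections |= VM_PROT_EXECUTE;
-
-    const vm_inherit_t childProcessInheritance = VM_INHERIT_DEFAULT;
-    const bool copy = false;
-    const int flags = VM_FLAGS_ANYWHERE;
-
-    void* aligned = nullptr;
-    kern_return_t result = mach_vm_map(mach_task_self(), reinterpret_cast<mach_vm_address_t*>(&aligned), bytes, bytes - 1, flags, MEMORY_OBJECT_NULL, 0, copy, protections, protections, childProcessInheritance);
-    RELEASE_ASSERT(result == KERN_SUCCESS, result, bytes);
-#if HAVE(MADV_FREE_REUSE)
-    if (aligned) {
-        // To support the "reserve then commit" model, we have to initially decommit.
-        while (madvise(aligned, bytes, MADV_FREE_REUSABLE) == -1 && errno == EAGAIN) { }
-    }
-#endif
-
-    return aligned;
-#else
-    // Double the size so we can ensure enough mapped memory to get an aligned start.
-    size_t mappedSize = bytes * 2;
-    char* mapped = reinterpret_cast<char*>(reserveUncommitted(mappedSize, usage, writable, executable, jitCageEnabled, includesGuardPages));
-    char* mappedEnd = mapped + mappedSize;
-
-    char* aligned = reinterpret_cast<char*>(roundUpToMultipleOf(bytes, reinterpret_cast<uintptr_t>(mapped)));
-    char* alignedEnd = aligned + bytes;
-
-    RELEASE_ASSERT(alignedEnd <= mappedEnd);
-
-    if (size_t leftExtra = aligned - mapped)
-        releaseDecommitted(mapped, leftExtra);
-
-    if (size_t rightExtra = mappedEnd - alignedEnd)
-        releaseDecommitted(alignedEnd, rightExtra);
-
-    return aligned;
-#endif
-}
-
 void* OSAllocator::reserveAndCommit(size_t bytes, Usage usage, bool writable, bool executable, bool jitCageEnabled, bool includesGuardPages)
 {
     // All POSIX reservations start out logically committed.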
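--- a/branches/safari-613.1.11-branch/Source/WTF/wtf/win/OSAllocatorWin.cpp
+++ b/branches/safari-613.1.11-branch/Source/WTF/wtf/win/OSAllocatorWin.cpp
@@ -52,26 +52,6 @@
     return result;
 }
 
-void* OSAllocator::reserveUncommittedAligned(size_t bytes, Usage usage, bool writable, bool executable, bool, bool)
-{
-    ASSERT(hasOneBitSet(bytes) && bytes >= pageSize());
-    if (VirtualAlloc2Ptr()) {
-        MEM_ADDRESS_REQUIREMENTS addressReqs = { };
-        MEM_EXTENDED_PARAMETER param = { };
-        addressReqs.Alignment = bytes;
-        param.Type = MemExtendedParameterAddressRequirements;
-        param.Pointer = &addressReqs;
-        void* result = VirtualAlloc2Ptr()(nullptr, nullptr, bytes, MEM_RESERVE, protection(writable, executable), &param, 1);
-        if (!result)
-            CRASH();
-        return result;
-    }
-    void* result = reserveUncommitted(2 * bytes, usage, writable, executable);
-
-    char* aligned = reinterpret_cast<char*>(roundUpToMultipleOf(bytes, reinterpret_cast<uintptr_t>(result)));
-    return aligned;
-}
-
 void* OSAllocator::reserveAndCommit(size_t bytes, Usage, bool writable, bool executable, bool, bool)
 {
     void* result = VirtualAlloc(nullptr, bytes, MEM_RESERVE | MEM_COMMIT, protection(writable, executable));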
</div>

</body>
</html>