Changeset 200416 in webkit

Timestamp:

May 4, 2016 8:48:16 AM (8 years ago)

Author:

Chris Dumez

Message:

Unreviewed, rolling out r200383 and r200406.

Seems to have caused crashes on iOS / ARMv7s

Reverted changesets:

"Speed up JSGlobalObject initialization by making some
properties lazy"
​https://bugs.webkit.org/show_bug.cgi?id=157045
​http://trac.webkit.org/changeset/200383

"REGRESSION(r200383): Setting lazily initialized properties
across frame boundaries crashes"
​https://bugs.webkit.org/show_bug.cgi?id=157333
​http://trac.webkit.org/changeset/200406

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/js/dom/cross-window-put-math-expected.txt (deleted)
• LayoutTests/js/dom/cross-window-put-math.html (deleted)
• Source/JavaScriptCore/API/JSCallbackFunction.cpp (modified) (2 diffs)
• Source/JavaScriptCore/API/ObjCCallbackFunction.h (modified) (2 diffs)
• Source/JavaScriptCore/API/ObjCCallbackFunction.mm (modified) (3 diffs)
• Source/JavaScriptCore/CMakeLists.txt (modified) (1 diff)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (modified) (8 diffs)
• Source/JavaScriptCore/create_hash_table (modified) (3 diffs)
• Source/JavaScriptCore/debugger/DebuggerScope.cpp (modified) (2 diffs)
• Source/JavaScriptCore/debugger/DebuggerScope.h (modified) (3 diffs)
• Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGAbstractValue.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGArrayMode.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGStructureRegistrationPhase.cpp (modified) (2 diffs)
• Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (modified) (2 diffs)
• Source/JavaScriptCore/runtime/ClonedArguments.cpp (modified) (3 diffs)
• Source/JavaScriptCore/runtime/CommonSlowPaths.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/FunctionPrototype.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/InternalFunction.cpp (modified) (2 diffs)
• Source/JavaScriptCore/runtime/InternalFunction.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSBoundFunction.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSBoundSlotBaseFunction.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSFunction.cpp (modified) (5 diffs)
• Source/JavaScriptCore/runtime/JSGenericTypedArrayViewConstructorInlines.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSGlobalObject.cpp (modified) (19 diffs)
• Source/JavaScriptCore/runtime/JSGlobalObject.h (modified) (21 diffs)
• Source/JavaScriptCore/runtime/JSNativeStdFunction.cpp (modified) (2 diffs)
• Source/JavaScriptCore/runtime/JSWithScope.cpp (modified) (3 diffs)
• Source/JavaScriptCore/runtime/JSWithScope.h (modified) (3 diffs)
• Source/JavaScriptCore/runtime/LazyClassStructure.cpp (deleted)
• Source/JavaScriptCore/runtime/LazyClassStructure.h (deleted)
• Source/JavaScriptCore/runtime/LazyClassStructureInlines.h (deleted)
• Source/JavaScriptCore/runtime/LazyProperty.h (deleted)
• Source/JavaScriptCore/runtime/LazyPropertyInlines.h (deleted)
• Source/JavaScriptCore/runtime/Lookup.cpp (modified) (3 diffs)
• Source/JavaScriptCore/runtime/Lookup.h (modified) (9 diffs)
• Source/JavaScriptCore/runtime/PropertySlot.h (modified) (2 diffs)
• Source/JavaScriptCore/runtime/TypedArrayType.h (modified) (2 diffs)
• Source/WTF/ChangeLog (modified) (1 diff)
• Source/WTF/wtf/StdLibExtras.h (modified) (4 diffs)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/bindings/js/JSHTMLElementCustom.cpp (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2016-05-04  Chris Dumez  <cdumez@apple.com>
+
+        Unreviewed, rolling out r200383 and r200406.
+
+        Seems to have caused crashes on iOS / ARMv7s
+
+        Reverted changesets:
+
+        "Speed up JSGlobalObject initialization by making some
+        properties lazy"
+        https://bugs.webkit.org/show_bug.cgi?id=157045
+        http://trac.webkit.org/changeset/200383
+
+        "REGRESSION(r200383): Setting lazily initialized properties
+        across frame boundaries crashes"
+        https://bugs.webkit.org/show_bug.cgi?id=157333
+        http://trac.webkit.org/changeset/200406
+
 2016-05-04  Joanmarie Diggs  <jdiggs@igalia.com>
 

trunk/Source/JavaScriptCore/API/JSCallbackFunction.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2006, 2008, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2006, 2008 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -59 +59 @@
 JSCallbackFunction* JSCallbackFunction::create(VM& vm, JSGlobalObject* globalObject, JSObjectCallAsFunctionCallback callback, const String& name)
 {
-    Structure* structure = globalObject->callbackFunctionStructure();
-    JSCallbackFunction* function = new (NotNull, allocateCell<JSCallbackFunction>(vm.heap)) JSCallbackFunction(vm, structure, callback);
+    JSCallbackFunction* function = new (NotNull, allocateCell<JSCallbackFunction>(vm.heap)) JSCallbackFunction(vm, globalObject->callbackFunctionStructure(), callback);
     function->finishCreation(vm, name);
     return function;

trunk/Source/JavaScriptCore/API/ObjCCallbackFunction.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2013, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2013 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -63 +63 @@
 
 protected:
-    ObjCCallbackFunction(VM&, Structure*, JSObjectCallAsFunctionCallback, JSObjectCallAsConstructorCallback, std::unique_ptr<ObjCCallbackFunctionImpl>);
+    ObjCCallbackFunction(VM&, JSGlobalObject*, JSObjectCallAsFunctionCallback, JSObjectCallAsConstructorCallback, std::unique_ptr<ObjCCallbackFunctionImpl>);
 
 private:

trunk/Source/JavaScriptCore/API/ObjCCallbackFunction.mm

@@ -1 +1 @@
 /*
- * Copyright (C) 2013, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2013 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -499 +499 @@
 const JSC::ClassInfo ObjCCallbackFunction::s_info = { "CallbackFunction", &Base::s_info, 0, CREATE_METHOD_TABLE(ObjCCallbackFunction) };
 
-ObjCCallbackFunction::ObjCCallbackFunction(JSC::VM& vm, JSC::Structure* structure, JSObjectCallAsFunctionCallback functionCallback, JSObjectCallAsConstructorCallback constructCallback, std::unique_ptr<ObjCCallbackFunctionImpl> impl)
-    : Base(vm, structure)
+ObjCCallbackFunction::ObjCCallbackFunction(JSC::VM& vm, JSC::JSGlobalObject* globalObject, JSObjectCallAsFunctionCallback functionCallback, JSObjectCallAsConstructorCallback constructCallback, std::unique_ptr<ObjCCallbackFunctionImpl> impl)
+    : Base(vm, globalObject->objcCallbackFunctionStructure())
     , m_functionCallback(functionCallback)
     , m_constructCallback(constructCallback)
@@ -509 +509 @@
 ObjCCallbackFunction* ObjCCallbackFunction::create(JSC::VM& vm, JSC::JSGlobalObject* globalObject, const String& name, std::unique_ptr<ObjCCallbackFunctionImpl> impl)
 {
-    Structure* structure = globalObject->objcCallbackFunctionStructure();
-    ObjCCallbackFunction* function = new (NotNull, allocateCell<ObjCCallbackFunction>(vm.heap)) ObjCCallbackFunction(vm, structure, objCCallbackFunctionCallAsFunction, objCCallbackFunctionCallAsConstructor, WTFMove(impl));
+    ObjCCallbackFunction* function = new (NotNull, allocateCell<ObjCCallbackFunction>(vm.heap)) ObjCCallbackFunction(vm, globalObject, objCCallbackFunctionCallAsFunction, objCCallbackFunctionCallAsConstructor, WTFMove(impl));
     function->finishCreation(vm, name);
     return function;

trunk/Source/JavaScriptCore/CMakeLists.txt

@@ -741 +741 @@
     runtime/JSWithScope.cpp
     runtime/JSWrapperObject.cpp
-    runtime/LazyClassStructure.cpp
     runtime/LiteralParser.cpp
     runtime/Lookup.cpp

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2016-05-04  Chris Dumez  <cdumez@apple.com>
+
+        Unreviewed, rolling out r200383 and r200406.
+
+        Seems to have caused crashes on iOS / ARMv7s
+
+        Reverted changesets:
+
+        "Speed up JSGlobalObject initialization by making some
+        properties lazy"
+        https://bugs.webkit.org/show_bug.cgi?id=157045
+        http://trac.webkit.org/changeset/200383
+
+        "REGRESSION(r200383): Setting lazily initialized properties
+        across frame boundaries crashes"
+        https://bugs.webkit.org/show_bug.cgi?id=157333
+        http://trac.webkit.org/changeset/200406
+
 2016-05-04  Yusuke Suzuki  <utatane.tea@gmail.com>
 

trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

@@ -1996 +1996 @@
                 DC2143071CA32E55000A8869 /* ICStats.h in Headers */ = {isa = PBXBuildFile; fileRef = DC2143061CA32E52000A8869 /* ICStats.h */; };
                 DC2143081CA32E58000A8869 /* ICStats.cpp in Sources */ = {isa = PBXBuildFile; fileRef = DC2143051CA32E52000A8869 /* ICStats.cpp */; };
-                DCF3D5691CD2946D003D5C65 /* LazyClassStructure.cpp in Sources */ = {isa = PBXBuildFile; fileRef = DCF3D5641CD29468003D5C65 /* LazyClassStructure.cpp */; };
-                DCF3D56A1CD29470003D5C65 /* LazyClassStructure.h in Headers */ = {isa = PBXBuildFile; fileRef = DCF3D5651CD29468003D5C65 /* LazyClassStructure.h */; settings = {ATTRIBUTES = (Private, ); }; };
-                DCF3D56B1CD29472003D5C65 /* LazyClassStructureInlines.h in Headers */ = {isa = PBXBuildFile; fileRef = DCF3D5661CD29468003D5C65 /* LazyClassStructureInlines.h */; };
-                DCF3D56C1CD29475003D5C65 /* LazyProperty.h in Headers */ = {isa = PBXBuildFile; fileRef = DCF3D5671CD29468003D5C65 /* LazyProperty.h */; settings = {ATTRIBUTES = (Private, ); }; };
-                DCF3D56D1CD29476003D5C65 /* LazyPropertyInlines.h in Headers */ = {isa = PBXBuildFile; fileRef = DCF3D5681CD29468003D5C65 /* LazyPropertyInlines.h */; };
                 DE26E9031CB5DD0500D2BE82 /* BuiltinExecutableCreator.h in Headers */ = {isa = PBXBuildFile; fileRef = DE26E9021CB5DD0500D2BE82 /* BuiltinExecutableCreator.h */; };
                 DE26E9071CB5DEFB00D2BE82 /* BuiltinExecutableCreator.cpp in Sources */ = {isa = PBXBuildFile; fileRef = DE26E9061CB5DD9600D2BE82 /* BuiltinExecutableCreator.cpp */; };
@@ -4210 +4205 @@
                 DC2143051CA32E52000A8869 /* ICStats.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ICStats.cpp; sourceTree = "<group>"; };
                 DC2143061CA32E52000A8869 /* ICStats.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ICStats.h; sourceTree = "<group>"; };
-                DCF3D5641CD29468003D5C65 /* LazyClassStructure.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = LazyClassStructure.cpp; sourceTree = "<group>"; };
-                DCF3D5651CD29468003D5C65 /* LazyClassStructure.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = LazyClassStructure.h; sourceTree = "<group>"; };
-                DCF3D5661CD29468003D5C65 /* LazyClassStructureInlines.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = LazyClassStructureInlines.h; sourceTree = "<group>"; };
-                DCF3D5671CD29468003D5C65 /* LazyProperty.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = LazyProperty.h; sourceTree = "<group>"; };
-                DCF3D5681CD29468003D5C65 /* LazyPropertyInlines.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = LazyPropertyInlines.h; sourceTree = "<group>"; };
                 DE26E9021CB5DD0500D2BE82 /* BuiltinExecutableCreator.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = BuiltinExecutableCreator.h; sourceTree = "<group>"; };
                 DE26E9061CB5DD9600D2BE82 /* BuiltinExecutableCreator.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = BuiltinExecutableCreator.cpp; sourceTree = "<group>"; };
@@ -5507 +5497 @@
                         isa = PBXGroup;
                         children = (
-                                DCF3D5641CD29468003D5C65 /* LazyClassStructure.cpp */,
-                                DCF3D5651CD29468003D5C65 /* LazyClassStructure.h */,
-                                DCF3D5661CD29468003D5C65 /* LazyClassStructureInlines.h */,
-                                DCF3D5671CD29468003D5C65 /* LazyProperty.h */,
-                                DCF3D5681CD29468003D5C65 /* LazyPropertyInlines.h */,
                                 BCF605110E203EF800B9A64D /* ArgList.cpp */,
                                 BCF605120E203EF800B9A64D /* ArgList.h */,
@@ -7143 +7128 @@
                                 0FFC99D1184EC8AD009C10AB /* ConstantMode.h in Headers */,
                                 E354622B1B6065D100545386 /* ConstructAbility.h in Headers */,
-                                DCF3D56D1CD29476003D5C65 /* LazyPropertyInlines.h in Headers */,
                                 BC18C3F60E16F5CD00B34460 /* ConstructData.h in Headers */,
                                 A57D23F21891B5B40031C7FA /* ContentSearchUtilities.h in Headers */,
@@ -7787 +7771 @@
                                 BC18C4310E16F5CD00B34460 /* Lexer.h in Headers */,
                                 BC18C52E0E16FCE100B34460 /* Lexer.lut.h in Headers */,
-                                DCF3D56B1CD29472003D5C65 /* LazyClassStructureInlines.h in Headers */,
                                 FE187A021BFBE5610038BBCA /* JITMulGenerator.h in Headers */,
                                 86D3B3C310159D7F002865E7 /* LinkBuffer.h in Headers */,
@@ -7865 +7848 @@
                                 86F3EEBF168CDE930077B92A /* ObjcRuntimeExtras.h in Headers */,
                                 14CA958D16AB50FA00938A06 /* ObjectAllocationProfile.h in Headers */,
-                                DCF3D56C1CD29475003D5C65 /* LazyProperty.h in Headers */,
                                 BC18C4450E16F5CD00B34460 /* ObjectConstructor.h in Headers */,
                                 996B73221BDA08EF00331B84 /* ObjectConstructor.lut.h in Headers */,
@@ -7881 +7863 @@
                                 93052C350FB792190048FDC3 /* ParserArena.h in Headers */,
                                 0FCCAE4516D0CF7400D0C65B /* ParserError.h in Headers */,
-                                DCF3D56A1CD29470003D5C65 /* LazyClassStructure.h in Headers */,
                                 A77F1825164192C700640A47 /* ParserModes.h in Headers */,
                                 65303D641447B9E100D3F904 /* ParserTokens.h in Headers */,
@@ -8947 +8928 @@
                                 FE1C0FFF1B194FD100B53FCA /* Exception.cpp in Sources */,
                                 0F12DE0F1979D5FD0006FF4E /* ExceptionFuzz.cpp in Sources */,
-                                DCF3D5691CD2946D003D5C65 /* LazyClassStructure.cpp in Sources */,
                                 1429D8780ED21ACD00B89619 /* ExceptionHelpers.cpp in Sources */,
                                 86CA032E1038E8440028A609 /* Executable.cpp in Sources */,

trunk/Source/JavaScriptCore/create_hash_table

@@ -6 +6 @@
 #                  David Faure <faure@kde.org>
 # Modified (c) 2004 by Nikolas Zimmermann <wildfox@kde.org>
-# Copyright (C) 2007, 2008, 2009, 2015-2016 Apple Inc. All rights reserved.
+# Copyright (C) 2007, 2008, 2009, 2015 Apple Inc. All rights reserved.
 #
 # This library is free software; you can redistribute it and/or
@@ -98 +98 @@
             $hasSetter = "true";
             push(@values, { "type" => "Accessor", "get" => $get, "put" => $put });
-        } elsif ($att =~ m/CellProperty/) {
-            my $property = $val;
-            push(@values, { "type" => "CellProperty", "property" => $property });
-        } elsif ($att =~ m/ClassStructure/) {
-            my $property = $val;
-            push(@values, { "type" => "ClassStructure", "property" => $property });
-        } elsif ($att =~ m/PropertyCallback/) {
-            my $cback = $val;
-            push(@values, { "type" => "PropertyCallback", "cback" => $cback });
         } elsif (length($att)) {
             my $get = $val;
@@ -308 +299 @@
             $firstValue = $values[$i]{"value"};
             $secondValue = "0";
-        } elsif ($values[$i]{"type"} eq "CellProperty" || $values[$i]{"type"} eq "ClassStructure") {
-            $values[$i]{"property"} =~ /\A([a-zA-Z0-9_]+)::(.*)\Z/ or die;
-            $firstValue = "OBJECT_OFFSETOF($1, $2)";
-            $secondValue = "0";
-        } elsif ($values[$i]{"type"} eq "PropertyCallback") {
-            $firstCastStr = "static_cast<LazyPropertyCallback>";
-            $firstValue = $values[$i]{"cback"};
-            $secondValue = "0";
         }
 

trunk/Source/JavaScriptCore/debugger/DebuggerScope.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2008-2009, 2014, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2009, 2014 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -37 +37 @@
 const ClassInfo DebuggerScope::s_info = { "DebuggerScope", &Base::s_info, 0, CREATE_METHOD_TABLE(DebuggerScope) };
 
-DebuggerScope* DebuggerScope::create(VM& vm, JSScope* scope)
-{
-    Structure* structure = scope->globalObject()->debuggerScopeStructure();
-    DebuggerScope* debuggerScope = new (NotNull, allocateCell<DebuggerScope>(vm.heap)) DebuggerScope(vm, structure, scope);
-    debuggerScope->finishCreation(vm);
-    return debuggerScope;
-}
-
-DebuggerScope::DebuggerScope(VM& vm, Structure* structure, JSScope* scope)
-    : JSNonFinalObject(vm, structure)
+DebuggerScope::DebuggerScope(VM& vm, JSScope* scope)
+    : JSNonFinalObject(vm, scope->globalObject()->debuggerScopeStructure())
 {
     ASSERT(scope);

trunk/Source/JavaScriptCore/debugger/DebuggerScope.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2008-2009, 2014, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2009, 2014 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -39 +39 @@
     static const unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetPropertyNames;
 
-    JS_EXPORT_PRIVATE static DebuggerScope* create(VM& vm, JSScope* scope);
+    static DebuggerScope* create(VM& vm, JSScope* scope)
+    {
+        DebuggerScope* debuggerScope = new (NotNull, allocateCell<DebuggerScope>(vm.heap)) DebuggerScope(vm, scope);
+        debuggerScope->finishCreation(vm);
+        return debuggerScope;
+    }
 
     static void visitChildren(JSCell*, SlotVisitor&);
@@ -92 +97 @@
 
 private:
-    DebuggerScope(VM&, Structure*, JSScope*);
-    void finishCreation(VM&);
+    JS_EXPORT_PRIVATE DebuggerScope(VM&, JSScope*);
+    JS_EXPORT_PRIVATE void finishCreation(VM&);
 
     JSScope* jsScope() const { return m_scope.get(); }

trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

@@ -1867 +1867 @@
         forNode(node).set(
             m_graph,
-            m_graph.globalObjectFor(node->origin.semantic)->typedArrayStructureConcurrently(
+            m_graph.globalObjectFor(node->origin.semantic)->typedArrayStructure(
                 node->typedArrayType()));
         break;

trunk/Source/JavaScriptCore/dfg/DFGAbstractValue.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2013-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2015 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -78 +78 @@
 void AbstractValue::set(Graph& graph, Structure* structure)
 {
-    RELEASE_ASSERT(structure);
-    
     m_structure = structure;
     m_arrayModes = asArrayModes(structure->indexingType());

trunk/Source/JavaScriptCore/dfg/DFGArrayMode.cpp

@@ -324 +324 @@
         default:
             CRASH();
-            return nullptr;
+            return 0;
         }
     }
@@ -331 +331 @@
         TypedArrayType type = typedArrayType();
         if (type == NotTypedArray)
-            return nullptr;
-        
-        return globalObject->typedArrayStructureConcurrently(type);
-    }
-        
-    default:
-        return nullptr;
+            return 0;
+        
+        return globalObject->typedArrayStructure(type);
+    }
+        
+    default:
+        return 0;
     }
 }

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -2575 +2575 @@
     
     if (argumentCountIncludingThis != 2)
-        return false;
-    
-    if (!function->globalObject()->typedArrayStructureConcurrently(type))
         return false;
 

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -6764 +6764 @@
     JSGlobalObject* globalObject = m_jit.graph().globalObjectFor(node->origin.semantic);
     TypedArrayType type = node->typedArrayType();
-    Structure* structure = globalObject->typedArrayStructureConcurrently(type);
-    RELEASE_ASSERT(structure);
+    Structure* structure = globalObject->typedArrayStructure(type);
     
     SpeculateInt32Operand size(this, node->child1());

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

@@ -3805 +3805 @@
             callOperation(
                 operationNewTypedArrayWithOneArgumentForType(node->typedArrayType()),
-                resultGPR, globalObject->typedArrayStructureConcurrently(node->typedArrayType()),
+                resultGPR, globalObject->typedArrayStructure(node->typedArrayType()),
                 argumentTagGPR, argumentPayloadGPR);
             m_jit.exceptionCheck();

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -3862 +3862 @@
             callOperation(
                 operationNewTypedArrayWithOneArgumentForType(node->typedArrayType()),
-                resultGPR, globalObject->typedArrayStructureConcurrently(node->typedArrayType()),
+                resultGPR, globalObject->typedArrayStructure(node->typedArrayType()),
                 argumentGPR);
             m_jit.exceptionCheck();

trunk/Source/JavaScriptCore/dfg/DFGStructureRegistrationPhase.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2014-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2014, 2015 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -121 +121 @@
                     
                 case NewTypedArray:
-                    registerStructure(m_graph.globalObjectFor(node->origin.semantic)->typedArrayStructureConcurrently(node->typedArrayType()));
+                    registerStructure(m_graph.globalObjectFor(node->origin.semantic)->typedArrayStructure(node->typedArrayType()));
                     break;
                     

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

@@ -3909 +3909 @@
         switch (m_node->child1().useKind()) {
         case Int32Use: {
-            Structure* structure = globalObject->typedArrayStructureConcurrently(type);
+            Structure* structure = globalObject->typedArrayStructure(type);
 
             LValue size = lowInt32(m_node->child1());
@@ -3970 +3970 @@
             LValue result = vmCall(
                 m_out.intPtr, m_out.operation(operationNewTypedArrayWithOneArgumentForType(type)),
-                m_callFrame, weakPointer(globalObject->typedArrayStructureConcurrently(type)), argument);
+                m_callFrame, weakPointer(globalObject->typedArrayStructure(type)), argument);
 
             setJSValue(result);

trunk/Source/JavaScriptCore/runtime/ClonedArguments.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2015-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2015 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -159 +159 @@
         if (isStrictMode) {
             if (ident == vm.propertyNames->callee) {
-                slot.setGetterSlot(thisObject, DontDelete | DontEnum | Accessor, thisObject->globalObject()->throwTypeErrorGetterSetter());
+                slot.setGetterSlot(thisObject, DontDelete | DontEnum | Accessor, thisObject->globalObject()->throwTypeErrorGetterSetter(vm));
                 return true;
             }
             if (ident == vm.propertyNames->caller) {
-                slot.setGetterSlot(thisObject, DontDelete | DontEnum | Accessor, thisObject->globalObject()->throwTypeErrorGetterSetter());
+                slot.setGetterSlot(thisObject, DontDelete | DontEnum | Accessor, thisObject->globalObject()->throwTypeErrorGetterSetter(vm));
                 return true;
             }
@@ -239 +239 @@
     
     if (isStrictMode) {
-        putDirectAccessor(exec, vm.propertyNames->callee, globalObject()->throwTypeErrorGetterSetter(), DontDelete | DontEnum | Accessor);
-        putDirectAccessor(exec, vm.propertyNames->caller, globalObject()->throwTypeErrorGetterSetter(), DontDelete | DontEnum | Accessor);
+        putDirectAccessor(exec, vm.propertyNames->callee, globalObject()->throwTypeErrorGetterSetter(vm), DontDelete | DontEnum | Accessor);
+        putDirectAccessor(exec, vm.propertyNames->caller, globalObject()->throwTypeErrorGetterSetter(vm), DontDelete | DontEnum | Accessor);
     } else
         putDirect(vm, vm.propertyNames->callee, JSValue(m_callee.get()));

trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp

@@ -763 +763 @@
     int scopeReg = pc[3].u.operand;
     JSScope* currentScope = exec->uncheckedR(scopeReg).Register::scope();
-    RETURN(JSWithScope::create(vm, exec->lexicalGlobalObject(), newScope, currentScope));
+    RETURN(JSWithScope::create(exec, newScope, currentScope));
 }
 

trunk/Source/JavaScriptCore/runtime/FunctionPrototype.cpp

@@ -105 +105 @@
     if (thisValue.inherits(InternalFunction::info())) {
         InternalFunction* function = asInternalFunction(thisValue);
-        return JSValue::encode(jsMakeNontrivialString(exec, "function ", function->name(), "() {\n    [native code]\n}"));
+        return JSValue::encode(jsMakeNontrivialString(exec, "function ", function->name(exec), "() {\n    [native code]\n}"));
     }
 

trunk/Source/JavaScriptCore/runtime/InternalFunction.cpp

@@ -59 +59 @@
 }
 
-const String& InternalFunction::name()
+const String& InternalFunction::name(ExecState*)
 {
     const String& name = m_originalName->tryGetValue();
@@ -89 +89 @@
         return explicitName;
     
-    return name();
+    return name(exec);
 }
 

trunk/Source/JavaScriptCore/runtime/InternalFunction.h

@@ -41 +41 @@
     JS_EXPORT_PRIVATE static void visitChildren(JSCell*, SlotVisitor&);
 
-    JS_EXPORT_PRIVATE const String& name();
+    JS_EXPORT_PRIVATE const String& name(ExecState*);
     const String displayName(ExecState*);
     const String calculatedDisplayName(ExecState*);

trunk/Source/JavaScriptCore/runtime/JSBoundFunction.cpp

@@ -197 +197 @@
     ASSERT(inherits(info()));
 
-    putDirectNonIndexAccessor(vm, vm.propertyNames->arguments, globalObject()->throwTypeErrorGetterSetter(), DontDelete | DontEnum | Accessor);
-    putDirectNonIndexAccessor(vm, vm.propertyNames->caller, globalObject()->throwTypeErrorGetterSetter(), DontDelete | DontEnum | Accessor);
+    putDirectNonIndexAccessor(vm, vm.propertyNames->arguments, globalObject()->throwTypeErrorGetterSetter(vm), DontDelete | DontEnum | Accessor);
+    putDirectNonIndexAccessor(vm, vm.propertyNames->caller, globalObject()->throwTypeErrorGetterSetter(vm), DontDelete | DontEnum | Accessor);
 }
 

trunk/Source/JavaScriptCore/runtime/JSBoundSlotBaseFunction.cpp

@@ -65 +65 @@
     NativeExecutable* executable = vm.getHostFunction(boundSlotBaseFunctionCall, callHostFunctionAsConstructor, name);
 
-    Structure* structure = globalObject->boundSlotBaseFunctionStructure();
-    JSBoundSlotBaseFunction* function = new (NotNull, allocateCell<JSBoundSlotBaseFunction>(vm.heap)) JSBoundSlotBaseFunction(vm, globalObject, structure, type);
+    JSBoundSlotBaseFunction* function = new (NotNull, allocateCell<JSBoundSlotBaseFunction>(vm.heap)) JSBoundSlotBaseFunction(vm, globalObject, globalObject->boundSlotBaseFunctionStructure(), type);
 
     // Can't do this during initialization because getHostFunction might do a GC allocation.

trunk/Source/JavaScriptCore/runtime/JSFunction.cpp

@@ -320 +320 @@
 }
 
-static GetterSetter* getThrowTypeErrorGetterSetter(JSFunction* function)
+static GetterSetter* getThrowTypeErrorGetterSetter(ExecState* exec, JSFunction* function)
 {
     return function->jsExecutable()->isClassConstructorFunction() || function->jsExecutable()->parseMode() == SourceParseMode::MethodMode
-        ? function->globalObject()->throwTypeErrorArgumentsAndCallerGetterSetter()
-        : function->globalObject()->throwTypeErrorGetterSetter();
+        ? function->globalObject()->throwTypeErrorArgumentsAndCallerGetterSetter(exec->vm())
+        : function->globalObject()->throwTypeErrorGetterSetter(exec->vm());
 }
 
@@ -376 +376 @@
             bool result = Base::getOwnPropertySlot(thisObject, exec, propertyName, slot);
             if (!result) {
-                GetterSetter* errorGetterSetter = getThrowTypeErrorGetterSetter(thisObject);
+                GetterSetter* errorGetterSetter = getThrowTypeErrorGetterSetter(exec, thisObject);
                 thisObject->putDirectAccessor(exec, propertyName, errorGetterSetter, DontDelete | DontEnum | Accessor);
                 result = Base::getOwnPropertySlot(thisObject, exec, propertyName, slot);
@@ -391 +391 @@
             bool result = Base::getOwnPropertySlot(thisObject, exec, propertyName, slot);
             if (!result) {
-                GetterSetter* errorGetterSetter = getThrowTypeErrorGetterSetter(thisObject);
+                GetterSetter* errorGetterSetter = getThrowTypeErrorGetterSetter(exec, thisObject);
                 thisObject->putDirectAccessor(exec, propertyName, errorGetterSetter, DontDelete | DontEnum | Accessor);
                 result = Base::getOwnPropertySlot(thisObject, exec, propertyName, slot);
@@ -500 +500 @@
             PropertySlot slot(thisObject, PropertySlot::InternalMethodType::VMInquiry);
             if (!Base::getOwnPropertySlot(thisObject, exec, propertyName, slot))
-                thisObject->putDirectAccessor(exec, propertyName, thisObject->globalObject()->throwTypeErrorGetterSetter(), DontDelete | DontEnum | Accessor);
+                thisObject->putDirectAccessor(exec, propertyName, thisObject->globalObject()->throwTypeErrorGetterSetter(exec->vm()), DontDelete | DontEnum | Accessor);
             return Base::defineOwnProperty(object, exec, propertyName, descriptor, throwException);
         }
@@ -508 +508 @@
             PropertySlot slot(thisObject, PropertySlot::InternalMethodType::VMInquiry);
             if (!Base::getOwnPropertySlot(thisObject, exec, propertyName, slot))
-                thisObject->putDirectAccessor(exec, propertyName, thisObject->globalObject()->throwTypeErrorGetterSetter(), DontDelete | DontEnum | Accessor);
+                thisObject->putDirectAccessor(exec, propertyName, thisObject->globalObject()->throwTypeErrorGetterSetter(exec->vm()), DontDelete | DontEnum | Accessor);
             return Base::defineOwnProperty(object, exec, propertyName, descriptor, throwException);
         }

trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewConstructorInlines.h

@@ -222 +222 @@
 EncodedJSValue JSC_HOST_CALL constructGenericTypedArrayView(ExecState* exec)
 {
-    InternalFunction* function = asInternalFunction(exec->callee());
-    Structure* parentStructure = function->globalObject()->typedArrayStructure(ViewClass::TypedArrayStorageType);
-    Structure* structure = InternalFunction::createSubclassStructure(exec, exec->newTarget(), parentStructure);
+    Structure* structure = InternalFunction::createSubclassStructure(exec, exec->newTarget(), asInternalFunction(exec->callee())->globalObject()->typedArrayStructure(ViewClass::TypedArrayStorageType));
     if (exec->hadException())
         return JSValue::encode(JSValue());

trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp

@@ -111 +111 @@
 #include "JSWeakSet.h"
 #include "JSWithScope.h"
-#include "LazyClassStructureInlines.h"
-#include "LazyPropertyInlines.h"
 #include "LegacyProfiler.h"
 #include "Lookup.h"
@@ -175 +173 @@
 #endif
 
-namespace JSC {
-
-static JSValue createProxyProperty(VM& vm, JSObject* object)
-{
-    JSGlobalObject* global = jsCast<JSGlobalObject*>(object);
-    return ProxyConstructor::create(vm, ProxyConstructor::createStructure(vm, global, global->functionPrototype()));
-}
-
-static JSValue createJSONProperty(VM& vm, JSObject* object)
-{
-    JSGlobalObject* global = jsCast<JSGlobalObject*>(object);
-    return JSONObject::create(vm, JSONObject::createStructure(vm, global, global->objectPrototype()));
-}
-
-static JSValue createMathProperty(VM& vm, JSObject* object)
-{
-    JSGlobalObject* global = jsCast<JSGlobalObject*>(object);
-    return MathObject::create(vm, global, MathObject::createStructure(vm, global, global->objectPrototype()));
-}
-
-} // namespace JSC
-
 #include "JSGlobalObject.lut.h"
 
@@ -207 +183 @@
 /* Source for JSGlobalObject.lut.h
 @begin globalObjectTable
-  parseFloat            globalFuncParseFloat                         DontEnum|Function 1
-  isNaN                 globalFuncIsNaN                              DontEnum|Function 1
-  isFinite              globalFuncIsFinite                           DontEnum|Function 1
-  escape                globalFuncEscape                             DontEnum|Function 1
-  unescape              globalFuncUnescape                           DontEnum|Function 1
-  decodeURI             globalFuncDecodeURI                          DontEnum|Function 1
-  decodeURIComponent    globalFuncDecodeURIComponent                 DontEnum|Function 1
-  encodeURI             globalFuncEncodeURI                          DontEnum|Function 1
-  encodeURIComponent    globalFuncEncodeURIComponent                 DontEnum|Function 1
-  EvalError             JSGlobalObject::m_evalErrorConstructor       DontEnum|CellProperty
-  ReferenceError        JSGlobalObject::m_referenceErrorConstructor  DontEnum|CellProperty
-  SyntaxError           JSGlobalObject::m_syntaxErrorConstructor     DontEnum|CellProperty
-  URIError              JSGlobalObject::m_URIErrorConstructor        DontEnum|CellProperty
-  Proxy                 createProxyProperty                          DontEnum|PropertyCallback
-  JSON                  createJSONProperty                           DontEnum|PropertyCallback
-  Math                  createMathProperty                           DontEnum|PropertyCallback
-  Int8Array             JSGlobalObject::m_typedArrayInt8             DontEnum|ClassStructure
-  Int16Array            JSGlobalObject::m_typedArrayInt16            DontEnum|ClassStructure
-  Int32Array            JSGlobalObject::m_typedArrayInt32            DontEnum|ClassStructure
-  Uint8Array            JSGlobalObject::m_typedArrayUint8            DontEnum|ClassStructure
-  Uint8ClampedArray     JSGlobalObject::m_typedArrayUint8Clamped     DontEnum|ClassStructure
-  Uint16Array           JSGlobalObject::m_typedArrayUint16           DontEnum|ClassStructure
-  Uint32Array           JSGlobalObject::m_typedArrayUint32           DontEnum|ClassStructure
-  Float32Array          JSGlobalObject::m_typedArrayFloat32          DontEnum|ClassStructure
-  Float64Array          JSGlobalObject::m_typedArrayFloat64          DontEnum|ClassStructure
-  DataView              JSGlobalObject::m_typedArrayDataView         DontEnum|ClassStructure
-  Set                   JSGlobalObject::m_setStructure               DontEnum|ClassStructure
-  Map                   JSGlobalObject::m_mapStructure               DontEnum|ClassStructure
-  Date                  JSGlobalObject::m_dateStructure              DontEnum|ClassStructure
-  Boolean               JSGlobalObject::m_booleanObjectStructure     DontEnum|ClassStructure
-  Number                JSGlobalObject::m_numberObjectStructure      DontEnum|ClassStructure
-  WeakMap               JSGlobalObject::m_weakMapStructure           DontEnum|ClassStructure
-  WeakSet               JSGlobalObject::m_weakSetStructure           DontEnum|ClassStructure
+  parseFloat            globalFuncParseFloat            DontEnum|Function 1
+  isNaN                 globalFuncIsNaN                 DontEnum|Function 1
+  isFinite              globalFuncIsFinite              DontEnum|Function 1
+  escape                globalFuncEscape                DontEnum|Function 1
+  unescape              globalFuncUnescape              DontEnum|Function 1
+  decodeURI             globalFuncDecodeURI             DontEnum|Function 1
+  decodeURIComponent    globalFuncDecodeURIComponent    DontEnum|Function 1
+  encodeURI             globalFuncEncodeURI             DontEnum|Function 1
+  encodeURIComponent    globalFuncEncodeURIComponent    DontEnum|Function 1
 @end
 */
@@ -340 +292 @@
 
     m_functionStructure.set(vm, this, JSFunction::createStructure(vm, this, m_functionPrototype.get()));
-    m_boundSlotBaseFunctionStructure.initLater(
-        [] (const Initializer<Structure>& init) {
-            init.set(JSBoundSlotBaseFunction::createStructure(init.vm, init.owner, init.owner->m_functionPrototype.get()));
-        });
-    m_boundFunctionStructure.initLater(
-        [] (const Initializer<Structure>& init) {
-            init.set(JSBoundFunction::createStructure(init.vm, init.owner, init.owner->m_functionPrototype.get()));
-        });
+    m_boundSlotBaseFunctionStructure.set(vm, this, JSBoundSlotBaseFunction::createStructure(vm, this, m_functionPrototype.get()));
+    m_boundFunctionStructure.set(vm, this, JSBoundFunction::createStructure(vm, this, m_functionPrototype.get()));
     m_getterSetterStructure.set(vm, this, GetterSetter::createStructure(vm, this, jsNull()));
-    m_nativeStdFunctionStructure.initLater(
-        [] (const Initializer<Structure>& init) {
-            init.set(JSNativeStdFunction::createStructure(init.vm, init.owner, init.owner->m_functionPrototype.get()));
-        });
-    m_namedFunctionStructure.initLater(
-        [] (const Initializer<Structure>& init) {
-            init.set(Structure::addPropertyTransition(init.vm, init.owner->m_functionStructure.get(), init.vm.propertyNames->name, DontDelete | ReadOnly | DontEnum, init.owner->m_functionNameOffset));
-        });
+    m_nativeStdFunctionStructure.set(vm, this, JSNativeStdFunction::createStructure(vm, this, m_functionPrototype.get()));
+    m_namedFunctionStructure.set(vm, this, Structure::addPropertyTransition(vm, m_functionStructure.get(), vm.propertyNames->name, DontDelete | ReadOnly | DontEnum, m_functionNameOffset));
+    m_internalFunctionStructure.set(vm, this, InternalFunction::createStructure(vm, this, m_functionPrototype.get()));
     JSFunction* callFunction = 0;
     JSFunction* applyFunction = 0;
@@ -363 +304 @@
     m_callFunction.set(vm, this, callFunction);
     m_applyFunction.set(vm, this, applyFunction);
-    m_arrayProtoValuesFunction.initLater(
-        [] (const Initializer<JSFunction>& init) {
-            init.set(JSFunction::create(init.vm, init.owner, 0, init.vm.propertyNames->values.string(), arrayProtoFuncValues));
-        });
-    m_initializePromiseFunction.initLater(
-        [] (const Initializer<JSFunction>& init) {
-            init.set(JSFunction::createBuiltinFunction(init.vm, promiseOperationsInitializePromiseCodeGenerator(init.vm), init.owner));
-        });
+    m_arrayProtoValuesFunction.set(vm, this, JSFunction::create(vm, this, 0, vm.propertyNames->values.string(), arrayProtoFuncValues));
+    m_initializePromiseFunction.set(vm, this, JSFunction::createBuiltinFunction(vm, promiseOperationsInitializePromiseCodeGenerator(vm), this));
     m_newPromiseCapabilityFunction.set(vm, this, JSFunction::createBuiltinFunction(vm, promiseOperationsNewPromiseCapabilityCodeGenerator(vm), this));
     m_functionProtoHasInstanceSymbolFunction.set(vm, this, hasInstanceSymbolFunction);
-    m_throwTypeErrorGetterSetter.initLater(
-        [] (const Initializer<GetterSetter>& init) {
-            JSFunction* thrower = JSFunction::create(init.vm, init.owner, 0, String(), globalFuncThrowTypeError);
-            GetterSetter* getterSetter = GetterSetter::create(init.vm, init.owner);
-            getterSetter->setGetter(init.vm, init.owner, thrower);
-            getterSetter->setSetter(init.vm, init.owner, thrower);
-            init.set(getterSetter);
-        });
-    m_throwTypeErrorArgumentsAndCallerGetterSetter.initLater(
-        [] (const Initializer<GetterSetter>& init) {
-            JSFunction* thrower = JSFunction::create(init.vm, init.owner, 0, String(), globalFuncThrowTypeErrorArgumentsAndCaller);
-            GetterSetter* getterSetter = GetterSetter::create(init.vm, init.owner);
-            getterSetter->setGetter(init.vm, init.owner, thrower);
-            getterSetter->setSetter(init.vm, init.owner, thrower);
-            init.set(getterSetter);
-        });
     m_nullGetterFunction.set(vm, this, NullGetterFunction::create(vm, NullGetterFunction::createStructure(vm, this, m_functionPrototype.get())));
     m_nullSetterFunction.set(vm, this, NullSetterFunction::create(vm, NullSetterFunction::createStructure(vm, this, m_functionPrototype.get())));
@@ -398 +317 @@
     m_functionPrototype->structure()->setPrototypeWithoutTransition(vm, m_objectPrototype.get());
 
-    m_speciesGetterSetter.set(vm, this, GetterSetter::create(vm, this));
-    m_speciesGetterSetter->setGetter(vm, this, JSFunction::createBuiltinFunction(vm, globalObjectSpeciesGetterCodeGenerator(vm), this, "get [Symbol.species]"));
-
-    m_typedArrayProto.initLater(
-        [] (const Initializer<JSTypedArrayViewPrototype>& init) {
-            init.set(JSTypedArrayViewPrototype::create(init.vm, init.owner, JSTypedArrayViewPrototype::createStructure(init.vm, init.owner, init.owner->m_objectPrototype.get())));
-            
-            // Make sure that the constructor gets initialized, too.
-            init.owner->m_typedArraySuperConstructor.get(init.owner);
-        });
-    m_typedArraySuperConstructor.initLater(
-        [] (const Initializer<JSTypedArrayViewConstructor>& init) {
-            JSTypedArrayViewPrototype* prototype = init.owner->m_typedArrayProto.get(init.owner);
-            JSTypedArrayViewConstructor* constructor = JSTypedArrayViewConstructor::create(init.vm, init.owner, JSTypedArrayViewConstructor::createStructure(init.vm, init.owner, init.owner->m_functionPrototype.get()), prototype, init.owner->m_speciesGetterSetter.get());
-            prototype->putDirectWithoutTransition(init.vm, init.vm.propertyNames->constructor, constructor, DontEnum);
-            init.set(constructor);
-        });
-    
-#define INIT_TYPED_ARRAY_LATER(type) \
-    m_typedArray ## type.initLater( \
-        [] (LazyClassStructure::Initializer& init) { \
-            init.setPrototype(JS ## type ## ArrayPrototype::create(init.vm, init.global, JS ## type ## ArrayPrototype::createStructure(init.vm, init.global, init.global->m_typedArrayProto.get(init.global)))); \
-            init.setStructure(JS ## type ## Array::createStructure(init.vm, init.global, init.prototype)); \
-            init.setConstructor(JS ## type ## ArrayConstructor::create(init.vm, init.global, JS ## type ## ArrayConstructor::createStructure(init.vm, init.global, init.global->m_typedArraySuperConstructor.get(init.global)), init.prototype, ASCIILiteral(#type "Array"), typedArrayConstructorAllocate ## type ## ArrayCodeGenerator(init.vm))); \
-            init.global->putDirectWithoutTransition(init.vm, init.vm.propertyNames->type ## ArrayPrivateName, init.constructor, DontEnum); \
-        });
-    FOR_EACH_TYPED_ARRAY_TYPE_EXCLUDING_DATA_VIEW(INIT_TYPED_ARRAY_LATER)
-#undef INIT_TYPED_ARRAY_LATER
-    
-    m_typedArrayDataView.initLater(
-        [] (LazyClassStructure::Initializer& init) {
-            init.setPrototype(JSDataViewPrototype::create(init.vm, JSDataViewPrototype::createStructure(init.vm, init.global, init.global->m_objectPrototype.get())));
-            init.setStructure(JSDataView::createStructure(init.vm, init.global, init.prototype));
-            init.setConstructor(JSDataViewConstructor::create(init.vm, init.global, JSDataViewConstructor::createStructure(init.vm, init.global, init.global->m_functionPrototype.get()), init.prototype, ASCIILiteral("DataView"), nullptr));
-        });
+    JSTypedArrayViewPrototype* typedArrayProto = JSTypedArrayViewPrototype::create(vm, this, JSTypedArrayViewPrototype::createStructure(vm, this, m_objectPrototype.get()));
+
+    m_typedArrays[toIndex(TypeInt8)].prototype.set(vm, this, JSInt8ArrayPrototype::create(vm, this, JSInt8ArrayPrototype::createStructure(vm, this, typedArrayProto)));
+    m_typedArrays[toIndex(TypeInt16)].prototype.set(vm, this, JSInt16ArrayPrototype::create(vm, this, JSInt16ArrayPrototype::createStructure(vm, this, typedArrayProto)));
+    m_typedArrays[toIndex(TypeInt32)].prototype.set(vm, this, JSInt32ArrayPrototype::create(vm, this, JSInt32ArrayPrototype::createStructure(vm, this, typedArrayProto)));
+    m_typedArrays[toIndex(TypeUint8)].prototype.set(vm, this, JSUint8ArrayPrototype::create(vm, this, JSUint8ArrayPrototype::createStructure(vm, this, typedArrayProto)));
+    m_typedArrays[toIndex(TypeUint8Clamped)].prototype.set(vm, this, JSUint8ClampedArrayPrototype::create(vm, this, JSUint8ClampedArrayPrototype::createStructure(vm, this, typedArrayProto)));
+    m_typedArrays[toIndex(TypeUint16)].prototype.set(vm, this, JSUint16ArrayPrototype::create(vm, this, JSUint16ArrayPrototype::createStructure(vm, this, typedArrayProto)));
+    m_typedArrays[toIndex(TypeUint32)].prototype.set(vm, this, JSUint32ArrayPrototype::create(vm, this, JSUint32ArrayPrototype::createStructure(vm, this, typedArrayProto)));
+    m_typedArrays[toIndex(TypeFloat32)].prototype.set(vm, this, JSFloat32ArrayPrototype::create(vm, this, JSFloat32ArrayPrototype::createStructure(vm, this, typedArrayProto)));
+    m_typedArrays[toIndex(TypeFloat64)].prototype.set(vm, this, JSFloat64ArrayPrototype::create(vm, this, JSFloat64ArrayPrototype::createStructure(vm, this, typedArrayProto)));
+    m_typedArrays[toIndex(TypeDataView)].prototype.set(vm, this, JSDataViewPrototype::create(vm, JSDataViewPrototype::createStructure(vm, this, m_objectPrototype.get())));
+    
+    m_typedArrays[toIndex(TypeInt8)].structure.set(vm, this, JSInt8Array::createStructure(vm, this, m_typedArrays[toIndex(TypeInt8)].prototype.get()));
+    m_typedArrays[toIndex(TypeInt16)].structure.set(vm, this, JSInt16Array::createStructure(vm, this, m_typedArrays[toIndex(TypeInt16)].prototype.get()));
+    m_typedArrays[toIndex(TypeInt32)].structure.set(vm, this, JSInt32Array::createStructure(vm, this, m_typedArrays[toIndex(TypeInt32)].prototype.get()));
+    m_typedArrays[toIndex(TypeUint8)].structure.set(vm, this, JSUint8Array::createStructure(vm, this, m_typedArrays[toIndex(TypeUint8)].prototype.get()));
+    m_typedArrays[toIndex(TypeUint8Clamped)].structure.set(vm, this, JSUint8ClampedArray::createStructure(vm, this, m_typedArrays[toIndex(TypeUint8Clamped)].prototype.get()));
+    m_typedArrays[toIndex(TypeUint16)].structure.set(vm, this, JSUint16Array::createStructure(vm, this, m_typedArrays[toIndex(TypeUint16)].prototype.get()));
+    m_typedArrays[toIndex(TypeUint32)].structure.set(vm, this, JSUint32Array::createStructure(vm, this, m_typedArrays[toIndex(TypeUint32)].prototype.get()));
+    m_typedArrays[toIndex(TypeFloat32)].structure.set(vm, this, JSFloat32Array::createStructure(vm, this, m_typedArrays[toIndex(TypeFloat32)].prototype.get()));
+    m_typedArrays[toIndex(TypeFloat64)].structure.set(vm, this, JSFloat64Array::createStructure(vm, this, m_typedArrays[toIndex(TypeFloat64)].prototype.get()));
+    m_typedArrays[toIndex(TypeDataView)].structure.set(vm, this, JSDataView::createStructure(vm, this, m_typedArrays[toIndex(TypeDataView)].prototype.get()));
     
     m_lexicalEnvironmentStructure.set(vm, this, JSLexicalEnvironment::createStructure(vm, this));
-    m_moduleEnvironmentStructure.initLater(
-        [] (const Initializer<Structure>& init) {
-            init.set(JSModuleEnvironment::createStructure(init.vm, init.owner));
-        });
+    m_moduleEnvironmentStructure.set(vm, this, JSModuleEnvironment::createStructure(vm, this));
     m_strictEvalActivationStructure.set(vm, this, StrictEvalActivation::createStructure(vm, this, jsNull()));
-    m_debuggerScopeStructure.initLater(
-        [] (const Initializer<Structure>& init) {
-            init.set(DebuggerScope::createStructure(init.vm, init.owner));
-        });
-    m_withScopeStructure.initLater(
-        [] (const Initializer<Structure>& init) {
-            init.set(JSWithScope::createStructure(init.vm, init.owner, jsNull()));
-        });
-    
-    m_nullPrototypeObjectStructure.initLater(
-        [] (const Initializer<Structure>& init) {
-            init.set(JSFinalObject::createStructure(init.vm, init.owner, jsNull(), JSFinalObject::defaultInlineCapacity()));
-        });
-    
-    m_callbackFunctionStructure.initLater(
-        [] (const Initializer<Structure>& init) {
-            init.set(JSCallbackFunction::createStructure(init.vm, init.owner, init.owner->m_functionPrototype.get()));
-        });
+    m_debuggerScopeStructure.set(m_vm, this, DebuggerScope::createStructure(m_vm, this));
+    m_withScopeStructure.set(vm, this, JSWithScope::createStructure(vm, this, jsNull()));
+    
+    m_nullPrototypeObjectStructure.set(vm, this, JSFinalObject::createStructure(vm, this, jsNull(), JSFinalObject::defaultInlineCapacity()));
+    
+    m_callbackFunctionStructure.set(vm, this, JSCallbackFunction::createStructure(vm, this, m_functionPrototype.get()));
     m_directArgumentsStructure.set(vm, this, DirectArguments::createStructure(vm, this, m_objectPrototype.get()));
     m_scopedArgumentsStructure.set(vm, this, ScopedArguments::createStructure(vm, this, m_objectPrototype.get()));
     m_clonedArgumentsStructure.set(vm, this, ClonedArguments::createStructure(vm, this, m_objectPrototype.get()));
-    m_callbackConstructorStructure.initLater(
-        [] (const Initializer<Structure>& init) {
-            init.set(JSCallbackConstructor::createStructure(init.vm, init.owner, init.owner->m_objectPrototype.get()));
-        });
-    m_callbackObjectStructure.initLater(
-        [] (const Initializer<Structure>& init) {
-            init.set(JSCallbackObject<JSDestructibleObject>::createStructure(init.vm, init.owner, init.owner->m_objectPrototype.get()));
-        });
+    m_callbackConstructorStructure.set(vm, this, JSCallbackConstructor::createStructure(vm, this, m_objectPrototype.get()));
+    m_callbackObjectStructure.set(vm, this, JSCallbackObject<JSDestructibleObject>::createStructure(vm, this, m_objectPrototype.get()));
 
 #if JSC_OBJC_API_ENABLED
-    m_objcCallbackFunctionStructure.initLater(
-        [] (const Initializer<Structure>& init) {
-            init.set(ObjCCallbackFunction::createStructure(init.vm, init.owner, init.owner->m_functionPrototype.get()));
-        });
-    m_objcWrapperObjectStructure.initLater(
-        [] (const Initializer<Structure>& init) {
-            init.set(JSCallbackObject<JSAPIWrapperObject>::createStructure(init.vm, init.owner, init.owner->m_objectPrototype.get()));
-        });
+    m_objcCallbackFunctionStructure.set(vm, this, ObjCCallbackFunction::createStructure(vm, this, m_functionPrototype.get()));
+    m_objcWrapperObjectStructure.set(vm, this, JSCallbackObject<JSAPIWrapperObject>::createStructure(vm, this, m_objectPrototype.get()));
 #endif
     
@@ -522 +402 @@
 #undef CREATE_PROTOTYPE_FOR_SIMPLE_TYPE
 
-#define CREATE_PROTOTYPE_FOR_LAZY_TYPE(capitalName, lowerName, properName, instanceType, jsName) \
-    m_ ## properName ## Structure.initLater(\
-        [] (LazyClassStructure::Initializer& init) { \
-            init.setPrototype(capitalName##Prototype::create(init.vm, init.global, capitalName##Prototype::createStructure(init.vm, init.global, init.global->m_objectPrototype.get()))); \
-            init.setStructure(instanceType::createStructure(init.vm, init.global, init.prototype)); \
-            init.setConstructor(capitalName ## Constructor::create(init.vm, capitalName ## Constructor::createStructure(init.vm, init.global, init.global->m_functionPrototype.get()), jsCast<capitalName ## Prototype*>(init.prototype), init.global->m_speciesGetterSetter.get())); \
-        });
-    
-    FOR_EACH_LAZY_BUILTIN_TYPE(CREATE_PROTOTYPE_FOR_LAZY_TYPE)
-    
-#undef CREATE_PROTOTYPE_FOR_LAZY_TYPE
-    
     m_iteratorPrototype.set(vm, this, IteratorPrototype::create(vm, this, IteratorPrototype::createStructure(vm, this, m_objectPrototype.get())));
 
 #define CREATE_PROTOTYPE_FOR_DERIVED_ITERATOR_TYPE(capitalName, lowerName, properName, instanceType, jsName) \
-    m_ ## lowerName ## Structure.initLater( \
-        [] (const Initializer<Structure>& init) { \
-            JSObject* prototype = capitalName ## Prototype::create(init.vm, init.owner, capitalName ## Prototype::createStructure(init.vm, init.owner, init.owner->m_iteratorPrototype.get())); \
-            init.set(instanceType::createStructure(init.vm, init.owner, prototype)); \
-        });
+m_ ## lowerName ## Prototype.set(vm, this, capitalName##Prototype::create(vm, this, capitalName##Prototype::createStructure(vm, this, m_iteratorPrototype.get()))); \
+m_ ## properName ## Structure.set(vm, this, instanceType::createStructure(vm, this, m_ ## lowerName ## Prototype.get()));
+    
     FOR_EACH_BUILTIN_DERIVED_ITERATOR_TYPE(CREATE_PROTOTYPE_FOR_DERIVED_ITERATOR_TYPE)
-#undef CREATE_PROTOTYPE_FOR_DERIVED_ITERATOR_TYPE
-
     m_propertyNameIteratorStructure.set(vm, this, JSPropertyNameIterator::createStructure(vm, this, m_iteratorPrototype.get()));
     m_generatorPrototype.set(vm, this, GeneratorPrototype::create(vm, this, GeneratorPrototype::createStructure(vm, this, m_iteratorPrototype.get())));
     
+#undef CREATE_PROTOTYPE_FOR_DERIVED_ITERATOR_TYPE
+
     // Constructors
+
+    GetterSetter* speciesGetterSetter = GetterSetter::create(vm, this);
+    speciesGetterSetter->setGetter(vm, this, JSFunction::createBuiltinFunction(vm, globalObjectSpeciesGetterCodeGenerator(vm), this, "get [Symbol.species]"));
 
     ObjectConstructor* objectConstructor = ObjectConstructor::create(vm, this, ObjectConstructor::createStructure(vm, this, m_functionPrototype.get()), m_objectPrototype.get());
@@ -557 +426 @@
 
     JSCell* functionConstructor = FunctionConstructor::create(vm, FunctionConstructor::createStructure(vm, this, m_functionPrototype.get()), m_functionPrototype.get());
-    JSObject* arrayConstructor = ArrayConstructor::create(vm, this, ArrayConstructor::createStructure(vm, this, m_functionPrototype.get()), m_arrayPrototype.get(), m_speciesGetterSetter.get());
-    
-    m_regExpConstructor.set(vm, this, RegExpConstructor::create(vm, RegExpConstructor::createStructure(vm, this, m_functionPrototype.get()), m_regExpPrototype.get(), m_speciesGetterSetter.get()));
+    JSObject* arrayConstructor = ArrayConstructor::create(vm, this, ArrayConstructor::createStructure(vm, this, m_functionPrototype.get()), m_arrayPrototype.get(), speciesGetterSetter);
+    
+    m_regExpConstructor.set(vm, this, RegExpConstructor::create(vm, RegExpConstructor::createStructure(vm, this, m_functionPrototype.get()), m_regExpPrototype.get(), speciesGetterSetter));
     
 #define CREATE_CONSTRUCTOR_FOR_SIMPLE_TYPE(capitalName, lowerName, properName, instanceType, jsName) \
-capitalName ## Constructor* lowerName ## Constructor = capitalName ## Constructor::create(vm, capitalName ## Constructor::createStructure(vm, this, m_functionPrototype.get()), m_ ## lowerName ## Prototype.get(), m_speciesGetterSetter.get()); \
+capitalName ## Constructor* lowerName ## Constructor = capitalName ## Constructor::create(vm, capitalName ## Constructor::createStructure(vm, this, m_functionPrototype.get()), m_ ## lowerName ## Prototype.get(), speciesGetterSetter); \
 m_ ## lowerName ## Prototype->putDirectWithoutTransition(vm, vm.propertyNames->constructor, lowerName ## Constructor, DontEnum); \
 
@@ -568 +437 @@
     
 #undef CREATE_CONSTRUCTOR_FOR_SIMPLE_TYPE
-
+    
     m_errorConstructor.set(vm, this, errorConstructor);
     m_promiseConstructor.set(vm, this, promiseConstructor);
     m_internalPromiseConstructor.set(vm, this, internalPromiseConstructor);
     
-    m_nativeErrorPrototypeStructure.set(vm, this, NativeErrorPrototype::createStructure(vm, this, m_errorPrototype.get()));
-    m_nativeErrorStructure.set(vm, this, NativeErrorConstructor::createStructure(vm, this, m_functionPrototype.get()));
-    m_evalErrorConstructor.initLater(
-        [] (const Initializer<NativeErrorConstructor>& init) {
-            init.set(NativeErrorConstructor::create(init.vm, init.owner, init.owner->m_nativeErrorStructure.get(), init.owner->m_nativeErrorPrototypeStructure.get(), ASCIILiteral("EvalError")));
-        });
-    m_rangeErrorConstructor.set(vm, this, NativeErrorConstructor::create(vm, this, m_nativeErrorStructure.get(), m_nativeErrorPrototypeStructure.get(), ASCIILiteral("RangeError")));
-    m_referenceErrorConstructor.initLater(
-        [] (const Initializer<NativeErrorConstructor>& init) {
-            init.set(NativeErrorConstructor::create(init.vm, init.owner, init.owner->m_nativeErrorStructure.get(), init.owner->m_nativeErrorPrototypeStructure.get(), ASCIILiteral("ReferenceError")));
-        });
-    m_syntaxErrorConstructor.initLater(
-        [] (const Initializer<NativeErrorConstructor>& init) {
-            init.set(NativeErrorConstructor::create(init.vm, init.owner, init.owner->m_nativeErrorStructure.get(), init.owner->m_nativeErrorPrototypeStructure.get(), ASCIILiteral("SyntaxError")));
-        });
-    m_typeErrorConstructor.set(vm, this, NativeErrorConstructor::create(vm, this, m_nativeErrorStructure.get(), m_nativeErrorPrototypeStructure.get(), ASCIILiteral("TypeError")));
-    m_URIErrorConstructor.initLater(
-        [] (const Initializer<NativeErrorConstructor>& init) {
-            init.set(NativeErrorConstructor::create(init.vm, init.owner, init.owner->m_nativeErrorStructure.get(), init.owner->m_nativeErrorPrototypeStructure.get(), ASCIILiteral("URIError")));
-        });
+    Structure* nativeErrorPrototypeStructure = NativeErrorPrototype::createStructure(vm, this, m_errorPrototype.get());
+    Structure* nativeErrorStructure = NativeErrorConstructor::createStructure(vm, this, m_functionPrototype.get());
+    m_evalErrorConstructor.set(vm, this, NativeErrorConstructor::create(vm, this, nativeErrorStructure, nativeErrorPrototypeStructure, ASCIILiteral("EvalError")));
+    m_rangeErrorConstructor.set(vm, this, NativeErrorConstructor::create(vm, this, nativeErrorStructure, nativeErrorPrototypeStructure, ASCIILiteral("RangeError")));
+    m_referenceErrorConstructor.set(vm, this, NativeErrorConstructor::create(vm, this, nativeErrorStructure, nativeErrorPrototypeStructure, ASCIILiteral("ReferenceError")));
+    m_syntaxErrorConstructor.set(vm, this, NativeErrorConstructor::create(vm, this, nativeErrorStructure, nativeErrorPrototypeStructure, ASCIILiteral("SyntaxError")));
+    m_typeErrorConstructor.set(vm, this, NativeErrorConstructor::create(vm, this, nativeErrorStructure, nativeErrorPrototypeStructure, ASCIILiteral("TypeError")));
+    m_URIErrorConstructor.set(vm, this, NativeErrorConstructor::create(vm, this, nativeErrorStructure, nativeErrorPrototypeStructure, ASCIILiteral("URIError")));
 
     m_generatorFunctionPrototype.set(vm, this, GeneratorFunctionPrototype::create(vm, GeneratorFunctionPrototype::createStructure(vm, this, m_functionPrototype.get())));
@@ -611 +468 @@
     putDirectWithoutTransition(vm, vm.propertyNames->Array, arrayConstructor, DontEnum);
     putDirectWithoutTransition(vm, vm.propertyNames->RegExp, m_regExpConstructor.get(), DontEnum);
+    putDirectWithoutTransition(vm, vm.propertyNames->EvalError, m_evalErrorConstructor.get(), DontEnum);
     putDirectWithoutTransition(vm, vm.propertyNames->RangeError, m_rangeErrorConstructor.get(), DontEnum);
+    putDirectWithoutTransition(vm, vm.propertyNames->ReferenceError, m_referenceErrorConstructor.get(), DontEnum);
+    putDirectWithoutTransition(vm, vm.propertyNames->SyntaxError, m_syntaxErrorConstructor.get(), DontEnum);
     putDirectWithoutTransition(vm, vm.propertyNames->TypeError, m_typeErrorConstructor.get(), DontEnum);
-
-    putDirectWithoutTransition(vm, vm.propertyNames->ObjectPrivateName, objectConstructor, DontEnum | DontDelete | ReadOnly);
-    putDirectWithoutTransition(vm, vm.propertyNames->ArrayPrivateName, arrayConstructor, DontEnum | DontDelete | ReadOnly);
-
+    putDirectWithoutTransition(vm, vm.propertyNames->URIError, m_URIErrorConstructor.get(), DontEnum);
+
+    putDirectWithoutTransition(vm, vm.propertyNames->Proxy, ProxyConstructor::create(vm, ProxyConstructor::createStructure(vm, this, m_functionPrototype.get())), DontEnum);
+    
+    
 #define PUT_CONSTRUCTOR_FOR_SIMPLE_TYPE(capitalName, lowerName, properName, instanceType, jsName) \
 putDirectWithoutTransition(vm, vm.propertyNames-> jsName, lowerName ## Constructor, DontEnum); \
@@ -632 +493 @@
     putDirectWithoutTransition(vm, vm.propertyNames->Intl, intl, DontEnum);
 #endif // ENABLE(INTL)
+    putDirectWithoutTransition(vm, vm.propertyNames->JSON, JSONObject::create(vm, JSONObject::createStructure(vm, this, m_objectPrototype.get())), DontEnum);
+    putDirectWithoutTransition(vm, vm.propertyNames->Math, MathObject::create(vm, this, MathObject::createStructure(vm, this, m_objectPrototype.get())), DontEnum);
     ReflectObject* reflectObject = ReflectObject::create(vm, this, ReflectObject::createStructure(vm, this, m_objectPrototype.get()));
     putDirectWithoutTransition(vm, vm.propertyNames->Reflect, reflectObject, DontEnum);
 
     putDirectWithoutTransition(vm, vm.propertyNames->console, ConsoleObject::create(vm, this, ConsoleObject::createStructure(vm, this, m_objectPrototype.get())), DontEnum);
+
+    JSTypedArrayViewConstructor* typedArraySuperConstructor = JSTypedArrayViewConstructor::create(vm, this, JSTypedArrayViewConstructor::createStructure(vm, this, m_functionPrototype.get()), typedArrayProto, speciesGetterSetter);
+    typedArrayProto->putDirectWithoutTransition(vm, vm.propertyNames->constructor, typedArraySuperConstructor, DontEnum);
+
+    m_typedArrays[toIndex(TypeInt8)].constructor.set(vm , this, JSInt8ArrayConstructor::create(vm, this, JSInt8ArrayConstructor::createStructure(vm, this, typedArraySuperConstructor), m_typedArrays[toIndex(TypeInt8)].prototype.get(), ASCIILiteral("Int8Array"), typedArrayConstructorAllocateInt8ArrayCodeGenerator(vm)));
+    m_typedArrays[toIndex(TypeInt16)].constructor.set(vm, this, JSInt16ArrayConstructor::create(vm, this, JSInt16ArrayConstructor::createStructure(vm, this, typedArraySuperConstructor), m_typedArrays[toIndex(TypeInt16)].prototype.get(), ASCIILiteral("Int16Array"), typedArrayConstructorAllocateInt16ArrayCodeGenerator(vm)));
+    m_typedArrays[toIndex(TypeInt32)].constructor.set(vm, this, JSInt32ArrayConstructor::create(vm, this, JSInt32ArrayConstructor::createStructure(vm, this, typedArraySuperConstructor), m_typedArrays[toIndex(TypeInt32)].prototype.get(), ASCIILiteral("Int32Array"), typedArrayConstructorAllocateInt32ArrayCodeGenerator(vm)));
+    m_typedArrays[toIndex(TypeUint8)].constructor.set(vm, this, JSUint8ArrayConstructor::create(vm, this, JSUint8ArrayConstructor::createStructure(vm, this, typedArraySuperConstructor), m_typedArrays[toIndex(TypeUint8)].prototype.get(), ASCIILiteral("Uint8Array"), typedArrayConstructorAllocateUint8ArrayCodeGenerator(vm)));
+    m_typedArrays[toIndex(TypeUint8Clamped)].constructor.set(vm, this, JSUint8ClampedArrayConstructor::create(vm, this, JSUint8ClampedArrayConstructor::createStructure(vm, this, typedArraySuperConstructor), m_typedArrays[toIndex(TypeUint8Clamped)].prototype.get(), ASCIILiteral("Uint8ClampedArray"), typedArrayConstructorAllocateUint8ClampedArrayCodeGenerator(vm)));
+    m_typedArrays[toIndex(TypeUint16)].constructor.set(vm, this, JSUint16ArrayConstructor::create(vm, this, JSUint16ArrayConstructor::createStructure(vm, this, typedArraySuperConstructor), m_typedArrays[toIndex(TypeUint16)].prototype.get(), ASCIILiteral("Uint16Array"), typedArrayConstructorAllocateUint16ArrayCodeGenerator(vm)));
+    m_typedArrays[toIndex(TypeUint32)].constructor.set(vm, this, JSUint32ArrayConstructor::create(vm, this, JSUint32ArrayConstructor::createStructure(vm, this, typedArraySuperConstructor), m_typedArrays[toIndex(TypeUint32)].prototype.get(), ASCIILiteral("Uint32Array"), typedArrayConstructorAllocateUint32ArrayCodeGenerator(vm)));
+    m_typedArrays[toIndex(TypeFloat32)].constructor.set(vm, this, JSFloat32ArrayConstructor::create(vm, this, JSFloat32ArrayConstructor::createStructure(vm, this, typedArraySuperConstructor), m_typedArrays[toIndex(TypeFloat32)].prototype.get(), ASCIILiteral("Float32Array"), typedArrayConstructorAllocateFloat32ArrayCodeGenerator(vm)));
+    m_typedArrays[toIndex(TypeFloat64)].constructor.set(vm, this, JSFloat64ArrayConstructor::create(vm, this, JSFloat64ArrayConstructor::createStructure(vm, this, typedArraySuperConstructor), m_typedArrays[toIndex(TypeFloat64)].prototype.get(), ASCIILiteral("Float64Array"), typedArrayConstructorAllocateFloat64ArrayCodeGenerator(vm)));
+    m_typedArrays[toIndex(TypeDataView)].constructor.set(vm, this, JSDataViewConstructor::create(vm, this, JSDataViewConstructor::createStructure(vm, this, m_functionPrototype.get()), m_typedArrays[toIndex(TypeDataView)].prototype.get(), ASCIILiteral("DataView"), nullptr));
+    
+    for (unsigned typedArrayIndex = NUMBER_OF_TYPED_ARRAY_TYPES; typedArrayIndex--;) {
+        m_typedArrays[typedArrayIndex].prototype->putDirectWithoutTransition(vm, vm.propertyNames->constructor, m_typedArrays[typedArrayIndex].constructor.get(), DontEnum);
+        putDirectWithoutTransition(vm, Identifier::fromString(exec, m_typedArrays[typedArrayIndex].constructor.get()->name(exec)), m_typedArrays[typedArrayIndex].constructor.get(), DontEnum);
+    }
+
+    putDirectWithoutTransition(vm, vm.propertyNames->Int8ArrayPrivateName, m_typedArrays[toIndex(TypeInt8)].constructor.get(), DontEnum);
+    putDirectWithoutTransition(vm, vm.propertyNames->Int16ArrayPrivateName, m_typedArrays[toIndex(TypeInt16)].constructor.get(), DontEnum);
+    putDirectWithoutTransition(vm, vm.propertyNames->Int32ArrayPrivateName, m_typedArrays[toIndex(TypeInt32)].constructor.get(), DontEnum);
+    putDirectWithoutTransition(vm, vm.propertyNames->Uint8ArrayPrivateName, m_typedArrays[toIndex(TypeUint8)].constructor.get(), DontEnum);
+    putDirectWithoutTransition(vm, vm.propertyNames->Uint8ClampedArrayPrivateName, m_typedArrays[toIndex(TypeUint8Clamped)].constructor.get(), DontEnum);
+    putDirectWithoutTransition(vm, vm.propertyNames->Uint16ArrayPrivateName, m_typedArrays[toIndex(TypeUint16)].constructor.get(), DontEnum);
+    putDirectWithoutTransition(vm, vm.propertyNames->Uint32ArrayPrivateName, m_typedArrays[toIndex(TypeUint32)].constructor.get(), DontEnum);
+    putDirectWithoutTransition(vm, vm.propertyNames->Float32ArrayPrivateName, m_typedArrays[toIndex(TypeFloat32)].constructor.get(), DontEnum);
+    putDirectWithoutTransition(vm, vm.propertyNames->Float64ArrayPrivateName, m_typedArrays[toIndex(TypeFloat64)].constructor.get(), DontEnum);
 
     m_moduleLoader.set(vm, this, ModuleLoaderObject::create(vm, this, ModuleLoaderObject::createStructure(vm, this, m_objectPrototype.get())));
@@ -989 +881 @@
 }
 
+void JSGlobalObject::createThrowTypeError(VM& vm)
+{
+    JSFunction* thrower = JSFunction::create(vm, this, 0, String(), globalFuncThrowTypeError);
+    GetterSetter* getterSetter = GetterSetter::create(vm, this);
+    getterSetter->setGetter(vm, this, thrower);
+    getterSetter->setSetter(vm, this, thrower);
+    m_throwTypeErrorGetterSetter.set(vm, this, getterSetter);
+}
+
+void JSGlobalObject::createThrowTypeErrorArgumentsAndCaller(VM& vm)
+{
+    JSFunction* thrower = JSFunction::create(vm, this, 0, String(), globalFuncThrowTypeErrorArgumentsAndCaller);
+    GetterSetter* getterSetter = GetterSetter::create(vm, this);
+    getterSetter->setGetter(vm, this, thrower);
+    getterSetter->setSetter(vm, this, thrower);
+    m_throwTypeErrorArgumentsAndCallerGetterSetter.set(vm, this, getterSetter);
+}
+
 // Set prototype, and also insert the object prototype at the end of the chain.
 void JSGlobalObject::resetPrototype(VM& vm, JSValue prototype)
@@ -1015 +925 @@
     visitor.append(&thisObject->m_regExpConstructor);
     visitor.append(&thisObject->m_errorConstructor);
-    visitor.append(&thisObject->m_nativeErrorPrototypeStructure);
-    visitor.append(&thisObject->m_nativeErrorStructure);
-    thisObject->m_evalErrorConstructor.visit(visitor);
+    visitor.append(&thisObject->m_evalErrorConstructor);
     visitor.append(&thisObject->m_rangeErrorConstructor);
-    thisObject->m_referenceErrorConstructor.visit(visitor);
-    thisObject->m_syntaxErrorConstructor.visit(visitor);
+    visitor.append(&thisObject->m_referenceErrorConstructor);
+    visitor.append(&thisObject->m_syntaxErrorConstructor);
     visitor.append(&thisObject->m_typeErrorConstructor);
-    thisObject->m_URIErrorConstructor.visit(visitor);
+    visitor.append(&thisObject->m_URIErrorConstructor);
     visitor.append(&thisObject->m_objectConstructor);
     visitor.append(&thisObject->m_promiseConstructor);
+    visitor.append(&thisObject->m_internalPromiseConstructor);
 
     visitor.append(&thisObject->m_nullGetterFunction);
@@ -1034 +943 @@
     visitor.append(&thisObject->m_applyFunction);
     visitor.append(&thisObject->m_definePropertyFunction);
-    thisObject->m_arrayProtoValuesFunction.visit(visitor);
-    thisObject->m_initializePromiseFunction.visit(visitor);
+    visitor.append(&thisObject->m_arrayProtoValuesFunction);
+    visitor.append(&thisObject->m_initializePromiseFunction);
     visitor.append(&thisObject->m_newPromiseCapabilityFunction);
     visitor.append(&thisObject->m_functionProtoHasInstanceSymbolFunction);
-    thisObject->m_throwTypeErrorGetterSetter.visit(visitor);
-    thisObject->m_throwTypeErrorArgumentsAndCallerGetterSetter.visit(visitor);
+    visitor.append(&thisObject->m_throwTypeErrorGetterSetter);
+    visitor.append(&thisObject->m_throwTypeErrorArgumentsAndCallerGetterSetter);
     visitor.append(&thisObject->m_moduleLoader);
 
@@ -1050 +959 @@
     visitor.append(&thisObject->m_generatorPrototype);
 
-    thisObject->m_debuggerScopeStructure.visit(visitor);
-    thisObject->m_withScopeStructure.visit(visitor);
+    visitor.append(&thisObject->m_debuggerScopeStructure);
+    visitor.append(&thisObject->m_withScopeStructure);
     visitor.append(&thisObject->m_strictEvalActivationStructure);
     visitor.append(&thisObject->m_lexicalEnvironmentStructure);
-    thisObject->m_moduleEnvironmentStructure.visit(visitor);
+    visitor.append(&thisObject->m_moduleEnvironmentStructure);
     visitor.append(&thisObject->m_directArgumentsStructure);
     visitor.append(&thisObject->m_scopedArgumentsStructure);
@@ -1062 +971 @@
     for (unsigned i = 0; i < NumberOfIndexingShapes; ++i)
         visitor.append(&thisObject->m_arrayStructureForIndexingShapeDuringAllocation[i]);
-    thisObject->m_callbackConstructorStructure.visit(visitor);
-    thisObject->m_callbackFunctionStructure.visit(visitor);
-    thisObject->m_callbackObjectStructure.visit(visitor);
+    visitor.append(&thisObject->m_booleanObjectStructure);
+    visitor.append(&thisObject->m_callbackConstructorStructure);
+    visitor.append(&thisObject->m_callbackFunctionStructure);
+    visitor.append(&thisObject->m_callbackObjectStructure);
     visitor.append(&thisObject->m_propertyNameIteratorStructure);
 #if JSC_OBJC_API_ENABLED
-    thisObject->m_objcCallbackFunctionStructure.visit(visitor);
-    thisObject->m_objcWrapperObjectStructure.visit(visitor);
+    visitor.append(&thisObject->m_objcCallbackFunctionStructure);
+    visitor.append(&thisObject->m_objcWrapperObjectStructure);
 #endif
-    thisObject->m_nullPrototypeObjectStructure.visit(visitor);
+    visitor.append(&thisObject->m_nullPrototypeObjectStructure);
     visitor.append(&thisObject->m_errorStructure);
     visitor.append(&thisObject->m_calleeStructure);
     visitor.append(&thisObject->m_functionStructure);
-    thisObject->m_boundSlotBaseFunctionStructure.visit(visitor);
-    thisObject->m_boundFunctionStructure.visit(visitor);
+    visitor.append(&thisObject->m_boundSlotBaseFunctionStructure);
+    visitor.append(&thisObject->m_boundFunctionStructure);
     visitor.append(&thisObject->m_getterSetterStructure);
-    thisObject->m_nativeStdFunctionStructure.visit(visitor);
-    thisObject->m_namedFunctionStructure.visit(visitor);
+    visitor.append(&thisObject->m_nativeStdFunctionStructure);
+    visitor.append(&thisObject->m_namedFunctionStructure);
     visitor.append(&thisObject->m_symbolObjectStructure);
     visitor.append(&thisObject->m_regExpStructure);
@@ -1088 +998 @@
     visitor.append(&thisObject->m_moduleNamespaceObjectStructure);
     visitor.append(&thisObject->m_dollarVMStructure);
+    visitor.append(&thisObject->m_internalFunctionStructure);
     visitor.append(&thisObject->m_proxyObjectStructure);
     visitor.append(&thisObject->m_callableProxyObjectStructure);
@@ -1100 +1011 @@
 
     FOR_EACH_SIMPLE_BUILTIN_TYPE(VISIT_SIMPLE_TYPE)
+    FOR_EACH_BUILTIN_DERIVED_ITERATOR_TYPE(VISIT_SIMPLE_TYPE)
 
 #undef VISIT_SIMPLE_TYPE
 
-#define VISIT_LAZY_TYPE(CapitalName, lowerName, properName, instanceType, jsName) \
-    thisObject->m_ ## properName ## Structure.visit(visitor);
-    
-    FOR_EACH_LAZY_BUILTIN_TYPE(VISIT_LAZY_TYPE)
-    FOR_EACH_BUILTIN_DERIVED_ITERATOR_TYPE(VISIT_LAZY_TYPE)
-
-#undef VISIT_LAZY_TYPE
-
-    for (unsigned i = NUMBER_OF_TYPED_ARRAY_TYPES; i--;)
-        thisObject->lazyTypedArrayStructure(indexToTypedArrayType(i)).visit(visitor);
-    
-    visitor.append(&thisObject->m_speciesGetterSetter);
-    thisObject->m_typedArrayProto.visit(visitor);
-    thisObject->m_typedArraySuperConstructor.visit(visitor);
+    for (unsigned i = NUMBER_OF_TYPED_ARRAY_TYPES; i--;) {
+        visitor.append(&thisObject->m_typedArrays[i].prototype);
+        visitor.append(&thisObject->m_typedArrays[i].constructor);
+        visitor.append(&thisObject->m_typedArrays[i].structure);
+    }
 }
 
@@ -1158 +1061 @@
 {
     JSGlobalObject* thisObject = jsCast<JSGlobalObject*>(object);
-    if (getStaticPropertySlot<JSGlobalObject, Base>(exec, globalObjectTable, thisObject, propertyName, slot))
+    if (getStaticFunctionSlot<Base>(exec, globalObjectTable, thisObject, propertyName, slot))
         return true;
     return symbolTableGet(thisObject, propertyName, slot);

trunk/Source/JavaScriptCore/runtime/JSGlobalObject.h

@@ -32 +32 @@
 #include "JSSegmentedVariableObject.h"
 #include "JSWeakObjectMapRefInternal.h"
-#include "LazyProperty.h"
-#include "LazyClassStructure.h"
 #include "NumberPrototype.h"
 #include "RuntimeFlags.h"
@@ -78 +76 @@
 class JSPromisePrototype;
 class JSStack;
-class JSTypedArrayViewConstructor;
-class JSTypedArrayViewPrototype;
 class LLIntOffsetsExtractor;
 class Microtask;
@@ -102 +98 @@
 
 #define FOR_EACH_SIMPLE_BUILTIN_TYPE_WITH_CONSTRUCTOR(macro) \
+    macro(Set, set, set, JSSet, Set) \
+    macro(Map, map, map, JSMap, Map) \
+    macro(Date, date, date, DateInstance, Date) \
     macro(String, string, stringObject, StringObject, String) \
     macro(Symbol, symbol, symbolObject, SymbolObject, Symbol) \
+    macro(Boolean, boolean, booleanObject, BooleanObject, Boolean) \
     macro(Number, number, numberObject, NumberObject, Number) \
     macro(Error, error, error, ErrorInstance, Error) \
-    macro(Map, map, map, JSMap, Map) \
     macro(JSPromise, promise, promise, JSPromise, Promise) \
     macro(JSArrayBuffer, arrayBuffer, arrayBuffer, JSArrayBuffer, ArrayBuffer) \
+    DEFINE_STANDARD_BUILTIN(macro, WeakMap, weakMap) \
+    DEFINE_STANDARD_BUILTIN(macro, WeakSet, weakSet) \
 
 #define FOR_EACH_BUILTIN_DERIVED_ITERATOR_TYPE(macro) \
@@ -124 +125 @@
     macro(JSInternalPromise, internalPromise, internalPromise, JSInternalPromise, InternalPromise) \
 
-#define FOR_EACH_LAZY_BUILTIN_TYPE(macro) \
-    macro(Set, set, set, JSSet, Set) \
-    macro(Date, date, date, DateInstance, Date) \
-    macro(Boolean, boolean, booleanObject, BooleanObject, Boolean) \
-    DEFINE_STANDARD_BUILTIN(macro, WeakMap, weakMap) \
-    DEFINE_STANDARD_BUILTIN(macro, WeakSet, weakSet) \
-
 #define DECLARE_SIMPLE_BUILTIN_TYPE(capitalName, lowerName, properName, instanceType, jsName) \
     class JS ## capitalName; \
@@ -138 +132 @@
 class IteratorPrototype;
 FOR_EACH_SIMPLE_BUILTIN_TYPE(DECLARE_SIMPLE_BUILTIN_TYPE)
-FOR_EACH_LAZY_BUILTIN_TYPE(DECLARE_SIMPLE_BUILTIN_TYPE)
 FOR_EACH_BUILTIN_DERIVED_ITERATOR_TYPE(DECLARE_SIMPLE_BUILTIN_TYPE)
 
 #undef DECLARE_SIMPLE_BUILTIN_TYPE
-
-class JSInternalPromise;
-class InternalPromisePrototype;
-class InternalPromiseConstructor;
 
 typedef Vector<ExecState*, 16> ExecStateStack;
@@ -209 +198 @@
     };
 
-// Our hashtable code-generator tries to access these properties, so we make them public.
-// However, we'd like it better if they could be protected.
-public:
-    template<typename T> using Initializer = typename LazyProperty<JSGlobalObject, T>::Initializer;
-    
+protected:
     Register m_globalCallFrame[JSStack::CallFrameHeaderSize];
 
@@ -222 +207 @@
     WriteBarrier<RegExpConstructor> m_regExpConstructor;
     WriteBarrier<ErrorConstructor> m_errorConstructor;
-    WriteBarrier<Structure> m_nativeErrorPrototypeStructure;
-    WriteBarrier<Structure> m_nativeErrorStructure;
-    LazyProperty<JSGlobalObject, NativeErrorConstructor> m_evalErrorConstructor;
+    WriteBarrier<NativeErrorConstructor> m_evalErrorConstructor;
     WriteBarrier<NativeErrorConstructor> m_rangeErrorConstructor;
-    LazyProperty<JSGlobalObject, NativeErrorConstructor> m_referenceErrorConstructor;
-    LazyProperty<JSGlobalObject, NativeErrorConstructor> m_syntaxErrorConstructor;
+    WriteBarrier<NativeErrorConstructor> m_referenceErrorConstructor;
+    WriteBarrier<NativeErrorConstructor> m_syntaxErrorConstructor;
     WriteBarrier<NativeErrorConstructor> m_typeErrorConstructor;
-    LazyProperty<JSGlobalObject, NativeErrorConstructor> m_URIErrorConstructor;
+    WriteBarrier<NativeErrorConstructor> m_URIErrorConstructor;
     WriteBarrier<ObjectConstructor> m_objectConstructor;
     WriteBarrier<JSPromiseConstructor> m_promiseConstructor;
@@ -243 +226 @@
     WriteBarrier<JSFunction> m_applyFunction;
     WriteBarrier<JSFunction> m_definePropertyFunction;
-    LazyProperty<JSGlobalObject, JSFunction> m_arrayProtoValuesFunction;
-    LazyProperty<JSGlobalObject, JSFunction> m_initializePromiseFunction;
+    WriteBarrier<JSFunction> m_arrayProtoValuesFunction;
+    WriteBarrier<JSFunction> m_initializePromiseFunction;
     WriteBarrier<JSFunction> m_newPromiseCapabilityFunction;
     WriteBarrier<JSFunction> m_functionProtoHasInstanceSymbolFunction;
-    LazyProperty<JSGlobalObject, GetterSetter> m_throwTypeErrorGetterSetter;
     WriteBarrier<JSObject> m_regExpProtoExec;
     WriteBarrier<JSObject> m_regExpProtoSymbolReplace;
     WriteBarrier<JSObject> m_regExpProtoGlobalGetter;
     WriteBarrier<JSObject> m_regExpProtoUnicodeGetter;
-    LazyProperty<JSGlobalObject, GetterSetter> m_throwTypeErrorArgumentsAndCallerGetterSetter;
+    WriteBarrier<GetterSetter> m_throwTypeErrorGetterSetter;
+    WriteBarrier<GetterSetter> m_throwTypeErrorArgumentsAndCallerGetterSetter;
 
     WriteBarrier<ModuleLoaderObject> m_moduleLoader;
@@ -264 +247 @@
     WriteBarrier<GeneratorPrototype> m_generatorPrototype;
 
-    LazyProperty<JSGlobalObject, Structure> m_debuggerScopeStructure;
-    LazyProperty<JSGlobalObject, Structure> m_withScopeStructure;
+    WriteBarrier<Structure> m_debuggerScopeStructure;
+    WriteBarrier<Structure> m_withScopeStructure;
     WriteBarrier<Structure> m_strictEvalActivationStructure;
     WriteBarrier<Structure> m_lexicalEnvironmentStructure;
-    LazyProperty<JSGlobalObject, Structure> m_moduleEnvironmentStructure;
+    WriteBarrier<Structure> m_moduleEnvironmentStructure;
     WriteBarrier<Structure> m_directArgumentsStructure;
     WriteBarrier<Structure> m_scopedArgumentsStructure;
@@ -279 +262 @@
     WriteBarrier<Structure> m_arrayStructureForIndexingShapeDuringAllocation[NumberOfIndexingShapes];
 
-    LazyProperty<JSGlobalObject, Structure> m_callbackConstructorStructure;
-    LazyProperty<JSGlobalObject, Structure> m_callbackFunctionStructure;
-    LazyProperty<JSGlobalObject, Structure> m_callbackObjectStructure;
+    WriteBarrier<Structure> m_callbackConstructorStructure;
+    WriteBarrier<Structure> m_callbackFunctionStructure;
+    WriteBarrier<Structure> m_callbackObjectStructure;
     WriteBarrier<Structure> m_propertyNameIteratorStructure;
 #if JSC_OBJC_API_ENABLED
-    LazyProperty<JSGlobalObject, Structure> m_objcCallbackFunctionStructure;
-    LazyProperty<JSGlobalObject, Structure> m_objcWrapperObjectStructure;
+    WriteBarrier<Structure> m_objcCallbackFunctionStructure;
+    WriteBarrier<Structure> m_objcWrapperObjectStructure;
 #endif
-    LazyProperty<JSGlobalObject, Structure> m_nullPrototypeObjectStructure;
+    WriteBarrier<Structure> m_nullPrototypeObjectStructure;
     WriteBarrier<Structure> m_calleeStructure;
     WriteBarrier<Structure> m_functionStructure;
-    LazyProperty<JSGlobalObject, Structure> m_boundFunctionStructure;
-    LazyProperty<JSGlobalObject, Structure> m_boundSlotBaseFunctionStructure;
+    WriteBarrier<Structure> m_boundFunctionStructure;
+    WriteBarrier<Structure> m_boundSlotBaseFunctionStructure;
     WriteBarrier<Structure> m_getterSetterStructure;
-    LazyProperty<JSGlobalObject, Structure> m_nativeStdFunctionStructure;
-    LazyProperty<JSGlobalObject, Structure> m_namedFunctionStructure;
+    WriteBarrier<Structure> m_nativeStdFunctionStructure;
+    WriteBarrier<Structure> m_namedFunctionStructure;
     PropertyOffset m_functionNameOffset;
     WriteBarrier<Structure> m_privateNameStructure;
@@ -300 +283 @@
     WriteBarrier<Structure> m_generatorFunctionStructure;
     WriteBarrier<Structure> m_dollarVMStructure;
+    WriteBarrier<Structure> m_internalFunctionStructure;
     WriteBarrier<Structure> m_iteratorResultObjectStructure;
     WriteBarrier<Structure> m_regExpMatchesArrayStructure;
@@ -317 +301 @@
 
     FOR_EACH_SIMPLE_BUILTIN_TYPE(DEFINE_STORAGE_FOR_SIMPLE_TYPE)
+    FOR_EACH_BUILTIN_DERIVED_ITERATOR_TYPE(DEFINE_STORAGE_FOR_SIMPLE_TYPE)
 
 #undef DEFINE_STORAGE_FOR_SIMPLE_TYPE
 
-#define DEFINE_STORAGE_FOR_ITERATOR_TYPE(capitalName, lowerName, properName, instanceType, jsName) \
-    LazyProperty<JSGlobalObject, Structure> m_ ## properName ## Structure;
-    FOR_EACH_BUILTIN_DERIVED_ITERATOR_TYPE(DEFINE_STORAGE_FOR_ITERATOR_TYPE)
-#undef DEFINE_STORAGE_FOR_ITERATOR_TYPE
+    struct TypedArrayData {
+        WriteBarrier<JSObject> prototype;
+        WriteBarrier<InternalFunction> constructor;
+        WriteBarrier<Structure> structure;
+    };
     
-#define DEFINE_STORAGE_FOR_LAZY_TYPE(capitalName, lowerName, properName, instanceType, jsName) \
-    LazyClassStructure m_ ## properName ## Structure;
-    FOR_EACH_LAZY_BUILTIN_TYPE(DEFINE_STORAGE_FOR_LAZY_TYPE)
-#undef DEFINE_STORAGE_FOR_LAZY_TYPE
-
-    WriteBarrier<GetterSetter> m_speciesGetterSetter;
-    
-    LazyProperty<JSGlobalObject, JSTypedArrayViewPrototype> m_typedArrayProto;
-    LazyProperty<JSGlobalObject, JSTypedArrayViewConstructor> m_typedArraySuperConstructor;
-    
-#define DECLARE_TYPED_ARRAY_TYPE_STRUCTURE(name) LazyClassStructure m_typedArray ## name;
-    FOR_EACH_TYPED_ARRAY_TYPE(DECLARE_TYPED_ARRAY_TYPE_STRUCTURE)
-#undef DECLARE_TYPED_ARRAY_TYPE_STRUCTURE
+    std::array<TypedArrayData, NUMBER_OF_TYPED_ARRAY_TYPES> m_typedArrays;
 
     JSCell* m_specialPointers[Special::TableSize]; // Special pointers used by the LLInt and JIT.
@@ -464 +438 @@
     JSPromiseConstructor* promiseConstructor() const { return m_promiseConstructor.get(); }
     JSInternalPromiseConstructor* internalPromiseConstructor() const { return m_internalPromiseConstructor.get(); }
-    NativeErrorConstructor* evalErrorConstructor() const { return m_evalErrorConstructor.get(this); }
+    NativeErrorConstructor* evalErrorConstructor() const { return m_evalErrorConstructor.get(); }
     NativeErrorConstructor* rangeErrorConstructor() const { return m_rangeErrorConstructor.get(); }
-    NativeErrorConstructor* referenceErrorConstructor() const { return m_referenceErrorConstructor.get(this); }
-    NativeErrorConstructor* syntaxErrorConstructor() const { return m_syntaxErrorConstructor.get(this); }
+    NativeErrorConstructor* referenceErrorConstructor() const { return m_referenceErrorConstructor.get(); }
+    NativeErrorConstructor* syntaxErrorConstructor() const { return m_syntaxErrorConstructor.get(); }
     NativeErrorConstructor* typeErrorConstructor() const { return m_typeErrorConstructor.get(); }
-    NativeErrorConstructor* URIErrorConstructor() const { return m_URIErrorConstructor.get(this); }
+    NativeErrorConstructor* URIErrorConstructor() const { return m_URIErrorConstructor.get(); }
 
     NullGetterFunction* nullGetterFunction() const { return m_nullGetterFunction.get(); }
@@ -480 +454 @@
     JSFunction* applyFunction() const { return m_applyFunction.get(); }
     JSFunction* definePropertyFunction() const { return m_definePropertyFunction.get(); }
-    JSFunction* arrayProtoValuesFunction() const { return m_arrayProtoValuesFunction.get(this); }
-    JSFunction* initializePromiseFunction() const { return m_initializePromiseFunction.get(this); }
+    JSFunction* arrayProtoValuesFunction() const { return m_arrayProtoValuesFunction.get(); }
+    JSFunction* initializePromiseFunction() const { return m_initializePromiseFunction.get(); }
     JSFunction* newPromiseCapabilityFunction() const { return m_newPromiseCapabilityFunction.get(); }
     JSFunction* functionProtoHasInstanceSymbolFunction() const { return m_functionProtoHasInstanceSymbolFunction.get(); }
@@ -488 +462 @@
     JSObject* regExpProtoGlobalGetter() const { return m_regExpProtoGlobalGetter.get(); }
     JSObject* regExpProtoUnicodeGetter() const { return m_regExpProtoUnicodeGetter.get(); }
-    GetterSetter* throwTypeErrorGetterSetter()
-    {
-        return m_throwTypeErrorGetterSetter.get(this);
-    }
-
-    GetterSetter* throwTypeErrorArgumentsAndCallerGetterSetter()
-    {
-        return m_throwTypeErrorArgumentsAndCallerGetterSetter.get(this);
+    GetterSetter* throwTypeErrorGetterSetter(VM& vm)
+    {
+        if (!m_throwTypeErrorGetterSetter)
+            createThrowTypeError(vm);
+        return m_throwTypeErrorGetterSetter.get();
+    }
+
+    GetterSetter* throwTypeErrorArgumentsAndCallerGetterSetter(VM& vm)
+    {
+        if (!m_throwTypeErrorArgumentsAndCallerGetterSetter)
+            createThrowTypeErrorArgumentsAndCaller(vm);
+        return m_throwTypeErrorArgumentsAndCallerGetterSetter.get();
     }
     
@@ -503 +481 @@
     FunctionPrototype* functionPrototype() const { return m_functionPrototype.get(); }
     ArrayPrototype* arrayPrototype() const { return m_arrayPrototype.get(); }
-    JSObject* booleanPrototype() const { return m_booleanObjectStructure.prototype(this); }
+    BooleanPrototype* booleanPrototype() const { return m_booleanPrototype.get(); }
     StringPrototype* stringPrototype() const { return m_stringPrototype.get(); }
     SymbolPrototype* symbolPrototype() const { return m_symbolPrototype.get(); }
-    JSObject* numberPrototype() const { return m_numberPrototype.get(); }
-    JSObject* datePrototype() const { return m_dateStructure.prototype(this); }
+    NumberPrototype* numberPrototype() const { return m_numberPrototype.get(); }
+    DatePrototype* datePrototype() const { return m_datePrototype.get(); }
     RegExpPrototype* regExpPrototype() const { return m_regExpPrototype.get(); }
     ErrorPrototype* errorPrototype() const { return m_errorPrototype.get(); }
@@ -514 +492 @@
     GeneratorPrototype* generatorPrototype() const { return m_generatorPrototype.get(); }
 
-    Structure* debuggerScopeStructure() const { return m_debuggerScopeStructure.get(this); }
-    Structure* withScopeStructure() const { return m_withScopeStructure.get(this); }
+    Structure* debuggerScopeStructure() const { return m_debuggerScopeStructure.get(); }
+    Structure* withScopeStructure() const { return m_withScopeStructure.get(); }
     Structure* strictEvalActivationStructure() const { return m_strictEvalActivationStructure.get(); }
     Structure* activationStructure() const { return m_lexicalEnvironmentStructure.get(); }
-    Structure* moduleEnvironmentStructure() const { return m_moduleEnvironmentStructure.get(this); }
+    Structure* moduleEnvironmentStructure() const { return m_moduleEnvironmentStructure.get(); }
     Structure* directArgumentsStructure() const { return m_directArgumentsStructure.get(); }
     Structure* scopedArgumentsStructure() const { return m_scopedArgumentsStructure.get(); }
@@ -546 +524 @@
     }
         
-    Structure* booleanObjectStructure() const { return m_booleanObjectStructure.get(this); }
-    Structure* callbackConstructorStructure() const { return m_callbackConstructorStructure.get(this); }
-    Structure* callbackFunctionStructure() const { return m_callbackFunctionStructure.get(this); }
-    Structure* callbackObjectStructure() const { return m_callbackObjectStructure.get(this); }
+    Structure* booleanObjectStructure() const { return m_booleanObjectStructure.get(); }
+    Structure* callbackConstructorStructure() const { return m_callbackConstructorStructure.get(); }
+    Structure* callbackFunctionStructure() const { return m_callbackFunctionStructure.get(); }
+    Structure* callbackObjectStructure() const { return m_callbackObjectStructure.get(); }
     Structure* propertyNameIteratorStructure() const { return m_propertyNameIteratorStructure.get(); }
 #if JSC_OBJC_API_ENABLED
-    Structure* objcCallbackFunctionStructure() const { return m_objcCallbackFunctionStructure.get(this); }
-    Structure* objcWrapperObjectStructure() const { return m_objcWrapperObjectStructure.get(this); }
+    Structure* objcCallbackFunctionStructure() const { return m_objcCallbackFunctionStructure.get(); }
+    Structure* objcWrapperObjectStructure() const { return m_objcWrapperObjectStructure.get(); }
 #endif
-    Structure* dateStructure() const { return m_dateStructure.get(this); }
-    Structure* nullPrototypeObjectStructure() const { return m_nullPrototypeObjectStructure.get(this); }
+    Structure* dateStructure() const { return m_dateStructure.get(); }
+    Structure* nullPrototypeObjectStructure() const { return m_nullPrototypeObjectStructure.get(); }
     Structure* errorStructure() const { return m_errorStructure.get(); }
     Structure* calleeStructure() const { return m_calleeStructure.get(); }
     Structure* functionStructure() const { return m_functionStructure.get(); }
-    Structure* boundFunctionStructure() const { return m_boundFunctionStructure.get(this); }
-    Structure* boundSlotBaseFunctionStructure() const { return m_boundSlotBaseFunctionStructure.get(this); }
+    Structure* boundFunctionStructure() const { return m_boundFunctionStructure.get(); }
+    Structure* boundSlotBaseFunctionStructure() const { return m_boundSlotBaseFunctionStructure.get(); }
     Structure* getterSetterStructure() const { return m_getterSetterStructure.get(); }
-    Structure* nativeStdFunctionStructure() const { return m_nativeStdFunctionStructure.get(this); }
-    Structure* namedFunctionStructure() const { return m_namedFunctionStructure.get(this); }
+    Structure* nativeStdFunctionStructure() const { return m_nativeStdFunctionStructure.get(); }
+    Structure* namedFunctionStructure() const { return m_namedFunctionStructure.get(); }
     PropertyOffset functionNameOffset() const { return m_functionNameOffset; }
     Structure* numberObjectStructure() const { return m_numberObjectStructure.get(); }
     Structure* privateNameStructure() const { return m_privateNameStructure.get(); }
+    Structure* internalFunctionStructure() const { return m_internalFunctionStructure.get(); }
     Structure* mapStructure() const { return m_mapStructure.get(); }
     Structure* regExpStructure() const { return m_regExpStructure.get(); }
     Structure* generatorFunctionStructure() const { return m_generatorFunctionStructure.get(); }
-    Structure* setStructure() const { return m_setStructure.get(this); }
+    Structure* setStructure() const { return m_setStructure.get(); }
     Structure* stringObjectStructure() const { return m_stringObjectStructure.get(); }
     Structure* symbolObjectStructure() const { return m_symbolObjectStructure.get(); }
@@ -616 +595 @@
 
     FOR_EACH_SIMPLE_BUILTIN_TYPE(DEFINE_ACCESSORS_FOR_SIMPLE_TYPE)
+    FOR_EACH_BUILTIN_DERIVED_ITERATOR_TYPE(DEFINE_ACCESSORS_FOR_SIMPLE_TYPE)
 
 #undef DEFINE_ACCESSORS_FOR_SIMPLE_TYPE
 
-#define DEFINE_ACCESSORS_FOR_ITERATOR_TYPE(capitalName, lowerName, properName, instanceType, jsName) \
-    Structure* properName ## Structure() { return m_ ## properName ## Structure.get(this); }
-
-    FOR_EACH_BUILTIN_DERIVED_ITERATOR_TYPE(DEFINE_ACCESSORS_FOR_ITERATOR_TYPE)
-
-#undef DEFINE_ACCESSORS_FOR_ITERATOR_TYPE
-
-#define DEFINE_ACCESSORS_FOR_LAZY_TYPE(capitalName, lowerName, properName, instanceType, jsName) \
-    Structure* properName ## Structure() { return m_ ## properName ## Structure.get(this); }
-
-    FOR_EACH_LAZY_BUILTIN_TYPE(DEFINE_ACCESSORS_FOR_LAZY_TYPE)
-
-#undef DEFINE_ACCESSORS_FOR_LAZY_TYPE
-
-    LazyClassStructure& lazyTypedArrayStructure(TypedArrayType type)
-    {
-        switch (type) {
-        case NotTypedArray:
-            RELEASE_ASSERT_NOT_REACHED();
-            return m_typedArrayInt8;
-#define TYPED_ARRAY_TYPE_CASE(name) case Type ## name: return m_typedArray ## name;
-            FOR_EACH_TYPED_ARRAY_TYPE(TYPED_ARRAY_TYPE_CASE)
-#undef TYPED_ARRAY_TYPE_CASE
-        }
-        RELEASE_ASSERT_NOT_REACHED();
-        return m_typedArrayInt8;
-    }
-    const LazyClassStructure& lazyTypedArrayStructure(TypedArrayType type) const
-    {
-        return const_cast<const LazyClassStructure&>(const_cast<JSGlobalObject*>(this)->lazyTypedArrayStructure(type));
-    }
-    
     Structure* typedArrayStructure(TypedArrayType type) const
     {
-        return lazyTypedArrayStructure(type).get(this);
-    }
-    Structure* typedArrayStructureConcurrently(TypedArrayType type) const
-    {
-        return lazyTypedArrayStructure(type).getConcurrently();
+        return m_typedArrays[toIndex(type)].structure.get();
     }
     bool isOriginalTypedArrayStructure(Structure* structure)
@@ -664 +608 @@
         if (type == NotTypedArray)
             return false;
-        return typedArrayStructureConcurrently(type) == structure;
+        return typedArrayStructure(type) == structure;
     }
 
     JSObject* typedArrayConstructor(TypedArrayType type) const
     {
-        return lazyTypedArrayStructure(type).constructor(this);
+        return m_typedArrays[toIndex(type)].constructor.get();
     }
 
@@ -796 +740 @@
     JS_EXPORT_PRIVATE void init(VM&);
 
+    void createThrowTypeError(VM&);
+    void createThrowTypeErrorArgumentsAndCaller(VM&);
+
     JS_EXPORT_PRIVATE static void clearRareData(JSCell*);
 };

trunk/Source/JavaScriptCore/runtime/JSNativeStdFunction.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2015-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2015 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -69 +69 @@
     NativeExecutable* executable = lookUpOrCreateNativeExecutable(vm, runStdFunction, intrinsic, nativeConstructor, name);
     NativeStdFunctionCell* functionCell = NativeStdFunctionCell::create(vm, WTFMove(nativeStdFunction));
-    Structure* structure = globalObject->nativeStdFunctionStructure();
-    JSNativeStdFunction* function = new (NotNull, allocateCell<JSNativeStdFunction>(vm.heap)) JSNativeStdFunction(vm, globalObject, structure);
+    JSNativeStdFunction* function = new (NotNull, allocateCell<JSNativeStdFunction>(vm.heap)) JSNativeStdFunction(vm, globalObject, globalObject->nativeStdFunctionStructure());
     function->finishCreation(vm, executable, length, name, functionCell);
     return function;

trunk/Source/JavaScriptCore/runtime/JSWithScope.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2012, 2016 Apple Inc. All Rights Reserved.
+ * Copyright (C) 2012 Apple Inc. All Rights Reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -33 +33 @@
 const ClassInfo JSWithScope::s_info = { "WithScope", &Base::s_info, 0, CREATE_METHOD_TABLE(JSWithScope) };
 
-JSWithScope* JSWithScope::create(
-    VM& vm, JSGlobalObject* globalObject, JSObject* object, JSScope* next)
-{
-    Structure* structure = globalObject->withScopeStructure();
-    JSWithScope* withScope = new (NotNull, allocateCell<JSWithScope>(vm.heap)) JSWithScope(vm, structure, object, next);
-    withScope->finishCreation(vm);
-    return withScope;
-}
-
 void JSWithScope::visitChildren(JSCell* cell, SlotVisitor& visitor)
 {
@@ -50 +41 @@
 }
 
-Structure* JSWithScope::createStructure(VM& vm, JSGlobalObject* globalObject, JSValue proto)
-{
-    return Structure::create(vm, globalObject, proto, TypeInfo(WithScopeType, StructureFlags), info());
-}
-
-JSWithScope::JSWithScope(VM& vm, Structure* structure, JSObject* object, JSScope* next)
-    : Base(vm, structure, next)
-    , m_object(vm, this, object)
-{
-}
-
 } // namespace JSC

trunk/Source/JavaScriptCore/runtime/JSWithScope.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2012, 2016 Apple Inc. All Rights Reserved.
+ * Copyright (C) 2012 Apple Inc. All Rights Reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -35 +35 @@
     typedef JSScope Base;
 
-    JS_EXPORT_PRIVATE static JSWithScope* create(VM&, JSGlobalObject*, JSObject*, JSScope* next);
+    static JSWithScope* create(ExecState* exec, JSObject* object, JSScope* next)
+    {
+        JSWithScope* withScope = new (NotNull, allocateCell<JSWithScope>(*exec->heap())) JSWithScope(exec, object, next);
+        withScope->finishCreation(exec->vm());
+        return withScope;
+    }
 
     JSObject* object() { return m_object.get(); }
@@ -41 +46 @@
     static void visitChildren(JSCell*, SlotVisitor&);
 
-    static Structure* createStructure(VM&, JSGlobalObject*, JSValue proto);
+    static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue proto)
+    {
+        return Structure::create(vm, globalObject, proto, TypeInfo(WithScopeType, StructureFlags), info());
+    }
 
     DECLARE_EXPORT_INFO;
 
 private:
-    JSWithScope(VM&, Structure*, JSObject*, JSScope* next);
+    JSWithScope(ExecState* exec, JSObject* object, JSScope* next)
+        : Base(
+            exec->vm(),
+            exec->lexicalGlobalObject()->withScopeStructure(),
+            next
+        )
+        , m_object(exec->vm(), this, object)
+    {
+    }
 
     WriteBarrier<JSObject> m_object;

trunk/Source/JavaScriptCore/runtime/Lookup.cpp

@@ -1 +1 @@
 /*
- *  Copyright (C) 2008, 2012, 2015-2016 Apple Inc. All rights reserved.
+ *  Copyright (C) 2008, 2012, 2015 Apple Inc. All rights reserved.
  *
  *  This library is free software; you can redistribute it and/or
@@ -46 +46 @@
 {
     ASSERT(thisObj->globalObject());
-    ASSERT(entry->attributes() & BuiltinOrFunctionOrAccessorOrLazyProperty);
+    ASSERT(entry->attributes() & BuiltinOrFunctionOrAccessor);
     VM& vm = exec->vm();
     unsigned attributes;
@@ -64 +64 @@
                 vm, thisObj->globalObject(), propertyName, entry->functionLength(),
                 entry->function(), entry->intrinsic(), attributesForStructure(entry->attributes()));
-        } else if (isAccessor)
+        } else {
+            ASSERT(isAccessor);
             reifyStaticAccessor(vm, *entry, *thisObj, propertyName);
-        else if (entry->attributes() & CellProperty) {
-            LazyCellProperty* property = bitwise_cast<LazyCellProperty*>(
-                bitwise_cast<char*>(thisObj) + entry->lazyCellPropertyOffset());
-            JSCell* result = property->get(thisObj);
-            thisObj->putDirect(vm, propertyName, result, attributesForStructure(entry->attributes()));
-        } else if (entry->attributes() & ClassStructure) {
-            LazyClassStructure* structure = bitwise_cast<LazyClassStructure*>(
-                bitwise_cast<char*>(thisObj) + entry->lazyClassStructureOffset());
-            structure->get(jsCast<JSGlobalObject*>(thisObj));
-        } else if (entry->attributes() & PropertyCallback) {
-            JSValue result = entry->lazyPropertyCallback()(vm, thisObj);
-            thisObj->putDirect(vm, propertyName, result, attributesForStructure(entry->attributes()));
-        } else
-            RELEASE_ASSERT_NOT_REACHED();
+        }
 
         offset = thisObj->getDirectOffset(vm, propertyName, attributes);
-        RELEASE_ASSERT(isValidOffset(offset));
+        ASSERT(isValidOffset(offset));
     }
 

trunk/Source/JavaScriptCore/runtime/Lookup.h

@@ -1 +1 @@
 /*
  *  Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
- *  Copyright (C) 2003, 2006, 2007, 2008, 2009, 2016 Apple Inc. All rights reserved.
+ *  Copyright (C) 2003, 2006, 2007, 2008, 2009 Apple Inc. All rights reserved.
  *
  *  This library is free software; you can redistribute it and/or
@@ -29 +29 @@
 #include "Intrinsic.h"
 #include "JSGlobalObject.h"
-#include "LazyProperty.h"
 #include "PropertySlot.h"
 #include "PutPropertySlot.h"
@@ -47 +46 @@
 typedef PutPropertySlot::PutValueFunc PutFunction;
 typedef FunctionExecutable* (*BuiltinGenerator)(VM&);
-typedef JSValue (*LazyPropertyCallback)(VM&, JSObject*);
 
 // Hash table generated by the create_hash_table script.
@@ -77 +75 @@
     unsigned char functionLength() const { ASSERT(m_attributes & Function); return static_cast<unsigned char>(m_values.value2); }
 
-    GetFunction propertyGetter() const { ASSERT(!(m_attributes & BuiltinOrFunctionOrAccessorOrLazyPropertyOrConstant)); return reinterpret_cast<GetFunction>(m_values.value1); }
-    PutFunction propertyPutter() const { ASSERT(!(m_attributes & BuiltinOrFunctionOrAccessorOrLazyPropertyOrConstant)); return reinterpret_cast<PutFunction>(m_values.value2); }
+    GetFunction propertyGetter() const { ASSERT(!(m_attributes & BuiltinOrFunctionOrAccessorOrConstant)); return reinterpret_cast<GetFunction>(m_values.value1); }
+    PutFunction propertyPutter() const { ASSERT(!(m_attributes & BuiltinOrFunctionOrAccessorOrConstant)); return reinterpret_cast<PutFunction>(m_values.value2); }
 
     NativeFunction accessorGetter() const { ASSERT(m_attributes & Accessor); return reinterpret_cast<NativeFunction>(m_values.value1); }
@@ -88 +86 @@
 
     intptr_t lexerValue() const { ASSERT(!m_attributes); return m_values.value1; }
-    
-    ptrdiff_t lazyCellPropertyOffset() const { ASSERT(m_attributes & CellProperty); return m_values.value1; }
-    ptrdiff_t lazyClassStructureOffset() const { ASSERT(m_attributes & ClassStructure); return m_values.value1; }
-    LazyPropertyCallback lazyPropertyCallback() const { ASSERT(m_attributes & PropertyCallback); return reinterpret_cast<LazyPropertyCallback>(m_values.value1); }
 };
 
@@ -228 +222 @@
         return false;
 
-    if (entry->attributes() & BuiltinOrFunctionOrAccessorOrLazyProperty)
+    if (entry->attributes() & BuiltinOrFunctionOrAccessor)
         return setUpStaticFunctionSlot(exec, entry, thisObj, propertyName, slot);
 
@@ -278 +272 @@
         return false;
 
-    ASSERT(!(entry->attributes() & BuiltinOrFunctionOrAccessorOrLazyProperty));
+    ASSERT(!(entry->attributes() & BuiltinOrFunctionOrAccessor));
 
     if (entry->attributes() & ConstantInteger) {
@@ -294 +288 @@
 inline bool putEntry(ExecState* exec, const HashTableValue* entry, JSObject* base, JSObject* thisValue, PropertyName propertyName, JSValue value, PutPropertySlot& slot)
 {
-    if (entry->attributes() & BuiltinOrFunctionOrLazyProperty) {
+    if (entry->attributes() & BuiltinOrFunction) {
         if (!(entry->attributes() & ReadOnly)) {
-            // If this is a function or lazy property put then we just do the put because
-            // logically the object already had the property, so this is just a replace.
+            // If this is a function put it as an override property.
             if (JSObject* thisObject = jsDynamicCast<JSObject*>(thisValue))
                 thisObject->putDirect(exec->vm(), propertyName, value);
@@ -368 +361 @@
         return;
     }
-    
-    if (value.attributes() & CellProperty) {
-        LazyCellProperty* property = bitwise_cast<LazyCellProperty*>(
-            bitwise_cast<char*>(&thisObj) + value.lazyCellPropertyOffset());
-        JSCell* result = property->get(&thisObj);
-        thisObj.putDirect(vm, propertyName, result, attributesForStructure(value.attributes()));
-        return;
-    }
-    
-    if (value.attributes() & ClassStructure) {
-        LazyClassStructure* structure = bitwise_cast<LazyClassStructure*>(
-            bitwise_cast<char*>(&thisObj) + value.lazyClassStructureOffset());
-        structure->get(jsCast<JSGlobalObject*>(&thisObj));
-        return;
-    }
-    
-    if (value.attributes() & PropertyCallback) {
-        JSValue result = value.lazyPropertyCallback()(vm, &thisObj);
-        thisObj.putDirect(vm, propertyName, result, attributesForStructure(value.attributes()));
-        return;
-    }
 
     CustomGetterSetter* customGetterSetter = CustomGetterSetter::create(vm, value.propertyGetter(), value.propertyPutter());

trunk/Source/JavaScriptCore/runtime/PropertySlot.h

@@ -1 +1 @@
 /*
- *  Copyright (C) 2005, 2007, 2008, 2015-2016 Apple Inc. All rights reserved.
+ *  Copyright (C) 2005, 2007, 2008, 2015 Apple Inc. All rights reserved.
  *
  *  This library is free software; you can redistribute it and/or
@@ -47 +47 @@
     Builtin           = 1 << 9,  // property is a builtin function - only used by static hashtables
     ConstantInteger   = 1 << 10, // property is a constant integer - only used by static hashtables
-    CellProperty      = 1 << 11, // property is a lazy property - only used by static hashtables
-    ClassStructure    = 1 << 12, // property is a lazy class structure - only used by static hashtables
-    PropertyCallback  = 1 << 13, // property that is a lazy property callback - only used by static hashtables
     BuiltinOrFunction = Builtin | Function, // helper only used by static hashtables
-    BuiltinOrFunctionOrLazyProperty = Builtin | Function | CellProperty | ClassStructure | PropertyCallback, // helper only used by static hashtables
-    BuiltinOrFunctionOrAccessorOrLazyProperty = Builtin | Function | Accessor | CellProperty | ClassStructure | PropertyCallback, // helper only used by static hashtables
-    BuiltinOrFunctionOrAccessorOrLazyPropertyOrConstant = Builtin | Function | Accessor | CellProperty | ClassStructure | PropertyCallback | ConstantInteger // helper only used by static hashtables
+    BuiltinOrFunctionOrAccessor = Builtin | Function | Accessor, // helper only used by static hashtables
+    BuiltinOrFunctionOrAccessorOrConstant = Builtin | Function | Accessor | ConstantInteger, // helper only used by static hashtables
 };
 

trunk/Source/JavaScriptCore/runtime/TypedArrayType.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2013, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2013 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -34 +34 @@
 struct ClassInfo;
 
-#define FOR_EACH_TYPED_ARRAY_TYPE(macro) \
-    macro(Int8) \
-    macro(Uint8) \
-    macro(Uint8Clamped) \
-    macro(Int16) \
-    macro(Uint16) \
-    macro(Int32) \
-    macro(Uint32) \
-    macro(Float32) \
-    macro(Float64) \
-    macro(DataView)
-
-#define FOR_EACH_TYPED_ARRAY_TYPE_EXCLUDING_DATA_VIEW(macro) \
-    macro(Int8) \
-    macro(Uint8) \
-    macro(Uint8Clamped) \
-    macro(Int16) \
-    macro(Uint16) \
-    macro(Int32) \
-    macro(Uint32) \
-    macro(Float32) \
-    macro(Float64)
-
 enum TypedArrayType {
     NotTypedArray,
-#define DECLARE_TYPED_ARRAY_TYPE(name) Type ## name,
-    FOR_EACH_TYPED_ARRAY_TYPE(DECLARE_TYPED_ARRAY_TYPE)
-#undef DECLARE_TYPED_ARRAY_TYPE
+    TypeInt8,
+    TypeUint8,
+    TypeUint8Clamped,
+    TypeInt16,
+    TypeUint16,
+    TypeInt32,
+    TypeUint32,
+    TypeFloat32,
+    TypeFloat64,
+    TypeDataView
 };
 

trunk/Source/WTF/ChangeLog

@@ +1 @@
+2016-05-04  Chris Dumez  <cdumez@apple.com>
+
+        Unreviewed, rolling out r200383 and r200406.
+
+        Seems to have caused crashes on iOS / ARMv7s
+
+        Reverted changesets:
+
+        "Speed up JSGlobalObject initialization by making some
+        properties lazy"
+        https://bugs.webkit.org/show_bug.cgi?id=157045
+        http://trac.webkit.org/changeset/200383
+
+        "REGRESSION(r200383): Setting lazily initialized properties
+        across frame boundaries crashes"
+        https://bugs.webkit.org/show_bug.cgi?id=157333
+        http://trac.webkit.org/changeset/200406
+
 2016-05-03  Filip Pizlo  <fpizlo@apple.com>
 

trunk/Source/WTF/wtf/StdLibExtras.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2008, 2016 Apple Inc. All Rights Reserved.
+ * Copyright (C) 2008 Apple Inc. All Rights Reserved.
  * Copyright (C) 2013 Patrick Gansterer <paroga@paroga.com>
  *
@@ -30 +30 @@
 #include <chrono>
 #include <memory>
-#include <string.h>
 #include <wtf/Assertions.h>
 #include <wtf/CheckedArithmetic.h>
@@ -286 +285 @@
 WTF_EXPORT_PRIVATE bool isCompilationThread();
 
-template<typename Func>
-bool isStatelessLambda()
-{
-    return std::is_empty<Func>::value;
-}
-
-template<typename ResultType, typename Func, typename... ArgumentTypes>
-ResultType callStatelessLambda(ArgumentTypes&&... arguments)
-{
-    uint64_t data[(sizeof(Func) + sizeof(uint64_t) - 1) / sizeof(uint64_t)];
-    memset(data, 0, sizeof(data));
-    return (*bitwise_cast<Func*>(data))(std::forward<ArgumentTypes>(arguments)...);
-}
-
 } // namespace WTF
 
@@ -419 +404 @@
 using WTF::bitwise_cast;
 using WTF::safeCast;
-using WTF::isStatelessLambda;
-using WTF::callStatelessLambda;
 
 #if COMPILER_SUPPORTS(CXX_USER_LITERALS)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2016-05-04  Chris Dumez  <cdumez@apple.com>
+
+        Unreviewed, rolling out r200383 and r200406.
+
+        Seems to have caused crashes on iOS / ARMv7s
+
+        Reverted changesets:
+
+        "Speed up JSGlobalObject initialization by making some
+        properties lazy"
+        https://bugs.webkit.org/show_bug.cgi?id=157045
+        http://trac.webkit.org/changeset/200383
+
+        "REGRESSION(r200383): Setting lazily initialized properties
+        across frame boundaries crashes"
+        https://bugs.webkit.org/show_bug.cgi?id=157333
+        http://trac.webkit.org/changeset/200406
+
 2016-05-04  Joanmarie Diggs  <jdiggs@igalia.com>
 

trunk/Source/WebCore/bindings/js/JSHTMLElementCustom.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2007, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2007 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -102 +102 @@
 
     // The document is put on first, fall back to searching it only after the element and form.
-    // FIXME: This probably may use the wrong global object. If this is called from a native
-    // function, then it would be correct but not optimal since the native function would *know*
-    // the global object. But, it may be that globalObject() is more correct.
-    // https://bugs.webkit.org/show_bug.cgi?id=134932
-    VM& vm = exec->vm();
-    JSGlobalObject* lexicalGlobalObject = exec->lexicalGlobalObject();
-    
-    scope = JSWithScope::create(vm, lexicalGlobalObject, asObject(toJS(exec, globalObject(), &element.document())), scope);
+    scope = JSWithScope::create(exec, asObject(toJS(exec, globalObject(), &element.document())), scope);
 
     // The form is next, searched before the document, but after the element itself.
     if (HTMLFormElement* form = element.form())
-        scope = JSWithScope::create(vm, lexicalGlobalObject, asObject(toJS(exec, globalObject(), form)), scope);
+        scope = JSWithScope::create(exec, asObject(toJS(exec, globalObject(), form)), scope);
 
     // The element is on top, searched first.
-    return JSWithScope::create(vm, lexicalGlobalObject, asObject(toJS(exec, globalObject(), &element)), scope);
+    return JSWithScope::create(exec, asObject(toJS(exec, globalObject(), &element)), scope);
 }