Changeset 205504 in webkit

Timestamp:

Sep 6, 2016 2:13:25 PM (8 years ago)

Author:

sbarati@apple.com

Message:

Make JSMap and JSSet faster
​https://bugs.webkit.org/show_bug.cgi?id=160989

Reviewed by Filip Pizlo.

JSTests:

• microbenchmarks/dense-set.js: Added.

(bench):

• microbenchmarks/large-map-iteration-with-additions.js: Added.

(bar):
(foo):

• microbenchmarks/large-map-iteration-with-mutation.js: Added.

(bar):
(foo):

• microbenchmarks/large-map-iteration.js: Added.

(bar):
(foo):

• microbenchmarks/map-get-get-cse.js: Added.

(bar):
(foo):

• microbenchmarks/map-has-get-cse-opportunity.js: Added.

(bar):
(foo):

• microbenchmarks/sparse-set.js: Added.

(bench):

• stress/map-cse-correctness.js: Added.

(assert):
(testHas):
(testGet):
(foo):

• stress/map-iteration.js: Added.

(assert):
(test1):
(test2):
(test3):
(test4):
(test5):
(test6):
(test7):
(test8):
(test9):
(test10):
(test11):
(test12):
(test13):
(test14):
(test15):
(test16):
(test17):
(test18):

Source/JavaScriptCore:

This patch revamps how we implement Map and Set. It uses
a new hash map implementation. The hash map uses linear
probing and it uses Wang's 64 bit hash function for JSValues
that aren't strings. Strings use StringImpl's hash function.
The reason I wanted to roll our own HashTable is twofold:
I didn't want to inline WTF::HashMap's implementation into our
JIT, since that seems error prone and unmaintainable. Also, I wanted
a different structure for hash map buckets where buckets also exist in
a linked list.

The reason for making buckets part of a linked list is that iteration
is now simple. Iteration works by just traversing a linked list.
This design also allows for a simple implementation when doing iteration
while the hash table is mutating. Whenever we remove a bucket from
the hash table, it is removed from the list, meaning items in the
list don't point to it. However, the removed bucket will still point
to things that are either in the list, or have also been removed.
e.g, from a removed bucket, you can always follow pointers until you
either find an item in the list, or you find the tail of the list.
This is a really nice property because it means that a Map or Set
does not need to reason about the all the iterators that point
into its list. Also, whenever we add items to the Map or Set, we
hijack the tail as the new item, and make the new item point to a newly
created tail. This means that any iterator that pointed to the "tail" now
points to non-tail items. This makes the implementation of adding things
to the Map/Set while iterating easy.

I also made Map.prototype.get, Map.prototype.has, and Set.prototype.has
into intrinsics in the DFG. The IR can now reason about hash map
operations and can even do CSE over Wang's hash function, hash map
bucket lookups, hash map bucket loads, and testing if a key is in
the hash table. This makes code patterns for Map like so, super fast
in the FTL, since we will only be doing a single hash and hash bucket lookup:

`
function getKeyIfPresent(map, key) {

if (map.has(key))

return map.get(key);

}
`

This patch is roughly an 8% speedup on ES6SampleBench.

• CMakeLists.txt:
• JavaScriptCore.xcodeproj/project.pbxproj:
• bytecode/SpeculatedType.cpp:

(JSC::speculationFromClassInfo):

• bytecode/SpeculatedType.h:
• dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::execute):

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::handleIntrinsicCall):

• dfg/DFGClobberize.h:

(JSC::DFG::clobberize):

• dfg/DFGDoesGC.cpp:

(JSC::DFG::doesGC):

• dfg/DFGEdge.h:

(JSC::DFG::Edge::shift):
(JSC::DFG::Edge::makeWord):

• dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):

• dfg/DFGHeapLocation.cpp:

(WTF::printInternal):

• dfg/DFGHeapLocation.h:
• dfg/DFGNode.h:

(JSC::DFG::Node::hasHeapPrediction):

• dfg/DFGNodeType.h:
• dfg/DFGOperations.cpp:
• dfg/DFGOperations.h:
• dfg/DFGPredictionPropagationPhase.cpp:
• dfg/DFGSafeToExecute.h:

(JSC::DFG::SafeToExecuteEdge::operator()):
(JSC::DFG::safeToExecute):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::speculateMapObject):
(JSC::DFG::SpeculativeJIT::speculateSetObject):
(JSC::DFG::SpeculativeJIT::speculate):

• dfg/DFGSpeculativeJIT.h:

(JSC::DFG::SpeculativeJIT::callOperation):

• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGUseKind.cpp:

(WTF::printInternal):

• dfg/DFGUseKind.h:

(JSC::DFG::typeFilterFor):
(JSC::DFG::isCell):

• ftl/FTLAbstractHeapRepository.h:
• ftl/FTLCapabilities.cpp:

(JSC::FTL::canCompile):

• ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
(JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
(JSC::FTL::DFG::LowerDFGToB3::compileLoadFromJSMapBucket):
(JSC::FTL::DFG::LowerDFGToB3::compileIsNonEmptyMapBucket):
(JSC::FTL::DFG::LowerDFGToB3::lowMapObject):
(JSC::FTL::DFG::LowerDFGToB3::lowSetObject):
(JSC::FTL::DFG::LowerDFGToB3::lowMapBucket):
(JSC::FTL::DFG::LowerDFGToB3::speculate):
(JSC::FTL::DFG::LowerDFGToB3::speculateMapObject):
(JSC::FTL::DFG::LowerDFGToB3::speculateSetObject):
(JSC::FTL::DFG::LowerDFGToB3::setMapBucket):
(JSC::FTL::DFG::LowerDFGToB3::lowRegExpObject): Deleted.
(JSC::FTL::DFG::LowerDFGToB3::lowStorage): Deleted.
(JSC::FTL::DFG::LowerDFGToB3::speculateRegExpObject): Deleted.
(JSC::FTL::DFG::LowerDFGToB3::setStorage): Deleted.

• jit/AssemblyHelpers.cpp:

(JSC::AssemblyHelpers::wangsInt64Hash):

• jit/AssemblyHelpers.h:

(JSC::AssemblyHelpers::emitAllocateDestructibleObject): Deleted.

• jit/JITOperations.h:
• parser/ModuleAnalyzer.cpp:

(JSC::ModuleAnalyzer::ModuleAnalyzer):

• runtime/HashMapImpl.cpp: Added.

(JSC::HashMapBucket<Data>::visitChildren):
(JSC::HashMapImpl<HashMapBucket>::visitChildren):
(JSC::HashMapImpl<HashMapBucket>::copyBackingStore):

• runtime/HashMapImpl.h: Added.

(JSC::HashMapBucket::selectStructure):
(JSC::HashMapBucket::createStructure):
(JSC::HashMapBucket::create):
(JSC::HashMapBucket::HashMapBucket):
(JSC::HashMapBucket::setNext):
(JSC::HashMapBucket::setPrev):
(JSC::HashMapBucket::setKey):
(JSC::HashMapBucket::setValue):
(JSC::HashMapBucket::key):
(JSC::HashMapBucket::value):
(JSC::HashMapBucket::next):
(JSC::HashMapBucket::prev):
(JSC::HashMapBucket::deleted):
(JSC::HashMapBucket::setDeleted):
(JSC::HashMapBucket::offsetOfKey):
(JSC::HashMapBucket::offsetOfValue):
(JSC::HashMapBuffer::allocationSize):
(JSC::HashMapBuffer::buffer):
(JSC::HashMapBuffer::create):
(JSC::areKeysEqual):
(JSC::normalizeMapKey):
(JSC::jsMapHash):
(JSC::HashMapImpl::selectStructure):
(JSC::HashMapImpl::createStructure):
(JSC::HashMapImpl::create):
(JSC::HashMapImpl::HashMapImpl):
(JSC::HashMapImpl::buffer):
(JSC::HashMapImpl::finishCreation):
(JSC::HashMapImpl::emptyValue):
(JSC::HashMapImpl::isEmpty):
(JSC::HashMapImpl::deletedValue):
(JSC::HashMapImpl::isDeleted):
(JSC::HashMapImpl::findBucket):
(JSC::HashMapImpl::get):
(JSC::HashMapImpl::has):
(JSC::HashMapImpl::add):
(JSC::HashMapImpl::remove):
(JSC::HashMapImpl::size):
(JSC::HashMapImpl::clear):
(JSC::HashMapImpl::bufferSizeInBytes):
(JSC::HashMapImpl::offsetOfBuffer):
(JSC::HashMapImpl::offsetOfCapacity):
(JSC::HashMapImpl::head):
(JSC::HashMapImpl::tail):
(JSC::HashMapImpl::approximateSize):
(JSC::HashMapImpl::findBucketAlreadyHashedAndNormalized):
(JSC::HashMapImpl::rehash):
(JSC::HashMapImpl::makeAndSetNewBuffer):

• runtime/Intrinsic.h:
• runtime/JSCJSValue.h:
• runtime/JSCJSValueInlines.h:

(JSC::sameValue):

• runtime/JSGlobalObject.cpp:

(JSC::JSGlobalObject::init):

• runtime/JSMap.cpp:

(JSC::JSMap::destroy): Deleted.
(JSC::JSMap::estimatedSize): Deleted.
(JSC::JSMap::visitChildren): Deleted.
(JSC::JSMap::copyBackingStore): Deleted.
(JSC::JSMap::has): Deleted.
(JSC::JSMap::size): Deleted.
(JSC::JSMap::get): Deleted.
(JSC::JSMap::set): Deleted.
(JSC::JSMap::clear): Deleted.
(JSC::JSMap::remove): Deleted.

• runtime/JSMap.h:

(JSC::JSMap::createStructure):
(JSC::JSMap::create):
(JSC::JSMap::get):
(JSC::JSMap::set):
(JSC::JSMap::JSMap):
(JSC::JSMap::Entry::key): Deleted.
(JSC::JSMap::Entry::value): Deleted.
(JSC::JSMap::Entry::visitChildren): Deleted.
(JSC::JSMap::Entry::setKey): Deleted.
(JSC::JSMap::Entry::setKeyWithoutWriteBarrier): Deleted.
(JSC::JSMap::Entry::setValue): Deleted.
(JSC::JSMap::Entry::clear): Deleted.

• runtime/JSMapIterator.cpp:

(JSC::JSMapIterator::finishCreation):
(JSC::JSMapIterator::visitChildren):
(JSC::JSMapIterator::clone):

• runtime/JSMapIterator.h:

(JSC::JSMapIterator::advanceIter):
(JSC::JSMapIterator::next):
(JSC::JSMapIterator::nextKeyValue):
(JSC::JSMapIterator::JSMapIterator):
(JSC::JSMapIterator::setIterator):
(JSC::JSMapIterator::finish): Deleted.
(JSC::JSMapIterator::iteratorData): Deleted.

• runtime/JSModuleLoader.cpp:

(JSC::JSModuleLoader::finishCreation):

• runtime/JSModuleLoader.h:

(JSC::JSModuleLoader::create):

• runtime/JSModuleRecord.cpp:

(JSC::JSModuleRecord::finishCreation):

• runtime/JSModuleRecord.h:

(JSC::JSModuleRecord::create):

• runtime/JSSet.cpp:

(JSC::JSSet::destroy): Deleted.
(JSC::JSSet::estimatedSize): Deleted.
(JSC::JSSet::visitChildren): Deleted.
(JSC::JSSet::copyBackingStore): Deleted.
(JSC::JSSet::has): Deleted.
(JSC::JSSet::size): Deleted.
(JSC::JSSet::add): Deleted.
(JSC::JSSet::clear): Deleted.
(JSC::JSSet::remove): Deleted.

• runtime/JSSet.h:

(JSC::JSSet::createStructure):
(JSC::JSSet::create):
(JSC::JSSet::add):
(JSC::JSSet::JSSet):
(JSC::JSSet::Entry::key): Deleted.
(JSC::JSSet::Entry::value): Deleted.
(JSC::JSSet::Entry::visitChildren): Deleted.
(JSC::JSSet::Entry::setKey): Deleted.
(JSC::JSSet::Entry::setKeyWithoutWriteBarrier): Deleted.
(JSC::JSSet::Entry::setValue): Deleted.
(JSC::JSSet::Entry::clear): Deleted.

• runtime/JSSetIterator.cpp:

(JSC::JSSetIterator::finishCreation):
(JSC::JSSetIterator::visitChildren):
(JSC::JSSetIterator::clone):

• runtime/JSSetIterator.h:

(JSC::JSSetIterator::advanceIter):
(JSC::JSSetIterator::next):
(JSC::JSSetIterator::JSSetIterator):
(JSC::JSSetIterator::setIterator):
(JSC::JSSetIterator::finish): Deleted.
(JSC::JSSetIterator::iteratorData): Deleted.

• runtime/JSType.h:
• runtime/MapBase.cpp: Added.

(JSC::MapBase<HashMapBucketType>::visitChildren):
(JSC::MapBase<HashMapBucketType>::estimatedSize):

• runtime/MapBase.h: Added.

(JSC::MapBase::size):
(JSC::MapBase::has):
(JSC::MapBase::clear):
(JSC::MapBase::remove):
(JSC::MapBase::findBucket):
(JSC::MapBase::offsetOfHashMapImpl):
(JSC::MapBase::impl):
(JSC::MapBase::finishCreation):
(JSC::MapBase::MapBase):

• runtime/MapConstructor.cpp:

(JSC::constructMap):

• runtime/MapIteratorPrototype.cpp:

(JSC::MapIteratorPrototypeFuncNext):

• runtime/MapPrototype.cpp:

(JSC::MapPrototype::finishCreation):
(JSC::getMap):
(JSC::privateFuncIsMap):
(JSC::privateFuncMapIteratorNext):

• runtime/PropertyDescriptor.cpp:

(JSC::sameValue): Deleted.

• runtime/PropertyDescriptor.h:
• runtime/SetConstructor.cpp:

(JSC::constructSet):

• runtime/SetIteratorPrototype.cpp:

(JSC::SetIteratorPrototypeFuncNext):

• runtime/SetPrototype.cpp:

(JSC::SetPrototype::finishCreation):
(JSC::getSet):
(JSC::privateFuncSetIteratorNext):

• runtime/VM.cpp:

(JSC::VM::VM):

• runtime/VM.h:

Source/WebCore:

• ForwardingHeaders/runtime/HashMapImpl.h: Added.
• ForwardingHeaders/runtime/MapBase.h: Added.
• bindings/js/SerializedScriptValue.cpp:

(WebCore::CloneSerializer::serialize):
(WebCore::CloneDeserializer::deserialize):

Source/WTF:

I made s_flagCount public since JSC's JITs now use this field.

• wtf/text/StringImpl.h:

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/microbenchmarks/dense-set.js (added)
• JSTests/microbenchmarks/large-map-iteration-with-additions.js (added)
• JSTests/microbenchmarks/large-map-iteration-with-mutation.js (added)
• JSTests/microbenchmarks/large-map-iteration.js (added)
• JSTests/microbenchmarks/map-get-get-cse.js (added)
• JSTests/microbenchmarks/map-has-get-cse-opportunity.js (added)
• JSTests/microbenchmarks/sparse-set.js (added)
• JSTests/stress/map-cse-correctness.js (added)
• JSTests/stress/map-iteration.js (added)
• Source/JavaScriptCore/CMakeLists.txt (modified) (2 diffs)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (modified) (8 diffs)
• Source/JavaScriptCore/bytecode/SpeculatedType.cpp (modified) (2 diffs)
• Source/JavaScriptCore/bytecode/SpeculatedType.h (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGClobberize.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGDoesGC.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGEdge.h (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGFixupPhase.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGHeapLocation.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGHeapLocation.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGNode.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGNodeType.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGOperations.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGOperations.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGSafeToExecute.h (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h (modified) (4 diffs)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGUseKind.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGUseKind.h (modified) (3 diffs)
• Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h (modified) (2 diffs)
• Source/JavaScriptCore/ftl/FTLCapabilities.cpp (modified) (2 diffs)
• Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (modified) (10 diffs)
• Source/JavaScriptCore/jit/AssemblyHelpers.cpp (modified) (1 diff)
• Source/JavaScriptCore/jit/AssemblyHelpers.h (modified) (2 diffs)
• Source/JavaScriptCore/jit/JITOperations.h (modified) (1 diff)
• Source/JavaScriptCore/parser/ModuleAnalyzer.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/HashMapImpl.cpp (added)
• Source/JavaScriptCore/runtime/HashMapImpl.h (added)
• Source/JavaScriptCore/runtime/Intrinsic.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSCJSValue.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSCJSValueInlines.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSGlobalObject.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSMap.cpp (modified) (3 diffs)
• Source/JavaScriptCore/runtime/JSMap.h (modified) (4 diffs)
• Source/JavaScriptCore/runtime/JSMapIterator.cpp (modified) (3 diffs)
• Source/JavaScriptCore/runtime/JSMapIterator.h (modified) (5 diffs)
• Source/JavaScriptCore/runtime/JSModuleLoader.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSModuleLoader.h (modified) (2 diffs)
• Source/JavaScriptCore/runtime/JSModuleRecord.cpp (modified) (2 diffs)
• Source/JavaScriptCore/runtime/JSModuleRecord.h (modified) (2 diffs)
• Source/JavaScriptCore/runtime/JSSet.cpp (modified) (3 diffs)
• Source/JavaScriptCore/runtime/JSSet.h (modified) (4 diffs)
• Source/JavaScriptCore/runtime/JSSetIterator.cpp (modified) (3 diffs)
• Source/JavaScriptCore/runtime/JSSetIterator.h (modified) (5 diffs)
• Source/JavaScriptCore/runtime/JSType.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/MapBase.cpp (copied) (copied from trunk/Source/JavaScriptCore/runtime/JSMapIterator.cpp) (2 diffs)
• Source/JavaScriptCore/runtime/MapBase.h (added)
• Source/JavaScriptCore/runtime/MapConstructor.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/MapIteratorPrototype.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/MapPrototype.cpp (modified) (5 diffs)
• Source/JavaScriptCore/runtime/PropertyDescriptor.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/PropertyDescriptor.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/SetConstructor.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/SetIteratorPrototype.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/SetPrototype.cpp (modified) (3 diffs)
• Source/JavaScriptCore/runtime/VM.cpp (modified) (2 diffs)
• Source/JavaScriptCore/runtime/VM.h (modified) (1 diff)
• Source/WTF/ChangeLog (modified) (1 diff)
• Source/WTF/wtf/text/StringImpl.h (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/ForwardingHeaders/runtime/HashMapImpl.h (added)
• Source/WebCore/ForwardingHeaders/runtime/MapBase.h (added)
• Source/WebCore/bindings/js/SerializedScriptValue.cpp (modified) (3 diffs)

trunk/JSTests/ChangeLog

@@ +1 @@
+2016-09-06  Saam Barati  <sbarati@apple.com>
+
+        Make JSMap and JSSet faster
+        https://bugs.webkit.org/show_bug.cgi?id=160989
+
+        Reviewed by Filip Pizlo.
+
+        * microbenchmarks/dense-set.js: Added.
+        (bench):
+        * microbenchmarks/large-map-iteration-with-additions.js: Added.
+        (bar):
+        (foo):
+        * microbenchmarks/large-map-iteration-with-mutation.js: Added.
+        (bar):
+        (foo):
+        * microbenchmarks/large-map-iteration.js: Added.
+        (bar):
+        (foo):
+        * microbenchmarks/map-get-get-cse.js: Added.
+        (bar):
+        (foo):
+        * microbenchmarks/map-has-get-cse-opportunity.js: Added.
+        (bar):
+        (foo):
+        * microbenchmarks/sparse-set.js: Added.
+        (bench):
+        * stress/map-cse-correctness.js: Added.
+        (assert):
+        (testHas):
+        (testGet):
+        (foo):
+        * stress/map-iteration.js: Added.
+        (assert):
+        (test1):
+        (test2):
+        (test3):
+        (test4):
+        (test5):
+        (test6):
+        (test7):
+        (test8):
+        (test9):
+        (test10):
+        (test11):
+        (test12):
+        (test13):
+        (test14):
+        (test15):
+        (test16):
+        (test17):
+        (test18):
+
 2016-08-31  Filip Pizlo  <fpizlo@apple.com>
 

trunk/Source/JavaScriptCore/CMakeLists.txt

@@ -673 +673 @@
     runtime/GeneratorPrototype.cpp
     runtime/GetterSetter.cpp
+    runtime/HashMapImpl.cpp
     runtime/Identifier.cpp
     runtime/IndexingType.cpp
@@ -758 +759 @@
     runtime/LiteralParser.cpp
     runtime/Lookup.cpp
+    runtime/MapBase.cpp
     runtime/MapConstructor.cpp
     runtime/MapIteratorPrototype.cpp

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2016-09-06  Saam Barati  <sbarati@apple.com>
+
+        Make JSMap and JSSet faster
+        https://bugs.webkit.org/show_bug.cgi?id=160989
+
+        Reviewed by Filip Pizlo.
+
+        This patch revamps how we implement Map and Set. It uses
+        a new hash map implementation. The hash map uses linear
+        probing and it uses Wang's 64 bit hash function for JSValues
+        that aren't strings. Strings use StringImpl's hash function.
+        The reason I wanted to roll our own HashTable is twofold:
+        I didn't want to inline WTF::HashMap's implementation into our
+        JIT, since that seems error prone and unmaintainable. Also, I wanted
+        a different structure for hash map buckets where buckets also exist in
+        a linked list.
+
+        The reason for making buckets part of a linked list is that iteration
+        is now simple. Iteration works by just traversing a linked list.
+        This design also allows for a simple implementation when doing iteration
+        while the hash table is mutating. Whenever we remove a bucket from
+        the hash table, it is removed from the list, meaning items in the
+        list don't point to it. However, the removed bucket will still point
+        to things that are either in the list, or have also been removed.
+        e.g, from a removed bucket, you can always follow pointers until you
+        either find an item in the list, or you find the tail of the list.
+        This is a really nice property because it means that a Map or Set
+        does not need to reason about the all the iterators that point
+        into its list. Also, whenever we add items to the Map or Set, we
+        hijack the tail as the new item, and make the new item point to a newly
+        created tail. This means that any iterator that pointed to the "tail" now
+        points to non-tail items. This makes the implementation of adding things
+        to the Map/Set while iterating easy.
+
+        I also made Map.prototype.get, Map.prototype.has, and Set.prototype.has
+        into intrinsics in the DFG. The IR can now reason about hash map
+        operations and can even do CSE over Wang's hash function, hash map
+        bucket lookups, hash map bucket loads, and testing if a key is in
+        the hash table. This makes code patterns for Map like so, super fast
+        in the FTL, since we will only be doing a single hash and hash bucket lookup:
+
+        ```
+        function getKeyIfPresent(map, key) {
+            if (map.has(key))
+                return map.get(key);
+        }
+        ```
+
+        This patch is roughly an 8% speedup on ES6SampleBench.
+
+        * CMakeLists.txt:
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * bytecode/SpeculatedType.cpp:
+        (JSC::speculationFromClassInfo):
+        * bytecode/SpeculatedType.h:
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::execute):
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize):
+        * dfg/DFGDoesGC.cpp:
+        (JSC::DFG::doesGC):
+        * dfg/DFGEdge.h:
+        (JSC::DFG::Edge::shift):
+        (JSC::DFG::Edge::makeWord):
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+        * dfg/DFGHeapLocation.cpp:
+        (WTF::printInternal):
+        * dfg/DFGHeapLocation.h:
+        * dfg/DFGNode.h:
+        (JSC::DFG::Node::hasHeapPrediction):
+        * dfg/DFGNodeType.h:
+        * dfg/DFGOperations.cpp:
+        * dfg/DFGOperations.h:
+        * dfg/DFGPredictionPropagationPhase.cpp:
+        * dfg/DFGSafeToExecute.h:
+        (JSC::DFG::SafeToExecuteEdge::operator()):
+        (JSC::DFG::safeToExecute):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::speculateMapObject):
+        (JSC::DFG::SpeculativeJIT::speculateSetObject):
+        (JSC::DFG::SpeculativeJIT::speculate):
+        * dfg/DFGSpeculativeJIT.h:
+        (JSC::DFG::SpeculativeJIT::callOperation):
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGUseKind.cpp:
+        (WTF::printInternal):
+        * dfg/DFGUseKind.h:
+        (JSC::DFG::typeFilterFor):
+        (JSC::DFG::isCell):
+        * ftl/FTLAbstractHeapRepository.h:
+        * ftl/FTLCapabilities.cpp:
+        (JSC::FTL::canCompile):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+        (JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
+        (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
+        (JSC::FTL::DFG::LowerDFGToB3::compileLoadFromJSMapBucket):
+        (JSC::FTL::DFG::LowerDFGToB3::compileIsNonEmptyMapBucket):
+        (JSC::FTL::DFG::LowerDFGToB3::lowMapObject):
+        (JSC::FTL::DFG::LowerDFGToB3::lowSetObject):
+        (JSC::FTL::DFG::LowerDFGToB3::lowMapBucket):
+        (JSC::FTL::DFG::LowerDFGToB3::speculate):
+        (JSC::FTL::DFG::LowerDFGToB3::speculateMapObject):
+        (JSC::FTL::DFG::LowerDFGToB3::speculateSetObject):
+        (JSC::FTL::DFG::LowerDFGToB3::setMapBucket):
+        (JSC::FTL::DFG::LowerDFGToB3::lowRegExpObject): Deleted.
+        (JSC::FTL::DFG::LowerDFGToB3::lowStorage): Deleted.
+        (JSC::FTL::DFG::LowerDFGToB3::speculateRegExpObject): Deleted.
+        (JSC::FTL::DFG::LowerDFGToB3::setStorage): Deleted.
+        * jit/AssemblyHelpers.cpp:
+        (JSC::AssemblyHelpers::wangsInt64Hash):
+        * jit/AssemblyHelpers.h:
+        (JSC::AssemblyHelpers::emitAllocateDestructibleObject): Deleted.
+        * jit/JITOperations.h:
+        * parser/ModuleAnalyzer.cpp:
+        (JSC::ModuleAnalyzer::ModuleAnalyzer):
+        * runtime/HashMapImpl.cpp: Added.
+        (JSC::HashMapBucket<Data>::visitChildren):
+        (JSC::HashMapImpl<HashMapBucket>::visitChildren):
+        (JSC::HashMapImpl<HashMapBucket>::copyBackingStore):
+        * runtime/HashMapImpl.h: Added.
+        (JSC::HashMapBucket::selectStructure):
+        (JSC::HashMapBucket::createStructure):
+        (JSC::HashMapBucket::create):
+        (JSC::HashMapBucket::HashMapBucket):
+        (JSC::HashMapBucket::setNext):
+        (JSC::HashMapBucket::setPrev):
+        (JSC::HashMapBucket::setKey):
+        (JSC::HashMapBucket::setValue):
+        (JSC::HashMapBucket::key):
+        (JSC::HashMapBucket::value):
+        (JSC::HashMapBucket::next):
+        (JSC::HashMapBucket::prev):
+        (JSC::HashMapBucket::deleted):
+        (JSC::HashMapBucket::setDeleted):
+        (JSC::HashMapBucket::offsetOfKey):
+        (JSC::HashMapBucket::offsetOfValue):
+        (JSC::HashMapBuffer::allocationSize):
+        (JSC::HashMapBuffer::buffer):
+        (JSC::HashMapBuffer::create):
+        (JSC::areKeysEqual):
+        (JSC::normalizeMapKey):
+        (JSC::jsMapHash):
+        (JSC::HashMapImpl::selectStructure):
+        (JSC::HashMapImpl::createStructure):
+        (JSC::HashMapImpl::create):
+        (JSC::HashMapImpl::HashMapImpl):
+        (JSC::HashMapImpl::buffer):
+        (JSC::HashMapImpl::finishCreation):
+        (JSC::HashMapImpl::emptyValue):
+        (JSC::HashMapImpl::isEmpty):
+        (JSC::HashMapImpl::deletedValue):
+        (JSC::HashMapImpl::isDeleted):
+        (JSC::HashMapImpl::findBucket):
+        (JSC::HashMapImpl::get):
+        (JSC::HashMapImpl::has):
+        (JSC::HashMapImpl::add):
+        (JSC::HashMapImpl::remove):
+        (JSC::HashMapImpl::size):
+        (JSC::HashMapImpl::clear):
+        (JSC::HashMapImpl::bufferSizeInBytes):
+        (JSC::HashMapImpl::offsetOfBuffer):
+        (JSC::HashMapImpl::offsetOfCapacity):
+        (JSC::HashMapImpl::head):
+        (JSC::HashMapImpl::tail):
+        (JSC::HashMapImpl::approximateSize):
+        (JSC::HashMapImpl::findBucketAlreadyHashedAndNormalized):
+        (JSC::HashMapImpl::rehash):
+        (JSC::HashMapImpl::makeAndSetNewBuffer):
+        * runtime/Intrinsic.h:
+        * runtime/JSCJSValue.h:
+        * runtime/JSCJSValueInlines.h:
+        (JSC::sameValue):
+        * runtime/JSGlobalObject.cpp:
+        (JSC::JSGlobalObject::init):
+        * runtime/JSMap.cpp:
+        (JSC::JSMap::destroy): Deleted.
+        (JSC::JSMap::estimatedSize): Deleted.
+        (JSC::JSMap::visitChildren): Deleted.
+        (JSC::JSMap::copyBackingStore): Deleted.
+        (JSC::JSMap::has): Deleted.
+        (JSC::JSMap::size): Deleted.
+        (JSC::JSMap::get): Deleted.
+        (JSC::JSMap::set): Deleted.
+        (JSC::JSMap::clear): Deleted.
+        (JSC::JSMap::remove): Deleted.
+        * runtime/JSMap.h:
+        (JSC::JSMap::createStructure):
+        (JSC::JSMap::create):
+        (JSC::JSMap::get):
+        (JSC::JSMap::set):
+        (JSC::JSMap::JSMap):
+        (JSC::JSMap::Entry::key): Deleted.
+        (JSC::JSMap::Entry::value): Deleted.
+        (JSC::JSMap::Entry::visitChildren): Deleted.
+        (JSC::JSMap::Entry::setKey): Deleted.
+        (JSC::JSMap::Entry::setKeyWithoutWriteBarrier): Deleted.
+        (JSC::JSMap::Entry::setValue): Deleted.
+        (JSC::JSMap::Entry::clear): Deleted.
+        * runtime/JSMapIterator.cpp:
+        (JSC::JSMapIterator::finishCreation):
+        (JSC::JSMapIterator::visitChildren):
+        (JSC::JSMapIterator::clone):
+        * runtime/JSMapIterator.h:
+        (JSC::JSMapIterator::advanceIter):
+        (JSC::JSMapIterator::next):
+        (JSC::JSMapIterator::nextKeyValue):
+        (JSC::JSMapIterator::JSMapIterator):
+        (JSC::JSMapIterator::setIterator):
+        (JSC::JSMapIterator::finish): Deleted.
+        (JSC::JSMapIterator::iteratorData): Deleted.
+        * runtime/JSModuleLoader.cpp:
+        (JSC::JSModuleLoader::finishCreation):
+        * runtime/JSModuleLoader.h:
+        (JSC::JSModuleLoader::create):
+        * runtime/JSModuleRecord.cpp:
+        (JSC::JSModuleRecord::finishCreation):
+        * runtime/JSModuleRecord.h:
+        (JSC::JSModuleRecord::create):
+        * runtime/JSSet.cpp:
+        (JSC::JSSet::destroy): Deleted.
+        (JSC::JSSet::estimatedSize): Deleted.
+        (JSC::JSSet::visitChildren): Deleted.
+        (JSC::JSSet::copyBackingStore): Deleted.
+        (JSC::JSSet::has): Deleted.
+        (JSC::JSSet::size): Deleted.
+        (JSC::JSSet::add): Deleted.
+        (JSC::JSSet::clear): Deleted.
+        (JSC::JSSet::remove): Deleted.
+        * runtime/JSSet.h:
+        (JSC::JSSet::createStructure):
+        (JSC::JSSet::create):
+        (JSC::JSSet::add):
+        (JSC::JSSet::JSSet):
+        (JSC::JSSet::Entry::key): Deleted.
+        (JSC::JSSet::Entry::value): Deleted.
+        (JSC::JSSet::Entry::visitChildren): Deleted.
+        (JSC::JSSet::Entry::setKey): Deleted.
+        (JSC::JSSet::Entry::setKeyWithoutWriteBarrier): Deleted.
+        (JSC::JSSet::Entry::setValue): Deleted.
+        (JSC::JSSet::Entry::clear): Deleted.
+        * runtime/JSSetIterator.cpp:
+        (JSC::JSSetIterator::finishCreation):
+        (JSC::JSSetIterator::visitChildren):
+        (JSC::JSSetIterator::clone):
+        * runtime/JSSetIterator.h:
+        (JSC::JSSetIterator::advanceIter):
+        (JSC::JSSetIterator::next):
+        (JSC::JSSetIterator::JSSetIterator):
+        (JSC::JSSetIterator::setIterator):
+        (JSC::JSSetIterator::finish): Deleted.
+        (JSC::JSSetIterator::iteratorData): Deleted.
+        * runtime/JSType.h:
+        * runtime/MapBase.cpp: Added.
+        (JSC::MapBase<HashMapBucketType>::visitChildren):
+        (JSC::MapBase<HashMapBucketType>::estimatedSize):
+        * runtime/MapBase.h: Added.
+        (JSC::MapBase::size):
+        (JSC::MapBase::has):
+        (JSC::MapBase::clear):
+        (JSC::MapBase::remove):
+        (JSC::MapBase::findBucket):
+        (JSC::MapBase::offsetOfHashMapImpl):
+        (JSC::MapBase::impl):
+        (JSC::MapBase::finishCreation):
+        (JSC::MapBase::MapBase):
+        * runtime/MapConstructor.cpp:
+        (JSC::constructMap):
+        * runtime/MapIteratorPrototype.cpp:
+        (JSC::MapIteratorPrototypeFuncNext):
+        * runtime/MapPrototype.cpp:
+        (JSC::MapPrototype::finishCreation):
+        (JSC::getMap):
+        (JSC::privateFuncIsMap):
+        (JSC::privateFuncMapIteratorNext):
+        * runtime/PropertyDescriptor.cpp:
+        (JSC::sameValue): Deleted.
+        * runtime/PropertyDescriptor.h:
+        * runtime/SetConstructor.cpp:
+        (JSC::constructSet):
+        * runtime/SetIteratorPrototype.cpp:
+        (JSC::SetIteratorPrototypeFuncNext):
+        * runtime/SetPrototype.cpp:
+        (JSC::SetPrototype::finishCreation):
+        (JSC::getSet):
+        (JSC::privateFuncSetIteratorNext):
+        * runtime/VM.cpp:
+        (JSC::VM::VM):
+        * runtime/VM.h:
+
 2016-09-06  Filip Pizlo  <fpizlo@apple.com>
 

trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

@@ -1319 +1319 @@
                 792CB3491C4EED5C00D13AF3 /* PCToCodeOriginMap.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 792CB3471C4EED5C00D13AF3 /* PCToCodeOriginMap.cpp */; };
                 792CB34A1C4EED5C00D13AF3 /* PCToCodeOriginMap.h in Headers */ = {isa = PBXBuildFile; fileRef = 792CB3481C4EED5C00D13AF3 /* PCToCodeOriginMap.h */; settings = {ATTRIBUTES = (Private, ); }; };
+                795B19971D78BE3500262FA0 /* MapBase.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 795B19951D78BE3500262FA0 /* MapBase.cpp */; };
+                795B19981D78BE3500262FA0 /* MapBase.h in Headers */ = {isa = PBXBuildFile; fileRef = 795B19961D78BE3500262FA0 /* MapBase.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 7964656A1B952FF0003059EE /* GetPutInfo.h in Headers */ = {isa = PBXBuildFile; fileRef = 796465681B952FF0003059EE /* GetPutInfo.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 797E07A91B8FCFB9008400BA /* JSGlobalLexicalEnvironment.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 797E07A71B8FCFB9008400BA /* JSGlobalLexicalEnvironment.cpp */; };
                 797E07AA1B8FCFB9008400BA /* JSGlobalLexicalEnvironment.h in Headers */ = {isa = PBXBuildFile; fileRef = 797E07A81B8FCFB9008400BA /* JSGlobalLexicalEnvironment.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 799EF7C41C56ED96002B0534 /* B3PCToOriginMap.h in Headers */ = {isa = PBXBuildFile; fileRef = 799EF7C31C56ED96002B0534 /* B3PCToOriginMap.h */; settings = {ATTRIBUTES = (Private, ); }; };
+                79A0907F1D768465008B889B /* HashMapImpl.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 79A0907D1D768465008B889B /* HashMapImpl.cpp */; };
+                79A090801D768465008B889B /* HashMapImpl.h in Headers */ = {isa = PBXBuildFile; fileRef = 79A0907E1D768465008B889B /* HashMapImpl.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 79A228351D35D71E00D8E067 /* ArithProfile.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 79A228331D35D71E00D8E067 /* ArithProfile.cpp */; };
                 79A228361D35D71F00D8E067 /* ArithProfile.h in Headers */ = {isa = PBXBuildFile; fileRef = 79A228341D35D71E00D8E067 /* ArithProfile.h */; };
@@ -3570 +3574 @@
                 792CB3471C4EED5C00D13AF3 /* PCToCodeOriginMap.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = PCToCodeOriginMap.cpp; sourceTree = "<group>"; };
                 792CB3481C4EED5C00D13AF3 /* PCToCodeOriginMap.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = PCToCodeOriginMap.h; sourceTree = "<group>"; };
+                795B19951D78BE3500262FA0 /* MapBase.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = MapBase.cpp; sourceTree = "<group>"; };
+                795B19961D78BE3500262FA0 /* MapBase.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = MapBase.h; sourceTree = "<group>"; };
                 796465681B952FF0003059EE /* GetPutInfo.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = GetPutInfo.h; sourceTree = "<group>"; };
                 797E07A71B8FCFB9008400BA /* JSGlobalLexicalEnvironment.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSGlobalLexicalEnvironment.cpp; sourceTree = "<group>"; };
                 797E07A81B8FCFB9008400BA /* JSGlobalLexicalEnvironment.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSGlobalLexicalEnvironment.h; sourceTree = "<group>"; };
                 799EF7C31C56ED96002B0534 /* B3PCToOriginMap.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = B3PCToOriginMap.h; path = b3/B3PCToOriginMap.h; sourceTree = "<group>"; };
+                79A0907D1D768465008B889B /* HashMapImpl.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = HashMapImpl.cpp; sourceTree = "<group>"; };
+                79A0907E1D768465008B889B /* HashMapImpl.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = HashMapImpl.h; sourceTree = "<group>"; };
                 79A228331D35D71E00D8E067 /* ArithProfile.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ArithProfile.cpp; sourceTree = "<group>"; };
                 79A228341D35D71E00D8E067 /* ArithProfile.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ArithProfile.h; sourceTree = "<group>"; };
@@ -5826 +5834 @@
                                 BC02E9B80E184545000F9297 /* GetterSetter.cpp */,
                                 BC337BDE0E1AF0B80076918A /* GetterSetter.h */,
+                                79A0907D1D768465008B889B /* HashMapImpl.cpp */,
+                                79A0907E1D768465008B889B /* HashMapImpl.h */,
                                 933A349D038AE80F008635CE /* Identifier.cpp */,
                                 933A349A038AE7C6008635CE /* Identifier.h */,
@@ -6036 +6046 @@
                                 F692A8680255597D01FF60F7 /* Lookup.cpp */,
                                 F692A8690255597D01FF60F7 /* Lookup.h */,
+                                795B19951D78BE3500262FA0 /* MapBase.cpp */,
+                                795B19961D78BE3500262FA0 /* MapBase.h */,
                                 A700873717CBE85300C3E643 /* MapConstructor.cpp */,
                                 A700873817CBE85300C3E643 /* MapConstructor.h */,
@@ -7327 +7339 @@
                                 1429D8DE0ED2205B00B89619 /* CallFrame.h in Headers */,
                                 62EC9BB71B7EB07C00303AD1 /* CallFrameShuffleData.h in Headers */,
+                                795B19981D78BE3500262FA0 /* MapBase.h in Headers */,
                                 62D755D71B84FB4A001801FA /* CallFrameShuffler.h in Headers */,
                                 0F0B83B114BCF71800885B4F /* CallLinkInfo.h in Headers */,
@@ -7494 +7507 @@
                                 A7D89CF817A0B8CC00773AD8 /* DFGFlushFormat.h in Headers */,
                                 0F2DD8151AB3D8BE00BBB8E8 /* DFGForAllKills.h in Headers */,
+                                79A090801D768465008B889B /* HashMapImpl.h in Headers */,
                                 0F69CC89193AC60A0045759E /* DFGFrozenValue.h in Headers */,
                                 86EC9DC61328DF82002B2AD7 /* DFGGenerationInfo.h in Headers */,
@@ -9226 +9240 @@
                                 0FB105851675480F00F8AB6E /* ExitKind.cpp in Sources */,
                                 0FEA0A1C1708B00700BB722C /* FTLAbstractHeap.cpp in Sources */,
+                                79A0907F1D768465008B889B /* HashMapImpl.cpp in Sources */,
                                 0FEA0A1E1708B00700BB722C /* FTLAbstractHeapRepository.cpp in Sources */,
                                 0F93274D1C1F66AA00CF6564 /* GPRInfo.cpp in Sources */,
@@ -9270 +9285 @@
                                 FE4BFF2B1AD476E700088F87 /* FunctionOverrides.cpp in Sources */,
                                 147F39CC107EC37600427A48 /* FunctionPrototype.cpp in Sources */,
+                                795B19971D78BE3500262FA0 /* MapBase.cpp in Sources */,
                                 62D2D38F1ADF103F000206C1 /* FunctionRareData.cpp in Sources */,
                                 2AACE63C18CA5A0300ED0191 /* GCActivityCallback.cpp in Sources */,

trunk/Source/JavaScriptCore/bytecode/SpeculatedType.cpp

@@ -31 +31 @@
 
 #include "DirectArguments.h"
+#include "JSCInlines.h"
 #include "JSArray.h"
 #include "JSFunction.h"
-#include "JSCInlines.h"
+#include "JSMap.h"
+#include "JSSet.h"
 #include "ScopedArguments.h"
 #include "StringObject.h"
@@ -347 +349 @@
     if (classInfo == RegExpObject::info())
         return SpecRegExpObject;
+
+    if (classInfo == JSMap::info())
+        return SpecMapObject;
+
+    if (classInfo == JSSet::info())
+        return SpecSetObject;
     
     if (classInfo->isSubClassOf(JSFunction::info()))

trunk/Source/JavaScriptCore/bytecode/SpeculatedType.h

@@ -40 +40 @@
 typedef uint64_t SpeculatedType;
 static const SpeculatedType SpecNone               = 0; // We don't know anything yet.
-static const SpeculatedType SpecFinalObject        = 1u << 0; // It's definitely a JSFinalObject.
-static const SpeculatedType SpecArray              = 1u << 1; // It's definitely a JSArray.
-static const SpeculatedType SpecFunction           = 1u << 2; // It's definitely a JSFunction.
-static const SpeculatedType SpecInt8Array          = 1u << 3; // It's definitely an Int8Array or one of its subclasses.
-static const SpeculatedType SpecInt16Array         = 1u << 4; // It's definitely an Int16Array or one of its subclasses.
-static const SpeculatedType SpecInt32Array         = 1u << 5; // It's definitely an Int32Array or one of its subclasses.
-static const SpeculatedType SpecUint8Array         = 1u << 6; // It's definitely an Uint8Array or one of its subclasses.
-static const SpeculatedType SpecUint8ClampedArray  = 1u << 7; // It's definitely an Uint8ClampedArray or one of its subclasses.
-static const SpeculatedType SpecUint16Array        = 1u << 8; // It's definitely an Uint16Array or one of its subclasses.
-static const SpeculatedType SpecUint32Array        = 1u << 9; // It's definitely an Uint32Array or one of its subclasses.
-static const SpeculatedType SpecFloat32Array       = 1u << 10; // It's definitely an Uint16Array or one of its subclasses.
-static const SpeculatedType SpecFloat64Array       = 1u << 11; // It's definitely an Uint16Array or one of its subclasses.
+static const SpeculatedType SpecFinalObject        = 1ull << 0; // It's definitely a JSFinalObject.
+static const SpeculatedType SpecArray              = 1ull << 1; // It's definitely a JSArray.
+static const SpeculatedType SpecFunction           = 1ull << 2; // It's definitely a JSFunction.
+static const SpeculatedType SpecInt8Array          = 1ull << 3; // It's definitely an Int8Array or one of its subclasses.
+static const SpeculatedType SpecInt16Array         = 1ull << 4; // It's definitely an Int16Array or one of its subclasses.
+static const SpeculatedType SpecInt32Array         = 1ull << 5; // It's definitely an Int32Array or one of its subclasses.
+static const SpeculatedType SpecUint8Array         = 1ull << 6; // It's definitely an Uint8Array or one of its subclasses.
+static const SpeculatedType SpecUint8ClampedArray  = 1ull << 7; // It's definitely an Uint8ClampedArray or one of its subclasses.
+static const SpeculatedType SpecUint16Array        = 1ull << 8; // It's definitely an Uint16Array or one of its subclasses.
+static const SpeculatedType SpecUint32Array        = 1ull << 9; // It's definitely an Uint32Array or one of its subclasses.
+static const SpeculatedType SpecFloat32Array       = 1ull << 10; // It's definitely an Uint16Array or one of its subclasses.
+static const SpeculatedType SpecFloat64Array       = 1ull << 11; // It's definitely an Uint16Array or one of its subclasses.
 static const SpeculatedType SpecTypedArrayView     = SpecInt8Array | SpecInt16Array | SpecInt32Array | SpecUint8Array | SpecUint8ClampedArray | SpecUint16Array | SpecUint32Array | SpecFloat32Array | SpecFloat64Array;
-static const SpeculatedType SpecDirectArguments    = 1u << 12; // It's definitely a DirectArguments object.
-static const SpeculatedType SpecScopedArguments    = 1u << 13; // It's definitely a ScopedArguments object.
-static const SpeculatedType SpecStringObject       = 1u << 14; // It's definitely a StringObject.
-static const SpeculatedType SpecRegExpObject       = 1u << 15; // It's definitely a RegExpObject (and not any subclass of RegExpObject).
-static const SpeculatedType SpecObjectOther        = 1u << 16; // It's definitely an object but not JSFinalObject, JSArray, or JSFunction.
-static const SpeculatedType SpecObject             = SpecFinalObject | SpecArray | SpecFunction | SpecTypedArrayView | SpecDirectArguments | SpecScopedArguments | SpecStringObject | SpecRegExpObject | SpecObjectOther; // Bitmask used for testing for any kind of object prediction.
-static const SpeculatedType SpecStringIdent        = 1u << 17; // It's definitely a JSString, and it's an identifier.
-static const SpeculatedType SpecStringVar          = 1u << 18; // It's definitely a JSString, and it's not an identifier.
+static const SpeculatedType SpecDirectArguments    = 1ull << 12; // It's definitely a DirectArguments object.
+static const SpeculatedType SpecScopedArguments    = 1ull << 13; // It's definitely a ScopedArguments object.
+static const SpeculatedType SpecStringObject       = 1ull << 14; // It's definitely a StringObject.
+static const SpeculatedType SpecRegExpObject       = 1ull << 15; // It's definitely a RegExpObject (and not any subclass of RegExpObject).
+static const SpeculatedType SpecMapObject          = 1ull << 16; // It's definitely Map object (can it be a subclass? FIXME).
+static const SpeculatedType SpecSetObject          = 1ull << 17; // It's definitely s Set object (can it be a subclass? FIXME).
+static const SpeculatedType SpecObjectOther        = 1ull << 18; // It's definitely an object but not JSFinalObject, JSArray, or JSFunction.
+static const SpeculatedType SpecObject             = SpecFinalObject | SpecArray | SpecFunction | SpecTypedArrayView | SpecDirectArguments | SpecScopedArguments | SpecStringObject | SpecRegExpObject | SpecMapObject | SpecSetObject | SpecObjectOther; // Bitmask used for testing for any kind of object prediction.
+static const SpeculatedType SpecStringIdent        = 1ull << 19; // It's definitely a JSString, and it's an identifier.
+static const SpeculatedType SpecStringVar          = 1ull << 20; // It's definitely a JSString, and it's not an identifier.
 static const SpeculatedType SpecString             = SpecStringIdent | SpecStringVar; // It's definitely a JSString.
-static const SpeculatedType SpecSymbol             = 1u << 19; // It's definitely a Symbol.
-static const SpeculatedType SpecCellOther          = 1u << 20; // It's definitely a JSCell but not a subclass of JSObject and definitely not a JSString or a Symbol. FIXME: This shouldn't be part of heap-top or bytecode-top. https://bugs.webkit.org/show_bug.cgi?id=133078
+static const SpeculatedType SpecSymbol             = 1ull << 21; // It's definitely a Symbol.
+static const SpeculatedType SpecCellOther          = 1ull << 22; // It's definitely a JSCell but not a subclass of JSObject and definitely not a JSString or a Symbol. FIXME: This shouldn't be part of heap-top or bytecode-top. https://bugs.webkit.org/show_bug.cgi?id=133078
 static const SpeculatedType SpecCell               = SpecObject | SpecString | SpecSymbol | SpecCellOther; // It's definitely a JSCell.
-static const SpeculatedType SpecBoolInt32          = 1u << 21; // It's definitely an Int32 with value 0 or 1.
-static const SpeculatedType SpecNonBoolInt32       = 1u << 22; // It's definitely an Int32 with value other than 0 or 1.
+static const SpeculatedType SpecBoolInt32          = 1ull << 23; // It's definitely an Int32 with value 0 or 1.
+static const SpeculatedType SpecNonBoolInt32       = 1ull << 24; // It's definitely an Int32 with value other than 0 or 1.
 static const SpeculatedType SpecInt32Only          = SpecBoolInt32 | SpecNonBoolInt32; // It's definitely an Int32.
-static const SpeculatedType SpecInt52Only          = 1u << 23; // It's definitely an Int52 and we intend it to unbox it. It's also definitely not an Int32.
+static const SpeculatedType SpecInt52Only          = 1ull << 25; // It's definitely an Int52 and we intend it to unbox it. It's also definitely not an Int32.
 static const SpeculatedType SpecAnyInt             = SpecInt32Only | SpecInt52Only; // It's something that we can do machine int arithmetic on.
-static const SpeculatedType SpecAnyIntAsDouble     = 1u << 24; // It's definitely an Int52 and it's inside a double.
-static const SpeculatedType SpecNonIntAsDouble     = 1u << 25; // It's definitely not an Int52 but it's a real number and it's a double.
+static const SpeculatedType SpecAnyIntAsDouble     = 1ull << 26; // It's definitely an Int52 and it's inside a double.
+static const SpeculatedType SpecNonIntAsDouble     = 1ull << 27; // It's definitely not an Int52 but it's a real number and it's a double.
 static const SpeculatedType SpecDoubleReal         = SpecNonIntAsDouble | SpecAnyIntAsDouble; // It's definitely a non-NaN double.
-static const SpeculatedType SpecDoublePureNaN      = 1u << 26; // It's definitely a NaN that is sae to tag (i.e. pure).
-static const SpeculatedType SpecDoubleImpureNaN    = 1u << 27; // It's definitely a NaN that is unsafe to tag (i.e. impure).
+static const SpeculatedType SpecDoublePureNaN      = 1ull << 28; // It's definitely a NaN that is sae to tag (i.e. pure).
+static const SpeculatedType SpecDoubleImpureNaN    = 1ull << 29; // It's definitely a NaN that is unsafe to tag (i.e. impure).
 static const SpeculatedType SpecDoubleNaN          = SpecDoublePureNaN | SpecDoubleImpureNaN; // It's definitely some kind of NaN.
 static const SpeculatedType SpecBytecodeDouble     = SpecDoubleReal | SpecDoublePureNaN; // It's either a non-NaN or a NaN double, but it's definitely not impure NaN.
@@ -82 +84 @@
 static const SpeculatedType SpecBytecodeNumber     = SpecInt32Only | SpecBytecodeDouble; // It's either an Int32 or a Double, and the Double cannot be an impure NaN.
 static const SpeculatedType SpecFullNumber         = SpecAnyInt | SpecFullDouble; // It's either an Int32, Int52, or a Double, and the Double can be impure NaN.
-static const SpeculatedType SpecBoolean            = 1u << 28; // It's definitely a Boolean.
-static const SpeculatedType SpecOther              = 1u << 29; // It's definitely either Null or Undefined.
+static const SpeculatedType SpecBoolean            = 1ull << 30; // It's definitely a Boolean.
+static const SpeculatedType SpecOther              = 1ull << 31; // It's definitely either Null or Undefined.
 static const SpeculatedType SpecMisc               = SpecBoolean | SpecOther; // It's definitely either a boolean, Null, or Undefined.
 static const SpeculatedType SpecHeapTop            = SpecCell | SpecBytecodeNumber | SpecMisc; // It can be any of the above, except for SpecInt52Only and SpecDoubleImpureNaN.
 static const SpeculatedType SpecPrimitive          = SpecString | SpecSymbol | SpecBytecodeNumber | SpecMisc; // It's any non-Object JSValue.
-static const SpeculatedType SpecEmpty              = 1u << 30; // It's definitely an empty value marker.
+static const SpeculatedType SpecEmpty              = 1ull << 32; // It's definitely an empty value marker.
 static const SpeculatedType SpecBytecodeTop        = SpecHeapTop | SpecEmpty; // It can be any of the above, except for SpecInt52Only and SpecDoubleImpureNaN. Corresponds to what could be found in a bytecode local.
 static const SpeculatedType SpecFullTop            = SpecBytecodeTop | SpecFullNumber; // It can be anything that bytecode could see plus exotic encodings of numbers.

trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

@@ -977 +977 @@
         break;
     }
+
+    case MapHash:
+        forNode(node).setType(SpecInt32Only);
+        break;
+
+    case LoadFromJSMapBucket:
+        forNode(node).makeHeapTop();
+        break;
+
+    case GetMapBucket:
+        forNode(node).setType(m_graph, SpecCellOther);
+        break;
+
+    case IsNonEmptyMapBucket:
+        forNode(node).setType(SpecBoolean);
+        break;
 
     case IsEmpty:
@@ -2884 +2900 @@
 {
     Node* node = m_state.block()->at(indexInBlock);
-    
+
     startExecuting();
     executeEdges(node);

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -2539 +2539 @@
         return true;
     }
-        
+
+    case JSMapGetIntrinsic: {
+        if (argumentCountIncludingThis != 2)
+            return false;
+
+        insertChecks();
+        Node* map = get(virtualRegisterForArgument(0, registerOffset));
+        Node* key = get(virtualRegisterForArgument(1, registerOffset));
+        Node* hash = addToGraph(MapHash, key);
+        Node* bucket = addToGraph(GetMapBucket, Edge(map, MapObjectUse), Edge(key), Edge(hash));
+        Node* result = addToGraph(LoadFromJSMapBucket, OpInfo(), OpInfo(prediction), bucket);
+        set(VirtualRegister(resultOperand), result);
+        return true;
+    }
+
+    case JSSetHasIntrinsic:
+    case JSMapHasIntrinsic: {
+        if (argumentCountIncludingThis != 2)
+            return false;
+
+        insertChecks();
+        Node* mapOrSet = get(virtualRegisterForArgument(0, registerOffset));
+        Node* key = get(virtualRegisterForArgument(1, registerOffset));
+        Node* hash = addToGraph(MapHash, key);
+        UseKind useKind = intrinsic == JSSetHasIntrinsic ? SetObjectUse : MapObjectUse;
+        Node* bucket = addToGraph(GetMapBucket, OpInfo(0), Edge(mapOrSet, useKind), Edge(key), Edge(hash));
+        Node* result = addToGraph(IsNonEmptyMapBucket, bucket);
+        set(VirtualRegister(resultOperand), result);
+        return true;
+    }
+
     default:
         return false;

trunk/Source/JavaScriptCore/dfg/DFGClobberize.h

@@ -1244 +1244 @@
         write(SideState);
         return;
+
+    case MapHash:
+        def(PureValue(node));
+        return;
+    case GetMapBucket: {
+        read(MiscFields);
+        Edge& mapEdge = node->child1();
+        Edge& keyEdge = node->child2();
+        def(HeapLocation(MapBucketLoc, MiscFields, mapEdge, keyEdge), LazyNode(node));
+        return;
+    }
+    case LoadFromJSMapBucket: {
+        read(MiscFields);
+        Edge& bucketEdge = node->child1();
+        def(HeapLocation(JSMapGetLoc, MiscFields, bucketEdge), LazyNode(node));
+        return;
+    }
+    case IsNonEmptyMapBucket:
+        read(MiscFields);
+        def(HeapLocation(MapHasLoc, MiscFields, node->child1()), LazyNode(node));
+        return;
         
     case LastNodeType:

trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp

@@ -186 +186 @@
     case CheckWatchdogTimer:
     case StringFromCharCode:
+    case MapHash:
+    case GetMapBucket:
+    case LoadFromJSMapBucket:
+    case IsNonEmptyMapBucket:
     case Unreachable:
     case ExtractOSREntryLocal:

trunk/Source/JavaScriptCore/dfg/DFGEdge.h

@@ -190 +190 @@
     
 #if USE(JSVALUE64)
-    static uint32_t shift() { return 7; }
+    static constexpr uint32_t shift() { return 8; }
     
     static uintptr_t makeWord(Node* node, UseKind useKind, ProofStatus proofStatus, KillStatus killStatus)
@@ -198 +198 @@
         ASSERT((shiftedValue >> shift()) == bitwise_cast<uintptr_t>(node));
         ASSERT(useKind >= 0 && useKind < LastUseKind);
-        ASSERT((static_cast<uintptr_t>(LastUseKind) << 2) <= (static_cast<uintptr_t>(2) << shift()));
-        return shiftedValue | (static_cast<uintptr_t>(useKind) << 2) | (DFG::doesKill(killStatus) << 1) | static_cast<uintptr_t>(DFG::isProved(proofStatus));
+        static_assert((static_cast<uintptr_t>(LastUseKind) << 2) < (static_cast<uintptr_t>(1) << shift()), "We rely on this being true to not clobber the node pointer.");
+        uintptr_t result = shiftedValue | (static_cast<uintptr_t>(useKind) << 2) | (DFG::doesKill(killStatus) << 1) | static_cast<uintptr_t>(DFG::isProved(proofStatus));
+        if (!ASSERT_DISABLED) {
+            union U {
+                U() { word = 0; }
+                uintptr_t word;
+                Edge edge;
+            } u;
+            u.word = result;
+            ASSERT(u.edge.useKindUnchecked() == useKind);
+            ASSERT(u.edge.node() == node);
+            ASSERT(u.edge.proofStatusUnchecked() == proofStatus);
+            ASSERT(u.edge.killStatusUnchecked() == killStatus);
+        }
+        return result;
     }
     

trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

@@ -1545 +1545 @@
             break;
         }
+
+        case GetMapBucket:
+            if (node->child1().useKind() == MapObjectUse)
+                fixEdge<MapObjectUse>(node->child1());
+            else if (node->child1().useKind() == SetObjectUse)
+                fixEdge<SetObjectUse>(node->child1());
+            else
+                RELEASE_ASSERT_NOT_REACHED();
+            fixEdge<UntypedUse>(node->child2());
+            fixEdge<Int32Use>(node->child3());
+            break;
+
+        case LoadFromJSMapBucket:
+            fixEdge<KnownCellUse>(node->child1());
+            break;
+
+        case IsNonEmptyMapBucket:
+            fixEdge<KnownCellUse>(node->child1());
+            break;
+
+        case MapHash:
+            fixEdge<UntypedUse>(node->child1());
+            break;
 
 #if !ASSERT_DISABLED

trunk/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp

@@ -144 +144 @@
         out.print("RegExpObjectLastIndexLoc");
         return;
+    case MapBucketLoc:
+        out.print("MapBucketLoc");
+        return;
+    case JSMapGetLoc:
+        out.print("JSMapGetLoc");
+        return;
+    case MapHasLoc:
+        out.print("MapHasLoc");
+        return;
     }
     

trunk/Source/JavaScriptCore/dfg/DFGHeapLocation.h

@@ -59 +59 @@
     TypedArrayByteOffsetLoc,
     StackLoc,
-    StackPayloadLoc
+    StackPayloadLoc,
+    MapBucketLoc,
+    JSMapGetLoc,
+    MapHasLoc
 };
 

trunk/Source/JavaScriptCore/dfg/DFGNode.h

@@ -1422 +1422 @@
         case StringReplaceRegExp:
         case ToNumber:
+        case LoadFromJSMapBucket:
             return true;
         default:

trunk/Source/JavaScriptCore/dfg/DFGNodeType.h

@@ -389 +389 @@
     macro(GetEnumeratorStructurePname, NodeMustGenerate | NodeResultJS) \
     macro(GetEnumeratorGenericPname, NodeMustGenerate | NodeResultJS) \
-    macro(ToIndexString, NodeResultJS)
+    macro(ToIndexString, NodeResultJS) \
+    /* Nodes for JSMap and JSSet */ \
+    macro(MapHash, NodeResultInt32) \
+    macro(GetMapBucket, NodeResultJS) \
+    macro(LoadFromJSMapBucket, NodeResultJS) \
+    macro(IsNonEmptyMapBucket, NodeResultBoolean) \
 
 // This enum generates a monotonically increasing id for all Node types,

trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

@@ -51 +51 @@
 #include "JSGenericTypedArrayViewConstructorInlines.h"
 #include "JSLexicalEnvironment.h"
+#include "JSMap.h"
+#include "JSSet.h"
 #include "ObjectConstructor.h"
 #include "Repatch.h"
@@ -1816 +1818 @@
 }
 
+int32_t JIT_OPERATION operationMapHash(ExecState* exec, EncodedJSValue input)
+{
+    VM& vm = exec->vm();
+    NativeCallFrameTracer tracer(&vm, exec);
+
+    return jsMapHash(exec, vm, normalizeMapKey(JSValue::decode(input)));
+}
+
+JSCell* JIT_OPERATION operationJSMapFindBucket(ExecState* exec, JSCell* map, EncodedJSValue key, int32_t hash)
+{
+    VM& vm = exec->vm();
+    NativeCallFrameTracer tracer(&vm, exec);
+    JSMap::BucketType** bucket = jsCast<JSMap*>(map)->findBucket(exec, normalizeMapKey(JSValue::decode(key)), hash);
+    if (!bucket)
+        return nullptr;
+    return *bucket;
+}
+
+JSCell* JIT_OPERATION operationJSSetFindBucket(ExecState* exec, JSCell* map, EncodedJSValue key, int32_t hash)
+{
+    VM& vm = exec->vm();
+    NativeCallFrameTracer tracer(&vm, exec);
+    JSSet::BucketType** bucket = jsCast<JSSet*>(map)->findBucket(exec, normalizeMapKey(JSValue::decode(key)), hash);
+    if (!bucket)
+        return nullptr;
+    return *bucket;
+}
+
 extern "C" void JIT_OPERATION triggerReoptimizationNow(CodeBlock* codeBlock, OSRExitBase* exit)
 {

trunk/Source/JavaScriptCore/dfg/DFGOperations.h

@@ -143 +143 @@
 JSString* JIT_OPERATION operationSingleCharacterString(ExecState*, int32_t);
 
+int32_t JIT_OPERATION operationMapHash(ExecState*, EncodedJSValue input);
+JSCell* JIT_OPERATION operationJSMapFindBucket(ExecState*, JSCell*, EncodedJSValue, int32_t);
+JSCell* JIT_OPERATION operationJSSetFindBucket(ExecState*, JSCell*, EncodedJSValue, int32_t);
+
 JSCell* JIT_OPERATION operationNewStringObject(ExecState*, JSString*, Structure*);
 JSCell* JIT_OPERATION operationToStringOnCell(ExecState*, JSCell*);

trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp

@@ -709 +709 @@
         case GetClosureVar:
         case GetFromArguments:
+        case LoadFromJSMapBucket:
         case ToNumber: {
             setPrediction(m_currentNode->getHeapPrediction());
@@ -738 +739 @@
             break;
         }
+
+        case MapHash:
+            setPrediction(SpecInt32Only);
+            break;
+        case GetMapBucket:
+            setPrediction(SpecCellOther);
+            break;
+        case IsNonEmptyMapBucket:
+            setPrediction(SpecBoolean);
+            break;
 
         case GetRestLength: {

trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h

@@ -59 +59 @@
         case FinalObjectUse:
         case RegExpObjectUse:
+        case MapObjectUse:
+        case SetObjectUse:
         case ObjectOrOtherUse:
         case StringIdentUse:
@@ -356 +358 @@
     case PutDynamicVar:
     case ResolveScope:
+    case MapHash:
+    case GetMapBucket:
+    case LoadFromJSMapBucket:
+    case IsNonEmptyMapBucket:
         return true;
 

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -7408 +7408 @@
 }
 
+void SpeculativeJIT::speculateMapObject(Edge edge, GPRReg cell)
+{
+    speculateCellType(edge, cell, SpecMapObject, JSMapType);
+}
+
+void SpeculativeJIT::speculateMapObject(Edge edge)
+{
+    if (!needsTypeCheck(edge, SpecMapObject))
+        return;
+
+    SpeculateCellOperand operand(this, edge);
+    speculateMapObject(edge, operand.gpr());
+}
+
+void SpeculativeJIT::speculateSetObject(Edge edge, GPRReg cell)
+{
+    speculateCellType(edge, cell, SpecSetObject, JSSetType);
+}
+
+void SpeculativeJIT::speculateSetObject(Edge edge)
+{
+    if (!needsTypeCheck(edge, SpecSetObject))
+        return;
+
+    SpeculateCellOperand operand(this, edge);
+    speculateSetObject(edge, operand.gpr());
+}
+
 void SpeculativeJIT::speculateObjectOrOther(Edge edge)
 {
@@ -7694 +7722 @@
     case RegExpObjectUse:
         speculateRegExpObject(edge);
+        break;
+    case MapObjectUse:
+        speculateMapObject(edge);
+        break;
+    case SetObjectUse:
+        speculateSetObject(edge);
         break;
     case ObjectOrOtherUse:

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h

@@ -1312 +1312 @@
 #if USE(JSVALUE64)
 
+    JITCompiler::Call callOperation(C_JITOperation_ECJZ operation, GPRReg result, GPRReg arg1, GPRReg arg2, GPRReg arg3)
+    {
+        m_jit.setupArgumentsWithExecState(arg1, arg2, arg3);
+        return appendCallSetResult(operation, result);
+    }
+
     JITCompiler::Call callOperation(J_JITOperation_EJJMic operation, JSValueRegs result, JSValueRegs arg1, JSValueRegs arg2, TrustedImmPtr mathIC)
     {
@@ -1692 +1698 @@
     }
 
+    JITCompiler::Call callOperation(Z_JITOperation_EJ operation, GPRReg result, GPRReg arg1)
+    {
+        m_jit.setupArgumentsWithExecState(arg1);
+        return appendCallSetResult(operation, result);
+    }
+
     JITCompiler::Call callOperation(Z_JITOperation_EJZZ operation, GPRReg result, GPRReg arg1, unsigned arg2, unsigned arg3)
     {
@@ -1739 +1751 @@
     }
 #else // USE(JSVALUE32_64)
+
+    JITCompiler::Call callOperation(C_JITOperation_ECJZ operation, GPRReg result, GPRReg arg1, JSValueRegs arg2, GPRReg arg3)
+    {
+        m_jit.setupArgumentsWithExecState(arg1, arg2.payloadGPR(), arg2.tagGPR(), arg3);
+        return appendCallSetResult(operation, result);
+    }
+
+    JITCompiler::Call callOperation(Z_JITOperation_EJ operation, GPRReg result, JSValueRegs arg1)
+    {
+        m_jit.setupArgumentsWithExecState(EABI_32BIT_DUMMY_ARG arg1.payloadGPR(), arg1.tagGPR());
+        return appendCallSetResult(operation, result);
+    }
 
     JITCompiler::Call callOperation(J_JITOperation_EJJMic operation, JSValueRegs result, JSValueRegs arg1, JSValueRegs arg2, TrustedImmPtr mathIC)
@@ -2655 +2679 @@
     void speculateRegExpObject(Edge, GPRReg cell);
     void speculateRegExpObject(Edge);
+    void speculateMapObject(Edge);
+    void speculateMapObject(Edge, GPRReg cell);
+    void speculateSetObject(Edge);
+    void speculateSetObject(Edge, GPRReg cell);
     void speculateObjectOrOther(Edge);
     void speculateString(Edge edge, GPRReg cell);

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

@@ -38 +38 @@
 #include "DirectArguments.h"
 #include "GetterSetter.h"
+#include "HashMapImpl.h"
 #include "JSEnvironmentRecord.h"
 #include "JSLexicalEnvironment.h"
@@ -4720 +4721 @@
     }
 
+    case MapHash: {
+        JSValueOperand input(this, node->child1());
+
+        JSValueRegs inputRegs = input.jsValueRegs();
+
+        GPRFlushedCallResult result(this);
+        GPRReg resultGPR = result.gpr();
+
+        flushRegisters();
+        callOperation(operationMapHash, resultGPR, inputRegs);
+        m_jit.exceptionCheck();
+        int32Result(resultGPR, node);
+        break;
+    }
+
+    case GetMapBucket: {
+        SpeculateCellOperand map(this, node->child1());
+        JSValueOperand key(this, node->child2());
+        SpeculateInt32Operand hash(this, node->child3());
+        GPRFlushedCallResult result(this);
+
+        GPRReg mapGPR = map.gpr();
+        JSValueRegs keyRegs = key.jsValueRegs();
+        GPRReg hashGPR = hash.gpr();
+        GPRReg resultGPR = result.gpr();
+
+        if (node->child1().useKind() == MapObjectUse)
+            speculateMapObject(node->child1(), mapGPR);
+        else if (node->child1().useKind() == SetObjectUse)
+            speculateSetObject(node->child1(), mapGPR);
+        else
+            RELEASE_ASSERT_NOT_REACHED();
+
+        flushRegisters();
+        if (node->child1().useKind() == MapObjectUse)
+            callOperation(operationJSMapFindBucket, resultGPR, mapGPR, keyRegs, hashGPR);
+        else
+            callOperation(operationJSSetFindBucket, resultGPR, mapGPR, keyRegs, hashGPR);
+        m_jit.exceptionCheck();
+        cellResult(resultGPR, node);
+        break;
+    }
+
+    case LoadFromJSMapBucket: {
+        SpeculateCellOperand bucket(this, node->child1());
+        GPRTemporary resultPayload(this);
+        GPRTemporary resultTag(this);
+
+        GPRReg bucketGPR = bucket.gpr();
+        GPRReg resultPayloadGPR = resultPayload.gpr();
+        GPRReg resultTagGPR = resultTag.gpr();
+
+        auto notBucket = m_jit.branchTestPtr(MacroAssembler::Zero, bucketGPR);
+        m_jit.loadValue(MacroAssembler::Address(bucketGPR, HashMapBucket<HashMapBucketDataKeyValue>::offsetOfValue()), JSValueRegs(resultTagGPR, resultPayloadGPR));
+        auto done = m_jit.jump();
+
+        notBucket.link(&m_jit);
+        m_jit.move(TrustedImm32(JSValue::UndefinedTag), resultTagGPR);
+        m_jit.move(TrustedImm32(0), resultPayloadGPR);
+        done.link(&m_jit);
+        jsValueResult(resultTagGPR, resultPayloadGPR, node);
+        break;
+    }
+
+    case IsNonEmptyMapBucket: {
+        SpeculateCellOperand bucket(this, node->child1());
+        GPRTemporary result(this);
+
+        GPRReg bucketGPR = bucket.gpr();
+        GPRReg resultGPR = result.gpr();
+
+        m_jit.comparePtr(MacroAssembler::NotEqual, bucketGPR, TrustedImm32(0), resultGPR);
+        booleanResult(resultGPR, node);
+        break;
+    }
+
     case Flush:
         break;

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -40 +40 @@
 #include "JSEnvironmentRecord.h"
 #include "JSLexicalEnvironment.h"
+#include "JSMap.h"
 #include "JSPropertyNameEnumerator.h"
+#include "JSSet.h"
 #include "ObjectPrototype.h"
 #include "SetupVarargsFrame.h"
@@ -4616 +4618 @@
     }
 
+    case MapHash: {
+        JSValueOperand input(this, node->child1());
+        GPRTemporary temp(this);
+        GPRTemporary result(this);
+
+        GPRReg inputGPR = input.gpr();
+        GPRReg resultGPR = result.gpr();
+        GPRReg tempGPR = temp.gpr();
+
+        MacroAssembler::JumpList straightHash;
+        MacroAssembler::JumpList done;
+        auto isNotCell = m_jit.branchIfNotCell(inputGPR);
+        MacroAssembler::JumpList slowPath;
+        straightHash.append(m_jit.branch8(MacroAssembler::NotEqual, MacroAssembler::Address(inputGPR, JSCell::typeInfoTypeOffset()), TrustedImm32(StringType)));
+        m_jit.loadPtr(MacroAssembler::Address(inputGPR, JSString::offsetOfValue()), resultGPR);
+        slowPath.append(m_jit.branchTestPtr(MacroAssembler::Zero, resultGPR));
+        m_jit.load32(MacroAssembler::Address(resultGPR, StringImpl::flagsOffset()), resultGPR);
+        m_jit.urshift64(MacroAssembler::TrustedImm32(StringImpl::s_flagCount), resultGPR);
+        slowPath.append(m_jit.branchTest32(MacroAssembler::Zero, resultGPR));
+        done.append(m_jit.jump());
+
+        isNotCell.link(&m_jit);
+        straightHash.append(m_jit.branchIfNotNumber(inputGPR));
+        straightHash.append(m_jit.branchIfInt32(JSValueRegs(inputGPR)));
+        slowPath.append(m_jit.jump());
+
+        straightHash.link(&m_jit);
+        m_jit.move(inputGPR, resultGPR);
+        m_jit.wangsInt64Hash(resultGPR, tempGPR);
+        done.append(m_jit.jump());
+
+        slowPath.link(&m_jit);
+        silentSpillAllRegisters(resultGPR);
+        callOperation(operationMapHash, resultGPR, inputGPR);
+        silentFillAllRegisters(resultGPR);
+        m_jit.exceptionCheck();
+
+        done.link(&m_jit);
+        int32Result(resultGPR, node);
+        break;
+    }
+    case GetMapBucket: {
+        SpeculateCellOperand map(this, node->child1());
+        JSValueOperand key(this, node->child2());
+        SpeculateInt32Operand hash(this, node->child3());
+        GPRTemporary mask(this);
+        GPRTemporary index(this);
+        GPRTemporary buffer(this);
+        GPRTemporary bucket(this);
+        GPRTemporary result(this);
+
+        GPRReg hashGPR = hash.gpr();
+        GPRReg mapGPR = map.gpr();
+        GPRReg maskGPR = mask.gpr();
+        GPRReg indexGPR = index.gpr();
+        GPRReg bufferGPR = buffer.gpr();
+        GPRReg bucketGPR = bucket.gpr();
+        GPRReg keyGPR = key.gpr();
+        GPRReg resultGPR = result.gpr();
+
+        if (node->child1().useKind() == MapObjectUse)
+            speculateMapObject(node->child1(), mapGPR);
+        else if (node->child1().useKind() == SetObjectUse)
+            speculateSetObject(node->child1(), mapGPR);
+        else
+            RELEASE_ASSERT_NOT_REACHED();
+
+        m_jit.loadPtr(MacroAssembler::Address(mapGPR, node->child1().useKind() == MapObjectUse ? JSMap::offsetOfHashMapImpl() : JSSet::offsetOfHashMapImpl()), bufferGPR);
+        m_jit.load32(MacroAssembler::Address(bufferGPR, HashMapImpl<HashMapBucket<HashMapBucketDataKey>>::offsetOfCapacity()), maskGPR);
+        m_jit.loadPtr(MacroAssembler::Address(bufferGPR, HashMapImpl<HashMapBucket<HashMapBucketDataKey>>::offsetOfBuffer()), bufferGPR);
+        m_jit.sub32(TrustedImm32(1), maskGPR);
+        m_jit.move(hashGPR, indexGPR);
+
+        MacroAssembler::Label loop = m_jit.label();
+        MacroAssembler::JumpList done;
+        MacroAssembler::JumpList slowPathCases;
+        MacroAssembler::JumpList loopAround;
+
+        m_jit.and32(maskGPR, indexGPR);
+        m_jit.loadPtr(MacroAssembler::BaseIndex(bufferGPR, indexGPR, MacroAssembler::TimesEight), bucketGPR);
+        m_jit.move(bucketGPR, resultGPR);
+        auto notPresentInTable = m_jit.branchPtr(MacroAssembler::Equal, 
+            bucketGPR, TrustedImmPtr(HashMapImpl<HashMapBucket<HashMapBucketDataKey>>::emptyValue()));
+        loopAround.append(m_jit.branchPtr(MacroAssembler::Equal, 
+            bucketGPR, TrustedImmPtr(HashMapImpl<HashMapBucket<HashMapBucketDataKey>>::deletedValue())));
+
+        m_jit.load64(MacroAssembler::Address(bucketGPR, HashMapBucket<HashMapBucketDataKey>::offsetOfKey()), bucketGPR);
+
+        // Perform Object.is()
+        done.append(m_jit.branch64(MacroAssembler::Equal, bucketGPR, keyGPR)); // They're definitely the same value, we found the bucket we were looking for!
+        auto oneIsntCell = m_jit.branchIfNotCell(JSValueRegs(bucketGPR));
+        // first is a cell here.
+        loopAround.append(m_jit.branchIfNotCell(JSValueRegs(keyGPR)));
+        // Both are cells here.
+        loopAround.append(m_jit.branch8(JITCompiler::NotEqual,
+            JITCompiler::Address(bucketGPR, JSCell::typeInfoTypeOffset()), TrustedImm32(StringType)));
+        // The first is a string here.
+        slowPathCases.append(m_jit.branch8(JITCompiler::Equal,
+            JITCompiler::Address(keyGPR, JSCell::typeInfoTypeOffset()), TrustedImm32(StringType)));
+        // The first is a string, but the second is not, we continue to loop around.
+        loopAround.append(m_jit.jump());
+
+        oneIsntCell.link(&m_jit);
+        // We've already done a 64-bit compare at this point, so if one is not a number, they're definitely not equal.
+        loopAround.append(m_jit.branchIfNotNumber(bucketGPR));
+        loopAround.append(m_jit.branchIfNotNumber(keyGPR));
+        // Both are definitely numbers. If we see a double, we go to the slow path.
+        slowPathCases.append(m_jit.branchIfNotInt32(bucketGPR));
+        slowPathCases.append(m_jit.branchIfNotInt32(keyGPR));
+        
+        loopAround.link(&m_jit);
+        m_jit.add32(TrustedImm32(1), indexGPR);
+        m_jit.jump().linkTo(loop, &m_jit);
+
+        slowPathCases.link(&m_jit);
+        silentSpillAllRegisters(indexGPR);
+        if (node->child1().useKind() == MapObjectUse)
+            callOperation(operationJSMapFindBucket, resultGPR, mapGPR, keyGPR, hashGPR);
+        else
+            callOperation(operationJSSetFindBucket, resultGPR, mapGPR, keyGPR, hashGPR);
+        silentFillAllRegisters(indexGPR);
+        m_jit.exceptionCheck();
+        done.append(m_jit.jump());
+
+        notPresentInTable.link(&m_jit);
+        m_jit.move(TrustedImmPtr(nullptr), resultGPR);
+        done.link(&m_jit);
+        cellResult(resultGPR, node);
+        break;
+    }
+
+    case LoadFromJSMapBucket: {
+        SpeculateCellOperand bucket(this, node->child1());
+        GPRTemporary result(this);
+
+        GPRReg bucketGPR = bucket.gpr();
+        GPRReg resultGPR = result.gpr();
+
+        auto notBucket = m_jit.branchTestPtr(MacroAssembler::Zero, bucketGPR);
+        m_jit.load64(MacroAssembler::Address(bucketGPR, HashMapBucket<HashMapBucketDataKeyValue>::offsetOfValue()), resultGPR);
+        auto done = m_jit.jump();
+
+        notBucket.link(&m_jit);
+        m_jit.move(MacroAssembler::TrustedImm64(JSValue::encode(jsUndefined())), resultGPR);
+        done.link(&m_jit);
+        jsValueResult(resultGPR, node);
+        break;
+    }
+
+    case IsNonEmptyMapBucket: {
+        SpeculateCellOperand bucket(this, node->child1());
+        GPRTemporary result(this);
+
+        GPRReg bucketGPR = bucket.gpr();
+        GPRReg resultGPR = result.gpr();
+
+        m_jit.comparePtr(MacroAssembler::NotEqual, bucketGPR, TrustedImm32(0), resultGPR);
+        m_jit.or32(TrustedImm32(ValueFalse), resultGPR);
+        jsValueResult(resultGPR, node, DataFormatJSBoolean);
+        break;
+    }
+
     case IsObject: {
         JSValueOperand value(this, node->child1());

trunk/Source/JavaScriptCore/dfg/DFGUseKind.cpp

@@ -95 +95 @@
         out.print("RegExpObject");
         return;
+    case MapObjectUse:
+        out.print("MapObjectUse");
+        return;
+    case SetObjectUse:
+        out.print("SetObjectUse");
+        return;
     case ObjectOrOtherUse:
         out.print("ObjectOrOther");

trunk/Source/JavaScriptCore/dfg/DFGUseKind.h

@@ -64 +64 @@
     KnownPrimitiveUse, // This bizarre type arises for op_strcat, which has a bytecode guarantee that it will only see primitives (i.e. not objects).
     SymbolUse,
+    MapObjectUse,
+    SetObjectUse,
     StringObjectUse,
     StringOrStringObjectUse,
@@ -135 +137 @@
     case SymbolUse:
         return SpecSymbol;
+    case MapObjectUse:
+        return SpecMapObject;
+    case SetObjectUse:
+        return SpecSetObject;
     case StringObjectUse:
         return SpecStringObject;
@@ -222 +228 @@
     case StringObjectUse:
     case StringOrStringObjectUse:
+    case MapObjectUse:
+    case SetObjectUse:
         return true;
     default:

trunk/Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h

@@ -33 +33 @@
 #include "FTLAbstractHeap.h"
 #include "IndexingType.h"
+#include "JSMap.h"
+#include "JSSet.h"
 
 namespace JSC { namespace FTL {
@@ -102 +104 @@
     macro(Structure_globalObject, Structure::globalObjectOffset()) \
     macro(Structure_prototype, Structure::prototypeOffset()) \
-    macro(Structure_structureID, Structure::structureIDOffset())
+    macro(Structure_structureID, Structure::structureIDOffset()) \
+    macro(JSMap_hashMapImpl, JSMap::offsetOfHashMapImpl()) \
+    macro(JSSet_hashMapImpl, JSSet::offsetOfHashMapImpl()) \
+    macro(HashMapImpl_capacity, HashMapImpl<HashMapBucket<HashMapBucketDataKey>>::offsetOfCapacity()) \
+    macro(HashMapImpl_buffer,  HashMapImpl<HashMapBucket<HashMapBucketDataKey>>::offsetOfBuffer()) \
+    macro(HashMapBucket_value, HashMapBucket<HashMapBucketDataKeyValue>::offsetOfValue()) \
+    macro(HashMapBucket_key, HashMapBucket<HashMapBucketDataKeyValue>::offsetOfKey()) \
 
 #define FOR_EACH_INDEXED_ABSTRACT_HEAP(macro) \

trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp

@@ -182 +182 @@
     case In:
     case IsJSArray:
+    case MapHash:
+    case GetMapBucket:
+    case LoadFromJSMapBucket:
+    case IsNonEmptyMapBucket:
     case IsEmpty:
     case IsUndefined:
@@ -426 +430 @@
                 case StringOrStringObjectUse:
                 case SymbolUse:
+                case MapObjectUse:
+                case SetObjectUse:
                 case FinalObjectUse:
                 case RegExpObjectUse:

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

@@ -71 +71 @@
 #include "JSGeneratorFunction.h"
 #include "JSLexicalEnvironment.h"
+#include "JSMap.h"
 #include "OperandsInlines.h"
 #include "ScopedArguments.h"
@@ -898 +899 @@
         case IsJSArray:
             compileIsJSArray();
+            break;
+        case MapHash:
+            compileMapHash();
+            break;
+        case GetMapBucket:
+            compileGetMapBucket();
+            break;
+        case LoadFromJSMapBucket:
+            compileLoadFromJSMapBucket();
+            break;
+        case IsNonEmptyMapBucket:
+            compileIsNonEmptyMapBucket();
             break;
         case IsObject:
@@ -6288 +6301 @@
         m_out.appendTo(continuation, lastNext);
         setBoolean(m_out.phi(Int32, notCellResult, cellResult));
+    }
+
+    void compileMapHash()
+    {
+        LValue value = lowJSValue(m_node->child1());
+
+        LBasicBlock isCellCase = m_out.newBlock();
+        LBasicBlock notCell = m_out.newBlock();
+        LBasicBlock slowCase = m_out.newBlock();
+        LBasicBlock straightHash = m_out.newBlock();
+        LBasicBlock isNumberCase = m_out.newBlock();
+        LBasicBlock isStringCase = m_out.newBlock();
+        LBasicBlock nonEmptyStringCase = m_out.newBlock();
+        LBasicBlock continuation = m_out.newBlock();
+
+        m_out.branch(
+            isCell(value, provenType(m_node->child1())), unsure(isCellCase), unsure(notCell));
+
+        LBasicBlock lastNext = m_out.appendTo(isCellCase, isStringCase);
+        LValue isString = m_out.equal(m_out.load8ZeroExt32(value, m_heaps.JSCell_typeInfoType), m_out.constInt32(StringType));
+        m_out.branch(
+            isString, unsure(isStringCase), unsure(straightHash));
+
+        m_out.appendTo(isStringCase, nonEmptyStringCase);
+        LValue stringImpl = m_out.loadPtr(value, m_heaps.JSString_value);
+        m_out.branch(
+            m_out.equal(stringImpl, m_out.constIntPtr(0)), rarely(slowCase), usually(nonEmptyStringCase));
+
+        m_out.appendTo(nonEmptyStringCase, notCell);
+        LValue hash = m_out.lShr(m_out.load32(stringImpl, m_heaps.StringImpl_hashAndFlags), m_out.constInt32(StringImpl::s_flagCount));
+        ValueFromBlock nonEmptyStringHashResult = m_out.anchor(hash);
+        m_out.branch(m_out.equal(hash, m_out.constInt32(0)),
+            rarely(slowCase), usually(continuation));
+
+        m_out.appendTo(notCell, isNumberCase);
+        m_out.branch(
+            isNumber(value), unsure(isNumberCase), unsure(straightHash));
+
+        m_out.appendTo(isNumberCase, straightHash);
+        m_out.branch(
+            isInt32(value), unsure(straightHash), unsure(slowCase));
+
+        m_out.appendTo(straightHash, slowCase);
+        // key += ~(key << 32);
+        LValue key = value;
+        LValue temp = key;
+        temp = m_out.shl(temp, m_out.constInt32(32));
+        temp = m_out.bitNot(temp);
+        key = m_out.add(key, temp);
+        // key ^= (key >> 22);
+        temp = key;
+        temp = m_out.lShr(temp, m_out.constInt32(22));
+        key = m_out.bitXor(key, temp);
+        // key += ~(key << 13);
+        temp = key;
+        temp = m_out.shl(temp, m_out.constInt32(13));
+        temp = m_out.bitNot(temp);
+        key = m_out.add(key, temp);
+        // key ^= (key >> 8);
+        temp = key;
+        temp = m_out.lShr(temp, m_out.constInt32(8));
+        key = m_out.bitXor(key, temp);
+        // key += (key << 3);
+        temp = key;
+        temp = m_out.shl(temp, m_out.constInt32(3));
+        key = m_out.add(key, temp);
+        // key ^= (key >> 15);
+        temp = key;
+        temp = m_out.lShr(temp, m_out.constInt32(15));
+        key = m_out.bitXor(key, temp);
+        // key += ~(key << 27);
+        temp = key;
+        temp = m_out.shl(temp, m_out.constInt32(27));
+        temp = m_out.bitNot(temp);
+        key = m_out.add(key, temp);
+        // key ^= (key >> 31);
+        temp = key;
+        temp = m_out.lShr(temp, m_out.constInt32(31));
+        key = m_out.bitXor(key, temp);
+        key = m_out.castToInt32(key);
+
+        ValueFromBlock fastResult = m_out.anchor(key);
+        m_out.jump(continuation);
+
+        m_out.appendTo(slowCase, continuation);
+        ValueFromBlock slowResult = m_out.anchor(
+            vmCall(Int32, m_out.operation(operationMapHash), m_callFrame, value));
+        m_out.jump(continuation);
+
+        m_out.appendTo(continuation, lastNext);
+        setInt32(m_out.phi(Int32, fastResult, slowResult, nonEmptyStringHashResult));
+    }
+
+    void compileGetMapBucket()
+    {
+        LBasicBlock loopStart = m_out.newBlock();
+        LBasicBlock loopAround = m_out.newBlock();
+        LBasicBlock slowPath = m_out.newBlock();
+        LBasicBlock notPresentInTable = m_out.newBlock();
+        LBasicBlock notEmptyValue = m_out.newBlock();
+        LBasicBlock notDeletedValue = m_out.newBlock();
+        LBasicBlock notBitEqual = m_out.newBlock();
+        LBasicBlock bucketKeyNotCell = m_out.newBlock();
+        LBasicBlock bucketKeyIsCell = m_out.newBlock();
+        LBasicBlock bothAreCells = m_out.newBlock();
+        LBasicBlock bucketKeyIsString = m_out.newBlock();
+        LBasicBlock bucketKeyIsNumber = m_out.newBlock();
+        LBasicBlock bothAreNumbers = m_out.newBlock();
+        LBasicBlock bucketKeyIsInt32 = m_out.newBlock();
+        LBasicBlock continuation = m_out.newBlock();
+
+        LBasicBlock lastNext = m_out.insertNewBlocksBefore(loopStart);
+
+        LValue map;
+        if (m_node->child1().useKind() == MapObjectUse)
+            map = lowMapObject(m_node->child1());
+        else if (m_node->child1().useKind() == SetObjectUse)
+            map = lowSetObject(m_node->child1());
+        else
+            RELEASE_ASSERT_NOT_REACHED();
+
+        LValue key = lowJSValue(m_node->child2());
+        LValue hash = lowInt32(m_node->child3());
+
+        LValue hashMapImpl = m_out.loadPtr(map, m_node->child1().useKind() == MapObjectUse ? m_heaps.JSMap_hashMapImpl : m_heaps.JSSet_hashMapImpl);
+        LValue buffer = m_out.loadPtr(hashMapImpl, m_heaps.HashMapImpl_buffer);
+        LValue mask = m_out.sub(m_out.load32(hashMapImpl, m_heaps.HashMapImpl_capacity), m_out.int32One);
+
+        ValueFromBlock indexStart = m_out.anchor(hash);
+        m_out.jump(loopStart);
+
+        m_out.appendTo(loopStart, notEmptyValue);
+        LValue unmaskedIndex = m_out.phi(Int32, indexStart);
+        LValue index = m_out.bitAnd(mask, unmaskedIndex);
+        LValue hashMapBucket = m_out.load64(m_out.baseIndex(m_heaps.properties.atAnyNumber(), buffer, m_out.zeroExt(index, Int64), ScaleEight));
+        ValueFromBlock bucketResult = m_out.anchor(hashMapBucket);
+        m_out.branch(m_out.equal(hashMapBucket, m_out.constIntPtr(HashMapImpl<HashMapBucket<HashMapBucketDataKey>>::emptyValue())),
+            unsure(notPresentInTable), unsure(notEmptyValue));
+
+        m_out.appendTo(notEmptyValue, notDeletedValue);
+        m_out.branch(m_out.equal(hashMapBucket, m_out.constIntPtr(HashMapImpl<HashMapBucket<HashMapBucketDataKey>>::deletedValue())),
+            unsure(loopAround), unsure(notDeletedValue));
+
+        m_out.appendTo(notDeletedValue, notBitEqual);
+        LValue bucketKey = m_out.load64(hashMapBucket, m_heaps.HashMapBucket_key);
+        // Perform Object.is()
+        m_out.branch(m_out.equal(key, bucketKey),
+            unsure(continuation), unsure(notBitEqual));
+
+        m_out.appendTo(notBitEqual, bucketKeyIsCell);
+        m_out.branch(isCell(bucketKey),
+            unsure(bucketKeyIsCell), unsure(bucketKeyNotCell));
+
+        m_out.appendTo(bucketKeyIsCell, bothAreCells);
+        m_out.branch(isCell(key),
+            unsure(bothAreCells), unsure(loopAround));
+
+        m_out.appendTo(bothAreCells, bucketKeyIsString);
+        m_out.branch(isString(bucketKey),
+            unsure(bucketKeyIsString), unsure(loopAround));
+
+        m_out.appendTo(bucketKeyIsString, bucketKeyNotCell);
+        m_out.branch(isString(key),
+            unsure(slowPath), unsure(loopAround));
+
+        m_out.appendTo(bucketKeyNotCell, bucketKeyIsNumber);
+        m_out.branch(isNotNumber(bucketKey),
+            unsure(loopAround), unsure(bucketKeyIsNumber));
+
+        m_out.appendTo(bucketKeyIsNumber, bothAreNumbers);
+        m_out.branch(isNotNumber(key),
+            unsure(loopAround), unsure(bothAreNumbers));
+
+        m_out.appendTo(bothAreNumbers, bucketKeyIsInt32);
+        m_out.branch(isNotInt32(bucketKey),
+            unsure(slowPath), unsure(bucketKeyIsInt32));
+
+        m_out.appendTo(bucketKeyIsInt32, loopAround);
+        m_out.branch(isNotInt32(key),
+            unsure(slowPath), unsure(loopAround));
+
+        m_out.appendTo(loopAround, slowPath);
+        m_out.addIncomingToPhi(unmaskedIndex, m_out.anchor(m_out.add(index, m_out.int32One)));
+        m_out.jump(loopStart);
+
+        m_out.appendTo(slowPath, notPresentInTable);
+        ValueFromBlock slowPathResult = m_out.anchor(vmCall(pointerType(),
+            m_out.operation(m_node->child1().useKind() == MapObjectUse ? operationJSMapFindBucket : operationJSSetFindBucket), m_callFrame, map, key, hash));
+        m_out.jump(continuation);
+
+        m_out.appendTo(notPresentInTable, continuation);
+        ValueFromBlock notPresentResult = m_out.anchor(m_out.constIntPtr(0));
+        m_out.jump(continuation);
+
+        m_out.appendTo(continuation, lastNext);
+        setMapBucket(m_out.phi(pointerType(), bucketResult, slowPathResult, notPresentResult));
+    }
+
+    void compileLoadFromJSMapBucket()
+    {
+        LValue mapBucket = lowMapBucket(m_node->child1());
+
+        LBasicBlock continuation = m_out.newBlock();
+        LBasicBlock hasBucket = m_out.newBlock();
+
+        ValueFromBlock noBucketResult = m_out.anchor(m_out.constInt64(JSValue::encode(jsUndefined())));
+
+        m_out.branch(m_out.equal(mapBucket, m_out.constIntPtr(0)),
+            unsure(continuation), unsure(hasBucket));
+
+        LBasicBlock lastNext = m_out.appendTo(hasBucket, continuation);
+        ValueFromBlock bucketResult = m_out.anchor(m_out.load64(mapBucket, m_heaps.HashMapBucket_value));
+        m_out.jump(continuation);
+
+        m_out.appendTo(continuation, lastNext);
+        setJSValue(m_out.phi(Int64, noBucketResult, bucketResult));
+    }
+
+    void compileIsNonEmptyMapBucket()
+    {
+        LValue bucket = lowMapBucket(m_node->child1());
+        LValue result = m_out.notEqual(bucket, m_out.constIntPtr(0));
+        setBoolean(result);
     }
 
@@ -9980 +10216 @@
         return result;
     }
+
+    LValue lowMapObject(Edge edge)
+    {
+        LValue result = lowCell(edge);
+        speculateMapObject(edge, result);
+        return result;
+    }
+
+    LValue lowSetObject(Edge edge)
+    {
+        LValue result = lowCell(edge);
+        speculateSetObject(edge, result);
+        return result;
+    }
     
     LValue lowString(Edge edge, OperandSpeculationMode mode = AutomaticOperandSpeculation)
@@ -10103 +10353 @@
         return result;
     }
+
+    LValue lowMapBucket(Edge edge)
+    {
+        LoweredNodeValue value = m_mapBucketValues.get(edge.node());
+        if (isValid(value))
+            return value.value();
+        
+        LValue result = lowCell(edge);
+        setStorage(edge.node(), result);
+        return result;
+    }
     
     LValue strictInt52ToInt32(Edge edge, LValue value)
@@ -10405 +10666 @@
         case RegExpObjectUse:
             speculateRegExpObject(edge);
+            break;
+        case MapObjectUse:
+            speculateMapObject(edge);
+            break;
+        case SetObjectUse:
+            speculateSetObject(edge);
             break;
         case StringUse:
@@ -10734 +11001 @@
         speculateRegExpObject(edge, lowCell(edge));
     }
+
+    void speculateMapObject(Edge edge, LValue cell)
+    {
+        FTL_TYPE_CHECK(
+            jsValueValue(cell), edge, SpecMapObject, isNotType(cell, JSMapType));
+    }
+
+    void speculateMapObject(Edge edge)
+    {
+        speculateMapObject(edge, lowCell(edge));
+    }
+
+    void speculateSetObject(Edge edge, LValue cell)
+    {
+        FTL_TYPE_CHECK(
+            jsValueValue(cell), edge, SpecSetObject, isNotType(cell, JSSetType));
+    }
+
+    void speculateSetObject(Edge edge)
+    {
+        speculateSetObject(edge, lowCell(edge));
+    }
     
     void speculateString(Edge edge, LValue cell)
@@ -11502 +11791 @@
         m_storageValues.set(node, LoweredNodeValue(value, m_highBlock));
     }
+    void setMapBucket(Node* node, LValue value)
+    {
+        m_mapBucketValues.set(node, LoweredNodeValue(value, m_highBlock));
+    }
     void setDouble(Node* node, LValue value)
     {
@@ -11534 +11827 @@
     {
         setStorage(m_node, value);
+    }
+    void setMapBucket(LValue value)
+    {
+        setMapBucket(m_node, value);
     }
     void setDouble(LValue value)
@@ -11718 +12015 @@
     HashMap<Node*, LoweredNodeValue> m_booleanValues;
     HashMap<Node*, LoweredNodeValue> m_storageValues;
+    HashMap<Node*, LoweredNodeValue> m_mapBucketValues;
     HashMap<Node*, LoweredNodeValue> m_doubleValues;
     

trunk/Source/JavaScriptCore/jit/AssemblyHelpers.cpp

@@ -627 +627 @@
 }
 
+#if USE(JSVALUE64)
+void AssemblyHelpers::wangsInt64Hash(GPRReg inputAndResult, GPRReg scratch)
+{
+    GPRReg input = inputAndResult;
+    // key += ~(key << 32);
+    move(input, scratch);
+    lshift64(TrustedImm32(32), scratch);
+    not64(scratch);
+    add64(scratch, input);
+    // key ^= (key >> 22);
+    move(input, scratch);
+    urshift64(TrustedImm32(22), scratch);
+    xor64(scratch, input);
+    // key += ~(key << 13);
+    move(input, scratch);
+    lshift64(TrustedImm32(13), scratch);
+    not64(scratch);
+    add64(scratch, input);
+    // key ^= (key >> 8);
+    move(input, scratch);
+    urshift64(TrustedImm32(8), scratch);
+    xor64(scratch, input);
+    // key += (key << 3);
+    move(input, scratch);
+    lshift64(TrustedImm32(3), scratch);
+    add64(scratch, input);
+    // key ^= (key >> 15);
+    move(input, scratch);
+    urshift64(TrustedImm32(15), scratch);
+    xor64(scratch, input);
+    // key += ~(key << 27);
+    move(input, scratch);
+    lshift64(TrustedImm32(27), scratch);
+    not64(scratch);
+    add64(scratch, input);
+    // key ^= (key >> 31);
+    move(input, scratch);
+    urshift64(TrustedImm32(31), scratch);
+    xor64(scratch, input);
+
+    // return static_cast<unsigned>(result)
+    void* mask = bitwise_cast<void*>(static_cast<uintptr_t>(UINT_MAX));
+    and64(TrustedImmPtr(mask), inputAndResult);
+}
+#endif // USE(JSVALUE64)
+
 } // namespace JSC
 

trunk/Source/JavaScriptCore/jit/AssemblyHelpers.h

@@ -62 +62 @@
         }
     }
-    
+
     CodeBlock* codeBlock() { return m_codeBlock; }
     VM* vm() { return m_vm; }
@@ -1529 +1529 @@
         storePtr(TrustedImmPtr(structure->classInfo()), Address(resultGPR, JSDestructibleObject::classInfoOffset()));
     }
+
+#if USE(JSVALUE64)
+    void wangsInt64Hash(GPRReg inputAndResult, GPRReg scratch);
+#endif
     
 protected:

trunk/Source/JavaScriptCore/jit/JITOperations.h

@@ -206 +206 @@
 typedef JSCell* (JIT_OPERATION *C_JITOperation_EZ)(ExecState*, int32_t);
 typedef JSCell* (JIT_OPERATION *C_JITOperation_EJscI)(ExecState*, JSScope*, UniquedStringImpl*);
+typedef JSCell* (JIT_OPERATION *C_JITOperation_ECJZ)(ExecState*, JSCell*, EncodedJSValue, int32_t);
 typedef double (JIT_OPERATION *D_JITOperation_D)(double);
 typedef double (JIT_OPERATION *D_JITOperation_G)(JSGlobalObject*);

trunk/Source/JavaScriptCore/parser/ModuleAnalyzer.cpp

@@ -38 +38 @@
 ModuleAnalyzer::ModuleAnalyzer(ExecState* exec, const Identifier& moduleKey, const SourceCode& sourceCode, const VariableEnvironment& declaredVariables, const VariableEnvironment& lexicalVariables)
     : m_vm(&exec->vm())
-    , m_moduleRecord(exec->vm(), JSModuleRecord::create(exec->vm(), exec->lexicalGlobalObject()->moduleRecordStructure(), moduleKey, sourceCode, declaredVariables, lexicalVariables))
+    , m_moduleRecord(exec->vm(), JSModuleRecord::create(exec, exec->vm(), exec->lexicalGlobalObject()->moduleRecordStructure(), moduleKey, sourceCode, declaredVariables, lexicalVariables))
 {
 }

trunk/Source/JavaScriptCore/runtime/Intrinsic.h

@@ -63 +63 @@
     IsTypedArrayViewIntrinsic,
     BoundThisNoArgsFunctionCallIntrinsic,
+    JSMapGetIntrinsic,
+    JSMapHasIntrinsic,
+    JSSetHasIntrinsic,
 
     // Getter intrinsics.

trunk/Source/JavaScriptCore/runtime/JSCJSValue.h

@@ -607 +607 @@
 bool isThisValueAltered(const PutPropertySlot&, JSObject* baseObject);
 
+// See section 7.2.9: https://tc39.github.io/ecma262/#sec-samevalue
+bool sameValue(ExecState*, JSValue a, JSValue b);
+
 } // namespace JSC
 

trunk/Source/JavaScriptCore/runtime/JSCJSValueInlines.h

@@ -1059 +1059 @@
 }
 
+// See section 7.2.9: https://tc39.github.io/ecma262/#sec-samevalue
+ALWAYS_INLINE bool sameValue(ExecState* exec, JSValue a, JSValue b)
+{
+    if (!a.isNumber())
+        return JSValue::strictEqual(exec, a, b);
+    if (!b.isNumber())
+        return false;
+    double x = a.asNumber();
+    double y = b.asNumber();
+    bool xIsNaN = std::isnan(x);
+    bool yIsNaN = std::isnan(y);
+    if (xIsNaN || yIsNaN)
+        return xIsNaN && yIsNaN;
+    return bitwise_cast<uint64_t>(x) == bitwise_cast<uint64_t>(y);
+}
+
 } // namespace JSC
 

trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp

@@ -642 +642 @@
 
     m_moduleLoaderStructure.set(vm, this, JSModuleLoader::createStructure(vm, this, m_moduleLoaderPrototype.get()));
-    m_moduleLoader.set(vm, this, JSModuleLoader::create(vm, this, m_moduleLoaderStructure.get()));
+    m_moduleLoader.set(vm, this, JSModuleLoader::create(globalExec(), vm, this, m_moduleLoaderStructure.get()));
     if (Options::exposeInternalModuleLoader())
         putDirectWithoutTransition(vm, vm.propertyNames->Loader, m_moduleLoader.get(), DontEnum);

trunk/Source/JavaScriptCore/runtime/JSMap.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2013 Apple Inc. All rights reserved.
+ * Copyright (C) 2013, 2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -27 +27 @@
 #include "JSMap.h"
 
-#include "CopiedBlockInlines.h"
-#include "JSCJSValueInlines.h"
-#include "JSMapIterator.h"
-#include "MapDataInlines.h"
-#include "SlotVisitorInlines.h"
-#include "StructureInlines.h"
+#include "JSCInlines.h"
 
 namespace JSC {
 
 const ClassInfo JSMap::s_info = { "Map", &Base::s_info, 0, CREATE_METHOD_TABLE(JSMap) };
-
-void JSMap::destroy(JSCell* cell)
-{
-    JSMap* thisObject = jsCast<JSMap*>(cell);
-    thisObject->JSMap::~JSMap();
-}
-
-size_t JSMap::estimatedSize(JSCell* cell)
-{
-    JSMap* thisObject = jsCast<JSMap*>(cell);
-    size_t mapDataSize = thisObject->m_mapData.capacityInBytes();
-    return Base::estimatedSize(cell) + mapDataSize;
-}
 
 String JSMap::toStringName(const JSObject*, ExecState*)
@@ -56 +38 @@
 }
 
-void JSMap::visitChildren(JSCell* cell, SlotVisitor& visitor)
-{
-    Base::visitChildren(cell, visitor);
-    jsCast<JSMap*>(cell)->m_mapData.visitChildren(cell, visitor);
 }
-
-void JSMap::copyBackingStore(JSCell* cell, CopyVisitor& visitor, CopyToken token)
-{
-    Base::copyBackingStore(cell, visitor, token);
-    jsCast<JSMap*>(cell)->m_mapData.copyBackingStore(visitor, token);
-}
-
-bool JSMap::has(ExecState* exec, JSValue key)
-{
-    return m_mapData.contains(exec, key);
-}
-
-size_t JSMap::size(ExecState* exec)
-{
-    return m_mapData.size(exec);
-}
-
-JSValue JSMap::get(ExecState* exec, JSValue key)
-{
-    JSValue result = m_mapData.get(exec, key);
-    if (!result)
-        return jsUndefined();
-    return result;
-}
-
-void JSMap::set(ExecState* exec, JSValue key, JSValue value)
-{
-    m_mapData.set(exec, this, key, value);
-}
-
-void JSMap::clear(ExecState*)
-{
-    m_mapData.clear();
-}
-
-bool JSMap::remove(ExecState* exec, JSValue key)
-{
-    return m_mapData.remove(exec, key);
-}
-
-}

trunk/Source/JavaScriptCore/runtime/JSMap.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2013 Apple Inc. All rights reserved.
+ * Copyright (C) 2013, 2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -27 +27 @@
 #define JSMap_h
 
-#include "JSDestructibleObject.h"
 #include "JSObject.h"
-#include "MapData.h"
+#include "MapBase.h"
 
 namespace JSC {
@@ -35 +34 @@
 class JSMapIterator;
 
-class JSMap : public JSDestructibleObject {
+class JSMap : public MapBase<HashMapBucket<HashMapBucketDataKeyValue>> {
+    typedef MapBase<HashMapBucket<HashMapBucketDataKeyValue>> Base;
 public:
-    typedef JSDestructibleObject Base;
-
     friend class JSMapIterator;
-
-    // Our marking functions expect Entry to maintain this layout, and have all
-    // fields be WriteBarrier<Unknown>
-    class Entry {
-    private:
-        WriteBarrier<Unknown> m_key;
-        WriteBarrier<Unknown> m_value;
-
-    public:
-        const WriteBarrier<Unknown>& key() const
-        {
-            return m_key;
-        }
-
-        const WriteBarrier<Unknown>& value() const
-        {
-            return m_value;
-        }
-
-        void visitChildren(SlotVisitor& visitor)
-        {
-            visitor.append(&m_key);
-            visitor.append(&m_value);
-        }
-
-        void setKey(VM& vm, const JSCell* owner, JSValue key)
-        {
-            m_key.set(vm, owner, key);
-        }
-
-        void setKeyWithoutWriteBarrier(JSValue key)
-        {
-            m_key.setWithoutWriteBarrier(key);
-        }
-
-        void setValue(VM& vm, const JSCell* owner, JSValue value)
-        {
-            m_value.set(vm, owner, value);
-        }
-
-        void clear()
-        {
-            m_key.clear();
-            m_value.clear();
-        }
-    };
-
-    typedef MapDataImpl<Entry, JSMapIterator> MapData;
 
     DECLARE_EXPORT_INFO;
@@ -93 +43 @@
     static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
     {
-        return Structure::create(vm, globalObject, prototype, TypeInfo(ObjectType, StructureFlags), info());
+        return Structure::create(vm, globalObject, prototype, TypeInfo(JSMapType, StructureFlags), info());
     }
 
-    static JSMap* create(VM& vm, Structure* structure)
+    static JSMap* create(ExecState* exec, VM& vm, Structure* structure)
     {
         JSMap* instance = new (NotNull, allocateCell<JSMap>(vm.heap)) JSMap(vm, structure);
-        instance->finishCreation(vm);
+        instance->finishCreation(exec, vm);
         return instance;
     }
 
-    static JSMap* create(ExecState* exec, Structure* structure)
+    ALWAYS_INLINE JSValue get(ExecState* exec, JSValue key)
     {
-        return create(exec->vm(), structure);
+        return m_map->get(exec, key);
     }
 
-    bool has(ExecState*, JSValue);
-    size_t size(ExecState*);
-    JSValue get(ExecState*, JSValue);
-    JS_EXPORT_PRIVATE void set(ExecState*, JSValue key, JSValue value);
-    void clear(ExecState*);
-    bool remove(ExecState*, JSValue);
+    ALWAYS_INLINE void set(ExecState* exec, JSValue key, JSValue value)
+    {
+        m_map->add(exec, key, value);
+    }
 
 private:
     JSMap(VM& vm, Structure* structure)
         : Base(vm, structure)
-        , m_mapData(vm, this)
     {
     }
 
-    static void destroy(JSCell*);
-    static size_t estimatedSize(JSCell*);
-    static void visitChildren(JSCell*, SlotVisitor&);
-    static void copyBackingStore(JSCell*, CopyVisitor&, CopyToken);
     static String toStringName(const JSObject*, ExecState*);
-
-    MapData m_mapData;
 };
 

trunk/Source/JavaScriptCore/runtime/JSMapIterator.cpp

@@ -39 +39 @@
     Base::finishCreation(vm);
     m_map.set(vm, this, iteratedObject);
+    setIterator(vm, m_map->impl()->head());
 }
 
@@ -47 +48 @@
     Base::visitChildren(thisObject, visitor);
     visitor.append(&thisObject->m_map);
+    visitor.append(&thisObject->m_iter);
 }
 
@@ -60 +62 @@
 JSMapIterator* JSMapIterator::clone(ExecState* exec)
 {
-    auto clone = JSMapIterator::create(exec->vm(), exec->callee()->globalObject()->mapIteratorStructure(), m_map.get(), m_kind);
-    clone->m_iterator = m_iterator;
+    VM& vm = exec->vm();
+    auto clone = JSMapIterator::create(vm, exec->callee()->globalObject()->mapIteratorStructure(), m_map.get(), m_kind);
+    clone->setIterator(vm, m_iter.get());
     return clone;
 }

trunk/Source/JavaScriptCore/runtime/JSMapIterator.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2013 Apple, Inc. All rights reserved.
+ * Copyright (C) 2013, 2016 Apple, Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -35 +35 @@
 
 class JSMapIterator : public JSNonFinalObject {
+    typedef HashMapBucket<HashMapBucketDataKeyValue> HashMapBucketType;
 public:
     typedef JSNonFinalObject Base;
@@ -52 +53 @@
     }
 
-    bool next(CallFrame* callFrame, JSValue& value)
+    ALWAYS_INLINE HashMapBucketType* advanceIter(ExecState* exec)
     {
-        WTF::KeyValuePair<JSValue, JSValue> pair;
-        if (!m_iterator.next(pair))
+        HashMapBucketType* prev = m_iter.get();
+        if (!prev)
+            return nullptr;
+        HashMapBucketType* bucket = m_iter->next();
+        while (bucket && bucket->deleted()) {
+            prev = bucket;
+            bucket = bucket->next();
+        }
+        if (!bucket) {
+            setIterator(exec->vm(), nullptr);
+            return nullptr;
+        }
+        setIterator(exec->vm(), bucket); // We keep m_iter on the last value since the first thing we do in this function is call next().
+        return bucket;
+    }
+    bool next(ExecState* exec, JSValue& value)
+    {
+        HashMapBucketType* bucket = advanceIter(exec);
+        if (!bucket)
             return false;
 
         if (m_kind == IterateValue)
-            value = pair.value;
+            value = bucket->value();
         else if (m_kind == IterateKey)
-            value = pair.key;
+            value = bucket->key();
         else
-            value = createPair(callFrame, pair.key, pair.value);
+            value = createPair(exec, bucket->key(), bucket->value());
         return true;
     }
 
-    bool nextKeyValue(JSValue& key, JSValue& value)
+    bool nextKeyValue(ExecState* exec, JSValue& key, JSValue& value)
     {
-        WTF::KeyValuePair<JSValue, JSValue> pair;
-        if (!m_iterator.next(pair))
+        HashMapBucketType* bucket = advanceIter(exec);
+        if (!bucket)
             return false;
 
-        key = pair.key;
-        value = pair.value;
+        key = bucket->key();
+        value = bucket->value();
         return true;
-    }
-
-    void finish()
-    {
-        m_iterator.finish();
     }
 
@@ -87 +100 @@
     JSMapIterator* clone(ExecState*);
 
-    JSMap::MapData::IteratorData* iteratorData()
+private:
+    JSMapIterator(VM& vm, Structure* structure, JSMap*, IterationKind kind)
+        : Base(vm, structure)
+        , m_kind(kind)
+    { }
+
+    void setIterator(VM& vm, HashMapBucketType* bucket)
     {
-        return &m_iterator;
-    }
-
-private:
-    JSMapIterator(VM& vm, Structure* structure, JSMap* iteratedObject, IterationKind kind)
-        : Base(vm, structure)
-        , m_iterator(iteratedObject->m_mapData.createIteratorData(this))
-        , m_kind(kind)
-    {
+        m_iter.setMayBeNull(vm, this, bucket);
     }
 
@@ -105 +116 @@
 
     WriteBarrier<JSMap> m_map;
-    JSMap::MapData::IteratorData m_iterator;
+    WriteBarrier<HashMapBucketType> m_iter;
     IterationKind m_kind;
 };

trunk/Source/JavaScriptCore/runtime/JSModuleLoader.cpp

@@ -56 +56 @@
 }
 
-void JSModuleLoader::finishCreation(VM& vm, JSGlobalObject* globalObject)
+void JSModuleLoader::finishCreation(ExecState* exec, VM& vm, JSGlobalObject* globalObject)
 {
     Base::finishCreation(vm);
     ASSERT(inherits(info()));
-    putDirect(vm, Identifier::fromString(&vm, "registry"), JSMap::create(vm, globalObject->mapStructure()));
+    auto scope = DECLARE_THROW_SCOPE(vm);
+    JSMap* map = JSMap::create(exec, vm, globalObject->mapStructure());
+    RELEASE_ASSERT(!scope.exception());
+    putDirect(vm, Identifier::fromString(&vm, "registry"), map);
 }
 

trunk/Source/JavaScriptCore/runtime/JSModuleLoader.h

@@ -48 +48 @@
     };
 
-    static JSModuleLoader* create(VM& vm, JSGlobalObject* globalObject, Structure* structure)
+    static JSModuleLoader* create(ExecState* exec, VM& vm, JSGlobalObject* globalObject, Structure* structure)
     {
         JSModuleLoader* object = new (NotNull, allocateCell<JSModuleLoader>(vm.heap)) JSModuleLoader(vm, structure);
-        object->finishCreation(vm, globalObject);
+        object->finishCreation(exec, vm, globalObject);
         return object;
     }
@@ -78 +78 @@
 
 protected:
-    void finishCreation(VM&, JSGlobalObject*);
+    void finishCreation(ExecState*, VM&, JSGlobalObject*);
 };
 

trunk/Source/JavaScriptCore/runtime/JSModuleRecord.cpp

@@ -45 +45 @@
 }
 
-void JSModuleRecord::finishCreation(VM& vm)
+void JSModuleRecord::finishCreation(ExecState* exec, VM& vm)
 {
     Base::finishCreation(vm);
@@ -52 +52 @@
     putDirect(vm, Identifier::fromString(&vm, ASCIILiteral("evaluated")), jsBoolean(false));
 
-    m_dependenciesMap.set(vm, this, JSMap::create(vm, globalObject()->mapStructure()));
+    auto scope = DECLARE_THROW_SCOPE(vm);
+    JSMap* map = JSMap::create(exec, vm, globalObject()->mapStructure());
+    RELEASE_ASSERT(!scope.exception());
+    m_dependenciesMap.set(vm, this, map);
     putDirect(vm, Identifier::fromString(&vm, ASCIILiteral("dependenciesMap")), m_dependenciesMap.get());
 }

trunk/Source/JavaScriptCore/runtime/JSModuleRecord.h

@@ -88 +88 @@
     }
 
-    static JSModuleRecord* create(VM& vm, Structure* structure, const Identifier& moduleKey, const SourceCode& sourceCode, const VariableEnvironment& declaredVariables, const VariableEnvironment& lexicalVariables)
+    static JSModuleRecord* create(ExecState* exec, VM& vm, Structure* structure, const Identifier& moduleKey, const SourceCode& sourceCode, const VariableEnvironment& declaredVariables, const VariableEnvironment& lexicalVariables)
     {
         JSModuleRecord* instance = new (NotNull, allocateCell<JSModuleRecord>(vm.heap)) JSModuleRecord(vm, structure, moduleKey, sourceCode, declaredVariables, lexicalVariables);
-        instance->finishCreation(vm);
+        instance->finishCreation(exec, vm);
         return instance;
     }
@@ -153 +153 @@
     }
 
-    void finishCreation(VM&);
+    void finishCreation(ExecState*, VM&);
 
     JSModuleNamespaceObject* getModuleNamespace(ExecState*);

trunk/Source/JavaScriptCore/runtime/JSSet.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2013 Apple Inc. All rights reserved.
+ * Copyright (C) 2013, 2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -27 +27 @@
 #include "JSSet.h"
 
-#include "CopiedBlockInlines.h"
-#include "JSCJSValueInlines.h"
-#include "JSSetIterator.h"
-#include "MapDataInlines.h"
-#include "SlotVisitorInlines.h"
-#include "StructureInlines.h"
+#include "JSCInlines.h"
 
 namespace JSC {
 
 const ClassInfo JSSet::s_info = { "Set", &Base::s_info, 0, CREATE_METHOD_TABLE(JSSet) };
-
-void JSSet::destroy(JSCell* cell)
-{
-    JSSet* thisObject = jsCast<JSSet*>(cell);
-    thisObject->JSSet::~JSSet();
-}
 
 String JSSet::toStringName(const JSObject*, ExecState*)
@@ -49 +38 @@
 }
 
-size_t JSSet::estimatedSize(JSCell* cell)
-{
-    JSSet* thisObject = jsCast<JSSet*>(cell);
-    size_t setDataSize = thisObject->m_setData.capacityInBytes();
-    return Base::estimatedSize(cell) + setDataSize;
 }
-
-void JSSet::visitChildren(JSCell* cell, SlotVisitor& visitor)
-{
-    Base::visitChildren(cell, visitor);
-    jsCast<JSSet*>(cell)->m_setData.visitChildren(cell, visitor);
-}
-
-void JSSet::copyBackingStore(JSCell* cell, CopyVisitor& visitor, CopyToken token)
-{
-    Base::copyBackingStore(cell, visitor, token);
-    jsCast<JSSet*>(cell)->m_setData.copyBackingStore(visitor, token);
-}
-
-bool JSSet::has(ExecState* exec, JSValue value)
-{
-    return m_setData.contains(exec, value);
-}
-
-size_t JSSet::size(ExecState* exec)
-{
-    return m_setData.size(exec);
-}
-
-void JSSet::add(ExecState* exec, JSValue value)
-{
-    m_setData.set(exec, this, value, value);
-}
-
-void JSSet::clear(ExecState*)
-{
-    m_setData.clear();
-}
-
-bool JSSet::remove(ExecState* exec, JSValue value)
-{
-    return m_setData.remove(exec, value);
-}
-
-}

trunk/Source/JavaScriptCore/runtime/JSSet.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2013 Apple Inc. All rights reserved.
+ * Copyright (C) 2013, 2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -27 +27 @@
 #define JSSet_h
 
-#include "JSDestructibleObject.h"
 #include "JSObject.h"
-#include "MapData.h"
+#include "MapBase.h"
 
 namespace JSC {
@@ -35 +34 @@
 class JSSetIterator;
 
-class JSSet : public JSDestructibleObject {
+class JSSet : public MapBase<HashMapBucket<HashMapBucketDataKey>> {
+    typedef MapBase<HashMapBucket<HashMapBucketDataKey>> Base;
 public:
-    typedef JSDestructibleObject Base;
 
     friend class JSSetIterator;
-
-    // Our marking functions expect Entry to maintain this layout, and have all
-    // fields be WriteBarrier<Unknown>
-    class Entry {
-    private:
-        WriteBarrier<Unknown> m_key;
-
-    public:
-        const WriteBarrier<Unknown>& key() const
-        {
-            return m_key;
-        }
-
-        const WriteBarrier<Unknown>& value() const
-        {
-            return m_key;
-        }
-
-        void visitChildren(SlotVisitor& visitor)
-        {
-            visitor.append(&m_key);
-        }
-
-        void setKey(VM& vm, const JSCell* owner, JSValue key)
-        {
-            m_key.set(vm, owner, key);
-        }
-
-        void setKeyWithoutWriteBarrier(JSValue key)
-        {
-            m_key.setWithoutWriteBarrier(key);
-        }
-
-        void setValue(VM&, const JSCell*, JSValue)
-        {
-        }
-
-        void clear()
-        {
-            m_key.clear();
-        }
-    };
-
-    typedef MapDataImpl<Entry, JSSetIterator> SetData;
 
     DECLARE_EXPORT_INFO;
@@ -89 +44 @@
     static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
     {
-        return Structure::create(vm, globalObject, prototype, TypeInfo(ObjectType, StructureFlags), info());
+        return Structure::create(vm, globalObject, prototype, TypeInfo(JSSetType, StructureFlags), info());
     }
 
-    static JSSet* create(VM& vm, Structure* structure)
+    static JSSet* create(ExecState* exec, VM& vm, Structure* structure)
     {
         JSSet* instance = new (NotNull, allocateCell<JSSet>(vm.heap)) JSSet(vm, structure);
-        instance->finishCreation(vm);
+        instance->finishCreation(exec, vm);
         return instance;
     }
 
-    static JSSet* create(ExecState* exec, Structure* structure)
+    ALWAYS_INLINE void add(ExecState* exec, JSValue key)
     {
-        return create(exec->vm(), structure);
+        m_map->add(exec, key);
     }
-
-    bool has(ExecState*, JSValue);
-    size_t size(ExecState*);
-    JS_EXPORT_PRIVATE void add(ExecState*, JSValue);
-    void clear(ExecState*);
-    bool remove(ExecState*, JSValue);
 
 private:
     JSSet(VM& vm, Structure* structure)
         : Base(vm, structure)
-        , m_setData(vm, this)
     {
     }
 
-    static void destroy(JSCell*);
-    static size_t estimatedSize(JSCell*);
-    static void visitChildren(JSCell*, SlotVisitor&);
-    static void copyBackingStore(JSCell*, CopyVisitor&, CopyToken);
     static String toStringName(const JSObject*, ExecState*);
-
-    SetData m_setData;
 };
 

trunk/Source/JavaScriptCore/runtime/JSSetIterator.cpp

@@ -39 +39 @@
     Base::finishCreation(vm);
     m_set.set(vm, this, iteratedObject);
+    setIterator(vm, m_set->impl()->head());
 }
 
@@ -47 +48 @@
     Base::visitChildren(thisObject, visitor);
     visitor.append(&thisObject->m_set);
+    visitor.append(&thisObject->m_iter);
 }
 
@@ -60 +62 @@
 JSSetIterator* JSSetIterator::clone(ExecState* exec)
 {
-    auto clone = JSSetIterator::create(exec->vm(), exec->callee()->globalObject()->setIteratorStructure(), m_set.get(), m_kind);
-    clone->m_iterator = m_iterator;
+    VM& vm = exec->vm();
+    auto clone = JSSetIterator::create(vm, exec->callee()->globalObject()->setIteratorStructure(), m_set.get(), m_kind);
+    clone->setIterator(vm, m_iter.get());
     return clone;
 }

trunk/Source/JavaScriptCore/runtime/JSSetIterator.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2013 Apple, Inc. All rights reserved.
+ * Copyright (C) 2013, 2016 Apple, Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -36 +36 @@
 
 class JSSetIterator : public JSNonFinalObject {
+    typedef HashMapBucket<HashMapBucketDataKey> HashMapBucketType;
 public:
     typedef JSNonFinalObject Base;
@@ -53 +54 @@
     }
 
-    bool next(CallFrame* callFrame, JSValue& value)
+    ALWAYS_INLINE HashMapBucketType* advanceIter(ExecState* exec)
     {
-        WTF::KeyValuePair<JSValue, JSValue> pair;
-        if (!m_iterator.next(pair))
-            return false;
-        if (m_kind == IterateValue || m_kind == IterateKey)
-            value = pair.key;
-        else
-            value = createPair(callFrame, pair.key, pair.key);
-        return true;
+        HashMapBucketType* prev = m_iter.get();
+        if (!prev)
+            return nullptr;
+        HashMapBucketType* bucket = m_iter->next();
+        while (bucket && bucket->deleted()) {
+            prev = bucket;
+            bucket = bucket->next();
+        }
+        if (!bucket) {
+            setIterator(exec->vm(), nullptr);
+            return nullptr;
+        }
+        setIterator(exec->vm(), bucket); // We keep m_iter on the last value since the first thing we do in this function is call next().
+        return bucket;
     }
 
-    void finish()
+    bool next(ExecState* exec, JSValue& value)
     {
-        m_iterator.finish();
+        HashMapBucketType* bucket = advanceIter(exec);
+        if (!bucket)
+            return false;
+
+        if (m_kind == IterateValue || m_kind == IterateKey)
+            value = bucket->key();
+        else
+            value = createPair(exec, bucket->key(), bucket->key());
+        return true;
     }
 
@@ -74 +89 @@
     JSSetIterator* clone(ExecState*);
 
-    JSSet::SetData::IteratorData* iteratorData()
+private:
+    JSSetIterator(VM& vm, Structure* structure, JSSet*, IterationKind kind)
+        : Base(vm, structure)
+        , m_kind(kind)
     {
-        return &m_iterator;
     }
 
-private:
-    JSSetIterator(VM& vm, Structure* structure, JSSet* iteratedObject, IterationKind kind)
-        : Base(vm, structure)
-        , m_iterator(iteratedObject->m_setData.createIteratorData(this))
-        , m_kind(kind)
+    void setIterator(VM& vm, HashMapBucketType* bucket)
     {
+        m_iter.setMayBeNull(vm, this, bucket); 
     }
 
@@ -92 +106 @@
 
     WriteBarrier<JSSet> m_set;
-    JSSet::SetData::IteratorData m_iterator;
+    WriteBarrier<HashMapBucketType> m_iter;
     IterationKind m_kind;
 };

trunk/Source/JavaScriptCore/runtime/JSType.h

@@ -83 +83 @@
     RegExpObjectType,
     ProxyObjectType,
+    JSMapType,
+    JSSetType,
 
-    LastJSCObjectType = ProxyObjectType,
+    LastJSCObjectType = JSSetType,
 };
 

trunk/Source/JavaScriptCore/runtime/MapBase.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2013, 2016 Apple, Inc. All rights reserved.
+ * Copyright (C) 2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -25 +25 @@
 
 #include "config.h"
-#include "JSMapIterator.h"
+#include "MapBase.h"
 
-#include "JSCInlines.h"
-#include "JSMap.h"
-#include "MapDataInlines.h"
+#include "SlotVisitorInlines.h"
 
 namespace JSC {
 
-const ClassInfo JSMapIterator::s_info = { "Map Iterator", &Base::s_info, 0, CREATE_METHOD_TABLE(JSMapIterator) };
-
-void JSMapIterator::finishCreation(VM& vm, JSMap* iteratedObject)
+template <typename HashMapBucketType>
+void MapBase<HashMapBucketType>::visitChildren(JSCell* cell, SlotVisitor& visitor)
 {
-    Base::finishCreation(vm);
-    m_map.set(vm, this, iteratedObject);
-}
-
-void JSMapIterator::visitChildren(JSCell* cell, SlotVisitor& visitor)
-{
-    JSMapIterator* thisObject = jsCast<JSMapIterator*>(cell);
-    ASSERT_GC_OBJECT_INHERITS(thisObject, info());
+    MapBase* thisObject = static_cast<MapBase*>(cell);
     Base::visitChildren(thisObject, visitor);
     visitor.append(&thisObject->m_map);
 }
 
-JSValue JSMapIterator::createPair(CallFrame* callFrame, JSValue key, JSValue value)
+template <typename HashMapBucketType>
+size_t MapBase<HashMapBucketType>::estimatedSize(JSCell* cell)
 {
-    MarkedArgumentBuffer args;
-    args.append(key);
-    args.append(value);
-    JSGlobalObject* globalObject = callFrame->callee()->globalObject();
-    return constructArray(callFrame, 0, globalObject, args);
+    return Base::estimatedSize(cell) + static_cast<MapBase*>(cell)->m_map->approximateSize();
 }
 
-JSMapIterator* JSMapIterator::clone(ExecState* exec)
-{
-    auto clone = JSMapIterator::create(exec->vm(), exec->callee()->globalObject()->mapIteratorStructure(), m_map.get(), m_kind);
-    clone->m_iterator = m_iterator;
-    return clone;
-}
+template class MapBase<HashMapBucket<HashMapBucketDataKeyValue>>;
+template class MapBase<HashMapBucket<HashMapBucketDataKey>>;
 
-}
+} // namespace JSC

trunk/Source/JavaScriptCore/runtime/MapConstructor.cpp

@@ -62 +62 @@
     JSGlobalObject* globalObject = asInternalFunction(exec->callee())->globalObject();
     Structure* mapStructure = InternalFunction::createSubclassStructure(exec, exec->newTarget(), globalObject->mapStructure());
-    if (exec->hadException())
+    if (UNLIKELY(scope.exception()))
         return JSValue::encode(JSValue());
-    JSMap* map = JSMap::create(exec, mapStructure);
+    JSMap* map = JSMap::create(exec, vm, mapStructure);
+    if (UNLIKELY(scope.exception()))
+        return JSValue::encode(JSValue());
     JSValue iterable = exec->argument(0);
     if (iterable.isUndefinedOrNull())

trunk/Source/JavaScriptCore/runtime/MapIteratorPrototype.cpp

@@ -59 +59 @@
     if (iterator->next(callFrame, result))
         return JSValue::encode(createIteratorResultObject(callFrame, result, false));
-    iterator->finish();
     return JSValue::encode(createIteratorResultObject(callFrame, jsUndefined(), true));
 }

trunk/Source/JavaScriptCore/runtime/MapPrototype.cpp

@@ -69 +69 @@
     JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->clear, mapProtoFuncClear, DontEnum, 0);
     JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->deleteKeyword, mapProtoFuncDelete, DontEnum, 1);
-    JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->get, mapProtoFuncGet, DontEnum, 1);
-    JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->has, mapProtoFuncHas, DontEnum, 1);
+    JSC_NATIVE_INTRINSIC_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->get, mapProtoFuncGet, DontEnum, 1, JSMapGetIntrinsic);
+    JSC_NATIVE_INTRINSIC_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->has, mapProtoFuncHas, DontEnum, 1, JSMapHasIntrinsic);
     JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->set, mapProtoFuncSet, DontEnum, 2);
     JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->builtinNames().keysPublicName(), mapProtoFuncKeys, DontEnum, 0);
     JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->builtinNames().valuesPublicName(), mapProtoFuncValues, DontEnum, 0);
 
-    // Private get / set operations.
-    JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->builtinNames().getPrivateName(), mapProtoFuncGet, DontEnum, 1);
+    JSC_NATIVE_INTRINSIC_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->builtinNames().getPrivateName(), mapProtoFuncGet, DontEnum, 1, JSMapGetIntrinsic);
     JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->builtinNames().setPrivateName(), mapProtoFuncSet, DontEnum, 2);
 
@@ -92 +91 @@
     auto scope = DECLARE_THROW_SCOPE(vm);
 
-    if (!thisValue.isObject()) {
+    if (UNLIKELY(!thisValue.isCell())) {
         throwVMError(callFrame, scope, createNotAnObjectError(callFrame, thisValue));
         return nullptr;
     }
-    JSMap* map = jsDynamicCast<JSMap*>(thisValue);
-    if (!map) {
-        throwTypeError(callFrame, scope, ASCIILiteral("Map operation called on non-Map object"));
-        return nullptr;
-    }
-    return map;
+
+    if (LIKELY(thisValue.asCell()->type() == JSMapType))
+        return jsCast<JSMap*>(thisValue);
+    throwTypeError(callFrame, scope, ASCIILiteral("Map operation called on non-Map object"));
+    return nullptr;
+}
+
+EncodedJSValue JSC_HOST_CALL privateFuncIsMap(ExecState* exec)
+{
+    JSValue value = exec->uncheckedArgument(0);
+    return JSValue::encode(jsBoolean(value.isCell() && value.asCell()->type() == JSMapType));
 }
 
@@ -188 +192 @@
 }
 
-EncodedJSValue JSC_HOST_CALL privateFuncIsMap(ExecState* exec)
-{
-    return JSValue::encode(jsBoolean(jsDynamicCast<JSMap*>(exec->uncheckedArgument(0))));
-}
-
 EncodedJSValue JSC_HOST_CALL privateFuncMapIterator(ExecState* exec)
 {
@@ -205 +204 @@
     JSMapIterator* iterator = jsCast<JSMapIterator*>(exec->thisValue());
     JSValue key, value;
-    if (iterator->nextKeyValue(key, value)) {
+    if (iterator->nextKeyValue(exec, key, value)) {
         JSArray* resultArray = jsCast<JSArray*>(exec->uncheckedArgument(0));
         resultArray->putDirectIndex(exec, 0, key);
@@ -211 +210 @@
         return JSValue::encode(jsBoolean(false));
     }
-    iterator->finish();
     return JSValue::encode(jsBoolean(true));
 }

trunk/Source/JavaScriptCore/runtime/PropertyDescriptor.cpp

@@ -192 +192 @@
 }
 
-// See ES5.1 9.12
-bool sameValue(ExecState* exec, JSValue a, JSValue b)
-{
-    if (!a.isNumber())
-        return JSValue::strictEqual(exec, a, b);
-    if (!b.isNumber())
-        return false;
-    double x = a.asNumber();
-    double y = b.asNumber();
-    bool xIsNaN = std::isnan(x);
-    bool yIsNaN = std::isnan(y);
-    if (xIsNaN || yIsNaN)
-        return xIsNaN && yIsNaN;
-    return bitwise_cast<uint64_t>(x) == bitwise_cast<uint64_t>(y);
-}
-
 bool PropertyDescriptor::equalTo(ExecState* exec, const PropertyDescriptor& other) const
 {

trunk/Source/JavaScriptCore/runtime/PropertyDescriptor.h

@@ -32 +32 @@
 
 class GetterSetter;
-
-// See ES5.1 9.12
-bool sameValue(ExecState*, JSValue, JSValue);
 
 class PropertyDescriptor {

trunk/Source/JavaScriptCore/runtime/SetConstructor.cpp

@@ -63 +63 @@
     JSGlobalObject* globalObject = asInternalFunction(exec->callee())->globalObject();
     Structure* setStructure = InternalFunction::createSubclassStructure(exec, exec->newTarget(), globalObject->setStructure());
-    if (exec->hadException())
+    if (UNLIKELY(scope.exception()))
         return JSValue::encode(JSValue());
-    JSSet* set = JSSet::create(exec, setStructure);
+    JSSet* set = JSSet::create(exec, vm, setStructure);
+    if (UNLIKELY(scope.exception()))
+        return JSValue::encode(JSValue());
     JSValue iterable = exec->argument(0);
     if (iterable.isUndefinedOrNull())

trunk/Source/JavaScriptCore/runtime/SetIteratorPrototype.cpp

@@ -59 +59 @@
     if (iterator->next(callFrame, result))
         return JSValue::encode(createIteratorResultObject(callFrame, result, false));
-    iterator->finish();
     return JSValue::encode(createIteratorResultObject(callFrame, jsUndefined(), true));
 }

trunk/Source/JavaScriptCore/runtime/SetPrototype.cpp

@@ -69 +69 @@
     JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->clear, setProtoFuncClear, DontEnum, 0);
     JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->deleteKeyword, setProtoFuncDelete, DontEnum, 1);
-    JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->has, setProtoFuncHas, DontEnum, 1);
+    JSC_NATIVE_INTRINSIC_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->has, setProtoFuncHas, DontEnum, 1, JSSetHasIntrinsic);
     JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->builtinNames().entriesPublicName(), setProtoFuncEntries, DontEnum, 0);
 
@@ -86 +86 @@
     auto scope = DECLARE_THROW_SCOPE(vm);
 
-    if (!thisValue.isObject()) {
+    if (UNLIKELY(!thisValue.isCell())) {
         throwVMError(callFrame, scope, createNotAnObjectError(callFrame, thisValue));
         return nullptr;
     }
-    JSSet* set = jsDynamicCast<JSSet*>(thisValue);
-    if (!set) {
-        throwTypeError(callFrame, scope, ASCIILiteral("Set operation called on non-Set object"));
-        return nullptr;
-    }
-    return set;
+    if (LIKELY(thisValue.asCell()->type() == JSSetType))
+        return jsCast<JSSet*>(thisValue);
+    throwTypeError(callFrame, scope, ASCIILiteral("Set operation called on non-Set object"));
+    return nullptr;
 }
 
@@ -185 +183 @@
         return JSValue::encode(jsBoolean(false));
     }
-    iterator->finish();
     return JSValue::encode(jsBoolean(true));
 }

trunk/Source/JavaScriptCore/runtime/VM.cpp

@@ -66 +66 @@
 #include "JSLexicalEnvironment.h"
 #include "JSLock.h"
+#include "JSMap.h"
 #include "JSPromiseDeferred.h"
 #include "JSPropertyNameEnumerator.h"
@@ -254 +255 @@
     webAssemblyCodeBlockStructure.set(*this, WebAssemblyCodeBlock::createStructure(*this, 0, jsNull()));
 #endif
+    hashMapBucketSetStructure.set(*this, HashMapBucket<HashMapBucketDataKey>::createStructure(*this, 0, jsNull()));
+    hashMapBucketMapStructure.set(*this, HashMapBucket<HashMapBucketDataKeyValue>::createStructure(*this, 0, jsNull()));
+    hashMapImplSetStructure.set(*this, HashMapImpl<HashMapBucket<HashMapBucketDataKey>>::createStructure(*this, 0, jsNull()));
+    hashMapImplMapStructure.set(*this, HashMapImpl<HashMapBucket<HashMapBucketDataKeyValue>>::createStructure(*this, 0, jsNull()));
 
     iterationTerminator.set(*this, JSFinalObject::create(*this, JSFinalObject::createStructure(*this, 0, jsNull(), 1)));

trunk/Source/JavaScriptCore/runtime/VM.h

@@ -335 +335 @@
     Strong<Structure> functionCodeBlockStructure;
     Strong<Structure> webAssemblyCodeBlockStructure;
+    Strong<Structure> hashMapBucketSetStructure;
+    Strong<Structure> hashMapBucketMapStructure;
+    Strong<Structure> hashMapImplSetStructure;
+    Strong<Structure> hashMapImplMapStructure;
 
     Strong<JSCell> iterationTerminator;

trunk/Source/WTF/ChangeLog

@@ +1 @@
+2016-09-06  Saam Barati  <sbarati@apple.com>
+
+        Make JSMap and JSSet faster
+        https://bugs.webkit.org/show_bug.cgi?id=160989
+
+        Reviewed by Filip Pizlo.
+
+        I made s_flagCount public since JSC's JITs now use this field.
+
+        * wtf/text/StringImpl.h:
+
 2016-09-06  Per Arne Vollan  <pvollan@apple.com>
 

trunk/Source/WTF/wtf/text/StringImpl.h

@@ -149 +149 @@
 
     // The bottom 6 bits in the hash are flags.
+public:
     static const unsigned s_flagCount = 6;
+private:
     static const unsigned s_flagMask = (1u << s_flagCount) - 1;
     COMPILE_ASSERT(s_flagCount <= StringHasher::flagCount, StringHasher_reserves_enough_bits_for_StringImpl_flags);

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2016-09-06  Saam Barati  <sbarati@apple.com>
+
+        Make JSMap and JSSet faster
+        https://bugs.webkit.org/show_bug.cgi?id=160989
+
+        Reviewed by Filip Pizlo.
+
+        * ForwardingHeaders/runtime/HashMapImpl.h: Added.
+        * ForwardingHeaders/runtime/MapBase.h: Added.
+        * bindings/js/SerializedScriptValue.cpp:
+        (WebCore::CloneSerializer::serialize):
+        (WebCore::CloneDeserializer::deserialize):
+
 2016-09-05  Alex Christensen  <achristensen@webkit.org>
 

trunk/Source/WebCore/bindings/js/SerializedScriptValue.cpp

@@ -1369 +1369 @@
                 JSMapIterator* iterator = mapIteratorStack.last();
                 JSValue key, value;
-                if (!iterator->nextKeyValue(key, value)) {
+                if (!iterator->nextKeyValue(m_exec, key, value)) {
                     mapIteratorStack.removeLast();
                     JSObject* object = inputObjectStack.last();
@@ -2546 +2546 @@
             if (outputObjectStack.size() > maximumFilterRecursion)
                 return std::make_pair(JSValue(), StackOverflowError);
-            JSMap* map = JSMap::create(m_exec->vm(), m_globalObject->mapStructure());
+            JSMap* map = JSMap::create(m_exec, m_exec->vm(), m_globalObject->mapStructure());
+            if (UNLIKELY(m_exec->hadException()))
+                goto error;
             m_gcBuffer.append(map);
             outputObjectStack.append(map);
@@ -2575 +2577 @@
             if (outputObjectStack.size() > maximumFilterRecursion)
                 return std::make_pair(JSValue(), StackOverflowError);
-            JSSet* set = JSSet::create(m_exec->vm(), m_globalObject->setStructure());
+            JSSet* set = JSSet::create(m_exec, m_exec->vm(), m_globalObject->setStructure());
+            if (UNLIKELY(m_exec->hadException()))
+                goto error;
             m_gcBuffer.append(set);
             outputObjectStack.append(set);