]> git.saurik.com Git - apple/javascriptcore.git/blobdiff - runtime/Structure.cpp
JavaScriptCore-1218.34.tar.gz
[apple/javascriptcore.git] / runtime / Structure.cpp
index 8133cd2e0c0c48f8e3586d682e3b0fdadd9f12ca..950728cca637b3be41582820e6c7f023dcbb3dbe 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Apple Inc. All rights reserved.
+ * Copyright (C) 2008, 2009, 2013 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
 #include "config.h"
 #include "Structure.h"
 
-#include "Identifier.h"
+#include "CodeBlock.h"
 #include "JSObject.h"
+#include "JSPropertyNameIterator.h"
+#include "Lookup.h"
 #include "PropertyNameArray.h"
 #include "StructureChain.h"
-#include "Lookup.h"
+#include "StructureRareDataInlines.h"
 #include <wtf/RefCountedLeakCounter.h>
 #include <wtf/RefPtr.h>
-
-#if ENABLE(JSC_MULTIPLE_THREADS)
 #include <wtf/Threading.h>
-#endif
 
 #define DUMP_STRUCTURE_ID_STATISTICS 0
 
 using namespace std;
 using namespace WTF;
 
+#if DUMP_PROPERTYMAP_STATS
+
+int numProbes;
+int numCollisions;
+int numRehashes;
+int numRemoves;
+
+#endif
+
 namespace JSC {
 
-// Choose a number for the following so that most property maps are smaller,
-// but it's not going to blow out the stack to allocate this number of pointers.
-static const int smallMapThreshold = 1024;
+#if DUMP_STRUCTURE_ID_STATISTICS
+static HashSet<Structure*>& liveStructureSet = *(new HashSet<Structure*>);
+#endif
 
-// The point at which the function call overhead of the qsort implementation
-// becomes small compared to the inefficiency of insertion sort.
-static const unsigned tinyMapThreshold = 20;
+bool StructureTransitionTable::contains(StringImpl* rep, unsigned attributes) const
+{
+    if (isUsingSingleSlot()) {
+        Structure* transition = singleTransition();
+        return transition && transition->m_nameInPrevious == rep && transition->m_attributesInPrevious == attributes;
+    }
+    return map()->get(make_pair(rep, attributes));
+}
 
-static const unsigned newTableSize = 16;
+inline Structure* StructureTransitionTable::get(StringImpl* rep, unsigned attributes) const
+{
+    if (isUsingSingleSlot()) {
+        Structure* transition = singleTransition();
+        return (transition && transition->m_nameInPrevious == rep && transition->m_attributesInPrevious == attributes) ? transition : 0;
+    }
+    return map()->get(make_pair(rep, attributes));
+}
 
-#ifndef NDEBUG
-static WTF::RefCountedLeakCounter structureCounter("Structure");
+inline void StructureTransitionTable::add(VM& vm, Structure* structure)
+{
+    if (isUsingSingleSlot()) {
+        Structure* existingTransition = singleTransition();
 
-#if ENABLE(JSC_MULTIPLE_THREADS)
-static Mutex ignoreSetMutex;
-#endif
+        // This handles the first transition being added.
+        if (!existingTransition) {
+            setSingleTransition(vm, structure);
+            return;
+        }
 
-static bool shouldIgnoreLeaks;
-static HashSet<Structure*> ignoreSet;
-#endif
+        // This handles the second transition being added
+        // (or the first transition being despecified!)
+        setMap(new TransitionMap());
+        add(vm, existingTransition);
+    }
 
-#if DUMP_STRUCTURE_ID_STATISTICS
-static HashSet<Structure*> liveStructureSet;
-#endif
+    // Add the structure to the map.
+
+    // Newer versions of the STL have an std::make_pair function that takes rvalue references.
+    // When either of the parameters are bitfields, the C++ compiler will try to bind them as lvalues, which is invalid. To work around this, use unary "+" to make the parameter an rvalue.
+    // See https://bugs.webkit.org/show_bug.cgi?id=59261 for more details
+    map()->set(make_pair(structure->m_nameInPrevious, +structure->m_attributesInPrevious), structure);
+}
 
 void Structure::dumpStatistics()
 {
@@ -88,940 +118,879 @@ void Structure::dumpStatistics()
     HashSet<Structure*>::const_iterator end = liveStructureSet.end();
     for (HashSet<Structure*>::const_iterator it = liveStructureSet.begin(); it != end; ++it) {
         Structure* structure = *it;
-        if (structure->m_usingSingleTransitionSlot) {
-            if (!structure->m_transitions.singleTransition)
+
+        switch (structure->m_transitionTable.size()) {
+            case 0:
                 ++numberLeaf;
-            else
-                ++numberUsingSingleSlot;
+                if (!structure->previousID())
+                    ++numberSingletons;
+                break;
 
-           if (!structure->m_previous && !structure->m_transitions.singleTransition)
-                ++numberSingletons;
+            case 1:
+                ++numberUsingSingleSlot;
+                break;
         }
 
-        if (structure->m_propertyTable) {
+        if (structure->propertyTable()) {
             ++numberWithPropertyMaps;
-            totalPropertyMapsSize += PropertyMapHashTable::allocationSize(structure->m_propertyTable->size);
-            if (structure->m_propertyTable->deletedOffsets)
-                totalPropertyMapsSize += (structure->m_propertyTable->deletedOffsets->capacity() * sizeof(unsigned)); 
+            totalPropertyMapsSize += structure->propertyTable()->sizeInMemory();
         }
     }
 
-    printf("Number of live Structures: %d\n", liveStructureSet.size());
-    printf("Number of Structures using the single item optimization for transition map: %d\n", numberUsingSingleSlot);
-    printf("Number of Structures that are leaf nodes: %d\n", numberLeaf);
-    printf("Number of Structures that singletons: %d\n", numberSingletons);
-    printf("Number of Structures with PropertyMaps: %d\n", numberWithPropertyMaps);
+    dataLogF("Number of live Structures: %d\n", liveStructureSet.size());
+    dataLogF("Number of Structures using the single item optimization for transition map: %d\n", numberUsingSingleSlot);
+    dataLogF("Number of Structures that are leaf nodes: %d\n", numberLeaf);
+    dataLogF("Number of Structures that singletons: %d\n", numberSingletons);
+    dataLogF("Number of Structures with PropertyMaps: %d\n", numberWithPropertyMaps);
 
-    printf("Size of a single Structures: %d\n", static_cast<unsigned>(sizeof(Structure)));
-    printf("Size of sum of all property maps: %d\n", totalPropertyMapsSize);
-    printf("Size of average of all property maps: %f\n", static_cast<double>(totalPropertyMapsSize) / static_cast<double>(liveStructureSet.size()));
+    dataLogF("Size of a single Structures: %d\n", static_cast<unsigned>(sizeof(Structure)));
+    dataLogF("Size of sum of all property maps: %d\n", totalPropertyMapsSize);
+    dataLogF("Size of average of all property maps: %f\n", static_cast<double>(totalPropertyMapsSize) / static_cast<double>(liveStructureSet.size()));
 #else
-    printf("Dumping Structure statistics is not enabled.\n");
+    dataLogF("Dumping Structure statistics is not enabled.\n");
 #endif
 }
 
-Structure::Structure(JSValuePtr prototype, const TypeInfo& typeInfo)
-    : m_typeInfo(typeInfo)
-    , m_prototype(prototype)
-    , m_propertyTable(0)
-    , m_propertyStorageCapacity(JSObject::inlineStorageCapacity)
-    , m_offset(noOffset)
-    , m_isDictionary(false)
+Structure::Structure(VM& vm, JSGlobalObject* globalObject, JSValue prototype, const TypeInfo& typeInfo, const ClassInfo* classInfo, IndexingType indexingType, unsigned inlineCapacity)
+    : JSCell(vm, vm.structureStructure.get())
+    , m_globalObject(vm, this, globalObject, WriteBarrier<JSGlobalObject>::MayBeNull)
+    , m_prototype(vm, this, prototype)
+    , m_classInfo(classInfo)
+    , m_transitionWatchpointSet(InitializedWatching)
+    , m_offset(invalidOffset)
+    , m_typeInfo(typeInfo)
+    , m_indexingType(indexingType)
+    , m_inlineCapacity(inlineCapacity)
+    , m_dictionaryKind(NoneDictionaryKind)
     , m_isPinnedPropertyTable(false)
     , m_hasGetterSetterProperties(false)
-    , m_usingSingleTransitionSlot(true)
+    , m_hasReadOnlyOrGetterSetterPropertiesExcludingProto(false)
+    , m_hasNonEnumerableProperties(false)
     , m_attributesInPrevious(0)
+    , m_specificFunctionThrashCount(0)
+    , m_preventExtensions(false)
+    , m_didTransition(false)
+    , m_staticFunctionReified(false)
+{
+    ASSERT(inlineCapacity <= JSFinalObject::maxInlineCapacity());
+    ASSERT(static_cast<PropertyOffset>(inlineCapacity) < firstOutOfLineOffset);
+    ASSERT(!typeInfo.structureHasRareData());
+}
+
+const ClassInfo Structure::s_info = { "Structure", 0, 0, 0, CREATE_METHOD_TABLE(Structure) };
+
+Structure::Structure(VM& vm)
+    : JSCell(CreatingEarlyCell)
+    , m_prototype(vm, this, jsNull())
+    , m_classInfo(&s_info)
+    , m_transitionWatchpointSet(InitializedWatching)
+    , m_offset(invalidOffset)
+    , m_typeInfo(CompoundType, OverridesVisitChildren)
+    , m_indexingType(0)
+    , m_inlineCapacity(0)
+    , m_dictionaryKind(NoneDictionaryKind)
+    , m_isPinnedPropertyTable(false)
+    , m_hasGetterSetterProperties(false)
+    , m_hasReadOnlyOrGetterSetterPropertiesExcludingProto(false)
+    , m_hasNonEnumerableProperties(false)
+    , m_attributesInPrevious(0)
+    , m_specificFunctionThrashCount(0)
+    , m_preventExtensions(false)
+    , m_didTransition(false)
+    , m_staticFunctionReified(false)
+{
+}
+
+Structure::Structure(VM& vm, const Structure* previous)
+    : JSCell(vm, vm.structureStructure.get())
+    , m_prototype(vm, this, previous->storedPrototype())
+    , m_classInfo(previous->m_classInfo)
+    , m_transitionWatchpointSet(InitializedWatching)
+    , m_offset(invalidOffset)
+    , m_typeInfo(previous->typeInfo().type(), previous->typeInfo().flags() & ~StructureHasRareData)
+    , m_indexingType(previous->indexingTypeIncludingHistory())
+    , m_inlineCapacity(previous->m_inlineCapacity)
+    , m_dictionaryKind(previous->m_dictionaryKind)
+    , m_isPinnedPropertyTable(false)
+    , m_hasGetterSetterProperties(previous->m_hasGetterSetterProperties)
+    , m_hasReadOnlyOrGetterSetterPropertiesExcludingProto(previous->m_hasReadOnlyOrGetterSetterPropertiesExcludingProto)
+    , m_hasNonEnumerableProperties(previous->m_hasNonEnumerableProperties)
+    , m_attributesInPrevious(0)
+    , m_specificFunctionThrashCount(previous->m_specificFunctionThrashCount)
+    , m_preventExtensions(previous->m_preventExtensions)
+    , m_didTransition(true)
+    , m_staticFunctionReified(previous->m_staticFunctionReified)
 {
-    ASSERT(m_prototype);
-    ASSERT(m_prototype.isObject() || m_prototype.isNull());
-
-    m_transitions.singleTransition = 0;
-
-#ifndef NDEBUG
-#if ENABLE(JSC_MULTIPLE_THREADS)
-    MutexLocker protect(ignoreSetMutex);
-#endif
-    if (shouldIgnoreLeaks)
-        ignoreSet.add(this);
-    else
-        structureCounter.increment();
-#endif
-
-#if DUMP_STRUCTURE_ID_STATISTICS
-    liveStructureSet.add(this);
-#endif
-}
-
-Structure::~Structure()
-{
-    if (m_previous) {
-        if (m_previous->m_usingSingleTransitionSlot) {
-            m_previous->m_transitions.singleTransition = 0;
-        } else {
-            ASSERT(m_previous->m_transitions.table->contains(make_pair(m_nameInPrevious.get(), m_attributesInPrevious)));
-            m_previous->m_transitions.table->remove(make_pair(m_nameInPrevious.get(), m_attributesInPrevious));
-        }
-    }
-
-    if (m_cachedPropertyNameArrayData)
-        m_cachedPropertyNameArrayData->setCachedStructure(0);
-
-    if (!m_usingSingleTransitionSlot)
-        delete m_transitions.table;
-
-    if (m_propertyTable) {
-        unsigned entryCount = m_propertyTable->keyCount + m_propertyTable->deletedSentinelCount;
-        for (unsigned i = 1; i <= entryCount; i++) {
-            if (UString::Rep* key = m_propertyTable->entries()[i].key)
-                key->deref();
-        }
-
-        delete m_propertyTable->deletedOffsets;
-        fastFree(m_propertyTable);
-    }
-
-#ifndef NDEBUG
-#if ENABLE(JSC_MULTIPLE_THREADS)
-    MutexLocker protect(ignoreSetMutex);
-#endif
-    HashSet<Structure*>::iterator it = ignoreSet.find(this);
-    if (it != ignoreSet.end())
-        ignoreSet.remove(it);
-    else
-        structureCounter.decrement();
-#endif
-
-#if DUMP_STRUCTURE_ID_STATISTICS
-    liveStructureSet.remove(this);
-#endif
-}
-
-void Structure::startIgnoringLeaks()
-{
-#ifndef NDEBUG
-    shouldIgnoreLeaks = true;
-#endif
-}
-
-void Structure::stopIgnoringLeaks()
-{
-#ifndef NDEBUG
-    shouldIgnoreLeaks = false;
-#endif
-}
-
-static bool isPowerOf2(unsigned v)
-{
-    // Taken from http://www.cs.utk.edu/~vose/c-stuff/bithacks.html
-    
-    return !(v & (v - 1)) && v;
-}
+    if (previous->typeInfo().structureHasRareData() && previous->rareData()->needsCloning())
+        cloneRareDataFrom(vm, previous);
+    else if (previous->previousID())
+        m_previousOrRareData.set(vm, this, previous->previousID());
 
-static unsigned nextPowerOf2(unsigned v)
-{
-    // Taken from http://www.cs.utk.edu/~vose/c-stuff/bithacks.html
-    // Devised by Sean Anderson, Sepember 14, 2001
-
-    v--;
-    v |= v >> 1;
-    v |= v >> 2;
-    v |= v >> 4;
-    v |= v >> 8;
-    v |= v >> 16;
-    v++;
-
-    return v;
+    previous->notifyTransitionFromThisStructure();
+    if (previous->m_globalObject)
+        m_globalObject.set(vm, this, previous->m_globalObject.get());
 }
 
-static unsigned sizeForKeyCount(size_t keyCount)
+void Structure::destroy(JSCell* cell)
 {
-    if (keyCount == notFound)
-        return newTableSize;
-
-    if (keyCount < 8)
-        return newTableSize;
-
-    if (isPowerOf2(keyCount))
-        return keyCount * 4;
-
-    return nextPowerOf2(keyCount) * 2;
+    static_cast<Structure*>(cell)->Structure::~Structure();
 }
 
-void Structure::materializePropertyMap()
+void Structure::materializePropertyMap(VM& vm)
 {
-    ASSERT(!m_propertyTable);
+    ASSERT(structure()->classInfo() == &s_info);
+    ASSERT(!propertyTable());
 
     Vector<Structure*, 8> structures;
     structures.append(this);
 
     Structure* structure = this;
 
-    // Search for the last Structure with a property table. 
+    // Search for the last Structure with a property table.
     while ((structure = structure->previousID())) {
         if (structure->m_isPinnedPropertyTable) {
-            ASSERT(structure->m_propertyTable);
-            ASSERT(!structure->m_previous);
+            ASSERT(structure->propertyTable());
+            ASSERT(!structure->previousID());
 
-            m_propertyTable = structure->copyPropertyTable();
+            propertyTable().set(vm, this, structure->propertyTable()->copy(vm, 0, numberOfSlotsForLastOffset(m_offset, m_inlineCapacity)));
             break;
         }
 
         structures.append(structure);
     }
 
-    if (!m_propertyTable)
-        createPropertyMapHashTable(sizeForKeyCount(m_offset + 1));
-    else {
-        if (sizeForKeyCount(m_offset + 1) > m_propertyTable->size)
-            rehashPropertyMapHashTable(sizeForKeyCount(m_offset + 1)); // This could be made more efficient by combining with the copy above. 
-    }
+    if (!propertyTable())
+        createPropertyMap(vm, numberOfSlotsForLastOffset(m_offset, m_inlineCapacity));
 
-    for (ptrdiff_t i = structures.size() - 2; i >= 0; --i) {
+    for (ptrdiff_t i = structures.size() - 1; i >= 0; --i) {
         structure = structures[i];
-        structure->m_nameInPrevious->ref();
-        PropertyMapEntry entry(structure->m_nameInPrevious.get(), structure->m_offset, structure->m_attributesInPrevious, ++m_propertyTable->lastIndexUsed); 
-        insertIntoPropertyMapHashTable(entry);
+        if (!structure->m_nameInPrevious)
+            continue;
+        PropertyMapEntry entry(vm, this, structure->m_nameInPrevious.get(), structure->m_offset, structure->m_attributesInPrevious, structure->m_specificValueInPrevious.get());
+        propertyTable()->add(entry, m_offset, PropertyTable::PropertyOffsetMustNotChange);
     }
+    
+    checkOffsetConsistency();
 }
 
-void Structure::getEnumerablePropertyNames(ExecState* exec, PropertyNameArray& propertyNames, JSObject* baseObject)
+inline size_t nextOutOfLineStorageCapacity(size_t currentCapacity)
 {
-    bool shouldCache = propertyNames.shouldCache() && !(propertyNames.size() || m_isDictionary);
+    if (!currentCapacity)
+        return initialOutOfLineCapacity;
+    return currentCapacity * outOfLineGrowthFactor;
+}
 
-    if (shouldCache && m_cachedPropertyNameArrayData) {
-        if (m_cachedPropertyNameArrayData->cachedPrototypeChain() == prototypeChain(exec)) {
-            propertyNames.setData(m_cachedPropertyNameArrayData);
-            return;
-        }
-        clearEnumerationCache();
-    }
+size_t Structure::suggestedNewOutOfLineStorageCapacity()
+{
+    return nextOutOfLineStorageCapacity(outOfLineCapacity());
+}
+void Structure::despecifyDictionaryFunction(VM& vm, PropertyName propertyName)
+{
+    StringImpl* rep = propertyName.uid();
 
-    getEnumerableNamesFromPropertyTable(propertyNames);
-    getEnumerableNamesFromClassInfoTable(exec, baseObject->classInfo(), propertyNames);
+    materializePropertyMapIfNecessary(vm);
 
-    if (m_prototype.isObject()) {
-        propertyNames.setShouldCache(false); // No need for our prototypes to waste memory on caching, since they're not being enumerated directly.
-        asObject(m_prototype)->getPropertyNames(exec, propertyNames);
-    }
+    ASSERT(isDictionary());
+    ASSERT(propertyTable());
 
-    if (shouldCache) {
-        m_cachedPropertyNameArrayData = propertyNames.data();
-        m_cachedPropertyNameArrayData->setCachedPrototypeChain(prototypeChain(exec));
-        m_cachedPropertyNameArrayData->setCachedStructure(this);
-    }
+    PropertyMapEntry* entry = propertyTable()->find(rep).first;
+    ASSERT(entry);
+    entry->specificValue.clear();
 }
 
-void Structure::clearEnumerationCache()
+Structure* Structure::addPropertyTransitionToExistingStructure(Structure* structure, PropertyName propertyName, unsigned attributes, JSCell* specificValue, PropertyOffset& offset)
 {
-    if (m_cachedPropertyNameArrayData)
-        m_cachedPropertyNameArrayData->setCachedStructure(0);
-    m_cachedPropertyNameArrayData.clear();
+    ASSERT(!structure->isDictionary());
+    ASSERT(structure->isObject());
+
+    if (Structure* existingTransition = structure->m_transitionTable.get(propertyName.uid(), attributes)) {
+        JSCell* specificValueInPrevious = existingTransition->m_specificValueInPrevious.get();
+        if (specificValueInPrevious && specificValueInPrevious != specificValue)
+            return 0;
+        validateOffset(existingTransition->m_offset, existingTransition->inlineCapacity());
+        offset = existingTransition->m_offset;
+        return existingTransition;
+    }
+
+    return 0;
 }
 
-void Structure::growPropertyStorageCapacity()
+bool Structure::anyObjectInChainMayInterceptIndexedAccesses() const
 {
-    if (m_propertyStorageCapacity == JSObject::inlineStorageCapacity)
-        m_propertyStorageCapacity = JSObject::nonInlineBaseStorageCapacity;
-    else
-        m_propertyStorageCapacity *= 2;
+    for (const Structure* current = this; ;) {
+        if (current->mayInterceptIndexedAccesses())
+            return true;
+        
+        JSValue prototype = current->storedPrototype();
+        if (prototype.isNull())
+            return false;
+        
+        current = asObject(prototype)->structure();
+    }
 }
 
-PassRefPtr<Structure> Structure::addPropertyTransitionToExistingStructure(Structure* structure, const Identifier& propertyName, unsigned attributes, size_t& offset)
+bool Structure::needsSlowPutIndexing() const
 {
-    ASSERT(!structure->m_isDictionary);
-    ASSERT(structure->typeInfo().type() == ObjectType);
-
-    if (structure->m_usingSingleTransitionSlot) {
-        Structure* existingTransition = structure->m_transitions.singleTransition;
-        if (existingTransition && existingTransition->m_nameInPrevious.get() == propertyName.ustring().rep() && existingTransition->m_attributesInPrevious == attributes) {
-            ASSERT(structure->m_transitions.singleTransition->m_offset != noOffset);
-            offset = structure->m_transitions.singleTransition->m_offset;
-            return existingTransition;
-        }
-    } else {
-        if (Structure* existingTransition = structure->m_transitions.table->get(make_pair(propertyName.ustring().rep(), attributes))) {
-            ASSERT(existingTransition->m_offset != noOffset);
-            offset = existingTransition->m_offset;
-            return existingTransition;
-        }
-    }
+    return anyObjectInChainMayInterceptIndexedAccesses()
+        || globalObject()->isHavingABadTime();
+}
 
-    return 0;
+NonPropertyTransition Structure::suggestedArrayStorageTransition() const
+{
+    if (needsSlowPutIndexing())
+        return AllocateSlowPutArrayStorage;
+    
+    return AllocateArrayStorage;
 }
 
-PassRefPtr<Structure> Structure::addPropertyTransition(Structure* structure, const Identifier& propertyName, unsigned attributes, size_t& offset)
+Structure* Structure::addPropertyTransition(VM& vm, Structure* structure, PropertyName propertyName, unsigned attributes, JSCell* specificValue, PropertyOffset& offset)
 {
-    ASSERT(!structure->m_isDictionary);
-    ASSERT(structure->typeInfo().type() == ObjectType);
-    ASSERT(!Structure::addPropertyTransitionToExistingStructure(structure, propertyName, attributes, offset));
+    // If we have a specific function, we may have got to this point if there is
+    // already a transition with the correct property name and attributes, but
+    // specialized to a different function.  In this case we just want to give up
+    // and despecialize the transition.
+    // In this case we clear the value of specificFunction which will result
+    // in us adding a non-specific transition, and any subsequent lookup in
+    // Structure::addPropertyTransitionToExistingStructure will just use that.
+    if (specificValue && structure->m_transitionTable.contains(propertyName.uid(), attributes))
+        specificValue = 0;
+
+    ASSERT(!structure->isDictionary());
+    ASSERT(structure->isObject());
+    ASSERT(!Structure::addPropertyTransitionToExistingStructure(structure, propertyName, attributes, specificValue, offset));
+    
+    if (structure->m_specificFunctionThrashCount == maxSpecificFunctionThrashCount)
+        specificValue = 0;
 
     if (structure->transitionCount() > s_maxTransitionLength) {
-        RefPtr<Structure> transition = toDictionaryTransition(structure);
-        offset = transition->put(propertyName, attributes);
-        if (transition->propertyStorageSize() > transition->propertyStorageCapacity())
-            transition->growPropertyStorageCapacity();
-        return transition.release();
+        Structure* transition = toCacheableDictionaryTransition(vm, structure);
+        ASSERT(structure != transition);
+        offset = transition->putSpecificValue(vm, propertyName, attributes, specificValue);
+        return transition;
     }
+    
+    Structure* transition = create(vm, structure);
 
-    RefPtr<Structure> transition = create(structure->m_prototype, structure->typeInfo());
-    transition->m_cachedPrototypeChain = structure->m_cachedPrototypeChain;
-    transition->m_previous = structure;
-    transition->m_nameInPrevious = propertyName.ustring().rep();
+    transition->m_cachedPrototypeChain.setMayBeNull(vm, transition, structure->m_cachedPrototypeChain.get());
+    transition->setPreviousID(vm, transition, structure);
+    transition->m_nameInPrevious = propertyName.uid();
     transition->m_attributesInPrevious = attributes;
-    transition->m_propertyStorageCapacity = structure->m_propertyStorageCapacity;
-    transition->m_hasGetterSetterProperties = structure->m_hasGetterSetterProperties;
-
-    if (structure->m_propertyTable) {
-        if (structure->m_isPinnedPropertyTable)
-            transition->m_propertyTable = structure->copyPropertyTable();
-        else {
-            transition->m_propertyTable = structure->m_propertyTable;
-            structure->m_propertyTable = 0;
-        }
-    } else {
-        if (structure->m_previous)
-            transition->materializePropertyMap();
-        else
-            transition->createPropertyMapHashTable();
-    }
+    transition->m_specificValueInPrevious.setMayBeNull(vm, transition, specificValue);
+    transition->propertyTable().set(vm, transition, structure->takePropertyTableOrCloneIfPinned(vm, transition));
+    transition->m_offset = structure->m_offset;
 
-    offset = transition->put(propertyName, attributes);
-    if (transition->propertyStorageSize() > transition->propertyStorageCapacity())
-        transition->growPropertyStorageCapacity();
+    offset = transition->putSpecificValue(vm, propertyName, attributes, specificValue);
 
-    transition->m_offset = offset;
-
-    if (structure->m_usingSingleTransitionSlot) {
-        if (!structure->m_transitions.singleTransition) {
-            structure->m_transitions.singleTransition = transition.get();
-            return transition.release();
-        }
-
-        Structure* existingTransition = structure->m_transitions.singleTransition;
-        structure->m_usingSingleTransitionSlot = false;
-        StructureTransitionTable* transitionTable = new StructureTransitionTable;
-        structure->m_transitions.table = transitionTable;
-        transitionTable->add(make_pair(existingTransition->m_nameInPrevious.get(), existingTransition->m_attributesInPrevious), existingTransition);
-    }
-    structure->m_transitions.table->add(make_pair(propertyName.ustring().rep(), attributes), transition.get());
-    return transition.release();
+    checkOffset(transition->m_offset, transition->inlineCapacity());
+    structure->m_transitionTable.add(vm, transition);
+    transition->checkOffsetConsistency();
+    structure->checkOffsetConsistency();
+    return transition;
 }
 
-PassRefPtr<Structure> Structure::removePropertyTransition(Structure* structure, const Identifier& propertyName, size_t& offset)
+Structure* Structure::removePropertyTransition(VM& vm, Structure* structure, PropertyName propertyName, PropertyOffset& offset)
 {
-    ASSERT(!structure->m_isDictionary);
+    ASSERT(!structure->isUncacheableDictionary());
 
-    RefPtr<Structure> transition = toDictionaryTransition(structure);
+    Structure* transition = toUncacheableDictionaryTransition(vm, structure);
 
     offset = transition->remove(propertyName);
 
-    return transition.release();
+    transition->checkOffsetConsistency();
+    return transition;
 }
 
-PassRefPtr<Structure> Structure::changePrototypeTransition(Structure* structure, JSValuePtr prototype)
+Structure* Structure::changePrototypeTransition(VM& vm, Structure* structure, JSValue prototype)
 {
-    RefPtr<Structure> transition = create(prototype, structure->typeInfo());
-
-    transition->m_propertyStorageCapacity = structure->m_propertyStorageCapacity;
-    transition->m_hasGetterSetterProperties = structure->m_hasGetterSetterProperties;
+    Structure* transition = create(vm, structure);
 
-    // Don't set m_offset, as one can not transition to this.
+    transition->m_prototype.set(vm, transition, prototype);
 
-    structure->materializePropertyMapIfNecessary();
-    transition->m_propertyTable = structure->copyPropertyTable();
-    transition->m_isPinnedPropertyTable = true;
+    structure->materializePropertyMapIfNecessary(vm);
+    transition->propertyTable().set(vm, transition, structure->copyPropertyTableForPinning(vm, transition));
+    transition->m_offset = structure->m_offset;
+    transition->pin();
 
-    return transition.release();
+    transition->checkOffsetConsistency();
+    return transition;
 }
 
-PassRefPtr<Structure> Structure::getterSetterTransition(Structure* structure)
+Structure* Structure::despecifyFunctionTransition(VM& vm, Structure* structure, PropertyName replaceFunction)
 {
-    RefPtr<Structure> transition = create(structure->storedPrototype(), structure->typeInfo());
-    transition->m_propertyStorageCapacity = structure->m_propertyStorageCapacity;
-    transition->m_hasGetterSetterProperties = transition->m_hasGetterSetterProperties;
+    ASSERT(structure->m_specificFunctionThrashCount < maxSpecificFunctionThrashCount);
+    Structure* transition = create(vm, structure);
 
-    // Don't set m_offset, as one can not transition to this.
+    ++transition->m_specificFunctionThrashCount;
 
-    structure->materializePropertyMapIfNecessary();
-    transition->m_propertyTable = structure->copyPropertyTable();
-    transition->m_isPinnedPropertyTable = true;
+    structure->materializePropertyMapIfNecessary(vm);
+    transition->propertyTable().set(vm, transition, structure->copyPropertyTableForPinning(vm, transition));
+    transition->m_offset = structure->m_offset;
+    transition->pin();
 
-    return transition.release();
-}
-
-PassRefPtr<Structure> Structure::toDictionaryTransition(Structure* structure)
-{
-    ASSERT(!structure->m_isDictionary);
-
-    RefPtr<Structure> transition = create(structure->m_prototype, structure->typeInfo());
-    transition->m_isDictionary = true;
-    transition->m_propertyStorageCapacity = structure->m_propertyStorageCapacity;
-    transition->m_hasGetterSetterProperties = structure->m_hasGetterSetterProperties;
-
-    structure->materializePropertyMapIfNecessary();
-    transition->m_propertyTable = structure->copyPropertyTable();
-    transition->m_isPinnedPropertyTable = true;
+    if (transition->m_specificFunctionThrashCount == maxSpecificFunctionThrashCount)
+        transition->despecifyAllFunctions(vm);
+    else {
+        bool removed = transition->despecifyFunction(vm, replaceFunction);
+        ASSERT_UNUSED(removed, removed);
+    }
 
-    return transition.release();
+    transition->checkOffsetConsistency();
+    return transition;
 }
 
-PassRefPtr<Structure> Structure::fromDictionaryTransition(Structure* structure)
+Structure* Structure::attributeChangeTransition(VM& vm, Structure* structure, PropertyName propertyName, unsigned attributes)
 {
-    ASSERT(structure->m_isDictionary);
+    if (!structure->isUncacheableDictionary()) {
+        Structure* transition = create(vm, structure);
 
-    // Since dictionary Structures are not shared, and no opcodes specialize
-    // for them, we don't need to allocate a new Structure when transitioning
-    // to non-dictionary status.
+        structure->materializePropertyMapIfNecessary(vm);
+        transition->propertyTable().set(vm, transition, structure->copyPropertyTableForPinning(vm, transition));
+        transition->m_offset = structure->m_offset;
+        transition->pin();
+        
+        structure = transition;
+    }
 
-    // FIMXE: We can make this more efficient by canonicalizing the Structure (draining the
-    // deleted offsets vector) before transitioning from dictionary. 
-    if (!structure->m_propertyTable || !structure->m_propertyTable->deletedOffsets || structure->m_propertyTable->deletedOffsets->isEmpty())
-        structure->m_isDictionary = false;
+    ASSERT(structure->propertyTable());
+    PropertyMapEntry* entry = structure->propertyTable()->find(propertyName.uid()).first;
+    ASSERT(entry);
+    entry->attributes = attributes;
 
+    structure->checkOffsetConsistency();
     return structure;
 }
 
-size_t Structure::addPropertyWithoutTransition(const Identifier& propertyName, unsigned attributes)
+Structure* Structure::toDictionaryTransition(VM& vm, Structure* structure, DictionaryKind kind)
 {
-    ASSERT(!m_transitions.singleTransition);
+    ASSERT(!structure->isUncacheableDictionary());
+    
+    Structure* transition = create(vm, structure);
 
-    materializePropertyMapIfNecessary();
+    structure->materializePropertyMapIfNecessary(vm);
+    transition->propertyTable().set(vm, transition, structure->copyPropertyTableForPinning(vm, transition));
+    transition->m_offset = structure->m_offset;
+    transition->m_dictionaryKind = kind;
+    transition->pin();
 
-    m_isPinnedPropertyTable = true;
-    size_t offset = put(propertyName, attributes);
-    if (propertyStorageSize() > propertyStorageCapacity())
-        growPropertyStorageCapacity();
-    clearEnumerationCache();
-    return offset;
+    transition->checkOffsetConsistency();
+    return transition;
 }
 
-size_t Structure::removePropertyWithoutTransition(const Identifier& propertyName)
+Structure* Structure::toCacheableDictionaryTransition(VM& vm, Structure* structure)
 {
-    ASSERT(!m_transitions.singleTransition);
-    ASSERT(m_isDictionary);
-
-    materializePropertyMapIfNecessary();
-
-    m_isPinnedPropertyTable = true;
-    size_t offset = remove(propertyName);
-    clearEnumerationCache();
-    return offset;
+    return toDictionaryTransition(vm, structure, CachedDictionaryKind);
 }
 
-#if DUMP_PROPERTYMAP_STATS
-
-static int numProbes;
-static int numCollisions;
-static int numRehashes;
-static int numRemoves;
-
-struct PropertyMapStatisticsExitLogger {
-    ~PropertyMapStatisticsExitLogger();
-};
-
-static PropertyMapStatisticsExitLogger logger;
-
-PropertyMapStatisticsExitLogger::~PropertyMapStatisticsExitLogger()
+Structure* Structure::toUncacheableDictionaryTransition(VM& vm, Structure* structure)
 {
-    printf("\nJSC::PropertyMap statistics\n\n");
-    printf("%d probes\n", numProbes);
-    printf("%d collisions (%.1f%%)\n", numCollisions, 100.0 * numCollisions / numProbes);
-    printf("%d rehashes\n", numRehashes);
-    printf("%d removes\n", numRemoves);
+    return toDictionaryTransition(vm, structure, UncachedDictionaryKind);
 }
 
-#endif
-
-static const unsigned deletedSentinelIndex = 1;
+// In future we may want to cache this transition.
+Structure* Structure::sealTransition(VM& vm, Structure* structure)
+{
+    Structure* transition = preventExtensionsTransition(vm, structure);
 
-#if !DO_PROPERTYMAP_CONSTENCY_CHECK
+    if (transition->propertyTable()) {
+        PropertyTable::iterator end = transition->propertyTable()->end();
+        for (PropertyTable::iterator iter = transition->propertyTable()->begin(); iter != end; ++iter)
+            iter->attributes |= DontDelete;
+    }
 
-inline void Structure::checkConsistency()
-{
+    transition->checkOffsetConsistency();
+    return transition;
 }
 
-#endif
-
-PropertyMapHashTable* Structure::copyPropertyTable()
+// In future we may want to cache this transition.
+Structure* Structure::freezeTransition(VM& vm, Structure* structure)
 {
-    if (!m_propertyTable)
-        return 0;
-
-    size_t tableSize = PropertyMapHashTable::allocationSize(m_propertyTable->size);
-    PropertyMapHashTable* newTable = static_cast<PropertyMapHashTable*>(fastMalloc(tableSize));
-    memcpy(newTable, m_propertyTable, tableSize);
+    Structure* transition = preventExtensionsTransition(vm, structure);
 
-    unsigned entryCount = m_propertyTable->keyCount + m_propertyTable->deletedSentinelCount;
-    for (unsigned i = 1; i <= entryCount; ++i) {
-        if (UString::Rep* key = newTable->entries()[i].key)
-            key->ref();
+    if (transition->propertyTable()) {
+        PropertyTable::iterator iter = transition->propertyTable()->begin();
+        PropertyTable::iterator end = transition->propertyTable()->end();
+        if (iter != end)
+            transition->m_hasReadOnlyOrGetterSetterPropertiesExcludingProto = true;
+        for (; iter != end; ++iter)
+            iter->attributes |= iter->attributes & Accessor ? DontDelete : (DontDelete | ReadOnly);
     }
 
-    // Copy the deletedOffsets vector.
-    if (m_propertyTable->deletedOffsets)
-        newTable->deletedOffsets = new Vector<unsigned>(*m_propertyTable->deletedOffsets);
-
-    return newTable;
+    transition->checkOffsetConsistency();
+    return transition;
 }
 
-size_t Structure::get(const Identifier& propertyName, unsigned& attributes)
+// In future we may want to cache this transition.
+Structure* Structure::preventExtensionsTransition(VM& vm, Structure* structure)
 {
-    ASSERT(!propertyName.isNull());
-
-    materializePropertyMapIfNecessary();
-    if (!m_propertyTable)
-        return notFound;
-
-    UString::Rep* rep = propertyName._ustring.rep();
+    Structure* transition = create(vm, structure);
 
-    unsigned i = rep->computedHash();
-
-#if DUMP_PROPERTYMAP_STATS
-    ++numProbes;
-#endif
-
-    unsigned entryIndex = m_propertyTable->entryIndices[i & m_propertyTable->sizeMask];
-    if (entryIndex == emptyEntryIndex)
-        return notFound;
-
-    if (rep == m_propertyTable->entries()[entryIndex - 1].key) {
-        attributes = m_propertyTable->entries()[entryIndex - 1].attributes;
-        return m_propertyTable->entries()[entryIndex - 1].offset;
-    }
-
-#if DUMP_PROPERTYMAP_STATS
-    ++numCollisions;
-#endif
-
-    unsigned k = 1 | doubleHash(rep->computedHash());
+    // Don't set m_offset, as one can not transition to this.
 
-    while (1) {
-        i += k;
+    structure->materializePropertyMapIfNecessary(vm);
+    transition->propertyTable().set(vm, transition, structure->copyPropertyTableForPinning(vm, transition));
+    transition->m_offset = structure->m_offset;
+    transition->m_preventExtensions = true;
+    transition->pin();
 
-#if DUMP_PROPERTYMAP_STATS
-        ++numRehashes;
-#endif
+    transition->checkOffsetConsistency();
+    return transition;
+}
 
-        entryIndex = m_propertyTable->entryIndices[i & m_propertyTable->sizeMask];
-        if (entryIndex == emptyEntryIndex)
-            return notFound;
+PropertyTable* Structure::takePropertyTableOrCloneIfPinned(VM& vm, Structure* owner)
+{
+    materializePropertyMapIfNecessaryForPinning(vm);
+    if (m_isPinnedPropertyTable)
+        return propertyTable()->copy(vm, owner, propertyTable()->size() + 1);
+    PropertyTable* takenPropertyTable = propertyTable().get();
+    propertyTable().clear();
+    return takenPropertyTable;
+}
 
-        if (rep == m_propertyTable->entries()[entryIndex - 1].key) {
-            attributes = m_propertyTable->entries()[entryIndex - 1].attributes;
-            return m_propertyTable->entries()[entryIndex - 1].offset;
+Structure* Structure::nonPropertyTransition(VM& vm, Structure* structure, NonPropertyTransition transitionKind)
+{
+    unsigned attributes = toAttributes(transitionKind);
+    IndexingType indexingType = newIndexingType(structure->indexingTypeIncludingHistory(), transitionKind);
+    
+    if (JSGlobalObject* globalObject = structure->m_globalObject.get()) {
+        if (globalObject->isOriginalArrayStructure(structure)) {
+            Structure* result = globalObject->originalArrayStructureForIndexingType(indexingType);
+            if (result->indexingTypeIncludingHistory() == indexingType) {
+                structure->notifyTransitionFromThisStructure();
+                return result;
+            }
         }
     }
+    
+    if (Structure* existingTransition = structure->m_transitionTable.get(0, attributes)) {
+        ASSERT(existingTransition->m_attributesInPrevious == attributes);
+        ASSERT(existingTransition->indexingTypeIncludingHistory() == indexingType);
+        return existingTransition;
+    }
+    
+    Structure* transition = create(vm, structure);
+    transition->setPreviousID(vm, transition, structure);
+    transition->m_attributesInPrevious = attributes;
+    transition->m_indexingType = indexingType;
+    transition->propertyTable().set(vm, transition, structure->takePropertyTableOrCloneIfPinned(vm, transition));
+    transition->m_offset = structure->m_offset;
+    checkOffset(transition->m_offset, transition->inlineCapacity());
+    
+    structure->m_transitionTable.add(vm, transition);
+    transition->checkOffsetConsistency();
+    return transition;
 }
 
-size_t Structure::put(const Identifier& propertyName, unsigned attributes)
+// In future we may want to cache this property.
+bool Structure::isSealed(VM& vm)
 {
-    ASSERT(!propertyName.isNull());
-    ASSERT(get(propertyName) == notFound);
+    if (isExtensible())
+        return false;
 
-    checkConsistency();
+    materializePropertyMapIfNecessary(vm);
+    if (!propertyTable())
+        return true;
 
-    UString::Rep* rep = propertyName._ustring.rep();
+    PropertyTable::iterator end = propertyTable()->end();
+    for (PropertyTable::iterator iter = propertyTable()->begin(); iter != end; ++iter) {
+        if ((iter->attributes & DontDelete) != DontDelete)
+            return false;
+    }
+    return true;
+}
 
-    if (!m_propertyTable)
-        createPropertyMapHashTable();
+// In future we may want to cache this property.
+bool Structure::isFrozen(VM& vm)
+{
+    if (isExtensible())
+        return false;
 
-    // FIXME: Consider a fast case for tables with no deleted sentinels.
+    materializePropertyMapIfNecessary(vm);
+    if (!propertyTable())
+        return true;
 
-    unsigned i = rep->computedHash();
-    unsigned k = 0;
-    bool foundDeletedElement = false;
-    unsigned deletedElementIndex = 0; // initialize to make the compiler happy
+    PropertyTable::iterator end = propertyTable()->end();
+    for (PropertyTable::iterator iter = propertyTable()->begin(); iter != end; ++iter) {
+        if (!(iter->attributes & DontDelete))
+            return false;
+        if (!(iter->attributes & (ReadOnly | Accessor)))
+            return false;
+    }
+    return true;
+}
 
-#if DUMP_PROPERTYMAP_STATS
-    ++numProbes;
-#endif
+Structure* Structure::flattenDictionaryStructure(VM& vm, JSObject* object)
+{
+    checkOffsetConsistency();
+    ASSERT(isDictionary());
+    if (isUncacheableDictionary()) {
+        ASSERT(propertyTable());
 
-    while (1) {
-        unsigned entryIndex = m_propertyTable->entryIndices[i & m_propertyTable->sizeMask];
-        if (entryIndex == emptyEntryIndex)
-            break;
+        size_t propertyCount = propertyTable()->size();
 
-        if (entryIndex == deletedSentinelIndex) {
-            // If we find a deleted-element sentinel, remember it for use later.
-            if (!foundDeletedElement) {
-                foundDeletedElement = true;
-                deletedElementIndex = i;
-            }
-        }
+        // Holds our values compacted by insertion order.
+        Vector<JSValue> values(propertyCount);
 
-        if (k == 0) {
-            k = 1 | doubleHash(rep->computedHash());
-#if DUMP_PROPERTYMAP_STATS
-            ++numCollisions;
-#endif
+        // Copies out our values from their hashed locations, compacting property table offsets as we go.
+        unsigned i = 0;
+        PropertyTable::iterator end = propertyTable()->end();
+        m_offset = invalidOffset;
+        for (PropertyTable::iterator iter = propertyTable()->begin(); iter != end; ++iter, ++i) {
+            values[i] = object->getDirect(iter->offset);
+            m_offset = iter->offset = offsetForPropertyNumber(i, m_inlineCapacity);
         }
+        
+        // Copies in our values to their compacted locations.
+        for (unsigned i = 0; i < propertyCount; i++)
+            object->putDirect(vm, offsetForPropertyNumber(i, m_inlineCapacity), values[i]);
 
-        i += k;
-
-#if DUMP_PROPERTYMAP_STATS
-        ++numRehashes;
-#endif
+        propertyTable()->clearDeletedOffsets();
+        checkOffsetConsistency();
     }
 
-    // Figure out which entry to use.
-    unsigned entryIndex = m_propertyTable->keyCount + m_propertyTable->deletedSentinelCount + 2;
-    if (foundDeletedElement) {
-        i = deletedElementIndex;
-        --m_propertyTable->deletedSentinelCount;
-
-        // Since we're not making the table bigger, we can't use the entry one past
-        // the end that we were planning on using, so search backwards for the empty
-        // slot that we can use. We know it will be there because we did at least one
-        // deletion in the past that left an entry empty.
-        while (m_propertyTable->entries()[--entryIndex - 1].key) { }
-    }
+    m_dictionaryKind = NoneDictionaryKind;
 
-    // Create a new hash table entry.
-    m_propertyTable->entryIndices[i & m_propertyTable->sizeMask] = entryIndex;
+    // If the object had a Butterfly but after flattening/compacting we no longer have need of it,
+    // we need to zero it out because the collector depends on the Structure to know the size for copying.
+    if (object->butterfly() && !this->outOfLineCapacity() && !hasIndexingHeader(this->indexingType()))
+        object->setButterfly(vm, 0, this);
 
-    // Create a new hash table entry.
-    rep->ref();
-    m_propertyTable->entries()[entryIndex - 1].key = rep;
-    m_propertyTable->entries()[entryIndex - 1].attributes = attributes;
-    m_propertyTable->entries()[entryIndex - 1].index = ++m_propertyTable->lastIndexUsed;
+    return this;
+}
 
-    unsigned newOffset;
-    if (m_propertyTable->deletedOffsets && !m_propertyTable->deletedOffsets->isEmpty()) {
-        newOffset = m_propertyTable->deletedOffsets->last();
-        m_propertyTable->deletedOffsets->removeLast();
-    } else
-        newOffset = m_propertyTable->keyCount;
-    m_propertyTable->entries()[entryIndex - 1].offset = newOffset;
+PropertyOffset Structure::addPropertyWithoutTransition(VM& vm, PropertyName propertyName, unsigned attributes, JSCell* specificValue)
+{
+    ASSERT(!enumerationCache());
 
-    ++m_propertyTable->keyCount;
+    if (m_specificFunctionThrashCount == maxSpecificFunctionThrashCount)
+        specificValue = 0;
 
-    if ((m_propertyTable->keyCount + m_propertyTable->deletedSentinelCount) * 2 >= m_propertyTable->size)
-        expandPropertyMapHashTable();
+    materializePropertyMapIfNecessaryForPinning(vm);
+    
+    pin();
 
-    checkConsistency();
-    return newOffset;
+    return putSpecificValue(vm, propertyName, attributes, specificValue);
 }
 
-size_t Structure::remove(const Identifier& propertyName)
+PropertyOffset Structure::removePropertyWithoutTransition(VM& vm, PropertyName propertyName)
 {
-    ASSERT(!propertyName.isNull());
+    ASSERT(isUncacheableDictionary());
+    ASSERT(!enumerationCache());
 
-    checkConsistency();
+    materializePropertyMapIfNecessaryForPinning(vm);
 
-    UString::Rep* rep = propertyName._ustring.rep();
+    pin();
+    return remove(propertyName);
+}
 
-    if (!m_propertyTable)
-        return notFound;
+void Structure::pin()
+{
+    ASSERT(propertyTable());
+    m_isPinnedPropertyTable = true;
+    clearPreviousID();
+    m_nameInPrevious.clear();
+}
 
-#if DUMP_PROPERTYMAP_STATS
-    ++numProbes;
-    ++numRemoves;
-#endif
+void Structure::allocateRareData(VM& vm)
+{
+    ASSERT(!typeInfo().structureHasRareData());
+    StructureRareData* rareData = StructureRareData::create(vm, previous());
+    m_typeInfo = TypeInfo(typeInfo().type(), typeInfo().flags() | StructureHasRareData);
+    m_previousOrRareData.set(vm, this, rareData);
+}
 
-    // Find the thing to remove.
-    unsigned i = rep->computedHash();
-    unsigned k = 0;
-    unsigned entryIndex;
-    UString::Rep* key = 0;
-    while (1) {
-        entryIndex = m_propertyTable->entryIndices[i & m_propertyTable->sizeMask];
-        if (entryIndex == emptyEntryIndex)
-            return notFound;
-
-        key = m_propertyTable->entries()[entryIndex - 1].key;
-        if (rep == key)
-            break;
+void Structure::cloneRareDataFrom(VM& vm, const Structure* other)
+{
+    ASSERT(other->typeInfo().structureHasRareData());
+    StructureRareData* newRareData = StructureRareData::clone(vm, other->rareData());
+    m_typeInfo = TypeInfo(typeInfo().type(), typeInfo().flags() | StructureHasRareData);
+    m_previousOrRareData.set(vm, this, newRareData);
+}
 
-        if (k == 0) {
-            k = 1 | doubleHash(rep->computedHash());
 #if DUMP_PROPERTYMAP_STATS
-            ++numCollisions;
-#endif
-        }
-
-        i += k;
 
-#if DUMP_PROPERTYMAP_STATS
-        ++numRehashes;
-#endif
-    }
+struct PropertyMapStatisticsExitLogger {
+    ~PropertyMapStatisticsExitLogger();
+};
 
-    // Replace this one element with the deleted sentinel. Also clear out
-    // the entry so we can iterate all the entries as needed.
-    m_propertyTable->entryIndices[i & m_propertyTable->sizeMask] = deletedSentinelIndex;
+static PropertyMapStatisticsExitLogger logger;
 
-    size_t offset = m_propertyTable->entries()[entryIndex - 1].offset;
+PropertyMapStatisticsExitLogger::~PropertyMapStatisticsExitLogger()
+{
+    dataLogF("\nJSC::PropertyMap statistics\n\n");
+    dataLogF("%d probes\n", numProbes);
+    dataLogF("%d collisions (%.1f%%)\n", numCollisions, 100.0 * numCollisions / numProbes);
+    dataLogF("%d rehashes\n", numRehashes);
+    dataLogF("%d removes\n", numRemoves);
+}
 
-    key->deref();
-    m_propertyTable->entries()[entryIndex - 1].key = 0;
-    m_propertyTable->entries()[entryIndex - 1].attributes = 0;
-    m_propertyTable->entries()[entryIndex - 1].offset = 0;
+#endif
 
-    if (!m_propertyTable->deletedOffsets)
-        m_propertyTable->deletedOffsets = new Vector<unsigned>;
-    m_propertyTable->deletedOffsets->append(offset);
+#if !DO_PROPERTYMAP_CONSTENCY_CHECK
 
-    ASSERT(m_propertyTable->keyCount >= 1);
-    --m_propertyTable->keyCount;
-    ++m_propertyTable->deletedSentinelCount;
+inline void Structure::checkConsistency()
+{
+    checkOffsetConsistency();
+}
 
-    if (m_propertyTable->deletedSentinelCount * 4 >= m_propertyTable->size)
-        rehashPropertyMapHashTable();
+#endif
 
-    checkConsistency();
-    return offset;
+PropertyTable* Structure::copyPropertyTable(VM& vm, Structure* owner)
+{
+    if (!propertyTable())
+        return 0;
+    return PropertyTable::clone(vm, owner, *propertyTable().get());
 }
 
-void Structure::insertIntoPropertyMapHashTable(const PropertyMapEntry& entry)
+PropertyTable* Structure::copyPropertyTableForPinning(VM& vm, Structure* owner)
 {
-    ASSERT(m_propertyTable);
-
-    unsigned i = entry.key->computedHash();
-    unsigned k = 0;
+    if (propertyTable())
+        return PropertyTable::clone(vm, owner, *propertyTable().get());
+    return PropertyTable::create(vm, numberOfSlotsForLastOffset(m_offset, m_inlineCapacity));
+}
 
-#if DUMP_PROPERTYMAP_STATS
-    ++numProbes;
-#endif
+PropertyOffset Structure::get(VM& vm, PropertyName propertyName, unsigned& attributes, JSCell*& specificValue)
+{
+    ASSERT(structure()->classInfo() == &s_info);
 
-    while (1) {
-        unsigned entryIndex = m_propertyTable->entryIndices[i & m_propertyTable->sizeMask];
-        if (entryIndex == emptyEntryIndex)
-            break;
+    materializePropertyMapIfNecessary(vm);
+    if (!propertyTable())
+        return invalidOffset;
 
-        if (k == 0) {
-            k = 1 | doubleHash(entry.key->computedHash());
-#if DUMP_PROPERTYMAP_STATS
-            ++numCollisions;
-#endif
-        }
+    PropertyMapEntry* entry = propertyTable()->find(propertyName.uid()).first;
+    if (!entry)
+        return invalidOffset;
 
-        i += k;
+    attributes = entry->attributes;
+    specificValue = entry->specificValue.get();
+    return entry->offset;
+}
 
-#if DUMP_PROPERTYMAP_STATS
-        ++numRehashes;
-#endif
-    }
+bool Structure::despecifyFunction(VM& vm, PropertyName propertyName)
+{
+    materializePropertyMapIfNecessary(vm);
+    if (!propertyTable())
+        return false;
 
-    unsigned entryIndex = m_propertyTable->keyCount + 2;
-    m_propertyTable->entryIndices[i & m_propertyTable->sizeMask] = entryIndex;
-    m_propertyTable->entries()[entryIndex - 1] = entry;
+    PropertyMapEntry* entry = propertyTable()->find(propertyName.uid()).first;
+    if (!entry)
+        return false;
 
-    ++m_propertyTable->keyCount;
+    ASSERT(entry->specificValue);
+    entry->specificValue.clear();
+    return true;
 }
 
-void Structure::createPropertyMapHashTable()
+void Structure::despecifyAllFunctions(VM& vm)
 {
-    ASSERT(sizeForKeyCount(7) == newTableSize);
-    createPropertyMapHashTable(newTableSize);
+    materializePropertyMapIfNecessary(vm);
+    if (!propertyTable())
+        return;
+
+    PropertyTable::iterator end = propertyTable()->end();
+    for (PropertyTable::iterator iter = propertyTable()->begin(); iter != end; ++iter)
+        iter->specificValue.clear();
 }
 
-void Structure::createPropertyMapHashTable(unsigned newTableSize)
+PropertyOffset Structure::putSpecificValue(VM& vm, PropertyName propertyName, unsigned attributes, JSCell* specificValue)
 {
-    ASSERT(!m_propertyTable);
-    ASSERT(isPowerOf2(newTableSize));
+    ASSERT(!JSC::isValidOffset(get(vm, propertyName)));
 
     checkConsistency();
+    if (attributes & DontEnum)
+        m_hasNonEnumerableProperties = true;
 
-    m_propertyTable = static_cast<PropertyMapHashTable*>(fastZeroedMalloc(PropertyMapHashTable::allocationSize(newTableSize)));
-    m_propertyTable->size = newTableSize;
-    m_propertyTable->sizeMask = newTableSize - 1;
+    StringImpl* rep = propertyName.uid();
 
-    checkConsistency();
-}
+    if (!propertyTable())
+        createPropertyMap(vm);
 
-void Structure::expandPropertyMapHashTable()
-{
-    ASSERT(m_propertyTable);
-    rehashPropertyMapHashTable(m_propertyTable->size * 2);
-}
+    PropertyOffset newOffset = propertyTable()->nextOffset(m_inlineCapacity);
 
-void Structure::rehashPropertyMapHashTable()
-{
-    ASSERT(m_propertyTable);
-    ASSERT(m_propertyTable->size);
-    rehashPropertyMapHashTable(m_propertyTable->size);
+    propertyTable()->add(PropertyMapEntry(vm, this, rep, newOffset, attributes, specificValue), m_offset, PropertyTable::PropertyOffsetMayChange);
+    
+    checkConsistency();
+    return newOffset;
 }
 
-void Structure::rehashPropertyMapHashTable(unsigned newTableSize)
+PropertyOffset Structure::remove(PropertyName propertyName)
 {
-    ASSERT(m_propertyTable);
-    ASSERT(isPowerOf2(newTableSize));
-
     checkConsistency();
 
-    PropertyMapHashTable* oldTable = m_propertyTable;
+    StringImpl* rep = propertyName.uid();
 
-    m_propertyTable = static_cast<PropertyMapHashTable*>(fastZeroedMalloc(PropertyMapHashTable::allocationSize(newTableSize)));
-    m_propertyTable->size = newTableSize;
-    m_propertyTable->sizeMask = newTableSize - 1;
+    if (!propertyTable())
+        return invalidOffset;
 
-    unsigned lastIndexUsed = 0;
-    unsigned entryCount = oldTable->keyCount + oldTable->deletedSentinelCount;
-    for (unsigned i = 1; i <= entryCount; ++i) {
-        if (oldTable->entries()[i].key) {
-            lastIndexUsed = max(oldTable->entries()[i].index, lastIndexUsed);
-            insertIntoPropertyMapHashTable(oldTable->entries()[i]);
-        }
-    }
-    m_propertyTable->lastIndexUsed = lastIndexUsed;
-    m_propertyTable->deletedOffsets = oldTable->deletedOffsets;
+    PropertyTable::find_iterator position = propertyTable()->find(rep);
+    if (!position.first)
+        return invalidOffset;
 
-    fastFree(oldTable);
+    PropertyOffset offset = position.first->offset;
+
+    propertyTable()->remove(position);
+    propertyTable()->addDeletedOffset(offset);
 
     checkConsistency();
+    return offset;
 }
 
-static int comparePropertyMapEntryIndices(const void* a, const void* b)
+void Structure::createPropertyMap(VM& vm, unsigned capacity)
 {
-    unsigned ia = static_cast<PropertyMapEntry* const*>(a)[0]->index;
-    unsigned ib = static_cast<PropertyMapEntry* const*>(b)[0]->index;
-    if (ia < ib)
-        return -1;
-    if (ia > ib)
-        return +1;
-    return 0;
+    ASSERT(!propertyTable());
+
+    checkConsistency();
+    propertyTable().set(vm, this, PropertyTable::create(vm, capacity));
 }
 
-void Structure::getEnumerableNamesFromPropertyTable(PropertyNameArray& propertyNames)
+void Structure::getPropertyNamesFromStructure(VM& vm, PropertyNameArray& propertyNames, EnumerationMode mode)
 {
-    materializePropertyMapIfNecessary();
-    if (!m_propertyTable)
+    materializePropertyMapIfNecessary(vm);
+    if (!propertyTable())
         return;
 
-    if (m_propertyTable->keyCount < tinyMapThreshold) {
-        PropertyMapEntry* a[tinyMapThreshold];
-        int i = 0;
-        unsigned entryCount = m_propertyTable->keyCount + m_propertyTable->deletedSentinelCount;
-        for (unsigned k = 1; k <= entryCount; k++) {
-            if (m_propertyTable->entries()[k].key && !(m_propertyTable->entries()[k].attributes & DontEnum)) {
-                PropertyMapEntry* value = &m_propertyTable->entries()[k];
-                int j;
-                for (j = i - 1; j >= 0 && a[j]->index > value->index; --j)
-                    a[j + 1] = a[j];
-                a[j + 1] = value;
-                ++i;
-            }
-        }
-        if (!propertyNames.size()) {
-            for (int k = 0; k < i; ++k)
-                propertyNames.addKnownUnique(a[k]->key);
-        } else {
-            for (int k = 0; k < i; ++k)
-                propertyNames.add(a[k]->key);
-        }
+    bool knownUnique = !propertyNames.size();
 
-        return;
+    PropertyTable::iterator end = propertyTable()->end();
+    for (PropertyTable::iterator iter = propertyTable()->begin(); iter != end; ++iter) {
+        ASSERT(m_hasNonEnumerableProperties || !(iter->attributes & DontEnum));
+        if (iter->key->isIdentifier() && (!(iter->attributes & DontEnum) || mode == IncludeDontEnumProperties)) {
+            if (knownUnique)
+                propertyNames.addKnownUnique(iter->key);
+            else
+                propertyNames.add(iter->key);
+        }
     }
+}
 
-    // Allocate a buffer to use to sort the keys.
-    Vector<PropertyMapEntry*, smallMapThreshold> sortedEnumerables(m_propertyTable->keyCount);
+JSValue Structure::prototypeForLookup(CodeBlock* codeBlock) const
+{
+    return prototypeForLookup(codeBlock->globalObject());
+}
 
-    // Get pointers to the enumerable entries in the buffer.
-    PropertyMapEntry** p = sortedEnumerables.data();
-    unsigned entryCount = m_propertyTable->keyCount + m_propertyTable->deletedSentinelCount;
-    for (unsigned i = 1; i <= entryCount; i++) {
-        if (m_propertyTable->entries()[i].key && !(m_propertyTable->entries()[i].attributes & DontEnum))
-            *p++ = &m_propertyTable->entries()[i];
-    }
+void Structure::visitChildren(JSCell* cell, SlotVisitor& visitor)
+{
+    Structure* thisObject = jsCast<Structure*>(cell);
+    ASSERT_GC_OBJECT_INHERITS(thisObject, &s_info);
+    ASSERT(thisObject->structure()->typeInfo().overridesVisitChildren());
 
-    size_t enumerableCount = p - sortedEnumerables.data();
-    // Sort the entries by index.
-    qsort(sortedEnumerables.data(), enumerableCount, sizeof(PropertyMapEntry*), comparePropertyMapEntryIndices);
-    sortedEnumerables.resize(enumerableCount);
-
-    // Put the keys of the sorted entries into the list.
-    if (!propertyNames.size()) {
-        for (size_t i = 0; i < sortedEnumerables.size(); ++i)
-            propertyNames.addKnownUnique(sortedEnumerables[i]->key);
-    } else {
-        for (size_t i = 0; i < sortedEnumerables.size(); ++i)
-            propertyNames.add(sortedEnumerables[i]->key);
+    JSCell::visitChildren(thisObject, visitor);
+    visitor.append(&thisObject->m_globalObject);
+    if (!thisObject->isObject())
+        thisObject->m_cachedPrototypeChain.clear();
+    else {
+        visitor.append(&thisObject->m_prototype);
+        visitor.append(&thisObject->m_cachedPrototypeChain);
     }
+    visitor.append(&thisObject->m_previousOrRareData);
+    visitor.append(&thisObject->m_specificValueInPrevious);
+
+    if (thisObject->m_isPinnedPropertyTable) {
+        ASSERT(thisObject->m_propertyTableUnsafe);
+        visitor.append(&thisObject->m_propertyTableUnsafe);
+    } else if (thisObject->m_propertyTableUnsafe)
+        thisObject->m_propertyTableUnsafe.clear();
 }
 
-void Structure::getEnumerableNamesFromClassInfoTable(ExecState* exec, const ClassInfo* classInfo, PropertyNameArray& propertyNames)
+bool Structure::prototypeChainMayInterceptStoreTo(VM& vm, PropertyName propertyName)
 {
-    // Add properties from the static hashtables of properties
-    for (; classInfo; classInfo = classInfo->parentClass) {
-        const HashTable* table = classInfo->propHashTable(exec);
-        if (!table)
+    unsigned i = propertyName.asIndex();
+    if (i != PropertyName::NotAnIndex)
+        return anyObjectInChainMayInterceptIndexedAccesses();
+    
+    for (Structure* current = this; ;) {
+        JSValue prototype = current->storedPrototype();
+        if (prototype.isNull())
+            return false;
+        
+        current = prototype.asCell()->structure();
+        
+        unsigned attributes;
+        JSCell* specificValue;
+        PropertyOffset offset = current->get(vm, propertyName, attributes, specificValue);
+        if (!JSC::isValidOffset(offset))
             continue;
-        table->initializeIfNeeded(exec);
-        ASSERT(table->table);
-#if ENABLE(PERFECT_HASH_SIZE)
-        int hashSizeMask = table->hashSizeMask;
-#else
-        int hashSizeMask = table->compactSize - 1;
-#endif
-        const HashEntry* entry = table->table;
-        for (int i = 0; i <= hashSizeMask; ++i, ++entry) {
-            if (entry->key() && !(entry->attributes() & DontEnum))
-                propertyNames.add(entry->key());
-        }
+        
+        if (attributes & (ReadOnly | Accessor))
+            return true;
+        
+        return false;
     }
 }
 
 #if DO_PROPERTYMAP_CONSTENCY_CHECK
 
-void Structure::checkConsistency()
+void PropertyTable::checkConsistency()
 {
-    if (!m_propertyTable)
-        return;
-
-    ASSERT(m_propertyTable->size >= newTableSize);
-    ASSERT(m_propertyTable->sizeMask);
-    ASSERT(m_propertyTable->size == m_propertyTable->sizeMask + 1);
-    ASSERT(!(m_propertyTable->size & m_propertyTable->sizeMask));
-
-    ASSERT(m_propertyTable->keyCount <= m_propertyTable->size / 2);
-    ASSERT(m_propertyTable->deletedSentinelCount <= m_propertyTable->size / 4);
+    checkOffsetConsistency();
+    ASSERT(m_indexSize >= PropertyTable::MinimumTableSize);
+    ASSERT(m_indexMask);
+    ASSERT(m_indexSize == m_indexMask + 1);
+    ASSERT(!(m_indexSize & m_indexMask));
 
-    ASSERT(m_propertyTable->keyCount + m_propertyTable->deletedSentinelCount <= m_propertyTable->size / 2);
+    ASSERT(m_keyCount <= m_indexSize / 2);
+    ASSERT(m_keyCount + m_deletedCount <= m_indexSize / 2);
+    ASSERT(m_deletedCount <= m_indexSize / 4);
 
     unsigned indexCount = 0;
     unsigned deletedIndexCount = 0;
-    for (unsigned a = 0; a != m_propertyTable->size; ++a) {
-        unsigned entryIndex = m_propertyTable->entryIndices[a];
-        if (entryIndex == emptyEntryIndex)
+    for (unsigned a = 0; a != m_indexSize; ++a) {
+        unsigned entryIndex = m_index[a];
+        if (entryIndex == PropertyTable::EmptyEntryIndex)
             continue;
-        if (entryIndex == deletedSentinelIndex) {
+        if (entryIndex == deletedEntryIndex()) {
             ++deletedIndexCount;
             continue;
         }
-        ASSERT(entryIndex > deletedSentinelIndex);
-        ASSERT(entryIndex - 1 <= m_propertyTable->keyCount + m_propertyTable->deletedSentinelCount);
+        ASSERT(entryIndex < deletedEntryIndex());
+        ASSERT(entryIndex - 1 <= usedCount());
         ++indexCount;
 
-        for (unsigned b = a + 1; b != m_propertyTable->size; ++b)
-            ASSERT(m_propertyTable->entryIndices[b] != entryIndex);
+        for (unsigned b = a + 1; b != m_indexSize; ++b)
+            ASSERT(m_index[b] != entryIndex);
     }
-    ASSERT(indexCount == m_propertyTable->keyCount);
-    ASSERT(deletedIndexCount == m_propertyTable->deletedSentinelCount);
+    ASSERT(indexCount == m_keyCount);
+    ASSERT(deletedIndexCount == m_deletedCount);
 
-    ASSERT(m_propertyTable->entries()[0].key == 0);
+    ASSERT(!table()[deletedEntryIndex() - 1].key);
 
     unsigned nonEmptyEntryCount = 0;
-    for (unsigned c = 1; c <= m_propertyTable->keyCount + m_propertyTable->deletedSentinelCount; ++c) {
-        UString::Rep* rep = m_propertyTable->entries()[c].key;
-        if (!rep)
+    for (unsigned c = 0; c < usedCount(); ++c) {
+        StringImpl* rep = table()[c].key;
+        if (rep == PROPERTY_MAP_DELETED_ENTRY_KEY)
             continue;
         ++nonEmptyEntryCount;
-        unsigned i = rep->computedHash();
+        unsigned i = rep->existingHash();
         unsigned k = 0;
         unsigned entryIndex;
         while (1) {
-            entryIndex = m_propertyTable->entryIndices[i & m_propertyTable->sizeMask];
-            ASSERT(entryIndex != emptyEntryIndex);
-            if (rep == m_propertyTable->entries()[entryIndex - 1].key)
+            entryIndex = m_index[i & m_indexMask];
+            ASSERT(entryIndex != PropertyTable::EmptyEntryIndex);
+            if (rep == table()[entryIndex - 1].key)
                 break;
             if (k == 0)
-                k = 1 | doubleHash(rep->computedHash());
+                k = 1 | doubleHash(rep->existingHash());
             i += k;
         }
         ASSERT(entryIndex == c + 1);
     }
 
-    ASSERT(nonEmptyEntryCount == m_propertyTable->keyCount);
+    ASSERT(nonEmptyEntryCount == m_keyCount);
+}
+
+void Structure::checkConsistency()
+{
+    if (!propertyTable())
+        return;
+
+    if (!m_hasNonEnumerableProperties) {
+        PropertyTable::iterator end = propertyTable()->end();
+        for (PropertyTable::iterator iter = propertyTable()->begin(); iter != end; ++iter) {
+            ASSERT(!(iter->attributes & DontEnum));
+        }
+    }
+
+    propertyTable()->checkConsistency();
 }
 
 #endif // DO_PROPERTYMAP_CONSTENCY_CHECK