Backed out changeset c34ec3e0884c (bug 1248163) for hazard failures
authorCarsten "Tomcat" Book <cbook@mozilla.com>
Thu, 30 Jun 2016 07:20:30 +0200
changeset 303238 633d41ede644bf0fed6ca98328168d9c8f44c1de
parent 303237 4cddfe07a253953f313966401fb8239f24b35be0
child 303239 bcf4ff0c3eef498cd853a88270c75c161e524549
child 303301 3edd30710d5e2b3f555d4b251b9ba0962eb4f25d
push id30377
push usercbook@mozilla.com
push dateThu, 30 Jun 2016 10:54:18 +0000
treeherderautoland@fc64969ac221 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
bugs1248163
milestone50.0a1
backs outc34ec3e0884c31f128cf051619e78ffd9461a1c4
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Backed out changeset c34ec3e0884c (bug 1248163) for hazard failures
js/src/jit-test/tests/ion/recover-typed-array.js
js/src/jit/BaselineIC.cpp
js/src/jit/CodeGenerator.cpp
js/src/jit/InlinableNatives.h
js/src/jit/IonBuilder.h
js/src/jit/MCallOptimize.cpp
js/src/jit/MIR.h
js/src/jit/MacroAssembler.cpp
js/src/jit/Recover.cpp
js/src/jit/VMFunctions.h
js/src/vm/ObjectGroup.cpp
js/src/vm/TypedArrayObject.cpp
js/src/vm/TypedArrayObject.h
deleted file mode 100644
--- a/js/src/jit-test/tests/ion/recover-typed-array.js
+++ /dev/null
@@ -1,13 +0,0 @@
-function f () {
-    var x = new Uint8Array(4);
-    empty();
-    assertRecoveredOnBailout(x, true);
-    var res = inIon();
-    bailout();
-    return res;
-}
-
-function empty() {
-}
-
-while(!f());
--- a/js/src/jit/BaselineIC.cpp
+++ b/js/src/jit/BaselineIC.cpp
@@ -27,17 +27,16 @@
 #endif
 #include "jit/SharedICHelpers.h"
 #include "jit/VMFunctions.h"
 #include "js/Conversions.h"
 #include "js/GCVector.h"
 #include "vm/Opcodes.h"
 #include "vm/SelfHosting.h"
 #include "vm/TypedArrayCommon.h"
-#include "vm/TypedArrayObject.h"
 
 #include "jsboolinlines.h"
 #include "jsscriptinlines.h"
 
 #include "jit/JitFrames-inl.h"
 #include "jit/MacroAssembler-inl.h"
 #include "jit/shared/Lowering-shared-inl.h"
 #include "vm/Interpreter-inl.h"
@@ -5497,22 +5496,16 @@ GetTemplateObjectForNative(JSContext* cx
             // don't end up with a template whose structure might change later.
             res.set(NewFullyAllocatedArrayForCallingAllocationSite(cx, count, TenuredObject));
             if (!res)
                 return false;
             return true;
         }
     }
 
-    if (args.length() == 1 && args[0].isInt32() && args[0].toInt32() >= 0) {
-        uint32_t len = args[0].toInt32();
-        if (TypedArrayObject::GetTemplateObjectForNative(cx, native, len, res))
-            return !!res;
-    }
-
     if (native == js::array_slice) {
         if (args.thisv().isObject()) {
             JSObject* obj = &args.thisv().toObject();
             if (!obj->isSingleton()) {
                 if (obj->group()->maybePreliminaryObjects()) {
                     *skipAttach = true;
                     return true;
                 }
--- a/js/src/jit/CodeGenerator.cpp
+++ b/js/src/jit/CodeGenerator.cpp
@@ -5441,61 +5441,44 @@ static const VMFunction NewInitObjectWit
 typedef JSObject* (*NewInitObjectFn)(JSContext*, HandleScript, jsbytecode* pc, NewObjectKind);
 static const VMFunction NewInitObjectInfo =
     FunctionInfo<NewInitObjectFn>(NewObjectOperation, "NewObjectOperation");
 
 typedef PlainObject* (*ObjectCreateWithTemplateFn)(JSContext*, HandlePlainObject);
 static const VMFunction ObjectCreateWithTemplateInfo =
     FunctionInfo<ObjectCreateWithTemplateFn>(ObjectCreateWithTemplate, "ObjectCreateWithTemplate");
 
-typedef TypedArrayObject* (*TypedArrayCreateWithTemplateFn)(JSContext*, HandleObject);
-static const VMFunction TypedArrayCreateWithTemplateInfo =
-    FunctionInfo<TypedArrayCreateWithTemplateFn>(TypedArrayCreateWithTemplate,
-                                                 "TypedArrayCreateWithTemplate");
-
-
 void
 CodeGenerator::visitNewObjectVMCall(LNewObject* lir)
 {
     Register objReg = ToRegister(lir->output());
 
     MOZ_ASSERT(!lir->isCall());
     saveLive(lir);
 
     JSObject* templateObject = lir->mir()->templateObject();
 
-    MNewObject::Mode mode_ = lir->mir()->mode();
-
-    MOZ_ASSERT_IF(mode_ != MNewObject::TypedArray && templateObject,
-                  !templateObject->is<TypedArrayObject>());
-
     // If we're making a new object with a class prototype (that is, an object
     // that derives its class from its prototype instead of being
     // PlainObject::class_'d) from self-hosted code, we need a different init
     // function.
-    switch (mode_) {
-      case MNewObject::ObjectLiteral:
+    if (lir->mir()->mode() == MNewObject::ObjectLiteral) {
         if (templateObject) {
             pushArg(ImmGCPtr(templateObject));
             callVM(NewInitObjectWithTemplateInfo, lir);
         } else {
             pushArg(Imm32(GenericObject));
             pushArg(ImmPtr(lir->mir()->resumePoint()->pc()));
             pushArg(ImmGCPtr(lir->mir()->block()->info().script()));
             callVM(NewInitObjectInfo, lir);
         }
-        break;
-      case MNewObject::ObjectCreate:
+    } else {
+        MOZ_ASSERT(lir->mir()->mode() == MNewObject::ObjectCreate);
         pushArg(ImmGCPtr(templateObject));
         callVM(ObjectCreateWithTemplateInfo, lir);
-        break;
-      case MNewObject::TypedArray:
-        pushArg(ImmGCPtr(templateObject));
-        callVM(TypedArrayCreateWithTemplateInfo, lir);
-        break;
     }
 
     if (ReturnReg != objReg)
         masm.movePtr(ReturnReg, objReg);
 
     restoreLive(lir);
 }
 
--- a/js/src/jit/InlinableNatives.h
+++ b/js/src/jit/InlinableNatives.h
@@ -121,17 +121,16 @@
     _(IntrinsicIsStringIterator)    \
     _(IntrinsicIsListIterator)      \
                                     \
     _(IntrinsicGetNextMapEntryForIterator) \
                                     \
     _(IntrinsicArrayBufferByteLength) \
     _(IntrinsicPossiblyWrappedArrayBufferByteLength) \
                                     \
-    _(TypedArrayConstructor)        \
     _(IntrinsicIsTypedArray)        \
     _(IntrinsicIsPossiblyWrappedTypedArray) \
     _(IntrinsicTypedArrayLength)    \
     _(IntrinsicPossiblyWrappedTypedArrayLength)    \
     _(IntrinsicSetDisjointTypedElements) \
                                     \
     _(IntrinsicObjectIsTypedObject) \
     _(IntrinsicObjectIsTransparentTypedObject) \
--- a/js/src/jit/IonBuilder.h
+++ b/js/src/jit/IonBuilder.h
@@ -885,17 +885,16 @@ class IonBuilder
     InliningStatus inlineGetNextMapEntryForIterator(CallInfo& callInfo);
 
     // ArrayBuffer intrinsics.
     InliningStatus inlineArrayBufferByteLength(CallInfo& callInfo);
     InliningStatus inlinePossiblyWrappedArrayBufferByteLength(CallInfo& callInfo);
 
     // TypedArray intrinsics.
     enum WrappingBehavior { AllowWrappedTypedArrays, RejectWrappedTypedArrays };
-    InliningStatus inlineTypedArray(CallInfo& callInfo, Native native);
     InliningStatus inlineIsTypedArrayHelper(CallInfo& callInfo, WrappingBehavior wrappingBehavior);
     InliningStatus inlineIsTypedArray(CallInfo& callInfo);
     InliningStatus inlineIsPossiblyWrappedTypedArray(CallInfo& callInfo);
     InliningStatus inlineTypedArrayLength(CallInfo& callInfo);
     InliningStatus inlinePossiblyWrappedTypedArrayLength(CallInfo& callInfo);
     InliningStatus inlineSetDisjointTypedElements(CallInfo& callInfo);
 
     // TypedObject intrinsics and natives.
--- a/js/src/jit/MCallOptimize.cpp
+++ b/js/src/jit/MCallOptimize.cpp
@@ -1,16 +1,14 @@
 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
  * vim: set ts=8 sts=4 et sw=4 tw=99:
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-#include "mozilla/Casting.h"
-
 #include "jsmath.h"
 #include "jsobj.h"
 #include "jsstr.h"
 
 #include "builtin/AtomicsObject.h"
 #include "builtin/SIMD.h"
 #include "builtin/TestingFunctions.h"
 #include "builtin/TypedObject.h"
@@ -18,27 +16,25 @@
 #include "jit/InlinableNatives.h"
 #include "jit/IonBuilder.h"
 #include "jit/Lowering.h"
 #include "jit/MIR.h"
 #include "jit/MIRGraph.h"
 #include "vm/ArgumentsObject.h"
 #include "vm/ProxyObject.h"
 #include "vm/SelfHosting.h"
-#include "vm/TypedArrayObject.h"
 
 #include "jsscriptinlines.h"
 
 #include "jit/shared/Lowering-shared-inl.h"
 #include "vm/NativeObject-inl.h"
 #include "vm/StringObject-inl.h"
 #include "vm/UnboxedObject-inl.h"
 
 using mozilla::ArrayLength;
-using mozilla::AssertedCast;
 
 using JS::DoubleNaNValue;
 using JS::TrackedOutcome;
 using JS::TrackedStrategy;
 using JS::TrackedTypeSite;
 
 namespace js {
 namespace jit {
@@ -297,18 +293,16 @@ IonBuilder::inlineNativeCall(CallInfo& c
 
       // ArrayBuffer intrinsics.
       case InlinableNative::IntrinsicArrayBufferByteLength:
         return inlineArrayBufferByteLength(callInfo);
       case InlinableNative::IntrinsicPossiblyWrappedArrayBufferByteLength:
         return inlinePossiblyWrappedArrayBufferByteLength(callInfo);
 
       // TypedArray intrinsics.
-      case InlinableNative::TypedArrayConstructor:
-        return inlineTypedArray(callInfo, target->native());
       case InlinableNative::IntrinsicIsTypedArray:
         return inlineIsTypedArray(callInfo);
       case InlinableNative::IntrinsicIsPossiblyWrappedTypedArray:
         return inlineIsPossiblyWrappedTypedArray(callInfo);
       case InlinableNative::IntrinsicPossiblyWrappedTypedArrayLength:
         return inlinePossiblyWrappedTypedArrayLength(callInfo);
       case InlinableNative::IntrinsicTypedArrayLength:
         return inlineTypedArrayLength(callInfo);
@@ -2277,88 +2271,16 @@ IonBuilder::inlinePossiblyWrappedArrayBu
     MInstruction* ins = addArrayBufferByteLength(objArg);
     current->push(ins);
 
     callInfo.setImplicitlyUsedUnchecked();
     return InliningStatus_Inlined;
 }
 
 IonBuilder::InliningStatus
-IonBuilder::inlineTypedArray(CallInfo& callInfo, Native native)
-{
-    if (!callInfo.constructing()) {
-        trackOptimizationOutcome(TrackedOutcome::CantInlineNativeBadForm);
-        return InliningStatus_NotInlined;
-    }
-
-    if (getInlineReturnType() != MIRType::Object)
-        return InliningStatus_NotInlined;
-    if (callInfo.argc() != 1)
-        return InliningStatus_NotInlined;
-
-    MDefinition* arg = callInfo.getArg(0);
-
-    if (arg->type() != MIRType::Int32)
-        return InliningStatus_NotInlined;
-
-    if (!arg->maybeConstantValue())
-        return InliningStatus_NotInlined;
-
-    JSObject* templateObject = inspector->getTemplateObjectForNative(pc, native);
-
-    if (!templateObject) {
-        trackOptimizationOutcome(TrackedOutcome::CantInlineNativeNoTemplateObj);
-        return InliningStatus_NotInlined;
-    }
-
-    MOZ_ASSERT(templateObject->is<TypedArrayObject>());
-    TypedArrayObject* obj = &templateObject->as<TypedArrayObject>();
-
-    // Do not optimize when we see a template object with a singleton type,
-    // since it hits at most once.
-    if (templateObject->isSingleton())
-        return InliningStatus_NotInlined;
-
-    // Negative lengths must throw a RangeError.  (We don't track that this
-    // might have previously thrown, when determining whether to inline, so we
-    // have to deal with this error case when inlining.)
-    int32_t providedLen = arg->maybeConstantValue()->toInt32();
-    if (providedLen < 0)
-        return InliningStatus_NotInlined;
-
-    uint32_t len = AssertedCast<uint32_t>(providedLen);
-
-    if (obj->length() != len)
-        return InliningStatus_NotInlined;
-
-    // Large typed arrays have a separate buffer object, while small arrays
-    // have their values stored inline.
-    bool createBuffer = len > TypedArrayObject::INLINE_BUFFER_LIMIT / obj->bytesPerElement();
-
-    // Buffers are not supported yet!
-    if (createBuffer)
-        return InliningStatus_NotInlined;
-
-    callInfo.setImplicitlyUsedUnchecked();
-
-    MConstant* templateConst = MConstant::NewConstraintlessObject(alloc(), obj);
-    current->add(templateConst);
-
-    MNewObject* ins = MNewObject::New(alloc(), constraints(), templateConst,
-                                      obj->group()->initialHeap(constraints()),
-                                      MNewObject::TypedArray);
-    current->add(ins);
-    current->push(ins);
-    if (!resumeAfter(ins))
-        return InliningStatus_Error;
-
-    return InliningStatus_Inlined;
-}
-
-IonBuilder::InliningStatus
 IonBuilder::inlineIsTypedArrayHelper(CallInfo& callInfo, WrappingBehavior wrappingBehavior)
 {
     MOZ_ASSERT(!callInfo.constructing());
     MOZ_ASSERT(callInfo.argc() == 1);
 
     if (callInfo.getArg(0)->type() != MIRType::Object)
         return InliningStatus_NotInlined;
     if (getInlineReturnType() != MIRType::Boolean)
--- a/js/src/jit/MIR.h
+++ b/js/src/jit/MIR.h
@@ -3274,17 +3274,17 @@ class MNewArrayDynamicLength
     }
 };
 
 class MNewObject
   : public MUnaryInstruction,
     public NoTypePolicy::Data
 {
   public:
-    enum Mode { ObjectLiteral, ObjectCreate, TypedArray };
+    enum Mode { ObjectLiteral, ObjectCreate };
 
   private:
     gc::InitialHeap initialHeap_;
     Mode mode_;
     bool vmCall_;
 
     MNewObject(CompilerConstraintList* constraints, MConstant* templateConst,
                gc::InitialHeap initialHeap, Mode mode, bool vmCall = false)
--- a/js/src/jit/MacroAssembler.cpp
+++ b/js/src/jit/MacroAssembler.cpp
@@ -1123,57 +1123,26 @@ MacroAssembler::initGCThing(Register obj
         } else if (ntemplate->is<ArgumentsObject>()) {
             // The caller will initialize the reserved slots.
             MOZ_ASSERT(!initContents);
             MOZ_ASSERT(!ntemplate->hasPrivate());
             storePtr(ImmPtr(emptyObjectElements), Address(obj, NativeObject::offsetOfElements()));
         } else {
             // If the target type could be a TypedArray that maps shared memory
             // then this would need to store emptyObjectElementsShared in that case.
-            MOZ_ASSERT(!ntemplate->isSharedMemory());
-
+            // That cannot happen at present; TypedArray allocation is always
+            // a VM call.
             storePtr(ImmPtr(emptyObjectElements), Address(obj, NativeObject::offsetOfElements()));
 
             initGCSlots(obj, temp, ntemplate, initContents);
 
-            if (ntemplate->is<TypedArrayObject>()) {
-                TypedArrayObject* ttemplate = &ntemplate->as<TypedArrayObject>();
-                MOZ_ASSERT(ntemplate->hasPrivate());
-                MOZ_ASSERT(!ttemplate->hasBuffer());
-
-                size_t dataSlotOffset = TypedArrayObject::dataOffset();
-                size_t dataOffset = TypedArrayObject::dataOffset() + sizeof(HeapSlot);
-
-                static_assert(TypedArrayObject::FIXED_DATA_START == TypedArrayObject::DATA_SLOT + 1,
-                              "fixed inline element data assumed to begin after the data slot");
-
-                computeEffectiveAddress(Address(obj, dataOffset), temp);
-                storePtr(temp, Address(obj, dataSlotOffset));
-
-                // Initialise inline data elements to zero.
-                size_t n = ttemplate->length() * ttemplate->bytesPerElement();
-                MOZ_ASSERT(dataOffset + n <= JSObject::MAX_BYTE_SIZE);
-
-                // Write enough zero pointers into fixed data to zero every
-                // element.  (This zeroes past the end of a byte count that's
-                // not a multiple of pointer size.  That's okay, because fixed
-                // data is a count of 8-byte HeapSlots (i.e. <= pointer size),
-                // and we won't inline unless the desired memory fits in that
-                // space.)
-                static_assert(sizeof(HeapSlot) == 8, "Assumed 8 bytes alignment");
-
-                size_t numZeroPointers = ((n + 7) & ~0x7) / sizeof(char *);
-                for (size_t i = 0; i < numZeroPointers; i++)
-                    storePtr(ImmWord(0), Address(obj, dataOffset + i * sizeof(char *)));
-            } else {
-                if (ntemplate->hasPrivate()) {
-                    uint32_t nfixed = ntemplate->numFixedSlots();
-                    storePtr(ImmPtr(ntemplate->getPrivate()),
-                             Address(obj, NativeObject::getPrivateDataOffset(nfixed)));
-                }
+            if (ntemplate->hasPrivate()) {
+                uint32_t nfixed = ntemplate->numFixedSlots();
+                storePtr(ImmPtr(ntemplate->getPrivate()),
+                         Address(obj, NativeObject::getPrivateDataOffset(nfixed)));
             }
         }
     } else if (templateObj->is<InlineTypedObject>()) {
         size_t nbytes = templateObj->as<InlineTypedObject>().size();
         const uint8_t* memory = templateObj->as<InlineTypedObject>().inlineTypedMem();
 
         // Memcpy the contents of the template object to the new object.
         size_t offset = 0;
--- a/js/src/jit/Recover.cpp
+++ b/js/src/jit/Recover.cpp
@@ -1197,26 +1197,21 @@ RNewObject::RNewObject(CompactBufferRead
 bool
 RNewObject::recover(JSContext* cx, SnapshotIterator& iter) const
 {
     RootedObject templateObject(cx, &iter.read().toObject());
     RootedValue result(cx);
     JSObject* resultObject = nullptr;
 
     // See CodeGenerator::visitNewObjectVMCall
-    switch (mode_) {
-      case MNewObject::ObjectLiteral:
+    if (mode_ == MNewObject::ObjectLiteral) {
         resultObject = NewObjectOperationWithTemplate(cx, templateObject);
-        break;
-      case MNewObject::ObjectCreate:
+    } else {
+        MOZ_ASSERT(mode_ == MNewObject::ObjectCreate);
         resultObject = ObjectCreateWithTemplate(cx, templateObject.as<PlainObject>());
-        break;
-      case MNewObject::TypedArray:
-        resultObject = TypedArrayCreateWithTemplate(cx, templateObject.as<TypedArrayObject>());
-        break;
     }
 
     if (!resultObject)
         return false;
 
     result.setObject(*resultObject);
     iter.storeInstructionResult(result);
     return true;
--- a/js/src/jit/VMFunctions.h
+++ b/js/src/jit/VMFunctions.h
@@ -15,17 +15,16 @@
 #include "jit/JitFrames.h"
 
 namespace js {
 
 class DeclEnvObject;
 class StaticWithScope;
 class InlineTypedObject;
 class GeneratorObject;
-class TypedArrayObject;
 
 namespace jit {
 
 enum DataType {
     Type_Void,
     Type_Bool,
     Type_Int32,
     Type_Double,
@@ -277,17 +276,16 @@ struct VMFunction
 template <class> struct TypeToDataType { /* Unexpected return type for a VMFunction. */ };
 template <> struct TypeToDataType<bool> { static const DataType result = Type_Bool; };
 template <> struct TypeToDataType<JSObject*> { static const DataType result = Type_Object; };
 template <> struct TypeToDataType<NativeObject*> { static const DataType result = Type_Object; };
 template <> struct TypeToDataType<PlainObject*> { static const DataType result = Type_Object; };
 template <> struct TypeToDataType<InlineTypedObject*> { static const DataType result = Type_Object; };
 template <> struct TypeToDataType<DeclEnvObject*> { static const DataType result = Type_Object; };
 template <> struct TypeToDataType<ArrayObject*> { static const DataType result = Type_Object; };
-template <> struct TypeToDataType<TypedArrayObject*> { static const DataType result = Type_Object; };
 template <> struct TypeToDataType<JSString*> { static const DataType result = Type_Object; };
 template <> struct TypeToDataType<JSFlatString*> { static const DataType result = Type_Object; };
 template <> struct TypeToDataType<HandleObject> { static const DataType result = Type_Handle; };
 template <> struct TypeToDataType<HandleString> { static const DataType result = Type_Handle; };
 template <> struct TypeToDataType<HandlePropertyName> { static const DataType result = Type_Handle; };
 template <> struct TypeToDataType<HandleFunction> { static const DataType result = Type_Handle; };
 template <> struct TypeToDataType<Handle<NativeObject*> > { static const DataType result = Type_Handle; };
 template <> struct TypeToDataType<Handle<InlineTypedObject*> > { static const DataType result = Type_Handle; };
--- a/js/src/vm/ObjectGroup.cpp
+++ b/js/src/vm/ObjectGroup.cpp
@@ -200,25 +200,28 @@ ObjectGroup::useSingletonForNewObject(JS
 ObjectGroup::useSingletonForAllocationSite(JSScript* script, jsbytecode* pc, JSProtoKey key)
 {
     // The return value of this method can either be tested like a boolean or
     // passed to a NewObject method.
     JS_STATIC_ASSERT(GenericObject == 0);
 
     /*
      * Objects created outside loops in global and eval scripts should have
-     * singleton types. For now this is only done for plain objects, but not
-     * typed arrays or normal arrays.
+     * singleton types. For now this is only done for plain objects and typed
+     * arrays, but not normal arrays.
      */
 
     if (script->functionNonDelazifying() && !script->treatAsRunOnce())
         return GenericObject;
 
-    if (key != JSProto_Object)
+    if (key != JSProto_Object &&
+        !(key >= JSProto_Int8Array && key <= JSProto_Uint8ClampedArray))
+    {
         return GenericObject;
+    }
 
     // All loops in the script will have a try note indicating their boundary.
 
     if (!script->hasTrynotes())
         return SingletonObject;
 
     unsigned offset = script->pcToOffset(pc);
 
--- a/js/src/vm/TypedArrayObject.cpp
+++ b/js/src/vm/TypedArrayObject.cpp
@@ -2,17 +2,16 @@
  * vim: set ts=8 sts=4 et sw=4 tw=99:
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "vm/TypedArrayObject.h"
 
 #include "mozilla/Alignment.h"
-#include "mozilla/Casting.h"
 #include "mozilla/FloatingPoint.h"
 #include "mozilla/PodOperations.h"
 
 #include <string.h>
 #ifndef XP_WIN
 # include <sys/mman.h>
 #endif
 
@@ -27,17 +26,16 @@
 #ifdef XP_WIN
 # include "jswin.h"
 #endif
 #include "jswrapper.h"
 
 #include "builtin/TypedObjectConstants.h"
 #include "gc/Barrier.h"
 #include "gc/Marking.h"
-#include "jit/InlinableNatives.h"
 #include "js/Conversions.h"
 #include "vm/ArrayBufferObject.h"
 #include "vm/GlobalObject.h"
 #include "vm/Interpreter.h"
 #include "vm/SelfHosting.h"
 #include "vm/TypedArrayCommon.h"
 #include "vm/WrapperObject.h"
 
@@ -46,17 +44,16 @@
 #include "gc/StoreBuffer-inl.h"
 #include "vm/ArrayBufferObject-inl.h"
 #include "vm/NativeObject-inl.h"
 #include "vm/Shape-inl.h"
 
 using namespace js;
 using namespace js::gc;
 
-using mozilla::AssertedCast;
 using JS::CanonicalizeNaN;
 using JS::ToInt32;
 using JS::ToUint32;
 
 /*
  * TypedArrayObject
  *
  * The non-templated base class for the specific typed implementations.
@@ -173,27 +170,16 @@ js::ClampDoubleToUint8(const double x)
 
     return y;
 }
 
 template<typename ElementType>
 static inline JSObject*
 NewArray(JSContext* cx, uint32_t nelements);
 
-#define JS_FOR_EACH_TYPED_ARRAY(macro) \
-    macro(int8_t, Int8) \
-    macro(uint8_t, Uint8) \
-    macro(int16_t, Int16) \
-    macro(uint16_t, Uint16) \
-    macro(int32_t, Int32) \
-    macro(uint32_t, Uint32) \
-    macro(float, Float32) \
-    macro(double, Float64) \
-    macro(uint8_clamped, Uint8Clamped)
-
 namespace {
 
 // We allow nullptr for newTarget for all the creation methods, to allow for
 // JSFriendAPI functions that don't care about subclassing
 static bool
 GetPrototypeForInstance(JSContext* cx, HandleObject newTarget, MutableHandleObject proto)
 {
     if (newTarget) {
@@ -234,26 +220,21 @@ class TypedArrayObjectTemplate : public 
     static JSObject*
     createConstructor(JSContext* cx, JSProtoKey key)
     {
         Handle<GlobalObject*> global = cx->global();
         RootedFunction ctorProto(cx, GlobalObject::getOrCreateTypedArrayConstructor(cx, global));
         if (!ctorProto)
             return nullptr;
 
-        JSFunction* fun = NewFunctionWithProto(cx, class_constructor, 3,
-                                               JSFunction::NATIVE_CTOR, nullptr,
-                                               ClassName(key, cx),
-                                               ctorProto, gc::AllocKind::FUNCTION,
-                                               SingletonObject);
-
-        if (fun)
-            fun->setJitInfo(&jit::JitInfo_TypedArrayConstructor);
-
-        return fun;
+        return NewFunctionWithProto(cx, class_constructor, 3,
+                                    JSFunction::NATIVE_CTOR, nullptr,
+                                    ClassName(key, cx),
+                                    ctorProto, gc::AllocKind::FUNCTION,
+                                    SingletonObject);
     }
 
     static bool
     finishClassInit(JSContext* cx, HandleObject ctor, HandleObject proto)
     {
         RootedValue bytesValue(cx, Int32Value(BYTES_PER_ELEMENT));
         if (!DefineProperty(cx, ctor, cx->names().BYTES_PER_ELEMENT, bytesValue,
                             nullptr, nullptr, JSPROP_PERMANENT | JSPROP_READONLY) ||
@@ -452,55 +433,16 @@ class TypedArrayObjectTemplate : public 
     static TypedArrayObject*
     makeInstance(JSContext* cx, Handle<ArrayBufferObjectMaybeShared*> buffer,
                  uint32_t byteOffset, uint32_t len)
     {
         RootedObject proto(cx, nullptr);
         return makeInstance(cx, buffer, byteOffset, len, proto);
     }
 
-    static TypedArrayObject*
-    makeTemplateObject(JSContext* cx, uint32_t len, NewObjectKind newKind)
-    {
-        MOZ_ASSERT(len <= TypedArrayObject::INLINE_BUFFER_LIMIT / sizeof(NativeType));
-        gc::AllocKind allocKind = AllocKindForLazyBuffer(len * sizeof(NativeType));
-
-        AutoSetNewObjectMetadata metadata(cx);
-        MOZ_ASSERT(len * sizeof(NativeType) < TypedArrayObject::SINGLETON_BYTE_LENGTH);
-
-        const Class* clasp = instanceClass();
-        jsbytecode* pc;
-        RootedScript script(cx, cx->currentScript(&pc));
-        if (script && ObjectGroup::useSingletonForAllocationSite(script, pc, clasp))
-            newKind = SingletonObject;
-        RootedObject tmp(cx, NewBuiltinClassInstance(cx, clasp, allocKind, newKind));
-        if (!tmp)
-            return nullptr;
-        if (script && !ObjectGroup::setAllocationSiteObjectGroup(cx, script, pc, tmp,
-                                                                 newKind == SingletonObject))
-        {
-            return nullptr;
-        }
-
-        TypedArrayObject* tarray = &tmp->as<TypedArrayObject>();
-
-        void* data = tarray->fixedData(FIXED_DATA_START);
-        tarray->initPrivate(data);
-        memset(data, 0, len * sizeof(NativeType));
-
-        tarray->setFixedSlot(TypedArrayObject::BUFFER_SLOT, NullValue());
-        tarray->setFixedSlot(TypedArrayObject::LENGTH_SLOT, Int32Value(AssertedCast<int32_t>(len)));
-        tarray->setFixedSlot(TypedArrayObject::BYTEOFFSET_SLOT, Int32Value(0));
-
-        // Verify that the private slot is at the expected place.
-        MOZ_ASSERT(tarray->numFixedSlots() == TypedArrayObject::DATA_SLOT);
-
-        return tarray;
-    }
-
     /*
      * new [Type]Array(length)
      * new [Type]Array(otherTypedArray)
      * new [Type]Array(JSArray)
      * new [Type]Array(ArrayBuffer, [optional] byteOffset, [optional] length)
      */
     static bool
     class_constructor(JSContext* cx, unsigned argc, Value* vp)
@@ -781,62 +723,28 @@ class TypedArrayObjectTemplate : public 
     {
         MOZ_ASSERT(index < tarray.length());
         jit::AtomicOperations::storeSafeWhenRacy(tarray.viewDataEither().cast<NativeType*>() + index, val);
     }
 
     static Value getIndexValue(JSObject* tarray, uint32_t index);
 };
 
-#define CREATE_TYPE_FOR_TYPED_ARRAY(T, N) \
-    typedef TypedArrayObjectTemplate<T> N##Array;
-JS_FOR_EACH_TYPED_ARRAY(CREATE_TYPE_FOR_TYPED_ARRAY)
-#undef CREATE_TYPE_FOR_TYPED_ARRAY
+typedef TypedArrayObjectTemplate<int8_t> Int8Array;
+typedef TypedArrayObjectTemplate<uint8_t> Uint8Array;
+typedef TypedArrayObjectTemplate<int16_t> Int16Array;
+typedef TypedArrayObjectTemplate<uint16_t> Uint16Array;
+typedef TypedArrayObjectTemplate<int32_t> Int32Array;
+typedef TypedArrayObjectTemplate<uint32_t> Uint32Array;
+typedef TypedArrayObjectTemplate<float> Float32Array;
+typedef TypedArrayObjectTemplate<double> Float64Array;
+typedef TypedArrayObjectTemplate<uint8_clamped> Uint8ClampedArray;
 
 } /* anonymous namespace */
 
-static void
-UpdateTypedArrayAfterMove(JSObject* obj, const JSObject* old)
-{
-    MOZ_ASSERT(obj->is<TypedArrayObject>());
-    MOZ_ASSERT(old->is<TypedArrayObject>());
-    TypedArrayObject* newObj = &obj->as<TypedArrayObject>();
-    const TypedArrayObject* oldObj = &old->as<TypedArrayObject>();
-
-    // Typed arrays with a buffer or small typed arrays with a *shared* buffer object are not
-    // supported yet!
-    if (oldObj->hasBuffer())
-        return;
-
-    // Update the data slot pointer if it points to the old JSObject.
-    void* oldData = newObj->fixedData(TypedArrayObject::FIXED_DATA_START);
-    if (oldData == ((char *)oldObj) + oldObj->dataOffset()) {
-        void* newData = newObj->fixedData(TypedArrayObject::FIXED_DATA_START);
-        *(void **)((((char *)newObj) + newObj->dataOffset())) = newData;
-    }
-}
-
-TypedArrayObject*
-js::TypedArrayCreateWithTemplate(JSContext* cx, HandleObject templateObj)
-{
-    MOZ_ASSERT(templateObj->is<TypedArrayObject>());
-    TypedArrayObject* obj = &templateObj->as<TypedArrayObject>();
-    size_t len = obj->length();
-
-    switch (obj->type()) {
-#define CREATE_TYPED_ARRAY(T, N) \
-      case Scalar::N: \
-        return TypedArrayObjectTemplate<T>::makeTemplateObject(cx, len, GenericObject);
-JS_FOR_EACH_TYPED_ARRAY(CREATE_TYPED_ARRAY)
-#undef CREATE_TYPED_ARRAY
-      default:
-        MOZ_CRASH("Unsupported TypedArray type");
-    }
-}
-
 template<typename T>
 struct TypedArrayObject::OfType
 {
     typedef TypedArrayObjectTemplate<T> Type;
 };
 
 // ES 2016 draft Mar 25, 2016 24.1.1.1.
 // byteLength = count * unit
@@ -1108,32 +1016,16 @@ TypedArrayObjectTemplate<T>::fromObject(
 
 bool
 TypedArrayConstructor(JSContext* cx, unsigned argc, Value* vp)
 {
     JS_ReportError(cx, "%%TypedArray%% calling/constructing not implemented yet");
     return false;
 }
 
-/* static */ bool
-TypedArrayObject::GetTemplateObjectForNative(JSContext* cx, Native native, uint32_t len,
-                                             MutableHandleObject res)
-{
-#define CHECK_TYPED_ARRAY_CONSTRUCTOR(T, N) \
-    if (native == &TypedArrayObjectTemplate<T>::class_constructor &&  \
-            len <= TypedArrayObject::INLINE_BUFFER_LIMIT / sizeof(T)) \
-    { \
-        res.set(TypedArrayObjectTemplate<T>::makeTemplateObject(cx, len, TenuredObject)); \
-        return true; \
-    }
-JS_FOR_EACH_TYPED_ARRAY(CHECK_TYPED_ARRAY_CONSTRUCTOR)
-#undef CHECK_TYPED_ARRAY_CONSTRUCTOR
-    return false;
-}
-
 /*
  * These next 3 functions are brought to you by the buggy GCC we use to build
  * B2G ICS. Older GCC versions have a bug in which they fail to compile
  * reinterpret_casts of templated functions with the message: "insufficient
  * contextual information to determine type". JS_PSG needs to
  * reinterpret_cast<JSGetterOp>, so this causes problems for us here.
  *
  * We could restructure all this code to make this nicer, but since ICS isn't
@@ -2299,21 +2191,16 @@ static const ClassOps TypedArrayClassOps
     nullptr,                 /* mayResolve  */
     nullptr,                 /* finalize    */
     nullptr,                 /* call        */
     nullptr,                 /* hasInstance */
     nullptr,                 /* construct   */
     TypedArrayObject::trace, /* trace  */
 };
 
-static const ClassExtension TypedArrayClassExtension = {
-    nullptr,
-    UpdateTypedArrayAfterMove,
-};
-
 #define IMPL_TYPED_ARRAY_CLASS_SPEC(_type)                                     \
 {                                                                              \
     _type##Array::createConstructor,                                           \
     _type##Array::createPrototype,                                             \
     nullptr,                                                                   \
     nullptr,                                                                   \
     nullptr,                                                                   \
     nullptr,                                                                   \
@@ -2336,18 +2223,17 @@ static const ClassSpec TypedArrayObjectC
 #define IMPL_TYPED_ARRAY_CLASS(_type)                                          \
 {                                                                              \
     #_type "Array",                                                            \
     JSCLASS_HAS_RESERVED_SLOTS(TypedArrayObject::RESERVED_SLOTS) |             \
     JSCLASS_HAS_PRIVATE |                                                      \
     JSCLASS_HAS_CACHED_PROTO(JSProto_##_type##Array) |                         \
     JSCLASS_DELAY_METADATA_BUILDER,                                            \
     &TypedArrayClassOps,                                                       \
-    &TypedArrayObjectClassSpecs[Scalar::Type::_type],                          \
-    &TypedArrayClassExtension                                                  \
+    &TypedArrayObjectClassSpecs[Scalar::Type::_type]                           \
 }
 
 const Class TypedArrayObject::classes[Scalar::MaxTypedArrayViewType] = {
     IMPL_TYPED_ARRAY_CLASS(Int8),
     IMPL_TYPED_ARRAY_CLASS(Uint8),
     IMPL_TYPED_ARRAY_CLASS(Int16),
     IMPL_TYPED_ARRAY_CLASS(Uint16),
     IMPL_TYPED_ARRAY_CLASS(Int32),
--- a/js/src/vm/TypedArrayObject.h
+++ b/js/src/vm/TypedArrayObject.h
@@ -150,20 +150,16 @@ class TypedArrayObject : public NativeOb
         return lengthValue(const_cast<TypedArrayObject*>(this)).toInt32();
     }
 
     Value getElement(uint32_t index);
     static void setElement(TypedArrayObject& obj, uint32_t index, double d);
 
     void notifyBufferDetached(void* newData);
 
-    static bool
-    GetTemplateObjectForNative(JSContext* cx, Native native, uint32_t len,
-                               MutableHandleObject res);
-
     /*
      * Byte length above which created typed arrays and data views will have
      * singleton types regardless of the context in which they are created.
      */
     static const uint32_t SINGLETON_BYTE_LENGTH = 1024 * 1024 * 10;
 
     static bool isOriginalLengthGetter(Native native);
 
@@ -266,19 +262,16 @@ class TypedArrayObject : public NativeOb
 
     /* Accessors and functions */
 
     static bool is(HandleValue v);
 
     static bool set(JSContext* cx, unsigned argc, Value* vp);
 };
 
-extern TypedArrayObject*
-TypedArrayCreateWithTemplate(JSContext* cx, HandleObject templateObj);
-
 inline bool
 IsTypedArrayClass(const Class* clasp)
 {
     return &TypedArrayObject::classes[0] <= clasp &&
            clasp < &TypedArrayObject::classes[Scalar::MaxTypedArrayViewType];
 }
 
 bool