sonyoss-vita-webkit/Source/JavaScriptCore/ChangeLog-2013-04-24

2013-04-23  Filip Pizlo  <fpizlo@apple.com>

        DFG CFA filters CheckFunction in a really weird way, and assumes that the function's structure won't change
        https://bugs.webkit.org/show_bug.cgi?id=115077

        Reviewed by Oliver Hunt.
        
        The filtering did three things that are unusual:
        
        1) AbstractValue::filterByValue() assumed that the passed value's structure wouldn't change, in
           the sense that at it assumed it could use that value's *current* structure to do structure
           filtering. Filtering by structure only makes sense if you can prove that the given value will
           always have that structure (for example by either using a watchpoing or emitting code that
           checks that structure at run-time).
        
        2) AbstractValue::filterByValue() and the CheckFunction case in AbstractState::executeEffects()
           tried to invalidate the CFA based on whether the filtration led to an empty value. This is
           well-intentioned, but it's not how the CFA currently works. It's inconsistent with other
           parts of the CFA. We shouldn't introduce this feature into just one kind of filtration and
           not have it elsewhere.
        
        3) The attempt to detect when the value was empty was actually implemented incorrectly. It
           relied on AbstractValue::validate(). That method says that a concrete value does not belong
           to the abstract value if it has a different structure. This makes sense for the other place
           where AbstractValue::validate() is called: during OSR entry, where we are talking about a
           JSValue that we see *right now*. It doesn't make sense in the CFA, since in the CFA any
           value we observe in the code is a value whose structure may change when the code starts
           running, and so we cannot use the value's current structure to infer things about the code
           when it starts running.
        
        I fixed the above problems by (1) changing filterByValue() to not filter the structure, (2)
        changing filterByValue() and the CheckFunction case to not invalidate the CFA, and (3)
        making sure that nobody else was misusing AbstractValue::validate() (they weren't).

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::executeEffects):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::filterByValue):

2013-04-23  Oliver Hunt  <oliver@apple.com>

        Default ParserError() initialiser doesn't initialise all fields
        https://bugs.webkit.org/show_bug.cgi?id=115074

        Reviewed by Joseph Pecoraro.

        Only the jsc command prompt depended on this, but we'll fix it to
        be on the safe side.

        * parser/ParserError.h:
        (JSC::ParserError::ParserError):

2013-04-23  Christophe Dumez  <ch.dumez@sisa.samsung.com>

        Global constructors should be configurable and not enumerable
        https://bugs.webkit.org/show_bug.cgi?id=110573

        Reviewed by Geoffrey Garen.

        Update JSObject::deleteProperty() so that mark to set the property
        value to undefined if it is in static hashtable of properties. The
        previous code was not doing anything in this case and this meant
        we could not remove builtin DOMWindow properties such as
        "ProgressEvent" even if marked as Deletable.

        * runtime/JSObject.cpp:
        (JSC::JSObject::deleteProperty):
        * runtime/Lookup.h:
        (JSC):
        (JSC::putEntry):
        (JSC::lookupPut):

2013-04-23  Geoffrey Garen  <ggaren@apple.com>

        Filled out more cases of branch folding in bytecode when emitting
        expressions into a branching context
        https://bugs.webkit.org/show_bug.cgi?id=115057

        Reviewed by Filip Pizlo.

        This covers a few cases like:

            - while (true) { }
            - while (1) { }
            - if (x) break;
            - if (x) continue;
            - if (boolean_expr == boolean_const) { }
            - if (boolean_expr == 1_or_0) { }
            - if (bitop == 1_or_0) { }

        This also works, but will bring shame on your family:

            - while ("hello world") { }

        No change on the benchmarks we track, but a 2.5X speedup on a microbenchmark
        that uses these techniques.

        * JavaScriptCore.order: Order!

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitNewArray):
        (JSC::BytecodeGenerator::emitThrowReferenceError):
        (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::shouldEmitDebugHooks): Updated ancillary code
        for interface simplifications.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ConstantNode::emitBytecodeInConditionContext): Constants can
        jump unconditionally when used within a condition context.

        (JSC::ConstantNode::emitBytecode):
        (JSC::StringNode::jsValue): Gave constants a common base class so I
        could implement their codegen just once.

        (JSC::BinaryOpNode::emitBytecodeInConditionContext):
        (JSC::canFoldToBranch):
        (JSC::BinaryOpNode::tryFoldToBranch): Fold (!/=)= and (!/=)== where
        appropriate. A lot of cases are not appropriate because of the surprising
        type conversion semantics of ==. For example, if (number == true) { } is
        not the same as if (number) { } because the former will up-convert true
        to number and then do numeric comparison.

        (JSC::singleStatement):
        (JSC::IfElseNode::tryFoldBreakAndContinue):
        (JSC::IfElseNode::emitBytecode):
        (JSC::ContinueNode::trivialTarget):
        (JSC::BreakNode::trivialTarget): Fold "if (expression) break" and
        "if (expression) continue" into direct jumps from expression.

        * parser/ASTBuilder.h:
        (ASTBuilder):
        (JSC::ASTBuilder::createIfStatement):
        * parser/NodeConstructors.h:
        (JSC::ConstantNode::ConstantNode):
        (JSC):
        (JSC::NullNode::NullNode):
        (JSC::BooleanNode::BooleanNode):
        (JSC::NumberNode::NumberNode):
        (JSC::StringNode::StringNode):
        (JSC::IfElseNode::IfElseNode):
        * parser/Nodes.h:
        (JSC::ExpressionNode::isConstant):
        (JSC::ExpressionNode::isBoolean):
        (JSC::StatementNode::isBreak):
        (JSC::StatementNode::isContinue):
        (ConstantNode):
        (JSC::ConstantNode::isPure):
        (JSC::ConstantNode::isConstant):
        (NullNode):
        (JSC::NullNode::jsValue):
        (JSC::BooleanNode::value):
        (JSC::BooleanNode::isBoolean):
        (JSC::BooleanNode::jsValue):
        (JSC::NumberNode::value):
        (NumberNode):
        (JSC::NumberNode::jsValue):
        (StringNode):
        (BinaryOpNode):
        (IfElseNode):
        (ContinueNode):
        (JSC::ContinueNode::isContinue):
        (BreakNode):
        (JSC::BreakNode::isBreak):
        * parser/Parser.cpp:
        (JSC::::parseIfStatement):
        * parser/ResultType.h:
        (JSC::ResultType::definitelyIsBoolean):
        (ResultType):
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::pureToBoolean):
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::pureToBoolean): Updated for interface changes above.

2013-04-23  Mark Lam  <mark.lam@apple.com>

        Simplify the baseline JIT loop hint call site.
        https://bugs.webkit.org/show_bug.cgi?id=115052.

        Reviewed by Geoffrey Garen.

        Moved the watchdog timer check after the JIT optimization check. This
        ensures that the JIT opimization counter is incremented on every loop
        hint even if the watchdog timer fires.

        Removed the code that allows the JIT OSR to happen if the watchdog
        timer fires but does not result in a termination. It is extremely rare
        that the JIT optimization counter would trigger an OSR on the same pass
        as when the watchdog timer fire. If it does happen, we'll simply hold
        off on servicing the watchdog timer until the next pass (because it's
        not time critical).

        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_loop_hint):
        (JSC::JIT::emitSlow_op_loop_hint):

2013-04-23  Roger Fong  <roger_fong@apple.com>

        AppleWin build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:

2013-04-18  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: Update public header documentation
        https://bugs.webkit.org/show_bug.cgi?id=114841

        Reviewed by Geoffrey Garen.

        Added documentation for the newly added object lifetime-related stuff.

        * API/JSManagedValue.h:
        * API/JSVirtualMachine.h:

2013-04-22  Mark Lam  <mark.lam@apple.com>

        Fix a typo in MacroAssemblerARMv7.h.
        https://bugs.webkit.org/show_bug.cgi?id=115011.

        Reviewed by Geoffrey Garen.

        * assembler/ARMAssembler.h: Fix a comment.
        * assembler/ARMv7Assembler.h: Added some comments.
        * assembler/MacroAssemblerARMv7.h:
          - ARMAssembler::PL should be ARMv7Assembler::ConditionPL.

2013-04-22  Julien Brianceau  <jbrianceau@nds.com>

        Add branchAdd32 missing implementation in SH4 base JIT.
        This should fix SH4 build, broken since r148893.
        https://bugs.webkit.org/show_bug.cgi?id=114993.

        Reviewed by Oliver Hunt.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::branchAdd32):
        (MacroAssemblerSH4):

2013-04-22  Benjamin Poulain  <bpoulain@apple.com>

        Windows build fix after r148921

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:

2013-04-22  Benjamin Poulain  <benjamin@webkit.org>

        Remove the memory instrumentation code
        https://bugs.webkit.org/show_bug.cgi?id=114931

        Reviewed by Andreas Kling.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:

2013-04-22  Mark Lam  <mark.lam@apple.com>

        Fix broken 32-bit build to green the bots.
        https://bugs.webkit.org/show_bug.cgi?id=114968.

        Unreviewed.

        Basically, I moved a JIT::emit_op_loop_hint() and JIT::emitSlow_op_loop_hint()
        into common code where they belong, instead of the 64-bit specific section.

        Also fixed some SH4 assertions failures which were also caused by
        https://bugs.webkit.org/show_bug.cgi?id=114963. Thanks to Julien Brianceau
        for pointing this out.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::branchAdd32):
        * jit/JITOpcodes.cpp:
        (JSC):
        (JSC::JIT::emit_op_loop_hint):
        (JSC::JIT::emitSlow_op_loop_hint):

2013-04-22  Oliver Hunt  <oliver@apple.com>

        Perform null check before trying to use the result of readline()

        RS=Gavin

        * jsc.cpp:
        (runInteractive):

2013-04-22  Oliver Hunt  <oliver@apple.com>

        Fix assertions to account for new Vector layout

        RS=Gavin

        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):

2013-04-22  Mark Lam  <mark.lam@apple.com>

        Change baseline JIT watchdog timer check to use the proper fast slow path
        infrastructure.
        https://bugs.webkit.org/show_bug.cgi?id=114963.

        Reviewed by Oliver Hunt.

        Edit: The PositiveOrZero condition is added because it is needed for
        the JIT optimization check. Previously, the JIT check branches around
        the slow path if the test result is 'Signed' i.e. negative. Since we
        now need to test for a condition that branches to the slow path (not
        around it), we need the complement of 'Signed / Negative' i.e. Positive
        or zero.

        SH4 parts contributed by Julien Brianceau.

        * assembler/ARMAssembler.h:
        * assembler/MacroAssemblerARM.h:
        * assembler/MacroAssemblerARMv7.h:
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::branchAdd32):
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::branchAdd32):
        * assembler/MacroAssemblerX86Common.h:
        * assembler/SH4Assembler.h:
        * jit/JIT.cpp:
        (JSC::JIT::emitEnterOptimizationCheck):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        (JSC::JIT::emitEnterOptimizationCheck):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_loop_hint):
        (JSC::JIT::emitSlow_op_loop_hint):
        (JSC::JIT::emit_op_enter):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_enter):

2013-04-22  Andreas Kling  <akling@apple.com>

        Shrink baseline size of WTF::Vector on 64-bit by switching to unsigned capacity and size.
        <http://webkit.org/b/97268>
        <rdar://problem/12376519>

        Reviewed by Sam Weinig.

        Update LLInt WTF::Vector offset constants to match the new memory layout.

        * llint/LowLevelInterpreter.asm:

2013-04-21  Oliver Hunt  <oliver@apple.com>

        JS Lexer and Parser should be more informative when they encounter errors
        https://bugs.webkit.org/show_bug.cgi?id=114924

        Reviewed by Filip Pizlo.

        Add new tokens to represent the various ways that parsing and lexing have failed.
        This gives us the ability to produce better error messages in some cases,
        and to indicate whether or not the failure was due to invalid source, or simply
        early termination.

        The jsc prompt now makes use of this so that you can write functions that
        are more than one line long.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):
        * jsc.cpp:
        (stringFromUTF):
        (jscSource):
        (runInteractive):
        * parser/Lexer.cpp:
        (JSC::::parseFourDigitUnicodeHex):
        (JSC::::parseIdentifierSlowCase):
        (JSC::::parseString):
        (JSC::::parseStringSlowCase):
        (JSC::::lex):
        * parser/Lexer.h:
        (UnicodeHexValue):
        (JSC::Lexer::UnicodeHexValue::UnicodeHexValue):
        (JSC::Lexer::UnicodeHexValue::valueType):
        (JSC::Lexer::UnicodeHexValue::isValid):
        (JSC::Lexer::UnicodeHexValue::value):
        (Lexer):
        * parser/Parser.h:
        (JSC::Parser::getTokenName):
        (JSC::Parser::updateErrorMessageSpecialCase):
        (JSC::::parse):
        * parser/ParserError.h:
        (ParserError):
        (JSC::ParserError::ParserError):
        * parser/ParserTokens.h:
        * runtime/Completion.cpp:
        (JSC):
        (JSC::checkSyntax):
        * runtime/Completion.h:
        (JSC):

2013-04-21  Mark Lam  <mark.lam@apple.com>

        Refactor identical inline functions in JSVALUE64 and JSVALUE32_64 sections
        out into the common section.
        https://bugs.webkit.org/show_bug.cgi?id=114910.

        Reviewed by Filip Pizlo.

        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::callOperation):

2013-04-20  Allan Sandfeld Jensen  <allan.jensen@digia.com>

        LLint should be able to use x87 instead of SSE for floating pointer
        https://bugs.webkit.org/show_bug.cgi?id=112239

        Reviewed by Filip Pizlo.

        Implements LLInt floating point operations in x87, to ensure we support
        x86 without SSE2.

        X86 (except 64bit) now defaults to using x87 instructions in order to
        support all 32bit x86 back to i686. The implementation uses the fucomi
        instruction from i686 which sets the new minimum.

        The FPU registers must always be empty on entering or exiting a function.
        We make sure to only use two X87 registers, and they are always emptied
        before calling deeper functions or returning from the LLInt.

        * jit/JITStubs.cpp:
        (JSC): Empty FPU registers before exiting.
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/instructions.rb:
        * offlineasm/x86.rb:

2013-04-19  Roger Fong  <roger_fong@apple.com>

        Remove uses of WebKit_Source from AppleWin build in JavaScriptCore.

        * JavaScriptCore.vcxproj/JavaScriptCore.make:
        * JavaScriptCore.vcxproj/build-generated-files.sh:
        * JavaScriptCore.vcxproj/copy-files.cmd:
        * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj:

2013-04-19  Benjamin Poulain  <bpoulain@apple.com>

        Rename JSStringJoiner::build() to join()
        https://bugs.webkit.org/show_bug.cgi?id=114845

        Reviewed by Geoffrey Garen.

        The method name build() came from StringBuilder history. It does not make much
        sense on the StringJoiner.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncToString):
        (JSC::arrayProtoFuncToLocaleString):
        (JSC::arrayProtoFuncJoin):
        * runtime/JSStringJoiner.cpp:
        (JSC::JSStringJoiner::join):
        * runtime/JSStringJoiner.h:
        (JSStringJoiner):

2013-04-19  Roger Fong  <roger_fong@apple.com>

        Unreviewed. WebKit_Source is incorrectly set.

        * JavaScriptCore.vcxproj/JavaScriptCore.make:

2013-04-19  Martin Robinson  <mrobinson@igalia.com>

        [GTK] JSCore.gir.in has a few problems
        https://bugs.webkit.org/show_bug.cgi?id=114710

        Reviewed by Philippe Normand.

        * GNUmakefile.am: Add the gobject introspection steps for JavaScriptCore here,
        because they are shared between WebKit1 and WebKit2.
        * JavaScriptCore.gir.in: Added. Moved from the WebKit1 directory. Now written
        as foreign interfaces and referencing the javascriptcoregtk library.

2013-04-18  Benjamin Poulain  <bpoulain@apple.com>

        Use StringJoiner to create the JSString of arrayProtoFuncToString
        https://bugs.webkit.org/show_bug.cgi?id=114779

        Reviewed by Geoffrey Garen.

        The function arrayProtoFuncToString was just a glorified JSStringJoiner.
        This patch replaces it by JSStringJoiner to simplify the code and enjoy any optimization
        made on JSStringJoiner.

        For some reason, this makes the execution 3.4% faster, despite having almost identical code.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncToString):

2013-04-18  Oliver Hunt  <oliver@apple.com>

        StackFrame::column() returning bogus value
        https://bugs.webkit.org/show_bug.cgi?id=114840

        Reviewed by Gavin Barraclough.

        Don't add one part of the expression offset to the other part of the expression.
        Make StackFrame::toString() include the column info.

        * interpreter/Interpreter.cpp:
        (JSC::StackFrame::expressionInfo):
        (JSC::StackFrame::toString):

2013-04-18  Mark Hahnenberg  <mhahnenberg@apple.com>

        Crash beneath JSC::JIT::privateCompileSlowCases @ stephenrdonaldson.com
        https://bugs.webkit.org/show_bug.cgi?id=114774

        Reviewed by Geoffrey Garen.

        We're not linking up all of the slow cases in the baseline JIT when compiling put_to_base.

        * jit/JITOpcodes.cpp:
        (JSC::JIT::emitSlow_op_put_to_base):

2013-04-18  Mark Lam  <mark.lam@apple.com>

        Interpreter entry points should throw the TerminatedExecutionException from the caller frame.
        https://bugs.webkit.org/show_bug.cgi?id=114816.

        Reviewed by Oliver Hunt.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):

2013-04-18  Gabor Rapcsanyi  <rgabor@webkit.org>

        LLInt ARM backend should not use the d8 register as scratch register
        https://bugs.webkit.org/show_bug.cgi?id=114811

        Reviewed by Filip Pizlo.

        The d8 register must preserved across function calls and should
        not used as scratch register. Changing it to d6.

        * offlineasm/arm.rb:

2013-04-18  Geoffrey Garen  <ggaren@apple.com>

        Removed HeapTimer::synchronize
        https://bugs.webkit.org/show_bug.cgi?id=114832

        Reviewed by Mark Hahnenberg.

        HeapTimer::synchronize was a flawed attempt to make HeapTimer thread-safe.
        Instead, we use proper locking now.

        This is a slight API change, since the GC timer will now only fire in the
        run loop that created the JS VM, even if another run loop later executes
        some JS.

        * API/APIShims.h:
        (JSC::APIEntryShimWithoutLock::APIEntryShimWithoutLock):
        * heap/HeapTimer.cpp:
        (JSC):
        * heap/HeapTimer.h:
        (HeapTimer):

2013-04-17  Geoffrey Garen  <ggaren@apple.com>

        Renamed JSGlobalData to VM
        https://bugs.webkit.org/show_bug.cgi?id=114777

        Reviewed by Phil Pizlo.

        * API/APICast.h:
        (JSC):
        (toJS):
        (toRef):
        * API/APIShims.h:
        (JSC::APIEntryShimWithoutLock::APIEntryShimWithoutLock):
        (APIEntryShimWithoutLock):
        (JSC::APIEntryShim::APIEntryShim):
        (APIEntryShim):
        (JSC::APIEntryShim::~APIEntryShim):
        (JSC::APICallbackShim::APICallbackShim):
        (JSC::APICallbackShim::~APICallbackShim):
        (APICallbackShim):
        * API/JSAPIWrapperObject.h:
        (JSAPIWrapperObject):
        * API/JSAPIWrapperObject.mm:
        (JSC::::createStructure):
        (JSC::JSAPIWrapperObject::JSAPIWrapperObject):
        (JSC::JSAPIWrapperObject::finishCreation):
        (JSC::JSAPIWrapperObject::visitChildren):
        * API/JSBase.cpp:
        (JSGarbageCollect):
        (JSReportExtraMemoryCost):
        (JSSynchronousGarbageCollectForDebugging):
        * API/JSCallbackConstructor.cpp:
        (JSC::JSCallbackConstructor::JSCallbackConstructor):
        (JSC::JSCallbackConstructor::finishCreation):
        * API/JSCallbackConstructor.h:
        (JSC::JSCallbackConstructor::createStructure):
        * API/JSCallbackFunction.cpp:
        (JSC::JSCallbackFunction::finishCreation):
        (JSC::JSCallbackFunction::create):
        * API/JSCallbackFunction.h:
        (JSCallbackFunction):
        (JSC::JSCallbackFunction::createStructure):
        * API/JSCallbackObject.cpp:
        (JSC::::create):
        (JSC::::createStructure):
        * API/JSCallbackObject.h:
        (JSC::JSCallbackObjectData::setPrivateProperty):
        (JSC::JSCallbackObjectData::JSPrivatePropertyMap::setPrivateProperty):
        (JSCallbackObject):
        (JSC::JSCallbackObject::setPrivateProperty):
        * API/JSCallbackObjectFunctions.h:
        (JSC::::JSCallbackObject):
        (JSC::::finishCreation):
        (JSC::::put):
        (JSC::::staticFunctionGetter):
        * API/JSClassRef.cpp:
        (OpaqueJSClassContextData::OpaqueJSClassContextData):
        (OpaqueJSClass::contextData):
        (OpaqueJSClass::prototype):
        * API/JSClassRef.h:
        (OpaqueJSClassContextData):
        * API/JSContext.mm:
        (-[JSContext setException:]):
        (-[JSContext initWithGlobalContextRef:]):
        (+[JSContext contextWithGlobalContextRef:]):
        * API/JSContextRef.cpp:
        (JSContextGroupCreate):
        (JSContextGroupRelease):
        (JSGlobalContextCreate):
        (JSGlobalContextCreateInGroup):
        (JSGlobalContextRetain):
        (JSGlobalContextRelease):
        (JSContextGetGroup):
        (JSContextCreateBacktrace):
        * API/JSObjectRef.cpp:
        (JSObjectMake):
        (JSObjectMakeConstructor):
        (JSObjectMakeFunction):
        (JSObjectSetPrototype):
        (JSObjectHasProperty):
        (JSObjectGetProperty):
        (JSObjectSetProperty):
        (JSObjectDeleteProperty):
        (JSObjectGetPrivateProperty):
        (JSObjectSetPrivateProperty):
        (JSObjectDeletePrivateProperty):
        (OpaqueJSPropertyNameArray::OpaqueJSPropertyNameArray):
        (OpaqueJSPropertyNameArray):
        (JSObjectCopyPropertyNames):
        (JSPropertyNameArrayRelease):
        (JSPropertyNameAccumulatorAddName):
        * API/JSScriptRef.cpp:
        (OpaqueJSScript::create):
        (OpaqueJSScript::vm):
        (OpaqueJSScript::OpaqueJSScript):
        (OpaqueJSScript):
        (parseScript):
        * API/JSVirtualMachine.mm:
        (scanExternalObjectGraph):
        * API/JSVirtualMachineInternal.h:
        (JSC):
        * API/JSWrapperMap.mm:
        (makeWrapper):
        * API/ObjCCallbackFunction.h:
        (JSC::ObjCCallbackFunction::createStructure):
        * API/ObjCCallbackFunction.mm:
        (JSC::ObjCCallbackFunction::create):
        * API/OpaqueJSString.cpp:
        (OpaqueJSString::identifier):
        * API/OpaqueJSString.h:
        (JSC):
        (OpaqueJSString):
        * GNUmakefile.list.am:
        * JSCTypedArrayStubs.h:
        (JSC):
        * JavaScriptCore.order:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * KeywordLookupGenerator.py:
        (Trie.printSubTreeAsC):
        * Target.pri:
        * assembler/ARMAssembler.cpp:
        (JSC::ARMAssembler::executableCopy):
        * assembler/ARMAssembler.h:
        (ARMAssembler):
        * assembler/AssemblerBuffer.h:
        (JSC::AssemblerBuffer::executableCopy):
        * assembler/AssemblerBufferWithConstantPool.h:
        (JSC::AssemblerBufferWithConstantPool::executableCopy):
        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::linkCode):
        * assembler/LinkBuffer.h:
        (JSC):
        (JSC::LinkBuffer::LinkBuffer):
        (LinkBuffer):
        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::executableCopy):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::executableCopy):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::executableCopy):
        (JSC::X86Assembler::X86InstructionFormatter::executableCopy):
        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::unlink):
        * bytecode/CallLinkInfo.h:
        (CallLinkInfo):
        * bytecode/CodeBlock.cpp:
        (JSC::dumpStructure):
        (JSC::CodeBlock::printStructures):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::visitStructures):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::createActivation):
        (JSC::CodeBlock::unlinkCalls):
        (JSC::CodeBlock::unlinkIncomingCalls):
        (JSC::CodeBlock::findClosureCallForReturnPC):
        (JSC::ProgramCodeBlock::jettisonImpl):
        (JSC::EvalCodeBlock::jettisonImpl):
        (JSC::FunctionCodeBlock::jettisonImpl):
        (JSC::CodeBlock::predictedMachineCodeSize):
        (JSC::CodeBlock::usesOpcode):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::appendWeakReference):
        (JSC::CodeBlock::appendWeakReferenceTransition):
        (JSC::CodeBlock::setJITCode):
        (JSC::CodeBlock::setGlobalData):
        (JSC::CodeBlock::vm):
        (JSC::CodeBlock::valueProfileForBytecodeOffset):
        (JSC::CodeBlock::addConstant):
        (JSC::CodeBlock::setConstantRegisters):
        (CodeBlock):
        (JSC::CodeBlock::WeakReferenceTransition::WeakReferenceTransition):
        * bytecode/EvalCodeCache.h:
        (JSC::EvalCodeCache::getSlow):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        (JSC::GetByIdStatus::computeForChain):
        (JSC::GetByIdStatus::computeFor):
        * bytecode/GetByIdStatus.h:
        (GetByIdStatus):
        * bytecode/Instruction.h:
        (JSC::Instruction::Instruction):
        * bytecode/ObjectAllocationProfile.h:
        (JSC::ObjectAllocationProfile::initialize):
        (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
        * bytecode/PolymorphicAccessStructureList.h:
        (JSC::PolymorphicAccessStructureList::PolymorphicStubInfo::set):
        (JSC::PolymorphicAccessStructureList::PolymorphicAccessStructureList):
        * bytecode/PolymorphicPutByIdList.h:
        (JSC::PutByIdAccess::transition):
        (JSC::PutByIdAccess::replace):
        * bytecode/PreciseJumpTargets.cpp:
        (JSC::computePreciseJumpTargets):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFromLLInt):
        (JSC::PutByIdStatus::computeFor):
        * bytecode/PutByIdStatus.h:
        (JSC):
        (PutByIdStatus):
        * bytecode/ResolveGlobalStatus.cpp:
        (JSC::computeForStructure):
        * bytecode/SamplingTool.cpp:
        (JSC::SamplingTool::notifyOfScope):
        * bytecode/SamplingTool.h:
        (JSC::ScriptSampleRecord::ScriptSampleRecord):
        (SamplingTool):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::initGetByIdSelf):
        (JSC::StructureStubInfo::initGetByIdProto):
        (JSC::StructureStubInfo::initGetByIdChain):
        (JSC::StructureStubInfo::initPutByIdTransition):
        (JSC::StructureStubInfo::initPutByIdReplace):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        (JSC::UnlinkedFunctionExecutable::link):
        (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
        (JSC::UnlinkedFunctionExecutable::codeBlockFor):
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedFunctionExecutable::create):
        (UnlinkedFunctionExecutable):
        (JSC::UnlinkedFunctionExecutable::finishCreation):
        (JSC::UnlinkedFunctionExecutable::createStructure):
        (JSC::UnlinkedCodeBlock::addRegExp):
        (JSC::UnlinkedCodeBlock::addConstant):
        (JSC::UnlinkedCodeBlock::addFunctionDecl):
        (JSC::UnlinkedCodeBlock::addFunctionExpr):
        (JSC::UnlinkedCodeBlock::vm):
        (UnlinkedCodeBlock):
        (JSC::UnlinkedCodeBlock::finishCreation):
        (JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock):
        (JSC::UnlinkedProgramCodeBlock::create):
        (JSC::UnlinkedProgramCodeBlock::addFunctionDeclaration):
        (JSC::UnlinkedProgramCodeBlock::UnlinkedProgramCodeBlock):
        (JSC::UnlinkedProgramCodeBlock::createStructure):
        (JSC::UnlinkedEvalCodeBlock::create):
        (JSC::UnlinkedEvalCodeBlock::UnlinkedEvalCodeBlock):
        (JSC::UnlinkedEvalCodeBlock::createStructure):
        (JSC::UnlinkedFunctionCodeBlock::create):
        (JSC::UnlinkedFunctionCodeBlock::UnlinkedFunctionCodeBlock):
        (JSC::UnlinkedFunctionCodeBlock::createStructure):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::addConstant):
        (JSC::BytecodeGenerator::emitLoad):
        (JSC::BytecodeGenerator::emitDirectPutById):
        (JSC::BytecodeGenerator::addStringConstant):
        (JSC::BytecodeGenerator::expectedFunctionForIdentifier):
        (JSC::BytecodeGenerator::emitThrowReferenceError):
        (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
        * bytecompiler/BytecodeGenerator.h:
        (BytecodeGenerator):
        (JSC::BytecodeGenerator::vm):
        (JSC::BytecodeGenerator::propertyNames):
        (JSC::BytecodeGenerator::makeFunction):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::RegExpNode::emitBytecode):
        (JSC::ArrayNode::toArgumentList):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        (JSC::InstanceOfNode::emitBytecode):
        * debugger/Debugger.cpp:
        (JSC::Debugger::recompileAllJSFunctions):
        (JSC::evaluateInGlobalCallFrame):
        * debugger/Debugger.h:
        (JSC):
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::DebuggerActivation):
        (JSC::DebuggerActivation::finishCreation):
        * debugger/DebuggerActivation.h:
        (JSC::DebuggerActivation::create):
        (JSC::DebuggerActivation::createStructure):
        (DebuggerActivation):
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::evaluate):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::executeEffects):
        * dfg/DFGAssemblyHelpers.h:
        (JSC::DFG::AssemblyHelpers::AssemblyHelpers):
        (JSC::DFG::AssemblyHelpers::vm):
        (JSC::DFG::AssemblyHelpers::debugCall):
        (JSC::DFG::AssemblyHelpers::emitExceptionCheck):
        (AssemblyHelpers):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ByteCodeParser):
        (ByteCodeParser):
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        * dfg/DFGByteCodeParser.h:
        (JSC):
        * dfg/DFGCCallHelpers.h:
        (JSC::DFG::CCallHelpers::CCallHelpers):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::canHandleOpcodes):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::reportToProfiler):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGDriver.h:
        (JSC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
        (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        * dfg/DFGGraph.h:
        (Graph):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::JITCompiler):
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGJITCompiler.h:
        (JSC):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOperations.cpp:
        (JSC::DFG::putByVal):
        (JSC::DFG::operationPutByValInternal):
        (JSC::getHostCallReturnValueWithExecState):
        * dfg/DFGPhase.h:
        (JSC::DFG::Phase::vm):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::generateProtoChainAccessStub):
        (JSC::DFG::tryCacheGetByID):
        (JSC::DFG::tryBuildGetByIDList):
        (JSC::DFG::tryBuildGetByIDProtoList):
        (JSC::DFG::emitPutReplaceStub):
        (JSC::DFG::emitPutTransitionStub):
        (JSC::DFG::tryCachePutByID):
        (JSC::DFG::tryBuildPutByIdList):
        (JSC::DFG::linkSlowFor):
        (JSC::DFG::dfgLinkFor):
        (JSC::DFG::dfgLinkSlowFor):
        (JSC::DFG::dfgLinkClosureCall):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::typedArrayDescriptor):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        (JSC::DFG::SpeculativeJIT::compileFromCharCode):
        (JSC::DFG::SpeculativeJIT::compileMakeRope):
        (JSC::DFG::SpeculativeJIT::compileStringEquality):
        (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
        (JSC::DFG::SpeculativeJIT::speculateObject):
        (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
        (JSC::DFG::SpeculativeJIT::speculateString):
        (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::prepareForExternalCall):
        (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage):
        (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrExitGenerationThunkGenerator):
        (JSC::DFG::throwExceptionFromCallSlowPathGenerator):
        (JSC::DFG::slowPathFor):
        (JSC::DFG::linkForThunkGenerator):
        (JSC::DFG::linkCallThunkGenerator):
        (JSC::DFG::linkConstructThunkGenerator):
        (JSC::DFG::linkClosureCallThunkGenerator):
        (JSC::DFG::virtualForThunkGenerator):
        (JSC::DFG::virtualCallThunkGenerator):
        (JSC::DFG::virtualConstructThunkGenerator):
        * dfg/DFGThunks.h:
        (JSC):
        (DFG):
        * heap/BlockAllocator.h:
        (JSC):
        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::tryAllocateSlowCase):
        (JSC::CopiedSpace::tryReallocate):
        * heap/CopiedSpaceInlines.h:
        (JSC::CopiedSpace::tryAllocate):
        * heap/GCThreadSharedData.cpp:
        (JSC::GCThreadSharedData::GCThreadSharedData):
        (JSC::GCThreadSharedData::reset):
        * heap/GCThreadSharedData.h:
        (JSC):
        (GCThreadSharedData):
        * heap/HandleSet.cpp:
        (JSC::HandleSet::HandleSet):
        (JSC::HandleSet::~HandleSet):
        (JSC::HandleSet::grow):
        * heap/HandleSet.h:
        (JSC):
        (HandleSet):
        (JSC::HandleSet::vm):
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC):
        (JSC::Heap::lastChanceToFinalize):
        (JSC::Heap::protect):
        (JSC::Heap::unprotect):
        (JSC::Heap::stack):
        (JSC::Heap::getConservativeRegisterRoots):
        (JSC::Heap::markRoots):
        (JSC::Heap::deleteAllCompiledCode):
        (JSC::Heap::collect):
        (JSC::Heap::isValidAllocation):
        * heap/Heap.h:
        (JSC):
        (Heap):
        (JSC::Heap::vm):
        * heap/HeapTimer.cpp:
        (JSC::HeapTimer::HeapTimer):
        (JSC::HeapTimer::timerDidFire):
        (JSC::HeapTimer::timerEvent):
        * heap/HeapTimer.h:
        (JSC):
        (HeapTimer):
        * heap/IncrementalSweeper.cpp:
        (JSC::IncrementalSweeper::IncrementalSweeper):
        (JSC::IncrementalSweeper::sweepNextBlock):
        (JSC::IncrementalSweeper::willFinishSweeping):
        (JSC::IncrementalSweeper::create):
        * heap/IncrementalSweeper.h:
        (IncrementalSweeper):
        * heap/Local.h:
        (Local):
        (JSC::::Local):
        (JSC::LocalStack::LocalStack):
        (JSC::LocalStack::push):
        (LocalStack):
        * heap/LocalScope.h:
        (JSC):
        (LocalScope):
        (JSC::LocalScope::LocalScope):
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::addCurrentThread):
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::allocateSlowCase):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::MarkedBlock):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::vm):
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::SlotVisitor):
        (JSC::SlotVisitor::setup):
        * heap/Strong.h:
        (JSC):
        (Strong):
        (JSC::Strong::operator=):
        * heap/StrongInlines.h:
        (JSC::::Strong):
        (JSC::::set):
        * heap/SuperRegion.h:
        (JSC):
        * heap/WeakSet.cpp:
        * heap/WeakSet.h:
        (WeakSet):
        (JSC::WeakSet::WeakSet):
        (JSC::WeakSet::vm):
        * interpreter/AbstractPC.cpp:
        (JSC::AbstractPC::AbstractPC):
        * interpreter/AbstractPC.h:
        (JSC):
        (AbstractPC):
        * interpreter/CachedCall.h:
        (JSC::CachedCall::CachedCall):
        * interpreter/CallFrame.h:
        (ExecState):
        (JSC::ExecState::clearException):
        (JSC::ExecState::clearSupplementaryExceptionInfo):
        (JSC::ExecState::exception):
        (JSC::ExecState::hadException):
        (JSC::ExecState::propertyNames):
        (JSC::ExecState::emptyList):
        (JSC::ExecState::interpreter):
        (JSC::ExecState::heap):
        (JSC::ExecState::arrayConstructorTable):
        (JSC::ExecState::arrayPrototypeTable):
        (JSC::ExecState::booleanPrototypeTable):
        (JSC::ExecState::dateTable):
        (JSC::ExecState::dateConstructorTable):
        (JSC::ExecState::errorPrototypeTable):
        (JSC::ExecState::globalObjectTable):
        (JSC::ExecState::jsonTable):
        (JSC::ExecState::mathTable):
        (JSC::ExecState::numberConstructorTable):
        (JSC::ExecState::numberPrototypeTable):
        (JSC::ExecState::objectConstructorTable):
        (JSC::ExecState::privateNamePrototypeTable):
        (JSC::ExecState::regExpTable):
        (JSC::ExecState::regExpConstructorTable):
        (JSC::ExecState::regExpPrototypeTable):
        (JSC::ExecState::stringConstructorTable):
        (JSC::ExecState::abstractReturnPC):
        * interpreter/CallFrameClosure.h:
        (CallFrameClosure):
        * interpreter/Interpreter.cpp:
        (JSC):
        (JSC::eval):
        (JSC::loadVarargs):
        (JSC::Interpreter::Interpreter):
        (JSC::Interpreter::dumpRegisters):
        (JSC::Interpreter::unwindCallFrame):
        (JSC::appendSourceToError):
        (JSC::getCallerInfo):
        (JSC::Interpreter::getStackTrace):
        (JSC::Interpreter::addStackTraceIfNecessary):
        (JSC::Interpreter::throwException):
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall):
        (JSC::Interpreter::retrieveArgumentsFromVMCode):
        (JSC::Interpreter::retrieveCallerFromVMCode):
        * interpreter/Interpreter.h:
        (JSC):
        (JSC::TopCallFrameSetter::TopCallFrameSetter):
        (JSC::TopCallFrameSetter::~TopCallFrameSetter):
        (TopCallFrameSetter):
        (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
        (Interpreter):
        * interpreter/JSStack.cpp:
        (JSC::JSStack::JSStack):
        * interpreter/JSStack.h:
        (JSC):
        * jit/ClosureCallStubRoutine.cpp:
        (JSC::ClosureCallStubRoutine::ClosureCallStubRoutine):
        * jit/ClosureCallStubRoutine.h:
        (ClosureCallStubRoutine):
        * jit/ExecutableAllocator.cpp:
        (JSC::ExecutableAllocator::ExecutableAllocator):
        (JSC::ExecutableAllocator::allocate):
        * jit/ExecutableAllocator.h:
        (JSC):
        (ExecutableAllocator):
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::ExecutableAllocator::ExecutableAllocator):
        (JSC::ExecutableAllocator::allocate):
        * jit/GCAwareJITStubRoutine.cpp:
        (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
        (JSC::MarkingGCAwareJITStubRoutineWithOneObject::MarkingGCAwareJITStubRoutineWithOneObject):
        (JSC::createJITStubRoutine):
        * jit/GCAwareJITStubRoutine.h:
        (GCAwareJITStubRoutine):
        (MarkingGCAwareJITStubRoutineWithOneObject):
        (JSC):
        * jit/JIT.cpp:
        (JSC::JIT::JIT):
        (JSC::JIT::privateCompile):
        (JSC::JIT::linkFor):
        (JSC::JIT::linkSlowCall):
        * jit/JIT.h:
        (JSC::JIT::compile):
        (JSC::JIT::compileClosureCall):
        (JSC::JIT::compileGetByIdProto):
        (JSC::JIT::compileGetByIdSelfList):
        (JSC::JIT::compileGetByIdProtoList):
        (JSC::JIT::compileGetByIdChainList):
        (JSC::JIT::compileGetByIdChain):
        (JSC::JIT::compilePutByIdTransition):
        (JSC::JIT::compileGetByVal):
        (JSC::JIT::compilePutByVal):
        (JSC::JIT::compileCTINativeCall):
        (JSC::JIT::compilePatchGetArrayLength):
        (JIT):
        * jit/JITCall.cpp:
        (JSC::JIT::compileLoadVarargs):
        (JSC::JIT::compileCallEvalSlowCase):
        (JSC::JIT::compileOpCallSlowCase):
        (JSC::JIT::privateCompileClosureCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileLoadVarargs):
        (JSC::JIT::compileCallEvalSlowCase):
        (JSC::JIT::compileOpCallSlowCase):
        (JSC::JIT::privateCompileClosureCall):
        * jit/JITCode.h:
        (JSC):
        (JSC::JITCode::execute):
        * jit/JITDriver.h:
        (JSC::jitCompileIfAppropriate):
        (JSC::jitCompileFunctionIfAppropriate):
        * jit/JITExceptions.cpp:
        (JSC::genericThrow):
        (JSC::jitThrow):
        * jit/JITExceptions.h:
        (JSC):
        * jit/JITInlines.h:
        (JSC::JIT::emitLoadCharacterString):
        (JSC::JIT::updateTopCallFrame):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        (JSC::JIT::emit_op_new_object):
        (JSC::JIT::emit_op_to_primitive):
        (JSC::JIT::emit_op_catch):
        (JSC::JIT::emit_op_convert_this):
        (JSC::JIT::emitSlow_op_convert_this):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        (JSC::JIT::emit_op_new_object):
        (JSC::JIT::emit_op_to_primitive):
        (JSC::JIT::emitSlow_op_eq):
        (JSC::JIT::emitSlow_op_neq):
        (JSC::JIT::compileOpStrictEq):
        (JSC::JIT::emit_op_catch):
        (JSC::JIT::emit_op_convert_this):
        (JSC::JIT::emitSlow_op_convert_this):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::compileGetByIdHotPath):
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::privateCompilePatchGetArrayLength):
        (JSC::JIT::privateCompileGetByIdProto):
        (JSC::JIT::privateCompileGetByIdSelfList):
        (JSC::JIT::privateCompileGetByIdProtoList):
        (JSC::JIT::privateCompileGetByIdChainList):
        (JSC::JIT::privateCompileGetByIdChain):
        (JSC::JIT::privateCompileGetByVal):
        (JSC::JIT::privateCompilePutByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::compileGetByIdHotPath):
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::privateCompilePatchGetArrayLength):
        (JSC::JIT::privateCompileGetByIdProto):
        (JSC::JIT::privateCompileGetByIdSelfList):
        (JSC::JIT::privateCompileGetByIdProtoList):
        (JSC::JIT::privateCompileGetByIdChainList):
        (JSC::JIT::privateCompileGetByIdChain):
        * jit/JITStubs.cpp:
        (JSC::ctiTrampoline):
        (JSC):
        (JSC::performPlatformSpecificJITAssertions):
        (JSC::tryCachePutByID):
        (JSC::tryCacheGetByID):
        (JSC::returnToThrowTrampoline):
        (JSC::throwExceptionFromOpCall):
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC::getPolymorphicAccessStructureListSlot):
        (JSC::jitCompileFor):
        (JSC::lazyLinkFor):
        (JSC::putByVal):
        * jit/JITStubs.h:
        (JSC):
        (JITStackFrame):
        * jit/JITThunks.cpp:
        (JSC::JITThunks::ctiNativeCall):
        (JSC::JITThunks::ctiNativeConstruct):
        (JSC::JITThunks::ctiStub):
        (JSC::JITThunks::hostFunctionStub):
        * jit/JITThunks.h:
        (JSC):
        (JITThunks):
        * jit/JITWriteBarrier.h:
        (JSC):
        (JSC::JITWriteBarrierBase::set):
        (JSC::JITWriteBarrier::set):
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::loadJSStringArgument):
        (JSC::SpecializedThunkJIT::finalize):
        * jit/ThunkGenerator.h:
        (JSC):
        * jit/ThunkGenerators.cpp:
        (JSC::generateSlowCaseFor):
        (JSC::linkForGenerator):
        (JSC::linkCallGenerator):
        (JSC::linkConstructGenerator):
        (JSC::linkClosureCallGenerator):
        (JSC::virtualForGenerator):
        (JSC::virtualCallGenerator):
        (JSC::virtualConstructGenerator):
        (JSC::stringLengthTrampolineGenerator):
        (JSC::nativeForGenerator):
        (JSC::nativeCallGenerator):
        (JSC::nativeConstructGenerator):
        (JSC::stringCharLoad):
        (JSC::charToString):
        (JSC::charCodeAtThunkGenerator):
        (JSC::charAtThunkGenerator):
        (JSC::fromCharCodeThunkGenerator):
        (JSC::sqrtThunkGenerator):
        (JSC::floorThunkGenerator):
        (JSC::ceilThunkGenerator):
        (JSC::roundThunkGenerator):
        (JSC::expThunkGenerator):
        (JSC::logThunkGenerator):
        (JSC::absThunkGenerator):
        (JSC::powThunkGenerator):
        * jit/ThunkGenerators.h:
        (JSC):
        * jsc.cpp:
        (GlobalObject):
        (GlobalObject::create):
        (GlobalObject::createStructure):
        (GlobalObject::finishCreation):
        (GlobalObject::addFunction):
        (GlobalObject::addConstructableFunction):
        (functionDumpCallFrame):
        (functionJSCStack):
        (functionReleaseExecutableMemory):
        (functionRun):
        (main):
        (runWithScripts):
        (jscmain):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LLIntData.h:
        (JSC):
        (Data):
        (JSC::LLInt::Data::performAssertions):
        * llint/LLIntEntrypoints.cpp:
        (JSC::LLInt::getFunctionEntrypoint):
        (JSC::LLInt::getEvalEntrypoint):
        (JSC::LLInt::getProgramEntrypoint):
        * llint/LLIntEntrypoints.h:
        (JSC):
        (LLInt):
        (JSC::LLInt::getEntrypoint):
        * llint/LLIntExceptions.cpp:
        (JSC::LLInt::interpreterThrowInCaller):
        (JSC::LLInt::returnToThrow):
        (JSC::LLInt::callToThrow):
        * llint/LLIntOffsetsExtractor.cpp:
        * llint/LLIntSlowPaths.cpp:
        (LLInt):
        (JSC::LLInt::llint_trace_operand):
        (JSC::LLInt::llint_trace_value):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::shouldJIT):
        (JSC::LLInt::handleHostCall):
        (JSC::LLInt::setUpCall):
        * llint/LLIntThunks.cpp:
        (JSC::LLInt::generateThunkWithJumpTo):
        (JSC::LLInt::functionForCallEntryThunkGenerator):
        (JSC::LLInt::functionForConstructEntryThunkGenerator):
        (JSC::LLInt::functionForCallArityCheckThunkGenerator):
        (JSC::LLInt::functionForConstructArityCheckThunkGenerator):
        (JSC::LLInt::evalEntryThunkGenerator):
        (JSC::LLInt::programEntryThunkGenerator):
        * llint/LLIntThunks.h:
        (JSC):
        (LLInt):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter.cpp:
        (JSC::CLoop::execute):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/cloop.rb:
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::ASTBuilder):
        (JSC::ASTBuilder::createSourceElements):
        (JSC::ASTBuilder::createCommaExpr):
        (JSC::ASTBuilder::createLogicalNot):
        (JSC::ASTBuilder::createUnaryPlus):
        (JSC::ASTBuilder::createVoid):
        (JSC::ASTBuilder::thisExpr):
        (JSC::ASTBuilder::createResolve):
        (JSC::ASTBuilder::createObjectLiteral):
        (JSC::ASTBuilder::createArray):
        (JSC::ASTBuilder::createNumberExpr):
        (JSC::ASTBuilder::createString):
        (JSC::ASTBuilder::createBoolean):
        (JSC::ASTBuilder::createNull):
        (JSC::ASTBuilder::createBracketAccess):
        (JSC::ASTBuilder::createDotAccess):
        (JSC::ASTBuilder::createRegExp):
        (JSC::ASTBuilder::createNewExpr):
        (JSC::ASTBuilder::createConditionalExpr):
        (JSC::ASTBuilder::createAssignResolve):
        (JSC::ASTBuilder::createFunctionExpr):
        (JSC::ASTBuilder::createFunctionBody):
        (JSC::ASTBuilder::createGetterOrSetterProperty):
        (JSC::ASTBuilder::createArguments):
        (JSC::ASTBuilder::createArgumentsList):
        (JSC::ASTBuilder::createProperty):
        (JSC::ASTBuilder::createPropertyList):
        (JSC::ASTBuilder::createElementList):
        (JSC::ASTBuilder::createFormalParameterList):
        (JSC::ASTBuilder::createClause):
        (JSC::ASTBuilder::createClauseList):
        (JSC::ASTBuilder::createFuncDeclStatement):
        (JSC::ASTBuilder::createBlockStatement):
        (JSC::ASTBuilder::createExprStatement):
        (JSC::ASTBuilder::createIfStatement):
        (JSC::ASTBuilder::createForLoop):
        (JSC::ASTBuilder::createForInLoop):
        (JSC::ASTBuilder::createEmptyStatement):
        (JSC::ASTBuilder::createVarStatement):
        (JSC::ASTBuilder::createReturnStatement):
        (JSC::ASTBuilder::createBreakStatement):
        (JSC::ASTBuilder::createContinueStatement):
        (JSC::ASTBuilder::createTryStatement):
        (JSC::ASTBuilder::createSwitchStatement):
        (JSC::ASTBuilder::createWhileStatement):
        (JSC::ASTBuilder::createDoWhileStatement):
        (JSC::ASTBuilder::createLabelStatement):
        (JSC::ASTBuilder::createWithStatement):
        (JSC::ASTBuilder::createThrowStatement):
        (JSC::ASTBuilder::createDebugger):
        (JSC::ASTBuilder::createConstStatement):
        (JSC::ASTBuilder::appendConstDecl):
        (JSC::ASTBuilder::addVar):
        (JSC::ASTBuilder::combineCommaNodes):
        (JSC::ASTBuilder::Scope::Scope):
        (JSC::ASTBuilder::createNumber):
        (ASTBuilder):
        (JSC::ASTBuilder::makeTypeOfNode):
        (JSC::ASTBuilder::makeDeleteNode):
        (JSC::ASTBuilder::makeNegateNode):
        (JSC::ASTBuilder::makeBitwiseNotNode):
        (JSC::ASTBuilder::makeMultNode):
        (JSC::ASTBuilder::makeDivNode):
        (JSC::ASTBuilder::makeModNode):
        (JSC::ASTBuilder::makeAddNode):
        (JSC::ASTBuilder::makeSubNode):
        (JSC::ASTBuilder::makeLeftShiftNode):
        (JSC::ASTBuilder::makeRightShiftNode):
        (JSC::ASTBuilder::makeURightShiftNode):
        (JSC::ASTBuilder::makeBitOrNode):
        (JSC::ASTBuilder::makeBitAndNode):
        (JSC::ASTBuilder::makeBitXOrNode):
        (JSC::ASTBuilder::makeFunctionCallNode):
        (JSC::ASTBuilder::makeBinaryNode):
        (JSC::ASTBuilder::makeAssignNode):
        (JSC::ASTBuilder::makePrefixNode):
        (JSC::ASTBuilder::makePostfixNode):
        * parser/Lexer.cpp:
        (JSC::Keywords::Keywords):
        (JSC::::Lexer):
        (JSC::::parseIdentifier):
        (JSC::::parseIdentifierSlowCase):
        * parser/Lexer.h:
        (JSC::Keywords::isKeyword):
        (JSC::Keywords::getKeyword):
        (Keywords):
        (Lexer):
        (JSC::::makeIdentifier):
        (JSC::::makeRightSizedIdentifier):
        (JSC::::makeIdentifierLCharFromUChar):
        (JSC::::makeLCharIdentifier):
        * parser/NodeConstructors.h:
        (JSC::ParserArenaFreeable::operator new):
        (JSC::ParserArenaDeletable::operator new):
        (JSC::ParserArenaRefCounted::ParserArenaRefCounted):
        (JSC::PropertyNode::PropertyNode):
        (JSC::ContinueNode::ContinueNode):
        (JSC::BreakNode::BreakNode):
        (JSC::ForInNode::ForInNode):
        * parser/Nodes.cpp:
        (JSC::ScopeNode::ScopeNode):
        (JSC::ProgramNode::ProgramNode):
        (JSC::ProgramNode::create):
        (JSC::EvalNode::EvalNode):
        (JSC::EvalNode::create):
        (JSC::FunctionBodyNode::FunctionBodyNode):
        (JSC::FunctionBodyNode::create):
        * parser/Nodes.h:
        (ParserArenaFreeable):
        (ParserArenaDeletable):
        (ParserArenaRefCounted):
        (ArrayNode):
        (ForInNode):
        (ContinueNode):
        (BreakNode):
        (ScopeNode):
        (ProgramNode):
        (EvalNode):
        (FunctionBodyNode):
        * parser/Parser.cpp:
        (JSC::::Parser):
        (JSC::::parseInner):
        (JSC::::parseSourceElements):
        (JSC::::parseTryStatement):
        (JSC::::parseFunctionBody):
        (JSC::::parseFunctionInfo):
        (JSC::::parseAssignmentExpression):
        (JSC::::parseProperty):
        (JSC::::parsePrimaryExpression):
        (JSC::::parseMemberExpression):
        (JSC::::parseUnaryExpression):
        * parser/Parser.h:
        (JSC):
        (JSC::Scope::Scope):
        (JSC::Scope::declareVariable):
        (JSC::Scope::declareParameter):
        (Scope):
        (Parser):
        (JSC::Parser::pushScope):
        (JSC::::parse):
        (JSC::parse):
        * parser/ParserArena.h:
        (IdentifierArena):
        (JSC::IdentifierArena::makeIdentifier):
        (JSC::IdentifierArena::makeIdentifierLCharFromUChar):
        (JSC::IdentifierArena::makeNumericIdentifier):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::SyntaxChecker):
        (JSC::SyntaxChecker::createProperty):
        (JSC::SyntaxChecker::createGetterOrSetterProperty):
        * profiler/LegacyProfiler.cpp:
        (JSC::LegacyProfiler::startProfiling):
        (JSC::LegacyProfiler::stopProfiling):
        * profiler/LegacyProfiler.h:
        (JSC):
        * profiler/ProfilerBytecode.cpp:
        (JSC::Profiler::Bytecode::toJS):
        * profiler/ProfilerBytecodeSequence.cpp:
        (JSC::Profiler::BytecodeSequence::BytecodeSequence):
        (JSC::Profiler::BytecodeSequence::addSequenceProperties):
        * profiler/ProfilerBytecodes.cpp:
        (JSC::Profiler::Bytecodes::toJS):
        * profiler/ProfilerCompilation.cpp:
        (JSC::Profiler::Compilation::toJS):
        * profiler/ProfilerCompiledBytecode.cpp:
        (JSC::Profiler::CompiledBytecode::toJS):
        * profiler/ProfilerDatabase.cpp:
        (JSC::Profiler::Database::Database):
        (JSC::Profiler::Database::toJS):
        (JSC::Profiler::Database::toJSON):
        * profiler/ProfilerDatabase.h:
        (Database):
        * profiler/ProfilerOSRExit.cpp:
        (JSC::Profiler::OSRExit::toJS):
        * profiler/ProfilerOrigin.cpp:
        (JSC::Profiler::Origin::toJS):
        * profiler/ProfilerProfiledBytecodes.cpp:
        (JSC::Profiler::ProfiledBytecodes::toJS):
        * runtime/ArgList.h:
        (MarkedArgumentBuffer):
        * runtime/Arguments.cpp:
        (JSC::Arguments::putByIndex):
        (JSC::Arguments::put):
        (JSC::Arguments::deleteProperty):
        (JSC::Arguments::defineOwnProperty):
        (JSC::Arguments::tearOff):
        (JSC::Arguments::didTearOffActivation):
        (JSC::Arguments::tearOffForInlineCallFrame):
        * runtime/Arguments.h:
        (JSC::Arguments::create):
        (JSC::Arguments::createStructure):
        (Arguments):
        (JSC::Arguments::Arguments):
        (JSC::Arguments::trySetArgument):
        (JSC::Arguments::finishCreation):
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::finishCreation):
        * runtime/ArrayConstructor.h:
        (JSC::ArrayConstructor::createStructure):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::ArrayPrototype):
        (JSC::ArrayPrototype::finishCreation):
        (JSC::arrayProtoFuncSort):
        (JSC::arrayProtoFuncSplice):
        * runtime/ArrayPrototype.h:
        (JSC::ArrayPrototype::createStructure):
        * runtime/BatchedTransitionOptimizer.h:
        (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
        (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer):
        (BatchedTransitionOptimizer):
        * runtime/BooleanConstructor.cpp:
        (JSC::BooleanConstructor::finishCreation):
        (JSC::constructBoolean):
        (JSC::constructBooleanFromImmediateBoolean):
        * runtime/BooleanConstructor.h:
        (JSC::BooleanConstructor::createStructure):
        * runtime/BooleanObject.cpp:
        (JSC::BooleanObject::BooleanObject):
        (JSC::BooleanObject::finishCreation):
        * runtime/BooleanObject.h:
        (BooleanObject):
        (JSC::BooleanObject::create):
        (JSC::BooleanObject::createStructure):
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::BooleanPrototype):
        (JSC::BooleanPrototype::finishCreation):
        (JSC::booleanProtoFuncToString):
        * runtime/BooleanPrototype.h:
        (JSC::BooleanPrototype::createStructure):
        * runtime/Butterfly.h:
        (JSC):
        (Butterfly):
        * runtime/ButterflyInlines.h:
        (JSC::Butterfly::createUninitialized):
        (JSC::Butterfly::create):
        (JSC::Butterfly::growPropertyStorage):
        (JSC::Butterfly::createOrGrowArrayRight):
        (JSC::Butterfly::growArrayRight):
        (JSC::Butterfly::resizeArray):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getCodeBlock):
        (JSC::CodeCache::getProgramCodeBlock):
        (JSC::CodeCache::getEvalCodeBlock):
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
        * runtime/CodeCache.h:
        (JSC):
        (JSC::SourceCodeValue::SourceCodeValue):
        (CodeCache):
        * runtime/CommonIdentifiers.cpp:
        (JSC):
        (JSC::CommonIdentifiers::CommonIdentifiers):
        * runtime/CommonIdentifiers.h:
        (CommonIdentifiers):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::opIn):
        * runtime/Completion.cpp:
        (JSC::checkSyntax):
        (JSC::evaluate):
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::finishCreation):
        * runtime/DateConstructor.h:
        (JSC::DateConstructor::createStructure):
        * runtime/DateInstance.cpp:
        (JSC::DateInstance::DateInstance):
        (JSC::DateInstance::finishCreation):
        (JSC::DateInstance::calculateGregorianDateTime):
        (JSC::DateInstance::calculateGregorianDateTimeUTC):
        * runtime/DateInstance.h:
        (DateInstance):
        (JSC::DateInstance::create):
        (JSC::DateInstance::createStructure):
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::finishCreation):
        (JSC::dateProtoFuncSetTime):
        (JSC::setNewValueFromTimeArgs):
        (JSC::setNewValueFromDateArgs):
        (JSC::dateProtoFuncSetYear):
        (JSC::dateProtoFuncToJSON):
        * runtime/DatePrototype.h:
        (JSC::DatePrototype::createStructure):
        * runtime/Error.cpp:
        (JSC::createError):
        (JSC::createEvalError):
        (JSC::createRangeError):
        (JSC::createReferenceError):
        (JSC::createSyntaxError):
        (JSC::createTypeError):
        (JSC::createURIError):
        (JSC::addErrorInfo):
        (JSC::throwError):
        * runtime/Error.h:
        (JSC):
        (JSC::StrictModeTypeErrorFunction::create):
        (JSC::StrictModeTypeErrorFunction::createStructure):
        * runtime/ErrorConstructor.cpp:
        (JSC::ErrorConstructor::finishCreation):
        * runtime/ErrorConstructor.h:
        (JSC::ErrorConstructor::createStructure):
        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::ErrorInstance):
        * runtime/ErrorInstance.h:
        (JSC::ErrorInstance::createStructure):
        (JSC::ErrorInstance::create):
        (ErrorInstance):
        (JSC::ErrorInstance::finishCreation):
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::ErrorPrototype):
        (JSC::ErrorPrototype::finishCreation):
        * runtime/ErrorPrototype.h:
        (JSC::ErrorPrototype::createStructure):
        * runtime/ExceptionHelpers.cpp:
        (JSC::createInterruptedExecutionException):
        (JSC::createTerminatedExecutionException):
        * runtime/ExceptionHelpers.h:
        (JSC):
        (JSC::InterruptedExecutionError::InterruptedExecutionError):
        (JSC::InterruptedExecutionError::create):
        (JSC::InterruptedExecutionError::createStructure):
        (JSC::TerminatedExecutionError::TerminatedExecutionError):
        (JSC::TerminatedExecutionError::create):
        (JSC::TerminatedExecutionError::createStructure):
        * runtime/Executable.cpp:
        (JSC::jettisonCodeBlock):
        (JSC::EvalExecutable::EvalExecutable):
        (JSC::ProgramExecutable::ProgramExecutable):
        (JSC::FunctionExecutable::FunctionExecutable):
        (JSC::EvalExecutable::compileOptimized):
        (JSC::EvalExecutable::compileInternal):
        (JSC::EvalExecutable::jettisonOptimizedCode):
        (JSC::ProgramExecutable::checkSyntax):
        (JSC::ProgramExecutable::compileOptimized):
        (JSC::ProgramExecutable::jettisonOptimizedCode):
        (JSC::ProgramExecutable::initializeGlobalProperties):
        (JSC::FunctionExecutable::compileOptimizedForCall):
        (JSC::FunctionExecutable::compileOptimizedForConstruct):
        (JSC::FunctionExecutable::produceCodeBlockFor):
        (JSC::FunctionExecutable::jettisonOptimizedCodeForCall):
        (JSC::FunctionExecutable::jettisonOptimizedCodeForConstruct):
        (JSC::FunctionExecutable::fromGlobalCode):
        * runtime/Executable.h:
        (JSC::ExecutableBase::ExecutableBase):
        (JSC::ExecutableBase::finishCreation):
        (JSC::ExecutableBase::createStructure):
        (JSC::NativeExecutable::create):
        (JSC::NativeExecutable::createStructure):
        (JSC::NativeExecutable::finishCreation):
        (JSC::NativeExecutable::NativeExecutable):
        (JSC::ScriptExecutable::ScriptExecutable):
        (JSC::ScriptExecutable::finishCreation):
        (JSC::EvalExecutable::compile):
        (EvalExecutable):
        (JSC::EvalExecutable::create):
        (JSC::EvalExecutable::createStructure):
        (JSC::ProgramExecutable::create):
        (ProgramExecutable):
        (JSC::ProgramExecutable::compile):
        (JSC::ProgramExecutable::createStructure):
        (JSC::FunctionExecutable::create):
        (JSC::FunctionExecutable::compileForCall):
        (FunctionExecutable):
        (JSC::FunctionExecutable::compileForConstruct):
        (JSC::FunctionExecutable::jettisonOptimizedCodeFor):
        (JSC::FunctionExecutable::createStructure):
        (JSC::JSFunction::JSFunction):
        * runtime/ExecutionHarness.h:
        (JSC::prepareForExecution):
        (JSC::prepareFunctionForExecution):
        * runtime/FunctionConstructor.cpp:
        (JSC::FunctionConstructor::finishCreation):
        * runtime/FunctionConstructor.h:
        (JSC::FunctionConstructor::createStructure):
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::finishCreation):
        (JSC::FunctionPrototype::addFunctionProperties):
        (JSC::functionProtoFuncBind):
        * runtime/FunctionPrototype.h:
        (JSC::FunctionPrototype::createStructure):
        * runtime/GCActivityCallback.cpp:
        (JSC::DefaultGCActivityCallback::DefaultGCActivityCallback):
        (JSC::DefaultGCActivityCallback::doWork):
        (JSC::DefaultGCActivityCallback::didAllocate):
        * runtime/GCActivityCallback.h:
        (JSC::GCActivityCallback::GCActivityCallback):
        * runtime/GCActivityCallbackBlackBerry.cpp:
        (JSC::DefaultGCActivityCallback::DefaultGCActivityCallback):
        (JSC::DefaultGCActivityCallback::doWork):
        (JSC::DefaultGCActivityCallback::didAllocate):
        * runtime/GetterSetter.h:
        (JSC::GetterSetter::GetterSetter):
        (JSC::GetterSetter::create):
        (JSC::GetterSetter::setGetter):
        (JSC::GetterSetter::setSetter):
        (JSC::GetterSetter::createStructure):
        * runtime/Identifier.cpp:
        (JSC::Identifier::add):
        (JSC::Identifier::add8):
        (JSC::Identifier::addSlowCase):
        (JSC::Identifier::from):
        (JSC::Identifier::checkCurrentIdentifierTable):
        * runtime/Identifier.h:
        (JSC::Identifier::Identifier):
        (JSC::Identifier::createLCharFromUChar):
        (Identifier):
        (JSC::Identifier::add):
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::InternalFunction):
        (JSC::InternalFunction::finishCreation):
        (JSC::InternalFunction::name):
        (JSC::InternalFunction::displayName):
        * runtime/InternalFunction.h:
        (JSC::InternalFunction::createStructure):
        (InternalFunction):
        * runtime/JSAPIValueWrapper.h:
        (JSC::JSAPIValueWrapper::createStructure):
        (JSC::JSAPIValueWrapper::finishCreation):
        (JSC::JSAPIValueWrapper::JSAPIValueWrapper):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::symbolTablePut):
        (JSC::JSActivation::symbolTablePutWithAttributes):
        (JSC::JSActivation::getOwnPropertySlot):
        (JSC::JSActivation::put):
        (JSC::JSActivation::putDirectVirtual):
        (JSC::JSActivation::argumentsGetter):
        * runtime/JSActivation.h:
        (JSActivation):
        (JSC::JSActivation::create):
        (JSC::JSActivation::createStructure):
        (JSC::JSActivation::JSActivation):
        (JSC::JSActivation::tearOff):
        * runtime/JSArray.cpp:
        (JSC::createArrayButterflyInDictionaryIndexingMode):
        (JSC::JSArray::setLengthWritable):
        (JSC::JSArray::unshiftCountSlowCase):
        (JSC::JSArray::setLength):
        (JSC::JSArray::push):
        (JSC::JSArray::shiftCountWithAnyIndexingType):
        (JSC::JSArray::unshiftCountWithArrayStorage):
        (JSC::JSArray::unshiftCountWithAnyIndexingType):
        (JSC::ContiguousTypeAccessor::setWithValue):
        (JSC::JSArray::sortCompactedVector):
        (JSC::JSArray::sortVector):
        * runtime/JSArray.h:
        (JSC::JSArray::JSArray):
        (JSArray):
        (JSC::JSArray::shiftCountForShift):
        (JSC::JSArray::unshiftCountForShift):
        (JSC::JSArray::createStructure):
        (JSC::createContiguousArrayButterfly):
        (JSC::createArrayButterfly):
        (JSC):
        (JSC::JSArray::create):
        (JSC::JSArray::tryCreateUninitialized):
        (JSC::constructArray):
        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::create):
        (JSC::JSBoundFunction::JSBoundFunction):
        * runtime/JSBoundFunction.h:
        (JSC::JSBoundFunction::createStructure):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::putToPrimitive):
        (JSC::JSValue::toStringSlowCase):
        * runtime/JSCJSValue.h:
        (JSC):
        * runtime/JSCell.h:
        (JSCell):
        * runtime/JSCellInlines.h:
        (JSC::JSCell::JSCell):
        (JSC::JSCell::finishCreation):
        (JSC::allocateCell):
        (JSC::JSCell::setStructure):
        (JSC::JSCell::fastGetOwnProperty):
        * runtime/JSDateMath.cpp:
        (JSC::getDSTOffset):
        (JSC::getUTCOffset):
        (JSC::parseDate):
        * runtime/JSDestructibleObject.h:
        (JSC::JSDestructibleObject::JSDestructibleObject):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::create):
        (JSC::JSFunction::JSFunction):
        (JSC::JSFunction::finishCreation):
        (JSC::JSFunction::createAllocationProfile):
        (JSC::JSFunction::name):
        (JSC::JSFunction::displayName):
        (JSC::JSFunction::getOwnPropertySlot):
        (JSC::JSFunction::deleteProperty):
        * runtime/JSFunction.h:
        (JSFunction):
        (JSC::JSFunction::create):
        (JSC::JSFunction::setScope):
        (JSC::JSFunction::createStructure):
        * runtime/JSGlobalData.cpp: Removed.
        * runtime/JSGlobalData.h: Removed.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject):
        (JSC::JSGlobalObject::~JSGlobalObject):
        (JSC::JSGlobalObject::setGlobalThis):
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::putDirectVirtual):
        (JSC::JSGlobalObject::reset):
        (JSC):
        (JSC::JSGlobalObject::haveABadTime):
        (JSC::JSGlobalObject::createThrowTypeError):
        (JSC::JSGlobalObject::resetPrototype):
        (JSC::JSGlobalObject::addStaticGlobals):
        (JSC::DynamicGlobalObjectScope::DynamicGlobalObjectScope):
        (JSC::JSGlobalObject::createProgramCodeBlock):
        (JSC::JSGlobalObject::createEvalCodeBlock):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::create):
        (JSGlobalObject):
        (JSC::JSGlobalObject::finishCreation):
        (JSC::JSGlobalObject::vm):
        (JSC::JSGlobalObject::createStructure):
        (JSC::ExecState::dynamicGlobalObject):
        (JSC::constructEmptyArray):
        (DynamicGlobalObjectScope):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncProtoSetter):
        * runtime/JSLock.cpp:
        (JSC::JSLockHolder::JSLockHolder):
        (JSC::JSLockHolder::init):
        (JSC::JSLockHolder::~JSLockHolder):
        (JSC::JSLock::JSLock):
        (JSC::JSLock::willDestroyGlobalData):
        (JSC::JSLock::lock):
        (JSC::JSLock::unlock):
        (JSC::JSLock::DropAllLocks::DropAllLocks):
        (JSC::JSLock::DropAllLocks::~DropAllLocks):
        * runtime/JSLock.h:
        (JSC):
        (JSLockHolder):
        (JSLock):
        (JSC::JSLock::vm):
        (DropAllLocks):
        * runtime/JSNameScope.h:
        (JSC::JSNameScope::createStructure):
        (JSC::JSNameScope::finishCreation):
        (JSC::JSNameScope::JSNameScope):
        * runtime/JSNotAnObject.h:
        (JSC::JSNotAnObject::JSNotAnObject):
        (JSC::JSNotAnObject::create):
        (JSC::JSNotAnObject::createStructure):
        * runtime/JSONObject.cpp:
        (JSC::JSONObject::JSONObject):
        (JSC::JSONObject::finishCreation):
        (Holder):
        (JSC::Stringifier::Stringifier):
        (JSC::Stringifier::stringify):
        (JSC::Stringifier::toJSON):
        (JSC::Stringifier::appendStringifiedValue):
        (JSC::Stringifier::Holder::Holder):
        (JSC::Stringifier::Holder::appendNextProperty):
        (JSC::Walker::Walker):
        (JSC::Walker::walk):
        (JSC::JSONProtoFuncParse):
        (JSC::JSONProtoFuncStringify):
        (JSC::JSONStringify):
        * runtime/JSONObject.h:
        (JSC::JSONObject::createStructure):
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        (JSC::JSObject::putByIndex):
        (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
        (JSC::JSObject::enterDictionaryIndexingMode):
        (JSC::JSObject::notifyPresenceOfIndexedAccessors):
        (JSC::JSObject::createInitialIndexedStorage):
        (JSC::JSObject::createInitialUndecided):
        (JSC::JSObject::createInitialInt32):
        (JSC::JSObject::createInitialDouble):
        (JSC::JSObject::createInitialContiguous):
        (JSC::JSObject::createArrayStorage):
        (JSC::JSObject::createInitialArrayStorage):
        (JSC::JSObject::convertUndecidedToInt32):
        (JSC::JSObject::convertUndecidedToDouble):
        (JSC::JSObject::convertUndecidedToContiguous):
        (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
        (JSC::JSObject::convertUndecidedToArrayStorage):
        (JSC::JSObject::convertInt32ToDouble):
        (JSC::JSObject::convertInt32ToContiguous):
        (JSC::JSObject::convertInt32ToArrayStorage):
        (JSC::JSObject::genericConvertDoubleToContiguous):
        (JSC::JSObject::convertDoubleToContiguous):
        (JSC::JSObject::rageConvertDoubleToContiguous):
        (JSC::JSObject::convertDoubleToArrayStorage):
        (JSC::JSObject::convertContiguousToArrayStorage):
        (JSC::JSObject::convertUndecidedForValue):
        (JSC::JSObject::convertInt32ForValue):
        (JSC::JSObject::setIndexQuicklyToUndecided):
        (JSC::JSObject::convertInt32ToDoubleOrContiguousWhilePerformingSetIndex):
        (JSC::JSObject::convertDoubleToContiguousWhilePerformingSetIndex):
        (JSC::JSObject::ensureInt32Slow):
        (JSC::JSObject::ensureDoubleSlow):
        (JSC::JSObject::ensureContiguousSlow):
        (JSC::JSObject::rageEnsureContiguousSlow):
        (JSC::JSObject::ensureArrayStorageSlow):
        (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
        (JSC::JSObject::switchToSlowPutArrayStorage):
        (JSC::JSObject::putDirectVirtual):
        (JSC::JSObject::setPrototype):
        (JSC::JSObject::setPrototypeWithCycleCheck):
        (JSC::JSObject::putDirectAccessor):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::getPropertySpecificValue):
        (JSC::JSObject::getOwnNonIndexPropertyNames):
        (JSC::JSObject::seal):
        (JSC::JSObject::freeze):
        (JSC::JSObject::preventExtensions):
        (JSC::JSObject::reifyStaticFunctionsForDelete):
        (JSC::JSObject::removeDirect):
        (JSC::JSObject::putIndexedDescriptor):
        (JSC::JSObject::defineOwnIndexedProperty):
        (JSC::JSObject::allocateSparseIndexMap):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
        (JSC::JSObject::putByIndexBeyondVectorLength):
        (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
        (JSC::JSObject::putDirectIndexBeyondVectorLength):
        (JSC::JSObject::putDirectNativeFunction):
        (JSC::JSObject::increaseVectorLength):
        (JSC::JSObject::ensureLengthSlow):
        (JSC::JSObject::growOutOfLineStorage):
        (JSC::JSObject::getOwnPropertyDescriptor):
        (JSC::putDescriptor):
        (JSC::JSObject::putDirectMayBeIndex):
        (JSC::DefineOwnPropertyScope::DefineOwnPropertyScope):
        (JSC::DefineOwnPropertyScope::~DefineOwnPropertyScope):
        (DefineOwnPropertyScope):
        (JSC::JSObject::defineOwnNonIndexProperty):
        * runtime/JSObject.h:
        (JSObject):
        (JSC::JSObject::putByIndexInline):
        (JSC::JSObject::putDirectIndex):
        (JSC::JSObject::setIndexQuickly):
        (JSC::JSObject::initializeIndex):
        (JSC::JSObject::getDirect):
        (JSC::JSObject::getDirectOffset):
        (JSC::JSObject::putDirect):
        (JSC::JSObject::isSealed):
        (JSC::JSObject::isFrozen):
        (JSC::JSObject::flattenDictionaryObject):
        (JSC::JSObject::ensureInt32):
        (JSC::JSObject::ensureDouble):
        (JSC::JSObject::ensureContiguous):
        (JSC::JSObject::rageEnsureContiguous):
        (JSC::JSObject::ensureArrayStorage):
        (JSC::JSObject::finishCreation):
        (JSC::JSObject::createStructure):
        (JSC::JSObject::ensureLength):
        (JSC::JSNonFinalObject::createStructure):
        (JSC::JSNonFinalObject::JSNonFinalObject):
        (JSC::JSNonFinalObject::finishCreation):
        (JSC::JSFinalObject::createStructure):
        (JSC::JSFinalObject::finishCreation):
        (JSC::JSFinalObject::JSFinalObject):
        (JSC::JSFinalObject::create):
        (JSC::JSObject::setButterfly):
        (JSC::JSObject::JSObject):
        (JSC::JSObject::inlineGetOwnPropertySlot):
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
        (JSC::JSObject::putOwnDataProperty):
        (JSC::JSObject::putDirectWithoutTransition):
        (JSC):
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::JSPropertyNameIterator):
        (JSC::JSPropertyNameIterator::create):
        * runtime/JSPropertyNameIterator.h:
        (JSC::JSPropertyNameIterator::createStructure):
        (JSC::JSPropertyNameIterator::setCachedStructure):
        (JSC::JSPropertyNameIterator::setCachedPrototypeChain):
        (JSC::JSPropertyNameIterator::finishCreation):
        (JSC::StructureRareData::setEnumerationCache):
        * runtime/JSProxy.cpp:
        (JSC::JSProxy::setTarget):
        * runtime/JSProxy.h:
        (JSC::JSProxy::create):
        (JSC::JSProxy::createStructure):
        (JSC::JSProxy::JSProxy):
        (JSC::JSProxy::finishCreation):
        (JSProxy):
        * runtime/JSScope.cpp:
        (JSC::executeResolveOperations):
        (JSC::JSScope::resolveContainingScopeInternal):
        (JSC::JSScope::resolveWithBase):
        (JSC::JSScope::resolveWithThis):
        (JSC::JSScope::resolvePut):
        * runtime/JSScope.h:
        (JSScope):
        (JSC::JSScope::JSScope):
        (JSC::JSScope::vm):
        (JSC::ExecState::vm):
        * runtime/JSSegmentedVariableObject.h:
        (JSC::JSSegmentedVariableObject::JSSegmentedVariableObject):
        (JSC::JSSegmentedVariableObject::finishCreation):
        * runtime/JSString.cpp:
        (JSC::JSRopeString::RopeBuilder::expand):
        (JSC::StringObject::create):
        * runtime/JSString.h:
        (JSC):
        (JSString):
        (JSC::JSString::JSString):
        (JSC::JSString::finishCreation):
        (JSC::JSString::create):
        (JSC::JSString::createHasOtherOwner):
        (JSC::JSString::createStructure):
        (JSRopeString):
        (JSC::JSRopeString::RopeBuilder::RopeBuilder):
        (JSC::JSRopeString::RopeBuilder::append):
        (RopeBuilder):
        (JSC::JSRopeString::JSRopeString):
        (JSC::JSRopeString::finishCreation):
        (JSC::JSRopeString::append):
        (JSC::JSRopeString::createNull):
        (JSC::JSRopeString::create):
        (JSC::jsEmptyString):
        (JSC::jsSingleCharacterString):
        (JSC::jsSingleCharacterSubstring):
        (JSC::jsNontrivialString):
        (JSC::jsString):
        (JSC::jsSubstring):
        (JSC::jsSubstring8):
        (JSC::jsOwnedString):
        (JSC::jsStringBuilder):
        (JSC::inlineJSValueNotStringtoString):
        * runtime/JSStringJoiner.cpp:
        (JSC::JSStringJoiner::build):
        * runtime/JSSymbolTableObject.h:
        (JSC::JSSymbolTableObject::JSSymbolTableObject):
        (JSC::JSSymbolTableObject::finishCreation):
        (JSC::symbolTablePut):
        (JSC::symbolTablePutWithAttributes):
        * runtime/JSVariableObject.h:
        (JSC::JSVariableObject::JSVariableObject):
        * runtime/JSWithScope.h:
        (JSC::JSWithScope::create):
        (JSC::JSWithScope::createStructure):
        (JSC::JSWithScope::JSWithScope):
        * runtime/JSWrapperObject.h:
        (JSWrapperObject):
        (JSC::JSWrapperObject::createStructure):
        (JSC::JSWrapperObject::JSWrapperObject):
        (JSC::JSWrapperObject::setInternalValue):
        * runtime/LiteralParser.cpp:
        (JSC::::tryJSONPParse):
        (JSC::::makeIdentifier):
        (JSC::::parse):
        * runtime/Lookup.cpp:
        (JSC::HashTable::createTable):
        (JSC::setUpStaticFunctionSlot):
        * runtime/Lookup.h:
        (JSC::HashTable::initializeIfNeeded):
        (JSC::HashTable::entry):
        (JSC::HashTable::begin):
        (JSC::HashTable::end):
        (HashTable):
        (JSC::lookupPut):
        * runtime/MathObject.cpp:
        (JSC::MathObject::MathObject):
        (JSC::MathObject::finishCreation):
        (JSC::mathProtoFuncSin):
        * runtime/MathObject.h:
        (JSC::MathObject::createStructure):
        * runtime/MemoryStatistics.cpp:
        * runtime/MemoryStatistics.h:
        * runtime/NameConstructor.cpp:
        (JSC::NameConstructor::finishCreation):
        (JSC::constructPrivateName):
        * runtime/NameConstructor.h:
        (JSC::NameConstructor::createStructure):
        * runtime/NameInstance.cpp:
        (JSC::NameInstance::NameInstance):
        * runtime/NameInstance.h:
        (JSC::NameInstance::createStructure):
        (JSC::NameInstance::create):
        (NameInstance):
        (JSC::NameInstance::finishCreation):
        * runtime/NamePrototype.cpp:
        (JSC::NamePrototype::NamePrototype):
        (JSC::NamePrototype::finishCreation):
        * runtime/NamePrototype.h:
        (JSC::NamePrototype::createStructure):
        * runtime/NativeErrorConstructor.h:
        (JSC::NativeErrorConstructor::createStructure):
        (JSC::NativeErrorConstructor::finishCreation):
        * runtime/NativeErrorPrototype.cpp:
        (JSC::NativeErrorPrototype::finishCreation):
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::finishCreation):
        (JSC::constructWithNumberConstructor):
        * runtime/NumberConstructor.h:
        (JSC::NumberConstructor::createStructure):
        * runtime/NumberObject.cpp:
        (JSC::NumberObject::NumberObject):
        (JSC::NumberObject::finishCreation):
        (JSC::constructNumber):
        * runtime/NumberObject.h:
        (NumberObject):
        (JSC::NumberObject::create):
        (JSC::NumberObject::createStructure):
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::NumberPrototype):
        (JSC::NumberPrototype::finishCreation):
        (JSC::integerValueToString):
        (JSC::numberProtoFuncToString):
        * runtime/NumberPrototype.h:
        (JSC::NumberPrototype::createStructure):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::finishCreation):
        (JSC::objectConstructorGetOwnPropertyDescriptor):
        (JSC::objectConstructorSeal):
        (JSC::objectConstructorFreeze):
        (JSC::objectConstructorPreventExtensions):
        (JSC::objectConstructorIsSealed):
        (JSC::objectConstructorIsFrozen):
        * runtime/ObjectConstructor.h:
        (JSC::ObjectConstructor::createStructure):
        (JSC::constructEmptyObject):
        * runtime/ObjectPrototype.cpp:
        (JSC::ObjectPrototype::ObjectPrototype):
        (JSC::ObjectPrototype::finishCreation):
        (JSC::objectProtoFuncToString):
        * runtime/ObjectPrototype.h:
        (JSC::ObjectPrototype::createStructure):
        * runtime/Operations.cpp:
        (JSC::jsTypeStringForValue):
        * runtime/Operations.h:
        (JSC):
        (JSC::jsString):
        (JSC::jsStringFromArguments):
        (JSC::normalizePrototypeChainForChainAccess):
        (JSC::normalizePrototypeChain):
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyMapEntry::PropertyMapEntry):
        (JSC::PropertyTable::createStructure):
        (PropertyTable):
        (JSC::PropertyTable::copy):
        * runtime/PropertyNameArray.h:
        (JSC::PropertyNameArray::PropertyNameArray):
        (JSC::PropertyNameArray::vm):
        (JSC::PropertyNameArray::addKnownUnique):
        (PropertyNameArray):
        * runtime/PropertyTable.cpp:
        (JSC::PropertyTable::create):
        (JSC::PropertyTable::clone):
        (JSC::PropertyTable::PropertyTable):
        * runtime/PrototypeMap.cpp:
        (JSC::PrototypeMap::emptyObjectStructureForPrototype):
        * runtime/RegExp.cpp:
        (JSC::RegExp::RegExp):
        (JSC::RegExp::finishCreation):
        (JSC::RegExp::createWithoutCaching):
        (JSC::RegExp::create):
        (JSC::RegExp::compile):
        (JSC::RegExp::compileIfNecessary):
        (JSC::RegExp::match):
        (JSC::RegExp::compileMatchOnly):
        (JSC::RegExp::compileIfNecessaryMatchOnly):
        * runtime/RegExp.h:
        (JSC):
        (RegExp):
        (JSC::RegExp::createStructure):
        * runtime/RegExpCache.cpp:
        (JSC::RegExpCache::lookupOrCreate):
        (JSC::RegExpCache::RegExpCache):
        (JSC::RegExpCache::addToStrongCache):
        * runtime/RegExpCache.h:
        (RegExpCache):
        * runtime/RegExpCachedResult.cpp:
        (JSC::RegExpCachedResult::lastResult):
        (JSC::RegExpCachedResult::setInput):
        * runtime/RegExpCachedResult.h:
        (JSC::RegExpCachedResult::RegExpCachedResult):
        (JSC::RegExpCachedResult::record):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::RegExpConstructor):
        (JSC::RegExpConstructor::finishCreation):
        (JSC::constructRegExp):
        * runtime/RegExpConstructor.h:
        (JSC::RegExpConstructor::createStructure):
        (RegExpConstructor):
        (JSC::RegExpConstructor::performMatch):
        * runtime/RegExpMatchesArray.cpp:
        (JSC::RegExpMatchesArray::RegExpMatchesArray):
        (JSC::RegExpMatchesArray::create):
        (JSC::RegExpMatchesArray::finishCreation):
        (JSC::RegExpMatchesArray::reifyAllProperties):
        * runtime/RegExpMatchesArray.h:
        (RegExpMatchesArray):
        (JSC::RegExpMatchesArray::createStructure):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::RegExpObject):
        (JSC::RegExpObject::finishCreation):
        (JSC::RegExpObject::match):
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::create):
        (JSC::RegExpObject::setRegExp):
        (JSC::RegExpObject::setLastIndex):
        (JSC::RegExpObject::createStructure):
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncCompile):
        * runtime/RegExpPrototype.h:
        (JSC::RegExpPrototype::createStructure):
        * runtime/SmallStrings.cpp:
        (JSC::SmallStrings::initializeCommonStrings):
        (JSC::SmallStrings::createEmptyString):
        (JSC::SmallStrings::createSingleCharacterString):
        (JSC::SmallStrings::initialize):
        * runtime/SmallStrings.h:
        (JSC):
        (JSC::SmallStrings::singleCharacterString):
        (SmallStrings):
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayValueMap::SparseArrayValueMap):
        (JSC::SparseArrayValueMap::finishCreation):
        (JSC::SparseArrayValueMap::create):
        (JSC::SparseArrayValueMap::createStructure):
        (JSC::SparseArrayValueMap::putDirect):
        (JSC::SparseArrayEntry::put):
        * runtime/SparseArrayValueMap.h:
        * runtime/StrictEvalActivation.cpp:
        (JSC::StrictEvalActivation::StrictEvalActivation):
        * runtime/StrictEvalActivation.h:
        (JSC::StrictEvalActivation::create):
        (JSC::StrictEvalActivation::createStructure):
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::finishCreation):
        * runtime/StringConstructor.h:
        (JSC::StringConstructor::createStructure):
        * runtime/StringObject.cpp:
        (JSC::StringObject::StringObject):
        (JSC::StringObject::finishCreation):
        (JSC::constructString):
        * runtime/StringObject.h:
        (JSC::StringObject::create):
        (JSC::StringObject::createStructure):
        (StringObject):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::StringPrototype):
        (JSC::StringPrototype::finishCreation):
        (JSC::removeUsingRegExpSearch):
        (JSC::replaceUsingRegExpSearch):
        (JSC::stringProtoFuncMatch):
        (JSC::stringProtoFuncSearch):
        (JSC::stringProtoFuncSplit):
        * runtime/StringPrototype.h:
        (JSC::StringPrototype::createStructure):
        * runtime/StringRecursionChecker.h:
        (JSC::StringRecursionChecker::performCheck):
        (JSC::StringRecursionChecker::~StringRecursionChecker):
        * runtime/Structure.cpp:
        (JSC::StructureTransitionTable::add):
        (JSC::Structure::Structure):
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::despecifyDictionaryFunction):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::removePropertyTransition):
        (JSC::Structure::changePrototypeTransition):
        (JSC::Structure::despecifyFunctionTransition):
        (JSC::Structure::attributeChangeTransition):
        (JSC::Structure::toDictionaryTransition):
        (JSC::Structure::toCacheableDictionaryTransition):
        (JSC::Structure::toUncacheableDictionaryTransition):
        (JSC::Structure::sealTransition):
        (JSC::Structure::freezeTransition):
        (JSC::Structure::preventExtensionsTransition):
        (JSC::Structure::takePropertyTableOrCloneIfPinned):
        (JSC::Structure::nonPropertyTransition):
        (JSC::Structure::isSealed):
        (JSC::Structure::isFrozen):
        (JSC::Structure::flattenDictionaryStructure):
        (JSC::Structure::addPropertyWithoutTransition):
        (JSC::Structure::removePropertyWithoutTransition):
        (JSC::Structure::allocateRareData):
        (JSC::Structure::cloneRareDataFrom):
        (JSC::Structure::copyPropertyTable):
        (JSC::Structure::copyPropertyTableForPinning):
        (JSC::Structure::get):
        (JSC::Structure::despecifyFunction):
        (JSC::Structure::despecifyAllFunctions):
        (JSC::Structure::putSpecificValue):
        (JSC::Structure::createPropertyMap):
        (JSC::Structure::getPropertyNamesFromStructure):
        (JSC::Structure::prototypeChainMayInterceptStoreTo):
        * runtime/Structure.h:
        (Structure):
        (JSC::Structure::finishCreation):
        (JSC::Structure::setPrototypeWithoutTransition):
        (JSC::Structure::setGlobalObject):
        (JSC::Structure::setObjectToStringValue):
        (JSC::Structure::materializePropertyMapIfNecessary):
        (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
        (JSC::Structure::setPreviousID):
        * runtime/StructureChain.cpp:
        (JSC::StructureChain::StructureChain):
        * runtime/StructureChain.h:
        (JSC::StructureChain::create):
        (JSC::StructureChain::createStructure):
        (JSC::StructureChain::finishCreation):
        (StructureChain):
        * runtime/StructureInlines.h:
        (JSC::Structure::create):
        (JSC::Structure::createStructure):
        (JSC::Structure::get):
        (JSC::Structure::setEnumerationCache):
        (JSC::Structure::prototypeChain):
        (JSC::Structure::propertyTable):
        * runtime/StructureRareData.cpp:
        (JSC::StructureRareData::createStructure):
        (JSC::StructureRareData::create):
        (JSC::StructureRareData::clone):
        (JSC::StructureRareData::StructureRareData):
        * runtime/StructureRareData.h:
        (StructureRareData):
        * runtime/StructureRareDataInlines.h:
        (JSC::StructureRareData::setPreviousID):
        (JSC::StructureRareData::setObjectToStringValue):
        * runtime/StructureTransitionTable.h:
        (StructureTransitionTable):
        (JSC::StructureTransitionTable::setSingleTransition):
        * runtime/SymbolTable.h:
        (JSC::SharedSymbolTable::create):
        (JSC::SharedSymbolTable::createStructure):
        (JSC::SharedSymbolTable::SharedSymbolTable):
        * runtime/VM.cpp: Copied from Source/JavaScriptCore/runtime/JSGlobalData.cpp.
        (JSC::VM::VM):
        (JSC::VM::~VM):
        (JSC::VM::createContextGroup):
        (JSC::VM::create):
        (JSC::VM::createLeaked):
        (JSC::VM::sharedInstanceExists):
        (JSC::VM::sharedInstance):
        (JSC::VM::sharedInstanceInternal):
        (JSC::VM::getHostFunction):
        (JSC::VM::ClientData::~ClientData):
        (JSC::VM::resetDateCache):
        (JSC::VM::startSampling):
        (JSC::VM::stopSampling):
        (JSC::VM::discardAllCode):
        (JSC::VM::dumpSampleData):
        (JSC::VM::addSourceProviderCache):
        (JSC::VM::clearSourceProviderCaches):
        (JSC::VM::releaseExecutableMemory):
        (JSC::releaseExecutableMemory):
        (JSC::VM::gatherConservativeRoots):
        (JSC::VM::addRegExpToTrace):
        (JSC::VM::dumpRegExpTrace):
        * runtime/VM.h: Copied from Source/JavaScriptCore/runtime/JSGlobalData.h.
        (VM):
        (JSC::VM::isSharedInstance):
        (JSC::VM::usingAPI):
        (JSC::VM::isInitializingObject):
        (JSC::VM::setInitializingObjectClass):
        (JSC::WeakSet::heap):
        * runtime/WriteBarrier.h:
        (JSC):
        (JSC::WriteBarrierBase::set):
        (JSC::WriteBarrierBase::setMayBeNull):
        (JSC::WriteBarrierBase::setEarlyValue):
        (JSC::WriteBarrier::WriteBarrier):
        * testRegExp.cpp:
        (GlobalObject):
        (GlobalObject::create):
        (GlobalObject::createStructure):
        (GlobalObject::finishCreation):
        (main):
        (testOneRegExp):
        (parseRegExpLine):
        (runFromFiles):
        (realMain):
        * yarr/YarrInterpreter.h:
        (BytecodePattern):
        * yarr/YarrJIT.cpp:
        (YarrGenerator):
        (JSC::Yarr::YarrGenerator::compile):
        (JSC::Yarr::jitCompile):
        * yarr/YarrJIT.h:
        (JSC):

2013-04-18  Xuefei Ren  <xren@blackberry.com>

        remove build warning(unused parameter)
        https://bugs.webkit.org/show_bug.cgi?id=114670

        Reviewed by Rob Buis.

        remove warning in Source/JavaScriptCore/runtime/GCActivityCallbackBlackBerry.cpp

        * runtime/GCActivityCallbackBlackBerry.cpp:
        (JSC::DefaultGCActivityCallback::didAllocate):

2013-04-18  Jonathan Liu  <net147@gmail.com>

        Implement JIT for MinGW-w64 64-bit
        https://bugs.webkit.org/show_bug.cgi?id=114580

        Reviewed by Jocelyn Turcotte.

        * jit/JITStubs.cpp:
        (JSC):

2013-04-17  Mark Lam  <mark.lam@apple.com>

        Avoid using a branch range that is too far for some CPU architectures.
        https://bugs.webkit.org/show_bug.cgi?id=114782.

        Reviewed by David Kilzer.

        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2013-04-17  Julien Brianceau  <jbrianceau@nds.com>

        Fix SH4 build (broken since r148639).
        https://bugs.webkit.org/show_bug.cgi?id=114773.

        Allow longer displacements for specific branches in SH4 LLINT.

        Reviewed by Oliver Hunt.

        * offlineasm/sh4.rb:

2013-04-14  Roger Fong  <roger_fong@apple.com>

        Unreviewed. More Windows build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:

2013-04-14  Roger Fong  <roger_fong@apple.com>

        Unreviewed. Windows build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:

2013-04-17  Mark Lam  <mark.lam@apple.com>

        Fix broken build. Replaced a static const with a #define.
        https://bugs.webkit.org/show_bug.cgi?id=114577.

        Unreviewed.

        * runtime/Watchdog.cpp:
        (JSC::Watchdog::Watchdog):
        (JSC::Watchdog::isEnabled):

2013-04-17  Mark Lam  <mark.lam@apple.com>

        Add LLINT and baseline JIT support for timing out scripts.
        https://bugs.webkit.org/show_bug.cgi?id=114577.

        Reviewed by Geoffrey Garen.

        Introduces the new Watchdog class which is used to track script
        execution time, and initiate script termination if needed.

        * API/JSContextRef.cpp:
        (internalScriptTimeoutCallback):
        (JSContextGroupSetExecutionTimeLimit):
        (JSContextGroupClearExecutionTimeLimit):
        * API/JSContextRefPrivate.h:
        - Added new script execution time limit APIs.
        * API/tests/testapi.c:
        (currentCPUTime):
        (shouldTerminateCallback):
        (cancelTerminateCallback):
        (extendTerminateCallback):
        (main):
        - Added new API tests for script execution time limit.
        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitLoopHint):
        - loop hints are needed for the llint as well. Hence, it will be
          emitted unconditionally.
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::addStackTraceIfNecessary):
        (JSC::Interpreter::throwException):
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        - Added checks for script termination before entering script code.
        * jit/JIT.cpp:
        (JSC::JIT::emitWatchdogTimerCheck):
        * jit/JIT.h:
        (JSC::JIT::emit_op_loop_hint):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION(void, handle_watchdog_timer)):
        * jit/JITStubs.h:
        * llint/LLIntExceptions.cpp:
        (JSC::LLInt::doThrow):
        - Factored out some common code from returnToThrow() and callToThrow().
        (JSC::LLInt::returnToThrow):
        (JSC::LLInt::callToThrow):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL(slow_path_handle_watchdog_timer)):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/ExceptionHelpers.cpp:
        (JSC::throwTerminatedExecutionException):
        - Also removed the now unused InterruptedExecutionException.
        * runtime/ExceptionHelpers.h:
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:
        - Added watchdog, and removed the now obsolete Terminator.
        * runtime/Terminator.h: Removed.
        * runtime/Watchdog.cpp: Added.
        (JSC::Watchdog::Watchdog):
        (JSC::Watchdog::~Watchdog):
        (JSC::Watchdog::setTimeLimit):
        (JSC::Watchdog::didFire):
        (JSC::Watchdog::isEnabled):
        (JSC::Watchdog::fire):
        (JSC::Watchdog::arm):
        (JSC::Watchdog::disarm):
        (JSC::Watchdog::startCountdownIfNeeded):
        (JSC::Watchdog::startCountdown):
        (JSC::Watchdog::stopCountdown):
        (JSC::Watchdog::Scope::Scope):
        (JSC::Watchdog::Scope::~Scope):
        * runtime/Watchdog.h: Added.
        (Watchdog):
        (JSC::Watchdog::didFire):
        (JSC::Watchdog::timerDidFireAddress):
        (JSC::Watchdog::isArmed):
        (Watchdog::Scope):
        * runtime/WatchdogMac.cpp: Added.
        (JSC::Watchdog::initTimer):
        (JSC::Watchdog::destroyTimer):
        (JSC::Watchdog::startTimer):
        (JSC::Watchdog::stopTimer):
        * runtime/WatchdogNone.cpp: Added.
        (JSC::Watchdog::initTimer):
        (JSC::Watchdog::destroyTimer):
        (JSC::Watchdog::startTimer):
        (JSC::Watchdog::stopTimer):

2013-04-14  Roger Fong  <roger_fong@apple.com>

        Unreviewed. VS2010 Windows build fix.

        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorPostBuild.cmd:

2013-04-14  Roger Fong  <roger_fong@apple.com>

        Copy make-file-export-generator script to the the Source folders of the projects that use it.
        <rdar://problem/13675604>

        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj.filters:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorBuildCmd.cmd:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/make-export-file-generator: Copied from Source/WebCore/make-export-file-generator.

2013-04-17  Brent Fulgham  <bfulgham@webkit.org>

        [Windows, WinCairo] Stop individually building WTF files in JSC.
        https://bugs.webkit.org/show_bug.cgi?id=114705

        Reviewed by Anders Carlsson.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
        Export additional String/fastMalloc symbols needed by JSC program.
        * JavaScriptCore.vcproj/jsc/jsc.vcproj: Don't manually build
        WTF implementation files (a second time!) in this project.
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
        Export additional String/fastMalloc symbols needed by JSC program.
        * JavaScriptCore.vcxproj/jsc/jsc.vcxproj: Don't manually
        build WTF implementation files (a second time!) in this project.
        * JavaScriptCore.vcxproj/jsc/jsc.vcxproj.filters: Ditto.

2013-04-17  Mark Lam  <mark.lam@apple.com>

        releaseExecutableMemory() should canonicalize cell liveness data before
        it scans the GC roots.
        https://bugs.webkit.org/show_bug.cgi?id=114733.

        Reviewed by Mark Hahnenberg.

        * heap/Heap.cpp:
        (JSC::Heap::canonicalizeCellLivenessData):
        * heap/Heap.h:
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::releaseExecutableMemory):

2013-04-16  Commit Queue  <rniwa@webkit.org>

        Unreviewed, rolling out r148576.
        http://trac.webkit.org/changeset/148576
        https://bugs.webkit.org/show_bug.cgi?id=114714

        WebCore is building some of these same files (Requested by
        bfulgham on #webkit).

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
        * JavaScriptCore.vcproj/jsc/jsc.vcproj:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
        * JavaScriptCore.vcxproj/jsc/jsc.vcxproj:
        * JavaScriptCore.vcxproj/jsc/jsc.vcxproj.filters:

2013-04-16  Brent Fulgham  <bfulgham@webkit.org>

        [Windows, WinCairo] Stop individually building WTF files in JSC.
        https://bugs.webkit.org/show_bug.cgi?id=114705

        Reviewed by Anders Carlsson.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
        Export additional String/fastMalloc symbols needed by JSC program.
        * JavaScriptCore.vcproj/jsc/jsc.vcproj: Don't manually build
        WTF implementation files (a second time!) in this project.
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
        Export additional String/fastMalloc symbols needed by JSC program.
        * JavaScriptCore.vcxproj/jsc/jsc.vcxproj: Don't manually
        build WTF implementation files (a second time!) in this project.
        * JavaScriptCore.vcxproj/jsc/jsc.vcxproj.filters: Ditto.

2013-04-16  Patrick Gansterer  <paroga@webkit.org>

        [CMake] Do not use JAVASCRIPTCORE_DIR in add_custom_command() of JavaScriptCore project
        https://bugs.webkit.org/show_bug.cgi?id=114265

        Reviewed by Brent Fulgham.

        Use CMAKE_CURRENT_SOURCE_DIR instead, since it provides the same value and is more
        understandable. Also move the GENERATE_HASH_LUT macro into the CMakeLists.txt
        of JavaScriptCore to avoid the usage of JAVASCRIPTCORE_DIR there too.

        * CMakeLists.txt:

2013-04-16  Anders Carlsson  <andersca@apple.com>

        Another Windows build fix attempt.

        * runtime/JSGlobalData.h:
        (JSGlobalData):

2013-04-16  Anders Carlsson  <andersca@apple.com>

        Try to fix the Windows build.

        * runtime/JSGlobalData.h:

2013-04-16  Brent Fulgham  <bfulgham@webkit.org>

        [Windows] Unreviewed VS2010 build correction.

        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorCommon.props:
        Specify proper link library to avoid mixture of ICU 4.0 and 4.6
        symbols during link.

2013-04-15  Ryosuke Niwa  <rniwa@webkit.org>

        Windows clean build fix after r148479.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:

2013-04-15  Anders Carlsson  <andersca@apple.com>

        ScriptWrappable subclasses shouldn't have to include WeakInlines.h
        https://bugs.webkit.org/show_bug.cgi?id=114641

        Reviewed by Alexey Proskuryakov.

        Move back the Weak constructor, destructor and clear() to Weak.h. Add a new weakClearSlowCase function
        and put it in Weak.cpp.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * heap/Weak.cpp: Added.
        * heap/Weak.h:
        * heap/WeakInlines.h:
        * heap/WeakSetInlines.h:

2013-04-15  Mark Hahnenberg  <mhahnenberg@apple.com>

        HeapTimer lifetime should be less complicated
        https://bugs.webkit.org/show_bug.cgi?id=114529

        Reviewed by Oliver Hunt.

        Right now our HeapTimer lifetime is rather complicated. HeapTimers are "owned" by the JSGlobalData, 
        but there's an issue in that there can be races between a thread that is trying to tear down a JSGlobalData 
        and the HeapTimer's fire function. Our current code for tearing down HeapTimers is an intricate and delicate 
        dance which probably contains subtle bugs.

        We can make our lives easier by changing things around a bit. 

        1) We should free the API lock from being solely owned by the JSGlobalData so we don't have to worry about 
           grabbing the lock out of invalid memory when our HeapTimer callback fires. 

        2) We should also make it so that we deref the JSGlobalData first, then unlock the API lock so that when we 
           have the lock, the JSGlobalData is in one of two states: fully valid or completely destroyed, and we know exactly which one. 

        3) The JSLock can tell us this information by keeping a back pointer to the JSGlobalData. When the JSGlobalData's 
           destructor is called, it clears this pointer in the JSLock. Other clients of the API lock can then check 
           this pointer to determine whether or not the JSGlobalData is still around.

        4) The CFRunLoopTimer will use the API lock as its context rather than the HeapTimer itself. The only way 
           the HeapTimer's callback can get to the HeapTimer is through the API lock's JSGlobalData pointer.

        5) The CFRunLoopTimerContext struct has two fields for retain and release callbacks for the context's info field. 
           We'll provide these callbacks to ref() and deref() the JSLock as necessary. Thus, the timer becomes the other 
           owner of the JSLock apart from the JSGlobalData.

        * API/APIShims.h: Remove the cruft that was required by the previous design, such as RefGlobalDataTag.
        (JSC::APIEntryShimWithoutLock::APIEntryShimWithoutLock):
        (JSC::APIEntryShimWithoutLock::~APIEntryShimWithoutLock):
        (APIEntryShimWithoutLock):
        (JSC::APIEntryShim::APIEntryShim):
        (JSC::APIEntryShim::~APIEntryShim): Protect the API lock with a RefPtr, deref the JSGlobalData, which could destroy it,
        then unlock the API lock. This ordering prevents others from obtaining the API lock while the JSGlobalData is in the 
        middle of being torn down.
        (JSC::APIEntryShim::init): We now take the lock, then ref the JSGlobalData, which is the opposite order of when we 
        tear down the shim.
        * heap/Heap.cpp:
        (JSC::Heap::setActivityCallback): Use PassOwnPtr now.
        (JSC::Heap::activityCallback): Ditto.
        (JSC::Heap::sweeper): Ditto.
        (JSC):
        * heap/Heap.h:
        (Heap):
        * heap/HeapTimer.cpp:
        (JSC::retainAPILock): Retain callback for CFRunLoopTimerContext struct.
        (JSC::releaseAPILock): Release callback for the CFRunLoopTimerContext struct.
        (JSC::HeapTimer::HeapTimer): Use the API lock as the context's info field rather than the HeapTimer.
        (JSC::HeapTimer::timerDidFire): Grab the API lock. Return early if the JSGlobalData has already been destroyed.
        Otherwise, figure out which kind of HeapTimer we are based on the CFRunLoopTimerRef passed to the callback and 
        call the HeapTimer's callback.
        * heap/HeapTimer.h:
        (HeapTimer):
        * heap/IncrementalSweeper.cpp:
        (JSC::IncrementalSweeper::create): PassOwnPtr all the things.
        * heap/IncrementalSweeper.h:
        (IncrementalSweeper):
        * jsc.cpp:
        (jscmain): We use an APIEntryShim instead of a RefPtr for the JSGlobalData because we need to 
        tear down the JSGlobalData while we still hold the lock, which the APIEntryShim handles correctly.
        * runtime/GCActivityCallback.h:
        (DefaultGCActivityCallback):
        (JSC::DefaultGCActivityCallback::create):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::~JSGlobalData): Notify the API lock that the JSGlobalData is being torn down.
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        (JSC::JSGlobalData::apiLock):
        * runtime/JSLock.cpp:
        (JSC::JSLockHolder::JSLockHolder): Ref, then lock (just like the API shim).
        (JSC):
        (JSC::JSLock::willDestroyGlobalData):
        (JSC::JSLockHolder::init):
        (JSC::JSLockHolder::~JSLockHolder): Protect, deref, then unlock (just like the API shim).
        (JSC::JSLock::JSLock):
        * runtime/JSLock.h: Add back pointer to the JSGlobalData and a callback for when the JSGlobalData is being
        torn down that clears this pointer to notify other clients (i.e. timer callbacks) that the JSGlobalData is no
        longer valid.
        (JSLockHolder):
        (JSLock):
        (JSC::JSLock::globalData):
        * testRegExp.cpp:
        (realMain): We use an APIEntryShim instead of a RefPtr for the JSGlobalData because we need to 
        tear down the JSGlobalData while we still hold the lock, which the APIEntryShim handles correctly.

2013-04-15  Julien Brianceau  <jbrianceau@nds.com>

        LLInt SH4 backend implementation
        https://bugs.webkit.org/show_bug.cgi?id=112886

        Reviewed by Oliver Hunt.

        * dfg/DFGOperations.cpp:
        (JSC):
        * jit/JITStubs.cpp:
        * llint/LLIntOfflineAsmConfig.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * offlineasm/arm.rb:
        * offlineasm/ast.rb:
        * offlineasm/backends.rb:
        * offlineasm/instructions.rb:
        * offlineasm/mips.rb:
        * offlineasm/risc.rb:
        * offlineasm/sh4.rb: Added.

2013-04-15  Patrick Gansterer  <paroga@webkit.org>

        [CMake] Add WTF_USE_*_UNICODE variables
        https://bugs.webkit.org/show_bug.cgi?id=114556

        Reviewed by Brent Fulgham.

        WTF_USE_ICU_UNICODE and WTF_USE_WCHAR_UNICODE are used to
        reduce duplication in the platform specific CMake files.

        * CMakeLists.txt:
        * PlatformEfl.cmake:

2013-04-13  Patrick Gansterer  <paroga@webkit.org>

        Add missing export macro to SymbolTableEntry::freeFatEntrySlow()

        * runtime/SymbolTable.h:
        (SymbolTableEntry):

2013-04-12  Mark Hahnenberg  <mhahnenberg@apple.com>

        Block freeing thread should call Region::destroy instead of delete
        https://bugs.webkit.org/show_bug.cgi?id=114544

        Reviewed by Oliver Hunt.

        Since Region doesn't have a virtual destructor, calling delete will not properly clean up all of 
        the state of the Region. We should call destroy() instead.

        * heap/BlockAllocator.cpp:
        (JSC::BlockAllocator::releaseFreeRegions):
        (JSC::BlockAllocator::blockFreeingThreadMain):

2013-04-11  Benjamin Poulain  <bpoulain@apple.com>

        Merge CharacterClassTable into CharacterClass
        https://bugs.webkit.org/show_bug.cgi?id=114409

        Reviewed by Darin Adler.

        CharacterClassTable is only a pointer and a boolean.
        It is a little overkill to make a separate allocation
        for that.

        * create_regex_tables:
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::matchCharacterClass):
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::CharacterClassConstructor::charClass):
        * yarr/YarrPattern.h:
        (CharacterClass):
        (JSC::Yarr::CharacterClass::CharacterClass):

2013-04-11  Michael Saboff  <msaboff@apple.com>

        Added UNLIKELY() suggested in https://bugs.webkit.org/show_bug.cgi?id=114366
        after checking in the original change. 

        Rubber-stamped by Jessie Berlin.

        * dfg/DFGOperations.cpp:

2013-04-10  Benjamin Poulain  <benjamin@webkit.org>

        Unify JSC Parser's error and error message
        https://bugs.webkit.org/show_bug.cgi?id=114363

        Reviewed by Geoffrey Garen.

        The parser kept the error state over two attributes:
        error and errorMessage. They were changed in sync,
        but had some discrepancy (for example, the error message
        was always defined to something).

        This patch unifies the two. There is an error if
        if the error message is non-null or if the parsing finished
        before the end.

        This also gets rid of the allocation of the error message
        when instantiating a parser.

        * parser/Parser.cpp:
        (JSC::::Parser):
        (JSC::::parseInner):
        (JSC::::parseSourceElements):
        (JSC::::parseVarDeclaration):
        (JSC::::parseConstDeclaration):
        (JSC::::parseForStatement):
        (JSC::::parseSwitchStatement):
        (JSC::::parsePrimaryExpression):
        * parser/Parser.h:
        (JSC::Parser::updateErrorMessage):
        (JSC::Parser::updateErrorWithNameAndMessage):
        (JSC::Parser::hasError):
        (Parser):

2013-04-10  Oliver Hunt  <oliver@apple.com>

        Set trap is not being called for API objects
        https://bugs.webkit.org/show_bug.cgi?id=114403

        Reviewed by Anders Carlsson.

        Intercept putByIndex on the callback object and add tests
        to make sure we don't regress in future.

        * API/JSCallbackObject.h:
        (JSCallbackObject):
        * API/JSCallbackObjectFunctions.h:
        (JSC::::putByIndex):
        (JSC):
        * API/tests/testapi.c:
        (PropertyCatchalls_setProperty):
        * API/tests/testapi.js:

2013-04-10  Benjamin Poulain  <bpoulain@apple.com>

        Mass remove all the empty directories

        Rubberstamped by Ryosuke Niwa.

        * qt/api: Removed.
        * qt/benchmarks/qscriptengine: Removed.
        * qt/benchmarks/qscriptvalue: Removed.
        * qt/tests/qscriptengine: Removed.
        * qt/tests/qscriptstring: Removed.
        * qt/tests/qscriptvalue: Removed.
        * qt/tests/qscriptvalueiterator: Removed.

2013-04-10  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSObject::getOwnNonIndexPropertyNames calculates numCacheableSlots incorrectly
        https://bugs.webkit.org/show_bug.cgi?id=114235

        Reviewed by Filip Pizlo.

        If the object doesn't have any properties but the prototype does, we'll assume those prototype properties are 
        accessible in the base object's backing store, which is bad.

        * runtime/JSObject.cpp:
        (JSC::JSObject::getPropertyNames):
        (JSC::JSObject::getOwnNonIndexPropertyNames):
        * runtime/PropertyNameArray.h:
        (JSC::PropertyNameArray::PropertyNameArray):
        (JSC::PropertyNameArray::setNumCacheableSlotsForObject):
        (JSC::PropertyNameArray::setBaseObject):
        (PropertyNameArray):

2013-04-10  Patrick Gansterer  <paroga@webkit.org>

        Remove code duplicates from MacroAssemblerARM
        https://bugs.webkit.org/show_bug.cgi?id=104457

        Reviewed by Oliver Hunt.

        Reuse some existing methods to avoid duplicated code.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::store8):
        (JSC::MacroAssemblerARM::store32):
        (JSC::MacroAssemblerARM::swap):
        (JSC::MacroAssemblerARM::add32):
        (JSC::MacroAssemblerARM::sub32):

2013-04-10  Michael Saboff  <msaboff@apple.com>

        DFG: Negative size for new Array() interpreted as large unsigned int
        https://bugs.webkit.org/show_bug.cgi?id=114366

        Reviewed by Oliver Hunt.

        Added new check in operationNewArrayWithSize() for a negative
        size.  If size is negative throw a "RangeError: Array size is not a
        small enough positive integer" exception.

        * dfg/DFGOperations.cpp:

2013-04-10  peavo@outlook.com  <peavo@outlook.com>

        WinCairo build fails to link.
        https://bugs.webkit.org/show_bug.cgi?id=114358

        Reviewed by Brent Fulgham.

        Export the symbol WTF::MD5::checksum().

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:

2013-04-08  Anders Carlsson  <andersca@apple.com>

        Remove unneeded headers from FrameLoader.h
        https://bugs.webkit.org/show_bug.cgi?id=114223

        Reviewed by Geoffrey Garen.

        Update for WTF changes.

        * bytecode/SpeculatedType.h:
        * runtime/JSCJSValue.h:

2013-04-09  Geoffrey Garen  <ggaren@apple.com>

        Removed bitrotted TimeoutChecker code
        https://bugs.webkit.org/show_bug.cgi?id=114336

        Reviewed by Alexey Proskuryakov.

        This mechanism hasn't worked for a while.

        MarkL is working on a new version of this feature with a distinct
        implementation.

        * API/APIShims.h:
        (JSC::APIEntryShim::~APIEntryShim):
        (JSC::APIEntryShim::init):
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * dfg/DFGGPRInfo.h:
        * jit/JIT.cpp:
        * jit/JIT.h:
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:
        * jit/JSInterfaceJIT.h:
        (JSInterfaceJIT):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::appendStringifiedValue):
        (JSC::Walker::walk):
        * runtime/TimeoutChecker.cpp: Removed.
        * runtime/TimeoutChecker.h: Removed.

2013-04-10  Oliver Hunt  <oliver@apple.com>

        REGRESSION (r148073): WebKit Nightly r148082 crashes on launch in JSObjectSetPrivate
        https://bugs.webkit.org/show_bug.cgi?id=114341

        Reviewed by Alexey Proskuryakov.

        Make JSObjectSetPrivate use uncheckedToJS as some clients
        clear their private data during finalization for some reason.

        * API/JSObjectRef.cpp:
        (JSObjectSetPrivate):

2013-04-09  Oliver Hunt  <oliver@apple.com>

        Add liveness tests to JSC API entry points
        https://bugs.webkit.org/show_bug.cgi?id=114318

        Reviewed by Geoffrey Garen.

        Add simple checks for the existence of a method table on any
        JSCells passed across the API.  This in turn forces a structure
        validity test.

        * API/APICast.h:
        (toJS):
        (toJSForGC):
        (unsafeToJS):
        * API/JSObjectRef.cpp:
        (JSObjectGetPrivate):

2013-04-09  Oliver Hunt  <oliver@apple.com>

        Rollout last patch as it destroyed everything

        * API/APICast.h:
        (toJS):
        (toJSForGC):

2013-04-09  Oliver Hunt  <oliver@apple.com>

        Add liveness tests to JSC API entry points
        https://bugs.webkit.org/show_bug.cgi?id=114318

        Reviewed by Filip Pizlo.

        Add simple checks for the existence of a method table on any
        JSCells passed across the API.  This in turn forces a structure
        validity test.

        * API/APICast.h:
        (toJS):
        (toJSForGC):

2013-04-09  Balazs Kilvady  <kilvadyb@homejinni.com>

        LLInt conditional branch compilation fault on MIPS.
        https://bugs.webkit.org/show_bug.cgi?id=114264

        Reviewed by Filip Pizlo.

        Fix conditional branch compilation in LLInt offlineasm.

        * offlineasm/mips.rb:

2013-04-08  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSObject::getOwnNonIndexPropertyNames calculates numCacheableSlots incorrectly
        https://bugs.webkit.org/show_bug.cgi?id=114235

        Reviewed by Geoffrey Garen.

        Due to the way that numCacheableSlots is currently calculated, checking an object's prototype for enumerable 
        properties causes us not to cache any properties at all. We should only cache properties on the object itself
        since we currently don't take advantage of any sort of name caching for properties in the prototype chain.
        This fix undoes a ~2% SunSpider regression caused by http://trac.webkit.org/changeset/147570.

        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnNonIndexPropertyNames):

2013-04-09  Ryosuke Niwa  <rniwa@webkit.org>

        Remove yarr.gyp
        https://bugs.webkit.org/show_bug.cgi?id=114247

        Reviewed by Benjamin Poulain.

        * yarr/yarr.gyp: Removed.

2013-04-08  Ryosuke Niwa  <rniwa@webkit.org>

        Remove JavaScriptCore.gyp/gypi
        https://bugs.webkit.org/show_bug.cgi?id=114238

        Reviewed by Benjamin Poulain.

        * JavaScriptCore.gyp: Removed.
        * JavaScriptCore.gyp/.gitignore: Removed.
        * JavaScriptCore.gypi: Removed.

2013-04-08  Vahag Vardanyan  <vaag@ispras.ru>

        Adds fromCharCode intrinsic support.
        https://bugs.webkit.org/show_bug.cgi?id=104807

        Reviewed by Oliver Hunt.

        Switch to using fromCharCode intrinsic instead of call operation in some cases.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileFromCharCode):
        (DFG):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        (SpeculativeJIT):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/StringConstructor.cpp:
        (JSC::stringFromCharCode):
        (JSC):
        * runtime/StringConstructor.h:
        (JSC):

2013-04-08  Benjamin Poulain  <benjamin@webkit.org>

        Remove HTML Notification
        https://bugs.webkit.org/show_bug.cgi?id=114231

        Reviewed by Ryosuke Niwa.

        * Configurations/FeatureDefines.xcconfig:

2013-04-05  Roger Fong  <roger_fong@apple.com>

        Build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:

2013-04-08  Filip Pizlo  <fpizlo@apple.com>

        DFG should be able to inline string equality comparisons
        https://bugs.webkit.org/show_bug.cgi?id=114224

        Reviewed by Oliver Hunt.
        
        Inline 8-bit string equality, go to slow path for 16-bit strings. 2x speed-up for string equality
        comparisons on 8-bit strings. 20-50% speed-up on JSRegress/HashMap tests. 30% speed-up on
        string-fasta. 2% speed-up on SunSpider overall. Some small speed-ups elsewhere.

        This is a gnarly change but we have loads of test coverage already between the HashMap tests and
        preexisting DFG string equality tests (which appear to have been designed to test OSR exits, but
        also give us good overall coverage on string equality behavior).

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        (JSC::DFG::SpeculativeJIT::compileStringEquality):
        (DFG):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):

2013-04-08  Geoffrey Garen  <ggaren@apple.com>

        Stop #include-ing all of JavaScriptCore in every DOM-related file
        https://bugs.webkit.org/show_bug.cgi?id=114220

        Reviewed by Sam Weinig.

        I separated WeakInlines.h from Weak.h so WebCore data types that need
        to declare a Weak<T> data member don't have to #include all of the
        infrastructure for accessing that data member.

        This also required separating Weak<T> from PassWeak<T> by removing the
        WeakImplAccessor class template and pushing code down into its subclasses.

        * API/JSWeakObjectMapRefPrivate.cpp:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/UnlinkedCodeBlock.h:
        * heap/PassWeak.h:
        (JSC):
        (PassWeak):
        (JSC::::PassWeak):
        (JSC::::operator):
        (JSC::::get):
        * heap/SlotVisitorInlines.h:
        * heap/Weak.h:
        (JSC):
        (Weak):
        * heap/WeakInlines.h: Copied from Source/JavaScriptCore/heap/Weak.h.
        (JSC):
        (JSC::::Weak):
        (JSC::::operator):
        (JSC::::get):
        (JSC::::was):
        (JSC::weakClear):
        * jit/JITThunks.h:
        * runtime/RegExpCache.h:
        * runtime/Structure.h:
        * runtime/WeakGCMap.h:

2013-04-05  Roger Fong  <roger_fong@apple.com>

        Windows build fix fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:

2013-04-05  Roger Fong  <roger_fong@apple.com>

        Windows build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:

2013-04-08  Oliver Hunt  <oliver@apple.com>

        Make resolve more robust in the face of lookup misses
        https://bugs.webkit.org/show_bug.cgi?id=114211

        Reviewed by Filip Pizlo.

        This simply short circuits the resolve operations in the
        event that we don't find a path to a property.  There's no
        repro case for this happening unfortunately.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):

2013-04-08  Oliver Hunt  <oliver@apple.com>

        Build fix.

        * assembler/ARMv7Assembler.h:
        (ARMv7Assembler):

2013-04-08  Justin Haygood  <jhaygood@reaktix.com>

        Allow KeywordLookupGenerator.py to work on Windows with Windows style line endings
        https://bugs.webkit.org/show_bug.cgi?id=63234

        Reviewed by Oliver Hunt.

        * KeywordLookupGenerator.py:
        (parseKeywords):

2013-04-08  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(r146669): Assertion hit in JSC::DFG::SpeculativeJIT::fillSpeculateCell() running webgl tests
        https://bugs.webkit.org/show_bug.cgi?id=114129
        <rdar://problem/13594898>

        Reviewed by Darin Adler.
        
        The check to see if we need a cell check when simplifying a GetById or PutById needs to be hoisted to
        above where we abstractly execute the instruction, since after we abstracting execute it, it will
        seem like it no longer needs the cell check.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):

2013-04-07  Oliver Hunt  <oliver@apple.com>

        Add bounds checking for WTF::Vector::operator[]
        https://bugs.webkit.org/show_bug.cgi?id=89600

        Reviewed by Filip Pizlo.

        Make a few JSC classes opt-out of release mode bounds checking.

        * assembler/AssemblerBuffer.h:
        (AssemblerBuffer):
        * assembler/AssemblerBufferWithConstantPool.h:
        (AssemblerBufferWithConstantPool):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::bytecodeOffset):
        (JSC):
        (JSC::replaceExistingEntries):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::bytecodeOffsetForCallAtIndex):
        (JSC::CodeBlock::callReturnIndexVector):
        (JSC::CodeBlock::codeOrigins):
        (RareData):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedEvalCodeBlock::adoptVariables):
        (UnlinkedEvalCodeBlock):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitNewArray):
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitConstruct):
        * bytecompiler/BytecodeGenerator.h:
        (CallArguments):
        (JSC::BytecodeGenerator::instructions):
        (BytecodeGenerator):
        * bytecompiler/StaticPropertyAnalysis.h:
        (JSC::StaticPropertyAnalysis::create):
        (JSC::StaticPropertyAnalysis::StaticPropertyAnalysis):
        (StaticPropertyAnalysis):
        * bytecompiler/StaticPropertyAnalyzer.h:
        (StaticPropertyAnalyzer):
        (JSC::StaticPropertyAnalyzer::StaticPropertyAnalyzer):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * parser/ASTBuilder.h:
        (ASTBuilder):
        * runtime/ArgList.h:
        (MarkedArgumentBuffer):
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncSort):

2013-04-07  Benjamin Poulain  <benjamin@webkit.org>

        Use Vector::reserveInitialCapacity() when possible in JavaScriptCore runtime
        https://bugs.webkit.org/show_bug.cgi?id=114111

        Reviewed by Andreas Kling.

        Almost all the code was already using Vector::reserveInitialCapacity()
        and Vector::uncheckedAppend(). Fix the remaining parts.

        * runtime/ArgList.h:
        (MarkedArgumentBuffer): The type VectorType is unused.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncSort):
        Move the variable closer to where it is needed.

        * runtime/JSArray.cpp:
        (JSC::JSArray::setLengthWithArrayStorage):
        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnPropertyNames):

2013-04-07  Patrick Gansterer  <paroga@webkit.org>

        Remove references to Skia and V8 from CMake files
        https://bugs.webkit.org/show_bug.cgi?id=114130

        Reviewed by Geoffrey Garen.

        * shell/PlatformBlackBerry.cmake:

2013-04-07  David Kilzer  <ddkilzer@apple.com>

        Remove the rest of SVG_DOM_OBJC_BINDINGS
        <http://webkit.org/b/114112>

        Reviewed by Geoffrey Garen.

        * Configurations/FeatureDefines.xcconfig:
        - Remove ENABLE_SVG_DOM_OBJC_BINDINGS macro.

2013-04-07  Oliver Hunt  <oliver@apple.com>

        Inspector should display information about non-object exceptions
        https://bugs.webkit.org/show_bug.cgi?id=114123

        Reviewed by Adele Peterson.

        Make sure we store the right stack information, even when throwing
        a primitive.

        * interpreter/CallFrame.h:
        (JSC::ExecState::clearSupplementaryExceptionInfo):
        (ExecState):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::addStackTraceIfNecessary):
        (JSC::Interpreter::throwException):

2013-04-06  Oliver Hunt  <oliver@apple.com>

        Unify the many and varied stack trace mechanisms, and make the result sane.
        https://bugs.webkit.org/show_bug.cgi?id=114072

        Reviewed by Filip Pizlo.

        Makes JSC::StackFrame record the bytecode offset and other necessary data
        rather than requiring us to perform eager evaluation of the line number, etc.
        Then remove most of the users of retrieveLastCaller, as most of them were
        using it to create a stack trace in a fairly incomplete and inefficient way.

        StackFrame now also has a couple of helpers to get the line and column info.

        * API/JSContextRef.cpp:
        (JSContextCreateBacktrace):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitDebugHook):
        * interpreter/Interpreter.cpp:
        (JSC):
        (JSC::Interpreter::dumpRegisters):
        (JSC::Interpreter::unwindCallFrame):
        (JSC::getBytecodeOffsetForCallFrame):
        (JSC::getCallerInfo):
        (JSC::StackFrame::line):
        (JSC::StackFrame::column):
        (JSC::StackFrame::expressionInfo):
        (JSC::StackFrame::toString):
        (JSC::Interpreter::getStackTrace):
        (JSC::Interpreter::addStackTraceIfNecessary):
        (JSC::Interpreter::retrieveCallerFromVMCode):
        * interpreter/Interpreter.h:
        (StackFrame):
        (Interpreter):
        * runtime/Error.cpp:
        (JSC::throwError):
        * runtime/JSGlobalData.h:
        (JSC):
        (JSGlobalData):
        * runtime/JSGlobalObject.cpp:
        (JSC::DynamicGlobalObjectScope::DynamicGlobalObjectScope):

2013-04-06  Geoffrey Garen  <ggaren@apple.com>

        Removed v8 bindings hooks from IDL files
        https://bugs.webkit.org/show_bug.cgi?id=114091

        Reviewed by Anders Carlsson and Sam Weinig.

        * heap/HeapStatistics.h:

2013-04-03  Roger Fong  <roger_fong@apple.com>

        Windows VS2010 build fix.

        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:

2013-04-06  Zan Dobersek  <zdobersek@igalia.com>

        Remove the remaining PLATFORM(CHROMIUM) guard in JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=114082

        Reviewed by Ryosuke Niwa.

        * runtime/JSExportMacros.h: Remove the remaining PLATFORM(CHROMIUM) guard.

2013-04-06  Ed Bartosh  <bartosh@gmail.com>

        --minimal build fails with error: control reaches end of non-void function
        https://bugs.webkit.org/show_bug.cgi?id=114085

        Reviewed by Oliver Hunt.

        * interpreter/Interpreter.cpp: return 0 if JIT is not enabled
        (JSC::getBytecodeOffsetForCallFrame):

2013-04-06  Geoffrey Garen  <ggaren@apple.com>

        Try to fix the Windows build.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
        Added back a symbol that is exported.

2013-04-06  Geoffrey Garen  <ggaren@apple.com>

        Try to fix the Windows build.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
        Removed symbols that aren't exported.

2013-04-06  Geoffrey Garen  <ggaren@apple.com>

        Rolled out 147820 and 147818 because they caused plugins tests to ASSERT
        https://bugs.webkit.org/show_bug.cgi?id=114094

        Reviewed by Anders Carlsson.

        * API/JSContextRef.cpp:
        (JSContextCreateBacktrace):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitDebugHook):
        * interpreter/Interpreter.cpp:
        (JSC):
        (JSC::Interpreter::dumpRegisters):
        (JSC::Interpreter::unwindCallFrame):
        (JSC::getLineNumberForCallFrame):
        (JSC::getCallerInfo):
        (JSC::Interpreter::getStackTrace):
        (JSC::Interpreter::addStackTraceIfNecessary):
        (JSC::Interpreter::retrieveCallerFromVMCode):
        * interpreter/Interpreter.h:
        (StackFrame):
        (JSC::StackFrame::toString):
        (JSC::StackFrame::friendlyLineNumber):
        (Interpreter):
        * runtime/Error.cpp:
        (JSC::throwError):
        * runtime/JSGlobalData.h:
        (JSC):
        (JSGlobalData):
        * runtime/JSGlobalObject.cpp:
        (JSC::DynamicGlobalObjectScope::DynamicGlobalObjectScope):

2013-04-06  Patrick Gansterer  <paroga@webkit.org>

        Unreviewed build fix after r146932.

        * profiler/ProfilerDatabase.cpp:
        (Profiler):

2013-04-06  Patrick Gansterer  <paroga@webkit.org>

        Do not call getenv() on Windows CE where it does not exist.

        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):

2013-04-05  Benjamin Poulain  <benjamin@webkit.org>

        Second attempt to fix the Windows bot

        Unreviewed.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:

2013-04-05  Benjamin Poulain  <bpoulain@apple.com>

        Attempt to fix the Windows bot

        Unreviewed.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
        r147825 removed the symbol for nullptr_t. Add it back.

2013-04-02  Roger Fong  <roger_fong@apple.com>

        Build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:

2013-04-05  Oliver Hunt  <oliver@apple.com>

        Build fix.

        * interpreter/Interpreter.cpp:
        (JSC::getBytecodeOffsetForCallFrame):

2013-04-05  Oliver Hunt  <oliver@apple.com>

        Unify the many and varied stack trace mechanisms, and make the result sane.
        https://bugs.webkit.org/show_bug.cgi?id=114072

        Reviewed by Filip Pizlo.

        Makes JSC::StackFrame record the bytecode offset and other necessary data
        rather than requiring us to perform eager evaluation of the line number, etc.
        Then remove most of the users of retrieveLastCaller, as most of them were
        using it to create a stack trace in a fairly incomplete and inefficient way.

        StackFrame now also has a couple of helpers to get the line and column info.

        * API/JSContextRef.cpp:
        (JSContextCreateBacktrace):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitDebugHook):
        * interpreter/Interpreter.cpp:
        (JSC):
        (JSC::Interpreter::dumpRegisters):
        (JSC::Interpreter::unwindCallFrame):
        (JSC::getBytecodeOffsetForCallFrame):
        (JSC::getCallerInfo):
        (JSC::StackFrame::line):
        (JSC::StackFrame::column):
        (JSC::StackFrame::expressionInfo):
        (JSC::StackFrame::toString):
        (JSC::Interpreter::getStackTrace):
        (JSC::Interpreter::addStackTraceIfNecessary):
        (JSC::Interpreter::retrieveCallerFromVMCode):
        * interpreter/Interpreter.h:
        (StackFrame):
        (Interpreter):
        * runtime/Error.cpp:
        (JSC::throwError):
        * runtime/JSGlobalData.h:
        (JSC):
        (JSGlobalData):
        * runtime/JSGlobalObject.cpp:
        (JSC::DynamicGlobalObjectScope::DynamicGlobalObjectScope):

2013-04-05  Mark Hahnenberg  <mhahnenberg@apple.com>

        tryCacheGetByID sets StructureStubInfo accessType to an incorrect value
        https://bugs.webkit.org/show_bug.cgi?id=114068

        Reviewed by Geoffrey Garen.

        In the case where we have a non-Value cacheable property, we set the StructureStubInfo accessType to 
        get_by_id_self, but then we don't patch self and instead patch in a get_by_id_self_fail. This leads to 
        incorrect profiling data so when the DFG compiles the function, it uses a GetByOffset rather than a GetById, 
        which leads to loading a GetterSetter directly out of an object.

        * jit/JITStubs.cpp:
        (JSC::tryCacheGetByID):
        (JSC::DEFINE_STUB_FUNCTION):

2013-04-05  Filip Pizlo  <fpizlo@apple.com>

        If CallFrame::trueCallFrame() knows that it's about to read garbage instead of a valid CodeOrigin/InlineCallFrame, then it should give up and return 0 and all callers should be robust against this
        https://bugs.webkit.org/show_bug.cgi?id=114062

        Reviewed by Oliver Hunt.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::canGetCodeOrigin):
        (CodeBlock):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::trueCallFrame):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::getStackTrace):

2013-04-05  Geoffrey Garen  <ggaren@apple.com>

        Made USE(JSC) unconditional
        https://bugs.webkit.org/show_bug.cgi?id=114058

        Reviewed by Anders Carlsson.

        * config.h:

2013-04-05  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, rolling out http://trac.webkit.org/changeset/147729

        It's causing a bunch of breakage on some more strict compilers:
        <inline asm>:1267:2: error: ambiguous instructions require an explicit suffix (could be 'ficomps', or 'ficompl')

        * offlineasm/x86.rb:

2013-04-05  Roger Fong  <roger_fong@apple.com>

        More VS2010 solution makefile fixes.
        <rdar://problem/13588964>

        * JavaScriptCore.vcxproj/JavaScriptCore.make:

2013-04-05  Allan Sandfeld Jensen  <allan.jensen@digia.com>

        LLint should be able to use x87 instead of SSE for floating pointer

        https://bugs.webkit.org/show_bug.cgi?id=112239

        Reviewed by Filip Pizlo.

        Implements LLInt floating point operations in x87, to ensure we support
        x86 without SSE2.

        X86 (except 64bit) now defaults to using x87 instructions in order to
        support all 32bit x86 back to i686. The implementation uses the fucomi
        instruction from i686 which sets the new minimum.

        * offlineasm/x86.rb:

2013-04-04  Christophe Dumez  <ch.dumez@sisa.samsung.com>

        Unreviewed EFL build fix.

        We had undefined reference to `JSC::CodeOrigin::maximumBytecodeIndex'.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::findClosureCallForReturnPC):
        (JSC::CodeBlock::bytecodeOffset):

2013-04-04  Geoffrey Garen  <ggaren@apple.com>

        Stop pretending that statements return a value
        https://bugs.webkit.org/show_bug.cgi?id=113969

        Reviewed by Oliver Hunt.

        Expressions have an intrinsic value, which they return to their parent
        in the AST.

        Statements just execute for effect in sequence.

        This patch moves emitBytecode into the ExpressionNode and StatementNode
        subclasses, and changes the SatementNode subclass to return void. This
        eliminates some cruft where we used to return 0, or try to save a bogus
        register and return it, as if a statement had a consuming parent in the
        AST.

        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::emitNode):
        (BytecodeGenerator):
        (JSC::BytecodeGenerator::emitNodeInConditionContext):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ConstStatementNode::emitBytecode):
        (JSC::BlockNode::emitBytecode):
        (JSC::EmptyStatementNode::emitBytecode):
        (JSC::DebuggerStatementNode::emitBytecode):
        (JSC::ExprStatementNode::emitBytecode):
        (JSC::VarStatementNode::emitBytecode):
        (JSC::IfNode::emitBytecode):
        (JSC::IfElseNode::emitBytecode):
        (JSC::DoWhileNode::emitBytecode):
        (JSC::WhileNode::emitBytecode):
        (JSC::ForNode::emitBytecode):
        (JSC::ForInNode::emitBytecode):
        (JSC::ContinueNode::emitBytecode):
        (JSC::BreakNode::emitBytecode):
        (JSC::ReturnNode::emitBytecode):
        (JSC::WithNode::emitBytecode):
        (JSC::CaseClauseNode::emitBytecode):
        (JSC::CaseBlockNode::emitBytecodeForBlock):
        (JSC::SwitchNode::emitBytecode):
        (JSC::LabelNode::emitBytecode):
        (JSC::ThrowNode::emitBytecode):
        (JSC::TryNode::emitBytecode):
        (JSC::ScopeNode::emitStatementsBytecode):
        (JSC::ProgramNode::emitBytecode):
        (JSC::EvalNode::emitBytecode):
        (JSC::FunctionBodyNode::emitBytecode):
        (JSC::FuncDeclNode::emitBytecode):
        * parser/NodeConstructors.h:
        (JSC::PropertyListNode::PropertyListNode):
        (JSC::ArgumentListNode::ArgumentListNode):
        * parser/Nodes.h:
        (Node):
        (ExpressionNode):
        (StatementNode):
        (ConstStatementNode):
        (BlockNode):
        (EmptyStatementNode):
        (DebuggerStatementNode):
        (ExprStatementNode):
        (VarStatementNode):
        (IfNode):
        (IfElseNode):
        (DoWhileNode):
        (WhileNode):
        (ForNode):
        (ForInNode):
        (ContinueNode):
        (BreakNode):
        (ReturnNode):
        (WithNode):
        (LabelNode):
        (ThrowNode):
        (TryNode):
        (ProgramNode):
        (EvalNode):
        (FunctionBodyNode):
        (FuncDeclNode):
        (CaseBlockNode):
        (SwitchNode):

2013-04-04  Oliver Hunt  <oliver@apple.com>

        Exception stack unwinding doesn't handle inline callframes correctly
        https://bugs.webkit.org/show_bug.cgi?id=113952

        Reviewed by Geoffrey Garen.

        The basic problem here is that the exception stack unwinding was
        attempting to be "clever" and avoid doing a correct stack walk
        as it "knew" inline callframes couldn't have exception handlers.

        This used to be safe as the exception handling machinery was
        designed to fail gently and just claim that no handler existed.
        This was "safe" and even "correct" inasmuch as we currently
        don't run any code with exception handlers through the dfg.

        This patch fixes the logic by simply making everything uniformly
        use the safe stack walking machinery, and making the correct
        boundary checks occur everywhere that they should.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::findClosureCallForReturnPC):
        (JSC::CodeBlock::bytecodeOffset):
        * interpreter/Interpreter.cpp:
        (JSC):
        (JSC::Interpreter::dumpRegisters):
        (JSC::Interpreter::unwindCallFrame):
        (JSC::getCallerInfo):
        (JSC::Interpreter::getStackTrace):
        (JSC::Interpreter::retrieveCallerFromVMCode):

2013-04-04  Geoffrey Garen  <ggaren@apple.com>

        Removed a defunct comment
        https://bugs.webkit.org/show_bug.cgi?id=113948

        Reviewed by Oliver Hunt.

        This is also a convenient way to test the EWS.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC):

2013-04-04  Martin Robinson  <mrobinson@igalia.com>

        [GTK] Remove the gyp build
        https://bugs.webkit.org/show_bug.cgi?id=113942

        Reviewed by Gustavo Noronha Silva.

        * JavaScriptCore.gyp/JavaScriptCoreGTK.gyp: Removed.
        * JavaScriptCore.gyp/redirect-stdout.sh: Removed.

2013-04-04  Geoffrey Garen  <ggaren@apple.com>

        Simplified bytecode generation by merging prefix and postfix nodes
        https://bugs.webkit.org/show_bug.cgi?id=113925

        Reviewed by Filip Pizlo.

        PostfixNode now inherits from PrefixNode, so when we detect that we're
        in a context where postifx and prefix are equivalent, PostFixNode can
        just call through to PrefixNode codegen, instead of duplicating the
        logic.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::PostfixNode::emitResolve):
        (JSC::PostfixNode::emitBracket):
        (JSC::PostfixNode::emitDot):
        * parser/NodeConstructors.h:
        (JSC::PostfixNode::PostfixNode):
        * parser/Nodes.h:
        (JSC):
        (PrefixNode):
        (PostfixNode):

2013-04-04  Andras Becsi  <andras.becsi@digia.com>

        Fix the build with GCC 4.8
        https://bugs.webkit.org/show_bug.cgi?id=113147

        Reviewed by Allan Sandfeld Jensen.

        Initialize JSObject* exception to suppress warnings that make
        the build fail because of -Werror=maybe-uninitialized.

        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::compileForCallInternal):
        (JSC::FunctionExecutable::compileForConstructInternal):

2013-04-02  Mark Hahnenberg  <mhahnenberg@apple.com>

        get_by_pname can become confused when iterating over objects with static properties
        https://bugs.webkit.org/show_bug.cgi?id=113831

        Reviewed by Geoffrey Garen.

        get_by_pname doesn't take static properties into account when using a JSPropertyNameIterator to directly 
        access an object's backing store. One way to fix this is to not cache any properties when iterating over 
        objects with static properties. This patch fixes the bug that was originally reported on swisscom.ch.

        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnNonIndexPropertyNames):
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::create):
        * runtime/PropertyNameArray.h:
        (JSC::PropertyNameArray::PropertyNameArray):
        (JSC::PropertyNameArray::numCacheableSlots):
        (JSC::PropertyNameArray::setNumCacheableSlots):
        (PropertyNameArray):

2013-04-02  Geoffrey Garen  <ggaren@apple.com>

        DFG should compile a little sooner
        https://bugs.webkit.org/show_bug.cgi?id=113835

        Unreviewed.

        Rolled out r147511 because it was based on incorrect performance
        measurement.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::optimizationThresholdScalingFactor):

2013-04-02  Geoffrey Garen  <ggaren@apple.com>

        DFG should compile a little sooner
        https://bugs.webkit.org/show_bug.cgi?id=113835

        Reviewed by Michael Saboff.

        2% speedup on SunSpider.

        2% speedup on JSRegress.

        Neutral on Octane, v8, and Kraken.

        The worst-hit single sub-test is kraken-stanford-crypto-ccm.js, which gets
        18% slower. Since Kraken is neutral overall in its preferred mean, I
        think that's OK for now.

        (Our array indexing speculation fails pathologically on
        kraken-stanford-crypto-ccm.js. Compiling sooner is a regression because
        it triggers those failures sooner. I'm going to file some follow-up bugs
        explaining how to fix our speculations on this sub-test, at which point
        compiling earlier should become a slight speedup on Kraken overall.)

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::optimizationThresholdScalingFactor): I experimented
        with a few different options, including reducing the coefficient 'a'.
        A simple linear reduction on instruction count worked best.

2013-04-01  Benjamin Poulain  <benjamin@webkit.org>

        Use Vector::reserveInitialCapacity and Vector::uncheckedAppend for JSC's APIs
        https://bugs.webkit.org/show_bug.cgi?id=113651

        Reviewed by Andreas Kling.

        This removes a bunch of branches on initialization and when
        filling the vector.

        * API/JSCallbackConstructor.cpp:
        (JSC::constructJSCallback):
        * API/JSCallbackFunction.cpp:
        (JSC::JSCallbackFunction::call):
        * API/JSCallbackObjectFunctions.h:
        (JSC::::construct):
        (JSC::::call):
        * API/JSObjectRef.cpp:
        (JSObjectCopyPropertyNames):

2013-04-01  Mark Hahnenberg  <mhahnenberg@apple.com>

        Fixing borked VS 2010 project file

        Unreviewed bot greening.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2013-04-01  Mark Hahnenberg  <mhahnenberg@apple.com>

        One more Windows build fix

        Unreviewed.

        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:

2013-04-01  Mark Hahnenberg  <mhahnenberg@apple.com>

        More build fallout fixes.

        Unreviewed build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: Add new export symbols.
        * heap/SuperRegion.cpp: Windows didn't like "LLU". 

2013-04-01  Mark Hahnenberg  <mhahnenberg@apple.com>

        r147324 broke the world
        https://bugs.webkit.org/show_bug.cgi?id=113704

        Unreviewed build fix.

        Remove a bunch of unused variables and use the correctly sized types for 32-bit platforms.

        * heap/BlockAllocator.cpp:
        (JSC::BlockAllocator::BlockAllocator):
        * heap/BlockAllocator.h:
        (BlockAllocator):
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        * heap/SuperRegion.cpp:
        (JSC::SuperRegion::SuperRegion):
        * heap/SuperRegion.h:
        (SuperRegion):

2013-04-01  Mark Hahnenberg  <mhahnenberg@apple.com>

        32-bit Windows build fix

        Unreviewed build fix.

        * heap/SuperRegion.cpp:
        * heap/SuperRegion.h: Use uint64_t instead of size_t.
        (SuperRegion):

2013-04-01  Mark Hahnenberg  <mhahnenberg@apple.com>

        EFL build fix

        Unreviewed build fix.

        * CMakeLists.txt:

2013-03-31  Mark Hahnenberg  <mhahnenberg@apple.com>

        Regions should be allocated from the same contiguous segment of virtual memory
        https://bugs.webkit.org/show_bug.cgi?id=113662

        Reviewed by Filip Pizlo.

        Instead of letting the OS spread our Regions all over the place, we should allocate them all within 
        some range of each other. This change will open the door to some other optimizations, e.g. doing simple 
        range checks for our write barriers and compressing JSCell pointers to 32-bits.

        Added new SuperRegion class that encapsulates allocating Regions from a contiguous reserved chunk of 
        virtual address space. It functions very similarly to the FixedVMPoolExecutableAllocator class used by the JIT.

        Also added two new subclasses of Region, NormalRegion and ExcessRegion. 
        
        NormalRegion is the type of Region that is normally allocated when there is available space remaining 
        in the SuperRegion. If we ever run out of space in the SuperRegion, we fall back to allocating 
        ExcessRegions, which are identical to how Regions have behaved up until now, i.e. they contain a 
        PageAllocationAligned.

        We only use the SuperRegion (and NormalRegions) on 64-bit systems, since it doesn't make sense to reserve the 
        entire 4 GB address space on 32-bit systems just for the JS heap.

        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * heap/BlockAllocator.cpp:
        (JSC::BlockAllocator::BlockAllocator):
        * heap/BlockAllocator.h:
        (JSC):
        (BlockAllocator):
        (JSC::BlockAllocator::allocate):
        (JSC::BlockAllocator::allocateCustomSize):
        (JSC::BlockAllocator::deallocateCustomSize):
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC):
        (JSC::Heap::didExceedFixedHeapSizeLimit):
        * heap/Heap.h:
        (Heap):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::create):
        * heap/Region.h:
        (Region):
        (JSC):
        (NormalRegion):
        (JSC::NormalRegion::base):
        (JSC::NormalRegion::size):
        (ExcessRegion):
        (JSC::ExcessRegion::base):
        (JSC::ExcessRegion::size):
        (JSC::NormalRegion::NormalRegion):
        (JSC::NormalRegion::tryCreate):
        (JSC::NormalRegion::tryCreateCustomSize):
        (JSC::NormalRegion::reset):
        (JSC::ExcessRegion::ExcessRegion):
        (JSC::ExcessRegion::~ExcessRegion):
        (JSC::ExcessRegion::create):
        (JSC::ExcessRegion::createCustomSize):
        (JSC::ExcessRegion::reset):
        (JSC::Region::Region):
        (JSC::Region::initializeBlockList):
        (JSC::Region::create):
        (JSC::Region::createCustomSize):
        (JSC::Region::~Region):
        (JSC::Region::destroy):
        (JSC::Region::reset):
        (JSC::Region::deallocate):
        (JSC::Region::base):
        (JSC::Region::size):
        * heap/SuperRegion.cpp: Added.
        (JSC):
        (JSC::SuperRegion::SuperRegion):
        (JSC::SuperRegion::getAlignedBase):
        (JSC::SuperRegion::allocateNewSpace):
        (JSC::SuperRegion::notifyNeedPage):
        (JSC::SuperRegion::notifyPageIsFree):
        * heap/SuperRegion.h: Added.
        (JSC):
        (SuperRegion):

2013-04-01  Benjamin Poulain  <benjamin@webkit.org>

        Remove an unused variable from the ARMv7 Assembler
        https://bugs.webkit.org/show_bug.cgi?id=113653

        Reviewed by Andreas Kling.

        * assembler/ARMv7Assembler.h:
        (ARMv7Assembler):

2013-03-31  Adam Barth  <abarth@webkit.org>

        [Chromium] Yarr should build using a separate GYP file from JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=113652

        Reviewed by Nico Weber.

        This patch moves JavaScriptCore.gyp to yarr.gyp because Chromium only
        uses this GYP file to build yarr.

        * JavaScriptCore.gyp/JavaScriptCoreGTK.gyp:
        * JavaScriptCore.gypi:
        * yarr/yarr.gyp: Renamed from Source/JavaScriptCore/JavaScriptCore.gyp/JavaScriptCore.gyp.

2013-03-31  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix a comment. While thinking about TBAA for array accesses,
        I realized that we have to be super careful about aliasing of typed arrays.

        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::getByValLoadElimination):

2013-03-30  Mark Hahnenberg  <mhahnenberg@apple.com>

        Move Region into its own header
        https://bugs.webkit.org/show_bug.cgi?id=113617

        Reviewed by Geoffrey Garen.

        BlockAllocator.h is getting a little crowded. We should move the Region class into its own 
        header, since it's pretty independent from the BlockAllocator.

        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/BlockAllocator.h:
        (JSC):
        * heap/Region.h: Added.
        (JSC):
        (DeadBlock):
        (JSC::DeadBlock::DeadBlock):
        (Region):
        (JSC::Region::blockSize):
        (JSC::Region::isFull):
        (JSC::Region::isEmpty):
        (JSC::Region::isCustomSize):
        (JSC::Region::create):
        (JSC::Region::createCustomSize):
        (JSC::Region::Region):
        (JSC::Region::~Region):
        (JSC::Region::reset):
        (JSC::Region::allocate):
        (JSC::Region::deallocate):

2013-03-29  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: Remove -[JSManagedValue managedValueWithValue:owner:]
        https://bugs.webkit.org/show_bug.cgi?id=113602

        Reviewed by Geoffrey Garen.

        Since we put the primary way of keeping track of external object graphs (i.e. "managed" references) 
        in JSVirtualMachine, there is some overlap in the functionality of that interface and JSManagedValue.
        Specifically, we no longer need the methods that include an owner, since ownership is now tracked 
        by JSVirtualMachine. These JSManagedValues will become weak pointers unless they are used 
        with [JSVirtualMachine addManagedReference:withOwner:], in which case their lifetime is tied to that 
        of their owner.

        * API/JSManagedValue.h:
        * API/JSManagedValue.mm:
        (-[JSManagedValue init]):
        (-[JSManagedValue initWithValue:]):
        (JSManagedValueHandleOwner::isReachableFromOpaqueRoots):
        * API/JSVirtualMachine.mm:
        (getInternalObjcObject):
        * API/tests/testapi.mm:
        (-[TextXYZ setOnclick:]):
        (-[TextXYZ dealloc]):

2013-03-29  Geoffrey Garen  <ggaren@apple.com>

        Simplified bytecode generation by unforking "condition context" codegen
        https://bugs.webkit.org/show_bug.cgi?id=113554

        Reviewed by Mark Hahnenberg.

        Now, a node that establishes a condition context can always ask its child
        nodes to generate into that context.

        This has a few advantages:

        (*) Removes a bunch of code;

        (*) Optimizes a few missed cases like "if (!(x < 2))", "if (!!x)", and
        "if (!x || !y)";

        (*) Paves the way to removing more opcodes.

        * bytecode/Opcode.h:
        (JSC): Separated out the branching opcodes for clarity.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ExpressionNode::emitBytecodeInConditionContext): All expressions
        can be emitted in a condition context now -- the default behavior is
        to branch based on the expression's value.

        (JSC::LogicalNotNode::emitBytecodeInConditionContext):
        (JSC::LogicalOpNode::emitBytecodeInConditionContext):
        (JSC::ConditionalNode::emitBytecode):
        (JSC::IfNode::emitBytecode):
        (JSC::IfElseNode::emitBytecode):
        (JSC::DoWhileNode::emitBytecode):
        (JSC::WhileNode::emitBytecode):
        (JSC::ForNode::emitBytecode):
        * parser/Nodes.h:
        (JSC::ExpressionNode::isSubtract):
        (ExpressionNode):
        (LogicalNotNode):
        (LogicalOpNode): Removed lots of code for handling expressions
        that couldn't generate into a condition context because all expressions
        can now.

2013-03-28  Geoffrey Garen  <ggaren@apple.com>

        Simplified the bytecode by removing op_loop and op_loop_if_*
        https://bugs.webkit.org/show_bug.cgi?id=113548

        Reviewed by Filip Pizlo.

        Regular jumps will suffice.

        These opcodes are identical to branches, except they also do timeout
        checking. That style of timeout checking has been broken for a long 
        time, and when we add back timeout checking, it won't use these opcodes.

        * JavaScriptCore.order:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecode/Opcode.h:
        (JSC):
        (JSC::padOpcodeName):
        * bytecode/PreciseJumpTargets.cpp:
        (JSC::computePreciseJumpTargets):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitJump):
        (JSC::BytecodeGenerator::emitJumpIfTrue):
        (JSC::BytecodeGenerator::emitJumpIfFalse):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        (JIT):
        (JSC):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2013-03-28  Geoffrey Garen  <ggaren@apple.com>

        Simplified the bytecode by removing op_jmp_scopes
        https://bugs.webkit.org/show_bug.cgi?id=113545

        Reviewed by Filip Pizlo.

        We already have op_pop_scope and op_jmp, so we don't need op_jmp_scopes.
        Using op_jmp_scopes was also adding a "jump to self" to codegen for
        return statements, which was pretty silly.

        * JavaScriptCore.order:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * bytecode/PreciseJumpTargets.cpp:
        (JSC::computePreciseJumpTargets):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitComplexPopScopes):
        (JSC::BytecodeGenerator::emitPopScopes):
        * bytecompiler/BytecodeGenerator.h:
        (BytecodeGenerator):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ContinueNode::emitBytecode):
        (JSC::BreakNode::emitBytecode):
        (JSC::ReturnNode::emitBytecode):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        * jit/JITOpcodes32_64.cpp:
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:
        * llint/LLIntSlowPaths.cpp:
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:

2013-03-28  Mark Hahnenberg  <mhahnenberg@apple.com>

        Safari hangs during test262 run in CodeCache::pruneSlowCase
        https://bugs.webkit.org/show_bug.cgi?id=113469

        Reviewed by Geoffrey Garen.

        We can end up hanging for quite some time if we add a lot of small keys to the CodeCache.
        By the time we get around to pruning the cache, we have a potentially tens or hundreds of 
        thousands of small entries, which can cause a noticeable hang when pruning them.

        To fix this issue we added a hard cap to the number of entries in the cache because we 
        could potentially have to remove every element in the map.

        * runtime/CodeCache.cpp:
        (JSC::CodeCacheMap::pruneSlowCase): We need to prune until we're both under the hard cap and the
        capacity in bytes.
        * runtime/CodeCache.h:
        (CodeCacheMap):
        (JSC::CodeCacheMap::numberOfEntries): Convenience accessor function to the number of entries in 
        the map that does the cast to size_t of m_map.size() for us. 
        (JSC::CodeCacheMap::canPruneQuickly): Checks that the total number is under the hard cap. We put this 
        check inside a function to more accurately describe why we're doing the check and to abstract out 
        the actual calculation in case we want to coalesce calls to pruneSlowCase in the future.
        (JSC::CodeCacheMap::prune): Check the number of entries against our hard cap. If it's greater than
        the cap then we need to drop down to pruneSlowCase.

2013-03-28  Zan Dobersek  <zdobersek@igalia.com>

        Unreviewed build fix for the EFL and GTK ports.

        * runtime/CodeCache.cpp:
        (JSC::CodeCacheMap::pruneSlowCase): Pass a 0 casted to the int64_t type instead of 0LL
        to the std::max call so the arguments' types match.

2013-03-27  Geoffrey Garen  <ggaren@apple.com>

        Unreviewed build fix: Removed a dead field.

        Pointed out by Mark Lam.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ByteCodeParser):
        (ByteCodeParser):

2013-03-27  Geoffrey Garen  <ggaren@apple.com>

        Unreviewed build fix: Removed a dead field.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ByteCodeParser):
        (ByteCodeParser):

2013-03-27  Geoffrey Garen  <ggaren@apple.com>

        Removed some dead code in the DFG bytecode parser
        https://bugs.webkit.org/show_bug.cgi?id=113472

        Reviewed by Sam Weinig.

        Now that Phi creation and liveness analysis are separate passes, we can
        remove the vestiges of code that used to do that in the bytecode
        parser.

        * dfg/DFGByteCodeParser.cpp:
        (ByteCodeParser):
        (JSC::DFG::ByteCodeParser::addToGraph):
        (JSC::DFG::ByteCodeParser::parse):

2013-03-27  Filip Pizlo  <fpizlo@apple.com>

        JIT and DFG should NaN-check loads from Float32 arrays
        https://bugs.webkit.org/show_bug.cgi?id=113462
        <rdar://problem/13490804>

        Reviewed by Mark Hahnenberg.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitFloatTypedArrayGetByVal):

2013-03-27  Mark Hahnenberg  <mhahnenberg@apple.com>

        CodeCache::m_capacity can becoming negative, producing undefined results in pruneSlowCase
        https://bugs.webkit.org/show_bug.cgi?id=113453

        Reviewed by Geoffrey Garen.

        * runtime/CodeCache.cpp:
        (JSC::CodeCacheMap::pruneSlowCase): We make sure that m_minCapacity doesn't drop below zero now.
        This prevents m_capacity from doing the same.

2013-03-27  Filip Pizlo  <fpizlo@apple.com>

        DFG should use CheckStructure for typed array checks whenever possible
        https://bugs.webkit.org/show_bug.cgi?id=113374

        Reviewed by Geoffrey Garen.
        
        We used to do the right thing, but it appears that this regressed at some point. Since the
        FixupPhase now has the ability to outright remove spurious CheckStructures on array
        operations, it is profitable for the ByteCodeParser to insert CheckStructures whenver there
        is a chance that it might be profitable, and when the profiling tells us what structure to
        check.
        
        Also added some code for doing ArrayProfile debugging.
        
        This is a slightly speed-up. Maybe 3% on Mandreel.

        * bytecode/ArrayProfile.cpp:
        (JSC::ArrayProfile::computeUpdatedPrediction):
        * dfg/DFGArrayMode.h:
        (JSC::DFG::ArrayMode::benefitsFromStructureCheck):

2013-03-27  Zeno Albisser  <zeno@webkit.org>

        [Qt] Remove Qt specific WorkQueueItem definitions.
        https://bugs.webkit.org/show_bug.cgi?id=112891

        This patch is preparation work for removing
        WorkQueue related code from TestRunnerQt and
        replacing it with generic TestRunner code.

        Reviewed by Benjamin Poulain.

        * API/JSStringRefQt.cpp:
        (JSStringCreateWithQString):
            Adding a convenience function to create a
            JSStringRef from a QString.
        * API/JSStringRefQt.h:

2013-03-26  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION: Sometimes, operations on proven strings ignore changes to the string prototype
        https://bugs.webkit.org/show_bug.cgi?id=113353
        <rdar://problem/13510778>

        Reviewed by Mark Hahnenberg and Geoffrey Garen.
        
        ToString should call speculateStringObject() even if you know that it's a string object, since
        it calls it to also get the watchpoint. Note that even with this change, if you do
        Phantom(Check:StringObject:@a), it might get eliminated just because we proved that @a is a
        string object (thereby eliminating the prototype watchpoint); that's fine since ToString is
        MustGenerate and never decays to Phantom.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
        (JSC::DFG::SpeculativeJIT::speculateStringObject):
        (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):

2013-03-26  Mark Hahnenberg  <mhahnenberg@apple.com>

        REGRESSION(r144131): It made fast/js/regress/string-repeat-arith.html assert on 32 bit
        https://bugs.webkit.org/show_bug.cgi?id=112106

        Rubber stamped by Filip Pizlo.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32): Get rid of the case for constants because
        we would have done constant folding anyways on a ValueToInt32.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): Fixed a random compile error with this flag enabled.

2013-03-26  Filip Pizlo  <fpizlo@apple.com>

        JSC_enableProfiler=true should also cause JSGlobalData to save the profiler output somewhere
        https://bugs.webkit.org/show_bug.cgi?id=113144

        Reviewed by Geoffrey Garen.
        
        Forgot to include Geoff's requested change in the original commit.

        * profiler/ProfilerDatabase.cpp:
        (Profiler):

2013-03-25  Filip Pizlo  <fpizlo@apple.com>

        JSC_enableProfiler=true should also cause JSGlobalData to save the profiler output somewhere
        https://bugs.webkit.org/show_bug.cgi?id=113144

        Reviewed by Geoffrey Garen.
        
        Added the ability to save profiler output with JSC_enableProfiler=true. It will save it
        to the current directory, or JSC_PROFILER_PATH if the latter was specified.
        
        This works by saving the Profiler::Database either when it is destroyed or atexit(),
        whichever happens first.
        
        This allows use of the profiler from any WebKit client.

        * jsc.cpp:
        (jscmain):
        * profiler/ProfilerDatabase.cpp:
        (Profiler):
        (JSC::Profiler::Database::Database):
        (JSC::Profiler::Database::~Database):
        (JSC::Profiler::Database::registerToSaveAtExit):
        (JSC::Profiler::Database::addDatabaseToAtExit):
        (JSC::Profiler::Database::removeDatabaseFromAtExit):
        (JSC::Profiler::Database::performAtExitSave):
        (JSC::Profiler::Database::removeFirstAtExitDatabase):
        (JSC::Profiler::Database::atExitCallback):
        * profiler/ProfilerDatabase.h:
        (JSC::Profiler::Database::databaseID):
        (Database):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):

2013-03-25  Filip Pizlo  <fpizlo@apple.com>

        ArrayMode should not consider SpecOther when refining the base
        https://bugs.webkit.org/show_bug.cgi?id=113271

        Reviewed by Geoffrey Garen.
        
        9% speed-up on Octane/pdfjs.

        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine):

2013-03-26  Csaba Osztrogonác  <ossy@webkit.org>

        Fix unused parameter warnings in JITInlines.h
        https://bugs.webkit.org/show_bug.cgi?id=112560

        Reviewed by Zoltan Herczeg.

        * jit/JITInlines.h:
        (JSC::JIT::beginUninterruptedSequence):
        (JSC::JIT::endUninterruptedSequence):
        (JSC):

2013-03-25  Kent Tamura  <tkent@chromium.org>

        Rename ENABLE_INPUT_TYPE_DATETIME
        https://bugs.webkit.org/show_bug.cgi?id=113254

        Reviewed by Kentaro Hara.

        Rename ENABLE_INPUT_TYPE_DATETIME to ENABLE_INPUT_TYPE_DATETIME_INCOMPLETE.
        Actually I'd like to remove the code, but we shouldn't remove it yet
        because we shipped products with it on some platforms.

        * Configurations/FeatureDefines.xcconfig:

2013-03-25  Mark Lam  <mark.lam@apple.com>

        Offlineasm cloop backend compiles op+branch incorrectly.
        https://bugs.webkit.org/show_bug.cgi?id=113146.

        Reviewed by Geoffrey Garen.

        * dfg/DFGRepatch.h:
        (JSC::DFG::dfgResetGetByID):
        (JSC::DFG::dfgResetPutByID):
        - These functions never return when the DFG is dsiabled, not just when
          asserts are enabled. Changing the attribute from NO_RETURN_DUE_TO_ASSERT
          to NO_RETURN.
        * llint/LLIntOfflineAsmConfig.h:
        - Added some #defines needed to get the cloop building again.
        * offlineasm/cloop.rb:
        - Fix cloopEmitOpAndBranchIfOverflow() and cloopEmitOpAndBranch() to
          emit code that unconditionally executes the specified operation before
          doing the conditional branch.

2013-03-25  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSObject::enterDictionaryIndexingMode doesn't have a case for ALL_BLANK_INDEXING_TYPES
        https://bugs.webkit.org/show_bug.cgi?id=113236

        Reviewed by Geoffrey Garen.

        * runtime/JSObject.cpp:
        (JSC::JSObject::enterDictionaryIndexingMode): We forgot blank indexing types.

2013-03-23  Mark Hahnenberg  <mhahnenberg@apple.com>

        HandleSet should use HeapBlocks for storing handles
        https://bugs.webkit.org/show_bug.cgi?id=113145

        Reviewed by Geoffrey Garen.

        * GNUmakefile.list.am: Build project changes.
        * JavaScriptCore.gypi: Ditto.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj: Ditto.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Ditto.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
        * JavaScriptCore.xcodeproj/project.pbxproj: Ditto.
        * heap/BlockAllocator.cpp: Rename the RegionSet to m_fourKBBlockRegionSet because there are 
        too many block types to include them all in the name now.
        (JSC::BlockAllocator::BlockAllocator):
        * heap/BlockAllocator.h:
        (BlockAllocator): Add the appropriate override for regionSetFor.
        (JSC::WeakBlock):
        (JSC::MarkStackSegment):
        (JSC::HandleBlock):
        * heap/HandleBlock.h: Added.
        (HandleBlock): New class for HandleBlocks.
        (JSC::HandleBlock::blockFor): Static method to get the block of the given HandleNode pointer. Allows
        us to quickly figure out which HandleSet the HandleNode belongs to without storing the pointer to it
        in the HandleNode.
        (JSC::HandleBlock::handleSet): Getter.
        * heap/HandleBlockInlines.h: Added.
        (JSC::HandleBlock::create):
        (JSC::HandleBlock::HandleBlock):
        (JSC::HandleBlock::payloadEnd):
        (JSC::HandleBlock::payload):
        (JSC::HandleBlock::nodes):
        (JSC::HandleBlock::nodeAtIndex):
        (JSC::HandleBlock::nodeCapacity):
        * heap/HandleSet.cpp:
        (JSC::HandleSet::~HandleSet): 
        (JSC::HandleSet::grow):
        * heap/HandleSet.h:
        (HandleNode): Move the internal Node class from HandleSet to be its own public class so it can be 
        used by HandleBlock.
        (HandleSet): Add a typedef so that Node refers to the new HandleNode class.
        (JSC::HandleSet::toHandle):
        (JSC::HandleSet::toNode):
        (JSC::HandleSet::allocate):
        (JSC::HandleSet::deallocate):
        (JSC::HandleNode::HandleNode):
        (JSC::HandleNode::slot):
        (JSC::HandleNode::handleSet): Use the new blockFor static function to get the right HandleBlock and lookup 
        the HandleSet.
        (JSC::HandleNode::setPrev):
        (JSC::HandleNode::prev):
        (JSC::HandleNode::setNext):
        (JSC::HandleNode::next):
        (JSC::HandleSet::forEachStrongHandle):
        * heap/Heap.h: Friend HandleSet so that it can access the BlockAllocator when allocating HandleBlocks.

2013-03-22  David Kilzer  <ddkilzer@apple.com>

        BUILD FIX (r145119): Make JSValue* properties default to (assign)
        <rdar://problem/13380794>

        Reviewed by Mark Hahnenberg.

        Fixes the following build failures:

            Source/JavaScriptCore/API/tests/testapi.mm:106:1: error: no 'assign', 'retain', or 'copy' attribute is specified - 'assign' is assumed [-Werror,-Wobjc-property-no-attribute]
            @property JSValue *onclick;
            ^
            Source/JavaScriptCore/API/tests/testapi.mm:106:1: error: default property attrib ute 'assign' not appropriate for non-GC object [-Werror,-Wobjc-property-no-attribute]
            Source/JavaScriptCore/API/tests/testapi.mm:107:1: error: no 'assign', 'retain', or 'copy' attribute is specified - 'assign' is assumed [-Werror,-Wobjc-property-no-attribute]
            @property JSValue *weakOnclick;
            ^
            Source/JavaScriptCore/API/tests/testapi.mm:107:1: error: default property attribute 'assign' not appropriate for non-GC object [-Werror,-Wobjc-property-no-attribute]
            4 errors generated.

        * API/tests/testapi.mm: Default to (assign) for JSValue*
        properties.

2013-03-22  Ryosuke Niwa  <rniwa@webkit.org>

        testLeakingPrototypesAcrossContexts added in r146682 doesn't compile on Win and fails on Mac
        https://bugs.webkit.org/show_bug.cgi?id=113125

        Reviewed by Mark Hahnenberg

        Remove the test added in r146682 as it's now failing on Mac.
        This is the test that was causing a compilation failure on Windows.

        * API/tests/testapi.c:
        (main):

2013-03-22  Ryosuke Niwa  <rniwa@webkit.org>

        Fix the typo: WIN -> WINDOWS.

        * API/tests/testapi.c:
        (main):

2013-03-22  Ryosuke Niwa  <rniwa@webkit.org>

        I really can't figure out what's wrong with this one.
        Temporarily disable the test added by r146682 on Windows since it doesn't compile.

        * API/tests/testapi.c:
        (main):

2013-03-22  Ryosuke Niwa  <rniwa@webkit.org>

        Another build fix (after r146693) for r146682.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:

2013-03-22  Roger Fong  <roger_fong@apple.com>

        Unreviewed. AppleWin build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/copy-files.cmd:
        * JavaScriptCore.vcxproj/copy-files.cmd:

2013-03-22  Mark Hahnenberg  <mhahnenberg@apple.com>

        -[TinyDOMNode dealloc] should call [super dealloc] when ARC is not enabled
        https://bugs.webkit.org/show_bug.cgi?id=113054

        Reviewed by Geoffrey Garen.

        * API/tests/testapi.mm:
        (-[TinyDOMNode dealloc]):

2013-03-22  Mark Hahnenberg  <mhahnenberg@apple.com>

        opaqueJSClassData should be cached on JSGlobalObject, not the JSGlobalData
        https://bugs.webkit.org/show_bug.cgi?id=113086

        Reviewed by Geoffrey Garen.

        opaqueJSClassData stores cached prototypes for JSClassRefs in the C API. It doesn't make sense to 
        share these prototypes within a JSGlobalData across JSGlobalObjects, and in fact doing so will cause 
        a leak of the original JSGlobalObject that these prototypes were created in. Therefore we should move 
        this cache to JSGlobalObject where it belongs and where it won't cause memory leaks.

        * API/JSBase.cpp: Needed to add an extern "C" so that testapi.c can use the super secret GC function.
        * API/JSClassRef.cpp: We now grab the cached context data from the global object rather than the global data.
        (OpaqueJSClass::contextData):
        * API/JSClassRef.h: Remove this header because it's unnecessary and causes circular dependencies.
        * API/tests/testapi.c: Added a new test that makes sure that using the same JSClassRef in two different contexts
        doesn't cause leaks of the original global object.
        (leakFinalize):
        (nestedAllocateObject): This is a hack to bypass the conservative scan of the GC, which was unnecessarily marking
        objects and keeping them alive, ruining the test result.
        (testLeakingPrototypesAcrossContexts):
        (main):
        * API/tests/testapi.mm: extern "C" this so we can continue using it here.
        * runtime/JSGlobalData.cpp: Remove JSClassRef related stuff.
        (JSC::JSGlobalData::~JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        * runtime/JSGlobalObject.h: Add the stuff that JSGlobalData had. We add it to JSGlobalObjectRareData so that 
        clients who don't use the C API don't have to pay the memory cost of this extra HashMap.
        (JSGlobalObject):
        (JSGlobalObjectRareData):
        (JSC::JSGlobalObject::opaqueJSClassData):

2013-03-19  Martin Robinson  <mrobinson@igalia.com>

        [GTK] Add support for building the WebCore bindings to the gyp build
        https://bugs.webkit.org/show_bug.cgi?id=112638

        Reviewed by Nico Weber.

        * JavaScriptCore.gyp/JavaScriptCoreGTK.gyp: Export all include directories to direct
        dependents and fix the indentation of the libjavascriptcore target.

2013-03-21  Filip Pizlo  <fpizlo@apple.com>

        Fix some minor issues in the DFG's profiling of heap accesses
        https://bugs.webkit.org/show_bug.cgi?id=113010

        Reviewed by Goeffrey Garen.
        
        1) If a CodeBlock gets jettisoned by GC, we should count the exit sites.

        2) If a CodeBlock clears a structure stub during GC, it should record this, and
        the DFG should prefer to not inline that access (i.e. treat it as if it had an
        exit site).

        3) If a PutById was seen by the baseline JIT, and the JIT attempted to cache it,
        but it chose not to, then assume that it will take slow path.

        4) If we frequently exited because of a structure check on a weak constant,
        don't try to inline that access in the future.

        5) Treat all exits that were counted as being frequent.
        
        81% speed-up on Octane/gbemu. Small speed-ups elsewhere, and no regressions.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC):
        (JSC::CodeBlock::resetStubDuringGCInternal):
        (JSC::CodeBlock::reoptimize):
        (JSC::CodeBlock::jettison):
        (JSC::ProgramCodeBlock::jettisonImpl):
        (JSC::EvalCodeBlock::jettisonImpl):
        (JSC::FunctionCodeBlock::jettisonImpl):
        (JSC::CodeBlock::tallyFrequentExitSites):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        (JSC::CodeBlock::tallyFrequentExitSites):
        (ProgramCodeBlock):
        (EvalCodeBlock):
        (FunctionCodeBlock):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFor):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::StructureStubInfo):
        (StructureStubInfo):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::considerAddingAsFrequentExitSiteSlow):
        * dfg/DFGOSRExit.h:
        (JSC::DFG::OSRExit::considerAddingAsFrequentExitSite):
        (OSRExit):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/Options.h:
        (JSC):

2013-03-22  Filip Pizlo  <fpizlo@apple.com>

        DFG folding of PutById to SimpleReplace should consider the specialized function case
        https://bugs.webkit.org/show_bug.cgi?id=113093

        Reviewed by Geoffrey Garen and Mark Hahnenberg.

        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):

2013-03-22  David Kilzer  <ddkilzer@apple.com>

        BUILD FIX (r146558): Build testapi.mm with ARC enabled for armv7s
        <http://webkit.org/b/112608>

        Fixes the following build failure:

            Source/JavaScriptCore/API/tests/testapi.mm:205:1: error: method possibly missing a [super dealloc] call [-Werror,-Wobjc-missing-super-calls]
            }
            ^
            1 error generated.

        * Configurations/ToolExecutable.xcconfig: Enable ARC for armv7s
        architecture.

2013-03-22  David Kilzer  <ddkilzer@apple.com>

        Revert "BUILD FIX (r146558): Call [super dealloc] from -[TinyDOMNode dealloc]"

        This fixes a build failure introduced by this change:

            Source/JavaScriptCore/API/tests/testapi.mm:206:6: error: ARC forbids explicit message send of 'dealloc'
                [super dealloc];
                 ^     ~~~~~~~
            1 error generated.

        Not sure why this didn't fail locally on my Mac Pro.

        * API/tests/testapi.mm:
        (-[TinyDOMNode dealloc]): Remove call to [super dealloc].

2013-03-22  David Kilzer  <ddkilzer@apple.com>

        BUILD FIX (r146558): Call [super dealloc] from -[TinyDOMNode dealloc]
        <http://webkit.org/b/112608>

        Fixes the following build failure:

            Source/JavaScriptCore/API/tests/testapi.mm:205:1: error: method possibly missing a [super dealloc] call [-Werror,-Wobjc-missing-super-calls]
            }
            ^
            1 error generated.

        * API/tests/testapi.mm:
        (-[TinyDOMNode dealloc]): Call [super dealloc].

2013-03-22  Ryosuke Niwa  <rniwa@webkit.org>

        Leak bots erroneously report JSC::WatchpointSet as leaking
        https://bugs.webkit.org/show_bug.cgi?id=107781

        Reviewed by Filip Pizlo.

        Since leaks doesn't support tagged pointers, avoid using it by flipping the bit flag to indicate
        the entry is "fat". We set the flag when the entry is NOT fat; i.e. slim.

        Replaced FatFlag by SlimFlag and initialized m_bits with this flag to indicate that the entry is
        initially "slim".

        * runtime/SymbolTable.cpp:
        (JSC::SymbolTableEntry::copySlow): Don't set FatFlag since it has been replaced by SlimFlag.
        (JSC::SymbolTableEntry::inflateSlow): Ditto.

        * runtime/SymbolTable.h:
        (JSC::SymbolTableEntry::Fast::Fast): Set SlimFlag by default.
        (JSC::SymbolTableEntry::Fast::isNull): Ignore SlimFlag.
        (JSC::SymbolTableEntry::Fast::isFat): An entry is fat when m_bits is not entirely zero and SlimFlag
        is not set.

        (JSC::SymbolTableEntry::SymbolTableEntry): Set SlimFlag by default.
        (JSC::SymbolTableEntry::SymbolTableEntry::getFast): Set SlimFlag when creating Fast from a fat entry.
        (JSC::SymbolTableEntry::isNull): Ignore SlimFlag.
        (JSC::SymbolTableEntry::FatEntry::FatEntry): Strip SlimFlag.
        (JSC::SymbolTableEntry::isFat): An entry is fat when m_bits is not entirely zero and SlimFlag is unset.
        (JSC::SymbolTableEntry::fatEntry): Don't strip FatFlag as this flag doesn't exist anymore.
        (JSC::SymbolTableEntry::pack): Preserve SlimFlag.

        (JSC::SymbolTableIndexHashTraits): empty value is no longer zero so don't set emptyValueIsZero true.

2013-03-21  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: Need a good way to preserve custom properties on JS wrappers
        https://bugs.webkit.org/show_bug.cgi?id=112608

        Reviewed by Geoffrey Garen.

        Currently, we just use a weak map, which means that garbage collection can cause a wrapper to 
        disappear if it isn't directly exported to JavaScript.

        The most straightforward and safe way (with respect to garbage collection and concurrency) is to have 
        clients add and remove their external references along with their owners. Effectively, the client is 
        recording the structure of the external object graph so that the garbage collector can make sure to 
        mark any wrappers that are reachable through either the JS object graph of the external Obj-C object 
        graph. By keeping these wrappers alive, this has the effect that custom properties on these wrappers 
        will also remain alive.

        The rule for if an object needs to be tracked by the runtime (and therefore whether the client should report it) is as follows:
        For a particular object, its references to its children should be added if:
        1. The child is referenced from JavaScript.
        2. The child contains references to other objects for which (1) or (2) are true.

        * API/JSAPIWrapperObject.mm:
        (JSAPIWrapperObjectHandleOwner::finalize):
        (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots): A wrapper object is kept alive only if its JSGlobalObject
        is marked and its corresponding Objective-C object was added to the set of opaque roots.
        (JSC::JSAPIWrapperObject::visitChildren): We now call out to scanExternalObjectGraph, which handles adding all Objective-C
        objects to the set of opaque roots.
        * API/JSAPIWrapperObject.h:
        (JSAPIWrapperObject):
        * API/JSContext.mm: Moved dealloc to its proper place in the main implementation.
        (-[JSContext dealloc]):
        * API/JSVirtualMachine.h:
        * API/JSVirtualMachine.mm:
        (-[JSVirtualMachine initWithContextGroupRef:]):
        (-[JSVirtualMachine dealloc]):
        (getInternalObjcObject): Helper funciton to get the Objective-C object out of JSManagedValues or JSValues if there is one.
        (-[JSVirtualMachine addManagedReference:withOwner:]): Adds the Objective-C object to the set of objects 
        owned by the owner object in that particular virtual machine.
        (-[JSVirtualMachine removeManagedReference:withOwner:]): Removes the relationship between the two objects.
        (-[JSVirtualMachine externalObjectGraph]):
        (scanExternalObjectGraph): Does a depth-first search of the external object graph in a particular virtual machine starting at
        the specified root. Each new object it encounters it adds to the set of opaque roots. These opaque roots will keep their 
        corresponding wrapper objects alive if they have them. 
        * API/JSManagedReferenceInternal.h: Added.
        * API/JSVirtualMachine.mm: Added the per-JSVirtualMachine map between objects and the objects they own, which is more formally
        known as that virtual machine's external object graph.
        * API/JSWrapperMap.mm:
        (-[JSWrapperMap dealloc]): We were leaking this before :-(
        (-[JSVirtualMachine initWithContextGroupRef:]):
        (-[JSVirtualMachine dealloc]):
        (-[JSVirtualMachine externalObjectGraph]):
        * API/JSVirtualMachineInternal.h:
        * API/tests/testapi.mm: Added two new tests using the TinyDOMNode class. The first tests that a custom property added to a wrapper 
        doesn't vanish after GC, even though that wrapper isn't directly accessible to the JS garbage collector but is accessible through 
        the external Objective-C object graph. The second test makes sure that adding an object to the external object graph with the same 
        owner doesn't cause any sort of problems.
        (+[TinyDOMNode sharedVirtualMachine]):
        (-[TinyDOMNode init]):
        (-[TinyDOMNode dealloc]):
        (-[TinyDOMNode appendChild:]):
        (-[TinyDOMNode numberOfChildren]):
        (-[TinyDOMNode childAtIndex:]):
        (-[TinyDOMNode removeChildAtIndex:]):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/SlotVisitor.h:
        (SlotVisitor):
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::containsOpaqueRootTriState): Added a new method to SlotVisitor to allow scanExternalObjectGraph to have a 
        thread-safe view of opaque roots during parallel marking. The set of opaque roots available to any one SlotVisitor isn't guaranteed
        to be 100% correct, but that just results in a small duplication of work in scanExternalObjectGraph. To indicate this change for
        false negatives we return a TriState that's either true or mixed, but never false.

2013-03-21  Mark Lam  <mark.lam@apple.com>

        Fix O(n^2) op_debug bytecode charPosition to column computation.
        https://bugs.webkit.org/show_bug.cgi?id=112957.

        Reviewed by Geoffrey Garen.

        The previous algorithm does a linear reverse scan of the source string
        to find the line start for any given char position. This results in a
        O(n^2) algortithm when the source string has no line breaks.

        The new algorithm computes a line start column table for a
        SourceProvider on first use. This line start table is used to fix up
        op_debug's charPosition operand into a column operand when an
        UnlinkedCodeBlock is linked into a CodeBlock. The initialization of
        the line start table is O(n), and the CodeBlock column fix up is
        O(log(n)).

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode): 
        (JSC::CodeBlock::CodeBlock): - do column fix up.
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::debug): - no need to do column fixup anymore.
        * interpreter/Interpreter.h:
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * parser/SourceProvider.cpp:
        (JSC::SourceProvider::lineStarts):
        (JSC::charPositionExtractor):
        (JSC::SourceProvider::charPositionToColumnNumber):
        - initialize line start column table if needed.
        - look up line start for the given char position.
        * parser/SourceProvider.h:

2013-03-21  Filip Pizlo  <fpizlo@apple.com>

        JSC profiler should have an at-a-glance report of the success of DFG optimization
        https://bugs.webkit.org/show_bug.cgi?id=112988

        Reviewed by Geoffrey Garen.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * profiler/ProfilerCompilation.cpp:
        (JSC::Profiler::Compilation::Compilation):
        (JSC::Profiler::Compilation::toJS):
        * profiler/ProfilerCompilation.h:
        (JSC::Profiler::Compilation::noticeInlinedGetById):
        (JSC::Profiler::Compilation::noticeInlinedPutById):
        (JSC::Profiler::Compilation::noticeInlinedCall):
        (Compilation):
        * runtime/CommonIdentifiers.h:

2013-03-21  Mark Lam  <mark.lam@apple.com>

        Fix lexer charPosition computation when "rewind"ing the lexer.
        https://bugs.webkit.org/show_bug.cgi?id=112952.

        Reviewed by Michael Saboff.

        Changed the Lexer to no longer keep a m_charPosition. Instead, we compute
        currentCharPosition() from m_code and m_codeStartPlusOffset, where
        m_codeStartPlusOffset is the SourceProvider m_codeStart + the SourceCode
        start offset. This ensures that the charPosition is always in sync with
        m_code.

        * parser/Lexer.cpp:
        (JSC::::setCode):
        (JSC::::internalShift):
        (JSC::::shift):
        (JSC::::lex):
        * parser/Lexer.h:
        (JSC::Lexer::currentCharPosition):
        (JSC::::lexExpectIdentifier):

2013-03-21  Alberto Garcia  <agarcia@igalia.com>

        [BlackBerry] GCActivityCallback: replace JSLock with JSLockHolder
        https://bugs.webkit.org/show_bug.cgi?id=112448

        Reviewed by Xan Lopez.

        This changed in r121381.

        * runtime/GCActivityCallbackBlackBerry.cpp:
        (JSC::DefaultGCActivityCallback::doWork):

2013-03-21  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: wrapperClass holds a static JSClassRef, which causes JSGlobalObjects to leak
        https://bugs.webkit.org/show_bug.cgi?id=112856

        Reviewed by Geoffrey Garen.

        Through a very convoluted path that involves the caching of prototypes on the JSClassRef, we can leak 
        JSGlobalObjects when inserting an Objective-C object into multiple independent JSContexts.

        * API/JSAPIWrapperObject.cpp: Removed.
        * API/JSAPIWrapperObject.h:
        (JSAPIWrapperObject):
        * API/JSAPIWrapperObject.mm: Copied from Source/JavaScriptCore/API/JSAPIWrapperObject.cpp. Made this an
        Objective-C++ file so that we can call release on the wrappedObject. Also added a WeakHandleOwner for 
        JSAPIWrapperObjects. This will also be used in a future patch for https://bugs.webkit.org/show_bug.cgi?id=112608.
        (JSAPIWrapperObjectHandleOwner):
        (jsAPIWrapperObjectHandleOwner):
        (JSAPIWrapperObjectHandleOwner::finalize): This finalize replaces the old finalize that was done through
        the C API.
        (JSC::JSAPIWrapperObject::finishCreation): Allocate the WeakImpl. Balanced in finalize.
        (JSC::JSAPIWrapperObject::setWrappedObject): We now do the retain of the wrappedObject here rather than in random
        places scattered around JSWrapperMap.mm
        * API/JSObjectRef.cpp: Added some ifdefs for platforms that don't support the Obj-C API.
        (JSObjectGetPrivate): Ditto.
        (JSObjectSetPrivate): Ditto.
        (JSObjectGetPrivateProperty): Ditto.
        (JSObjectSetPrivateProperty): Ditto.
        (JSObjectDeletePrivateProperty): Ditto.
        * API/JSValueRef.cpp: Ditto.
        (JSValueIsObjectOfClass): Ditto.
        * API/JSWrapperMap.mm: Remove wrapperClass().
        (objectWithCustomBrand): Change to no longer use a parent class, which was only used to give the ability to 
        finalize wrapper objects.
        (-[JSObjCClassInfo initWithContext:forClass:superClassInfo:]): Change to no longer use wrapperClass(). 
        (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]): Ditto.
        (tryUnwrapObjcObject): We now check if the object inherits from JSAPIWrapperObject.
        * API/tests/testapi.mm: Added a test that exports an Objective-C object to two different JSContexts and makes 
        sure that the first one is collected properly by using a weak JSManagedValue for the wrapper in the first JSContext.
        * CMakeLists.txt: Build file modifications.
        * GNUmakefile.list.am: Ditto.
        * JavaScriptCore.gypi: Ditto.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj: Ditto.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Ditto.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
        * JavaScriptCore.xcodeproj/project.pbxproj: Ditto.
        * runtime/JSGlobalObject.cpp: More ifdefs for unsupported platforms.
        (JSC::JSGlobalObject::reset): Ditto.
        (JSC::JSGlobalObject::visitChildren): Ditto.
        * runtime/JSGlobalObject.h: Ditto.
        (JSGlobalObject): Ditto.
        (JSC::JSGlobalObject::objcCallbackFunctionStructure): Ditto.

2013-03-21  Anton Muhin  <antonm@chromium.org>

        Unreviewed, rolling out r146483.
        http://trac.webkit.org/changeset/146483
        https://bugs.webkit.org/show_bug.cgi?id=111695

        Breaks debug builds.

        * bytecode/GlobalResolveInfo.h: Removed property svn:mergeinfo.

2013-03-21  Gabor Rapcsanyi  <rgabor@webkit.org>

        Implement LLInt for CPU(ARM_TRADITIONAL)
        https://bugs.webkit.org/show_bug.cgi?id=97589

        Reviewed by Zoltan Herczeg.

        Enable LLInt for ARMv5 and ARMv7 traditional as well.

        * llint/LLIntOfflineAsmConfig.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * offlineasm/arm.rb:
        * offlineasm/backends.rb:
        * offlineasm/instructions.rb:

2013-03-20  Cosmin Truta  <ctruta@blackberry.com>

        [QNX][ARM] REGRESSION(r135330): Various failures in Octane
        https://bugs.webkit.org/show_bug.cgi?id=112863

        Reviewed by Yong Li.

        This was fixed in http://trac.webkit.org/changeset/146396 on Linux only.
        Enable this fix on QNX.

        * assembler/ARMv7Assembler.h:
        (ARMv7Assembler):
        (JSC::ARMv7Assembler::replaceWithJump):
        (JSC::ARMv7Assembler::maxJumpReplacementSize):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::revertJumpReplacementToBranchPtrWithPatch):

2013-03-20  Filip Pizlo  <fpizlo@apple.com>

        Fix indentation of JSString.h

        Rubber stamped by Mark Hahnenberg.

        * runtime/JSString.h:

2013-03-20  Filip Pizlo  <fpizlo@apple.com>

        "" + x where x is not a string should be optimized by the DFG to some manner of ToString conversion
        https://bugs.webkit.org/show_bug.cgi?id=112845

        Reviewed by Mark Hahnenberg.
        
        I like to do "" + x. So I decided to make DFG recognize it, and related idioms.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupToPrimitive):
        (FixupPhase):
        (JSC::DFG::FixupPhase::fixupToString):
        (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::resultOfToPrimitive):
        (DFG):
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGPredictionPropagationPhase.h:
        (DFG):

2013-03-20  Zoltan Herczeg  <zherczeg@webkit.org>

        ARMv7 replaceWithJump ASSERT failure after r135330.
        https://bugs.webkit.org/show_bug.cgi?id=103146

        Reviewed by Filip Pizlo.

        On Linux, the 24 bit distance range of jumps sometimes does not
        enough to cover all targets addresses. This patch supports jumps
        outside of this range using a mov/movt/bx 10 byte long sequence.

        * assembler/ARMv7Assembler.h:
        (ARMv7Assembler):
        (JSC::ARMv7Assembler::revertJumpTo_movT3movtcmpT2):
        (JSC::ARMv7Assembler::nopw):
        (JSC::ARMv7Assembler::label):
        (JSC::ARMv7Assembler::replaceWithJump):
        (JSC::ARMv7Assembler::maxJumpReplacementSize):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::revertJumpReplacementToBranchPtrWithPatch):

2013-03-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: Fix over-releasing in allocateConstructorAndPrototypeWithSuperClassInfo:
        https://bugs.webkit.org/show_bug.cgi?id=112832

        Reviewed by Geoffrey Garen.

        If either the m_constructor or m_prototype (but not both) is collected, we will call 
        allocateConstructorAndPrototypeWithSuperClassInfo, which will create a new object to replace the one 
        that was collected, but at the end of the method we call release on both of them. 
        This is incorrect since we autorelease the JSValue in the case that the object doesn't need to be 
        reallocated. Thus we'll end up overreleasing later during the drain of the autorelease pool.

        * API/JSWrapperMap.mm:
        (objectWithCustomBrand): We no longer alloc here. We instead call the JSValue valueWithValue class method,
        which autoreleases for us.
        (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]): We no longer call release on the 
        constructor or prototype JSValues.
        * API/tests/testapi.mm: Added a new test that crashes on ToT due to over-releasing.

2013-03-19  Filip Pizlo  <fpizlo@apple.com>

        It's called "Hash Consing" not "Hash Consting"
        https://bugs.webkit.org/show_bug.cgi?id=112768

        Rubber stamped by Mark Hahnenberg.
        
        See http://en.wikipedia.org/wiki/Hash_consing

        * heap/GCThreadSharedData.cpp:
        (JSC::GCThreadSharedData::GCThreadSharedData):
        (JSC::GCThreadSharedData::reset):
        * heap/GCThreadSharedData.h:
        (GCThreadSharedData):
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::SlotVisitor):
        (JSC::SlotVisitor::setup):
        (JSC::SlotVisitor::reset):
        (JSC::JSString::tryHashConsLock):
        (JSC::JSString::releaseHashConsLock):
        (JSC::JSString::shouldTryHashCons):
        (JSC::SlotVisitor::internalAppend):
        * heap/SlotVisitor.h:
        (SlotVisitor):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        (JSC::JSGlobalData::haveEnoughNewStringsToHashCons):
        (JSC::JSGlobalData::resetNewStringsSinceLastHashCons):
        * runtime/JSString.h:
        (JSC::JSString::finishCreation):
        (JSString):
        (JSC::JSString::isHashConsSingleton):
        (JSC::JSString::clearHashConsSingleton):
        (JSC::JSString::setHashConsSingleton):

2013-03-20  Filip Pizlo  <fpizlo@apple.com>

        DFG implementation of op_strcat should inline rope allocations
        https://bugs.webkit.org/show_bug.cgi?id=112780

        Reviewed by Oliver Hunt.
        
        This gets rid of the StrCat node and adds a MakeRope node. The MakeRope node can
        take either two or three operands, and allocates a rope string with either two or
        three fibers. (The magic choice of three children for non-VarArg nodes happens to
        match exactly with the magic choice of three fibers for rope strings.)
        
        ValueAdd on KnownString is replaced with MakeRope with two children.
        
        StrCat gets replaced by an appropriate sequence of MakeRope's.
        
        MakeRope does not do the dynamic check to see if its children are empty strings.
        This is replaced by a static check, instead. The downside is that we may use more
        memory if the strings passed to MakeRope turn out to dynamically be empty. The
        upside is that we do fewer checks in the cases where either the strings are not
        empty, or where the strings are statically known to be empty. I suspect both of
        those cases are more common, than the case where the string is dynamically empty.
        
        This also results in some badness for X86. MakeRope needs six registers if it is
        allocating a three-rope. We don't have six registers to spare on X86. Currently,
        the code side-steps this problem by just never usign three-ropes in optimized
        code on X86. All other architectures, including X86_64, don't have this problem.
        
        This is a shocking speed-up. 9% progressions on both V8/splay and
        SunSpider/date-format-xparb. 1% progression on V8v7 overall, and ~0.5% progression
        on SunSpider. 2x speed-up on microbenchmarks that test op_strcat.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::executeEffects):
        * dfg/DFGAdjacencyList.h:
        (AdjacencyList):
        (JSC::DFG::AdjacencyList::removeEdge):
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::removeArgumentsReferencingPhantomChild):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::putStructureStoreElimination):
        (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::eliminateIrrelevantPhantomChildren):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::createToString):
        (JSC::DFG::FixupPhase::attemptToForceStringArrayModeByToStringConversion):
        (JSC::DFG::FixupPhase::convertStringAddUse):
        (FixupPhase):
        (JSC::DFG::FixupPhase::convertToMakeRope):
        (JSC::DFG::FixupPhase::fixupMakeRope):
        (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileAdd):
        (JSC::DFG::SpeculativeJIT::compileMakeRope):
        (DFG):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        (SpeculativeJIT):
        (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand):
        (JSC::DFG::SpeculateCellOperand::~SpeculateCellOperand):
        (JSC::DFG::SpeculateCellOperand::gpr):
        (JSC::DFG::SpeculateCellOperand::use):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/JSString.h:
        (JSRopeString):

2013-03-20  Peter Gal  <galpeter@inf.u-szeged.hu>

        Implement and32 on MIPS platform
        https://bugs.webkit.org/show_bug.cgi?id=112665

        Reviewed by Zoltan Herczeg.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::and32): Added missing method.
        (MacroAssemblerMIPS):

2013-03-20  Mark Lam  <mark.lam@apple.com>

        Fix incorrect debugger column number value.
        https://bugs.webkit.org/show_bug.cgi?id=112741.

        Reviewed by Oliver Hunt.

        1. In lexer, parser, and debugger code, renamed column to charPosition.
        2. Convert the charPosition to the equivalent column number before
           passing it to the debugger.
        3. Changed ScopeNodes to take both a startLocation and an endLocation.
           This allows FunctionBodyNodes, ProgramNodes, and EvalNodess to emit
           correct debug hooks with correct starting line and column numbers.
        4. Fixed the Lexer to not reset the charPosition (previously
           columnNumber) in Lexer::lex().

        * JavaScriptCore.order:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitDebugHook):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::emitExpressionInfo):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ArrayNode::toArgumentList):
        (JSC::ConstStatementNode::emitBytecode):
        (JSC::EmptyStatementNode::emitBytecode):
        (JSC::DebuggerStatementNode::emitBytecode):
        (JSC::ExprStatementNode::emitBytecode):
        (JSC::VarStatementNode::emitBytecode):
        (JSC::IfNode::emitBytecode):
        (JSC::IfElseNode::emitBytecode):
        (JSC::DoWhileNode::emitBytecode):
        (JSC::WhileNode::emitBytecode):
        (JSC::ForNode::emitBytecode):
        (JSC::ForInNode::emitBytecode):
        (JSC::ContinueNode::emitBytecode):
        (JSC::BreakNode::emitBytecode):
        (JSC::ReturnNode::emitBytecode):
        (JSC::WithNode::emitBytecode):
        (JSC::SwitchNode::emitBytecode):
        (JSC::LabelNode::emitBytecode):
        (JSC::ThrowNode::emitBytecode):
        (JSC::TryNode::emitBytecode):
        (JSC::ProgramNode::emitBytecode):
        (JSC::EvalNode::emitBytecode):
        (JSC::FunctionBodyNode::emitBytecode):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::debug):
        - convert charPosition to column for the debugger.
        * interpreter/Interpreter.h:
        * jit/JITStubs.cpp:
        (DEFINE_STUB_FUNCTION(void, op_debug)):
        * llint/LLIntSlowPaths.cpp:
        (LLINT_SLOW_PATH_DECL(slow_op_debug)):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createFunctionExpr):
        (JSC::ASTBuilder::createFunctionBody):
        (JSC::ASTBuilder::createGetterOrSetterProperty):
        (JSC::ASTBuilder::createFuncDeclStatement):
        (JSC::ASTBuilder::createBlockStatement):
        (JSC::ASTBuilder::createExprStatement):
        (JSC::ASTBuilder::createIfStatement):
        (JSC::ASTBuilder::createForLoop):
        (JSC::ASTBuilder::createForInLoop):
        (JSC::ASTBuilder::createVarStatement):
        (JSC::ASTBuilder::createReturnStatement):
        (JSC::ASTBuilder::createBreakStatement):
        (JSC::ASTBuilder::createContinueStatement):
        (JSC::ASTBuilder::createTryStatement):
        (JSC::ASTBuilder::createSwitchStatement):
        (JSC::ASTBuilder::createWhileStatement):
        (JSC::ASTBuilder::createDoWhileStatement):
        (JSC::ASTBuilder::createWithStatement):
        (JSC::ASTBuilder::createThrowStatement):
        (JSC::ASTBuilder::createDebugger):
        (JSC::ASTBuilder::createConstStatement):
        * parser/Lexer.cpp:
        (JSC::::setCode):
        (JSC::::internalShift):
        (JSC::::shift):
        (JSC::::lex):
        * parser/Lexer.h:
        (JSC::Lexer::currentCharPosition):
        (Lexer):
        (JSC::::lexExpectIdentifier):
        * parser/NodeConstructors.h:
        (JSC::Node::Node):
        * parser/Nodes.cpp:
        (JSC::StatementNode::setLoc):
        (JSC::ScopeNode::ScopeNode):
        (JSC::ProgramNode::ProgramNode):
        (JSC::ProgramNode::create):
        (JSC::EvalNode::EvalNode):
        (JSC::EvalNode::create):
        (JSC::FunctionBodyNode::FunctionBodyNode):
        (JSC::FunctionBodyNode::create):
        * parser/Nodes.h:
        (JSC::Node::charPosition):
        (Node):
        (StatementNode):
        (JSC::StatementNode::lastLine):
        (ScopeNode):
        (JSC::ScopeNode::startLine):
        (JSC::ScopeNode::startCharPosition):
        (ProgramNode):
        (EvalNode):
        (FunctionBodyNode):
        * parser/Parser.cpp:
        (JSC::::Parser):
        (JSC::::parseFunctionBody):
        (JSC::::parseFunctionInfo):
        * parser/Parser.h:
        (JSC::::parse):
        * parser/ParserTokens.h:
        (JSC::JSTokenLocation::JSTokenLocation):
        (JSTokenLocation):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createFunctionBody):

2013-03-20  Csaba Osztrogonác  <ossy@webkit.org>

        REGRESSION(r146089): It broke 20 sputnik tests on ARM traditional and Thumb2
        https://bugs.webkit.org/show_bug.cgi?id=112676

        Rubber-stamped by Filip Pizlo.

        Add one more EABI_32BIT_DUMMY_ARG to make DFG JIT ARM EABI compatible
        again after r146089 similar to https://bugs.webkit.org/show_bug.cgi?id=84449

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):

2013-03-19  Michael Saboff  <msaboff@apple.com>

        Crash when loading http://www.jqchart.com/jquery/gauges/RadialGauge/LiveData
        https://bugs.webkit.org/show_bug.cgi?id=112694

        Reviewed by Filip Pizlo.

        We were trying to convert an NewArray to a Phantom, but convertToPhantom doesn't handle
        nodes with variable arguments.  Added code to insert a Phantom node in front of all the
        live children of a var args node.  Added ASSERT not var args for convertToPhantom to
        catch any other similar cases.  Added a new convertToPhantomUnchecked() for converting 
        var arg nodes.

        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::run):
        * dfg/DFGNode.h:
        (Node):
        (JSC::DFG::Node::setOpAndDefaultNonExitFlags): Added ASSERT(!(m_flags & NodeHasVarArgs))
        (JSC::DFG::Node::setOpAndDefaultNonExitFlagsUnchecked):
        (JSC::DFG::Node::convertToPhantomUnchecked):

2013-03-19  Mark Hahnenberg  <mhahnenberg@apple.com>

        Crash in SpeculativeJIT::fillSpeculateIntInternal<false> on http://bellard.org/jslinux
        https://bugs.webkit.org/show_bug.cgi?id=112738

        Reviewed by Filip Pizlo.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixIntEdge): We shouldn't be killing this node because it could be
        referenced by other people.

2013-03-19  Oliver Hunt  <oliver@apple.com>

        RELEASE_ASSERT fires in exception handler lookup

        RS=Geoff Garen.

        Temporarily switch this RELEASE_ASSERT into a regular ASSERT 
        as currently this is producing fairly bad crashiness.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::handlerForBytecodeOffset):

2013-03-18  Filip Pizlo  <fpizlo@apple.com>

        DFG should optimize StringObject.length and StringOrStringObject.length
        https://bugs.webkit.org/show_bug.cgi?id=112658

        Reviewed by Mark Hahnenberg.
        
        Implemented by injecting a ToString(StringObject:@a) or ToString(StringOrStringObject:@a) prior
        to GetArrayLength with ArrayMode(Array::String) if @a is predicted StringObject or
        StringOrStringObject.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::createToString):
        (FixupPhase):
        (JSC::DFG::FixupPhase::attemptToForceStringArrayModeByToStringConversion):
        (JSC::DFG::FixupPhase::convertStringAddUse):

2013-03-19  Gabor Rapcsanyi  <rgabor@webkit.org>

        Implement and32 on ARMv7 and ARM traditional platforms
        https://bugs.webkit.org/show_bug.cgi?id=112663

        Reviewed by Zoltan Herczeg.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::and32): Add missing method.
        (MacroAssemblerARM):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::and32): Add missing method.
        (MacroAssemblerARMv7):

2013-03-18  Filip Pizlo  <fpizlo@apple.com>

        DFG ToString generic cases should work correctly
        https://bugs.webkit.org/show_bug.cgi?id=112654
        <rdar://problem/13447250>

        Reviewed by Geoffrey Garen.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-03-18  Michael Saboff  <msaboff@apple.com>

        Unreviewed build fix for 32 bit builds.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-03-18  Michael Saboff  <msaboff@apple.com>

        EFL: Unsafe branch detected in compilePutByValForFloatTypedArray()
        https://bugs.webkit.org/show_bug.cgi?id=112609

        Reviewed by Geoffrey Garen.

        Created local valueFPR and scratchFPR and filled them with valueOp.fpr() and scratch.fpr()
        respectively so that if valueOp.fpr() causes a spill during allocation, it occurs before the
        branch and also to follow convention.  Added register allocation checks to FPRTemporary.
        Cleaned up a couple of other places to follow the "AllocatVirtualRegType foo, get machine
        reg from foo" pattern.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::fprAllocate):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::convertToDouble):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-03-18  Filip Pizlo  <fpizlo@apple.com>

        DFG should inline binary string concatenations (i.e. ValueAdd with string children)
        https://bugs.webkit.org/show_bug.cgi?id=112599

        Reviewed by Oliver Hunt.
        
        This does as advertised: if you do x + y where x and y are strings, you'll get
        a fast inlined JSRopeString allocation (along with whatever checks are necessary).
        It also does good things if either x or y (or both) are StringObjects, or some
        other thing like StringOrStringObject. It also lays the groundwork for making this
        fast if either x or y are numbers, or some other reasonably-cheap-to-convert
        value.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::executeEffects):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (FixupPhase):
        (JSC::DFG::FixupPhase::isStringObjectUse):
        (JSC::DFG::FixupPhase::convertStringAddUse):
        (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileAdd):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
        (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
        * runtime/JSString.h:
        (JSC::JSString::offsetOfFlags):
        (JSString):
        (JSRopeString):
        (JSC::JSRopeString::offsetOfFibers):

2013-03-18  Filip Pizlo  <fpizlo@apple.com>

        JSC_NATIVE_FUNCTION() takes an identifier for the name and then uses #name, which is unsafe if name was already #define'd to something else
        https://bugs.webkit.org/show_bug.cgi?id=112639

        Reviewed by Michael Saboff.
        
        Change it to take a string instead.

        * runtime/JSObject.h:
        (JSC):
        * runtime/ObjectPrototype.cpp:
        (JSC::ObjectPrototype::finishCreation):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):

2013-03-18  Brent Fulgham  <bfulgham@webkit.org>

        [WinCairo] Get build working under VS2010.
        https://bugs.webkit.org/show_bug.cgi?id=112604

        Reviewed by Tim Horton.

        * JavaScriptCore.vcxproj/testapi/testapi.vcxproj: Use CFLite-specific
        build target (standard version links against CoreFoundation.lib
        instead of CFLite.lib).
        * JavaScriptCore.vcxproj/testapi/testapiCommonCFLite.props: Added.
        * JavaScriptCore.vcxproj/testapi/testapiDebugCFLite.props: Added.
        * JavaScriptCore.vcxproj/testapi/testapiReleaseCFLite.props: Added.

2013-03-18  Roger Fong  <roger_fong@apple.com>

        AppleWin VS2010 Debug configuration build fix..

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:

2013-03-18  Brent Fulgham  <bfulgham@webkit.org>

        [WinCairo] Get build working under VS2010.
        https://bugs.webkit.org/show_bug.cgi?id=112604

        Reviewed by Tim Horton.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add build targets for
        Debug_WinCairo and Release_WinCairo using CFLite.
        * JavaScriptCore.vcxproj/JavaScriptCoreCFLite.props: Added.
        * JavaScriptCore.vcxproj/JavaScriptCoreDebugCFLite.props: Added.
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj:
        Add Debug_WinCairo and Release_WinCairo build targets to
        make sure headers are copied to proper build folder.
        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj: Ditto.
        * JavaScriptCore.vcxproj/JavaScriptCoreReleaseCFLite.props: Added.
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
        Add Debug_WinCairo and Release_WinCairo build targets to
        make sure headers are copied to proper build folder.
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
        Ditto.
        * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
        Ditto.
        * JavaScriptCore.vcxproj/jsc/jsc.vcxproj: Ditto.
        * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj: Ditto.
        * JavaScriptCore.vcxproj/testapi/testapi.vcxproj: Ditto.

2013-03-18  Michael Saboff  <msaboff@apple.com>

        Potentially unsafe register allocations in DFG code generation
        https://bugs.webkit.org/show_bug.cgi?id=112477

        Reviewed by Geoffrey Garen.

        Moved allocation of temporary GPRs to be before any generated branches in the functions below.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):

2013-03-15  Filip Pizlo  <fpizlo@apple.com>

        DFG string conversions and allocations should be inlined
        https://bugs.webkit.org/show_bug.cgi?id=112376

        Reviewed by Geoffrey Garen.
        
        This turns new String(), String(), String.prototype.valueOf(), and
        String.prototype.toString() into intrinsics. It gives the DFG the ability to handle
        conversions from StringObject to JSString and vice-versa, and also gives it the
        ability to handle cases where a variable may be either a StringObject or a JSString.
        To do this, I added StringObject to value profiling (and removed the stale
        distinction between Myarguments and Foreignarguments). I also cleaned up ToPrimitive
        handling, using some of the new functionality but also taking advantage of the
        existence of Identity(String:@a).
        
        This is a 2% SunSpider speed-up. Also there are some speed-ups on V8v7 and Kraken.
        On microbenchmarks that stress new String() this is a 14x speed-up.

        * CMakeLists.txt:
        * DerivedSources.make:
        * DerivedSources.pri:
        * GNUmakefile.list.am:
        * bytecode/CodeBlock.h:
        (CodeBlock):
        (JSC::CodeBlock::hasExitSite):
        (JSC):
        * bytecode/DFGExitProfile.cpp:
        (JSC::DFG::ExitProfile::hasExitSite):
        (DFG):
        * bytecode/DFGExitProfile.h:
        (ExitProfile):
        (JSC::DFG::ExitProfile::hasExitSite):
        * bytecode/ExitKind.cpp:
        (JSC::exitKindToString):
        * bytecode/ExitKind.h:
        * bytecode/SpeculatedType.cpp:
        (JSC::dumpSpeculation):
        (JSC::speculationToAbbreviatedString):
        (JSC::speculationFromClassInfo):
        * bytecode/SpeculatedType.h:
        (JSC):
        (JSC::isStringObjectSpeculation):
        (JSC::isStringOrStringObjectSpeculation):
        * create_hash_table:
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::executeEffects):
        * dfg/DFGAbstractState.h:
        (JSC::DFG::AbstractState::filterEdgeByUse):
        * dfg/DFGByteCodeParser.cpp:
        (ByteCodeParser):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::emitArgumentPhantoms):
        (DFG):
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::putStructureStoreElimination):
        * dfg/DFGEdge.h:
        (JSC::DFG::Edge::shift):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
        (FixupPhase):
        (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
        (JSC::DFG::FixupPhase::observeUseKindOnNode):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::hasGlobalExitSite):
        (Graph):
        (JSC::DFG::Graph::hasExitSite):
        (JSC::DFG::Graph::clobbersWorld):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToToString):
        (Node):
        (JSC::DFG::Node::hasStructure):
        (JSC::DFG::Node::shouldSpeculateStringObject):
        (JSC::DFG::Node::shouldSpeculateStringOrStringObject):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
        (DFG):
        (JSC::DFG::SpeculativeJIT::compileNewStringObject):
        (JSC::DFG::SpeculativeJIT::speculateObject):
        (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
        (JSC::DFG::SpeculativeJIT::speculateString):
        (JSC::DFG::SpeculativeJIT::speculateStringObject):
        (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        (SpeculativeJIT):
        (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand):
        (DFG):
        (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        * interpreter/CallFrame.h:
        (JSC::ExecState::regExpPrototypeTable):
        * runtime/CommonIdentifiers.h:
        * runtime/Intrinsic.h:
        * runtime/JSDestructibleObject.h:
        (JSDestructibleObject):
        (JSC::JSDestructibleObject::classInfoOffset):
        * runtime/JSGlobalData.cpp:
        (JSC):
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::~JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        * runtime/JSObject.cpp:
        * runtime/JSObject.h:
        (JSC):
        * runtime/JSWrapperObject.h:
        (JSC::JSWrapperObject::allocationSize):
        (JSWrapperObject):
        (JSC::JSWrapperObject::internalValueOffset):
        (JSC::JSWrapperObject::internalValueCellOffset):
        * runtime/StringPrototype.cpp:
        (JSC):
        (JSC::StringPrototype::finishCreation):
        (JSC::StringPrototype::create):
        * runtime/StringPrototype.h:
        (StringPrototype):

2013-03-18  Filip Pizlo  <fpizlo@apple.com>

        ObjectPrototype properties should be eagerly created rather than lazily via static tables
        https://bugs.webkit.org/show_bug.cgi?id=112539

        Reviewed by Oliver Hunt.
        
        This is the first part of https://bugs.webkit.org/show_bug.cgi?id=112233. Rolling this
        in first since it's the less-likely-to-be-broken part.

        * CMakeLists.txt:
        * DerivedSources.make:
        * DerivedSources.pri:
        * GNUmakefile.list.am:
        * interpreter/CallFrame.h:
        (JSC::ExecState::objectConstructorTable):
        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalData.cpp:
        (JSC):
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::~JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectNativeFunction):
        (JSC):
        * runtime/JSObject.h:
        (JSObject):
        (JSC):
        * runtime/Lookup.cpp:
        (JSC::setUpStaticFunctionSlot):
        * runtime/ObjectPrototype.cpp:
        (JSC):
        (JSC::ObjectPrototype::finishCreation):
        (JSC::ObjectPrototype::create):
        * runtime/ObjectPrototype.h:
        (ObjectPrototype):

2013-03-16  Pratik Solanki  <psolanki@apple.com>

        Disable High DPI Canvas on iOS
        https://bugs.webkit.org/show_bug.cgi?id=112511

        Reviewed by Joseph Pecoraro.

        * Configurations/FeatureDefines.xcconfig:

2013-03-15  Andreas Kling  <akling@apple.com>

        Don't also clone StructureRareData when cloning Structure.
        <http://webkit.org/b/111672>

        Reviewed by Mark Hahnenberg.

        We were cloning a lot of StructureRareData with only the previousID pointer set since
        the enumerationCache is not shared between clones.

        Let the Structure copy constructor decide whether it wants to clone the rare data.
        The decision is made by StructureRareData::needsCloning() and will currently always
        return false, since StructureRareData only holds on to caches at present.
        This may change in the future as more members are added to StructureRareData.

        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::cloneRareDataFrom):
        * runtime/StructureInlines.h:
        (JSC::Structure::create):

2013-03-15  Mark Hahnenberg  <mhahnenberg@apple.com>

        Roll out r145838
        https://bugs.webkit.org/show_bug.cgi?id=112458

        Unreviewed. Requested by Filip Pizlo.

        * CMakeLists.txt:
        * DerivedSources.make:
        * DerivedSources.pri:
        * GNUmakefile.list.am:
        * dfg/DFGOperations.cpp:
        * interpreter/CallFrame.h:
        (JSC::ExecState::objectPrototypeTable):
        * jit/JITStubs.cpp:
        (JSC::getByVal):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::getByVal):
        * runtime/CommonIdentifiers.h:
        * runtime/JSCell.cpp:
        (JSC):
        * runtime/JSCell.h:
        (JSCell):
        * runtime/JSCellInlines.h:
        (JSC):
        (JSC::JSCell::fastGetOwnProperty):
        * runtime/JSGlobalData.cpp:
        (JSC):
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::~JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        * runtime/JSObject.cpp:
        (JSC):
        * runtime/JSObject.h:
        (JSObject):
        (JSC):
        * runtime/Lookup.cpp:
        (JSC::setUpStaticFunctionSlot):
        * runtime/ObjectPrototype.cpp:
        (JSC):
        (JSC::ObjectPrototype::finishCreation):
        (JSC::ObjectPrototype::getOwnPropertySlot):
        (JSC::ObjectPrototype::getOwnPropertyDescriptor):
        * runtime/ObjectPrototype.h:
        (JSC::ObjectPrototype::create):
        (ObjectPrototype):
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::findWithString):
        * runtime/Structure.h:
        (Structure):
        * runtime/StructureInlines.h:
        (JSC::Structure::get):

2013-03-15  Michael Saboff  <msaboff@apple.com>

        Cleanup of DFG and Baseline JIT debugging code
        https://bugs.webkit.org/show_bug.cgi?id=111871

        Reviewed by Geoffrey Garen.

        Fixed various debug related issue in baseline and DFG JITs. See below.

        * dfg/DFGRepatch.cpp:
        (JSC::DFG::dfgLinkClosureCall): Used pointerDump() to handle when calleeCodeBlock is NULL.
        * dfg/DFGScratchRegisterAllocator.h: Now use ScratchBuffer::activeLengthPtr() to get
        pointer to scratch register length.
        (JSC::DFG::ScratchRegisterAllocator::preserveUsedRegistersToScratchBuffer):
        (JSC::DFG::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBuffer):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkConsistency): Added missing case labels for DataFormatOSRMarker,
        DataFormatDead, and DataFormatArguments and made them RELEASE_ASSERT_NOT_REACHED();
        * jit/JITCall.cpp:
        (JSC::JIT::privateCompileClosureCall): Used pointerDump() to handle when calleeCodeBlock is NULL.
        * jit/JITCall32_64.cpp:
        (JSC::JIT::privateCompileClosureCall): Used pointerDump() to handle when calleeCodeBlock is NULL.
        * runtime/JSGlobalData.h:
        (JSC::ScratchBuffer::ScratchBuffer): Fixed buffer allocation alignment to
        be on a double boundary.
        (JSC::ScratchBuffer::setActiveLength):
        (JSC::ScratchBuffer::activeLength):
        (JSC::ScratchBuffer::activeLengthPtr):

2013-03-15  Michael Saboff  <msaboff@apple.com>

        Add runtime check for improper register allocations in DFG
        https://bugs.webkit.org/show_bug.cgi?id=112380

        Reviewed by Geoffrey Garen.

        Added framework to check for register allocation within a branch source - target range.  All register allocations
        are saved using the offset in the code stream where the allocation occurred.  Later when a jump is linked, the
        currently saved register allocations are checked to make sure that they didn't occur in the range of code that was
        jumped over.  This protects against the case where an allocation could have spilled register contents to free up 
        a register and that spill only occurs on one path of a many through the code.  A subsequent fill of the spilled
        register may load garbage.  See https://bugs.webkit.org/show_bug.cgi?id=111777 for one such bug.
        This code is protected by the compile time check of #if ENABLE(DFG_REGISTER_ALLOCATION_VALIDATION).
        The check is only done during the processing of SpeculativeJIT::compile(Node* node) and its callees.
 
        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::Jump::link): Invoke register allocation checks using source and target of link.
        (JSC::AbstractMacroAssembler::Jump::linkTo): Invoke register allocation checks using source and target of link.
        (AbstractMacroAssembler):
        (RegisterAllocationOffset): New helper class to store the instruction stream offset and compare against a 
        jump range.
        (JSC::AbstractMacroAssembler::RegisterAllocationOffset::RegisterAllocationOffset):
        (JSC::AbstractMacroAssembler::RegisterAllocationOffset::check):
        (JSC::AbstractMacroAssembler::addRegisterAllocationAtOffset):
        (JSC::AbstractMacroAssembler::clearRegisterAllocationOffsets): 
        (JSC::AbstractMacroAssembler::checkRegisterAllocationAgainstBranchRange):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::allocate):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-03-14  Oliver Hunt  <oliver@apple.com>

        REGRESSION(r145000): Crash loading arstechnica.com when Safari Web Inspector is open
        https://bugs.webkit.org/show_bug.cgi?id=111868

        Reviewed by Antti Koivisto.

        Don't allow non-local property lookup when the debugger is enabled.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::resolve):

2013-03-11  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: Objective-C functions exposed to JavaScript have the wrong type (object instead of function)
        https://bugs.webkit.org/show_bug.cgi?id=105892

        Reviewed by Geoffrey Garen.

        Changed ObjCCallbackFunction to subclass JSCallbackFunction which already has all of the machinery to call
        functions using the C API. Since ObjCCallbackFunction is now a JSCell, we changed the old implementation of
        ObjCCallbackFunction to be the internal implementation and keep track of all the proper data so that we 
        don't have to put all of that in the header, which will now be included from C++ files (e.g. JSGlobalObject.cpp).

        * API/JSCallbackFunction.cpp: Change JSCallbackFunction to allow subclassing. Originally it was internally
        passing its own Structure up the chain of constructors, but we now want to be able to pass other Structures as well.
        (JSC::JSCallbackFunction::JSCallbackFunction):
        (JSC::JSCallbackFunction::create):
        * API/JSCallbackFunction.h:
        (JSCallbackFunction):
        * API/JSWrapperMap.mm: Changed interface to tryUnwrapBlock.
        (tryUnwrapObjcObject):
        * API/ObjCCallbackFunction.h:
        (ObjCCallbackFunction): Moved into the JSC namespace, just like JSCallbackFunction.
        (JSC::ObjCCallbackFunction::createStructure): Overridden so that the correct ClassInfo gets used since we have 
        a destructor.
        (JSC::ObjCCallbackFunction::impl): Getter for the internal impl.
        * API/ObjCCallbackFunction.mm:
        (JSC::ObjCCallbackFunctionImpl::ObjCCallbackFunctionImpl): What used to be ObjCCallbackFunction is now 
        ObjCCallbackFunctionImpl. It handles the Objective-C specific parts of managing callback functions.
        (JSC::ObjCCallbackFunctionImpl::~ObjCCallbackFunctionImpl):
        (JSC::objCCallbackFunctionCallAsFunction): Same as the old one, but now it casts to ObjCCallbackFunction and grabs the impl 
        rather than using JSObjectGetPrivate.
        (JSC::ObjCCallbackFunction::ObjCCallbackFunction): New bits to allow being part of the JSCell hierarchy.
        (JSC::ObjCCallbackFunction::create):
        (JSC::ObjCCallbackFunction::destroy):
        (JSC::ObjCCallbackFunctionImpl::call): Handles the actual invocation, just like it used to.
        (objCCallbackFunctionForInvocation):
        (tryUnwrapBlock): Changed to check the ClassInfo for inheritance directly, rather than going through the C API call.
        * API/tests/testapi.mm: Added new test to make sure that doing Function.prototype.toString.call(f) won't result in 
        an error when f is an Objective-C method or block underneath the covers.
        * runtime/JSGlobalObject.cpp: Added new Structure for ObjCCallbackFunction.
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSGlobalObject):
        (JSC::JSGlobalObject::objcCallbackFunctionStructure):

2013-03-14  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: Nested dictionaries are not converted properly in the Objective-C binding
        https://bugs.webkit.org/show_bug.cgi?id=112377

        Reviewed by Oliver Hunt.

        Accidental reassignment of the root task in the container conversion logic was causing the last 
        array or dictionary processed to be returned in the case of nested containers.

        * API/JSValue.mm:
        (containerValueToObject):
        * API/tests/testapi.mm:

2013-03-13  Filip Pizlo  <fpizlo@apple.com>

        JSObject fast by-string access optimizations should work even on the prototype chain, and even when the result is undefined
        https://bugs.webkit.org/show_bug.cgi?id=112233

        Reviewed by Oliver Hunt.
        
        Extended the existing fast access path for String keys to work over the entire prototype chain,
        not just the self access case. This will fail as soon as it sees an object that intercepts
        getOwnPropertySlot, so this patch also ensures that ObjectPrototype does not fall into that
        category. This is accomplished by making ObjectPrototype eagerly reify all of its properties.
        This is safe for ObjectPrototype because it's so common and we expect all of its properties to
        be reified for any interesting programs anyway. A new idiom for adding native functions to
        prototypes is introduced, which ought to work well for any other prototypes that we wish to do
        this conversion for.
        
        This is a >60% speed-up in the case that you frequently do by-string lookups that "miss", i.e.
        they don't turn up anything.

        * CMakeLists.txt:
        * DerivedSources.make:
        * DerivedSources.pri:
        * GNUmakefile.list.am:
        * dfg/DFGOperations.cpp:
        * interpreter/CallFrame.h:
        (JSC::ExecState::objectConstructorTable):
        * jit/JITStubs.cpp:
        (JSC::getByVal):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::getByVal):
        * runtime/CommonIdentifiers.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::getByStringSlow):
        (JSC):
        * runtime/JSCell.h:
        (JSCell):
        * runtime/JSCellInlines.h:
        (JSC):
        (JSC::JSCell::getByStringAndKey):
        (JSC::JSCell::getByString):
        * runtime/JSGlobalData.cpp:
        (JSC):
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::~JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectNativeFunction):
        (JSC):
        * runtime/JSObject.h:
        (JSObject):
        (JSC):
        * runtime/Lookup.cpp:
        (JSC::setUpStaticFunctionSlot):
        * runtime/ObjectPrototype.cpp:
        (JSC):
        (JSC::ObjectPrototype::finishCreation):
        (JSC::ObjectPrototype::create):
        * runtime/ObjectPrototype.h:
        (ObjectPrototype):
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::findWithString):
        * runtime/Structure.h:
        (Structure):
        * runtime/StructureInlines.h:
        (JSC::Structure::get):
        (JSC):

2013-03-13  Filip Pizlo  <fpizlo@apple.com>

        DFG bytecode parser is too aggressive about getting rid of GetLocals on captured variables
        https://bugs.webkit.org/show_bug.cgi?id=112287
        <rdar://problem/13342340>

        Reviewed by Oliver Hunt.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::finalizeUnconditionally):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getLocal):

2013-03-13  Ryosuke Niwa  <rniwa@webkit.org>

        Threaded HTML Parser is missing feature define flags in all but Chromium port's build files
        https://bugs.webkit.org/show_bug.cgi?id=112277

        Reviewed by Adam Barth.

        * Configurations/FeatureDefines.xcconfig:

2013-03-13  Csaba Osztrogonác  <ossy@webkit.org>

        LLINT C loop warning fix for GCC
        https://bugs.webkit.org/show_bug.cgi?id=112145

        Reviewed by Filip Pizlo.

        * llint/LowLevelInterpreter.cpp:
        (JSC::CLoop::execute):

2013-02-13  Simon Hausmann  <simon.hausmann@digia.com>

        Add support for convenient conversion from JSStringRef to QString
        https://bugs.webkit.org/show_bug.cgi?id=109694

        Reviewed by Allan Sandfeld Jensen.

        Add JSStringCopyQString helper function that allows for the convenient
        extraction of a QString out of a JSStringRef.

        * API/JSStringRefQt.cpp: Added.
        (JSStringCopyQString):
        * API/JSStringRefQt.h: Added.
        * API/OpaqueJSString.h:
        (OpaqueJSString):
        (OpaqueJSString::qString):
        (OpaqueJSString::OpaqueJSString):
        * Target.pri:

2013-03-13  Peter Gal  <galpeter@inf.u-szeged.hu>

        Token 'not' is ignored in the offlineasm.
        https://bugs.webkit.org/show_bug.cgi?id=111568

        Reviewed by Filip Pizlo.

        * offlineasm/parser.rb: Build the Not AST node if the 'not' token is found.

2013-03-12  Tim Horton  <timothy_horton@apple.com>

        WTF uses macros for exports. Try to fix the Windows build. Unreviewed.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:

2013-03-12  Filip Pizlo  <fpizlo@apple.com>

        Array.prototype.sort should at least try to be PTIME even when the array is in some bizarre mode
        https://bugs.webkit.org/show_bug.cgi?id=112187
        <rdar://problem/13393550>

        Reviewed by Michael Saboff and Gavin Barraclough.
        
        If we have an array-like object in crazy mode passed into Array.prototype.sort, and its length is large,
        then first copy all elements into a separate, compact, un-holy array and sort that. Then copy back.
        This means that sorting will be at worst O(n^2) in the actual number of things in the array, rather than
        O(n^2) in the array's length.

        * runtime/ArrayPrototype.cpp:
        (JSC::attemptFastSort):
        (JSC::performSlowSort):
        (JSC):
        (JSC::arrayProtoFuncSort):

2013-03-12  Tim Horton  <timothy_horton@apple.com>

        Try to fix the Windows build.

        Not reviewed.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:

2013-03-12  Geoffrey Garen  <ggaren@apple.com>

        Try to fix the Windows build.

        Not reviewed.

        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
        Export a thing.

2013-03-11  Oliver Hunt  <oliver@apple.com>

        Harden JSStringJoiner
        https://bugs.webkit.org/show_bug.cgi?id=112093

        Reviewed by Filip Pizlo.

        Harden JSStringJoiner, make it use our CheckedArithmetic
        class to simplify everything.

        * runtime/JSStringJoiner.cpp:
        (JSC::JSStringJoiner::build):
        * runtime/JSStringJoiner.h:
        (JSStringJoiner):
        (JSC::JSStringJoiner::JSStringJoiner):
        (JSC::JSStringJoiner::append):

2013-03-12  Filip Pizlo  <fpizlo@apple.com>

        DFG generic array access cases should not be guarded by CheckStructure even of the profiling tells us that it could be
        https://bugs.webkit.org/show_bug.cgi?id=112183

        Reviewed by Oliver Hunt.
        
        Slight speed-up on string-unpack-code.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::findAndRemoveUnnecessaryStructureCheck):
        (FixupPhase):
        (JSC::DFG::FixupPhase::checkArray):
        (JSC::DFG::FixupPhase::blessArrayOperation):

2013-03-12  Gabor Rapcsanyi  <rgabor@webkit.org>

        https://bugs.webkit.org/show_bug.cgi?id=112141
        LLInt CLoop backend misses Double2Ints() on 32bit architectures

        Reviewed by Filip Pizlo.

        Implement Double2Ints() in CLoop backend of LLInt on 32bit architectures.

        * llint/LowLevelInterpreter.cpp:
        (LLInt):
        (JSC::LLInt::Double2Ints):
        * offlineasm/cloop.rb:

2013-03-12  Gabor Rapcsanyi  <rgabor@webkit.org>

        Making more sophisticated cache flush on ARM Linux platform
        https://bugs.webkit.org/show_bug.cgi?id=111854

        Reviewed by Zoltan Herczeg.

        The cache flush on ARM Linux invalidates whole pages
        instead of just the required area.

        * assembler/ARMAssembler.h:
        (ARMAssembler):
        (JSC::ARMAssembler::linuxPageFlush):
        (JSC::ARMAssembler::cacheFlush):
        * assembler/ARMv7Assembler.h:
        (ARMv7Assembler):
        (JSC::ARMv7Assembler::linuxPageFlush):
        (JSC::ARMv7Assembler::cacheFlush):

2013-03-12  Gabor Rapcsanyi  <rgabor@webkit.org>

        Renaming the armv7.rb LLINT backend to arm.rb
        https://bugs.webkit.org/show_bug.cgi?id=110565

        Reviewed by Zoltan Herczeg.

        This is the first step of a unified ARM backend for
        all ARM 32 bit architectures in LLInt.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * LLIntOffsetsExtractor.pro:
        * offlineasm/arm.rb: Copied from Source/JavaScriptCore/offlineasm/armv7.rb.
        * offlineasm/armv7.rb: Removed.
        * offlineasm/backends.rb:
        * offlineasm/risc.rb:

2013-03-12  Csaba Osztrogonác  <ossy@webkit.org>

        REGRESSION(r145482): It broke 33 jsc tests and zillion layout tests on all platform
        https://bugs.webkit.org/show_bug.cgi?id=112112

        Reviewed by Oliver Hunt.

        Rolling out https://trac.webkit.org/changeset/145482 to unbreak the bots.

        * runtime/JSStringJoiner.cpp:
        (JSC::JSStringJoiner::build):
        * runtime/JSStringJoiner.h:
        (JSStringJoiner):
        (JSC::JSStringJoiner::JSStringJoiner):
        (JSC::JSStringJoiner::append):

2013-03-12  Filip Pizlo  <fpizlo@apple.com>

        DFG prediction propagation phase should not rerun forward propagation if double voting has already converged
        https://bugs.webkit.org/show_bug.cgi?id=111920

        Reviewed by Oliver Hunt.
        
        I don't know why we weren't exiting early after double voting if !m_changed.
        
        This change also removes backwards propagation from the voting fixpoint, since at that
        point short-circuiting loops is probably not particularly profitable. Profiling shows
        that this reduces the time spent in prediction propagation even further.
        
        This change appears to be a 1% SunSpider speed-up.

        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::run):

2013-03-11  Filip Pizlo  <fpizlo@apple.com>

        DFG overflow check elimination is too smart for its own good
        https://bugs.webkit.org/show_bug.cgi?id=111832

        Reviewed by Oliver Hunt and Gavin Barraclough.
        
        Rolling this back in after fixing accidental misuse of JSValue. The code was doing value < someInt
        rather than value.asInt32() < someInt. This "worked" when isWithinPowerOfTwo wasn't templatized.
        It worked by always being false and always disabling the relvant optimization.
        
        This improves overflow check elimination in three ways:
        
        1) It reduces the amount of time the compiler will spend doing it.
        
        2) It fixes bugs where overflow check elimination was overzealous. Precisely, for a binary operation
           over @a and @b where both @a and @b will type check that their inputs (@a->children, @b->children)
           are int32's and then perform a possibly-overflowing operation, we must be careful not to assume
           that @a's non-int32 parts don't matter if at the point that @a runs we have as yet not proved that
           @b->children are int32's and that hence @b might produce a large enough result that doubles would
           start chopping low bits. The specific implication of this is that for a binary operation to not
           propagate that it cares about non-int32 parts (NodeUsedAsNumber), we must prove that at least one
           of the inputs is guaranteed to produce a result within 2^32 and that there won't be a tower of such
           operations large enough to ultimately produce a double greater than 2^52 (roughly). We achieve the
           latter by disabling this optimization for very large basic blocks. It's noteworthy that blocks that
           large won't even make it into the DFG currently.
        
        3) It makes the overflow check elimination more precise for cases where the inputs to an Add or Sub
           are the outputs of a bit-op. For example in (@a + (@b | 0)) | 0, we don't need to propagate
           NodeUsedAsNumber to either @a or @b.
        
        This is neutral on V8v7 and a slight speed-up on compile time benchmarks.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine):
        * dfg/DFGBackwardsPropagationPhase.cpp: Added.
        (DFG):
        (BackwardsPropagationPhase):
        (JSC::DFG::BackwardsPropagationPhase::BackwardsPropagationPhase):
        (JSC::DFG::BackwardsPropagationPhase::run):
        (JSC::DFG::BackwardsPropagationPhase::isNotNegZero):
        (JSC::DFG::BackwardsPropagationPhase::isNotZero):
        (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwoForConstant):
        (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwoNonRecursive):
        (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
        (JSC::DFG::BackwardsPropagationPhase::mergeDefaultFlags):
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        (JSC::DFG::performBackwardsPropagation):
        * dfg/DFGBackwardsPropagationPhase.h: Added.
        (DFG):
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::run):
        (JSC::DFG::CPSRethreadingPhase::clearIsLoadedFrom):
        (CPSRethreadingPhase):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::dumpNodeFlags):
        (DFG):
        * dfg/DFGNodeFlags.h:
        (DFG):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (PredictionPropagationPhase):
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGUnificationPhase.cpp:
        (JSC::DFG::UnificationPhase::run):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::VariableAccessData):
        (JSC::DFG::VariableAccessData::mergeIsLoadedFrom):
        (VariableAccessData):
        (JSC::DFG::VariableAccessData::setIsLoadedFrom):
        (JSC::DFG::VariableAccessData::isLoadedFrom):

2013-03-11  Oliver Hunt  <oliver@apple.com>

        Harden JSStringJoiner
        https://bugs.webkit.org/show_bug.cgi?id=112093

        Reviewed by Filip Pizlo.

        Harden JSStringJoiner, make it use our CheckedArithmetic
        class to simplify everything.

        * runtime/JSStringJoiner.cpp:
        (JSC::JSStringJoiner::build):
        * runtime/JSStringJoiner.h:
        (JSStringJoiner):
        (JSC::JSStringJoiner::JSStringJoiner):
        (JSC::JSStringJoiner::append):

2013-03-11  Michael Saboff  <msaboff@apple.com>

        Crash beneath operationCreateInlinedArguments running fast/js/dfg-create-inlined-arguments-in-closure-inline.html (32-bit only)
        https://bugs.webkit.org/show_bug.cgi?id=112067

        Reviewed by Geoffrey Garen.

        We weren't setting the tag in SetCallee.  Therefore set it to CellTag.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-03-11  Oliver Hunt  <oliver@apple.com>

        Make SegmentedVector Noncopyable
        https://bugs.webkit.org/show_bug.cgi?id=112059

        Reviewed by Geoffrey Garen.

        Copying a SegmentedVector is very expensive, and really shouldn't
        be necessary.  So I've taken the one place where we currently copy
        and replaced it with a regular Vector, and replaced the address
        dependent logic with a indexing ref instead.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::newLabelScope):
        (JSC::BytecodeGenerator::emitComplexJumpScopes):
        * bytecompiler/BytecodeGenerator.h:
        (BytecodeGenerator):
        * bytecompiler/LabelScope.h:
        (JSC):
        (JSC::LabelScopePtr::LabelScopePtr):
        (LabelScopePtr):
        (JSC::LabelScopePtr::operator=):
        (JSC::LabelScopePtr::~LabelScopePtr):
        (JSC::LabelScopePtr::operator*):
        (JSC::LabelScopePtr::operator->):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::DoWhileNode::emitBytecode):
        (JSC::WhileNode::emitBytecode):
        (JSC::ForNode::emitBytecode):
        (JSC::ForInNode::emitBytecode):
        (JSC::SwitchNode::emitBytecode):
        (JSC::LabelNode::emitBytecode):

2013-03-10  Andreas Kling  <akling@apple.com>

        SpeculativeJIT should use OwnPtr<SlowPathGenerator>.
        <http://webkit.org/b/111942>

        Reviewed by Anders Carlsson.

        There's no need to include DFGSlowPathGenerator.h from the header as long as the destructor is out-of-line,
        so let's use OwnPtr instead of raw pointers + deleteAllValues().

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::~SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::addSlowPathGenerator):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):

2013-03-09  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r145299.
        http://trac.webkit.org/changeset/145299
        https://bugs.webkit.org/show_bug.cgi?id=111928

        compilation failure with recent clang
        (DFGBackwardsPropagationPhase.cpp:132:35: error: comparison of
        constant 10 with expression of type 'bool' is always false)
        (Requested by thorton on #webkit).

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine):
        * dfg/DFGBackwardsPropagationPhase.cpp: Removed.
        * dfg/DFGBackwardsPropagationPhase.h: Removed.
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::run):
        (CPSRethreadingPhase):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::nodeFlagsAsString):
        (DFG):
        * dfg/DFGNodeFlags.h:
        (DFG):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::isNotNegZero):
        (PredictionPropagationPhase):
        (JSC::DFG::PredictionPropagationPhase::isNotZero):
        (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwoForConstant):
        (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwoNonRecursive):
        (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwo):
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::mergeDefaultFlags):
        * dfg/DFGUnificationPhase.cpp:
        (JSC::DFG::UnificationPhase::run):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::VariableAccessData):
        (VariableAccessData):

2013-03-08  Filip Pizlo  <fpizlo@apple.com>

        DFG overflow check elimination is too smart for its own good
        https://bugs.webkit.org/show_bug.cgi?id=111832

        Reviewed by Oliver Hunt and Gavin Barraclough.
        
        This improves overflow check elimination in three ways:
        
        1) It reduces the amount of time the compiler will spend doing it.
        
        2) It fixes bugs where overflow check elimination was overzealous. Precisely, for a binary operation
           over @a and @b where both @a and @b will type check that their inputs (@a->children, @b->children)
           are int32's and then perform a possibly-overflowing operation, we must be careful not to assume
           that @a's non-int32 parts don't matter if at the point that @a runs we have as yet not proved that
           @b->children are int32's and that hence @b might produce a large enough result that doubles would
           start chopping low bits. The specific implication of this is that for a binary operation to not
           propagate that it cares about non-int32 parts (NodeUsedAsNumber), we must prove that at least one
           of the inputs is guaranteed to produce a result within 2^32 and that there won't be a tower of such
           operations large enough to ultimately produce a double greater than 2^52 (roughly). We achieve the
           latter by disabling this optimization for very large basic blocks. It's noteworthy that blocks that
           large won't even make it into the DFG currently.
        
        3) It makes the overflow check elimination more precise for cases where the inputs to an Add or Sub
           are the outputs of a bit-op. For example in (@a + (@b | 0)) | 0, we don't need to propagate
           NodeUsedAsNumber to either @a or @b.
        
        This is neutral on V8v7 and a slight speed-up on compile time benchmarks.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine):
        * dfg/DFGBackwardsPropagationPhase.cpp: Added.
        (DFG):
        (BackwardsPropagationPhase):
        (JSC::DFG::BackwardsPropagationPhase::BackwardsPropagationPhase):
        (JSC::DFG::BackwardsPropagationPhase::run):
        (JSC::DFG::BackwardsPropagationPhase::isNotNegZero):
        (JSC::DFG::BackwardsPropagationPhase::isNotZero):
        (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwoForConstant):
        (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwoNonRecursive):
        (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
        (JSC::DFG::BackwardsPropagationPhase::mergeDefaultFlags):
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        (JSC::DFG::performBackwardsPropagation):
        * dfg/DFGBackwardsPropagationPhase.h: Added.
        (DFG):
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::run):
        (JSC::DFG::CPSRethreadingPhase::clearIsLoadedFrom):
        (CPSRethreadingPhase):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::dumpNodeFlags):
        (DFG):
        * dfg/DFGNodeFlags.h:
        (DFG):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (PredictionPropagationPhase):
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGUnificationPhase.cpp:
        (JSC::DFG::UnificationPhase::run):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::VariableAccessData):
        (JSC::DFG::VariableAccessData::mergeIsLoadedFrom):
        (VariableAccessData):
        (JSC::DFG::VariableAccessData::setIsLoadedFrom):
        (JSC::DFG::VariableAccessData::isLoadedFrom):

2013-03-08  Roger Fong  <roger_fong@apple.com>

        Makefile fixes.

        * JavaScriptCore.vcxproj/JavaScriptCore.make:

2013-03-08  Gabor Rapcsanyi  <rgabor@webkit.org>

        Cache flush problem on ARMv7 JSC
        https://bugs.webkit.org/show_bug.cgi?id=111441

        Reviewed by Zoltan Herczeg.

        Not proper cache flush causing random crashes on ARMv7 Linux with V8 tests.
        The problem is similar to https://bugs.webkit.org/show_bug.cgi?id=77712.
        Change the cache fulsh mechanism similar to ARM traditinal and revert the
        temporary fix.

        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::cacheFlush):

2013-03-07  Geoffrey Garen  <ggaren@apple.com>

        REGRESSION (r143759): 40% JSBench regression, 20% Octane/closure regression, 40% Octane/jquery regression, 2% Octane regression
        https://bugs.webkit.org/show_bug.cgi?id=111797

        Reviewed by Oliver Hunt.

        The bot's testing configuration stresses the cache's starting guess
        of 1MB.

        This patch removes any starting guess, and just uses wall clock time
        to discover the initial working set size of an app, in code size.

        * runtime/CodeCache.cpp:
        (JSC::CodeCacheMap::pruneSlowCase): Update our timer as we go.

        Also fixed a bug where pruning from 0 to 0 would hang -- that case is
        a possibility now that we start with a capacity of 0.

        * runtime/CodeCache.h:
        (CodeCacheMap):
        (JSC::CodeCacheMap::CodeCacheMap):
        (JSC::CodeCacheMap::add):
        (JSC::CodeCacheMap::prune): Don't prune if we're in the middle of
        discovering the working set size of an app, in code size.

2013-03-07  Michael Saboff  <msaboff@apple.com>

        Crash when updating predictions below JSC::arrayProtoFuncForEach on tuaw.com article
        https://bugs.webkit.org/show_bug.cgi?id=111777

        Reviewed by Filip Pizlo.

        Moved register allocations to be above any generated control flow so that any
        resulting spill would be visible to all subsequently generated code.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::compile):

2013-03-07  Filip Pizlo  <fpizlo@apple.com>

        DFG should not get corrupted IR in the case of code that is dead, unreachable, and contains a chain of nodes that use each other in an untyped way
        https://bugs.webkit.org/show_bug.cgi?id=111783

        Reviewed by Mark Hahnenberg.
        
        Unreachable code is not touched by CFA and so thinks that even untyped uses are checked.
        But dead untyped uses don't need checks and hence don't need to be Phantom'd. The DCE knew
        this in findTypeCheckRoot() but not in eliminateIrrelevantPhantomChildren(), leading to a
        Phantom node that had another Phantom node as one of its kids.

        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::eliminateIrrelevantPhantomChildren):

2013-03-07  Filip Pizlo  <fpizlo@apple.com>

        The DFG fixpoint is not strictly profitable, and should be straight-lined
        https://bugs.webkit.org/show_bug.cgi?id=111764

        Reviewed by Oliver Hunt and Geoffrey Garen.
        
        The DFG previously ran optimizations to fixpoint because there exists a circular dependency:
        
        CSE depends on CFG simplification: CFG simplification merges blocks, and CSE is block-local.
        
        CFG simplification depends on CFA and constant folding: constant folding reveals branches on
        constants.
        
        CFA depends on CSE: CSE reveals must-alias relationships by proving that two operations
        always produce identical values.
        
        Arguments simplification also depends on CSE, but it ought not depend on anything else.
        
        Hence we get a cycle like: CFA -> folding -> CFG -> CSE -> CFA.
        
        Note that before we had sparse conditional CFA, we also had CFA depending on CFG. This ought
        not be the case anymore: CFG simplification should not by itself lead to better CFA results.
        
        My guess is that the weakest link in this cycle is CFG -> CSE. CSE cuts both ways: if you
        CSE too much then you increase register pressure. Hence it's not clear that you always want
        to CSE after simplifying control flow. This leads to an order of optimization as follows:
        
        CSE -> arguments -> CFA -> folding -> CFG
        
        This is a 2.5% speed-up on SunSpider, a 4% speed-up on V8Spider, a possible 0.3% slow-down
        on V8v7, nothing on Kraken, and 1.2% speed-up in the JSRegress geomean. I'll take a 2.5%
        speed-up over a 0.3% V8v7 speed-up.

        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):

2013-03-07  Roger Fong  <roger_fong@apple.com>

        Build fix for AppleWin VS2010.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2013-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: Need a good way to reference event handlers without causing cycles
        https://bugs.webkit.org/show_bug.cgi?id=111088

        Reviewed by Geoffrey Garen.

        JSManagedValue is like a special kind of weak value. When you create a JSManagedValue, you can
        supply an Objective-C object as its "owner". As long as the Objective-C owner object remains
        alive and its wrapper remains accessible to the JSC garbage collector (e.g. by being marked by 
        the global object), the reference to the JavaScript value is strong. As soon as the Objective-C
        owner is deallocated or its wrapper becomes inaccessible to the garbage collector, the reference
        becomes weak.

        If you do not supply an owner or you use the weakValueWithValue: convenience class method, the
        returned JSManagedValue behaves as a normal weak reference.

        This new class allows clients to maintain references to JavaScript values in the Objective-C
        heap without creating reference cycles/leaking memory.

        * API/JSAPIWrapperObject.cpp: Added.
        (JSC):
        (JSC::::createStructure):
        (JSC::JSAPIWrapperObject::JSAPIWrapperObject): This is a special JSObject for the Objective-C API that knows
        for the purposes of garbage collection/marking that it wraps an opaque Objective-C object.
        (JSC::JSAPIWrapperObject::visitChildren): We add the pointer to the wrapped Objective-C object to the set of
        opaque roots so that the weak handle owner for JSManagedValues can find it later.
        * API/JSAPIWrapperObject.h: Added.
        (JSC):
        (JSAPIWrapperObject):
        (JSC::JSAPIWrapperObject::wrappedObject):
        (JSC::JSAPIWrapperObject::setWrappedObject):
        * API/JSBase.cpp:
        (JSSynchronousGarbageCollect):
        * API/JSBasePrivate.h:
        * API/JSCallbackObject.cpp:
        (JSC):
        * API/JSCallbackObject.h:
        (JSC::JSCallbackObject::destroy): Moved this to the header so that we don't get link errors with JSAPIWrapperObject.
        * API/JSContext.mm:
        (-[JSContext initWithVirtualMachine:]): We weren't adding manually allocated/initialized JSVirtualMachine objects to 
        the global cache of virtual machines. The init methods handle this now rather than contextWithGlobalContextRef, since 
        not everyone is guaranteed to use the latter.
        (-[JSContext initWithGlobalContextRef:]):
        (+[JSContext contextWithGlobalContextRef:]):
        * API/JSManagedValue.h: Added.
        * API/JSManagedValue.mm: Added.
        (JSManagedValueHandleOwner):
        (managedValueHandleOwner):
        (+[JSManagedValue weakValueWithValue:]):
        (+[JSManagedValue managedValueWithValue:owner:]):
        (-[JSManagedValue init]): We explicitly call the ARC entrypoints to initialize/get the weak owner field since we don't 
        use ARC when building our framework.
        (-[JSManagedValue initWithValue:]):
        (-[JSManagedValue initWithValue:owner:]):
        (-[JSManagedValue dealloc]):
        (-[JSManagedValue value]):
        (-[JSManagedValue weakOwner]):
        (JSManagedValueHandleOwner::isReachableFromOpaqueRoots): If the Objective-C owner is still alive (i.e. loading the weak field
        returns non-nil) and that value was added to the set of opaque roots by the wrapper for that Objective-C owner, then the the 
        JSObject to which the JSManagedObject refers is still alive.
        * API/JSObjectRef.cpp: We have to add explicit checks for the JSAPIWrapperObject, just like the other types of JSCallbackObjects.
        (JSObjectGetPrivate):
        (JSObjectSetPrivate):
        (JSObjectGetPrivateProperty):
        (JSObjectSetPrivateProperty):
        (JSObjectDeletePrivateProperty):
        * API/JSValue.mm:
        (objectToValueWithoutCopy):
        * API/JSValueRef.cpp:
        (JSValueIsObjectOfClass):
        * API/JSVirtualMachine.mm:
        (-[JSVirtualMachine initWithContextGroupRef:]):
        (+[JSVirtualMachine virtualMachineWithContextGroupRef:]):
        * API/JSWrapperMap.mm:
        (wrapperFinalize):
        (makeWrapper): This is our own internal version of JSObjectMake which creates JSAPIWrapperObjects, the Obj-C API 
        version of JSCallbackObjects.
        (createObjectWithCustomBrand):
        (-[JSObjCClassInfo wrapperForObject:]):
        (tryUnwrapObjcObject):
        * API/JavaScriptCore.h:
        * API/tests/testapi.mm: Added new tests for the strong and weak uses of JSManagedValue in the context of an 
        onclick handler for an Objective-C object inserted into a JSContext.
        (-[TextXYZ setWeakOnclick:]):
        (-[TextXYZ setOnclick:]):
        (-[TextXYZ weakOnclick]):
        (-[TextXYZ onclick]):
        (-[TextXYZ click]):
        * CMakeLists.txt: Various build system additions.
        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/JSGlobalObject.cpp: Added the new canonical Structure for the JSAPIWrapperObject class.
        (JSC::JSGlobalObject::reset):
        (JSC):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSGlobalObject):
        (JSC::JSGlobalObject::objcWrapperObjectStructure):

2013-03-06  Filip Pizlo  <fpizlo@apple.com>

        ConvertThis should be turned into Identity based on predictions in Fixup, rather than based on proofs in ConstantFolding
        https://bugs.webkit.org/show_bug.cgi?id=111674

        Reviewed by Oliver Hunt.
        
        This gets rid of the speculated forms of ConvertThis in the backend, and has Fixup
        convert them to either Identity(Object:@child) if the child is predicted object, or
        Phantom(Other:@child) ; WeakJSConstant(global this object) if it's predicted Other.
        
        The goal of this is to ensure that the optimization fixpoint doesn't create
        Identity's, since doing so requires a rerun of CSE. So far this isn't a speed-up
        but I'm hoping this will be a step towards reducing the need to rerun the fixpoint
        so as to ultimately reduce compile times.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::executeEffects):
        * dfg/DFGAssemblyHelpers.h:
        (AssemblyHelpers):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (FixupPhase):
        (JSC::DFG::FixupPhase::observeUseKindOnNode):
        (JSC::DFG::FixupPhase::setUseKindAndUnboxIfProfitable):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::globalThisObjectFor):
        (Graph):
        * dfg/DFGNode.h:
        (Node):
        (JSC::DFG::Node::convertToIdentity):
        (JSC::DFG::Node::convertToWeakConstant):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-03-07  Peter Gal  <galpeter@inf.u-szeged.hu>

        Children method in LLINT AST Not class should return [@child]
        https://bugs.webkit.org/show_bug.cgi?id=90740

        Reviewed by Filip Pizlo.

        * offlineasm/ast.rb: Fixed the return value of the children method in the Not AST class.

2013-03-05  Oliver Hunt  <oliver@apple.com>

        Bring back eager resolution of function scoped variables
        https://bugs.webkit.org/show_bug.cgi?id=111497

        Reviewed by Geoffrey Garen.

        This reverts the get/put_scoped_var part of the great non-local
        variable resolution refactoring.  This still leaves all the lazy
        variable resolution logic as it's necessary for global property
        resolution, and i don't want to make the patch bigger than it
        already is.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        * bytecode/Opcode.h:
        (JSC):
        (JSC::padOpcodeName):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::codeBlockFor):
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC):
        (UnlinkedFunctionExecutable):
        (UnlinkedCodeBlock):
        (JSC::UnlinkedCodeBlock::usesGlobalObject):
        (JSC::UnlinkedCodeBlock::setGlobalObjectRegister):
        (JSC::UnlinkedCodeBlock::globalObjectRegister):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::ResolveResult::checkValidity):
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitLoadGlobalObject):
        (JSC):
        (JSC::BytecodeGenerator::resolve):
        (JSC::BytecodeGenerator::resolveConstDecl):
        (JSC::BytecodeGenerator::emitResolve):
        (JSC::BytecodeGenerator::emitResolveBase):
        (JSC::BytecodeGenerator::emitResolveBaseForPut):
        (JSC::BytecodeGenerator::emitResolveWithBaseForPut):
        (JSC::BytecodeGenerator::emitResolveWithThis):
        (JSC::BytecodeGenerator::emitGetStaticVar):
        (JSC::BytecodeGenerator::emitPutStaticVar):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::ResolveResult::lexicalResolve):
        (JSC::ResolveResult::isStatic):
        (JSC::ResolveResult::depth):
        (JSC::ResolveResult::index):
        (ResolveResult):
        (JSC::ResolveResult::ResolveResult):
        (BytecodeGenerator):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ResolveNode::isPure):
        (JSC::FunctionCallResolveNode::emitBytecode):
        (JSC::PostfixNode::emitResolve):
        (JSC::TypeOfResolveNode::emitBytecode):
        (JSC::PrefixNode::emitResolve):
        (JSC::ReadModifyResolveNode::emitBytecode):
        (JSC::AssignResolveNode::emitBytecode):
        (JSC::ConstDeclNode::emitCodeSingle):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::debugFail):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        (JSC::DFG::canInlineOpcode):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        (JIT):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_scoped_var):
        (JSC):
        (JSC::JIT::emit_op_put_scoped_var):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_scoped_var):
        (JSC):
        (JSC::JIT::emit_op_put_scoped_var):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getCodeBlock):
        (JSC::CodeCache::getProgramCodeBlock):
        (JSC::CodeCache::getEvalCodeBlock):
        * runtime/CodeCache.h:
        (JSC):
        (CodeCache):
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::compileInternal):
        (JSC::FunctionExecutable::produceCodeBlockFor):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::createEvalCodeBlock):
        * runtime/JSGlobalObject.h:
        (JSGlobalObject):
        * runtime/Options.cpp:
        (JSC::Options::initialize):

2013-03-06  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, roll out http://trac.webkit.org/changeset/144989
        
        I think we want the assertion that I removed.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::merge):
        (JSC::DFG::AbstractState::mergeVariableBetweenBlocks):
        * dfg/DFGAbstractState.h:
        (AbstractState):

2013-03-06  Filip Pizlo  <fpizlo@apple.com>

        DFG::AbstractState::merge() is still more complicated than it needs to be
        https://bugs.webkit.org/show_bug.cgi?id=111619

        Reviewed by Mark Hahnenberg.
        
        This method is the one place where we still do some minimal amount of liveness pruning, but the style with
        which it is written is awkward, and it makes an assertion about variablesAtTail that will be invalidated
        by https://bugs.webkit.org/show_bug.cgi?id=111539.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::merge):
        (JSC::DFG::AbstractState::mergeVariableBetweenBlocks):
        * dfg/DFGAbstractState.h:
        (AbstractState):

2013-03-06  Filip Pizlo  <fpizlo@apple.com>

        DFG should not run full CSE after the optimization fixpoint, since it really just wants store elimination
        https://bugs.webkit.org/show_bug.cgi?id=111536

        Reviewed by Oliver Hunt and Mark Hahnenberg.
        
        The fixpoint will do aggressive load elimination and pure CSE. There's no need to do it after the fixpoint.
        On the other hand, the fixpoint does not profit from doing store elimination (except for SetLocal/Flush).
        Previously we had CSE do both, and had it avoid doing some store elimination during the fixpoint by querying
        the fixpoint state. This changes CSE to be templated on mode - either NormalCSE or StoreElimination - so
        that we explicitly put it into one of those modes depending on where we call it from. The goal is to reduce
        time spent doing load elimination after the fixpoint, since that is just wasted cycles.

        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::CSEPhase):
        (JSC::DFG::CSEPhase::run):
        (JSC::DFG::CSEPhase::performNodeCSE):
        (JSC::DFG::CSEPhase::performBlockCSE):
        (JSC::DFG::performCSE):
        (DFG):
        (JSC::DFG::performStoreElimination):
        * dfg/DFGCSEPhase.h:
        (DFG):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):

2013-03-06  Andreas Kling  <akling@apple.com>

        Pack Structure members better.
        <http://webkit.org/b/111593>
        <rdar://problem/13359200>

        Reviewed by Mark Hahnenberg.

        Shrink Structure by 8 bytes (now at 104 bytes) on 64-bit by packing the members better.

        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        * runtime/Structure.h:
        (Structure):

2013-03-06  Andreas Kling  <akling@apple.com>

        Unreviewed, fix Windows build after r144910.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:

2013-03-05  Filip Pizlo  <fpizlo@apple.com>

        DFG should not check if nodes are shouldGenerate prior to DCE
        https://bugs.webkit.org/show_bug.cgi?id=111520

        Reviewed by Geoffrey Garen.
        
        All nodes are live before DCE. We don't need to check that they aren't, because they
        definitely will be.

        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::performBlockCFA):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::pureCSE):
        (JSC::DFG::CSEPhase::int32ToDoubleCSE):
        (JSC::DFG::CSEPhase::constantCSE):
        (JSC::DFG::CSEPhase::weakConstantCSE):
        (JSC::DFG::CSEPhase::getCalleeLoadElimination):
        (JSC::DFG::CSEPhase::getArrayLengthElimination):
        (JSC::DFG::CSEPhase::globalVarLoadElimination):
        (JSC::DFG::CSEPhase::scopedVarLoadElimination):
        (JSC::DFG::CSEPhase::globalVarWatchpointElimination):
        (JSC::DFG::CSEPhase::globalVarStoreElimination):
        (JSC::DFG::CSEPhase::scopedVarStoreElimination):
        (JSC::DFG::CSEPhase::getByValLoadElimination):
        (JSC::DFG::CSEPhase::checkStructureElimination):
        (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
        (JSC::DFG::CSEPhase::putStructureStoreElimination):
        (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
        (JSC::DFG::CSEPhase::putByOffsetStoreElimination):
        (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::checkArrayElimination):
        (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::getMyScopeLoadElimination):
        (JSC::DFG::CSEPhase::getLocalLoadElimination):
        (JSC::DFG::CSEPhase::setLocalStoreElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGStructureCheckHoistingPhase.cpp:
        (JSC::DFG::StructureCheckHoistingPhase::run):

2013-03-06  Csaba Osztrogonác  <ossy@webkit.org>

        Fix unused parameter warnings in ARM assembler
        https://bugs.webkit.org/show_bug.cgi?id=111433

        Reviewed by Kentaro Hara.

        * assembler/ARMAssembler.h: Remove unreachable revertJump() after r143346.
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::moveIntsToDouble): Remove unused scratch parameter instead of UNUSED_PARAM.
        (JSC::MacroAssemblerARM::branchConvertDoubleToInt32): Remove unused fpTemp parameter.
        (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranchPtrWithPatch): Remove unused parameters.

2013-03-06  Andreas Kling  <akling@apple.com>

        Unused Structure property tables waste 14MB on Membuster.
        <http://webkit.org/b/110854>
        <rdar://problem/13292104>

        Reviewed by Geoffrey Garen.

        Turn PropertyTable into a GC object and have Structure drop unpinned tables when marking.
        14 MB progression on Membuster3.

        This time it should stick; I've been through all the tests with COLLECT_ON_EVERY_ALLOCATION.
        The issue with the last version was that Structure::m_offset could be used uninitialized
        when re-materializing a previously GC'd property table, causing some sanity checks to fail.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:

            Added PropertyTable.cpp.

        * runtime/PropertyTable.cpp: Added.
        (JSC::PropertyTable::create):
        (JSC::PropertyTable::clone):
        (JSC::PropertyTable::PropertyTable):
        (JSC::PropertyTable::destroy):
        (JSC::PropertyTable::~PropertyTable):
        (JSC::PropertyTable::visitChildren):

            Moved marking of property table values here from Structure::visitChildren().

        * runtime/WriteBarrier.h:
        (JSC::WriteBarrierBase::get):

            Move m_cell to a local before using it multiple times. This avoids a multiple-access race when
            Structure::checkOffsetConsistency() is used in assertions on the main thread while a marking thread
            zaps the property table.

        * runtime/Structure.h:
        (JSC::Structure::materializePropertyMapIfNecessary):
        (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
        * runtime/StructureInlines.h:
        (JSC::Structure::propertyTable):

            Added a getter for the Structure's PropertyTable that ASSERTs GC currently isn't active.
            Because GC can zap an unpinned property table at any time, it's not entirely safe to access it.
            Renamed the variable itself to m_propertyTableUnsafe to force call sites into explaining themselves.

        (JSC::Structure::putWillGrowOutOfLineStorage):
        (JSC::Structure::checkOffsetConsistency):

            Moved these out of Structure.h to break header dependency cycle between Structure/PropertyTable.

        * runtime/Structure.cpp:
        (JSC::Structure::visitChildren):

            Null out m_propertyTable if the table is unpinned. This'll cause the table to get GC'd.

        (JSC::Structure::takePropertyTableOrCloneIfPinned):

            Added for setting up the property table in a new transition, this code is now shared between
            addPropertyTransition() and nonPropertyTransition().

        * runtime/JSGlobalData.h:
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):

            Add a global propertyTableStructure.

        * runtime/PropertyMapHashTable.h:
        (PropertyTable):
        (JSC::PropertyTable::createStructure):
        (JSC::PropertyTable::copy):

            Make PropertyTable a GC object.

        * runtime/Structure.cpp:
        (JSC::Structure::dumpStatistics):
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::despecifyDictionaryFunction):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::changePrototypeTransition):
        (JSC::Structure::despecifyFunctionTransition):
        (JSC::Structure::attributeChangeTransition):
        (JSC::Structure::toDictionaryTransition):
        (JSC::Structure::sealTransition):
        (JSC::Structure::freezeTransition):
        (JSC::Structure::preventExtensionsTransition):
        (JSC::Structure::nonPropertyTransition):
        (JSC::Structure::isSealed):
        (JSC::Structure::isFrozen):
        (JSC::Structure::flattenDictionaryStructure):
        (JSC::Structure::pin):
        (JSC::Structure::copyPropertyTable):
        (JSC::Structure::copyPropertyTableForPinning):
        (JSC::Structure::get):
        (JSC::Structure::despecifyFunction):
        (JSC::Structure::despecifyAllFunctions):
        (JSC::Structure::putSpecificValue):
        (JSC::Structure::remove):
        (JSC::Structure::createPropertyMap):
        (JSC::Structure::getPropertyNamesFromStructure):
        (JSC::Structure::checkConsistency):

2013-03-05  Filip Pizlo  <fpizlo@apple.com>

        Get rid of the invert argument to SpeculativeJIT::jumpSlowForUnwantedArrayMode
        https://bugs.webkit.org/show_bug.cgi?id=105624

        Reviewed by Oliver Hunt.
        
        All callers pass invert = false, which is the default value of the argument. So, get
        rid of the argument and fold away all code that checks it.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):

2013-03-05  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix an incorrect comment. The comment was a holdover from a work-in-progress version of this code.

        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::run):

2013-03-04  Filip Pizlo  <fpizlo@apple.com>

        DFG DCE might eliminate checks unsoundly
        https://bugs.webkit.org/show_bug.cgi?id=109389

        Reviewed by Oliver Hunt.
        
        This gets rid of all eager reference counting, and does all dead code elimination
        in one phase - the DCEPhase. This phase also sets up the node reference counts,
        which are then used not just for DCE but also register allocation and stack slot
        allocation.
        
        Doing this required a number of surgical changes in places that previously relied
        on always having liveness information. For example, the structure check hoisting
        phase must now consult whether a VariableAccessData is profitable for unboxing to
        make sure that it doesn't try to do hoisting on set SetLocals. The arguments
        simplification phase employs its own light-weight liveness analysis. Both phases
        previously just used reference counts.
        
        The largest change is that now, dead nodes get turned into Phantoms. Those
        Phantoms will retain those child edges that are not proven. This ensures that any
        type checks performed by a dead node remain even after the node is killed. On the
        other hand, this Phantom conversion means that we need special handling for
        SetLocal. I decided to make the four forms of SetLocal explicit:
        
        MovHint(@a, rK): Just indicates that node @a contains the value that would have
             now been placed into virtual register rK. Does not actually cause @a to be
             stored into rK. This would have previously been a dead SetLocal with @a
             being live. MovHints are always dead.
        
        ZombieHint(rK): Indicates that at this point, register rK will contain a dead
             value and OSR should put Undefined into it. This would have previously been
             a dead SetLocal with @a being dead also. ZombieHints are always dead.
        
        MovHintAndCheck(@a, rK): Identical to MovHint except @a is also type checked,
             according to whatever UseKind the edge to @a has. The type check is always a
             forward exit. MovHintAndChecks are always live, since they are
             NodeMustGenerate. Previously this would have been a dead SetLocal with a
             live @a, and the check would have disappeared. This is one of the bugs that
             this patch solves.
        
        SetLocal(@a, rK): This still does exactly what it does now, if the SetLocal is
             live.
        
        Basically this patch makes it so that dead SetLocals eventually decay to MovHint,
        ZombieHint, or MovHintAndCheck depending on the situation. If the child @a is
        also dead, then you get a ZombieHint. If the child @a is live but the SetLocal
        has a type check and @a's type hasn't been proven to have that type then you get
        a MovHintAndCheck. Otherwise you get a MovHint.
        
        This is performance neutral.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::executeEffects):
        (JSC::DFG::AbstractState::mergeStateAtTail):
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        (ArgumentsSimplificationPhase):
        (JSC::DFG::ArgumentsSimplificationPhase::removeArgumentsReferencingPhantomChild):
        * dfg/DFGBasicBlock.h:
        (BasicBlock):
        * dfg/DFGBasicBlockInlines.h:
        (DFG):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addToGraph):
        (JSC::DFG::ByteCodeParser::insertPhiNode):
        (JSC::DFG::ByteCodeParser::emitFunctionChecks):
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::run):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::run):
        (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::run):
        (JSC::DFG::CPSRethreadingPhase::addPhiSilently):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren):
        (JSC::DFG::CSEPhase::setReplacement):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGCommon.cpp:
        (WTF::printInternal):
        (WTF):
        * dfg/DFGCommon.h:
        (WTF):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
        (JSC::DFG::ConstantFoldingPhase::paintUnreachableCode):
        * dfg/DFGDCEPhase.cpp: Added.
        (DFG):
        (DCEPhase):
        (JSC::DFG::DCEPhase::DCEPhase):
        (JSC::DFG::DCEPhase::run):
        (JSC::DFG::DCEPhase::findTypeCheckRoot):
        (JSC::DFG::DCEPhase::countEdge):
        (JSC::DFG::DCEPhase::eliminateIrrelevantPhantomChildren):
        (JSC::DFG::performDCE):
        * dfg/DFGDCEPhase.h: Added.
        (DFG):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::checkArray):
        (JSC::DFG::FixupPhase::blessArrayOperation):
        (JSC::DFG::FixupPhase::fixIntEdge):
        (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
        (JSC::DFG::FixupPhase::truncateConstantToInt32):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        (JSC::DFG::Graph::dump):
        (DFG):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::changeChild):
        (JSC::DFG::Graph::changeEdge):
        (JSC::DFG::Graph::compareAndSwap):
        (JSC::DFG::Graph::clearAndDerefChild):
        (JSC::DFG::Graph::performSubstitution):
        (JSC::DFG::Graph::performSubstitutionForEdge):
        (Graph):
        (JSC::DFG::Graph::substitute):
        * dfg/DFGInsertionSet.h:
        (InsertionSet):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::Node):
        (JSC::DFG::Node::convertToConstant):
        (JSC::DFG::Node::convertToGetLocalUnlinked):
        (JSC::DFG::Node::containsMovHint):
        (Node):
        (JSC::DFG::Node::hasVariableAccessData):
        (JSC::DFG::Node::willHaveCodeGenOrOSR):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
        (JSC::DFG::SpeculativeJIT::compileMovHint):
        (JSC::DFG::SpeculativeJIT::compileMovHintAndCheck):
        (DFG):
        (JSC::DFG::SpeculativeJIT::compileInlineStart):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStructureCheckHoistingPhase.cpp:
        (JSC::DFG::StructureCheckHoistingPhase::run):
        (JSC::DFG::StructureCheckHoistingPhase::shouldConsiderForHoisting):
        (StructureCheckHoistingPhase):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validate):

2013-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: JSValue should implement init and return nil in exceptional cases
        https://bugs.webkit.org/show_bug.cgi?id=111487

        Reviewed by Darin Adler.

        * API/JSValue.mm:
        (-[JSValue init]): We return nil here because there is no way to get the instance into a coherent state
        without a JSContext.
        (-[JSValue initWithValue:inContext:]): Similarly, we should also return nil here if either of the arguments is 0.

2013-03-05  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r144708.
        http://trac.webkit.org/changeset/144708
        https://bugs.webkit.org/show_bug.cgi?id=111447

        random assertion crashes in inspector tests on qt+mac bots
        (Requested by kling on #webkit).

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        * runtime/PropertyMapHashTable.h:
        (PropertyTable):
        (JSC::PropertyTable::PropertyTable):
        (JSC):
        (JSC::PropertyTable::~PropertyTable):
        (JSC::PropertyTable::copy):
        * runtime/PropertyTable.cpp: Removed.
        * runtime/Structure.cpp:
        (JSC::Structure::dumpStatistics):
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::despecifyDictionaryFunction):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::changePrototypeTransition):
        (JSC::Structure::despecifyFunctionTransition):
        (JSC::Structure::attributeChangeTransition):
        (JSC::Structure::toDictionaryTransition):
        (JSC::Structure::sealTransition):
        (JSC::Structure::freezeTransition):
        (JSC::Structure::preventExtensionsTransition):
        (JSC::Structure::nonPropertyTransition):
        (JSC::Structure::isSealed):
        (JSC::Structure::isFrozen):
        (JSC::Structure::flattenDictionaryStructure):
        (JSC::Structure::pin):
        (JSC::Structure::copyPropertyTable):
        (JSC::Structure::copyPropertyTableForPinning):
        (JSC::Structure::get):
        (JSC::Structure::despecifyFunction):
        (JSC::Structure::despecifyAllFunctions):
        (JSC::Structure::putSpecificValue):
        (JSC::Structure::remove):
        (JSC::Structure::createPropertyMap):
        (JSC::Structure::getPropertyNamesFromStructure):
        (JSC::Structure::visitChildren):
        (JSC::Structure::checkConsistency):
        * runtime/Structure.h:
        (JSC):
        (JSC::Structure::putWillGrowOutOfLineStorage):
        (JSC::Structure::materializePropertyMapIfNecessary):
        (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
        (JSC::Structure::checkOffsetConsistency):
        (Structure):
        * runtime/StructureInlines.h:
        (JSC::Structure::get):
        * runtime/WriteBarrier.h:
        (JSC::WriteBarrierBase::get):

2013-03-05  David Kilzer  <ddkilzer@apple.com>

        BUILD FIX (r144698): Only enable SPEECH_SYNTHESIS for Mac
        <http://webkit.org/b/106742>

        Fixes the following build failures:

            Undefined symbols for architecture i386:
              "__ZTVN7WebCore25PlatformSpeechSynthesizerE", referenced from:
                  __ZN7WebCore25PlatformSpeechSynthesizerC2EPNS_31PlatformSpeechSynthesizerClientE in PlatformSpeechSynthesizer.o
              NOTE: a missing vtable usually means the first non-inline virtual member function has no definition.
              "__ZN7WebCore25PlatformSpeechSynthesizer19initializeVoiceListEv", referenced from:
                  __ZN7WebCore25PlatformSpeechSynthesizerC2EPNS_31PlatformSpeechSynthesizerClientE in PlatformSpeechSynthesizer.o
            ld: symbol(s) not found for architecture i386

        * Configurations/FeatureDefines.xcconfig:
        - Fix definition of ENABLE_ENCRYPTED_MEDIA_V2_macosx to match
          other FeatureDefines.xcconfig files.
        - Only set ENABLE_SPEECH_SYNTHESIS for the macosx platform.

2013-03-04  Andreas Kling  <akling@apple.com>

        Unused Structure property tables waste 14MB on Membuster.
        <http://webkit.org/b/110854>
        <rdar://problem/13292104>

        Reviewed by Geoffrey Garen.

        Turn PropertyTable into a GC object and have Structure drop unpinned tables when marking.
        14 MB progression on Membuster3.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:

            Added PropertyTable.cpp.

        * runtime/PropertyTable.cpp: Added.
        (JSC::PropertyTable::create):
        (JSC::PropertyTable::clone):
        (JSC::PropertyTable::PropertyTable):
        (JSC::PropertyTable::destroy):
        (JSC::PropertyTable::~PropertyTable):
        (JSC::PropertyTable::visitChildren):

            Moved marking of property table values here from Structure::visitChildren().

        * runtime/WriteBarrier.h:
        (JSC::WriteBarrierBase::get):

            Move m_cell to a local before using it multiple times. This avoids a multiple-access race when
            Structure::checkOffsetConsistency() is used in assertions on the main thread while a marking thread
            zaps the property table.

        * runtime/Structure.h:
        (JSC::Structure::materializePropertyMapIfNecessary):
        (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
        * runtime/StructureInlines.h:
        (JSC::Structure::propertyTable):

            Added a getter for the Structure's PropertyTable that ASSERTs GC currently isn't active.
            Because GC can zap an unpinned property table at any time, it's not entirely safe to access it.
            Renamed the variable itself to m_propertyTableUnsafe to force call sites into explaining themselves.

        (JSC::Structure::putWillGrowOutOfLineStorage):
        (JSC::Structure::checkOffsetConsistency):

            Moved these out of Structure.h to break header dependency cycle between Structure/PropertyTable.

        * runtime/Structure.cpp:
        (JSC::Structure::visitChildren):

            Null out m_propertyTable if the table is unpinned. This'll cause the table to get GC'd.

        * runtime/JSGlobalData.h:
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):

            Add a global propertyTableStructure.

        * runtime/PropertyMapHashTable.h:
        (PropertyTable):
        (JSC::PropertyTable::createStructure):
        (JSC::PropertyTable::copy):

            Make PropertyTable a GC object.

        * runtime/Structure.cpp:
        (JSC::Structure::dumpStatistics):
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::despecifyDictionaryFunction):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::changePrototypeTransition):
        (JSC::Structure::despecifyFunctionTransition):
        (JSC::Structure::attributeChangeTransition):
        (JSC::Structure::toDictionaryTransition):
        (JSC::Structure::sealTransition):
        (JSC::Structure::freezeTransition):
        (JSC::Structure::preventExtensionsTransition):
        (JSC::Structure::nonPropertyTransition):
        (JSC::Structure::isSealed):
        (JSC::Structure::isFrozen):
        (JSC::Structure::flattenDictionaryStructure):
        (JSC::Structure::pin):
        (JSC::Structure::copyPropertyTable):
        (JSC::Structure::copyPropertyTableForPinning):
        (JSC::Structure::get):
        (JSC::Structure::despecifyFunction):
        (JSC::Structure::despecifyAllFunctions):
        (JSC::Structure::putSpecificValue):
        (JSC::Structure::remove):
        (JSC::Structure::createPropertyMap):
        (JSC::Structure::getPropertyNamesFromStructure):
        (JSC::Structure::checkConsistency):

2013-03-04  Chris Fleizach  <cfleizach@apple.com>

        Support WebSpeech - Speech Synthesis
        https://bugs.webkit.org/show_bug.cgi?id=106742

        Reviewed by Simon Fraser.

        Enable speech synthesis for the Mac.

        * Configurations/FeatureDefines.xcconfig:

2013-03-04  Mark Hahnenberg  <mhahnenberg@apple.com>

        Remove contextInternalContext from JSContextInternal.h
        https://bugs.webkit.org/show_bug.cgi?id=111356

        Reviewed by Geoffrey Garen.

        We don't need it any more since we have globalContextRef in JSContext.

        * API/JSContext.mm:
        * API/JSContextInternal.h:
        * API/JSValue.mm:
        (+[JSValue valueWithBool:inContext:]):
        (+[JSValue valueWithDouble:inContext:]):
        (+[JSValue valueWithInt32:inContext:]):
        (+[JSValue valueWithUInt32:inContext:]):
        (+[JSValue valueWithNewObjectInContext:]):
        (+[JSValue valueWithNewArrayInContext:]):
        (+[JSValue valueWithNewRegularExpressionFromPattern:flags:inContext:]):
        (+[JSValue valueWithNewErrorFromMessage:inContext:]):
        (+[JSValue valueWithNullInContext:]):
        (+[JSValue valueWithUndefinedInContext:]):
        (-[JSValue toBool]):
        (-[JSValue toDouble]):
        (-[JSValue toNumber]):
        (-[JSValue toString]):
        (-[JSValue toDate]):
        (-[JSValue toArray]):
        (-[JSValue toDictionary]):
        (-[JSValue valueForProperty:]):
        (-[JSValue setValue:forProperty:]):
        (-[JSValue deleteProperty:]):
        (-[JSValue hasProperty:]):
        (-[JSValue valueAtIndex:]):
        (-[JSValue setValue:atIndex:]):
        (-[JSValue isUndefined]):
        (-[JSValue isNull]):
        (-[JSValue isBoolean]):
        (-[JSValue isNumber]):
        (-[JSValue isString]):
        (-[JSValue isObject]):
        (-[JSValue isEqualToObject:]):
        (-[JSValue isEqualWithTypeCoercionToObject:]):
        (-[JSValue isInstanceOf:]):
        (-[JSValue callWithArguments:]):
        (-[JSValue constructWithArguments:]):
        (-[JSValue invokeMethod:withArguments:]):
        (valueToObject):
        (objectToValueWithoutCopy):
        (objectToValue):
        (-[JSValue initWithValue:inContext:]):
        (-[JSValue dealloc]):
        (-[JSValue description]):
        * API/JSWrapperMap.mm:
        (createObjectWithCustomBrand):
        (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]):
        (-[JSObjCClassInfo wrapperForObject:]):
        (-[JSWrapperMap jsWrapperForObject:]):
        * API/ObjCCallbackFunction.mm:
        (ObjCCallbackFunction::call):
        (objCCallbackFunctionForInvocation):

2013-03-04  Andreas Kling  <akling@apple.com>

        Add simple vector traits for JSC::Identifier.
        <http://webkit.org/b/111323>

        Reviewed by Geoffrey Garen.

        Identifiers are really just Strings, giving them simple vector traits makes
        Vector move them with memcpy() instead of churning the refcounts.

        * runtime/Identifier.h:
        (WTF):

2013-03-04  Kunihiko Sakamoto  <ksakamoto@chromium.org>

        Add build flag for FontLoader
        https://bugs.webkit.org/show_bug.cgi?id=111289

        Reviewed by Benjamin Poulain.

        Add ENABLE_FONT_LOAD_EVENTS build flag (disabled by default).

        * Configurations/FeatureDefines.xcconfig:

2013-03-03  Andreas Kling  <akling@apple.com>

        Shrink JSC::HashTable entries.
        <http://webkit.org/b/111275>
        <rdar://problem/13333511>

        Reviewed by Anders Carlsson.

        Move the Intrinsic value out of the function-specific part of the union,
        and store it next to m_attributes. Reduces the size of HashEntry by 8 bytes.

        990 kB progression on Membuster3. (PTUS: 797 kB)

        * runtime/Lookup.h:
        (JSC::HashEntry::initialize):
        (JSC::HashEntry::intrinsic):
        (HashEntry):

2013-03-01  David Kilzer  <ddkilzer@apple.com>

        BUILD FIX: testapi should link to Foundation, not CoreFoundation

        * JavaScriptCore.xcodeproj/project.pbxproj: Change testapi to
        link to Foundation.framework instead of CoreFoundation.framework
        since it uses NS types.

2013-03-01  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: Passing JS functions to Objective-C callbacks causes JSValue to leak
        https://bugs.webkit.org/show_bug.cgi?id=107836

        Reviewed by Oliver Hunt.

        We've decided to remove support for this feature from the API because there's no way to automatically manage 
        the memory for clients in a satisfactory manner. Clients can still pass JS functions to Objective-C methods, 
        but the methods must accept plain JSValues instead of Objective-C blocks.

        We now ignore functions that are part of a protocol that inherits from JSExport that accept blocks as arguments.

        * API/JSBlockAdaptor.h: Removed.
        * API/JSBlockAdaptor.mm: Removed.
        * API/ObjCCallbackFunction.mm:
        (ArgumentTypeDelegate::typeBlock): Return nil to signal that we want to ignore this function when copying it
        to the object from the protocol.
        * API/tests/testapi.mm: Added a test to make sure that we ignore methods declared as part of a JSExport-ed protocol
        that have block arguments.
        (-[TestObject bogusCallback:]):
        * JavaScriptCore.gypi: Updated build files.
        * JavaScriptCore.xcodeproj/project.pbxproj:

2013-03-01  Filip Pizlo  <fpizlo@apple.com>

        DFG Branch(LogicalNot) peephole should not try to optimize and work-around the case where LogicalNot may be otherwise live
        https://bugs.webkit.org/show_bug.cgi?id=111209

        Reviewed by Oliver Hunt.
        
        Even if it is then everything will work just fine. It's not necessary to check the ref count here.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

2013-03-01  Filip Pizlo  <fpizlo@apple.com>

        DFG CSE phase shouldn't rely on ref count of nodes, since it doesn't have to
        https://bugs.webkit.org/show_bug.cgi?id=111205

        Reviewed by Oliver Hunt.
        
        I don't understand the intuition behind setLocalStoreElimination() validating that the SetLocal's ref count
        is 1. I believe this is a hold-over from when setLocalStoreElimination() would match one SetLocal to another,
        and then try to eliminate the first SetLocal. But that's not how it works now. Now, setLocalStoreElimination()
        is actually Flush elimination: it eliminates any Flush that anchors a SetLocal if it proves that every path
        from the SetLocal to the Flush is devoid of operations that may observe the local. It doesn't actually kill
        the SetLocal itself: if the SetLocal is live because of other things (other Flushes or GetLocals in other
        basic blocks), then the SetLocal will naturally still be alive because th Flush was only keeping the SetLocal
        alive by one count rather than being solely responsible for its liveness.

        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::setLocalStoreElimination):
        (JSC::DFG::CSEPhase::eliminate):
        (JSC::DFG::CSEPhase::performNodeCSE):

2013-03-01  Filip Pizlo  <fpizlo@apple.com>

        Rename MovHint to MovHintEvent so I can create a NodeType called MovHint

        Rubber stamped by Mark Hahnenberg.
        
        This is similar to the SetLocal/SetLocalEvent naming scheme, where SetLocal is the
        NodeType and SetLocalEvent is the VariableEventKind.

        * dfg/DFGVariableEvent.cpp:
        (JSC::DFG::VariableEvent::dump):
        * dfg/DFGVariableEvent.h:
        (JSC::DFG::VariableEvent::movHint):
        (JSC::DFG::VariableEvent::id):
        (JSC::DFG::VariableEvent::operand):
        (VariableEvent):
        * dfg/DFGVariableEventStream.cpp:
        (JSC::DFG::VariableEventStream::reconstruct):

2013-03-01  Raphael Kubo da Costa  <raphael.kubo.da.costa@intel.com>

        [JSC] Fix sign comparison warning/error after r144340.
        https://bugs.webkit.org/show_bug.cgi?id=111164

        Reviewed by Mark Hahnenberg.

        gcc (both 4.2.1 and 4.7.2) complain about comparing signed and
        unsigned terms (clang accepts it just fine).

        Work around that by casting the 1 to an uintptr_t as well.

        * dfg/DFGEdge.h:
        (JSC::DFG::Edge::makeWord):

2013-02-28  Filip Pizlo  <fpizlo@apple.com>

        DFG CFA should not do liveness pruning
        https://bugs.webkit.org/show_bug.cgi?id=111119

        Reviewed by Mark Hahnenberg.
        
        It adds complexity and probably buys nothing.  Moreover, I'm transitioning to having
        liveness only available at the bitter end of compilation, so this will stop working
        after https://bugs.webkit.org/show_bug.cgi?id=109389 anyway.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::initialize):
        (JSC::DFG::AbstractState::mergeStateAtTail):

2013-02-28  Filip Pizlo  <fpizlo@apple.com>

        Don't try to emit profiling if you don't have the DFG JIT.

        Rubber stamped by Mark Hahnenberg.

        * jit/JIT.h:
        (JSC::JIT::shouldEmitProfiling):

2013-02-28  Filip Pizlo  <fpizlo@apple.com>

        DFG Phantom node should be honest about the fact that it can exit
        https://bugs.webkit.org/show_bug.cgi?id=111115

        Reviewed by Mark Hahnenberg.
        
        The chances of this having cause serious issues are low, since most clients of the
        NodeDoesNotExit flag run after CFA and CFA updates this properly. But one possible
        case of badness is if the ByteCodeParser inserted a Phantom with a type check in
        between a LogicalNot and a Branch; then that peephole optimization in Fixup might
        go slightly wrong.

        * dfg/DFGNodeType.h:
        (DFG):

2013-02-28  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add casts in DFGGPRInfo.h to suppress warnings
        https://bugs.webkit.org/show_bug.cgi?id=111104

        Reviewed by Filip Pizlo.

        With certain flags on, we get compiler warnings on ARM. We should do the proper casts to make these warnings go away.

        * dfg/DFGGPRInfo.h:
        (JSC::DFG::GPRInfo::toIndex):
        (JSC::DFG::GPRInfo::debugName):

2013-02-28  Filip Pizlo  <fpizlo@apple.com>

        It should be easy to determine if a DFG node exits forward or backward when doing type checks
        https://bugs.webkit.org/show_bug.cgi?id=111102

        Reviewed by Mark Hahnenberg.
        
        This adds a NodeExitsForward flag, which tells you the exit directionality of
        type checks performed by the node. Even if you convert the node to a Phantom
        and use the Edge UseKind for type checks, you'll still get the same exit
        directionality that the original node would have wanted.

        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        * dfg/DFGArrayifySlowPathGenerator.h:
        (JSC::DFG::ArrayifySlowPathGenerator::ArrayifySlowPathGenerator):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::run):
        (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::setReplacement):
        (JSC::DFG::CSEPhase::eliminate):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::checkArray):
        * dfg/DFGNode.h:
        (Node):
        (JSC::DFG::Node::setOpAndDefaultNonExitFlags):
        (JSC::DFG::Node::convertToPhantom):
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::nodeFlagsAsString):
        * dfg/DFGNodeFlags.h:
        (DFG):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::backwardSpeculationCheck):
        (DFG):
        (JSC::DFG::SpeculativeJIT::speculationCheck):
        (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
        (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck):
        (JSC::DFG::SpeculativeJIT::backwardTypeCheck):
        (JSC::DFG::SpeculativeJIT::typeCheck):
        (JSC::DFG::SpeculativeJIT::forwardTypeCheck):
        (JSC::DFG::SpeculativeJIT::fillStorage):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        (JSC::DFG::SpeculateIntegerOperand::SpeculateIntegerOperand):
        (JSC::DFG::SpeculateIntegerOperand::gpr):
        (SpeculateIntegerOperand):
        (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
        (JSC::DFG::SpeculateDoubleOperand::fpr):
        (SpeculateDoubleOperand):
        (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand):
        (JSC::DFG::SpeculateCellOperand::gpr):
        (SpeculateCellOperand):
        (JSC::DFG::SpeculateBooleanOperand::SpeculateBooleanOperand):
        (JSC::DFG::SpeculateBooleanOperand::gpr):
        (SpeculateBooleanOperand):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt):
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt):
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compile):

2013-02-28  Filip Pizlo  <fpizlo@apple.com>

        CodeBlock::valueProfile() has a bogus assertion
        https://bugs.webkit.org/show_bug.cgi?id=111106
        <rdar://problem/13131427>

        Reviewed by Mark Hahnenberg.
        
        This was just a bad assertion: m_bytecodeOffset == -1 means that the value profile is constructed but not initialized.
        ValueProfile constructs itself in a safe way; you can call any method you want on a constructed but not initialized
        ValueProfile. CodeBlock first constructs all ValueProfiles (by growing the ValueProfile vector) and then initializes
        their m_bytecodeOffset later. This is necessary because the initialization is linking bytecode instructions to their
        ValueProfiles, so at that point we don't want the ValueProfile vector to resize, which implies that we want all of
        them to already be constructed. A GC can happen during this phase, and the GC may want to walk all ValueProfiles.
        This is safe, but one of the ValueProfile getters (CodeBlock::valueProfile()) was asserting that any value profile
        you get has had its m_bytecodeOffset initialized. This need not be the case and nothing will go wrong if it isn't.

        The solution is to remove the assertion, which I believe was put there to ensure that my m_valueProfiles refactoring
        a long time ago was sound: it used to be that a ValueProfile with m_bytecodeOffset == -1 was an argument profile; now
        all argument profiles are in m_argumentValueProfiles instead. I think it's safe to say that this refactoring was done
        soundly since it was a long time ago. So we should kill the assertion - I don't see an easy way to make the assertion
        sound with respect to the GC-during-CodeBlock-construction issue, and I don't believe that the assertion is buying us
        anything at this point.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::valueProfile):

2013-02-27  Filip Pizlo  <fpizlo@apple.com>

        DFG CFA should leave behind information in Edge that says if the Edge's type check is proven to succeed
        https://bugs.webkit.org/show_bug.cgi?id=110840

        Reviewed by Mark Hahnenberg.
        
        This doesn't add any observable functionality to the compiler, yet. But it does give
        every phase that runs after CFA the ability to know, in O(1) time, whether an edge
        will need to execute a type check.

        * dfg/DFGAbstractState.h:
        (JSC::DFG::AbstractState::filterEdgeByUse):
        (JSC::DFG::AbstractState::filterByType):
        * dfg/DFGCommon.cpp:
        (WTF):
        (WTF::printInternal):
        * dfg/DFGCommon.h:
        (JSC::DFG::isProved):
        (DFG):
        (JSC::DFG::proofStatusForIsProved):
        (WTF):
        * dfg/DFGEdge.cpp:
        (JSC::DFG::Edge::dump):
        * dfg/DFGEdge.h:
        (JSC::DFG::Edge::Edge):
        (JSC::DFG::Edge::setNode):
        (JSC::DFG::Edge::useKindUnchecked):
        (JSC::DFG::Edge::setUseKind):
        (Edge):
        (JSC::DFG::Edge::proofStatusUnchecked):
        (JSC::DFG::Edge::proofStatus):
        (JSC::DFG::Edge::setProofStatus):
        (JSC::DFG::Edge::isProved):
        (JSC::DFG::Edge::needsCheck):
        (JSC::DFG::Edge::shift):
        (JSC::DFG::Edge::makeWord):

2013-02-28  Simon Hausmann  <simon.hausmann@digia.com>

        [Qt][Mac] Fix massive parallel builds

        Reviewed by Tor Arne Vestbø.

        There exists a race condition that LLIntDesiredOffsets.h is written to
        by two parllel instances of the ruby script. This patch ensures that similar to the output file,
        the generated file is also prefixed according to the build configuration.

        * LLIntOffsetsExtractor.pro:

2013-02-27  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r144168.
        http://trac.webkit.org/changeset/144168
        https://bugs.webkit.org/show_bug.cgi?id=111019

        It broke the build and tronical is unavailable (Requested by
        Ossy_night on #webkit).

        * LLIntOffsetsExtractor.pro:

2013-02-26  Filip Pizlo  <fpizlo@apple.com>

        Disable some unsound DFG DCE
        https://bugs.webkit.org/show_bug.cgi?id=110948

        Reviewed by Michael Saboff.
        
        DCE of bitops is not sound since the bitops might call some variant of valueOf.
        
        This used to work right because ValueToInt32 was MustGenerate. From the DFG IR
        standpoint it feels weird to make ValueToInt32 be MustGenerate since that node is
        implemented entirely as a pure conversion. If we ever gave the DFG the ability to
        do effectful bitops, we would most likely implement them as special nodes not
        related to the ValueToInt32 and bitop nodes we have now.
        
        This change is performance neutral.

        * dfg/DFGNodeType.h:
        (DFG):

2013-02-27  Glenn Adams  <glenn@skynav.com>

        Add ENABLE_CSS3_TEXT_LINE_BREAK flag.
        https://bugs.webkit.org/show_bug.cgi?id=110944

        Reviewed by Dean Jackson.

        * Configurations/FeatureDefines.xcconfig:

2013-02-27  Julien Brianceau   <jbrianceau@nds.com>

        Fix build when DFG_JIT is not enabled
        https://bugs.webkit.org/show_bug.cgi?id=110991

        Reviewed by Csaba Osztrogonác.

        * jit/JIT.h:
        (JSC::JIT::canBeOptimizedOrInlined):

2013-02-27  Simon Hausmann  <simon.hausmann@digia.com>

        [Qt][Mac] Fix massive parallel builds

        Reviewed by Tor Arne Vestbø.

        There exists a race condition that LLIntDesiredOffsets.h is written to
        by two parllel instances of the ruby script. This patch ensures that similar to the output file,
        the generated file is also prefixed according to the build configuration.

        * LLIntOffsetsExtractor.pro:

2013-02-26  Filip Pizlo  <fpizlo@apple.com>

        DFG OSR exit doesn't know which virtual register to use for the last result register for post_inc and post_dec
        https://bugs.webkit.org/show_bug.cgi?id=109036
        <rdar://problem/13292139>

        Reviewed by Gavin Barraclough.
        
        This was a two-fold problem:
        
        1) post_inc/dec has two results - the new value of the variable, and the old value of the variable. DFG OSR exit
           assumed that the "last result" used for the Baseline JIT's register allocation would be the new value. It was
           wrong in this assumption.
        
        2) The Baseline JIT knew to disable its last result optimization in cases where it might confuse the DFG. But it
           was doing this only for code blocks that could be totally optimized, but not code blocks that could only be
           optimized when inlined.
        
        This patch introduces a more rigorous notion of when the Baseline JIT emits profiling, when it does extra work
        to account for the possibility of OSR exit, and when it does extra work to account for the possibility of OSR
        entry. These notions are called shouldEmitProfiling(), canBeOptimizedOrInlined(), and canBeOptimized(),
        respectively.
        
        This is performance-neutral and fixes the reported bug. It probably fixes other bugs as well, since previously
        we for example weren't doing the more conservative implementation of op_mov in the Baseline JIT for code blocks
        that could be inlined but not optimized. So, if such a code block OSR exited at just the right point, you'd get
        symptoms similar to this bug.

        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        * dfg/DFGCommon.h:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        (JSC::JIT::compilePatchGetArrayLength):
        (JSC::JIT::canBeOptimizedOrInlined):
        (JIT):
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_post_inc):
        (JSC::JIT::emit_op_post_dec):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_op_post_inc):
        (JSC::JIT::emit_op_post_dec):
        * jit/JITCall.cpp:
        (JSC::JIT::emit_op_call_put_result):
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITInlines.h:
        (JSC::JIT::emitArrayProfilingSite):
        (JSC::JIT::map):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_mov):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::compileGetByIdHotPath):
        (JSC::JIT::privateCompilePutByIdTransition):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::compileGetByIdHotPath):
        (JSC::JIT::privateCompilePutByIdTransition):

2013-02-26  Roger Fong  <roger_fong@apple.com>

        Unreviewed. AppleWin VS2010 build fix.

        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:

2013-02-25  Filip Pizlo  <fpizlo@apple.com>

        The DFG backend's and OSR's decision to unbox a variable should be based on whether it's used in a typed context
        https://bugs.webkit.org/show_bug.cgi?id=110433

        Reviewed by Oliver Hunt and Mark Hahnenberg.
        
        This introduces the equivalent of a liveness analysis, except for type checking.
        A variable is said to be "profitable for unboxing" (i.e. live at a type check)
        if there exists a type check on a GetLocal of that variable, and the type check
        is consistent with the variable's prediction. Variables that are not profitable
        for unboxing aren't unboxed. Previously they would have been.
        
        This is a slight speed-up on some things but mostly neutral.

        * dfg/DFGArgumentPosition.h:
        (JSC::DFG::ArgumentPosition::ArgumentPosition):
        (JSC::DFG::ArgumentPosition::mergeShouldNeverUnbox):
        (JSC::DFG::ArgumentPosition::mergeArgumentPredictionAwareness):
        (JSC::DFG::ArgumentPosition::mergeArgumentUnboxingAwareness):
        (ArgumentPosition):
        (JSC::DFG::ArgumentPosition::isProfitableToUnbox):
        (JSC::DFG::ArgumentPosition::shouldUseDoubleFormat):
        * dfg/DFGCommon.h:
        (JSC::DFG::checkAndSet):
        (DFG):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::run):
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
        (FixupPhase):
        (JSC::DFG::FixupPhase::alwaysUnboxSimplePrimitives):
        (JSC::DFG::FixupPhase::setUseKindAndUnboxIfProfitable):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::VariableAccessData):
        (JSC::DFG::VariableAccessData::mergeIsCaptured):
        (JSC::DFG::VariableAccessData::mergeIsProfitableToUnbox):
        (VariableAccessData):
        (JSC::DFG::VariableAccessData::isProfitableToUnbox):
        (JSC::DFG::VariableAccessData::shouldUnboxIfPossible):
        (JSC::DFG::VariableAccessData::mergeStructureCheckHoistingFailed):
        (JSC::DFG::VariableAccessData::mergeIsArgumentsAlias):
        (JSC::DFG::VariableAccessData::shouldUseDoubleFormat):
        (JSC::DFG::VariableAccessData::mergeFlags):

2013-02-26  Oliver Hunt  <oliver@apple.com>

        Fix windows build.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:

2013-02-26  Oliver Hunt  <oliver@apple.com>

        Web Inspector: REGRESSION: [JSC] SourceProvider reuses IDs
        https://bugs.webkit.org/show_bug.cgi?id=99674

        Reviewed by Gavin Barraclough.

        Simple incrementing counter for SourceProvider IDs.  Uses a
        lock to incrementing the counter so we don't increment reuse
        counter values or reassign the ID for a given SourceProvider.

        * parser/SourceProvider.cpp:
        (JSC::SourceProvider::SourceProvider):
        (JSC):
        (JSC::SourceProvider::getID):
        * parser/SourceProvider.h:
        (JSC::SourceProvider::asID):
        (SourceProvider):

2013-02-26  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r144074.
        http://trac.webkit.org/changeset/144074
        https://bugs.webkit.org/show_bug.cgi?id=110897

        Causing 20+ crashes on Mac (Requested by bradee-oh on
        #webkit).

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        * runtime/PropertyMapHashTable.h:
        (PropertyTable):
        (JSC::PropertyTable::PropertyTable):
        (JSC):
        (JSC::PropertyTable::~PropertyTable):
        (JSC::PropertyTable::copy):
        * runtime/PropertyTable.cpp: Removed.
        * runtime/Structure.cpp:
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::changePrototypeTransition):
        (JSC::Structure::despecifyFunctionTransition):
        (JSC::Structure::attributeChangeTransition):
        (JSC::Structure::toDictionaryTransition):
        (JSC::Structure::preventExtensionsTransition):
        (JSC::Structure::nonPropertyTransition):
        (JSC::Structure::copyPropertyTable):
        (JSC::Structure::copyPropertyTableForPinning):
        (JSC::Structure::putSpecificValue):
        (JSC::Structure::createPropertyMap):
        (JSC::Structure::visitChildren):
        * runtime/Structure.h:
        (JSC):
        (JSC::Structure::putWillGrowOutOfLineStorage):
        (JSC::Structure::checkOffsetConsistency):
        (Structure):
        * runtime/StructureInlines.h:

2013-02-26  Roger Fong  <roger_fong@apple.com>

        Unreviewed. AppleWin VS2010 build fix.

        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorCommon.props:

2013-02-26  Jer Noble  <jer.noble@apple.com>

        Unreviewed build fix; use correct macro for platform name in FeatureDefines.xcconfig.

        * Configurations/FeatureDefines.xcconfig:

2013-02-26  Michael Saboff  <msaboff@apple.com>

        Potential crash in YARR JIT generated code when building 64 bit
        https://bugs.webkit.org/show_bug.cgi?id=110893

        Reviewed by Gavin Barraclough.

        The ABI doesn't define the behavior for the upper bits of a value that takes less than 64 bits.
        Therefore, we zero extend both the count and length registers to assure that these unsigned values
        don't have garbage upper bits.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generateEnter):

2013-02-26  Andreas Kling  <akling@apple.com>

        Unused Structure property tables waste 14MB on Membuster.
        <http://webkit.org/b/110854>
        <rdar://problem/13292104>

        Reviewed by Filip Pizlo.

        Turn PropertyTable into a GC object and have Structure drop unpinned tables when marking.
        14 MB progression on Membuster3.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:

            Added PropertyTable.cpp.

        * runtime/PropertyTable.cpp: Added.
        (JSC::PropertyTable::create):
        (JSC::PropertyTable::clone):
        (JSC::PropertyTable::PropertyTable):
        (JSC::PropertyTable::destroy):
        (JSC::PropertyTable::~PropertyTable):
        (JSC::PropertyTable::visitChildren):

            Moved marking of property table values here from Structure::visitChildren().

        * runtime/StructureInlines.h:
        (JSC::Structure::putWillGrowOutOfLineStorage):
        (JSC::Structure::checkOffsetConsistency):

            Moved these to StructureInlines.h to break header dependency cycle between Structure/PropertyTable.

        * runtime/Structure.cpp:
        (JSC::Structure::visitChildren):

            Null out m_propertyTable if the table is unpinned. This'll cause the table to get GC'd.

        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::changePrototypeTransition):
        (JSC::Structure::despecifyFunctionTransition):
        (JSC::Structure::attributeChangeTransition):
        (JSC::Structure::toDictionaryTransition):
        (JSC::Structure::preventExtensionsTransition):
        (JSC::Structure::nonPropertyTransition):
        (JSC::Structure::copyPropertyTable):
        (JSC::Structure::copyPropertyTableForPinning):
        (JSC::Structure::putSpecificValue):
        (JSC::Structure::createPropertyMap):
        * runtime/Structure.h:
        (Structure):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        * runtime/PropertyMapHashTable.h:
        (PropertyTable):
        (JSC::PropertyTable::createStructure):
        (JSC::PropertyTable::copy):

2013-02-26  Andreas Kling  <akling@apple.com>

        Unreviewed, rolling out r144054.
        http://trac.webkit.org/changeset/144054
        https://bugs.webkit.org/show_bug.cgi?id=110854

        broke builds

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        * runtime/PropertyMapHashTable.h:
        (PropertyTable):
        (JSC::PropertyTable::PropertyTable):
        (JSC):
        (JSC::PropertyTable::~PropertyTable):
        (JSC::PropertyTable::copy):
        * runtime/PropertyTable.cpp: Removed.
        * runtime/Structure.cpp:
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::changePrototypeTransition):
        (JSC::Structure::despecifyFunctionTransition):
        (JSC::Structure::attributeChangeTransition):
        (JSC::Structure::toDictionaryTransition):
        (JSC::Structure::preventExtensionsTransition):
        (JSC::Structure::nonPropertyTransition):
        (JSC::Structure::copyPropertyTable):
        (JSC::Structure::copyPropertyTableForPinning):
        (JSC::Structure::putSpecificValue):
        (JSC::Structure::createPropertyMap):
        (JSC::Structure::visitChildren):
        * runtime/Structure.h:
        (JSC):
        (JSC::Structure::putWillGrowOutOfLineStorage):
        (JSC::Structure::checkOffsetConsistency):
        (Structure):
        * runtime/StructureInlines.h:

2013-02-26  Andreas Kling  <akling@apple.com>

        Unused Structure property tables waste 14MB on Membuster.
        <http://webkit.org/b/110854>
        <rdar://problem/13292104>

        Reviewed by Filip Pizlo.

        Turn PropertyTable into a GC object and have Structure drop unpinned tables when marking.
        14 MB progression on Membuster3.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:

            Added PropertyTable.cpp.

        * runtime/PropertyTable.cpp: Added.
        (JSC::PropertyTable::create):
        (JSC::PropertyTable::clone):
        (JSC::PropertyTable::PropertyTable):
        (JSC::PropertyTable::destroy):
        (JSC::PropertyTable::~PropertyTable):
        (JSC::PropertyTable::visitChildren):

            Moved marking of property table values here from Structure::visitChildren().

        * runtime/StructureInlines.h:
        (JSC::Structure::putWillGrowOutOfLineStorage):
        (JSC::Structure::checkOffsetConsistency):

            Moved these to StructureInlines.h to break header dependency cycle between Structure/PropertyTable.

        * runtime/Structure.cpp:
        (JSC::Structure::visitChildren):

            Null out m_propertyTable if the table is unpinned. This'll cause the table to get GC'd.

        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::changePrototypeTransition):
        (JSC::Structure::despecifyFunctionTransition):
        (JSC::Structure::attributeChangeTransition):
        (JSC::Structure::toDictionaryTransition):
        (JSC::Structure::preventExtensionsTransition):
        (JSC::Structure::nonPropertyTransition):
        (JSC::Structure::copyPropertyTable):
        (JSC::Structure::copyPropertyTableForPinning):
        (JSC::Structure::putSpecificValue):
        (JSC::Structure::createPropertyMap):
        * runtime/Structure.h:
        (Structure):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        * runtime/PropertyMapHashTable.h:
        (PropertyTable):
        (JSC::PropertyTable::createStructure):
        (JSC::PropertyTable::copy):

2013-02-26  Jocelyn Turcotte  <jocelyn.turcotte@digia.com>

        Implement JIT on Windows 64 bits
        https://bugs.webkit.org/show_bug.cgi?id=107965

        Reviewed by Simon Hausmann.

        1. MSVC doesn't support inline assembly for 64 bits, implements the trampoline in a separate ASM file.

        2. Windows 64 bits has a different calling convention than other OSes following the AMD64 ABI.
        Differences that we have to handle here:
        - Registers passed parameters are RCX, RDX, R8 and R9 instead of RDI, RSI, RDX, RCX, R8 and R9
        - RDI and RSI must be preserved by callee
        - Only return values <= 8 bytes can be returned by register (RDX can't be used to return a second word)
        - There is no red-zone after RIP on the stack, but instead 4 reserved words before it

        * Target.pri:
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:
        (JSC):
        (JITStackFrame):
        (JSC::JITStackFrame::returnAddressSlot):
        * jit/JITStubsMSVC64.asm: Added.
        * jit/JSInterfaceJIT.h:
        (JSInterfaceJIT):
        * jit/ThunkGenerators.cpp:
        (JSC::nativeForGenerator):
        * yarr/YarrJIT.cpp:
        (YarrGenerator):
        (JSC::Yarr::YarrGenerator::generateEnter):
        (JSC::Yarr::YarrGenerator::generateReturn):

2013-02-26  Oliver Hunt  <oliver@apple.com>

        Kill another analyzer warning in javascriptcore
        https://bugs.webkit.org/show_bug.cgi?id=110802

        Reviewed by Benjamin Poulain.

        Add null checks.
        
        * profiler/LegacyProfiler.cpp:
        (JSC::LegacyProfiler::startProfiling):
        (JSC::LegacyProfiler::stopProfiling):

2013-02-26  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r144004.
        http://trac.webkit.org/changeset/144004
        https://bugs.webkit.org/show_bug.cgi?id=110858

        This iOS change is outdated (Requested by notbenjamin on
        #webkit).

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::emitNode):
        (JSC::BytecodeGenerator::emitNodeInConditionContext):
        (BytecodeGenerator):
        * parser/Parser.cpp:
        (JSC::::Parser):
        * parser/Parser.h:
        (JSC::Parser::canRecurse):
        (Parser):

2013-02-25  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(r143654): some jquery test asserts on 32 bit debug build
        https://bugs.webkit.org/show_bug.cgi?id=110756

        Reviewed by Geoffrey Garen.
        
        TypeOf does speculations manually, so it should mark its JSValueOperand as doing ManualOperandSpeculation.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-02-25  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] Upstream iOS Stack bound checking
        https://bugs.webkit.org/show_bug.cgi?id=110813

        Reviewed by Filip Pizlo.

        On iOS, the StackBounds cannot be cached because the stack
        can be in one of two threads (the web thread or the UI thread).

        We simply always consider the current stack bound when testing
        stack boundaries.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::emitNode):
        (JSC::BytecodeGenerator::emitNodeInConditionContext):
        (BytecodeGenerator):
        * parser/Parser.cpp:
        (JSC::::Parser):
        * parser/Parser.h:
        (JSC::Parser::canRecurse):
        (Parser):

2013-02-25  Michael Saboff  <msaboff@apple.com>

        For JSVALUE32_64, maxOffsetRelativeToPatchedStorage() doesn't compute the maximum negative offset
        https://bugs.webkit.org/show_bug.cgi?id=110828

        Reviewed by Oliver Hunt.

        * runtime/JSObject.h:
        (JSC::maxOffsetRelativeToPatchedStorage): Only add the OBJECT_OFFSETOF(tag) for positive offsets.
        That way this function will return the offset farthest from 0 needed to access either the payload
        or tag.

2013-02-25  Jeffrey Pfau  <jpfau@apple.com>

        Optionally partition cache to prevent using cache for tracking
        https://bugs.webkit.org/show_bug.cgi?id=110269

        Reviewed by Maciej Stachowiak.

        * Configurations/FeatureDefines.xcconfig: Add defines for cache partitioning and public suffix list usage

2013-02-25  Roger Fong  <roger_fong@apple.com>

        Unreviewed. VS2010 solution build fix.

        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorCommon.props:

2013-02-24  Filip Pizlo  <fpizlo@apple.com>

        DFG::Edge should have more bits for UseKind, and DFG::Allocator should be simpler
        https://bugs.webkit.org/show_bug.cgi?id=110722

        Reviewed by Oliver Hunt.
        
        This rolls out the DFG::Allocator part of http://trac.webkit.org/changeset/143654,
        and changes Edge to have more room for UseKinds and possibly other things.
        
        This is performance-neutral on both 32-bit and 64-bit. It reduces the size of
        DFG::Node on 64-bit (by virtue of getting rid of the 16-byte alignment of Node)
        and increases it slightly on 32-bit (by 4 bytes total - 16-byte alignment led to
        80 bytes, but the base size of Node plus the 12 bytes of new m_encodedWords in
        Edge gets 84 bytes). But, it will mean that we don't have to increase Node by
        another 16 bytes if we ever want to add more UseKinds or other things to Edge.

        * dfg/DFGAllocator.h:
        (DFG):
        (Allocator):
        (JSC::DFG::Allocator::Region::headerSize):
        (JSC::DFG::Allocator::Region::numberOfThingsPerRegion):
        (JSC::DFG::Allocator::Region::data):
        (JSC::DFG::Allocator::Region::isInThisRegion):
        (JSC::DFG::::Allocator):
        (JSC::DFG::::~Allocator):
        (JSC::DFG::::allocate):
        (JSC::DFG::::free):
        (JSC::DFG::::freeAll):
        (JSC::DFG::::reset):
        (JSC::DFG::::indexOf):
        (JSC::DFG::::allocatorOf):
        (JSC::DFG::::bumpAllocate):
        (JSC::DFG::::freeListAllocate):
        (JSC::DFG::::allocateSlow):
        (JSC::DFG::::freeRegionsStartingAt):
        (JSC::DFG::::startBumpingIn):
        * dfg/DFGEdge.h:
        (JSC::DFG::Edge::Edge):
        (Edge):
        (JSC::DFG::Edge::node):
        (JSC::DFG::Edge::setNode):
        (JSC::DFG::Edge::useKindUnchecked):
        (JSC::DFG::Edge::setUseKind):
        (JSC::DFG::Edge::operator==):
        (JSC::DFG::Edge::operator!=):
        (JSC::DFG::Edge::makeWord):
        * dfg/DFGNodeAllocator.h:
        (DFG):

2013-02-22  Filip Pizlo  <fpizlo@apple.com>

        The DFG special case checks for isCreatedThisArgument are fragile
        https://bugs.webkit.org/show_bug.cgi?id=110535

        Reviewed by Oliver Hunt.
        
        There may be many situations in which we want to force a variable to never be
        unboxed. Capturing is one such case, and the created this argument is another.
        Previously all code that dealt with this issue had to query both scenarios.
        
        Now DFG::VariableAccessData knows these things. You just have to ask
        VariableAccessData for whether a variable should be unboxed. Anyone wishing to
        force a variable to never be unboxed just tells VariableAccessData.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::initialize):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        (DFG):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (CFGSimplificationPhase):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.h:
        (Graph):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGUnificationPhase.cpp:
        (JSC::DFG::UnificationPhase::run):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::VariableAccessData):
        (JSC::DFG::VariableAccessData::mergeIsCaptured):
        (JSC::DFG::VariableAccessData::mergeShouldNeverUnbox):
        (VariableAccessData):
        (JSC::DFG::VariableAccessData::shouldNeverUnbox):
        (JSC::DFG::VariableAccessData::shouldUnboxIfPossible):
        (JSC::DFG::VariableAccessData::shouldUseDoubleFormat):
        (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat):

2013-02-25  Geoffrey Garen  <ggaren@apple.com>

        Do one lookup per code cache insertion instead of two
        https://bugs.webkit.org/show_bug.cgi?id=110674

        Reviewed by Sam Weinig.

        Deployed the idiomatic "add null value" trick to avoid a second hash
        lookup when inserting an item.

        * runtime/CodeCache.cpp:
        (JSC::CodeCacheMap::pruneSlowCase): Factored this into a helper function
        to improve clarity and get some code off the hot path.

        (JSC::CodeCache::getCodeBlock):
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode): Use the add() API
        to avoid two hash lookups. Be sure to remove items if parsing fails,
        otherwise we'll leave nulls in the table. (I'm guessing that caching parse
        errors is not a win.)

        * runtime/CodeCache.h:
        (JSC::SourceCodeValue::SourceCodeValue):
        (CodeCacheMap):
        (JSC::CodeCacheMap::add): Combined find() and set() into add().

        (JSC::CodeCacheMap::remove):
        (JSC::CodeCacheMap::age):
        (JSC::CodeCacheMap::prune): Refactored to support above changes.

2013-02-25  Carlos Garcia Campos  <cgarcia@igalia.com>

        [BlackBerry][ARM] Fix cast-align warnings in JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=110738

        Reviewed by Rob Buis.

        Use reinterpret_cast_ptr instead of reinterpret_cast for
        pointers.

        * dfg/DFGOperations.cpp:
        * heap/CopiedBlock.h:
        (JSC::CopiedBlock::zeroFillWilderness):
        * heap/WeakBlock.h:
        (JSC::WeakBlock::asWeakImpl):
        (JSC::WeakBlock::asFreeCell):
        (JSC::WeakBlock::weakImpls):
        * heap/WeakImpl.h:
        (JSC::WeakImpl::asWeakImpl):
        * interpreter/JSStack.cpp:
        (JSC::JSStack::disableErrorStackReserve):
        * interpreter/JSStack.h:
        (JSC::JSStack::reservationEnd):
        * runtime/ArrayStorage.h:
        (JSC::ArrayStorage::from):
        * runtime/Butterfly.h:
        (JSC::Butterfly::indexingPayload):
        * runtime/IndexingHeader.h:
        (JSC::IndexingHeader::propertyStorage):
        * runtime/JSActivation.h:
        (JSC::JSActivation::tearOff):
        (JSC::JSActivation::isTornOff):
        (JSC::JSActivation::storage):

2013-02-22  Filip Pizlo  <fpizlo@apple.com>

        DFG::SpeculativeJIT::speculateNumber() should just use SpeculateDoubleOperand instead of doing its own thing
        https://bugs.webkit.org/show_bug.cgi?id=110659

        Reviewed by Oliver Hunt and Mark Hahnenberg.
        
        This simplifies the code, and also has the effect that if speculateNumber() is called
        prior to someone actually using the number in a double context, then the number will
        already be up-converted to double and ready to go.

        Previously if this ever came up, the subsequent use would have to again branch to see
        if the value is tagged as int or tagged as double.

        On the other hand, if you ever did speculateNumber() and then used the value as a
        JSValue, this will be a slow down now.

        I suspect that the former (speculateNumber() and then use as number) is more likely
        than the latter (speculateNumber() and then use as JSValue).

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculateNumber):

2013-02-22  Filip Pizlo  <fpizlo@apple.com>

        DFG FixupPhase should have one common hook for knowing if a node is ever being speculated a certain way
        https://bugs.webkit.org/show_bug.cgi?id=110650

        Reviewed by Mark Hahnenberg.
        
        Changes almost all calls to edge.setUseKind(kind) to be
        setUseKindAndUnboxIfProfitable<kind>(edge). This will allow us to use the latter
        as a hook for deciding which locals to unbox (webkit.org/b/110433).

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (FixupPhase):
        (JSC::DFG::FixupPhase::setUseKindAndUnboxIfProfitable):
        (JSC::DFG::FixupPhase::fixIntEdge):
        (JSC::DFG::FixupPhase::fixDoubleEdge):
        (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):

2013-02-22  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(r143654): some fast/js test crashes on 32 bit build
        https://bugs.webkit.org/show_bug.cgi?id=110590

        Reviewed by Mark Hahnenberg.
        
        In compileValueToInt32, the refactoring in r143654 undid one of the fixes from
        r143314 due to a merge goof.
        
        In speculateNumber, we were simply forgetting to indicate that we need a
        ManualOperandSpeculation on a JSValueOperand. ManualOperandSpeculation should
        be passed whenever you will be performing the type checks yourself rather than
        using the operand class to do it for you.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        (JSC::DFG::SpeculativeJIT::speculateNumber):

2013-02-22  Geoffrey Garen  <ggaren@apple.com>

        Not reviewed.

        Fix the 32-bit build by using the right data type in more places.

        * runtime/CodeCache.h:
        (CodeCacheMap):

2013-02-22  Geoffrey Garen  <ggaren@apple.com>

        Not reviewed.

        Fix the 32-bit build by using the right data type.

        * runtime/CodeCache.h:
        (JSC::CodeCacheMap::find):

2013-02-21  Geoffrey Garen  <ggaren@apple.com>

        Code cache size should adapt to workload
        https://bugs.webkit.org/show_bug.cgi?id=110560

        Reviewed by Antti Koivisto.

        (*) 5% PLT arithmetic mean speedup
        (*) 10% PLT geometric mean speedup
        (*) 3.4X microbenchmark speedup
        (*) Reduces initial cache capacity by 16X

        * runtime/CodeCache.cpp:
        (JSC::CodeCache::CodeCache): Updated for interface change.

        * runtime/CodeCache.h:
        (JSC::SourceCodeValue::SourceCodeValue):
        (SourceCodeValue): Turned the cache value into a struct so it can track its age.

        (CodeCacheMap):
        (JSC::CodeCacheMap::CodeCacheMap):
        (JSC::CodeCacheMap::find):
        (JSC::CodeCacheMap::set):
        (JSC::CodeCacheMap::clear):
        (JSC::CodeCacheMap::pruneIfNeeded):
        (CodeCache): Grow and shrink in response to usage.

2013-02-21  Jessie Berlin  <jberlin@apple.com>

        Fix a typo that broke the 32 bit build.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-02-21  Michael Saboff  <msaboff@apple.com>

        25-30% regression in V8 RayTrace test in 32 bit builds with JIT disabled
        https://bugs.webkit.org/show_bug.cgi?id=110539

        Reviewed by Filip Pizlo.

        Change the scale used to lookup pointers in JSGlobalObject::m_specialPointers to be 4 bytes for
        the 32 bit version of the interpreter.

        * llint/LowLevelInterpreter32_64.asm:

2013-02-21  Roger Fong  <roger_fong@apple.com>

        Unreviewed. Add executable property to cmd file.
        Required for executable files to maintain their executable permissions over svn.

        * JavaScriptCore.vcxproj/copy-files.cmd: Added property svn:executable.

2013-02-21  Filip Pizlo  <fpizlo@apple.com>

        Object allocation profiling will refuse to create objects with more than JSFinalObject::maxInlineCapacity() inline slots, but JSFunction::allocationProfile() asserts that the number of inline slots is always what it asked for
        https://bugs.webkit.org/show_bug.cgi?id=110519
        <rdar://problem/13218566>

        Reviewed by Geoffrey Garen.
        
        * runtime/JSFunction.h:
        (JSC::JSFunction::allocationProfile):

2013-02-21  Roger Fong  <roger_fong@apple.com>

        Unreviewed. Build fix for VS2010 WebKit solution.

        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:

2013-02-20  Filip Pizlo  <fpizlo@apple.com>

        DFG should not change its mind about what type speculations a node does, by encoding the checks in the NodeType, UseKind, and ArrayMode
        https://bugs.webkit.org/show_bug.cgi?id=109371

        Reviewed by Oliver Hunt.
        
        FixupPhase now locks in the speculations that each node will do. The DFG then
        remembers those speculations, and doesn't change its mind about them even if the
        graph is transformed - for example if a node's child is repointed to a different
        node as part of CSE, CFG simplification, or folding. Each node ensures that it
        executes the speculations promised by its edges. This is true even for Phantom
        nodes.
        
        This still leaves some craziness on the table for future work, like the
        elimination of speculating SetLocal's due to CFG simplification
        (webkit.org/b/109388) and elimination of nodes via DCE (webkit.org/b/109389).
        
        In all, this allows for a huge simplification of the DFG. Instead of having to
        execute the right speculation heuristic each time you want to decide what a node
        does (for example Node::shouldSpeculateInteger(child1, child2) &&
        node->canSpeculateInteger()), you just ask for the use kinds of its children
        (typically node->binaryUseKind() == Int32Use). Because the use kinds are
        discrete, you can often just switch over them. This makes many parts of the code
        more clear than they were before.
        
        Having UseKinds describe the speculations being performed also makes it far
        easier to perform analyses that need to know what speculations are done. This is
        so far only used to simplify large parts of the CFA.
        
        To have a larger vocabulary of UseKinds, this also changes the node allocator to
        be able to round up Node sizes to the nearest multiple of 16.
        
        This appears to be neutral on benchmarks, except for some goofy speed-ups, like
        8% on Octane/box2d.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::startExecuting):
        (DFG):
        (JSC::DFG::AbstractState::executeEdges):
        (JSC::DFG::AbstractState::verifyEdge):
        (JSC::DFG::AbstractState::verifyEdges):
        (JSC::DFG::AbstractState::executeEffects):
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGAbstractState.h:
        (AbstractState):
        (JSC::DFG::AbstractState::filterEdgeByUse):
        (JSC::DFG::AbstractState::filterByType):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::filter):
        * dfg/DFGAdjacencyList.h:
        (JSC::DFG::AdjacencyList::AdjacencyList):
        (JSC::DFG::AdjacencyList::child):
        (JSC::DFG::AdjacencyList::setChild):
        (JSC::DFG::AdjacencyList::reset):
        (JSC::DFG::AdjacencyList::firstChild):
        (JSC::DFG::AdjacencyList::setFirstChild):
        (JSC::DFG::AdjacencyList::numChildren):
        (JSC::DFG::AdjacencyList::setNumChildren):
        (AdjacencyList):
        * dfg/DFGAllocator.h:
        (DFG):
        (Allocator):
        (JSC::DFG::Allocator::cellSize):
        (JSC::DFG::Allocator::Region::headerSize):
        (JSC::DFG::Allocator::Region::numberOfThingsPerRegion):
        (JSC::DFG::Allocator::Region::payloadSize):
        (JSC::DFG::Allocator::Region::payloadBegin):
        (JSC::DFG::Allocator::Region::payloadEnd):
        (JSC::DFG::Allocator::Region::isInThisRegion):
        (JSC::DFG::::Allocator):
        (JSC::DFG::::~Allocator):
        (JSC::DFG::::allocate):
        (JSC::DFG::::free):
        (JSC::DFG::::freeAll):
        (JSC::DFG::::reset):
        (JSC::DFG::::indexOf):
        (JSC::DFG::::allocatorOf):
        (JSC::DFG::::bumpAllocate):
        (JSC::DFG::::freeListAllocate):
        (JSC::DFG::::allocateSlow):
        (JSC::DFG::::freeRegionsStartingAt):
        (JSC::DFG::::startBumpingIn):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addToGraph):
        (JSC::DFG::ByteCodeParser::handleMinMax):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::setLocalStoreElimination):
        (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren):
        (JSC::DFG::CSEPhase::setReplacement):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGCommon.h:
        (DFG):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGEdge.cpp:
        (JSC::DFG::Edge::dump):
        * dfg/DFGEdge.h:
        (JSC::DFG::Edge::useKindUnchecked):
        (JSC::DFG::Edge::useKind):
        (JSC::DFG::Edge::shift):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::run):
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::checkArray):
        (JSC::DFG::FixupPhase::blessArrayOperation):
        (JSC::DFG::FixupPhase::fixIntEdge):
        (JSC::DFG::FixupPhase::fixDoubleEdge):
        (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
        (FixupPhase):
        (JSC::DFG::FixupPhase::truncateConstantToInt32):
        (JSC::DFG::FixupPhase::truncateConstantsIfNecessary):
        (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
        * dfg/DFGGraph.cpp:
        (DFG):
        (JSC::DFG::Graph::refChildren):
        (JSC::DFG::Graph::derefChildren):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::ref):
        (JSC::DFG::Graph::deref):
        (JSC::DFG::Graph::performSubstitution):
        (JSC::DFG::Graph::isPredictedNumerical):
        (JSC::DFG::Graph::addImmediateShouldSpeculateInteger):
        (DFG):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::Node):
        (JSC::DFG::Node::convertToGetByOffset):
        (JSC::DFG::Node::convertToPutByOffset):
        (JSC::DFG::Node::willHaveCodeGenOrOSR):
        (JSC::DFG::Node::child1):
        (JSC::DFG::Node::child2):
        (JSC::DFG::Node::child3):
        (JSC::DFG::Node::binaryUseKind):
        (Node):
        (JSC::DFG::Node::isBinaryUseKind):
        * dfg/DFGNodeAllocator.h:
        (DFG):
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::nodeFlagsAsString):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculationCheck):
        (DFG):
        (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
        (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck):
        (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
        (JSC::DFG::SpeculativeJIT::typeCheck):
        (JSC::DFG::SpeculativeJIT::forwardTypeCheck):
        (JSC::DFG::SpeculativeJIT::fillStorage):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileInstanceOf):
        (JSC::DFG::SpeculativeJIT::compileAdd):
        (JSC::DFG::SpeculativeJIT::compileArithSub):
        (JSC::DFG::SpeculativeJIT::compileArithNegate):
        (JSC::DFG::SpeculativeJIT::compileArithMul):
        (JSC::DFG::SpeculativeJIT::compileArithMod):
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        (JSC::DFG::SpeculativeJIT::speculateInt32):
        (JSC::DFG::SpeculativeJIT::speculateNumber):
        (JSC::DFG::SpeculativeJIT::speculateRealNumber):
        (JSC::DFG::SpeculativeJIT::speculateBoolean):
        (JSC::DFG::SpeculativeJIT::speculateCell):
        (JSC::DFG::SpeculativeJIT::speculateObject):
        (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
        (JSC::DFG::SpeculativeJIT::speculateString):
        (JSC::DFG::SpeculativeJIT::speculateNotCell):
        (JSC::DFG::SpeculativeJIT::speculateOther):
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::valueOfNumberConstant):
        (JSC::DFG::SpeculativeJIT::needsTypeCheck):
        (JSC::DFG::IntegerOperand::IntegerOperand):
        (JSC::DFG::IntegerOperand::edge):
        (IntegerOperand):
        (JSC::DFG::IntegerOperand::node):
        (JSC::DFG::IntegerOperand::gpr):
        (JSC::DFG::IntegerOperand::use):
        (JSC::DFG::JSValueOperand::JSValueOperand):
        (JSValueOperand):
        (JSC::DFG::JSValueOperand::edge):
        (JSC::DFG::JSValueOperand::node):
        (JSC::DFG::JSValueOperand::gpr):
        (JSC::DFG::JSValueOperand::fill):
        (JSC::DFG::JSValueOperand::use):
        (JSC::DFG::StorageOperand::StorageOperand):
        (JSC::DFG::StorageOperand::edge):
        (StorageOperand):
        (JSC::DFG::StorageOperand::node):
        (JSC::DFG::StorageOperand::gpr):
        (JSC::DFG::StorageOperand::use):
        (JSC::DFG::SpeculateIntegerOperand::SpeculateIntegerOperand):
        (SpeculateIntegerOperand):
        (JSC::DFG::SpeculateIntegerOperand::edge):
        (JSC::DFG::SpeculateIntegerOperand::node):
        (JSC::DFG::SpeculateIntegerOperand::gpr):
        (JSC::DFG::SpeculateIntegerOperand::use):
        (JSC::DFG::SpeculateStrictInt32Operand::SpeculateStrictInt32Operand):
        (SpeculateStrictInt32Operand):
        (JSC::DFG::SpeculateStrictInt32Operand::edge):
        (JSC::DFG::SpeculateStrictInt32Operand::node):
        (JSC::DFG::SpeculateStrictInt32Operand::gpr):
        (JSC::DFG::SpeculateStrictInt32Operand::use):
        (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
        (SpeculateDoubleOperand):
        (JSC::DFG::SpeculateDoubleOperand::edge):
        (JSC::DFG::SpeculateDoubleOperand::node):
        (JSC::DFG::SpeculateDoubleOperand::fpr):
        (JSC::DFG::SpeculateDoubleOperand::use):
        (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand):
        (SpeculateCellOperand):
        (JSC::DFG::SpeculateCellOperand::edge):
        (JSC::DFG::SpeculateCellOperand::node):
        (JSC::DFG::SpeculateCellOperand::gpr):
        (JSC::DFG::SpeculateCellOperand::use):
        (JSC::DFG::SpeculateBooleanOperand::SpeculateBooleanOperand):
        (JSC::DFG::SpeculateBooleanOperand::edge):
        (SpeculateBooleanOperand):
        (JSC::DFG::SpeculateBooleanOperand::node):
        (JSC::DFG::SpeculateBooleanOperand::gpr):
        (JSC::DFG::SpeculateBooleanOperand::use):
        (DFG):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillInteger):
        (JSC::DFG::SpeculativeJIT::fillJSValue):
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt):
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillInteger):
        (JSC::DFG::SpeculativeJIT::fillJSValue):
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt):
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStructureCheckHoistingPhase.cpp:
        (JSC::DFG::StructureCheckHoistingPhase::run):
        * dfg/DFGUseKind.cpp: Added.
        (WTF):
        (WTF::printInternal):
        * dfg/DFGUseKind.h: Added.
        (DFG):
        (JSC::DFG::typeFilterFor):
        (JSC::DFG::isNumerical):
        (WTF):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::reportValidationContext):

2013-02-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: Need a way to use the Objective-C JavaScript API with WebKit
        https://bugs.webkit.org/show_bug.cgi?id=106059

        Reviewed by Geoffrey Garen.
        
        * API/JSBase.h: Renamed enable flag for API.
        * API/JSBlockAdaptor.h: Using new flag.
        * API/JSBlockAdaptor.mm: Ditto.
        * API/JSContext.h: Add convenience C API conversion function for JSGlobalContextRef.
        * API/JSContext.mm: 
        (-[JSContext JSGlobalContextRef]): Implementation of C API convenience function.
        (-[JSContext initWithVirtualMachine:]): We don't use the m_apiData field any more.
        (-[JSContext initWithGlobalContextRef:]): init method for allocating new JSContexts given a JSGlobalContextRef.
        (-[JSContext dealloc]): No more m_apiData.
        (-[JSContext wrapperForObjCObject:]): Renamed wrapperForObject. 
        (-[JSContext wrapperForJSObject:]): Fetches or allocates the JSValue for the specified JSValueRef in this JSContext.
        (+[JSContext contextWithGlobalContextRef:]): Helper function to grab the lightweight JSContext wrapper for a given
        JSGlobalContextRef from the global wrapper cache or allocate a new one if there isn't already one.
        * API/JSContextInternal.h: New flag, new method declaration for initWithGlobalContextRef.
        * API/JSExport.h: New flag.
        * API/JSValue.h: New flag and new C API convenience method.
        * API/JSValue.mm:
        (-[JSValue JSValueRef]): Implementation of the C API convenience method.
        (objectToValueWithoutCopy):
        (+[JSValue valueWithValue:inContext:]): We now ask the JSContext for an Objective-C JSValue wrapper, which it can cache
        in its internal JSWrapperMap.
        * API/JSValueInternal.h:
        * API/JSVirtualMachine.h:
        * API/JSVirtualMachine.mm: Added global cache that maps JSContextGroupRef -> JSVirtualMachine lightweight wrappers.
        (wrapperCacheLock):
        (initWrapperCache):
        (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]):
        (+[JSVMWrapperCache wrapperForJSContextGroupRef:]):
        (-[JSVirtualMachine init]):
        (-[JSVirtualMachine initWithContextGroupRef:]):
        (-[JSVirtualMachine dealloc]):
        (+[JSVirtualMachine virtualMachineWithContextGroupRef:]):
        (-[JSVirtualMachine contextForGlobalContextRef:]):
        (-[JSVirtualMachine addContext:forGlobalContextRef:]):
        * API/JSVirtualMachineInternal.h:
        * API/JSWrapperMap.h:
        * API/JSWrapperMap.mm:
        (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]): We use the JSObjectSetPrototype C API call because 
        setting the __proto__ property causes all sorts of bad things to happen behind the scenes, which can cause crashes based on 
        when it gets called.
        (-[JSWrapperMap initWithContext:]):
        (-[JSWrapperMap jsWrapperForObject:]):
        (-[JSWrapperMap objcWrapperForJSValueRef:]):
        * API/JavaScriptCore.h:
        * API/ObjCCallbackFunction.h:
        * API/ObjCCallbackFunction.mm:
        (ObjCCallbackFunction::ObjCCallbackFunction): We never actually should have retained the target in the case that we had a 
        block as a callback. Blocks are initially allocated on the stack and are only moved to the heap if we call their copy method.
        Retaining the block on the stack was a bad idea because if that stack frame ever went away and we called the block later, 
        we'd crash and burn.
        (ObjCCallbackFunction::setContext): We need a new setter for when the weak reference to a JSContext inside an ObjCCallbackFunction
        disappears, we can allocate a new one in its place.
        (ObjCCallbackFunction):
        (objCCallbackFunctionCallAsFunction): Reset the callback's context if it's ever destroyed.
        (objCCallbackFunctionForInvocation): Again, don't set the __proto__ property because it uses black magic that can cause us to crash
        depending on when this is called.
        (objCCallbackFunctionForBlock): Here is where we copy the block to the heap when we're first creating the callback object for it.
        * API/tests/testapi.c:
        (main):
        * API/tests/testapi.mm: We're going to get rid of the automatic block conversion, since that is causing leaks. I changed it 
        here in this test just so that it wouldn't mask any other potential leaks. Also modified some of the tests since JSContexts are 
        just lightweight wrappers now, we're not guaranteed to get the same pointer back from the call to [JSValue context] as the one 
        that the value was created in.
        (-[TestObject callback:]):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData): No more m_apiData.
        * runtime/JSGlobalData.h: Ditto.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject): Ditto.
        * runtime/JSGlobalObject.h:

2013-02-19  Filip Pizlo  <fpizlo@apple.com>

        DFG::SpeculativeJIT::compileInt32ToDouble() has an unnecessary case for constant operands
        https://bugs.webkit.org/show_bug.cgi?id=110309

        Reviewed by Sam Weinig.
        
        It used to be necessary, back when we didn't have constant folding. Now we have
        constant folding. So we don't need it.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):

2013-02-20  Filip Pizlo  <fpizlo@apple.com>

        DFG inlines Resolves that it doesn't know how to handle correctly
        https://bugs.webkit.org/show_bug.cgi?id=110405

        Reviewed by Geoffrey Garen.
        
        Don't try to be clever: if there's a failing resolve, we can't inline it, period.

        * dfg/DFGCapabilities.h:
        (JSC::DFG::canInlineResolveOperations):
        (JSC::DFG::canInlineOpcode):

2013-02-20  Roger Fong  <roger_fong@apple.com>

        Get VS2010 Solution B&I ready.
        <rdar://problem/1322988>

        Rubberstamped by Timothy Horton.        
        
        Add Production configuration. 
        Add a JavaScriptCore submit solution with a DebugSuffix configuration. 
        Modify JavaScriptCore.make as necessary.
        
        * JavaScriptCore.vcxproj/JavaScriptCore.make: Added.
        * JavaScriptCore.vcxproj/JavaScriptCore.sln: Removed.
        * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.sln.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorCommon.props:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorPostBuild.cmd:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorPreBuild.cmd:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorProduction.props: Added.
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorRelease.props:
        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj.filters:
        * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedProduction.props: Added.
        * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedRelease.props:
        * JavaScriptCore.vcxproj/JavaScriptCoreProduction.props: Added.
        * JavaScriptCore.vcxproj/JavaScriptCoreRelease.props:
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
        * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
        * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
        * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorDebug.props:
        * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorProduction.props: Added.
        * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorRelease.props:
        * JavaScriptCore.vcxproj/jsc/jsc.vcxproj:
        * JavaScriptCore.vcxproj/jsc/jscCommon.props:
        * JavaScriptCore.vcxproj/jsc/jscProduction.props: Added.
        * JavaScriptCore.vcxproj/jsc/jscRelease.props:
        * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj:
        * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
        * JavaScriptCore.vcxproj/testRegExp/testRegExpProduction.props: Added.
        * JavaScriptCore.vcxproj/testRegExp/testRegExpRelease.props:
        * JavaScriptCore.vcxproj/testapi/testapi.vcxproj:
        * JavaScriptCore.vcxproj/testapi/testapiCommon.props:
        * JavaScriptCore.vcxproj/testapi/testapiProduction.props: Added.
        * JavaScriptCore.vcxproj/testapi/testapiRelease.props:

2013-02-19  Jer Noble  <jer.noble@apple.com>

        EME: Enable both ENCRYPTED_MEDIA and ENCRYPTED_MEDIA_V2 until clients transition to the new API.
        https://bugs.webkit.org/show_bug.cgi?id=110284

        Reviewed by Eric Carlson.

        Re-enable the ENCRYPTED_MEDIA flag.

        * Configurations/FeatureDefines.xcconfig:

2013-02-20  Dirk Schulze  <krit@webkit.org>

        Enable CANVAS_PATH flag
        https://bugs.webkit.org/show_bug.cgi?id=108508

        Reviewed by Simon Fraser.

        Enable CANVAS_PATH flag on trunk.

        Existing tests cover the feature.

        * Configurations/FeatureDefines.xcconfig:

2013-02-19  Mark Rowe  <mrowe@apple.com>

        Unreviewed, uninteresting change to test a theory about bad dependency handling.

        * API/JSStringRefCF.cpp:
        (JSStringCreateWithCFString): Remove an unnecessary else clause.

2013-02-19  Oliver Hunt  <oliver@apple.com>

        Silence some analyzer warnings
        https://bugs.webkit.org/show_bug.cgi?id=110281

        Reviewed by Mark Hahnenberg.

        The static analyzer believes that callerCodeBlock can be null,
        based on other code performing null tests.  This should not
        ever be the case, but we'll add RELEASE_ASSERTs to make it
        obvious if we're ever wrong.

        * interpreter/Interpreter.cpp:
        (JSC::getCallerInfo):

2013-02-19  Oliver Hunt  <oliver@apple.com>

        Don't force everything to be blinded in debug builds
        https://bugs.webkit.org/show_bug.cgi?id=110279

        Reviewed by Mark Hahnenberg.

        Switch to an explicit flag for indicating that we want
        every constant to be blinded.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::shouldBlind):

2013-02-19  Filip Pizlo  <fpizlo@apple.com>

        Fix indentation of Opcode.h

        Rubber stamped by Mark Hahnenberg.

        * bytecode/Opcode.h:

2013-02-19  Filip Pizlo  <fpizlo@apple.com>

        Moved PolymorphicAccessStructureList into its own file.

        Rubber stamped by Mark Hahnenberg.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/Instruction.h:
        (JSC):
        * bytecode/PolymorphicAccessStructureList.h: Added.
        (JSC):
        (PolymorphicAccessStructureList):
        (PolymorphicStubInfo):
        (JSC::PolymorphicAccessStructureList::PolymorphicStubInfo::PolymorphicStubInfo):
        (JSC::PolymorphicAccessStructureList::PolymorphicStubInfo::set):
        (JSC::PolymorphicAccessStructureList::PolymorphicAccessStructureList):
        (JSC::PolymorphicAccessStructureList::visitWeak):
        * bytecode/StructureStubInfo.h:

2013-02-19  Filip Pizlo  <fpizlo@apple.com>

        Fix indentation of Instruction.h

        Rubber stamped by Mark Hahnenberg.

        * bytecode/Instruction.h:

2013-02-18  Geoffrey Garen  <ggaren@apple.com>

        Unreviewed, rolling in r143348.
        http://trac.webkit.org/changeset/143348
        https://bugs.webkit.org/show_bug.cgi?id=110242

        The bug was that isEmptyValue() was returning true for the deleted value.
        Fixed this and simplified things further by delegating to m_sourceCode
        for both isNull() and isHashTableDeletedValue(), so they can't be out of
        sync.

        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
        * runtime/CodeCache.h:
        (JSC::SourceCodeKey::SourceCodeKey):
        (JSC::SourceCodeKey::isHashTableDeletedValue):
        (JSC::SourceCodeKey::hash):
        (JSC::SourceCodeKey::length):
        (JSC::SourceCodeKey::isNull):
        (JSC::SourceCodeKey::operator==):
        (SourceCodeKey):

2013-02-15  Martin Robinson  <mrobinson@igalia.com>

        [GTK] Improve gyp build JavaScriptCore code generation
        https://bugs.webkit.org/show_bug.cgi?id=109969

        Reviewed by Dirk Pranke.

        Switch away from using DerivedSources.make when building JavaScriptCore generated
        sources. This bring a couple advantages, such as building the sources in parallel,
        but requires us to list the generated sources more than once.

        * JavaScriptCore.gyp/JavaScriptCoreGTK.gyp: Add rules for generating JavaScriptCore sources.
        * JavaScriptCore.gyp/generate-derived-sources.sh: Added.
        * JavaScriptCore.gyp/redirect-stdout.sh: Added.

2013-02-19  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r143348.
        http://trac.webkit.org/changeset/143348
        https://bugs.webkit.org/show_bug.cgi?id=110242

        "Caused a deleted value sentinel crash on the layout tests"
        (Requested by ggaren on #webkit).

        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
        * runtime/CodeCache.h:
        (JSC::SourceCodeKey::SourceCodeKey):
        (JSC::SourceCodeKey::isHashTableDeletedValue):
        (JSC::SourceCodeKey::hash):
        (JSC::SourceCodeKey::length):
        (JSC::SourceCodeKey::isNull):
        (JSC::SourceCodeKey::operator==):
        (SourceCodeKey):

2013-02-19  Mark Hahnenberg  <mhahnenberg@apple.com>

        HeapBlock::destroy should issue warning if result is unused
        https://bugs.webkit.org/show_bug.cgi?id=110233

        Reviewed by Oliver Hunt.

        To enforce the fact that we need to return blocks to the BlockAllocator after calling destroy, 
        we should add WARN_UNUSED_RETURN to HeapBlock::destroy and any other destroy functions in its subclasses.

        * heap/HeapBlock.h:

2013-02-19  Mark Hahnenberg  <mhahnenberg@apple.com>

        WeakSet::removeAllocator leaks WeakBlocks
        https://bugs.webkit.org/show_bug.cgi?id=110228

        Reviewed by Geoffrey Garen.

        We need to return the WeakBlock to the BlockAllocator after the call to WeakBlock::destroy.

        * heap/WeakSet.cpp:
        (JSC::WeakSet::removeAllocator):

2013-02-18  Geoffrey Garen  <ggaren@apple.com>

        Save space on keys in the CodeCache
        https://bugs.webkit.org/show_bug.cgi?id=110179

        Reviewed by Oliver Hunt.

        Share the SourceProvider's string instead of making our own copy. This
        chops off 16MB - 32MB from the CodeCache's memory footprint when full.
        (It's 16MB when the strings are LChar, and 32MB when they're UChar.)

        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
        * runtime/CodeCache.h: Removed a defunct enum value.

        (JSC::SourceCodeKey::SourceCodeKey):
        (JSC::SourceCodeKey::isHashTableDeletedValue):
        (SourceCodeKey):
        (JSC::SourceCodeKey::hash):
        (JSC::SourceCodeKey::length):
        (JSC::SourceCodeKey::isNull):
        (JSC::SourceCodeKey::string):
        (JSC::SourceCodeKey::operator==): Store a SourceCode instead of a String
        so we can share our string with our SourceProvider. Cache our hash so
        we don't have to re-decode our string just to re-hash the table.

2013-02-19  Zoltan Herczeg  <zherczeg@webkit.org>

        revertBranchPtrWithPatch is incorrect on ARM traditional
        https://bugs.webkit.org/show_bug.cgi?id=110201

        Reviewed by Oliver Hunt.

        Revert two instructions back to their original value.

        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::revertBranchPtrWithPatch):
        (ARMAssembler):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::branchPtrWithPatch):
        (JSC::MacroAssemblerARM::revertJumpReplacementToBranchPtrWithPatch):

2013-02-19  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(r143241): It made 27 layout tests crash on 32 bit platforms
        https://bugs.webkit.org/show_bug.cgi?id=110184

        Reviewed by Zoltan Herczeg.
        
        32-bit backend was making all sorts of crazy assumptions, which happened to mostly
        not break things prior to http://trac.webkit.org/changeset/143241. This brings the
        32-bit backend's type speculation fully into compliance with what the 64-bit
        backend does.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):

2013-02-18  Ilya Tikhonovsky  <loislo@chromium.org>

        Unreviewed build fix for Apple Windows. Second stage.
        Add missed export statement.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:

2013-02-18  Roger Fong  <roger_fong@apple.com>

        Unreviewed Windows build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:

2013-02-18  Darin Adler  <darin@apple.com>

        Remove unneeded explicit function template arguments.
        https://bugs.webkit.org/show_bug.cgi?id=110043

        Reviewed by Ryosuke Niwa.

        * runtime/Identifier.cpp:
        (JSC::IdentifierASCIIStringTranslator::hash): Let the compiler deduce the type
        when calling computeHashAndMaskTop8Bits.
        (JSC::IdentifierLCharFromUCharTranslator::hash): Ditto.
        * runtime/Identifier.h:
        (JSC::IdentifierCharBufferTranslator::hash): Ditto.
2013-02-18  Geoffrey Garen  <ggaren@apple.com>

        Shrank the SourceProvider cache
        https://bugs.webkit.org/show_bug.cgi?id=110158

        Reviewed by Oliver Hunt.

        CodeCache is now our primary source cache, so a long-lived SourceProvider
        cache is a waste. I measured this as a 10MB Membuster win; with more
        precise instrumentation, Andreas estimated it as up to 30MB.

        I didn't eliminate the SourceProvider cache because it's still useful
        in speeding up uncached parsing of scripts with large nested functions
        (i.e., all scripts).

        * heap/Heap.cpp:
        (JSC::Heap::collect): Discard all source provider caches after GC. This
        is a convenient place to do so because it's reasonably soon after initial
        parsing without being immediate.

        * parser/Parser.cpp:
        (JSC::::Parser): Updated for interface change: The heap now owns the
        source provider cache, since most SourceProviders are not expected to
        have one by default, and the heap is responsible for throwing them away.

        (JSC::::parseInner): No need to update statistics on cache size, since
        we're going to throw it away no matter what.

        (JSC::::parseFunctionInfo): Reduced the minimum function size to 16. This
        is a 27% win on a new parsing micro-benchmark I've added. Now that the
        cache is temporary, we don't have to worry so much about its memory
        footprint.

        * parser/Parser.h:
        (Parser): Updated for interface changes.

        * parser/SourceProvider.cpp:
        (JSC::SourceProvider::SourceProvider):
        (JSC::SourceProvider::~SourceProvider):
        * parser/SourceProvider.h:
        (JSC):
        (SourceProvider): SourceProvider doesn't own its cache anymore because
        the cache is temporary.

        * parser/SourceProviderCache.cpp:
        (JSC::SourceProviderCache::clear):
        (JSC::SourceProviderCache::add):
        * parser/SourceProviderCache.h:
        (JSC::SourceProviderCache::SourceProviderCache):
        (SourceProviderCache):
        * parser/SourceProviderCacheItem.h:
        (SourceProviderCacheItem): No need to update statistics on cache size,
        since we're going to throw it away no matter what.

        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::addSourceProviderCache):
        (JSC):
        (JSC::JSGlobalData::clearSourceProviderCaches):
        * runtime/JSGlobalData.h:
        (JSC):
        (JSGlobalData): Moved the cache here so it's easier to throw away.

2013-02-18  Filip Pizlo  <fpizlo@apple.com>

        DFG backend Branch handling has duplicate code and dead code
        https://bugs.webkit.org/show_bug.cgi?id=110162

        Reviewed by Mark Hahnenberg.
        
        Streamline the code, and make the 64 backend's optimizations make more sense
        (i.e. not be dead code).

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):

2013-02-18  Brent Fulgham  <bfulgham@webkit.org>

        [Windows] Unreviewed VS2010 build correction after r143273.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing source
        file SourceProvider.cpp.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in: Add missing exports.

2013-02-18  Filip Pizlo  <fpizlo@apple.com>

        Structure::flattenDictionaryStructure should compute max offset in a manner that soundly handles the case where the property list becomes empty
        https://bugs.webkit.org/show_bug.cgi?id=110155
        <rdar://problem/13233773>

        Reviewed by Mark Rowe.
        
        This was a rookie mistake.  It was doing:
        
        for (blah) {
            m_offset = foo // foo's monotonically increase in the loop
        }
        
        as a way of computing max offset for all of the properties.  Except what if the loop doesn't
        execute because there are no properties?  Well, then, you're going to have a bogus m_offset.
        
        The solution is to initialize m_offset at the top of the loop.

        * runtime/Structure.cpp:
        (JSC::Structure::flattenDictionaryStructure):

2013-02-18  Balazs Kilvady  <kilvadyb@homejinni.com>

        MIPS DFG implementation.
        https://bugs.webkit.org/show_bug.cgi?id=101328

        Reviewed by Oliver Hunt.

        DFG implementation for MIPS.

        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::MIPSAssembler):
        (JSC::MIPSAssembler::sllv):
        (JSC::MIPSAssembler::movd):
        (MIPSAssembler):
        (JSC::MIPSAssembler::negd):
        (JSC::MIPSAssembler::labelForWatchpoint):
        (JSC::MIPSAssembler::label):
        (JSC::MIPSAssembler::vmov):
        (JSC::MIPSAssembler::linkDirectJump):
        (JSC::MIPSAssembler::maxJumpReplacementSize):
        (JSC::MIPSAssembler::revertJumpToMove):
        (JSC::MIPSAssembler::replaceWithJump):
        * assembler/MacroAssembler.h:
        (MacroAssembler):
        (JSC::MacroAssembler::poke):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::add32):
        (MacroAssemblerMIPS):
        (JSC::MacroAssemblerMIPS::and32):
        (JSC::MacroAssemblerMIPS::lshift32):
        (JSC::MacroAssemblerMIPS::mul32):
        (JSC::MacroAssemblerMIPS::or32):
        (JSC::MacroAssemblerMIPS::rshift32):
        (JSC::MacroAssemblerMIPS::urshift32):
        (JSC::MacroAssemblerMIPS::sub32):
        (JSC::MacroAssemblerMIPS::xor32):
        (JSC::MacroAssemblerMIPS::store32):
        (JSC::MacroAssemblerMIPS::jump):
        (JSC::MacroAssemblerMIPS::branchAdd32):
        (JSC::MacroAssemblerMIPS::branchMul32):
        (JSC::MacroAssemblerMIPS::branchSub32):
        (JSC::MacroAssemblerMIPS::branchNeg32):
        (JSC::MacroAssemblerMIPS::call):
        (JSC::MacroAssemblerMIPS::loadDouble):
        (JSC::MacroAssemblerMIPS::moveDouble):
        (JSC::MacroAssemblerMIPS::swapDouble):
        (JSC::MacroAssemblerMIPS::subDouble):
        (JSC::MacroAssemblerMIPS::mulDouble):
        (JSC::MacroAssemblerMIPS::divDouble):
        (JSC::MacroAssemblerMIPS::negateDouble):
        (JSC::MacroAssemblerMIPS::branchEqual):
        (JSC::MacroAssemblerMIPS::branchNotEqual):
        (JSC::MacroAssemblerMIPS::branchTruncateDoubleToInt32):
        (JSC::MacroAssemblerMIPS::branchTruncateDoubleToUint32):
        (JSC::MacroAssemblerMIPS::truncateDoubleToInt32):
        (JSC::MacroAssemblerMIPS::truncateDoubleToUint32):
        (JSC::MacroAssemblerMIPS::branchDoubleNonZero):
        (JSC::MacroAssemblerMIPS::branchDoubleZeroOrNaN):
        (JSC::MacroAssemblerMIPS::invert):
        (JSC::MacroAssemblerMIPS::replaceWithJump):
        (JSC::MacroAssemblerMIPS::maxJumpReplacementSize):
        * dfg/DFGAssemblyHelpers.h:
        (AssemblyHelpers):
        (JSC::DFG::AssemblyHelpers::preserveReturnAddressAfterCall):
        (JSC::DFG::AssemblyHelpers::restoreReturnAddressBeforeReturn):
        (JSC::DFG::AssemblyHelpers::debugCall):
        * dfg/DFGCCallHelpers.h:
        (CCallHelpers):
        (JSC::DFG::CCallHelpers::setupArguments):
        (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
        * dfg/DFGFPRInfo.h:
        (DFG):
        (FPRInfo):
        (JSC::DFG::FPRInfo::toRegister):
        (JSC::DFG::FPRInfo::toIndex):
        (JSC::DFG::FPRInfo::debugName):
        * dfg/DFGGPRInfo.h:
        (DFG):
        (GPRInfo):
        (JSC::DFG::GPRInfo::toRegister):
        (JSC::DFG::GPRInfo::toIndex):
        (JSC::DFG::GPRInfo::debugName):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        * jit/JSInterfaceJIT.h:
        (JSInterfaceJIT):
        * runtime/JSGlobalData.h:
        (JSC::ScratchBuffer::allocationSize):
        (ScratchBuffer):

2013-02-18  Filip Pizlo  <fpizlo@apple.com>

        DFG::SpeculativeJIT::isKnownXYZ methods should use CFA rather than other things
        https://bugs.webkit.org/show_bug.cgi?id=110092

        Reviewed by Geoffrey Garen.
        
        These methods were previously using GenerationInfo and other things to try to
        gain information that the CFA could give away for free, if you asked kindly
        enough.
        
        Also fixed CallLinkStatus's dump() method since it was making an invalid
        assertion: we most certainly can have a status where the structure is non-null
        and the executable is null, like if we're dealing with an InternalFunction.
        
        Also removed calls to isKnownNotXYZ from fillSpeculateABC methods in 32_64. I
        don't know why that was there. But it was causing asserts if the value was
        empty - i.e. we had already exited unconditionally but we didn't know it. I
        could have fixed this by introducing another form of isKnownNotXYZ which was
        tolerant of empty values, but I didn't feel like fixing code that I knew to be
        unnecessary. (More deeply, isKnownNotCell, for example, really asks: "do you
        know that this value can never be a cell?" while some of the previous uses
        wanted to ask: "do you know that this is a value that is not a cell?". The
        former is "true" if the value is a contradiction [i.e. BOTTOM], while the
        latter is "false" for contradictions, since contradictions are not values.)

        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::dump):
        * bytecode/CallLinkStatus.h:
        (JSC::CallLinkStatus::CallLinkStatus):
        * dfg/DFGSpeculativeJIT.cpp:
        (DFG):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::isKnownInteger):
        (JSC::DFG::SpeculativeJIT::isKnownCell):
        (JSC::DFG::SpeculativeJIT::isKnownNotInteger):
        (JSC::DFG::SpeculativeJIT::isKnownNotNumber):
        (JSC::DFG::SpeculativeJIT::isKnownNotCell):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        * dfg/DFGStructureAbstractValue.h:
        (JSC::DFG::StructureAbstractValue::dump):

2013-02-17  Filip Pizlo  <fpizlo@apple.com>

        Get rid of DFG::DoubleOperand and simplify ValueToInt32
        https://bugs.webkit.org/show_bug.cgi?id=110072

        Reviewed by Geoffrey Garen.
        
        ValueToInt32 had a side-effecting path, which was not OSR-friendly: an OSR after
        the side-effect would lead to the side-effect re-executing. I got rid of that path
        and replaced it with an optimization for the case where the input is speculated
        number-or-other. This makes idioms like null|0 and true|0 work as expected, and
        get optimized appropriately.
        
        Also got rid of DoubleOperand. Replaced all remaining uses of it with
        SpeculateDoubleOperand. Because the latter asserts that the Edge is a DoubleUse
        edge and the remaining uses of DoubleOperand are all for untyped uses, I worked
        around the assertion by setting the UseKind to DoubleUse by force. This is sound,
        since all existing assertions for DoubleUse are actually asserting that we're not
        converting a value to double unexpectedly. But all of these calls to
        SpeculateDoubleOperand are when the operand is already known to be represented as
        double, so there is no conversion.
        
        This is neutral on benchmarks, except stanford-crypto-ccm, which speeds up a
        little. Mostly, this is intended to delete a bunch of code. DoubleOperand was
        equivalent to the replace-edge-with-DoubleUse trick that I'm using now, except it
        involved a _lot_ more code.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGSpeculativeJIT.cpp:
        (DFG):
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        (DFG):
        (FPRTemporary):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (DFG):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (DFG):

2013-02-18  Ádám Kallai  <kadam@inf.u-szeged.hu>

        [Qt] Mountain Lion buildfix after r143147.

        Reviewed by Csaba Osztrogonác.

        * runtime/DateConstructor.cpp:

2013-02-18  Zan Dobersek  <zdobersek@igalia.com>

        Stop placing std::isfinite and std::signbit inside the global scope
        https://bugs.webkit.org/show_bug.cgi?id=109817

        Reviewed by Darin Adler.

        Prefix calls to the isfinite and signbit methods with std:: as the two
        methods are no longer being imported into the global scope.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::shouldBlindDouble):
        * offlineasm/cloop.rb:
        * runtime/BigInteger.h:
        (JSC::BigInteger::BigInteger):
        * runtime/DateConstructor.cpp:
        (JSC::constructDate):
        * runtime/DatePrototype.cpp:
        (JSC::fillStructuresUsingTimeArgs):
        (JSC::fillStructuresUsingDateArgs):
        (JSC::dateProtoFuncToISOString):
        (JSC::dateProtoFuncSetYear):
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::JSValue):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncIsFinite):
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::appendStringifiedValue):
        * runtime/MathObject.cpp:
        (JSC::mathProtoFuncMax): Also include an opportunistic style fix.
        (JSC::mathProtoFuncMin): Ditto.
        * runtime/NumberPrototype.cpp:
        (JSC::toStringWithRadix):
        (JSC::numberProtoFuncToExponential):
        (JSC::numberProtoFuncToFixed):
        (JSC::numberProtoFuncToPrecision):
        (JSC::numberProtoFuncToString):
        * runtime/Uint16WithFraction.h:
        (JSC::Uint16WithFraction::Uint16WithFraction):

2013-02-18  Ádám Kallai  <kadam@inf.u-szeged.hu>

        [Qt] Mountain Lion buildfix after r143147.

        Reviewed by Csaba Osztrogonác.

        * runtime/DateInstance.cpp:

2013-02-18  Ilya Tikhonovsky  <loislo@chromium.org>

        Unreviewed speculative build fix for Apple Win bots.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:

2013-02-18  Filip Pizlo  <fpizlo@apple.com>

        Fix indentation of StructureStubInfo.h

        Rubber stamped by Mark Hahnenberg.

        * bytecode/StructureStubInfo.h:

2013-02-18  Filip Pizlo  <fpizlo@apple.com>

        Fix indentation of JSGlobalObject.h and JSGlobalObjectFunctions.h

        Rubber stamped by Mark Hahnenberg.

        * runtime/JSGlobalObject.h:
        * runtime/JSGlobalObjectFunctions.h:

2013-02-18  Filip Pizlo  <fpizlo@apple.com>

        Fix indention of Operations.h

        Rubber stamped by Mark Hahnenberg.

        * runtime/Operations.h:

2013-02-18  Filip Pizlo  <fpizlo@apple.com>

        Remove DFG::SpeculativeJIT::isKnownNumeric(), since it's not called from anywhere.

        Rubber stamped by Andy Estes.

        * dfg/DFGSpeculativeJIT.cpp:
        (DFG):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):

2013-02-18  Filip Pizlo  <fpizlo@apple.com>

        Remove DFG::SpeculativeJIT::isStrictInt32(), since it's not called from anywhere.

        Rubber stampted by Andy Estes.

        * dfg/DFGSpeculativeJIT.cpp:
        (DFG):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):

2013-02-18  Filip Pizlo  <fpizlo@apple.com>

        Remove dead code for ValueToNumber from the DFG.

        Rubber stamped by Andy Estes.
        
        We killed ValueToNumber at some point, but forgot to kill all of the backend support
        for it.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleMinMax):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        * dfg/DFGSpeculativeJIT64.cpp:

2013-02-17  Csaba Osztrogonác  <ossy@webkit.org>

        Unreviewed buildfix for JSVALUE32_64 builds after r143147.

        * jit/JIT.h:

2013-02-17  Filip Pizlo  <fpizlo@apple.com>

        Move all Structure out-of-line inline methods to StructureInlines.h
        https://bugs.webkit.org/show_bug.cgi?id=110024

        Rubber stamped by Mark Hahnenberg and Sam Weinig.
        
        This was supposed to be easy.
        
        But, initially, there was a Structure inline method in CodeBlock.h, and moving that
        into StructureInlines.h meant that Operations.h included CodeBlock.h. This would
        cause WebCore build failures, because CodeBlock.h transitively included the JSC
        parser (via many, many paths), and the JSC parser defines tokens using enumeration
        elements that CSSGrammar.cpp (generated by bison) would #define. For example,
        bison would give CSSGrammar.cpp a #define FUNCTION 123, and would do so before
        including anything interesting. The JSC parser would have an enum that included
        FUNCTION as an element. Hence the JSC parser included into CSSGrammar.cpp would have
        a token element called FUNCTION declared in an enumeration, but FUNCTION was
        #define'd to 123, leading to a parser error.
        
        Wow.
        
        So I removed all transitive include paths from CodeBlock.h to the JSC Parser. I
        believe I was able to do so without out-of-lining anything interesting or performance
        critical. This is probably a purely good thing to have done: it will be nice to be
        able to make changes to the parser without having to compile the universe.
        
        Of course, doing this caused a bunch of other things to not compile, since a bunch of
        headers relied on things being implicitly included for them when they transitively
        included the parser. I fixed a lot of that.
        
        Finally, I ended up removing the method that depended on CodeBlock.h from
        StructureInlines.h, and putting it in Structure.cpp. That might seem like all of this
        was a waste of time, except that I suspect it was a worthwhile forcing function for
        cleaning up a bunch of cruft.
        
        * API/JSCallbackFunction.cpp:
        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.h:
        (JSC):
        * bytecode/EvalCodeCache.h:
        * bytecode/SamplingTool.h:
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::parameterCount):
        (JSC):
        * bytecode/UnlinkedCodeBlock.h:
        (UnlinkedFunctionExecutable):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/Label.h:
        (JSC):
        * dfg/DFGByteCodeParser.cpp:
        * dfg/DFGByteCodeParser.h:
        * dfg/DFGFPRInfo.h:
        * dfg/DFGRegisterBank.h:
        * heap/HandleStack.cpp:
        * jit/JITWriteBarrier.h:
        * parser/Nodes.h:
        (JSC):
        * parser/Parser.h:
        * parser/ParserError.h: Added.
        (JSC):
        (JSC::ParserError::ParserError):
        (ParserError):
        (JSC::ParserError::toErrorObject):
        * parser/ParserModes.h:
        * parser/SourceProvider.cpp: Added.
        (JSC):
        (JSC::SourceProvider::SourceProvider):
        (JSC::SourceProvider::~SourceProvider):
        * parser/SourceProvider.h:
        (JSC):
        (SourceProvider):
        * runtime/ArrayPrototype.cpp:
        * runtime/DatePrototype.cpp:
        * runtime/Executable.h:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:
        (JSC):
        * runtime/Operations.h:
        * runtime/Structure.cpp:
        (JSC::Structure::prototypeForLookup):
        (JSC):
        * runtime/Structure.h:
        (JSC):
        * runtime/StructureInlines.h: Added.
        (JSC):
        (JSC::Structure::create):
        (JSC::Structure::createStructure):
        (JSC::Structure::get):
        (JSC::Structure::masqueradesAsUndefined):
        (JSC::SlotVisitor::internalAppend):
        (JSC::Structure::transitivelyTransitionedFrom):
        (JSC::Structure::setEnumerationCache):
        (JSC::Structure::enumerationCache):
        (JSC::Structure::prototypeForLookup):
        (JSC::Structure::prototypeChain):
        (JSC::Structure::isValid):
        * runtime/StructureRareData.cpp:

2013-02-17  Roger Fong  <roger_fong@apple.com>

        Unreviewed. Windows build fix.

        * runtime/CodeCache.h:
        (CodeCacheMap):

2013-02-16  Geoffrey Garen  <ggaren@apple.com>

        Code cache should be explicit about what it caches
        https://bugs.webkit.org/show_bug.cgi?id=110039

        Reviewed by Oliver Hunt.

        This patch makes the code cache more explicit in two ways:

        (1) The cache caches top-level scripts. Any sub-functions executed as a
        part of a script are cached with it and evicted with it.

        This simplifies things by eliminating out-of-band sub-function tracking,
        and fixes pathological cases where functions for live scripts would be
        evicted in favor of functions for dead scripts, and/or high probability
        functions executed early in script lifetime would be evicted in favor of
        low probability functions executed late in script lifetime, due to LRU.

        Statistical data from general browsing and PLT confirms that caching
        functions independently of scripts is not profitable.

        (2) The cache tracks script size, not script count.

        This reduces the worst-case cache size by a factor of infinity.

        Script size is a reasonable first-order estimate of in-memory footprint 
        for a cached script because there are no syntactic constructs that have
        super-linear memory footprint.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock): Moved this function out of the cache
        because it does not consult the cache, and is not managed by it.

        (JSC::UnlinkedFunctionExecutable::visitChildren): Visit our code blocks
        because they are strong references now, rather than weak, a la (1).

        (JSC::UnlinkedFunctionExecutable::codeBlockFor): Updated for interface changes.

        * bytecode/UnlinkedCodeBlock.h:
        (UnlinkedFunctionExecutable):
        (UnlinkedFunctionCodeBlock): Strong now, not weak, a la (1).

        * runtime/CodeCache.cpp:
        (JSC::CodeCache::CodeCache):
        * runtime/CodeCache.h:
        (JSC::SourceCodeKey::length):
        (SourceCodeKey):
        (CodeCacheMap):
        (JSC::CodeCacheMap::CodeCacheMap):
        (JSC::CodeCacheMap::find):
        (JSC::CodeCacheMap::set):
        (JSC::CodeCacheMap::clear):
        (CodeCache):
        (JSC::CodeCache::clear): Removed individual function tracking, due to (1).
        Added explicit character counting, for (2).

        You might think 16000000 characters is a lot. It is. But this patch
        didn't establish that limit -- it just took the existing limit and
        made it more visible. I intend to reduce the size of the cache in a
        future patch.

2013-02-16  Filip Pizlo  <fpizlo@apple.com>

        Remove support for bytecode comments, since it doesn't build, and hasn't been used in a while.
        https://bugs.webkit.org/show_bug.cgi?id=110035

        Rubber stamped by Andreas Kling.
        
        There are other ways of achieving the same effect, like adding print statements to the bytecode generator.
        The fact that this feature doesn't build and nobody noticed implies that it's probably not a popular
        feature. As well, the amount of wiring that was required for it was quite big considering its relatively
        modest utility.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC):
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        * bytecode/Comment.h: Removed.
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitOpcode):
        (JSC):
        * bytecompiler/BytecodeGenerator.h:
        (BytecodeGenerator):
        (JSC::BytecodeGenerator::symbolTable):

2013-02-16  Brent Fulgham  <bfulgham@webkit.org>

        [Windows] Unreviewed Visual Studio 2010 build fix after r143117

        * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorDebug.props: Reference new path to property sheets.
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
        Build correction after new operator == added.

2013-02-16  Filip Pizlo  <fpizlo@apple.com>

        Fix indentation of Structure.h

        Rubber stamped by Mark Hahnenberg.

        * runtime/Structure.h:

2013-02-16  Christophe Dumez  <ch.dumez@sisa.samsung.com>

        Unreviewed build fix.

        Export symbol for new CString operator== operator to fix Windows build.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:

2013-02-15  Filip Pizlo  <fpizlo@apple.com>

        Structure should be more methodical about the relationship between m_offset and m_propertyTable
        https://bugs.webkit.org/show_bug.cgi?id=109978

        Reviewed by Mark Hahnenberg.
        
        Allegedly, the previous relationship was that either m_propertyTable or m_offset
        would be set, and if m_propertyTable was not set you could rebuild it.  In reality,
        we would sometimes "reset" both: some transitions wouldn't set m_offset, and other
        transitions would clear the previous structure's m_propertyTable.  So, in a
        structure transition chain of A->B->C you could have:

        A transitions to B: B doesn't copy m_offset but does copy m_propertyTable, because
            that seemed like a good idea at the time (this was a common idiom in the code).
        B transitions to C: C steals B's m_propertyTable, leaving B with neither a
            m_propertyTable nor a m_offset.

        Then we would ask for the size of the property storage of B and get the answer
        "none".  That's not good.

        Now, there is a new relationship, which, hopefully, should fix things: m_offset is
        always set and always refers to the maximum offset ever used by the property table.
        From this, you can infer both the inline and out-of-line property size, and
        capacity.  This is accomplished by having PropertyTable::add() take a
        PropertyOffset reference, which must be Structure::m_offset.  It will update this
        offset.  As well, all transitions now copy m_offset.  And we frequently assert
        (using RELEASE_ASSERT) that the m_offset matches what m_propertyTable would tell
        you.  Hence if you ever modify the m_propertyTable, you'll also update the offset.
        If you ever copy the property table, you'll also copy the offset.  Life should be
        good, I think.

        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::add):
        * runtime/Structure.cpp:
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::removePropertyTransition):
        (JSC::Structure::changePrototypeTransition):
        (JSC::Structure::despecifyFunctionTransition):
        (JSC::Structure::attributeChangeTransition):
        (JSC::Structure::toDictionaryTransition):
        (JSC::Structure::sealTransition):
        (JSC::Structure::freezeTransition):
        (JSC::Structure::preventExtensionsTransition):
        (JSC::Structure::nonPropertyTransition):
        (JSC::Structure::flattenDictionaryStructure):
        (JSC::Structure::checkConsistency):
        (JSC::Structure::putSpecificValue):
        (JSC::Structure::createPropertyMap):
        (JSC::PropertyTable::checkConsistency):
        * runtime/Structure.h:
        (JSC):
        (JSC::Structure::putWillGrowOutOfLineStorage):
        (JSC::Structure::outOfLineCapacity):
        (JSC::Structure::outOfLineSize):
        (JSC::Structure::isEmpty):
        (JSC::Structure::materializePropertyMapIfNecessary):
        (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
        (Structure):
        (JSC::Structure::checkOffsetConsistency):

2013-02-15  Martin Robinson  <mrobinson@igalia.com>

        [GTK] Spread the gyp build files throughout the tree
        https://bugs.webkit.org/show_bug.cgi?id=109960

        Reviewed by Dirk Pranke.

        * JavaScriptCore.gyp/JavaScriptCoreGTK.gyp: Renamed from Source/WebKit/gtk/gyp/JavaScriptCore.gyp.
        * JavaScriptCore.gyp/generate-derived-sources.sh: Renamed from Source/WebKit/gtk/gyp/generate-derived-sources.sh.

2013-02-15  Filip Pizlo  <fpizlo@apple.com>

        DFG SpeculativeJIT64 should be more precise about when it's dealing with a cell (even though it probably doesn't matter)
        https://bugs.webkit.org/show_bug.cgi?id=109625

        Reviewed by Mark Hahnenberg.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compile):

2013-02-15  Geoffrey Garen  <ggaren@apple.com>

        Merged the global function cache into the source code cache
        https://bugs.webkit.org/show_bug.cgi?id=108660

        Reviewed by Sam Weinig.

        Responding to review comments by Darin Adler.

        * runtime/CodeCache.h:
        (JSC::SourceCodeKey::SourceCodeKey): Don't initialize m_name and m_flags
        in the hash table deleted value because they're meaningless.

2013-02-14  Filip Pizlo  <fpizlo@apple.com>

        DFG AbstractState should filter operands to NewArray more precisely
        https://bugs.webkit.org/show_bug.cgi?id=109900

        Reviewed by Mark Hahnenberg.
        
        NewArray for primitive indexing types speculates that the inputs are the appropriate
        primitives. Now, the CFA filters the abstract state accordingly, as well.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):

2013-02-15  Andreas Kling  <akling@apple.com>

        Yarr: Use OwnPtr to make pattern/disjunction/character-class ownership clearer.
        <http://webkit.org/b/109218>

        Reviewed by Benjamin Poulain.

        - Let classes that manage lifetime of other objects hold on to them with OwnPtr instead of raw pointers.
        - Placed some strategic Vector::shrinkToFit(), ::reserveInitialCapacity() and ::swap().

        668 kB progression on Membuster3.

        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::ByteCompiler::atomParenthesesSubpatternEnd):
        (JSC::Yarr::ByteCompiler::emitDisjunction):
        (ByteCompiler):
        * yarr/YarrInterpreter.h:
        (JSC::Yarr::BytecodePattern::BytecodePattern):
        (BytecodePattern):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
        (JSC::Yarr::YarrGenerator::opCompileParentheticalAssertion):
        (JSC::Yarr::YarrGenerator::opCompileBody):
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::CharacterClassConstructor::charClass):
        (JSC::Yarr::YarrPatternConstructor::YarrPatternConstructor):
        (JSC::Yarr::YarrPatternConstructor::reset):
        (JSC::Yarr::YarrPatternConstructor::atomPatternCharacter):
        (JSC::Yarr::YarrPatternConstructor::atomCharacterClassEnd):
        (JSC::Yarr::YarrPatternConstructor::copyDisjunction):
        (JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets):
        (JSC::Yarr::YarrPatternConstructor::checkForTerminalParentheses):
        (JSC::Yarr::YarrPatternConstructor::optimizeBOL):
        (JSC::Yarr::YarrPatternConstructor::containsCapturingTerms):
        (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):
        * yarr/YarrPattern.h:
        (JSC::Yarr::PatternDisjunction::addNewAlternative):
        (PatternDisjunction):
        (YarrPattern):
        (JSC::Yarr::YarrPattern::reset):
        (JSC::Yarr::YarrPattern::newlineCharacterClass):
        (JSC::Yarr::YarrPattern::digitsCharacterClass):
        (JSC::Yarr::YarrPattern::spacesCharacterClass):
        (JSC::Yarr::YarrPattern::wordcharCharacterClass):
        (JSC::Yarr::YarrPattern::nondigitsCharacterClass):
        (JSC::Yarr::YarrPattern::nonspacesCharacterClass):
        (JSC::Yarr::YarrPattern::nonwordcharCharacterClass):

2013-02-14  Geoffrey Garen  <ggaren@apple.com>

        Merged the global function cache into the source code cache
        https://bugs.webkit.org/show_bug.cgi?id=108660

        Reviewed by Sam Weinig.

        This has a few benefits:

            (*) Saves a few kB by removing a second cache data structure.

            (*) Reduces the worst case memory usage of the cache by 1.75X. (Heavy
            use of 'new Function' and other techniques could cause us to fill
            both root caches, and they didn't trade off against each other.)

            (*) Paves the way for future improvements based on a non-trivial
            cache key (for example, shrinkable pointer to the key string, and
            more precise cache size accounting).

        Also cleaned up the cache implementation and simplified it a bit.

        * heap/Handle.h:
        (HandleBase):
        * heap/Strong.h:
        (Strong): Build!

        * runtime/CodeCache.cpp:
        (JSC):
        (JSC::CodeCache::getCodeBlock):
        (JSC::CodeCache::generateFunctionCodeBlock):
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
        (JSC::CodeCache::usedFunctionCode): Updated for three interface changes:

            (*) SourceCodeKey is a class, not a pair.

            (*) Table values are abstract pointers, since they can be executables
            or code blocks. (In a future patch, I'd like to change this so we
            always store only code blocks. But that's too much for one patch.)

            (*) The cache function is named "set" because it always overwrites
            unconditionally.

        * runtime/CodeCache.h:
        (CacheMap):
        (JSC::CacheMap::find):
        (JSC::CacheMap::set):
        (JSC::CacheMap::clear): Added support for specifying hash traits, so we
        can use a SourceCodeKey.

        Removed side table and random number generator to save space and reduce
        complexity. Hash tables are already random, so we don't need another source
        of randomness.

        (SourceCodeKey):
        (JSC::SourceCodeKey::SourceCodeKey):
        (JSC::SourceCodeKey::isHashTableDeletedValue):
        (JSC::SourceCodeKey::hash):
        (JSC::SourceCodeKey::isNull):
        (JSC::SourceCodeKey::operator==):
        (JSC::SourceCodeKeyHash::hash):
        (JSC::SourceCodeKeyHash::equal):
        (SourceCodeKeyHash):
        (SourceCodeKeyHashTraits):
        (JSC::SourceCodeKeyHashTraits::isEmptyValue): A SourceCodeKey is just a
        fancy triplet: source code string; function name (or null, for non-functions);
        and flags. Flags and function name distinguish between functions and programs
        with identical code, so they can live in the same cache.

        I chose to use the source code string as the primary hashing reference
        because it's likely to be unique. We can use profiling to choose another
        technique in future, if collisions between functions and programs prove
        to be hot. I suspect they won't.

        (JSC::CodeCache::clear):
        (CodeCache): Removed the second cache.

        * heap/Handle.h:
        (HandleBase):
        * heap/Strong.h:
        (Strong):
        * runtime/CodeCache.cpp:
        (JSC):
        (JSC::CodeCache::getCodeBlock):
        (JSC::CodeCache::generateFunctionCodeBlock):
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
        (JSC::CodeCache::usedFunctionCode):
        * runtime/CodeCache.h:
        (JSC):
        (CacheMap):
        (JSC::CacheMap::find):
        (JSC::CacheMap::set):
        (JSC::CacheMap::clear):
        (SourceCodeKey):
        (JSC::SourceCodeKey::SourceCodeKey):
        (JSC::SourceCodeKey::isHashTableDeletedValue):
        (JSC::SourceCodeKey::hash):
        (JSC::SourceCodeKey::isNull):
        (JSC::SourceCodeKey::operator==):
        (JSC::SourceCodeKeyHash::hash):
        (JSC::SourceCodeKeyHash::equal):
        (SourceCodeKeyHash):
        (SourceCodeKeyHashTraits):
        (JSC::SourceCodeKeyHashTraits::isEmptyValue):
        (JSC::CodeCache::clear):
        (CodeCache):

2013-02-14  Tony Chang  <tony@chromium.org>

        Unreviewed, set svn:eol-style native for .sln, .vcproj, and .vsprops files.
        https://bugs.webkit.org/show_bug.cgi?id=96934

        * JavaScriptCore.vcproj/JavaScriptCore.sln: Modified property svn:eol-style.
        * JavaScriptCore.vcproj/JavaScriptCoreSubmit.sln: Modified property svn:eol-style.
        * JavaScriptCore.vcproj/testRegExp/testRegExpCommon.vsprops: Added property svn:eol-style.
        * JavaScriptCore.vcproj/testRegExp/testRegExpDebug.vsprops: Added property svn:eol-style.
        * JavaScriptCore.vcproj/testRegExp/testRegExpDebugAll.vsprops: Added property svn:eol-style.
        * JavaScriptCore.vcproj/testRegExp/testRegExpDebugCairoCFLite.vsprops: Added property svn:eol-style.
        * JavaScriptCore.vcproj/testRegExp/testRegExpProduction.vsprops: Added property svn:eol-style.
        * JavaScriptCore.vcproj/testRegExp/testRegExpRelease.vsprops: Added property svn:eol-style.
        * JavaScriptCore.vcproj/testRegExp/testRegExpReleaseCairoCFLite.vsprops: Added property svn:eol-style.
        * JavaScriptCore.vcproj/testRegExp/testRegExpReleasePGO.vsprops: Added property svn:eol-style.

2013-02-14  Tony Chang  <tony@chromium.org>

        Unreviewed, set svn:eol-style CRLF for .sln files.

        * JavaScriptCore.vcproj/JavaScriptCore.sln: Modified property svn:eol-style.
        * JavaScriptCore.vcproj/JavaScriptCoreSubmit.sln: Modified property svn:eol-style.

2013-02-14  David Kilzer  <ddkilzer@apple.com>

        [Mac] Clean up WARNING_CFLAGS
        <http://webkit.org/b/109747>
        <rdar://problem/13208373>

        Reviewed by Mark Rowe.

        * Configurations/Base.xcconfig: Use
        GCC_WARN_64_TO_32_BIT_CONVERSION to enable and disable
        -Wshorten-64-to-32 rather than WARNING_CFLAGS.

        * JavaScriptCore.vcproj/JavaScriptCore.sln: Modified property svn:eol-style.
        * JavaScriptCore.vcproj/JavaScriptCoreSubmit.sln: Modified property svn:eol-style.

2013-02-13  Anders Carlsson  <andersca@apple.com>

        Better build fix.

        * API/tests/testapi.c:
        (assertEqualsAsNumber):
        (main):

2013-02-13  Roger Fong  <roger_fong@apple.com>

        Unreviewed. Build fix.

        * API/tests/testapi.c:
        (assertEqualsAsNumber):
        (main):

2013-02-13  Oliver Hunt  <oliver@apple.com>

        Yet another build fix

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):

2013-02-13  Zan Dobersek  <zdobersek@igalia.com>

        The 'global isinf/isnan' compiler quirk required when using clang with libstdc++
        https://bugs.webkit.org/show_bug.cgi?id=109325

        Reviewed by Anders Carlsson.

        Prefix calls to the isinf and isnan methods with std::, declaring we want to use the
        two methods as they're provided by the C++ standard library being used.

        * API/JSValueRef.cpp:
        (JSValueMakeNumber):
        * JSCTypedArrayStubs.h:
        (JSC):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitLoad):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::constantNaN):
        * offlineasm/cloop.rb:
        * runtime/DateConstructor.cpp:
        (JSC::dateUTC): Also include an opportunistic style fix.
        * runtime/DateInstance.cpp:
        (JSC::DateInstance::calculateGregorianDateTime):
        (JSC::DateInstance::calculateGregorianDateTimeUTC):
        * runtime/DatePrototype.cpp:
        (JSC::dateProtoFuncGetMilliSeconds):
        (JSC::dateProtoFuncGetUTCMilliseconds):
        (JSC::setNewValueFromTimeArgs):
        (JSC::setNewValueFromDateArgs):
        (JSC::dateProtoFuncSetYear):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::toInteger):
        * runtime/JSDateMath.cpp:
        (JSC::getUTCOffset):
        (JSC::parseDateFromNullTerminatedCharacters):
        (JSC::parseDate):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncIsNaN):
        * runtime/MathObject.cpp:
        (JSC::mathProtoFuncMax):
        (JSC::mathProtoFuncMin):
        (JSC::mathProtoFuncPow):
        * runtime/PropertyDescriptor.cpp:
        (JSC::sameValue):

2013-02-13  Filip Pizlo  <fpizlo@apple.com>

        Change another use of (SpecCell & ~SpecString) to SpecObject.

        Reviewed by Mark Hahnenberg.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):

2013-02-13  Filip Pizlo  <fpizlo@apple.com>

        ForwardInt32ToDouble is not in DFG::MinifiedNode's list of relevant node types
        https://bugs.webkit.org/show_bug.cgi?id=109726

        Reviewed by Mark Hahnenberg.
        
        If you add it to the list of relevant node types, you also need to make sure
        it's listed as either hasChild or one of the other kinds. Otherwise you get
        an assertion. This is causing test failures in run-javascriptcore-tests.

        * dfg/DFGMinifiedNode.h:
        (JSC::DFG::MinifiedNode::hasChild):

2013-02-13  Oliver Hunt  <oliver@apple.com>

        Build fix.

        Rearranged the code somewhat to reduce the number of
        DFG related ifdefs.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):

2013-02-13  Filip Pizlo  <fpizlo@apple.com>

        ForwardInt32ToDouble is not in DFG::MinifiedNode's list of relevant node types
        https://bugs.webkit.org/show_bug.cgi?id=109726

        Reviewed by Gavin Barraclough.
        
        This is asymptomatic because ForwardInt32ToDouble is only used in SetLocals, in
        which case the value is already stored to the stack.  Still, we should fix this.

        * dfg/DFGMinifiedNode.h:
        (JSC::DFG::belongsInMinifiedGraph):

2013-02-12  Filip Pizlo  <fpizlo@apple.com>

        DFG LogicalNot/Branch peephole removal and inversion ignores the possibility of things exiting
        https://bugs.webkit.org/show_bug.cgi?id=109489

        Reviewed by Mark Hahnenberg.
        
        If things can exit between the LogicalNot and the Branch then don't peephole.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

2013-02-13  Oliver Hunt  <oliver@apple.com>

        Remove unnecessary indirection to non-local variable access operations
        https://bugs.webkit.org/show_bug.cgi?id=109724

        Reviewed by Filip Pizlo.

        Linked bytecode now stores a direct pointer to the resolve operation
        vectors, so the interpreter no longer needs a bunch of indirection to
        to perform non-local lookup.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        * bytecode/Instruction.h:
        * dfg/DFGByteCodeParser.cpp:
        (ByteCodeParser):
        (InlineStackEntry):
        (JSC::DFG::ByteCodeParser::parseResolveOperations):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canInlineOpcode):
        * dfg/DFGGraph.h:
        (ResolveGlobalData):
        (ResolveOperationData):
        (PutToBaseOperationData):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_put_to_base):
        (JSC::JIT::emit_op_resolve):
        (JSC::JIT::emitSlow_op_resolve):
        (JSC::JIT::emit_op_resolve_base):
        (JSC::JIT::emitSlow_op_resolve_base):
        (JSC::JIT::emit_op_resolve_with_base):
        (JSC::JIT::emitSlow_op_resolve_with_base):
        (JSC::JIT::emit_op_resolve_with_this):
        (JSC::JIT::emitSlow_op_resolve_with_this):
        (JSC::JIT::emitSlow_op_put_to_base):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_put_to_base):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.asm:

2013-02-13  Zoltan Herczeg  <zherczeg@webkit.org>

        replaceWithJump should not decrease the offset by 1 on ARM traditional.
        https://bugs.webkit.org/show_bug.cgi?id=109689

        Reviewed by Oliver Hunt.

        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::replaceWithJump):

2013-02-12  Joseph Pecoraro  <pecoraro@apple.com>

        [iOS] Enable PAGE_VISIBILITY_API
        https://bugs.webkit.org/show_bug.cgi?id=109399

        Reviewed by David Kilzer.

        * Configurations/FeatureDefines.xcconfig:

2013-02-12  Filip Pizlo  <fpizlo@apple.com>

        Renamed SpecObjectMask to SpecObject.

        Rubber stamped by Mark Hahnenberg.
        
        "SpecObjectMask" is a weird name considering that a bunch of the other speculated
        types are also masks, but don't have "Mask" in the name.

        * bytecode/SpeculatedType.h:
        (JSC):
        (JSC::isObjectSpeculation):
        (JSC::isObjectOrOtherSpeculation):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):

2013-02-12  Filip Pizlo  <fpizlo@apple.com>

        DFG CFA doesn't filter precisely enough for CompareStrictEq
        https://bugs.webkit.org/show_bug.cgi?id=109618

        Reviewed by Mark Hahnenberg.
        
        The backend speculates object for this case, but the CFA was filtering on
        (SpecCell & ~SpecString) | SpecOther.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):

2013-02-12  Martin Robinson  <mrobinson@igalia.com>

        Fix the gyp build of JavaScriptCore.

        * JavaScriptCore.gypi: Added some missing DFG files to the source list.

2013-02-12  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r142387.
        http://trac.webkit.org/changeset/142387
        https://bugs.webkit.org/show_bug.cgi?id=109601

        caused all layout and jscore tests on windows to fail
        (Requested by kling on #webkit).

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedCodeBlock.h:
        (UnlinkedCodeBlock):

2013-02-11  Filip Pizlo  <fpizlo@apple.com>

        DFG CompareEq optimization should be retuned
        https://bugs.webkit.org/show_bug.cgi?id=109545

        Reviewed by Mark Hahnenberg.
        
        - Made the object-to-object equality case work again by hoisting the if statement
          for it. Previously, object-to-object equality would be compiled as
          object-to-object-or-other.
        
        - Added AbstractState guards for most of the type checks that the object equality
          code uses.
        
        Looks like a hint of a speed-up on all of the things.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::compare):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):

2013-02-12  Gabor Rapcsanyi  <rgabor@webkit.org>

        JSC asserting with long parameter list functions in debug mode on ARM traditional
        https://bugs.webkit.org/show_bug.cgi?id=109565

        Reviewed by Zoltan Herczeg.

        Increase the value of sequenceGetByIdSlowCaseInstructionSpace to 80.

        * jit/JIT.h:

2013-02-11  Oliver Hunt  <oliver@apple.com>

        Make JSC API more NULL tolerant
        https://bugs.webkit.org/show_bug.cgi?id=109515

        Reviewed by Mark Hahnenberg.

        We do so much marshalling for the C API these days anyway that a single null
        check isn't a performance issue.  Yet the existing "null is unsafe" behaviour
        leads to crashes in embedding applications whenever there's an untested code
        path, so it seems having defined behaviour is superior.

        * API/APICast.h:
        (toJS):
        (toJSForGC):
        * API/JSObjectRef.cpp:
        (JSObjectIsFunction):
        (JSObjectCallAsFunction):
        (JSObjectIsConstructor):
        (JSObjectCallAsConstructor):
        * API/tests/testapi.c:
        (main):

2013-02-11  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, adding a FIXME to remind ourselves of a bug.
        https://bugs.webkit.org/show_bug.cgi?id=109487

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):

2013-02-11  Filip Pizlo  <fpizlo@apple.com>

        Strange bug in DFG OSR in JSC
        https://bugs.webkit.org/show_bug.cgi?id=109491

        Reviewed by Mark Hahnenberg.
        
        Int32ToDouble was being injected after a side-effecting operation and before a SetLocal. Anytime we
        inject something just before a SetLocal we should be aware that the previous operation may have been
        a side-effect associated with the current code origin. Hence, we should use a forward exit.
        Int32ToDouble does not do forward exits by default.
        
        This patch adds a forward-exiting form of Int32ToDouble, for use in SetLocal Int32ToDouble injections.
        Changed the CSE and other things to treat these nodes identically, but for the exit strategy to be
        distinct (Int32ToDouble -> backward, ForwardInt32ToDouble -> forward). The use of the NodeType for
        signaling exit direction is not "great" but it's what we use in other places already (like
        ForwardCheckStructure).

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::int32ToDoubleCSE):
        (CSEPhase):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGCommon.h:
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixDoubleEdge):
        (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::willHaveCodeGenOrOSR):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
        (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGVariableEventStream.cpp:
        (JSC::DFG::VariableEventStream::reconstruct):

2013-02-11  Filip Pizlo  <fpizlo@apple.com>

        NonStringCell and Object are practically the same thing for the purpose of speculation
        https://bugs.webkit.org/show_bug.cgi?id=109492

        Reviewed by Mark Hahnenberg.
        
        Removed isNonStringCellSpeculation, and made all callers use isObjectSpeculation.
        
        Changed isNonStringCellOrOtherSpeculation to be isObjectOrOtherSpeculation.
        
        I believe this is correct because even weird object types like JSNotAnObject end up
        being "objects" from the standpoint of our typesystem. Anyway, the assumption that
        "is cell but not a string" equates to "object" is an assumption that is already made
        in other places in the system so there's little value in being paranoid about it.

        * bytecode/SpeculatedType.h:
        (JSC::isObjectSpeculation):
        (JSC::isObjectOrOtherSpeculation):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGNode.h:
        (Node):
        (JSC::DFG::Node::shouldSpeculateObjectOrOther):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):

2013-02-10  Filip Pizlo  <fpizlo@apple.com>

        DFG CompareEq(a, null) and CompareStrictEq(a, const) are unsound with respect to constant folding
        https://bugs.webkit.org/show_bug.cgi?id=109387

        Reviewed by Oliver Hunt and Mark Hahnenberg.
        
        Lock in the decision to use a non-speculative constant comparison as early as possible
        and don't let the CFA change it by folding constants. This might be a performance
        penalty on some really weird code (FWIW, I haven't seen this on benchmarks), but on
        the other hand it completely side-steps the unsoundness that the bug speaks of.
        
        Rolling back in after adding 32-bit path.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::isConstantForCompareStrictEq):
        (ByteCodeParser):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-02-10  Filip Pizlo  <fpizlo@apple.com>

        DFG TypeOf implementation should have its backend code aligned to what the CFA does
        https://bugs.webkit.org/show_bug.cgi?id=109385

        Reviewed by Sam Weinig.
        
        The problem was that if we ended up trying to constant fold, but didn't succeed
        because of prediction mismatches, then we would also fail to do filtration.
        
        Rearranged the control flow in the CFA to fix that.
        
        As far as I know, this is asymptomatic - it's sort of OK for the CFA to prove less
        things, which is what the bug was.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):

2013-02-11  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r142491.
        http://trac.webkit.org/changeset/142491
        https://bugs.webkit.org/show_bug.cgi?id=109470

        broke the 32 bit build (Requested by jessieberlin on #webkit).

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-02-10  Filip Pizlo  <fpizlo@apple.com>

        DFG CompareEq(a, null) and CompareStrictEq(a, const) are unsound with respect to constant folding
        https://bugs.webkit.org/show_bug.cgi?id=109387

        Reviewed by Oliver Hunt.
        
        Lock in the decision to use a non-speculative constant comparison as early as possible
        and don't let the CFA change it by folding constants. This might be a performance
        penalty on some really weird code (FWIW, I haven't seen this on benchmarks), but on
        the other hand it completely side-steps the unsoundness that the bug speaks of.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::isConstantForCompareStrictEq):
        (ByteCodeParser):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-02-11  Csaba Osztrogonác  <ossy@webkit.org>

        Unreviewed fix after r13954 for !ENABLE(JIT) builds.

        * llint/LowLevelInterpreter.cpp:

2013-02-11  Gabor Rapcsanyi  <rgabor@webkit.org>

        JSC build failing with verbose debug mode
        https://bugs.webkit.org/show_bug.cgi?id=109441

        Reviewed by Darin Adler.

        Fixing some verbose messages which caused build errors.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::mergeToSuccessors):
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::performBlockCFA):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::setReplacement):
        (JSC::DFG::CSEPhase::eliminate):
        * dfg/DFGPredictionInjectionPhase.cpp:
        (JSC::DFG::PredictionInjectionPhase::run):

2013-02-10  Martin Robinson  <mrobinson@igalia.com>

        Fix the GTK+ gyp build

        * JavaScriptCore.gypi: Update the source list to accurately
        reflect what's in the repository and remove the offsets extractor
        from the list of JavaScriptCore files. It's only used to build
        the extractor binary.

2013-02-09  Andreas Kling  <akling@apple.com>

        Shrink-wrap UnlinkedCodeBlock members.
        <http://webkit.org/b/109368>

        Reviewed by Oliver Hunt.

        Rearrange the members of UnlinkedCodeBlock to avoid unnecessary padding on 64-bit.
        Knocks ~600 KB off of the Membuster3 peak.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedCodeBlock.h:
        (UnlinkedCodeBlock):

2013-02-08  Filip Pizlo  <fpizlo@apple.com>

        DFG should allow phases to break Phi's and then have one phase to rebuild them
        https://bugs.webkit.org/show_bug.cgi?id=108414

        Reviewed by Mark Hahnenberg.
        
        Introduces two new DFG forms: LoadStore and ThreadedCPS. These are described in
        detail in DFGCommon.h.
        
        Consequently, DFG phases no longer have to worry about preserving data flow
        links between basic blocks. It is generally always safe to request that the
        graph be dethreaded (Graph::dethread), which brings it into LoadStore form, where
        the data flow is implicit. In this form, only liveness-at-head needs to be
        preserved.
        
        All of the machinery for "threading" the graph to introduce data flow between
        blocks is now moved out of the bytecode parser and into the CPSRethreadingPhase.
        All phases that previously did this maintenance themselves now just rely on
        being able to dethread the graph. The one exception is the structure check
        hoising phase, which operates over a threaded graph and preserves it, for the
        sake of performance.
        
        Also moved two other things into their own phases: unification (previously found
        in the parser) and prediction injection (previously found in various places).

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/Operands.h:
        (Operands):
        (JSC::Operands::sizeFor):
        (JSC::Operands::atFor):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        (JSC::DFG::AbstractState::mergeStateAtTail):
        * dfg/DFGAllocator.h:
        (JSC::DFG::::allocateSlow):
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        * dfg/DFGBasicBlockInlines.h:
        (DFG):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getLocal):
        (JSC::DFG::ByteCodeParser::getArgument):
        (JSC::DFG::ByteCodeParser::flushDirect):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (DFG):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::run):
        (JSC::DFG::CFGSimplificationPhase::killUnreachable):
        (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
        (CFGSimplificationPhase):
        (JSC::DFG::CFGSimplificationPhase::fixJettisonedPredecessors):
        (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
        * dfg/DFGCPSRethreadingPhase.cpp: Added.
        (DFG):
        (CPSRethreadingPhase):
        (JSC::DFG::CPSRethreadingPhase::CPSRethreadingPhase):
        (JSC::DFG::CPSRethreadingPhase::run):
        (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
        (JSC::DFG::CPSRethreadingPhase::clearVariablesAtHeadAndTail):
        (JSC::DFG::CPSRethreadingPhase::addPhiSilently):
        (JSC::DFG::CPSRethreadingPhase::addPhi):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocal):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeSetLocal):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocal):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeSetArgument):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlocks):
        (JSC::DFG::CPSRethreadingPhase::propagatePhis):
        (JSC::DFG::CPSRethreadingPhase::PhiStackEntry::PhiStackEntry):
        (PhiStackEntry):
        (JSC::DFG::CPSRethreadingPhase::phiStackFor):
        (JSC::DFG::performCPSRethreading):
        * dfg/DFGCPSRethreadingPhase.h: Added.
        (DFG):
        * dfg/DFGCSEPhase.cpp:
        (CSEPhase):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGCommon.cpp:
        (WTF):
        (WTF::printInternal):
        * dfg/DFGCommon.h:
        (JSC::DFG::logCompilationChanges):
        (DFG):
        (WTF):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::dethread):
        (JSC::DFG::Graph::collectGarbage):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::performSubstitution):
        (Graph):
        (JSC::DFG::Graph::performSubstitutionForEdge):
        (JSC::DFG::Graph::convertToConstant):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToPhantomLocal):
        (Node):
        (JSC::DFG::Node::convertToGetLocal):
        (JSC::DFG::Node::hasVariableAccessData):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGPhase.cpp:
        (JSC::DFG::Phase::beginPhase):
        * dfg/DFGPhase.h:
        (JSC::DFG::runAndLog):
        * dfg/DFGPredictionInjectionPhase.cpp: Added.
        (DFG):
        (PredictionInjectionPhase):
        (JSC::DFG::PredictionInjectionPhase::PredictionInjectionPhase):
        (JSC::DFG::PredictionInjectionPhase::run):
        (JSC::DFG::performPredictionInjection):
        * dfg/DFGPredictionInjectionPhase.h: Added.
        (DFG):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::run):
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStructureCheckHoistingPhase.cpp:
        (JSC::DFG::StructureCheckHoistingPhase::run):
        * dfg/DFGUnificationPhase.cpp: Added.
        (DFG):
        (UnificationPhase):
        (JSC::DFG::UnificationPhase::UnificationPhase):
        (JSC::DFG::UnificationPhase::run):
        (JSC::DFG::performUnification):
        * dfg/DFGUnificationPhase.h: Added.
        (DFG):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validate):
        (JSC::DFG::Validate::dumpGraphIfAppropriate):
        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        (JSC::DFG::VirtualRegisterAllocationPhase::run):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::setUpCall):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::dump):
        * runtime/JSString.h:
        (JSString):
        * runtime/Options.h:
        (JSC):

2013-02-08  Jer Noble  <jer.noble@apple.com>

        Bring WebKit up to speed with latest Encrypted Media spec.
        https://bugs.webkit.org/show_bug.cgi?id=97037

        Reviewed by Eric Carlson.

        Define the ENABLE_ENCRYPTED_MEDIA_V2 setting.

        * Configurations/FeatureDefines.xcconfig:

2013-02-08  Gavin Barraclough  <barraclough@apple.com>

        Objective-C API for JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=105889

        Reviewed by Joseph Pecoraro

        Following up on review comments, mostly typos.

        * API/JSBlockAdaptor.h:
        * API/JSBlockAdaptor.mm:
        (-[JSBlockAdaptor blockFromValue:inContext:withException:]):
        * API/JSContext.h:
        * API/JSExport.h:
        * API/JSValue.h:
        * API/JSValue.mm:
        * API/JSWrapperMap.mm:
        (selectorToPropertyName):
        (-[JSWrapperMap classInfoForClass:]):
        (-[JSWrapperMap wrapperForObject:]):

2013-02-08  Martin Robinson  <mrobinson@igalia.com>

        [GTK] Add an experimental gyp build
        https://bugs.webkit.org/show_bug.cgi?id=109003

        Reviewed by Gustavo Noronha Silva.

        * JavaScriptCore.gypi: Update the list of source files to include those
        necessary for the GTK+ build.

2013-02-08  Andreas Kling  <akling@apple.com>

        JSC: Lower minimum PropertyTable size.
        <http://webkit.org/b/109247>

        Reviewed by Darin Adler.

        Lower the minimum table size for PropertyTable from 16 to 8.
        3.32 MB progression on Membuster3 (a ~13% reduction in memory used by PropertyTables.)

        * runtime/PropertyMapHashTable.h:
        (PropertyTable):
        (JSC::PropertyTable::sizeForCapacity):

2013-02-07  Roger Fong  <roger_fong@apple.com>

        Unreviewed. More VS2010 WebKit solution touchups.
        Make JavaScriptCoreExports.def.in be treated as a custom build file so that changes to it cause the exports to be rebuilt.

        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj.filters:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:

2013-02-07  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: testapi.mm should use ARC
        https://bugs.webkit.org/show_bug.cgi?id=107838

        Reviewed by Mark Rowe.

        Removing the changes to the Xcode project file and moving the equivalent flags into 
        the ToolExecutable xcconfig file.

        * Configurations/ToolExecutable.xcconfig:
        * JavaScriptCore.xcodeproj/project.pbxproj:

2013-02-07  Brent Fulgham  <bfulgham@webkit.org>

        [Windows] Unreviewed Visual Studio 2010 build fixes after r142179.

        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in: Correct changed symbols
        * JavaScriptCore.vcxproj/JavaScriptCoreExports.def: Removed autogenerated file.

2013-02-05  Filip Pizlo  <fpizlo@apple.com>

        DFG::ByteCodeParser should do surgical constant folding to reduce load on the optimization fixpoint
        https://bugs.webkit.org/show_bug.cgi?id=109000

        Reviewed by Oliver Hunt.
        
        Previously our source parser's ASTBuilder did some surgical constant folding, but it
        didn't cover some cases.  It was particularly incapable of doing constant folding for
        cases where we do some minimal loop peeling in the bytecode generator - since it
        didn't "see" those constants prior to the peeling.  Example:

        for (var i = 0; i < 4; ++i)
            things;

        This will get peeled just a bit by the bytecode generator, so that the "i < 4" is
        duplicated both at the top of the loop and the bottom.  This means that we have a
        constant comparison: "0 < 4", which the bytecode generator emits without any further
        thought.

        The DFG optimization fixpoint of course folds this and simplifies the CFG 
        accordingly, but this incurs a compile-time cost.  The purpose of this change is to
        do some surgical constant folding in the DFG's bytecode parser, so that such
        constructs reduce load on the CFG simplifier and the optimization fixpoint.  The goal
        is not to cover all cases, since the DFG CFA and CFG simplifier have a powerful
        sparse conditional constant propagation that we can always fall back on. Instead the
        goal is to cover enough cases that for common small functions we don't have to
        perform such transformations, thereby reducing compile times.
        
        This also refactors m_inlineStackEntry->m_inlineCallFrame to be a handy method call
        and also adds the notion of a TriState-based JSValue::pureToBoolean(). Both of these
        things are used by the folder.
        
        As well, care has been taken to make sure that the bytecode parser only does folding
        that is statically provable, and that doesn't arise out of speculation. This means
        we cannot fold on data flow that crosses inlining boundaries. On the other hand, the
        folding that the bytecode parser uses doesn't require phantoming anything. Such is
        the trade-off: for anything that we do need phantoming, we defer it to the
        optimization fixpoint.
        
        Slight SunSpider speed-up.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::get):
        (JSC::DFG::ByteCodeParser::getLocal):
        (JSC::DFG::ByteCodeParser::setLocal):
        (JSC::DFG::ByteCodeParser::flushDirect):
        (JSC::DFG::ByteCodeParser::flushArgumentsAndCapturedVariables):
        (JSC::DFG::ByteCodeParser::toInt32):
        (ByteCodeParser):
        (JSC::DFG::ByteCodeParser::inlineCallFrame):
        (JSC::DFG::ByteCodeParser::currentCodeOrigin):
        (JSC::DFG::ByteCodeParser::canFold):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::getScope):
        (JSC::DFG::ByteCodeParser::parseResolveOperations):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::isStronglyProvedConstantIn):
        (Node):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::pureToBoolean):
        (JSC):

2013-02-07  Zoltan Herczeg  <zherczeg@webkit.org>

        Invalid code is generated for storing constants with baseindex addressing modes on ARM traditional.
        https://bugs.webkit.org/show_bug.cgi?id=109050

        Reviewed by Oliver Hunt.

        The S! scratch register is reused, but it should contain the constant value.

        * assembler/ARMAssembler.cpp:
        (JSC::ARMAssembler::baseIndexTransfer32):
        (JSC::ARMAssembler::baseIndexTransfer16):

2013-02-07  Andras Becsi  <andras.becsi@digia.com>

        [Qt] Use GNU ar's thin archive format for intermediate static libs
        https://bugs.webkit.org/show_bug.cgi?id=109052

        Reviewed by Jocelyn Turcotte.

        Adjust project files that used activeBuildConfig()
        to use targetSubDir().

        * JavaScriptCore.pri:
        * LLIntOffsetsExtractor.pro:
        * Target.pri:

2013-02-06  Roger Fong  <roger_fong@apple.com>

        Unreviewed. Touchups to VS2010 WebKit solution.
        Fix an export generator script, modify some property sheets, add resouce file.

        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorDebug.props:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorPostBuild.cmd:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorRelease.props:
        * JavaScriptCore.vcxproj/resource.h: Added.

2013-02-06  Ilya Tikhonovsky  <loislo@chromium.org>

        Web Inspector: Native Memory Instrumentation: assign class name to the heap graph node automatically
        https://bugs.webkit.org/show_bug.cgi?id=107262

        Reviewed by Yury Semikhatsky.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:

2013-02-06  Mike West  <mkwst@chromium.org>

        Add an ENABLE_NOSNIFF feature flag.
        https://bugs.webkit.org/show_bug.cgi?id=109029

        Reviewed by Jochen Eisinger.

        This new flag will control the behavior of 'X-Content-Type-Options: nosniff'
        when processing script and other resource types.

        * Configurations/FeatureDefines.xcconfig:

2013-02-05  Mark Hahnenberg  <mhahnenberg@apple.com>

        put_to_base should emit a Phantom for "value" across the ForceOSRExit
        https://bugs.webkit.org/show_bug.cgi?id=108998

        Reviewed by Oliver Hunt.

        Otherwise, the OSR exit compiler could clobber it, which would lead to badness.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::tallyFrequentExitSites): Build fixes for when DFG debug logging is enabled.
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock): Added extra Phantoms for the "value" field where needed.
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile): Ditto.

2013-02-05  Michael Saboff  <msaboff@apple.com>

        Crash at JSC::call when loading www.gap.com with JSVALUE32_64 Enabled
        https://bugs.webkit.org/show_bug.cgi?id=108991

        Reviewed by Oliver Hunt.

        Changed the restoration from calleeGPR to nonArgGPR0 because the restoration of the return location
        may step on calleeGPR is it happen to be nonArgGPR2.

        * dfg/DFGRepatch.cpp:
        (JSC::DFG::dfgLinkClosureCall):

2013-02-05  Roger Fong  <roger_fong@apple.com>

        Add a JavaScriptCore Export Generator project.
        https://bugs.webkit.org/show_bug.cgi?id=108971.

        Reviewed by Brent Fulgham.

        * JavaScriptCore.vcxproj/JavaScriptCore.sln:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator: Added.
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj: Added.
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj.filters: Added.
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj.user: Added.
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorBuildCmd.cmd: Added.
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorCommon.props: Added.
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorDebug.props: Added.
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorPostBuild.cmd: Added.
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorPreBuild.cmd: Added.
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorRelease.props: Added.
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in: Added.

2013-02-04  Filip Pizlo  <fpizlo@apple.com>

        DFG should have a precise view of jump targets
        https://bugs.webkit.org/show_bug.cgi?id=108868

        Reviewed by Oliver Hunt.
        
        Previously, the DFG relied entirely on the CodeBlock's jump targets list for
        determining when to break basic blocks. This worked great, except sometimes it
        would be too conservative since the CodeBlock just says where the bytecode
        generator inserted labels.
        
        This change keeps the old jump target list in CodeBlock since it is still
        valuable to the baseline JIT, but switches the DFG to use its own jump target
        calculator. This ought to reduce pressure on the DFG simplifier, which would
        previously do a lot of work to try to merge redundantly created basic blocks.
        It appears to be a 1% progression on SunSpider.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/PreciseJumpTargets.cpp: Added.
        (JSC):
        (JSC::addSimpleSwitchTargets):
        (JSC::computePreciseJumpTargets):
        * bytecode/PreciseJumpTargets.h: Added.
        (JSC):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseCodeBlock):

2013-02-01  Roger Fong  <roger_fong@apple.com>

        Make ConfigurationBuildDir include directories precede WebKitLibraries in JSC.
        https://bugs.webkit.org/show_bug.cgi?id=108693.

        Rubberstamped by Timothy Horton.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreCommon.vsprops:

2013-02-04  Mark Hahnenberg  <mhahnenberg@apple.com>

        Structure::m_outOfLineCapacity is unnecessary
        https://bugs.webkit.org/show_bug.cgi?id=108206

        Reviewed by Darin Adler.

        Simplifying the utility functions that we use since we don't need a 
        bunch of fancy templates for this one specific call site.

        * runtime/Structure.h:
        (JSC::Structure::outOfLineCapacity):

2013-02-05  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: testapi.mm should use ARC
        https://bugs.webkit.org/show_bug.cgi?id=107838

        Reviewed by Oliver Hunt.

        In ToT testapi.mm uses the Obj-C garbage collector, which hides a lot of our object lifetime bugs.
        We should enable ARC, since that is what most of our clients will be using. We use Xcode project 
        settings to make sure we don't try to compile ARC on 32-bit.

        * API/tests/testapi.mm:
        (+[TestObject testObject]):
        (testObjectiveCAPI):
        * JavaScriptCore.xcodeproj/project.pbxproj:

2013-02-05  Brent Fulgham  <bfulgham@webkit.org>

        [Windows] Unreviewed VS2010 Build Correction after r141651

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing
        StructureRareData.h and StructureRareData.cpp files.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.

2013-02-05  Michael Saboff  <msaboff@apple.com>

        r141788 won't build due to not having all changes needed by Node* change
        https://bugs.webkit.org/show_bug.cgi?id=108944

        Reviewed by David Kilzer.

        Fixed three instances of integerResult(..., m_compileIndex) to be integerResult(..., node).

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileSoftModulo):
        (JSC::DFG::SpeculativeJIT::compileIntegerArithDivForARMv7s):

2013-02-04  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r141809.
        http://trac.webkit.org/changeset/141809
        https://bugs.webkit.org/show_bug.cgi?id=108860

        ARC isn't supported on 32-bit. (Requested by mhahnenberg on
        #webkit).

        * API/tests/testapi.mm:
        (+[TestObject testObject]):
        (testObjectiveCAPI):
        * JavaScriptCore.xcodeproj/project.pbxproj:

2013-02-04  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: testapi.mm should use ARC
        https://bugs.webkit.org/show_bug.cgi?id=107838

        Reviewed by Oliver Hunt.

        In ToT testapi.mm uses the Obj-C garbage collector, which hides a lot of our object lifetime bugs. 
        We should enable ARC, since that is what most of our clients will be using.

        * API/tests/testapi.mm:
        (-[TestObject init]):
        (-[TestObject dealloc]):
        (+[TestObject testObject]):
        (testObjectiveCAPI):
        * JavaScriptCore.xcodeproj/project.pbxproj:

2013-02-04  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: ObjCCallbackFunction should retain the target of its NSInvocation
        https://bugs.webkit.org/show_bug.cgi?id=108843

        Reviewed by Darin Adler.

        Currently, ObjCCallbackFunction doesn't retain the target of its NSInvocation. It needs to do 
        this to prevent crashes when trying to invoke a callback later on.

        * API/ObjCCallbackFunction.mm:
        (ObjCCallbackFunction::ObjCCallbackFunction):
        (ObjCCallbackFunction::~ObjCCallbackFunction):

2013-02-04  Martin Robinson  <mrobinson@igalia.com>

        Fix GTK+ 'make dist' in preparation for the 1.11.5 release.

        * GNUmakefile.list.am: Update the source lists.

2013-02-04  Michael Saboff  <msaboff@apple.com>

        For ARMv7s use integer divide instruction for divide and modulo when possible
        https://bugs.webkit.org/show_bug.cgi?id=108840

        Reviewed in person by Filip Pizlo.

        Added ARMv7s integer divide path for ArithDiv and ArithMod where operands and results are integer.
        This is patterned after the similar code for X86.  Also added modulo power of 2 optimization
        that uses logical and.  Added sdiv and udiv to the ARMv7 disassembler.  Put all the changes
        behind #if CPU(APPLE_ARMV7S). 

        * assembler/ARMv7Assembler.h:
        (ARMv7Assembler):
        (JSC::ARMv7Assembler::sdiv):
        (JSC::ARMv7Assembler::udiv):
        * dfg/DFGCommon.h:
        (JSC::DFG::isARMv7s):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileSoftModulo):
        (JSC::DFG::SpeculativeJIT::compileIntegerArithDivForARMv7s):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-02-04  David Kilzer  <ddkilzer@apple.com>

        Check PrivateHeaders/JSBasePrivate.h for inappropriate macros
        <http://webkit.org/b/108749>

        Reviewed by Joseph Pecoraro.

        * JavaScriptCore.xcodeproj/project.pbxproj: Add
        PrivateHeaders/JSBasePrivate.h to list of headers to check in
        "Check for Inappropriate Macros in External Headers" build phase
        script.

2013-02-04  David Kilzer  <ddkilzer@apple.com>

        Remove duplicate entries from JavaScriptCore Xcode project

            $ uniq Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj | diff -u - Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj | patch -p0 -R
            patching file Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

        * JavaScriptCore.xcodeproj/project.pbxproj: Remove duplicates.

2013-02-04  David Kilzer  <ddkilzer@apple.com>

        Sort JavaScriptCore Xcode project file

        * JavaScriptCore.xcodeproj/project.pbxproj:

2013-02-03  David Kilzer  <ddkilzer@apple.com>

        Upstream ENABLE_PDFKIT_PLUGIN settting
        <http://webkit.org/b/108792>

        Reviewed by Tim Horton.

        * Configurations/FeatureDefines.xcconfig: Disable PDFKIT_PLUGIN
        on iOS since PDFKit is a Mac-only framework.

2013-02-02  Andreas Kling  <akling@apple.com>

        Vector should consult allocator about ideal size when choosing capacity.
        <http://webkit.org/b/108410>
        <rdar://problem/13124002>

        Reviewed by Benjamin Poulain.

        Remove assertion about Vector capacity that won't hold anymore since capacity()
        may not be what you passed to reserveCapacity().
        Also export WTF::fastMallocGoodSize() for Windows builds.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):

2013-02-02  Patrick Gansterer  <paroga@webkit.org>

        [CMake] Adopt the WinCE port to new CMake
        https://bugs.webkit.org/show_bug.cgi?id=108754

        Reviewed by Laszlo Gombos.

        * os-win32/WinMain.cpp: Removed.
        * shell/PlatformWinCE.cmake: Removed.

2013-02-02  Mark Rowe  <mrowe@apple.com>

        <http://webkit.org/b/108745> WTF shouldn't use a script build phase to detect the presence of headers when the compiler can do it for us

        Reviewed by Sam Weinig.

        * DerivedSources.make: Remove an obsolete Makefile rule. This should have been removed when the use
        of the generated file moved to WTF.

2013-02-02  David Kilzer  <ddkilzer@apple.com>

        Upstream iOS FeatureDefines
        <http://webkit.org/b/108753>

        Reviewed by Anders Carlsson.

        * Configurations/FeatureDefines.xcconfig:
        - ENABLE_DEVICE_ORIENTATION: Add iOS configurations.
        - ENABLE_PLUGIN_PROXY_FOR_VIDEO: Ditto.
        - FEATURE_DEFINES: Add ENABLE_PLUGIN_PROXY_FOR_VIDEO.  Add
          PLATFORM_NAME variant to reduce future merge conflicts. 

2013-02-01  Mark Hahnenberg  <mhahnenberg@apple.com>

        Structure::m_enumerationCache should be moved to StructureRareData
        https://bugs.webkit.org/show_bug.cgi?id=108723

        Reviewed by Oliver Hunt.

        m_enumerationCache is only used by objects whose properties are iterated over, so not every Structure needs this 
        field and it can therefore be moved safely to StructureRareData to help with memory savings.

        * runtime/JSPropertyNameIterator.h:
        (JSPropertyNameIterator):
        (JSC::Register::propertyNameIterator):
        (JSC::StructureRareData::enumerationCache): Add to JSPropertyNameIterator.h so that it can see the correct type.
        (JSC::StructureRareData::setEnumerationCache): Ditto.
        * runtime/Structure.cpp:
        (JSC::Structure::addPropertyWithoutTransition): Use the enumerationCache() getter rather than accessing the field.
        (JSC::Structure::removePropertyWithoutTransition): Ditto.
        (JSC::Structure::visitChildren): We no longer have to worry about marking the m_enumerationCache field.
        * runtime/Structure.h: 
        (JSC::Structure::setEnumerationCache): Move the old accessors back since we don't have to have any knowledge of 
        the JSPropertyNameIterator type.
        (JSC::Structure::enumerationCache): Ditto.
        * runtime/StructureRareData.cpp:
        (JSC::StructureRareData::visitChildren): Mark the new m_enumerationCache field.
        * runtime/StructureRareData.h: Add new functions/fields.
        (StructureRareData):

2013-02-01  Roger Fong  <roger_fong@apple.com>

        Unreviewed. JavaScriptCore VS2010 project cleanup.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
        * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj:

2013-02-01  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r141662.
        http://trac.webkit.org/changeset/141662
        https://bugs.webkit.org/show_bug.cgi?id=108738

        it's an incorrect change since processPhiStack will
        dereference dangling BasicBlock pointers (Requested by pizlo
        on #webkit).

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parse):

2013-02-01  Filip Pizlo  <fpizlo@apple.com>

        Eliminate dead blocks sooner in the DFG::ByteCodeParser to make clear that you don't need to hold onto them during Phi construction
        https://bugs.webkit.org/show_bug.cgi?id=108717

        Reviewed by Mark Hahnenberg.
        
        I think this makes the code clearer. It doesn't change behavior.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parse):

2013-02-01  Mark Hahnenberg  <mhahnenberg@apple.com>

        Structure should have a StructureRareData field to save space
        https://bugs.webkit.org/show_bug.cgi?id=108659

        Reviewed by Oliver Hunt.

        Many of the fields in Structure are used in a subset of all total Structures; however, all Structures must 
        pay the memory cost of those fields, regardless of whether they use them or not. Since we can have potentially 
        many Structures on a single page (e.g. bing.com creates ~1500 Structures), it would be profitable to 
        refactor Structure so that not every Structure has to pay the memory costs for these infrequently used fields.

        To accomplish this, we can create a new StructureRareData class to house these seldom used fields which we 
        can allocate on demand whenever a Structure requires it. This StructureRareData can itself be a JSCell, and 
        can do all the marking of the fields for the Structure. The StructureRareData field will be part of a union 
        with m_previous to minimize overhead. We'll add a new field to JSTypeInfo to indicate that the Structure has 
        a StructureRareData field. During transitions, a Structure will clone its previous Structure's StructureRareData 
        if it has one. There could be some potential for optimizing this process, but the initial implementation will 
        be dumb since we'd be paying these overhead costs for each Structure anyways.

        Initially we'll only put two fields in the StructureRareData to avoid a memory regression. Over time we'll 
        continue to move fields from Structure to StructureRareData. Optimistically, this could potentially reduce our 
        Structure memory footprint by up to around 75%. It could also clear the way for removing destructors from 
        Structures (and into StructureRareData).

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * dfg/DFGRepatch.cpp: Includes for linking purposes.
        * jit/JITStubs.cpp:
        * jsc.cpp:
        * llint/LLIntSlowPaths.cpp:
        * runtime/JSCellInlines.h: Added ifdef guards.
        * runtime/JSGlobalData.cpp: New Structure for StructureRareData class.
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        * runtime/JSGlobalObject.h:
        * runtime/JSTypeInfo.h: New flag to indicate whether or not a Structure has a StructureRareData field.
        (JSC::TypeInfo::flags):
        (JSC::TypeInfo::structureHasRareData):
        * runtime/ObjectPrototype.cpp:
        * runtime/Structure.cpp: We use a combined WriteBarrier<JSCell> field m_previousOrRareData to avoid compiler issues.
        (JSC::Structure::dumpStatistics):
        (JSC::Structure::Structure): 
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::nonPropertyTransition):
        (JSC::Structure::pin):
        (JSC::Structure::allocateRareData): Handles allocating a brand new StructureRareData field.
        (JSC::Structure::cloneRareDataFrom): Handles cloning a StructureRareData field from another. Used during Structure 
        transitions.
        (JSC::Structure::visitChildren): We no longer have to worry about marking m_objectToStringValue.
        * runtime/Structure.h:
        (JSC::Structure::previousID): Checks the structureHasRareData flag to see where it should get the previous Structure.
        (JSC::Structure::objectToStringValue): Reads the value from the StructureRareData. If it doesn't exist, returns 0.
        (JSC::Structure::setObjectToStringValue): Ensures that we have a StructureRareData field, then forwards the function 
        call to it.
        (JSC::Structure::materializePropertyMapIfNecessary):
        (JSC::Structure::setPreviousID): Checks for StructureRareData and forwards if necessary.
        (Structure):
        (JSC::Structure::clearPreviousID): Ditto.
        (JSC::Structure::create):
        * runtime/StructureRareData.cpp: Added. All of the basic functionality of a JSCell with the fields that we've moved 
        from Structure and the functions required to access/modify those fields as Structure would have done.
        (JSC):
        (JSC::StructureRareData::createStructure):
        (JSC::StructureRareData::create):
        (JSC::StructureRareData::clone):
        (JSC::StructureRareData::StructureRareData):
        (JSC::StructureRareData::visitChildren):
        * runtime/StructureRareData.h: Added.
        (JSC):
        (StructureRareData):
        * runtime/StructureRareDataInlines.h: Added.
        (JSC):
        (JSC::StructureRareData::previousID):
        (JSC::StructureRareData::setPreviousID):
        (JSC::StructureRareData::clearPreviousID):
        (JSC::Structure::previous): Handles the ugly casting to get the value of the right type of m_previousOrRareData.
        (JSC::Structure::rareData): Ditto.
        (JSC::StructureRareData::objectToStringValue):
        (JSC::StructureRareData::setObjectToStringValue):

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * dfg/DFGRepatch.cpp:
        * jit/JITStubs.cpp:
        * jsc.cpp:
        * llint/LLIntSlowPaths.cpp:
        * runtime/JSCellInlines.h:
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        * runtime/JSGlobalObject.h:
        * runtime/JSTypeInfo.h:
        (JSC):
        (JSC::TypeInfo::flags):
        (JSC::TypeInfo::structureHasRareData):
        * runtime/ObjectPrototype.cpp:
        * runtime/Structure.cpp:
        (JSC::Structure::dumpStatistics):
        (JSC::Structure::Structure):
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::nonPropertyTransition):
        (JSC::Structure::pin):
        (JSC::Structure::allocateRareData):
        (JSC):
        (JSC::Structure::cloneRareDataFrom):
        (JSC::Structure::visitChildren):
        * runtime/Structure.h:
        (JSC::Structure::previousID):
        (JSC::Structure::objectToStringValue):
        (JSC::Structure::setObjectToStringValue):
        (JSC::Structure::materializePropertyMapIfNecessary):
        (JSC::Structure::setPreviousID):
        (Structure):
        (JSC::Structure::clearPreviousID):
        (JSC::Structure::previous):
        (JSC::Structure::rareData):
        (JSC::Structure::create):
        * runtime/StructureRareData.cpp: Added.
        (JSC):
        (JSC::StructureRareData::createStructure):
        (JSC::StructureRareData::create):
        (JSC::StructureRareData::clone):
        (JSC::StructureRareData::StructureRareData):
        (JSC::StructureRareData::visitChildren):
        * runtime/StructureRareData.h: Added.
        (JSC):
        (StructureRareData):
        * runtime/StructureRareDataInlines.h: Added.
        (JSC):
        (JSC::StructureRareData::previousID):
        (JSC::StructureRareData::setPreviousID):
        (JSC::StructureRareData::clearPreviousID):
        (JSC::StructureRareData::objectToStringValue):
        (JSC::StructureRareData::setObjectToStringValue):

2013-02-01  Balazs Kilvady  <kilvadyb@homejinni.com>

        offlineasm BaseIndex handling is broken on ARM due to MIPS changes
        https://bugs.webkit.org/show_bug.cgi?id=108261

        Reviewed by Filip Pizlo.

        offlineasm BaseIndex handling fix on MIPS.

        * offlineasm/mips.rb:
        * offlineasm/risc.rb:

2013-02-01  Geoffrey Garen  <ggaren@apple.com>

        Removed an unused function: JSGlobalObject::createFunctionExecutableFromGlobalCode
        https://bugs.webkit.org/show_bug.cgi?id=108657

        Reviewed by Anders Carlsson.

        * runtime/JSGlobalObject.cpp:
        (JSC):
        * runtime/JSGlobalObject.h:
        (JSGlobalObject):

2013-02-01  Geoffrey Garen  <ggaren@apple.com>

        Added TriState to WTF and started using it in one place
        https://bugs.webkit.org/show_bug.cgi?id=108628

        Reviewed by Beth Dakin.

        * runtime/PrototypeMap.h:
        (JSC::PrototypeMap::isPrototype): Use TriState instead of boolean. In
        response to review feedback, this is an attempt to clarify that our
        'true' condition is actually just a 'maybe'.

        * runtime/PrototypeMap.h:
        (PrototypeMap):
        (JSC::PrototypeMap::isPrototype):

2013-02-01  Alexis Menard  <alexis@webkit.org>

        Enable unprefixed CSS transitions by default.
        https://bugs.webkit.org/show_bug.cgi?id=108216

        Reviewed by Dean Jackson.

        Rename the flag CSS_TRANSFORMS_ANIMATIONS_TRANSITIONS_UNPREFIXED
        to CSS_TRANSFORMS_ANIMATIONS_UNPREFIXED which will be used later to 
        guard the unprefixing work for CSS Transforms and animations.

        * Configurations/FeatureDefines.xcconfig:

2013-01-31  Filip Pizlo  <fpizlo@apple.com>

        DFG::CFGSimplificationPhase::keepOperandAlive() conflates liveness and availability
        https://bugs.webkit.org/show_bug.cgi?id=108580

        Reviewed by Oliver Hunt.
        
        This is a harmless bug in that it only results in us keeping a bit too many things
        for OSR.  But it's worth fixing so that the code is consistent.

        keepOperandAlive() is called when block A has a branch to blocks B and C, but the
        A->B edge is proven to never be taken and we want to optimize the code to have A
        unconditionally jump to C.  In that case, for the purposes of OSR, we need to
        preserve the knowledge that the state that B expected to be live incoming from A
        ought still to be live up to the point of where the A->B,C branch used to be.  The
        way we keep things alive is by using the variablesAtTail of A (i.e., we use the
        knowledge of in what manner A made state available to B and C).  The way we choose
        which state should be kept alive ought to be chosen by the variablesAtHead of B
        (i.e. the things B says it needs from its predecessors, including A), except that
        keepOperandAlive() was previously just using variablesAtTail of A for this
        purpose.
        
        The fix is to have keepOperandAlive() use both liveness and availability in its
        logic. It should use liveness (i.e. B->variablesAtHead) to decide what to keep
        alive, and it should use availability (i.e. A->variablesAtTail) to decide how to
        keep it alive.
        
        This might be a microscopic win on some programs, but it's mainly intended to be
        a code clean-up so that I don't end up scratching my head in confusion the next
        time I look at this code.

        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
        (JSC::DFG::CFGSimplificationPhase::jettisonBlock):
        (JSC::DFG::CFGSimplificationPhase::mergeBlocks):

2013-01-31  Geoffrey Garen  <ggaren@apple.com>

        REGRESSION (r141192): Crash beneath cti_op_get_by_id_generic @ discussions.apple.com
        https://bugs.webkit.org/show_bug.cgi?id=108576

        Reviewed by Filip Pizlo.

        This was a long-standing bug. The DFG would destructively reuse a register
        in op_convert_this, but:

            * The bug only presented during speculation failure for type Other

            * The bug presented by removing the low bits of a pointer, which
            used to be harmless, since all objects were so aligned anyway.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile): Don't reuse our this register as
        our scratch register. The whole point of our scratch register is to
        avoid destructively modifying our this register. I'm pretty sure this
        was a copy-paste error.

2013-01-31  Roger Fong  <roger_fong@apple.com>

        Unreviewed. Windows build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:

2013-01-31  Jessie Berlin  <jberlin@apple.com>

        Rolling out r141407 because it is causing crashes under
        WTF::TCMalloc_Central_FreeList::FetchFromSpans() in Release builds.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):

2013-01-31  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: JSContext exception property causes reference cycle
        https://bugs.webkit.org/show_bug.cgi?id=107778

        Reviewed by Darin Adler.

        JSContext has a (retain) JSValue * exception property which, when non-null, creates a 
        reference cycle (since the JSValue * holds a strong reference back to the JSContext *).

        * API/JSContext.mm: Instead of JSValue *, we now use a plain JSValueRef, which eliminates the reference cycle.
        (-[JSContext initWithVirtualMachine:]):
        (-[JSContext setException:]):
        (-[JSContext exception]):

2013-01-31  Roger Fong  <roger_fong@apple.com>

        Unreviewed build fix. Win7 port.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:

2013-01-31  Joseph Pecoraro  <pecoraro@apple.com>

        Disable ENABLE_FULLSCREEN_API on iOS
        https://bugs.webkit.org/show_bug.cgi?id=108250

        Reviewed by Benjamin Poulain.

        * Configurations/FeatureDefines.xcconfig:

2013-01-31  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: Fix insertion of values greater than the max index allowed by the spec
        https://bugs.webkit.org/show_bug.cgi?id=108264

        Reviewed by Oliver Hunt.

        Fixed a bug, added a test to the API tests, cleaned up some code.

        * API/JSValue.h: Changed some of the documentation on setValue:atIndex: to indicate that 
        setting values at indices greater than UINT_MAX - 1 wont' affect the length of JS arrays.
        * API/JSValue.mm:
        (-[JSValue valueAtIndex:]): We weren't returning when we should have been.
        (-[JSValue setValue:atIndex:]): Added a comment about why we do the early check for being larger than UINT_MAX.
        (objectToValueWithoutCopy): Removed two redundant cases that were already checked previously.
        * API/tests/testapi.mm:

2013-01-30  Andreas Kling  <akling@apple.com>

        Vector should consult allocator about ideal size when choosing capacity.
        <http://webkit.org/b/108410>
        <rdar://problem/13124002>

        Reviewed by Benjamin Poulain.

        Remove assertion about Vector capacity that won't hold anymore since capacity()
        may not be what you passed to reserveCapacity().

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):

2013-01-30  Filip Pizlo  <fpizlo@apple.com>

        DFG bytecode parser should have more assertions about the status of local accesses
        https://bugs.webkit.org/show_bug.cgi?id=108417

        Reviewed by Mark Hahnenberg.
        
        Assert some things that we already know to be true, just to reassure ourselves that they are true.
        This is meant as a prerequisite for https://bugs.webkit.org/show_bug.cgi?id=108414, which will
        make these rules even stricter.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getLocal):
        (JSC::DFG::ByteCodeParser::getArgument):

2013-01-30  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: JSContext's dealloc causes ASSERT due to ordering of releases
        https://bugs.webkit.org/show_bug.cgi?id=107978

        Reviewed by Filip Pizlo.

        We need to add the Identifier table save/restore in JSContextGroupRelease so that we 
        have the correct table if we end up destroying the JSGlobalData/Heap.

        * API/JSContextRef.cpp:
        (JSContextGroupRelease):

2013-01-30  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: exceptionHandler needs to be released in JSContext dealloc
        https://bugs.webkit.org/show_bug.cgi?id=108378

        Reviewed by Filip Pizlo.

        JSContext has a (copy) exceptionHandler property that it doesn't release in dealloc. 
        That sounds like the potential for a leak. It should be released.

        * API/JSContext.mm:
        (-[JSContext dealloc]):

2013-01-30  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(140504): pure CSE no longer matches things, 10% regression on Kraken
        https://bugs.webkit.org/show_bug.cgi?id=108366

        Reviewed by Geoffrey Garen and Mark Hahnenberg.
        
        This was a longstanding bug that was revealed by http://trac.webkit.org/changeset/140504.
        Pure CSE requires that the Node::flags() that may affect the behavior of a node match,
        when comparing a possibly redundant node to its possible replacement. It was doing this
        by comparing Node::arithNodeFlags(), which as the name might appear to suggest, returns
        just those flag bits that correspond to actual node behavior and not auxiliary things.
        Unfortunately, Node::arithNodeFlags() wasn't actually masking off the irrelevant bits.
        This worked prior to r140504 because CSE itself didn't mutate the flags, so there was a
        very high probability that matching nodes would also have completely identical flag bits
        (even the ones that aren't relevant to arithmetic behavior, like NodeDoesNotExit). But
        r140504 moved one of CSE's side-tables (m_relevantToOSR) into a flag bit for quicker
        access. These bits would be mutated as the CSE ran over a basic block, in such a way that
        there was a very high probability that the possible replacement would already have the
        bit set, while the redundant node did not have the bit set. Since Node::arithNodeFlags()
        returned all of the bits, this would cause CSEPhase::pureCSE() to reject the match
        almost every time.
        
        The solution is to make Node::arithNodeFlags() do as its name suggests: only return those
        flags that are relevant to arithmetic behavior. This patch introduces a new mask that
        represents those bits, and includes NodeBehaviorMask and NodeBackPropMask, which are both
        used for queries on Node::arithNodeFlags(), and both affect arithmetic code gen. None of
        the other flags are relevant to Node::arithNodeFlags() since they either correspond to
        information already conveyed by the opcode (like NodeResultMask, NodeMustGenerate,
        NodeHasVarArgs, NodeClobbersWorld, NodeMightClobber) or information that doesn't affect
        the result that the node will produce or any of the queries performed on the result of
        Node::arithNodeFlags (NodeDoesNotExit and of course NodeRelevantToOSR).
        
        This is a 10% speed-up on Kraken, undoing the regression from r140504.

        * dfg/DFGNode.h:
        (JSC::DFG::Node::arithNodeFlags):
        * dfg/DFGNodeFlags.h:
        (DFG):

2013-01-29  Mark Hahnenberg  <mhahnenberg@apple.com>

        Structure::m_outOfLineCapacity is unnecessary
        https://bugs.webkit.org/show_bug.cgi?id=108206

        Reviewed by Geoffrey Garen.

        We can calculate our out of line capacity by using the outOfLineSize and our knowledge about our resize policy.
        According to GDB, this knocks Structures down from 136 bytes to 128 bytes (I'm guessing the extra bytes are from
        better alignment of object fields), which puts Structures in a smaller size class. Woohoo! Looks neutral on our 
        benchmarks.

        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC):
        (JSC::Structure::suggestedNewOutOfLineStorageCapacity):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::addPropertyWithoutTransition):
        * runtime/Structure.h:
        (Structure):
        (JSC::Structure::outOfLineCapacity):
        (JSC::Structure::totalStorageCapacity):

2013-01-29  Geoffrey Garen  <ggaren@apple.com>

        Be a little more conservative about emitting table-based switches
        https://bugs.webkit.org/show_bug.cgi?id=108292

        Reviewed by Filip Pizlo.

        Profiling shows we're using op_switch in cases where it's a regression.

        * bytecompiler/NodesCodegen.cpp:
        (JSC):
        (JSC::length):
        (JSC::CaseBlockNode::tryTableSwitch):
        (JSC::CaseBlockNode::emitBytecodeForBlock):
        * parser/Nodes.h:
        (CaseBlockNode):

2013-01-29  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r140983.
        http://trac.webkit.org/changeset/140983
        https://bugs.webkit.org/show_bug.cgi?id=108277

        Unfortunately, this API has one last client (Requested by
        abarth on #webkit).

        * Configurations/FeatureDefines.xcconfig:

2013-01-29  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: JSObjCClassInfo creates reference cycle with JSContext
        https://bugs.webkit.org/show_bug.cgi?id=107839

        Reviewed by Geoffrey Garen.

        Fixing several ASSERTs that were incorrect along with some of the reallocation of m_prototype and 
        m_constructor that they were based on.

        * API/JSWrapperMap.mm:
        (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]): We now only allocate those
        fields that are null (i.e. have been collected or have never been allocated to begin with).
        (-[JSObjCClassInfo reallocateConstructorAndOrPrototype]): Renamed to better indicate that we're 
        reallocating one or both of the prototype/constructor combo.
        (-[JSObjCClassInfo wrapperForObject:]): Call new reallocate function.
        (-[JSObjCClassInfo constructor]): Ditto.

2013-01-29  Geoffrey Garen  <ggaren@apple.com>

        Make precise size classes more precise
        https://bugs.webkit.org/show_bug.cgi?id=108270

        Reviewed by Mark Hahnenberg.

        Size inference makes this profitable.

        I chose 8 byte increments because JSString is 24 bytes. Otherwise, 16
        byte increments might be better.

        * heap/Heap.h:
        (Heap): Removed firstAllocatorWithoutDestructors because it's unused now.

        * heap/MarkedBlock.h:
        (MarkedBlock): Updated constants.

        * heap/MarkedSpace.h:
        (MarkedSpace):
        (JSC): Also reduced the maximum precise size class because my testing
        has shown that the smaller size classes are much more common. This
        offsets some of the size class explosion caused by reducing the precise
        increment.

        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions): No need for this ASSERT anymore
        because we don't rely on firstAllocatorWithoutDestructors anymore, since
        we pick size classes dynamically now.

2013-01-29  Oliver Hunt  <oliver@apple.com>

        Add some hardening to methodTable()
        https://bugs.webkit.org/show_bug.cgi?id=108253

        Reviewed by Mark Hahnenberg.

        When accessing methodTable() we now always make sure that our
        structure _could_ be valid.  Added a separate method to get a
        classes methodTable during destruction as it's not possible to
        validate the structure at that point.  This separation might
        also make it possible to improve the performance of methodTable
        access more generally in future.

        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::callDestructor):
        * runtime/JSCell.h:
        (JSCell):
        * runtime/JSCellInlines.h:
        (JSC::JSCell::methodTableForDestruction):
        (JSC):
        (JSC::JSCell::methodTable):

2013-01-29  Filip Pizlo  <fpizlo@apple.com>

        offlineasm BaseIndex handling is broken on ARM due to MIPS changes
        https://bugs.webkit.org/show_bug.cgi?id=108261

        Reviewed by Oliver Hunt.
        
        Backends shouldn't override each other's methods. That's not cool.

        * offlineasm/mips.rb:

2013-01-29  Filip Pizlo  <fpizlo@apple.com>

        cloop.rb shouldn't use a method called 'dump' for code generation
        https://bugs.webkit.org/show_bug.cgi?id=108251

        Reviewed by Mark Hahnenberg.
        
        Revert http://trac.webkit.org/changeset/141178 and rename 'dump' to 'clDump'.
        
        Also made trivial build fixes for !ENABLE(JIT).

        * offlineasm/cloop.rb:
        * runtime/Executable.h:
        (ExecutableBase):
        (JSC::ExecutableBase::intrinsicFor):
        * runtime/JSGlobalData.h:

2013-01-29  Geoffrey Garen  <ggaren@apple.com>

        Removed GGC because it has been disabled for a long time
        https://bugs.webkit.org/show_bug.cgi?id=108245

        Reviewed by Filip Pizlo.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::emitPutReplaceStub):
        (JSC::DFG::emitPutTransitionStub):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * heap/CardSet.h: Removed.
        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        (JSC::Heap::collect):
        * heap/Heap.h:
        (Heap):
        (JSC::Heap::shouldCollect):
        (JSC::Heap::isWriteBarrierEnabled):
        (JSC):
        (JSC::Heap::writeBarrier):
        * heap/MarkedBlock.h:
        (MarkedBlock):
        (JSC):
        * heap/MarkedSpace.cpp:
        (JSC):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitWriteBarrier):

2013-01-29  Filip Pizlo  <fpizlo@apple.com>

        Remove redundant AST dump method from cloop.rb, since they are already defined in ast.rb
        https://bugs.webkit.org/show_bug.cgi?id=108247

        Reviewed by Oliver Hunt.
        
        Makes offlineasm dumping easier to read and less likely to cause assertion failures.
        Also fixes the strange situation where cloop.rb and ast.rb both defined dump methods,
        but cloop.rb was winning.

        * offlineasm/cloop.rb:

2013-01-29  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: JSObjCClassInfo creates reference cycle with JSContext
        https://bugs.webkit.org/show_bug.cgi?id=107839

        Reviewed by Oliver Hunt.

        JSContext has a JSWrapperMap, which has an NSMutableDictionary m_classMap, which has values that 
        are JSObjCClassInfo objects, which have strong references to two JSValue *'s, m_prototype and 
        m_constructor, which in turn have strong references to the JSContext, creating a reference cycle. 
        We should make m_prototype and m_constructor Weak<JSObject>. This gets rid of the strong reference 
        to the JSContext and also prevents clients from accidentally creating reference cycles by assigning 
        to the prototype of the constructor. If Weak<JSObject> fields are ever garbage collected, we will 
        reallocate them.

        * API/JSContext.mm:
        (-[JSContext wrapperMap]):
        * API/JSContextInternal.h:
        * API/JSWrapperMap.mm:
        (-[JSObjCClassInfo initWithContext:forClass:superClassInfo:]):
        (-[JSObjCClassInfo dealloc]):
        (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]):
        (-[JSObjCClassInfo allocateConstructorAndPrototype]):
        (-[JSObjCClassInfo wrapperForObject:]):
        (-[JSObjCClassInfo constructor]):

2013-01-29  Oliver Hunt  <oliver@apple.com>

        REGRESSION (r140594): RELEASE_ASSERT_NOT_REACHED in JSC::Interpreter::execute
        https://bugs.webkit.org/show_bug.cgi?id=108097

        Reviewed by Geoffrey Garen.

        LiteralParser was accepting a bogus 'var a.b = c' statement

        * runtime/LiteralParser.cpp:
        (JSC::::tryJSONPParse):

2013-01-29  Oliver Hunt  <oliver@apple.com>

        Force debug builds to do bounds checks on contiguous property storage
        https://bugs.webkit.org/show_bug.cgi?id=108212

        Reviewed by Mark Hahnenberg.

        Add a ContiguousData type that we use to represent contiguous property
        storage.  In release builds it is simply a pointer to the correct type,
        but in debug builds it also carries the data length and performs bounds
        checks.  This means we don't have to add as many manual bounds assertions
        when performing operations over contiguous data.

        * dfg/DFGOperations.cpp:
        * runtime/ArrayStorage.h:
        (ArrayStorage):
        (JSC::ArrayStorage::vector):
        * runtime/Butterfly.h:
        (JSC::ContiguousData::ContiguousData):
        (ContiguousData):
        (JSC::ContiguousData::operator[]):
        (JSC::ContiguousData::data):
        (JSC::ContiguousData::length):
        (JSC):
        (JSC::Butterfly::contiguousInt32):
        (Butterfly):
        (JSC::Butterfly::contiguousDouble):
        (JSC::Butterfly::contiguous):
        * runtime/JSArray.cpp:
        (JSC::JSArray::sortNumericVector):
        (ContiguousTypeAccessor):
        (JSC::ContiguousTypeAccessor::getAsValue):
        (JSC::ContiguousTypeAccessor::setWithValue):
        (JSC::ContiguousTypeAccessor::replaceDataReference):
        (JSC):
        (JSC::JSArray::sortCompactedVector):
        (JSC::JSArray::sort):
        (JSC::JSArray::fillArgList):
        (JSC::JSArray::copyToArguments):
        * runtime/JSArray.h:
        (JSArray):
        * runtime/JSObject.cpp:
        (JSC::JSObject::copyButterfly):
        (JSC::JSObject::visitButterfly):
        (JSC::JSObject::createInitialInt32):
        (JSC::JSObject::createInitialDouble):
        (JSC::JSObject::createInitialContiguous):
        (JSC::JSObject::convertUndecidedToInt32):
        (JSC::JSObject::convertUndecidedToDouble):
        (JSC::JSObject::convertUndecidedToContiguous):
        (JSC::JSObject::convertInt32ToDouble):
        (JSC::JSObject::convertInt32ToContiguous):
        (JSC::JSObject::genericConvertDoubleToContiguous):
        (JSC::JSObject::convertDoubleToContiguous):
        (JSC::JSObject::rageConvertDoubleToContiguous):
        (JSC::JSObject::ensureInt32Slow):
        (JSC::JSObject::ensureDoubleSlow):
        (JSC::JSObject::ensureContiguousSlow):
        (JSC::JSObject::rageEnsureContiguousSlow):
        (JSC::JSObject::ensureLengthSlow):
        * runtime/JSObject.h:
        (JSC::JSObject::ensureInt32):
        (JSC::JSObject::ensureDouble):
        (JSC::JSObject::ensureContiguous):
        (JSC::JSObject::rageEnsureContiguous):
        (JSObject):
        (JSC::JSObject::indexingData):
        (JSC::JSObject::currentIndexingData):

2013-01-29  Brent Fulgham  <bfulgham@webkit.org>

        [Windows, WinCairo] Unreviewed build fix after r141050

        * JavaScriptCore.vcxproj/JavaScriptCoreExports.def: Update symbols
        to match JavaScriptCore.vcproj version.

2013-01-29  Allan Sandfeld Jensen  <allan.jensen@digia.com>

        [Qt] Implement GCActivityCallback
        https://bugs.webkit.org/show_bug.cgi?id=103998

        Reviewed by Simon Hausmann.

        Implements the activity triggered garbage collector.

        * runtime/GCActivityCallback.cpp:
        (JSC::DefaultGCActivityCallback::DefaultGCActivityCallback):
        (JSC::DefaultGCActivityCallback::scheduleTimer):
        (JSC::DefaultGCActivityCallback::cancelTimer):
        * runtime/GCActivityCallback.h:
        (GCActivityCallback):
        (DefaultGCActivityCallback):

2013-01-29  Mikhail Pozdnyakov  <mikhail.pozdnyakov@intel.com>

        Compilation warning in JSC
        https://bugs.webkit.org/show_bug.cgi?id=108178

        Reviewed by Kentaro Hara.

        Fixed 'comparison between signed and unsigned integer' warning in JSC::Structure constructor.

        * runtime/Structure.cpp:
        (JSC::Structure::Structure):

2013-01-29  Jocelyn Turcotte  <jocelyn.turcotte@digia.com>

        [Qt] Fix the JSC build on Mac

        Unreviewed, build fix.

        * heap/HeapTimer.h:
        Qt on Mac has USE(CF) true, and should use the CF HeapTimer in that case.

2013-01-29  Allan Sandfeld Jensen  <allan.jensen@digia.com>

        [Qt] Implement IncrementalSweeper and HeapTimer
        https://bugs.webkit.org/show_bug.cgi?id=103996

        Reviewed by Simon Hausmann.

        Implements the incremental sweeping garbage collection for the Qt platform.

        * heap/HeapTimer.cpp:
        (JSC::HeapTimer::HeapTimer):
        (JSC::HeapTimer::~HeapTimer):
        (JSC::HeapTimer::timerEvent):
        (JSC::HeapTimer::synchronize):
        (JSC::HeapTimer::invalidate):
        (JSC::HeapTimer::didStartVMShutdown):
        * heap/HeapTimer.h:
        (HeapTimer):
        * heap/IncrementalSweeper.cpp:
        (JSC::IncrementalSweeper::IncrementalSweeper):
        (JSC::IncrementalSweeper::scheduleTimer):
        * heap/IncrementalSweeper.h:
        (IncrementalSweeper):

2013-01-28  Filip Pizlo  <fpizlo@apple.com>

        DFG should not use a graph that is a vector, Nodes shouldn't move after allocation, and we should always refer to nodes by Node*
        https://bugs.webkit.org/show_bug.cgi?id=106868

        Reviewed by Oliver Hunt.
        
        This adds a pool allocator for Nodes, and uses that instead of a Vector. Changes all
        uses of Node& and NodeIndex to be simply Node*. Nodes no longer have an index except
        for debugging (Node::index(), which is not guaranteed to be O(1)).
        
        1% speed-up on SunSpider, presumably because this improves compile times.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/DataFormat.h:
        (JSC::dataFormatToString):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::initialize):
        (JSC::DFG::AbstractState::booleanResult):
        (JSC::DFG::AbstractState::execute):
        (JSC::DFG::AbstractState::mergeStateAtTail):
        (JSC::DFG::AbstractState::mergeToSuccessors):
        (JSC::DFG::AbstractState::mergeVariableBetweenBlocks):
        (JSC::DFG::AbstractState::dump):
        * dfg/DFGAbstractState.h:
        (DFG):
        (JSC::DFG::AbstractState::forNode):
        (AbstractState):
        (JSC::DFG::AbstractState::speculateInt32Unary):
        (JSC::DFG::AbstractState::speculateNumberUnary):
        (JSC::DFG::AbstractState::speculateBooleanUnary):
        (JSC::DFG::AbstractState::speculateInt32Binary):
        (JSC::DFG::AbstractState::speculateNumberBinary):
        (JSC::DFG::AbstractState::trySetConstant):
        * dfg/DFGAbstractValue.h:
        (AbstractValue):
        * dfg/DFGAdjacencyList.h:
        (JSC::DFG::AdjacencyList::AdjacencyList):
        (JSC::DFG::AdjacencyList::initialize):
        * dfg/DFGAllocator.h: Added.
        (DFG):
        (Allocator):
        (JSC::DFG::Allocator::Region::size):
        (JSC::DFG::Allocator::Region::headerSize):
        (JSC::DFG::Allocator::Region::numberOfThingsPerRegion):
        (JSC::DFG::Allocator::Region::data):
        (JSC::DFG::Allocator::Region::isInThisRegion):
        (JSC::DFG::Allocator::Region::regionFor):
        (Region):
        (JSC::DFG::::Allocator):
        (JSC::DFG::::~Allocator):
        (JSC::DFG::::allocate):
        (JSC::DFG::::free):
        (JSC::DFG::::freeAll):
        (JSC::DFG::::reset):
        (JSC::DFG::::indexOf):
        (JSC::DFG::::allocatorOf):
        (JSC::DFG::::bumpAllocate):
        (JSC::DFG::::freeListAllocate):
        (JSC::DFG::::allocateSlow):
        (JSC::DFG::::freeRegionsStartingAt):
        (JSC::DFG::::startBumpingIn):
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        (JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUse):
        (JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUses):
        (JSC::DFG::ArgumentsSimplificationPhase::observeProperArgumentsUse):
        (JSC::DFG::ArgumentsSimplificationPhase::isOKToOptimize):
        (JSC::DFG::ArgumentsSimplificationPhase::removeArgumentsReferencingPhantomChild):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::originalArrayStructure):
        (JSC::DFG::ArrayMode::alreadyChecked):
        * dfg/DFGArrayMode.h:
        (ArrayMode):
        * dfg/DFGArrayifySlowPathGenerator.h:
        (JSC::DFG::ArrayifySlowPathGenerator::ArrayifySlowPathGenerator):
        * dfg/DFGBasicBlock.h:
        (JSC::DFG::BasicBlock::node):
        (JSC::DFG::BasicBlock::isInPhis):
        (JSC::DFG::BasicBlock::isInBlock):
        (BasicBlock):
        * dfg/DFGBasicBlockInlines.h:
        (DFG):
        * dfg/DFGByteCodeParser.cpp:
        (ByteCodeParser):
        (JSC::DFG::ByteCodeParser::getDirect):
        (JSC::DFG::ByteCodeParser::get):
        (JSC::DFG::ByteCodeParser::setDirect):
        (JSC::DFG::ByteCodeParser::set):
        (JSC::DFG::ByteCodeParser::setPair):
        (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
        (JSC::DFG::ByteCodeParser::getLocal):
        (JSC::DFG::ByteCodeParser::setLocal):
        (JSC::DFG::ByteCodeParser::getArgument):
        (JSC::DFG::ByteCodeParser::setArgument):
        (JSC::DFG::ByteCodeParser::flushDirect):
        (JSC::DFG::ByteCodeParser::getToInt32):
        (JSC::DFG::ByteCodeParser::toInt32):
        (JSC::DFG::ByteCodeParser::getJSConstantForValue):
        (JSC::DFG::ByteCodeParser::getJSConstant):
        (JSC::DFG::ByteCodeParser::getCallee):
        (JSC::DFG::ByteCodeParser::getThis):
        (JSC::DFG::ByteCodeParser::setThis):
        (JSC::DFG::ByteCodeParser::isJSConstant):
        (JSC::DFG::ByteCodeParser::isInt32Constant):
        (JSC::DFG::ByteCodeParser::valueOfJSConstant):
        (JSC::DFG::ByteCodeParser::valueOfInt32Constant):
        (JSC::DFG::ByteCodeParser::constantUndefined):
        (JSC::DFG::ByteCodeParser::constantNull):
        (JSC::DFG::ByteCodeParser::one):
        (JSC::DFG::ByteCodeParser::constantNaN):
        (JSC::DFG::ByteCodeParser::cellConstant):
        (JSC::DFG::ByteCodeParser::addToGraph):
        (JSC::DFG::ByteCodeParser::insertPhiNode):
        (JSC::DFG::ByteCodeParser::addVarArgChild):
        (JSC::DFG::ByteCodeParser::addCall):
        (JSC::DFG::ByteCodeParser::addStructureTransitionCheck):
        (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
        (JSC::DFG::ByteCodeParser::getPrediction):
        (JSC::DFG::ByteCodeParser::getArrayModeAndEmitChecks):
        (JSC::DFG::ByteCodeParser::makeSafe):
        (JSC::DFG::ByteCodeParser::makeDivSafe):
        (JSC::DFG::ByteCodeParser::ConstantRecord::ConstantRecord):
        (ConstantRecord):
        (JSC::DFG::ByteCodeParser::PhiStackEntry::PhiStackEntry):
        (PhiStackEntry):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::emitFunctionChecks):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::setIntrinsicResult):
        (JSC::DFG::ByteCodeParser::handleMinMax):
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        (JSC::DFG::ByteCodeParser::handleGetByOffset):
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::getScope):
        (JSC::DFG::ByteCodeParser::parseResolveOperations):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::processPhiStack):
        (JSC::DFG::ByteCodeParser::linkBlock):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::performBlockCFA):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::run):
        (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
        (JSC::DFG::CFGSimplificationPhase::fixPossibleGetLocal):
        (JSC::DFG::CFGSimplificationPhase::fixPhis):
        (JSC::DFG::CFGSimplificationPhase::removePotentiallyDeadPhiReference):
        (JSC::DFG::CFGSimplificationPhase::OperandSubstitution::OperandSubstitution):
        (JSC::DFG::CFGSimplificationPhase::OperandSubstitution::dump):
        (OperandSubstitution):
        (JSC::DFG::CFGSimplificationPhase::skipGetLocal):
        (JSC::DFG::CFGSimplificationPhase::recordNewTarget):
        (JSC::DFG::CFGSimplificationPhase::fixTailOperand):
        (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::canonicalize):
        (JSC::DFG::CSEPhase::endIndexForPureCSE):
        (JSC::DFG::CSEPhase::pureCSE):
        (JSC::DFG::CSEPhase::constantCSE):
        (JSC::DFG::CSEPhase::weakConstantCSE):
        (JSC::DFG::CSEPhase::getCalleeLoadElimination):
        (JSC::DFG::CSEPhase::getArrayLengthElimination):
        (JSC::DFG::CSEPhase::globalVarLoadElimination):
        (JSC::DFG::CSEPhase::scopedVarLoadElimination):
        (JSC::DFG::CSEPhase::globalVarWatchpointElimination):
        (JSC::DFG::CSEPhase::globalVarStoreElimination):
        (JSC::DFG::CSEPhase::scopedVarStoreElimination):
        (JSC::DFG::CSEPhase::getByValLoadElimination):
        (JSC::DFG::CSEPhase::checkFunctionElimination):
        (JSC::DFG::CSEPhase::checkExecutableElimination):
        (JSC::DFG::CSEPhase::checkStructureElimination):
        (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
        (JSC::DFG::CSEPhase::putStructureStoreElimination):
        (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
        (JSC::DFG::CSEPhase::putByOffsetStoreElimination):
        (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::checkArrayElimination):
        (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::getMyScopeLoadElimination):
        (JSC::DFG::CSEPhase::getLocalLoadElimination):
        (JSC::DFG::CSEPhase::setLocalStoreElimination):
        (JSC::DFG::CSEPhase::performSubstitution):
        (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren):
        (JSC::DFG::CSEPhase::setReplacement):
        (JSC::DFG::CSEPhase::eliminate):
        (JSC::DFG::CSEPhase::performNodeCSE):
        (JSC::DFG::CSEPhase::performBlockCSE):
        (CSEPhase):
        * dfg/DFGCommon.cpp: Added.
        (DFG):
        (JSC::DFG::NodePointerTraits::dump):
        * dfg/DFGCommon.h:
        (DFG):
        (JSC::DFG::NodePointerTraits::defaultValue):
        (NodePointerTraits):
        (JSC::DFG::verboseCompilationEnabled):
        (JSC::DFG::shouldDumpGraphAtEachPhase):
        (JSC::DFG::validationEnabled):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        (JSC::DFG::ConstantFoldingPhase::isCapturedAtOrAfter):
        (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
        (JSC::DFG::ConstantFoldingPhase::paintUnreachableCode):
        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::Disassembler):
        (JSC::DFG::Disassembler::createDumpList):
        (JSC::DFG::Disassembler::dumpDisassembly):
        * dfg/DFGDisassembler.h:
        (JSC::DFG::Disassembler::setForNode):
        (Disassembler):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGEdge.cpp: Added.
        (DFG):
        (JSC::DFG::Edge::dump):
        * dfg/DFGEdge.h:
        (JSC::DFG::Edge::Edge):
        (JSC::DFG::Edge::node):
        (JSC::DFG::Edge::operator*):
        (JSC::DFG::Edge::operator->):
        (Edge):
        (JSC::DFG::Edge::setNode):
        (JSC::DFG::Edge::useKind):
        (JSC::DFG::Edge::setUseKind):
        (JSC::DFG::Edge::isSet):
        (JSC::DFG::Edge::shift):
        (JSC::DFG::Edge::makeWord):
        (JSC::DFG::operator==):
        (JSC::DFG::operator!=):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupBlock):
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::checkArray):
        (JSC::DFG::FixupPhase::blessArrayOperation):
        (JSC::DFG::FixupPhase::fixIntEdge):
        (JSC::DFG::FixupPhase::fixDoubleEdge):
        (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
        (FixupPhase):
        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::GenerationInfo::GenerationInfo):
        (JSC::DFG::GenerationInfo::initConstant):
        (JSC::DFG::GenerationInfo::initInteger):
        (JSC::DFG::GenerationInfo::initJSValue):
        (JSC::DFG::GenerationInfo::initCell):
        (JSC::DFG::GenerationInfo::initBoolean):
        (JSC::DFG::GenerationInfo::initDouble):
        (JSC::DFG::GenerationInfo::initStorage):
        (GenerationInfo):
        (JSC::DFG::GenerationInfo::node):
        (JSC::DFG::GenerationInfo::noticeOSRBirth):
        (JSC::DFG::GenerationInfo::use):
        (JSC::DFG::GenerationInfo::appendFill):
        (JSC::DFG::GenerationInfo::appendSpill):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        (JSC::DFG::Graph::~Graph):
        (DFG):
        (JSC::DFG::Graph::dumpCodeOrigin):
        (JSC::DFG::Graph::amountOfNodeWhiteSpace):
        (JSC::DFG::Graph::printNodeWhiteSpace):
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::dumpBlockHeader):
        (JSC::DFG::Graph::refChildren):
        (JSC::DFG::Graph::derefChildren):
        (JSC::DFG::Graph::predictArgumentTypes):
        (JSC::DFG::Graph::collectGarbage):
        (JSC::DFG::Graph::determineReachability):
        (JSC::DFG::Graph::resetExitStates):
        * dfg/DFGGraph.h:
        (Graph):
        (JSC::DFG::Graph::ref):
        (JSC::DFG::Graph::deref):
        (JSC::DFG::Graph::changeChild):
        (JSC::DFG::Graph::compareAndSwap):
        (JSC::DFG::Graph::clearAndDerefChild):
        (JSC::DFG::Graph::clearAndDerefChild1):
        (JSC::DFG::Graph::clearAndDerefChild2):
        (JSC::DFG::Graph::clearAndDerefChild3):
        (JSC::DFG::Graph::convertToConstant):
        (JSC::DFG::Graph::getJSConstantSpeculation):
        (JSC::DFG::Graph::addSpeculationMode):
        (JSC::DFG::Graph::valueAddSpeculationMode):
        (JSC::DFG::Graph::arithAddSpeculationMode):
        (JSC::DFG::Graph::addShouldSpeculateInteger):
        (JSC::DFG::Graph::mulShouldSpeculateInteger):
        (JSC::DFG::Graph::negateShouldSpeculateInteger):
        (JSC::DFG::Graph::isConstant):
        (JSC::DFG::Graph::isJSConstant):
        (JSC::DFG::Graph::isInt32Constant):
        (JSC::DFG::Graph::isDoubleConstant):
        (JSC::DFG::Graph::isNumberConstant):
        (JSC::DFG::Graph::isBooleanConstant):
        (JSC::DFG::Graph::isCellConstant):
        (JSC::DFG::Graph::isFunctionConstant):
        (JSC::DFG::Graph::isInternalFunctionConstant):
        (JSC::DFG::Graph::valueOfJSConstant):
        (JSC::DFG::Graph::valueOfInt32Constant):
        (JSC::DFG::Graph::valueOfNumberConstant):
        (JSC::DFG::Graph::valueOfBooleanConstant):
        (JSC::DFG::Graph::valueOfFunctionConstant):
        (JSC::DFG::Graph::valueProfileFor):
        (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
        (JSC::DFG::Graph::numSuccessors):
        (JSC::DFG::Graph::successor):
        (JSC::DFG::Graph::successorForCondition):
        (JSC::DFG::Graph::isPredictedNumerical):
        (JSC::DFG::Graph::byValIsPure):
        (JSC::DFG::Graph::clobbersWorld):
        (JSC::DFG::Graph::varArgNumChildren):
        (JSC::DFG::Graph::numChildren):
        (JSC::DFG::Graph::varArgChild):
        (JSC::DFG::Graph::child):
        (JSC::DFG::Graph::voteNode):
        (JSC::DFG::Graph::voteChildren):
        (JSC::DFG::Graph::substitute):
        (JSC::DFG::Graph::substituteGetLocal):
        (JSC::DFG::Graph::addImmediateShouldSpeculateInteger):
        (JSC::DFG::Graph::mulImmediateShouldSpeculateInteger):
        * dfg/DFGInsertionSet.h:
        (JSC::DFG::Insertion::Insertion):
        (JSC::DFG::Insertion::element):
        (Insertion):
        (JSC::DFG::InsertionSet::insert):
        (InsertionSet):
        * dfg/DFGJITCompiler.cpp:
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::setForNode):
        (JSC::DFG::JITCompiler::addressOfDoubleConstant):
        (JSC::DFG::JITCompiler::noticeOSREntry):
        * dfg/DFGLongLivedState.cpp: Added.
        (DFG):
        (JSC::DFG::LongLivedState::LongLivedState):
        (JSC::DFG::LongLivedState::~LongLivedState):
        (JSC::DFG::LongLivedState::shrinkToFit):
        * dfg/DFGLongLivedState.h: Added.
        (DFG):
        (LongLivedState):
        * dfg/DFGMinifiedID.h:
        (JSC::DFG::MinifiedID::MinifiedID):
        (JSC::DFG::MinifiedID::node):
        * dfg/DFGMinifiedNode.cpp:
        (JSC::DFG::MinifiedNode::fromNode):
        * dfg/DFGMinifiedNode.h:
        (MinifiedNode):
        * dfg/DFGNode.cpp: Added.
        (DFG):
        (JSC::DFG::Node::index):
        (WTF):
        (WTF::printInternal):
        * dfg/DFGNode.h:
        (DFG):
        (JSC::DFG::Node::Node):
        (Node):
        (JSC::DFG::Node::convertToGetByOffset):
        (JSC::DFG::Node::convertToPutByOffset):
        (JSC::DFG::Node::ref):
        (JSC::DFG::Node::shouldSpeculateInteger):
        (JSC::DFG::Node::shouldSpeculateIntegerForArithmetic):
        (JSC::DFG::Node::shouldSpeculateIntegerExpectingDefined):
        (JSC::DFG::Node::shouldSpeculateDoubleForArithmetic):
        (JSC::DFG::Node::shouldSpeculateNumber):
        (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined):
        (JSC::DFG::Node::shouldSpeculateFinalObject):
        (JSC::DFG::Node::shouldSpeculateArray):
        (JSC::DFG::Node::dumpChildren):
        (WTF):
        * dfg/DFGNodeAllocator.h: Added.
        (DFG):
        (operator new ):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::OSRExit):
        * dfg/DFGOSRExit.h:
        (OSRExit):
        (SpeculationFailureDebugInfo):
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOperations.cpp:
        * dfg/DFGPhase.cpp:
        (DFG):
        (JSC::DFG::Phase::beginPhase):
        (JSC::DFG::Phase::endPhase):
        * dfg/DFGPhase.h:
        (Phase):
        (JSC::DFG::runAndLog):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::setPrediction):
        (JSC::DFG::PredictionPropagationPhase::mergePrediction):
        (JSC::DFG::PredictionPropagationPhase::isNotNegZero):
        (JSC::DFG::PredictionPropagationPhase::isNotZero):
        (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwoForConstant):
        (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwoNonRecursive):
        (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwo):
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::mergeDefaultFlags):
        (JSC::DFG::PredictionPropagationPhase::propagateForward):
        (JSC::DFG::PredictionPropagationPhase::propagateBackward):
        (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
        (PredictionPropagationPhase):
        (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
        * dfg/DFGScoreBoard.h:
        (JSC::DFG::ScoreBoard::ScoreBoard):
        (JSC::DFG::ScoreBoard::use):
        (JSC::DFG::ScoreBoard::useIfHasResult):
        (ScoreBoard):
        * dfg/DFGSilentRegisterSavePlan.h:
        (JSC::DFG::SilentRegisterSavePlan::SilentRegisterSavePlan):
        (JSC::DFG::SilentRegisterSavePlan::node):
        (SilentRegisterSavePlan):
        * dfg/DFGSlowPathGenerator.h:
        (JSC::DFG::SlowPathGenerator::SlowPathGenerator):
        (JSC::DFG::SlowPathGenerator::generate):
        (SlowPathGenerator):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::speculationCheck):
        (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
        (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
        (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck):
        (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
        (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
        (JSC::DFG::SpeculativeJIT::silentSavePlanForFPR):
        (JSC::DFG::SpeculativeJIT::silentSpill):
        (JSC::DFG::SpeculativeJIT::silentFill):
        (JSC::DFG::SpeculativeJIT::checkArray):
        (JSC::DFG::SpeculativeJIT::arrayify):
        (JSC::DFG::SpeculativeJIT::fillStorage):
        (JSC::DFG::SpeculativeJIT::useChildren):
        (JSC::DFG::SpeculativeJIT::isStrictInt32):
        (JSC::DFG::SpeculativeJIT::isKnownInteger):
        (JSC::DFG::SpeculativeJIT::isKnownNumeric):
        (JSC::DFG::SpeculativeJIT::isKnownCell):
        (JSC::DFG::SpeculativeJIT::isKnownNotCell):
        (JSC::DFG::SpeculativeJIT::isKnownNotInteger):
        (JSC::DFG::SpeculativeJIT::isKnownNotNumber):
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeCompare):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeStrictEq):
        (JSC::DFG::GPRTemporary::GPRTemporary):
        (JSC::DFG::FPRTemporary::FPRTemporary):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::noticeOSRBirth):
        (JSC::DFG::SpeculativeJIT::compileMovHint):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
        (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
        (JSC::DFG::SpeculativeJIT::compileDoubleAsInt32):
        (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
        (JSC::DFG::SpeculativeJIT::compileInstanceOf):
        (JSC::DFG::SpeculativeJIT::compileSoftModulo):
        (JSC::DFG::SpeculativeJIT::compileAdd):
        (JSC::DFG::SpeculativeJIT::compileArithSub):
        (JSC::DFG::SpeculativeJIT::compileArithNegate):
        (JSC::DFG::SpeculativeJIT::compileArithMul):
        (JSC::DFG::SpeculativeJIT::compileIntegerArithDivForX86):
        (JSC::DFG::SpeculativeJIT::compileArithMod):
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
        (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength):
        (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
        (JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck):
        (JSC::DFG::SpeculativeJIT::compileNewFunctionExpression):
        (JSC::DFG::SpeculativeJIT::compileRegExpExec):
        (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::canReuse):
        (JSC::DFG::SpeculativeJIT::isFilled):
        (JSC::DFG::SpeculativeJIT::isFilledDouble):
        (JSC::DFG::SpeculativeJIT::use):
        (JSC::DFG::SpeculativeJIT::isConstant):
        (JSC::DFG::SpeculativeJIT::isJSConstant):
        (JSC::DFG::SpeculativeJIT::isInt32Constant):
        (JSC::DFG::SpeculativeJIT::isDoubleConstant):
        (JSC::DFG::SpeculativeJIT::isNumberConstant):
        (JSC::DFG::SpeculativeJIT::isBooleanConstant):
        (JSC::DFG::SpeculativeJIT::isFunctionConstant):
        (JSC::DFG::SpeculativeJIT::valueOfInt32Constant):
        (JSC::DFG::SpeculativeJIT::valueOfNumberConstant):
        (JSC::DFG::SpeculativeJIT::valueOfNumberConstantAsInt32):
        (JSC::DFG::SpeculativeJIT::addressOfDoubleConstant):
        (JSC::DFG::SpeculativeJIT::valueOfJSConstant):
        (JSC::DFG::SpeculativeJIT::valueOfBooleanConstant):
        (JSC::DFG::SpeculativeJIT::valueOfFunctionConstant):
        (JSC::DFG::SpeculativeJIT::isNullConstant):
        (JSC::DFG::SpeculativeJIT::valueOfJSConstantAsImm64):
        (JSC::DFG::SpeculativeJIT::detectPeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::integerResult):
        (JSC::DFG::SpeculativeJIT::noResult):
        (JSC::DFG::SpeculativeJIT::cellResult):
        (JSC::DFG::SpeculativeJIT::booleanResult):
        (JSC::DFG::SpeculativeJIT::jsValueResult):
        (JSC::DFG::SpeculativeJIT::storageResult):
        (JSC::DFG::SpeculativeJIT::doubleResult):
        (JSC::DFG::SpeculativeJIT::initConstantInfo):
        (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheck):
        (JSC::DFG::SpeculativeJIT::isInteger):
        (JSC::DFG::SpeculativeJIT::temporaryRegisterForPutByVal):
        (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage):
        (JSC::DFG::SpeculativeJIT::setNodeForOperand):
        (JSC::DFG::IntegerOperand::IntegerOperand):
        (JSC::DFG::IntegerOperand::node):
        (JSC::DFG::IntegerOperand::gpr):
        (JSC::DFG::IntegerOperand::use):
        (IntegerOperand):
        (JSC::DFG::DoubleOperand::DoubleOperand):
        (JSC::DFG::DoubleOperand::node):
        (JSC::DFG::DoubleOperand::fpr):
        (JSC::DFG::DoubleOperand::use):
        (DoubleOperand):
        (JSC::DFG::JSValueOperand::JSValueOperand):
        (JSC::DFG::JSValueOperand::node):
        (JSC::DFG::JSValueOperand::gpr):
        (JSC::DFG::JSValueOperand::fill):
        (JSC::DFG::JSValueOperand::use):
        (JSValueOperand):
        (JSC::DFG::StorageOperand::StorageOperand):
        (JSC::DFG::StorageOperand::node):
        (JSC::DFG::StorageOperand::gpr):
        (JSC::DFG::StorageOperand::use):
        (StorageOperand):
        (JSC::DFG::SpeculateIntegerOperand::SpeculateIntegerOperand):
        (JSC::DFG::SpeculateIntegerOperand::node):
        (JSC::DFG::SpeculateIntegerOperand::gpr):
        (JSC::DFG::SpeculateIntegerOperand::use):
        (SpeculateIntegerOperand):
        (JSC::DFG::SpeculateStrictInt32Operand::SpeculateStrictInt32Operand):
        (JSC::DFG::SpeculateStrictInt32Operand::node):
        (JSC::DFG::SpeculateStrictInt32Operand::gpr):
        (JSC::DFG::SpeculateStrictInt32Operand::use):
        (SpeculateStrictInt32Operand):
        (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
        (JSC::DFG::SpeculateDoubleOperand::node):
        (JSC::DFG::SpeculateDoubleOperand::fpr):
        (JSC::DFG::SpeculateDoubleOperand::use):
        (SpeculateDoubleOperand):
        (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand):
        (JSC::DFG::SpeculateCellOperand::node):
        (JSC::DFG::SpeculateCellOperand::gpr):
        (JSC::DFG::SpeculateCellOperand::use):
        (SpeculateCellOperand):
        (JSC::DFG::SpeculateBooleanOperand::SpeculateBooleanOperand):
        (JSC::DFG::SpeculateBooleanOperand::node):
        (JSC::DFG::SpeculateBooleanOperand::gpr):
        (JSC::DFG::SpeculateBooleanOperand::use):
        (SpeculateBooleanOperand):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillInteger):
        (JSC::DFG::SpeculativeJIT::fillDouble):
        (JSC::DFG::SpeculativeJIT::fillJSValue):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToNumber):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToInt32):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeUInt32ToNumber):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt):
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileIntegerCompare):
        (JSC::DFG::SpeculativeJIT::compileDoubleCompare):
        (JSC::DFG::SpeculativeJIT::compileValueAdd):
        (JSC::DFG::SpeculativeJIT::compileNonStringCellOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitNonStringCellOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillInteger):
        (JSC::DFG::SpeculativeJIT::fillDouble):
        (JSC::DFG::SpeculativeJIT::fillJSValue):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToNumber):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToInt32):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeUInt32ToNumber):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt):
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileIntegerCompare):
        (JSC::DFG::SpeculativeJIT::compileDoubleCompare):
        (JSC::DFG::SpeculativeJIT::compileValueAdd):
        (JSC::DFG::SpeculativeJIT::compileNonStringCellOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitNonStringCellOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStructureAbstractValue.h:
        (StructureAbstractValue):
        * dfg/DFGStructureCheckHoistingPhase.cpp:
        (JSC::DFG::StructureCheckHoistingPhase::run):
        * dfg/DFGValidate.cpp:
        (DFG):
        (Validate):
        (JSC::DFG::Validate::validate):
        (JSC::DFG::Validate::reportValidationContext):
        * dfg/DFGValidate.h:
        * dfg/DFGValueSource.cpp:
        (JSC::DFG::ValueSource::dump):
        * dfg/DFGValueSource.h:
        (JSC::DFG::ValueSource::ValueSource):
        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        (JSC::DFG::VirtualRegisterAllocationPhase::run):
        * runtime/FunctionExecutableDump.cpp: Added.
        (JSC):
        (JSC::FunctionExecutableDump::dump):
        * runtime/FunctionExecutableDump.h: Added.
        (JSC):
        (FunctionExecutableDump):
        (JSC::FunctionExecutableDump::FunctionExecutableDump):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSC):
        (DFG):
        (JSGlobalData):
        * runtime/Options.h:
        (JSC):

2013-01-28  Laszlo Gombos  <l.gombos@samsung.com>

        Collapse testing for a list of PLATFORM() into OS() and USE() tests
        https://bugs.webkit.org/show_bug.cgi?id=108018

        Reviewed by Eric Seidel.

        No functional change as "OS(DARWIN) && USE(CF)" equals to the
        following platforms: MAC, WX, QT and CHROMIUM. CHROMIUM
        is not using JavaScriptCore. 

        * runtime/DatePrototype.cpp:
        (JSC):

2013-01-28  Geoffrey Garen  <ggaren@apple.com>

        Static size inference for JavaScript objects
        https://bugs.webkit.org/show_bug.cgi?id=108093

        Reviewed by Phil Pizlo.

        * API/JSObjectRef.cpp:
        * JavaScriptCore.order:
        * JavaScriptCore.xcodeproj/project.pbxproj: Pay the tax man.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode): op_new_object and op_create_this now
        have an extra inferredInlineCapacity argument. This is the statically
        inferred inline capacity, just from analyzing source text. op_new_object
        also gets a pointer to an allocation profile. (For op_create_this, the
        profile is in the construtor function.)

        (JSC::CodeBlock::CodeBlock): Link op_new_object.

        (JSC::CodeBlock::stronglyVisitStrongReferences): Mark our profiles.

        * bytecode/CodeBlock.h:
        (CodeBlock): Removed some dead code. Added object allocation profiles.

        * bytecode/Instruction.h:
        (JSC): New union type, since an instruction operand may point to an
        object allocation profile now.

        * bytecode/ObjectAllocationProfile.h: Added.
        (JSC):
        (ObjectAllocationProfile):
        (JSC::ObjectAllocationProfile::offsetOfAllocator):
        (JSC::ObjectAllocationProfile::offsetOfStructure):
        (JSC::ObjectAllocationProfile::ObjectAllocationProfile):
        (JSC::ObjectAllocationProfile::isNull):
        (JSC::ObjectAllocationProfile::initialize):
        (JSC::ObjectAllocationProfile::structure):
        (JSC::ObjectAllocationProfile::inlineCapacity):
        (JSC::ObjectAllocationProfile::clear):
        (JSC::ObjectAllocationProfile::visitAggregate):
        (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount): New class
        for tracking a prediction about object allocation: structure, inline
        capacity, allocator to use.

        * bytecode/Opcode.h:
        (JSC):
        (JSC::padOpcodeName): Updated instruction sizes.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC):
        (JSC::UnlinkedCodeBlock::addObjectAllocationProfile):
        (JSC::UnlinkedCodeBlock::numberOfObjectAllocationProfiles):
        (UnlinkedCodeBlock): Unlinked support for allocation profiles.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate): Kill all remaining analyses at the
        end of codegen, since this is our last opportunity.

        (JSC::BytecodeGenerator::BytecodeGenerator): Added a static property
        analyzer to bytecode generation. It tracks initializing assignments and
        makes a guess about how many will happen.

        (JSC::BytecodeGenerator::newObjectAllocationProfile):
        (JSC):
        (JSC::BytecodeGenerator::emitProfiledOpcode):
        (JSC::BytecodeGenerator::emitMove):
        (JSC::BytecodeGenerator::emitResolve):
        (JSC::BytecodeGenerator::emitResolveBase):
        (JSC::BytecodeGenerator::emitResolveBaseForPut):
        (JSC::BytecodeGenerator::emitResolveWithBaseForPut):
        (JSC::BytecodeGenerator::emitResolveWithThis):
        (JSC::BytecodeGenerator::emitGetById):
        (JSC::BytecodeGenerator::emitPutById):
        (JSC::BytecodeGenerator::emitDirectPutById):
        (JSC::BytecodeGenerator::emitPutGetterSetter):
        (JSC::BytecodeGenerator::emitGetArgumentByVal):
        (JSC::BytecodeGenerator::emitGetByVal): Added hooks to the static property
        analyzer, so it can observe allocations and stores.

        (JSC::BytecodeGenerator::emitCreateThis): Factored this into a helper
        function because it was a significant amount of logic, and I wanted to
        add to it.

        (JSC::BytecodeGenerator::emitNewObject):
        (JSC::BytecodeGenerator::emitExpectedFunctionSnippet):
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitCallVarargs):
        (JSC::BytecodeGenerator::emitConstruct): Added a hook to profiled opcodes
        to track their stores, in case a store kills a profiled allocation. Since
        profiled opcodes are basically the only interesting stores we do, this
        is a convenient place to notice any store that might kill an allocation.

        * bytecompiler/BytecodeGenerator.h:
        (BytecodeGenerator): As above.

        * bytecompiler/StaticPropertyAnalysis.h: Added.
        (JSC):
        (StaticPropertyAnalysis):
        (JSC::StaticPropertyAnalysis::create):
        (JSC::StaticPropertyAnalysis::addPropertyIndex):
        (JSC::StaticPropertyAnalysis::record):
        (JSC::StaticPropertyAnalysis::propertyIndexCount):
        (JSC::StaticPropertyAnalysis::StaticPropertyAnalysis): Simple helper
        class for tracking allocations and stores.

        * bytecompiler/StaticPropertyAnalyzer.h: Added.
        (StaticPropertyAnalyzer):
        (JSC::StaticPropertyAnalyzer::StaticPropertyAnalyzer):
        (JSC::StaticPropertyAnalyzer::createThis):
        (JSC::StaticPropertyAnalyzer::newObject):
        (JSC::StaticPropertyAnalyzer::putById):
        (JSC::StaticPropertyAnalyzer::mov):
        (JSC::StaticPropertyAnalyzer::kill): Helper class for observing allocations
        and stores and making an inline capacity guess. The heuristics here are
        intentionally minimal because we don't want this one class to try to
        re-create something like a DFG or a runtime analysis. If we discover that
        we need those kinds of analyses, we should just replace this class with
        something else.

        This class tracks multiple registers that alias the same object -- that
        happens a lot, when moving locals into temporary registers -- but it
        doesn't track control flow or multiple objects that alias the same register.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute): Updated for rename.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock): Updated for inline capacity and
        allocation profile.

        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasInlineCapacity):
        (Node):
        (JSC::DFG::Node::inlineCapacity):
        (JSC::DFG::Node::hasFunction): Give the graph a good way to represent
        inline capacity for an allocation.

        * dfg/DFGNodeType.h:
        (DFG): Updated for rename.

        * dfg/DFGOperations.cpp: Updated for interface change.

        * dfg/DFGOperations.h: We pass the inline capacity to the slow case as
        an argument. This is the simplest way, since it's stored as a bytecode operand.

        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate): Updated for rename.

        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryCacheGetByID): Fixed a horrible off-by-one-half bug that only
        appears when doing an inline cached load for property number 64 on a 32-bit
        system. In JSVALUE32_64 land, "offsetRelativeToPatchedStorage" is the
        offset of the 64bit JSValue -- but we'll actually issue two loads, one for
        the payload at that offset, and one for the tag at that offset + 4. We need
        to ensure that both loads have a compact representation, or we'll corrupt
        the instruction stream.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage):
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile): Lots of refactoring to support
        passing an allocator to our allocation function, and/or passing a Structure
        as a register instead of an immediate.

        * heap/MarkedAllocator.h:
        (DFG):
        (MarkedAllocator):
        (JSC::MarkedAllocator::offsetOfFreeListHead): Added an accessor to simplify
        JIT code generation of allocation from an arbitrary allocator.

        * jit/JIT.h:
        (JSC):
        * jit/JITInlines.h:
        (JSC):
        (JSC::JIT::emitAllocateJSObject):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_object):
        (JSC::JIT::emitSlow_op_new_object):
        (JSC::JIT::emit_op_create_this):
        (JSC::JIT::emitSlow_op_create_this):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_new_object):
        (JSC::JIT::emitSlow_op_new_object):
        (JSC::JIT::emit_op_create_this):
        (JSC::JIT::emitSlow_op_create_this): Same refactoring as done for the DFG.

        * jit/JITStubs.cpp:
        (JSC::tryCacheGetByID): Fixed the same bug mentioned above.

        (JSC::DEFINE_STUB_FUNCTION): Updated for interface changes.

        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions): Updated for interface changes.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm: Same refactoring as for the JITs.

        * profiler/ProfilerBytecode.cpp:
        * profiler/ProfilerBytecodes.cpp:
        * profiler/ProfilerCompilation.cpp:
        * profiler/ProfilerCompiledBytecode.cpp:
        * profiler/ProfilerDatabase.cpp:
        * profiler/ProfilerOSRExit.cpp:
        * profiler/ProfilerOrigin.cpp:
        * profiler/ProfilerProfiledBytecodes.cpp: Include ObjectConstructor.h
        because that's where createEmptyObject() lives now.

        * runtime/Executable.h:
        (JSC::JSFunction::JSFunction): Updated for rename.

        * runtime/JSCellInlines.h:
        (JSC::allocateCell): Updated to match the allocator selection code in
        the JIT, so it's clearer that both are correct.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::JSFunction):
        (JSC::JSFunction::createAllocationProfile):
        (JSC::JSFunction::visitChildren):
        (JSC::JSFunction::getOwnPropertySlot):
        (JSC::JSFunction::put):
        (JSC::JSFunction::defineOwnProperty):
        (JSC::JSFunction::getConstructData):
        * runtime/JSFunction.h:
        (JSC::JSFunction::offsetOfScopeChain):
        (JSC::JSFunction::offsetOfExecutable):
        (JSC::JSFunction::offsetOfAllocationProfile):
        (JSC::JSFunction::allocationProfile):
        (JSFunction):
        (JSC::JSFunction::tryGetAllocationProfile):
        (JSC::JSFunction::addAllocationProfileWatchpoint): Changed inheritorID
        data member to be an ObjectAllocationProfile, which includes a pointer
        to the desired allocator. This simplifies JIT code, since we don't have
        to compute the allocator on the fly. I verified by code inspection that
        JSFunction is still only 64 bytes.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSGlobalObject):
        (JSC::JSGlobalObject::dateStructure): No direct pointer to the empty
        object structure anymore, because now clients need to specify how much
        inline capacity they want.

        * runtime/JSONObject.cpp:
        * runtime/JSObject.h:
        (JSC):
        (JSFinalObject):
        (JSC::JSFinalObject::defaultInlineCapacity):
        (JSC::JSFinalObject::maxInlineCapacity):
        (JSC::JSFinalObject::createStructure): A little refactoring to try to 
        clarify where some of these constants derive from.

        (JSC::maxOffsetRelativeToPatchedStorage): Used for bug fix, above.

        * runtime/JSProxy.cpp:
        (JSC::JSProxy::setTarget): Ugly, but effective.

        * runtime/LiteralParser.cpp:
        * runtime/ObjectConstructor.cpp:
        (JSC::constructObject):
        (JSC::constructWithObjectConstructor):
        (JSC::callObjectConstructor):
        (JSC::objectConstructorCreate): Updated for interface changes.

        * runtime/ObjectConstructor.h:
        (JSC::constructEmptyObject): Clarified your options for how to allocate
        an empty object, to emphasize what things can actually vary.

        * runtime/PropertyOffset.h: These constants have moved because they're
        really higher level concepts to do with the layout of objects and the
        collector. PropertyOffset is just an abstract number line, independent
        of those things.

        * runtime/PrototypeMap.cpp:
        (JSC::PrototypeMap::emptyObjectStructureForPrototype):
        (JSC::PrototypeMap::clearEmptyObjectStructureForPrototype):
        * runtime/PrototypeMap.h:
        (PrototypeMap): The map key is now a pair of prototype and inline capacity,
        since Structure encodes inline capacity.

        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::nonPropertyTransition):
        (JSC::Structure::copyPropertyTableForPinning):
        * runtime/Structure.h:
        (Structure):
        (JSC::Structure::totalStorageSize):
        (JSC::Structure::transitionCount):
        (JSC::Structure::create): Fixed a nasty refactoring bug that only shows
        up after enabling variable-sized inline capacities: we were passing our
        type info where our inline capacity was expected. The compiler didn't
        notice because both have type int :(.

2013-01-28  Oliver Hunt  <oliver@apple.com>

        Add more assertions to the property storage use in arrays
        https://bugs.webkit.org/show_bug.cgi?id=107728

        Reviewed by Filip Pizlo.

        Add a bunch of assertions to array and object butterfly
        usage.  This should make debugging somewhat easier.

        I also converted a couple of assertions to release asserts
        as they were so low cost it seemed a sensible thing to do.

        * runtime/JSArray.cpp:
        (JSC::JSArray::sortVector):
        (JSC::JSArray::compactForSorting):
        * runtime/JSObject.h:
        (JSC::JSObject::getHolyIndexQuickly):

2013-01-28  Adam Barth  <abarth@webkit.org>

        Remove webkitNotifications.createHTMLNotification
        https://bugs.webkit.org/show_bug.cgi?id=107598

        Reviewed by Benjamin Poulain.

        * Configurations/FeatureDefines.xcconfig:

2013-01-28  Michael Saboff  <msaboff@apple.com>

        Cleanup ARM version of debugName() in DFGFPRInfo.h
        https://bugs.webkit.org/show_bug.cgi?id=108090

        Reviewed by David Kilzer.

        Fixed debugName() so it will compile by adding static_cast<int> and missing commas.

        * dfg/DFGFPRInfo.h:
        (JSC::DFG::FPRInfo::debugName):

2013-01-27  Andreas Kling  <akling@apple.com>

        JSC: FunctionParameters are memory hungry.
        <http://webkit.org/b/108033>
        <rdar://problem/13094803>

        Reviewed by Sam Weinig.

        Instead of inheriting from Vector<Identifier>, make FunctionParameters a simple fixed-size array
        with a custom-allocating create() function. Removes one step of indirection and cuts memory usage
        roughly in half.

        2.73 MB progression on Membuster3.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::paramString):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * parser/Nodes.cpp:
        (JSC::FunctionParameters::create):
        (JSC::FunctionParameters::FunctionParameters):
        (JSC::FunctionParameters::~FunctionParameters):
        * parser/Nodes.h:
        (FunctionParameters):
        (JSC::FunctionParameters::size):
        (JSC::FunctionParameters::at):
        (JSC::FunctionParameters::identifiers):

2013-01-27  Andreas Kling  <akling@apple.com>

        JSC: SourceProviderCache is memory hungry.
        <http://webkit.org/b/108029>
        <rdar://problem/13094806>

        Reviewed by Sam Weinig.

        Use fixed-size arrays for SourceProviderCacheItem's lists of captured variables.
        Since the lists never change after the object is created, there's no need to keep them in Vectors
        and we can instead create the whole cache item in a single allocation.

        13.37 MB progression on Membuster3.

        * parser/Parser.cpp:
        (JSC::::parseFunctionInfo):
        * parser/Parser.h:
        (JSC::Scope::copyCapturedVariablesToVector):
        (JSC::Scope::fillParametersForSourceProviderCache):
        (JSC::Scope::restoreFromSourceProviderCache):
        * parser/SourceProviderCacheItem.h:
        (SourceProviderCacheItemCreationParameters):
        (SourceProviderCacheItem):
        (JSC::SourceProviderCacheItem::approximateByteSize):
        (JSC::SourceProviderCacheItem::usedVariables):
        (JSC::SourceProviderCacheItem::writtenVariables):
        (JSC::SourceProviderCacheItem::~SourceProviderCacheItem):
        (JSC::SourceProviderCacheItem::create):
        (JSC::SourceProviderCacheItem::SourceProviderCacheItem):

2013-01-27  Zoltan Arvai  <zarvai@inf.u-szeged.hu>

        Fixing atomicIncrement implementation for Windows by dropping support before XP SP2.
        https://bugs.webkit.org/show_bug.cgi?id=106740

        Reviewed by Benjamin Poulain.

        * config.h:

2013-01-25  Filip Pizlo  <fpizlo@apple.com>

        DFG variable event stream shouldn't use NodeIndex
        https://bugs.webkit.org/show_bug.cgi?id=107996

        Reviewed by Oliver Hunt.
        
        Introduce the notion of a DFG::MinifiedID, which is just a unique ID of a DFG Node.
        Internally it currently uses a NodeIndex, but we could change this without having
        to recode all of the users of MinifiedID. This effectively decouples the OSR exit
        compiler's way of identifying nodes from the speculative JIT's way of identifying
        nodes, and should make it easier to make changes to the speculative JIT's internals
        in the future.
        
        Also changed variable event stream logging to exclude information about births and
        deaths of constants, since the OSR exit compiler never cares about which register
        holds a constant; if a value is constant then the OSR exit compiler can reify it.
        
        Also changed the variable event stream's value recovery computation to use a
        HashMap keyed by MinifiedID rather than a Vector indexed by NodeIndex.
        
        This appears to be performance-neutral. It's primarily meant as a small step
        towards https://bugs.webkit.org/show_bug.cgi?id=106868.

        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::GenerationInfo::GenerationInfo):
        (JSC::DFG::GenerationInfo::initConstant):
        (JSC::DFG::GenerationInfo::initInteger):
        (JSC::DFG::GenerationInfo::initJSValue):
        (JSC::DFG::GenerationInfo::initCell):
        (JSC::DFG::GenerationInfo::initBoolean):
        (JSC::DFG::GenerationInfo::initDouble):
        (JSC::DFG::GenerationInfo::initStorage):
        (JSC::DFG::GenerationInfo::noticeOSRBirth):
        (JSC::DFG::GenerationInfo::use):
        (JSC::DFG::GenerationInfo::appendFill):
        (JSC::DFG::GenerationInfo::appendSpill):
        (GenerationInfo):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGMinifiedGraph.h:
        (JSC::DFG::MinifiedGraph::at):
        (MinifiedGraph):
        * dfg/DFGMinifiedID.h: Added.
        (DFG):
        (MinifiedID):
        (JSC::DFG::MinifiedID::MinifiedID):
        (JSC::DFG::MinifiedID::operator!):
        (JSC::DFG::MinifiedID::nodeIndex):
        (JSC::DFG::MinifiedID::operator==):
        (JSC::DFG::MinifiedID::operator!=):
        (JSC::DFG::MinifiedID::operator<):
        (JSC::DFG::MinifiedID::operator>):
        (JSC::DFG::MinifiedID::operator<=):
        (JSC::DFG::MinifiedID::operator>=):
        (JSC::DFG::MinifiedID::hash):
        (JSC::DFG::MinifiedID::dump):
        (JSC::DFG::MinifiedID::isHashTableDeletedValue):
        (JSC::DFG::MinifiedID::invalidID):
        (JSC::DFG::MinifiedID::otherInvalidID):
        (JSC::DFG::MinifiedID::fromBits):
        (JSC::DFG::MinifiedIDHash::hash):
        (JSC::DFG::MinifiedIDHash::equal):
        (MinifiedIDHash):
        (WTF):
        * dfg/DFGMinifiedNode.cpp:
        (JSC::DFG::MinifiedNode::fromNode):
        * dfg/DFGMinifiedNode.h:
        (JSC::DFG::MinifiedNode::id):
        (JSC::DFG::MinifiedNode::child1):
        (JSC::DFG::MinifiedNode::getID):
        (JSC::DFG::MinifiedNode::compareByNodeIndex):
        (MinifiedNode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileMovHint):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::setNodeIndexForOperand):
        * dfg/DFGValueSource.cpp:
        (JSC::DFG::ValueSource::dump):
        * dfg/DFGValueSource.h:
        (JSC::DFG::ValueSource::ValueSource):
        (JSC::DFG::ValueSource::isSet):
        (JSC::DFG::ValueSource::kind):
        (JSC::DFG::ValueSource::id):
        (ValueSource):
        (JSC::DFG::ValueSource::idFromKind):
        (JSC::DFG::ValueSource::kindFromID):
        * dfg/DFGVariableEvent.cpp:
        (JSC::DFG::VariableEvent::dump):
        (JSC::DFG::VariableEvent::dumpFillInfo):
        (JSC::DFG::VariableEvent::dumpSpillInfo):
        * dfg/DFGVariableEvent.h:
        (JSC::DFG::VariableEvent::fillGPR):
        (JSC::DFG::VariableEvent::fillPair):
        (JSC::DFG::VariableEvent::fillFPR):
        (JSC::DFG::VariableEvent::spill):
        (JSC::DFG::VariableEvent::death):
        (JSC::DFG::VariableEvent::movHint):
        (JSC::DFG::VariableEvent::id):
        (VariableEvent):
        * dfg/DFGVariableEventStream.cpp:
        (DFG):
        (JSC::DFG::VariableEventStream::tryToSetConstantRecovery):
        (JSC::DFG::VariableEventStream::reconstruct):
        * dfg/DFGVariableEventStream.h:
        (VariableEventStream):

2013-01-25  Roger Fong  <roger_fong@apple.com>

        Unreviewed. Rename LLInt projects folder and make appropriate changes to solutions.

        * JavaScriptCore.vcxproj/JavaScriptCore.sln:
        * JavaScriptCore.vcxproj/LLInt: Copied from JavaScriptCore.vcxproj/LLInt.vcproj.
        * JavaScriptCore.vcxproj/LLInt.vcproj: Removed.
        * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly: Removed.
        * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/LLIntAssembly.make: Removed.
        * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/LLIntAssembly.vcxproj: Removed.
        * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/LLIntAssembly.vcxproj.user: Removed.
        * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/build-LLIntAssembly.sh: Removed.
        * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets: Removed.
        * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.make: Removed.
        * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj: Removed.
        * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj.user: Removed.
        * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh: Removed.
        * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor: Removed.
        * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj: Removed.
        * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj.user: Removed.
        * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props: Removed.
        * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorDebug.props: Removed.
        * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorRelease.props: Removed.

2013-01-24  Roger Fong  <roger_fong@apple.com>

        VS2010 JavascriptCore: Clean up property sheets, add a JSC solution, add testRegExp and testAPI projects.
        https://bugs.webkit.org/show_bug.cgi?id=106987

        Reviewed by Brent Fulgham.

        * JavaScriptCore.vcxproj/JavaScriptCore.sln: Added.
        * JavaScriptCore.vcxproj/JavaScriptCoreCF.props:
        * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
        * JavaScriptCore.vcxproj/JavaScriptCorePreLink.cmd:
        * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
        * JavaScriptCore.vcxproj/jsc/jscCommon.props:
        * JavaScriptCore.vcxproj/jsc/jscDebug.props:
        * JavaScriptCore.vcxproj/jsc/jscPostBuild.cmd:
        * JavaScriptCore.vcxproj/jsc/jscPreLink.cmd:
        * JavaScriptCore.vcxproj/testRegExp: Added.
        * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj: Added.
        * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj.filters: Added.
        * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj.user: Added.
        * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props: Added.
        * JavaScriptCore.vcxproj/testRegExp/testRegExpDebug.props: Added.
        * JavaScriptCore.vcxproj/testRegExp/testRegExpPostBuild.cmd: Added.
        * JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd: Added.
        * JavaScriptCore.vcxproj/testRegExp/testRegExpPreLink.cmd: Added.
        * JavaScriptCore.vcxproj/testRegExp/testRegExpRelease.props: Added.
        * JavaScriptCore.vcxproj/testapi: Added.
        * JavaScriptCore.vcxproj/testapi/testapi.vcxproj: Added.
        * JavaScriptCore.vcxproj/testapi/testapi.vcxproj.filters: Added.
        * JavaScriptCore.vcxproj/testapi/testapi.vcxproj.user: Added.
        * JavaScriptCore.vcxproj/testapi/testapiCommon.props: Added.
        * JavaScriptCore.vcxproj/testapi/testapiDebug.props: Added.
        * JavaScriptCore.vcxproj/testapi/testapiPostBuild.cmd: Added.
        * JavaScriptCore.vcxproj/testapi/testapiPreBuild.cmd: Added.
        * JavaScriptCore.vcxproj/testapi/testapiPreLink.cmd: Added.
        * JavaScriptCore.vcxproj/testapi/testapiRelease.props: Added.

2013-01-24  Roger Fong  <roger_fong@apple.com>

        Unreviewed. Windows build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:

2013-01-24  Filip Pizlo  <fpizlo@apple.com>

        DFG::JITCompiler::getSpeculation() methods are badly named and superfluous
        https://bugs.webkit.org/show_bug.cgi?id=107860

        Reviewed by Mark Hahnenberg.

        * dfg/DFGJITCompiler.h:
        (JITCompiler):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitBranch):

2013-01-24  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: Rename JSValue.h/APIJSValue.h to JSCJSValue.h/JSValue.h
        https://bugs.webkit.org/show_bug.cgi?id=107327

        Reviewed by Filip Pizlo.

        We're renaming these two files, so we have to replace the names everywhere.

        * API/APICast.h:
        * API/APIJSValue.h: Removed.
        * API/JSBlockAdaptor.mm:
        * API/JSStringRefCF.cpp:
        * API/JSValue.h: Copied from Source/JavaScriptCore/API/APIJSValue.h.
        * API/JSValue.mm:
        * API/JSValueInternal.h:
        * API/JSValueRef.cpp:
        * API/JSWeakObjectMapRefPrivate.cpp:
        * API/JavaScriptCore.h:
        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CallLinkStatus.h:
        * bytecode/CodeBlock.cpp:
        * bytecode/MethodOfGettingAValueProfile.h:
        * bytecode/ResolveGlobalStatus.cpp:
        * bytecode/ResolveGlobalStatus.h:
        * bytecode/SpeculatedType.h:
        * bytecode/ValueRecovery.h:
        * dfg/DFGByteCodeParser.cpp:
        * dfg/DFGJITCompiler.cpp:
        * dfg/DFGNode.h:
        * dfg/DFGSpeculativeJIT.cpp:
        * dfg/DFGSpeculativeJIT64.cpp:
        * heap/CopiedBlock.h:
        * heap/HandleStack.cpp:
        * heap/HandleTypes.h:
        * heap/WeakImpl.h:
        * interpreter/Interpreter.h:
        * interpreter/Register.h:
        * interpreter/VMInspector.h:
        * jit/HostCallReturnValue.cpp:
        * jit/HostCallReturnValue.h:
        * jit/JITCode.h:
        * jit/JITExceptions.cpp:
        * jit/JITExceptions.h:
        * jit/JSInterfaceJIT.h:
        * llint/LLIntCLoop.h:
        * llint/LLIntData.h:
        * llint/LLIntSlowPaths.cpp:
        * profiler/ProfilerBytecode.h:
        * profiler/ProfilerBytecodeSequence.h:
        * profiler/ProfilerBytecodes.h:
        * profiler/ProfilerCompilation.h:
        * profiler/ProfilerCompiledBytecode.h:
        * profiler/ProfilerDatabase.h:
        * profiler/ProfilerOSRExit.h:
        * profiler/ProfilerOSRExitSite.h:
        * profiler/ProfilerOrigin.h:
        * profiler/ProfilerOriginStack.h:
        * runtime/ArgList.cpp:
        * runtime/CachedTranscendentalFunction.h:
        * runtime/CallData.h:
        * runtime/Completion.h:
        * runtime/ConstructData.h:
        * runtime/DateConstructor.cpp:
        * runtime/DateInstance.cpp:
        * runtime/DatePrototype.cpp:
        * runtime/JSAPIValueWrapper.h:
        * runtime/JSCJSValue.cpp: Copied from Source/JavaScriptCore/runtime/JSValue.cpp.
        * runtime/JSCJSValue.h: Copied from Source/JavaScriptCore/runtime/JSValue.h.
        (JSValue):
        * runtime/JSCJSValueInlines.h: Copied from Source/JavaScriptCore/runtime/JSValueInlines.h.
        * runtime/JSGlobalData.h:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObjectFunctions.h:
        * runtime/JSStringJoiner.h:
        * runtime/JSValue.cpp: Removed.
        * runtime/JSValue.h: Removed.
        * runtime/JSValueInlines.h: Removed.
        * runtime/LiteralParser.h:
        * runtime/Operations.h:
        * runtime/PropertyDescriptor.h:
        * runtime/PropertySlot.h:
        * runtime/Protect.h:
        * runtime/RegExpPrototype.cpp:
        * runtime/Structure.h:

2013-01-23  Oliver Hunt  <oliver@apple.com>

        Harden JSC a bit with RELEASE_ASSERT
        https://bugs.webkit.org/show_bug.cgi?id=107766

        Reviewed by Mark Hahnenberg.

        Went through and replaced a pile of ASSERTs that were covering
        significantly important details (bounds checks, etc) where
        having the checks did not impact release performance in any
        measurable way.

        * API/JSContextRef.cpp:
        (JSContextCreateBacktrace):
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::branchAdd32):
        (JSC::MacroAssembler::branchMul32):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::handlerForBytecodeOffset):
        (JSC::CodeBlock::lineNumberForBytecodeOffset):
        (JSC::CodeBlock::bytecodeOffset):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::bytecodeOffsetForCallAtIndex):
        (JSC::CodeBlock::bytecodeOffset):
        (JSC::CodeBlock::exceptionHandler):
        (JSC::CodeBlock::codeOrigin):
        (JSC::CodeBlock::immediateSwitchJumpTable):
        (JSC::CodeBlock::characterSwitchJumpTable):
        (JSC::CodeBlock::stringSwitchJumpTable):
        (JSC::CodeBlock::setIdentifiers):
        (JSC::baselineCodeBlockForInlineCallFrame):
        (JSC::ExecState::uncheckedR):
        * bytecode/CodeOrigin.cpp:
        (JSC::CodeOrigin::inlineStack):
        * bytecode/CodeOrigin.h:
        (JSC::CodeOrigin::CodeOrigin):
        * dfg/DFGCSEPhase.cpp:
        * dfg/DFGOSRExit.cpp:
        * dfg/DFGScratchRegisterAllocator.h:
        (JSC::DFG::ScratchRegisterAllocator::preserveUsedRegistersToScratchBuffer):
        (JSC::DFG::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBuffer):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::allocate):
        (JSC::DFG::SpeculativeJIT::spill):
        (JSC::DFG::SpeculativeJIT::integerResult):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillInteger):
        (JSC::DFG::SpeculativeJIT::fillDouble):
        (JSC::DFG::SpeculativeJIT::fillJSValue):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGValueSource.h:
        (JSC::DFG::dataFormatToValueSourceKind):
        (JSC::DFG::ValueSource::ValueSource):
        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        * heap/BlockAllocator.cpp:
        (JSC::BlockAllocator::BlockAllocator):
        (JSC::BlockAllocator::releaseFreeRegions):
        (JSC::BlockAllocator::blockFreeingThreadMain):
        * heap/Heap.cpp:
        (JSC::Heap::lastChanceToFinalize):
        (JSC::Heap::collect):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::throwException):
        (JSC::Interpreter::execute):
        * jit/GCAwareJITStubRoutine.cpp:
        (JSC::GCAwareJITStubRoutine::observeZeroRefCount):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JITExceptions.cpp:
        (JSC::genericThrow):
        * jit/JITInlines.h:
        (JSC::JIT::emitLoad):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_end):
        (JSC::JIT::emit_resolve_operations):
        * jit/JITStubRoutine.cpp:
        (JSC::JITStubRoutine::observeZeroRefCount):
        * jit/JITStubs.cpp:
        (JSC::returnToThrowTrampoline):
        * runtime/Arguments.cpp:
        (JSC::Arguments::getOwnPropertySlot):
        (JSC::Arguments::getOwnPropertyDescriptor):
        (JSC::Arguments::deleteProperty):
        (JSC::Arguments::defineOwnProperty):
        (JSC::Arguments::didTearOffActivation):
        * runtime/ArrayPrototype.cpp:
        (JSC::shift):
        (JSC::unshift):
        (JSC::arrayProtoFuncLastIndexOf):
        * runtime/ButterflyInlines.h:
        (JSC::Butterfly::growPropertyStorage):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
        * runtime/CodeCache.h:
        (JSC::CacheMap::add):
        * runtime/Completion.cpp:
        (JSC::checkSyntax):
        (JSC::evaluate):
        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::FunctionExecutable):
        (JSC::EvalExecutable::unlinkCalls):
        (JSC::ProgramExecutable::compileOptimized):
        (JSC::ProgramExecutable::unlinkCalls):
        (JSC::ProgramExecutable::initializeGlobalProperties):
        (JSC::FunctionExecutable::baselineCodeBlockFor):
        (JSC::FunctionExecutable::compileOptimizedForCall):
        (JSC::FunctionExecutable::compileOptimizedForConstruct):
        (JSC::FunctionExecutable::compileForCallInternal):
        (JSC::FunctionExecutable::compileForConstructInternal):
        (JSC::FunctionExecutable::unlinkCalls):
        (JSC::NativeExecutable::hashFor):
        * runtime/Executable.h:
        (JSC::EvalExecutable::compile):
        (JSC::ProgramExecutable::compile):
        (JSC::FunctionExecutable::compileForCall):
        (JSC::FunctionExecutable::compileForConstruct):
        * runtime/IndexingHeader.h:
        (JSC::IndexingHeader::setVectorLength):
        * runtime/JSArray.cpp:
        (JSC::JSArray::pop):
        (JSC::JSArray::shiftCountWithArrayStorage):
        (JSC::JSArray::shiftCountWithAnyIndexingType):
        (JSC::JSArray::unshiftCountWithArrayStorage):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::jsStrDecimalLiteral):
        * runtime/JSObject.cpp:
        (JSC::JSObject::copyButterfly):
        (JSC::JSObject::defineOwnIndexedProperty):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
        * runtime/JSString.cpp:
        (JSC::JSRopeString::getIndexSlowCase):
        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::Interpreter::popParenthesesDisjunctionContext):

2013-01-23  Filip Pizlo  <fpizlo@apple.com>

        Constant folding an access to an uncaptured variable that is captured later in the same basic block shouldn't lead to assertion failures
        https://bugs.webkit.org/show_bug.cgi?id=107750
        <rdar://problem/12387265>

        Reviewed by Mark Hahnenberg.
        
        The point of this assertion was that if there is no variable capturing going on, then there should only be one GetLocal
        for the variable anywhere in the basic block. But if there is some capturing, then we'll have an unbounded number of
        GetLocals. The assertion was too imprecise for the latter case. I want to keep this assertion, so I introduced a
        checker that verifies this precisely: if there are any captured accesses to the variable anywhere at or after the
        GetLocal we are eliminating, then we allow redundant GetLocals.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        (ConstantFoldingPhase):
        (JSC::DFG::ConstantFoldingPhase::isCapturedAtOrAfter):

2013-01-23  Oliver Hunt  <oliver@apple.com>

        Replace ASSERT_NOT_REACHED with RELEASE_ASSERT_NOT_REACHED in JSC
        https://bugs.webkit.org/show_bug.cgi?id=107736

        Reviewed by Mark Hahnenberg.

        Mechanical change with no performance impact.

        * API/JSBlockAdaptor.mm:
        (BlockArgumentTypeDelegate::typeVoid):
        * API/JSCallbackObjectFunctions.h:
        (JSC::::construct):
        (JSC::::call):
        * API/JSScriptRef.cpp:
        * API/ObjCCallbackFunction.mm:
        (ArgumentTypeDelegate::typeVoid):
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::link):
        (JSC::ARMv7Assembler::replaceWithLoad):
        (JSC::ARMv7Assembler::replaceWithAddressComputation):
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::invert):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::countLeadingZeros32):
        (JSC::MacroAssemblerARM::divDouble):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::absDouble):
        (JSC::MacroAssemblerMIPS::replaceWithJump):
        (JSC::MacroAssemblerMIPS::maxJumpReplacementSize):
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::absDouble):
        (JSC::MacroAssemblerSH4::replaceWithJump):
        (JSC::MacroAssemblerSH4::maxJumpReplacementSize):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::shllImm8r):
        (JSC::SH4Assembler::shlrImm8r):
        (JSC::SH4Assembler::cmplRegReg):
        (JSC::SH4Assembler::branch):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::replaceWithLoad):
        (JSC::X86Assembler::replaceWithAddressComputation):
        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::unlink):
        * bytecode/CodeBlock.cpp:
        (JSC::debugHookName):
        (JSC::CodeBlock::printGetByIdOp):
        (JSC::CodeBlock::printGetByIdCacheStatus):
        (JSC::CodeBlock::visitAggregate):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::usesOpcode):
        * bytecode/DataFormat.h:
        (JSC::needDataFormatConversion):
        * bytecode/ExitKind.cpp:
        (JSC::exitKindToString):
        (JSC::exitKindIsCountable):
        * bytecode/MethodOfGettingAValueProfile.cpp:
        (JSC::MethodOfGettingAValueProfile::getSpecFailBucket):
        * bytecode/Opcode.h:
        (JSC::opcodeLength):
        * bytecode/PolymorphicPutByIdList.cpp:
        (JSC::PutByIdAccess::fromStructureStubInfo):
        (JSC::PutByIdAccess::visitWeak):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::deref):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::ResolveResult::checkValidity):
        (JSC::BytecodeGenerator::emitGetLocalVar):
        (JSC::BytecodeGenerator::beginSwitch):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::BinaryOpNode::emitBytecode):
        (JSC::emitReadModifyAssignment):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        (JSC::DFG::AbstractState::mergeStateAtTail):
        (JSC::DFG::AbstractState::mergeToSuccessors):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeSafe):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::fixPossibleGetLocal):
        (JSC::DFG::CFGSimplificationPhase::fixTailOperand):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::setLocalStoreElimination):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::canHandleOpcodes):
        * dfg/DFGCommon.h:
        (JSC::DFG::useKindToString):
        * dfg/DFGDoubleFormatState.h:
        (JSC::DFG::mergeDoubleFormatStates):
        (JSC::DFG::doubleFormatStateToString):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::blessArrayOperation):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::clobbersWorld):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::valueOfJSConstant):
        (JSC::DFG::Node::successor):
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::nodeFlagsAsString):
        * dfg/DFGNodeType.h:
        (JSC::DFG::defaultFlags):
        * dfg/DFGRepatch.h:
        (JSC::DFG::dfgResetGetByID):
        (JSC::DFG::dfgResetPutByID):
        * dfg/DFGSlowPathGenerator.h:
        (JSC::DFG::SlowPathGenerator::call):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
        (JSC::DFG::SpeculativeJIT::silentSpill):
        (JSC::DFG::SpeculativeJIT::silentFill):
        (JSC::DFG::SpeculativeJIT::checkArray):
        (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::bitOp):
        (JSC::DFG::SpeculativeJIT::shiftOp):
        (JSC::DFG::SpeculativeJIT::integerResult):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillInteger):
        (JSC::DFG::SpeculativeJIT::fillDouble):
        (JSC::DFG::SpeculativeJIT::fillJSValue):
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillInteger):
        (JSC::DFG::SpeculativeJIT::fillDouble):
        (JSC::DFG::SpeculativeJIT::fillJSValue):
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStructureCheckHoistingPhase.cpp:
        (JSC::DFG::StructureCheckHoistingPhase::run):
        * dfg/DFGValueSource.h:
        (JSC::DFG::ValueSource::valueRecovery):
        * dfg/DFGVariableEvent.cpp:
        (JSC::DFG::VariableEvent::dump):
        * dfg/DFGVariableEventStream.cpp:
        (JSC::DFG::VariableEventStream::reconstruct):
        * heap/BlockAllocator.h:
        (JSC::BlockAllocator::regionSetFor):
        * heap/GCThread.cpp:
        (JSC::GCThread::gcThreadMain):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::sweepHelper):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::isLive):
        * interpreter/CallFrame.h:
        (JSC::ExecState::inlineCallFrame):
        * interpreter/Interpreter.cpp:
        (JSC::getCallerInfo):
        (JSC::getStackFrameCodeType):
        (JSC::Interpreter::execute):
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::FixedVMPoolExecutableAllocator::notifyPageIsFree):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::privateCompile):
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emitSlow_op_mod):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emitBinaryDoubleOp):
        (JSC::JIT::emitSlow_op_mod):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::isDirectPutById):
        * jit/JITStubs.cpp:
        (JSC::getPolymorphicAccessStructureListSlot):
        (JSC::DEFINE_STUB_FUNCTION):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):
        * parser/Lexer.cpp:
        (JSC::::lex):
        * parser/Nodes.h:
        (JSC::ExpressionNode::emitBytecodeInConditionContext):
        * parser/Parser.h:
        (JSC::Parser::getTokenName):
        (JSC::Parser::updateErrorMessageSpecialCase):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::operatorStackPop):
        * runtime/Arguments.cpp:
        (JSC::Arguments::tearOffForInlineCallFrame):
        * runtime/DatePrototype.cpp:
        (JSC::formatLocaleDate):
        * runtime/Executable.cpp:
        (JSC::samplingDescription):
        * runtime/Executable.h:
        (JSC::ScriptExecutable::unlinkCalls):
        * runtime/Identifier.cpp:
        (JSC):
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::getCallData):
        * runtime/JSArray.cpp:
        (JSC::JSArray::push):
        (JSC::JSArray::sort):
        * runtime/JSCell.cpp:
        (JSC::JSCell::defaultValue):
        (JSC::JSCell::getOwnPropertyNames):
        (JSC::JSCell::getOwnNonIndexPropertyNames):
        (JSC::JSCell::className):
        (JSC::JSCell::getPropertyNames):
        (JSC::JSCell::customHasInstance):
        (JSC::JSCell::putDirectVirtual):
        (JSC::JSCell::defineOwnProperty):
        (JSC::JSCell::getOwnPropertyDescriptor):
        * runtime/JSCell.h:
        (JSCell):
        * runtime/JSNameScope.cpp:
        (JSC::JSNameScope::put):
        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnPropertySlotByIndex):
        (JSC::JSObject::putByIndex):
        (JSC::JSObject::ensureArrayStorageSlow):
        (JSC::JSObject::deletePropertyByIndex):
        (JSC::JSObject::getOwnPropertyNames):
        (JSC::JSObject::putByIndexBeyondVectorLength):
        (JSC::JSObject::putDirectIndexBeyondVectorLength):
        (JSC::JSObject::getOwnPropertyDescriptor):
        * runtime/JSObject.h:
        (JSC::JSObject::canGetIndexQuickly):
        (JSC::JSObject::getIndexQuickly):
        (JSC::JSObject::tryGetIndexQuickly):
        (JSC::JSObject::canSetIndexQuickly):
        (JSC::JSObject::canSetIndexQuicklyForPutDirect):
        (JSC::JSObject::setIndexQuickly):
        (JSC::JSObject::initializeIndex):
        (JSC::JSObject::hasSparseMap):
        (JSC::JSObject::inSparseIndexingMode):
        * runtime/JSScope.cpp:
        (JSC::JSScope::isDynamicScope):
        * runtime/JSSymbolTableObject.cpp:
        (JSC::JSSymbolTableObject::putDirectVirtual):
        * runtime/JSSymbolTableObject.h:
        (JSSymbolTableObject):
        * runtime/LiteralParser.cpp:
        (JSC::::parse):
        * runtime/RegExp.cpp:
        (JSC::RegExp::compile):
        (JSC::RegExp::compileMatchOnly):
        * runtime/StructureTransitionTable.h:
        (JSC::newIndexingType):
        * tools/CodeProfile.cpp:
        (JSC::CodeProfile::sample):
        * yarr/YarrCanonicalizeUCS2.h:
        (JSC::Yarr::getCanonicalPair):
        (JSC::Yarr::areCanonicallyEquivalent):
        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::Interpreter::matchCharacterClass):
        (JSC::Yarr::Interpreter::matchBackReference):
        (JSC::Yarr::Interpreter::backtrackParenthesesTerminalEnd):
        (JSC::Yarr::Interpreter::matchParentheses):
        (JSC::Yarr::Interpreter::backtrackParentheses):
        (JSC::Yarr::Interpreter::matchDisjunction):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generateTerm):
        (JSC::Yarr::YarrGenerator::backtrackTerm):
        * yarr/YarrParser.h:
        (JSC::Yarr::Parser::CharacterClassParserDelegate::assertionWordBoundary):
        (JSC::Yarr::Parser::CharacterClassParserDelegate::atomBackReference):
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::atomCharacterClassBuiltIn):

2013-01-23  Tony Chang  <tony@chromium.org>

        Unreviewed, set svn:eol-style to CRLF on Windows .sln files.

        * JavaScriptCore.vcproj/JavaScriptCore.sln: Modified property svn:eol-style.
        * JavaScriptCore.vcproj/JavaScriptCoreSubmit.sln: Modified property svn:eol-style.

2013-01-23  Oliver Hunt  <oliver@apple.com>

        Replace numerous manual CRASH's in JSC with RELEASE_ASSERT
        https://bugs.webkit.org/show_bug.cgi?id=107726

        Reviewed by Filip Pizlo.

        Fairly manual change from if (foo) CRASH(); to RELEASE_ASSERT(!foo);

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::branchAdd32):
        (JSC::MacroAssembler::branchMul32):
        * bytecode/CodeBlockHash.cpp:
        (JSC::CodeBlockHash::CodeBlockHash):
        * heap/BlockAllocator.h:
        (JSC::Region::create):
        (JSC::Region::createCustomSize):
        * heap/GCAssertions.h:
        * heap/HandleSet.cpp:
        (JSC::HandleSet::visitStrongHandles):
        (JSC::HandleSet::writeBarrier):
        * heap/HandleSet.h:
        (JSC::HandleSet::allocate):
        * heap/Heap.cpp:
        (JSC::Heap::collect):
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::validate):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        * jit/ExecutableAllocator.cpp:
        (JSC::DemandExecutableAllocator::allocateNewSpace):
        (JSC::ExecutableAllocator::allocate):
        * jit/ExecutableAllocator.h:
        (JSC::roundUpAllocationSize):
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
        (JSC::ExecutableAllocator::allocate):
        * runtime/ButterflyInlines.h:
        (JSC::Butterfly::createUninitialized):
        * runtime/Completion.cpp:
        (JSC::evaluate):
        * runtime/JSArray.h:
        (JSC::constructArray):
        * runtime/JSGlobalObject.cpp:
        (JSC::slowValidateCell):
        * runtime/JSObject.cpp:
        (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
        (JSC::JSObject::createArrayStorage):
        * tools/TieredMMapArray.h:
        (JSC::TieredMMapArray::append):
        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::Interpreter::allocDisjunctionContext):
        (JSC::Yarr::Interpreter::allocParenthesesDisjunctionContext):
        (JSC::Yarr::Interpreter::InputStream::readChecked):
        (JSC::Yarr::Interpreter::InputStream::uncheckInput):
        (JSC::Yarr::Interpreter::InputStream::atEnd):
        (JSC::Yarr::Interpreter::interpret):

2013-01-22  Filip Pizlo  <fpizlo@apple.com>

        Convert CSE phase to not rely too much on NodeIndex
        https://bugs.webkit.org/show_bug.cgi?id=107616

        Reviewed by Geoffrey Garen.
        
        - Instead of looping over the graph (which assumes that you can simply loop over all
          nodes without considering blocks first) to reset node.replacement, do that in the
          loop that sets up relevantToOSR, just before running CSE on the block.
        
        - Instead of having a relevantToOSR bitvector indexed by NodeIndex, made
          NodeRelevantToOSR be a NodeFlag. We had exactly one bit left in NodeFlags, so I did
          some reshuffling to fit it in.

        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::CSEPhase):
        (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren):
        (JSC::DFG::CSEPhase::performNodeCSE):
        (JSC::DFG::CSEPhase::performBlockCSE):
        (CSEPhase):
        * dfg/DFGNodeFlags.h:
        (DFG):
        * dfg/DFGNodeType.h:
        (DFG):

2013-01-21  Kentaro Hara  <haraken@chromium.org>

        Implement UIEvent constructor
        https://bugs.webkit.org/show_bug.cgi?id=107430

        Reviewed by Adam Barth.

        Editor's draft: https://dvcs.w3.org/hg/d4e/raw-file/tip/source_respec.htm

        UIEvent constructor is implemented under a DOM4_EVENTS_CONSTRUCTOR flag,
        which is enabled on Safari and Chromium for now.

        * Configurations/FeatureDefines.xcconfig:

2013-01-22  Roger Fong  <roger_fong@apple.com>

        Unreviewed VS2010 build fix following r140259.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2013-01-22  Roger Fong  <roger_fong@apple.com>

        JavaScriptCore property sheets, project files and modified build scripts.
        https://bugs.webkit.org/show_bug.cgi?id=106987

        Reviewed by Brent Fulgham.

        * JavaScriptCore.vcxproj: Added.
        * JavaScriptCore.vcxproj/JavaScriptCore.resources: Added.
        * JavaScriptCore.vcxproj/JavaScriptCore.resources/Info.plist: Added.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Added.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.user: Added.
        * JavaScriptCore.vcxproj/JavaScriptCoreCF.props: Added.
        * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: Added.
        * JavaScriptCore.vcxproj/JavaScriptCoreDebug.props: Added.
        * JavaScriptCore.vcxproj/JavaScriptCoreExports.def: Added.
        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make: Added.
        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj: Added.
        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj.filters: Added.
        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj.user: Added.
        * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedCommon.props: Added.
        * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedDebug.props: Added.
        * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedRelease.props: Added.
        * JavaScriptCore.vcxproj/JavaScriptCorePostBuild.cmd: Added.
        * JavaScriptCore.vcxproj/JavaScriptCorePreBuild.cmd: Added.
        * JavaScriptCore.vcxproj/JavaScriptCorePreLink.cmd: Added.
        * JavaScriptCore.vcxproj/JavaScriptCoreRelease.props: Added.
        * JavaScriptCore.vcxproj/LLInt.vcproj: Added.
        * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly: Added.
        * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/LLIntAssembly.make: Added.
        * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/LLIntAssembly.vcxproj: Added.
        * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/LLIntAssembly.vcxproj.user: Added.
        * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntAssembly/build-LLIntAssembly.sh: Added.
        * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets: Added.
        * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.make: Added.
        * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj: Added.
        * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj.user: Added.
        * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh: Added.
        * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor: Added.
        * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj: Added.
        * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj.user: Added.
        * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props: Added.
        * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorDebug.props: Added.
        * JavaScriptCore.vcxproj/LLInt.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorRelease.props: Added.
        * JavaScriptCore.vcxproj/build-generated-files.sh: Added.
        * JavaScriptCore.vcxproj/copy-files.cmd: Added.
        * JavaScriptCore.vcxproj/jsc: Added.
        * JavaScriptCore.vcxproj/jsc/jsc.vcxproj: Added.
        * JavaScriptCore.vcxproj/jsc/jsc.vcxproj.filters: Added.
        * JavaScriptCore.vcxproj/jsc/jsc.vcxproj.user: Added.
        * JavaScriptCore.vcxproj/jsc/jscCommon.props: Added.
        * JavaScriptCore.vcxproj/jsc/jscDebug.props: Added.
        * JavaScriptCore.vcxproj/jsc/jscPostBuild.cmd: Added.
        * JavaScriptCore.vcxproj/jsc/jscPreBuild.cmd: Added.
        * JavaScriptCore.vcxproj/jsc/jscPreLink.cmd: Added.
        * JavaScriptCore.vcxproj/jsc/jscRelease.props: Added.
        * config.h:

2013-01-22  Joseph Pecoraro  <pecoraro@apple.com>

        [Mac] Enable Page Visibility (PAGE_VISIBILITY_API)
        https://bugs.webkit.org/show_bug.cgi?id=107230

        Reviewed by David Kilzer.

        * Configurations/FeatureDefines.xcconfig:

2013-01-22  Tobias Netzel  <tobias.netzel@googlemail.com>

        Yarr JIT isn't big endian compatible
        https://bugs.webkit.org/show_bug.cgi?id=102897

        Reviewed by Oliver Hunt.

        This patch was tested in the current mozilla codebase only and has passed the regexp tests there.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):

2013-01-22  David Kilzer  <ddkilzer@apple.com>

        Fix DateMath.cpp to compile with -Wshorten-64-to-32
        <http://webkit.org/b/107503>

        Reviewed by Darin Adler.

        * runtime/JSDateMath.cpp:
        (JSC::parseDateFromNullTerminatedCharacters): Remove unneeded
        static_cast<int>().

2013-01-22  Tim Horton  <timothy_horton@apple.com>

        PDFPlugin: Build PDFPlugin everywhere, enable at runtime
        https://bugs.webkit.org/show_bug.cgi?id=107117

        Reviewed by Alexey Proskuryakov.

        Since PDFLayerController SPI is all forward-declared, the plugin should build
        on all Mac platforms, and can be enabled at runtime.

        * Configurations/FeatureDefines.xcconfig:

2013-01-21  Justin Schuh  <jschuh@chromium.org>

        [CHROMIUM] Suppress c4267 build warnings for Win64 targets
        https://bugs.webkit.org/show_bug.cgi?id=107499

        Reviewed by Abhishek Arya.

        * JavaScriptCore.gyp/JavaScriptCore.gyp:

2013-01-21  Dirk Schulze  <dschulze@adobe.com>

        Add build flag for Canvas's Path object (disabled by default)
        https://bugs.webkit.org/show_bug.cgi?id=107473

        Reviewed by Dean Jackson.

        Add CANVAS_PATH build flag to build systems.

        * Configurations/FeatureDefines.xcconfig:

2013-01-20  Geoffrey Garen  <ggaren@apple.com>

        Weak GC maps should be easier to use
        https://bugs.webkit.org/show_bug.cgi?id=107312

        Reviewed by Sam Weinig.

        Follow-up fix.

        * runtime/PrototypeMap.cpp:
        (JSC::PrototypeMap::emptyObjectStructureForPrototype): Restored this
        ASSERT, which was disabled because of a bug in WeakGCMap.

        * runtime/WeakGCMap.h:
        (JSC::WeakGCMap::add): We can't pass our passed-in value to add() because
        a PassWeak() clears itself when passed to another function. So, we pass
        nullptr instead, and fix things up afterwards.

2013-01-20  Geoffrey Garen  <ggaren@apple.com>

        Unreviewed.

        Temporarily disabling this ASSERT to get the bots green
        while I investigate a fix.

        * runtime/PrototypeMap.cpp:
        (JSC::PrototypeMap::emptyObjectStructureForPrototype):

2013-01-20  Filip Pizlo  <fpizlo@apple.com>

        Inserting a node into the DFG graph should not require five lines of code
        https://bugs.webkit.org/show_bug.cgi?id=107381

        Reviewed by Sam Weinig.
        
        This adds fairly comprehensive support for inserting a node into a DFG graph in one
        method call. A common example of this is:
        
        m_insertionSet.insertNode(indexInBlock, DontRefChildren, DontRefNode, SpecNone, ForceOSRExit, codeOrigin);
        
        The arguments to insert() specify what reference counting you need to have happen
        (RefChildren => recursively refs all children, RefNode => non-recursively refs the node
        that was created), the prediction to set (SpecNone is a common default), followed by
        the arguments to the Node() constructor. InsertionSet::insertNode() and similar methods
        (Graph::addNode() and BasicBlock::appendNode()) all use a common variadic template
        function macro from DFGVariadicFunction.h. Also, all of these methods will automatically
        non-recursively ref() the node being created if the flags say NodeMustGenerate.
        
        In all, this new mechanism retains the flexibility of the old approach (you get to
        manage ref counts yourself, albeit in less code) while ensuring that most code that adds
        nodes to the graph now needs less code to do it.
        
        In the future, we should revisit the reference counting methodology in the DFG: we could
        do like most compilers and get rid of it entirely, or we could make it automatic. This
        patch doesn't attempt to make any such major changes, and only seeks to simplify the
        technique we were already using (manual ref counting).

        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/Operands.h:
        (JSC::dumpOperands):
        * dfg/DFGAdjacencyList.h:
        (AdjacencyList):
        (JSC::DFG::AdjacencyList::kind):
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        * dfg/DFGBasicBlock.h:
        (DFG):
        (BasicBlock):
        * dfg/DFGBasicBlockInlines.h: Added.
        (DFG):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::run):
        (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
        * dfg/DFGCommon.h:
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::ConstantFoldingPhase):
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
        (JSC::DFG::ConstantFoldingPhase::paintUnreachableCode):
        (ConstantFoldingPhase):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::FixupPhase):
        (JSC::DFG::FixupPhase::fixupBlock):
        (JSC::DFG::FixupPhase::fixupNode):
        (FixupPhase):
        (JSC::DFG::FixupPhase::checkArray):
        (JSC::DFG::FixupPhase::blessArrayOperation):
        (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::ref):
        (Graph):
        * dfg/DFGInsertionSet.h:
        (DFG):
        (JSC::DFG::Insertion::Insertion):
        (JSC::DFG::Insertion::element):
        (Insertion):
        (JSC::DFG::InsertionSet::InsertionSet):
        (JSC::DFG::InsertionSet::insert):
        (InsertionSet):
        (JSC::DFG::InsertionSet::execute):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::Node):
        (Node):
        * dfg/DFGStructureCheckHoistingPhase.cpp:
        (JSC::DFG::StructureCheckHoistingPhase::run):
        * dfg/DFGVariadicFunction.h: Added.

2013-01-19  Geoffrey Garen  <ggaren@apple.com>

        Track inheritance structures in a side table, instead of using a private
        name in each prototype
        https://bugs.webkit.org/show_bug.cgi?id=107378

        Reviewed by Sam Weinig and Phil Pizlo.

        This is a step toward object size inference.

        Using a side table frees us to use a more complex key (a pair of
        prototype and expected inline capacity).

        It also avoids ruining inline caches for prototypes. (Adding a new private
        name for a new inline capacity would change the prototype's structure,
        possibly firing watchpoints, making inline caches go polymorphic, and
        generally causing us to have a bad time.)

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri: Buildage.

        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::finishCreation): Updated to use new side table API.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::cacheInheritorID): Updated to use new side table API.

        (JSC::JSFunction::visitChildren): Fixed a long-standing bug where JSFunction
        forgot to visit one of its data members (m_cachedInheritorID). This
        wasn't a user-visible problem before because JSFunction would always
        visit its .prototype property, which visited its m_cachedInheritorID.
        But now, function.prototype only weakly owns function.m_cachedInheritorID.

        * runtime/JSGlobalData.h:
        (JSGlobalData): Added the map, taking care to make sure that its
        destructor would run after the heap destructor.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset): Updated to use new side table API.

        * runtime/JSObject.cpp:
        (JSC::JSObject::notifyPresenceOfIndexedAccessors):
        (JSC::JSObject::setPrototype):
        * runtime/JSObject.h:
        (JSObject): Updated to use new side table API, and removed lots of code
        that used to manage the per-object private name.

        * runtime/JSProxy.cpp:
        (JSC::JSProxy::setTarget):
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorCreate):
        * runtime/ObjectPrototype.cpp:
        (JSC::ObjectPrototype::finishCreation): Updated to use new side table API.

        * runtime/PrototypeMap.cpp: Added.
        (JSC):
        (JSC::PrototypeMap::addPrototype):
        (JSC::PrototypeMap::emptyObjectStructureForPrototype):
        * runtime/PrototypeMap.h: Added.
        (PrototypeMap):
        (JSC::PrototypeMap::isPrototype):
        (JSC::PrototypeMap::clearEmptyObjectStructureForPrototype): New side table.
        This is a simple weak map, mapping an object to the structure you should
        use when inheriting from that object. (In future, inline capacity will
        be a part of the mapping.)

        I used two maps to preserve existing behavior that allowed us to speculate
        about an object becoming a prototype, even if it wasn't one at the moment.
        However, I suspect that behavior can be removed without harm.

        * runtime/WeakGCMap.h:
        (JSC::WeakGCMap::contains):
        (WeakGCMap): I would rate myself a 6 / 10 in C++.

2013-01-18  Dan Bernstein  <mitz@apple.com>

        Removed duplicate references to two headers in the project files.

        Rubber-stamped by Mark Rowe.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2013-01-18  Michael Saboff  <msaboff@apple.com>

        Unreviewed build fix for building JSC with DFG_ENABLE_DEBUG_PROPAGATION_VERBOSE enabled in DFGCommon.h.
        Fixes the case where the argument node in fixupNode is freed due to the Vector storage being reallocated.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

2013-01-18  Michael Saboff  <msaboff@apple.com>

        Unreviewed build fix for release builds when DFG_ENABLE_DEBUG_PROPAGATION_VERBOSE is set to 1 in DFGCommon.h.

        * dfg/DFGCFAPhase.cpp: Added #include "Operations.h"

2013-01-18  Michael Saboff  <msaboff@apple.com>

        Change set r140201 broke editing/selection/move-by-word-visually-multi-line.html
        https://bugs.webkit.org/show_bug.cgi?id=107340

        Reviewed by Filip Pizlo.

        Due to the change landed in r140201, more nodes might end up
        generating Int32ToDouble nodes.  Therefore, changed the JSVALUE64
        constant path of compileInt32ToDouble() to use the more
        restrictive isInt32Constant() check on the input.  This check was
        the same as the existing ASSERT() so the ASSERT was eliminated.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):

2013-01-18  Viatcheslav Ostapenko  <sl.ostapenko@samsung.com>

        Weak GC maps should be easier to use
        https://bugs.webkit.org/show_bug.cgi?id=107312

        Reviewed by Ryosuke Niwa.

        Build fix for linux platforms after r140194.

        * runtime/WeakGCMap.h:
        (WeakGCMap):

2013-01-18  Michael Saboff  <msaboff@apple.com>

        Harden ArithDiv of integers fix-up by inserting Int32ToDouble node directly
        https://bugs.webkit.org/show_bug.cgi?id=107321

        Reviewed by  Filip Pizlo.

        Split out the Int32ToDouble node insertion from fixDoubleEdge() and used it directly when we're fixing up
        an ArithDiv node with integer inputs and output for platforms that don't have integer division.
        Since we are checking that our inputs should be ints, we can just insert the Int32ToDouble node
        without any further checks.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixDoubleEdge):
        (FixupPhase):
        (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):

2013-01-18  Michael Saboff  <msaboff@apple.com>

        Fix up of ArithDiv nodes for non-x86 CPUs is broken
        https://bugs.webkit.org/show_bug.cgi?id=107309

        Reviewed by  Filip Pizlo.

        Changed the logic so that we insert an Int32ToDouble node when the existing edge is not SpecDouble.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixDoubleEdge):

2013-01-18  Dan Bernstein  <mitz@apple.com>

        Tried to fix the build after r140194.

        * API/JSWrapperMap.mm:
        (-[JSWrapperMap wrapperForObject:]):

2013-01-18  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: Update documentation for JSValue and JSContext
        https://bugs.webkit.org/show_bug.cgi?id=107313

        Reviewed by Geoffrey Garen.

        After changing the semantics of object lifetime we need to update the API documentation to reflect the new semantics.

        * API/APIJSValue.h:
        * API/JSContext.h:

2013-01-18  Balazs Kilvady  <kilvadyb@homejinni.com>

        r134080 causes heap problem on linux systems where PAGESIZE != 4096
        https://bugs.webkit.org/show_bug.cgi?id=102828

        Reviewed by Mark Hahnenberg.

        Make MarkStackSegment::blockSize as the capacity of segments of a MarkStackArray.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
        * heap/MarkStack.cpp:
        (JSC):
        (JSC::MarkStackArray::MarkStackArray):
        (JSC::MarkStackArray::expand):
        (JSC::MarkStackArray::donateSomeCellsTo):
        (JSC::MarkStackArray::stealSomeCellsFrom):
        * heap/MarkStack.h:
        (JSC::MarkStackSegment::data):
        (CapacityFromSize):
        (MarkStackArray):
        * heap/MarkStackInlines.h:
        (JSC::MarkStackArray::setTopForFullSegment):
        (JSC::MarkStackArray::append):
        (JSC::MarkStackArray::isEmpty):
        (JSC::MarkStackArray::size):
        * runtime/Options.h:
        (JSC):

2013-01-18  Geoffrey Garen  <ggaren@apple.com>

        Weak GC maps should be easier to use
        https://bugs.webkit.org/show_bug.cgi?id=107312

        Reviewed by Sam Weinig.

        This patch changes WeakGCMap to not use a WeakImpl finalizer to remove
        items from the map, and to instead have the map automatically remove
        stale items itself upon insertion. This has a few advantages:

        (1) WeakGCMap is now compatible with all the specializations you would
        use for HashMap.

        (2) There's no need for clients to write special finalization munging
        functions.

        (3) Clients can specify custom value finalizers if they like.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: Def!

        * API/JSWeakObjectMapRefPrivate.cpp: Setter no longer requires a global
        data, since we've reduced interdependency.

        * heap/Handle.h: No more need to forward declare, since we've reduced
        interdependency.

        * heap/Weak.h:
        (Weak): Use explicit so we can assign directly to a weak map iterator
        without ambiguity between Weak<T> and PassWeak<T>.

        * runtime/Structure.cpp:
        (JSC::StructureTransitionTable::add): See above.

        * runtime/Structure.h:
        (JSC):
        * runtime/StructureTransitionTable.h:
        (StructureTransitionTable): Bad code goes away, programmer happy.

        * runtime/WeakGCMap.h:
        (JSC):
        (WeakGCMap):
        (JSC::WeakGCMap::WeakGCMap):
        (JSC::WeakGCMap::set):
        (JSC::WeakGCMap::add):
        (JSC::WeakGCMap::find):
        (JSC::WeakGCMap::contains):
        (JSC::WeakGCMap::gcMap):
        (JSC::WeakGCMap::gcMapIfNeeded): Inherit from HashMap and override any
        function that might observe a Weak<T> that has died, just enough to
        make such items appear as if they are not in the table.

2013-01-18  Michael Saboff  <msaboff@apple.com>

        Refactor isPowerOf2() and add getLSBSet()
        https://bugs.webkit.org/show_bug.cgi?id=107306

        Reviewed by Filip Pizlo.

        Moved implementation of isPowerOf2() to new hasOneBitSet() in wtf/MathExtras.h.

        * runtime/PropertyMapHashTable.h:
        (JSC::isPowerOf2):

2013-01-17  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: Clean up JSValue.mm
        https://bugs.webkit.org/show_bug.cgi?id=107163

        Reviewed by Darin Adler.

        m_context is no longer weak, so there is now a lot of dead code in in JSValue.mm, and a wasted message send 
        on every API call.  In the head of just about every method in JSValue.mm we're doing:

        JSContext *context = [self context];
        if (!context)
            return nil;

        This is getting a retained copy of the context, which is no longer necessary now m_context is no longer weak.  
        We can just delete all these lines from all functions doing this, and where they were referring to the local 
        variable 'context', instead we can just access m_context directly.

        Since we're already going to be modifying most of JSValue.mm, we'll also do the following:

        1) context @property is no longer weak – the context property is declared as:

            @property(readonly, weak) JSContext *context;

        This is really only informative (since we're not presently synthesizing the ivar), but it is now misleading. 
        We should change it to:

            @property(readonly, retain) JSContext *context;

        2) the JSContext ivar and accessor can be automatically generated.  Since we're no longer doing anything 
        special with m_context, we can just let the compiler handle the ivar for us.  We'll delete:

            JSContext *m_context;

        and:

            - (JSContext *)context
            {
                return m_context;
        
            }

        and find&replace "m_context" to "_context" in JSValue.mm.

        * API/APIJSValue.h:
        * API/JSValue.mm:
        (-[JSValue toObject]):
        (-[JSValue toBool]):
        (-[JSValue toDouble]):
        (-[JSValue toNumber]):
        (-[JSValue toString]):
        (-[JSValue toDate]):
        (-[JSValue toArray]):
        (-[JSValue toDictionary]):
        (-[JSValue valueForProperty:]):
        (-[JSValue setValue:forProperty:]):
        (-[JSValue deleteProperty:]):
        (-[JSValue hasProperty:]):
        (-[JSValue defineProperty:descriptor:]):
        (-[JSValue valueAtIndex:]):
        (-[JSValue setValue:atIndex:]):
        (-[JSValue isUndefined]):
        (-[JSValue isNull]):
        (-[JSValue isBoolean]):
        (-[JSValue isNumber]):
        (-[JSValue isString]):
        (-[JSValue isObject]):
        (-[JSValue isEqualToObject:]):
        (-[JSValue isEqualWithTypeCoercionToObject:]):
        (-[JSValue isInstanceOf:]):
        (-[JSValue callWithArguments:]):
        (-[JSValue constructWithArguments:]):
        (-[JSValue invokeMethod:withArguments:]):
        (-[JSValue objectForKeyedSubscript:]):
        (-[JSValue setObject:forKeyedSubscript:]):
        (-[JSValue initWithValue:inContext:]):
        (-[JSValue dealloc]):
        (-[JSValue description]):

2013-01-17  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: Clean up JSValue
        https://bugs.webkit.org/show_bug.cgi?id=107156

        Reviewed by Oliver Hunt.

        JSContext m_protectCounts, protect, unprotect are all now unnecessary overhead, and should all be removed.  
        These exist to handle the context going away before the value does; the context needs to be able to unprotect 
        values early.  Since the value is now keeping the context alive there is no longer any danger of this happening; 
        instead we should just protect/unprotect the value in JSValue's init/dealloc methods.

        * API/JSContext.mm:
        (-[JSContext dealloc]):
        * API/JSContextInternal.h:
        * API/JSValue.mm:
        (-[JSValue initWithValue:inContext:]):
        (-[JSValue dealloc]):

2013-01-17  Filip Pizlo  <fpizlo@apple.com>

        DFG Node::ref() and Node::deref() should not return bool, and should have postfixRef variants
        https://bugs.webkit.org/show_bug.cgi?id=107147

        Reviewed by Mark Hahnenberg.
        
        This small refactoring will enable a world where ref() returns Node*, which is useful for
        https://bugs.webkit.org/show_bug.cgi?id=106868.  Also, while this refactoring does lead to
        slightly less terse code, it's also slightly more self-explanatory.  I could never quite
        remember what the meaning of the bool return from ref() and deref() was.

        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::collectGarbage):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::ref):
        (JSC::DFG::Graph::deref):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::ref):
        (Node):
        (JSC::DFG::Node::postfixRef):
        (JSC::DFG::Node::deref):
        (JSC::DFG::Node::postfixDeref):

2013-01-17  Alexey Proskuryakov  <ap@apple.com>

        Added svn:ignore=*.pyc, so that ud_opcode.pyc and ud_optable.pyc don't show up
        in svn stat.

        * disassembler/udis86: Added property svn:ignore.

2013-01-16  Filip Pizlo  <fpizlo@apple.com>

        DFG 32_64 backend doesn't check for hasArrayStorage() in NewArrayWithSize
        https://bugs.webkit.org/show_bug.cgi?id=107081

        Reviewed by Michael Saboff.

        This bug led to the 32_64 backend emitting contiguous allocation code to allocate
        ArrayStorage arrays. This then led to all manner of heap corruption, since
        subsequent array accesses would be accessing the contiguous array "as if" it was
        an arraystorage array.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-01-16  Jonathan Liu  <net147@gmail.com>

        Add missing sys/mman.h include on Mac
        https://bugs.webkit.org/show_bug.cgi?id=98089

        Reviewed by Darin Adler.

        The madvise function and MADV_FREE constant require sys/mman.h.

        * jit/ExecutableAllocatorFixedVMPool.cpp:

2013-01-15  Michael Saboff  <msaboff@apple.com>

        DFG X86: division in the used-as-int case doesn't correctly check for -2^31/-1
        https://bugs.webkit.org/show_bug.cgi?id=106978

        Reviewed by Filip Pizlo.

        Changed the numerator equal to -2^31 check to just return if we expect an integer
        result, since the check is after we have determined that the denominator is -1.
        The int result of -2^31 / -1 is -2^31, so just return the numerator as the result.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIntegerArithDivForX86):

2013-01-15  Levi Weintraub  <leviw@chromium.org>

        Unreviewed, rolling out r139792.
        http://trac.webkit.org/changeset/139792
        https://bugs.webkit.org/show_bug.cgi?id=106970

        Broke the windows build.

        * bytecode/GlobalResolveInfo.h: Removed property svn:mergeinfo.

2013-01-15  Pratik Solanki  <psolanki@apple.com>

        Use MADV_FREE_REUSABLE to return JIT memory to OS
        https://bugs.webkit.org/show_bug.cgi?id=106830
        <rdar://problem/11437701>

        Reviewed by Geoffrey Garen.

        Use MADV_FREE_REUSABLE to return JIT memory on OSes that have the underlying madvise bug
        fixed.

        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::FixedVMPoolExecutableAllocator::notifyPageIsFree):

2013-01-15  Levi Weintraub  <leviw@chromium.org>

        Unreviewed, rolling out r139790.
        http://trac.webkit.org/changeset/139790
        https://bugs.webkit.org/show_bug.cgi?id=106948

        The patch is failing its own test.

        * bytecode/GlobalResolveInfo.h: Removed property svn:mergeinfo.

2013-01-15  Zan Dobersek  <zandobersek@gmail.com>

        [Autotools] Unify JavaScriptCore sources list, regardless of target OS
        https://bugs.webkit.org/show_bug.cgi?id=106007

        Reviewed by Gustavo Noronha Silva.

        Include the Source/JavaScriptCore/jit/ExecutableAllocatorFixedVMPool.cpp target
        in the general sources list as it is guarded by the ENABLE_EXECUTABLE_ALLOCATOR_FIXED
        feature define. This define is only used on 64-bit architecture and indirectly depends
        on enabling either JIT or YARR JIT feature. Both of these defines are disabled on
        Windows OS when using 64-bit architecture so there's no need to add this target to
        sources only when the target OS is Windows.

        * GNUmakefile.list.am:

2013-01-11  Filip Pizlo  <fpizlo@apple.com>

        DFG should not forget that it had proved something to be a constant during a merge just because it's merging against the empty value
        https://bugs.webkit.org/show_bug.cgi?id=106727

        Reviewed by Oliver Hunt.
        
        The problem was this statement:
        
        if (m_value != other.m_value)
            m_value = JSValue();
        
        This is well-intentioned, in the sense that if we want our abstract value (i.e. this) to become the superset of the other
        abstract value, and the two abstract values have proven different constants, then our abstract value should rescind its
        claim that it has been proven to be constant. But this misses the special case that if the other abstract value is
        completely clear (meaning that it wishes to contribute zero information and so the superset operation shouldn't change
        this), it will have a clear m_value. So, the code prior to this patch would rescind the constant proof even though it
        didn't have to.
        
        This comes up rarely and I don't believe it will be a performance win, but it is good to have the CFA been consistently
        precise as often as possible.

        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::merge):

2013-01-11  Filip Pizlo  <fpizlo@apple.com>

        Python implementation reports "MemoryError" instead of doing things
        https://bugs.webkit.org/show_bug.cgi?id=106690

        Reviewed by Oliver Hunt.
        
        The bug was that the CFA was assuming that a variable is dead at the end of a basic block and hence doesn't need to
        be merged to the next block if the last mention of the variable was dead. This is almost correct, except that it
        doesn't work if the last mention is a GetLocal - the GetLocal itself may be dead, but that doesn't mean that the
        variable is dead - it may still be live. The appropriate thing to do is to look at the GetLocal's Phi. If the
        variable is used in the next block then the next block will have a reference to the last mention in our block unless
        that last mention is a GetLocal, in which case it will link to the Phi. Doing it this way captures everything that
        the CFA wants: if the last use is a live GetLocal then the CFA needs to consider the GetLocal itself for possible
        refinements to the proof of the value in the variable, but if the GetLocal is dead, then this must mean that the
        variable is not mentioned in the block but may still be "passed through" it, which is what the Phi will tell us.
        Note that it is not possible for the GetLocal to refer to anything other than a Phi, and it is also not possible
        for the last mention of a variable to be a dead GetLocal while there are other mentions that aren't dead - if
        there had been SetLocals or GetLocals prior to the dead one then the dead one wouldn't have been emitted by the
        parser.
        
        This also fixes a similar bug in the handling of captured variables. If a variable is captured, then it doesn't
        matter if the last mention is dead, or not. Either way, we already know that a captured variable will be live in
        the next block, so we must merge it no matter what.
        
        Finally, this change makes the output of Operands dumping a bit more verbose: it now prints the variable name next
        to each variable's dump. I've often found the lack of this information confusing particularly for operand dumps
        that involve a lot of variables.

        * bytecode/Operands.h:
        (JSC::dumpOperands):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::mergeStateAtTail):

2013-01-14  Roger Fong  <roger_fong@apple.com>

        Unreviewed. Fix vcproj file. Missing file tag after http://trac.webkit.org/changeset/139541.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:

2013-01-13  Filip Pizlo  <fpizlo@apple.com>

        DFG phases that store per-node information should store it in Node itself rather than using a secondary vector
        https://bugs.webkit.org/show_bug.cgi?id=106753

        Reviewed by Geoffrey Garen.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::AbstractState):
        (JSC::DFG::AbstractState::beginBasicBlock):
        (JSC::DFG::AbstractState::dump):
        * dfg/DFGAbstractState.h:
        (JSC::DFG::AbstractState::forNode):
        (AbstractState):
        * dfg/DFGCFGSimplificationPhase.cpp:
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::CSEPhase):
        (JSC::DFG::CSEPhase::performSubstitution):
        (JSC::DFG::CSEPhase::setReplacement):
        (CSEPhase):
        * dfg/DFGNode.h:
        (Node):

2013-01-12  Tim Horton  <timothy_horton@apple.com>

        Unreviewed build fix.

        * API/JSBlockAdaptor.mm:
        * API/JSContext.mm:
        * API/JSValue.mm:

2013-01-12  Csaba Osztrogonác  <ossy@webkit.org>

        Unreviewed 64 bit buildfix after r139496.

        * dfg/DFGOperations.cpp:

2013-01-11  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, speculative build fix.

        * API/JSWrapperMap.mm:

2013-01-10  Filip Pizlo  <fpizlo@apple.com>

        JITThunks should not compile only because of luck
        https://bugs.webkit.org/show_bug.cgi?id=105696

        Rubber stamped by Sam Weinig and Geoffrey Garen.
        
        This patch was supposed to just move JITThunks into its own file. But then I
        realized that there is a horrible circular dependency chain between JSCell,
        JSGlobalData, CallFrame, and Weak, which only works because of magical include
        order in JITStubs.h, and the fact that JSGlobalData.h includes JITStubs.h
        before it includes JSCell or JSValue.
        
        I first tried to just get JITThunks.h to just magically do the same pointless
        includes that JITStubs.h had, but then I decided to actually fix the underflying
        problem, which was that JSCell needed CallFrame, CallFrame needed JSGlobalData,
        JSGlobalData needed JITThunks, JITThunks needed Weak, and Weak needed JSCell.
        Now, all of JSCell's outgoing dependencies are placed in JSCellInlines.h. This
        also gave me an opportunity to move JSValue inline methods from JSCell.h into
        JSValueInlines.h. But to make this really work, I needed to remove includes of
        *Inlines.h from other headers (CodeBlock.h for example included JSValueInlines.h,
        which defeats the whole entire purpose of having an Inlines.h file), and I needed
        to add includes of *Inlines.h into a bunch of .cpp files. I did this mostly by
        having .cpp files include Operations.h. In future, if you're adding a .cpp file
        to JSC, you'll almost certainly have to include Operations.h unless you enjoy
        link errors.

        * API/JSBase.cpp:
        * API/JSCallbackConstructor.cpp:
        * API/JSCallbackFunction.cpp:
        * API/JSCallbackObject.cpp:
        * API/JSClassRef.cpp:
        * API/JSContextRef.cpp:
        * API/JSObjectRef.cpp:
        * API/JSScriptRef.cpp:
        * API/JSWeakObjectMapRefPrivate.cpp:
        * JSCTypedArrayStubs.h:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/ArrayAllocationProfile.cpp:
        * bytecode/CodeBlock.cpp:
        * bytecode/GetByIdStatus.cpp:
        * bytecode/LazyOperandValueProfile.cpp:
        * bytecode/ResolveGlobalStatus.cpp:
        * bytecode/SpeculatedType.cpp:
        * bytecode/UnlinkedCodeBlock.cpp:
        * bytecompiler/BytecodeGenerator.cpp:
        * debugger/Debugger.cpp:
        * debugger/DebuggerActivation.cpp:
        * debugger/DebuggerCallFrame.cpp:
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        * dfg/DFGArrayMode.cpp:
        * dfg/DFGByteCodeParser.cpp:
        * dfg/DFGConstantFoldingPhase.cpp:
        * dfg/DFGDriver.cpp:
        * dfg/DFGFixupPhase.cpp:
        * dfg/DFGGraph.cpp:
        * dfg/DFGJITCompiler.cpp:
        * dfg/DFGOSREntry.cpp:
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        * dfg/DFGOSRExitCompiler64.cpp:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
        (DFG):
        (JSC::DFG::SpeculativeJIT::silentSavePlanForFPR):
        (JSC::DFG::SpeculativeJIT::silentSpill):
        (JSC::DFG::SpeculativeJIT::silentFill):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        * dfg/DFGSpeculativeJIT64.cpp:
        * dfg/DFGStructureCheckHoistingPhase.cpp:
        * dfg/DFGVariableEventStream.cpp:
        * heap/CopiedBlock.h:
        * heap/CopiedSpace.cpp:
        * heap/HandleSet.cpp:
        * heap/Heap.cpp:
        * heap/HeapStatistics.cpp:
        * heap/SlotVisitor.cpp:
        * heap/WeakBlock.cpp:
        * interpreter/CallFrame.cpp:
        * interpreter/CallFrame.h:
        * jit/ClosureCallStubRoutine.cpp:
        * jit/GCAwareJITStubRoutine.cpp:
        * jit/JIT.cpp:
        * jit/JITArithmetic.cpp:
        * jit/JITArithmetic32_64.cpp:
        * jit/JITCall.cpp:
        * jit/JITCall32_64.cpp:
        * jit/JITCode.h:
        * jit/JITExceptions.cpp:
        * jit/JITStubs.h:
        * jit/JITThunks.h:
        * jsc.cpp:
        * llint/LLIntExceptions.cpp:
        * profiler/LegacyProfiler.cpp:
        * profiler/ProfileGenerator.cpp:
        * profiler/ProfilerBytecode.cpp:
        * profiler/ProfilerBytecodeSequence.cpp:
        * profiler/ProfilerBytecodes.cpp:
        * profiler/ProfilerCompilation.cpp:
        * profiler/ProfilerCompiledBytecode.cpp:
        * profiler/ProfilerDatabase.cpp:
        * profiler/ProfilerOSRExit.cpp:
        * profiler/ProfilerOSRExitSite.cpp:
        * profiler/ProfilerOrigin.cpp:
        * profiler/ProfilerOriginStack.cpp:
        * profiler/ProfilerProfiledBytecodes.cpp:
        * runtime/ArgList.cpp:
        * runtime/Arguments.cpp:
        * runtime/ArrayConstructor.cpp:
        * runtime/BooleanConstructor.cpp:
        * runtime/BooleanObject.cpp:
        * runtime/BooleanPrototype.cpp:
        * runtime/CallData.cpp:
        * runtime/CodeCache.cpp:
        * runtime/Completion.cpp:
        * runtime/ConstructData.cpp:
        * runtime/DateConstructor.cpp:
        * runtime/DateInstance.cpp:
        * runtime/DatePrototype.cpp:
        * runtime/Error.cpp:
        * runtime/ErrorConstructor.cpp:
        * runtime/ErrorInstance.cpp:
        * runtime/ErrorPrototype.cpp:
        * runtime/ExceptionHelpers.cpp:
        * runtime/Executable.cpp:
        * runtime/FunctionConstructor.cpp:
        * runtime/FunctionPrototype.cpp:
        * runtime/GetterSetter.cpp:
        * runtime/Identifier.cpp:
        * runtime/InternalFunction.cpp:
        * runtime/JSActivation.cpp:
        * runtime/JSBoundFunction.cpp:
        * runtime/JSCell.cpp:
        * runtime/JSCell.h:
        (JSC):
        * runtime/JSCellInlines.h: Added.
        (JSC):
        (JSC::JSCell::JSCell):
        (JSC::JSCell::finishCreation):
        (JSC::JSCell::structure):
        (JSC::JSCell::visitChildren):
        (JSC::allocateCell):
        (JSC::isZapped):
        (JSC::JSCell::isObject):
        (JSC::JSCell::isString):
        (JSC::JSCell::isGetterSetter):
        (JSC::JSCell::isProxy):
        (JSC::JSCell::isAPIValueWrapper):
        (JSC::JSCell::setStructure):
        (JSC::JSCell::methodTable):
        (JSC::JSCell::inherits):
        (JSC::JSCell::fastGetOwnPropertySlot):
        (JSC::JSCell::fastGetOwnProperty):
        (JSC::JSCell::toBoolean):
        * runtime/JSDateMath.cpp:
        * runtime/JSFunction.cpp:
        * runtime/JSFunction.h:
        (JSC):
        * runtime/JSGlobalData.h:
        (JSC):
        (JSGlobalData):
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObjectFunctions.cpp:
        * runtime/JSLock.cpp:
        * runtime/JSNameScope.cpp:
        * runtime/JSNotAnObject.cpp:
        * runtime/JSONObject.cpp:
        * runtime/JSObject.h:
        (JSC):
        * runtime/JSProxy.cpp:
        * runtime/JSScope.cpp:
        * runtime/JSSegmentedVariableObject.cpp:
        * runtime/JSString.h:
        (JSC):
        * runtime/JSStringJoiner.cpp:
        * runtime/JSSymbolTableObject.cpp:
        * runtime/JSValue.cpp:
        * runtime/JSValueInlines.h:
        (JSC::JSValue::toInt32):
        (JSC::JSValue::toUInt32):
        (JSC):
        (JSC::JSValue::isUInt32):
        (JSC::JSValue::asUInt32):
        (JSC::JSValue::asNumber):
        (JSC::jsNaN):
        (JSC::JSValue::JSValue):
        (JSC::JSValue::encode):
        (JSC::JSValue::decode):
        (JSC::JSValue::operator bool):
        (JSC::JSValue::operator==):
        (JSC::JSValue::operator!=):
        (JSC::JSValue::isEmpty):
        (JSC::JSValue::isUndefined):
        (JSC::JSValue::isNull):
        (JSC::JSValue::isUndefinedOrNull):
        (JSC::JSValue::isCell):
        (JSC::JSValue::isInt32):
        (JSC::JSValue::isDouble):
        (JSC::JSValue::isTrue):
        (JSC::JSValue::isFalse):
        (JSC::JSValue::tag):
        (JSC::JSValue::payload):
        (JSC::JSValue::asInt32):
        (JSC::JSValue::asDouble):
        (JSC::JSValue::asCell):
        (JSC::JSValue::isNumber):
        (JSC::JSValue::isBoolean):
        (JSC::JSValue::asBoolean):
        (JSC::reinterpretDoubleToInt64):
        (JSC::reinterpretInt64ToDouble):
        (JSC::JSValue::isString):
        (JSC::JSValue::isPrimitive):
        (JSC::JSValue::isGetterSetter):
        (JSC::JSValue::isObject):
        (JSC::JSValue::getString):
        (JSC::::getString):
        (JSC::JSValue::getObject):
        (JSC::JSValue::getUInt32):
        (JSC::JSValue::toPrimitive):
        (JSC::JSValue::getPrimitiveNumber):
        (JSC::JSValue::toNumber):
        (JSC::JSValue::toObject):
        (JSC::JSValue::isFunction):
        (JSC::JSValue::inherits):
        (JSC::JSValue::toThisObject):
        (JSC::JSValue::get):
        (JSC::JSValue::put):
        (JSC::JSValue::putByIndex):
        (JSC::JSValue::structureOrUndefined):
        (JSC::JSValue::equal):
        (JSC::JSValue::equalSlowCaseInline):
        (JSC::JSValue::strictEqualSlowCaseInline):
        (JSC::JSValue::strictEqual):
        * runtime/JSVariableObject.cpp:
        * runtime/JSWithScope.cpp:
        * runtime/JSWrapperObject.cpp:
        * runtime/LiteralParser.cpp:
        * runtime/Lookup.cpp:
        * runtime/NameConstructor.cpp:
        * runtime/NameInstance.cpp:
        * runtime/NamePrototype.cpp:
        * runtime/NativeErrorConstructor.cpp:
        * runtime/NativeErrorPrototype.cpp:
        * runtime/NumberConstructor.cpp:
        * runtime/NumberObject.cpp:
        * runtime/ObjectConstructor.cpp:
        * runtime/ObjectPrototype.cpp:
        * runtime/Operations.h:
        (JSC):
        * runtime/PropertySlot.cpp:
        * runtime/RegExp.cpp:
        * runtime/RegExpCache.cpp:
        * runtime/RegExpCachedResult.cpp:
        * runtime/RegExpConstructor.cpp:
        * runtime/RegExpMatchesArray.cpp:
        * runtime/RegExpObject.cpp:
        * runtime/RegExpPrototype.cpp:
        * runtime/SmallStrings.cpp:
        * runtime/SparseArrayValueMap.cpp:
        * runtime/StrictEvalActivation.cpp:
        * runtime/StringConstructor.cpp:
        * runtime/StringObject.cpp:
        * runtime/StringRecursionChecker.cpp:
        * runtime/Structure.h:
        (JSC):
        * runtime/StructureChain.cpp:
        * runtime/TimeoutChecker.cpp:
        * testRegExp.cpp:

2013-01-11  Filip Pizlo  <fpizlo@apple.com>

        If you use Phantom to force something to be live across an OSR exit, you should put it after the OSR exit
        https://bugs.webkit.org/show_bug.cgi?id=106724

        Reviewed by Oliver Hunt.
        
        In cases where we were getting it wrong, I think it was benign because we would either already have an
        OSR exit prior to there, or the operand would be a constant.  But still, it's good to get this right.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):

2013-01-11  Filip Pizlo  <fpizlo@apple.com>

        Phantom(GetLocal) should be treated as relevant to OSR
        https://bugs.webkit.org/show_bug.cgi?id=106715

        Reviewed by Mark Hahnenberg.

        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performBlockCSE):

2013-01-11  Pratik Solanki  <psolanki@apple.com>

        Fix function name typo ProgramExecutable::initalizeGlobalProperties()
        https://bugs.webkit.org/show_bug.cgi?id=106701

        Reviewed by Geoffrey Garen.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        * runtime/Executable.cpp:
        (JSC::ProgramExecutable::initializeGlobalProperties):
        * runtime/Executable.h:

2013-01-11  Mark Hahnenberg  <mhahnenberg@apple.com>

        testapi is failing with a block-related error in the Objc API
        https://bugs.webkit.org/show_bug.cgi?id=106055

        Reviewed by Filip Pizlo.

        Same bug as in testapi.mm. We need to actually call the static block, rather than casting the block to a bool.

        * API/ObjCCallbackFunction.mm:
        (blockSignatureContainsClass):

2013-01-11  Filip Pizlo  <fpizlo@apple.com>

        Add a run-time option to print bytecode at DFG compile time
        https://bugs.webkit.org/show_bug.cgi?id=106704

        Reviewed by Mark Hahnenberg.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        * runtime/Options.h:
        (JSC):

2013-01-11  Filip Pizlo  <fpizlo@apple.com>

        It should be possible to enable verbose printing of each OSR exit at run-time (rather than compile-time) and it should print register state
        https://bugs.webkit.org/show_bug.cgi?id=106700

        Reviewed by Mark Hahnenberg.

        * dfg/DFGAssemblyHelpers.h:
        (DFG):
        (JSC::DFG::AssemblyHelpers::debugCall):
        * dfg/DFGCommon.h:
        * dfg/DFGOSRExit.h:
        (DFG):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * runtime/Options.h:
        (JSC):

2013-01-11  Geoffrey Garen  <ggaren@apple.com>

        Removed getDirectLocation and offsetForLocation and all their uses
        https://bugs.webkit.org/show_bug.cgi?id=106692

        Reviewed by Filip Pizlo.

        getDirectLocation() and its associated offsetForLocation() relied on
        detailed knowledge of the rules of PropertyOffset, JSObject, and
        Structure, which is a hard thing to reverse-engineer reliably. Luckily,
        it wasn't needed, and all clients either wanted a true value or a
        PropertyOffset. So, I refactored accordingly.

        * dfg/DFGOperations.cpp: Renamed putDirectOffset to putDirect, to clarify
        that we are not putting an offset.

        * runtime/JSActivation.cpp:
        (JSC::JSActivation::getOwnPropertySlot): Get a value instead of a value
        pointer, since we never wanted a pointer to begin with.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getOwnPropertySlot): Use a PropertyOffset instead of a pointer,
        so we don't have to reverse-engineer the offset from the pointer.

        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        (JSC::JSObject::resetInheritorID):
        (JSC::JSObject::inheritorID):
        (JSC::JSObject::removeDirect):
        (JSC::JSObject::fillGetterPropertySlot):
        (JSC::JSObject::getOwnPropertyDescriptor): Renamed getDirectOffset and
        putDirectOffset, as explaind above. We want to use the name "getDirectOffset"
        for when the thing you're getting is the offset.

        * runtime/JSObject.h:
        (JSC::JSObject::getDirect):
        (JSC::JSObject::getDirectOffset): Changed getDirectLocation to getDirectOffset,
        since clients really wants PropertyOffsets and not locations.

        (JSObject::offsetForLocation): Removed this function because it was hard
        to get right.

        (JSC::JSObject::putDirect):
        (JSC::JSObject::putDirectUndefined):
        (JSC::JSObject::inlineGetOwnPropertySlot):
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::putDirectWithoutTransition):
        * runtime/JSScope.cpp:
        (JSC::executeResolveOperations):
        (JSC::JSScope::resolvePut):
        * runtime/JSValue.cpp:
        (JSC::JSValue::putToPrimitive): Updated for renames.

        * runtime/Lookup.cpp:
        (JSC::setUpStaticFunctionSlot): Use a PropertyOffset instead of a pointer,
        so we don't have to reverse-engineer the offset from the pointer.

        * runtime/Structure.cpp:
        (JSC::Structure::flattenDictionaryStructure): Updated for renames.

2013-01-11  Geoffrey Garen  <ggaren@apple.com>

        Removed an unused version of getDirectLocation
        https://bugs.webkit.org/show_bug.cgi?id=106691

        Reviewed by Gavin Barraclough.

        getDirectLocation is a weird operation. Removing the unused version is
        the easy part.

        * runtime/JSObject.h:
        (JSObject):

2013-01-11  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C objects that are passed to JavaScript leak (until the JSContext is destroyed)
        https://bugs.webkit.org/show_bug.cgi?id=106056

        Reviewed by Darin Adler.

        * API/APIJSValue.h:
        * API/JSValue.mm: Make the reference to the JSContext strong.
        (-[JSValue context]):
        (-[JSValue initWithValue:inContext:]):
        (-[JSValue dealloc]):
        * API/JSWrapperMap.mm: Make the reference back from wrappers to Obj-C objects weak instead of strong.
        Also add an explicit WeakGCMap in the JSWrapperMap rather than using Obj-C associated object API which 
        was causing memory leaks.
        (wrapperClass):
        (-[JSObjCClassInfo wrapperForObject:]):
        (-[JSWrapperMap initWithContext:]):
        (-[JSWrapperMap dealloc]):
        (-[JSWrapperMap wrapperForObject:]):

2013-01-11  Geoffrey Garen  <ggaren@apple.com>

        Fixed some bogus PropertyOffset ASSERTs
        https://bugs.webkit.org/show_bug.cgi?id=106686

        Reviewed by Gavin Barraclough.

        The ASSERTs were passing a JSType instead of an inlineCapacity, due to
        an incomplete refactoring.

        The compiler didn't catch this because both types are int underneath.

        * runtime/JSObject.h:
        (JSC::JSObject::getDirect):
        (JSC::JSObject::getDirectLocation):
        (JSC::JSObject::offsetForLocation):
        * runtime/Structure.cpp:
        (JSC::Structure::addPropertyTransitionToExistingStructure): Validate against
        our inline capacity, as we intended.

2013-01-11  Geoffrey Garen  <ggaren@apple.com>

        Rename propertyOffsetFor => offsetForPropertyNumber
        https://bugs.webkit.org/show_bug.cgi?id=106685

        Reviewed by Gavin Barraclough.

        Since the argument is just a typedef and not an object, I wanted to clarify the meaning.

        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::nextOffset): Updated for rename.

        * runtime/PropertyOffset.h:
        (JSC::offsetForPropertyNumber): Renamed. Also changed some PropertyOffset variables
        to plain ints, because they're not actually on the PropertyOffsets number line.

        * runtime/Structure.cpp:
        (JSC::Structure::flattenDictionaryStructure):
        * runtime/Structure.h:
        (JSC::Structure::lastValidOffset): Updated for rename.

2013-01-10  Zan Dobersek  <zandobersek@gmail.com>

        Remove the ENABLE_ANIMATION_API feature define occurences
        https://bugs.webkit.org/show_bug.cgi?id=106544

        Reviewed by Simon Fraser.

        The Animation API code was removed in r137243. The ENABLE_ANIMATION_API
        feature define handling still lingers in various build systems and configurations
        but is of no use, so it should be removed.

        * Configurations/FeatureDefines.xcconfig:

2013-01-09  Roger Fong  <roger_fong@apple.com>

        Unreviewed. Just move the JavaScriptCore exports file around in the vcproj to make things clearer.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:

2013-01-09  Filip Pizlo  <fpizlo@apple.com>

        Dont use a node reference after appending to the graph.
        https://bugs.webkit.org/show_bug.cgi?id=103305
        <rdar://problem/12753096>

        Reviewed by Mark Hahnenberg.

        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):

2013-01-09  Roger Fong  <roger_fong@apple.com>

        Rename export files to make them more easily findable.
        https://bugs.webkit.org/show_bug.cgi?id=98695.

        Reviewed by Timothy Horton.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Removed.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreCommon.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: Copied from Source/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def.

2013-01-09  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix make distcheck.

        * GNUmakefile.list.am: Add mips.rb to offlineasm_nosources.

2013-01-08  Oliver Hunt  <oliver@apple.com>

        Support op_typeof in the DFG
        https://bugs.webkit.org/show_bug.cgi?id=98898

        Reviewed by Filip Pizlo.

        Adds a TypeOf node to the DFG to support op_typeof.

        To avoid adding too much GC horror, this also makes the
        common strings portion of the SmallString cache strongly
        referenced.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
          We try to determine the result early here, and substitute in a constant.
          Otherwise we leave the node intact, and set the result type to SpecString.
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
          Parse op_typeof
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
          TypeOf nodes can be subjected to pure CSE
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
          We can handle typeof.
        * dfg/DFGNodeType.h:
        (DFG):
          Define the node.
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
          Add operationTypeOf to support the non-trivial cases.
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
          Actual codegen
        * runtime/Operations.cpp:
        (JSC::jsTypeStringForValue):
        (JSC):
        * runtime/Operations.h:
        (JSC):
          Some refactoring to allow us to get the type string for an
          object without needing a callframe.


2013-01-08  Filip Pizlo  <fpizlo@apple.com>

        DFG shouldn't treat the 'this' argument as being captured if a code block uses arguments
        https://bugs.webkit.org/show_bug.cgi?id=106398
        <rdar://problem/12439776>

        Reviewed by Mark Hahnenberg.
        
        This is a possible optimization for inlined calls, and fixes crashes for inlined constructors, in the case
        that the inlined code used arguments. The problem was that assuming that 'this' was captured implies the
        assumption that it was initialized by the caller, which is wrong for constructors and this.
        
        Also added a pretty essential DFG IR validation rule: we shouldn't have any live locals at the top of the
        root block. This helps to catch this bug: our assumption that 'this' was captured in an inlined constructor
        that used arguments led to liveness for the temporary that would have held 'this' in the caller being
        propagated all the way up to the entrypoint of the function.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::isCaptured):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validate):
        (JSC::DFG::Validate::reportValidationContext):
        (Validate):
        (JSC::DFG::Validate::dumpGraphIfAppropriate):

2013-01-08  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION (r138921): Crash in JSC::Arguments::create
        https://bugs.webkit.org/show_bug.cgi?id=106329
        <rdar://problem/12974196>

        Reviewed by Mark Hahnenberg.
        
        Arguments::finishCreation() that takes an InlineCallFrame* needs to understand that the callee can
        be unset, indicating that the callee needs to be loaded from the true call frame. This adds a
        method to InlineCallFrame to do just that.

        * bytecode/CodeOrigin.cpp:
        (JSC::InlineCallFrame::calleeForCallFrame):
        * bytecode/CodeOrigin.h:
        (InlineCallFrame):
        * runtime/Arguments.h:
        (JSC::Arguments::finishCreation):

2013-01-08  Filip Pizlo  <fpizlo@apple.com>

        DFG initrinsic handling should ensure that we backwards propagate the fact that all operands may escape
        https://bugs.webkit.org/show_bug.cgi?id=106365

        Reviewed by Mark Hahnenberg.
        
        Use the fact that Phantom means that things escaped, and just insert Phantoms for all
        of the operands.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleCall):

2013-01-08  Filip Pizlo  <fpizlo@apple.com>

        If array allocation profiling causes a new_array to allocate double arrays, then the holes should end up being correctly initialized
        https://bugs.webkit.org/show_bug.cgi?id=106363

        Reviewed by Mark Hahnenberg.

        * runtime/JSArray.h:
        (JSC::JSArray::tryCreateUninitialized):

2013-01-07  Filip Pizlo  <fpizlo@apple.com>

        DFG should backwards-propagate NodeUsedAsValue for Phantom
        https://bugs.webkit.org/show_bug.cgi?id=106299

        Reviewed by Mark Hahnenberg.
        
        This is currently benign because Phantom is only inserted by the bytecode parser for
        things that already happen to be used in contexts that backwards propagate
        NodeUsedAsValue. But that doesn't change the fact that the semantics of Phantom are
        that the value can be arbitrarily used by the baseline JIT.

        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):

2013-01-07  Filip Pizlo  <fpizlo@apple.com>

        Rationalize closure call heuristics and profiling
        https://bugs.webkit.org/show_bug.cgi?id=106270

        Reviewed by Oliver Hunt.
        
        Did a number of things:
        
        - CallLinkInfo now remembers if it was ever a closure call, and CallLinkStatus uses
          this. Reduces the likelihood that we will inline a closure call as if it was a
          normal call.
        
        - Made InlineCallFrame print inferred function names, and refactored
          CodeBlock::inferredName() to better use FunctionExecutable's API.
        
        - Made bytecode dumping print frequent exit sites that led to recompilation.
        
        - Made bytecode dumping for op_call and op_construct print what the CallLinkStatus
          saw.
        
        * bytecode/CallLinkInfo.h:
        (JSC::CallLinkInfo::CallLinkInfo):
        (CallLinkInfo):
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFor):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::inferredName):
        (JSC::CodeBlock::dumpBytecodeCommentAndNewLine):
        (JSC::CodeBlock::printCallOp):
        * bytecode/CodeOrigin.cpp:
        (JSC::CodeOrigin::dump):
        (JSC::InlineCallFrame::inferredName):
        (JSC):
        (JSC::InlineCallFrame::dumpBriefFunctionInformation):
        (JSC::InlineCallFrame::dump):
        * bytecode/CodeOrigin.h:
        (InlineCallFrame):
        * bytecode/DFGExitProfile.cpp:
        (JSC::DFG::ExitProfile::exitSitesFor):
        (DFG):
        * bytecode/DFGExitProfile.h:
        (ExitProfile):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):

2013-01-07  Ryosuke Niwa  <rniwa@webkit.org>

        Sorted the xcodeproj file.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2013-01-07  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, it should be possible to build JSC on ARM.

        * API/JSBase.h:
        * jit/JITStubs.cpp:
        (JSC::performPlatformSpecificJITAssertions):
        (JSC):
        * jit/JITStubs.h:
        (JSC):
        * jit/JITThunks.cpp:
        (JSC::JITThunks::JITThunks):
        * jit/JITThunks.h:
        (JITThunks):
        * offlineasm/armv7.rb:
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):

2013-01-07  Balazs Kilvady  <kilvadyb@homejinni.com>

        MIPS LLInt implementation.
        https://bugs.webkit.org/show_bug.cgi?id=99706

        Reviewed by Filip Pizlo.

        LLInt implementation for MIPS.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::jump):
        * dfg/DFGOperations.cpp:
        (JSC):
        * jit/JITStubs.cpp:
        (JSC):
        * jit/JITStubs.h:
        (JITStackFrame):
        * llint/LLIntOfflineAsmConfig.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * offlineasm/backends.rb:
        * offlineasm/instructions.rb:
        * offlineasm/mips.rb: Added.

2013-01-07  Mark Hahnenberg  <mhahnenberg@apple.com>

        testapi is failing with a block-related error in the Objc API
        https://bugs.webkit.org/show_bug.cgi?id=106055

        Reviewed by Geoffrey Garen.

        Casting a block to a bool will always return true, which isn't the behavior that is intended here.
        Instead we need to call the block, but C semantics don't allow this, so we need to change 
        testapi.m to be Objective-C++ and therefore testapi.mm.

        * API/tests/testapi.m: Removed.
        * API/tests/testapi.mm: Copied from Source/JavaScriptCore/API/tests/testapi.m.
        (blockSignatureContainsClass):
        * JavaScriptCore.xcodeproj/project.pbxproj:

2013-01-06  Filip Pizlo  <fpizlo@apple.com>

        Simplify slow case profiling
        https://bugs.webkit.org/show_bug.cgi?id=106208

        Reviewed by Mark Rowe.
        
        Removing the minimum execution ratio portion of slow case profiling, which allows
        the removal of a field from CodeBlock. This appears to be performance neutral,
        implying that the complexity incurred by the previous heuristic was purely
        harmful: it made the code more complicated, and it made CodeBlock larger, without
        resulting in any measurable benefits.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::likelyToTakeSlowCase):
        (JSC::CodeBlock::couldTakeSlowCase):
        (JSC::CodeBlock::likelyToTakeSpecialFastCase):
        (JSC::CodeBlock::couldTakeSpecialFastCase):
        (JSC::CodeBlock::likelyToTakeDeepestSlowCase):
        (JSC::CodeBlock::likelyToTakeAnySlowCase):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * runtime/Options.h:

2013-01-05  Filip Pizlo  <fpizlo@apple.com>

        DFG should inline closure calls
        https://bugs.webkit.org/show_bug.cgi?id=106067

        Reviewed by Gavin Barraclough.
        
        This adds initial support for inlining closure calls to the DFG. A call is considered
        to be a closure call when the JSFunction* varies, but always has the same executable.
        We already have closure call inline caching in both JITs, which works by checking that
        the callee has an expected structure (as a cheap way of detecting that it is in fact
        a JSFunction) and an expected executable. Closure call inlining uses profiling data
        aggregated by CallLinkStatus to decide when to specialize the call to the particular
        structure/executable, and inline the call rather than emitting a call sequence. When
        we choose to do a closure inline rather than an ordinary inline, a number of things
        change about how inlining is performed:
        
        - The inline is guarded by a CheckStructure/CheckExecutable rather than a
          CheckFunction.
        
        - Instead of propagating a constant value for the scope, we emit GetMyScope every time
          that the scope is needed, which loads the scope from a local variable. We do similar
          things for the callee.
        
        - The prologue of the inlined code includes SetMyScope and SetCallee nodes to eagerly
          plant the scope and callee into the "true call frame", i.e. the place on the stack
          where the call frame would have been if the call had been actually performed. This
          allows GetMyScope/GetCallee to work as they would if the code wasn't inlined. It
          also allows for trivial handling of scope and callee for call frame reconstruction
          upon stack introspection and during OSR.
        
        - A new node called GetScope is introduced, which just gets the scope of a function.
          This node has the expected CSE support. This allows for the
          SetMyScope(GetScope(@function)) sequence to set up the scope in the true call frame.
        
        - GetMyScope/GetCallee CSE can match against SetMyScope/SetCallee, which means that
          the GetMyScope/GetCallee nodes emitted during parsing are often removed during CSE,
          if we can prove that it is safe to do so.
        
        - Inlining heuristics are adjusted to grok the cost of inlining a closure. We are
          less likely to inline a closure call than we are to inline a normal call, since we
          end up emitting more code for closures due to CheckStructure, CheckExecutable,
          GetScope, SetMyScope, and SetCallee.
        
        Additionally, I've fixed the VariableEventStream to ensure that we don't attempt to
        plant Undefined into the true call frames. This was previously a harmless oversight,
        but it becomes quite bad if OSR is relying on the scope/callee already having been
        set and not subsequently clobbered by the OSR itself.
        
        This is a ~60% speed-up on programs that frequently make calls to closures. It's
        neutral on V8v7 and other major benchmark suites.
        
        The lack of a definite speed-up is likely due the fact that closure inlining currently
        does not do any cardinality [1] optimizations. We don't observe when a closure was
        constructed within its caller, and so used the scope from its caller; and furthermore
        we have no facility to detect when the scope is single. All scoped variable accesses
        are assumed to be multiple instead. A subsequent step will be to ensure that closure
        call inlining will be single and loving it.
        
        [1] Single and loving it: Must-alias analysis for higher-order languages. Suresh
            Jagannathan, Peter Thiemann, Stephen Weeks, and Andrew Wright. In POPL '98.

        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::dump):
        * bytecode/CallLinkStatus.h:
        (JSC::CallLinkStatus::isClosureCall):
        (CallLinkStatus):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::globalObjectFor):
        (JSC):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        * bytecode/CodeOrigin.cpp:
        (JSC::InlineCallFrame::dump):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (ByteCodeParser):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::emitFunctionChecks):
        (JSC::DFG::ByteCodeParser::handleInlining):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::pureCSE):
        (CSEPhase):
        (JSC::DFG::CSEPhase::getCalleeLoadElimination):
        (JSC::DFG::CSEPhase::checkExecutableElimination):
        (JSC::DFG::CSEPhase::getMyScopeLoadElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::mightInlineFunctionForClosureCall):
        * dfg/DFGCapabilities.h:
        (DFG):
        (JSC::DFG::mightInlineFunctionForClosureCall):
        (JSC::DFG::canInlineFunctionForClosureCall):
        (JSC::DFG::canInlineFunctionFor):
        * dfg/DFGNode.h:
        (Node):
        (JSC::DFG::Node::hasExecutable):
        (JSC::DFG::Node::executable):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGVariableEventStream.cpp:
        (JSC::DFG::VariableEventStream::reconstruct):
        * runtime/Options.h:
        (JSC):

2013-01-05  Filip Pizlo  <fpizlo@apple.com>

        Data flow paths that carry non-numbers, non-undefined, non-null values should not cause subtractions and arithmetic additions (i.e. ++) to speculate double
        https://bugs.webkit.org/show_bug.cgi?id=106190

        Reviewed by Sam Weinig.
        
        The problem is that the DFG logic for deciding when to speculate integer was
        confusing the special case of ValueAdd (where non-numeric values should cause us
        to not speculate integer, because we want to fall off into the generic case) with
        the more normal case of ArithAdd and ArithSub (where we want to speculate integer
        unless we have evidence that the operands are doubles, since the DFG doesn't have
        generic handling of non-numeric arithmetic). Prior to this change doing a - b where
        either a or b were possibly non-numeric would always force the subtraction to be
        done using doubles.

        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::addSpeculationMode):
        (Graph):
        (JSC::DFG::Graph::valueAddSpeculationMode):
        (JSC::DFG::Graph::arithAddSpeculationMode):
        (JSC::DFG::Graph::addImmediateShouldSpeculateInteger):

2013-01-04  Filip Pizlo  <fpizlo@apple.com>

        DFG should trust array profiling over value profiling
        https://bugs.webkit.org/show_bug.cgi?id=106155

        Reviewed by Gavin Barraclough.
        
        The real problem is that prediction propagation is not flow-sensitive. We had code
        like:
        
        var a = (some load from memory); // returns either an array or false
        if (a)
            a[i] = v;
        
        Because 'a' could be 'false', we were emitting a fully generic unoptimized PutByVal.
        This patch changes ArrayMode to ignore the type of the base of an array access, if
        array profiling tells us that the array access can be optimized.
        
        In the future, we could probably make this work even better with some flow
        sensitivity in the prediction propagator, but I also tend to think that this is a
        more robust overall solution. If we ever did want to support array accesses on
        array-or-false then we should change the array profiler to be able to tell us that
        this is what is going on.
        
        3.7% speed-up on V8/earley.

        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine):

2013-01-04  Filip Pizlo  <fpizlo@apple.com>

        Rationalize exit site profiling for calls
        https://bugs.webkit.org/show_bug.cgi?id=106150

        Reviewed by Sam Weinig.
        
        This adds two new exit kinds for calls: BadFunction and BadExecutable. The latter is not used
        yet, but is already integrated with profiling. CheckFunction uses a BadFunction speculation
        instead of BadCache, now. This allows CallLinkStatus to turn itself into a closure call status
        if we had a BadFunction exit site but the CallLinkInfo told us to use a non-closure call. This
        might happen if we had call unlinking that led to information loss along the way.
        
        No performance impact. This is meant as another step towards inlining closure calls.

        * bytecode/CallLinkStatus.cpp:
        * bytecode/CallLinkStatus.h:
        (JSC::CallLinkStatus::setIsProved):
        (JSC::CallLinkStatus::setHasBadFunctionExitSite):
        (CallLinkStatus):
        (JSC::CallLinkStatus::setHasBadCacheExitSite):
        (JSC::CallLinkStatus::setHasBadExecutableExitSite):
        * bytecode/ExitKind.cpp:
        (JSC::exitKindToString):
        * bytecode/ExitKind.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleCall):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-01-03  Filip Pizlo  <fpizlo@apple.com>

        DFG should not elide CheckStructure if it's needed to perform a cell check
        https://bugs.webkit.org/show_bug.cgi?id=106074

        Reviewed by Ryosuke Niwa.
        
        The problem here was that the constant folding phase was misinterpreting the meaning of the sets
        in DFG::AbstractValue.  AbstractValue describes a constraint on the values that a variable (i.e.
        a DFG Node, or a virtual register, i.e. local or argument) may have. It does so by containing
        four sets: the set of JSValues (either empty, the singleton set containing one JSValue, or the
        set of all JSValues); the set of "current known" structures, i.e. the set of structures that you
        already know that this value may have right now (also either empty, the singleton set, or the set
        of all structures); the set of "future possible" structures, i.e. the set of structures that this
        value could have in the future if none of the structure transition watchpoints for those
        structures had fired (also empty, singleton, or all); and the set of types, which is a
        SpeculatedType bitmask. The correct way to interpret the sets is to think of the AbstractValue as
        the intersection of these three sets of values:
        
        - The set of JSValues that have a type that belongs to the m_type set.
        - If m_value is not the empty value then: the set of all JSValues that are == m_value;
                                            else: the set of all JSValues.
          where '==' is as defined by JSValue::operator==.
        - Union of { the set of all cells that have a structure that belongs to m_currentKnownStructure }
               and { the set of all JSValues that are not cells }.
        
        You can then further intersect this set with the following set, if you guard the code with
        watchpoints on all structures in the m_futurePossibleStructure:
        
        - Union of { the set of all cells that have a structure that belongs to m_futurePossibleStructure }
               and { the set of all JSValues that are not cells }.
        
        One way to think of this is that m_currentKnownStructure is filtered by m_futurePossibleStructure
        (i.e. is set to the intersection of m_currentKnownStructure and m_futurePossibleStructure), if the
        code for which you're doing this is always preceded by watchpoints on all structures in
        m_futurePossibleStructure, and is always before any side-effects that could change the structures
        of objects.
        
        The incorrect optimization related to CheckStructure. CheckStructure checks that the value is a
        cell, and that it has a particular structure. It was incorrectly assuming that you could eliminate
        the CheckStructure, if m_currentKnownStructure contained the structure that CheckStructure was
        checking. But this is not the case, since m_currentKnownStructure does not prove that the value is
        a cell with a particular structure; it only proves that if the value was a cell then it would have
        a particular structure. Hence, to eliminate CheckStructure, it is also necessary to check that
        AbstractValue::m_type contains only cells (i.e. isCellSpeculation(m_type) == true).
        
        It wasn't doing that, and this changes makes sure that it does do that.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):

2013-01-04  Adam Klein  <adamk@chromium.org>

        Remove ENABLE_MUTATION_OBSERVERS #define
        https://bugs.webkit.org/show_bug.cgi?id=105459

        Reviewed by Ryosuke Niwa.

        * Configurations/FeatureDefines.xcconfig:

2013-01-03  Filip Pizlo  <fpizlo@apple.com>

        DFG::ByteCodeCache serves little or no purpose ever since we decided to keep bytecode around permanently
        https://bugs.webkit.org/show_bug.cgi?id=106058

        Reviewed by Michael Saboff.
        
        All baseline code blocks now always have bytecode, so the bytecode cache's ability to minimize the
        number of times that the DFG produces bytecode sequences for code blocks is superfluous.

        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGByteCodeCache.h: Removed.
        * dfg/DFGByteCodeParser.cpp:
        (ByteCodeParser):
        (JSC::DFG::ByteCodeParser::handleInlining):
        * runtime/Executable.cpp:
        (JSC):
        * runtime/Executable.h:
        (FunctionExecutable):

2013-01-03  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix build for DFG JIT disabled.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpValueProfiling):
        (JSC::CodeBlock::dumpArrayProfiling):
        * runtime/Executable.cpp:
        (JSC):
        (JSC::ExecutableBase::intrinsic):

2013-01-03  Filip Pizlo  <fpizlo@apple.com>

        CallLinkStatus should be aware of closure calls, and the DFG bytecode parser should use that as its sole internal notion of how to optimize calls
        https://bugs.webkit.org/show_bug.cgi?id=106027

        Reviewed by Mark Hahnenberg.
        
        Previously, the DFG bytecode parser had its own internal notion of exactly what CallLinkStatus was
        meant to do, in the form of a CallType, expectedFunction, intrinsic, etc. This change makes CallLinkStatus
        smart enough to do all of that, and also gives it the ability to understand closure calls.

        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::CallLinkStatus):
        (JSC):
        (JSC::CallLinkStatus::function):
        (JSC::CallLinkStatus::internalFunction):
        (JSC::CallLinkStatus::intrinsicFor):
        (JSC::CallLinkStatus::setIsProved):
        (JSC::CallLinkStatus::computeFromLLInt):
        (JSC::CallLinkStatus::computeFor):
        (JSC::CallLinkStatus::dump):
        * bytecode/CallLinkStatus.h:
        (JSC):
        (JSC::CallLinkStatus::CallLinkStatus):
        (CallLinkStatus):
        (JSC::CallLinkStatus::takesSlowPath):
        (JSC::CallLinkStatus::isSet):
        (JSC::CallLinkStatus::isClosureCall):
        (JSC::CallLinkStatus::callTarget):
        (JSC::CallLinkStatus::executable):
        (JSC::CallLinkStatus::structure):
        (JSC::CallLinkStatus::isProved):
        (JSC::CallLinkStatus::canOptimize):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleCall):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::valueOfFunctionConstant):

2013-01-02  Simon Hausmann  <simon.hausmann@digia.com>

        [MinGW-w64] Centralize workaround for pow() implementation
        https://bugs.webkit.org/show_bug.cgi?id=105925

        Reviewed by Sam Weinig.

        As suggested by Sam, move the MinGW-w64 workaround into MathExtras.h
        away from the JSC usage.

        * runtime/MathObject.cpp:
        (JSC::mathPow):

2013-01-02  Gavin Barraclough  <barraclough@apple.com>

        Objective-C API for JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=105889

        Reviewed by Geoff Garen.

        Fixes for more issues raised by Darin.

        * API/JSBlockAdaptor.mm:
        (BlockArgument):
        (BlockArgumentStruct::BlockArgumentStruct):
        (BlockArgumentTypeDelegate::typeStruct):
        (BlockResult):
        (BlockResultStruct::BlockResultStruct):
        (buildBlockSignature):
        (-[JSBlockAdaptor initWithBlockSignatureFromProtocol:]):
        (-[JSBlockAdaptor blockFromValue:inContext:withException:]):
            - fix * position for Objective-C types
        * API/JSContext.h:
            - fix * position for Objective-C types
        * API/JSContext.mm:
        (-[JSContext initWithVirtualMachine:]):
        (-[JSContext virtualMachine]):
        (contextInternalContext):
            - fix * position for Objective-C types
        (-[JSContext dealloc]):
        (-[JSContext protect:]):
        (-[JSContext unprotect:]):
            - HashMap<JSValueRef, size_t> -> HashCountedSet<JSValueRef>
        * API/JSContextInternal.h:
        (WeakContextRef):
            - fix * position for Objective-C types
        * API/JSValue.mm:
        (valueToString):
            - fix * position for Objective-C types
        (isNSBoolean):
            - Added helper to check for booleans.
        (objectToValueWithoutCopy):
            - Added contextRef
            - fix * position for Objective-C types
            - Remove @YES, @NO literal usage, use isNSBoolean instead
        (objectToValue):
            - Added contextRef
        (+[JSValue valueWithValue:inContext:]):
        (-[JSValue initWithValue:inContext:]):
            - fix * position for Objective-C types
        (createStructHandlerMap):
        (handerForStructTag):
            - getStructTagHandler -> handerForStructTag
            - Split out createStructHandlerMap
            - strncmp -> memcmp
            - String(type).impl() -> StringImpl::create(type)
        (+[JSValue selectorForStructToValue:]):
        (+[JSValue selectorForValueToStruct:]):
            - getStructTagHandler -> handerForStructTag
        (typeToValueInvocationFor):
        (valueToTypeInvocationFor):
            - fix * position for Objective-C types
        * API/JSValueInternal.h:
            - fix * position for Objective-C types
        * API/JSVirtualMachineInternal.h:
            - fix * position for Objective-C types
        * API/JSWrapperMap.h:
            - fix * position for Objective-C types
        * API/JSWrapperMap.mm:
        (selectorToPropertyName):
        (createObjectWithCustomBrand):
        (createRenameMap):
        (putNonEnumerable):
        (copyMethodsToObject):
        (copyPrototypeProperties):
        (-[JSObjCClassInfo initWithContext:forClass:superClassInfo:]):
        (-[JSWrapperMap initWithContext:]):
        (-[JSWrapperMap wrapperForObject:]):
        (getJSExportProtocol):
            - fix * position for Objective-C types
        * API/ObjCCallbackFunction.h:
            - fix * position for Objective-C types
        * API/ObjCCallbackFunction.mm:
        (CallbackArgument):
        (CallbackArgumentStruct::CallbackArgumentStruct):
            - fix * position for Objective-C types
        (CallbackArgumentBlockCallback::createAdoptingJSBlockAdaptor):
            - Added to make adopt explicit
        (CallbackArgumentBlockCallback):
        (CallbackArgumentBlockCallback::CallbackArgumentBlockCallback):
        (ArgumentTypeDelegate::typeBlock):
            - Call createAdoptingJSBlockAdaptor
        (ArgumentTypeDelegate::typeStruct):
        (CallbackResult):
        (CallbackResultStruct::CallbackResultStruct):
        (ResultTypeDelegate::typeStruct):
        (ObjCCallbackFunction::ObjCCallbackFunction):
        (ObjCCallbackFunction::context):
        (objCCallbackFunctionForInvocation):
        (objCCallbackFunctionForMethod):
        (objCCallbackFunctionForBlock):
            - fix * position for Objective-C types
        * API/ObjcRuntimeExtras.h:
        (protocolImplementsProtocol):
        (forEachProtocolImplementingProtocol):
        (forEachMethodInProtocol):
        (forEachPropertyInProtocol):
            - fix * position for Objective-C types
        * API/tests/testapi.m:
        (-[TestObject testArgumentTypesWithInt:double:boolean:string:number:array:dictionary:]):
        (testObjectiveCAPI):
            - fix * position for Objective-C types

2013-01-02  Geoffrey Garen  <ggaren@apple.com>

        Some renaming in the CodeCache
        https://bugs.webkit.org/show_bug.cgi?id=105966

        Reviewed by Gavin Barraclough.

        CodeBlockKey => SourceCodeKey because the key is not a CodeBlock.

        m_recentlyUsedFunctionCode => m_recentlyUsedFunctions to match other names.

        GlobalFunctionKey => FunctionKey because the key is not unique to globalness.

        m_cachedGlobalFunctions => m_globalFunctions because "cached" is redundant
        for data members in an object called "CodeCache".

        kMaxRootCodeBlockEntries => kMaxRootEntries because there are no non-CodeBlock
        entries in a CodeBlock cache.

        kMaxFunctionCodeBlocks => kMaxChildFunctionEntries to clarify that this
        number models a parent-child relationship.

        Also removed the initial "k" from enum constants. That's an interesting
        style for calling out constants, but it's not the WebKit style.

        Finally, a behavior change: Use MaxRootEntries for the limit on global
        functions, and not MaxChildFunctionEntries. Previously, there was an
        unused constant that seemed to have been intended for this purpose.

        * runtime/CodeCache.cpp:
        (JSC::CodeCache::makeSourceCodeKey):
        (JSC::CodeCache::getCodeBlock):
        (JSC::CodeCache::generateFunctionCodeBlock):
        (JSC::CodeCache::makeFunctionKey):
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
        (JSC::CodeCache::usedFunctionCode):
        * runtime/CodeCache.h:
        (JSC::CodeCache::clear):

2013-01-02  Filip Pizlo  <fpizlo@apple.com>

        DFG inlining machinery should be robust against the inline callee varying while the executable stays the same
        https://bugs.webkit.org/show_bug.cgi?id=105953

        Reviewed by Mark Hahnenberg.
        
        This institutes the policy that if InlineCallFrame::callee is null, then the callee and scope have already
        been stored into the true call frame (i.e. the place where the call frame of the inlined call would have
        been) and so any attempt to access the callee or scope should do a load instead of assuming that the value
        is constant. This wires the changes through the bytecode parser, the stack scanning logic, and the compiler
        optimization phases and backends.

        * bytecode/CodeOrigin.cpp:
        (JSC::InlineCallFrame::dump):
        * bytecode/CodeOrigin.h:
        (CodeOrigin):
        (InlineCallFrame):
        (JSC::InlineCallFrame::isClosureCall):
        (JSC::CodeOrigin::stackOffset):
        (JSC):
        * dfg/DFGAssemblyHelpers.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::get):
        (InlineStackEntry):
        (JSC::DFG::ByteCodeParser::getScope):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGCSEPhase.cpp:
        (CSEPhase):
        (JSC::DFG::CSEPhase::genericPureCSE):
        (JSC::DFG::CSEPhase::pureCSE):
        (JSC::DFG::CSEPhase::pureCSERequiringSameInlineCallFrame):
        (JSC::DFG::CSEPhase::getMyScopeLoadElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::trueCallFrame):

2013-01-02  Gavin Barraclough  <barraclough@apple.com>

        Objective-C API for JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=105889

        Reviewed by Geoff Garen.

        Fixes for a number of issues raised by Darin.

        * API/APIJSValue.h:
            - Fix typos in comment
            - Add newline before NS_CLASS_AVAILABLE(10_9, NA)
            - cls -> expectedClass
            - key type for -setObject:forKeyedSubscript: is now NSObject <NSCopying> *
        * API/JSBase.h:
            - JS_OBJC_API_ENABLED no longer implies __OBJC__
        * API/JSBlockAdaptor.mm:
        (BlockArgumentStruct::BlockArgumentStruct):
        (BlockArgumentStruct):
            - mark virtual functions as virtual, override, and private
            - refactor out buffer allocation for struct types
        (BlockArgumentTypeDelegate::typeVoid):
        (BlockArgumentTypeDelegate::typeBlock):
        (BlockArgumentTypeDelegate::typeStruct):
            - return nil -> return 0
        (BlockResultStruct::BlockResultStruct):
        (BlockResultStruct):
            - mark virtual functions as virtual, override, and private
            - refactor out buffer allocation for struct types
        (buildBlockSignature):
            - %lu is not an appropriate format specifier for NSInteger
        (-[JSBlockAdaptor initWithBlockSignatureFromProtocol:]):
            - nil check [super init]
        (-[JSBlockAdaptor blockMatchesSignature:]):
        (-[JSBlockAdaptor blockFromValue:inContext:withException:]):
            - ctx -> contextRef
        * API/JSContext.h:
            - Fix typos in comment
            - Add newline before NS_CLASS_AVAILABLE(10_9, NA)
            - key type for -setObject:forKeyedSubscript: is now NSObject <NSCopying> *
        * API/JSContext.mm:
        (-[JSContext initWithVirtualMachine:]):
            - nil check [super init]
        (+[JSContext currentArguments]):
            - args -> argumentArray
        (-[JSContext setObject:forKeyedSubscript:]):
            - key type for -setObject:forKeyedSubscript: is now NSObject <NSCopying> *
        (-[JSContext dealloc]):
        (-[JSContext protect:]):
        (-[JSContext unprotect:]):
            - m_protected -> m_protectCounts
        * API/JSValue.mm:
        (-[JSValue toObjectOfClass:]):
            - cls -> expectedClass
        (-[JSValue toBool]):
        (-[JSValue deleteProperty:]):
        (-[JSValue hasProperty:]):
        (-[JSValue isUndefined]):
        (-[JSValue isNull]):
        (-[JSValue isBoolean]):
        (-[JSValue isNumber]):
        (-[JSValue isString]):
        (-[JSValue isObject]):
        (-[JSValue isEqualToObject:]):
        (-[JSValue isEqualWithTypeCoercionToObject:]):
        (-[JSValue isInstanceOf:]):
            - removed ? YES : NO
        (-[JSValue callWithArguments:]):
        (-[JSValue constructWithArguments:]):
        (-[JSValue invokeMethod:withArguments:]):
            - args -> argumentArray
        (+[JSValue valueWithPoint:inContext:]):
        (+[JSValue valueWithRange:inContext:]):
        (+[JSValue valueWithRect:inContext:]):
        (+[JSValue valueWithSize:inContext:]):
            - [NSNumber numberWithFloat:] -> @()
        (-[JSValue objectForKeyedSubscript:]):
        (-[JSValue setObject:forKeyedSubscript:]):
            - key type for -setObject:forKeyedSubscript: is now NSObject <NSCopying> *
        (JSContainerConvertor):
        (JSContainerConvertor::isWorkListEmpty):
        (JSContainerConvertor::convert):
        (ObjcContainerConvertor):
        (ObjcContainerConvertor::isWorkListEmpty):
            - remove WTF::
            - isWorkListEmpty is const
        (objectToValue):
            -  use fast enumeration
        (-[JSValue initWithValue:inContext:]):
            - nil check [super init]
        (getStructTagHandler):
            - m_structHandlers -> structHandlers
        * API/JSVirtualMachine.h:
            - Add newline before NS_CLASS_AVAILABLE(10_9, NA)
        * API/JSVirtualMachine.mm:
        (-[JSVirtualMachine init]):
            - nil check [super init]
        * API/JSWrapperMap.mm:
        (selectorToPropertyName):
        (copyPrototypeProperties):
            - remove WTF::
            - use static_cast
        (-[JSObjCClassInfo initWithContext:forClass:superClassInfo:]):
        (-[JSWrapperMap initWithContext:]):
            - nil check [super init]
        (-[JSWrapperMap wrapperForObject:]):
        (tryUnwrapObjcObject):
            - enable ASSERT
        (getJSExportProtocol):
        (getNSBlockClass):
            - remove if check on initializing static
        * API/JavaScriptCore.h:
            - JS_OBJC_API_ENABLED no longer implies __OBJC__
        * API/ObjCCallbackFunction.mm:
        (CallbackArgumentOfClass):
        (CallbackArgumentOfClass::~CallbackArgumentOfClass):
        (CallbackArgumentStruct::CallbackArgumentStruct):
        (CallbackArgumentStruct):
        (CallbackArgumentBlockCallback):
            - mark virtual functions as virtual, override, and private
            - refactor out buffer allocation for struct types
        (ArgumentTypeDelegate::typeVoid):
        (ArgumentTypeDelegate::typeOfClass):
        (ArgumentTypeDelegate::typeStruct):
            - return nil -> return 0
        (CallbackResultStruct::CallbackResultStruct):
        (CallbackResultStruct):
            - mark virtual functions as virtual, override, and private
            - refactor out buffer allocation for struct types
        (ResultTypeDelegate::typeStruct):
            - return nil -> return 0
        (ObjCCallbackFunction):
            - remove WTF::
        (objCCallbackFunctionFinalize):
            - use static_cast
        (objCCallbackFunctionCallAsFunction):
            - Fix typos in comment
        (createObjCCallbackFunctionClass):
        (objCCallbackFunctionClass):
            - Split out createObjCCallbackFunctionClass from objCCallbackFunctionClass
        (ObjCCallbackFunction::call):
            - ctx -> contextRef
        (blockSignatureContainsClass):
            - Remove tri-state enum.
        (skipNumber):
            - isdigit -> isASCIIDigit 
        (objCCallbackFunctionForInvocation):
            - clean up & comment blockSignatureContainsClass() usage
        (tryUnwrapBlock):
            - use static_cast
        * API/ObjcRuntimeExtras.h:
        (forEachProtocolImplementingProtocol):
        (forEachMethodInClass):
        (forEachMethodInProtocol):
        (forEachPropertyInProtocol):
            - Remove WTF::
            - Remove if (count) checks
        (skipPair):
            - NSUInteger -> size_t
        (StringRange):
        (StringRange::operator const char*):
        (StringRange::get):
        (StructBuffer):
        (StructBuffer::StructBuffer):
        (StructBuffer::~StructBuffer):
        (StructBuffer::operator void*):
            - Added helper for creating an aligned buffer, used by struct conversion invocations.
        (parseObjCType):
            - *(position++) -> *position++
        * API/tests/testapi.c:
            - PLATFORM(MAC) -> JS_OBJC_API_ENABLED
        * API/tests/testapi.m:
        (blockSignatureContainsClass):
            - Remove tri-state enum.
        (testObjectiveCAPI):
            - Added more result type checks.

2013-01-02  Filip Pizlo  <fpizlo@apple.com>

        DFG should not use the InlineCallFrame's callee when it could have used the executable istead
        https://bugs.webkit.org/show_bug.cgi?id=105947

        Reviewed by Mark Hahnenberg.
        
        We shouldn't use the callee to get the executable when we have the executable already. Not only
        does this make the logic more clear, but it also allows for a world where the executable is known
        but the callee isn't.

        * dfg/DFGAssemblyHelpers.h:
        (JSC::DFG::AssemblyHelpers::strictModeFor):

2013-01-02  Filip Pizlo  <fpizlo@apple.com>

        DFG inliner should not use the callee's bytecode variable for resolving references to the callee in inlined code
        https://bugs.webkit.org/show_bug.cgi?id=105938

        Reviewed by Mark Hahnenberg.
        
        This simplifies a bunch of code for referring to the callee. It also ought to simplify how we do
        closure call inlining: for inlined closure call frames we will simply require that the callee is
        already stashed on the stack in the Callee slot in the inline call frame header.

        * dfg/DFGByteCodeParser.cpp:
        (ByteCodeParser):
        (JSC::DFG::ByteCodeParser::getDirect):
        (JSC::DFG::ByteCodeParser::get):
        (InlineStackEntry):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::remapOperand):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        (JSC::DFG::ByteCodeParser::parse):

2013-01-02  Ryosuke Niwa  <rniwa@webkit.org>

        Another Windows port build fix attempt. Try not exporting this symbol from JSC
        since it's also compiled in WebCore.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2013-01-02  Csaba Osztrogonác  <ossy@webkit.org>

        One more unreviewed buildfix after r138609.

        * jit/JITCall.cpp: Add a missing include.

2013-01-02  Csaba Osztrogonác  <ossy@webkit.org>

        Unreviewed buildfix after r138609.

        * jit/JITCall32_64.cpp: Add a missing include.

2013-01-01  Filip Pizlo  <fpizlo@apple.com>

        Baseline JIT should have closure call caching
        https://bugs.webkit.org/show_bug.cgi?id=105900

        Reviewed by Gavin Barraclough.
        
        This is not a speed-up by itself, but is meant to allow the DFG inliner to
        accurately discern between closure calls and non-closure calls, so that it can
        do closure call inlining in the future.

        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFromLLInt):
        (JSC::CallLinkStatus::computeFor):
        * bytecode/CallLinkStatus.h:
        (JSC::CallLinkStatus::CallLinkStatus):
        (JSC::CallLinkStatus::isClosureCall):
        (CallLinkStatus):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleCall):
        * jit/JIT.cpp:
        (JSC::JIT::linkFor):
        (JSC::JIT::linkSlowCall):
        * jit/JIT.h:
        (JSC::JIT::compileClosureCall):
        * jit/JITCall.cpp:
        (JSC::JIT::privateCompileClosureCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::privateCompileClosureCall):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * jit/JITStubs.h:
        * jit/ThunkGenerators.cpp:
        (JSC::linkClosureCallGenerator):
        * jit/ThunkGenerators.h:

2013-01-01  Dan Bernstein  <mitz@apple.com>

        <rdar://problem/12942239> Update copyright strings

        Reviewed by Sam Weinig.

        * Info.plist:

2012-12-31  Gavin Barraclough  <barraclough@apple.com>

        Objective-C API for JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=105889

        Reviewed by Filip Pizlo.

        For a detailed description of the API implemented here, see:
            JSContext.h
            APIJSValue.h
            JSVirtualMachine.h
            JSExport.h
        Still to do -
            (1) Shoud rename APIJSValue.h -> JSValue.h (but we'll have to rename JSValue.h first).
            (2) Numerous FIXMEs, all with separate bugs filed.

        * API/APIJSValue.h: Added.
            - this Objective-C class is used to reference a JavaScript object.
        * API/JSBase.h:
            - added JS_OBJC_API_ENABLED macro to control ObjC API support.
        * API/JSBlockAdaptor.h: Added.
            - this Objective-C class is used in creating a special NSBlock proxying a JavaScript function.
        * API/JSBlockAdaptor.mm: Added.
        (BlockArgument):
        (BlockArgument::~BlockArgument):
        (BlockArgumentBoolean):
        (BlockArgumentBoolean::get):
        (BlockArgumentNumeric):
        (BlockArgumentNumeric::get):
        (BlockArgumentId):
        (BlockArgumentId::get):
        (BlockArgumentStruct):
        (BlockArgumentStruct::BlockArgumentStruct):
        (BlockArgumentStruct::~BlockArgumentStruct):
        (BlockArgumentStruct::get):
            - decoded arguent type information of a JSBlockAdaptor.
        (BlockArgumentTypeDelegate):
        (BlockArgumentTypeDelegate::typeInteger):
        (BlockArgumentTypeDelegate::typeDouble):
        (BlockArgumentTypeDelegate::typeBool):
        (BlockArgumentTypeDelegate::typeVoid):
        (BlockArgumentTypeDelegate::typeId):
        (BlockArgumentTypeDelegate::typeOfClass):
        (BlockArgumentTypeDelegate::typeBlock):
        (BlockArgumentTypeDelegate::typeStruct):
            - delegate for use in conjunction with parseObjCType.
        (BlockResult):
        (BlockResult::~BlockResult):
        (BlockResultVoid):
        (BlockResultVoid::set):
        (BlockResultInteger):
        (BlockResultInteger::set):
        (BlockResultDouble):
        (BlockResultDouble::set):
        (BlockResultBoolean):
        (BlockResultBoolean::set):
        (BlockResultStruct):
        (BlockResultStruct::BlockResultStruct):
        (BlockResultStruct::~BlockResultStruct):
        (BlockResultStruct::set):
            - decoded result type information of a JSBlockAdaptor.
        (buildBlockSignature):
            - partial step in constructing a signature with stack offset information from one without.
        (-[JSBlockAdaptor initWithBlockSignatureFromProtocol:]):
            - constructor.
        (-[JSBlockAdaptor blockMatchesSignature:]):
            - check whether signature strings match, where only one contains stack frame offsets.
        (-[JSBlockAdaptor blockFromValue:inContext:withException:]):
            - use the adaptor to create a special forwarding block.
        * API/JSCallbackObjectFunctions.h:
        (JSC::::inherits):
            - add missing braces to multiline for statement.
        * API/JSContext.h: Added.
            - this Objective-C class is used to reference a JavaScript context.
        * API/JSContext.mm: Added.
        (-[JSContext init]):
            - constructor.
        (-[JSContext initWithVirtualMachine:]):
            - construct in a given VM (JSGlobalData).
        (-[JSContext evaluateScript:]):
        (-[JSContext globalObject]):
            - evaluate a script, global object accessor.
        (+[JSContext currentContext]):
        (+[JSContext currentThis]):
        (+[JSContext currentArguments]):
            - These methods obtain context, this, arguments from within a callback.
        (-[JSContext virtualMachine]):
            - implementation for .virtualMachine property.
        (-[JSContext objectForKeyedSubscript:]):
        (-[JSContext setObject:forKeyedSubscript:]):
            - support for subscript property access.
        (contextInternalContext):
            - internal accessor to m_context.
        (-[JSContext dealloc]):
            - desctructor.
        (-[JSContext notifyException:]):
        (-[JSContext valueFromNotifyException:]):
        (-[JSContext boolFromNotifyException:]):
            - internal method to record an exception was thrown.
        (-[JSContext beginCallbackWithData:thisValue:argumentCount:arguments:]):
        (-[JSContext endCallbackWithData:]):
            - internal methods to push/pop a callback record.
        (-[JSContext protect:]):
        (-[JSContext unprotect:]):
            - internal methods to add a value to a protect set (used to protect the internal property of JSValue).
        (-[JSContext wrapperForObject:]):
            - internal method to create a wrapper object.
        (WeakContextRef::WeakContextRef):
        (WeakContextRef::~WeakContextRef):
        (WeakContextRef::get):
        (WeakContextRef::set):
            - Helper class to implement a weak reference to a JSContext.
        * API/JSContextInternal.h: Added.
        (CallbackData):
        (WeakContextRef):
            - see API/JSContext.mm for description of internal methods.
        * API/JSExport.h: Added.
            - Provides JSExport protocol & JSExportAs macro.
        * API/JSValue.mm: Added.
        (+[JSValue valueWithObject:inContext:]):
        (+[JSValue valueWithBool:inContext:]):
        (+[JSValue valueWithDouble:inContext:]):
        (+[JSValue valueWithInt32:inContext:]):
        (+[JSValue valueWithUInt32:inContext:]):
        (+[JSValue valueWithNewObjectInContext:]):
        (+[JSValue valueWithNewArrayInContext:]):
        (+[JSValue valueWithNewRegularExpressionFromPattern:flags:inContext:]):
        (+[JSValue valueWithNewErrorFromMessage:inContext:]):
        (+[JSValue valueWithNullInContext:]):
        (+[JSValue valueWithUndefinedInContext:]):
            - Constructors.
        (-[JSValue toObject]):
        (-[JSValue toObjectOfClass:]):
        (-[JSValue toBool]):
        (-[JSValue toDouble]):
        (-[JSValue toInt32]):
        (-[JSValue toUInt32]):
        (-[JSValue toNumber]):
        (-[JSValue toString]):
        (-[JSValue toDate]):
        (-[JSValue toArray]):
        (-[JSValue toDictionary]):
            - Conversion to Objective-C types.
        (-[JSValue valueForProperty:]):
        (-[JSValue setValue:forProperty:]):
        (-[JSValue deleteProperty:]):
        (-[JSValue hasProperty:]):
        (-[JSValue defineProperty:descriptor:]):
            - Property access by property name.
        (-[JSValue valueAtIndex:]):
        (-[JSValue setValue:atIndex:]):
            - Property access by index.
        (-[JSValue isUndefined]):
        (-[JSValue isNull]):
        (-[JSValue isBoolean]):
        (-[JSValue isNumber]):
        (-[JSValue isString]):
        (-[JSValue isObject]):
            - Test JavaScript type.
        (-[JSValue isEqualToObject:]):
        (-[JSValue isEqualWithTypeCoercionToObject:]):
        (-[JSValue isInstanceOf:]):
            - ===, ==, instanceof operators.
        (-[JSValue callWithArguments:]):
        (-[JSValue constructWithArguments:]):
        (-[JSValue invokeMethod:withArguments:]):
            - Call & construct.
        (-[JSValue context]):
            - implementation for .context property.
        (-[JSValue toPoint]):
        (-[JSValue toRange]):
        (-[JSValue toRect]):
        (-[JSValue toSize]):
        (+[JSValue valueWithPoint:inContext:]):
        (+[JSValue valueWithRange:inContext:]):
        (+[JSValue valueWithRect:inContext:]):
        (+[JSValue valueWithSize:inContext:]):
            - Support for NS struct types.
        (-[JSValue objectForKeyedSubscript:]):
        (-[JSValue objectAtIndexedSubscript:]):
        (-[JSValue setObject:forKeyedSubscript:]):
        (-[JSValue setObject:atIndexedSubscript:]):
            - support for subscript property access.
        (isDate):
        (isArray):
            - internal helper functions to check for instances of JS Date, Array types.
        (JSContainerConvertor):
        (Task):
        (JSContainerConvertor::JSContainerConvertor):
        (JSContainerConvertor::isWorkListEmpty):
        (JSContainerConvertor::convert):
        (JSContainerConvertor::add):
        (JSContainerConvertor::take):
            - helper class for tracking state while converting to Array/Dictionary objects.
        (valueToObjectWithoutCopy):
        (containerValueToObject):
        (valueToObject):
        (valueToNumber):
        (valueToString):
        (valueToDate):
        (valueToArray):
        (valueToDictionary):
            - function for converting JavaScript values to Objective-C objects.
        (ObjcContainerConvertor):
        (ObjcContainerConvertor::ObjcContainerConvertor):
        (ObjcContainerConvertor::isWorkListEmpty):
        (ObjcContainerConvertor::convert):
        (ObjcContainerConvertor::add):
        (ObjcContainerConvertor::take):
            - helper class for tracking state while converting to Array/Dictionary values.
        (objectToValueWithoutCopy):
        (objectToValue):
        (valueInternalValue):
            - function for converting Objective-C objects to JavaScript values.
        (+[JSValue valueWithValue:inContext:]):
        (-[JSValue initWithValue:inContext:]):
            - internal constructors.
        (StructTagHandler):
        (getStructTagHandler):
        (+[JSValue selectorForStructToValue:]):
        (+[JSValue selectorForValueToStruct:]):
            - methods to tracking struct types that support conversion to/from JSValue.
        (-[JSValue dealloc]):
            - destructor.
        (-[JSValue description]):
            - Objective-C to-NSString conversion.
        (typeToValueInvocationFor):
        (valueToTypeInvocationFor):
            - create invocation objects for conversion to/from JSValue.
        * API/JSValueInternal.h: Added.
            - see API/JSValue.mm for description of internal methods.
        * API/JSVirtualMachine.h: Added.
            - this Objective-C class is used to reference a JavaScript virtual machine (JSGlobalData).
        * API/JSVirtualMachine.mm: Added.
        (-[JSVirtualMachine init]):
        (-[JSVirtualMachine dealloc]):
            - constructor & destructor.
        (getGroupFromVirtualMachine):
            - internal accessor for m_group property.
        * API/JSVirtualMachineInternal.h: Added.
            - see API/JSVirtualMachine.mm for description of internal methods.
        * API/JSWrapperMap.h: Added.
        * API/JSWrapperMap.mm: Added.
        (wrapperClass):
            - singleton root for detction (& unwrapping) of wrapper objects.
        (selectorToPropertyName):
            - default selector to property name conversion.
        (createObjectWithCustomBrand):
            - creates a JSObject with a custom NativeBrand (class name).
        (createRenameMap):
            - parse @optional properties of a JSExport protocol.
        (putNonEnumerable):
            - property put with enumerable=false.
        (copyMethodsToObject):
            - iterate methods in a protocol; add functions to a JSObject.
        (parsePropertyAttributes):
            - examine protocol property metadata.
        (makeSetterName):
            - "foo" -> "setFoo"
        (copyPrototypeProperties):
            - create properties on a Protocol object reflecting the instance methods & properties of a protocol.
        (-[JSObjCClassInfo initWithContext:forClass:superClassInfo:]):
        (-[JSObjCClassInfo dealloc]):
        (-[JSObjCClassInfo wrapperForObject:]):
        (-[JSObjCClassInfo constructor]):
            - cache the Protocol/Constructor objects for an Objective-C type.
        (-[JSWrapperMap initWithContext:]):
        (-[JSWrapperMap dealloc]):
            - constructor & desctructor.
        (-[JSWrapperMap classInfoForClass:]):
            - maps Class -> JSObjCClassInfo.
        (-[JSWrapperMap wrapperForObject:]):
            - cretae or retrieve a cached wrapper value for an object.
        (tryUnwrapObjcObject):
            - check whether a value is a wrapper object; unwrap if so.
        * API/JavaScriptCore.h:
            - Added includes for new API headers.
        * API/ObjCCallbackFunction.h: Added.
            - this class is used to wrap Objective-C instance methods, class methods & blocks as JSFunction objects.
        * API/ObjCCallbackFunction.mm: Added.
        (CallbackArgument):
        (CallbackArgument::~CallbackArgument):
        (CallbackArgumentBoolean):
        (CallbackArgumentBoolean::set):
        (CallbackArgumentInteger):
        (CallbackArgumentInteger::set):
        (CallbackArgumentDouble):
        (CallbackArgumentDouble::set):
        (CallbackArgumentJSValue):
        (CallbackArgumentJSValue::set):
        (CallbackArgumentId):
        (CallbackArgumentId::set):
        (CallbackArgumentOfClass):
        (CallbackArgumentOfClass::CallbackArgumentOfClass):
        (CallbackArgumentOfClass::~CallbackArgumentOfClass):
        (CallbackArgumentOfClass::set):
        (CallbackArgumentNSNumber):
        (CallbackArgumentNSNumber::set):
        (CallbackArgumentNSString):
        (CallbackArgumentNSString::set):
        (CallbackArgumentNSDate):
        (CallbackArgumentNSDate::set):
        (CallbackArgumentNSArray):
        (CallbackArgumentNSArray::set):
        (CallbackArgumentNSDictionary):
        (CallbackArgumentNSDictionary::set):
        (CallbackArgumentStruct):
        (CallbackArgumentStruct::CallbackArgumentStruct):
        (CallbackArgumentStruct::~CallbackArgumentStruct):
        (CallbackArgumentStruct::set):
        (CallbackArgumentBlockCallback):
        (CallbackArgumentBlockCallback::CallbackArgumentBlockCallback):
        (CallbackArgumentBlockCallback::~CallbackArgumentBlockCallback):
        (CallbackArgumentBlockCallback::set):
            - decoded arguent type information of a ObjCCallbackFunction.
        (ArgumentTypeDelegate):
        (ArgumentTypeDelegate::typeInteger):
        (ArgumentTypeDelegate::typeDouble):
        (ArgumentTypeDelegate::typeBool):
        (ArgumentTypeDelegate::typeVoid):
        (ArgumentTypeDelegate::typeId):
        (ArgumentTypeDelegate::typeOfClass):
        (ArgumentTypeDelegate::typeBlock):
        (ArgumentTypeDelegate::typeStruct):
            - delegate for use in conjunction with parseObjCType.
        (CallbackResult):
        (CallbackResult::~CallbackResult):
        (CallbackResultVoid):
        (CallbackResultVoid::get):
        (CallbackResultId):
        (CallbackResultId::get):
        (CallbackResultNumeric):
        (CallbackResultNumeric::get):
        (CallbackResultBoolean):
        (CallbackResultBoolean::get):
        (CallbackResultStruct):
        (CallbackResultStruct::CallbackResultStruct):
        (CallbackResultStruct::~CallbackResultStruct):
        (CallbackResultStruct::get):
            - decoded result type information of a ObjCCallbackFunction.
        (ResultTypeDelegate):
        (ResultTypeDelegate::typeInteger):
        (ResultTypeDelegate::typeDouble):
        (ResultTypeDelegate::typeBool):
        (ResultTypeDelegate::typeVoid):
        (ResultTypeDelegate::typeId):
        (ResultTypeDelegate::typeOfClass):
        (ResultTypeDelegate::typeBlock):
        (ResultTypeDelegate::typeStruct):
            - delegate for use in conjunction with parseObjCType.
        (ObjCCallbackFunction):
        (ObjCCallbackFunction::ObjCCallbackFunction):
        (ObjCCallbackFunction::~ObjCCallbackFunction):
            - constructor & destructor.
        (ObjCCallbackFunction::context):
            - accessor.
        (ObjCCallbackFunction::wrappedBlock):
            - attemmpt to unwrap a block object.
        (objCCallbackFunctionFinalize):
        (objCCallbackFunctionCallAsFunction):
        (objCCallbackFunctionClass):
            - JSClassRef used to represent ObjCCallbackFunction objects.
        (ObjCCallbackFunction::call):
        (blockSignatureContainsClass):
            - helper function to determine if we're running on a recent Clang.
        (skipNumber):
            - helper used in parsing signature strings.
        (objCCallbackFunctionForInvocation):
        (objCCallbackFunctionForMethod):
        (objCCallbackFunctionForBlock):
            - functions to try to create ObjCCallbackFunction instances for methods/blocks.
        (tryUnwrapBlock):
            - attemmpt to unwrap a block object.
        * API/ObjcRuntimeExtras.h: Added.
        (protocolImplementsProtocol):
        (forEachProtocolImplementingProtocol):
        (forEachMethodInClass):
        (forEachMethodInProtocol):
        (forEachPropertyInProtocol):
            - functions used in reflecting on Objective-C types.
        (skipPair):
            - parsing helper used by parseObjCType, scans for matching parentheses.
        (StringRange):
        (StringRange::StringRange):
        (StringRange::~StringRange):
        (StringRange::operator const char*):
        (StringRange::get):
            - Helper class - create a c string copy of a range of an existing string.
        (parseObjCType):
            - function to parse Objective-C type strings, makes callbacks to a deleagte.
        * API/tests/testapi.c:
        (main):
            - added call to testObjectiveCAPI (in testapi.m).
        * API/tests/testapi.m: Added.
        (+[ParentObject parentTest]):
        (+[TestObject testObject]):
        (+[TestObject classTest]):
        (-[TestObject getString]):
        (-[TestObject testArgumentTypesWithInt:double:boolean:string:number:array:dictionary:]):
        (-[TestObject callback:]):
        (-[TextXYZ test:]):
            - test object, used in various test vases.
        (checkResult):
            - helper function.
        (blockSignatureContainsClass):
            - helper function to determine if we're running on a recent Clang.
        (testObjectiveCAPI):
            - new test cases.
        * JavaScriptCore.xcodeproj/project.pbxproj:
            - added new files.
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSGlobalData):
            - added m_apiData - provide convenient storage for use by the API.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject):
        * runtime/JSGlobalObject.h:
        (JSGlobalObject):
            - added m_apiData - provide convenient storage for use by the API.

2012-12-27  Csaba Osztrogonác  <ossy@webkit.org>

        One more unreviwed holiday MIPS and SH4 buildfixes after r138516.

        * jit/ThunkGenerators.cpp:

2012-12-27  Csaba Osztrogonác  <ossy@webkit.org>

        Unreviwed holiday ARM and SH4 buildfixes after r138516.

        * jit/ThunkGenerators.cpp:
        (JSC::nativeForGenerator):

2012-12-26  Filip Pizlo  <fpizlo@apple.com>

        All JIT stubs should go through the getCTIStub API
        https://bugs.webkit.org/show_bug.cgi?id=105750

        Reviewed by Sam Weinig.
        
        Previously JITThunks had two sets of thunks: one static set stored in a struct,
        which was filled by JIT::privateCompileCTITrampolines, and another set stored in
        a HashMap. Moreover, the code to generate the code for the CTI trampoline struct
        had loads of copy-paste between JSVALUE32_64 and JSVALUE64, and was total
        unmodular with respect to calls versus constructors, among other things.
                  
        This changeset removes this struct and rationalizes the code that generates those
        thunks. All of thunks are now generated through the getCTIStub HashMap API. All
        thunks for the baseline JIT now use the JSInterfaceJIT and have their codegen
        located in ThunkGenerators.cpp. All thunks now share as much code as possible -
        it turns out that they are almost 100% identical between 32_64 and 64, so that
        works out great. A bunch of call vs. construct duplication was eliminated. And,
        most of the call link versus virtual call duplication was also eliminated.
        
        This does not change behavior but it does make it easier to add more thunks in
        the future.

        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::unlink):
        * jit/JIT.cpp:
        (JSC::JIT::linkFor):
        * jit/JIT.h:
        (JIT):
        * jit/JITCall.cpp:
        (JSC::JIT::compileCallEvalSlowCase):
        (JSC::JIT::compileOpCallSlowCase):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileCallEvalSlowCase):
        (JSC::JIT::compileOpCallSlowCase):
        * jit/JITInlines.h:
        (JSC):
        * jit/JITOpcodes.cpp:
        (JSC):
        (JSC::JIT::privateCompileCTINativeCall):
        * jit/JITOpcodes32_64.cpp:
        (JSC):
        * jit/JITStubs.cpp:
        (JSC::tryCacheGetByID):
        * jit/JITThunks.cpp:
        (JSC::JITThunks::JITThunks):
        (JSC::JITThunks::ctiNativeCall):
        (JSC::JITThunks::ctiNativeConstruct):
        (JSC):
        (JSC::JITThunks::hostFunctionStub):
        * jit/JITThunks.h:
        (JSC):
        (JITThunks):
        * jit/JSInterfaceJIT.h:
        (JSInterfaceJIT):
        (JSC::JSInterfaceJIT::emitJumpIfNotJSCell):
        (JSC):
        (JSC::JSInterfaceJIT::emitFastArithIntToImmNoCheck):
        (JSC::JSInterfaceJIT::emitJumpIfNotType):
        (JSC::JSInterfaceJIT::emitGetFromCallFrameHeaderPtr):
        (JSC::JSInterfaceJIT::emitPutToCallFrameHeader):
        (JSC::JSInterfaceJIT::emitPutImmediateToCallFrameHeader):
        (JSC::JSInterfaceJIT::emitPutCellToCallFrameHeader):
        (JSC::JSInterfaceJIT::preserveReturnAddressAfterCall):
        (JSC::JSInterfaceJIT::restoreReturnAddressBeforeReturn):
        (JSC::JSInterfaceJIT::restoreArgumentReference):
        * jit/ThunkGenerators.cpp:
        (JSC::generateSlowCaseFor):
        (JSC):
        (JSC::linkForGenerator):
        (JSC::linkCallGenerator):
        (JSC::linkConstructGenerator):
        (JSC::virtualForGenerator):
        (JSC::virtualCallGenerator):
        (JSC::virtualConstructGenerator):
        (JSC::stringLengthTrampolineGenerator):
        (JSC::nativeForGenerator):
        (JSC::nativeCallGenerator):
        (JSC::nativeConstructGenerator):
        (JSC::charCodeAtThunkGenerator):
        (JSC::charAtThunkGenerator):
        (JSC::fromCharCodeThunkGenerator):
        (JSC::sqrtThunkGenerator):
        (JSC::floorThunkGenerator):
        (JSC::ceilThunkGenerator):
        (JSC::roundThunkGenerator):
        (JSC::expThunkGenerator):
        (JSC::logThunkGenerator):
        (JSC::absThunkGenerator):
        (JSC::powThunkGenerator):
        * jit/ThunkGenerators.h:
        (JSC):
        * runtime/Executable.h:
        (NativeExecutable):
        (JSC::NativeExecutable::nativeFunctionFor):
        (JSC::NativeExecutable::offsetOfNativeFunctionFor):

2012-12-25  Gyuyoung Kim  <gyuyoung.kim@samsung.com>

        [CMAKE] Remove header files in JavaScriptCore/CMakeLists.txt
        https://bugs.webkit.org/show_bug.cgi?id=105753

        Reviewed by Laszlo Gombos.

        * CMakeLists.txt: Remove header files in source list.

2012-12-25  Filip Pizlo  <fpizlo@apple.com>

        JITThunks should be in its own file
        https://bugs.webkit.org/show_bug.cgi?id=105744

        Rubber stamped by Sam Weinig.
        
        Moved JITThunks into its own file and removed some static methods from it
        that were not related to what JITThunks currently does. Performed various
        pagan rituals to get it to build - apparently there is a circular dependency
        between JSCell, Weak, and JITThunks, which magically resolves itself if you
        make sure to first include Register.h. Making it so that fewer pagan rituals
        need to be performed if this code changes in the future is covered by
        https://bugs.webkit.org/show_bug.cgi?id=105696.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * jit/JITStubs.cpp:
        (JSC::tryCachePutByID):
        (JSC::tryCacheGetByID):
        * jit/JITStubs.h:
        (JSC::JITStackFrame::returnAddressSlot):
        (JSC::returnAddressIsInCtiTrampoline):
        * jit/JITThunks.cpp: Added.
        (JSC::JITThunks::JITThunks):
        (JSC::JITThunks::~JITThunks):
        (JSC::JITThunks::ctiStub):
        (JSC::JITThunks::hostFunctionStub):
        (JSC::JITThunks::clearHostFunctionStubs):
        * jit/JITThunks.h: Added.
        (JSC::JITThunks::ctiStringLengthTrampoline):
        (JSC::JITThunks::ctiVirtualCallLink):
        (JSC::JITThunks::ctiVirtualConstructLink):
        (JSC::JITThunks::ctiVirtualCall):
        (JSC::JITThunks::ctiVirtualConstruct):
        (JSC::JITThunks::ctiNativeCall):
        (JSC::JITThunks::ctiNativeConstruct):
        * jit/ThunkGenerator.h: Added.
        * jit/ThunkGenerators.cpp:
        * jit/ThunkGenerators.h:
        * runtime/JSGlobalData.h:

2012-12-25  Ilya Tikhonovsky  <loislo@chromium.org>

        Unreviewed follow-up for r138455.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-12-24  Ilya Tikhonovsky  <loislo@chromium.org>

        Unreviewed compilation fix for r138452.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-12-24  Laszlo Gombos  <l.gombos@samsung.com>

        Remove wtf/Platform.h includes from {c|cpp} files
        https://bugs.webkit.org/show_bug.cgi?id=105678

        Reviewed by Kentaro Hara.

        Remove wtf/Platform.h from the include list as it is already
        included in config.h.

        * disassembler/udis86/udis86.c:
        * disassembler/udis86/udis86_decode.c:
        * disassembler/udis86/udis86_input.c:
        * disassembler/udis86/udis86_itab_holder.c:
        * disassembler/udis86/udis86_syn-att.c:
        * disassembler/udis86/udis86_syn-intel.c:
        * disassembler/udis86/udis86_syn.c:
        * heap/VTableSpectrum.cpp:

2012-12-21  Filip Pizlo  <fpizlo@apple.com>

        DFG Arrayify slow path should be out-of-line
        https://bugs.webkit.org/show_bug.cgi?id=105400

        Reviewed by Gavin Barraclough.
        
        The interesting bit of this change is allowing out-of-line slow path generators
        to emit speculation checks. This is accomplished by having a version of
        speculationCheck() that returns a jump placeholder instead of taking a jump (or
        jump list) as an argument. You can then fill in that jump placeholder at a
        later time, so long as you do it before OSR exit linking. Slow path generators
        run before linking, so that just naturally ends up working.
        
        This isn't really a big win, but we know that out-of-lining slow paths is
        generally a good thing to do, so it's fair to assume that this is a move in the
        right direction.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * dfg/DFGArrayifySlowPathGenerator.h: Added.
        (DFG):
        (ArrayifySlowPathGenerator):
        (JSC::DFG::ArrayifySlowPathGenerator::ArrayifySlowPathGenerator):
        (JSC::DFG::ArrayifySlowPathGenerator::generateInternal):
        * dfg/DFGOSRExitJumpPlaceholder.cpp: Added.
        (DFG):
        (JSC::DFG::OSRExitJumpPlaceholder::fill):
        * dfg/DFGOSRExitJumpPlaceholder.h: Added.
        (DFG):
        (OSRExitJumpPlaceholder):
        (JSC::DFG::OSRExitJumpPlaceholder::OSRExitJumpPlaceholder):
        (JSC::DFG::OSRExitJumpPlaceholder::operator!):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculationCheck):
        (DFG):
        (JSC::DFG::SpeculativeJIT::arrayify):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):

2012-12-20  Oliver Hunt  <oliver@apple.com>

        Finally found the problem.  Using the wrong JSContextGroup.

        * API/tests/testapi.c:
        (main):

2012-12-20  Oliver Hunt  <oliver@apple.com>

        Try to convince bots to be happy with testapi.

        * API/JSScriptRefPrivate.h:

2012-12-20  Michael Saboff  <msaboff@apple.com>

        JIT: Change uninitialized pointer value -1 to constant
        https://bugs.webkit.org/show_bug.cgi?id=105576

        Rubber stamped by Gavin Barraclough.

        Changed the use of -1 as a pointer value in the JITs to be the constant unusedPointer defined in the
        new file jit/UnusedPointer.h.  Made it's value 0xd1e7beef, which is a bad pointer on most architectures
        because it is odd, and to distinguish it from other common values.

        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::dfgResetGetByID):
        (JSC::DFG::dfgResetPutByID):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::resetPatchGetById):
        (JSC::JIT::resetPatchPutById):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::resetPatchGetById):
        (JSC::JIT::resetPatchPutById):
        * jit/JITWriteBarrier.h:
        (JSC::JITWriteBarrierBase::clearToUnusedPointer):
        (JSC::JITWriteBarrierBase::get):
        * jit/UnusedPointer.h: Added.

2012-12-20  Filip Pizlo  <fpizlo@apple.com>

        DFG shouldn't emit CheckStructure on array accesses if exit profiling tells it not to
        https://bugs.webkit.org/show_bug.cgi?id=105577

        Reviewed by Mark Hahnenberg.
        
        I don't know why this wasn't there from the beginning.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getArrayModeAndEmitChecks):

2012-12-19  Filip Pizlo  <fpizlo@apple.com>

        DFG speculation checks that take JumpList should consolidate OSRExits
        https://bugs.webkit.org/show_bug.cgi?id=105401

        Reviewed by Oliver Hunt.

        Change OSRExitCompilationInfo to always contain a JumpList, and change JumpList
        to be more compact. This way, a speculationCheck that takes a JumpList only has
        to emit one OSRExit structure, and one OSRExit landing pad.
        
        The downside is that we get less precise information about *where* we exited
        from. So, this also includes changes to the profiler to be more relaxed about
        what an ExitSite is.

        * assembler/AbstractMacroAssembler.h:
        (JumpList):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (DFG):
        (JSC::DFG::JITCompiler::appendExitInfo):
        (JITCompiler):
        * dfg/DFGOSRExitCompilationInfo.h:
        (OSRExitCompilationInfo):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculationCheck):
        (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
        (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck):
        * profiler/ProfilerCompilation.cpp:
        (JSC::Profiler::Compilation::addOSRExitSite):
        * profiler/ProfilerCompilation.h:
        (Compilation):
        * profiler/ProfilerOSRExitSite.cpp:
        (JSC::Profiler::OSRExitSite::toJS):
        * profiler/ProfilerOSRExitSite.h:
        (JSC::Profiler::OSRExitSite::OSRExitSite):
        (JSC::Profiler::OSRExitSite::codeAddress):
        (OSRExitSite):

2012-12-19  Oliver Hunt  <oliver@apple.com>

        Fix some incorrect tests in testapi.c

        Reviewed by Simon Fraser.

        * API/tests/testapi.c:
        (main):

2012-12-19  Filip Pizlo  <fpizlo@apple.com>

        JSObject::ensure<IndexingType> should gracefully handle InterceptsGetOwn..., and should never be called when the 'this' is not an object
        https://bugs.webkit.org/show_bug.cgi?id=105468

        Reviewed by Mark Hahnenberg, Oliver Hunt, and Gavin Barraclough.

        Changed JSObject::ensure<IndexingType> methods to gracefully handle
        InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero. Most of them handle it by returning
        null as a result of indexingShouldBeSparse() returning true, while ensureArrayStorage handles it
        by entering dictionary indexing mode, which forces the object to behave correctly even if there
        is proxying or weird prototype stuff going on.
        
        Changed DFGOperations entrypoints to reject non-objects, so that JSObject doesn't have to deal
        with pretending to be JSString. In particular, this would go wrong in the ArrayStorage case
        since we'd try to resize a butterfly on a JSString, but JSString has something other than
        m_butterfly at that offset.
        
        Finally, removed all InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero from JIT code
        since those are now redundant.

        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::arrayify):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * runtime/JSObject.cpp:
        (JSC::JSObject::enterDictionaryIndexingMode):
        (JSC::JSObject::ensureInt32Slow):
        (JSC::JSObject::ensureDoubleSlow):
        (JSC::JSObject::ensureContiguousSlow):
        (JSC::JSObject::ensureArrayStorageSlow):
        (JSC):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
        * runtime/JSObject.h:
        (JSObject):

2012-12-19  Oliver Hunt  <oliver@apple.com>

        Tidy up JSScriptRef API
        https://bugs.webkit.org/show_bug.cgi?id=105470

        Reviewed by Anders Carlsson.

        People found the API's use of a context confusing, so we'll switch to a JSContextGroup based
        API, and drop a number of the unnecessary uses of contexts.

        * API/JSScriptRef.cpp:
        (OpaqueJSScript::globalData):
        (parseScript):
        * API/JSScriptRefPrivate.h:
        * API/tests/testapi.c:
        (main):

2012-12-19  Alexis Menard  <alexis@webkit.org>

        Implement CSS parsing for CSS transitions unprefixed.
        https://bugs.webkit.org/show_bug.cgi?id=104804

        Reviewed by Dean Jackson.

        Add a new flag ENABLE_CSS_TRANSFORMS_ANIMATIONS_TRANSITIONS_UNPREFIXED
        to cover the work of unprefixing Transforms, Animations and 
        Transitions. It will let the possibility of each ports to turn it off 
        in their release branches until we're confident that these CSS 
        properties are ready to be unprefixed.

        * Configurations/FeatureDefines.xcconfig:

2012-12-18  Filip Pizlo  <fpizlo@apple.com>

        Proxies should set InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero
        https://bugs.webkit.org/show_bug.cgi?id=105379

        Reviewed by Gavin Barraclough.

        Forgetting to set this flag led to the DFG trying to ensure array storage on a proxy. I've
        now hardened the code with a release assertion as well as fixing the bug. A release assertion
        is appropriate here since this is slow-path code.

        * runtime/JSObject.cpp:
        (JSC::JSObject::enterDictionaryIndexingMode):
        (JSC::JSObject::ensureInt32Slow):
        (JSC::JSObject::ensureDoubleSlow):
        (JSC::JSObject::ensureContiguousSlow):
        (JSC::JSObject::ensureArrayStorageSlowNoCheck):
        (JSC::JSObject::ensureArrayStorageSlow):
        (JSC):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
        * runtime/JSObject.h:
        (JSObject):
        * runtime/JSProxy.h:
        (JSProxy):

2012-12-18  Oliver Hunt  <oliver@apple.com>

        Add a JSScriptRef API to JSC so that we can allow API users to avoid the full cost of reparsing everytime the execute a script.
        https://bugs.webkit.org/show_bug.cgi?id=105340

        Reviewed by Gavin Barraclough.

        This patch adds a (currently private) API to allow users of the JSC API to create a JSScript object
        that references a reusable version of the script that they wish to evaluate.  This can help us avoid
        numeorus copies that are otherwise induced by our existing API and gives us an opaque object that we
        can hang various caches off.  Currently this is simply a simple SourceProvider, but in future we may
        be able to add more caching without requiring new/replacement APIs. 

        * API/JSScriptRef.cpp: Added.
        * API/JSScriptRefPrivate.h: Added.
        * API/tests/testapi.c:
          Add tests for new APIs.
        * JavaScriptCore.xcodeproj/project.pbxproj:

2012-12-18  Filip Pizlo  <fpizlo@apple.com>

        DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode incorrectly checks for non-array array storage when it should be checking for array array storage
        https://bugs.webkit.org/show_bug.cgi?id=105365

        Reviewed by Mark Hahnenberg.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):

2012-12-18  Filip Pizlo  <fpizlo@apple.com>

        SunSpider/date-format-tofte shouldn't compile each of the tiny worthless eval's only to OSR exit in the prologue every time
        https://bugs.webkit.org/show_bug.cgi?id=105335

        Reviewed by Geoffrey Garen.

        The first thing I did was restructure the logic of canInlineResolveOperations(),
        because I didn't understand it. This was relevant because the OSR exits are
        caused by a resolve that the DFG cannot handle.
        
        I was then going to make it so that we didn't compile the resolve at all, but
        realized that this would not be the best fix: it didn't seem sensible to me to
        be optimizing these evals after only 60 invocations. Evals should have a higher
        threshold, since they often contain code for which the baseline JIT does a
        pretty good job already (if all you've got is a single heap access or a single
        hard-to-inline call, then the baseline JIT has got you covered), and typically
        if we see one eval code block we expect to see more (from the same eval site):
        so our typical low threshold could lead to a *lot* of compilation. As such, the
        main effect of this patch is to introduce an evalThresholdMultiplier, which is
        now set to 10.
        
        This is a ~5% speed-up on data-format-tofte. No regressions anywhere as far as
        I can see.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::codeTypeThresholdMultiplier):
        (JSC):
        (JSC::CodeBlock::optimizationThresholdScalingFactor):
        (JSC::CodeBlock::exitCountThresholdForReoptimization):
        (JSC::CodeBlock::exitCountThresholdForReoptimizationFromLoop):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canInlineResolveOperations):
        * dfg/DFGOSRExitCompiler.cpp:
        * runtime/Options.h:
        (JSC):

2012-12-18  Filip Pizlo  <fpizlo@apple.com>

        Convert indexingTypeToString to IndexingTypeDump
        https://bugs.webkit.org/show_bug.cgi?id=105351

        Reviewed by Mark Hahnenberg.

        This gets rid of another case of static char buffer[thingy].

        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * runtime/IndexingType.cpp:
        (JSC::dumpIndexingType):
        * runtime/IndexingType.h:
        (JSC):
        * runtime/JSValue.cpp:
        (JSC::JSValue::dump):

2012-12-18  Beth Dakin  <bdakin@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=102579
        [mac] Enable scaled cursors

        Reviewed by Dean Jackson.

        * Configurations/FeatureDefines.xcconfig:

2012-12-18  Mark Hahnenberg  <mhahnenberg@apple.com>

        Restrictions on oversize CopiedBlock allocations should be relaxed
        https://bugs.webkit.org/show_bug.cgi?id=105339

        Reviewed by Filip Pizlo.

        Currently the DFG has a single branch in the inline allocation path for property/array storage where 
        it checks to see if the number of bytes requested will fit in the current block. This does not match 
        what the C++ allocation path does; it checks if the requested number of bytes is oversize, and then 
        if it's not, it tries to fit it in the current block. The garbage collector assumes that ALL allocations 
        that are greater than 16KB are in oversize blocks. Therefore, this mismatch can lead to crashes when 
        the collector tries to perform some operation on a CopiedBlock.

        To avoid adding an extra branch to the inline allocation path in the JIT, we should make it so that 
        oversize blocks are allocated on the same alignment boundaries so that there is a single mask to find 
        the block header of any CopiedBlock (rather than two, one for normal and one for oversize blocks), and 
        we should figure out if a block is oversize by some other method than just whatever the JSObject says 
        it is. One way we could record this info Region of the block, since we allocate a one-off Region for 
        oversize blocks.

        * heap/BlockAllocator.h:
        (JSC::Region::isCustomSize): 
        (Region):
        (JSC::Region::createCustomSize):
        (JSC::Region::Region):
        (JSC::BlockAllocator::deallocateCustomSize):
        * heap/CopiedBlock.h:
        (CopiedBlock):
        (JSC::CopiedBlock::isOversize): 
        (JSC):
        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::tryAllocateOversize):
        (JSC::CopiedSpace::tryReallocate):
        (JSC::CopiedSpace::tryReallocateOversize):
        * heap/CopiedSpace.h:
        (CopiedSpace): 
        * heap/CopiedSpaceInlines.h:
        (JSC::CopiedSpace::contains):
        (JSC::CopiedSpace::tryAllocate):
        (JSC):
        * heap/CopyVisitor.h:
        (CopyVisitor):
        * heap/CopyVisitorInlines.h:
        (JSC::CopyVisitor::checkIfShouldCopy):
        (JSC::CopyVisitor::didCopy):
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::copyLater):
        * runtime/JSObject.cpp:
        (JSC::JSObject::copyButterfly):

2012-12-18  Joseph Pecoraro  <pecoraro@apple.com>

        [Mac] Add Build Phase to Check Headers for Inappropriate Macros (Platform.h macros)
        https://bugs.webkit.org/show_bug.cgi?id=104279

        Reviewed by David Kilzer.

        Add a build phase to check the public JavaScriptCore headers for
        inappropriate macros.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2012-12-18  Michael Saboff  <msaboff@apple.com>

        [Qt] Fix the ARMv7 build after r137976
        https://bugs.webkit.org/show_bug.cgi?id=105270

        Reviewed by Csaba Osztrogonác.

        Add default value for Jump parameter to fix build.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::Jump::Jump):

2012-12-17  Geoffrey Garen  <ggaren@apple.com>

        Constant fold !{number} in the parser
        https://bugs.webkit.org/show_bug.cgi?id=105232

        Reviewed by Filip Pizlo.

        Typically, we wait for hot execution and constant fold in the DFG.
        However, !0 and !1 are common enough in minifiers that it can be good
        to get them out of the way early, for faster/smaller parsing and startup.

        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createLogicalNot): !{literal} is super simple, especially
        since there's no literal form of NaN or Inf.

2012-12-17  Filip Pizlo  <fpizlo@apple.com>

        DFG is too aggressive eliding overflow checks for additions involving large constants
        https://bugs.webkit.org/show_bug.cgi?id=105239

        Reviewed by Gavin Barraclough.

        If we elide overflow checks on an addition (or subtraction) involving a larger-than-2^32 immediate,
        then make sure that the non-constant child of the addition knows that he's got to do an overflow
        check, by flowing the UsedAsNumber property at him.

        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::addSpeculationMode):
        (Graph):
        (JSC::DFG::Graph::addShouldSpeculateInteger):
        (JSC::DFG::Graph::addImmediateShouldSpeculateInteger):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):

2012-12-17  Michael Saboff  <msaboff@apple.com>

        DFG: Refactor DFGCorrectableJumpPoint to reduce size of OSRExit data
        https://bugs.webkit.org/show_bug.cgi?id=105237

        Reviewed by Filip Pizlo.

        Replaced DFGCorrectableJumpPoint with OSRExitCompilationInfo which is used and kept alive only while we are
        compiling in the DFG.  Moved the patchable branch offset directly into OSRExit.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * assembler/AbstractMacroAssembler.h:
        * dfg/DFGCorrectableJumpPoint.cpp: Removed.
        * dfg/DFGCorrectableJumpPoint.h: Removed.
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::appendExitJump):
        (JITCompiler):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::OSRExit):
        (JSC::DFG::OSRExit::setPatchableCodeOffset):
        (JSC::DFG::OSRExit::getPatchableCodeOffsetAsJump):
        (JSC::DFG::OSRExit::codeLocationForRepatch):
        (JSC::DFG::OSRExit::correctJump):
        * dfg/DFGOSRExit.h:
        (OSRExit):
        * dfg/DFGOSRExitCompilationInfo.h: Added.
        (OSRExitCompilationInfo):
        (JSC::DFG::OSRExitCompilationInfo::OSRExitCompilationInfo):
        (JSC::DFG::OSRExitCompilationInfo::failureJump):
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculationCheck):
        (JSC::DFG::SpeculativeJIT::speculationWatchpoint):

2012-12-17  Filip Pizlo  <fpizlo@apple.com>

        DFG is too aggressive with eliding overflow checks in loops
        https://bugs.webkit.org/show_bug.cgi?id=105226

        Reviewed by Mark Hahnenberg and Oliver Hunt.

        If we see a variable's live range cross basic block boundaries, conservatively assume that it may
        be part of a data-flow back-edge, and as a result, we may have entirely integer operations that
        could lead to the creation of an integer that is out of range of 2^52 (the significand of a double
        float). This does not seem to regress any of the benchmarks we care about, and it fixes the bug.
        
        In future we may want to actually look at whether or not there was a data-flow back-edge instead
        of being super conservative about it. But we have no evidence, yet, that this would help us on
        real code.

        * dfg/DFGNodeFlags.h:
        (DFG):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):

2012-12-17  Mark Hahnenberg  <mhahnenberg@apple.com>

        Butterfly::growArrayRight shouldn't be called on null Butterfly objects
        https://bugs.webkit.org/show_bug.cgi?id=105221

        Reviewed by Filip Pizlo.

        Currently we depend upon the fact that Butterfly::growArrayRight works with null Butterfly 
        objects purely by coincidence. We should add a new static function that null checks the old 
        Butterfly object and creates a new one if it's null, or calls growArrayRight if it isn't for 
        use in the couple of places in JSObject that expect such behavior to work.

        * runtime/Butterfly.h:
        (Butterfly):
        * runtime/ButterflyInlines.h:
        (JSC::Butterfly::createOrGrowArrayRight):
        (JSC):
        * runtime/JSObject.cpp:
        (JSC::JSObject::createInitialIndexedStorage):
        (JSC::JSObject::createArrayStorage):

2012-12-17  Filip Pizlo  <fpizlo@apple.com>

        javascript integer overflow
        https://bugs.webkit.org/show_bug.cgi?id=104967

        Reviewed by Mark Hahnenberg.

        Fix PutScopedVar backward flow.

        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):

2012-12-16  Filip Pizlo  <fpizlo@apple.com>

        Rationalize array profiling for out-of-bounds and hole cases
        https://bugs.webkit.org/show_bug.cgi?id=105139

        Reviewed by Geoffrey Garen.

        This makes ArrayProfile track whether or not we had out-of-bounds, which allows
        for more precise decision-making in the DFG.
        
        Also cleaned up ExitKinds for out-of-bounds and hole cases to make it easier to
        look at them in the profiler.
        
        Slight speed-up (5-8%) on SunSpider/crypto-md5.

        * bytecode/ArrayProfile.cpp:
        (JSC::ArrayProfile::computeUpdatedPrediction):
        (JSC::ArrayProfile::briefDescription):
        * bytecode/ArrayProfile.h:
        (JSC::ArrayProfile::ArrayProfile):
        (JSC::ArrayProfile::addressOfOutOfBounds):
        (JSC::ArrayProfile::expectedStructure):
        (JSC::ArrayProfile::structureIsPolymorphic):
        (JSC::ArrayProfile::outOfBounds):
        (JSC::ArrayProfile::polymorphicStructure):
        * bytecode/CodeBlock.cpp:
        (JSC::dumpChain):
        * bytecode/ExitKind.cpp:
        (JSC::exitKindToString):
        (JSC::exitKindIsCountable):
        * bytecode/ExitKind.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getArrayModeAndEmitChecks):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JIT.h:
        * jit/JITInlines.h:
        (JSC::JIT::emitArrayProfileOutOfBoundsSpecialCase):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emitSlow_op_put_by_val):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emitSlow_op_put_by_val):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2012-12-17  Balazs Kilvady  <kilvadyb@homejinni.com>

        Implement add64 for MIPS assembler after r136601
        https://bugs.webkit.org/show_bug.cgi?id=104106

        Reviewed by Zoltan Herczeg.

        Added add64 function to MacroAssebler of MIPS.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::add32):
        (JSC::MacroAssemblerMIPS::add64):
        (MacroAssemblerMIPS):

2012-12-17  Jonathan Liu  <net147@gmail.com>

        Fix Math.pow implementation with MinGW-w64
        https://bugs.webkit.org/show_bug.cgi?id=105087

        Reviewed by Simon Hausmann.

        The MinGW-w64 runtime has different behaviour for pow()
        compared to other C runtimes. This results in the following
        test262 tests failing with the latest MinGW-w64 runtime:
        - S15.8.2.13_A14
        - S15.8.2.13_A16
        - S15.8.2.13_A20
        - S15.8.2.13_A22

        Handle the special cases that are different with MinGW-w64.

        * runtime/MathObject.cpp:
        (JSC::mathPow):

2012-12-16  Filip Pizlo  <fpizlo@apple.com>

        Bytecode dumping should show rare case profiles
        https://bugs.webkit.org/show_bug.cgi?id=105133

        Reviewed by Geoffrey Garen.

        Refactored the dumper to call dumpBytecodeCommandAndNewLine in just one place,
        rather than in all of the places. Changed the rare case profile getters to use
        tryBinarySearch rather than binarySearch, so that they can be used speculatively
        even if you don't know that the bytecode has rare case profiles. This actually
        increases our assertion level, since it means that in release builds we will get
        null and crash rather than getting some random adjacent profile. And then this
        adds some printing of the rare case profiles.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printUnaryOp):
        (JSC::CodeBlock::printBinaryOp):
        (JSC::CodeBlock::printConditionalJump):
        (JSC::CodeBlock::printCallOp):
        (JSC::CodeBlock::printPutByIdOp):
        (JSC::CodeBlock::beginDumpProfiling):
        (JSC):
        (JSC::CodeBlock::dumpValueProfiling):
        (JSC::CodeBlock::dumpArrayProfiling):
        (JSC::CodeBlock::dumpRareCaseProfile):
        (JSC::CodeBlock::dumpBytecode):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::rareCaseProfileForBytecodeOffset):
        (JSC::CodeBlock::specialFastCaseProfileForBytecodeOffset):

2012-12-13  Filip Pizlo  <fpizlo@apple.com>

        Attempt to rationalize and simplify WTF::binarySearch
        https://bugs.webkit.org/show_bug.cgi?id=104890

        Reviewed by Maciej Stachowiak.

        Switch to using the new binarySearch() API. No change in behavior.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::bytecodeOffset):
        (JSC::CodeBlock::codeOriginForReturn):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::getStubInfo):
        (JSC::CodeBlock::getByValInfo):
        (JSC::CodeBlock::getCallLinkInfo):
        (JSC::CodeBlock::dfgOSREntryDataForBytecodeIndex):
        (JSC::CodeBlock::valueProfileForBytecodeOffset):
        (JSC::CodeBlock::rareCaseProfileForBytecodeOffset):
        (JSC::CodeBlock::specialFastCaseProfileForBytecodeOffset):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::blockIndexForBytecodeOffset):
        * dfg/DFGMinifiedGraph.h:
        (JSC::DFG::MinifiedGraph::at):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * profiler/ProfilerBytecodeSequence.cpp:
        (JSC::Profiler::BytecodeSequence::indexForBytecodeIndex):

2012-12-13  Filip Pizlo  <fpizlo@apple.com>

        Don't assert that flags <= 0x3ff in JSTypeInfo
        https://bugs.webkit.org/show_bug.cgi?id=104988

        Reviewed by Sam Weinig.

        This assertion doesn't accomplish anything other than crashes.

        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::TypeInfo):

2012-12-13  Filip Pizlo  <fpizlo@apple.com>

        Named lookups on HTML documents produce inconsistent results in JavaScriptCore bindings
        https://bugs.webkit.org/show_bug.cgi?id=104623

        Reviewed by Geoffrey Garen.

        Add the notion of objects that HasImpureGetOwnPropertySlot, and use that to inhibit prototype chain caching
        in some cases. This appears to be perf-neutral on benchmarks that we track.

        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryCacheGetByID):
        (JSC::DFG::tryBuildGetByIDProtoList):
        * jit/JITStubs.cpp:
        (JSC::JITThunks::tryCacheGetByID):
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/JSTypeInfo.h:
        (JSC):
        (JSC::TypeInfo::hasImpureGetOwnPropertySlot):
        * runtime/Operations.h:
        (JSC::normalizePrototypeChainForChainAccess):

2012-12-13  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, roll out http://trac.webkit.org/changeset/137683.
        It broke gmail.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::putStructureStoreElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/Operations.cpp:
        (JSC::jsTypeStringForValue):
        (JSC):
        * runtime/Operations.h:
        (JSC):

2012-13-11  Oliver Hunt  <oliver@apple.com>

        Support op_typeof in the DFG
        https://bugs.webkit.org/show_bug.cgi?id=98898

        Reviewed by Filip Pizlo.

        Adds a TypeOf node to the DFG to support op_typeof. 

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
          We try to determine the result early here, and substitute in a constant.
          Otherwise we leave the node intact, and set the result type to SpecString.
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
          Parse op_typeof
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
          TypeOf nodes can be subjected to pure CSE
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
          We can handle typeof.
        * dfg/DFGNodeType.h:
        (DFG):
          Define the node.
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
          Add operationTypeOf to support the non-trivial cases.
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
          Actual codegen
        * runtime/Operations.cpp:
        (JSC::jsTypeStringForValue):
        (JSC):
        * runtime/Operations.h:
        (JSC):
          Some refactoring to allow us to get the type string for an
          object without needing a callframe.

2012-12-12  Filip Pizlo  <fpizlo@apple.com>

        OSR exit compiler should emit code for resetting the execution counter that matches the logic of ExecutionCounter.cpp
        https://bugs.webkit.org/show_bug.cgi?id=104791

        Reviewed by Oliver Hunt.

        The OSR exit compiler wants to make it so that every OSR exit does the equivalent
        of:
        
        codeBlock->m_jitExecuteCounter.setNewThreshold(
            codeBlock->counterValueForOptimizeAfterLongWarmUp());
        
        This logically involves:
        
        - Resetting the counter to zero.
        - Setting m_activeThreshold to counterValueForOptimizeAfterLongWarmUp().
        - Figuring out the scaled threshold, subtracting the count so far (which is zero,
          so this part is a no-op), and clipping (ExecuteCounter::clippedThreshold()).
        - Setting m_counter to the negated clipped threshold.
        - Setting m_totalCount to the previous count so far (which is zero) plus the
          clipped threshold.
        
        Because of the reset, which sets the count-so-far to zero, this amounts to:
        
        - Setting m_activeThreshold to counterValueForOptimizeAfterLongWarmUp().
        - Figuring out the clipped scaled threshold.
        - Setting m_counter to the negated clipped scaled threshold.
        - Setting m_totalCount to the (positive) clipped scaled threshold.
        
        The code was previously not doing this, but now is. This is performance neutral.
        The only change in behavior over what the code was previously doing (setting the
        m_counter to the negated scaled threshold, without clipping, and then setting
        the m_totalCount to the clipped scaled threshold) is that this will respond more
        gracefully under memory pressure and will ensure that we get more value profile
        LUBing before triggering recompilation. More LUBing is almost always a good
        thing.

        * dfg/DFGOSRExitCompiler.cpp:
        (JSC::DFG::OSRExitCompiler::handleExitCounts):

2012-12-12  Ilya Tikhonovsky  <loislo@chromium.org>

        Web Inspector: Native Memory Instrumentation: remove fake root MemoryObjectInfo.
        https://bugs.webkit.org/show_bug.cgi?id=104796

        Reviewed by Yury Semikhatsky.

        It was not a good idea to introduce a fake root MemoryObjectInfo.
        It makes a problem when we visit an object without its own MemoryObjectType.

        Example: RenderBox has a global pointer to a hash map.
        HashMap doesn't have its own object type because it is a generic container.
        It will inherit object type from the fake root memory object info.
        The same could happen for another container in another class with other MemoryObjectType.

        This fact forces me to create custom process method for root objects
        because they need to have their own MemoryObjectInfo with customisable memory object type.

        Drive by fix: InstrumentedPointer* was replaced with Wrapper* because actually it is using
        for instrumented and not instrumented object classes.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-12-11  Gabor Ballabas  <gaborb@inf.u-szeged.hu>

        Implement add64 for ARM traditional assembler after r136601
        https://bugs.webkit.org/show_bug.cgi?id=104103

        Reviewed by Zoltan Herczeg.

        Implement add64 function for ARM traditional macroassembler.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::add64):
        (MacroAssemblerARM):

2012-12-11  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed. Fix build with DFG_ENABLE(DEBUG_PROPAGATION_VERBOSE).

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::tallyFrequentExitSites):

2012-12-11  Filip Pizlo  <fpizlo@apple.com>

        Profiler should show bytecode dumps as they would have been visible to the JITs, including the profiling data that the JITs would see
        https://bugs.webkit.org/show_bug.cgi?id=104647

        Reviewed by Oliver Hunt.

        Adds more profiling data to bytecode dumps, and adds the ability to do a secondary
        bytecode dump for each JIT compilation of a code block. This is relevant because both
        the bytecodes, and the profiling data, may change after some number of executions.
        
        Also fixes some random dumping code to use PrintStream& rather than
        static const char[thingy].

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/ArrayProfile.cpp:
        (JSC::dumpArrayModes):
        (JSC::ArrayProfile::briefDescription):
        * bytecode/ArrayProfile.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printGetByIdOp):
        (JSC::CodeBlock::printGetByIdCacheStatus):
        (JSC::CodeBlock::printCallOp):
        (JSC::CodeBlock::dumpValueProfiling):
        (JSC::CodeBlock::dumpArrayProfiling):
        (JSC::CodeBlock::dumpBytecode):
        * bytecode/CodeBlock.h:
        * bytecode/ValueProfile.h:
        (JSC::ValueProfileBase::briefDescription):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::dump):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * profiler/ProfilerBytecodeSequence.cpp: Added.
        (JSC::Profiler::BytecodeSequence::BytecodeSequence):
        (JSC::Profiler::BytecodeSequence::~BytecodeSequence):
        (JSC::Profiler::BytecodeSequence::indexForBytecodeIndex):
        (JSC::Profiler::BytecodeSequence::forBytecodeIndex):
        (JSC::Profiler::BytecodeSequence::addSequenceProperties):
        * profiler/ProfilerBytecodeSequence.h: Added.
        (JSC::Profiler::BytecodeSequence::size):
        (JSC::Profiler::BytecodeSequence::at):
        * profiler/ProfilerBytecodes.cpp:
        (JSC::Profiler::Bytecodes::Bytecodes):
        (JSC::Profiler::Bytecodes::toJS):
        * profiler/ProfilerBytecodes.h:
        (JSC::Profiler::Bytecodes::instructionCount):
        * profiler/ProfilerCompilation.cpp:
        (JSC::Profiler::Compilation::addProfiledBytecodes):
        (JSC::Profiler::Compilation::toJS):
        * profiler/ProfilerCompilation.h:
        (JSC::Profiler::Compilation::profiledBytecodesSize):
        (JSC::Profiler::Compilation::profiledBytecodesAt):
        * profiler/ProfilerDatabase.cpp:
        (JSC::Profiler::Database::ensureBytecodesFor):
        * profiler/ProfilerDatabase.h:
        * profiler/ProfilerProfiledBytecodes.cpp: Added.
        (JSC::Profiler::ProfiledBytecodes::ProfiledBytecodes):
        (JSC::Profiler::ProfiledBytecodes::~ProfiledBytecodes):
        (JSC::Profiler::ProfiledBytecodes::toJS):
        * profiler/ProfilerProfiledBytecodes.h: Added.
        (JSC::Profiler::ProfiledBytecodes::bytecodes):
        * runtime/CommonIdentifiers.h:

2012-12-11  Oswald Buddenhagen  <oswald.buddenhagen@digia.com>

        [Qt] delete dead include paths

        Reviewed by Simon Hausmann.

        followup to https://bugs.webkit.org/show_bug.cgi?id=93446

        * JavaScriptCore.pri:

2012-12-11  Julien BRIANCEAU   <jbrianceau@nds.com>

        Implement add64 for SH4 assembler to fix build after r136601
        https://bugs.webkit.org/show_bug.cgi?id=104377

        Reviewed by Zoltan Herczeg.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::add64):
        (MacroAssemblerSH4):

2012-12-10  Yury Semikhatsky  <yurys@chromium.org>

        Memory instrumentation: make sure each edge is reported only once
        https://bugs.webkit.org/show_bug.cgi?id=104630

        Reviewed by Pavel Feldman.

        Changed exported symbols for MemoryInstrumentation.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-12-10  Filip Pizlo  <fpizlo@apple.com>

        Don't OSR exit just because a string is a rope
        https://bugs.webkit.org/show_bug.cgi?id=104621

        Reviewed by Michael Saboff.

        Slight SunSpider speed-up at around the 0.7% level. This patch does the obvious
        thing of calling a slow path to resolve ropes rather than OSR exiting if the
        string is a rope.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGArrayMode.h:
        (JSC::DFG::ArrayMode::getIndexedPropertyStorageMayTriggerGC):
        (ArrayMode):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::putStructureStoreElimination):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):

2012-12-10  Gustavo Noronha Silva  <gns@gnome.org>

        Unreviewed distcheck fix.

        * GNUmakefile.list.am:

2012-12-10  Filip Pizlo  <fpizlo@apple.com>

        JSC profiling and debug dump code should use inferred names when possible
        https://bugs.webkit.org/show_bug.cgi?id=104519

        Reviewed by Oliver Hunt.

        This does as advertised: the profiler now knows the inferred name of all code blocks,
        and all uses of CodeBlock::dump() dump it along with the hash.
        
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::inferredName):
        (JSC::CodeBlock::dumpAssumingJITType):
        * bytecode/CodeBlock.h:
        * profiler/ProfilerBytecodes.cpp:
        (JSC::Profiler::Bytecodes::Bytecodes):
        (JSC::Profiler::Bytecodes::toJS):
        * profiler/ProfilerBytecodes.h:
        (JSC::Profiler::Bytecodes::inferredName):
        * profiler/ProfilerDatabase.cpp:
        (JSC::Profiler::Database::addBytecodes):
        (JSC::Profiler::Database::ensureBytecodesFor):
        * profiler/ProfilerDatabase.h:
        * runtime/CommonIdentifiers.h:

2012-12-09  Filip Pizlo  <fpizlo@apple.com>

        Profiler should say things about OSR exits
        https://bugs.webkit.org/show_bug.cgi?id=104497

        Reviewed by Oliver Hunt.

        This adds support for profiling OSR exits. For each exit that is taken, the profiler
        records the machine code address that the exit occurred on, the exit kind, the origin
        stack, and the number of times that it happened.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * assembler/AbstractMacroAssembler.h:
        (Jump):
        (JSC::AbstractMacroAssembler::Jump::label):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::saveCompilation):
        (CodeBlock):
        (JSC::CodeBlock::compilation):
        (DFGData):
        * bytecode/DFGExitProfile.h:
        (DFG):
        * bytecode/ExitKind.cpp: Added.
        (JSC):
        (JSC::exitKindToString):
        (JSC::exitKindIsCountable):
        (WTF):
        (WTF::printInternal):
        * bytecode/ExitKind.h: Added.
        (JSC):
        (WTF):
        * dfg/DFGGraph.h:
        (Graph):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGJITCompiler.h:
        (JITCompiler):
        * dfg/DFGOSRExitCompiler.cpp:
        * jit/JIT.cpp:
        (JSC::JIT::JIT):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        (JIT):
        * jit/JumpReplacementWatchpoint.h:
        (JSC::JumpReplacementWatchpoint::sourceLabel):
        (JumpReplacementWatchpoint):
        * profiler/ProfilerCompilation.cpp:
        (JSC::Profiler::Compilation::addOSRExitSite):
        (Profiler):
        (JSC::Profiler::Compilation::addOSRExit):
        (JSC::Profiler::Compilation::toJS):
        * profiler/ProfilerCompilation.h:
        (Compilation):
        * profiler/ProfilerDatabase.cpp:
        (JSC::Profiler::Database::newCompilation):
        * profiler/ProfilerDatabase.h:
        (Database):
        * profiler/ProfilerOSRExit.cpp: Added.
        (Profiler):
        (JSC::Profiler::OSRExit::OSRExit):
        (JSC::Profiler::OSRExit::~OSRExit):
        (JSC::Profiler::OSRExit::toJS):
        * profiler/ProfilerOSRExit.h: Added.
        (Profiler):
        (OSRExit):
        (JSC::Profiler::OSRExit::id):
        (JSC::Profiler::OSRExit::origin):
        (JSC::Profiler::OSRExit::exitKind):
        (JSC::Profiler::OSRExit::isWatchpoint):
        (JSC::Profiler::OSRExit::counterAddress):
        (JSC::Profiler::OSRExit::count):
        * profiler/ProfilerOSRExitSite.cpp: Added.
        (Profiler):
        (JSC::Profiler::OSRExitSite::toJS):
        * profiler/ProfilerOSRExitSite.h: Added.
        (Profiler):
        (OSRExitSite):
        (JSC::Profiler::OSRExitSite::OSRExitSite):
        (JSC::Profiler::OSRExitSite::codeAddress):
        * runtime/CommonIdentifiers.h:

2012-12-10  Alexis Menard  <alexis@webkit.org>

        [CSS3 Backgrounds and Borders] Remove CSS3_BACKGROUND feature flag.
        https://bugs.webkit.org/show_bug.cgi?id=104539

        Reviewed by Antonio Gomes.

        As discussed on webkit-dev it is not needed to keep this feature flag 
        as support for <position> type is a small feature that is already 
        implemented by three other UAs. It was useful while landing this 
        feature as partial bits were landed one after one.

        * Configurations/FeatureDefines.xcconfig:

2012-12-09  Filip Pizlo  <fpizlo@apple.com>

        DFG ArrayPush/Pop should not pass their second child as the index for blessArrayOperation()
        https://bugs.webkit.org/show_bug.cgi?id=104500

        Reviewed by Oliver Hunt.

        Slight across-the-board speed-up.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

2012-12-08  Filip Pizlo  <fpizlo@apple.com>

        JSC should scale the optimization threshold for a code block according to the cost of compiling it
        https://bugs.webkit.org/show_bug.cgi?id=104406

        Reviewed by Oliver Hunt.

        We've long known that we want to scale the execution count threshold needed for the DFG
        to kick in to scale according to some estimate of the cost of compiling that code block.
        This institutes a relationship like this:
        
        threshold = thresholdSetting * (a * sqrt(instructionCount + b) + abs(c * instructionCount) + d
        
        Where a, b, c, d are coefficients derived from fitting the above expression to various
        data points, which I chose based on looking at one benchmark (3d-cube) and from my
        own intuitions.
        
        Making this work well also required changing the thresholdForOptimizeAfterLongWarmUp
        from 5000 to 1000.
        
        This is a >1% speed-up on SunSpider, a >3% speed-up on V8Spider, ~1% speed-up on V8v7,
        neutral on Octane, and neutral on Kraken.
        
        I also out-of-lined a bunch of methods related to these heuristics, because I couldn't
        stand having them defined in the header anymore. I also made improvements to debugging
        code because I needed it for tuning this change.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::sourceCodeForTools):
        (JSC::CodeBlock::sourceCodeOnOneLine):
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::reoptimizationRetryCounter):
        (JSC::CodeBlock::countReoptimization):
        (JSC::CodeBlock::optimizationThresholdScalingFactor):
        (JSC::clipThreshold):
        (JSC::CodeBlock::counterValueForOptimizeAfterWarmUp):
        (JSC::CodeBlock::counterValueForOptimizeAfterLongWarmUp):
        (JSC::CodeBlock::counterValueForOptimizeSoon):
        (JSC::CodeBlock::checkIfOptimizationThresholdReached):
        (JSC::CodeBlock::optimizeNextInvocation):
        (JSC::CodeBlock::dontOptimizeAnytimeSoon):
        (JSC::CodeBlock::optimizeAfterWarmUp):
        (JSC::CodeBlock::optimizeAfterLongWarmUp):
        (JSC::CodeBlock::optimizeSoon):
        (JSC::CodeBlock::adjustedExitCountThreshold):
        (JSC::CodeBlock::exitCountThresholdForReoptimization):
        (JSC::CodeBlock::exitCountThresholdForReoptimizationFromLoop):
        (JSC::CodeBlock::shouldReoptimizeNow):
        (JSC::CodeBlock::shouldReoptimizeFromLoopNow):
        * bytecode/CodeBlock.h:
        * bytecode/ExecutionCounter.cpp:
        (JSC::ExecutionCounter::hasCrossedThreshold):
        * bytecode/ReduceWhitespace.cpp: Added.
        (JSC::reduceWhitespace):
        * bytecode/ReduceWhitespace.h: Added.
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::mightCompileEval):
        (JSC::DFG::mightCompileProgram):
        (JSC::DFG::mightCompileFunctionForCall):
        (JSC::DFG::mightCompileFunctionForConstruct):
        (JSC::DFG::mightInlineFunctionForCall):
        (JSC::DFG::mightInlineFunctionForConstruct):
        * dfg/DFGCapabilities.h:
        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::dumpHeader):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * jit/JITDisassembler.cpp:
        (JSC::JITDisassembler::dumpHeader):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::entryOSR):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * profiler/ProfilerDatabase.cpp:
        (JSC::Profiler::Database::ensureBytecodesFor):
        * runtime/Options.h:

2012-12-07  Jonathan Liu  <net147@gmail.com>

        Add missing forward declaration for JSC::ArrayAllocationProfile
        https://bugs.webkit.org/show_bug.cgi?id=104425

        Reviewed by Kentaro Hara.

        The header for the JSC::ArrayConstructor class is missing a forward
        declaration for the JSC::ArrayAllocationProfile class which causes
        compilation to fail when compiling with MinGW-w64.

        * runtime/ArrayConstructor.h:
        (JSC):

2012-12-07  Jonathan Liu  <net147@gmail.com>

        Add missing const qualifier to JSC::CodeBlock::getJITType()
        https://bugs.webkit.org/show_bug.cgi?id=104424

        Reviewed by Laszlo Gombos.

        JSC::CodeBlock::getJITType() has the const qualifier when JIT is
        enabled but is missing the const qualifier when JIT is disabled.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::getJITType):

2012-12-07  Oliver Hunt  <oliver@apple.com>

        Make function code cache proportional to main codeblock cache
        https://bugs.webkit.org/show_bug.cgi?id=104420

        Reviewed by Geoffrey Garen.

        Makes the constants determining the recently used function cache proportional
        to the number of root codeblocks in the cache.  Also renames the constants to
        make them more clear.
     
        * runtime/CodeCache.h:

2012-12-06  Filip Pizlo  <fpizlo@apple.com>

        Strange results calculating a square root in a loop
        https://bugs.webkit.org/show_bug.cgi?id=104247
        <rdar://problem/12826880>

        Reviewed by Oliver Hunt.

        Fixed the CFG simplification phase to ignore dead GetLocals in the first of the blocks
        under the merge. This fixes the assertion, and is also cleaner: our general rule is
        to not "revive" things that we've already proved to be dead.
        
        Also fixed some rotted debug code.

        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::fixPossibleGetLocal):
        * dfg/DFGStructureCheckHoistingPhase.cpp:
        (JSC::DFG::StructureCheckHoistingPhase::run):

2012-12-07  Geoffrey Garen  <ggaren@apple.com>

        Crash in JSC::Bindings::RootObject::globalObject() sync'ing notes in Evernote
        https://bugs.webkit.org/show_bug.cgi?id=104321
        <rdar://problem/12770497>

        Reviewed by Sam Weinig.

        Work around a JSValueUnprotect(NULL) in Evernote.

        * API/JSValueRef.cpp:
        (evernoteHackNeeded):
        (JSValueUnprotect):

2012-12-06  Filip Pizlo  <fpizlo@apple.com>

        Incorrect inequality for checking whether a statement is within bounds of a handler
        https://bugs.webkit.org/show_bug.cgi?id=104313
        <rdar://problem/12808934>

        Reviewed by Geoffrey Garen.

        The most relevant change is in handlerForBytecodeOffset(), which fixes the inequality
        used for checking whether a handler is pertinent to the current instruction. '<' is
        correct, but '<=' isn't, since the 'end' is not inclusive.
        
        Also found, and addressed, a benign goof in how the finally inliner works: sometimes
        we will have end > start. This falls out naturally from how the inliner works and how
        we pop scopes in the bytecompiler, but it's sufficiently surprising that, to avoid any
        future confusion, I added a comment and some code to prune those handlers out. Because
        of how the handler resolution works, these handlers would have been skipped anyway.
        
        Also made various fixes to debugging code, which was necessary for tracking this down.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::handlerForBytecodeOffset):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):
        * bytecompiler/Label.h:
        (JSC::Label::bind):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::throwException):
        * llint/LLIntExceptions.cpp:
        (JSC::LLInt::interpreterThrowInCaller):
        (JSC::LLInt::returnToThrow):
        (JSC::LLInt::callToThrow):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::handleHostCall):

2012-12-06  Rick Byers  <rbyers@chromium.org>

        CSS cursor property should support webkit-image-set
        https://bugs.webkit.org/show_bug.cgi?id=99493

        Reviewed by Beth Dakin.

        Add ENABLE_MOUSE_CURSOR_SCALE (disabled by default)

        * Configurations/FeatureDefines.xcconfig:

2012-12-06  Laszlo Gombos  <l.gombos@samsung.com>

        [CMake] Consolidate list of files to build for JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=104287

        Reviewed by Gyuyoung Kim.

        Add MemoryStatistics.cpp and ExecutableAllocator.cpp to the common
        list of files and remove them from the port specific lists.

        * CMakeLists.txt:
        * PlatformBlackBerry.cmake:
        * PlatformEfl.cmake:
        * PlatformWinCE.cmake:

2012-12-06  Oliver Hunt  <oliver@apple.com>

        Tell heap that we've released all the compiled code.

        Reviewed by Geoff Garen.

        When we discard compiled code, inform the heap that we've
        released an entire object graph.  This informs the heap that
        it might want to perform a GC soon.

        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::discardAllCode):

2012-12-06  Laszlo Gombos  <l.gombos@samsung.com>

        [EFL] Remove ENABLE_GLIB_SUPPORT CMake variable
        https://bugs.webkit.org/show_bug.cgi?id=104278

        Reviewed by Brent Fulgham.

        The conditional is not required as it is always set for EFL.

        * PlatformEfl.cmake:

2012-12-06  Oliver Hunt  <oliver@apple.com>

        Build fix, last patch rolled out logic that is now needed on ToT.

        * parser/ASTBuilder.h:
        (ASTBuilder):
        (JSC::ASTBuilder::setFunctionStart):
        * parser/Nodes.h:
        (JSC::FunctionBodyNode::setFunctionStart):
        (JSC::FunctionBodyNode::functionStart):
        (FunctionBodyNode):
        * parser/Parser.cpp:
        (JSC::::parseFunctionInfo):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::setFunctionStart):

2012-12-05  Oliver Hunt  <oliver@apple.com>

        Remove harmful string->function cache
        https://bugs.webkit.org/show_bug.cgi?id=104193

        Reviewed by Alexey Proskuryakov.

        Remove the string->function code cache that turned out to actually
        be quite harmful.

        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getFunctionCodeBlock):
        * runtime/CodeCache.h:
        (JSC::CodeCache::clear):

2012-12-05  Halton Huo  <halton.huo@intel.com>

        [CMake] Unify coding style for CMake files
        https://bugs.webkit.org/show_bug.cgi?id=103605

        Reviewed by Laszlo Gombos.

        Update cmake files(.cmake, CMakeLists.txt) with following style rules:
        1. Indentation
        1.1 Use spaces, not tabs.
        1.2 Four spaces as indent.
        2. Spacing
        2.1 Place one space between control statements and their parentheses.
            For eg, if (), else (), elseif (), endif (), foreach (),
            endforeach (), while (), endwhile (), break ().
        2.2 Do not place spaces between function and macro statements and
            their parentheses. For eg, macro(), endmacro(), function(),
            endfunction().
        2.3 Do not place spaces between a command or function or macro and its
            parentheses, or between a parenthesis and its content. For eg,
            message("testing") not message( "testing") or message ("testing" )
        2.4 No space at line ending.
        3. Lowercase when call commands macros and functions. For eg,
           add_executable() not ADD_EXECUTABLE(), set() not SET().

        * CMakeLists.txt:
        * PlatformBlackBerry.cmake:
        * PlatformEfl.cmake:
        * PlatformWinCE.cmake:
        * shell/CMakeLists.txt:
        * shell/PlatformBlackBerry.cmake:
        * shell/PlatformEfl.cmake:
        * shell/PlatformWinCE.cmake:

2012-12-05  Oliver Hunt  <oliver@apple.com>

        Empty parse cache when receiving a low memory warning
        https://bugs.webkit.org/show_bug.cgi?id=104161

        Reviewed by Filip Pizlo.

        This adds a function to the globaldata to empty all code related data
        structures (code in the heap and the code cache).
        It also adds a function to allow the CodeCache to actually be cleared
        at all. 

        * runtime/CodeCache.h:
        (CacheMap):
        (JSC::CacheMap::clear):
        (JSC::CodeCache::clear):
        (CodeCache):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::discardAllCode):
        (JSC):
        * runtime/JSGlobalData.h:
        (JSGlobalData):

2012-12-05  Filip Pizlo  <fpizlo@apple.com>

        JSC profiler should not count executions of op_call_put_result because doing so changes DFG codegen
        https://bugs.webkit.org/show_bug.cgi?id=104102

        Reviewed by Oliver Hunt.

        This removes op_call_put_result from profiling, since profiling it has an effect on
        codegen. This fix enables all of SunSpider, V8, and Kraken to be profiled with the
        new profiler.
        
        To make this all fit together, the profiler now also reports in its output the exact
        bytecode opcode name for each instruction (in addition to the stringified dump of that
        bytecode), so that tools that grok the output can take note of op_call_put_result and
        work around the fact that it has no counts.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * profiler/ProfilerBytecode.cpp:
        (JSC::Profiler::Bytecode::toJS):
        * profiler/ProfilerBytecode.h:
        (JSC::Profiler::Bytecode::Bytecode):
        (JSC::Profiler::Bytecode::opcodeID):
        (Bytecode):
        * profiler/ProfilerDatabase.cpp:
        (JSC::Profiler::Database::ensureBytecodesFor):
        * runtime/CommonIdentifiers.h:

2012-12-04  Filip Pizlo  <fpizlo@apple.com>

        display-profiler-output should be able to show source code
        https://bugs.webkit.org/show_bug.cgi?id=104073

        Reviewed by Oliver Hunt.

        Modify the profiler database to store source code. For functions, we store the
        function including the function signature.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::unlinkedCodeBlock):
        (CodeBlock):
        * profiler/ProfilerBytecodes.cpp:
        (JSC::Profiler::Bytecodes::Bytecodes):
        (JSC::Profiler::Bytecodes::toJS):
        * profiler/ProfilerBytecodes.h:
        (Bytecodes):
        (JSC::Profiler::Bytecodes::sourceCode):
        * profiler/ProfilerDatabase.cpp:
        (JSC::Profiler::Database::addBytecodes):
        (JSC::Profiler::Database::ensureBytecodesFor):
        * profiler/ProfilerDatabase.h:
        (Database):
        * runtime/CommonIdentifiers.h:
        * runtime/Executable.h:
        (FunctionExecutable):
        (JSC::FunctionExecutable::unlinkedExecutable):

2012-12-02  Filip Pizlo  <fpizlo@apple.com>

        JSC should be able to report profiling data associated with the IR dumps and disassembly
        https://bugs.webkit.org/show_bug.cgi?id=102999

        Reviewed by Gavin Barraclough.

        Added a new profiler to JSC. It's simply called "Profiler" in anticipation of it
        ultimately replacing the previous profiling infrastructure. This profiler counts the
        number of times that a bytecode executes in various engines, and will record both the
        counts and all disassembly and bytecode dumps, into a database that can be at any
        time turned into either a JS object using any global object or global data of your
        choice, or can be turned into a JSON string, or saved to a file.
        
        Currently the only use of this is the new '-p <file>' flag to the jsc command-line.
        
        The profiler is always compiled in and normally incurs no execution time cost, but is
        only activated when you create a Profiler::Database and install it in
        JSGlobalData::m_perBytecodeProfiler. From that point on, all code blocks will be
        compiled along with disassembly and bytecode dumps stored into the Profiler::Database,
        and all code blocks will have execution counts, which are also stored in the database.
        The database will continue to keep information about code blocks alive even after they
        are otherwise GC'd.
        
        This currently still has some glitches, like the fact that it only counts executions
        in the JITs. Doing execution counting in the LLInt might require a bit of a rethink
        about how the counting is expressed - currently it is implicit in bytecode, so there
        is no easy way to "turn it on" in the LLInt. Also, right now there is no information
        recorded about OSR exits or out-of-line stubs. But, even so, it's quite cool, and
        gives you a peek into what JSC is doing that would otherwise not be possible.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::~CodeBlock):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        (JSC::CodeBlock::baselineVersion):
        * bytecode/CodeOrigin.cpp:
        (JSC::InlineCallFrame::baselineCodeBlock):
        (JSC):
        * bytecode/CodeOrigin.h:
        (InlineCallFrame):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::dump):
        (DFG):
        (JSC::DFG::Disassembler::reportToProfiler):
        (JSC::DFG::Disassembler::dumpHeader):
        (JSC::DFG::Disassembler::append):
        (JSC::DFG::Disassembler::createDumpList):
        * dfg/DFGDisassembler.h:
        (Disassembler):
        (JSC::DFG::Disassembler::DumpedOp::DumpedOp):
        (DumpedOp):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        (JSC::DFG::Graph::dumpCodeOrigin):
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (Graph):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::JITCompiler):
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGNode.h:
        (Node):
        (JSC::DFG::Node::hasExecutionCounter):
        (JSC::DFG::Node::executionCounter):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JIT.cpp:
        (JSC::JIT::JIT):
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        (JIT):
        * jit/JITDisassembler.cpp:
        (JSC::JITDisassembler::dump):
        (JSC::JITDisassembler::reportToProfiler):
        (JSC):
        (JSC::JITDisassembler::dumpHeader):
        (JSC::JITDisassembler::firstSlowLabel):
        (JSC::JITDisassembler::dumpVectorForInstructions):
        (JSC::JITDisassembler::dumpForInstructions):
        (JSC::JITDisassembler::reportInstructions):
        * jit/JITDisassembler.h:
        (JITDisassembler):
        (DumpedOp):
        * jsc.cpp:
        (CommandLine::CommandLine):
        (CommandLine):
        (printUsageStatement):
        (CommandLine::parseArguments):
        (jscmain):
        * profiler/ProfilerBytecode.cpp: Added.
        (Profiler):
        (JSC::Profiler::Bytecode::toJS):
        * profiler/ProfilerBytecode.h: Added.
        (Profiler):
        (Bytecode):
        (JSC::Profiler::Bytecode::Bytecode):
        (JSC::Profiler::Bytecode::bytecodeIndex):
        (JSC::Profiler::Bytecode::description):
        (JSC::Profiler::getBytecodeIndexForBytecode):
        * profiler/ProfilerBytecodes.cpp: Added.
        (Profiler):
        (JSC::Profiler::Bytecodes::Bytecodes):
        (JSC::Profiler::Bytecodes::~Bytecodes):
        (JSC::Profiler::Bytecodes::indexForBytecodeIndex):
        (JSC::Profiler::Bytecodes::forBytecodeIndex):
        (JSC::Profiler::Bytecodes::dump):
        (JSC::Profiler::Bytecodes::toJS):
        * profiler/ProfilerBytecodes.h: Added.
        (Profiler):
        (Bytecodes):
        (JSC::Profiler::Bytecodes::append):
        (JSC::Profiler::Bytecodes::id):
        (JSC::Profiler::Bytecodes::hash):
        (JSC::Profiler::Bytecodes::size):
        (JSC::Profiler::Bytecodes::at):
        * profiler/ProfilerCompilation.cpp: Added.
        (Profiler):
        (JSC::Profiler::Compilation::Compilation):
        (JSC::Profiler::Compilation::~Compilation):
        (JSC::Profiler::Compilation::addDescription):
        (JSC::Profiler::Compilation::executionCounterFor):
        (JSC::Profiler::Compilation::toJS):
        * profiler/ProfilerCompilation.h: Added.
        (Profiler):
        (Compilation):
        (JSC::Profiler::Compilation::bytecodes):
        (JSC::Profiler::Compilation::kind):
        * profiler/ProfilerCompilationKind.cpp: Added.
        (WTF):
        (WTF::printInternal):
        * profiler/ProfilerCompilationKind.h: Added.
        (Profiler):
        (WTF):
        * profiler/ProfilerCompiledBytecode.cpp: Added.
        (Profiler):
        (JSC::Profiler::CompiledBytecode::CompiledBytecode):
        (JSC::Profiler::CompiledBytecode::~CompiledBytecode):
        (JSC::Profiler::CompiledBytecode::toJS):
        * profiler/ProfilerCompiledBytecode.h: Added.
        (Profiler):
        (CompiledBytecode):
        (JSC::Profiler::CompiledBytecode::originStack):
        (JSC::Profiler::CompiledBytecode::description):
        * profiler/ProfilerDatabase.cpp: Added.
        (Profiler):
        (JSC::Profiler::Database::Database):
        (JSC::Profiler::Database::~Database):
        (JSC::Profiler::Database::addBytecodes):
        (JSC::Profiler::Database::ensureBytecodesFor):
        (JSC::Profiler::Database::notifyDestruction):
        (JSC::Profiler::Database::newCompilation):
        (JSC::Profiler::Database::toJS):
        (JSC::Profiler::Database::toJSON):
        (JSC::Profiler::Database::save):
        * profiler/ProfilerDatabase.h: Added.
        (Profiler):
        (Database):
        * profiler/ProfilerExecutionCounter.h: Added.
        (Profiler):
        (ExecutionCounter):
        (JSC::Profiler::ExecutionCounter::ExecutionCounter):
        (JSC::Profiler::ExecutionCounter::address):
        (JSC::Profiler::ExecutionCounter::count):
        * profiler/ProfilerOrigin.cpp: Added.
        (Profiler):
        (JSC::Profiler::Origin::Origin):
        (JSC::Profiler::Origin::dump):
        (JSC::Profiler::Origin::toJS):
        * profiler/ProfilerOrigin.h: Added.
        (JSC):
        (Profiler):
        (Origin):
        (JSC::Profiler::Origin::Origin):
        (JSC::Profiler::Origin::operator!):
        (JSC::Profiler::Origin::bytecodes):
        (JSC::Profiler::Origin::bytecodeIndex):
        (JSC::Profiler::Origin::operator!=):
        (JSC::Profiler::Origin::operator==):
        (JSC::Profiler::Origin::hash):
        (JSC::Profiler::Origin::isHashTableDeletedValue):
        (JSC::Profiler::OriginHash::hash):
        (JSC::Profiler::OriginHash::equal):
        (OriginHash):
        (WTF):
        * profiler/ProfilerOriginStack.cpp: Added.
        (Profiler):
        (JSC::Profiler::OriginStack::OriginStack):
        (JSC::Profiler::OriginStack::~OriginStack):
        (JSC::Profiler::OriginStack::append):
        (JSC::Profiler::OriginStack::operator==):
        (JSC::Profiler::OriginStack::hash):
        (JSC::Profiler::OriginStack::dump):
        (JSC::Profiler::OriginStack::toJS):
        * profiler/ProfilerOriginStack.h: Added.
        (JSC):
        (Profiler):
        (OriginStack):
        (JSC::Profiler::OriginStack::OriginStack):
        (JSC::Profiler::OriginStack::operator!):
        (JSC::Profiler::OriginStack::size):
        (JSC::Profiler::OriginStack::fromBottom):
        (JSC::Profiler::OriginStack::fromTop):
        (JSC::Profiler::OriginStack::isHashTableDeletedValue):
        (JSC::Profiler::OriginStackHash::hash):
        (JSC::Profiler::OriginStackHash::equal):
        (OriginStackHash):
        (WTF):
        * runtime/CommonIdentifiers.h:
        * runtime/ExecutionHarness.h:
        (JSC::prepareForExecution):
        (JSC::prepareFunctionForExecution):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::~JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        * runtime/Options.h:
        (JSC):

2012-12-04  Filip Pizlo  <fpizlo@apple.com>

        Rename Profiler to LegacyProfiler
        https://bugs.webkit.org/show_bug.cgi?id=104031

        Rubber stamped by Mark Hahnenberg

        Make room in the namespace for https://bugs.webkit.org/show_bug.cgi?id=102999.

        * API/JSProfilerPrivate.cpp:
        (JSStartProfiling):
        (JSEndProfiling):
        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::throwException):
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        * jit/JIT.h:
        * jit/JITCode.h:
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * jit/JITStubs.h:
        (JSC):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * profiler/LegacyProfiler.cpp: Added.
        (JSC):
        (JSC::LegacyProfiler::profiler):
        (JSC::LegacyProfiler::startProfiling):
        (JSC::LegacyProfiler::stopProfiling):
        (JSC::dispatchFunctionToProfiles):
        (JSC::LegacyProfiler::willExecute):
        (JSC::LegacyProfiler::didExecute):
        (JSC::LegacyProfiler::exceptionUnwind):
        (JSC::LegacyProfiler::createCallIdentifier):
        (JSC::createCallIdentifierFromFunctionImp):
        * profiler/LegacyProfiler.h: Added.
        (JSC):
        (LegacyProfiler):
        (JSC::LegacyProfiler::currentProfiles):
        * profiler/ProfileGenerator.cpp:
        (JSC::ProfileGenerator::addParentForConsoleStart):
        * profiler/ProfileNode.cpp:
        * profiler/Profiler.cpp: Removed.
        * profiler/Profiler.h: Removed.
        * runtime/JSGlobalData.h:
        (JSC):
        (JSC::JSGlobalData::enabledProfiler):
        (JSGlobalData):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::~JSGlobalObject):

2012-12-03  Filip Pizlo  <fpizlo@apple.com>

        DFG should inline code blocks that use scoped variable access
        https://bugs.webkit.org/show_bug.cgi?id=103974

        Reviewed by Oliver Hunt.

        This mostly just turns on something we could have done all along, but also adds a few key
        necessities to make this right:
        
        1) Constant folding of SkipScope, since if we inline with a known JSFunction* then the
           scope is constant.
        
        2) Interference analysis for GetLocal<->PutScopedVar and SetLocal<->GetScopedVar.
        
        This is not meant to be a speed-up on major benchmarks since we don't yet inline most
        closure calls for entirely unrelated reasons. But on toy programs it can be >2x faster.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getScope):
        (JSC::DFG::ByteCodeParser::parseResolveOperations):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::scopedVarLoadElimination):
        (JSC::DFG::CSEPhase::scopedVarStoreElimination):
        (JSC::DFG::CSEPhase::getLocalLoadElimination):
        (JSC::DFG::CSEPhase::setLocalStoreElimination):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canInlineResolveOperations):

2012-12-03  Filip Pizlo  <fpizlo@apple.com>

        Replace JSValue::description() with JSValue::dump(PrintStream&)
        https://bugs.webkit.org/show_bug.cgi?id=103866

        Reviewed by Darin Adler.

        JSValue now has a dump() method. Anywhere that you would have wanted to use
        description(), you can either do toCString(value).data(), or if the callee
        is a print()/dataLog() method then you just pass the value directly.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * bytecode/CodeBlock.cpp:
        (JSC::valueToSourceString):
        (JSC::CodeBlock::finalizeUnconditionally):
        * bytecode/ValueProfile.h:
        (JSC::ValueProfileBase::dump):
        * bytecode/ValueRecovery.h:
        (JSC::ValueRecovery::dump):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::dump):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::dumpRegisters):
        * jsc.cpp:
        (functionDescribe):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::llint_trace_value):
        * runtime/JSValue.cpp:
        (JSC::JSValue::dump):
        * runtime/JSValue.h:

2012-12-04  Filip Pizlo  <fpizlo@apple.com>

        jsc command line tool's support for typed arrays should be robust against array buffer allocation errors
        https://bugs.webkit.org/show_bug.cgi?id=104020
        <rdar://problem/12802478>

        Reviewed by Mark Hahnenberg.

        Check for null buffers, since that's what typed array allocators are supposed to do. WebCore does it,
        and that is indeed the contract of ArrayBuffer and TypedArrayBase.

        * JSCTypedArrayStubs.h:
        (JSC):

2012-12-03  Peter Rybin  <prybin@chromium.org>

        Web Inspector: make ASSERTION FAILED: foundPropertiesCount == object->size() more useful
        https://bugs.webkit.org/show_bug.cgi?id=103254

        Reviewed by Pavel Feldman.

        Missing symbol WTFReportFatalError is added to the linker list.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-12-03  Alexis Menard  <alexis@webkit.org>

        [Mac] Enable CSS3 background-position offset by default.
        https://bugs.webkit.org/show_bug.cgi?id=103905

        Reviewed by Simon Fraser.

        Turn the flag on by default.

        * Configurations/FeatureDefines.xcconfig:

2012-12-02  Filip Pizlo  <fpizlo@apple.com>

        DFG should trigger rage conversion from double to contiguous if it sees a GetByVal on Double being used in an integer context
        https://bugs.webkit.org/show_bug.cgi?id=103858

        Reviewed by Gavin Barraclough.

        A rage conversion from double to contiguous is one where you try to convert each
        double to an int32.

        This is probably not the last we'll hear of rage conversion from double to contiguous.
        It may be better to do this right during parsing, which will result in fewer cases of
        Arrayification. But even so, this looks like a straight win already - 1% speed-up on
        Kraken, no major regression anywhere else.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine):
        (JSC::DFG::arrayConversionToString):
        (JSC::DFG::ArrayMode::dump):
        (WTF):
        (WTF::printInternal):
        * dfg/DFGArrayMode.h:
        (JSC::DFG::ArrayMode::withConversion):
        (ArrayMode):
        (JSC::DFG::ArrayMode::doesConversion):
        (WTF):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupBlock):
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::checkArray):
        (FixupPhase):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGNodeFlags.h:
        (DFG):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::arrayify):
        * dfg/DFGStructureCheckHoistingPhase.cpp:
        (JSC::DFG::StructureCheckHoistingPhase::run):
        * runtime/JSObject.cpp:
        (JSC):
        (JSC::JSObject::genericConvertDoubleToContiguous):
        (JSC::JSObject::convertDoubleToContiguous):
        (JSC::JSObject::rageConvertDoubleToContiguous):
        (JSC::JSObject::ensureContiguousSlow):
        (JSC::JSObject::rageEnsureContiguousSlow):
        * runtime/JSObject.h:
        (JSObject):
        (JSC::JSObject::rageEnsureContiguous):

2012-12-02  Filip Pizlo  <fpizlo@apple.com>

        DFG CSE should not keep alive things that aren't relevant to OSR
        https://bugs.webkit.org/show_bug.cgi?id=103849

        Reviewed by Oliver Hunt.

        Most Phantom nodes are inserted by CSE, and by default have the same children as the
        node that CSE had eliminated. This change makes CSE inspect all Phantom nodes (both
        those it creates and those that were created by other phases) to see if they have
        children that are redundant - i.e. children that are not interesting to OSR, which
        is the only reason why Phantoms exist in the first place. Being relevant to OSR is
        defined as one of: (1) you're a Phi, (2) you're a SetLocal, (3) somewhere between
        your definition and the Phantom there was a SetLocal that referred to you.
        
        This is a slight speed-up in a few places.

        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::CSEPhase):
        (JSC::DFG::CSEPhase::run):
        (JSC::DFG::CSEPhase::performSubstitution):
        (CSEPhase):
        (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren):
        (JSC::DFG::CSEPhase::setReplacement):
        (JSC::DFG::CSEPhase::eliminate):
        (JSC::DFG::CSEPhase::performNodeCSE):
        (JSC::DFG::CSEPhase::performBlockCSE):

2012-12-02  Filip Pizlo  <fpizlo@apple.com>

        It should be possible to build and run with DFG_ENABLE(PROPAGATION_VERBOSE)
        https://bugs.webkit.org/show_bug.cgi?id=103848

        Reviewed by Sam Weinig.

        Fix random dataLog() and print() statements.

        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dumpBlockHeader):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGStructureCheckHoistingPhase.cpp:
        (JSC::DFG::StructureCheckHoistingPhase::run):

2012-12-01  Filip Pizlo  <fpizlo@apple.com>

        CodeBlock should be able to dump bytecode to something other than WTF::dataFile()
        https://bugs.webkit.org/show_bug.cgi?id=103832

        Reviewed by Oliver Hunt.

        Add a PrintStream& argument to all of the CodeBlock bytecode dumping methods.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecodeCommentAndNewLine):
        (JSC::CodeBlock::printUnaryOp):
        (JSC::CodeBlock::printBinaryOp):
        (JSC::CodeBlock::printConditionalJump):
        (JSC::CodeBlock::printGetByIdOp):
        (JSC::dumpStructure):
        (JSC::dumpChain):
        (JSC::CodeBlock::printGetByIdCacheStatus):
        (JSC::CodeBlock::printCallOp):
        (JSC::CodeBlock::printPutByIdOp):
        (JSC::CodeBlock::printStructure):
        (JSC::CodeBlock::printStructures):
        (JSC::CodeBlock::dumpBytecode):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        * jit/JITDisassembler.cpp:
        (JSC::JITDisassembler::dumpForInstructions):

2012-11-30  Pierre Rossi  <pierre.rossi@gmail.com>

        [Qt] Unreviewed speculative Mac build fix after r136232

        Update the include path so that LLIntAssembly.h is picked up.
        The bot didn't break until later when a clean build was triggered.

        * JavaScriptCore.pri:

2012-11-30  Oliver Hunt  <oliver@apple.com>

        Optimise more cases of op_typeof
        https://bugs.webkit.org/show_bug.cgi?id=103783

        Reviewed by Mark Hahnenberg.

        Increase our coverage of typeof based typechecks by
        making sure that the codegenerators always uses
        consistent operand ordering when feeding typeof operations
        into equality operations.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::BinaryOpNode::emitBytecode):
        (JSC::EqualNode::emitBytecode):
        (JSC::StrictEqualNode::emitBytecode):

2012-11-30  Filip Pizlo  <fpizlo@apple.com>

        Rationalize and clean up DFG handling of scoped accesses
        https://bugs.webkit.org/show_bug.cgi?id=103715

        Reviewed by Oliver Hunt.

        Previously, we had a GetScope node that specified the depth to which you wanted
        to travel to get a JSScope, and the backend implementation of the node would
        perform all of the necessary footwork, including potentially skipping the top
        scope if necessary, and doing however many loads were needed. But there were
        strange things. First, if you had accesses at different scope depths, then the
        loads to get to the common depth could not be CSE'd - CSE would match only
        GetScope's that had identical depth. Second, GetScope would be emitted even if
        we already had the scope, for example in put_to_base. And finally, even though
        the ResolveOperations could tell us whether or not we had to skip the top scope,
        the backend would recompute this information itself, often pessimistically.
        
        This eliminates GetScope and replaces it with the following:
        
        GetMyScope: just get the JSScope from the call frame header. This will forever
        mean getting the JSScope associated with the machine call frame; it will not
        mean getting the scope of an inlined function. Or at least that's the intent.
        
        SkipTopScope: check if there is an activation, and if so, skip a scope. This
        takes a scope as a child and returns a scope.
        
        SkipScope: skip one scope level.
        
        The bytecode parser now emits the right combination of the above, and
        potentially emits multiple SkipScope's, based on the ResolveOperations.
        
        This change also includes some fixups to debug logging. We now always print
        the ExecutableBase* in addition to the CodeBlock* in the CodeBlock's dump,
        and we are now more verbose when dumping CodeOrigins and InlineCallFrames.
        
        This is performance-neutral. It's just meant to be a clean-up.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpAssumingJITType):
        * bytecode/CodeOrigin.cpp:
        (JSC::CodeOrigin::inlineStack):
        (JSC::CodeOrigin::dump):
        (JSC):
        (JSC::InlineCallFrame::dump):
        * bytecode/CodeOrigin.h:
        (CodeOrigin):
        (InlineCallFrame):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (ByteCodeParser):
        (JSC::DFG::ByteCodeParser::getScope):
        (DFG):
        (JSC::DFG::ByteCodeParser::parseResolveOperations):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::scopedVarLoadElimination):
        (JSC::DFG::CSEPhase::scopedVarStoreElimination):
        (JSC::DFG::CSEPhase::getMyScopeLoadElimination):
        (JSC::DFG::CSEPhase::setLocalStoreElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::dump):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dumpCodeOrigin):
        (JSC::DFG::Graph::dumpBlockHeader):
        * dfg/DFGNode.h:
        (Node):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITDisassembler.cpp:
        (JSC::JITDisassembler::dump):

2012-11-30  Oliver Hunt  <oliver@apple.com>

        Add direct string->function code cache
        https://bugs.webkit.org/show_bug.cgi?id=103764

        Reviewed by Michael Saboff.

        A fairly logically simple patch.  We now track the start of the
        unique portion of a functions body, and use that as our key for
        unlinked function code.  This allows us to cache identical code
        in different contexts, leading to a small but consistent improvement
        on the benchmarks we track.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedFunctionExecutable::functionStartOffset):
        (UnlinkedFunctionExecutable):
        * parser/ASTBuilder.h:
        (ASTBuilder):
        (JSC::ASTBuilder::setFunctionStart):
        * parser/Nodes.cpp:
        * parser/Nodes.h:
        (JSC::FunctionBodyNode::setFunctionStart):
        (JSC::FunctionBodyNode::functionStart):
        (FunctionBodyNode):
        * parser/Parser.cpp:
        (JSC::::parseFunctionInfo):
        * parser/Parser.h:
        (JSC::Parser::findCachedFunctionInfo):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::setFunctionStart):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::generateFunctionCodeBlock):
        (JSC::CodeCache::getFunctionCodeBlock):
        (JSC::CodeCache::usedFunctionCode):
        * runtime/CodeCache.h:

2012-11-30  Allan Sandfeld Jensen  <allan.jensen@digia.com>

        Crash in conversion of empty OpaqueJSString to Identifier 
        https://bugs.webkit.org/show_bug.cgi?id=101867

        Reviewed by Michael Saboff.

        The constructor call used for both null and empty OpaqueJSStrings results
        in an assertion voilation and crash. This patch instead uses the Identifier
        constructors which are specifically for null and empty Identifier.

        * API/OpaqueJSString.cpp:
        (OpaqueJSString::identifier):

2012-11-30  Tor Arne Vestbø  <tor.arne.vestbo@digia.com>

        [Qt] Place the LLIntOffsetsExtractor binaries in debug/release subdirs on Mac

        Otherwise we'll end up using the same LLIntAssembly.h for both build
        configs of JavaScriptCore -- one of them which will be for the wrong
        config.

        Reviewed by Simon Hausmann.

        * LLIntOffsetsExtractor.pro:

2012-11-30  Julien BRIANCEAU   <jbrianceau@nds.com>

        [sh4] Fix compilation warnings in JavaScriptCore JIT for sh4 arch
        https://bugs.webkit.org/show_bug.cgi?id=103378

        Reviewed by Filip Pizlo.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::branchTest32):
        (JSC::MacroAssemblerSH4::branchAdd32):
        (JSC::MacroAssemblerSH4::branchMul32):
        (JSC::MacroAssemblerSH4::branchSub32):
        (JSC::MacroAssemblerSH4::branchOr32):

2012-11-29  Rafael Weinstein  <rafaelw@chromium.org>

        [HTMLTemplateElement] Add feature flag
        https://bugs.webkit.org/show_bug.cgi?id=103694

        Reviewed by Adam Barth.

        This flag will guard the implementation of the HTMLTemplateElement.
        http://dvcs.w3.org/hg/webcomponents/raw-file/tip/spec/templates/index.html

        * Configurations/FeatureDefines.xcconfig:

2012-11-29  Filip Pizlo  <fpizlo@apple.com>

        It should be easy to find code blocks in debug dumps
        https://bugs.webkit.org/show_bug.cgi?id=103623

        Reviewed by Goeffrey Garen.

        This gives CodeBlock a relatively strong, but also relatively compact, hash. We compute
        it lazily so that it only impacts run-time when debug support is enabled. We stringify
        it smartly so that it's short and easy to type. We base it on the source code so that
        the optimization level is irrelevant. And, we use SHA1 since it's already in our code
        base. Now, when a piece of code wants to print some debugging to say that it's operating
        on some code block, it can use this CodeBlockHash instead of memory addresses.

        This also takes CodeBlock debugging into the new world of print() and dataLog(). In
        particular, CodeBlock::dump() corresponds to the thing you want printed if you do:

        dataLog("I heart ", *myCodeBlock);

        Probably, you want to just print some identifying information at this point rather than
        the full bytecode dump. So, the existing CodeBlock::dump() has been renamed to
        CodeBlock::dumpBytecode(), and CodeBlock::dump() now prints the CodeBlockHash plus just
        a few little tidbits.
        
        Here's an example of CodeBlock::dump() output:
        
        EkILzr:[0x103883a00, BaselineFunctionCall]
        
        EkILzr is the CodeBlockHash. 0x103883a00 is the CodeBlock's address in memory. The other
        part is self-explanatory.

        Finally, this new notion of CodeBlockHash is available for other purposes like bisecting
        breakage. As such CodeBlockHash has all of the comparison operator overloads. When
        bisecting in DFGDriver.cpp, you can now say things like:
        
        if (codeBlock->hash() < CodeBlockHash("CAAAAA"))
            return false;
        
        And yes, CAAAAA is near the median hash, and the largest one is smaller than E99999. Such
        is life when you use base 62 to encode a 32-bit number.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CallLinkInfo.h:
        (CallLinkInfo):
        (JSC::CallLinkInfo::specializationKind):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::hash):
        (JSC):
        (JSC::CodeBlock::dumpAssumingJITType):
        (JSC::CodeBlock::dump):
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::resetStubInternal):
        (JSC::CodeBlock::reoptimize):
        (JSC::ProgramCodeBlock::jettison):
        (JSC::EvalCodeBlock::jettison):
        (JSC::FunctionCodeBlock::jettison):
        (JSC::CodeBlock::shouldOptimizeNow):
        (JSC::CodeBlock::tallyFrequentExitSites):
        (JSC::CodeBlock::dumpValueProfiles):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::specializationKind):
        (CodeBlock):
        (JSC::CodeBlock::getJITType):
        * bytecode/CodeBlockHash.cpp: Added.
        (JSC):
        (JSC::CodeBlockHash::CodeBlockHash):
        (JSC::CodeBlockHash::dump):
        * bytecode/CodeBlockHash.h: Added.
        (JSC):
        (CodeBlockHash):
        (JSC::CodeBlockHash::CodeBlockHash):
        (JSC::CodeBlockHash::hash):
        (JSC::CodeBlockHash::operator==):
        (JSC::CodeBlockHash::operator!=):
        (JSC::CodeBlockHash::operator<):
        (JSC::CodeBlockHash::operator>):
        (JSC::CodeBlockHash::operator<=):
        (JSC::CodeBlockHash::operator>=):
        * bytecode/CodeBlockWithJITType.h: Added.
        (JSC):
        (CodeBlockWithJITType):
        (JSC::CodeBlockWithJITType::CodeBlockWithJITType):
        (JSC::CodeBlockWithJITType::dump):
        * bytecode/CodeOrigin.cpp: Added.
        (JSC):
        (JSC::CodeOrigin::inlineDepthForCallFrame):
        (JSC::CodeOrigin::inlineDepth):
        (JSC::CodeOrigin::inlineStack):
        (JSC::InlineCallFrame::hash):
        * bytecode/CodeOrigin.h:
        (InlineCallFrame):
        (JSC::InlineCallFrame::specializationKind):
        (JSC):
        * bytecode/CodeType.cpp: Added.
        (WTF):
        (WTF::printInternal):
        * bytecode/CodeType.h:
        (WTF):
        * bytecode/ExecutionCounter.cpp:
        (JSC::ExecutionCounter::dump):
        * bytecode/ExecutionCounter.h:
        (ExecutionCounter):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::dump):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dumpCodeOrigin):
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOperations.cpp:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::generateProtoChainAccessStub):
        (JSC::DFG::tryCacheGetByID):
        (JSC::DFG::tryBuildGetByIDList):
        (JSC::DFG::emitPutReplaceStub):
        (JSC::DFG::emitPutTransitionStub):
        (JSC::DFG::dfgLinkClosureCall):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::dumpCallFrame):
        * jit/JITCode.cpp: Added.
        (WTF):
        (WTF::printInternal):
        * jit/JITCode.h:
        (JSC::JITCode::jitType):
        (WTF):
        * jit/JITDisassembler.cpp:
        (JSC::JITDisassembler::dump):
        (JSC::JITDisassembler::dumpForInstructions):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::privateCompilePatchGetArrayLength):
        (JSC::JIT::privateCompileGetByIdProto):
        (JSC::JIT::privateCompileGetByIdSelfList):
        (JSC::JIT::privateCompileGetByIdProtoList):
        (JSC::JIT::privateCompileGetByIdChainList):
        (JSC::JIT::privateCompileGetByIdChain):
        (JSC::JIT::privateCompileGetByVal):
        (JSC::JIT::privateCompilePutByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::privateCompilePatchGetArrayLength):
        (JSC::JIT::privateCompileGetByIdProto):
        (JSC::JIT::privateCompileGetByIdSelfList):
        (JSC::JIT::privateCompileGetByIdProtoList):
        (JSC::JIT::privateCompileGetByIdChainList):
        (JSC::JIT::privateCompileGetByIdChain):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/CodeSpecializationKind.cpp: Added.
        (WTF):
        (WTF::printInternal):
        * runtime/CodeSpecializationKind.h:
        (JSC::specializationFromIsCall):
        (JSC):
        (JSC::specializationFromIsConstruct):
        (WTF):
        * runtime/Executable.cpp:
        (JSC::ExecutableBase::hashFor):
        (JSC):
        (JSC::NativeExecutable::hashFor):
        (JSC::ScriptExecutable::hashFor):
        * runtime/Executable.h:
        (ExecutableBase):
        (NativeExecutable):
        (ScriptExecutable):
        (JSC::ScriptExecutable::source):

2012-11-29  Michael Saboff  <msaboff@apple.com>

        Speculative Windows build fix after r136086.

        Unreviewed build fix.

        Suspect that ?setDumpsGeneratedCode@BytecodeGenerator@JSC@@SAX_N@Z needs to be removed from Windows
        export list since the symbol was removed in r136086.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-11-28  Filip Pizlo  <fpizlo@apple.com>

        SpeculatedType dumping should not use the static char buffer[thingy] idiom
        https://bugs.webkit.org/show_bug.cgi?id=103584

        Reviewed by Michael Saboff.

        Changed SpeculatedType to be "dumpable" by saying things like:
        
        dataLog("thingy = ", SpeculationDump(thingy))
        
        Removed the old stringification functions, and changed all code that referred to them
        to use the new dataLog()/print() style.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/SpeculatedType.cpp:
        (JSC::dumpSpeculation):
        (JSC::speculationToAbbreviatedString):
        (JSC::dumpSpeculationAbbreviated):
        * bytecode/SpeculatedType.h:
        * bytecode/ValueProfile.h:
        (JSC::ValueProfileBase::dump):
        * bytecode/VirtualRegister.h:
        (WTF::printInternal):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::dump):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
        (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::predictArgumentTypes):
        * dfg/DFGGraph.h:
        (Graph):
        * dfg/DFGStructureAbstractValue.h:
        * dfg/DFGVariableAccessDataDump.cpp: Added.
        (JSC::DFG::VariableAccessDataDump::VariableAccessDataDump):
        (JSC::DFG::VariableAccessDataDump::dump):
        * dfg/DFGVariableAccessDataDump.h: Added.
        (VariableAccessDataDump):

2012-11-28  Michael Saboff  <msaboff@apple.com>

        Change Bytecompiler s_dumpsGeneratedCode to an Options value
        https://bugs.webkit.org/show_bug.cgi?id=103588

        Reviewed by Filip Pizlo.

        Moved the control of dumping bytecodes to Options::dumpGeneratedBytecodes.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecompiler/BytecodeGenerator.cpp:
        * bytecompiler/BytecodeGenerator.h:
        * jsc.cpp:
        (runWithScripts):
        * runtime/Options.h:

2012-11-28  Mark Hahnenberg  <mhahnenberg@apple.com>

        Copying phase should use work lists
        https://bugs.webkit.org/show_bug.cgi?id=101390

        Reviewed by Filip Pizlo.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/BlockAllocator.cpp:
        (JSC::BlockAllocator::BlockAllocator):
        * heap/BlockAllocator.h: New RegionSet for CopyWorkListSegments.
        (BlockAllocator):
        (JSC::CopyWorkListSegment):
        * heap/CopiedBlock.h: Added a per-block CopyWorkList to keep track of the JSCells that need to be revisited during the copying
        phase to copy their backing stores.
        (CopiedBlock):
        (JSC::CopiedBlock::CopiedBlock): 
        (JSC::CopiedBlock::didSurviveGC):
        (JSC::CopiedBlock::didEvacuateBytes): There is now a one-to-one relationship between GCThreads and the CopiedBlocks they're 
        responsible for evacuating, we no longer need any of that fancy compare and swap stuff. 
        (JSC::CopiedBlock::pin):
        (JSC::CopiedBlock::hasWorkList): 
        (JSC::CopiedBlock::workList):
        * heap/CopiedBlockInlines.h: Added.
        (JSC::CopiedBlock::reportLiveBytes): Since we now have to grab a SpinLock to perform operations on the CopyWorkList during marking,
        we don't need to do any of that fancy compare and swap stuff we were doing for tracking live bytes.
        * heap/CopiedSpace.h:
        (CopiedSpace):
        * heap/CopiedSpaceInlines.h:
        (JSC::CopiedSpace::pin):
        * heap/CopyVisitor.cpp:
        (JSC::CopyVisitor::copyFromShared): We now iterate over a range of CopiedBlocks rather than MarkedBlocks and revisit the cells in those
        blocks' CopyWorkLists.
        * heap/CopyVisitor.h:
        (CopyVisitor):
        * heap/CopyVisitorInlines.h:
        (JSC::CopyVisitor::visitCell): The function responsible for calling the correct copyBackingStore() function for each JSCell from 
        a CopiedBlock's CopyWorkList.
        (JSC::CopyVisitor::didCopy): We no longer need to check if the block is empty here because we know exactly when we're done 
        evacuating a CopiedBlock, which is when we've gone through all of the CopiedBlock's CopyWorkList.
        * heap/CopyWorkList.h: Added.
        (CopyWorkListSegment): Individual chunk of a CopyWorkList that is allocated from the BlockAllocator.
        (JSC::CopyWorkListSegment::create):
        (JSC::CopyWorkListSegment::size):
        (JSC::CopyWorkListSegment::isFull):
        (JSC::CopyWorkListSegment::get):
        (JSC::CopyWorkListSegment::append):
        (JSC::CopyWorkListSegment::CopyWorkListSegment):
        (JSC::CopyWorkListSegment::data):
        (JSC::CopyWorkListSegment::endOfBlock):
        (CopyWorkListIterator): Responsible for giving CopyVisitors a contiguous notion of access across the separate CopyWorkListSegments
        that make up each CopyWorkList.
        (JSC::CopyWorkListIterator::get):
        (JSC::CopyWorkListIterator::operator*):
        (JSC::CopyWorkListIterator::operator->):
        (JSC::CopyWorkListIterator::operator++):
        (JSC::CopyWorkListIterator::operator==):
        (JSC::CopyWorkListIterator::operator!=):
        (JSC::CopyWorkListIterator::CopyWorkListIterator):
        (CopyWorkList): Data structure that keeps track of the JSCells that need copying in a particular CopiedBlock.
        (JSC::CopyWorkList::CopyWorkList):
        (JSC::CopyWorkList::~CopyWorkList):
        (JSC::CopyWorkList::append):
        (JSC::CopyWorkList::begin):
        (JSC::CopyWorkList::end):
        * heap/GCThreadSharedData.cpp:
        (JSC::GCThreadSharedData::GCThreadSharedData): We no longer use the m_blockSnapshot from the Heap during the copying phase.
        (JSC::GCThreadSharedData::didStartCopying): We now copy the set of all blocks in the CopiedSpace to a separate vector for 
        iterating over during the copying phase since the set stored in the CopiedSpace will change as blocks are evacuated and 
        recycled throughout the copying phase.
        * heap/GCThreadSharedData.h:
        (GCThreadSharedData): 
        * heap/Heap.h:
        (Heap):
        * heap/SlotVisitor.h: We now need to know the object who is being marked that has a backing store so that we can store it 
        in a CopyWorkList to revisit later during the copying phase.
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::copyLater):
        * runtime/JSObject.cpp:
        (JSC::JSObject::visitButterfly):

2012-11-28  Filip Pizlo  <fpizlo@apple.com>

        Disassembly methods should be able to disassemble to any PrintStream& rather than always using WTF::dataFile()
        https://bugs.webkit.org/show_bug.cgi?id=103492

        Reviewed by Mark Hahnenberg.

        Switched disassembly code to use PrintStream&, and to use print() rather than printf().

        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::dump):
        (DFG):
        (JSC::DFG::Disassembler::dumpDisassembly):
        * dfg/DFGDisassembler.h:
        (Disassembler):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::printWhiteSpace):
        (JSC::DFG::Graph::dumpCodeOrigin):
        (JSC::DFG::Graph::printNodeWhiteSpace):
        (JSC::DFG::Graph::dump):
        (DFG):
        (JSC::DFG::Graph::dumpBlockHeader):
        * dfg/DFGGraph.h:
        (Graph):
        * jit/JITDisassembler.cpp:
        (JSC::JITDisassembler::dump):
        (JSC::JITDisassembler::dumpForInstructions):
        (JSC::JITDisassembler::dumpDisassembly):
        * jit/JITDisassembler.h:
        (JITDisassembler):

2012-11-28  Filip Pizlo  <fpizlo@apple.com>

        It should be possible to say dataLog("count = ", count, "\n") instead of dataLogF("count = %d\n", count)
        https://bugs.webkit.org/show_bug.cgi?id=103009

        Reviewed by Michael Saboff.

        Instead of converting all of JSC to use the new dataLog()/print() methods, I just changed
        one place: dumping of abstract values. This is mainly just to ensure that the code I
        added to WTF is actually doing things.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::dump):
        (WTF):
        (WTF::printInternal):
        * dfg/DFGStructureAbstractValue.h:
        (JSC::DFG::StructureAbstractValue::dump):
        (WTF):
        (WTF::printInternal):

2012-11-28  Oliver Hunt  <oliver@apple.com>

        Make source cache include more information about the function extent.
        https://bugs.webkit.org/show_bug.cgi?id=103552

        Reviewed by Gavin Barraclough.

        Add a bit more information to the source cache.

        * parser/Parser.cpp:
        (JSC::::parseFunctionInfo):
           Store the function start offset
        * parser/SourceProviderCacheItem.h:
        (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
        (SourceProviderCacheItem):
           Add additional field for the start of the real function string, and re-arrange
           fields to avoid growing the struct.

2012-11-27  Filip Pizlo  <fpizlo@apple.com>

        Convert some remaining uses of FILE* to PrintStream&.

        Rubber stamped by Mark Hahnenberg.

        * bytecode/ValueProfile.h:
        (JSC::ValueProfileBase::dump):
        * bytecode/ValueRecovery.h:
        (JSC::ValueRecovery::dump):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::dumpChildren):

2012-11-27  Filip Pizlo  <fpizlo@apple.com>

        Fix indentation in JSValue.h

        Rubber stamped by Mark Hahnenberg.

        * runtime/JSValue.h:

2012-11-26  Filip Pizlo  <fpizlo@apple.com>

        DFG SetLocal should use forwardSpeculationCheck instead of its own half-baked version of same
        https://bugs.webkit.org/show_bug.cgi?id=103353

        Reviewed by Oliver Hunt and Gavin Barraclough.

        Made it possible to use forward speculations for most of the operand classes. Changed the conditional
        direction parameter from being 'bool isForward' to an enum (SpeculationDirection). Changed SetLocal
        to use forward speculations and got rid of its half-baked version of same.
        
        Also added the ability to force the DFG's disassembler to dump all nodes, even ones that are dead.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::dump):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculationCheck):
        (DFG):
        (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
        (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
        (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
        (JSC::DFG::SpeculativeJIT::fillStorage):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        (JSC::DFG::SpeculateIntegerOperand::SpeculateIntegerOperand):
        (JSC::DFG::SpeculateIntegerOperand::gpr):
        (SpeculateIntegerOperand):
        (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
        (JSC::DFG::SpeculateDoubleOperand::fpr):
        (SpeculateDoubleOperand):
        (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand):
        (JSC::DFG::SpeculateCellOperand::gpr):
        (SpeculateCellOperand):
        (JSC::DFG::SpeculateBooleanOperand::SpeculateBooleanOperand):
        (JSC::DFG::SpeculateBooleanOperand::gpr):
        (SpeculateBooleanOperand):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt):
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt):
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/Options.h:
        (JSC):

2012-11-26  Daniel Bates  <dbates@webkit.org>

        Substitute "allSeparators8Bit" for "allSeperators8Bit" in JSC::jsSpliceSubstringsWithSeparators()
        <https://bugs.webkit.org/show_bug.cgi?id=103303>

        Reviewed by Simon Fraser.

        Fix misspelled word, "Seperators" [sic], in a local variable name in JSC::jsSpliceSubstringsWithSeparators().

        * runtime/StringPrototype.cpp:
        (JSC::jsSpliceSubstringsWithSeparators):

2012-11-26  Daniel Bates  <dbates@webkit.org>

        JavaScript fails to handle String.replace() with large replacement string
        https://bugs.webkit.org/show_bug.cgi?id=102956
        <rdar://problem/12738012>

        Reviewed by Oliver Hunt.

        Fix an issue where we didn't check for overflow when computing the length
        of the result of String.replace() with a large replacement string.

        * runtime/StringPrototype.cpp:
        (JSC::jsSpliceSubstringsWithSeparators):

2012-11-26  Zeno Albisser  <zeno@webkit.org>

        [Qt] Fix the LLInt build on Mac
        https://bugs.webkit.org/show_bug.cgi?id=97587

        Reviewed by Simon Hausmann.

        * DerivedSources.pri:
        * JavaScriptCore.pro:

2012-11-26  Oliver Hunt  <oliver@apple.com>

        32-bit build fix.  Move the method decalration outside of the X86_64 only section.

        * assembler/MacroAssembler.h:
        (MacroAssembler):
        (JSC::MacroAssembler::shouldConsiderBlinding):

2012-11-26  Oliver Hunt  <oliver@apple.com>

        Don't blind all the things.
        https://bugs.webkit.org/show_bug.cgi?id=102572

        Reviewed by Gavin Barraclough.

        No longer blind all the constants in the instruction stream.  We use a
        simple non-deterministic filter to avoid blinding everything.  Also modified
        the basic integer blinding logic to avoid blinding small negative values.

        * assembler/MacroAssembler.h:
        (MacroAssembler):
        (JSC::MacroAssembler::shouldConsiderBlinding):
        (JSC::MacroAssembler::shouldBlind):

2012-11-26  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSObject::copyButterfly doesn't handle undecided indexing types correctly
        https://bugs.webkit.org/show_bug.cgi?id=102573

        Reviewed by Filip Pizlo.

        We don't do any copying into the newly allocated vector and we don't zero-initialize CopiedBlocks 
        during the copying phase, so we end up with uninitialized memory in arrays which have undecided indexing 
        types. We should just do the actual memcpy from the old block to the new one. 

        * runtime/JSObject.cpp:
        (JSC::JSObject::copyButterfly): Just do the same thing that we do for other contiguous indexing types.

2012-11-26  Julien BRIANCEAU   <jbrianceau@nds.com>

        [sh4] JavaScriptCore JIT build is broken since r135330
        Add missing implementation for sh4 arch.
        https://bugs.webkit.org/show_bug.cgi?id=103145

        Reviewed by Oliver Hunt.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::canJumpReplacePatchableBranchPtrWithPatch):
        (MacroAssemblerSH4):
        (JSC::MacroAssemblerSH4::startOfBranchPtrWithPatchOnRegister):
        (JSC::MacroAssemblerSH4::revertJumpReplacementToBranchPtrWithPatch):
        (JSC::MacroAssemblerSH4::startOfPatchableBranchPtrWithPatchOnAddress):
        (JSC::MacroAssemblerSH4::revertJumpReplacementToPatchableBranchPtrWithPatch):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::revertJump):
        (SH4Assembler):
        (JSC::SH4Assembler::printInstr):

2012-11-26  Yuqiang Xian  <yuqiang.xian@intel.com>

        Use load64 instead of loadPtr to load a JSValue on JSVALUE64 platforms
        https://bugs.webkit.org/show_bug.cgi?id=100909

        Reviewed by Brent Fulgham.

        This is a (trivial) fix after r132701.

        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):

2012-11-26  Gabor Ballabas  <gaborb@inf.u-szeged.hu>

        [Qt][ARM] REGRESSION(r130826): It made 33 JSC test and 466 layout tests crash
        https://bugs.webkit.org/show_bug.cgi?id=98857

        Reviewed by Zoltan Herczeg.

        Implement a new version of patchableBranch32 to fix crashing JSC
        tests.

        * assembler/MacroAssembler.h:
        (MacroAssembler):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::patchableBranch32):
        (MacroAssemblerARM):

2012-11-21  Filip Pizlo  <fpizlo@apple.com>

        Any function that can log things should be able to easily log them to a memory buffer as well
        https://bugs.webkit.org/show_bug.cgi?id=103000

        Reviewed by Sam Weinig.

        Change all users of WTF::dataFile() to expect a PrintStream& rather than a FILE*.

        * bytecode/Operands.h:
        (JSC::OperandValueTraits::dump):
        (JSC::dumpOperands):
        (JSC):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::dump):
        * dfg/DFGAbstractState.h:
        (AbstractState):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::dump):
        * dfg/DFGCommon.h:
        (JSC::DFG::NodeIndexTraits::dump):
        * dfg/DFGStructureAbstractValue.h:
        (JSC::DFG::StructureAbstractValue::dump):
        * dfg/DFGVariableEvent.cpp:
        (JSC::DFG::VariableEvent::dump):
        (JSC::DFG::VariableEvent::dumpFillInfo):
        (JSC::DFG::VariableEvent::dumpSpillInfo):
        * dfg/DFGVariableEvent.h:
        (VariableEvent):
        * disassembler/Disassembler.h:
        (JSC):
        (JSC::tryToDisassemble):
        * disassembler/UDis86Disassembler.cpp:
        (JSC::tryToDisassemble):

2012-11-23  Alexis Menard  <alexis@webkit.org>

        [CSS3 Backgrounds and Borders] Implement new CSS3 background-position parsing.
        https://bugs.webkit.org/show_bug.cgi?id=102104

        Reviewed by Julien Chaffraix.

        Protect the new feature behind a feature flag.

        * Configurations/FeatureDefines.xcconfig:

2012-11-23  Gabor Ballabas  <gaborb@inf.u-szeged.hu>

        Fix the ARM traditional build after r135330
        https://bugs.webkit.org/show_bug.cgi?id=102871

        Reviewed by Zoltan Herczeg.

        Added missing functionality to traditional ARM architecture.

        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::revertJump):
        (ARMAssembler):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::startOfPatchableBranchPtrWithPatchOnAddress):
        (JSC::MacroAssemblerARM::startOfBranchPtrWithPatchOnRegister):
        (MacroAssemblerARM):
        (JSC::MacroAssemblerARM::revertJumpReplacementToBranchPtrWithPatch):

2012-11-16  Yury Semikhatsky  <yurys@chromium.org>

        Memory instrumentation: extract MemoryObjectInfo declaration into a separate file
        https://bugs.webkit.org/show_bug.cgi?id=102510

        Reviewed by Pavel Feldman.

        Added new symbols for the methods that have moved into .../wtf/MemoryInstrumentation.cpp

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-11-23  Julien BRIANCEAU   <jbrianceau@nds.com>

        [sh4] JavaScriptCore JIT build is broken since r130839
        Add missing implementation for sh4 arch.
        https://bugs.webkit.org/show_bug.cgi?id=101479

        Reviewed by Filip Pizlo.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::load8Signed):
        (MacroAssemblerSH4):
        (JSC::MacroAssemblerSH4::load16Signed):
        (JSC::MacroAssemblerSH4::store8):
        (JSC::MacroAssemblerSH4::store16):
        (JSC::MacroAssemblerSH4::moveDoubleToInts):
        (JSC::MacroAssemblerSH4::moveIntsToDouble):
        (JSC::MacroAssemblerSH4::loadFloat):
        (JSC::MacroAssemblerSH4::loadDouble):
        (JSC::MacroAssemblerSH4::storeFloat):
        (JSC::MacroAssemblerSH4::storeDouble):
        (JSC::MacroAssemblerSH4::addDouble):
        (JSC::MacroAssemblerSH4::convertFloatToDouble):
        (JSC::MacroAssemblerSH4::convertDoubleToFloat):
        (JSC::MacroAssemblerSH4::urshift32):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::sublRegReg):
        (JSC::SH4Assembler::subvlRegReg):
        (JSC::SH4Assembler::floatfpulfrn):
        (JSC::SH4Assembler::fldsfpul):
        (JSC::SH4Assembler::fstsfpul):
        (JSC::SH4Assembler::dcnvsd):
        (SH4Assembler):
        (JSC::SH4Assembler::movbRegMem):
        (JSC::SH4Assembler::sizeOfConstantPool):
        (JSC::SH4Assembler::linkJump):
        (JSC::SH4Assembler::printInstr):
        (JSC::SH4Assembler::printBlockInstr):

2012-11-22  Balazs Kilvady  <kilvadyb@homejinni.com>

        Fix the MIPS build after r135330
        https://bugs.webkit.org/show_bug.cgi?id=102872

        Reviewed by Gavin Barraclough.

        Revert/replace functions added to MIPS port.

        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::revertJumpToMove):
        (MIPSAssembler):
        (JSC::MIPSAssembler::replaceWithJump):
        * assembler/MacroAssemblerMIPS.h:
        (MacroAssemblerMIPS):
        (JSC::MacroAssemblerMIPS::startOfBranchPtrWithPatchOnRegister):
        (JSC::MacroAssemblerMIPS::revertJumpReplacementToBranchPtrWithPatch):
        (JSC::MacroAssemblerMIPS::startOfPatchableBranchPtrWithPatchOnAddress):

2012-11-21  Filip Pizlo  <fpizlo@apple.com>

        Rename dataLog() and dataLogV() to dataLogF() and dataLogFV()
        https://bugs.webkit.org/show_bug.cgi?id=103001

        Rubber stamped by Dan Bernstein.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::finalizeCodeWithDisassembly):
        (JSC::LinkBuffer::dumpLinkStatistics):
        (JSC::LinkBuffer::dumpCode):
        * assembler/LinkBuffer.h:
        (JSC):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::vprintfStdoutInstr):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecodeCommentAndNewLine):
        (JSC::CodeBlock::printUnaryOp):
        (JSC::CodeBlock::printBinaryOp):
        (JSC::CodeBlock::printConditionalJump):
        (JSC::CodeBlock::printGetByIdOp):
        (JSC::dumpStructure):
        (JSC::dumpChain):
        (JSC::CodeBlock::printGetByIdCacheStatus):
        (JSC::CodeBlock::printCallOp):
        (JSC::CodeBlock::printPutByIdOp):
        (JSC::CodeBlock::printStructure):
        (JSC::CodeBlock::printStructures):
        (JSC::CodeBlock::dump):
        (JSC::CodeBlock::dumpStatistics):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::resetStubInternal):
        (JSC::CodeBlock::reoptimize):
        (JSC::ProgramCodeBlock::jettison):
        (JSC::EvalCodeBlock::jettison):
        (JSC::FunctionCodeBlock::jettison):
        (JSC::CodeBlock::shouldOptimizeNow):
        (JSC::CodeBlock::tallyFrequentExitSites):
        (JSC::CodeBlock::dumpValueProfiles):
        * bytecode/Opcode.cpp:
        (JSC::OpcodeStats::~OpcodeStats):
        * bytecode/SamplingTool.cpp:
        (JSC::SamplingFlags::stop):
        (JSC::SamplingRegion::dumpInternal):
        (JSC::SamplingTool::dump):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::initialize):
        (JSC::DFG::AbstractState::endBasicBlock):
        (JSC::DFG::AbstractState::mergeStateAtTail):
        (JSC::DFG::AbstractState::mergeToSuccessors):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::dump):
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
        (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
        (JSC::DFG::ByteCodeParser::getArrayModeAndEmitChecks):
        (JSC::DFG::ByteCodeParser::makeSafe):
        (JSC::DFG::ByteCodeParser::makeDivSafe):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::processPhiStack):
        (JSC::DFG::ByteCodeParser::linkBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::performBlockCFA):
        (JSC::DFG::CFAPhase::performForwardCFA):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::run):
        (JSC::DFG::CFGSimplificationPhase::fixPossibleGetLocal):
        (JSC::DFG::CFGSimplificationPhase::fixPhis):
        (JSC::DFG::CFGSimplificationPhase::fixJettisonedPredecessors):
        (JSC::DFG::CFGSimplificationPhase::removePotentiallyDeadPhiReference):
        (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::endIndexForPureCSE):
        (JSC::DFG::CSEPhase::setReplacement):
        (JSC::DFG::CSEPhase::eliminate):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::debugFail):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        (JSC::DFG::ConstantFoldingPhase::paintUnreachableCode):
        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::dump):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixDoubleEdge):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::printWhiteSpace):
        (JSC::DFG::Graph::dumpCodeOrigin):
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::dumpBlockHeader):
        (JSC::DFG::Graph::predictArgumentTypes):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOperations.cpp:
        * dfg/DFGPhase.cpp:
        (JSC::DFG::Phase::beginPhase):
        * dfg/DFGPhase.h:
        (JSC::DFG::runAndLog):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::propagateForward):
        (JSC::DFG::PredictionPropagationPhase::propagateBackward):
        (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
        * dfg/DFGRegisterBank.h:
        (JSC::DFG::RegisterBank::dump):
        * dfg/DFGScoreBoard.h:
        (JSC::DFG::ScoreBoard::use):
        (JSC::DFG::ScoreBoard::dump):
        * dfg/DFGSlowPathGenerator.h:
        (JSC::DFG::SlowPathGenerator::generate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
        (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecutionWithConditionalDirection):
        (JSC::DFG::SpeculativeJIT::runSlowPathGenerators):
        (JSC::DFG::SpeculativeJIT::dump):
        (JSC::DFG::SpeculativeJIT::checkConsistency):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        * dfg/DFGStructureCheckHoistingPhase.cpp:
        (JSC::DFG::StructureCheckHoistingPhase::run):
        * dfg/DFGValidate.cpp:
        (Validate):
        (JSC::DFG::Validate::reportValidationContext):
        (JSC::DFG::Validate::dumpData):
        (JSC::DFG::Validate::dumpGraphIfAppropriate):
        * dfg/DFGVariableEventStream.cpp:
        (JSC::DFG::VariableEventStream::logEvent):
        (JSC::DFG::VariableEventStream::reconstruct):
        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        (JSC::DFG::VirtualRegisterAllocationPhase::run):
        * heap/Heap.cpp:
        * heap/HeapStatistics.cpp:
        (JSC::HeapStatistics::logStatistics):
        (JSC::HeapStatistics::showObjectStatistics):
        * heap/MarkStack.h:
        * heap/MarkedBlock.h:
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::validate):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::dumpCaller):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::dumpRegisters):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::privateCompile):
        * jit/JITDisassembler.cpp:
        (JSC::JITDisassembler::dump):
        (JSC::JITDisassembler::dumpForInstructions):
        * jit/JITStubRoutine.h:
        (JSC):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * jit/JumpReplacementWatchpoint.cpp:
        (JSC::JumpReplacementWatchpoint::fireInternal):
        * llint/LLIntExceptions.cpp:
        (JSC::LLInt::interpreterThrowInCaller):
        (JSC::LLInt::returnToThrow):
        (JSC::LLInt::callToThrow):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::llint_trace_operand):
        (JSC::LLInt::llint_trace_value):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::traceFunctionPrologue):
        (JSC::LLInt::jitCompileAndSetHeuristics):
        (JSC::LLInt::entryOSR):
        (JSC::LLInt::handleHostCall):
        (JSC::LLInt::setUpCall):
        * profiler/Profile.cpp:
        (JSC::Profile::debugPrintData):
        (JSC::Profile::debugPrintDataSampleStyle):
        * profiler/ProfileNode.cpp:
        (JSC::ProfileNode::debugPrintData):
        (JSC::ProfileNode::debugPrintDataSampleStyle):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::dumpRegExpTrace):
        * runtime/RegExp.cpp:
        (JSC::RegExp::matchCompareWithInterpreter):
        * runtime/SamplingCounter.cpp:
        (JSC::AbstractSamplingCounter::dump):
        * runtime/Structure.cpp:
        (JSC::Structure::dumpStatistics):
        (JSC::PropertyMapStatisticsExitLogger::~PropertyMapStatisticsExitLogger):
        * tools/CodeProfile.cpp:
        (JSC::CodeProfile::report):
        * tools/ProfileTreeNode.h:
        (JSC::ProfileTreeNode::dumpInternal):
        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::ByteCompiler::dumpDisjunction):

2012-11-21  Filip Pizlo  <fpizlo@apple.com>

        It should be possible to say disassemble(stuff) instead of having to say if (!tryToDisassemble(stuff)) dataLog("I failed")
        https://bugs.webkit.org/show_bug.cgi?id=103010

        Reviewed by Anders Carlsson.

        You can still say tryToDisassemble(), which will tell you if it failed; you can then
        decide what to do instead. But it's better to say disassemble(), which will just print
        the instruction ranges if tryToDisassemble() failed. This is particularly appropriate
        since that's what all previous users of tryToDisassemble() would have done in some
        form or another.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::finalizeCodeWithDisassembly):
        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::dumpDisassembly):
        * disassembler/Disassembler.cpp: Added.
        (JSC):
        (JSC::disassemble):
        * disassembler/Disassembler.h:
        (JSC):
        * jit/JITDisassembler.cpp:
        (JSC::JITDisassembler::dumpDisassembly):

2012-11-21  Filip Pizlo  <fpizlo@apple.com>

        dumpOperands() claims that it needs a non-const Operands& when that is completely false
        https://bugs.webkit.org/show_bug.cgi?id=103005

        Reviewed by Eric Carlson.

        * bytecode/Operands.h:
        (JSC::dumpOperands):
        (JSC):

2012-11-20  Filip Pizlo  <fpizlo@apple.com>

        Baseline JIT's disassembly should be just as pretty as the DFG's
        https://bugs.webkit.org/show_bug.cgi?id=102873

        Reviewed by Sam Weinig.

        Integrated the CodeBlock's bytecode dumper with the JIT's disassembler. Also fixed
        some type goof-ups (instructions are not in a Vector<Instruction> so using a Vector
        iterator makes no sense) and stream-lined some things (you don't actually need a
        full-fledged ExecState* to dump bytecode).

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printUnaryOp):
        (JSC::CodeBlock::printBinaryOp):
        (JSC::CodeBlock::printConditionalJump):
        (JSC::CodeBlock::printGetByIdOp):
        (JSC::CodeBlock::printCallOp):
        (JSC::CodeBlock::printPutByIdOp):
        (JSC::CodeBlock::dump):
        (JSC):
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::dumpCallFrame):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        (JIT):
        * jit/JITDisassembler.cpp: Added.
        (JSC):
        (JSC::JITDisassembler::JITDisassembler):
        (JSC::JITDisassembler::~JITDisassembler):
        (JSC::JITDisassembler::dump):
        (JSC::JITDisassembler::dumpForInstructions):
        (JSC::JITDisassembler::dumpDisassembly):
        * jit/JITDisassembler.h: Added.
        (JSC):
        (JITDisassembler):
        (JSC::JITDisassembler::setStartOfCode):
        (JSC::JITDisassembler::setForBytecodeMainPath):
        (JSC::JITDisassembler::setForBytecodeSlowPath):
        (JSC::JITDisassembler::setEndOfSlowPath):
        (JSC::JITDisassembler::setEndOfCode):

2012-11-21  Daniel Bates  <dbates@webkit.org>

        JavaScript fails to concatenate large strings
        <https://bugs.webkit.org/show_bug.cgi?id=102963>

        Reviewed by Michael Saboff.

        Fixes an issue where we inadvertently didn't check the length of
        a JavaScript string for overflow.

        * runtime/Operations.h:
        (JSC::jsString):
        (JSC::jsStringFromArguments):

2012-11-20  Filip Pizlo  <fpizlo@apple.com>

        DFG should be able to cache closure calls (part 2/2)
        https://bugs.webkit.org/show_bug.cgi?id=102662

        Reviewed by Gavin Barraclough.

        Added caching of calls where the JSFunction* varies, but the Structure* and ExecutableBase*
        stay the same. This is accomplished by replacing the branch that compares against a constant
        JSFunction* with a jump to a closure call stub. The closure call stub contains a fast path,
        and jumps slow directly to the virtual call thunk.

        Looks like a 1% win on V8v7.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::unlink):
        * bytecode/CallLinkInfo.h:
        (CallLinkInfo):
        (JSC::CallLinkInfo::isLinked):
        (JSC::getCallLinkInfoBytecodeIndex):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC):
        (JSC::CodeBlock::findClosureCallForReturnPC):
        (JSC::CodeBlock::bytecodeOffset):
        (JSC::CodeBlock::codeOriginForReturn):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::getCallLinkInfo):
        (CodeBlock):
        (JSC::CodeBlock::isIncomingCallAlreadyLinked):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addJSCall):
        (JSC::DFG::JITCompiler::JSCallRecord::JSCallRecord):
        (JSCallRecord):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::linkSlowFor):
        (DFG):
        (JSC::DFG::dfgLinkFor):
        (JSC::DFG::dfgLinkSlowFor):
        (JSC::DFG::dfgLinkClosureCall):
        * dfg/DFGRepatch.h:
        (DFG):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * dfg/DFGThunks.cpp:
        (DFG):
        (JSC::DFG::linkClosureCallThunkGenerator):
        * dfg/DFGThunks.h:
        (DFG):
        * heap/Heap.h:
        (Heap):
        (JSC::Heap::jitStubRoutines):
        * heap/JITStubRoutineSet.h:
        (JSC::JITStubRoutineSet::size):
        (JSC::JITStubRoutineSet::at):
        (JITStubRoutineSet):
        * jit/ClosureCallStubRoutine.cpp: Added.
        (JSC):
        (JSC::ClosureCallStubRoutine::ClosureCallStubRoutine):
        (JSC::ClosureCallStubRoutine::~ClosureCallStubRoutine):
        (JSC::ClosureCallStubRoutine::markRequiredObjectsInternal):
        * jit/ClosureCallStubRoutine.h: Added.
        (JSC):
        (ClosureCallStubRoutine):
        (JSC::ClosureCallStubRoutine::structure):
        (JSC::ClosureCallStubRoutine::executable):
        (JSC::ClosureCallStubRoutine::codeOrigin):
        * jit/GCAwareJITStubRoutine.cpp:
        (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
        * jit/GCAwareJITStubRoutine.h:
        (GCAwareJITStubRoutine):
        (JSC::GCAwareJITStubRoutine::isClosureCall):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):

2012-11-20  Filip Pizlo  <fpizlo@apple.com>

        DFG should be able to cache closure calls (part 1/2)
        https://bugs.webkit.org/show_bug.cgi?id=102662

        Reviewed by Gavin Barraclough.

        Add ability to revert a jump replacement back to
        branchPtrWithPatch(Condition, RegisterID, TrustedImmPtr). This is meant to be
        a mandatory piece of functionality for all assemblers. I also renamed some of
        the functions for reverting jump replacements back to
        patchableBranchPtrWithPatch(Condition, Address, TrustedImmPtr), so as to avoid
        confusion.

        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::BadReg):
        (ARMv7Assembler):
        (JSC::ARMv7Assembler::revertJumpTo_movT3):
        * assembler/LinkBuffer.h:
        (JSC):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::startOfBranchPtrWithPatchOnRegister):
        (MacroAssemblerARMv7):
        (JSC::MacroAssemblerARMv7::revertJumpReplacementToBranchPtrWithPatch):
        (JSC::MacroAssemblerARMv7::startOfPatchableBranchPtrWithPatchOnAddress):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::startOfBranchPtrWithPatchOnRegister):
        (MacroAssemblerX86):
        (JSC::MacroAssemblerX86::startOfPatchableBranchPtrWithPatchOnAddress):
        (JSC::MacroAssemblerX86::revertJumpReplacementToBranchPtrWithPatch):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::startOfBranchPtrWithPatchOnRegister):
        (JSC::MacroAssemblerX86_64::startOfPatchableBranchPtrWithPatchOnAddress):
        (MacroAssemblerX86_64):
        (JSC::MacroAssemblerX86_64::revertJumpReplacementToBranchPtrWithPatch):
        * assembler/RepatchBuffer.h:
        (JSC::RepatchBuffer::startOfBranchPtrWithPatchOnRegister):
        (RepatchBuffer):
        (JSC::RepatchBuffer::startOfPatchableBranchPtrWithPatchOnAddress):
        (JSC::RepatchBuffer::revertJumpReplacementToBranchPtrWithPatch):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::revertJumpTo_cmpl_ir_force32):
        (X86Assembler):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::replaceWithJump):
        (JSC::DFG::dfgResetGetByID):
        (JSC::DFG::dfgResetPutByID):

2012-11-20  Yong Li  <yoli@rim.com>

        [ARMv7] Neither linkCall() nor linkPointer() should flush code.
        https://bugs.webkit.org/show_bug.cgi?id=99213

        Reviewed by George Staikos.

        LinkBuffer doesn't need to flush code during linking. It will
        eventually flush the whole executable. Fixing this gives >%5
        sunspider boost (on QNX).

        Also make replaceWithLoad() and replaceWithAddressComputation() flush
        only when necessary.

        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::linkCall):
        (JSC::ARMv7Assembler::linkPointer):
        (JSC::ARMv7Assembler::relinkCall):
        (JSC::ARMv7Assembler::repatchInt32):
        (JSC::ARMv7Assembler::repatchPointer):
        (JSC::ARMv7Assembler::replaceWithLoad): Flush only after it did write.
        (JSC::ARMv7Assembler::replaceWithAddressComputation): Flush only after it did write.
        (JSC::ARMv7Assembler::setInt32):
        (JSC::ARMv7Assembler::setPointer):

2012-11-19  Filip Pizlo  <fpizlo@apple.com>

        Remove support for ARMv7 errata from the jump code
        https://bugs.webkit.org/show_bug.cgi?id=102759

        Reviewed by Oliver Hunt.

        The jump replacement code was wrong to begin with since it wasn't doing
        a cache flush on the inserted padding. And, to my knowledge, we don't need
        this anymore, so this patch removes all errata code from the ARMv7 port.

        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::computeJumpType):
        (JSC::ARMv7Assembler::replaceWithJump):
        (JSC::ARMv7Assembler::maxJumpReplacementSize):
        (JSC::ARMv7Assembler::canBeJumpT3):
        (JSC::ARMv7Assembler::canBeJumpT4):

2012-11-19  Patrick Gansterer  <paroga@webkit.org>

        [CMake] Create JavaScriptCore ForwardingHeaders
        https://bugs.webkit.org/show_bug.cgi?id=92665

        Reviewed by Brent Fulgham.

        When using CMake to build the Windows port, we need
        to generate the forwarding headers with it too.

        * CMakeLists.txt:

2012-11-19  Kihong Kwon  <kihong.kwon@samsung.com>

        Add PROXIMITY_EVENTS feature
        https://bugs.webkit.org/show_bug.cgi?id=102658

        Reviewed by Kentaro Hara.

        Add PROXIMITY_EVENTS feature to xcode project for JavaScriptCore.

        * Configurations/FeatureDefines.xcconfig:

2012-11-18  Dan Bernstein  <mitz@apple.com>

        Try to fix the DFG build after r135099.

        * dfg/DFGCommon.h:
        (JSC::DFG::shouldShowDisassembly):

2012-11-18  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, build fix for !ENABLE(DFG_JIT).

        * dfg/DFGCommon.h:
        (JSC::DFG::shouldShowDisassembly):
        (DFG):

2012-11-18  Filip Pizlo  <fpizlo@apple.com>

        JSC should have more logging in structure-related code
        https://bugs.webkit.org/show_bug.cgi?id=102630

        Reviewed by Simon Fraser.

        - JSValue::description() now tells you if something is a structure, and if so,
          what kind of structure it is.
        
        - Jettisoning logic now tells you why things are being jettisoned.
        
        - It's now possible to turn off GC-triggered jettisoning entirely.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::reoptimize):
        (JSC::ProgramCodeBlock::jettison):
        (JSC::EvalCodeBlock::jettison):
        (JSC::FunctionCodeBlock::jettison):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan):
        * runtime/JSValue.cpp:
        (JSC::JSValue::description):
        * runtime/Options.h:
        (JSC):

2012-11-18  Filip Pizlo  <fpizlo@apple.com>

        DFG constant folding phase should say 'changed = true' whenever it changes the graph
        https://bugs.webkit.org/show_bug.cgi?id=102550

        Rubber stamped by Mark Hahnenberg.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):

2012-11-17  Elliott Sprehn  <esprehn@chromium.org>

        Expose JSObject removeDirect and PrivateName to WebCore
        https://bugs.webkit.org/show_bug.cgi?id=102546

        Reviewed by Geoffrey Garen.

        Export removeDirect for use in WebCore so JSDependentRetained works.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-11-16  Filip Pizlo  <fpizlo@apple.com>

        Given a PutById or GetById with a proven structure, the DFG should be able to emit a PutByOffset or GetByOffset instead
        https://bugs.webkit.org/show_bug.cgi?id=102327

        Reviewed by Mark Hahnenberg.

        If the profiler tells us that a GetById or PutById may be polymorphic but our
        control flow analysis proves that it isn't, we should trust the control flow
        analysis over the profiler. This arises in cases where GetById or PutById were
        inlined: the inlined function may have been called from other places that led
        to polymorphism, but in the current inlined context, there is no polymorphism.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFor):
        (JSC):
        * bytecode/GetByIdStatus.h:
        (JSC::GetByIdStatus::GetByIdStatus):
        (GetByIdStatus):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):
        (JSC):
        * bytecode/PutByIdStatus.h:
        (JSC):
        (JSC::PutByIdStatus::PutByIdStatus):
        (PutByIdStatus):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::bestProvenStructure):
        (AbstractValue):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
        (ConstantFoldingPhase):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToGetByOffset):
        (Node):
        (JSC::DFG::Node::convertToPutByOffset):
        (JSC::DFG::Node::hasStorageResult):
        * runtime/JSGlobalObject.h:
        (JSC::Structure::prototypeChain):
        (JSC):
        (JSC::Structure::isValid):
        * runtime/Operations.h:
        (JSC::isPrototypeChainNormalized):
        (JSC):
        * runtime/Structure.h:
        (Structure):
        (JSC::Structure::transitionDidInvolveSpecificValue):

2012-11-16  Tony Chang  <tony@chromium.org>

        Remove ENABLE_CSS_HIERARCHIES since it's no longer in use
        https://bugs.webkit.org/show_bug.cgi?id=102554

        Reviewed by Andreas Kling.

        As mentioned in https://bugs.webkit.org/show_bug.cgi?id=79939#c41 ,
        we're going to revist this feature once additional vendor support is
        achieved.

        * Configurations/FeatureDefines.xcconfig:

2012-11-16  Patrick Gansterer  <paroga@webkit.org>

        Build fix for WinCE after r133688.

        Use numeric_limits<uint32_t>::max() instead of UINT32_MAX.

        * runtime/CodeCache.h:
        (JSC::CacheMap::CacheMap):

2012-11-15  Filip Pizlo  <fpizlo@apple.com>

        ClassInfo.h should have correct indentation.

        Rubber stamped by Mark Hahnenberg.

        ClassInfo.h had some true creativity in its use of whitespace. Some things within
        the namespace were indented four spaces and others where not. One #define had its
        contents indented four spaces, while another didn't. I applied the following rule:
        
        - Non-macro things in the namespace should not be indented (that's our current
          accepted practice).
        
        - Macros should never be indented but if they are multi-line then their subsequent
          bodies should be indented four spaces. I believe that is consistent with what we
          do elsewhere.

        * runtime/ClassInfo.h:
        (JSC):
        (MethodTable):
        (ClassInfo):
        (JSC::ClassInfo::propHashTable):
        (JSC::ClassInfo::isSubClassOf):
        (JSC::ClassInfo::hasStaticProperties):

2012-11-15  Filip Pizlo  <fpizlo@apple.com>

        DFG should copy propagate trivially no-op ConvertThis
        https://bugs.webkit.org/show_bug.cgi?id=102445

        Reviewed by Oliver Hunt.

        Copy propagation is always a good thing, since it reveals must-alias relationships
        to the CFA and CSE. This accomplishes copy propagation for ConvertThis by first
        converting it to an Identity node (which is done by the constant folder since it
        has access to CFA results) and then performing substitution of references to
        Identity with references to Identity's child in the CSE.
        
        I'm not aiming for a big speed-up here; I just think that this will be useful for
        the work on https://bugs.webkit.org/show_bug.cgi?id=102327.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2012-11-15  Filip Pizlo  <fpizlo@apple.com>

        CallData.h should have correct indentation.

        Rubber stamped by Mark Hahneberg.

        * runtime/CallData.h:
        (JSC):

2012-11-15  Filip Pizlo  <fpizlo@apple.com>

        Remove methodCallDummy since it is not used anymore.

        Rubber stamped by Mark Hahnenberg.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSGlobalObject):

2012-11-14  Filip Pizlo  <fpizlo@apple.com>

        Structure should be able to easily tell if the prototype chain might intercept a store
        https://bugs.webkit.org/show_bug.cgi?id=102326

        Reviewed by Geoffrey Garen.

        This improves our ability to reason about the correctness of the more optimized
        prototype chain walk in JSObject::put(), while also making it straight forward to
        check if the prototype chain will do strange things to a property store by just
        looking at the structure.

        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        * runtime/Structure.cpp:
        (JSC::Structure::prototypeChainMayInterceptStoreTo):
        (JSC):
        * runtime/Structure.h:
        (Structure):

2012-11-15  Thiago Marcos P. Santos  <thiago.santos@intel.com>

        [CMake] Do not regenerate LLIntAssembly.h on every incremental build
        https://bugs.webkit.org/show_bug.cgi?id=102248

        Reviewed by Kenneth Rohde Christiansen.

        Update LLIntAssembly.h's mtime after running asm.rb to make the build
        system dependency tracking consistent.

        * CMakeLists.txt:

2012-11-15  Thiago Marcos P. Santos  <thiago.santos@intel.com>

        Fix compiler warnings about signed/unsigned comparison on i386
        https://bugs.webkit.org/show_bug.cgi?id=102249

        Reviewed by Kenneth Rohde Christiansen.

        Add casting to unsigned to shut up gcc warnings. Build was broken on
        JSVALUE32_64 ports compiling with -Werror.

        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):

2012-11-14  Brent Fulgham  <bfulgham@webkit.org>

        [Windows, WinCairo] Unreviewed build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        Missed one of the exports that was part of the WebKit2.def.

2012-11-14  Brent Fulgham  <bfulgham@webkit.org>

        [Windows, WinCairo] Correct build failure.
        https://bugs.webkit.org/show_bug.cgi?id=102302

        WebCore symbols were mistakenly added to the JavaScriptCore
        library definition file.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Remove
        WebCore symbols that were incorrectly added to the export file.

2012-11-14  Mark Lam  <mark.lam@apple.com>

        Change JSEventListener::m_jsFunction to be a weak ref.
        https://bugs.webkit.org/show_bug.cgi?id=101989.

        Reviewed by Geoffrey Garen.

        Added infrastructure for scanning weak ref slots.

        * heap/SlotVisitor.cpp: Added #include "SlotVisitorInlines.h".
        * heap/SlotVisitor.h:
        (SlotVisitor): Added SlotVisitor::appendUnbarrieredWeak().
        * heap/SlotVisitorInlines.h: Added #include "Weak.h".
        (JSC::SlotVisitor::appendUnbarrieredWeak): Added.
        * heap/Weak.h:
        (JSC::operator==): Added operator==() for Weak.
        * runtime/JSCell.h: Removed #include "SlotVisitorInlines.h".
        * runtime/JSObject.h: Added #include "SlotVisitorInlines.h".

2012-11-14  Filip Pizlo  <fpizlo@apple.com>

        Read-only properties created with putDirect() should tell the structure that there are read-only properties
        https://bugs.webkit.org/show_bug.cgi?id=102292

        Reviewed by Gavin Barraclough.

        This mostly affects things like function.length.

        * runtime/JSObject.h:
        (JSC::JSObject::putDirectInternal):

2012-11-13  Filip Pizlo  <fpizlo@apple.com>

        Don't access Node& after adding nodes to the graph.
        https://bugs.webkit.org/show_bug.cgi?id=102005

        Reviewed by Oliver Hunt.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

2012-11-14  Valery Ignatyev  <valery.ignatyev@ispras.ru>

        Replace (typeof(x) != <"object", "undefined", ...>) with
        !(typeof(x) == <"object",..>). Later is_object, is_<...>  bytecode operation
        will be used.

        https://bugs.webkit.org/show_bug.cgi?id=98893

        Reviewed by Filip Pizlo.

        This eliminates expensive  typeof implementation and
        allows to use DFG optimizations, which doesn't support 'typeof'.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::BinaryOpNode::emitBytecode):

2012-11-14  Peter Gal  <galpeter@inf.u-szeged.hu>

        [Qt][ARM]REGRESSION(r133985): It broke the build
        https://bugs.webkit.org/show_bug.cgi?id=101740

        Reviewed by Csaba Osztrogonác.

        Changed the emitGenericContiguousPutByVal to accept the additional IndexingType argument.
        This information was passed as a template parameter.        

        * jit/JIT.h:
        (JSC::JIT::emitInt32PutByVal):
        (JSC::JIT::emitDoublePutByVal):
        (JSC::JIT::emitContiguousPutByVal):
        (JIT):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitGenericContiguousPutByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitGenericContiguousPutByVal):

2012-11-14  Peter Gal  <galpeter@inf.u-szeged.hu>

        Fix the MIPS build after r134332
        https://bugs.webkit.org/show_bug.cgi?id=102227

        Reviewed by Csaba Osztrogonác.

        Added missing methods for the MacroAssemblerMIPS, based on the MacroAssemblerARMv7.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::canJumpReplacePatchableBranchPtrWithPatch):
        (MacroAssemblerMIPS):
        (JSC::MacroAssemblerMIPS::startOfPatchableBranchPtrWithPatch):
        (JSC::MacroAssemblerMIPS::revertJumpReplacementToPatchableBranchPtrWithPatch):

2012-11-14  Peter Gal  <galpeter@inf.u-szeged.hu>

        Fix the [-Wreturn-type] warning in JavaScriptCore/assembler/MacroAssemblerARM.h
        https://bugs.webkit.org/show_bug.cgi?id=102206

        Reviewed by Csaba Osztrogonác.

        Add a return value for the function to suppress the warning.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::startOfPatchableBranchPtrWithPatch):

2012-11-14  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r134599.
        http://trac.webkit.org/changeset/134599
        https://bugs.webkit.org/show_bug.cgi?id=102225

        It broke the 32 bit EFL build (Requested by Ossy on #webkit).

        * jit/JITPropertyAccess.cpp:
        * jit/JITPropertyAccess32_64.cpp:
        (JSC):
        (JSC::JIT::emitGenericContiguousPutByVal):

2012-11-14  Balazs Kilvady  <kilvadyb@homejinni.com>

        [Qt][ARM]REGRESSION(r133985): It broke the build
        https://bugs.webkit.org/show_bug.cgi?id=101740

        Reviewed by Csaba Osztrogonác.

        Template function body moved to fix VALUE_PROFILER disabled case.

        * jit/JITPropertyAccess.cpp:
        (JSC):
        (JSC::JIT::emitGenericContiguousPutByVal):
        * jit/JITPropertyAccess32_64.cpp:

2012-11-13  Filip Pizlo  <fpizlo@apple.com>

        DFG CreateThis should be able to statically account for the structure of the object it creates, if profiling indicates that this structure is always the same
        https://bugs.webkit.org/show_bug.cgi?id=102017

        Reviewed by Geoffrey Garen.

        This adds a watchpoint in JSFunction on the cached inheritor ID. It also changes
        NewObject to take a structure as an operand (previously it implicitly used the owning
        global object's empty object structure). Any GetCallee where the callee is predictable
        is turned into a CheckFunction + WeakJSConstant, and any CreateThis on a WeakJSConstant
        where the inheritor ID watchpoint is still valid is turned into an InheritorIDWatchpoint
        followed by a NewObject. NewObject already accounts for the structure it uses for object
        creation in the CFA.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::checkFunctionElimination):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasFunction):
        (JSC::DFG::Node::function):
        (JSC::DFG::Node::hasStructure):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/Executable.h:
        (JSC::JSFunction::JSFunction):
        * runtime/JSBoundFunction.cpp:
        (JSC):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::JSFunction):
        (JSC::JSFunction::put):
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSFunction.h:
        (JSC::JSFunction::tryGetKnownInheritorID):
        (JSFunction):
        (JSC::JSFunction::addInheritorIDWatchpoint):

2012-11-13  Filip Pizlo  <fpizlo@apple.com>

        JSFunction and its descendants should be destructible
        https://bugs.webkit.org/show_bug.cgi?id=102062

        Reviewed by Mark Hahnenberg.

        This will make it easy to place an InlineWatchpointSet inside JSFunction. In the
        future, we could make JSFunction non-destructible again by making a version of
        WatchpointSet that is entirely GC'd, but this seems like overkill for now.
        
        This is performance-neutral.

        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::destroy):
        (JSC):
        * runtime/JSBoundFunction.h:
        (JSBoundFunction):
        * runtime/JSFunction.cpp:
        (JSC):
        (JSC::JSFunction::destroy):
        * runtime/JSFunction.h:
        (JSFunction):

2012-11-13  Cosmin Truta  <ctruta@rim.com>

        Uninitialized fields in class JSLock
        https://bugs.webkit.org/show_bug.cgi?id=101695

        Reviewed by Mark Hahnenberg.

        Initialize JSLock::m_ownerThread and JSLock::m_lockDropDepth.

        * runtime/JSLock.cpp:
        (JSC::JSLock::JSLock):

2012-11-13  Peter Gal  <galpeter@inf.u-szeged.hu>

        Fix the ARM traditional build after r134332
        https://bugs.webkit.org/show_bug.cgi?id=102044

        Reviewed by Zoltan Herczeg.

        Added missing methods for the MacroAssemblerARM, based on the MacroAssemblerARMv7.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::canJumpReplacePatchableBranchPtrWithPatch):
        (MacroAssemblerARM):
        (JSC::MacroAssemblerARM::startOfPatchableBranchPtrWithPatch):
        (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranchPtrWithPatch):

2012-11-12  Filip Pizlo  <fpizlo@apple.com>

        op_get_callee should have value profiling
        https://bugs.webkit.org/show_bug.cgi?id=102047

        Reviewed by Sam Weinig.

        This will allow us to detect if the callee is always the same, which is probably
        the common case for a lot of constructors.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/Opcode.h:
        (JSC):
        (JSC::padOpcodeName):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_get_callee):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_get_callee):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2012-11-12  Filip Pizlo  <fpizlo@apple.com>

        The act of getting the callee during 'this' construction should be explicit in bytecode
        https://bugs.webkit.org/show_bug.cgi?id=102016

        Reviewed by Michael Saboff.

        This is mostly a rollout of http://trac.webkit.org/changeset/116673, but also includes
        changes to have create_this use the result of get_callee.
        
        No performance or behavioral impact. This is just meant to allow us to profile
        get_callee in the future.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
        * bytecode/Opcode.h:
        (JSC):
        (JSC::padOpcodeName):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        (JIT):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_get_callee):
        (JSC):
        (JSC::JIT::emit_op_create_this):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_get_callee):
        (JSC):
        (JSC::JIT::emit_op_create_this):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2012-11-12  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix ARMv7 build.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::startOfPatchableBranchPtrWithPatch):
        (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranchPtrWithPatch):

2012-11-12  Filip Pizlo  <fpizlo@apple.com>

        Patching of jumps to stubs should use jump replacement rather than branch destination overwrite
        https://bugs.webkit.org/show_bug.cgi?id=101909

        Reviewed by Geoffrey Garen.

        This saves a few instructions in inline cases, on those architectures where it is
        easy to figure out where to put the jump replacement. Sub-1% speed-up across the
        board.

        * assembler/MacroAssemblerARMv7.h:
        (MacroAssemblerARMv7):
        (JSC::MacroAssemblerARMv7::canJumpReplacePatchableBranchPtrWithPatch):
        (JSC::MacroAssemblerARMv7::startOfPatchableBranchPtrWithPatch):
        (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranchPtrWithPatch):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::canJumpReplacePatchableBranchPtrWithPatch):
        (MacroAssemblerX86):
        (JSC::MacroAssemblerX86::startOfPatchableBranchPtrWithPatch):
        (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranchPtrWithPatch):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::canJumpReplacePatchableBranchPtrWithPatch):
        (MacroAssemblerX86_64):
        (JSC::MacroAssemblerX86_64::startOfPatchableBranchPtrWithPatch):
        (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranchPtrWithPatch):
        * assembler/RepatchBuffer.h:
        (JSC::RepatchBuffer::startOfPatchableBranchPtrWithPatch):
        (RepatchBuffer):
        (JSC::RepatchBuffer::replaceWithJump):
        (JSC::RepatchBuffer::revertJumpReplacementToPatchableBranchPtrWithPatch):
        * assembler/X86Assembler.h:
        (X86Assembler):
        (JSC::X86Assembler::revertJumpTo_movq_i64r):
        (JSC::X86Assembler::revertJumpTo_cmpl_im_force32):
        (X86InstructionFormatter):
        * bytecode/StructureStubInfo.h:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::replaceWithJump):
        (DFG):
        (JSC::DFG::tryCacheGetByID):
        (JSC::DFG::tryBuildGetByIDList):
        (JSC::DFG::tryBuildGetByIDProtoList):
        (JSC::DFG::tryCachePutByID):
        (JSC::DFG::dfgResetGetByID):
        (JSC::DFG::dfgResetPutByID):

2012-11-11  Filip Pizlo  <fpizlo@apple.com>

        DFG ArithMul overflow check elimination is too aggressive
        https://bugs.webkit.org/show_bug.cgi?id=101871

        Reviewed by Oliver Hunt.

        The code was ignoring the fact that ((a * b) | 0) == (((a | 0) * (b | 0)) | 0)
        only holds if a * b < 2^53. So, I changed it to only enable the optimization
        when a < 2^22 and b is an int32 (and vice versa), using a super trivial peephole
        analysis to prove the inequality. I considered writing an epic forward flow
        formulation that tracks the ranges of integer values but then I thought better
        of it.
        
        This also rewires the ArithMul integer speculation logic. Previously, we would
        assume that an ArithMul was only UsedAsNumber if it escaped, and separately we
        would decide whether to speculate integer based on a proof of the <2^22
        inequality. Now, we treat the double rounding behavior of ArithMul as if the
        result was UsedAsNumber even if it did not escape. Then we try to prove that
        double rounding cannot happen by attemping to prove that a < 2^22. This then
        feeds back into the decision of whether or not to speculate integer (if we fail
        to prove a < 2^22 then we're UsedAsNumber, and if we're also MayOverflow then
        that forces double speculation).
        
        No performance impact. It just fixes a bug.

        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::mulShouldSpeculateInteger):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (PredictionPropagationPhase):
        (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwoForConstant):
        (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwoNonRecursive):
        (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwo):
        (JSC::DFG::PredictionPropagationPhase::propagate):

2012-11-11  Filip Pizlo  <fpizlo@apple.com>

        DFG should not emit function checks if we've already proved that the operand is that exact function
        https://bugs.webkit.org/show_bug.cgi?id=101885

        Reviewed by Oliver Hunt.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::filterByValue):
        (AbstractValue):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):

2012-11-12  Kentaro Hara  <haraken@chromium.org>

        [V8][JSC] ScriptProfileNode::callUID needs not to be [Custom]
        https://bugs.webkit.org/show_bug.cgi?id=101892

        Reviewed by Adam Barth.

        Added callUID(), which enables us to kill custom bindings for ScriptProfileNode::callUID.

        * profiler/ProfileNode.h:
        (JSC::ProfileNode::callUID):

2012-11-12  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix make distcheck.

        * GNUmakefile.list.am: Add missing header.

2012-11-11  Michael Pruett  <michael@68k.org>

        Fix assertion failure in JSObject::tryGetIndexQuickly()
        https://bugs.webkit.org/show_bug.cgi?id=101869

        Reviewed by Filip Pizlo.

        Currently JSObject::tryGetIndexQuickly() triggers an assertion
        failure when the object has an undecided indexing type. This
        case should be treated the same as a blank indexing type.

        * runtime/JSObject.h:
        (JSC::JSObject::tryGetIndexQuickly):

2012-11-11  Filip Pizlo  <fpizlo@apple.com>

        DFG register allocation should be greedy rather than round-robin
        https://bugs.webkit.org/show_bug.cgi?id=101870

        Reviewed by Geoffrey Garen.

        This simplifies the code, reduces some code duplication, and shows some slight
        performance improvements in a few places, likely due to the fact that lower-numered
        registers also typically have smaller encodings.

        * dfg/DFGRegisterBank.h:
        (JSC::DFG::RegisterBank::RegisterBank):
        (JSC::DFG::RegisterBank::tryAllocate):
        (JSC::DFG::RegisterBank::allocate):
        (JSC::DFG::RegisterBank::allocateInternal):
        (RegisterBank):

2012-11-11  Kenichi Ishibashi  <bashi@chromium.org>

        WTFString::utf8() should have a mode of conversion to use replacement character
        https://bugs.webkit.org/show_bug.cgi?id=101678

        Reviewed by Alexey Proskuryakov.

        Follow the change on String::utf8()

        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::encode): Pass String::StrictConversion instead of true to String::utf8().

2012-11-10  Filip Pizlo  <fpizlo@apple.com>

        DFG should optimize out the NaN check on loads from double arrays if the array prototype chain is having a great time
        https://bugs.webkit.org/show_bug.cgi?id=101718

        Reviewed by Geoffrey Garen.

        If we're reading from a JSArray in double mode, where the array's structure is
        primordial (all aspects of the structure are unchanged except for indexing type),
        and the result of the load is used in arithmetic that is known to not distinguish
        between NaN and undefined, then we should not emit a NaN check. Looks like a 5%
        win on navier-stokes.
        
        Also fixed an OpInfo initialization goof for String ops that was revealed by this
        change.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::arraySpeculationToString):
        * dfg/DFGArrayMode.h:
        (JSC::DFG::ArrayMode::isSaneChain):
        (ArrayMode):
        (JSC::DFG::ArrayMode::isInBounds):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::nodeFlagsAsString):
        * dfg/DFGNodeFlags.h:
        (DFG):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::arrayPrototypeChainIsSane):
        (JSC):
        * runtime/JSGlobalObject.h:
        (JSGlobalObject):

2012-11-10  Filip Pizlo  <fpizlo@apple.com>

        DFG constant folding and CFG simplification should be smart enough to know that if a logical op's operand is proven to have a non-masquerading structure then it always evaluates to true
        https://bugs.webkit.org/show_bug.cgi?id=101511

        Reviewed by Geoffrey Garen.
        
        This is the second attempt at this patch, which fixes the !"" case.

        To make life easier, this moves BranchDirection into BasicBlock so that after
        running the CFA, we always know, for each block, what direction the CFA
        proved. CFG simplification now both uses and preserves cfaBranchDirection in
        its transformations.
        
        Also made both LogicalNot and Branch check whether the operand is a known cell
        with a known structure, and if so, made them do the appropriate folding.
        
        5% speed-up on V8/raytrace because it makes raytrace's own null checks
        evaporate (i.e. idioms like 'if (!x) throw "unhappiness"') thanks to the fact
        that we were already doing structure check hoisting.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::endBasicBlock):
        (JSC::DFG::AbstractState::execute):
        (JSC::DFG::AbstractState::mergeToSuccessors):
        * dfg/DFGAbstractState.h:
        (AbstractState):
        * dfg/DFGBasicBlock.h:
        (JSC::DFG::BasicBlock::BasicBlock):
        (BasicBlock):
        * dfg/DFGBranchDirection.h: Added.
        (DFG):
        (JSC::DFG::branchDirectionToString):
        (JSC::DFG::isKnownDirection):
        (JSC::DFG::branchCondition):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::run):
        (JSC::DFG::CFGSimplificationPhase::mergeBlocks):

2012-11-10  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r133971.
        http://trac.webkit.org/changeset/133971
        https://bugs.webkit.org/show_bug.cgi?id=101839

        Causes WebProcess to hang at 100% on www.apple.com (Requested
        by kling on #webkit).

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::endBasicBlock):
        (JSC::DFG::AbstractState::execute):
        (JSC::DFG::AbstractState::mergeToSuccessors):
        * dfg/DFGAbstractState.h:
        (JSC::DFG::AbstractState::branchDirectionToString):
        (AbstractState):
        * dfg/DFGBasicBlock.h:
        (JSC::DFG::BasicBlock::BasicBlock):
        (BasicBlock):
        * dfg/DFGBranchDirection.h: Removed.
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::run):
        (JSC::DFG::CFGSimplificationPhase::mergeBlocks):

2012-11-09  Filip Pizlo  <fpizlo@apple.com>

        If the DFG ArrayMode says that an access is on an OriginalArray, then the checks should always enforce this
        https://bugs.webkit.org/show_bug.cgi?id=101720

        Reviewed by Mark Hahnenberg.

        Previously, "original" arrays was just a hint that we could find the structure
        of the array if we needed to even if the array profile didn't have it due to
        polymorphism. Now, "original" arrays are a property that is actually checked:
        if an array access has ArrayMode::arrayClass() == Array::OriginalArray, then we
        can be sure that the code performing the access is dealing with not just a
        JSArray, but a JSArray that has no named properties, no indexed accessors, and
        the ArrayPrototype as its prototype. This will be useful for optimizations that
        are being done as part of https://bugs.webkit.org/show_bug.cgi?id=101720.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::originalArrayStructure):
        (DFG):
        (JSC::DFG::ArrayMode::alreadyChecked):
        * dfg/DFGArrayMode.h:
        (JSC):
        (DFG):
        (JSC::DFG::ArrayMode::withProfile):
        (ArrayMode):
        (JSC::DFG::ArrayMode::benefitsFromOriginalArray):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::checkArray):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
        (JSC::DFG::SpeculativeJIT::checkArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
        (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength):

2012-11-09  Filip Pizlo  <fpizlo@apple.com>

        Fix indentation of BooleanPrototype.h

        Rubber stamped by Mark Hahnenberg.

        * runtime/BooleanPrototype.h:

2012-11-09  Filip Pizlo  <fpizlo@apple.com>

        Fix indentation of BooleanObject.h

        Rubber stamped by Mark Hahnenberg.

        * runtime/BooleanObject.h:

2012-11-09  Filip Pizlo  <fpizlo@apple.com>

        Fix indentation of BooleanConstructor.h

        Rubber stamped by Mark Hahnenberg.

        * runtime/BooleanConstructor.h:

2012-11-09  Filip Pizlo  <fpizlo@apple.com>

        Fix indentation of BatchedTransitionOptimizer.h

        Rubber stamped by Mark Hahnenberg.

        * runtime/BatchedTransitionOptimizer.h:

2012-11-09  Oliver Hunt  <oliver@apple.com>

        So Thingy probably isn't the best name for a class, so
        renamed to CacheMap.

        RS=Geoff

        * runtime/CodeCache.h:
        (JSC::CacheMap::CacheMap):

2012-11-09  Filip Pizlo  <fpizlo@apple.com>

        ArrayPrototype should start out with a blank indexing type
        https://bugs.webkit.org/show_bug.cgi?id=101719

        Reviewed by Mark Hahnenberg.

        This allows us to track if the array prototype ever ends up with indexed
        properties.

        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::create):
        (JSC::ArrayPrototype::ArrayPrototype):
        * runtime/ArrayPrototype.h:
        (ArrayPrototype):
        (JSC::ArrayPrototype::createStructure):

2012-11-08  Mark Hahnenberg  <mhahnenberg@apple.com>

        MarkStackArray should use the BlockAllocator instead of the MarkStackSegmentAllocator
        https://bugs.webkit.org/show_bug.cgi?id=101642

        Reviewed by Filip Pizlo.

        MarkStackSegmentAllocator is like a miniature version of the BlockAllocator. Now that the BlockAllocator has support 
        for a variety of block sizes, we should get rid of the MarkStackSegmentAllocator in favor of the BlockAllocator.

        * heap/BlockAllocator.h: Add new specializations of regionSetFor for the new MarkStackSegments.
        (JSC):
        (JSC::MarkStackSegment):
        * heap/GCThreadSharedData.cpp:
        (JSC::GCThreadSharedData::GCThreadSharedData):
        (JSC::GCThreadSharedData::reset):
        * heap/GCThreadSharedData.h:
        (GCThreadSharedData):
        * heap/MarkStack.cpp: 
        (JSC::MarkStackArray::MarkStackArray): We now have a doubly linked list of MarkStackSegments, so we need to refactor 
        all the places that used the old custom tail/previous logic.
        (JSC::MarkStackArray::~MarkStackArray):
        (JSC::MarkStackArray::expand):
        (JSC::MarkStackArray::refill):
        (JSC::MarkStackArray::donateSomeCellsTo): Refactor to use the new linked list.
        (JSC::MarkStackArray::stealSomeCellsFrom): Ditto.
        * heap/MarkStack.h:
        (JSC):
        (MarkStackSegment):
        (JSC::MarkStackSegment::MarkStackSegment):
        (JSC::MarkStackSegment::sizeFromCapacity):
        (MarkStackArray):
        * heap/MarkStackInlines.h:
        (JSC::MarkStackSegment::create):
        (JSC):
        (JSC::MarkStackArray::postIncTop):
        (JSC::MarkStackArray::preDecTop):
        (JSC::MarkStackArray::setTopForFullSegment):
        (JSC::MarkStackArray::setTopForEmptySegment):
        (JSC::MarkStackArray::top):
        (JSC::MarkStackArray::validatePrevious):
        (JSC::MarkStackArray::append):
        (JSC::MarkStackArray::removeLast):
        (JSC::MarkStackArray::isEmpty):
        (JSC::MarkStackArray::size):
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::SlotVisitor):

2012-11-09  Gabor Ballabas  <gaborb@inf.u-szeged.hu>

        [Qt] r133953 broke the ARM_TRADITIONAL build
        https://bugs.webkit.org/show_bug.cgi?id=101706

        Reviewed by Csaba Osztrogonác.

        Fix for both hardfp and softfp.

        * dfg/DFGCCallHelpers.h:
        (CCallHelpers):
        (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):

2012-11-09  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r134051.
        http://trac.webkit.org/changeset/134051
        https://bugs.webkit.org/show_bug.cgi?id=101757

        It didn't fix the build (Requested by Ossy on #webkit).

        * dfg/DFGCCallHelpers.h:
        (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):

2012-11-09  Gabor Ballabas  <gaborb@inf.u-szeged.hu>

        [Qt] r133953 broke the ARM_TRADITIONAL build
        https://bugs.webkit.org/show_bug.cgi?id=101706

        Reviewed by Csaba Osztrogonác.

        Fix the ARM_TRADITIONAL build after r133953

        * dfg/DFGCCallHelpers.h:
        (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
        (CCallHelpers):

2012-11-09  Csaba Osztrogonác  <ossy@webkit.org>

        [Qt] Fix the LLINT build from ARMv7 platform
        https://bugs.webkit.org/show_bug.cgi?id=101712

        Reviewed by Simon Hausmann.

        Enable generating of LLIntAssembly.h on ARM platforms.

        * DerivedSources.pri:
        * JavaScriptCore.pro:

2012-11-08  Filip Pizlo  <fpizlo@apple.com>

        ArrayPrototype.h should have correct indentation

        Rubber stamped by Sam Weinig.

        * runtime/ArrayPrototype.h:

2012-11-08  Mark Lam  <mark.lam@apple.com>

        Renamed ...InlineMethods.h files to ...Inlines.h.
        https://bugs.webkit.org/show_bug.cgi?id=101145.

        Reviewed by Geoffrey Garen.

        This is only a refactoring effort to rename the files. There are no
        functionality changes.

        * API/JSObjectRef.cpp:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        * dfg/DFGOperations.cpp:
        * heap/ConservativeRoots.cpp:
        * heap/CopiedBlock.h:
        * heap/CopiedSpace.cpp:
        * heap/CopiedSpaceInlineMethods.h: Removed.
        * heap/CopiedSpaceInlines.h: Copied from Source/JavaScriptCore/heap/CopiedSpaceInlineMethods.h.
        * heap/CopyVisitor.cpp:
        * heap/CopyVisitorInlineMethods.h: Removed.
        * heap/CopyVisitorInlines.h: Copied from Source/JavaScriptCore/heap/CopyVisitorInlineMethods.h.
        * heap/GCThread.cpp:
        * heap/GCThreadSharedData.cpp:
        * heap/HandleStack.cpp:
        * heap/Heap.cpp:
        * heap/HeapRootVisitor.h:
        * heap/MarkStack.cpp:
        * heap/MarkStackInlineMethods.h: Removed.
        * heap/MarkStackInlines.h: Copied from Source/JavaScriptCore/heap/MarkStackInlineMethods.h.
        * heap/SlotVisitor.cpp:
        * heap/SlotVisitor.h:
        * heap/SlotVisitorInlineMethods.h: Removed.
        * heap/SlotVisitorInlines.h: Copied from Source/JavaScriptCore/heap/SlotVisitorInlineMethods.h.
        * jit/HostCallReturnValue.cpp:
        * jit/JIT.cpp:
        * jit/JITArithmetic.cpp:
        * jit/JITArithmetic32_64.cpp:
        * jit/JITCall.cpp:
        * jit/JITCall32_64.cpp:
        * jit/JITInlineMethods.h: Removed.
        * jit/JITInlines.h: Copied from Source/JavaScriptCore/jit/JITInlineMethods.h.
        * jit/JITOpcodes.cpp:
        * jit/JITOpcodes32_64.cpp:
        * jit/JITPropertyAccess.cpp:
        * jit/JITPropertyAccess32_64.cpp:
        * jsc.cpp:
        * runtime/ArrayConstructor.cpp:
        * runtime/ArrayPrototype.cpp:
        * runtime/ButterflyInlineMethods.h: Removed.
        * runtime/ButterflyInlines.h: Copied from Source/JavaScriptCore/runtime/ButterflyInlineMethods.h.
        * runtime/IndexingHeaderInlineMethods.h: Removed.
        * runtime/IndexingHeaderInlines.h: Copied from Source/JavaScriptCore/runtime/IndexingHeaderInlineMethods.h.
        * runtime/JSActivation.h:
        * runtime/JSArray.cpp:
        * runtime/JSArray.h:
        * runtime/JSCell.h:
        * runtime/JSObject.cpp:
        * runtime/JSValueInlineMethods.h: Removed.
        * runtime/JSValueInlines.h: Copied from Source/JavaScriptCore/runtime/JSValueInlineMethods.h.
        * runtime/LiteralParser.cpp:
        * runtime/ObjectConstructor.cpp:
        * runtime/Operations.h:
        * runtime/RegExpMatchesArray.cpp:
        * runtime/RegExpObject.cpp:
        * runtime/StringPrototype.cpp:

2012-11-08  Filip Pizlo  <fpizlo@apple.com>

        ArrayConstructor.h should have correct indentation

        Rubber stamped by Sam Weinig.

        * runtime/ArrayConstructor.h:

2012-11-08  Filip Pizlo  <fpizlo@apple.com>

        DFG should know that int == null is always false
        https://bugs.webkit.org/show_bug.cgi?id=101665

        Reviewed by Oliver Hunt.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):

2012-11-08  Filip Pizlo  <fpizlo@apple.com>

        Arguments.h should have correct indentation

        Rubber stamped by Sam Weinig.

        * runtime/Arguments.h:

2012-11-08  Filip Pizlo  <fpizlo@apple.com>

        It should be possible to JIT compile get_by_vals and put_by_vals even if the DFG is disabled.

        Reviewed by Oliver Hunt.

        * jit/JITInlineMethods.h:
        (JSC::JIT::chooseArrayMode):

2012-11-08  Filip Pizlo  <fpizlo@apple.com>

        op_call should have LLInt call link info even if the DFG is disabled
        https://bugs.webkit.org/show_bug.cgi?id=101672

        Reviewed by Oliver Hunt.

        Get rid of the evil uses of fall-through.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):

2012-11-08  Oliver Hunt  <oliver@apple.com>

        Improve effectiveness of function-level caching
        https://bugs.webkit.org/show_bug.cgi?id=101667

        Reviewed by Filip Pizlo.

        Added a random-eviction based cache for unlinked functions, and switch
        UnlinkedFunctionExecutable's code references to Weak<>, thereby letting
        us remove the explicit UnlinkedFunctionExecutable::clearCode() calls that
        were being triggered by GC.

        Refactored the random eviction part of the CodeCache into a separate data
        structure so that I didn't have to duplicate the code again, and then used
        that for the new function cache.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::visitChildren):
        (JSC::UnlinkedFunctionExecutable::codeBlockFor):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedFunctionExecutable::clearCodeForRecompilation):
        (UnlinkedFunctionExecutable):
        * debugger/Debugger.cpp:
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getCodeBlock):
        (JSC::CodeCache::generateFunctionCodeBlock):
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
        (JSC::CodeCache::usedFunctionCode):
        (JSC):
        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::clearUnlinkedCodeForRecompilationIfNotCompiling):
        (JSC::FunctionExecutable::clearCode):
        * runtime/Executable.h:
        (FunctionExecutable):

2012-11-07  Filip Pizlo  <fpizlo@apple.com>

        DFG constant folding and CFG simplification should be smart enough to know that if a logical op's operand is proven to have a non-masquerading structure then it always evaluates to true
        https://bugs.webkit.org/show_bug.cgi?id=101511

        Reviewed by Oliver Hunt.

        To make life easier, this moves BranchDirection into BasicBlock so that after
        running the CFA, we always know, for each block, what direction the CFA
        proved. CFG simplification now both uses and preserves cfaBranchDirection in
        its transformations.
        
        Also made both LogicalNot and Branch check whether the operand is a known cell
        with a known structure, and if so, made them do the appropriate folding.
        
        5% speed-up on V8/raytrace because it makes raytrace's own null checks
        evaporate (i.e. idioms like 'if (!x) throw "unhappiness"') thanks to the fact
        that we were already doing structure check hoisting.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::endBasicBlock):
        (JSC::DFG::AbstractState::execute):
        (JSC::DFG::AbstractState::mergeToSuccessors):
        * dfg/DFGAbstractState.h:
        (AbstractState):
        * dfg/DFGBasicBlock.h:
        (JSC::DFG::BasicBlock::BasicBlock):
        (BasicBlock):
        * dfg/DFGBranchDirection.h: Added.
        (DFG):
        (JSC::DFG::branchDirectionToString):
        (JSC::DFG::isKnownDirection):
        (JSC::DFG::branchCondition):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::run):
        (JSC::DFG::CFGSimplificationPhase::mergeBlocks):

2012-11-08  Christophe Dumez  <christophe.dumez@intel.com>

        [JSC] HTML extensions to String.prototype should escape " as &quot; in argument values
        https://bugs.webkit.org/show_bug.cgi?id=90667

        Reviewed by Benjamin Poulain.

        Escape quotation mark as &quot; in argument values to:
        - String.prototype.anchor(name)
        - String.prototype.fontcolor(color)
        - String.prototype.fontsize(size)
        - String.prototype.link(href)

        This behavior matches Chromium/V8 and Firefox/Spidermonkey
        implementations and is requited by:
        http://mathias.html5.org/specs/javascript/#escapeattributevalue

        This also fixes a potential security risk (XSS vector).

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncFontcolor):
        (JSC::stringProtoFuncFontsize):
        (JSC::stringProtoFuncAnchor):
        (JSC::stringProtoFuncLink):

2012-11-08  Anders Carlsson  <andersca@apple.com>

        HeapStatistics::s_pauseTimeStarts and s_pauseTimeEnds should be Vectors
        https://bugs.webkit.org/show_bug.cgi?id=101651

        Reviewed by Andreas Kling.

        HeapStatistics uses Deques when Vectors would work just as good.

        * heap/HeapStatistics.cpp:
        * heap/HeapStatistics.h:
        (HeapStatistics):

2012-11-07  Filip Pizlo  <fpizlo@apple.com>

        DFG should not assume that something is a double just because it might be undefined
        https://bugs.webkit.org/show_bug.cgi?id=101438

        Reviewed by Oliver Hunt.

        This changes all non-bitop arithmetic to (a) statically expect that variables are
        defined prior to use in arithmetic and (b) not fall off into double paths just
        because a value may not be a number. This is accomplished with two new notions of
        speculation:
        
        shouldSpeculateIntegerExpectingDefined: Should we speculate that the value is an
        integer if we ignore undefined (i.e. SpecOther) predictions?
        
        shouldSpeculateIntegerForArithmetic: Should we speculate that the value is an
        integer if we ignore non-numeric predictions?
        
        This is a ~2x speed-up on programs that seem to our prediction propagator to have
        paths in which otherwise numeric variables are undefined.

        * bytecode/SpeculatedType.h:
        (JSC::isInt32SpeculationForArithmetic):
        (JSC):
        (JSC::isInt32SpeculationExpectingDefined):
        (JSC::isDoubleSpeculationForArithmetic):
        (JSC::isNumberSpeculationExpectingDefined):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::addShouldSpeculateInteger):
        (JSC::DFG::Graph::mulShouldSpeculateInteger):
        (JSC::DFG::Graph::negateShouldSpeculateInteger):
        (JSC::DFG::Graph::addImmediateShouldSpeculateInteger):
        (JSC::DFG::Graph::mulImmediateShouldSpeculateInteger):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateIntegerForArithmetic):
        (Node):
        (JSC::DFG::Node::shouldSpeculateIntegerExpectingDefined):
        (JSC::DFG::Node::shouldSpeculateDoubleForArithmetic):
        (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileAdd):
        (JSC::DFG::SpeculativeJIT::compileArithMod):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_div):

2012-11-06  Filip Pizlo  <fpizlo@apple.com>

        JSC should infer when indexed storage contains only integers or doubles
        https://bugs.webkit.org/show_bug.cgi?id=98606

        Reviewed by Oliver Hunt.

        This adds two new indexing types: int32 and double. It also adds array allocation profiling,
        which allows array allocations to converge to allocating arrays using those types to which
        those arrays would have been converted.
        
        20% speed-up on navier-stokes. 40% speed-up on various Kraken DSP tests. Some slow-downs too,
        but a performance win overall on all benchmarks we track.

        * API/JSObjectRef.cpp:
        (JSObjectMakeArray):
        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * assembler/AbstractMacroAssembler.h:
        (JumpList):
        (JSC::AbstractMacroAssembler::JumpList::JumpList):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::branchDouble):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::jnp):
        (X86Assembler):
        (JSC::X86Assembler::X86InstructionFormatter::emitRex):
        * bytecode/ArrayAllocationProfile.cpp: Added.
        (JSC):
        (JSC::ArrayAllocationProfile::updateIndexingType):
        * bytecode/ArrayAllocationProfile.h: Added.
        (JSC):
        (ArrayAllocationProfile):
        (JSC::ArrayAllocationProfile::ArrayAllocationProfile):
        (JSC::ArrayAllocationProfile::selectIndexingType):
        (JSC::ArrayAllocationProfile::updateLastAllocation):
        (JSC::ArrayAllocationProfile::selectIndexingTypeFor):
        (JSC::ArrayAllocationProfile::updateLastAllocationFor):
        * bytecode/ArrayProfile.cpp:
        (JSC::ArrayProfile::updatedObservedArrayModes):
        (JSC):
        * bytecode/ArrayProfile.h:
        (JSC):
        (JSC::arrayModesInclude):
        (JSC::shouldUseSlowPutArrayStorage):
        (JSC::shouldUseFastArrayStorage):
        (JSC::shouldUseContiguous):
        (JSC::shouldUseDouble):
        (JSC::shouldUseInt32):
        (ArrayProfile):
        * bytecode/ByValInfo.h:
        (JSC::isOptimizableIndexingType):
        (JSC::jitArrayModeForIndexingType):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
        (JSC):
        (JSC::CodeBlock::updateAllValueProfilePredictions):
        (JSC::CodeBlock::updateAllArrayPredictions):
        (JSC::CodeBlock::updateAllPredictions):
        (JSC::CodeBlock::shouldOptimizeNow):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        (JSC::CodeBlock::numberOfArrayAllocationProfiles):
        (JSC::CodeBlock::addArrayAllocationProfile):
        (JSC::CodeBlock::updateAllValueProfilePredictions):
        (JSC::CodeBlock::updateAllArrayPredictions):
        * bytecode/DFGExitProfile.h:
        (JSC::DFG::exitKindToString):
        * bytecode/Instruction.h:
        (JSC):
        (JSC::Instruction::Instruction):
        * bytecode/Opcode.h:
        (JSC):
        (JSC::padOpcodeName):
        * bytecode/SpeculatedType.h:
        (JSC):
        (JSC::isRealNumberSpeculation):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC):
        (JSC::UnlinkedCodeBlock::addArrayAllocationProfile):
        (JSC::UnlinkedCodeBlock::numberOfArrayAllocationProfiles):
        (UnlinkedCodeBlock):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::newArrayAllocationProfile):
        (JSC):
        (JSC::BytecodeGenerator::emitNewArray):
        (JSC::BytecodeGenerator::emitExpectedFunctionSnippet):
        * bytecompiler/BytecodeGenerator.h:
        (BytecodeGenerator):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::fromObserved):
        (JSC::DFG::ArrayMode::refine):
        (DFG):
        (JSC::DFG::ArrayMode::alreadyChecked):
        (JSC::DFG::arrayTypeToString):
        * dfg/DFGArrayMode.h:
        (JSC::DFG::ArrayMode::withType):
        (ArrayMode):
        (JSC::DFG::ArrayMode::withTypeAndConversion):
        (JSC::DFG::ArrayMode::usesButterfly):
        (JSC::DFG::ArrayMode::isSpecific):
        (JSC::DFG::ArrayMode::supportsLength):
        (JSC::DFG::ArrayMode::arrayModesThatPassFiltering):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getArrayMode):
        (ByteCodeParser):
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCCallHelpers.h:
        (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
        (CCallHelpers):
        * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
        (JSC::DFG::CallArrayAllocatorSlowPathGenerator::generateInternal):
        (JSC::DFG::CallArrayAllocatorWithVariableSizeSlowPathGenerator::generateInternal):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::checkArray):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::byValIsPure):
        * dfg/DFGNode.h:
        (NewArrayBufferData):
        (JSC::DFG::Node::hasIndexingType):
        (Node):
        (JSC::DFG::Node::indexingType):
        (JSC::DFG::Node::setIndexingType):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
        (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
        (DFG):
        (JSC::DFG::SpeculativeJIT::checkArray):
        (JSC::DFG::SpeculativeJIT::arrayify):
        (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
        (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        (SpeculativeJIT):
        (SpeculateIntegerOperand):
        (JSC::DFG::SpeculateIntegerOperand::use):
        (SpeculateDoubleOperand):
        (JSC::DFG::SpeculateDoubleOperand::use):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (DFG):
        (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JIT.h:
        (JSC::JIT::emitInt32GetByVal):
        (JIT):
        (JSC::JIT::emitInt32PutByVal):
        (JSC::JIT::emitDoublePutByVal):
        (JSC::JIT::emitContiguousPutByVal):
        * jit/JITExceptions.cpp:
        (JSC::genericThrow):
        * jit/JITInlineMethods.h:
        (JSC::arrayProfileSaw):
        (JSC::JIT::chooseArrayMode):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_array):
        (JSC::JIT::emit_op_new_array_with_size):
        (JSC::JIT::emit_op_new_array_buffer):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitDoubleGetByVal):
        (JSC):
        (JSC::JIT::emitContiguousGetByVal):
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emitGenericContiguousPutByVal):
        (JSC::JIT::emitSlow_op_put_by_val):
        (JSC::JIT::privateCompileGetByVal):
        (JSC::JIT::privateCompilePutByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitContiguousGetByVal):
        (JSC::JIT::emitDoubleGetByVal):
        (JSC):
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emitGenericContiguousPutByVal):
        (JSC::JIT::emitSlow_op_put_by_val):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * jit/JITStubs.h:
        (JSC):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/x86.rb:
        * runtime/ArrayConstructor.cpp:
        (JSC::constructArrayWithSizeQuirk):
        * runtime/ArrayConstructor.h:
        (JSC):
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncConcat):
        (JSC::arrayProtoFuncSlice):
        (JSC::arrayProtoFuncSplice):
        (JSC::arrayProtoFuncFilter):
        (JSC::arrayProtoFuncMap):
        * runtime/Butterfly.h:
        (JSC::Butterfly::contiguousInt32):
        (JSC::Butterfly::contiguousDouble):
        (JSC::Butterfly::fromContiguous):
        * runtime/ButterflyInlineMethods.h:
        (JSC::Butterfly::createUninitializedDuringCollection):
        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncBind):
        * runtime/IndexingHeaderInlineMethods.h:
        (JSC::IndexingHeader::indexingPayloadSizeInBytes):
        * runtime/IndexingType.cpp:
        (JSC::leastUpperBoundOfIndexingTypes):
        (JSC):
        (JSC::leastUpperBoundOfIndexingTypeAndType):
        (JSC::leastUpperBoundOfIndexingTypeAndValue):
        (JSC::indexingTypeToString):
        * runtime/IndexingType.h:
        (JSC):
        (JSC::hasUndecided):
        (JSC::hasInt32):
        (JSC::hasDouble):
        * runtime/JSArray.cpp:
        (JSC::JSArray::setLength):
        (JSC::JSArray::pop):
        (JSC::JSArray::push):
        (JSC::JSArray::shiftCountWithAnyIndexingType):
        (JSC::JSArray::unshiftCountWithAnyIndexingType):
        (JSC::compareNumbersForQSortWithInt32):
        (JSC):
        (JSC::compareNumbersForQSortWithDouble):
        (JSC::JSArray::sortNumericVector):
        (JSC::JSArray::sortNumeric):
        (JSC::JSArray::sortCompactedVector):
        (JSC::JSArray::sort):
        (JSC::JSArray::sortVector):
        (JSC::JSArray::fillArgList):
        (JSC::JSArray::copyToArguments):
        (JSC::JSArray::compactForSorting):
        * runtime/JSArray.h:
        (JSArray):
        (JSC::createContiguousArrayButterfly):
        (JSC::JSArray::create):
        (JSC::JSArray::tryCreateUninitialized):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC):
        (JSC::JSGlobalObject::haveABadTime):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSGlobalObject):
        (JSC::JSGlobalObject::originalArrayStructureForIndexingType):
        (JSC::JSGlobalObject::arrayStructureForIndexingTypeDuringAllocation):
        (JSC::JSGlobalObject::arrayStructureForProfileDuringAllocation):
        (JSC::JSGlobalObject::isOriginalArrayStructure):
        (JSC::constructEmptyArray):
        (JSC::constructArray):
        * runtime/JSObject.cpp:
        (JSC::JSObject::copyButterfly):
        (JSC::JSObject::getOwnPropertySlotByIndex):
        (JSC::JSObject::putByIndex):
        (JSC::JSObject::enterDictionaryIndexingMode):
        (JSC::JSObject::createInitialIndexedStorage):
        (JSC):
        (JSC::JSObject::createInitialUndecided):
        (JSC::JSObject::createInitialInt32):
        (JSC::JSObject::createInitialDouble):
        (JSC::JSObject::createInitialContiguous):
        (JSC::JSObject::convertUndecidedToInt32):
        (JSC::JSObject::convertUndecidedToDouble):
        (JSC::JSObject::convertUndecidedToContiguous):
        (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
        (JSC::JSObject::convertUndecidedToArrayStorage):
        (JSC::JSObject::convertInt32ToDouble):
        (JSC::JSObject::convertInt32ToContiguous):
        (JSC::JSObject::convertInt32ToArrayStorage):
        (JSC::JSObject::convertDoubleToContiguous):
        (JSC::JSObject::convertDoubleToArrayStorage):
        (JSC::JSObject::convertContiguousToArrayStorage):
        (JSC::JSObject::convertUndecidedForValue):
        (JSC::JSObject::convertInt32ForValue):
        (JSC::JSObject::setIndexQuicklyToUndecided):
        (JSC::JSObject::convertInt32ToDoubleOrContiguousWhilePerformingSetIndex):
        (JSC::JSObject::convertDoubleToContiguousWhilePerformingSetIndex):
        (JSC::JSObject::ensureInt32Slow):
        (JSC::JSObject::ensureDoubleSlow):
        (JSC::JSObject::ensureContiguousSlow):
        (JSC::JSObject::ensureArrayStorageSlow):
        (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
        (JSC::JSObject::switchToSlowPutArrayStorage):
        (JSC::JSObject::deletePropertyByIndex):
        (JSC::JSObject::getOwnPropertyNames):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
        (JSC::JSObject::putByIndexBeyondVectorLength):
        (JSC::JSObject::putDirectIndexBeyondVectorLength):
        (JSC::JSObject::getNewVectorLength):
        (JSC::JSObject::countElements):
        (JSC::JSObject::ensureLengthSlow):
        (JSC::JSObject::getOwnPropertyDescriptor):
        * runtime/JSObject.h:
        (JSC::JSObject::getArrayLength):
        (JSC::JSObject::getVectorLength):
        (JSC::JSObject::canGetIndexQuickly):
        (JSC::JSObject::getIndexQuickly):
        (JSC::JSObject::tryGetIndexQuickly):
        (JSC::JSObject::canSetIndexQuickly):
        (JSC::JSObject::canSetIndexQuicklyForPutDirect):
        (JSC::JSObject::setIndexQuickly):
        (JSC::JSObject::initializeIndex):
        (JSC::JSObject::hasSparseMap):
        (JSC::JSObject::inSparseIndexingMode):
        (JSObject):
        (JSC::JSObject::ensureInt32):
        (JSC::JSObject::ensureDouble):
        (JSC::JSObject::ensureLength):
        (JSC::JSObject::indexingData):
        (JSC::JSObject::currentIndexingData):
        (JSC::JSObject::getHolyIndexQuickly):
        (JSC::JSObject::relevantLength):
        (JSC::JSObject::currentRelevantLength):
        * runtime/JSValue.cpp:
        (JSC::JSValue::description):
        * runtime/LiteralParser.cpp:
        (JSC::::parse):
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetOwnPropertyNames):
        (JSC::objectConstructorKeys):
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncMatch):
        (JSC::stringProtoFuncSplit):
        * runtime/Structure.cpp:
        (JSC::Structure::nonPropertyTransition):
        * runtime/StructureTransitionTable.h:
        (JSC::newIndexingType):

2012-11-08  Balazs Kilvady  <kilvadyb@homejinni.com>

        ASSERT problem on MIPS
        https://bugs.webkit.org/show_bug.cgi?id=100589

        Reviewed by Oliver Hunt.

        ASSERT fix for MIPS arch.

        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_resolve_operations):

2012-11-08  Michael Saboff  <msaboff@apple.com>

        OpaqueJSClassContextData() should use StringImpl::isolatedCopy() to make string copies
        https://bugs.webkit.org/show_bug.cgi?id=101507

        Reviewed by Andreas Kling.

        Changed to use isolatedCopy() for key Strings.

        * API/JSClassRef.cpp:
        (OpaqueJSClassContextData::OpaqueJSClassContextData):

2012-11-07  Mark Hahnenberg  <mhahnenberg@apple.com>

        WeakBlocks should be HeapBlocks
        https://bugs.webkit.org/show_bug.cgi?id=101411

        Reviewed by Oliver Hunt.

        Currently WeakBlocks use fastMalloc memory. They are very similar to the other HeapBlocks, however, 
        so we should change them to being allocated with the BlockAllocator.

        * heap/BlockAllocator.cpp:
        (JSC::BlockAllocator::BlockAllocator):
        * heap/BlockAllocator.h: Added a new RegionSet for WeakBlocks.
        (JSC):
        (BlockAllocator):
        (JSC::WeakBlock):
        * heap/Heap.h: Friended WeakSet to allow access to the BlockAllocator.
        (Heap):
        * heap/WeakBlock.cpp:
        (JSC::WeakBlock::create): Refactored to use HeapBlocks rather than fastMalloc.
        (JSC::WeakBlock::WeakBlock):
        * heap/WeakBlock.h: Changed the WeakBlock size to 4 KB so that it divides evenly into the Region size.
        (JSC):
        (WeakBlock):
        * heap/WeakSet.cpp:
        (JSC::WeakSet::~WeakSet):
        (JSC::WeakSet::addAllocator):

2012-11-07  Filip Pizlo  <fpizlo@apple.com>

        Indentation of ArgList.h is wrong
        https://bugs.webkit.org/show_bug.cgi?id=101441

        Reviewed by Andreas Kling.

        Just unindented by 4 spaces.

        * runtime/ArgList.h:

2012-11-07  Gabor Ballabas  <gaborb@inf.u-szeged.hu>

        [Qt][ARM] REGRESSION(r133688): It made all JSC and layout tests crash on ARM traditional platform
        https://bugs.webkit.org/show_bug.cgi?id=101465

        Reviewed by Oliver Hunt.

        Fix failing javascriptcore tests on ARM after r133688

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):

2012-11-06  Oliver Hunt  <oliver@apple.com>

        Reduce parser overhead in JSC
        https://bugs.webkit.org/show_bug.cgi?id=101127

        Reviewed by Filip Pizlo.

        An exciting journey into the world of architecture in which our hero
        adds yet another layer to JSC codegeneration.

        This patch adds a marginally more compact form of bytecode that is
        free from any data specific to a given execution context, and that
        does store any data structures necessary for execution.  To actually
        execute this UnlinkedBytecode we still need to instantiate a real
        CodeBlock, but this is a much faster linear time operation than any
        of the earlier parsing or code generation passes.

        As the unlinked code is context free we can then simply use a cache
        from source to unlinked code mapping to completely avoid all of the
        old parser overhead.  The cache is currently very simple and memory
        heavy, using the complete source text as a key (rather than SourceCode
        or equivalent), and a random eviction policy.

        This seems to produce a substantial win when loading identical content
        in different contexts.

        * API/tests/testapi.c:
        (main):
        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        * bytecode/CodeBlock.h:
            Moved a number of fields, and a bunch of logic to UnlinkedCodeBlock.h/cpp
        * bytecode/Opcode.h:
            Added a global const init no op instruction needed to get correct
            behaviour without any associated semantics.
        * bytecode/UnlinkedCodeBlock.cpp: Added.
        * bytecode/UnlinkedCodeBlock.h: Added.
            A fairly shallow, GC allocated version of the old CodeBlock
            classes with a 32bit instruction size, and just metadata
            size tracking.
        * bytecompiler/BytecodeGenerator.cpp:
        * bytecompiler/BytecodeGenerator.h:
            Replace direct access to m_symbolTable with access through
            symbolTable().  ProgramCode no longer has a symbol table at
            all so some previously unconditional (and pointless) uses
            of symbolTable get null checks.
            A few other changes to deal with type changes due to us generating
            unlinked code (eg. pointer free, so profile indices rather than
            pointers).
        * dfg/DFGByteCodeParser.cpp:
        * dfg/DFGCapabilities.h:
            Support global_init_nop        
        * interpreter/Interpreter.cpp:
            Now get the ProgramExecutable to initialise new global properties
            before starting execution.        
        * jit/JIT.cpp:
        * jit/JITDriver.h:
        * jit/JITStubs.cpp:
        * llint/LLIntData.cpp:
        * llint/LLIntSlowPaths.cpp:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
            Adding init_global_const_nop everywhere else
        * parser/Parser.h:
        * parser/ParserModes.h: Added.
        * parser/ParserTokens.h:
            Parser no longer needs a global object or callframe to function        
        * runtime/CodeCache.cpp: Added.
        * runtime/CodeCache.h: Added.
            A simple, random eviction, Source->UnlinkedCode cache        
        * runtime/Executable.cpp:
        * runtime/Executable.h:
            Executables now reference their unlinked counterparts, and
            request code specifically for the target global object.        
        * runtime/JSGlobalData.cpp:
        * runtime/JSGlobalData.h:
            GlobalData now owns a CodeCache and a set of new structures
            for the unlinked code types.  
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:
            Utility functions used by executables to perform compilation
 
        * runtime/JSType.h:
          Add new JSTypes for unlinked code

2012-11-06  Michael Saboff  <msaboff@apple.com>

        JSStringCreateWithCFString() Should create an 8 bit String if possible
        https://bugs.webkit.org/show_bug.cgi?id=101104

        Reviewed by Darin Adler.

        Try converting the CFString to an 8 bit string using CFStringGetBytes(...,
        kCFStringEncodingISOLatin1, ...) and return the 8 bit string if successful.
        If not proceed with 16 bit conversion.

        * API/JSStringRefCF.cpp:
        (JSStringCreateWithCFString):

2012-11-06  Oliver Hunt  <oliver@apple.com>

        Reduce direct m_symbolTable usage in CodeBlock
        https://bugs.webkit.org/show_bug.cgi?id=101391

        Reviewed by Sam Weinig.

        Simple refactoring.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
        (JSC::CodeBlock::dumpStatistics):
        (JSC::CodeBlock::nameForRegister):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::isCaptured):

2012-11-06  Michael Saboff  <msaboff@apple.com>

        Lexer::scanRegExp, create 8 bit pattern and flag Identifiers from 16 bit source when possible
        https://bugs.webkit.org/show_bug.cgi?id=101013

        Reviewed by Darin Adler.

        Changed scanRegExp so that it will create 8 bit identifiers from 8 bit sources and from 16 bit sources
        whan all the characters are 8 bit.  Using two templated helpers, the "is all 8 bit" check is only performed
        on 16 bit sources.  The first helper is orCharacter() that will accumulate the or value of all characters
        only for 16 bit sources.  Replaced the helper Lexer::makeIdentifierSameType() with Lexer::makeRightSizedIdentifier().

        * parser/Lexer.cpp:
        (JSC::orCharacter<LChar>): Explicit template that serves as a placeholder.
        (JSC::orCharacter<UChar>): Explicit template that actually or accumulates characters.
        (JSC::Lexer::scanRegExp):
        * parser/Lexer.h:
        (Lexer):
        (JSC::Lexer::makeRightSizedIdentifier<LChar>): New template that always creates an 8 bit Identifier.
        (JSC::Lexer::makeRightSizedIdentifier<UChar>): New template that creates an 8 bit Identifier for 8 bit
        data in a 16 bit source.

2012-11-06  Filip Pizlo  <fpizlo@apple.com>

        Indentation of JSCell.h is wrong
        https://bugs.webkit.org/show_bug.cgi?id=101379

        Rubber stamped by Alexey Proskuryakov.

        Just removed four spaces on a bunch of lines.

        * runtime/JSCell.h:

2012-11-05  Filip Pizlo  <fpizlo@apple.com>

        Indentation of JSObject.h is wrong
        https://bugs.webkit.org/show_bug.cgi?id=101313

        Rubber stamped by Alexey Proskuryakov.

        Just unindented code, since namespace bodies shouldn't be indented.

        * runtime/JSObject.h:

2012-11-05  Filip Pizlo  <fpizlo@apple.com>

        Indentation of JSArray.h is wrong
        https://bugs.webkit.org/show_bug.cgi?id=101314

        Rubber stamped by Alexey Proskuryakov.

        Just removing the indentation inside the namespace body.

        * runtime/JSArray.h:

2012-11-05  Filip Pizlo  <fpizlo@apple.com>

        DFG should not fall down to patchable GetById just because a prototype had things added to it
        https://bugs.webkit.org/show_bug.cgi?id=101299

        Reviewed by Geoffrey Garen.

        This looks like a slight win on V8v7 and SunSpider.

        * bytecode/DFGExitProfile.h:
        (JSC::DFG::exitKindToString):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2012-11-05  Filip Pizlo  <fpizlo@apple.com>

        Get rid of method_check
        https://bugs.webkit.org/show_bug.cgi?id=101147

        Reviewed by Geoffrey Garen.

        op_method_check no longer buys us anything, since get_by_id proto caching
        gives just as much profiling information and the DFG inlines monomorphic
        proto accesses anyway.
        
        This also has the potential for a speed-up since it makes parsing of
        profiling data easier. No longer do we have to deal with the confusion of
        the get_by_id portion of a method_check appearing monomorphic even though
        we're really dealing with a bimorphic access (method_check specializes for
        one case and get_by_id for another).

        This looks like a 1% speed-up on both SunSpider and V8v7.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printGetByIdCacheStatus):
        (JSC::CodeBlock::dump):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::shrinkToFit):
        (JSC::CodeBlock::unlinkCalls):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::getCallLinkInfo):
        (JSC::CodeBlock::callLinkInfo):
        (CodeBlock):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        * bytecode/MethodCallLinkInfo.cpp: Removed.
        * bytecode/MethodCallLinkInfo.h: Removed.
        * bytecode/MethodCallLinkStatus.cpp: Removed.
        * bytecode/MethodCallLinkStatus.h: Removed.
        * bytecode/Opcode.h:
        (JSC):
        (JSC::padOpcodeName):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC):
        * bytecompiler/BytecodeGenerator.h:
        (BytecodeGenerator):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::FunctionCallDotNode::emitBytecode):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        (JSC::PropertyStubCompilationInfo::copyToStubInfo):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        (JSC::PropertyStubCompilationInfo::slowCaseInfo):
        (PropertyStubCompilationInfo):
        (JSC):
        (JIT):
        * jit/JITPropertyAccess.cpp:
        (JSC):
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::compileGetByIdSlowCase):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC):
        (JSC::JIT::compileGetByIdSlowCase):
        * jit/JITStubs.cpp:
        (JSC):
        * jit/JITStubs.h:
        * llint/LowLevelInterpreter.asm:

2012-11-05  Yuqiang Xian  <yuqiang.xian@intel.com>

        Refactor LLInt64 to distinguish the pointer operations from the 64-bit integer operations
        https://bugs.webkit.org/show_bug.cgi?id=100321

        Reviewed by Filip Pizlo.

        We have refactored the MacroAssembler and JIT compilers to distinguish
        the pointer operations from the 64-bit integer operations (see bug #99154).
        Now we want to do the similar work for LLInt, and the goal is same as
        the one mentioned in 99154.

        This is the second part of the modification: in the low level interpreter,
        changing the operations on 64-bit integers to use the "<foo>q" instructions.
        This also removes some unused/meaningless "<foo>p" instructions.

        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter.cpp:
        (JSC::CLoop::execute):
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/armv7.rb:
        * offlineasm/cloop.rb:
        * offlineasm/instructions.rb:
        * offlineasm/x86.rb:

2012-11-05  Filip Pizlo  <fpizlo@apple.com>

        Prototype chain caching should check that the path from the base object to the slot base involves prototype hops only
        https://bugs.webkit.org/show_bug.cgi?id=101276

        Reviewed by Gavin Barraclough.

        Changed normalizePrototypeChain() to report an invalid prototype chain if any object is a proxy.
        This catches cases where our prototype chain checks would have been insufficient to guard against
        newly introduced properties, despecialized properties, or deleted properties in the chain of
        objects involved in the access.

        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryCacheGetByID):
        (JSC::DFG::tryBuildGetByIDProtoList):
        (JSC::DFG::tryCachePutByID):
        (JSC::DFG::tryBuildPutByIdList):
        * jit/JITStubs.cpp:
        (JSC::JITThunks::tryCachePutByID):
        (JSC::JITThunks::tryCacheGetByID):
        (JSC::DEFINE_STUB_FUNCTION):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Operations.h:
        (JSC):
        (JSC::normalizePrototypeChain):

2012-11-05  Dima Gorbik  <dgorbik@apple.com>

        Back out controversial changes from Bug 98665.
        https://bugs.webkit.org/show_bug.cgi?id=101244

        Reviewed by David Kilzer.

        Backing out changes from Bug 98665 until further discussions take place on rules for including Platform.h in Assertions.h.

        * API/tests/minidom.c:
        * API/tests/testapi.c:

2012-11-04  Filip Pizlo  <fpizlo@apple.com>

        Reduce the verbosity of referring to QNaN in JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=101174

        Reviewed by Geoffrey Garen.

        Introduces a #define QNaN in JSValue.h, and replaces all previous uses of
        std::numeric_limits<double>::quiet_NaN() with QNaN.

        * API/JSValueRef.cpp:
        (JSValueMakeNumber):
        (JSValueToNumber):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitFloatTypedArrayGetByVal):
        * runtime/CachedTranscendentalFunction.h:
        (JSC::CachedTranscendentalFunction::initialize):
        * runtime/DateConstructor.cpp:
        (JSC::constructDate):
        * runtime/DateInstanceCache.h:
        (JSC::DateInstanceData::DateInstanceData):
        (JSC::DateInstanceCache::reset):
        * runtime/ExceptionHelpers.cpp:
        (JSC::InterruptedExecutionError::defaultValue):
        (JSC::TerminatedExecutionError::defaultValue):
        * runtime/JSCell.h:
        (JSC::JSValue::getPrimitiveNumber):
        * runtime/JSDateMath.cpp:
        (JSC::parseDateFromNullTerminatedCharacters):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::resetDateCache):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::parseInt):
        (JSC::jsStrDecimalLiteral):
        (JSC::toDouble):
        (JSC::jsToNumber):
        (JSC::parseFloat):
        * runtime/JSValue.cpp:
        (JSC::JSValue::toNumberSlowCase):
        * runtime/JSValue.h:
        (JSC):
        * runtime/JSValueInlineMethods.h:
        (JSC::jsNaN):
        * runtime/MathObject.cpp:
        (JSC::mathProtoFuncMax):
        (JSC::mathProtoFuncMin):

2012-11-03  Filip Pizlo  <fpizlo@apple.com>

        Baseline JIT should use structure watchpoints whenever possible
        https://bugs.webkit.org/show_bug.cgi?id=101146

        Reviewed by Sam Weinig.

        No speed-up yet except on toy programs. I think that it will start to show
        speed-ups with https://bugs.webkit.org/show_bug.cgi?id=101147, which this is
        a step towards.

        * jit/JIT.h:
        (JIT):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::privateCompileGetByIdProto):
        (JSC::JIT::privateCompileGetByIdProtoList):
        (JSC::JIT::privateCompileGetByIdChainList):
        (JSC::JIT::privateCompileGetByIdChain):
        (JSC::JIT::addStructureTransitionCheck):
        (JSC):
        (JSC::JIT::testPrototype):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::privateCompileGetByIdProto):
        (JSC::JIT::privateCompileGetByIdProtoList):
        (JSC::JIT::privateCompileGetByIdChainList):
        (JSC::JIT::privateCompileGetByIdChain):

2012-11-04  Csaba Osztrogonác  <ossy@webkit.org>

        [Qt] udis86_itab.c is always regenerated
        https://bugs.webkit.org/show_bug.cgi?id=100756

        Reviewed by Simon Hausmann.

        * DerivedSources.pri: Generate sources to the generated directory.
        * disassembler/udis86/differences.txt:
        * disassembler/udis86/itab.py: Add --outputDir option.
        (UdItabGenerator.__init__):
        (genItabH):
        (genItabC):
        (main):

2012-11-02  Filip Pizlo  <fpizlo@apple.com>

        LLInt 32-bit put_by_val ArrayStorage case should use the right register (t3, not t2) for the index in the publicLength updating path
        https://bugs.webkit.org/show_bug.cgi?id=101118

        Reviewed by Gavin Barraclough.

        * llint/LowLevelInterpreter32_64.asm:

2012-11-02  Filip Pizlo  <fpizlo@apple.com>

        DFG::Node::converToStructureTransitionWatchpoint should take kindly to ArrayifyToStructure
        https://bugs.webkit.org/show_bug.cgi?id=101117

        Reviewed by Gavin Barraclough.

        We have logic to convert ArrayifyToStructure to StructureTransitionWatchpoint, which is awesome, except
        that previously convertToStructureTransitionWatchpoint was (a) asserting that it never saw an
        ArrayifyToStructure and (b) would incorrectly create a ForwardStructureTransitionWatchpoint if it did.

        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToStructureTransitionWatchpoint):

2012-11-02  Filip Pizlo  <fpizlo@apple.com>

        DFG::SpeculativeJIT::typedArrayDescriptor should use the Float64Array descriptor for Float64Arrays
        https://bugs.webkit.org/show_bug.cgi?id=101114

        Reviewed by Gavin Barraclough.

        As in https://bugs.webkit.org/show_bug.cgi?id=101112, this was only wrong when Float64Array descriptors
        hadn't been initialized yet. That happens rarely, but when it does happen, we would crash.
        
        This would also become much more wrong if we ever put type size info (num bytes, etc) in the descriptor
        and used that directly. So it's good to fix it.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::typedArrayDescriptor):

2012-11-02  Filip Pizlo  <fpizlo@apple.com>

        JIT::privateCompileGetByVal should use the uint8ClampedArrayDescriptor for compiling accesses to Uint8ClampedArrays
        https://bugs.webkit.org/show_bug.cgi?id=101112

        Reviewed by Gavin Barraclough.

        The only reason why the code was wrong to use uint8ArrayDescriptor instead is that if we're just using
        Uint8ClampedArrays then the descriptor for Uint8Array may not have been initialized.

        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::privateCompileGetByVal):

2012-11-02  Mark Hahnenberg  <mhahnenberg@apple.com>

        MarkedBlocks should use something other than the mark bits to indicate liveness for newly allocated objects
        https://bugs.webkit.org/show_bug.cgi?id=100877

        Reviewed by Filip Pizlo.

        Currently when we canonicalize cell liveness data in MarkedBlocks, we set the mark bit for every cell in the 
        block except for those in the free list. This allows us to consider objects that were allocated since the 
        previous collection to be considered live until they have a chance to be properly marked by the collector.

        If we want to use the mark bits to signify other types of information, e.g. using sticky mark bits for generational 
        collection, we will have to keep track of newly allocated objects in a different fashion when we canonicalize cell liveness.

        One method would be to allocate a separate set of bits while canonicalizing liveness data. These bits would 
        track the newly allocated objects in the block separately from those objects who had already been marked. We would 
        then check these bits, along with the mark bits, when determining liveness. 

        * heap/Heap.h:
        (Heap):
        (JSC::Heap::isLive): We now check for the presence of the newlyAllocated Bitmap.
        (JSC):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::specializedSweep): We clear the newlyAllocated Bitmap if we're creating a free list. This 
        will happen if we canonicalize liveness data for some other reason than collection (e.g. forEachCell) and 
        then start allocating again.
        (JSC::SetNewlyAllocatedFunctor::SetNewlyAllocatedFunctor): 
        (SetNewlyAllocatedFunctor):
        (JSC::SetNewlyAllocatedFunctor::operator()): We set the newlyAllocated bits for all the objects 
        that aren't already marked. We undo the bits for the objects in the free list later in canonicalizeCellLivenessData.
        (JSC::MarkedBlock::canonicalizeCellLivenessData): We should never have a FreeListed block with a newlyAllocated Bitmap.
        We allocate the new Bitmap, set the bits for all the objects that aren't already marked, and then unset all of the 
        bits for the items currently in the FreeList.
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::clearMarks): We clear the newlyAllocated bitmap if it exists because at this point we don't need it
        any more.
        (JSC::MarkedBlock::isEmpty): If we have some objects that are newlyAllocated, we are not empty.
        (JSC::MarkedBlock::isNewlyAllocated): 
        (JSC):
        (JSC::MarkedBlock::setNewlyAllocated):
        (JSC::MarkedBlock::clearNewlyAllocated):
        (JSC::MarkedBlock::isLive): We now check the newlyAllocated Bitmap, if it exists, when determining liveness of a cell in 
        a block that is Marked.
        * heap/WeakBlock.cpp:
        (JSC::WeakBlock::visit): We need to make sure we don't finalize objects that are in the newlyAllocated Bitmap.
        (JSC::WeakBlock::reap): Ditto.

2012-11-02  Filip Pizlo  <fpizlo@apple.com>

        JIT::privateCompileGetByVal should use MacroAssemblerCodePtr::createFromExecutableAddress like JIT::privateCompilePutByVal
        https://bugs.webkit.org/show_bug.cgi?id=101109

        Reviewed by Gavin Barraclough.

        This fixes crashes on ARMv7 resulting from the return address already being tagged with the THUMB2 bit.

        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::privateCompileGetByVal):

2012-11-02  Simon Fraser  <simon.fraser@apple.com>

        Enable SUBPIXEL_LAYOUT on Mac
        https://bugs.webkit.org/show_bug.cgi?id=101076

        Reviewed by Dave Hyatt.

        Define ENABLE_SUBPIXEL_LAYOUT and include it in FEATURE_DEFINES.

        * Configurations/FeatureDefines.xcconfig:

2012-11-02  Michael Saboff  <msaboff@apple.com>

        RegExp.prototype.toString Should Produce an 8 bit JSString if possible.
        https://bugs.webkit.org/show_bug.cgi?id=101003

        Reviewed by Geoffrey Garen.

        Took the logic of regExpObjectSource() and created two templated helpers that uses the
        source character type when appending to the StringBuilder.

        * runtime/RegExpObject.cpp:
        (JSC::appendLineTerminatorEscape): Checks line terminate type to come up with escaped version.
        (JSC::regExpObjectSourceInternal): Templated version of original.
        (JSC::regExpObjectSource): Wrapper function.

2012-11-02  Adam Barth  <abarth@webkit.org>

        ENABLE(UNDO_MANAGER) is disabled everywhere and is not under active development
        https://bugs.webkit.org/show_bug.cgi?id=100711

        Reviewed by Eric Seidel.

        * Configurations/FeatureDefines.xcconfig:

2012-11-02  Simon Hausmann  <simon.hausmann@digia.com>

        [Qt] Fix build on Windows when Qt is configured with -release
        https://bugs.webkit.org/show_bug.cgi?id=101041

        Reviewed by Jocelyn Turcotte.

        When Qt is configured with -debug or -release, the release/debug build of for example
        QtCore is not available by default. For LLIntExtractor we always need to build debug
        _and_ release versions, but we do not actually need any Qt libraries nor qtmain(d).lib.
        Therefore we can disable all these features but need to keep $$QT.core.includes in the
        INCLUDEPATH for some defines from qglobal.h.

        * LLIntOffsetsExtractor.pro:

2012-11-01  Mark Lam  <mark.lam@apple.com>

        A llint workaround for a toolchain issue.
        https://bugs.webkit.org/show_bug.cgi?id=101012.

        Reviewed by Michael Saboff.

        * llint/LowLevelInterpreter.asm:
          - use a local label to workaround the toolchain issue with undeclared
            global labels.

2012-11-01  Oliver Hunt  <oliver@apple.com>

        Remove GlobalObject constant register that is typically unused
        https://bugs.webkit.org/show_bug.cgi?id=101005

        Reviewed by Geoffrey Garen.

        The GlobalObject constant register is frequently allocated even when it
        is not used, it is also getting in the way of some other optimisations.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseResolveOperations):

2012-10-31  Filip Pizlo  <fpizlo@apple.com>

        DFG optimized string access code should be enabled
        https://bugs.webkit.org/show_bug.cgi?id=100825

        Reviewed by Oliver Hunt.

        - Removes prediction checks from the parser.
        
        - Fixes the handling of array mode refinement for strings. I.e. we don't do
          any refinement - we already know it's going to be a string. We could
          revisit this in the future, but for now the DFG lacks the ability to
          handle any array modes other than Array::String for string intrinsics, so
          this is as good as it gets.
        
        - Removes uses of isBlahSpeculation for checking if a mode is already
          checked. isBlahSpeculation implicitly checks if the SpeculatedType is not
          BOTTOM ("empty"), which breaks for checking if a mode is already checked
          since a mode may already be "checked" in the sense that we've proven that
          the code is unreachable.
        
        ~1% speed-up on V8v7, mostly from a speed-up on crypto, which uses string
        intrinsics in one of the hot functions.

        * bytecode/SpeculatedType.h:
        (JSC::speculationChecked):
        (JSC):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::alreadyChecked):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):

2012-10-31  Filip Pizlo  <fpizlo@apple.com>

        Sparse array size threshold should be increased to 100000
        https://bugs.webkit.org/show_bug.cgi?id=100827

        Reviewed by Oliver Hunt.

        This enables the use of contiguous arrays in programs that previously
        couldn't use them. And I so far can't see any examples of this being
        a downside. To the extent that there is a downside, it ought to be
        addressed by GC: https://bugs.webkit.org/show_bug.cgi?id=100828

        * runtime/ArrayConventions.h:
        (JSC):

2012-10-31  Mark Lam  <mark.lam@apple.com>

        C++ llint 64-bit backend needs to zero extend results of int32 operations.
        https://bugs.webkit.org/show_bug.cgi?id=100899.

        Reviewed by Filip Pizlo.

        llint asm instructions ending in "i" for a 64-bit machine expects the
        high 32-bit of registers to be zero'ed out when a 32-bit instruction
        writes into a register. Fixed the C++ llint to honor this.

        Fixed the index register used in BaseIndex addressing to be of size
        intptr_t as expected.

        Updated CLoopRegister to handle different endiannesss configurations.

        * llint/LowLevelInterpreter.cpp:
        (JSC::CLoopRegister::clearHighWord):
          - new method to clear the high 32-bit of a 64-bit register.
            It's a no-op for the 32-bit build. 
        (CLoopRegister):
          - CLoopRegister now takes care of packing and byte endianness order.
        (JSC::CLoop::execute): - Added an assert.
        * offlineasm/cloop.rb:
          - Add calls to clearHighWord() wherever needed.

2012-10-31  Mark Lam  <mark.lam@apple.com>

        A JSC printf (support for %J+s and %b).
        https://bugs.webkit.org/show_bug.cgi?id=100566.

        Reviewed by Michael Saboff.

        Added VMInspector::printf(), fprintf(), sprintf(), and snprintf().
        - %b prints ints as boolean TRUE (non-zero) or FALSE (zero).
        - %Js prints a WTF::String* like a %s prints a char*.
          Also works for 16bit WTF::Strings (prints wchar_t* using %S).
        - '+' is a modifier meaning 'use verbose mode', and %J+s is an example
          of its use.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * interpreter/VMInspector.cpp:
        (FormatPrinter):
        (JSC::FormatPrinter::~FormatPrinter):
        (JSC::FormatPrinter::print):
        (JSC::FormatPrinter::printArg):
        (JSC::FormatPrinter::printWTFString):
        (JSC::FileFormatPrinter::FileFormatPrinter):
        (JSC::FileFormatPrinter::printArg):
        (JSC::StringFormatPrinter::StringFormatPrinter):
        (JSC::StringFormatPrinter::printArg):
        (JSC::StringNFormatPrinter::StringNFormatPrinter):
        (JSC::StringNFormatPrinter::printArg):
        (JSC::VMInspector::fprintf):
        (JSC::VMInspector::printf):
        (JSC::VMInspector::sprintf):
        (JSC::VMInspector::snprintf):
        * interpreter/VMInspector.h:
        (VMInspector):

2012-10-31  Mark Lam  <mark.lam@apple.com>

        64-bit llint PC offset can be negative: using an unsigned shift is a bug.
        https://bugs.webkit.org/show_bug.cgi?id=100896.

        Reviewed by Filip Pizlo.

        Fixed the PC offset divisions in the 64-bit llint asm to use rshift instead of urshift.

        * llint/LowLevelInterpreter64.asm:

2012-10-30  Yuqiang Xian  <yuqiang.xian@intel.com>

        glsl-function-atan.html WebGL conformance test fails after https://bugs.webkit.org/show_bug.cgi?id=99154
        https://bugs.webkit.org/show_bug.cgi?id=100789

        Reviewed by Filip Pizlo.

        We accidently missed a bitwise double to int64 conversion.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::silentFill):

2012-10-30  Joseph Pecoraro  <pecoraro@apple.com>

        [Mac] Sync up FeatureDefine Configuration Files
        https://bugs.webkit.org/show_bug.cgi?id=100171

        Reviewed by David Kilzer.

        Follow up to better coordinate with iOS feature defines. Make:

          - ENABLE_FILTERS always on
          - ENABLE_INPUT_* iphonesimulator values point to the iphoneos values

        * Configurations/FeatureDefines.xcconfig:

2012-10-30  Joseph Pecoraro  <pecoraro@apple.com>

        [Mac] Sync up FeatureDefine Configuration Files
        https://bugs.webkit.org/show_bug.cgi?id=100171

        Reviewed by David Kilzer.

        Ensure an identical FeatureDefine files across all projects. Changes:

          - ENABLE_CSS_BOX_DECORATION_BREAK should be in all
          - ENABLE_PDFKIT_PLUGIN should be in all
          - ENABLE_RESOLUTION_MEDIA_QUERY should be in all
          - ENABLE_ENCRYPTED_MEDIA should be in all
          - ENABLE_HIDDEN_PAGE_DOM_TIMER_THROTTLING with corrected value
          - Some alphabetical ordering cleanup

        * Configurations/FeatureDefines.xcconfig:

2012-10-30  Mark Hahnenberg  <mhahnenberg@apple.com>

        Arrays can change IndexingType in the middle of sorting
        https://bugs.webkit.org/show_bug.cgi?id=100773

        Reviewed by Filip Pizlo.

        Instead of giving up, we just fetch the appropriate vector based on the current 
        IndexingType of the array.

        * runtime/JSArray.cpp:
        (JSC::JSArray::sortVector):
        * runtime/JSObject.h:
        (JSObject):
        (JSC::JSObject::currentIndexingData):
        (JSC::JSObject::currentRelevantLength):

2012-10-29  Anders Carlsson  <andersca@apple.com>

        Build WebKit as C++11 on Mac
        https://bugs.webkit.org/show_bug.cgi?id=100720

        Reviewed by Daniel Bates.

        * Configurations/Base.xcconfig:
        Add CLANG_CXX_LANGUAGE_STANDARD=gnu++0x.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):
        (JSC::BytecodeGenerator::pushFinallyContext):
        (JSC::BytecodeGenerator::beginSwitch):
        * llint/LLIntOffsetsExtractor.cpp:
        * runtime/Identifier.cpp:
        (JSC::Identifier::add8):
        * runtime/Identifier.h:
        (JSC::Identifier::add):
        * runtime/JSONObject.cpp:
        (JSC::appendStringToStringBuilder):
        * runtime/StringPrototype.cpp:
        (JSC::replaceUsingStringSearch):
        Add static_casts to prevent implicit type conversions in non-constant initializer lists.

2012-10-28  Mark Rowe  <mrowe@apple.com>

        Simplify Xcode configuration settings that used to vary between OS versions.

        Reviewed by Dan Bernstein.

        * Configurations/Base.xcconfig:
        * Configurations/DebugRelease.xcconfig:
        * Configurations/JavaScriptCore.xcconfig:

2012-10-28  Mark Rowe  <mrowe@apple.com>

        Remove references to unsupported OS and Xcode versions.

        Reviewed by Anders Carlsson.

        * Configurations/Base.xcconfig:
        * Configurations/CompilerVersion.xcconfig: Removed.
        * Configurations/DebugRelease.xcconfig:
        * Configurations/Version.xcconfig:
        * JavaScriptCore.xcodeproj/project.pbxproj:

2012-10-29  Michael Saboff  <msaboff@apple.com>

        Non-special escape character sequences cause JSC::Lexer::parseString to create 16 bit strings
        https://bugs.webkit.org/show_bug.cgi?id=100576

        Reviewed by Darin Adler.

        Changed singleEscape() processing to be based on a lookup of a static table.  The table
        covers ASCII characters SPACE through DEL.  If a character can be a single character escape,
        then the table provides the non-zero result of that escape.  Updated the result of
        singleEscape to be an LChar to make the table as small as possible.
        Added a new test fast/js/normal-character-escapes-in-string-literals.html to validated
        the behavior.

        * parser/Lexer.cpp:
        (JSC::singleEscape):
        (JSC::Lexer::parseString):
        (JSC::Lexer::parseStringSlowCase):

2012-10-29  Enrica Casucci  <enrica@apple.com>

        Add ENABLE_USERSELECT_ALL feature flag.
        https://bugs.webkit.org/show_bug.cgi?id=100559

        Reviewed by Eric Seidel.

        * Configurations/FeatureDefines.xcconfig:

2012-10-28  Filip Pizlo  <fpizlo@apple.com>

        DFG should be able to emit effectful structure checks
        https://bugs.webkit.org/show_bug.cgi?id=99260

        Reviewed by Oliver Hunt.

        This change allows us to find out if an array access that has gone polymorphic
        is operating over known structures - i.e. the primordial array structures of the
        global object that the code block containing the array access belongs to. We
        term this state "OriginalArray" for short. The fact that the access has gone
        polymorphic means that the array profile will not be able to report the set of
        structures it had seen - but if it can tell us that all of the structures were
        primordial then it just so happens that we can deduce what the structure set
        would have been by just querying the code block's global object. This allows us
        to emit an ArrayifyToStructure instead of an Arrayify if we find that we need to
        do conversions. The fast path of an ArrayifyToStructure is exactly like the fast
        path of a CheckStructure and is mostly subject to the same optimizations. It
        also burns one fewer registers.
        
        Essentially the notion of OriginalArray is a super cheap way of getting the
        array profile to tell us a structure set instead of a singleton structure.
        Currently, the array profile can only tell us the structure seen at an array
        access if there was exactly one structure. If there were multiple structures, it
        won't tell us anything other than the array modes and other auxiliary profiling
        data (whether there were stores to holes, for example). With OriginalArray, we
        cheaply get a structure set if all of the structures were primordial for the
        code block's global object, since in that case the array mode set (ArrayModes)
        can directly tell us the structure set. In the future, we might consider adding
        complete structure sets to the array profiles, but I suspect that we would hit
        diminishing returns if we did so - it would only help if we have array accesses
        that are both polymorphic and are cross-global-object accesses (rare) or if the
        arrays had named properties or other structure transitions that are unrelated to
        indexing type (also rare).
        
        This also does away with Arrayify (and the new ArrayifyToStructure) returning
        the butterfly pointer. This turns out to be faster and easier to CSE.
        
        And, this also changes constant folding to be able to eliminate CheckStructure,
        ForwardCheckStructure, and ArrayifyToStructure in addition to being able to
        transform them into structure transition watchpoints. This is great for
        ArrayifyToStructure because then CSE and CFA know that there is no side effect.
        Converting CheckStructure and ForwardCheckStructure to also behave this way is
        just a matter of elegance.
        
        This has no performance impact right now. It's intended to alleviate some of the
        regressions seen in the early implementation of
        https://bugs.webkit.org/show_bug.cgi?id=98606.

        * bytecode/ArrayProfile.cpp:
        (JSC::ArrayProfile::computeUpdatedPrediction):
        * bytecode/ArrayProfile.h:
        (JSC):
        (JSC::ArrayProfile::ArrayProfile):
        (ArrayProfile):
        (JSC::ArrayProfile::usesOriginalArrayStructures):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::fromObserved):
        (JSC::DFG::ArrayMode::alreadyChecked):
        (JSC::DFG::arrayClassToString):
        * dfg/DFGArrayMode.h:
        (JSC::DFG::ArrayMode::withProfile):
        (JSC::DFG::ArrayMode::isJSArray):
        (ArrayMode):
        (JSC::DFG::ArrayMode::isJSArrayWithOriginalStructure):
        (JSC::DFG::ArrayMode::supportsLength):
        (JSC::DFG::ArrayMode::arrayModesWithIndexingShape):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getArrayMode):
        (JSC::DFG::ByteCodeParser::getArrayModeAndEmitChecks):
        (JSC::DFG::ByteCodeParser::handleGetByOffset):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::checkStructureElimination):
        (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
        (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::checkArrayElimination):
        (JSC::DFG::CSEPhase::getScopeRegistersLoadElimination):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::checkArray):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasStructure):
        (JSC::DFG::Node::hasArrayMode):
        (JSC::DFG::Node::arrayMode):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
        (JSC::DFG::SpeculativeJIT::arrayify):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::isOriginalArrayStructure):
        * runtime/Structure.cpp:
        (JSC::Structure::nonPropertyTransition):

2012-10-28  Filip Pizlo  <fpizlo@apple.com>

        There should not be blind spots in array length array profiling
        https://bugs.webkit.org/show_bug.cgi?id=100620

        Reviewed by Oliver Hunt.

        I don't think this has any performance impact. But it's good to not have random
        programs occasionally emit a GetById for array length accesses.

        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::compileGetByIdHotPath):
        (JSC::JIT::privateCompilePatchGetArrayLength):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::compileGetByIdHotPath):
        (JSC::JIT::privateCompilePatchGetArrayLength):

2012-10-28  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, make always-true enum-to-int comparisons use casts.

        * dfg/DFGFPRInfo.h:
        (JSC::DFG::FPRInfo::debugName):
        * dfg/DFGGPRInfo.h:
        (JSC::DFG::JSValueSource::tagGPR):
        (JSC::DFG::GPRInfo::toIndex):
        (JSC::DFG::GPRInfo::debugName):
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::TypeInfo):

2012-10-27  Filip Pizlo  <fpizlo@apple.com>

        OSR exit compilation should defend against argument recoveries from code blocks that are no longer on the inline stack
        https://bugs.webkit.org/show_bug.cgi?id=100601

        Reviewed by Oliver Hunt.

        This happened to me while I was fixing bugs for https://bugs.webkit.org/show_bug.cgi?id=100599.
        I'm not sure how to reproduce this.

        * dfg/DFGAssemblyHelpers.h:
        (JSC::DFG::AssemblyHelpers::baselineCodeBlockFor):
        (AssemblyHelpers):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):

2012-10-27  Filip Pizlo  <fpizlo@apple.com>

        DFG::Array::Mode needs to be cleaned up
        https://bugs.webkit.org/show_bug.cgi?id=100599

        Reviewed by Oliver Hunt.

        Turn the previous massive Array::Mode enum into a class that contains four
        fields, the type, whether it's a JSArray, the level of speculation, and the
        kind of conversion to perform.
        
        No performance or behavioral change.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::fromObserved):
        (JSC::DFG::ArrayMode::refine):
        (JSC::DFG::ArrayMode::alreadyChecked):
        (JSC::DFG::arrayTypeToString):
        (JSC::DFG::arrayClassToString):
        (DFG):
        (JSC::DFG::arraySpeculationToString):
        (JSC::DFG::arrayConversionToString):
        (JSC::DFG::ArrayMode::toString):
        * dfg/DFGArrayMode.h:
        (DFG):
        (ArrayMode):
        (JSC::DFG::ArrayMode::ArrayMode):
        (JSC::DFG::ArrayMode::type):
        (JSC::DFG::ArrayMode::arrayClass):
        (JSC::DFG::ArrayMode::speculation):
        (JSC::DFG::ArrayMode::conversion):
        (JSC::DFG::ArrayMode::asWord):
        (JSC::DFG::ArrayMode::fromWord):
        (JSC::DFG::ArrayMode::withSpeculation):
        (JSC::DFG::ArrayMode::usesButterfly):
        (JSC::DFG::ArrayMode::isJSArray):
        (JSC::DFG::ArrayMode::isInBounds):
        (JSC::DFG::ArrayMode::mayStoreToHole):
        (JSC::DFG::ArrayMode::isOutOfBounds):
        (JSC::DFG::ArrayMode::isSlowPut):
        (JSC::DFG::ArrayMode::canCSEStorage):
        (JSC::DFG::ArrayMode::lengthNeedsStorage):
        (JSC::DFG::ArrayMode::modeForPut):
        (JSC::DFG::ArrayMode::isSpecific):
        (JSC::DFG::ArrayMode::supportsLength):
        (JSC::DFG::ArrayMode::benefitsFromStructureCheck):
        (JSC::DFG::ArrayMode::doesConversion):
        (JSC::DFG::ArrayMode::arrayModesThatPassFiltering):
        (JSC::DFG::ArrayMode::operator==):
        (JSC::DFG::ArrayMode::operator!=):
        (JSC::DFG::ArrayMode::arrayModesWithIndexingShape):
        (JSC::DFG::canCSEStorage):
        (JSC::DFG::lengthNeedsStorage):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getArrayMode):
        (JSC::DFG::ByteCodeParser::getArrayModeAndEmitChecks):
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::getArrayLengthElimination):
        (JSC::DFG::CSEPhase::checkArrayElimination):
        (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::checkArray):
        (JSC::DFG::FixupPhase::blessArrayOperation):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::byValIsPure):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::arrayMode):
        (JSC::DFG::Node::setArrayMode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::typedArrayDescriptor):
        (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
        (JSC::DFG::SpeculativeJIT::checkArray):
        (JSC::DFG::SpeculativeJIT::arrayify):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
        (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength):
        (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
        (JSC::DFG::SpeculativeJIT::temporaryRegisterForPutByVal):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::putByValWillNeedExtraRegister):
        (SpeculativeJIT):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2012-10-27  Dan Bernstein  <mitz@apple.com>

        REAL_PLATFORM_NAME build setting is no longer needed
        https://bugs.webkit.org/show_bug.cgi?id=100587

        Reviewed by Mark Rowe.

        Removed the definition of REAL_PLATFORM_NAME and replaced references to it with references
        to PLATFORM_NAME.

        * Configurations/Base.xcconfig:
        * Configurations/CompilerVersion.xcconfig:
        * Configurations/DebugRelease.xcconfig:
        * Configurations/FeatureDefines.xcconfig:
        * Configurations/JSC.xcconfig:
        * Configurations/JavaScriptCore.xcconfig:
        * Configurations/ToolExecutable.xcconfig:

2012-10-25  Filip Pizlo  <fpizlo@apple.com>

        Forward OSR calculation is wrong in the presence of multiple SetLocals, or a mix of SetLocals and Phantoms
        https://bugs.webkit.org/show_bug.cgi?id=100461

        Reviewed by Oliver Hunt and Gavin Barraclough.

        This does a couple of things. First, it removes the part of the change in r131822 that made the forward
        OSR exit calculator capable of handling multiple SetLocals. That change was wrong, because it would
        blindly assume that all SetLocals had the same ValueRecovery, and would ignore the possibility that if
        there is no value recovery then a ForwardCheckStructure on the first SetLocal would not know how to
        recover the state associated with the second SetLocal. Then, it introduces the invariant that any bytecode
        op that decomposes into multiple SetLocals must first emit dead SetLocals as hints and then emit a second
        set of SetLocals to actually do the setting of the locals. This means that if a ForwardCheckStructure (or
        any other hoisted forward speculation) is inserted, it will always be inserted on the second set of
        SetLocals (since hoisting only touches the live ones), at which point OSR will already know about the
        mov hints implied by the first set of (dead) SetLocals. This gives us the behavior we wanted, namely, that
        a ForwardCheckStructure applied to a variant set by a resolve_with_base-like operation can correctly do a
        forward exit while also ensuring that prior to exiting we set the appropriate locals.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::OSRExit):
        * dfg/DFGOSRExit.h:
        (OSRExit):
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):

2012-10-26  Simon Hausmann  <simon.hausmann@digia.com>

        [Qt] Fix the LLInt build on Windows
        https://bugs.webkit.org/show_bug.cgi?id=97648

        Reviewed by Tor Arne Vestbø.

        The main change for the port on Windows is changing the way offsets are extracted
        and the LLIntAssembly.h is generated to accomodate release and debug configurations.

        Firstly the LLIntOffsetsExtractor binary is now built as-is (no DESTDIR set) and
        placed into debug\LLIntOffsetsExtractor.exe and release\LLIntOffsetsExtractor.exe
        on Windows debug_and_release builds. On other patforms it remainds in the regular
        out directory.

        Secondly the LLIntAssembly.h files must be different for different build types,
        so the LLIntAssembly.h generator in DerivedSources.pri operates no on the extractor
        binary files as input. Using a simple exists() check we verify the presence of either
        a regular, a debug\LLIntOffsetsExtractor and a release\LLIntOffsetsExtractor binary
        and process all of them. The resulting assembly files consequently end up in
        generated\debug\LLIntAssembly.h and generated\release\LLIntAssembly.h.

        In Target.pri we have to also make sure that those directories are in the include
        path according to the release or debug configuration.

        Lastly a small tweak - swapping WTF.pri and JSC.pri inclusions - in the
        LLIntOffsetsExtractor build was needed to make sure that we include
        JavaScriptCore/config.h instead of WTF/config.h, required to fix the
        build issues originally pasted in bug #97648.

        * DerivedSources.pri:
        * JavaScriptCore.pro:
        * LLIntOffsetsExtractor.pro:
        * Target.pri:

2012-10-26  Gabor Ballabas  <gaborb@inf.u-szeged.hu>

        [Qt] Enable JSC's disassembler on x86, x86_64 Linux
        https://bugs.webkit.org/show_bug.cgi?id=100386

        Reviewed by Simon Hausmann.

        It works fine on Linux x86, x86_64 just needs to be enabled in the
        QtWebKit build system.

        * DerivedSources.pri:
        * JavaScriptCore.pri:
        * Target.pri:

2012-10-26  Thiago Marcos P. Santos  <thiago.santos@intel.com>

        Add feature flags for CSS Device Adaptation
        https://bugs.webkit.org/show_bug.cgi?id=95960

        Reviewed by Kenneth Rohde Christiansen.

        * Configurations/FeatureDefines.xcconfig:

2012-10-26  Simon Hausmann  <simon.hausmann@digia.com>

        [WIN] Make LLInt offsets extractor work on Windows
        https://bugs.webkit.org/show_bug.cgi?id=100369

        Reviewed by Kenneth Rohde Christiansen.

        Open the input file explicitly in binary mode to prevent ruby/Windows from thinking that
        it's a text mode file that needs even new line conversions. The binary mode parameter is
        ignored on other platforms.

        * offlineasm/offsets.rb:

2012-10-25  Michael Saboff  <msaboff@apple.com>

        SymbolTableIndexHashTraits::needsDestruction should be set to true
        https://bugs.webkit.org/show_bug.cgi?id=100437

        Reviewed by Mark Hahnenberg.

        For correctness, set SymbolTableIndexHashTraits::needsDestruction to true since SymbolTableEntry's do
        need to have their destructor called due to the possibility of rare data.

        * runtime/SymbolTable.h:
        (SymbolTableIndexHashTraits):

2012-10-25  Filip Pizlo  <fpizlo@apple.com>

        DFG Arrayify elimination should replace it with GetButterfly rather than Phantom
        https://bugs.webkit.org/show_bug.cgi?id=100441

        Reviewed by Oliver Hunt and Gavin Barraclough.

        Made array profiler's to-string helper behave correctly.
        
        Made Arrayify elimination do the right thing (convert to GetButterfly).
        
        Made CFA's interference analysis track clobbered array modes correctly, mostly by
        simplifying the machinery.

        * bytecode/ArrayProfile.cpp:
        (JSC::arrayModesToString):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::clobberArrayModes):
        (AbstractValue):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):

2012-10-25  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION (r131793-r131826): Crash going to wikifonia.org
        https://bugs.webkit.org/show_bug.cgi?id=100281

        Reviewed by Oliver Hunt.

        Restore something that got lost in the resolve refactoring: the ability to give up on life if
        we see a resolve of 'arguments'.

        * runtime/JSScope.cpp:
        (JSC::JSScope::resolveContainingScopeInternal):

2012-10-25  Dominik Röttsches  <dominik.rottsches@intel.com>

        Conditionalize XHR timeout support
        https://bugs.webkit.org/show_bug.cgi?id=100356

        Reviewed by Adam Barth.

        Adding XHR_TIMEOUT feature to conditionalize this on ports without network backend support.

        * Configurations/FeatureDefines.xcconfig:

2012-10-25  Michael Saboff  <msaboff@apple.com>

        REGRESSION (r131836): failures in list styles tests on EFL, GTK
        https://bugs.webkit.org/show_bug.cgi?id=99824

        Reviewed by Oliver Hunt.

        Saved start of string since it is modified by call convertUTF8ToUTF16().

        * API/JSStringRef.cpp:
        (JSStringCreateWithUTF8CString):

2012-10-24  Filip Pizlo  <fpizlo@apple.com>

        DFG NewArrayBuffer node should keep its data in a structure on the side to free up one of the opInfos
        https://bugs.webkit.org/show_bug.cgi?id=100328

        Reviewed by Oliver Hunt.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGraph.h:
        (Graph):
        * dfg/DFGNode.h:
        (NewArrayBufferData):
        (DFG):
        (JSC::DFG::Node::newArrayBufferData):
        (Node):
        (JSC::DFG::Node::startConstant):
        (JSC::DFG::Node::numConstants):

2012-10-25  Mark Lam  <mark.lam@apple.com>

        Update the C++ llint to work with the latest op_resolve... changes.
        https://bugs.webkit.org/show_bug.cgi?id=100345.

        Reviewed by Oliver Hunt.

        * llint/LowLevelInterpreter.cpp:
        (JSC::CLoop::execute):
        - emit opcode name as label when not using COMPUTED_GOTOs. The new op_resolve
          opcodes have jumps to these labels.
        - declare all opcode labels as UNUSED_LABEL()s to keep the compiler happy
          for opcodes that are not referenced by anyone.
        * offlineasm/asm.rb:
        - strip llint_ prefix from opcode names used as labels.

2012-10-24  Yuqiang Xian  <yuqiang.xian@intel.com>

        Refactor LLInt64 to distinguish the pointer operations from the 64-bit integer operations
        https://bugs.webkit.org/show_bug.cgi?id=100321

        Reviewed by Filip Pizlo.

        We have refactored the MacroAssembler and JIT compilers to distinguish
        the pointer operations from the 64-bit integer operations (see bug #99154).
        Now we want to do the similar work for LLInt, and the goal is same as
        the one mentioned in 99154.

        This is the first part of the modification: in the offline assembler,
        adding the support of the "<foo>q" instructions which will be used for
        64-bit integer operations.

        * llint/LowLevelInterpreter.cpp:
        (JSC::CLoop::execute):
        * offlineasm/cloop.rb:
        * offlineasm/instructions.rb:
        * offlineasm/x86.rb:

2012-10-24  Filip Pizlo  <fpizlo@apple.com>

        DFG compileBlahBlahByVal methods for Contiguous and ArrayStorage have only one caller and should be removed
        https://bugs.webkit.org/show_bug.cgi?id=100311

        Reviewed by Mark Hahnenberg.

        Just trying to simplify things before I make them more complicated again.

        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::temporaryRegisterForPutByVal):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (DFG):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (DFG):
        (JSC::DFG::SpeculativeJIT::compile):

2012-10-23  Andreas Kling  <kling@webkit.org>

        CodeBlock: Give m_putToBaseOperations an inline capacity.
        <http://webkit.org/b/100190>
        <rdar://problem/12562466>

        Reviewed by Oliver Hunt.

        Since the CodeBlock constructor always inserts a single PutToBaseOperation, but there's no
        guarantee that more will follow, give the m_putToBaseOperations vector an inline capacity of 1.
        There are 4009 of these Vectors on Membuster3, and only 126 of them have more than a single entry.

        This change yields a 1.90MB reduction in memory usage.

        * bytecode/CodeBlock.h:
        (CodeBlock):

2012-10-23  Christophe Dumez  <christophe.dumez@intel.com>

        Regression(r132143): Assertion hit in JSC::Interpreter::StackPolicy::StackPolicy(JSC::Interpreter&, const WTF::StackBounds&)
        https://bugs.webkit.org/show_bug.cgi?id=100109

        Reviewed by Oliver Hunt.

        Fix possible integer overflow in StackPolicy constructor by
        using size_t type instead of int for stack sizes. The value
        returned by StackBounds::size() is of type size_t but was
        assigned to an int, which may overflow.

        * interpreter/Interpreter.cpp:
        (JSC):
        (JSC::Interpreter::StackPolicy::StackPolicy):

2012-10-23  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix make distcheck.

        * GNUmakefile.list.am: Add missing header file.

2012-10-23  Mark Lam  <mark.lam@apple.com>

        Make topCallFrame reliable.
        https://bugs.webkit.org/show_bug.cgi?id=98928.

        Reviewed by Geoffrey Garen.

        - VM entry points and the GC now uses topCallFrame.
        - The callerFrame value in CallFrames are now always the previous
          frame on the stack, except for the first frame which has a
          callerFrame of 0 (not counting the HostCallFrameFlag).
          Hence, we can now traverse every frame on the stack all the way
          back to the first frame.
        - GlobalExec's will no longer be used as the callerFrame values in
          call frames.
        - Added fences and traps for debugging the JSStack in debug builds.

        * bytecode/SamplingTool.h:
        (SamplingTool):
        (JSC::SamplingTool::CallRecord::CallRecord):
        * dfg/DFGOperations.cpp:
        - Fixed 2 DFG helper functions to flush topCallFrame as expected.
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::prepareForExternalCall):
        * interpreter/CallFrame.h:
        (JSC::ExecState::callerFrameNoFlags):
        (ExecState):
        (JSC::ExecState::argIndexForRegister):
        (JSC::ExecState::getArgumentUnsafe):
        * interpreter/CallFrameClosure.h:
        (CallFrameClosure):
        * interpreter/Interpreter.cpp:
        (JSC):
        (JSC::eval):
        (JSC::Interpreter::Interpreter):
        (JSC::Interpreter::throwException):
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall):
        (JSC::Interpreter::endRepeatCall):
        * interpreter/Interpreter.h:
        (JSC):
        (Interpreter):
        * interpreter/JSStack.cpp:
        (JSC::JSStack::JSStack):
        (JSC::JSStack::gatherConservativeRoots):
        (JSC::JSStack::disableErrorStackReserve):
        * interpreter/JSStack.h:
        (JSC):
        (JSStack):
        (JSC::JSStack::installFence):
        (JSC::JSStack::validateFence):
        (JSC::JSStack::installTrapsAfterFrame):
        * interpreter/JSStackInlines.h: Added.
        (JSC):
        (JSC::JSStack::getTopOfFrame):
        (JSC::JSStack::getTopOfStack):
        (JSC::JSStack::getStartOfFrame):
        (JSC::JSStack::pushFrame):
        (JSC::JSStack::popFrame):
        (JSC::JSStack::generateFenceValue):
        (JSC::JSStack::installFence):
        (JSC::JSStack::validateFence):
        (JSC::JSStack::installTrapsAfterFrame):
        * jit/JITStubs.cpp:
        (JSC::jitCompileFor):
        (JSC::lazyLinkFor):
        - Set frame->codeBlock to 0 for both the above because they are called
          with partially intitialized frames (cb uninitialized), but may
          trigger a GC.
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):

2012-10-22  Filip Pizlo  <fpizlo@apple.com>

        DFG::Array::Undecided should be called DFG::Array::SelectUsingPredictions
        https://bugs.webkit.org/show_bug.cgi?id=100052

        Reviewed by Oliver Hunt.

        No functional change, just renaming. It's a clearer name that more accurately
        reflects the meaning, and it eliminates the namespace confusion that will happen
        with the Undecided indexing type in https://bugs.webkit.org/show_bug.cgi?id=98606

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::fromObserved):
        (JSC::DFG::refineArrayMode):
        (JSC::DFG::modeAlreadyChecked):
        (JSC::DFG::modeToString):
        * dfg/DFGArrayMode.h:
        (JSC::DFG::canCSEStorage):
        (JSC::DFG::modeIsSpecific):
        (JSC::DFG::modeSupportsLength):
        (JSC::DFG::benefitsFromStructureCheck):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::blessArrayOperation):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::arrayify):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2012-10-22  Mark Lam  <mark.lam@apple.com>

        Change stack recursion checks to be based on stack availability.
        https://bugs.webkit.org/show_bug.cgi?id=99872.

        Reviewed by Filip Pizlo and Geoffrey Garen.

        - Remove m_reentryDepth, ThreadStackType which are now obsolete.
        - Replaced the reentryDepth checks with a StackBounds check.
        - Added the Interpreter::StackPolicy class to compute a reasonable
          stack capacity requirement given the native stack that the
          interpreter is executing on at that time.
        - Reserved an amount of JSStack space for the use of error handling
          and enable its use (using Interpreter::ErrorHandlingMode) when
          we're about to throw or report an exception.
        - Interpreter::StackPolicy also allows more native stack space
          to be used when in ErrorHandlingMode. This is needed in the case
          of native stack overflows.
        - Fixed the parser so that it throws a StackOverflowError instead of
          a SyntaxError when it encounters a stack overflow.

        * API/JSContextRef.cpp:
        (JSContextGroupCreate):
        (JSGlobalContextCreateInGroup):
        * JavaScriptCore.order:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::ErrorHandlingMode::ErrorHandlingMode):
        (JSC):
        (JSC::Interpreter::ErrorHandlingMode::~ErrorHandlingMode):
        (JSC::Interpreter::StackPolicy::StackPolicy):
        (JSC::Interpreter::Interpreter):
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall):
        * interpreter/Interpreter.h:
        (JSC):
        (Interpreter):
        (ErrorHandlingMode):
        (StackPolicy):
        (JSC::Interpreter::StackPolicy::requiredCapacity):
        * interpreter/JSStack.cpp:
        (JSC):
        (JSC::JSStack::JSStack):
        (JSC::JSStack::growSlowCase):
        (JSC::JSStack::enableErrorStackReserve):
        (JSC::JSStack::disableErrorStackReserve):
        * interpreter/JSStack.h:
        (JSStack):
        (JSC::JSStack::reservationEnd):
        (JSC):
        * jsc.cpp:
        (jscmain):
        * parser/Parser.cpp:
        (JSC::::Parser):
        * parser/Parser.h:
        (Parser):
        (JSC::::parse):
        * runtime/ExceptionHelpers.cpp:
        (JSC::throwStackOverflowError):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::createContextGroup):
        (JSC::JSGlobalData::create):
        (JSC::JSGlobalData::createLeaked):
        (JSC::JSGlobalData::sharedInstance):
        * runtime/JSGlobalData.h:
        (JSC):
        (JSGlobalData):
        * runtime/StringRecursionChecker.h:
        (JSC::StringRecursionChecker::performCheck):
        * testRegExp.cpp:
        (realMain):

2012-10-20  Martin Robinson  <mrobinson@igalia.com>

        Fix 'make dist' for the GTK+ port

        * GNUmakefile.list.am: Add missing files to the source list.

2012-10-21  Raphael Kubo da Costa  <raphael.kubo.da.costa@intel.com>

        [CMake][JSC] Depend on risc.rb to decide when to run the LLInt scripts.
        https://bugs.webkit.org/show_bug.cgi?id=99917

        Reviewed by Geoffrey Garen.

        Depend on the newly-added risc.rb to make sure we always run the
        LLInt scripts when one of them changes.

        * CMakeLists.txt:

2012-10-20  Filip Pizlo  <fpizlo@apple.com>

        LLInt backends of non-ARM RISC platforms should be able to share code with the existing ARMv7 backend
        https://bugs.webkit.org/show_bug.cgi?id=99745

        Reviewed by Geoffrey Garen.

        This moves all of the things in armv7.rb that I thought are generally useful out
        into risc.rb. It also separates some phases (branch ops is separated into one
        phase that does sensible things, and another that does things that are painfully
        ARM-specific), and removes ARM assumptions from others by using a callback to
        drive exactly what lowering must happen. The goal here is to minimize the future
        maintenance burden of LLInt by ensuring that the various platforms share as much
        lowering code as possible.

        * offlineasm/armv7.rb:
        * offlineasm/risc.rb: Added.

2012-10-19  Filip Pizlo  <fpizlo@apple.com>

        DFG should have some facility for recognizing redundant CheckArrays and Arrayifies
        https://bugs.webkit.org/show_bug.cgi?id=99287

        Reviewed by Mark Hahnenberg.

        Adds reasoning about indexing type sets (i.e. ArrayModes) to AbstractValue, which
        then enables us to fold away CheckArray's and Arrayify's that are redundant.

        * bytecode/ArrayProfile.cpp:
        (JSC::arrayModesToString):
        (JSC):
        * bytecode/ArrayProfile.h:
        (JSC):
        (JSC::mergeArrayModes):
        (JSC::arrayModesAlreadyChecked):
        * bytecode/StructureSet.h:
        (JSC::StructureSet::arrayModesFromStructures):
        (StructureSet):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::AbstractValue):
        (JSC::DFG::AbstractValue::clear):
        (JSC::DFG::AbstractValue::isClear):
        (JSC::DFG::AbstractValue::makeTop):
        (JSC::DFG::AbstractValue::clobberStructures):
        (AbstractValue):
        (JSC::DFG::AbstractValue::setMostSpecific):
        (JSC::DFG::AbstractValue::set):
        (JSC::DFG::AbstractValue::operator==):
        (JSC::DFG::AbstractValue::merge):
        (JSC::DFG::AbstractValue::filter):
        (JSC::DFG::AbstractValue::filterArrayModes):
        (JSC::DFG::AbstractValue::validate):
        (JSC::DFG::AbstractValue::checkConsistency):
        (JSC::DFG::AbstractValue::dump):
        (JSC::DFG::AbstractValue::clobberArrayModes):
        (JSC::DFG::AbstractValue::clobberArrayModesSlow):
        (JSC::DFG::AbstractValue::setFuturePossibleStructure):
        (JSC::DFG::AbstractValue::filterFuturePossibleStructure):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::modeAlreadyChecked):
        * dfg/DFGArrayMode.h:
        (JSC::DFG::arrayModesFor):
        (DFG):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::arrayify):

2012-10-19  Filip Pizlo  <fpizlo@apple.com>

        Baseline JIT should not inline array allocations, to make them easier to instrument
        https://bugs.webkit.org/show_bug.cgi?id=99905

        Reviewed by Mark Hahnenberg.

        This will make it easier to instrument array allocations for the purposes of profiling.
        It also allows us to kill off a bunch of code. And, this doesn't appear to hurt
        performance at all. That's expected because these days any hot allocation will end up
        in the DFG JIT, which does inline these allocations.

        * jit/JIT.cpp:
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        (JIT):
        * jit/JITInlineMethods.h:
        (JSC):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_array):

2012-10-19  Oliver Hunt  <oliver@apple.com>

        Fix some of the regression cause by the non-local variable reworking
        https://bugs.webkit.org/show_bug.cgi?id=99896

        Reviewed by Filip Pizlo.

        The non0local variable reworking led to some of the optimisations performed by
        the bytecode generator being dropped.  This in turn put more pressure on the DFG
        optimisations.  This exposed a short coming in our double speculation propogation.
        Now we try to distinguish between places where we should SpecDoubleReal vs generic
        SpecDouble.

        * dfg/DFGPredictionPropagationPhase.cpp:
        (PredictionPropagationPhase):
        (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
        (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPredictions):
        (JSC::DFG::PredictionPropagationPhase::propagate):

2012-10-19  Michael Saboff  <msaboff@apple.com>

        Lexer should create 8 bit Identifiers for RegularExpressions and ASCII identifiers
        https://bugs.webkit.org/show_bug.cgi?id=99855

        Reviewed by Filip Pizlo.

        Added makeIdentifier helpers that will always make an 8 bit Identifier or make an
        Identifier that is the same size as the template parameter.  Used the first in the fast
        path when looking for a JS identifier and the second when scanning regular expressions.

        * parser/Lexer.cpp:
        (JSC::::scanRegExp):
        * parser/Lexer.h:
        (Lexer):
        (JSC::::makeIdentifierSameType):
        (JSC::::makeLCharIdentifier):
        (JSC::::lexExpectIdentifier):

2012-10-19  Mark Lam  <mark.lam@apple.com>

        Added WTF::StackStats mechanism.
        https://bugs.webkit.org/show_bug.cgi?id=99805.

        Reviewed by Geoffrey Garen.

        Added StackStats checkpoints and probes.

        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::emitNode):
        (JSC::BytecodeGenerator::emitNodeInConditionContext):
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::append):
        (JSC::visitChildren):
        (JSC::SlotVisitor::donateKnownParallel):
        (JSC::SlotVisitor::drain):
        (JSC::SlotVisitor::drainFromShared):
        (JSC::SlotVisitor::mergeOpaqueRoots):
        (JSC::SlotVisitor::internalAppend):
        (JSC::SlotVisitor::harvestWeakReferences):
        (JSC::SlotVisitor::finalizeUnconditionalFinalizers):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall):
        * parser/Parser.h:
        (JSC::Parser::canRecurse):
        * runtime/StringRecursionChecker.h:
        (StringRecursionChecker):

2012-10-19  Oliver Hunt  <oliver@apple.com>

        REGRESSION(r131822): It made 500+ tests crash on 32 bit platforms
        https://bugs.webkit.org/show_bug.cgi?id=99814

        Reviewed by Filip Pizlo.

        Call the correct macro in 32bit. 

        * llint/LowLevelInterpreter.asm:

2012-10-19  Dongwoo Joshua Im  <dw.im@samsung.com>

        Rename ENABLE_CSS3_TEXT_DECORATION to ENABLE_CSS3_TEXT
        https://bugs.webkit.org/show_bug.cgi?id=99804

        Reviewed by Julien Chaffraix.

        CSS3 text related properties will be implemented under this flag,
        including text decoration, text-align-last, and text-justify.

        * Configurations/FeatureDefines.xcconfig:

2012-10-18  Anders Carlsson  <andersca@apple.com>

        Clean up RegExpKey
        https://bugs.webkit.org/show_bug.cgi?id=99798

        Reviewed by Darin Adler.

        RegExpHash doesn't need to be a class template specialization when the class template is specialized
        for JSC::RegExpKey only. Make it a nested class of RegExp instead. Also, make operator== a friend function
        so Hash::equal can see it.

        * runtime/RegExpKey.h:
        (JSC::RegExpKey::RegExpKey):
        (JSC::RegExpKey::operator==):
        (RegExpKey):
        (JSC::RegExpKey::Hash::hash):
        (JSC::RegExpKey::Hash::equal):
        (Hash):

2012-10-19  Mark Lam  <mark.lam@apple.com>

        Bot greening: Follow up to r131877 to fix the Windows build.
        https://bugs.webkit.org/show_bug.cgi?id=99739.

        Not reviewed.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-10-19  Mark Lam  <mark.lam@apple.com>

        Bot greening: Attempt to fix broken Window build after r131836.
        https://bugs.webkit.org/show_bug.cgi?id=99739.

        Not reviewed.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-10-19  Yuqiang Xian  <yuqiang.xian@intel.com>

        Unreviewed fix after r131868.

        On JSVALUE64 platforms, JSValue constants can be Imm64 instead of ImmPtr for JIT compilers.

        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):

2012-10-18  Filip Pizlo  <fpizlo@apple.com>

        Baseline array profiling should be less accurate, and DFG OSR exit should update array profiles on CheckArray and CheckStructure failure
        https://bugs.webkit.org/show_bug.cgi?id=99261

        Reviewed by Oliver Hunt.

        This makes array profiling stochastic, like value profiling. The point is to avoid
        noticing one-off indexing types that we'll never see again, but instead to:
        
        Notice the big ones: We want the DFG to compile based on the things that happen with
        high probability. So, this change makes array profiling do like value profiling and
        only notice a random subsampling of indexing types that flowed through an array
        access. Prior to this patch array profiles noticed all indexing types and weighted
        them identically.
        
        Bias the recent: Often an array access will see awkward indexing types during the
        first handful of executions because of artifacts of program startup. So, we want to
        bias towards the indexing types that we saw most recently. With this change, array
        profiling does like value profiling and usually tells use a random sampling that
        is biased to what happened recently.
        
        Have a backup plan: The above two things don't work by themselves because our
        randomness is not that random (nor do we care enough to make it more random), and
        because some procedures will have a <1/10 probability event that we must handle
        without bailing because it dominates a hot loop. So, like value profiling, this
        patch makes array profiling use OSR exits to tell us why we are bailing out, so
        that we don't make the same mistake again in the future.
        
        This change also makes the way that the 32-bit OSR exit compiler snatches scratch
        registers more uniform. We don't need a scratch buffer when we can push and pop.

        * bytecode/DFGExitProfile.h:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArray):
        (JSC::DFG::SpeculativeJIT::arrayify):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitArrayProfilingSite):
        * llint/LowLevelInterpreter.asm:

2012-10-18  Yuqiang Xian  <yuqiang.xian@intel.com>

        [Qt] REGRESSION(r131858): It broke the ARM build
        https://bugs.webkit.org/show_bug.cgi?id=99809

        Reviewed by Csaba Osztrogonác.

        * dfg/DFGCCallHelpers.h:
        (CCallHelpers):
        (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):

2012-10-18  Yuqiang Xian  <yuqiang.xian@intel.com>

        Refactor MacroAssembler interfaces to differentiate the pointer operands from the 64-bit integer operands
        https://bugs.webkit.org/show_bug.cgi?id=99154

        Reviewed by Gavin Barraclough.

        In current JavaScriptCore implementation for JSVALUE64 platform (i.e.,
        the X64 platform), we assume that the JSValue size is same to the
        pointer size, and thus EncodedJSValue is simply type defined as a
        "void*". In the JIT compiler, we also take this assumption and invoke
        the same macro assembler interfaces for both JSValue and pointer
        operands. We need to differentiate the operations on pointers from the
        operations on JSValues, and let them invoking different macro
        assembler interfaces. For example, we now use the interface of
        "loadPtr" to load either a pointer or a JSValue, and we need to switch
        to using "loadPtr" to load a pointer and some new "load64" interface
        to load a JSValue. This would help us supporting other JSVALUE64
        platforms where pointer size is not necessarily 64-bits, for example
        x32 (bug #99153).

        The major modification I made is to introduce the "*64" interfaces in
        the MacroAssembler for those operations on JSValues, keep the "*Ptr"
        interfaces for those operations on real pointers, and go through all
        the JIT compiler code to correct the usage.

        This is the second part of the work, i.e, to correct the usage of the
        new MacroAssembler interfaces in the JIT compilers, which also means
        that now EncodedJSValue is defined as a 64-bit integer, and the "*64"
        interfaces are used for it.

        * assembler/MacroAssembler.h: JSValue immediates should be in Imm64 instead of ImmPtr.
        (MacroAssembler):
        (JSC::MacroAssembler::shouldBlind):
        * dfg/DFGAssemblyHelpers.cpp: Correct the JIT compilers usage of the new interfaces.
        (JSC::DFG::AssemblyHelpers::jitAssertIsInt32):
        (JSC::DFG::AssemblyHelpers::jitAssertIsJSInt32):
        (JSC::DFG::AssemblyHelpers::jitAssertIsJSNumber):
        (JSC::DFG::AssemblyHelpers::jitAssertIsJSDouble):
        (JSC::DFG::AssemblyHelpers::jitAssertIsCell):
        * dfg/DFGAssemblyHelpers.h:
        (JSC::DFG::AssemblyHelpers::emitPutToCallFrameHeader):
        (JSC::DFG::AssemblyHelpers::branchIfNotCell):
        (JSC::DFG::AssemblyHelpers::debugCall):
        (JSC::DFG::AssemblyHelpers::boxDouble):
        (JSC::DFG::AssemblyHelpers::unboxDouble):
        (JSC::DFG::AssemblyHelpers::emitExceptionCheck):
        * dfg/DFGCCallHelpers.h:
        (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
        (CCallHelpers):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::generateProtoChainAccessStub):
        (JSC::DFG::tryCacheGetByID):
        (JSC::DFG::tryBuildGetByIDList):
        (JSC::DFG::emitPutReplaceStub):
        (JSC::DFG::emitPutTransitionStub):
        * dfg/DFGScratchRegisterAllocator.h:
        (JSC::DFG::ScratchRegisterAllocator::preserveUsedRegistersToScratchBuffer):
        (JSC::DFG::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBuffer):
        * dfg/DFGSilentRegisterSavePlan.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
        (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
        (JSC::DFG::SpeculativeJIT::compileInstanceOf):
        (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
        (JSC::DFG::SpeculativeJIT::silentSpill):
        (JSC::DFG::SpeculativeJIT::silentFill):
        (JSC::DFG::SpeculativeJIT::spill):
        (JSC::DFG::SpeculativeJIT::valueOfJSConstantAsImm64):
        (JSC::DFG::SpeculativeJIT::callOperation):
        (JSC::DFG::SpeculativeJIT::branch64):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillInteger):
        (JSC::DFG::SpeculativeJIT::fillDouble):
        (JSC::DFG::SpeculativeJIT::fillJSValue):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToNumber):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToInt32):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeUInt32ToNumber):
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::convertToDouble):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileDoubleCompare):
        (JSC::DFG::SpeculativeJIT::compileNonStringCellOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitNonStringCellOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compileContiguousGetByVal):
        (JSC::DFG::SpeculativeJIT::compileArrayStorageGetByVal):
        (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
        (JSC::DFG::SpeculativeJIT::compileArrayStoragePutByVal):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrExitGenerationThunkGenerator):
        (JSC::DFG::throwExceptionFromCallSlowPathGenerator):
        (JSC::DFG::slowPathFor):
        (JSC::DFG::virtualForThunkGenerator):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::dumpRegisters):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        (JIT):
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_negate):
        (JSC::JIT::emitSlow_op_negate):
        (JSC::JIT::emit_op_rshift):
        (JSC::JIT::emitSlow_op_urshift):
        (JSC::JIT::emit_compareAndJumpSlow):
        (JSC::JIT::emit_op_bitand):
        (JSC::JIT::compileBinaryArithOpSlowCase):
        (JSC::JIT::emit_op_div):
        * jit/JITCall.cpp:
        (JSC::JIT::compileLoadVarargs):
        (JSC::JIT::compileCallEval):
        (JSC::JIT::compileCallEvalSlowCase):
        (JSC::JIT::compileOpCall):
        * jit/JITInlineMethods.h: Have some clean-up work as well.
        (JSC):
        (JSC::JIT::emitPutCellToCallFrameHeader):
        (JSC::JIT::emitPutIntToCallFrameHeader):
        (JSC::JIT::emitPutToCallFrameHeader):
        (JSC::JIT::emitGetFromCallFrameHeader32):
        (JSC::JIT::emitGetFromCallFrameHeader64):
        (JSC::JIT::emitAllocateJSArray):
        (JSC::JIT::emitValueProfilingSite):
        (JSC::JIT::emitGetJITStubArg):
        (JSC::JIT::emitGetVirtualRegister):
        (JSC::JIT::emitPutVirtualRegister):
        (JSC::JIT::emitInitRegister):
        (JSC::JIT::emitJumpIfJSCell):
        (JSC::JIT::emitJumpIfBothJSCells):
        (JSC::JIT::emitJumpIfNotJSCell):
        (JSC::JIT::emitLoadInt32ToDouble):
        (JSC::JIT::emitJumpIfImmediateInteger):
        (JSC::JIT::emitJumpIfNotImmediateInteger):
        (JSC::JIT::emitJumpIfNotImmediateIntegers):
        (JSC::JIT::emitFastArithReTagImmediate):
        (JSC::JIT::emitFastArithIntToImmNoCheck):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        (JSC::JIT::emit_op_mov):
        (JSC::JIT::emit_op_instanceof):
        (JSC::JIT::emit_op_is_undefined):
        (JSC::JIT::emit_op_is_boolean):
        (JSC::JIT::emit_op_is_number):
        (JSC::JIT::emit_op_tear_off_activation):
        (JSC::JIT::emit_op_not):
        (JSC::JIT::emit_op_jfalse):
        (JSC::JIT::emit_op_jeq_null):
        (JSC::JIT::emit_op_jneq_null):
        (JSC::JIT::emit_op_jtrue):
        (JSC::JIT::emit_op_bitxor):
        (JSC::JIT::emit_op_bitor):
        (JSC::JIT::emit_op_get_pnames):
        (JSC::JIT::emit_op_next_pname):
        (JSC::JIT::compileOpStrictEq):
        (JSC::JIT::emit_op_catch):
        (JSC::JIT::emit_op_throw_static_error):
        (JSC::JIT::emit_op_eq_null):
        (JSC::JIT::emit_op_neq_null):
        (JSC::JIT::emit_op_create_activation):
        (JSC::JIT::emit_op_create_arguments):
        (JSC::JIT::emit_op_init_lazy_reg):
        (JSC::JIT::emitSlow_op_convert_this):
        (JSC::JIT::emitSlow_op_not):
        (JSC::JIT::emit_op_get_argument_by_val):
        (JSC::JIT::emit_op_put_to_base):
        (JSC::JIT::emit_resolve_operations):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitContiguousGetByVal):
        (JSC::JIT::emitArrayStorageGetByVal):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::compileGetDirectOffset):
        (JSC::JIT::emit_op_get_by_pname):
        (JSC::JIT::emitContiguousPutByVal):
        (JSC::JIT::emitArrayStoragePutByVal):
        (JSC::JIT::compileGetByIdHotPath):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::compilePutDirectOffset):
        (JSC::JIT::emit_op_init_global_const):
        (JSC::JIT::emit_op_init_global_const_check):
        (JSC::JIT::emitIntTypedArrayGetByVal):
        (JSC::JIT::emitFloatTypedArrayGetByVal):
        (JSC::JIT::emitFloatTypedArrayPutByVal):
        * jit/JITStubCall.h:
        (JITStubCall):
        (JSC::JITStubCall::JITStubCall):
        (JSC::JITStubCall::addArgument):
        (JSC::JITStubCall::call):
        (JSC::JITStubCall::callWithValueProfiling):
        * jit/JSInterfaceJIT.h:
        (JSC::JSInterfaceJIT::emitJumpIfImmediateNumber):
        (JSC::JSInterfaceJIT::emitJumpIfNotImmediateNumber):
        (JSC::JSInterfaceJIT::emitLoadJSCell):
        (JSC::JSInterfaceJIT::emitLoadInt32):
        (JSC::JSInterfaceJIT::emitLoadDouble):
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::returnDouble):
        (JSC::SpecializedThunkJIT::tagReturnAsInt32):
        * runtime/JSValue.cpp:
        (JSC::JSValue::description):
        * runtime/JSValue.h: Define JSVALUE64 EncodedJSValue as int64_t, which is also unified with JSVALUE32_64.
        (JSC):
        * runtime/JSValueInlineMethods.h: New implementation of some JSValue methods to make them more conformant
        with the new rule that "JSValue is a 64-bit integer rather than a pointer" for JSVALUE64 platforms.
        (JSC):
        (JSC::JSValue::JSValue):
        (JSC::JSValue::operator bool):
        (JSC::JSValue::operator==):
        (JSC::JSValue::operator!=):
        (JSC::reinterpretDoubleToInt64):
        (JSC::reinterpretInt64ToDouble):
        (JSC::JSValue::asDouble):

2012-10-18  Michael Saboff  <msaboff@apple.com>

        convertUTF8ToUTF16() Should Check for ASCII Input
        ihttps://bugs.webkit.org/show_bug.cgi?id=99739

        Reviewed by Geoffrey Garen.

        Using the updated convertUTF8ToUTF16() , we can determine if is makes more sense to 
        create a string using the 8 bit source.  Added a new OpaqueJSString::create(LChar*, unsigned).
        Had to add a cast n JSStringCreateWithCFString to differentiate which create() to call.

        * API/JSStringRef.cpp:
        (JSStringCreateWithUTF8CString):
        * API/JSStringRefCF.cpp:
        (JSStringCreateWithCFString):
        * API/OpaqueJSString.h:
        (OpaqueJSString::create):
        (OpaqueJSString):
        (OpaqueJSString::OpaqueJSString):

2012-10-18  Oliver Hunt  <oliver@apple.com>

        Unbreak jsc tests.  Last minute "clever"-ness is clearly just not
        a good plan.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):

2012-10-18  Oliver Hunt  <oliver@apple.com>

        Bytecode should not have responsibility for determining how to perform non-local resolves
        https://bugs.webkit.org/show_bug.cgi?id=99349

        Reviewed by Gavin Barraclough.

        This patch removes lexical analysis from the bytecode generation.  This allows
        us to delay lookup of a non-local variables until the lookup is actually necessary,
        and simplifies a lot of the resolve logic in BytecodeGenerator.

        Once a lookup is performed we cache the lookup information in a set of out-of-line
        buffers in CodeBlock.  This allows subsequent lookups to avoid unnecessary hashing,
        etc, and allows the respective JITs to recreated optimal lookup code.

        This is currently still a performance regression in LLInt, but most of the remaining
        regression is caused by a lot of indirection that I'll remove in future work, as well
        as some work necessary to allow LLInt to perform in line instruction repatching.
        We will also want to improve the behaviour of the baseline JIT for some of the lookup
        operations, however this patch was getting quite large already so I'm landing it now
        that we've reached the bar of "performance-neutral".

        Basic browsing seems to work.

        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printStructures):
        (JSC::CodeBlock::dump):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::visitStructures):
        (JSC):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::shrinkToFit):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addResolve):
        (JSC::CodeBlock::addPutToBase):
        (CodeBlock):
        (JSC::CodeBlock::resolveOperations):
        (JSC::CodeBlock::putToBaseOperation):
        (JSC::CodeBlock::numberOfResolveOperations):
        (JSC::CodeBlock::numberOfPutToBaseOperations):
        (JSC::CodeBlock::addPropertyAccessInstruction):
        (JSC::CodeBlock::globalObjectConstant):
        (JSC::CodeBlock::setGlobalObjectConstant):
        * bytecode/Opcode.h:
        (JSC):
        (JSC::padOpcodeName):
        * bytecode/ResolveGlobalStatus.cpp:
        (JSC::computeForStructure):
        (JSC::ResolveGlobalStatus::computeFor):
        * bytecode/ResolveGlobalStatus.h:
        (JSC):
        (ResolveGlobalStatus):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::ResolveResult::checkValidity):
        (JSC):
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::resolve):
        (JSC::BytecodeGenerator::resolveConstDecl):
        (JSC::BytecodeGenerator::shouldAvoidResolveGlobal):
        (JSC::BytecodeGenerator::emitResolve):
        (JSC::BytecodeGenerator::emitResolveBase):
        (JSC::BytecodeGenerator::emitResolveBaseForPut):
        (JSC::BytecodeGenerator::emitResolveWithBaseForPut):
        (JSC::BytecodeGenerator::emitResolveWithThis):
        (JSC::BytecodeGenerator::emitGetLocalVar):
        (JSC::BytecodeGenerator::emitInitGlobalConst):
        (JSC::BytecodeGenerator::emitPutToBase):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::ResolveResult::registerResolve):
        (JSC::ResolveResult::dynamicResolve):
        (ResolveResult):
        (JSC::ResolveResult::ResolveResult):
        (JSC):
        (NonlocalResolveInfo):
        (JSC::NonlocalResolveInfo::NonlocalResolveInfo):
        (JSC::NonlocalResolveInfo::~NonlocalResolveInfo):
        (JSC::NonlocalResolveInfo::resolved):
        (JSC::NonlocalResolveInfo::put):
        (BytecodeGenerator):
        (JSC::BytecodeGenerator::getResolveOperations):
        (JSC::BytecodeGenerator::getResolveWithThisOperations):
        (JSC::BytecodeGenerator::getResolveBaseOperations):
        (JSC::BytecodeGenerator::getResolveBaseForPutOperations):
        (JSC::BytecodeGenerator::getResolveWithBaseForPutOperations):
        (JSC::BytecodeGenerator::getPutToBaseOperation):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ResolveNode::isPure):
        (JSC::FunctionCallResolveNode::emitBytecode):
        (JSC::PostfixNode::emitResolve):
        (JSC::PrefixNode::emitResolve):
        (JSC::ReadModifyResolveNode::emitBytecode):
        (JSC::AssignResolveNode::emitBytecode):
        (JSC::ConstDeclNode::emitCodeSingle):
        (JSC::ForInNode::emitBytecode):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (ByteCodeParser):
        (InlineStackEntry):
        (JSC::DFG::ByteCodeParser::handleGetByOffset):
        (DFG):
        (JSC::DFG::ByteCodeParser::parseResolveOperations):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canInlineResolveOperations):
        (DFG):
        (JSC::DFG::canCompileOpcode):
        (JSC::DFG::canInlineOpcode):
        * dfg/DFGGraph.h:
        (ResolveGlobalData):
        (ResolveOperationData):
        (DFG):
        (PutToBaseOperationData):
        (Graph):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasIdentifier):
        (JSC::DFG::Node::resolveOperationsDataIndex):
        (Node):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::OSRExit):
        * dfg/DFGOSRExit.h:
        (OSRExit):
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryCacheGetByID):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::resolveOperations):
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::putToBaseOperation):
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStructureCheckHoistingPhase.cpp:
        (JSC::DFG::StructureCheckHoistingPhase::run):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        (JIT):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_put_to_base):
        (JSC):
        (JSC::JIT::emit_resolve_operations):
        (JSC::JIT::emitSlow_link_resolve_operations):
        (JSC::JIT::emit_op_resolve):
        (JSC::JIT::emitSlow_op_resolve):
        (JSC::JIT::emit_op_resolve_base):
        (JSC::JIT::emitSlow_op_resolve_base):
        (JSC::JIT::emit_op_resolve_with_base):
        (JSC::JIT::emitSlow_op_resolve_with_base):
        (JSC::JIT::emit_op_resolve_with_this):
        (JSC::JIT::emitSlow_op_resolve_with_this):
        (JSC::JIT::emitSlow_op_put_to_base):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_put_to_base):
        (JSC):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_init_global_const):
        (JSC::JIT::emit_op_init_global_const_check):
        (JSC::JIT::emitSlow_op_init_global_const_check):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_init_global_const):
        (JSC::JIT::emit_op_init_global_const_check):
        (JSC::JIT::emitSlow_op_init_global_const_check):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC):
        * jit/JITStubs.h:
        * llint/LLIntSlowPaths.cpp:
        (LLInt):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        (LLInt):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/JSScope.cpp:
        (JSC::LookupResult::base):
        (JSC::LookupResult::value):
        (JSC::LookupResult::setBase):
        (JSC::LookupResult::setValue):
        (LookupResult):
        (JSC):
        (JSC::setPutPropertyAccessOffset):
        (JSC::executeResolveOperations):
        (JSC::JSScope::resolveContainingScopeInternal):
        (JSC::JSScope::resolveContainingScope):
        (JSC::JSScope::resolve):
        (JSC::JSScope::resolveBase):
        (JSC::JSScope::resolveWithBase):
        (JSC::JSScope::resolveWithThis):
        (JSC::JSScope::resolvePut):
        (JSC::JSScope::resolveGlobal):
        * runtime/JSScope.h:
        (JSScope):
        * runtime/JSVariableObject.cpp:
        (JSC):
        * runtime/JSVariableObject.h:
        (JSVariableObject):
        * runtime/Structure.h:
        (JSC::Structure::propertyAccessesAreCacheable):
        (Structure):

2012-10-18  Mark Hahnenberg  <mhahnenberg@apple.com>

        Live oversize copied blocks should count toward overall heap fragmentation
        https://bugs.webkit.org/show_bug.cgi?id=99548

        Reviewed by Filip Pizlo.

        The CopiedSpace uses overall heap fragmentation to determine whether or not it should do any copying. 
        Currently it doesn't include live oversize CopiedBlocks in the calculation, but it should. We should 
        treat them as 100% utilized, since running a copying phase won't be able to free/compact any of their 
        memory. We can also free any dead oversize CopiedBlocks while we're iterating over them, rather than 
        iterating over them again at the end of the copying phase.

        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::doneFillingBlock):
        (JSC::CopiedSpace::startedCopying):
        (JSC::CopiedSpace::doneCopying): Also removed a branch when iterating over from-space at the end of 
        copying. Since we eagerly recycle blocks as soon as they're fully evacuated, we should see no
        unpinned blocks in from-space at the end of copying.
        * heap/CopiedSpaceInlineMethods.h:
        (JSC::CopiedSpace::recycleBorrowedBlock):
        * heap/CopyVisitorInlineMethods.h:
        (JSC::CopyVisitor::checkIfShouldCopy):

2012-10-18  Roger Fong  <roger_fong@apple.com>

        Unreviewed. Build fix after r131701 and r131777.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-10-18  Mark Hahnenberg  <mhahnenberg@apple.com>

        Race condition between GCThread and main thread during copying phase
        https://bugs.webkit.org/show_bug.cgi?id=99641

        Reviewed by Filip Pizlo.

        When a GCThread returns from copyFromShared(), it then calls doneCopying(), which returns 
        its borrowed CopiedBlock to the CopiedSpace. This final block allows the CopiedSpace to 
        continue and finish the cleanup of the copying phase. However, the GCThread can loop back 
        around, see that m_currentPhase is still "Copy", and try to go through the copying phase again. 
        This can cause all sorts of issues. To fix this, we should add a cyclic barrier to GCThread::waitForNextPhase().

        * heap/GCThread.cpp:
        (JSC::GCThread::waitForNextPhase): All GCThreads will wait when they finish one iteration until the main thread 
        notifies them to move down to the second while loop, where they wait for the next GCPhase to start. They also 
        decrement the m_numberOfActiveGCThreads counter as they begin to wait for the next phase and increment it as 
        they enter the next phase. This allows the main thread to wait in endCurrentPhase() until all the threads have 
        finished the current phase and are waiting on the next phase to begin. Without the counter, there would be 
        no way to ensure that every thread was available for each GCPhase.
        (JSC::GCThread::gcThreadMain): We now use the m_phaseLock to synchronize with the main thread when we're being created.
        * heap/GCThreadSharedData.cpp:
        (JSC::GCThreadSharedData::GCThreadSharedData): As we create each GCThread, we increment the m_numberOfActiveGCThreads
        counter. When we are done creating the threads, we wait until they're all waiting for the next GCPhase. This prevents 
        us from leaving some GCThreads behind during the first GCPhase, which could hurt us on our very short-running 
        benchmarks (e.g. SunSpider).
        (JSC::GCThreadSharedData::~GCThreadSharedData):
        (JSC::GCThreadSharedData::startNextPhase): We atomically swap the two flags, m_gcThreadsShouldWait and m_currentPhase, 
        so that if the threads finish very quickly, they will wait until the main thread is ready to end the current phase.
        (JSC::GCThreadSharedData::endCurrentPhase): Here atomically we swap the two flags again to allow the threads to 
        advance to waiting on the next GCPhase. We wait until all of the GCThreads have settled into the second wait loop
        before allowing the main thread to continue. This prevents us from leaving one of the GCThreads stuck in the first 
        wait loop if we were to call startNextPhase() before it had time to wake up and move on to the second wait loop.
        (JSC):
        (JSC::GCThreadSharedData::didStartMarking): We now use startNextPhase() to properly swap the flags.
        (JSC::GCThreadSharedData::didFinishMarking): Ditto for endCurrentPhase().
        (JSC::GCThreadSharedData::didStartCopying): Ditto.
        (JSC::GCThreadSharedData::didFinishCopying): Ditto.
        * heap/GCThreadSharedData.h:
        (GCThreadSharedData):
        * heap/Heap.cpp: 
        (JSC::Heap::copyBackingStores): No reason to use the extra reference.

2012-10-18  Pablo Flouret  <pablof@motorola.com>

        Implement css3-conditional's @supports rule
        https://bugs.webkit.org/show_bug.cgi?id=86146

        Reviewed by Antti Koivisto.

        * Configurations/FeatureDefines.xcconfig:
            Add an ENABLE_CSS3_CONDITIONAL_RULES flag.

2012-10-18  Michael Saboff  <msaboff@apple.com>

        Make conversion between JSStringRef and WKStringRef work without character size conversions
        https://bugs.webkit.org/show_bug.cgi?id=99727

        Reviewed by Anders Carlsson.

        Export the string() method for use in WebKit.

        * API/OpaqueJSString.h:
        (OpaqueJSString::string):

2012-10-18  Raphael Kubo da Costa  <raphael.kubo.da.costa@intel.com>

        [CMake] Avoid unnecessarily running the LLInt generation commands.
        https://bugs.webkit.org/show_bug.cgi?id=99708

        Reviewed by Rob Buis.

        As described in the comments in the change itself, in some cases
        the Ruby generation scripts used when LLInt is on would each be
        run twice in every build even if nothing had changed.

        Fix that by not setting the OBJECT_DEPENDS property of some source
        files to depend on the generated headers; instead, they are now
        just part of the final binaries/libraries which use them.

        * CMakeLists.txt:

2012-10-17  Zoltan Horvath  <zoltan@webkit.org>

        Remove the JSHeap memory measurement of the PageLoad performacetests since it creates bogus JSGlobalDatas
        https://bugs.webkit.org/show_bug.cgi?id=99609 

        Reviewed by Ryosuke Niwa.

        Remove the implementation since it creates bogus JSGlobalDatas in the layout tests.

        * heap/HeapStatistics.cpp:
        (JSC):
        * heap/HeapStatistics.h:
        (HeapStatistics):

2012-10-17  Sam Weinig  <sam@webkit.org>

        Attempt to fix the build.

        * bytecode/GlobalResolveInfo.h: Copied from bytecode/GlobalResolveInfo.h.

2012-10-17  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION (r130826 or r130828): Twitter top bar is dysfunctional
        https://bugs.webkit.org/show_bug.cgi?id=99577
        <rdar://problem/12518883>

        Reviewed by Mark Hahnenberg.

        It turns out that it's a good idea to maintain the invariants of your object model, such as that
        elements past publicLength should have the hole value.

        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2012-10-17  Anders Carlsson  <andersca@apple.com>

        Clean up Vector.h
        https://bugs.webkit.org/show_bug.cgi?id=99622

        Reviewed by Benjamin Poulain.

        Fix fallout from removing std::max and std::min using declarations.

        * runtime/StringPrototype.cpp:
        (JSC::jsSpliceSubstrings):
        (JSC::jsSpliceSubstringsWithSeparators):
        (JSC::stringProtoFuncIndexOf):
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets):

2012-10-17  Oliver Hunt  <oliver@apple.com>

        Committing new files is so overrated.

        * bytecode/ResolveOperation.h: Added.
        (JSC):
        (JSC::ResolveOperation::getAndReturnScopedVar):
        (JSC::ResolveOperation::checkForDynamicEntriesBeforeGlobalScope):
        (ResolveOperation):
        (JSC::ResolveOperation::getAndReturnGlobalVar):
        (JSC::ResolveOperation::getAndReturnGlobalProperty):
        (JSC::ResolveOperation::resolveFail):
        (JSC::ResolveOperation::skipTopScopeNode):
        (JSC::ResolveOperation::skipScopes):
        (JSC::ResolveOperation::returnGlobalObjectAsBase):
        (JSC::ResolveOperation::setBaseToGlobal):
        (JSC::ResolveOperation::setBaseToUndefined):
        (JSC::ResolveOperation::setBaseToScope):
        (JSC::ResolveOperation::returnScopeAsBase):
        (JSC::PutToBaseOperation::PutToBaseOperation):

2012-10-17  Michael Saboff  <msaboff@apple.com>

        StringPrototype::jsSpliceSubstringsWithSeparators() doesn't optimally handle 8 bit strings
        https://bugs.webkit.org/show_bug.cgi?id=99230

        Reviewed by Geoffrey Garen.

        Added code to select characters8() or characters16() on the not all 8 bit path for both the 
        processing of the source and the separators.

        * runtime/StringPrototype.cpp:
        (JSC::jsSpliceSubstringsWithSeparators):

2012-10-17  Filip Pizlo  <fpizlo@apple.com>

        Array and object allocations via 'new Object' or 'new Array' should be inlined in bytecode to allow allocation site profiling
        https://bugs.webkit.org/show_bug.cgi?id=99557

        Reviewed by Geoffrey Garen.

        Removed an inaccurate and misleading comment as per Geoff's review. (I forgot
        to make this change as part of http://trac.webkit.org/changeset/131644).

        * bytecompiler/NodesCodegen.cpp:
        (JSC::FunctionCallResolveNode::emitBytecode):

2012-10-17  Oliver Hunt  <oliver@apple.com>

        Bytecode should not have responsibility for determining how to perform non-local resolves
        https://bugs.webkit.org/show_bug.cgi?id=99349

        Reviewed by Gavin Barraclough.

        This patch removes lexical analysis from the bytecode generation.  This allows
        us to delay lookup of a non-local variables until the lookup is actually necessary,
        and simplifies a lot of the resolve logic in BytecodeGenerator.

        Once a lookup is performed we cache the lookup information in a set of out-of-line
        buffers in CodeBlock.  This allows subsequent lookups to avoid unnecessary hashing,
        etc, and allows the respective JITs to recreated optimal lookup code.

        This is currently still a performance regression in LLInt, but most of the remaining
        regression is caused by a lot of indirection that I'll remove in future work, as well
        as some work necessary to allow LLInt to perform in line instruction repatching.
        We will also want to improve the behaviour of the baseline JIT for some of the lookup
        operations, however this patch was getting quite large already so I'm landing it now
        that we've reached the bar of "performance-neutral".

        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printStructures):
        (JSC::CodeBlock::dump):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::visitStructures):
        (JSC):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::shrinkToFit):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addResolve):
        (JSC::CodeBlock::addPutToBase):
        (CodeBlock):
        (JSC::CodeBlock::resolveOperations):
        (JSC::CodeBlock::putToBaseOperation):
        (JSC::CodeBlock::numberOfResolveOperations):
        (JSC::CodeBlock::numberOfPutToBaseOperations):
        (JSC::CodeBlock::addPropertyAccessInstruction):
        (JSC::CodeBlock::globalObjectConstant):
        (JSC::CodeBlock::setGlobalObjectConstant):
        * bytecode/GlobalResolveInfo.h: Removed.
        * bytecode/Opcode.h:
        (JSC):
        (JSC::padOpcodeName):
        * bytecode/ResolveGlobalStatus.cpp:
        (JSC::computeForStructure):
        (JSC::ResolveGlobalStatus::computeFor):
        * bytecode/ResolveGlobalStatus.h:
        (JSC):
        (ResolveGlobalStatus):
        * bytecode/ResolveOperation.h: Added.
          The new types and logic we use to perform the cached lookups.
        (JSC):
        (ResolveOperation):
        (JSC::ResolveOperation::getAndReturnScopedVar):
        (JSC::ResolveOperation::checkForDynamicEntriesBeforeGlobalScope):
        (JSC::ResolveOperation::getAndReturnGlobalVar):
        (JSC::ResolveOperation::getAndReturnGlobalProperty):
        (JSC::ResolveOperation::resolveFail):
        (JSC::ResolveOperation::skipTopScopeNode):
        (JSC::ResolveOperation::skipScopes):
        (JSC::ResolveOperation::returnGlobalObjectAsBase):
        (JSC::ResolveOperation::setBaseToGlobal):
        (JSC::ResolveOperation::setBaseToUndefined):
        (JSC::ResolveOperation::setBaseToScope):
        (JSC::ResolveOperation::returnScopeAsBase):
        (JSC::PutToBaseOperation::PutToBaseOperation):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::ResolveResult::checkValidity):
        (JSC):
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::resolve):
        (JSC::BytecodeGenerator::resolveConstDecl):
        (JSC::BytecodeGenerator::shouldAvoidResolveGlobal):
        (JSC::BytecodeGenerator::emitResolve):
        (JSC::BytecodeGenerator::emitResolveBase):
        (JSC::BytecodeGenerator::emitResolveBaseForPut):
        (JSC::BytecodeGenerator::emitResolveWithBaseForPut):
        (JSC::BytecodeGenerator::emitResolveWithThis):
        (JSC::BytecodeGenerator::emitGetLocalVar):
        (JSC::BytecodeGenerator::emitInitGlobalConst):
        (JSC::BytecodeGenerator::emitPutToBase):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::ResolveResult::registerResolve):
        (JSC::ResolveResult::dynamicResolve):
        (ResolveResult):
        (JSC::ResolveResult::ResolveResult):
        (JSC):
        (NonlocalResolveInfo):
        (JSC::NonlocalResolveInfo::NonlocalResolveInfo):
        (JSC::NonlocalResolveInfo::~NonlocalResolveInfo):
        (JSC::NonlocalResolveInfo::resolved):
        (JSC::NonlocalResolveInfo::put):
        (BytecodeGenerator):
        (JSC::BytecodeGenerator::getResolveOperations):
        (JSC::BytecodeGenerator::getResolveWithThisOperations):
        (JSC::BytecodeGenerator::getResolveBaseOperations):
        (JSC::BytecodeGenerator::getResolveBaseForPutOperations):
        (JSC::BytecodeGenerator::getResolveWithBaseForPutOperations):
        (JSC::BytecodeGenerator::getPutToBaseOperation):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ResolveNode::isPure):
        (JSC::FunctionCallResolveNode::emitBytecode):
        (JSC::PostfixNode::emitResolve):
        (JSC::PrefixNode::emitResolve):
        (JSC::ReadModifyResolveNode::emitBytecode):
        (JSC::AssignResolveNode::emitBytecode):
        (JSC::ConstDeclNode::emitCodeSingle):
        (JSC::ForInNode::emitBytecode):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (ByteCodeParser):
        (InlineStackEntry):
        (JSC::DFG::ByteCodeParser::handleGetByOffset):
        (DFG):
        (JSC::DFG::ByteCodeParser::parseResolveOperations):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileResolveOperations):
        (DFG):
        (JSC::DFG::canCompilePutToBaseOperation):
        (JSC::DFG::canCompileOpcode):
        (JSC::DFG::canInlineOpcode):
        * dfg/DFGGraph.h:
        (ResolveGlobalData):
        (ResolveOperationData):
        (DFG):
        (PutToBaseOperationData):
        (Graph):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasIdentifier):
        (JSC::DFG::Node::resolveOperationsDataIndex):
        (Node):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::OSRExit):
        * dfg/DFGOSRExit.h:
        (OSRExit):
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryCacheGetByID):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::resolveOperations):
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::putToBaseOperation):
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStructureCheckHoistingPhase.cpp:
        (JSC::DFG::StructureCheckHoistingPhase::run):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        (JIT):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_put_to_base):
        (JSC):
        (JSC::JIT::emit_resolve_operations):
        (JSC::JIT::emitSlow_link_resolve_operations):
        (JSC::JIT::emit_op_resolve):
        (JSC::JIT::emitSlow_op_resolve):
        (JSC::JIT::emit_op_resolve_base):
        (JSC::JIT::emitSlow_op_resolve_base):
        (JSC::JIT::emit_op_resolve_with_base):
        (JSC::JIT::emitSlow_op_resolve_with_base):
        (JSC::JIT::emit_op_resolve_with_this):
        (JSC::JIT::emitSlow_op_resolve_with_this):
        (JSC::JIT::emitSlow_op_put_to_base):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_put_to_base):
        (JSC):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_init_global_const):
        (JSC::JIT::emit_op_init_global_const_check):
        (JSC::JIT::emitSlow_op_init_global_const_check):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_init_global_const):
        (JSC::JIT::emit_op_init_global_const_check):
        (JSC::JIT::emitSlow_op_init_global_const_check):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC):
        * jit/JITStubs.h:
        * llint/LLIntSlowPaths.cpp:
        (LLInt):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        (LLInt):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/JSScope.cpp:
        (JSC::LookupResult::base):
        (JSC::LookupResult::value):
        (JSC::LookupResult::setBase):
        (JSC::LookupResult::setValue):
        (LookupResult):
        (JSC):
        (JSC::setPutPropertyAccessOffset):
        (JSC::executeResolveOperations):
        (JSC::JSScope::resolveContainingScopeInternal):
        (JSC::JSScope::resolveContainingScope):
        (JSC::JSScope::resolve):
        (JSC::JSScope::resolveBase):
        (JSC::JSScope::resolveWithBase):
        (JSC::JSScope::resolveWithThis):
        (JSC::JSScope::resolvePut):
        (JSC::JSScope::resolveGlobal):
        * runtime/JSScope.h:
        (JSScope):
        * runtime/JSVariableObject.cpp:
        (JSC):
        * runtime/JSVariableObject.h:
        (JSVariableObject):
        * runtime/Structure.h:
        (JSC::Structure::propertyAccessesAreCacheable):
        (Structure):

2012-10-17  Filip Pizlo  <fpizlo@apple.com>

        Array and object allocations via 'new Object' or 'new Array' should be inlined in bytecode to allow allocation site profiling
        https://bugs.webkit.org/show_bug.cgi?id=99557

        Reviewed by Geoffrey Garen.

        This uses the old jneq_ptr trick to allow for the bytecode to "see" that the
        operation in question is what we almost certainly know it to be.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
        * bytecode/Opcode.h:
        (JSC):
        (JSC::padOpcodeName):
        * bytecode/SpecialPointer.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitCallEval):
        (JSC::BytecodeGenerator::expectedFunctionForIdentifier):
        (JSC):
        (JSC::BytecodeGenerator::emitExpectedFunctionSnippet):
        (JSC::BytecodeGenerator::emitConstruct):
        * bytecompiler/BytecodeGenerator.h:
        (BytecodeGenerator):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::NewExprNode::emitBytecode):
        (JSC::FunctionCallValueNode::emitBytecode):
        (JSC::FunctionCallResolveNode::emitBytecode):
        (JSC::FunctionCallBracketNode::emitBytecode):
        (JSC::FunctionCallDotNode::emitBytecode):
        (JSC::CallFunctionCallDotNode::emitBytecode):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        (JIT):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_array_with_size):
        (JSC):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC):
        * jit/JITStubs.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (LLInt):
        * llint/LLIntSlowPaths.h:
        (LLInt):
        * llint/LowLevelInterpreter.asm:
        * runtime/ArrayConstructor.cpp:
        (JSC::constructArrayWithSizeQuirk):
        (JSC):
        * runtime/ArrayConstructor.h:
        (JSC):
        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC):

2012-10-17  Filip Pizlo  <fpizlo@apple.com>

        JIT op_get_by_pname should call cti_get_by_val_generic and not cti_get_by_val
        https://bugs.webkit.org/show_bug.cgi?id=99631
        <rdar://problem/12483221>

        Reviewed by Mark Hahnenberg.

        cti_get_by_val assumes that the return address has patching metadata associated with it, which won't
        be true for op_get_by_pname. cti_get_by_val_generic makes no such assumptions.

        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitSlow_op_get_by_pname):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitSlow_op_get_by_pname):

2012-10-17  Mark Hahnenberg  <mhahnenberg@apple.com>

        Block freeing thread should sleep indefinitely when there's no work to do
        https://bugs.webkit.org/show_bug.cgi?id=98084

        Reviewed by Geoffrey Garen.

        r130212 didn't fully fix the problem.

        * heap/BlockAllocator.cpp:
        (JSC::BlockAllocator::blockFreeingThreadMain): We would just continue to the next iteration if 
        we found that we had zero blocks to copy. We should move the indefinite wait up to where that 
        check is done so that we properly detect the "no more blocks to copy, wait for more" condition.

2012-10-16  Csaba Osztrogonác  <ossy@webkit.org>

        Unreviewed, rolling out r131516 and r131550.
        http://trac.webkit.org/changeset/131516
        http://trac.webkit.org/changeset/131550
        https://bugs.webkit.org/show_bug.cgi?id=99349

        It caused zillion different problem on different platforms

        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC):
        (JSC::isGlobalResolve):
        (JSC::instructionOffsetForNth):
        (JSC::printGlobalResolveInfo):
        (JSC::CodeBlock::printStructures):
        (JSC::CodeBlock::dump):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::visitStructures):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::hasGlobalResolveInfoAtBytecodeOffset):
        (JSC::CodeBlock::globalResolveInfoForBytecodeOffset):
        (JSC::CodeBlock::shrinkToFit):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        (JSC::CodeBlock::addGlobalResolveInstruction):
        (JSC::CodeBlock::addGlobalResolveInfo):
        (JSC::CodeBlock::globalResolveInfo):
        (JSC::CodeBlock::numberOfGlobalResolveInfos):
        (JSC::CodeBlock::globalResolveInfoCount):
        * bytecode/GlobalResolveInfo.h: Copied from Source/JavaScriptCore/bytecode/ResolveGlobalStatus.cpp.
        (JSC):
        (JSC::GlobalResolveInfo::GlobalResolveInfo):
        (GlobalResolveInfo):
        (JSC::getGlobalResolveInfoBytecodeOffset):
        * bytecode/Opcode.h:
        (JSC):
        (JSC::padOpcodeName):
        * bytecode/ResolveGlobalStatus.cpp:
        (JSC):
        (JSC::computeForStructure):
        (JSC::computeForLLInt):
        (JSC::ResolveGlobalStatus::computeFor):
        * bytecode/ResolveGlobalStatus.h:
        (JSC):
        (ResolveGlobalStatus):
        * bytecode/ResolveOperation.h: Removed.
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::ResolveResult::checkValidity):
        (JSC::ResolveResult::registerPointer):
        (JSC):
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::resolve):
        (JSC::BytecodeGenerator::resolveConstDecl):
        (JSC::BytecodeGenerator::shouldAvoidResolveGlobal):
        (JSC::BytecodeGenerator::emitResolve):
        (JSC::BytecodeGenerator::emitResolveBase):
        (JSC::BytecodeGenerator::emitResolveBaseForPut):
        (JSC::BytecodeGenerator::emitResolveWithBase):
        (JSC::BytecodeGenerator::emitResolveWithThis):
        (JSC::BytecodeGenerator::emitGetStaticVar):
        (JSC::BytecodeGenerator::emitInitGlobalConst):
        (JSC::BytecodeGenerator::emitPutStaticVar):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::ResolveResult::registerResolve):
        (JSC::ResolveResult::dynamicResolve):
        (JSC::ResolveResult::lexicalResolve):
        (JSC::ResolveResult::indexedGlobalResolve):
        (JSC::ResolveResult::dynamicIndexedGlobalResolve):
        (JSC::ResolveResult::globalResolve):
        (JSC::ResolveResult::dynamicGlobalResolve):
        (JSC::ResolveResult::type):
        (JSC::ResolveResult::index):
        (JSC::ResolveResult::depth):
        (JSC::ResolveResult::globalObject):
        (ResolveResult):
        (JSC::ResolveResult::isStatic):
        (JSC::ResolveResult::isIndexed):
        (JSC::ResolveResult::isScoped):
        (JSC::ResolveResult::isGlobal):
        (JSC::ResolveResult::ResolveResult):
        (BytecodeGenerator):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ResolveNode::isPure):
        (JSC::FunctionCallResolveNode::emitBytecode):
        (JSC::PostfixNode::emitResolve):
        (JSC::PrefixNode::emitResolve):
        (JSC::ReadModifyResolveNode::emitBytecode):
        (JSC::AssignResolveNode::emitBytecode):
        (JSC::ConstDeclNode::emitCodeSingle):
        (JSC::ForInNode::emitBytecode):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (ByteCodeParser):
        (InlineStackEntry):
        (JSC::DFG::ByteCodeParser::handleGetByOffset):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        (JSC::DFG::canInlineOpcode):
        * dfg/DFGGraph.h:
        (ResolveGlobalData):
        (DFG):
        (Graph):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasIdentifier):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::OSRExit):
        * dfg/DFGOSRExit.h:
        (OSRExit):
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        (JSC):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryCacheGetByID):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStructureCheckHoistingPhase.cpp:
        (JSC::DFG::StructureCheckHoistingPhase::run):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        (JIT):
        (JSC::JIT::emit_op_get_global_var_watchable):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_resolve):
        (JSC):
        (JSC::JIT::emit_op_resolve_base):
        (JSC::JIT::emit_op_resolve_skip):
        (JSC::JIT::emit_op_resolve_global):
        (JSC::JIT::emitSlow_op_resolve_global):
        (JSC::JIT::emit_op_resolve_with_base):
        (JSC::JIT::emit_op_resolve_with_this):
        (JSC::JIT::emit_op_resolve_global_dynamic):
        (JSC::JIT::emitSlow_op_resolve_global_dynamic):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_resolve):
        (JSC):
        (JSC::JIT::emit_op_resolve_base):
        (JSC::JIT::emit_op_resolve_skip):
        (JSC::JIT::emit_op_resolve_global):
        (JSC::JIT::emitSlow_op_resolve_global):
        (JSC::JIT::emit_op_resolve_with_base):
        (JSC::JIT::emit_op_resolve_with_this):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_scoped_var):
        (JSC):
        (JSC::JIT::emit_op_put_scoped_var):
        (JSC::JIT::emit_op_get_global_var):
        (JSC::JIT::emit_op_put_global_var):
        (JSC::JIT::emit_op_put_global_var_check):
        (JSC::JIT::emitSlow_op_put_global_var_check):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_scoped_var):
        (JSC):
        (JSC::JIT::emit_op_put_scoped_var):
        (JSC::JIT::emit_op_get_global_var):
        (JSC::JIT::emit_op_put_global_var):
        (JSC::JIT::emit_op_put_global_var_check):
        (JSC::JIT::emitSlow_op_put_global_var_check):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC):
        * jit/JITStubs.h:
        * llint/LLIntSlowPaths.cpp:
        (LLInt):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        (LLInt):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/JSScope.cpp:
        (JSC::JSScope::resolve):
        (JSC::JSScope::resolveSkip):
        (JSC::JSScope::resolveGlobal):
        (JSC::JSScope::resolveGlobalDynamic):
        (JSC::JSScope::resolveBase):
        (JSC::JSScope::resolveWithBase):
        (JSC::JSScope::resolveWithThis):
        * runtime/JSScope.h:
        (JSScope):
        * runtime/JSVariableObject.cpp:
        * runtime/JSVariableObject.h:
        * runtime/Structure.h:

2012-10-16  Dongwoo Joshua Im  <dw.im@samsung.com>

        [GTK] Fix build break - ResolveOperations.h is not in WebKit.
        https://bugs.webkit.org/show_bug.cgi?id=99538

        Unreviewed build fix.

        There are some files including ResolveOperations.h which is not exist at all.

        * GNUmakefile.list.am: s/ResolveOperations.h/ResolveOperation.h/
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj: s/ResolveOperations.h/ResolveOperation.h/

2012-10-16  Jian Li  <jianli@chromium.org>

        Rename feature define ENABLE_WIDGET_REGION to ENABLE_DRAGGBALE_REGION
        https://bugs.webkit.org/show_bug.cgi?id=98975

        Reviewed by Adam Barth.

        Renaming is needed to better match with the draggable region code. 

        * Configurations/FeatureDefines.xcconfig:

2012-10-15  Oliver Hunt  <oliver@apple.com>

        Bytecode should not have responsibility for determining how to perform non-local resolves
        https://bugs.webkit.org/show_bug.cgi?id=99349

        Reviewed by Gavin Barraclough.

        This patch removes lexical analysis from the bytecode generation.  This allows
        us to delay lookup of a non-local variables until the lookup is actually necessary,
        and simplifies a lot of the resolve logic in BytecodeGenerator.

        Once a lookup is performed we cache the lookup information in a set of out-of-line
        buffers in CodeBlock.  This allows subsequent lookups to avoid unnecessary hashing,
        etc, and allows the respective JITs to recreated optimal lookup code.

        This is currently still a performance regression in LLInt, but most of the remaining
        regression is caused by a lot of indirection that I'll remove in future work, as well
        as some work necessary to allow LLInt to perform in line instruction repatching.
        We will also want to improve the behaviour of the baseline JIT for some of the lookup
        operations, however this patch was getting quite large already so I'm landing it now
        that we've reached the bar of "performance-neutral".

        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printStructures):
        (JSC::CodeBlock::dump):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::visitStructures):
        (JSC):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::shrinkToFit):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addResolve):
        (JSC::CodeBlock::addPutToBase):
        (CodeBlock):
        (JSC::CodeBlock::resolveOperations):
        (JSC::CodeBlock::putToBaseOperation):
        (JSC::CodeBlock::numberOfResolveOperations):
        (JSC::CodeBlock::numberOfPutToBaseOperations):
        (JSC::CodeBlock::addPropertyAccessInstruction):
        (JSC::CodeBlock::globalObjectConstant):
        (JSC::CodeBlock::setGlobalObjectConstant):
        * bytecode/GlobalResolveInfo.h: Removed.
        * bytecode/Opcode.h:
        (JSC):
        (JSC::padOpcodeName):
        * bytecode/ResolveGlobalStatus.cpp:
        (JSC::computeForStructure):
        (JSC::ResolveGlobalStatus::computeFor):
        * bytecode/ResolveGlobalStatus.h:
        (JSC):
        (ResolveGlobalStatus):
        * bytecode/ResolveOperation.h: Added.
          The new types and logic we use to perform the cached lookups.
        (JSC):
        (ResolveOperation):
        (JSC::ResolveOperation::getAndReturnScopedVar):
        (JSC::ResolveOperation::checkForDynamicEntriesBeforeGlobalScope):
        (JSC::ResolveOperation::getAndReturnGlobalVar):
        (JSC::ResolveOperation::getAndReturnGlobalProperty):
        (JSC::ResolveOperation::resolveFail):
        (JSC::ResolveOperation::skipTopScopeNode):
        (JSC::ResolveOperation::skipScopes):
        (JSC::ResolveOperation::returnGlobalObjectAsBase):
        (JSC::ResolveOperation::setBaseToGlobal):
        (JSC::ResolveOperation::setBaseToUndefined):
        (JSC::ResolveOperation::setBaseToScope):
        (JSC::ResolveOperation::returnScopeAsBase):
        (JSC::PutToBaseOperation::PutToBaseOperation):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::ResolveResult::checkValidity):
        (JSC):
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::resolve):
        (JSC::BytecodeGenerator::resolveConstDecl):
        (JSC::BytecodeGenerator::shouldAvoidResolveGlobal):
        (JSC::BytecodeGenerator::emitResolve):
        (JSC::BytecodeGenerator::emitResolveBase):
        (JSC::BytecodeGenerator::emitResolveBaseForPut):
        (JSC::BytecodeGenerator::emitResolveWithBaseForPut):
        (JSC::BytecodeGenerator::emitResolveWithThis):
        (JSC::BytecodeGenerator::emitGetLocalVar):
        (JSC::BytecodeGenerator::emitInitGlobalConst):
        (JSC::BytecodeGenerator::emitPutToBase):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::ResolveResult::registerResolve):
        (JSC::ResolveResult::dynamicResolve):
        (ResolveResult):
        (JSC::ResolveResult::ResolveResult):
        (JSC):
        (NonlocalResolveInfo):
        (JSC::NonlocalResolveInfo::NonlocalResolveInfo):
        (JSC::NonlocalResolveInfo::~NonlocalResolveInfo):
        (JSC::NonlocalResolveInfo::resolved):
        (JSC::NonlocalResolveInfo::put):
        (BytecodeGenerator):
        (JSC::BytecodeGenerator::getResolveOperations):
        (JSC::BytecodeGenerator::getResolveWithThisOperations):
        (JSC::BytecodeGenerator::getResolveBaseOperations):
        (JSC::BytecodeGenerator::getResolveBaseForPutOperations):
        (JSC::BytecodeGenerator::getResolveWithBaseForPutOperations):
        (JSC::BytecodeGenerator::getPutToBaseOperation):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ResolveNode::isPure):
        (JSC::FunctionCallResolveNode::emitBytecode):
        (JSC::PostfixNode::emitResolve):
        (JSC::PrefixNode::emitResolve):
        (JSC::ReadModifyResolveNode::emitBytecode):
        (JSC::AssignResolveNode::emitBytecode):
        (JSC::ConstDeclNode::emitCodeSingle):
        (JSC::ForInNode::emitBytecode):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (ByteCodeParser):
        (InlineStackEntry):
        (JSC::DFG::ByteCodeParser::handleGetByOffset):
        (DFG):
        (JSC::DFG::ByteCodeParser::parseResolveOperations):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileResolveOperations):
        (DFG):
        (JSC::DFG::canCompilePutToBaseOperation):
        (JSC::DFG::canCompileOpcode):
        (JSC::DFG::canInlineOpcode):
        * dfg/DFGGraph.h:
        (ResolveGlobalData):
        (ResolveOperationData):
        (DFG):
        (PutToBaseOperationData):
        (Graph):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasIdentifier):
        (JSC::DFG::Node::resolveOperationsDataIndex):
        (Node):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::OSRExit):
        * dfg/DFGOSRExit.h:
        (OSRExit):
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryCacheGetByID):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::resolveOperations):
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::putToBaseOperation):
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStructureCheckHoistingPhase.cpp:
        (JSC::DFG::StructureCheckHoistingPhase::run):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        (JIT):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_put_to_base):
        (JSC):
        (JSC::JIT::emit_resolve_operations):
        (JSC::JIT::emitSlow_link_resolve_operations):
        (JSC::JIT::emit_op_resolve):
        (JSC::JIT::emitSlow_op_resolve):
        (JSC::JIT::emit_op_resolve_base):
        (JSC::JIT::emitSlow_op_resolve_base):
        (JSC::JIT::emit_op_resolve_with_base):
        (JSC::JIT::emitSlow_op_resolve_with_base):
        (JSC::JIT::emit_op_resolve_with_this):
        (JSC::JIT::emitSlow_op_resolve_with_this):
        (JSC::JIT::emitSlow_op_put_to_base):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_put_to_base):
        (JSC):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_init_global_const):
        (JSC::JIT::emit_op_init_global_const_check):
        (JSC::JIT::emitSlow_op_init_global_const_check):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_init_global_const):
        (JSC::JIT::emit_op_init_global_const_check):
        (JSC::JIT::emitSlow_op_init_global_const_check):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC):
        * jit/JITStubs.h:
        * llint/LLIntSlowPaths.cpp:
        (LLInt):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        (LLInt):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/JSScope.cpp:
        (JSC::LookupResult::base):
        (JSC::LookupResult::value):
        (JSC::LookupResult::setBase):
        (JSC::LookupResult::setValue):
        (LookupResult):
        (JSC):
        (JSC::setPutPropertyAccessOffset):
        (JSC::executeResolveOperations):
        (JSC::JSScope::resolveContainingScopeInternal):
        (JSC::JSScope::resolveContainingScope):
        (JSC::JSScope::resolve):
        (JSC::JSScope::resolveBase):
        (JSC::JSScope::resolveWithBase):
        (JSC::JSScope::resolveWithThis):
        (JSC::JSScope::resolvePut):
        (JSC::JSScope::resolveGlobal):
        * runtime/JSScope.h:
        (JSScope):
        * runtime/JSVariableObject.cpp:
        (JSC):
        * runtime/JSVariableObject.h:
        (JSVariableObject):
        * runtime/Structure.h:
        (JSC::Structure::propertyAccessesAreCacheable):
        (Structure):

2012-10-16  Filip Pizlo  <fpizlo@apple.com>

        Accidental switch fall-through in DFG::FixupPhase
        https://bugs.webkit.org/show_bug.cgi?id=96956
        <rdar://problem/12313242>

        Reviewed by Mark Hahnenberg.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

2012-10-16  Filip Pizlo  <fpizlo@apple.com>

        GetScopedVar CSE matches dead GetScopedVar's leading to IR corruption
        https://bugs.webkit.org/show_bug.cgi?id=99470
        <rdar://problem/12363698>

        Reviewed by Mark Hahnenberg.

        All it takes is to follow the "if (!shouldGenerate) continue" idiom and everything will be OK.

        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::globalVarLoadElimination):
        (JSC::DFG::CSEPhase::scopedVarLoadElimination):
        (JSC::DFG::CSEPhase::globalVarWatchpointElimination):
        (JSC::DFG::CSEPhase::getByValLoadElimination):
        (JSC::DFG::CSEPhase::checkStructureElimination):
        (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
        (JSC::DFG::CSEPhase::getByOffsetLoadElimination):

2012-10-16  Dima Gorbik  <dgorbik@apple.com>

        Remove Platform.h include from the header files.
        https://bugs.webkit.org/show_bug.cgi?id=98665

        Reviewed by Eric Seidel.

        We don't want other clients that include WebKit headers to know about Platform.h.

        * API/tests/minidom.c:
        * API/tests/testapi.c:

2012-10-16  Balazs Kilvady  <kilvadyb@homejinni.com>

        Add missing MIPS functions to assembler.
        https://bugs.webkit.org/show_bug.cgi?id=98856

        Reviewed by Oliver Hunt.

        Implement missing functions in MacroAssemblerMIPS and MIPSAssembler.

        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::lb):
        (MIPSAssembler):
        (JSC::MIPSAssembler::lh):
        (JSC::MIPSAssembler::cvtds):
        (JSC::MIPSAssembler::cvtsd):
        (JSC::MIPSAssembler::vmov):
        * assembler/MacroAssemblerMIPS.h:
        (MacroAssemblerMIPS):
        (JSC::MacroAssemblerMIPS::load8Signed):
        (JSC::MacroAssemblerMIPS::load16Signed):
        (JSC::MacroAssemblerMIPS::moveDoubleToInts):
        (JSC::MacroAssemblerMIPS::moveIntsToDouble):
        (JSC::MacroAssemblerMIPS::loadFloat):
        (JSC::MacroAssemblerMIPS::loadDouble):
        (JSC::MacroAssemblerMIPS::storeFloat):
        (JSC::MacroAssemblerMIPS::storeDouble):
        (JSC::MacroAssemblerMIPS::addDouble):
        (JSC::MacroAssemblerMIPS::convertFloatToDouble):
        (JSC::MacroAssemblerMIPS::convertDoubleToFloat):

2012-10-16  Balazs Kilvady  <kilvadyb@homejinni.com>

        MIPS assembler coding-style fix.
        https://bugs.webkit.org/show_bug.cgi?id=99359

        Reviewed by Oliver Hunt.

        Coding style fix of existing MIPS assembler header files.

        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::addiu):
        (JSC::MIPSAssembler::addu):
        (JSC::MIPSAssembler::subu):
        (JSC::MIPSAssembler::mul):
        (JSC::MIPSAssembler::andInsn):
        (JSC::MIPSAssembler::andi):
        (JSC::MIPSAssembler::nor):
        (JSC::MIPSAssembler::orInsn):
        (JSC::MIPSAssembler::ori):
        (JSC::MIPSAssembler::xorInsn):
        (JSC::MIPSAssembler::xori):
        (JSC::MIPSAssembler::slt):
        (JSC::MIPSAssembler::sltu):
        (JSC::MIPSAssembler::sltiu):
        (JSC::MIPSAssembler::sll):
        (JSC::MIPSAssembler::sllv):
        (JSC::MIPSAssembler::sra):
        (JSC::MIPSAssembler::srav):
        (JSC::MIPSAssembler::srl):
        (JSC::MIPSAssembler::srlv):
        (JSC::MIPSAssembler::lbu):
        (JSC::MIPSAssembler::lw):
        (JSC::MIPSAssembler::lwl):
        (JSC::MIPSAssembler::lwr):
        (JSC::MIPSAssembler::lhu):
        (JSC::MIPSAssembler::sb):
        (JSC::MIPSAssembler::sh):
        (JSC::MIPSAssembler::sw):
        (JSC::MIPSAssembler::addd):
        (JSC::MIPSAssembler::subd):
        (JSC::MIPSAssembler::muld):
        (JSC::MIPSAssembler::divd):
        (JSC::MIPSAssembler::lwc1):
        (JSC::MIPSAssembler::ldc1):
        (JSC::MIPSAssembler::swc1):
        (JSC::MIPSAssembler::sdc1):
        (MIPSAssembler):
        (JSC::MIPSAssembler::relocateJumps):
        (JSC::MIPSAssembler::linkWithOffset):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::add32):
        (JSC::MacroAssemblerMIPS::and32):
        (JSC::MacroAssemblerMIPS::sub32):
        (MacroAssemblerMIPS):
        (JSC::MacroAssemblerMIPS::load8):
        (JSC::MacroAssemblerMIPS::load32):
        (JSC::MacroAssemblerMIPS::load32WithUnalignedHalfWords):
        (JSC::MacroAssemblerMIPS::load16):
        (JSC::MacroAssemblerMIPS::store8):
        (JSC::MacroAssemblerMIPS::store16):
        (JSC::MacroAssemblerMIPS::store32):
        (JSC::MacroAssemblerMIPS::nearCall):
        (JSC::MacroAssemblerMIPS::test8):
        (JSC::MacroAssemblerMIPS::test32):

2012-10-16  Yuqiang Xian  <yuqiang.xian@intel.com>

        Refactor MacroAssembler interfaces to differentiate the pointer operands from the 64-bit integer operands
        https://bugs.webkit.org/show_bug.cgi?id=99154

        Reviewed by Gavin Barraclough.

        In current JavaScriptCore implementation for JSVALUE64 platform (i.e.,
        the X64 platform), we assume that the JSValue size is same to the
        pointer size, and thus EncodedJSValue is simply type defined as a
        "void*". In the JIT compiler, we also take this assumption and invoke
        the same macro assembler interfaces for both JSValue and pointer
        operands. We need to differentiate the operations on pointers from the
        operations on JSValues, and let them invoking different macro
        assembler interfaces. For example, we now use the interface of
        "loadPtr" to load either a pointer or a JSValue, and we need to switch
        to using "loadPtr" to load a pointer and some new "load64" interface
        to load a JSValue. This would help us supporting other JSVALUE64
        platforms where pointer size is not necessarily 64-bits, for example
        x32 (bug #99153).

        The major modification I made is to introduce the "*64" interfaces in
        the MacroAssembler for those operations on JSValues, keep the "*Ptr"
        interfaces for those operations on real pointers, and go through all
        the JIT compiler code to correct the usage.

        This is the first part of the work, i.e, to add the *64 interfaces to
        the MacroAssembler.

        * assembler/AbstractMacroAssembler.h: Add the Imm64 interfaces.
        (AbstractMacroAssembler):
        (JSC::AbstractMacroAssembler::TrustedImm64::TrustedImm64):
        (TrustedImm64):
        (JSC::AbstractMacroAssembler::Imm64::Imm64):
        (Imm64):
        (JSC::AbstractMacroAssembler::Imm64::asTrustedImm64):
        * assembler/MacroAssembler.h: map <foo>Ptr methods to <foo>64 for X86_64.
        (MacroAssembler):
        (JSC::MacroAssembler::peek64):
        (JSC::MacroAssembler::poke):
        (JSC::MacroAssembler::poke64):
        (JSC::MacroAssembler::addPtr):
        (JSC::MacroAssembler::andPtr):
        (JSC::MacroAssembler::negPtr):
        (JSC::MacroAssembler::orPtr):
        (JSC::MacroAssembler::rotateRightPtr):
        (JSC::MacroAssembler::subPtr):
        (JSC::MacroAssembler::xorPtr):
        (JSC::MacroAssembler::loadPtr):
        (JSC::MacroAssembler::loadPtrWithAddressOffsetPatch):
        (JSC::MacroAssembler::loadPtrWithCompactAddressOffsetPatch):
        (JSC::MacroAssembler::storePtr):
        (JSC::MacroAssembler::storePtrWithAddressOffsetPatch):
        (JSC::MacroAssembler::movePtrToDouble):
        (JSC::MacroAssembler::moveDoubleToPtr):
        (JSC::MacroAssembler::comparePtr):
        (JSC::MacroAssembler::testPtr):
        (JSC::MacroAssembler::branchPtr):
        (JSC::MacroAssembler::branchTestPtr):
        (JSC::MacroAssembler::branchAddPtr):
        (JSC::MacroAssembler::branchSubPtr):
        (JSC::MacroAssembler::shouldBlindDouble):
        (JSC::MacroAssembler::shouldBlind):
        (JSC::MacroAssembler::RotatedImm64::RotatedImm64):
        (RotatedImm64):
        (JSC::MacroAssembler::rotationBlindConstant):
        (JSC::MacroAssembler::loadRotationBlindedConstant):
        (JSC::MacroAssembler::move):
        (JSC::MacroAssembler::and64):
        (JSC::MacroAssembler::store64):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::shouldBlindForSpecificArch):
        (MacroAssemblerX86Common):
        (JSC::MacroAssemblerX86Common::move):
        * assembler/MacroAssemblerX86_64.h: Add the <foo>64 methods for X86_64.
        (JSC::MacroAssemblerX86_64::branchAdd32):
        (JSC::MacroAssemblerX86_64::add64):
        (MacroAssemblerX86_64):
        (JSC::MacroAssemblerX86_64::and64):
        (JSC::MacroAssemblerX86_64::neg64):
        (JSC::MacroAssemblerX86_64::or64):
        (JSC::MacroAssemblerX86_64::rotateRight64):
        (JSC::MacroAssemblerX86_64::sub64):
        (JSC::MacroAssemblerX86_64::xor64):
        (JSC::MacroAssemblerX86_64::load64):
        (JSC::MacroAssemblerX86_64::load64WithAddressOffsetPatch):
        (JSC::MacroAssemblerX86_64::load64WithCompactAddressOffsetPatch):
        (JSC::MacroAssemblerX86_64::store64):
        (JSC::MacroAssemblerX86_64::store64WithAddressOffsetPatch):
        (JSC::MacroAssemblerX86_64::move64ToDouble):
        (JSC::MacroAssemblerX86_64::moveDoubleTo64):
        (JSC::MacroAssemblerX86_64::compare64):
        (JSC::MacroAssemblerX86_64::branch64):
        (JSC::MacroAssemblerX86_64::branchTest64):
        (JSC::MacroAssemblerX86_64::test64):
        (JSC::MacroAssemblerX86_64::branchAdd64):
        (JSC::MacroAssemblerX86_64::branchSub64):
        (JSC::MacroAssemblerX86_64::branchPtrWithPatch):
        (JSC::MacroAssemblerX86_64::storePtrWithPatch):

2012-10-15  Mark Hahnenberg  <mhahnenberg@apple.com>

        Make CopiedSpace and MarkedSpace regions independent
        https://bugs.webkit.org/show_bug.cgi?id=99222

        Reviewed by Filip Pizlo.

        Right now CopiedSpace and MarkedSpace have the same block size and share the same regions, 
        but there's no reason that they can't have different block sizes while still sharing the 
        same underlying regions. We should factor the two "used" lists of regions apart so that 
        MarkedBlocks and CopiedBlocks can be different sizes. Regions will still be a uniform size 
        so that when they become empty they may be shared between the CopiedSpace and the MarkedSpace, 
        since benchmarks indicate that sharing is a boon for performance.

        * heap/BlockAllocator.cpp:
        (JSC::BlockAllocator::BlockAllocator):
        * heap/BlockAllocator.h:
        (JSC):
        (Region):
        (JSC::Region::create): We now have a fixed size for Regions so that empty regions can continue to 
        be shared between the MarkedSpace and CopiedSpace. Once they are used for a specific type of block,
        however, they can only be used for that type of block until they become empty again.
        (JSC::Region::createCustomSize):
        (JSC::Region::Region):
        (JSC::Region::~Region):
        (JSC::Region::reset):
        (BlockAllocator):
        (JSC::BlockAllocator::RegionSet::RegionSet):
        (RegionSet):
        (JSC::BlockAllocator::tryAllocateFromRegion): We change this function so that it correctly 
        moves blocks between empty, partial, and full lists.
        (JSC::BlockAllocator::allocate):
        (JSC::BlockAllocator::allocateCustomSize):
        (JSC::BlockAllocator::deallocate): Ditto.
        (JSC::CopiedBlock):
        (JSC::MarkedBlock):
        (JSC::BlockAllocator::regionSetFor): We use this so that we can use the same allocate/deallocate
        functions with different RegionSets. We specialize the function for each type of block that we 
        want to allocate.
        * heap/CopiedBlock.h:
        (CopiedBlock):
        * heap/CopiedSpace.h:
        (CopiedSpace):
        * heap/HeapBlock.h:
        (HeapBlock):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::MarkedBlock): For oversize MarkedBlocks, if the block size gets too big we can 
        underflow the endAtom, which will cause us to segfault when we try to sweep a block. If we're a 
        custom size MarkedBlock we need to calculate endAtom so it doesn't underflow.

2012-10-14  Filip Pizlo  <fpizlo@apple.com>

        JIT::JIT fails to initialize all of its fields
        https://bugs.webkit.org/show_bug.cgi?id=99283

        Reviewed by Andreas Kling.

        There were two groups of such fields, all of which are eventually initialized
        prior to use inside of privateCompile(). But it's safer to make sure that they
        are initialized in the constructor as well, since we may use the JIT to do a
        stub compile without calling into privateCompile().
        
        Unsigned index fields for dynamic repatching meta-data: this change
        initializes them to UINT_MAX, so we should crash if we try to use those
        indices without initializing them.
        
        Boolean flags for value profiling: this change initializes them to false, so
        we at worst turn off value profiling.

        * jit/JIT.cpp:
        (JSC::JIT::JIT):

2012-10-15  Mark Hahnenberg  <mhahnenberg@apple.com>

        We should avoid weakCompareAndSwap when parallel GC is disabled
        https://bugs.webkit.org/show_bug.cgi?id=99331

        Reviewed by Filip Pizlo.

        CopiedBlock::reportLiveBytes and didEvacuateBytes uses weakCompareAndSwap, which some platforms 
        don't support. For platforms that don't have parallel GC enabled, we should just use a normal store.

        * heap/CopiedBlock.h:
        (JSC::CopiedBlock::reportLiveBytes):
        (JSC::CopiedBlock::didEvacuateBytes):

2012-10-15  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix make distcheck.

        * GNUmakefile.list.am: Add missing header file.

2012-10-14  Filip Pizlo  <fpizlo@apple.com>

        DFG should handle polymorphic array modes by eagerly transforming arrays into the most general applicable form
        https://bugs.webkit.org/show_bug.cgi?id=99269

        Reviewed by Geoffrey Garen.

        This kills off a bunch of code for "polymorphic" array modes in the DFG. It should
        also be a performance win for code that uses a lot of array storage arrays.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::fromObserved):
        (JSC::DFG::modeAlreadyChecked):
        (JSC::DFG::modeToString):
        * dfg/DFGArrayMode.h:
        (DFG):
        (JSC::DFG::modeUsesButterfly):
        (JSC::DFG::modeIsJSArray):
        (JSC::DFG::mayStoreToTail):
        (JSC::DFG::mayStoreToHole):
        (JSC::DFG::canCSEStorage):
        (JSC::DFG::modeSupportsLength):
        (JSC::DFG::benefitsFromStructureCheck):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::checkArray):
        (JSC::DFG::FixupPhase::blessArrayOperation):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::byValIsPure):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
        (JSC::DFG::SpeculativeJIT::checkArray):
        (JSC::DFG::SpeculativeJIT::arrayify):
        (DFG):
        (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::putByValWillNeedExtraRegister):
        (SpeculativeJIT):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2012-10-14  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(126886): Fat binary builds don't know how to handle architecture variants to which the LLInt is agnostic
        https://bugs.webkit.org/show_bug.cgi?id=99270

        Reviewed by Geoffrey Garen.

        The fix is to hash cons the offsets based on configuration index, not the offsets
        themselves.

        * offlineasm/offsets.rb:

2012-10-13  Filip Pizlo  <fpizlo@apple.com>

        IndexingType should not have a bit for each type
        https://bugs.webkit.org/show_bug.cgi?id=98997

        Reviewed by Oliver Hunt.

        Somewhat incidentally, the introduction of butterflies led to each indexing
        type being represented by a unique bit. This is superficially nice since it
        allows you to test if a structure corresponds to a particular indexing type
        by saying !!(structure->indexingType() & TheType). But the downside is that
        given the 8 bits we have for the m_indexingType field, that leaves only a
        small number of possible indexing types if we have one per bit.
        
        This changeset changes the indexing type to be:
        
        Bit #1: Tells you if you're an array.
        
        Bits #2 - #5: 16 possible indexing types, including the blank type for
            objects that don't have indexed properties.
        
        Bits #6-8: Auxiliary bits that we could use for other things. Currently we
            just use one of those bits, for MayHaveIndexedAccessors.
        
        This is performance-neutral, and is primarily intended to give us more
        breathing room for introducing new inferred array modes.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::JumpList::jumps):
        * assembler/MacroAssembler.h:
        (MacroAssembler):
        (JSC::MacroAssembler::patchableBranch32):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::patchableBranch32):
        (MacroAssemblerARMv7):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::modeAlreadyChecked):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryCacheGetByID):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculationCheck):
        (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck):
        (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
        (DFG):
        (JSC::DFG::SpeculativeJIT::checkArray):
        (JSC::DFG::SpeculativeJIT::arrayify):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitAllocateJSArray):
        (JSC::JIT::chooseArrayMode):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitContiguousGetByVal):
        (JSC::JIT::emitArrayStorageGetByVal):
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emitContiguousPutByVal):
        (JSC::JIT::emitArrayStoragePutByVal):
        (JSC::JIT::privateCompilePatchGetArrayLength):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitContiguousGetByVal):
        (JSC::JIT::emitArrayStorageGetByVal):
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emitContiguousPutByVal):
        (JSC::JIT::emitArrayStoragePutByVal):
        (JSC::JIT::privateCompilePatchGetArrayLength):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/IndexingType.h:
        (JSC):
        (JSC::hasIndexedProperties):
        (JSC::hasContiguous):
        (JSC::hasFastArrayStorage):
        (JSC::hasArrayStorage):
        (JSC::shouldUseSlowPut):
        * runtime/JSGlobalObject.cpp:
        (JSC):
        * runtime/StructureTransitionTable.h:
        (JSC::newIndexingType):

2012-10-14  Filip Pizlo  <fpizlo@apple.com>

        DFG structure check hoisting should attempt to ignore side effects and make transformations that are sound even in their presence
        https://bugs.webkit.org/show_bug.cgi?id=99262

        Reviewed by Oliver Hunt.

        This hugely simplifies the structure check hoisting phase. It will no longer be necessary
        to modify it when the effectfulness of operations changes. This also enables the hoister
        to hoist effectful things in the future.
        
        The downside is that the hoister may end up adding strictly more checks than were present
        in the original code, if the code truly has a lot of side-effects. I don't see evidence
        of this happening. This patch does have some speed-ups and some slow-downs, but is
        neutral in the average, and the slow-downs do not appear to have more structure checks
        than ToT.

        * dfg/DFGStructureCheckHoistingPhase.cpp:
        (JSC::DFG::StructureCheckHoistingPhase::run):
        (JSC::DFG::StructureCheckHoistingPhase::noticeStructureCheck):
        (StructureCheckHoistingPhase):
        (CheckData):
        (JSC::DFG::StructureCheckHoistingPhase::CheckData::CheckData):

2012-10-14  Filip Pizlo  <fpizlo@apple.com>

        Fix the build of universal binary with ARMv7s of JavaScriptCore

        * llint/LLIntOfflineAsmConfig.h:
        * llint/LowLevelInterpreter.asm:

2012-10-13  Filip Pizlo  <fpizlo@apple.com>

        Array length array profiling is broken in the baseline JIT
        https://bugs.webkit.org/show_bug.cgi?id=99258

        Reviewed by Oliver Hunt.

        The code generator for array length stubs calls into
        emitArrayProfilingSiteForBytecodeIndex(), which emits profiling only if
        canBeOptimized() returns true. But m_canBeOptimized is only initialized during
        full method compiles, so in a stub compile it may (or may not) be false, meaning
        that we may, or may not, get meaningful profiling info.
        
        This appeared to not affect too many programs since the LLInt has good array
        length array profiling.

        * jit/JIT.h:
        (JSC::JIT::compilePatchGetArrayLength):

2012-10-14  Patrick Gansterer  <paroga@webkit.org>

        Build fix for WinCE after r131089.

        WinCE does not support getenv().

        * runtime/Options.cpp:
        (JSC::overrideOptionWithHeuristic):

2012-10-12  Kangil Han  <kangil.han@samsung.com>

        Fix build error on DFGSpeculativeJIT32_64.cpp
        https://bugs.webkit.org/show_bug.cgi?id=99234

        Reviewed by Anders Carlsson.

        Seems BUG 98608 causes build error on 32bit machine so fix it.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2012-10-12  Filip Pizlo  <fpizlo@apple.com>

        Contiguous array allocation should always be inlined
        https://bugs.webkit.org/show_bug.cgi?id=98608

        Reviewed by Oliver Hunt and Mark Hahnenberg.

        This inlines contiguous array allocation in the most obvious way possible.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::branchSubPtr):
        (MacroAssembler):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::branchSubPtr):
        (MacroAssemblerX86_64):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGCCallHelpers.h:
        (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
        (CCallHelpers):
        * dfg/DFGCallArrayAllocatorSlowPathGenerator.h: Added.
        (DFG):
        (CallArrayAllocatorSlowPathGenerator):
        (JSC::DFG::CallArrayAllocatorSlowPathGenerator::CallArrayAllocatorSlowPathGenerator):
        (JSC::DFG::CallArrayAllocatorSlowPathGenerator::generateInternal):
        (CallArrayAllocatorWithVariableSizeSlowPathGenerator):
        (JSC::DFG::CallArrayAllocatorWithVariableSizeSlowPathGenerator::CallArrayAllocatorWithVariableSizeSlowPathGenerator):
        (JSC::DFG::CallArrayAllocatorWithVariableSizeSlowPathGenerator::generateInternal):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
        (DFG):
        (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage):
        (JSC::DFG::SpeculativeJIT::emitAllocateBasicJSObject):
        (JSC::DFG::SpeculativeJIT::emitAllocateJSFinalObject):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2012-10-12  Mark Hahnenberg  <mhahnenberg@apple.com>

        Race condition during CopyingPhase can lead to deadlock
        https://bugs.webkit.org/show_bug.cgi?id=99226

        Reviewed by Filip Pizlo.

        The main thread calls startCopying() for each of the GCThreads at the beginning of the copy phase. 
        It then proceeds to start copying. If copying completes before one of the GCThreads wakes up, the 
        main thread will set m_currentPhase back to NoPhase, the GCThread will wake up, see that there's 
        nothing to do, and then it will go back to sleep without ever calling CopyVisitor::doneCopying() 
        to return its borrowed block to the CopiedSpace. CopiedSpace::doneCopying() will then sleep forever 
        waiting on the block.

        The fix for this is to make sure we call CopiedSpace::doneCopying() on the main thread before we 
        call GCThreadSharedData::didFinishCopying(), which sets the m_currentPhase flag to NoPhase. This 
        way we will wait until all threads have woken up and given back their borrowed blocks before 
        clearing the flag.

        * heap/Heap.cpp:
        (JSC::Heap::copyBackingStores):

2012-10-12  Anders Carlsson  <andersca@apple.com>

        Move macros from Parser.h to Parser.cpp
        https://bugs.webkit.org/show_bug.cgi?id=99217

        Reviewed by Andreas Kling.

        There are a bunch of macros in Parser.h that are only used in Parser.cpp. Move them to Parser.cpp
        so they won't pollute the global namespace.
        * parser/Parser.cpp:
        * parser/Parser.h:
        (JSC):

2012-10-12  Mark Hahnenberg  <mhahnenberg@apple.com>

        Another build fix after r131213

        Added some symbol magic to placate the linker on some platforms.

        * JavaScriptCore.order:

2012-10-12  Mark Hahnenberg  <mhahnenberg@apple.com>

        Build fix after r131213

        Removed an unused variable that was making compilers unhappy.

        * heap/GCThread.cpp:
        (JSC::GCThread::GCThread):
        * heap/GCThread.h:
        (GCThread):
        * heap/GCThreadSharedData.cpp:
        (JSC::GCThreadSharedData::GCThreadSharedData):

2012-10-09  Mark Hahnenberg  <mhahnenberg@apple.com>

        Copying collection shouldn't require O(live bytes) memory overhead
        https://bugs.webkit.org/show_bug.cgi?id=98792

        Reviewed by Filip Pizlo.

        Currently our copying collection occurs simultaneously with the marking phase. We'd like 
        to be able to reuse CopiedBlocks as soon as they become fully evacuated, but this is not 
        currently possible because we don't know the liveness statistics of each old CopiedBlock 
        until marking/copying has already finished. Instead, we have to allocate additional memory 
        from the OS to use as our working set of CopiedBlocks while copying. We then return the 
        fully evacuated old CopiedBlocks back to the block allocator, thus giving our copying phase 
        an O(live bytes) overhead.

        To fix this, we should instead split the copying phase apart from the marking phase. This 
        way we have full liveness data for each CopiedBlock during the copying phase so that we 
        can reuse them the instant they become fully evacuated. With the additional liveness data 
        that each CopiedBlock accumulates, we can add some additional heuristics to the collector. 
        For example, we can calculate our global Heap fragmentation and only choose to do a copying 
        phase if that fragmentation exceeds some limit. As another example, we can skip copying 
        blocks that are already above a particular fragmentation limit, which allows older objects 
        to coalesce into blocks that are rarely copied.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/CopiedBlock.h:
        (CopiedBlock):
        (JSC::CopiedBlock::CopiedBlock): Added support for tracking live bytes in a CopiedBlock in a 
        thread-safe fashion.
        (JSC::CopiedBlock::reportLiveBytes): Adds a number of live bytes to the block in a thread-safe 
        fashion using compare and swap.
        (JSC):
        (JSC::CopiedBlock::didSurviveGC): Called when a block survives a single GC without being 
        evacuated. This could be called for a couple reasons: (a) the block was pinned or (b) we 
        decided not to do any copying. A block can become pinned for a few reasons: (1) a pointer into 
        the block was found during the conservative scan. (2) the block was deemed full enough to 
        not warrant any copying. (3) The block is oversize and was found to be live. 
        (JSC::CopiedBlock::didEvacuateBytes): Called when some number of bytes are copied from this 
        block. If the number of live bytes ever hits zero, the block will return itself to the 
        BlockAllocator to be recycled.
        (JSC::CopiedBlock::canBeRecycled): Indicates that a block has no live bytes and can be 
        immediately recycled. This is used for blocks that are found to have zero live bytes at the 
        beginning of the copying phase.
        (JSC::CopiedBlock::shouldEvacuate): This function returns true if the current fragmentation 
        of the block is above our fragmentation threshold, and false otherwise.
        (JSC::CopiedBlock::isPinned): Added an accessor for the pinned flag
        (JSC::CopiedBlock::liveBytes): 
        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::CopiedSpace):
        (JSC::CopiedSpace::doneFillingBlock): Changed so that we can exchange our filled block for a 
        fresh block. This avoids the situation where a thread returns its borrowed block, it's the last 
        borrowed block, so CopiedSpace thinks that copying has completed, and it starts doing all of the 
        copying phase cleanup. In actuality, the thread wanted another block after returning the current 
        block. So we allow the thread to atomically exchange its block for another block.
        (JSC::CopiedSpace::startedCopying): Added the calculation of global Heap fragmentation to 
        determine if the copying phase should commence. We include the MarkedSpace in our fragmentation 
        calculation by assuming that the MarkedSpace is 0% fragmented since we can reuse any currently 
        free memory in it (i.e. we ignore any internal fragmentation in the MarkedSpace). While we're 
        calculating the fragmentation of CopiedSpace, we also return any free blocks we find along the 
        way (meaning liveBytes() == 0).
        (JSC):
        (JSC::CopiedSpace::doneCopying): We still have to iterate over all the blocks, regardless of
        whether the copying phase took place or not so that we can reset all of the live bytes counters 
        and un-pin any pinned blocks.
        * heap/CopiedSpace.h:
        (CopiedSpace):
        (JSC::CopiedSpace::shouldDoCopyPhase):
        * heap/CopiedSpaceInlineMethods.h:
        (JSC::CopiedSpace::recycleEvacuatedBlock): This function is distinct from recycling a borrowed block 
        because a borrowed block hasn't been added to the CopiedSpace yet, but an evacuated block is still
        currently in CopiedSpace, so we have to make sure we properly remove all traces of the block from 
        CopiedSpace before returning it to BlockAllocator.
        (JSC::CopiedSpace::recycleBorrowedBlock): Renamed to indicate the distinction mentioned above.
        * heap/CopyVisitor.cpp: Added.
        (JSC):
        (JSC::CopyVisitor::CopyVisitor):
        (JSC::CopyVisitor::copyFromShared): Main function for any thread participating in the copying phase.
        Grabs chunks of MarkedBlocks from the shared list and copies the backing store of anybody who needs
        it until there are no more chunks to copy.
        * heap/CopyVisitor.h: Added.
        (JSC):
        (CopyVisitor):
        * heap/CopyVisitorInlineMethods.h: Added.
        (JSC):
        (GCCopyPhaseFunctor):
        (JSC::GCCopyPhaseFunctor::GCCopyPhaseFunctor):
        (JSC::GCCopyPhaseFunctor::operator()):
        (JSC::CopyVisitor::checkIfShouldCopy): We don't have to check shouldEvacuate() because all of those 
        checks are done during the marking phase.
        (JSC::CopyVisitor::allocateNewSpace): 
        (JSC::CopyVisitor::allocateNewSpaceSlow):
        (JSC::CopyVisitor::startCopying): Initialization function for a thread that is about to start copying.
        (JSC::CopyVisitor::doneCopying):
        (JSC::CopyVisitor::didCopy): This callback is called by an object that has just successfully copied its
        backing store. It indicates to the CopiedBlock that somebody has just finished evacuating some number of 
        bytes from it, and, if the CopiedBlock now has no more live bytes, can be recycled immediately.
        * heap/GCThread.cpp: Added.
        (JSC):
        (JSC::GCThread::GCThread): This is a new class that encapsulates a single thread responsible for participating 
        in a specific set of GC phases. Currently, that set of phases includes Mark, Copy, and Exit. Each thread 
        monitors a shared variable in its associated GCThreadSharedData. The main thread updates this m_currentPhase
        variable as collection progresses through the various phases. Parallel marking still works exactly like it 
        has. In other words, the "run loop" for each of the GC threads sits above any individual phase, thus keeping 
        the separate phases of the collector orthogonal.
        (JSC::GCThread::threadID):
        (JSC::GCThread::initializeThreadID):
        (JSC::GCThread::slotVisitor):
        (JSC::GCThread::copyVisitor):
        (JSC::GCThread::waitForNextPhase):
        (JSC::GCThread::gcThreadMain):
        (JSC::GCThread::gcThreadStartFunc):
        * heap/GCThread.h: Added.
        (JSC):
        (GCThread):
        * heap/GCThreadSharedData.cpp: The GCThreadSharedData now has a list of GCThread objects rather than raw 
        ThreadIdentifiers.
        (JSC::GCThreadSharedData::resetChildren):
        (JSC::GCThreadSharedData::childVisitCount):
        (JSC::GCThreadSharedData::GCThreadSharedData):
        (JSC::GCThreadSharedData::~GCThreadSharedData):
        (JSC::GCThreadSharedData::reset):
        (JSC::GCThreadSharedData::didStartMarking): Callback to let the GCThreadSharedData know that marking has 
        started and updates the m_currentPhase variable and notifies the GCThreads accordingly.
        (JSC::GCThreadSharedData::didFinishMarking): Ditto for finishing marking. 
        (JSC::GCThreadSharedData::didStartCopying): Ditto for starting the copying phase.
        (JSC::GCThreadSharedData::didFinishCopying): Ditto for finishing copying. 
        * heap/GCThreadSharedData.h:
        (JSC):
        (GCThreadSharedData):
        (JSC::GCThreadSharedData::getNextBlocksToCopy): Atomically gets the next chunk of work for a copying thread.
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::markRoots):
        (JSC):
        (JSC::Heap::copyBackingStores): Responsible for setting up the copying phase, notifying the copying threads, 
        and doing any copying work if necessary.
        (JSC::Heap::collect):
        * heap/Heap.h:
        (Heap):
        (JSC):
        (JSC::CopyFunctor::CopyFunctor):
        (CopyFunctor):
        (JSC::CopyFunctor::operator()):
        * heap/IncrementalSweeper.cpp: Changed the incremental sweeper to have a reference to the list of MarkedBlocks 
        that need sweeping, since this now resides in the Heap so that it can be easily shared by the GCThreads.
        (JSC::IncrementalSweeper::IncrementalSweeper):
        (JSC::IncrementalSweeper::startSweeping):
        * heap/IncrementalSweeper.h:
        (JSC):
        (IncrementalSweeper):
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::setup):
        (JSC::SlotVisitor::drainFromShared): We no longer do any copying-related work here.
        (JSC):
        * heap/SlotVisitor.h:
        (SlotVisitor):
        * heap/SlotVisitorInlineMethods.h:
        (JSC):
        (JSC::SlotVisitor::copyLater): Notifies the CopiedBlock that there are some live bytes that may need 
        to be copied.
        * runtime/Butterfly.h:
        (JSC):
        (Butterfly):
        * runtime/ButterflyInlineMethods.h:
        (JSC::Butterfly::createUninitializedDuringCollection): Uses the new CopyVisitor.
        * runtime/ClassInfo.h:
        (MethodTable): Added new "virtual" function copyBackingStore to method table.
        (JSC):
        * runtime/JSCell.cpp:
        (JSC::JSCell::copyBackingStore): Default implementation that does nothing.
        (JSC):
        * runtime/JSCell.h:
        (JSC):
        (JSCell):
        * runtime/JSObject.cpp:
        (JSC::JSObject::copyButterfly): Does the actual copying of the butterfly.
        (JSC):
        (JSC::JSObject::visitButterfly): Calls copyLater for the butterfly.
        (JSC::JSObject::copyBackingStore): 
        * runtime/JSObject.h:
        (JSObject):
        (JSC::JSCell::methodTable):
        (JSC::JSCell::inherits):
        * runtime/Options.h: Added two new constants, minHeapUtilization and minCopiedBlockUtilization, 
        to govern the amount of fragmentation we allow before doing copying.
        (JSC):

2012-10-12  Filip Pizlo  <fpizlo@apple.com>

        DFG array allocation calls should not return an encoded JSValue
        https://bugs.webkit.org/show_bug.cgi?id=99196

        Reviewed by Mark Hahnenberg.

        The array allocation operations now return a pointer instead. This makes it
        easier to share code between 32-bit and 64-bit.

        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2012-10-01  Jer Noble  <jer.noble@apple.com>

        Enable ENCRYPTED_MEDIA support on Mac.
        https://bugs.webkit.org/show_bug.cgi?id=98044

        Reviewed by Anders Carlsson.

        Enable the ENCRYPTED_MEDIA flag.

        * Configurations/FeatureDefines.xcconfig:

2012-10-12  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed. It should be possible to build JSC on ARMv7.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::patchableBranchPtr):

2012-10-11  Mark Hahnenberg  <mhahnenberg@apple.com>

        BlockAllocator should use regions as its VM allocation abstraction
        https://bugs.webkit.org/show_bug.cgi?id=99107

        Reviewed by Geoffrey Garen.

        Currently the BlockAllocator allocates a single block at a time directly from the OS. Our block 
        allocations are on the large-ish side (64 KB) to amortize across many allocations the expense of 
        mapping new virtual memory from the OS. These large blocks are then shared between the MarkedSpace 
        and the CopiedSpace. This design makes it difficult to vary the size of the blocks in different 
        parts of the Heap while still allowing us to amortize the VM allocation costs.

        We should redesign the BlockAllocator so that it has a layer of indirection between blocks that are 
        used by the allocator/collector and our primary unit of VM allocation from the OS. In particular, 
        the BlockAllocator should allocate Regions of virtual memory from the OS, which are then subdivided 
        into one or more Blocks to be used in our custom allocators. This design has the following nice properties:

        1) We can remove the knowledge of PageAllocationAligned from HeapBlocks. Each HeapBlock will now 
           only know what Region it belongs to. The Region maintains all the metadata for how to allocate 
           and deallocate virtual memory from the OS.

        2) We can easily allocate in larger chunks than we need to satisfy a particular request for a Block. 
           We can then continue to amortize our VM allocation costs while allowing for smaller block sizes, 
           which should increase locality in the mutator when allocating, lazy sweeping, etc.

        3) By encapsulating the logic of where our memory comes from inside of the Region class, we can more 
           easily transition over to allocating VM from a specific range of pre-reserved address space. This 
           will be a necessary step along the way to 32-bit pointers.

        This particular patch will not change the size of MarkedBlocks or CopiedBlocks, nor will it change how 
        much VM we allocate per failed Block request. It only sets up the data structures that we need to make 
        these changes in future patches.

        Most of the changes in this patch relate to the addition of the Region class to be used by the 
        BlockAllocator and the threading of changes made to BlockAllocator's interface through to the call sites.

        * heap/BlockAllocator.cpp: The BlockAllocator now has three lists that track the three disjoint sets of
        Regions that it cares about: empty regions, partially full regions, and completely full regions. 
        Empty regions have no blocks currently in use and can be freed immediately if the freeing thread 
        determines they should be. Partial regions have some blocks used, but aren't completely in use yet. 
        These regions are preferred for recycling before empty regions to mitigate fragmentation within regions.
        Completely full regions are no longer able to be used for allocations. Regions move between these 
        three lists as they are created and their constituent blocks are allocated and deallocated.
        (JSC::BlockAllocator::BlockAllocator):
        (JSC::BlockAllocator::~BlockAllocator):
        (JSC::BlockAllocator::releaseFreeRegions):
        (JSC::BlockAllocator::waitForRelativeTimeWhileHoldingLock):
        (JSC::BlockAllocator::waitForRelativeTime):
        (JSC::BlockAllocator::blockFreeingThreadMain):
        * heap/BlockAllocator.h:
        (JSC):
        (DeadBlock):
        (JSC::DeadBlock::DeadBlock):
        (Region):
        (JSC::Region::blockSize):
        (JSC::Region::isFull):
        (JSC::Region::isEmpty):
        (JSC::Region::create): This function is responsible for doing the actual VM allocation. This should be the 
        only function in the entire JSC object runtime that calls out the OS for virtual memory allocation.
        (JSC::Region::Region):
        (JSC::Region::~Region):
        (JSC::Region::allocate):
        (JSC::Region::deallocate):
        (BlockAllocator):
        (JSC::BlockAllocator::tryAllocateFromRegion): Helper function that encapsulates checking a particular list 
        of regions for a free block.
        (JSC::BlockAllocator::allocate):
        (JSC::BlockAllocator::allocateCustomSize): This function is responsible for allocating one-off custom size 
        regions for use in oversize allocations in both the MarkedSpace and the CopiedSpace. These regions are not 
        tracked by the BlockAllocator. The only pointer to them is in the HeapBlock that is returned. These regions 
        contain exactly one block.
        (JSC::BlockAllocator::deallocate):
        (JSC::BlockAllocator::deallocateCustomSize): This function is responsible for deallocating one-off custom size
        regions. The regions are deallocated back to the OS eagerly.
        * heap/CopiedBlock.h: Re-worked CopiedBlocks to use Regions instead of PageAllocationAligned.
        (CopiedBlock):
        (JSC::CopiedBlock::createNoZeroFill):
        (JSC::CopiedBlock::create):
        (JSC::CopiedBlock::CopiedBlock):
        (JSC::CopiedBlock::payloadEnd):
        (JSC::CopiedBlock::capacity):
        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::~CopiedSpace):
        (JSC::CopiedSpace::tryAllocateOversize):
        (JSC::CopiedSpace::tryReallocateOversize):
        (JSC::CopiedSpace::doneCopying):
        * heap/CopiedSpaceInlineMethods.h:
        (JSC::CopiedSpace::allocateBlockForCopyingPhase):
        (JSC::CopiedSpace::allocateBlock):
        * heap/HeapBlock.h:
        (JSC::HeapBlock::destroy):
        (JSC::HeapBlock::HeapBlock):
        (JSC::HeapBlock::region):
        (HeapBlock):
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::allocateBlock):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::create):
        (JSC::MarkedBlock::MarkedBlock):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::capacity):
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::freeBlock):

2012-10-11  Filip Pizlo  <fpizlo@apple.com>

        UInt32ToNumber and OSR exit should be aware of copy propagation and correctly recover both versions of a variable that was subject to a UInt32ToNumber cast
        https://bugs.webkit.org/show_bug.cgi?id=99100
        <rdar://problem/12480955>

        Reviewed by Michael Saboff and Mark Hahnenberg.

        Fixed by forcing UInt32ToNumber to use a different register. This "undoes" the copy propagation that we
        would have been doing, since it has no performance effect in this case and has the benefit of making the
        OSR exit compiler a lot simpler.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):

2012-10-11  Geoffrey Garen  <ggaren@apple.com>

        Removed some more static assumptions about inline object capacity
        https://bugs.webkit.org/show_bug.cgi?id=98603

        Reviewed by Filip Pizlo.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::emitAllocateBasicJSObject): Use JSObject::allocationSize()
        for a little more flexibility. We still pass it a constant inline capacity
        because the JIT doesn't have a strategy for selecting a size class based
        on non-constant capacity yet. "INLINE_STORAGE_CAPACITY" is a marker for
        code that makes static assumptions about object size.

        * jit/JITInlineMethods.h:
        (JSC::JIT::emitAllocateBasicJSObject):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm: Ditto for the rest of our many execution engines.

        * runtime/JSObject.h:
        (JSC::JSObject::allocationSize):
        (JSC::JSFinalObject::finishCreation):
        (JSC::JSFinalObject::create): New helper function for computing object
        size dynamically, since we plan to have objects of different sizes.

        (JSC::JSFinalObject::JSFinalObject): Note that our m_inlineStorage used
        to auto-generate an implicit C++ constructor with default null initialization.
        This memory is not observed in its uninitialized state, and our LLInt and
        JIT allocators do not initialize it, so I did not add any explicit code
        to do so, now that the implicit code is gone.

        (JSC::JSObject::offsetOfInlineStorage): Changed the math here to match
        inlineStorageUnsafe(), since we can rely on an explicit data member anymore.

2012-10-11  Geoffrey Garen  <ggaren@apple.com>

        Enable RUNTIME_HEURISTICS all the time, for easier testing
        https://bugs.webkit.org/show_bug.cgi?id=99090

        Reviewed by Filip Pizlo.

        I find myself using this a lot, and there doesn't seem to be an obvious
        reason to compile it out, since it only runs once at startup.

        * runtime/Options.cpp:
        (JSC::overrideOptionWithHeuristic):
        (JSC::Options::initialize):
        * runtime/Options.h: Removed the #ifdef.

2012-10-11  Geoffrey Garen  <ggaren@apple.com>

        Removed ASSERT_CLASS_FITS_IN_CELL
        https://bugs.webkit.org/show_bug.cgi?id=97634

        Reviewed by Mark Hahnenberg.

        Our collector now supports arbitrarily sized objects, so the ASSERT is not needed.

        * API/JSCallbackFunction.cpp:
        * API/JSCallbackObject.cpp:
        * heap/MarkedSpace.h:
        * jsc.cpp:
        * runtime/Arguments.cpp:
        * runtime/ArrayConstructor.cpp:
        * runtime/ArrayPrototype.cpp:
        * runtime/BooleanConstructor.cpp:
        * runtime/BooleanObject.cpp:
        * runtime/BooleanPrototype.cpp:
        * runtime/DateConstructor.cpp:
        * runtime/DatePrototype.cpp:
        * runtime/Error.cpp:
        * runtime/ErrorConstructor.cpp:
        * runtime/ErrorPrototype.cpp:
        * runtime/FunctionConstructor.cpp:
        * runtime/FunctionPrototype.cpp:
        * runtime/InternalFunction.cpp:
        * runtime/JSActivation.cpp:
        * runtime/JSArray.cpp:
        * runtime/JSBoundFunction.cpp:
        * runtime/JSFunction.cpp:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalThis.cpp:
        * runtime/JSNameScope.cpp:
        * runtime/JSNotAnObject.cpp:
        * runtime/JSONObject.cpp:
        * runtime/JSObject.cpp:
        * runtime/JSPropertyNameIterator.cpp:
        * runtime/JSScope.cpp:
        * runtime/JSWithScope.cpp:
        * runtime/JSWrapperObject.cpp:
        * runtime/MathObject.cpp:
        * runtime/NameConstructor.cpp:
        * runtime/NamePrototype.cpp:
        * runtime/NativeErrorConstructor.cpp:
        * runtime/NativeErrorPrototype.cpp:
        * runtime/NumberConstructor.cpp:
        * runtime/NumberObject.cpp:
        * runtime/NumberPrototype.cpp:
        * runtime/ObjectConstructor.cpp:
        * runtime/ObjectPrototype.cpp:
        * runtime/RegExpConstructor.cpp:
        * runtime/RegExpMatchesArray.cpp:
        * runtime/RegExpObject.cpp:
        * runtime/RegExpPrototype.cpp:
        * runtime/StringConstructor.cpp:
        * runtime/StringObject.cpp:
        * runtime/StringPrototype.cpp:
        * testRegExp.cpp: Removed the ASSERT.

2012-10-11  Filip Pizlo  <fpizlo@apple.com>

        DFG should inline code blocks that use new_array_buffer
        https://bugs.webkit.org/show_bug.cgi?id=98996

        Reviewed by Geoffrey Garen.

        This adds plumbing to drop in constant buffers from the inlinees to the inliner.
        It's smart about not duplicating buffers needlessly but doesn't try to completely
        hash-cons them, either.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::numberOfConstantBuffers):
        (JSC::CodeBlock::addConstantBuffer):
        (JSC::CodeBlock::constantBufferAsVector):
        (JSC::CodeBlock::constantBuffer):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (ConstantBufferKey):
        (JSC::DFG::ConstantBufferKey::ConstantBufferKey):
        (JSC::DFG::ConstantBufferKey::operator==):
        (JSC::DFG::ConstantBufferKey::hash):
        (JSC::DFG::ConstantBufferKey::isHashTableDeletedValue):
        (JSC::DFG::ConstantBufferKey::codeBlock):
        (JSC::DFG::ConstantBufferKey::index):
        (DFG):
        (JSC::DFG::ConstantBufferKeyHash::hash):
        (JSC::DFG::ConstantBufferKeyHash::equal):
        (ConstantBufferKeyHash):
        (WTF):
        (ByteCodeParser):
        (InlineStackEntry):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canInlineOpcode):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2012-10-10  Zoltan Horvath  <zoltan@webkit.org>

        Pageload tests should measure memory usage
        https://bugs.webkit.org/show_bug.cgi?id=93958

        Reviewed by Ryosuke Niwa.

        Add JS Heap and Heap memory measurement to PageLoad tests.

        * heap/HeapStatistics.cpp:
        (JSC::HeapStatistics::usedJSHeap): Add new private function to expose the used JS Heap size.
        (JSC):
        * heap/HeapStatistics.h:
        (HeapStatistics): Add new private function to expose the used JS Heap size.

2012-10-10  Balazs Kilvady  <kilvadyb@homejinni.com>

        RegisterFile to JSStack rename fix for a struct member.

        Compilation problem in debug build on MIPS
        https://bugs.webkit.org/show_bug.cgi?id=98808

        Reviewed by Alexey Proskuryakov.

        In ASSERT conditions structure field name "registerFile" was replaced
        with type name "JSStack" and it should be "stack".

        * jit/JITStubs.cpp:
        (JSC::JITThunks::JITThunks): structure member name fix.

2012-10-10  Michael Saboff  <msaboff@apple.com>

        After r130344, OpaqueJSString::string() shouldn't directly return the wrapped String
        https://bugs.webkit.org/show_bug.cgi?id=98801

        Reviewed by Geoffrey Garen.

        Return a copy of the wrapped String so that the wrapped string cannot be turned into 
        an Identifier.

        * API/OpaqueJSString.cpp:
        (OpaqueJSString::string):
        * API/OpaqueJSString.h:
        (OpaqueJSString):

2012-10-10  Peter Gal  <galpeter@inf.u-szeged.hu>

        Add moveDoubleToInts and moveIntsToDouble to MacroAssemblerARM
        https://bugs.webkit.org/show_bug.cgi?id=98855

        Reviewed by Filip Pizlo.

        Implement the missing moveDoubleToInts and moveIntsToDouble
        methods in the MacroAssemblerARM after r130839.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::moveDoubleToInts):
        (MacroAssemblerARM):
        (JSC::MacroAssemblerARM::moveIntsToDouble):

2012-10-09  Filip Pizlo  <fpizlo@apple.com>

        Typed arrays should not be 20x slower in the baseline JIT than in the DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=98605

        Reviewed by Oliver Hunt and Gavin Barraclough.

        This adds typed array get_by_val/put_by_val patching to the baseline JIT. It's
        a big (~40%) win on benchmarks that have trouble staying in the DFG JIT. Even
        if we fix those benchmarks, this functionality gives us the insurance that we
        typically desire with all speculative optimizations: even if we bail to
        baseline, we're still reasonably performant.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * assembler/MacroAssembler.cpp: Added.
        (JSC):
        * assembler/MacroAssembler.h:
        (MacroAssembler):
        (JSC::MacroAssembler::patchableBranchPtr):
        * assembler/MacroAssemblerARMv7.h:
        (MacroAssemblerARMv7):
        (JSC::MacroAssemblerARMv7::moveDoubleToInts):
        (JSC::MacroAssemblerARMv7::moveIntsToDouble):
        (JSC::MacroAssemblerARMv7::patchableBranchPtr):
        * assembler/MacroAssemblerX86.h:
        (MacroAssemblerX86):
        (JSC::MacroAssemblerX86::moveDoubleToInts):
        (JSC::MacroAssemblerX86::moveIntsToDouble):
        * bytecode/ByValInfo.h:
        (JSC::hasOptimizableIndexingForClassInfo):
        (JSC):
        (JSC::hasOptimizableIndexing):
        (JSC::jitArrayModeForClassInfo):
        (JSC::jitArrayModeForStructure):
        (JSC::ByValInfo::ByValInfo):
        (ByValInfo):
        * dfg/DFGAssemblyHelpers.cpp:
        (DFG):
        * dfg/DFGAssemblyHelpers.h:
        (AssemblyHelpers):
        (JSC::DFG::AssemblyHelpers::boxDouble):
        (JSC::DFG::AssemblyHelpers::unboxDouble):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        * jit/JIT.h:
        (JIT):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::privateCompileGetByVal):
        (JSC::JIT::privateCompilePutByVal):
        (JSC::JIT::emitIntTypedArrayGetByVal):
        (JSC):
        (JSC::JIT::emitFloatTypedArrayGetByVal):
        (JSC::JIT::emitIntTypedArrayPutByVal):
        (JSC::JIT::emitFloatTypedArrayPutByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emit_op_put_by_val):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/JSCell.h:
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        (JSC::JSGlobalData::typedArrayDescriptor):
        * runtime/TypedArrayDescriptor.h: Added.
        (JSC):
        (JSC::TypedArrayDescriptor::TypedArrayDescriptor):
        (TypedArrayDescriptor):

2012-10-09  Michael Saboff  <msaboff@apple.com>

        Add tests to testapi for null OpaqueJSStrings
        https://bugs.webkit.org/show_bug.cgi?id=98805

        Reviewed by Geoffrey Garen.

        Added tests that check that OpaqueJSString, which is wrapped via JSStringRef, properly returns
        null strings and that a null string in a JSStringRef will return a NULL JSChar* and 0 length
        via the JSStringGetCharactersPtr() and JSStringGetLength() APIs respectively. Added a check that 
        JSValueMakeFromJSONString() properly handles a null string as well.

        * API/tests/testapi.c:
        (main):

2012-10-09  Jian Li  <jianli@chromium.org>

        Update the CSS property used to support draggable regions.
        https://bugs.webkit.org/show_bug.cgi?id=97156

        Reviewed by Adam Barth.

        The CSS property to support draggable regions, guarded under
        WIDGET_REGION is now disabled from Mac WebKit, in order not to cause
        confusion with DASHBOARD_SUPPORT feature.

        * Configurations/FeatureDefines.xcconfig: Disable WIDGET_REGION feature.

2012-10-09  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, adding forgotten files.

        * bytecode/ByValInfo.h: Added.
        (JSC):
        (JSC::isOptimizableIndexingType):
        (JSC::jitArrayModeForIndexingType):
        (JSC::ByValInfo::ByValInfo):
        (ByValInfo):
        (JSC::getByValInfoBytecodeIndex):
        * runtime/IndexingType.cpp: Added.
        (JSC):
        (JSC::indexingTypeToString):

2012-10-08  Filip Pizlo  <fpizlo@apple.com>

        JSC should infer when indexed storage is contiguous, and optimize for it
        https://bugs.webkit.org/show_bug.cgi?id=97288

        Reviewed by Mark Hahnenberg.

        This introduces a new kind of indexed property storage called Contiguous,
        which has the following properties:
        
        - No header bits beyond IndexedHeader. This results in a 16 byte reduction
          in memory usage per array versus an ArrayStorage array. It also means
          that the total memory usage for an empty array is now just 3 * 8 on both
          32-bit and 64-bit. Of that, only 8 bytes are array-specific; the rest is
          our standard object header overhead.
        
        - No need for hole checks on store. This results in a ~4% speed-up on
          Kraken and a ~1% speed-up on V8v7.
        
        - publicLength <= vectorLength. This means that doing new Array(blah)
          immediately allocates room for blah elements.
        
        - No sparse map or index bias.
        
        If you ever do things to an array that would require publicLength >
        vectorLength, a sparse map, or index bias, then we switch to ArrayStorage
        mode. This seems to never happen in any benchmark we track, and is unlikely
        to happen very frequently on any website.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::JumpList::append):
        * assembler/MacroAssembler.h:
        (MacroAssembler):
        (JSC::MacroAssembler::patchableBranchTest32):
        * bytecode/ByValInfo.h: Added.
        (JSC):
        (JSC::isOptimizableIndexingType):
        (JSC::jitArrayModeForIndexingType):
        (JSC::ByValInfo::ByValInfo):
        (ByValInfo):
        (JSC::getByValInfoBytecodeIndex):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        (JSC::CodeBlock::getByValInfo):
        (JSC::CodeBlock::setNumberOfByValInfos):
        (JSC::CodeBlock::numberOfByValInfos):
        (JSC::CodeBlock::byValInfo):
        * bytecode/SamplingTool.h:
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::fromObserved):
        (JSC::DFG::modeAlreadyChecked):
        (JSC::DFG::modeToString):
        * dfg/DFGArrayMode.h:
        (DFG):
        (JSC::DFG::modeUsesButterfly):
        (JSC::DFG::modeIsJSArray):
        (JSC::DFG::isInBoundsAccess):
        (JSC::DFG::mayStoreToTail):
        (JSC::DFG::mayStoreToHole):
        (JSC::DFG::modeIsPolymorphic):
        (JSC::DFG::polymorphicIncludesContiguous):
        (JSC::DFG::polymorphicIncludesArrayStorage):
        (JSC::DFG::canCSEStorage):
        (JSC::DFG::modeSupportsLength):
        (JSC::DFG::benefitsFromStructureCheck):
        (JSC::DFG::isEffectful):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::getArrayLengthElimination):
        (JSC::DFG::CSEPhase::getByValLoadElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::checkArray):
        (JSC::DFG::FixupPhase::blessArrayOperation):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::byValIsPure):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryCacheGetByID):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArray):
        (JSC::DFG::SpeculativeJIT::arrayify):
        (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
        (JSC::DFG::SpeculativeJIT::temporaryRegisterForPutByVal):
        (DFG):
        * dfg/DFGSpeculativeJIT.h:
        (DFG):
        (JSC::DFG::SpeculativeJIT::callOperation):
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::putByValWillNeedExtraRegister):
        (JSC::DFG::SpeculativeJIT::temporaryRegisterForPutByVal):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileContiguousGetByVal):
        (DFG):
        (JSC::DFG::SpeculativeJIT::compileArrayStorageGetByVal):
        (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
        (JSC::DFG::SpeculativeJIT::compileArrayStoragePutByVal):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileContiguousGetByVal):
        (DFG):
        (JSC::DFG::SpeculativeJIT::compileArrayStorageGetByVal):
        (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
        (JSC::DFG::SpeculativeJIT::compileArrayStoragePutByVal):
        (JSC::DFG::SpeculativeJIT::compile):
        * interpreter/Interpreter.cpp:
        (SamplingScope):
        (JSC::SamplingScope::SamplingScope):
        (JSC::SamplingScope::~SamplingScope):
        (JSC):
        (JSC::Interpreter::execute):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        (JSC::ByValCompilationInfo::ByValCompilationInfo):
        (ByValCompilationInfo):
        (JSC):
        (JIT):
        (JSC::JIT::compileGetByVal):
        (JSC::JIT::compilePutByVal):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitAllocateJSArray):
        (JSC::JIT::emitArrayProfileStoreToHoleSpecialCase):
        (JSC):
        (JSC::arrayProfileSaw):
        (JSC::JIT::chooseArrayMode):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emitSlow_op_get_argument_by_val):
        (JSC::JIT::emit_op_new_array):
        (JSC::JIT::emitSlow_op_new_array):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emitSlow_op_get_argument_by_val):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC):
        (JSC::JIT::emitContiguousGetByVal):
        (JSC::JIT::emitArrayStorageGetByVal):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emitContiguousPutByVal):
        (JSC::JIT::emitArrayStoragePutByVal):
        (JSC::JIT::emitSlow_op_put_by_val):
        (JSC::JIT::privateCompilePatchGetArrayLength):
        (JSC::JIT::privateCompileGetByVal):
        (JSC::JIT::privateCompilePutByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC):
        (JSC::JIT::emitContiguousGetByVal):
        (JSC::JIT::emitArrayStorageGetByVal):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emitContiguousPutByVal):
        (JSC::JIT::emitArrayStoragePutByVal):
        (JSC::JIT::emitSlow_op_put_by_val):
        * jit/JITStubs.cpp:
        (JSC::getByVal):
        (JSC):
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC::putByVal):
        * jit/JITStubs.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/ArrayConventions.h:
        (JSC::isDenseEnoughForVector):
        * runtime/ArrayPrototype.cpp:
        (JSC):
        (JSC::shift):
        (JSC::unshift):
        (JSC::arrayProtoFuncPush):
        (JSC::arrayProtoFuncShift):
        (JSC::arrayProtoFuncSplice):
        (JSC::arrayProtoFuncUnShift):
        * runtime/Butterfly.h:
        (Butterfly):
        (JSC::Butterfly::fromPointer):
        (JSC::Butterfly::pointer):
        (JSC::Butterfly::publicLength):
        (JSC::Butterfly::vectorLength):
        (JSC::Butterfly::setPublicLength):
        (JSC::Butterfly::setVectorLength):
        (JSC::Butterfly::contiguous):
        (JSC::Butterfly::fromContiguous):
        * runtime/ButterflyInlineMethods.h:
        (JSC::Butterfly::unshift):
        (JSC::Butterfly::shift):
        * runtime/IndexingHeaderInlineMethods.h:
        (JSC::IndexingHeader::indexingPayloadSizeInBytes):
        * runtime/IndexingType.cpp: Added.
        (JSC):
        (JSC::indexingTypeToString):
        * runtime/IndexingType.h:
        (JSC):
        (JSC::hasContiguous):
        * runtime/JSArray.cpp:
        (JSC::JSArray::setLengthWithArrayStorage):
        (JSC::JSArray::setLength):
        (JSC):
        (JSC::JSArray::pop):
        (JSC::JSArray::push):
        (JSC::JSArray::shiftCountWithArrayStorage):
        (JSC::JSArray::shiftCountWithAnyIndexingType):
        (JSC::JSArray::unshiftCountWithArrayStorage):
        (JSC::JSArray::unshiftCountWithAnyIndexingType):
        (JSC::JSArray::sortNumericVector):
        (JSC::JSArray::sortNumeric):
        (JSC::JSArray::sortCompactedVector):
        (JSC::JSArray::sort):
        (JSC::JSArray::sortVector):
        (JSC::JSArray::fillArgList):
        (JSC::JSArray::copyToArguments):
        (JSC::JSArray::compactForSorting):
        * runtime/JSArray.h:
        (JSC::JSArray::shiftCountForShift):
        (JSC::JSArray::shiftCountForSplice):
        (JSArray):
        (JSC::JSArray::shiftCount):
        (JSC::JSArray::unshiftCountForShift):
        (JSC::JSArray::unshiftCountForSplice):
        (JSC::JSArray::unshiftCount):
        (JSC::JSArray::isLengthWritable):
        (JSC::createContiguousArrayButterfly):
        (JSC):
        (JSC::JSArray::create):
        (JSC::JSArray::tryCreateUninitialized):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC):
        (JSC::JSGlobalObject::haveABadTime):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSGlobalObject):
        (JSC::JSGlobalObject::arrayStructureWithArrayStorage):
        (JSC::JSGlobalObject::addressOfArrayStructureWithArrayStorage):
        (JSC::constructEmptyArray):
        * runtime/JSObject.cpp:
        (JSC::JSObject::visitButterfly):
        (JSC::JSObject::getOwnPropertySlotByIndex):
        (JSC::JSObject::putByIndex):
        (JSC::JSObject::enterDictionaryIndexingMode):
        (JSC::JSObject::createInitialContiguous):
        (JSC):
        (JSC::JSObject::createArrayStorage):
        (JSC::JSObject::convertContiguousToArrayStorage):
        (JSC::JSObject::ensureContiguousSlow):
        (JSC::JSObject::ensureArrayStorageSlow):
        (JSC::JSObject::ensureIndexedStorageSlow):
        (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
        (JSC::JSObject::switchToSlowPutArrayStorage):
        (JSC::JSObject::setPrototype):
        (JSC::JSObject::deletePropertyByIndex):
        (JSC::JSObject::getOwnPropertyNames):
        (JSC::JSObject::defineOwnIndexedProperty):
        (JSC::JSObject::putByIndexBeyondVectorLengthContiguousWithoutAttributes):
        (JSC::JSObject::putByIndexBeyondVectorLength):
        (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
        (JSC::JSObject::putDirectIndexBeyondVectorLength):
        (JSC::JSObject::getNewVectorLength):
        (JSC::JSObject::countElementsInContiguous):
        (JSC::JSObject::increaseVectorLength):
        (JSC::JSObject::ensureContiguousLengthSlow):
        (JSC::JSObject::getOwnPropertyDescriptor):
        * runtime/JSObject.h:
        (JSC::JSObject::getArrayLength):
        (JSC::JSObject::getVectorLength):
        (JSC::JSObject::canGetIndexQuickly):
        (JSC::JSObject::getIndexQuickly):
        (JSC::JSObject::tryGetIndexQuickly):
        (JSC::JSObject::canSetIndexQuickly):
        (JSC::JSObject::canSetIndexQuicklyForPutDirect):
        (JSC::JSObject::setIndexQuickly):
        (JSC::JSObject::initializeIndex):
        (JSC::JSObject::hasSparseMap):
        (JSC::JSObject::inSparseIndexingMode):
        (JSObject):
        (JSC::JSObject::ensureContiguous):
        (JSC::JSObject::ensureIndexedStorage):
        (JSC::JSObject::ensureContiguousLength):
        (JSC::JSObject::indexingData):
        (JSC::JSObject::relevantLength):
        * runtime/JSValue.cpp:
        (JSC::JSValue::description):
        * runtime/Options.cpp:
        (JSC::Options::initialize):
        * runtime/Structure.cpp:
        (JSC::Structure::needsSlowPutIndexing):
        (JSC):
        (JSC::Structure::suggestedArrayStorageTransition):
        * runtime/Structure.h:
        (Structure):
        * runtime/StructureTransitionTable.h:
        (JSC::newIndexingType):

2012-10-09  Michael Saboff  <msaboff@apple.com>

        After r130344, OpaqueJSString::identifier() adds wrapped String to identifier table
        https://bugs.webkit.org/show_bug.cgi?id=98693
        REGRESSION (r130344): Install failed in Install Environment
        <rdar://problem/12450118>

        Reviewed by Mark Rowe.

        Use Identifier(LChar*, length) or Identifier(UChar*, length) constructors so that we don't
        add the String instance in the OpaqueJSString to any identifier tables.

        * API/OpaqueJSString.cpp:
        (OpaqueJSString::identifier):

2012-10-08  Mark Lam  <mark.lam@apple.com>

        Renamed RegisterFile to JSStack, and removed prototype of the
        previously deleted Interpreter::privateExecute().
        https://bugs.webkit.org/show_bug.cgi?id=98717.

        Reviewed by Filip Pizlo.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.order:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/BytecodeConventions.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::nameForRegister):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        * bytecode/ValueRecovery.h:
        (JSC::ValueRecovery::alreadyInJSStack):
        (JSC::ValueRecovery::alreadyInJSStackAsUnboxedInt32):
        (JSC::ValueRecovery::alreadyInJSStackAsUnboxedCell):
        (JSC::ValueRecovery::alreadyInJSStackAsUnboxedBoolean):
        (JSC::ValueRecovery::alreadyInJSStackAsUnboxedDouble):
        (JSC::ValueRecovery::displacedInJSStack):
        (JSC::ValueRecovery::isAlreadyInJSStack):
        (JSC::ValueRecovery::virtualRegister):
        (JSC::ValueRecovery::dump):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::resolveCallee):
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitConstruct):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::registerFor):
        * dfg/DFGAbstractState.h:
        (AbstractState):
        * dfg/DFGAssemblyHelpers.h:
        (JSC::DFG::AssemblyHelpers::emitGetFromCallFrameHeaderPtr):
        (JSC::DFG::AssemblyHelpers::emitPutToCallFrameHeader):
        (JSC::DFG::AssemblyHelpers::emitPutImmediateToCallFrameHeader):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getDirect):
        (JSC::DFG::ByteCodeParser::findArgumentPositionForLocal):
        (JSC::DFG::ByteCodeParser::addCall):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::remapOperand):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGGenerationInfo.h:
        (GenerationInfo):
        (JSC::DFG::GenerationInfo::needsSpill):
        * dfg/DFGGraph.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileEntry):
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::beginCall):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryBuildGetByIDList):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::spill):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillInteger):
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::throwExceptionFromCallSlowPathGenerator):
        (JSC::DFG::slowPathFor):
        (JSC::DFG::virtualForThunkGenerator):
        * dfg/DFGValueSource.cpp:
        (JSC::DFG::ValueSource::dump):
        * dfg/DFGValueSource.h:
        (JSC::DFG::dataFormatToValueSourceKind):
        (JSC::DFG::valueSourceKindToDataFormat):
        (JSC::DFG::isInJSStack):
        (JSC::DFG::ValueSource::forSpeculation):
        (JSC::DFG::ValueSource::isInJSStack):
        (JSC::DFG::ValueSource::valueRecovery):
        * dfg/DFGVariableEventStream.cpp:
        (JSC::DFG::VariableEventStream::reconstruct):
        * heap/Heap.cpp:
        (JSC::Heap::stack):
        (JSC::Heap::getConservativeRegisterRoots):
        (JSC::Heap::markRoots):
        * heap/Heap.h:
        (JSC):
        (Heap):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::stack):
        * interpreter/CallFrame.h:
        (JSC::ExecState::calleeAsValue):
        (JSC::ExecState::callee):
        (JSC::ExecState::codeBlock):
        (JSC::ExecState::scope):
        (JSC::ExecState::callerFrame):
        (JSC::ExecState::returnPC):
        (JSC::ExecState::hasReturnPC):
        (JSC::ExecState::clearReturnPC):
        (JSC::ExecState::bytecodeOffsetForNonDFGCode):
        (JSC::ExecState::setBytecodeOffsetForNonDFGCode):
        (JSC::ExecState::inlineCallFrame):
        (JSC::ExecState::codeOriginIndexForDFG):
        (JSC::ExecState::currentVPC):
        (JSC::ExecState::setCurrentVPC):
        (JSC::ExecState::setCallerFrame):
        (JSC::ExecState::setScope):
        (JSC::ExecState::init):
        (JSC::ExecState::argumentCountIncludingThis):
        (JSC::ExecState::offsetFor):
        (JSC::ExecState::setArgumentCountIncludingThis):
        (JSC::ExecState::setCallee):
        (JSC::ExecState::setCodeBlock):
        (JSC::ExecState::setReturnPC):
        (JSC::ExecState::setInlineCallFrame):
        (ExecState):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::slideRegisterWindowForCall):
        (JSC::eval):
        (JSC::loadVarargs):
        (JSC::Interpreter::dumpRegisters):
        (JSC::Interpreter::throwException):
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall):
        (JSC::Interpreter::endRepeatCall):
        * interpreter/Interpreter.h:
        (JSC::Interpreter::stack):
        (Interpreter):
        (JSC::Interpreter::execute):
        (JSC):
        * interpreter/JSStack.cpp: Copied from Source/JavaScriptCore/interpreter/RegisterFile.cpp.
        (JSC::stackStatisticsMutex):
        (JSC::JSStack::~JSStack):
        (JSC::JSStack::growSlowCase):
        (JSC::JSStack::gatherConservativeRoots):
        (JSC::JSStack::releaseExcessCapacity):
        (JSC::JSStack::initializeThreading):
        (JSC::JSStack::committedByteCount):
        (JSC::JSStack::addToCommittedByteCount):
        * interpreter/JSStack.h: Copied from Source/JavaScriptCore/interpreter/RegisterFile.h.
        (JSStack):
        (JSC::JSStack::JSStack):
        (JSC::JSStack::shrink):
        (JSC::JSStack::grow):
        * interpreter/RegisterFile.cpp: Removed.
        * interpreter/RegisterFile.h: Removed.
        * interpreter/VMInspector.cpp:
        (JSC::VMInspector::dumpFrame):
        * jit/JIT.cpp:
        (JSC::JIT::JIT):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        (JSC):
        (JIT):
        * jit/JITCall.cpp:
        (JSC::JIT::compileLoadVarargs):
        (JSC::JIT::compileCallEval):
        (JSC::JIT::compileCallEvalSlowCase):
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::emit_op_ret):
        (JSC::JIT::emit_op_ret_object_or_this):
        (JSC::JIT::compileLoadVarargs):
        (JSC::JIT::compileCallEval):
        (JSC::JIT::compileCallEvalSlowCase):
        (JSC::JIT::compileOpCall):
        * jit/JITCode.h:
        (JSC):
        (JSC::JITCode::execute):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitPutToCallFrameHeader):
        (JSC::JIT::emitPutCellToCallFrameHeader):
        (JSC::JIT::emitPutIntToCallFrameHeader):
        (JSC::JIT::emitPutImmediateToCallFrameHeader):
        (JSC::JIT::emitGetFromCallFrameHeaderPtr):
        (JSC::JIT::emitGetFromCallFrameHeader32):
        (JSC::JIT::updateTopCallFrame):
        (JSC::JIT::unmap):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::privateCompileCTIMachineTrampolines):
        (JSC::JIT::privateCompileCTINativeCall):
        (JSC::JIT::emit_op_end):
        (JSC::JIT::emit_op_ret):
        (JSC::JIT::emit_op_ret_object_or_this):
        (JSC::JIT::emit_op_create_this):
        (JSC::JIT::emit_op_get_arguments_length):
        (JSC::JIT::emit_op_get_argument_by_val):
        (JSC::JIT::emit_op_resolve_global_dynamic):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTIMachineTrampolines):
        (JSC::JIT::privateCompileCTINativeCall):
        (JSC::JIT::emit_op_end):
        (JSC::JIT::emit_op_create_this):
        (JSC::JIT::emit_op_get_arguments_length):
        (JSC::JIT::emit_op_get_argument_by_val):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_scoped_var):
        (JSC::JIT::emit_op_put_scoped_var):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_scoped_var):
        (JSC::JIT::emit_op_put_scoped_var):
        * jit/JITStubs.cpp:
        (JSC::ctiTrampoline):
        (JSC::JITThunks::JITThunks):
        (JSC):
        (JSC::DEFINE_STUB_FUNCTION):
        * jit/JITStubs.h:
        (JSC):
        (JITStackFrame):
        * jit/JSInterfaceJIT.h:
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::SpecializedThunkJIT):
        (JSC::SpecializedThunkJIT::returnJSValue):
        (JSC::SpecializedThunkJIT::returnDouble):
        (JSC::SpecializedThunkJIT::returnInt32):
        (JSC::SpecializedThunkJIT::returnJSCell):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LLIntOffsetsExtractor.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::genericCall):
        * llint/LLIntSlowPaths.h:
        (LLInt):
        * llint/LowLevelInterpreter.asm:
        * runtime/Arguments.cpp:
        (JSC::Arguments::tearOffForInlineCallFrame):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::arityCheckFor):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreadingOnce):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::visitChildren):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::globalExec):
        * runtime/JSGlobalObject.h:
        (JSC):
        (JSGlobalObject):
        * runtime/JSLock.cpp:
        (JSC):
        * runtime/JSVariableObject.h:
        (JSVariableObject):
        * runtime/MemoryStatistics.cpp:
        (JSC::globalMemoryStatistics):

2012-10-08  Kiran Muppala  <cmuppala@apple.com>

        Throttle DOM timers on hidden pages.
        https://bugs.webkit.org/show_bug.cgi?id=98474

        Reviewed by Maciej Stachowiak.

        Add HIDDEN_PAGE_DOM_TIMER_THROTTLING feature define.

        * Configurations/FeatureDefines.xcconfig:

2012-10-08  Michael Saboff  <msaboff@apple.com>

        After r130344, OpaqueJSString() creates an empty string which should be a null string
        https://bugs.webkit.org/show_bug.cgi?id=98417

        Reviewed by Sam Weinig.

        Changed create() of a null string to return 0. This is the same behavior as before r130344.

        * API/OpaqueJSString.cpp:
        (OpaqueJSString::create):

2012-10-07  Caio Marcelo de Oliveira Filho  <caio.oliveira@openbossa.org>

        Rename first/second to key/value in HashMap iterators
        https://bugs.webkit.org/show_bug.cgi?id=82784

        Reviewed by Eric Seidel.

        * API/JSCallbackObject.h:
        (JSC::JSCallbackObjectData::JSPrivatePropertyMap::getPrivateProperty):
        (JSC::JSCallbackObjectData::JSPrivatePropertyMap::setPrivateProperty):
        (JSC::JSCallbackObjectData::JSPrivatePropertyMap::visitChildren):
        * API/JSCallbackObjectFunctions.h:
        (JSC::::getOwnNonIndexPropertyNames):
        * API/JSClassRef.cpp:
        (OpaqueJSClass::~OpaqueJSClass):
        (OpaqueJSClassContextData::OpaqueJSClassContextData):
        (OpaqueJSClass::contextData):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
        (JSC::EvalCodeCache::visitAggregate):
        (JSC::CodeBlock::nameForRegister):
        * bytecode/JumpTable.h:
        (JSC::StringJumpTable::offsetForValue):
        (JSC::StringJumpTable::ctiForValue):
        * bytecode/LazyOperandValueProfile.cpp:
        (JSC::LazyOperandValueProfileParser::getIfPresent):
        * bytecode/SamplingTool.cpp:
        (JSC::SamplingTool::dump):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::addVar):
        (JSC::BytecodeGenerator::addGlobalVar):
        (JSC::BytecodeGenerator::addConstant):
        (JSC::BytecodeGenerator::addConstantValue):
        (JSC::BytecodeGenerator::emitLoad):
        (JSC::BytecodeGenerator::addStringConstant):
        (JSC::BytecodeGenerator::emitLazyNewFunction):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::PropertyListNode::emitBytecode):
        * debugger/Debugger.cpp:
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        (JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUse):
        (JSC::DFG::ArgumentsSimplificationPhase::observeProperArgumentsUse):
        (JSC::DFG::ArgumentsSimplificationPhase::isOKToOptimize):
        (JSC::DFG::ArgumentsSimplificationPhase::removeArgumentsReferencingPhantomChild):
        * dfg/DFGAssemblyHelpers.cpp:
        (JSC::DFG::AssemblyHelpers::decodedCodeMapFor):
        * dfg/DFGByteCodeCache.h:
        (JSC::DFG::ByteCodeCache::~ByteCodeCache):
        (JSC::DFG::ByteCodeCache::get):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::cellConstant):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGStructureCheckHoistingPhase.cpp:
        (JSC::DFG::StructureCheckHoistingPhase::run):
        (JSC::DFG::StructureCheckHoistingPhase::noticeStructureCheck):
        (JSC::DFG::StructureCheckHoistingPhase::noticeClobber):
        * heap/Heap.cpp:
        (JSC::Heap::markProtectedObjects):
        * heap/Heap.h:
        (JSC::Heap::forEachProtectedCell):
        * heap/JITStubRoutineSet.cpp:
        (JSC::JITStubRoutineSet::markSlow):
        (JSC::JITStubRoutineSet::deleteUnmarkedJettisonedStubRoutines):
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::internalAppend):
        * heap/Weak.h:
        (JSC::weakRemove):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JITStubs.cpp:
        (JSC::JITThunks::ctiStub):
        * parser/Parser.cpp:
        (JSC::::parseStrictObjectLiteral):
        * profiler/Profile.cpp:
        (JSC::functionNameCountPairComparator):
        (JSC::Profile::debugPrintDataSampleStyle):
        * runtime/Identifier.cpp:
        (JSC::Identifier::add):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::getOwnNonIndexPropertyNames):
        (JSC::JSActivation::symbolTablePutWithAttributes):
        * runtime/JSArray.cpp:
        (JSC::JSArray::setLength):
        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnPropertySlotByIndex):
        (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
        (JSC::JSObject::deletePropertyByIndex):
        (JSC::JSObject::getOwnPropertyNames):
        (JSC::JSObject::defineOwnIndexedProperty):
        (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
        (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
        (JSC::JSObject::getOwnPropertyDescriptor):
        * runtime/JSSymbolTableObject.cpp:
        (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTableGet):
        (JSC::symbolTablePut):
        (JSC::symbolTablePutWithAttributes):
        * runtime/RegExpCache.cpp:
        (JSC::RegExpCache::invalidateCode):
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayValueMap::putEntry):
        (JSC::SparseArrayValueMap::putDirect):
        (JSC::SparseArrayValueMap::visitChildren):
        * runtime/WeakGCMap.h:
        (JSC::WeakGCMap::clear):
        (JSC::WeakGCMap::set):
        * tools/ProfileTreeNode.h:
        (JSC::ProfileTreeNode::sampleChild):
        (JSC::ProfileTreeNode::childCount):
        (JSC::ProfileTreeNode::dumpInternal):
        (JSC::ProfileTreeNode::compareEntries):

2012-10-05  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSC should have a way to gather and log Heap memory use and pause times
        https://bugs.webkit.org/show_bug.cgi?id=98431

        Reviewed by Geoffrey Garen.

        In order to improve our infrastructure for benchmark-driven development, we should 
        have a centralized method of gathering and logging various statistics about the state 
        of the JS heap. This would allow us to create and to use other tools to analyze the 
        output of the VM after running various workloads.

        The first two statistics that might be interesting is memory use by JSC and GC pause 
        times. We can control whether this recording happens through the use of the Options 
        class, allowing us to either use environment variables or command line flags.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/Heap.cpp:
        (JSC::Heap::collect): If we finish a collection and are still over our set GC heap size, 
        we end the program immediately and report an error. Also added recording of pause times.
        * heap/Heap.h:
        (Heap):
        (JSC::Heap::shouldCollect): When we set a specific GC heap size through Options, we 
        ignore all other heuristics on when we should collect and instead only ask if we're 
        greater than the amount specified in the Option value. This allows us to view time/memory 
        tradeoffs more clearly.
        * heap/HeapStatistics.cpp: Added.
        (JSC):
        (JSC::HeapStatistics::initialize):
        (JSC::HeapStatistics::recordGCPauseTime):
        (JSC::HeapStatistics::logStatistics):
        (JSC::HeapStatistics::exitWithFailure):
        (JSC::HeapStatistics::reportSuccess):
        (JSC::HeapStatistics::parseMemoryAmount):
        (StorageStatistics):
        (JSC::StorageStatistics::StorageStatistics):
        (JSC::StorageStatistics::operator()):
        (JSC::StorageStatistics::objectWithOutOfLineStorageCount):
        (JSC::StorageStatistics::objectCount):
        (JSC::StorageStatistics::storageSize):
        (JSC::StorageStatistics::storageCapacity):
        (JSC::HeapStatistics::showObjectStatistics): Moved the old showHeapStatistics (renamed to showObjectStatistics) 
        to try to start collecting our various memory statistics gathering/reporting mechanisms scattered throughout the 
        codebase into one place.
        * heap/HeapStatistics.h: Added.
        (JSC):
        (HeapStatistics):
        * jsc.cpp:
        (main):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreadingOnce): We need to initialize our data structures for recording 
        statistics if necessary.
        * runtime/Options.cpp: Add new Options for the various types of statistics we'll be gathering.
        (JSC::parse):
        (JSC):
        (JSC::Options::initialize): Initialize the various new options using environment variables.
        (JSC::Options::dumpOption):
        * runtime/Options.h:
        (JSC):

2012-10-04  Rik Cabanier  <cabanier@adobe.com>

        Turn Compositing on by default in WebKit build
        https://bugs.webkit.org/show_bug.cgi?id=98315

        Reviewed by Simon Fraser.

        enable -webkit-blend-mode on trunk.

        * Configurations/FeatureDefines.xcconfig:

2012-10-04  Michael Saboff  <msaboff@apple.com>

        Crash in Safari at com.apple.JavaScriptCore: WTF::StringImpl::is8Bit const + 12
        https://bugs.webkit.org/show_bug.cgi?id=98433

        Reviewed by Jessie Berlin.

        The problem is due to a String with a null StringImpl (i.e. a null string).
        Added a length check before the is8Bit() check since length() checks for a null StringImpl.  Changed the
        characters16() call to characters() since it can handle a null StringImpl as well.

        * API/JSValueRef.cpp:
        (JSValueMakeFromJSONString):

2012-10-04  Benjamin Poulain  <bpoulain@apple.com>

        Use copyLCharsFromUCharSource() for IdentifierLCharFromUCharTranslator translation
        https://bugs.webkit.org/show_bug.cgi?id=98335

        Reviewed by Michael Saboff.

        Michael Saboff added an optimized version of UChar->LChar conversion in r125846.
        Use this function in JSC::Identifier.

        * runtime/Identifier.cpp:
        (JSC::IdentifierLCharFromUCharTranslator::translate):

2012-10-04  Michael Saboff  <msaboff@apple.com>

        After r130344, OpaqueJSString() creates a empty string which should be a null string
        https://bugs.webkit.org/show_bug.cgi?id=98417

        Reviewed by Alexey Proskuryakov.

        Removed the setting of enclosed string to an empty string from default constructor.
        Before changeset r130344, the semantic was the default constructor produced a null
        string.

        * API/OpaqueJSString.h:
        (OpaqueJSString::OpaqueJSString):

2012-10-04  Csaba Osztrogonác  <ossy@webkit.org>

        [Qt] Add missing LLInt dependencies to the build system
        https://bugs.webkit.org/show_bug.cgi?id=98394

        Reviewed by Geoffrey Garen.

        * DerivedSources.pri:
        * LLIntOffsetsExtractor.pro:

2012-10-03  Geoffrey Garen  <ggaren@apple.com>

        Next step toward fixing Windows: add new symbol.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-10-03  Geoffrey Garen  <ggaren@apple.com>

        First step toward fixing Windows: remove old symbol.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-10-03  Geoffrey Garen  <ggaren@apple.com>

        Removed the assumption that "final" objects have a fixed number of inline slots
        https://bugs.webkit.org/show_bug.cgi?id=98332

        Reviewed by Filip Pizlo.

        This is a step toward object size inference.

        I replaced the inline storage capacity constant with a data member per
        structure, set the the maximum supported value for the constant to 100,
        then fixed what broke. (Note that even though this patch increases the
        theoretical maximum inline capacity, it doesn't change any actual inline
        capacity.)

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::compileGetDirectOffset): These functions just get a rename:
        the constant they need is the first out of line offset along the offset
        number line, which is not necessarily the same thing (and is, in this
        patch, never the same thing) as the inline capacity of any given object.

        (JSC::JIT::emit_op_get_by_pname):
        * jit/JITPropertyAccess32_64.cpp: This function changes functionality,
        since it needs to convert from the abstract offset number line to an
        actual offset in memory, and it can't assume that inline and out-of-line
        offsets are contiguous on the number line.

        (JSC::JIT::compileGetDirectOffset): Updated for rename.

        (JSC::JIT::emit_op_get_by_pname): Same as emit_op_get_by_pname above.

        * llint/LowLevelInterpreter.asm: Updated to mirror changes in PropertyOffset.h,
        since we duplicate values from there.

        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm: Just like the JIT, most things are just
        renames, and get_by_pname changes to do more math. I also standardized
        offset calculations to use a hard-coded "-2", to match the JIT. This
        isn't really better, but it makes global search and replace easier,
        should we choose to refactor this code not to hard-code constants.

        I also renamed loadPropertyAtVariableOffsetKnownNotFinal to
        loadPropertyAtVariableOffsetKnownNotInline in order to sever the assumption
        that inline capacity is tied to object type, and I changed the 64bit LLInt
        to use this -- not using this previously seems to have been an oversight.

        * runtime/JSObject.cpp:
        (JSC::JSObject::visitChildren):
        (JSC::JSFinalObject::visitChildren):
        * runtime/JSObject.h:
        (JSC::JSObject::offsetForLocation):
        (JSNonFinalObject):
        (JSC::JSFinalObject::createStructure):
        (JSFinalObject):
        (JSC::JSFinalObject::finishCreation): Updated for above changes.

        * runtime/JSPropertyNameIterator.h:
        (JSPropertyNameIterator):
        (JSC::JSPropertyNameIterator::finishCreation): Store the inline capacity
        of our object, since it's not a constant.

        (JSC::JSPropertyNameIterator::getOffset): Removed. This function was
        wrong. Luckily, it was also unused, since the C++ interpreter is gone.

        * runtime/PropertyMapHashTable.h:
        (PropertyTable): Use a helper function instead of hard-coding assumptions
        about object types.

        (JSC::PropertyTable::nextOffset):
        * runtime/PropertyOffset.h:
        (JSC):
        (JSC::checkOffset):
        (JSC::validateOffset):
        (JSC::isInlineOffset):
        (JSC::numberOfSlotsForLastOffset):
        (JSC::propertyOffsetFor): Refactored these functions to take inline capacity
        as an argument, since it's not fixed at compile time anymore.

        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::flattenDictionaryStructure):
        (JSC::Structure::putSpecificValue):
        * runtime/Structure.h:
        (Structure):
        (JSC::Structure::outOfLineCapacity):
        (JSC::Structure::hasInlineStorage):
        (JSC::Structure::inlineCapacity):
        (JSC::Structure::inlineSize):
        (JSC::Structure::firstValidOffset):
        (JSC::Structure::lastValidOffset):
        (JSC::Structure::create): Removed some hard-coded assumptions about inline
        capacity and object type, and replaced with more liberal use of helper functions.

2012-10-03  Michael Saboff  <msaboff@apple.com>

        OpaqueJSString doesn't optimally handle 8 bit strings
        https://bugs.webkit.org/show_bug.cgi?id=98300

        Reviewed by Geoffrey Garen.

        Change OpaqueJSString to store and manage a String instead of a UChar buffer.
        The member string is a copy of any string used during creation.

        * API/OpaqueJSString.cpp:
        (OpaqueJSString::create):
        (OpaqueJSString::identifier):
        * API/OpaqueJSString.h:
        (OpaqueJSString::characters):
        (OpaqueJSString::length):
        (OpaqueJSString::string):
        (OpaqueJSString::OpaqueJSString):
        (OpaqueJSString):

2012-10-03  Filip Pizlo  <fpizlo@apple.com>

        Array.splice should be fast when it is used to remove elements other than the very first
        https://bugs.webkit.org/show_bug.cgi?id=98236

        Reviewed by Michael Saboff.

        Applied the same technique that was used to optimize the unshift case of splice in
        http://trac.webkit.org/changeset/129676.  This is a >20x speed-up on programs that
        use splice for element removal.

        * runtime/ArrayPrototype.cpp:
        (JSC::shift):
        * runtime/JSArray.cpp:
        (JSC::JSArray::shiftCount):
        * runtime/JSArray.h:
        (JSArray):

2012-09-16  Mark Hahnenberg  <mhahnenberg@apple.com>

        Delayed structure sweep can leak structures without bound
        https://bugs.webkit.org/show_bug.cgi?id=96546

        Reviewed by Geoffrey Garen.

        This patch gets rid of the separate Structure allocator in the MarkedSpace and adds two new destructor-only
        allocators. We now have separate allocators for our three types of objects: those objects with no destructors,
        those objects with destructors and with immortal structures, and those objects with destructors that don't have 
        immortal structures. All of the objects of the third type (destructors without immortal structures) now 
        inherit from a new class named JSDestructibleObject (which in turn is a subclass of JSNonFinalObject), which stores 
        the ClassInfo for these classes at a fixed offset for safe retrieval during sweeping/destruction.

        * API/JSCallbackConstructor.cpp: Use JSDestructibleObject for JSCallbackConstructor.
        (JSC):
        (JSC::JSCallbackConstructor::JSCallbackConstructor):
        * API/JSCallbackConstructor.h:
        (JSCallbackConstructor):
        * API/JSCallbackObject.cpp: Inherit from JSDestructibleObject for normal JSCallbackObjects and use a finalizer for 
        JSCallbackObject<JSGlobalObject>, since JSGlobalObject also uses a finalizer.
        (JSC):
        (JSC::::create): We need to move the create function for JSCallbackObject<JSGlobalObject> out of line so we can add 
        the finalizer for it. We don't want to add the finalizer is something like finishCreation in case somebody decides 
        to subclass this. We use this same technique for many other subclasses of JSGlobalObject.
        (JSC::::createStructure):
        * API/JSCallbackObject.h:
        (JSCallbackObject):
        (JSC):
        * API/JSClassRef.cpp: Change all the JSCallbackObject<JSNonFinalObject> to use JSDestructibleObject instead.
        (OpaqueJSClass::prototype):
        * API/JSObjectRef.cpp: Ditto.
        (JSObjectMake):
        (JSObjectGetPrivate):
        (JSObjectSetPrivate):
        (JSObjectGetPrivateProperty):
        (JSObjectSetPrivateProperty):
        (JSObjectDeletePrivateProperty):
        * API/JSValueRef.cpp: Ditto.
        (JSValueIsObjectOfClass):
        * API/JSWeakObjectMapRefPrivate.cpp: Ditto.
        * JSCTypedArrayStubs.h:
        (JSC):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGSpeculativeJIT.h: Use the proper allocator type when doing inline allocation in the DFG.
        (JSC::DFG::SpeculativeJIT::emitAllocateBasicJSObject):
        (JSC::DFG::SpeculativeJIT::emitAllocateJSFinalObject):
        * heap/Heap.cpp:
        (JSC):
        * heap/Heap.h: Add accessors for the various types of allocators now. Also remove the isSafeToSweepStructures function 
        since it's always safe to sweep Structures now.
        (JSC::Heap::allocatorForObjectWithNormalDestructor): 
        (JSC::Heap::allocatorForObjectWithImmortalStructureDestructor):
        (Heap):
        (JSC::Heap::allocateWithNormalDestructor):
        (JSC):
        (JSC::Heap::allocateWithImmortalStructureDestructor):
        * heap/IncrementalSweeper.cpp: Remove all the logic to detect when it's safe to sweep Structures from the 
        IncrementalSweeper since it's always safe to sweep Structures now.
        (JSC::IncrementalSweeper::IncrementalSweeper):
        (JSC::IncrementalSweeper::sweepNextBlock):
        (JSC::IncrementalSweeper::startSweeping):
        (JSC::IncrementalSweeper::willFinishSweeping):
        (JSC):
        * heap/IncrementalSweeper.h:
        (IncrementalSweeper):
        * heap/MarkedAllocator.cpp: Remove the logic that was preventing us from sweeping Structures if it wasn't safe. Add 
        tracking of the specific destructor type of allocator. 
        (JSC::MarkedAllocator::tryAllocateHelper):
        (JSC::MarkedAllocator::allocateBlock):
        * heap/MarkedAllocator.h:
        (JSC::MarkedAllocator::destructorType):
        (MarkedAllocator):
        (JSC::MarkedAllocator::MarkedAllocator):
        (JSC::MarkedAllocator::init):
        * heap/MarkedBlock.cpp: Add all the destructor type stuff to MarkedBlocks so that we do the right thing when sweeping. 
        We also use the stored destructor type to determine the right thing to do in all JSCell::classInfo() calls.
        (JSC::MarkedBlock::create):
        (JSC::MarkedBlock::MarkedBlock):
        (JSC):
        (JSC::MarkedBlock::specializedSweep):
        (JSC::MarkedBlock::sweep):
        (JSC::MarkedBlock::sweepHelper):
        * heap/MarkedBlock.h:
        (JSC):
        (JSC::MarkedBlock::allocator):
        (JSC::MarkedBlock::destructorType):
        * heap/MarkedSpace.cpp: Add the new destructor allocators to MarkedSpace.
        (JSC::MarkedSpace::MarkedSpace):
        (JSC::MarkedSpace::resetAllocators):
        (JSC::MarkedSpace::canonicalizeCellLivenessData):
        (JSC::MarkedSpace::isPagedOut):
        (JSC::MarkedSpace::freeBlock):
        * heap/MarkedSpace.h:
        (MarkedSpace):
        (JSC::MarkedSpace::immortalStructureDestructorAllocatorFor):
        (JSC::MarkedSpace::normalDestructorAllocatorFor):
        (JSC::MarkedSpace::allocateWithImmortalStructureDestructor):
        (JSC::MarkedSpace::allocateWithNormalDestructor):
        (JSC::MarkedSpace::forEachBlock):
        * heap/SlotVisitor.cpp: Add include because the symbol was needed in an inlined function.
        * jit/JIT.h: Make sure we use the correct allocator when doing inline allocations in the baseline JIT.
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitAllocateBasicJSObject):
        (JSC::JIT::emitAllocateJSFinalObject):
        (JSC::JIT::emitAllocateJSArray):
        * jsc.cpp: 
        (GlobalObject::create): Add finalizer here since JSGlobalObject needs to use a finalizer instead of inheriting from 
        JSDestructibleObject.
        * runtime/Arguments.cpp: Inherit from JSDestructibleObject.
        (JSC):
        * runtime/Arguments.h:
        (Arguments):
        (JSC::Arguments::Arguments):
        * runtime/ErrorPrototype.cpp: Added an assert to make sure we have a trivial destructor.
        (JSC):
        * runtime/Executable.h: Indicate that all of the Executable* classes have immortal Structures.
        (JSC):
        * runtime/InternalFunction.cpp: Inherit from JSDestructibleObject.
        (JSC):
        (JSC::InternalFunction::InternalFunction):
        * runtime/InternalFunction.h:
        (InternalFunction):
        * runtime/JSCell.h: Added two static bools, needsDestruction and hasImmortalStructure, that classes can override 
        to indicate at compile time which part of the heap they should be allocated in.
        (JSC::allocateCell): Use the appropriate allocator depending on the destructor type.
        * runtime/JSDestructibleObject.h: Added. New class that stores the ClassInfo of any subclass so that it can be 
        accessed safely when the object is being destroyed.
        (JSC):
        (JSDestructibleObject):
        (JSC::JSDestructibleObject::classInfo):
        (JSC::JSDestructibleObject::JSDestructibleObject):
        (JSC::JSCell::classInfo): Checks the current MarkedBlock to see where it should get the ClassInfo from so that it's always safe.
        * runtime/JSGlobalObject.cpp: JSGlobalObject now uses a finalizer instead of a destructor so that it can avoid forcing all 
        of its relatives in the inheritance hierarchy (e.g. JSScope) to use destructors as well.
        (JSC::JSGlobalObject::reset):
        * runtime/JSGlobalObject.h:
        (JSGlobalObject):
        (JSC::JSGlobalObject::createRareDataIfNeeded): Since we always create a finalizer now, we don't have to worry about adding one 
        for the m_rareData field when it's created.
        (JSC::JSGlobalObject::create):
        (JSC):
        * runtime/JSGlobalThis.h: Inherit from JSDestructibleObject.
        (JSGlobalThis):
        (JSC::JSGlobalThis::JSGlobalThis):
        * runtime/JSPropertyNameIterator.h: Has an immortal Structure.
        (JSC):
        * runtime/JSScope.cpp:
        (JSC):
        * runtime/JSString.h: Has an immortal Structure.
        (JSC):
        * runtime/JSWrapperObject.h: Inherit from JSDestructibleObject.
        (JSWrapperObject):
        (JSC::JSWrapperObject::JSWrapperObject):
        * runtime/MathObject.cpp: Cleaning up some of the inheritance stuff.
        (JSC):
        * runtime/NameInstance.h: Inherit from JSDestructibleObject.
        (NameInstance):
        * runtime/RegExp.h: Has immortal Structure.
        (JSC):
        * runtime/RegExpObject.cpp: Inheritance cleanup.
        (JSC):
        * runtime/SparseArrayValueMap.h: Has immortal Structure.
        (JSC):
        * runtime/Structure.h: Has immortal Structure.
        (JSC):
        * runtime/StructureChain.h: Ditto.
        (JSC):
        * runtime/SymbolTable.h: Ditto.
        (SharedSymbolTable):
        (JSC):

== Rolled over to ChangeLog-2012-10-02 ==