ChangeLog-2012-05-22   [plain text]


2012-05-22  Yong Li  <yoli@rim.com>

        [BlackBerry] getPlatformThreadRegisters() should fetch target thread's registers
        https://bugs.webkit.org/show_bug.cgi?id=87148

        Reviewed by George Staikos.

        Our previous implementation of getPlatformThreadRegisters() read registers in current
        thread's context but it is supposed to read the target thread's registers.

        * heap/MachineStackMarker.cpp:
        (JSC::getPlatformThreadRegisters):

2012-05-05  Filip Pizlo  <fpizlo@apple.com>

        DFG should support reflective arguments access
        https://bugs.webkit.org/show_bug.cgi?id=85721

        Reviewed by Oliver Hunt.
        
        Merged r116345 from dfgopt.
        
        This adds support for op_create_arguments to the DFG. No other arguments-related
        opcodes are added by this change, though it does add a lot of the scaffolding
        necessary for the other ops.
        
        This also adds GetByVal/PutByVal optimizations for Arguments.
        
        Finally, this rationalizes slowPathCall with no return. Previously, that would
        work via callOperation() overloads that took InvalidGPRReg as the return GPR.
        But that creates awful ambiguity, since we had template functions that were
        polymorphic over all parameters except the second, which was a GPRReg, and a
        bunch of non-template overloads that also potentially had GPRReg as the second
        argument. I finally started to hit this ambiguity and was getting absolutely
        bizarre compiler errors, that made me feel like I was programming in SML. So,
        I changed the no-argument overloads to take NoResultTag instead, which made
        everything sensible again by eliminating the overload ambiguity.
        
        This is a ~7% speed-up on V8/earley and neutral elsewhere.

        * bytecode/PredictedType.h:
        (JSC::isArgumentsPrediction):
        (JSC):
        (JSC::isActionableMutableArrayPrediction):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCCallHelpers.h:
        (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
        (CCallHelpers):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        (JSC::DFG::canInlineOpcode):
        * dfg/DFGCommon.h:
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::unmodifiedArgumentsRegister):
        (Node):
        (JSC::DFG::Node::shouldSpeculateArguments):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
        (DFG):
        (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::silentSpillAllRegistersImpl):
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::pickCanTrample):
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/Arguments.h:
        (ArgumentsData):
        (Arguments):
        (JSC::Arguments::offsetOfData):

2011-05-21  Geoffrey Garen  <ggaren@apple.com>

        GC allocation trigger should be tuned to system RAM
        https://bugs.webkit.org/show_bug.cgi?id=87039

        Reviewed by Darin Adler.

        This helps avoid OOM crashes on small platforms, and helps avoid "too much GC"
        performance issues on big platforms.

        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::collect):
        * heap/Heap.h:
        (Heap): GC balances between a fixed minimum and a proportional multiplier,
        which are limited based on system RAM.

        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::createContextGroup):
        (JSC::JSGlobalData::create):
        (JSC::JSGlobalData::createLeaked):
        * runtime/JSGlobalData.h:
        (JSGlobalData): Renamed HeapSize to HeapType because the exact size is
        influenced by the heap type, but not determined by it.

2012-05-21  Gavin Barraclough  <barraclough@apple.com>

        Disable private names by default in WebCore
        https://bugs.webkit.org/show_bug.cgi?id=87088

        Reviewed by Geoff Garen.

        r117859 introduced a preliminary implementation of ES6-like private name objects to JSC.
        These are probably not yet ready to be web-facing, so disabling by default in WebCore.
        Opting-in for JSC & DumpRenderTree so that we can still run the fast/js/names.html test.

        * jsc.cpp:
        (GlobalObject):
        (GlobalObject::javaScriptExperimentsEnabled):
            - Implemented new trap to opt-in to private names support.
        * runtime/JSGlobalObject.cpp:
        (JSC):
        (JSC::JSGlobalObject::reset):
            - Only add the Name property to the global object if experiments are enabled.
        * runtime/JSGlobalObject.h:
        (GlobalObjectMethodTable):
            - Added new trap to enabled experiments.
        (JSGlobalObject):
        (JSC::JSGlobalObject::finishCreation):
            - Set the global object's m_experimentsEnabled state on construction.
        (JSC::JSGlobalObject::javaScriptExperimentsEnabled):
            - Defaults to off.

2012-05-06  Filip Pizlo  <fpizlo@apple.com>

        Truncating multiplication on integers should not OSR exit every time
        https://bugs.webkit.org/show_bug.cgi?id=85752

        Reviewed by Gavin Barraclough.
        
        Merge r116264 from dfgopt.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::mulShouldSpeculateInteger):
        (Graph):
        (JSC::DFG::Graph::mulImmediateShouldSpeculateInteger):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithMul):

2012-05-21  Csaba Osztrogonác  <ossy@webkit.org>

        DFG should be able to compute dominators
        https://bugs.webkit.org/show_bug.cgi?id=85269

        Unreviewed trivial 32 bit buildfix after r117861.

        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):

2012-05-21  Filip Pizlo  <fpizlo@apple.com>

        DFG should be able to compute dominators
        https://bugs.webkit.org/show_bug.cgi?id=85269

        Reviewed by Oliver Hunt.
        
        Merged r115754 from dfgopt.
        
        Implements a naive dominator calculator, which is currently just used to
        print information in graph dumps. I've enabled it by default mainly to
        be able to track its performance impact. So far it appears that there is
        none, which is unsurprising given that the number of basic blocks in most
        procedures is small.
        
        Also tweaked bytecode dumping to reveal more useful information about the
        nature of the code block.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
        * dfg/DFGDominators.cpp: Added.
        (DFG):
        (JSC::DFG::Dominators::Dominators):
        (JSC::DFG::Dominators::~Dominators):
        (JSC::DFG::Dominators::compute):
        (JSC::DFG::Dominators::iterateForBlock):
        * dfg/DFGDominators.h: Added.
        (DFG):
        (Dominators):
        (JSC::DFG::Dominators::invalidate):
        (JSC::DFG::Dominators::computeIfNecessary):
        (JSC::DFG::Dominators::isValid):
        (JSC::DFG::Dominators::dominates):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (Graph):

2012-05-21  Michael Saboff  <msaboff@apple.com>

        Cleanup of Calls to operationStrCat and operationNewArray and Use Constructor after r117729
        https://bugs.webkit.org/show_bug.cgi?id=87027

        Reviewed by Oliver Hunt.

        Change calls to operationStrCat and operationNewArray to provide the
        pointer to the EncodedJSValue* data buffer instead of the ScratchBuffer
        that contains it.  Added a ScratchBuffer::create() function.
        This is a clean-up to r117729.

        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/JSGlobalData.h:
        (JSC::ScratchBuffer::create):
        (JSC::ScratchBuffer::dataBuffer):
        (JSC::JSGlobalData::scratchBufferForSize):

2012-05-15  Gavin Barraclough  <barraclough@apple.com>

        Add support for private names
        https://bugs.webkit.org/show_bug.cgi?id=86509

        Reviewed by Oliver Hunt.

        The spec isn't final, but we can start adding support to allow property maps
        to contain keys that aren't identifiers.

        * API/JSCallbackObjectFunctions.h:
        (JSC::::getOwnPropertySlot):
        (JSC::::put):
        (JSC::::deleteProperty):
        (JSC::::getStaticValue):
        (JSC::::staticFunctionGetter):
        (JSC::::callbackGetter):
            - Only expose public named properties over the JSC API.
        * CMakeLists.txt:
        * DerivedSources.make:
        * DerivedSources.pri:
        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
            - Added new files to build system.
        * dfg/DFGOperations.cpp:
        (JSC::DFG::operationPutByValInternal):
            - Added support for property access with name objects.
        * interpreter/CallFrame.h:
        (JSC::ExecState::privateNamePrototypeTable):
            - Added hash table for NamePrototype
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
            - Added support for property access with name objects.
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
            - Added support for property access with name objects.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::getByVal):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::opIn):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::symbolTableGet):
        (JSC::JSActivation::symbolTablePut):
        (JSC::JSActivation::symbolTablePutWithAttributes):
            - Added support for property access with name objects.
        * runtime/JSGlobalData.cpp:
        (JSC):
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::~JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSGlobalData):
            - Added hash table for NamePrototype
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        * runtime/JSGlobalObject.h:
        (JSGlobalObject):
        (JSC::JSGlobalObject::privateNameStructure):
        (JSC::JSGlobalObject::symbolTableHasProperty):
            - Added new global properties.
        * runtime/JSType.h:
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::isName):
            - Added type for NameInstances, for fast isName check.
        * runtime/JSVariableObject.cpp:
        (JSC::JSVariableObject::deleteProperty):
        (JSC::JSVariableObject::symbolTableGet):
        * runtime/JSVariableObject.h:
        (JSC::JSVariableObject::symbolTableGet):
        (JSC::JSVariableObject::symbolTablePut):
        (JSC::JSVariableObject::symbolTablePutWithAttributes):
            - symbol table lookup should take a PropertyName.
        * runtime/Lookup.cpp:
        (JSC::setUpStaticFunctionSlot):
        * runtime/Lookup.h:
        (JSC::HashTable::entry):
            - entry lookup should take a PropertyName.
        * runtime/NameConstructor.cpp: Added.
        (JSC):
        (JSC::NameConstructor::NameConstructor):
        (JSC::NameConstructor::finishCreation):
        (JSC::constructPrivateName):
        (JSC::NameConstructor::getConstructData):
        (JSC::NameConstructor::getCallData):
        * runtime/NameConstructor.h: Added.
        (JSC):
        (NameConstructor):
        (JSC::NameConstructor::create):
        (JSC::NameConstructor::createStructure):
            - Added constructor.
        * runtime/NameInstance.cpp: Added.
        (JSC):
        (JSC::NameInstance::NameInstance):
        (JSC::NameInstance::destroy):
        * runtime/NameInstance.h: Added.
        (JSC):
        (NameInstance):
        (JSC::NameInstance::createStructure):
        (JSC::NameInstance::create):
        (JSC::NameInstance::privateName):
        (JSC::NameInstance::nameString):
        (JSC::NameInstance::finishCreation):
        (JSC::isName):
            - Added instance.
        * runtime/NamePrototype.cpp: Added.
        (JSC):
        (JSC::NamePrototype::NamePrototype):
        (JSC::NamePrototype::finishCreation):
        (JSC::NamePrototype::getOwnPropertySlot):
        (JSC::NamePrototype::getOwnPropertyDescriptor):
        (JSC::privateNameProtoFuncToString):
        * runtime/NamePrototype.h: Added.
        (JSC):
        (NamePrototype):
        (JSC::NamePrototype::create):
        (JSC::NamePrototype::createStructure):
            - Added prototype.
        * runtime/PrivateName.h: Added.
        (JSC):
        (PrivateName):
        (JSC::PrivateName::PrivateName):
        (JSC::PrivateName::uid):
            - A private name object holds a StringImpl that can be used as a unique key in a property map.
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::find):
        (JSC::PropertyTable::findWithString):
            - Strings should only match keys in the table that are identifiers.
        * runtime/PropertyName.h:
        (JSC::PropertyName::PropertyName):
        (PropertyName):
        (JSC::PropertyName::uid):
        (JSC::PropertyName::publicName):
        (JSC::PropertyName::asIndex):
        (JSC::operator==):
        (JSC::operator!=):
            - replaced impl() & ustring() with uid() [to get the raw impl] and publicName() [impl or null, if not an identifier].
        * runtime/Structure.cpp:
        (JSC::Structure::despecifyDictionaryFunction):
        (JSC::Structure::addPropertyTransitionToExistingStructure):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::attributeChangeTransition):
        (JSC::Structure::get):
        (JSC::Structure::despecifyFunction):
        (JSC::Structure::putSpecificValue):
        (JSC::Structure::remove):
        (JSC::Structure::getPropertyNamesFromStructure):
        * runtime/Structure.h:
        (JSC::Structure::get):
            - call uid() to get a PropertyName raw impl, for use as a key.

2012-04-30  Filip Pizlo  <fpizlo@apple.com>

        Bytecode dumps should contain data about the state of get_by_id caches
        https://bugs.webkit.org/show_bug.cgi?id=85246

        Reviewed by Gavin Barraclough.
        
        Merge r115694 from dfgopt.
        
        Changed the DFG bytecode parser (and the code that calls it) to be able
        to call codeBlock->dump() on the code blocks being parsed.
        
        Changed bytecode dumping to be able to print the state of get_by_id
        caches inline with the bytecode.
        
        Removed the old StructureStubInfo dumping code, which no longer worked
        right, and was incapable of telling us information about chain and list
        accesses.
        
        This change does not add dumping for put_by_id caches. We can add that
        at a later time.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printUnaryOp):
        (JSC::CodeBlock::printBinaryOp):
        (JSC::CodeBlock::printConditionalJump):
        (JSC::CodeBlock::printGetByIdOp):
        (JSC::dumpStructure):
        (JSC):
        (JSC::dumpChain):
        (JSC::CodeBlock::printGetByIdCacheStatus):
        (JSC::CodeBlock::printCallOp):
        (JSC::CodeBlock::printPutByIdOp):
        (JSC::printGlobalResolveInfo):
        (JSC::CodeBlock::printStructure):
        (JSC::CodeBlock::printStructures):
        (JSC::CodeBlock::dump):
        (JSC::CodeBlock::visitStructures):
        (JSC::ProgramCodeBlock::jitCompileImpl):
        (JSC::EvalCodeBlock::jitCompileImpl):
        (JSC::FunctionCodeBlock::jitCompileImpl):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        (JSC::CodeBlock::jitCompile):
        (ProgramCodeBlock):
        (EvalCodeBlock):
        (FunctionCodeBlock):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ByteCodeParser):
        (ByteCodeParser):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        (JSC::DFG::parse):
        * dfg/DFGByteCodeParser.h:
        (DFG):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        (JSC::DFG::tryCompile):
        (JSC::DFG::tryCompileFunction):
        * dfg/DFGDriver.h:
        (DFG):
        (JSC::DFG::tryCompile):
        (JSC::DFG::tryCompileFunction):
        * dfg/DFGOSRExitCompiler.cpp:
        * jit/JITDriver.h:
        (JSC::jitCompileIfAppropriate):
        (JSC::jitCompileFunctionIfAppropriate):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::jitCompile):
        (JSC::EvalExecutable::compileInternal):
        (JSC::ProgramExecutable::jitCompile):
        (JSC::ProgramExecutable::compileInternal):
        (JSC::FunctionExecutable::jitCompileForCall):
        (JSC::FunctionExecutable::jitCompileForConstruct):
        (JSC::FunctionExecutable::compileForCallInternal):
        (JSC::FunctionExecutable::compileForConstructInternal):
        * runtime/Executable.h:
        (EvalExecutable):
        (ProgramExecutable):
        (FunctionExecutable):
        (JSC::FunctionExecutable::jitCompileFor):
        * runtime/ExecutionHarness.h:
        (JSC::prepareForExecution):
        (JSC::prepareFunctionForExecution):

2012-05-21  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix make distcheck.

        * GNUmakefile.list.am: Add missing header files.

2012-05-21  Allan Sandfeld Jensen  <allan.jensen@nokia.com>

        GCC 4.7 and C++11
        https://bugs.webkit.org/show_bug.cgi?id=86465

        Reviewed by Darin Adler.

        Set emptyValueIsZero flag so RegExpKey can be used with the non-copyable RegExp values.

        * runtime/RegExpKey.h:

2012-05-20  Michael Saboff  <msaboff@apple.com>

        JSGlobalData ScratchBuffers Are Not Visited During Garbage Collection
        https://bugs.webkit.org/show_bug.cgi?id=86553

        Reviewed by Gavin Barraclough.

        Scratch buffers can contain the only reference to live objects.
        Therefore visit scratch buffer contents as conservative roots.
        Changed the scratch buffers to be a struct with an "active"
        length and the actual buffer.  The users of the scratch
        buffer emit code where needed to set and clear the active
        length as appropriate.  During marking, the active count is
        used for conservative marking.

        * dfg/DFGAssemblyHelpers.h:
        (JSC::DFG::AssemblyHelpers::debugCall):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrExitGenerationThunkGenerator):
        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::gatherConservativeRoots):
        * runtime/JSGlobalData.h:
        (JSC::ScratchBuffer::ScratchBuffer):
        (ScratchBuffer):
        (JSC::ScratchBuffer::allocationSize):
        (JSC::ScratchBuffer::setActiveLength):
        (JSC::ScratchBuffer::activeLength):
        (JSC::ScratchBuffer::activeLengthPtr):
        (JSC::ScratchBuffer::dataBuffer):
        (JSGlobalData):
        (JSC::JSGlobalData::scratchBufferForSize):

2012-05-20  Filip Pizlo  <fpizlo@apple.com>

        Predicted types should know about arguments
        https://bugs.webkit.org/show_bug.cgi?id=85165

        Reviewed by Oliver Hunt.
        
        Merge r115604 from dfgopt.

        * bytecode/PredictedType.cpp:
        (JSC::predictionToString):
        (JSC::predictionToAbbreviatedString):
        (JSC::predictionFromClassInfo):
        * bytecode/PredictedType.h:
        (JSC):
        (JSC::isMyArgumentsPrediction):
        (JSC::isArgumentsPrediction):

2012-05-20  Filip Pizlo  <fpizlo@apple.com>

        Bytecompiler should emit trivially fewer jumps in loops
        https://bugs.webkit.org/show_bug.cgi?id=85144

        Reviewed by Oliver Hunt.
        
        Merged r115587 from dfgopt.
        
        1-2% across the board win.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::WhileNode::emitBytecode):
        (JSC::ForNode::emitBytecode):

2012-05-19  Vivek Galatage  <vivekgalatage@gmail.com>

        Windows build broken due to changes in the http://trac.webkit.org/changeset/117646
        https://bugs.webkit.org/show_bug.cgi?id=86939

        The changeset 117646 changed the JSString::toBoolean signature. This
        change is for fixing the windows build break.

        Reviewed by Ryosuke Niwa.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-05-18  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(117646): fast/canvas/webgl/glsl-conformance.html is crashing in the DFG
        https://bugs.webkit.org/show_bug.cgi?id=86929

        Reviewed by Oliver Hunt.
        
        The problem was that if CFG simplification saw a Branch with identical successors,
        it would always perform a basic block merge. But that's wrong if the successor has
        other predecessors.

        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::run):

2012-05-18  Filip Pizlo  <fpizlo@apple.com>

        DFG CFG simplification crashes if it's trying to remove an unreachable block
        that has an already-killed-off unreachable successor
        https://bugs.webkit.org/show_bug.cgi?id=86918

        Reviewed by Oliver Hunt.
        
        This fixes crashes in:
        inspector/styles/styles-computed-trace.html
        inspector/console/console-big-array.html

        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::fixPhis):

2012-05-18  Filip Pizlo  <fpizlo@apple.com>

        DFG should have control flow graph simplification
        https://bugs.webkit.org/show_bug.cgi?id=84553

        Reviewed by Oliver Hunt.
        
        Merged r115512 from dfgopt.

        This change gives the DFG the ability to simplify the control flow graph
        as part of an optimization fixpoint that includes CSE, CFA, and constant
        folding. This required a number of interesting changes including:
        
        - Solidifying the set of invariants that the DFG obeys. For example, the
          head and tail of each basic block must advertise the set of live locals
          and the set of available locals, respectively. It must do so by
          referring to the first access to the local in the block (for head) and
          the last one (for tail). This patch introduces the start of a
          validation step that may be turned on even with asserts disabled. To
          ensure that these invariants are preserved, I had to remove the
          redundant phi elimination phase. For now I just remove the call, but in
          the future we will probably remove it entirely unless we find a use for
          it.
        
        - Making it easier to get the boolean version of a JSValue. This is a
          pure operation, but we previously did not treat it as such.
        
        - Fixing the merging and filtering of AbstractValues that correspond to
          concrete JSValues. This was previously broken and was limiting the
          effect of running constant folding. Fixing this meant that I had to
          change how constant folding eliminates GetLocal nodes, so as to ensure
          that the resulting graph still obeys DFG rules.
        
        - Introducing simplified getters for some of the things that DFG phases
          want to know about, like the Nth child of a node (now just
          graph.child(...) if you don't care about performance too much) or
          getting successors of a basic block.
        
        The current CFG simplifier can handle almost all of the cases that it
        ought to handle; the noteworthy one that is not yet handled is removing
        basic blocks that just have jumps. To do this right we need to be able
        to remove jump-only blocks that also perform keep-alive on some values.
        To make this work, we need to be able to hoist the keep-alive into (or
        just above) a Branch. This is not fundamentally difficult but I opted to
        let this patch omit this optimization. We can handle this later.
        
        This is a big win on programs that include inline functions that are
        often called with constant arguments. Of course, SunSpider, V8, and
        Kraken don't count. Those benchmarks are completely neutral with this
        change.

        * API/JSValueRef.cpp:
        (JSValueToBoolean):
        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::dfgOSREntryDataForBytecodeIndex):
        * bytecode/Operands.h:
        (JSC::Operands::setOperandFirstTime):
        (Operands):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::initialize):
        (JSC::DFG::AbstractState::execute):
        (JSC::DFG::AbstractState::mergeStateAtTail):
        (JSC::DFG::AbstractState::mergeToSuccessors):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::isClear):
        (JSC::DFG::AbstractValue::operator!=):
        (JSC::DFG::AbstractValue::merge):
        (JSC::DFG::AbstractValue::filter):
        (JSC::DFG::AbstractValue::validateIgnoringValue):
        (AbstractValue):
        * dfg/DFGAdjacencyList.h:
        (JSC::DFG::AdjacencyList::child):
        (JSC::DFG::AdjacencyList::setChild):
        (AdjacencyList):
        * dfg/DFGBasicBlock.h:
        (JSC::DFG::BasicBlock::~BasicBlock):
        (BasicBlock):
        (JSC::DFG::BasicBlock::numNodes):
        (JSC::DFG::BasicBlock::nodeIndex):
        (JSC::DFG::BasicBlock::isPhiIndex):
        (JSC::DFG::BasicBlock::isInPhis):
        (JSC::DFG::BasicBlock::isInBlock):
        * dfg/DFGByteCodeParser.cpp:
        (ByteCodeParser):
        (DFG):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::run):
        (JSC::DFG::CFAPhase::performBlockCFA):
        (JSC::DFG::performCFA):
        * dfg/DFGCFAPhase.h:
        (DFG):
        * dfg/DFGCFGSimplificationPhase.cpp: Added.
        (DFG):
        (CFGSimplificationPhase):
        (JSC::DFG::CFGSimplificationPhase::CFGSimplificationPhase):
        (JSC::DFG::CFGSimplificationPhase::run):
        (JSC::DFG::CFGSimplificationPhase::killUnreachable):
        (JSC::DFG::CFGSimplificationPhase::findOperandSource):
        (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
        (JSC::DFG::CFGSimplificationPhase::fixPossibleGetLocal):
        (JSC::DFG::CFGSimplificationPhase::jettisonBlock):
        (JSC::DFG::CFGSimplificationPhase::fixPhis):
        (JSC::DFG::CFGSimplificationPhase::fixJettisonedPredecessors):
        (JSC::DFG::CFGSimplificationPhase::removePotentiallyDeadPhiReference):
        (JSC::DFG::CFGSimplificationPhase::OperandSubstitution::OperandSubstitution):
        (OperandSubstitution):
        (JSC::DFG::CFGSimplificationPhase::OperandSubstitution::dump):
        (JSC::DFG::CFGSimplificationPhase::skipGetLocal):
        (JSC::DFG::CFGSimplificationPhase::fixTailOperand):
        (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
        (JSC::DFG::performCFGSimplification):
        * dfg/DFGCFGSimplificationPhase.h: Added.
        (DFG):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::run):
        (CSEPhase):
        (JSC::DFG::CSEPhase::impureCSE):
        (JSC::DFG::CSEPhase::globalVarLoadElimination):
        (JSC::DFG::CSEPhase::getByValLoadElimination):
        (JSC::DFG::CSEPhase::checkStructureLoadElimination):
        (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
        (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        (JSC::DFG::CSEPhase::performBlockCSE):
        (JSC::DFG::performCSE):
        * dfg/DFGCSEPhase.h:
        (DFG):
        * dfg/DFGCommon.h:
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::run):
        (JSC::DFG::performConstantFolding):
        * dfg/DFGConstantFoldingPhase.h:
        (DFG):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGEdge.h:
        (Edge):
        (JSC::DFG::Edge::operator UnspecifiedBoolType*):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::run):
        (JSC::DFG::FixupPhase::fixupBlock):
        (JSC::DFG::performFixup):
        * dfg/DFGFixupPhase.h:
        (DFG):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::handleSuccessor):
        (DFG):
        (JSC::DFG::Graph::determineReachability):
        (JSC::DFG::Graph::resetReachability):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::deref):
        (JSC::DFG::Graph::changeIndex):
        (Graph):
        (JSC::DFG::Graph::changeEdge):
        (JSC::DFG::Graph::numSuccessors):
        (JSC::DFG::Graph::successor):
        (JSC::DFG::Graph::successorForCondition):
        (JSC::DFG::Graph::isPredictedNumerical):
        (JSC::DFG::Graph::byValIsPure):
        (JSC::DFG::Graph::clobbersWorld):
        (JSC::DFG::Graph::numChildren):
        (JSC::DFG::Graph::child):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToConstant):
        (JSC::DFG::Node::numSuccessors):
        (Node):
        (JSC::DFG::Node::successor):
        (JSC::DFG::Node::successorForCondition):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOperations.cpp:
        * dfg/DFGPhase.cpp:
        (JSC::DFG::Phase::endPhase):
        * dfg/DFGPhase.h:
        (JSC::DFG::runPhase):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::run):
        (JSC::DFG::performPredictionPropagation):
        * dfg/DFGPredictionPropagationPhase.h:
        (DFG):
        * dfg/DFGRedundantPhiEliminationPhase.cpp:
        (JSC::DFG::RedundantPhiEliminationPhase::run):
        (JSC::DFG::performRedundantPhiElimination):
        * dfg/DFGRedundantPhiEliminationPhase.h:
        (DFG):
        * dfg/DFGScoreBoard.h:
        (JSC::DFG::ScoreBoard::use):
        (ScoreBoard):
        (JSC::DFG::ScoreBoard::useIfHasResult):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::createOSREntries):
        (JSC::DFG::SpeculativeJIT::linkOSREntries):
        (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
        (JSC::DFG::SpeculativeJIT::compileRegExpExec):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::nextBlock):
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::use):
        (JSC::DFG::SpeculativeJIT::jump):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGValidate.cpp: Added.
        (DFG):
        (Validate):
        (JSC::DFG::Validate::Validate):
        (JSC::DFG::Validate::validate):
        (JSC::DFG::Validate::reportValidationContext):
        (JSC::DFG::Validate::dumpData):
        (JSC::DFG::Validate::dumpGraphIfAppropriate):
        (JSC::DFG::validate):
        * dfg/DFGValidate.h: Added.
        (DFG):
        (JSC::DFG::validate):
        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        (JSC::DFG::VirtualRegisterAllocationPhase::run):
        (JSC::DFG::performVirtualRegisterAllocation):
        * dfg/DFGVirtualRegisterAllocationPhase.h:
        (DFG):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncFilter):
        (JSC::arrayProtoFuncEvery):
        (JSC::arrayProtoFuncSome):
        * runtime/BooleanConstructor.cpp:
        (JSC::constructBoolean):
        (JSC::callBooleanConstructor):
        * runtime/JSCell.h:
        (JSCell):
        * runtime/JSObject.cpp:
        (JSC):
        * runtime/JSObject.h:
        * runtime/JSString.cpp:
        (JSC::JSString::toBoolean):
        * runtime/JSString.h:
        (JSString):
        (JSC::JSCell::toBoolean):
        (JSC::JSValue::toBoolean):
        * runtime/JSValue.h:
        * runtime/ObjectConstructor.cpp:
        (JSC::toPropertyDescriptor):
        * runtime/RegExpConstructor.cpp:
        (JSC::setRegExpConstructorMultiline):
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncToString):

2012-05-18  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, build fix.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):

2012-04-17  Filip Pizlo  <fpizlo@apple.com>

        DFG should have constant propagation
        https://bugs.webkit.org/show_bug.cgi?id=84004

        Reviewed by Gavin Barraclough.
        
        Merge r114554 from dfgopt.
        
        Changes AbstractValue to be able to hold a "set" of constants, where
        the maximum set size is 1 - so merging a value containing constant A
        with another value containing constant B where A != B will result in
        the AbstractValue claiming that it does not know any constants (i.e.
        it'll just have a predicted type and possible a structure).
        
        Added a constant folding phase that uses this new information to
        replace pure operations known to have constant results with
        JSConstants. This is OSR-exit-aware, in that it will prepend a Phantom
        that refers to all of the kids of the node we replaced.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::beginBasicBlock):
        (JSC::DFG::AbstractState::endBasicBlock):
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGAbstractState.h:
        (AbstractState):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::clear):
        (JSC::DFG::AbstractValue::isClear):
        (JSC::DFG::AbstractValue::makeTop):
        (JSC::DFG::AbstractValue::clobberValue):
        (AbstractValue):
        (JSC::DFG::AbstractValue::valueIsTop):
        (JSC::DFG::AbstractValue::value):
        (JSC::DFG::AbstractValue::set):
        (JSC::DFG::AbstractValue::operator==):
        (JSC::DFG::AbstractValue::merge):
        (JSC::DFG::AbstractValue::filter):
        (JSC::DFG::AbstractValue::validate):
        (JSC::DFG::AbstractValue::checkConsistency):
        (JSC::DFG::AbstractValue::dump):
        * dfg/DFGAdjacencyList.h:
        (JSC::DFG::AdjacencyList::initialize):
        (AdjacencyList):
        (JSC::DFG::AdjacencyList::reset):
        * dfg/DFGBasicBlock.h:
        (JSC::DFG::BasicBlock::BasicBlock):
        (BasicBlock):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::constantCSE):
        (CSEPhase):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGConstantFoldingPhase.cpp: Added.
        (DFG):
        (ConstantFoldingPhase):
        (JSC::DFG::ConstantFoldingPhase::ConstantFoldingPhase):
        (JSC::DFG::ConstantFoldingPhase::run):
        (JSC::DFG::performConstantFolding):
        * dfg/DFGConstantFoldingPhase.h: Added.
        (DFG):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGGraph.h:
        (Graph):
        (JSC::DFG::Graph::convertToConstant):
        * dfg/DFGInsertionSet.h:
        (JSC::DFG::InsertionSet::execute):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToConstant):
        (Node):
        * runtime/JSValue.cpp:
        (JSC::JSValue::description):
        * runtime/JSValue.h:
        (JSValue):

2012-05-18  Caio Marcelo de Oliveira Filho  <caio.oliveira@openbossa.org>

        Fix build for Qt by using ASSERT_UNUSED in DFGSpeculativeJIT
        https://bugs.webkit.org/show_bug.cgi?id=86902

        Reviewed by Andreas Kling.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):

2012-04-16  Filip Pizlo  <fpizlo@apple.com>

        DFG should have out-of-line slow paths
        https://bugs.webkit.org/show_bug.cgi?id=83992

        Reviewed by Oliver Hunt.
        
        Merge of r114472 and r114553 from dfgopt.
        
        Introduces the notion of slow path code generation closures in the DFG.
        These are defined in DFGSlowPathGenerator.h, though they are fairly
        extensible so DFGSpeculativeJIT64.cpp and DFGSpeculativeJIT32_64.cpp
        define a couple special-purpose ones. A slow path generation closure
        (DFG::SlowPathGenerator) is executed after the main speculative path is
        generated. This makes them great for scheduling slow path code out of
        the way of the hot paths.
        
        This patch also converts most - but not all - of the DFG to use slow
        path generators instead of inline slow paths.
        
        The result is a sub-1% improvement on SunSpider and V8, and a miniscule
        regression on Kraken.
        
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::TrustedImmPtr::TrustedImmPtr):
        (TrustedImmPtr):
        (JSC::AbstractMacroAssembler::TrustedImm32::TrustedImm32):
        (TrustedImm32):
        * bytecode/StructureStubInfo.h:
        * dfg/DFGCommon.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGJITCompiler.h:
        (DFG):
        (JSC::DFG::PropertyAccessRecord::PropertyAccessRecord):
        (PropertyAccessRecord):
        (JITCompiler):
        * dfg/DFGSilentRegisterSavePlan.h: Added.
        (DFG):
        (SilentRegisterSavePlan):
        (JSC::DFG::SilentRegisterSavePlan::SilentRegisterSavePlan):
        (JSC::DFG::SilentRegisterSavePlan::spillAction):
        (JSC::DFG::SilentRegisterSavePlan::fillAction):
        (JSC::DFG::SilentRegisterSavePlan::nodeIndex):
        (JSC::DFG::SilentRegisterSavePlan::gpr):
        (JSC::DFG::SilentRegisterSavePlan::fpr):
        * dfg/DFGSlowPathGenerator.h: Added.
        (DFG):
        (SlowPathGenerator):
        (JSC::DFG::SlowPathGenerator::SlowPathGenerator):
        (JSC::DFG::SlowPathGenerator::~SlowPathGenerator):
        (JSC::DFG::SlowPathGenerator::generate):
        (JSC::DFG::SlowPathGenerator::label):
        (JSC::DFG::SlowPathGenerator::call):
        (JumpingSlowPathGenerator):
        (JSC::DFG::JumpingSlowPathGenerator::JumpingSlowPathGenerator):
        (JSC::DFG::JumpingSlowPathGenerator::linkFrom):
        (JSC::DFG::JumpingSlowPathGenerator::jumpTo):
        (CallSlowPathGenerator):
        (JSC::DFG::CallSlowPathGenerator::CallSlowPathGenerator):
        (JSC::DFG::CallSlowPathGenerator::call):
        (JSC::DFG::CallSlowPathGenerator::setUp):
        (JSC::DFG::CallSlowPathGenerator::recordCall):
        (JSC::DFG::CallSlowPathGenerator::tearDown):
        (CallResultAndNoArgumentsSlowPathGenerator):
        (JSC::DFG::CallResultAndNoArgumentsSlowPathGenerator::CallResultAndNoArgumentsSlowPathGenerator):
        (JSC::DFG::CallResultAndNoArgumentsSlowPathGenerator::generateInternal):
        (CallResultAndOneArgumentSlowPathGenerator):
        (JSC::DFG::CallResultAndOneArgumentSlowPathGenerator::CallResultAndOneArgumentSlowPathGenerator):
        (JSC::DFG::CallResultAndOneArgumentSlowPathGenerator::generateInternal):
        (CallResultAndTwoArgumentsSlowPathGenerator):
        (JSC::DFG::CallResultAndTwoArgumentsSlowPathGenerator::CallResultAndTwoArgumentsSlowPathGenerator):
        (JSC::DFG::CallResultAndTwoArgumentsSlowPathGenerator::generateInternal):
        (CallResultAndThreeArgumentsSlowPathGenerator):
        (JSC::DFG::CallResultAndThreeArgumentsSlowPathGenerator::CallResultAndThreeArgumentsSlowPathGenerator):
        (JSC::DFG::CallResultAndThreeArgumentsSlowPathGenerator::generateInternal):
        (CallResultAndFourArgumentsSlowPathGenerator):
        (JSC::DFG::CallResultAndFourArgumentsSlowPathGenerator::CallResultAndFourArgumentsSlowPathGenerator):
        (JSC::DFG::CallResultAndFourArgumentsSlowPathGenerator::generateInternal):
        (CallResultAndFiveArgumentsSlowPathGenerator):
        (JSC::DFG::CallResultAndFiveArgumentsSlowPathGenerator::CallResultAndFiveArgumentsSlowPathGenerator):
        (JSC::DFG::CallResultAndFiveArgumentsSlowPathGenerator::generateInternal):
        (JSC::DFG::slowPathCall):
        (AssigningSlowPathGenerator):
        (JSC::DFG::AssigningSlowPathGenerator::AssigningSlowPathGenerator):
        (JSC::DFG::AssigningSlowPathGenerator::generateInternal):
        (JSC::DFG::slowPathMove):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        (DFG):
        (JSC::DFG::SpeculativeJIT::~SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::addSlowPathGenerator):
        (JSC::DFG::SpeculativeJIT::runSlowPathGenerators):
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
        * dfg/DFGSpeculativeJIT.h:
        (DFG):
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
        (JSC::DFG::SpeculativeJIT::silentSavePlanForFPR):
        (JSC::DFG::SpeculativeJIT::silentSpill):
        (JSC::DFG::SpeculativeJIT::silentFill):
        (JSC::DFG::SpeculativeJIT::silentSpillAllRegistersImpl):
        (JSC::DFG::SpeculativeJIT::silentSpillAllRegisters):
        (JSC::DFG::SpeculativeJIT::pickCanTrample):
        (JSC::DFG::SpeculativeJIT::silentFillAllRegisters):
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (ValueToNumberSlowPathGenerator):
        (JSC::DFG::ValueToNumberSlowPathGenerator::ValueToNumberSlowPathGenerator):
        (JSC::DFG::ValueToNumberSlowPathGenerator::generateInternal):
        (DFG):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToNumber):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToInt32):
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (CompareAndBoxBooleanSlowPathGenerator):
        (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator):
        (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::generateInternal):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (ValueToNumberSlowPathGenerator):
        (JSC::DFG::ValueToNumberSlowPathGenerator::ValueToNumberSlowPathGenerator):
        (JSC::DFG::ValueToNumberSlowPathGenerator::generateInternal):
        (DFG):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToNumber):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToInt32):
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (CompareAndBoxBooleanSlowPathGenerator):
        (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator):
        (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::generateInternal):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::compile):

2012-05-18  Tony Chang  <tony@chromium.org>

        remove the CSS_GRID_LAYOUT compiler define, but default grid layout to off
        https://bugs.webkit.org/show_bug.cgi?id=86767

        Reviewed by Ojan Vafai.

        * Configurations/FeatureDefines.xcconfig: Remove ENABLE_CSS_GRID_LAYOUT.

2012-05-17  Filip Pizlo  <fpizlo@apple.com>

        Setting array index -1 and looping over array causes bad behavior
        https://bugs.webkit.org/show_bug.cgi?id=86733
        <rdar://problem/11477670>

        Reviewed by Oliver Hunt.

        * dfg/DFGOperations.cpp:

2012-05-17  Geoffrey Garen  <ggaren@apple.com>

        Not reviewed.

        Rolled out r117495 because it caused som out of memory crashes.

        * heap/Heap.cpp:
        (JSC::Heap::collect):

2012-05-17  Geoffrey Garen  <ggaren@apple.com>

        Refactored the Heap to move more MarkedSpace logic into MarkedSpace
        https://bugs.webkit.org/show_bug.cgi?id=86790

        Reviewed by Gavin Barraclough.

        * heap/Heap.cpp:
        (JSC::Heap::lastChanceToFinalize):
        (JSC::Heap::markRoots):
        (JSC):
        (JSC::Heap::objectCount):
        (JSC::Heap::size):
        (JSC::Heap::capacity):
        (JSC::Heap::collect):
        * heap/Heap.h:
        (Heap): Took all the functors from here...

        * heap/MarkedBlock.h:
        (CountFunctor):
        (JSC::MarkedBlock::CountFunctor::CountFunctor):
        (JSC::MarkedBlock::CountFunctor::count):
        (JSC::MarkedBlock::CountFunctor::returnValue):
        (MarkedBlock):
        * heap/MarkedSpace.h:
        (JSC::ClearMarks::operator()):
        (JSC):
        (JSC::Sweep::operator()):
        (JSC::MarkCount::operator()):
        (JSC::Size::operator()):
        (JSC::Capacity::operator()):
        (MarkedSpace):
        (JSC::MarkedSpace::clearMarks):
        (JSC::MarkedSpace::sweep):
        (JSC::MarkedSpace::objectCount):
        (JSC::MarkedSpace::size):
        (JSC::MarkedSpace::capacity): and put them here.

2012-05-17  Geoffrey Garen  <ggaren@apple.com>

        Increase the GC allocation trigger
        https://bugs.webkit.org/show_bug.cgi?id=86699

        Reviewed by Sam Weinig.

        This helps a lot when the heap is growing, and helps to resolve
        the regression caused by r116484.

        * heap/Heap.cpp:
        (JSC::Heap::collect):

2012-05-16  Mark Hahnenberg  <mhahnenberg@apple.com>

        GC in the middle of JSObject::allocatePropertyStorage can cause badness
        https://bugs.webkit.org/show_bug.cgi?id=83839

        Reviewed by Geoff Garen.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * jit/JITStubs.cpp: Making changes to use the new return value of growPropertyStorage.
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/JSObject.cpp:
        (JSC::JSObject::growPropertyStorage): Renamed to more accurately reflect that we're 
        growing our already-existing PropertyStorage.
        * runtime/JSObject.h:
        (JSObject):
        (JSC::JSObject::setPropertyStorage): "Atomically" sets the new property storage 
        and the new structure so that we can be sure a GC never occurs when our Structure
        info is out of sync with our PropertyStorage.
        (JSC):
        (JSC::JSObject::putDirectInternal): Moved the check to see if we should 
        allocate more backing store before the actual property insertion into 
        the structure.
        (JSC::JSObject::putDirectWithoutTransition): Ditto.
        (JSC::JSObject::transitionTo): Ditto.
        * runtime/Structure.cpp:
        (JSC::Structure::suggestedNewPropertyStorageSize): Added to keep the resize policy 
        for property backing stores contained within the Structure class.
        (JSC):
        * runtime/Structure.h:
        (JSC::Structure::shouldGrowPropertyStorage): Lets clients know if another insertion 
        into the Structure would require resizing the property backing store so that they can 
        preallocate the required storage.
        (Structure):

2012-05-16  Geoffrey Garen  <ggaren@apple.com>

        GC is not thread-safe when moving values between C stacks
        https://bugs.webkit.org/show_bug.cgi?id=86672

        Reviewed by Phil Pizlo.

        GC pauses thread A while marking thread A, and then B while marking B,
        which isn't safe against A and B moving values between each others'
        stacks.

        This is a theoretical bug -- I haven't been able to reproduce it
        in the wild.

        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::gatherFromOtherThread):
        (JSC::MachineThreads::gatherConservativeRoots): Pause all C stacks for the
        duration of stack marking, to avoid missing values that might be moving
        between C stacks.

2012-05-15  Mark Hahnenberg  <mhahnenberg@apple.com>

        Block freeing thread should not free blocks when we are actively requesting them
        https://bugs.webkit.org/show_bug.cgi?id=86519

        Reviewed by Geoff Garen.

        * heap/BlockAllocator.h:
        (JSC::BlockAllocator::allocate): Reordering the setting of the flag so its done 
        while we hold the lock to ensure proper locking.

2012-05-15  Filip Pizlo  <fpizlo@apple.com>

        shrinkToFit() is often not called for Vectors in CodeBlock
        https://bugs.webkit.org/show_bug.cgi?id=86436

        Reviewed by Oliver Hunt.
        
        The vectors in CodeBlock are often appended to during various stages of
        compilation, but we neglect to shrink them after compilation finishes. This
        patch takes the most brutal possible approach: shrink all the vectors after
        the bytecompile phase, and then shrink them again after the appropriate
        JITing phase. The two shrinks are necessary because the JIT may append more
        stuff, but may also generate code that directly references things in other
        vectors; hence some can only be shrunk before JIT and some after. Also,
        we may allow a CodeBlock to sit around for a long time - possibly forever -
        before invoking the JIT, hence it makes sense to have two shrinks.
        
        This is performance neutral on the major benchmarks we track.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::shrinkToFit):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        (JSC::CodeBlock::appendWeakReferenceTransition):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):

2012-05-15  Oliver Hunt  <oliver@apple.com>

        Make error information available even if all we have is line number information.
        https://bugs.webkit.org/show_bug.cgi?id=86547

        Reviewed by Filip Pizlo.

        We don't need expression information to generate useful line, file, and stack information,
        so only require that we have line number info available.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::throwException):
        * runtime/Executable.h:
        (JSC):

2012-05-15  Mark Hahnenberg  <mhahnenberg@apple.com>

        Block freeing thread should not free blocks when we are actively requesting them
        https://bugs.webkit.org/show_bug.cgi?id=86519

        Reviewed by Geoffrey Garen.

        The block freeing thread shoots us in the foot if it decides to run while we're actively 
        requesting blocks and returning them. This situation can arise when there is a lot of copying 
        collection going on in steady state. We allocate a large swath of pages to copy into, then we 
        return all the newly free old pages to the BlockAllocator. In this state, if the block freeing 
        thread wakes up in between collections (which is more likely than it waking up during a 
        collection) and frees half of these pages, they will be needed almost immediately during the 
        next collection, causing a storm of VM allocations which we know are going to be very slow.

        What we'd like is for when things have quieted down the block freeing thread can then return 
        memory to the OS. Usually this will be when a page has fully loaded and has a low allocation 
        rate. In this situation, our opportunistic collections will only be running at least every few 
        seconds, thus the extra time spent doing VM allocations won't matter nearly as much as, say, 
        while a page is loading.

        * heap/BlockAllocator.cpp:
        (JSC::BlockAllocator::BlockAllocator): Initialize our new field.
        (JSC::BlockAllocator::blockFreeingThreadMain): We check if we've seen any block requests recently.
        If so, reset our flag and go back to sleep. We also don't bother with locking here. If we miss out 
        on an update, we'll see it when we wake up again.
        * heap/BlockAllocator.h: Add new field to track whether or not we've received recent block requests.
        (BlockAllocator):
        (JSC::BlockAllocator::allocate): If we receive a request for a block, set our field that tracks 
        that to true. We don't bother locking since we assume that writing to a bool is atomic.

2012-05-14  Luke Macpherson  <macpherson@chromium.org>

        Introduce ENABLE_CSS_VARIABLES compile flag.
        https://bugs.webkit.org/show_bug.cgi?id=86338

        Reviewed by Dimitri Glazkov.

        Add a configuration option for CSS Variables support, disabling it by default.

        * Configurations/FeatureDefines.xcconfig:

2012-05-14  Gavin Barraclough  <barraclough@apple.com>

        Cannot login to iCloud
        https://bugs.webkit.org/show_bug.cgi?id=86321

        Reviewed by Filip Pizlo.

        This is a bug introduced by bug#85853, we shouldn't allow assignment to
        the prototype property of functions to be cached, since we need to clear
        the cached inheritorID.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::put):

2012-05-14  Michael Saboff  <msaboff@apple.com>

        Enh: Add the Ability to Disable / Enable JavaScript GC Timer
        https://bugs.webkit.org/show_bug.cgi?id=86382

        Reviewed by Darin Adler.

        Add flag to GCActivityCallback to enable / disable activity timer.
        Add api via Heap to set the flag's value.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Windows export
        * heap/Heap.cpp:
        (JSC::Heap::setGarbageCollectionTimerEnabled):
        * heap/Heap.h:
        * runtime/GCActivityCallback.h:
        (JSC::GCActivityCallback::isEnabled):
        (JSC::GCActivityCallback::setEnabled):
        (JSC::GCActivityCallback::GCActivityCallback):
        * runtime/GCActivityCallbackCF.cpp:
        (JSC::DefaultGCActivityCallbackPlatformData::timerDidFire):

2012-05-14  Michael Saboff  <msaboff@apple.com>

        Increase Debug Logging in MarkStack::validate()
        https://bugs.webkit.org/show_bug.cgi?id=86408

        Rubber-stamped by Filip Pizlo.

        Added some descriptive debug messages for the conditions and
        values when a cell validation fails.

        * heap/MarkStack.cpp:
        (JSC::MarkStack::validate):

2012-05-14  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix make distcheck.

        * GNUmakefile.list.am: Add missing header file.

2012-05-14  Yong Li  <yoli@rim.com>

        DFG JIT didn't work with ARM EABI.
        https://bugs.webkit.org/show_bug.cgi?id=84449

        Reviewed by Filip Pizlo.

        Add a 32-bit dummy argument for some callOperation()
        methods to make it work for ARM EABI.

        * dfg/DFGCCallHelpers.h:
        (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
        (CCallHelpers):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::callOperation):

2012-05-13  Gavin Barraclough  <barraclough@apple.com>

        Introduce PropertyName class
        https://bugs.webkit.org/show_bug.cgi?id=86241

        Reviewed by Darin Adler.

        This patch introduced a couple of small bugs.

        * runtime/PropertyName.h:
        (JSC::toUInt32FromCharacters):
            - Returning wrong value for "" - should not convert to 0.
        (JSC::PropertyName::PropertyName):
            - Remove the ASSERT, it was a little too aspirational.

2012-05-13  Filip Pizlo  <fpizlo@apple.com>

        DFG performs incorrect constant folding on double-to-uint32 conversion in
        Uint32Array PutByVal
        https://bugs.webkit.org/show_bug.cgi?id=86330

        Reviewed by Darin Adler.
        
        static_cast<int>(d) is wrong, since JS semantics require us to use toInt32(d).
        In particular, C++ casts on typical hardware (like x86 and similar) will
        return 0x80000000 for double values that are out of range of the int32 domain
        (i.e. less than -2^31 or greater than or equal to 2^31). But JS semantics call
        for wrap-around; for example the double value 4294967297 ought to become the
        int32 value 1, not 0x80000000.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):

2012-05-11  Gavin Barraclough  <barraclough@apple.com>

        Introduce PropertyName class
        https://bugs.webkit.org/show_bug.cgi?id=86241

        Reviewed by Geoff Garen.

        Replace 'const Identifier&' arguments to functions accessing object properties with a new 'PropertyName' type.
        This change paves the way to allow for properties keyed by values that are not Identifiers.

        This change is largely a mechanical find & replace.
        It also changes JSFunction's constructor to take a UString& instead of an Identifier&
        (since in some cases we can no longer guarantee that we'lll have an Identifier), and
        unifies Identifier's methods to obtain array indices onto PropertyName.

        The new PropertyName class retains the ability to support .impl() and .ustring(), but
        in a future patch we may need to rework this, since not all PropertyNames should be
        equal based on their string representation.

        * API/JSCallbackFunction.cpp:
        (JSC::JSCallbackFunction::finishCreation):
        * API/JSCallbackFunction.h:
        (JSCallbackFunction):
        (JSC::JSCallbackFunction::create):
        * API/JSCallbackObject.h:
        (JSCallbackObject):
        * API/JSCallbackObjectFunctions.h:
        (JSC::::getOwnPropertySlot):
        (JSC::::getOwnPropertyDescriptor):
        (JSC::::put):
        (JSC::::deleteProperty):
        (JSC::::getStaticValue):
        (JSC::::staticFunctionGetter):
        (JSC::::callbackGetter):
        * API/JSObjectRef.cpp:
        (JSObjectMakeFunctionWithCallback):
        * JSCTypedArrayStubs.h:
        (JSC):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::getOwnPropertySlot):
        (JSC::DebuggerActivation::put):
        (JSC::DebuggerActivation::putDirectVirtual):
        (JSC::DebuggerActivation::deleteProperty):
        (JSC::DebuggerActivation::getOwnPropertyDescriptor):
        (JSC::DebuggerActivation::defineOwnProperty):
        * debugger/DebuggerActivation.h:
        (DebuggerActivation):
        * jsc.cpp:
        (GlobalObject::addFunction):
        (GlobalObject::addConstructableFunction):
        * runtime/Arguments.cpp:
        (JSC::Arguments::getOwnPropertySlot):
        (JSC::Arguments::getOwnPropertyDescriptor):
        (JSC::Arguments::put):
        (JSC::Arguments::deleteProperty):
        (JSC::Arguments::defineOwnProperty):
        * runtime/Arguments.h:
        (Arguments):
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::finishCreation):
        (JSC::ArrayConstructor::getOwnPropertySlot):
        (JSC::ArrayConstructor::getOwnPropertyDescriptor):
        * runtime/ArrayConstructor.h:
        (ArrayConstructor):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::getOwnPropertySlot):
        (JSC::ArrayPrototype::getOwnPropertyDescriptor):
        (JSC::putProperty):
        * runtime/ArrayPrototype.h:
        (ArrayPrototype):
        * runtime/BooleanConstructor.cpp:
        (JSC::BooleanConstructor::finishCreation):
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::getOwnPropertySlot):
        (JSC::BooleanPrototype::getOwnPropertyDescriptor):
        * runtime/BooleanPrototype.h:
        (BooleanPrototype):
        * runtime/ClassInfo.h:
        (MethodTable):
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::finishCreation):
        (JSC::DateConstructor::getOwnPropertySlot):
        (JSC::DateConstructor::getOwnPropertyDescriptor):
        * runtime/DateConstructor.h:
        (DateConstructor):
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::getOwnPropertySlot):
        (JSC::DatePrototype::getOwnPropertyDescriptor):
        * runtime/DatePrototype.h:
        (DatePrototype):
        * runtime/Error.h:
        (JSC::StrictModeTypeErrorFunction::create):
        * runtime/ErrorConstructor.cpp:
        (JSC::ErrorConstructor::finishCreation):
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::getOwnPropertySlot):
        (JSC::ErrorPrototype::getOwnPropertyDescriptor):
        * runtime/ErrorPrototype.h:
        (ErrorPrototype):
        * runtime/FunctionConstructor.cpp:
        (JSC::FunctionConstructor::finishCreation):
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::finishCreation):
        (JSC::FunctionPrototype::addFunctionProperties):
        (JSC::functionProtoFuncBind):
        * runtime/FunctionPrototype.h:
        (JSC::FunctionPrototype::create):
        (FunctionPrototype):
        * runtime/Identifier.cpp:
        (JSC):
        * runtime/Identifier.h:
        (Identifier):
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::finishCreation):
        * runtime/InternalFunction.h:
        (InternalFunction):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::symbolTableGet):
        (JSC::JSActivation::symbolTablePut):
        (JSC::JSActivation::symbolTablePutWithAttributes):
        (JSC::JSActivation::getOwnPropertySlot):
        (JSC::JSActivation::put):
        (JSC::JSActivation::putDirectVirtual):
        (JSC::JSActivation::deleteProperty):
        (JSC::JSActivation::argumentsGetter):
        * runtime/JSActivation.h:
        (JSActivation):
        * runtime/JSArray.cpp:
        (JSC::JSArray::defineOwnProperty):
        (JSC::JSArray::getOwnPropertySlot):
        (JSC::JSArray::getOwnPropertyDescriptor):
        (JSC::JSArray::put):
        (JSC::JSArray::deleteProperty):
        * runtime/JSArray.h:
        (JSArray):
        (JSC):
        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::create):
        (JSC::JSBoundFunction::finishCreation):
        * runtime/JSBoundFunction.h:
        (JSBoundFunction):
        * runtime/JSCell.cpp:
        (JSC::JSCell::getOwnPropertySlot):
        (JSC::JSCell::put):
        (JSC::JSCell::deleteProperty):
        (JSC::JSCell::putDirectVirtual):
        (JSC::JSCell::defineOwnProperty):
        (JSC::JSCell::getOwnPropertyDescriptor):
        * runtime/JSCell.h:
        (JSCell):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::create):
        (JSC::JSFunction::finishCreation):
        (JSC::JSFunction::argumentsGetter):
        (JSC::JSFunction::callerGetter):
        (JSC::JSFunction::lengthGetter):
        (JSC::JSFunction::getOwnPropertySlot):
        (JSC::JSFunction::getOwnPropertyDescriptor):
        (JSC::JSFunction::put):
        (JSC::JSFunction::deleteProperty):
        (JSC::JSFunction::defineOwnProperty):
        (JSC::getCalculatedDisplayName):
        * runtime/JSFunction.h:
        (JSFunction):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::put):
        (JSC::JSGlobalObject::putDirectVirtual):
        (JSC::JSGlobalObject::defineOwnProperty):
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::createThrowTypeError):
        (JSC::JSGlobalObject::getOwnPropertySlot):
        (JSC::JSGlobalObject::getOwnPropertyDescriptor):
        * runtime/JSGlobalObject.h:
        (JSGlobalObject):
        (JSC::JSGlobalObject::hasOwnPropertyForWrite):
        (JSC::JSGlobalObject::symbolTableHasProperty):
        * runtime/JSNotAnObject.cpp:
        (JSC::JSNotAnObject::getOwnPropertySlot):
        (JSC::JSNotAnObject::getOwnPropertyDescriptor):
        (JSC::JSNotAnObject::put):
        (JSC::JSNotAnObject::deleteProperty):
        * runtime/JSNotAnObject.h:
        (JSNotAnObject):
        * runtime/JSONObject.cpp:
        (JSC::JSONObject::getOwnPropertySlot):
        (JSC::JSONObject::getOwnPropertyDescriptor):
        * runtime/JSONObject.h:
        (JSONObject):
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        (JSC::JSObject::putDirectVirtual):
        (JSC::JSObject::putDirectAccessor):
        (JSC::JSObject::hasProperty):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::hasOwnProperty):
        (JSC::callDefaultValueFunction):
        (JSC::JSObject::findPropertyHashEntry):
        (JSC::JSObject::getPropertySpecificValue):
        (JSC::JSObject::removeDirect):
        (JSC::JSObject::getOwnPropertyDescriptor):
        (JSC::JSObject::getPropertyDescriptor):
        (JSC::putDescriptor):
        (JSC::JSObject::defineOwnProperty):
        * runtime/JSObject.h:
        (JSObject):
        (JSC::JSObject::getDirect):
        (JSC::JSObject::getDirectLocation):
        (JSC::JSObject::inlineGetOwnPropertySlot):
        (JSC::JSObject::getOwnPropertySlot):
        (JSC::JSCell::fastGetOwnPropertySlot):
        (JSC::JSObject::getPropertySlot):
        (JSC::JSObject::get):
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::putOwnDataProperty):
        (JSC::JSObject::putDirect):
        (JSC::JSObject::putDirectWithoutTransition):
        (JSC::JSValue::get):
        (JSC::JSValue::put):
        * runtime/JSStaticScopeObject.cpp:
        (JSC::JSStaticScopeObject::put):
        (JSC::JSStaticScopeObject::putDirectVirtual):
        (JSC::JSStaticScopeObject::getOwnPropertySlot):
        * runtime/JSStaticScopeObject.h:
        (JSStaticScopeObject):
        * runtime/JSString.cpp:
        (JSC::JSString::getOwnPropertySlot):
        (JSC::JSString::getStringPropertyDescriptor):
        * runtime/JSString.h:
        (JSString):
        (JSC::JSString::getStringPropertySlot):
        * runtime/JSValue.cpp:
        (JSC::JSValue::putToPrimitive):
        * runtime/JSValue.h:
        (JSC):
        (JSValue):
        * runtime/JSVariableObject.cpp:
        (JSC::JSVariableObject::deleteProperty):
        (JSC::JSVariableObject::symbolTableGet):
        (JSC::JSVariableObject::putDirectVirtual):
        * runtime/JSVariableObject.h:
        (JSVariableObject):
        (JSC::JSVariableObject::symbolTableGet):
        (JSC::JSVariableObject::symbolTablePut):
        (JSC::JSVariableObject::symbolTablePutWithAttributes):
        * runtime/Lookup.cpp:
        (JSC::setUpStaticFunctionSlot):
        * runtime/Lookup.h:
        (JSC::HashTable::entry):
        (JSC):
        (JSC::getStaticPropertySlot):
        (JSC::getStaticPropertyDescriptor):
        (JSC::getStaticFunctionSlot):
        (JSC::getStaticFunctionDescriptor):
        (JSC::getStaticValueSlot):
        (JSC::getStaticValueDescriptor):
        (JSC::lookupPut):
        * runtime/MathObject.cpp:
        (JSC::MathObject::getOwnPropertySlot):
        (JSC::MathObject::getOwnPropertyDescriptor):
        * runtime/MathObject.h:
        (MathObject):
        * runtime/NativeErrorConstructor.h:
        (JSC::NativeErrorConstructor::finishCreation):
        * runtime/NumberConstructor.cpp:
        (JSC):
        (JSC::NumberConstructor::finishCreation):
        (JSC::NumberConstructor::getOwnPropertySlot):
        (JSC::NumberConstructor::getOwnPropertyDescriptor):
        (JSC::NumberConstructor::put):
        (JSC::numberConstructorNaNValue):
        (JSC::numberConstructorNegInfinity):
        (JSC::numberConstructorPosInfinity):
        (JSC::numberConstructorMaxValue):
        (JSC::numberConstructorMinValue):
        * runtime/NumberConstructor.h:
        (NumberConstructor):
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::getOwnPropertySlot):
        (JSC::NumberPrototype::getOwnPropertyDescriptor):
        * runtime/NumberPrototype.h:
        (NumberPrototype):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::finishCreation):
        (JSC::ObjectConstructor::getOwnPropertySlot):
        (JSC::ObjectConstructor::getOwnPropertyDescriptor):
        * runtime/ObjectConstructor.h:
        (ObjectConstructor):
        * runtime/ObjectPrototype.cpp:
        (JSC::ObjectPrototype::put):
        (JSC::ObjectPrototype::defineOwnProperty):
        (JSC::ObjectPrototype::getOwnPropertySlot):
        (JSC::ObjectPrototype::getOwnPropertyDescriptor):
        * runtime/ObjectPrototype.h:
        (ObjectPrototype):
        * runtime/PropertySlot.h:
        (PropertySlot):
        (JSC::PropertySlot::getValue):
        * runtime/RegExpConstructor.cpp:
        (JSC):
        (JSC::RegExpConstructor::finishCreation):
        (JSC::RegExpConstructor::getOwnPropertySlot):
        (JSC::RegExpConstructor::getOwnPropertyDescriptor):
        (JSC::regExpConstructorDollar1):
        (JSC::regExpConstructorDollar2):
        (JSC::regExpConstructorDollar3):
        (JSC::regExpConstructorDollar4):
        (JSC::regExpConstructorDollar5):
        (JSC::regExpConstructorDollar6):
        (JSC::regExpConstructorDollar7):
        (JSC::regExpConstructorDollar8):
        (JSC::regExpConstructorDollar9):
        (JSC::regExpConstructorInput):
        (JSC::regExpConstructorMultiline):
        (JSC::regExpConstructorLastMatch):
        (JSC::regExpConstructorLastParen):
        (JSC::regExpConstructorLeftContext):
        (JSC::regExpConstructorRightContext):
        (JSC::RegExpConstructor::put):
        * runtime/RegExpConstructor.h:
        (RegExpConstructor):
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::getOwnPropertySlot):
        (JSC::RegExpMatchesArray::getOwnPropertyDescriptor):
        (JSC::RegExpMatchesArray::put):
        (JSC::RegExpMatchesArray::deleteProperty):
        (JSC::RegExpMatchesArray::defineOwnProperty):
        * runtime/RegExpObject.cpp:
        (JSC):
        (JSC::RegExpObject::getOwnPropertySlot):
        (JSC::RegExpObject::getOwnPropertyDescriptor):
        (JSC::RegExpObject::deleteProperty):
        (JSC::RegExpObject::defineOwnProperty):
        (JSC::regExpObjectGlobal):
        (JSC::regExpObjectIgnoreCase):
        (JSC::regExpObjectMultiline):
        (JSC::regExpObjectSource):
        (JSC::RegExpObject::put):
        * runtime/RegExpObject.h:
        (RegExpObject):
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::getOwnPropertySlot):
        (JSC::RegExpPrototype::getOwnPropertyDescriptor):
        * runtime/RegExpPrototype.h:
        (RegExpPrototype):
        * runtime/StrictEvalActivation.cpp:
        (JSC::StrictEvalActivation::deleteProperty):
        * runtime/StrictEvalActivation.h:
        (StrictEvalActivation):
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::finishCreation):
        (JSC::StringConstructor::getOwnPropertySlot):
        (JSC::StringConstructor::getOwnPropertyDescriptor):
        * runtime/StringConstructor.h:
        (StringConstructor):
        * runtime/StringObject.cpp:
        (JSC::StringObject::getOwnPropertySlot):
        (JSC::StringObject::getOwnPropertyDescriptor):
        (JSC::StringObject::put):
        (JSC::StringObject::defineOwnProperty):
        (JSC::StringObject::deleteProperty):
        * runtime/StringObject.h:
        (StringObject):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::getOwnPropertySlot):
        (JSC::StringPrototype::getOwnPropertyDescriptor):
        * runtime/StringPrototype.h:
        (StringPrototype):
        * runtime/Structure.cpp:
        (JSC::Structure::despecifyDictionaryFunction):
        (JSC::Structure::addPropertyTransitionToExistingStructure):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::removePropertyTransition):
        (JSC::Structure::despecifyFunctionTransition):
        (JSC::Structure::attributeChangeTransition):
        (JSC::Structure::addPropertyWithoutTransition):
        (JSC::Structure::removePropertyWithoutTransition):
        (JSC::Structure::get):
        (JSC::Structure::despecifyFunction):
        (JSC::Structure::putSpecificValue):
        (JSC::Structure::remove):
        * runtime/Structure.h:
        (Structure):
        (JSC::Structure::get):

2012-05-11  Michael Saboff  <msaboff@apple.com>

        Rolling out r116659.

        Causes ASSERT failures on bots.

        Rubber stamped by Geoff Garen.

        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        * heap/MarkStack.cpp:
        (JSC::MarkStackThreadSharedData::markingThreadMain):
        (JSC::MarkStackThreadSharedData::markingThreadStartFunc):
        (JSC::MarkStackThreadSharedData::MarkStackThreadSharedData):
        (JSC::MarkStackThreadSharedData::reset):
        (JSC::MarkStack::reset):
        (JSC):
        (JSC::SlotVisitor::copyAndAppend):
        * heap/MarkStack.h:
        (MarkStackThreadSharedData):
        (MarkStack):
        * runtime/JSString.h:
        (JSString):
        (JSC::JSString::finishCreation):
        (JSC::JSString::is8Bit):
        (JSC::JSRopeString::finishCreation):

2012-05-11  Oliver Hunt  <oliver@apple.com>

        Appease thread verifier when dealing with the JSC API's shared VM
        https://bugs.webkit.org/show_bug.cgi?id=86268

        Reviewed by Geoffrey Garen.

        If we're the shared VM, just disable the verifier.  This makes debug builds
        livable against non-webkit clients.

        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):

2012-05-11  Filip Pizlo  <fpizlo@apple.com>

        JIT memory allocator is not returning memory to the OS on Darwin
        https://bugs.webkit.org/show_bug.cgi?id=86047

        Reviewed by Geoff Garen.

        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::FixedVMPoolExecutableAllocator::notifyPageIsFree):

2012-05-11  Geoffrey Garen  <ggaren@apple.com>

        Clarified JSGlobalData (JavaScript VM) lifetime
        https://bugs.webkit.org/show_bug.cgi?id=85142

        Reviewed by Alexey Proskuryakov.

        (Follow-up fix.)

        * API/JSContextRef.cpp:
        (JSGlobalContextCreate): Restored some code I removed because I misread an #ifdef.
        (We don't need to test BUILDING_ON_LEOPARD, but we still need the linked-on
        test, because apps might have been linked on older OS's.)

2012-05-11  Sam Weinig  <sam@webkit.org>

        Fix crash seen when running with libgmalloc
        <rdar://problem/11435411>
        https://bugs.webkit.org/show_bug.cgi?id=86232

        Reviewed by Gavin Barraclough.

        * heap/MarkStack.cpp:
        (JSC::MarkStackThreadSharedData::markingThreadMain):
        Don't delete the SlotVisitor before the ParallelModeEnabler has had a chance to run its
        destructor.

2012-05-10  Gavin Barraclough  <barraclough@apple.com>

        Remove op_get_callee

        Rubber stamped by Geoff Garen.
        
        This is now redundant.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
        * bytecode/Opcode.h:
        (JSC):
        (JSC::padOpcodeName):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC):
        * jit/JITOpcodes32_64.cpp:
        (JSC):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2012-05-10  Gavin Barraclough  <barraclough@apple.com>

        Cache inheritorID on JSFunction
        https://bugs.webkit.org/show_bug.cgi?id=85853

        Reviewed by Geoff Garen & Filip Pizlo.

        An object's prototype is indicated via its structure.  To create an otherwise
        empty object with object A as its prototype, we require a structure with its
        prototype set to point to A.  We wish to use this same structure for all empty
        objects created with a prototype of A, so we presently store this structure as
        a property of A, known as the inheritorID.

        When a function F is invoked as a constructor, where F has a property 'prototype'
        set to point to A, in order to create the 'this' value for the constructor to
        use the following steps are taken:
          - the 'prototype' proptery of F is read, via a regular [[Get]] access.
          - the inheritorID internal property of the prototype is read.
          - a new, empty object is constructed with its structure set to point to inheritorID.

        There are two drawbacks to the current approach:
          - it requires that every object has an inheritorID field.
          - it requires a [[Get]] access on every constructor call to access the 'prototype' property.

        Instead, switch to caching a copy of the inheritorID on the function.  Constructor
        calls now only need read the internal property from the callee, saving a [[Get]].
        This also means that JSObject::m_inheritorID is no longer commonly read, and in a
        future patch we can move to storing this in a more memory efficient fashion.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
        * bytecode/Opcode.h:
        (JSC):
        (JSC::padOpcodeName):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitAllocateJSFunction):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_create_this):
        (JSC::JIT::emitSlow_op_create_this):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_create_this):
        (JSC::JIT::emitSlow_op_create_this):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::JSFunction):
        (JSC::JSFunction::cacheInheritorID):
        (JSC):
        (JSC::JSFunction::put):
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSFunction.h:
        (JSC::JSFunction::cachedInheritorID):
        (JSFunction):
        (JSC::JSFunction::offsetOfCachedInheritorID):

2012-05-10  Michael Saboff  <msaboff@apple.com>

        Enh: Hash Const JSString in Backing Stores to Save Memory
        https://bugs.webkit.org/show_bug.cgi?id=86024

        Reviewed by Filip Pizlo.

        During garbage collection, each marking thread keeps a HashMap of
        strings.  While visiting via MarkStack::copyAndAppend(), we check to
        see if the string we are visiting is already in the HashMap.  If not
        we add it.  If so, we change the reference to the current string we're
        visiting to the prior string.

        To somewhat reduce the performance impact of this change, if a string
        is unique at the end of a marking it will not be checked during further
        GC phases.  In some cases this won't catch all duplicates, but we are
        trying to catch the growth of duplicate strings.

        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        * heap/MarkStack.cpp:
        (JSC::MarkStackThreadSharedData::resetChildren): New method called by the 
        main thread to reset the slave threads.  This is primarily done to
        clear the m_uniqueStrings HashMap.
        (JSC):
        (JSC::MarkStackThreadSharedData::markingThreadMain):
        (JSC::MarkStackThreadSharedData::markingThreadStartFunc):
        (JSC::MarkStackThreadSharedData::MarkStackThreadSharedData):
        (JSC::MarkStackThreadSharedData::reset):
        (JSC::MarkStack::reset): Added call to clear m_uniqueStrings.
        (JSC::MarkStack::internalAppend): New method that performs the hash consting.
        (JSC::SlotVisitor::copyAndAppend): Changed to call the new hash consting
        internalAppend()
        * heap/MarkStack.h:
        (MarkStackThreadSharedData):
        (MarkStack):
        (JSC::MarkStack::sharedData):
        * runtime/JSString.h:
        (JSString): Added m_isHashConstSingleton flag, accessors for the flag and
        code to initialize the flag.
        (JSC::JSString::finishCreation):
        (JSC::JSString::isHashConstSingleton):
        (JSC::JSString::clearHashConstSingleton):
        (JSC::JSString::setHashConstSingleton):
        (JSC::JSRopeString::finishCreation):

2012-05-09  Filip Pizlo  <fpizlo@apple.com>

        JIT memory allocator is not returning memory to the OS on Darwin
        https://bugs.webkit.org/show_bug.cgi?id=86047
        <rdar://problem/11414948>

        Reviewed by Geoff Garen.
        
        Work around the problem by using a different madvise() flag, but only for the JIT memory
        allocator. Also put in ASSERTs that the call is actually working.

        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::FixedVMPoolExecutableAllocator::notifyNeedPage):
        (JSC::FixedVMPoolExecutableAllocator::notifyPageIsFree):

2012-05-09  Filip Pizlo  <fpizlo@apple.com>

        It should be possible to get useful debug logging from the JIT memory allocator
        https://bugs.webkit.org/show_bug.cgi?id=86042

        Reviewed by Geoff Garen.

        * jit/ExecutableAllocator.h:

2012-05-09  Gavin Barraclough  <barraclough@apple.com>

        GC race condition in OpaqueJSClass::prototype
        https://bugs.webkit.org/show_bug.cgi?id=86034

        Build fix.

        * API/JSClassRef.cpp:
        (OpaqueJSClass::prototype):
            - Eeeep, landed bad version of patch!

2012-05-09  Gavin Barraclough  <barraclough@apple.com>

        GC race condition in OpaqueJSClass::prototype
        https://bugs.webkit.org/show_bug.cgi?id=86034

        Reviewed by Filip Pizlo.

        The bug here is basically:
            if (weakref) weakref->method()
        where a GC may occur between the if & the method call.

        * API/JSClassRef.cpp:
        (OpaqueJSClass::prototype):

2012-05-09  Mark Hahnenberg  <mhahnenberg@apple.com>

        CopiedSpace does not add pinned blocks back to the to-space filter
        https://bugs.webkit.org/show_bug.cgi?id=86011

        Reviewed by Geoffrey Garen.

        After a collection has finished, we go through the blocks in from-space 
        and move any of them that are pinned into to-space. At the beginning of 
        collection, we reset the to-space block filter that is used during 
        conservative scanning and add back the blocks that are filled during the 
        collection. However, we neglect to add back those blocks that are moved 
        from from-space to to-space, which can cause the conservative scan to 
        think that some pinned items are not actually in CopiedSpace.

        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::doneCopying): Add the pinned blocks back to the 
        to-space filter. Also added a comment and assert for future readers that 
        indicates that it's okay that we don't also add the block to the 
        to-space block set since it was never removed.


2012-05-09  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GTK] Use independent version numbers for public libraries
        https://bugs.webkit.org/show_bug.cgi?id=85984

        Reviewed by Gustavo Noronha Silva.

        * GNUmakefile.am: Use LIBJAVASCRIPTCOREGTK_VERSION for library
        version.

2012-05-09  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GTK] Do not install JavaScriptCore platform-specific headers
        https://bugs.webkit.org/show_bug.cgi?id=85983

        Reviewed by Gustavo Noronha Silva.

        JavaScriptCore.h includes JSStringRefCF.h unconditionally. It was
        renamed to JavaScript.h in r29234 and it still exists for
        compatibility with mac and windows users.

        * GNUmakefile.list.am: Remove JavaScriptCore.h, JSStringRefCF.h
        and JSStringRefBSTR.h from the sources and headers list.

2012-05-08  Gavin Barraclough  <barraclough@apple.com>

        ROLLING OUT r114255
        
        GC in the middle of JSObject::allocatePropertyStorage can cause badness
        https://bugs.webkit.org/show_bug.cgi?id=83839

        Reviewed by nobody.

        This breaks the world, with COLLECT_ON_EVERY_ALLOCATION enabled.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/JSObject.cpp:
        (JSC::JSObject::allocatePropertyStorage):
        * runtime/JSObject.h:
        (JSObject):
        (JSC::JSObject::isUsingInlineStorage):
        (JSC):
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::putDirectWithoutTransition):
        (JSC::JSObject::transitionTo):
        * runtime/Structure.cpp:
        (JSC):
        * runtime/Structure.h:
        (JSC::Structure::didTransition):

2012-05-08  Mark Hahnenberg  <mhahnenberg@apple.com>

        Heap should not continually allocate new pages in steady state
        https://bugs.webkit.org/show_bug.cgi?id=85936

        Reviewed by Geoff Garen.

        Currently, in steady state (i.e. a constant amount of live GC 
        memory with a constant rate of allocation) assuming we've just 
        finished a collection with X live blocks in CopiedSpace, we 
        increase our working set by X blocks in CopiedSpace with each 
        collection we perform. This is due to the fact that we allocate 
        until we run out of free blocks to use in the Heap before we 
        consider whether we should run a collection. 

        In the longer term, this issue will be mostly resolved by 
        implementing quick release for the CopiedSpace. In the shorter 
        term, we should change our policy to check whether we should 
        allocate before trying to use a free block from the Heap. We 
        can change our policy to something more appropriate once we 
        have implemented quick release.

        This change should also have the convenient side effect of 
        reducing the variance in GC-heavy tests (e.g. v8-splay) due 
        to fact that we are doing less VM allocation during copying 
        collection. Overall, this patch is performance neutral across 
        the benchmarks we track.

        * heap/CopiedSpace.cpp: 
        (JSC::CopiedSpace::getFreshBlock): Shuffle the request from the BlockAllocator
        around so that we only do it if the block request must succeed 
        i.e. after we've already checked whether we should do a collection.
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::allocateSlowCase): Ditto.
        (JSC::MarkedAllocator::allocateBlock): We no longer have a failure mode in this 
        function because by the time we've called it, we've already checked whether we 
        should run a collection so there's no point in returning null.
        * heap/MarkedAllocator.h: Removing old arguments from function declaration.
        (MarkedAllocator):

2012-05-08  Gavin Barraclough  <barraclough@apple.com>

        SIGFPE on divide in classic interpreter
        https://bugs.webkit.org/show_bug.cgi?id=85917

        Rubber stamped by Oliver Hunt.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
            - check for divisor of -1.

2012-05-07  Oliver Hunt  <oliver@apple.com>

        Rolling out r110287

        RS=Filip Pizlo

        r110287 was meant to be refactoring only, but changed behavior
        enough to break some websites, including qq.com.

2012-05-07  Andy Estes  <aestes@apple.com>

        ENABLE_IFRAME_SEAMLESS should be part of FEATURE_DEFINES.

        * Configurations/FeatureDefines.xcconfig:

2012-05-07  Oliver Hunt  <oliver@apple.com>

        Fix release build.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):

2012-05-07  Oliver Hunt  <oliver@apple.com>

        LLInt doesn't check for Ropes when performing a character switch
        https://bugs.webkit.org/show_bug.cgi?id=85837

        Reviewed by Filip Pizlo.

        Make LLint check if the scrutinee of a char switch is a rope, and if
        so fall back to a slow case.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (LLInt):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2012-05-07  Eric Seidel  <eric@webkit.org>

        Add ENABLE_IFRAME_SEAMLESS so Apple can turn off SEAMLESS if needed
        https://bugs.webkit.org/show_bug.cgi?id=85822

        Reviewed by Adam Barth.

        * Configurations/FeatureDefines.xcconfig:

2012-05-05  Gavin Barraclough  <barraclough@apple.com>

        Remove TrustedImm32::m_isPointer
        https://bugs.webkit.org/show_bug.cgi?id=85726

        Rubber stamped by Sam Weinig.

        We used to rely on being able to generate code with known, fixed offsets – to do so we
        would inhibit more optimal code generation for pointers. This is no longer necessary.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::TrustedImm32::TrustedImm32):
        (TrustedImm32):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::store32):
        (JSC::MacroAssemblerARM::move):
        (JSC::MacroAssemblerARM::branch32):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::move):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::add32):
        (JSC::MacroAssemblerMIPS::and32):
        (JSC::MacroAssemblerMIPS::mul32):
        (JSC::MacroAssemblerMIPS::or32):
        (JSC::MacroAssemblerMIPS::sub32):
        (JSC::MacroAssemblerMIPS::store32):
        (JSC::MacroAssemblerMIPS::move):

2012-05-04  Filip Pizlo  <fpizlo@apple.com>

        DFG should not Flush GetLocal's
        https://bugs.webkit.org/show_bug.cgi?id=85663
        <rdar://problem/11373600>

        Reviewed by Oliver Hunt.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::flushArgument):
        (JSC::DFG::ByteCodeParser::handleCall):

2012-05-04  Allan Sandfeld Jensen  <allan.jensen@nokia.com>

        Doesn't build with ENABLE_JIT=0 
        https://bugs.webkit.org/show_bug.cgi?id=85042

        Reviewed by Gavin Barraclough.

        * bytecode/Operands.h:

2012-05-03  Oliver Hunt  <oliver@apple.com>

        Regression(r114702): Clobbering the caller frame register before we've stored it.
        https://bugs.webkit.org/show_bug.cgi?id=85564

        Reviewed by Filip Pizlo.

        Don't use t0 as a temporary, when we're about to use the value in t0.

        * llint/LowLevelInterpreter32_64.asm:

2012-05-03  Mark Hahnenberg  <mhahnenberg@apple.com>

        Removing remainder of accidental printfs.

        * heap/Heap.cpp:
        (JSC::Heap::collect):

2012-05-03  Andy Estes  <aestes@apple.com>

        If you add printf()s to your garbage collector, the layout tests are gonna have a bad time.

        * runtime/GCActivityCallbackCF.cpp:
        (JSC::DefaultGCActivityCallbackPlatformData::timerDidFire):

2012-05-03  Mark Hahnenberg  <mhahnenberg@apple.com>

        Heap::reportAbandonedObjectGraph should not hasten an allocation-triggered collection
        https://bugs.webkit.org/show_bug.cgi?id=85543

        Reviewed by Filip Pizlo.

        Currently reportAbandonedObjectGraph causes the Heap to think it is closer to its 
        allocation limit for the current cycle, thus hastening an allocation-triggered collection. 
        In reality, it should just affect the opportunistic GC timer. We should track the bytes 
        we think have been abandoned and the bytes that have been allocated separately.

        * heap/Heap.cpp: Added a new field m_abandonedBytes to Heap to keep track of how much 
        we think we've abandoned.
        (JSC::Heap::Heap): 
        (JSC::Heap::reportAbandonedObjectGraph): 
        (JSC):
        (JSC::Heap::didAbandon): Added this function for reportAbandonedObjectGraph to call 
        rather than didAllocate. Works the same as didAllocate, but modifies bytes abandoned rather 
        than bytes allocated. Also notifies the timer, summing the two values together.
        (JSC::Heap::collect):
        (JSC::Heap::didAllocate): Now adds the bytes allocated and bytes abandoned when reporting 
        to GCActivityCallback.
        * heap/Heap.h:
        (Heap):

2012-05-02  Eric Seidel  <eric@webkit.org>

        Sort ENABLE_ defines in FeatureDefines.xcconfig files to make them easier to compare with one another (and easier to autogenerate)
        https://bugs.webkit.org/show_bug.cgi?id=85433

        Reviewed by Adam Barth.

        I have a script which can autogenerate these xcconfig files as well as the
        vsprops files (and soon the Chromium, cmake, gnumake and qmake) feature lists
        from a central feature list file.
        In preparation for posting such a tool, I'm re-sorting these xcconfig files to be
        alphabetically ordered (currently they're close, but not quite).
        There is also at least one inconsistency between these files (CSS_LEGACY_PREFIXES) which
        I will fix in a second pass.  I will also sort the FEATURE_DEFINES = line in a follow-up patch.

        * Configurations/FeatureDefines.xcconfig:

2012-05-02  Hojong Han  <hojong.han@samsung.com>

        ARM_TRADITIONAL build fix
        https://bugs.webkit.org/show_bug.cgi?id=85358

        Reviewed by Gavin Barraclough.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::lshift32):
        (MacroAssemblerARM):
        (JSC::MacroAssemblerARM::or32):
        (JSC::MacroAssemblerARM::urshift32):
        (JSC::MacroAssemblerARM::xor32):
        (JSC::MacroAssemblerARM::branchSub32):

2012-05-02  Mark Hahnenberg  <mhahnenberg@apple.com>

        Opportunistic GC should give up if the Heap is paged out
        https://bugs.webkit.org/show_bug.cgi?id=85411

        Reviewed by Filip Pizlo.

        Opportunistic GC is punishing us severely in limited memory situations because its 
        assumptions about how much time a collection will take are way out of whack when the Heap 
        has been paged out by the OS. We should add a simple detection function to the Heap that 
        detects if its is paged out. It will do this by iterating each block of both the MarkedSpace 
        and CopiedSpace. If that operation takes longer than a fixed amount of time (e.g. 100ms), 
        the function returns true. This function will only be run prior to an opportunistic 
        collection (i.e. it will not run during our normal allocation-triggered collections).

        In my tests, steady state was drastically improved in high memory pressure situations (i.e. 
        the browser was still usable, significant reduction in SPODs). Occasionally, a normal GC
        would be triggered due to pages doing things in the background, which would cause a 
        significant pause. As we close pages we now cause normal collections rather than full 
        collections, which prevents us from collecting all of the dead memory immediately. One 
        nice way to deal with this issue might be to do incremental sweeping.


        * heap/CopiedSpace.cpp:
        (JSC::isBlockListPagedOut): Helper function to reduce code duplication when iterating over 
        to-space, from-space, and the oversize blocks.
        (JSC):
        (JSC::CopiedSpace::isPagedOut): Tries to determine whether or not CopiedSpace is paged out
        by iterating all of the blocks.
        * heap/CopiedSpace.h:
        (CopiedSpace):
        * heap/Heap.cpp:
        (JSC::Heap::isPagedOut): Tries to determine whether the Heap is paged out by asking the 
        MarkedSpace and CopiedSpace if they are paged out.
        (JSC):
        * heap/Heap.h:
        (Heap):
        (JSC::Heap::increaseLastGCLength): Added this so that the GC timer can linearly back off 
        each time it determines that the Heap is paged out.
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::isPagedOut): Tries to determine if this particular MarkedAllocator's
        list of blocks are paged out.
        (JSC):
        * heap/MarkedAllocator.h:
        (MarkedAllocator):
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::isPagedOut): For each MarkedAllocator, check to see if they're paged out.
        * heap/MarkedSpace.h:
        (MarkedSpace):
        * runtime/GCActivityCallback.cpp:
        (JSC::DefaultGCActivityCallback::cancel):
        (JSC):
        * runtime/GCActivityCallback.h:
        (JSC::GCActivityCallback::cancel):
        (DefaultGCActivityCallback):
        * runtime/GCActivityCallbackCF.cpp: Added a constant of 100ms for the timeout in determining
        whether the Heap is paged out or not.
        (JSC):
        (JSC::DefaultGCActivityCallbackPlatformData::timerDidFire): Added the check to see if we 
        should attempt a collection based on whether or not we can iterate the blocks of the Heap in 
        100ms. If we can't, we cancel the timer and tell the Heap we just wasted 100ms more trying to 
        do a collection. This gives us a nice linear backoff so we're not constantly re-trying in
        steady state paged-out-ness.
        (JSC::DefaultGCActivityCallback::cancel): Added this function which, while currently doing 
        exactly the same thing as willCollect, is more obvious as to what it's doing when we call it 
        in timerDidFire.

2012-05-02  Yong Li  <yoli@rim.com>

        Fix GCC X86 build error
        https://bugs.webkit.org/show_bug.cgi?id=85379

        Reviewed by Rob Buis.

        Always explicitly claim ".text" to make sure
        functions defined with inline assembly will be
        created in the correct section.

        * dfg/DFGOperations.cpp:
        (JSC):

2012-05-02  Oliver Hunt  <oliver@apple.com>

        Unreviewed, rolling out r115388.
        http://trac.webkit.org/changeset/115388
        https://bugs.webkit.org/show_bug.cgi?id=85011

        This caused many weird performance problems, and needs to be
        landed in pieces.

        * dfg/DFGOperations.cpp:
        * heap/Heap.cpp:
        (JSC::Heap::getConservativeRegisterRoots):
        (JSC::Heap::markRoots):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::dumpCaller):
        (JSC):
        * interpreter/CallFrame.h:
        (JSC::ExecState::init):
        (ExecState):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall):
        (JSC::Interpreter::privateExecute):
        * interpreter/Interpreter.h:
        (JSC::Interpreter::execute):
        * interpreter/RegisterFile.cpp:
        (JSC::RegisterFile::growSlowCase):
        (JSC::RegisterFile::gatherConservativeRoots):
        * interpreter/RegisterFile.h:
        (JSC::RegisterFile::end):
        (JSC::RegisterFile::size):
        (JSC::RegisterFile::addressOfEnd):
        (RegisterFile):
        (JSC::RegisterFile::RegisterFile):
        (JSC::RegisterFile::shrink):
        (JSC::RegisterFile::grow):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC::jitCompileFor):
        (JSC::lazyLinkFor):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::handleHostCall):
        * llint/LowLevelInterpreter.asm:
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::arityCheckFor):

2012-05-01  Oliver Hunt  <oliver@apple.com>

        Physijs demo crashes due to DFG not updating topCallFrame correctly.
        https://bugs.webkit.org/show_bug.cgi?id=85311

        Reviewed by Filip Pizlo.

        A few of the dfg operations failed to correctly set the topCallFrame,
        and so everything goes wrong.  This patch corrects the effected operations,
        and makes debug builds poison topCallFrame before calling a dfg operation.

        * dfg/DFGOperations.cpp:
        (JSC::DFG::putByVal):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::prepareForExternalCall):
        (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheck):
        (JSC::DFG::SpeculativeJIT::appendCallSetResult):

2012-04-30  Gavin Barraclough  <barraclough@apple.com>

        Should be able to use YARR JIT without the JS language JIT
        https://bugs.webkit.org/show_bug.cgi?id=85252

        Reviewed by Geoff Garen.

        Need to split canUseRegExpJIT out of canUseJIT.

        * runtime/JSGlobalData.cpp:
        (JSC):
        (JSC::useJIT):
        (JSC::JSGlobalData::JSGlobalData):
            - replace m_canUseJIT with m_canUseAssembler
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        (JSC::JSGlobalData::canUseRegExpJIT):
            - Added canUseRegExpJIT, distinct from canUseJIT.
        * runtime/RegExp.cpp:
        (JSC::RegExp::compile):
        (JSC::RegExp::compileMatchOnly):
            - Call canUseRegExpJIT instead of canUseJIT.

2012-04-30  Gavin Barraclough  <barraclough@apple.com>

        Should be able to build YARR JIT without the JS language JIT
        https://bugs.webkit.org/show_bug.cgi?id=85242

        Reviewed by Michael Saboff.

        Some build macros are wrong.

        * assembler/RepatchBuffer.h:
        * jit/ExecutableAllocator.h:
        (JSC):
        * jit/JITExceptions.cpp:
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreadingOnce):

2012-04-26  Gavin Barraclough  <barraclough@apple.com>

        Arguments object resets attributes on redefinition of a parameter
        https://bugs.webkit.org/show_bug.cgi?id=84994

        Rubber stamped by Oliver Hunt.

        There is a bug that we always re-add the original property before
        redefinition, doing so in a way that will reset the attributes
        without checking configurability.

        * runtime/Arguments.cpp:
        (JSC::Arguments::defineOwnProperty):
            - Only instantiate the property once - do not re-add if
              it has already been added, or if it has been deleted.

2012-04-30  Ryosuke Niwa  <rniwa@webkit.org>

        Remove an erroneous assertion after r115655.

        * runtime/NumberPrototype.cpp:
        (JSC::toUStringWithRadix):

2012-04-30  Myles Maxfield  <mmaxfield@google.com>

        End of Interpreter::tryCacheGetByID can trigger the garbage collector
        https://bugs.webkit.org/show_bug.cgi?id=84927

        Reviewed by Oliver Hunt.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::tryCacheGetByID):

2012-04-30  Benjamin Poulain  <benjamin@webkit.org>

        jsSingleCharacterString and jsSingleCharacterSubstring are not inlined
        https://bugs.webkit.org/show_bug.cgi?id=85147

        Reviewed by Darin Adler.

        The functions jsSingleCharacterString() and jsSingleCharacterSubstring() were not inlined
        by the compiler. This annihilate the gains of using SmallStrings.

        On stringProtoFuncCharAt(), this patch improves the performance by 11%.

        * runtime/JSString.h:
        (JSC::jsSingleCharacterString):
        (JSC::jsSingleCharacterSubstring):

2012-04-30  Benjamin Poulain  <bpoulain@apple.com>

        Add fast patch for radix == 10 on numberProtoFuncToString
        https://bugs.webkit.org/show_bug.cgi?id=85120

        Reviewed by Darin Adler.

        When radix, we use to turn the doubleValue into a JSValue just to convert
        it to a String. The problem is that was using the slow path for conversion and
        for the toString() operation.

        This patch shortcuts the creation of a JSValue and uses NumericStrings directly.
        The conversion is split between Integer and Double to ensure the fastest conversion
        for the common case of integer arguments.

        Converting number with radix 10 becomes 5% faster.

        Due to the simpler conversion of number to string for integer, converting
        integers that do not fall in the two previous optimizations get 32% faster.

        * runtime/NumberPrototype.cpp:
        (JSC::extractRadixFromArgs):
        (JSC::integerValueToString):
        (JSC::numberProtoFuncToString):

2012-04-30  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix make distcheck.

        * GNUmakefile.list.am: Add missing header.

2012-04-28  Geoffrey Garen  <ggaren@apple.com>

        Factored threaded block allocation into a separate object
        https://bugs.webkit.org/show_bug.cgi?id=85148

        Reviewed by Sam Weinig.

        99% of this patch just moves duplicated block allocation and 
        deallocation code into a new object named BlockAllocator, with these 
        exceptions:

        * heap/BlockAllocator.h: Added.
        (BlockAllocator::BlockAllocator): The order of declarations here now 
        guards us against an unlikely race condition during startup.

        * heap/BlockAllocator.cpp:
        JSC::BlockAllocator::blockFreeingThreadMain): Added a FIXME to 
        highlight a lack of clarity we have in our block deallocation routines.

2012-04-28  Sam Weinig  <sam@webkit.org>

        Try to fix the Qt build.

        * heap/Heap.cpp:
        (JSC::Heap::lastChanceToFinalize):

2012-04-28  Geoffrey Garen  <ggaren@apple.com>

        Try to fix the Windows build.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-04-28  Geoffrey Garen  <ggaren@apple.com>

        Clarified JSGlobalData (JavaScript VM) lifetime
        https://bugs.webkit.org/show_bug.cgi?id=85142

        Reviewed by Anders Carlsson.

        This was so confusing that I didn't feel like I could reason about 
        memory lifetime in the heap without fixing it.

        The rules are:

        (1) JSGlobalData owns the virtual machine and all memory in it.

        (2) Deleting a JSGlobalData frees the virtual machine and all memory 
        in it.

        (Caveat emptor: if you delete the virtual machine while you're running 
        JIT code or accessing GC objects, you're gonna have a bad time.)

        (I opted not to make arbitrary sub-objects keep the virtual machine 
        alive automatically because:

                (a) doing that right would be complex and slow;

                (b) in the case of an exiting thread or process, there's no 
                clear way to give the garbage collector a chance to try again 
                later; 

                (c) continuing to run the garbage collector after we've been 
                asked to shut down the virtual machine seems rude;

                (d) we've never really supported that feature, anyway.)

        (3) Normal ref-counting will do. No need to call a battery of 
        specialty functions to tear down a JSGlobalData. Its foibles 
        notwithstanding, C++ does in fact know how to execute destructors in 
        order.

        * API/JSContextRef.cpp:
        (JSGlobalContextCreate): Removed compatibility shim for older 
        operating systems because it's no longer used.

        (JSGlobalContextRelease): Now that we can rely on JSGlobalData to "do 
        the right thing", this code is much simpler. We still have one special 
        case to notify the garbage collector if we're removing the last 
        reference to the global object, since this can improve memory behavior.

        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::freeAllBlocks):
        * heap/CopiedSpace.h:
        (CopiedSpace): Renamed "destroy" => "freeAllBlocks" because true 
        destruction-time behaviors should be limited to our C++ destructor.

        * heap/Heap.cpp:
        (JSC::Heap::~Heap):
        (JSC):
        (JSC::Heap::lastChanceToFinalize):
        * heap/Heap.h:
        (Heap):
        (JSC::Heap::heap): Renamed "destroy" => "lastChanceToFinalize" because 
        true destruction-time behaviors should be limited to our C++ 
        destructor.

        Reorganized the code, putting code that must run before any objects 
        get torn down into lastChanceToFinalize, and code that just tears down 
        objects into our destructor.

        * heap/Local.h:
        (JSC::LocalStack::LocalStack):
        (JSC::LocalStack::push):
        (LocalStack): See rule (2).

        * jsc.cpp:
        (functionQuit):
        (main):
        (printUsageStatement):
        (parseArguments):
        (jscmain):
        * testRegExp.cpp:
        (main):
        (printUsageStatement):
        (parseArguments):
        (realMain): See rule (3).

        I removed the feature of ensuring orderly tear-down when calling quit()
        or running in --help mode because it didn't seem very useful and 
        making it work with Windows structured exception handling and 
        NO_RETURN didn't seem like a fun way to spend a Saturday.

        * runtime/JSGlobalData.h:
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData): Moved heap to be the first data 
        member in JSGlobalData to ensure that it's destructed last, so other 
        objects that reference it destruct without crashing. This allowed me 
        to remove clearBuiltinStructures() altogether, and helped guarantee 
        rule (3).

        (JSC::JSGlobalData::~JSGlobalData): Explicitly call 
        lastChanceToFinalize() at the head of our destructor to ensure that 
        all pending finalizers run while the virtual machine is still in a 
        valid state. Trying to resurrect (re-ref) the virtual machine at this 
        point is not valid, but all other operations are.

        Changed a null to a 0xbbadbeef to clarify just how bad this beef is.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSGlobalObject.h:
        (JSGlobalObject):
        (JSC::JSGlobalObject::globalData): See rule (3).

2012-04-27  Geoffrey Garen  <ggaren@apple.com>

        Try to fix the Windows build.

        * heap/WeakBlock.h:
        (WeakBlock):

2012-04-27  Geoffrey Garen  <ggaren@apple.com>

        Made WeakSet::allocate() static and removed its JSGlobalData argument
        https://bugs.webkit.org/show_bug.cgi?id=85128

        Reviewed by Anders Carlsson.

        This is a step toward faster finalization.

        WeakSet::allocate() now deduces which WeakSet to allocate from based on
        its JSCell* argument. (Currently, there's only one WeakSet, but soon
        there will be many.)

        This was a global replace of "globalData.heap.weakSet()->allocate" with
        "WeakSet::allocate", plus by-hand removal of the JSGlobalData argument.

        * heap/WeakSetInlines.h: Copied from Source/JavaScriptCore/heap/WeakSet.h.

        I had to split out WeakSet::allocate() in to a separate header to avoid
        a cycle.

        (JSC::WeakSet::allocate): We can mask the pointer we're passed to
        figure out where to allocate our WeakImpl. (Soon, we'll use this to
        associate the WeakImpl with the GC block it references.)

2012-04-27  Geoffrey Garen  <ggaren@apple.com>

        Stop using aligned allocation for WeakBlock
        https://bugs.webkit.org/show_bug.cgi?id=85124

        Reviewed by Anders Carlsson.

        We don't actually use the alignment for anything.

        * heap/WeakBlock.cpp:
        (JSC::WeakBlock::create):
        (JSC::WeakBlock::WeakBlock): Switched from aligned allocation to regular
        allocation.

        * heap/WeakBlock.h:
        (WeakBlock): Don't use HeapBlock because HeapBlock requires aligned
        allocation. This change required me to add some declarations that we used
        to inherit from HeapBlock.

        (WeakBlock::blockFor): Removed. This function relied on aligned allocation
        but didn't do anything for us.

        (WeakBlock::deallocate): Removed. WeakBlock doesn't own any of the deallocation
        logic, so it shouldn't own the function.

        * heap/WeakSet.cpp:
        (JSC::WeakSet::~WeakSet):
        (JSC::WeakSet::finalizeAll):
        (JSC::WeakSet::visitLiveWeakImpls):
        (JSC::WeakSet::visitDeadWeakImpls):
        (JSC::WeakSet::sweep):
        (JSC::WeakSet::shrink):
        (JSC::WeakSet::resetAllocator):
        (JSC::WeakSet::tryFindAllocator):
        * heap/WeakSet.h:
        (WeakSet): Updated declarations to reflect WeakBlock not inheriting from
        HeapBlock. This allowed me to remove some casts, which was nice.

        (JSC::WeakSet::deallocate): Directly set the deallocated flag instead of
        asking WeakBlock to do it for us.  We don't need to have a WeakBlock
        pointer to set the flag, so stop asking for one.

2012-04-27  Kentaro Hara  <haraken@chromium.org>

        [JSC] Implement a helper method createNotEnoughArgumentsError()
        https://bugs.webkit.org/show_bug.cgi?id=85102

        Reviewed by Geoffrey Garen.

        In bug 84787, kbr@ requested to avoid hard-coding
        createTypeError(exec, "Not enough arguments") here and there.
        This patch implements createNotEnoughArgumentsError(exec)
        and uses it in JSC bindings.

        c.f. a corresponding bug for V8 bindings is bug 85097.

        * runtime/Error.cpp:
        (JSC::createNotEnoughArgumentsError):
        (JSC):
        * runtime/Error.h:
        (JSC):

2012-04-27  Geoffrey Garen  <ggaren@apple.com>

        Only allow non-null pointers in the WeakSet
        https://bugs.webkit.org/show_bug.cgi?id=85119

        Reviewed by Darin Adler.

        This is a step toward more efficient finalization.

        No clients put non-pointers (JSValues) into Weak<T> and PassWeak<T>.

        Some clients put null pointers into Weak<T> and PassWeak<T>, but this is
        more efficient and straight-forward to model with a null in the Weak<T>
        or PassWeak<T> instead of allocating a WeakImpl just to hold null.

        * heap/PassWeak.h:
        (JSC): Removed the Unknown (JSValue) type of weak pointer because it's
        unused now.

        (PassWeak): Don't provide a default initializer for our JSCell* argument.
        This feature was only used in one place, and it was a bug.

        (JSC::::get): Don't check for a null stored inside our WeakImpl: that's 
        not allowed anymore.

        (JSC::PassWeak::PassWeak): Handle null as a null WeakImpl instead of
        allocating a WeakImpl and storing null into it.

        * heap/Weak.h:
        (Weak):
        (JSC::::Weak): Same changes as in PassWeak<T>.

        * heap/WeakBlock.cpp:
        (JSC::WeakBlock::visitLiveWeakImpls):
        (JSC::WeakBlock::visitDeadWeakImpls): Only non-null cells are valid in
        the WeakSet now, so no need to check for non-cells and null cell pointers.

        * heap/WeakImpl.h:
        (JSC::WeakImpl::WeakImpl): Only non-null cells are valid in the WeakSet
        now, so ASSERT that.

2012-04-27  Gavin Barraclough  <barraclough@apple.com>

        <rdar://problem/7909395> Math in JavaScript is inaccurate on iOS

        By defalut IEEE754 denormal support is disabled on iOS;
        turn it on.

        Reviewed by Filip Pizlo.

        * jsc.cpp:
        (main):
            - clear the appropriate bit in the fpscr.

2012-04-27  Michael Saboff  <msaboff@apple.com>

        Memory wasted in JSString for non-rope strings
        https://bugs.webkit.org/show_bug.cgi?id=84907

        Reviewed by Geoffrey Garen.

        Split JSString into two classes, JSString as a base class that does not
        include the fibers of a Rope, and a subclass JSRopeString that has the
        rope functionality.  Both classes "share" the same ClassInfo.  Added
        a bool to JSString to indicate that the string was allocated as a JSRopeString
        to properly handle visiting the fiber children when the rope is resolved and
        the JSRopeString appears as a JSString.  Didn't change the interface of JSString
        to require any JIT changes.

        As part of this change, removed "cellSize" from ClassInfo since both classes
        share the same ClassInfo, but have different sizes.  The only use I could find
        for cellSize was an ASSERT in allocateCell().

        This appears to be neutral on performance tests.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Changed JSString::resolveRope
                to JSRopeString::resolveRope
        * runtime/ClassInfo.h:
        (JSC):
        (ClassInfo):
        * runtime/JSCell.h:
        (JSC::allocateCell):
        * runtime/JSString.cpp:
        (JSC::JSRopeString::RopeBuilder::expand):
        (JSC::JSString::visitChildren):
        (JSC):
        (JSC::JSRopeString::visitFibers):
        (JSC::JSRopeString::resolveRope):
        (JSC::JSRopeString::resolveRopeSlowCase8):
        (JSC::JSRopeString::resolveRopeSlowCase):
        (JSC::JSRopeString::outOfMemory):
        (JSC::JSRopeString::getIndexSlowCase):
        * runtime/JSString.h:
        (JSC):
        (JSString):
        (JSC::JSString::finishCreation):
        (JSC::JSString::create):
        (JSC::JSString::isRope):
        (JSC::JSString::is8Bit):
        (JSRopeString):
        (RopeBuilder):
        (JSC::JSRopeString::RopeBuilder::RopeBuilder):
        (JSC::JSRopeString::RopeBuilder::append):
        (JSC::JSRopeString::RopeBuilder::release):
        (JSC::JSRopeString::RopeBuilder::length):
        (JSC::JSRopeString::JSRopeString):
        (JSC::JSRopeString::finishCreation):
        (JSC::JSRopeString::createNull):
        (JSC::JSRopeString::create):
        (JSC::JSString::value):
        (JSC::JSString::tryGetValue):
        (JSC::JSString::getIndex):
        (JSC::jsStringBuilder):
        * runtime/Operations.h:
        (JSC::jsString):
        (JSC::jsStringFromArguments):

2012-04-27  Oliver Hunt  <oliver@apple.com>

        Correct assertion.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::throwException):

2012-04-27  Oliver Hunt  <oliver@apple.com>

        Lazy link phase of baseline jit fails to propagate exception
        https://bugs.webkit.org/show_bug.cgi?id=85092

        Reviewed by Filip Pizlo.

        Very simple patch, when linking produces an error we need to actually store
        the exception prior to throwing it.  I can't find any other examples of this,
        but as we're already in the slow path when throwing an exception I've hardened
        exception throwing against null exceptions.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::throwException):
        * jit/JITStubs.cpp:
        (JSC::lazyLinkFor):

2012-04-27  Benjamin Poulain  <benjamin@webkit.org>

        Generalize the single character optimization of numberProtoFuncToString
        https://bugs.webkit.org/show_bug.cgi?id=85027

        Reviewed by Geoffrey Garen.

        The function numberProtoFuncToString() has an optimization to use SmallStrings::singleCharacterString()
        when the radix is 36.

        This patch generalize the optimization for any radix. Any positive number smaller than its radix
        can be represented by a single character of radixDigits.

        This makes numberProtoFuncToString() about twice as fast for this case of single digit conversion.

        * runtime/NumberPrototype.cpp:
        (JSC::numberProtoFuncToString):

2012-04-27  Gavin Peters  <gavinp@chromium.org>

        Add new ENABLE_LINK_PRERENDER define to control the Prerendering API
        https://bugs.webkit.org/show_bug.cgi?id=84871

        Reviewed by Adam Barth.

        Prerendering is currently covered by the ENABLE_LINK_PREFETCH macro, but the new Prerendering
        API separates it from prefetching.  Having separate include guards lets ports enable prefetching,
        a relatively easy change, without needing to build the infrastructure for prerendering, which
        is considerably more complicated.

        * Configurations/FeatureDefines.xcconfig:

2012-04-26  Oliver Hunt  <oliver@apple.com>

        Allocating WeakImpl should not trigger GC, as that makes the world very tricksy.
        https://bugs.webkit.org/show_bug.cgi?id=85020

        Reviewed by Gavin Barraclough.

        Now in the event that we are unable to find an allocator for a new handle, just
        add a new allocator rather than trying to recover "dead" handles through a GC.

        Find allocator is now much simpler, and addAllocator directly reports the
        increased memory usage to the heap without causing any GC to happen immediately.

        * heap/WeakSet.cpp:
        (JSC::WeakSet::findAllocator):
        (JSC::WeakSet::addAllocator):

2012-04-26  Oliver Hunt  <oliver@apple.com>

        Remove RegisterFile::end()/m_end
        https://bugs.webkit.org/show_bug.cgi?id=85011

        Reviewed by Gavin Barraclough.

        Get rid of end() and m_end from RegisterFile.  From now on
        we only care about the end of the committed region when calling
        code.  When re-entering the VM we now plant the new CallFrame
        immediately after whatever the current topCallFrame is.  This
        required adding a routine to CallFrame to determine exactly what
        we should be doing (in the absence of an existing CallFrame, we
        can't reason about the frameExtent() so we check for that).

        This also now means that the GC only marks the portion of the
        RegisterFile that is actually in use, and that VM re-entry doesn't
        exhaust the RegisterFile as rapidly.

        * dfg/DFGOperations.cpp:
        * heap/Heap.cpp:
        (JSC::Heap::getConservativeRegisterRoots):
        (JSC::Heap::markRoots):
        * interpreter/CallFrame.h:
        (JSC::ExecState::init):
        (JSC::ExecState::startOfReusableRegisterFile):
        (ExecState):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall):
        (JSC::Interpreter::privateExecute):
        * interpreter/Interpreter.h:
        (JSC::Interpreter::execute):
        * interpreter/RegisterFile.cpp:
        (JSC::RegisterFile::growSlowCase):
        (JSC::RegisterFile::gatherConservativeRoots):
        * interpreter/RegisterFile.h:
        (JSC::RegisterFile::commitEnd):
        (JSC::RegisterFile::addressOfEnd):
        (RegisterFile):
        (JSC::RegisterFile::RegisterFile):
        (JSC::RegisterFile::shrink):
        (JSC::RegisterFile::grow):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC::jitCompileFor):
        (JSC::lazyLinkFor):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::handleHostCall):
        * llint/LowLevelInterpreter.asm:
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::arityCheckFor):

2012-04-26  Filip Pizlo  <fpizlo@apple.com>

        DFG ARMv7 backend should optimize Float32 arrays
        https://bugs.webkit.org/show_bug.cgi?id=85000
        <rdar://problem/10652827>

        Reviewed by Gavin Barraclough.

        * assembler/ARMv7Assembler.h:
        (ARMv7Assembler):
        (JSC::ARMv7Assembler::flds):
        (JSC::ARMv7Assembler::fsts):
        (JSC::ARMv7Assembler::vcvtds):
        (JSC::ARMv7Assembler::vcvtsd):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::loadFloat):
        (MacroAssemblerARMv7):
        (JSC::MacroAssemblerARMv7::storeFloat):
        (JSC::MacroAssemblerARMv7::convertFloatToDouble):
        (JSC::MacroAssemblerARMv7::convertDoubleToFloat):
        * bytecode/PredictedType.h:
        (JSC::isActionableFloatMutableArrayPrediction):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateFloat32Array):

2012-04-25  Benjamin Poulain  <benjamin@webkit.org>

        Add a version of StringImpl::find() without offset
        https://bugs.webkit.org/show_bug.cgi?id=83968

        Reviewed by Sam Weinig.

        Add support for the new StringImpl::find() to UString.

        Change stringProtoFuncIndexOf() to specifically take advatage of the feature.
        This gives a 12% gains on a distribution of strings between 30 and 100 characters.

        * runtime/StringPrototype.cpp:
        (JSC::substituteBackreferences):
        (JSC::stringProtoFuncIndexOf):
        * runtime/UString.h:
        (UString):
        (JSC::UString::find):

2012-04-25  Mark Hahnenberg  <mhahnenberg@apple.com>

        WebCore shouldn't call collectAllGarbage directly
        https://bugs.webkit.org/show_bug.cgi?id=84897

        Reviewed by Geoffrey Garen.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Exported symbol 
        for reportAbanondedObjectGraph so WebCore can use it.
        * heap/Heap.h: Ditto.

2012-04-25  Oliver Hunt  <oliver@apple.com>

        Biolab disaster crashes on ToT
        https://bugs.webkit.org/show_bug.cgi?id=84898

        Reviewed by Filip Pizlo.

        Whoops, committed without saving reviewer requested change.

        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        (JSC::DFG::VirtualRegisterAllocationPhase::run):

2012-04-25  Oliver Hunt  <oliver@apple.com>

        Biolab disaster crashes on ToT
        https://bugs.webkit.org/show_bug.cgi?id=84898

        Reviewed by Filip Pizlo.

        I recently added an assertion to the Interpreter to catch incorrect
        updates of topCallFrame.  This caused a bunch of sites (including biolab
        disaster) to crash as we were not correctly handling callee registers
        of inlined functions, leading to a mismatch.

        I could not actually make this trigger directly, although it does trigger
        already on some of the GTK and QT bots.

        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        (JSC::DFG::VirtualRegisterAllocationPhase::run):

2012-04-25  Kenneth Russell  <kbr@google.com>

        Delete CanvasPixelArray, ByteArray, JSByteArray and JSC code once unreferenced
        https://bugs.webkit.org/show_bug.cgi?id=83655

        Reviewed by Oliver Hunt.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.order:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/PredictedType.cpp:
        (JSC::predictionToString):
        (JSC::predictionToAbbreviatedString):
        (JSC::predictionFromClassInfo):
        * bytecode/PredictedType.h:
        (JSC):
        (JSC::isActionableIntMutableArrayPrediction):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::initialize):
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGOperations.cpp:
        (JSC::DFG::putByVal):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::ValueSource::forPrediction):
        (SpeculativeJIT):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * jit/JITStubs.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::getByVal):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/JSByteArray.cpp: Removed.
        * runtime/JSByteArray.h: Removed.
        * runtime/JSGlobalData.cpp:

2012-04-25  Filip Pizlo  <fpizlo@apple.com>

        http://bellard.org/jslinux/ triggers an assertion failure in the DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=84815
        <rdar://problem/11319514>

        Reviewed by Gavin Barraclough.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck):

2012-04-25  Michael Saboff  <msaboff@apple.com>

        Closure in try {} with catch captures all locals from the enclosing function
        https://bugs.webkit.org/show_bug.cgi?id=84804

        Reviewed by Oliver Hunt.

        Changed the capturing of local variables from capturing when eval is used,
        within a "with" or within a "catch" to be just when an eval is used.
        Renamed the function returning that we should capture from
        getCapturedVariables() to usesEval(), since that what it noew returns.
        Needed to fix the "with" code to only range check when the activation
        has actually been torn off.  Added m_isTornOff to JSActivation to
        track this.

        * parser/Parser.h:
        (JSC::Scope::usesEval):
        (JSC::Scope::getCapturedVariables):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::JSActivation):
        (JSC::JSActivation::symbolTableGet):
        (JSC::JSActivation::symbolTablePut):
        * runtime/JSActivation.h:
        (JSActivation):
        (JSC::JSActivation::tearOff):

2012-04-24  Mark Hahnenberg  <mhahnenberg@apple.com>

        GC Activity Callback timer should be based on how much has been allocated since the last collection
        https://bugs.webkit.org/show_bug.cgi?id=84763

        Reviewed by Geoffrey Garen.

        The desired behavior for the GC timer is to collect at some point in the future, 
        regardless of how little we've allocated. A secondary goal, which is almost if not 
        as important, is for the timer to collect sooner if there is the potential to 
        collect a greater amount of memory. Conversely, as we allocate more memory we'd 
        like to reduce the delay to the next collection. If we're allocating quickly enough, 
        the timer should be preempted in favor of a normal allocation-triggered collection. 
        If allocation were to slow or stop, we'd like the timer to be able to opportunistically 
        run a collection without us having to allocate to the hard limit set by the Heap.

        This type of policy can be described in terms of the amount of CPU we are willing 
        to dedicate to reclaim a single MB of memory. For example, we might be willing to 
        dedicate 1% of our CPU to reclaim 1 MB. We base our CPU usage off of the length of 
        the last collection, e.g. if our last collection took 1ms, we would want to wait about 
        100ms before running another collection to reclaim 1 MB. These constants should be 
        tune-able, e.g. 0.1% CPU = 1 MB vs. 1% CPU = 1 MB vs. 10% CPU = 1 MB.

        * API/JSBase.cpp: Use the new reportAbandonedObjectGraph.
        (JSGarbageCollect):
        * API/JSContextRef.cpp: Ditto.
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::reportAbandonedObjectGraph): Similar to reportExtraMemoryCost. Clients call
        this function to notify the Heap that some unknown number of JSC objects might have just 
        been abandoned and are now garbage. The Heap might schedule a new collection timer based 
        on this notification.
        (JSC):
        (JSC::Heap::collect): Renamed m_lastFullGCSize to the less confusing m_sizeAfterLastCollect.
        * heap/Heap.h:
        (Heap):
        * heap/MarkedAllocator.h:
        (JSC::MarkedAllocator::zapFreeList): Fixed a bug in zapFreeList that failed to nullify the 
        current allocator's FreeList once zapping was complete.
        * runtime/GCActivityCallback.cpp: Removed didAbandonObjectGraph because it was replaced by 
        Heap::reportAbandonedObjectGraph.
        (JSC):
        * runtime/GCActivityCallback.h:
        (JSC::GCActivityCallback::willCollect):
        (DefaultGCActivityCallback):
        * runtime/GCActivityCallbackCF.cpp: Refactored the GC timer code so that we now schedule the 
        timer based on how much we have allocated since the last collection up to a certain amount. 
        We use the length of the previous GC to try to keep our total cost of opportunistic timer-triggered
        collections around 1% of the CPU per MB of garbage we expect to reclaim up to a maximum of 5 MB.
        (DefaultGCActivityCallbackPlatformData):
        (JSC):
        (JSC::DefaultGCActivityCallback::~DefaultGCActivityCallback):
        (JSC::DefaultGCActivityCallback::commonConstructor):
        (JSC::scheduleTimer):
        (JSC::cancelTimer):
        (JSC::DefaultGCActivityCallback::didAllocate):

2012-04-24  Michael Saboff  <msaboff@apple.com>

        objectProtoFuncToString creates new string every invocation
        https://bugs.webkit.org/show_bug.cgi?id=84781

        Reviewed by Geoffrey Garen.

        Cache the results of object toString() in the attached Structure.

        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncToString):
        * runtime/Structure.cpp:
        (JSC::Structure::visitChildren): visit new m_hasObjectToStringValue.
        * runtime/Structure.h: Added new member m_hasObjectToStringValue
        (JSC):
        (JSC::Structure::objectToStringValue):
        (Structure):
        (JSC::Structure::setObjectToStringValue):

2012-04-24  Thouraya ANDOLSI  <thouraya.andolsi@st.com>

        Reviewed by Oliver Hunt.

        https://bugs.webkit.org/show_bug.cgi?id=84727.
        Fix build when ENABLE_JIT_CONSTANT_BLINDING enabled.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::or32):
        (JSC::MacroAssemblerSH4::and32):
        (JSC::MacroAssemblerSH4::lshift32):
        (JSC::MacroAssemblerSH4::xor32):
        (JSC::MacroAssemblerSH4::branchSub32):
        (JSC::MacroAssemblerSH4::urshift32):

2012-04-24  Gavin Barraclough  <barraclough@apple.com>

        Add explicit patchableBranchPtrWithPatch/patchableJump methods
        https://bugs.webkit.org/show_bug.cgi?id=84498

        Reviewed by Filip Pizlo.

        Don't rely on inUninterruptedSequence to distinguish which jumps we need to be able to repatch.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::PatchableJump::PatchableJump):
        (PatchableJump):
        (JSC::AbstractMacroAssembler::PatchableJump::operator Jump&):
        (AbstractMacroAssembler):
        (JSC::AbstractMacroAssembler::AbstractMacroAssembler):
            - Added PatchableJump type, removed inUninterruptedSequence.
        * assembler/LinkBuffer.h:
        (LinkBuffer):
        (JSC::LinkBuffer::locationOf):
            - Only allow the location to be taken of patchable branches
        * assembler/MacroAssembler.h:
        (MacroAssembler):
        (JSC::MacroAssembler::patchableBranchPtrWithPatch):
        (JSC::MacroAssembler::patchableJump):
        (JSC::MacroAssembler::shouldBlind):
            - Added default implementation of patchableBranchPtrWithPatch, patchableJump.
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::MacroAssemblerARMv7):
        (MacroAssemblerARMv7):
        (JSC::MacroAssemblerARMv7::patchableBranchPtrWithPatch):
        (JSC::MacroAssemblerARMv7::patchableJump):
        (JSC::MacroAssemblerARMv7::jump):
        (JSC::MacroAssemblerARMv7::makeBranch):
            - Added ARMv7 implementation of patchableBranchPtrWithPatch, patchableJump.
        * dfg/DFGCorrectableJumpPoint.h:
        (DFG):
        (JSC::DFG::CorrectableJumpPoint::switchToLateJump):
            - Late jumps are PatchableJumps.
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::linkOSRExits):
            - replace use of inUninterruptedSequence
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::PropertyAccessRecord::PropertyAccessRecord):
        (PropertyAccessRecord):
            - replace use of inUninterruptedSequence
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
            - replace use of inUninterruptedSequence
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
            - replace use of inUninterruptedSequence
        * jit/JIT.h:
        (PropertyStubCompilationInfo):
            - replace use of inUninterruptedSequence
        * jit/JITInlineMethods.h:
        (JSC::JIT::beginUninterruptedSequence):
        (JSC::JIT::endUninterruptedSequence):
            - replace use of inUninterruptedSequence
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::compileGetByIdHotPath):
            - replace use of inUninterruptedSequence
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::compileGetByIdHotPath):
            - replace use of inUninterruptedSequence

2012-04-24  Benjamin Poulain  <bpoulain@apple.com>

        Generalize the single character optimization of r114072
        https://bugs.webkit.org/show_bug.cgi?id=83961

        Reviewed by Eric Seidel.

        Use the regular String::find(StringImpl*) in all cases now that it has been made faster.

        * runtime/StringPrototype.cpp:
        (JSC::replaceUsingStringSearch):

2012-04-24  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, 32-bit build fix.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2012-04-24  Filip Pizlo  <fpizlo@apple.com>

        DFG performs incorrect DCE on (some?) intrinsics
        https://bugs.webkit.org/show_bug.cgi?id=84746
        <rdar://problem/11310772>

        Reviewed by Oliver Hunt.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (ByteCodeParser):
        (JSC::DFG::ByteCodeParser::setIntrinsicResult):
        (JSC::DFG::ByteCodeParser::handleMinMax):
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2012-04-24  Mark Hahnenberg  <mhahnenberg@apple.com>

        Failure to allocate ArrayStorage in emit_op_new_array leads to poisonous JSArray
        https://bugs.webkit.org/show_bug.cgi?id=84648

        Reviewed by Geoffrey Garen.

        When emit_op_new_array successfully allocates a new JSArray but fails to allocate 
        the corresponding ArrayStorage for it, it falls back to the out-of-line stub call 
        to constructArray, which constructs and entirely new JSArray/ArrayStorage pair. 
        This leaves us with a JSArray hanging around on the stack or in a register that 
        did not go through its own constructor, thus giving it uninitialized memory in the 
        two fields that are checked in JSArray::visitChildren.

        * jit/JITInlineMethods.h:
        (JSC::JIT::emitAllocateJSArray): We try to allocate the ArrayStorage first, so that 
        if we fail we haven't generated the poisonous JSArray that can cause a GC crash.
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emitSlow_op_new_array):

2012-04-23  Filip Pizlo  <fpizlo@apple.com>

        DFG on ARMv7 should not OSR exit on every integer division
        https://bugs.webkit.org/show_bug.cgi?id=84661

        Reviewed by Oliver Hunt.
        
        On ARMv7, ArithDiv no longer has to know whether or not to speculate integer (since
        that was broken with the introduction of Int32ToDouble) nor does it have to know
        whether or not to convert its result to integer. This is now taken care of for free
        with the addition of the DoubleAsInt32 node, which represents a double-is-really-int
        speculation.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::OSRExit):
        (JSC::DFG::OSRExit::considerAddingAsFrequentExitSiteSlow):
        * dfg/DFGOSRExit.h:
        (OSRExit):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        (JSC::DFG::SpeculativeJIT::compileDoubleAsInt32):
        (DFG):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::speculationCheck):
        (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2012-04-24  Geoffrey Garen  <ggaren@apple.com>

        "GlobalHandle" HandleHeap (now WeakSet) allocations grow but do not shrink
        https://bugs.webkit.org/show_bug.cgi?id=84740
        <rdar://problem/9917638>

        Reviewed by Gavin Barraclough.

        Shrink!

        * heap/Heap.cpp:
        (JSC::Heap::destroy): Be more specific about what's shrinking, since we
        can also shrink the WeakSet, but we don't do so here.

        (JSC::Heap::collect): If we're going to shrink the heap, shrink the
        WeakSet too. Otherwise, its footprint is permanent.

        * heap/Heap.h:
        (Heap): Removed shrink() as a public interface, since it's vague about
        which parts of the heap it affects, and it's really an internal detail.

        * heap/WeakSet.cpp:
        (JSC::WeakSet::shrink): Nix any free blocks. We assume that sweep() has
        already taken place, since that's the convention for shrink() in the heap.

        * heap/WeakSet.h:
        (WeakSet): New function!

2012-04-24  Adam Klein  <adamk@chromium.org>

        Fix includes in StrongInlines.h and ScriptValue.h
        https://bugs.webkit.org/show_bug.cgi?id=84659

        Reviewed by Geoffrey Garen.

        * heap/StrongInlines.h: Include JSGlobalData.h, since JSGlobalData's
        definiition is required here.

2012-04-23  Filip Pizlo  <fpizlo@apple.com>

        DFG OSR exit should ensure that all variables have been initialized
        https://bugs.webkit.org/show_bug.cgi?id=84653
        <rdar://problem/11258183>

        Reviewed by Gavin Barraclough.
        
        Initialize all uncaptured dead variables to undefined on OSR exit.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::ValueSource::dump):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        * dfg/DFGSpeculativeJIT.h:

2012-04-23  Oliver Hunt  <oliver@apple.com>

        Call instruction for the baseline JIT stores origin info in wrong callframe
        https://bugs.webkit.org/show_bug.cgi?id=84645

        Reviewed by Gavin Barraclough.

        The baseline JIT was updating the wrong callframe when making a call.  If the
        call failed during dispatch (unable to perform codegen, calling a non-object)
        we would attempt to use this information, but it would be completely wrong.

        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):

2012-04-23  Filip Pizlo  <fpizlo@apple.com>

        DFG must keep alive values that it will perform speculations on
        https://bugs.webkit.org/show_bug.cgi?id=84638
        <rdar://problem/11258183>

        Reviewed by Oliver Hunt.

        * dfg/DFGNodeType.h:
        (DFG):

2012-04-23  Oliver Hunt  <oliver@apple.com>

        Fix non-LLInt builds by temporarily removing an over-enthusiastic assertion

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::executeCall):

2012-04-22  Jon Lee  <jonlee@apple.com>

        Remove notifications support on Mac Lion.
        https://bugs.webkit.org/show_bug.cgi?id=84554
        <rdar://problem/11297128>

        Reviewed by Sam Weinig.

        * Configurations/FeatureDefines.xcconfig:

2012-04-21  Darin Adler  <darin@apple.com>

        Change JavaScript lexer to use 0 instead of -1 for sentinel, eliminating the need to put characters into ints
        https://bugs.webkit.org/show_bug.cgi?id=84523

        Reviewed by Oliver Hunt.

        Profiles showed that checks against -1 were costly, and I saw they could be eliminated.
        Streamlined this code to use standard character types and 0 rather than -1. One benefit
        of this is that there's no widening and narrowing. Another is that there are many cases
        where we already have the correct behavior for 0, so can eliminate a branch that was
        used to test for -1 before. Also eliminates typecasts in the code.

        * parser/Lexer.cpp:
        (JSC::Lexer::invalidCharacterMessage): Updated use of String::format since m_current is now a
        character type, not an int.
        (JSC::Lexer::setCode): Use 0 rather than -1 when past the end.
        (JSC::Lexer::shift): Ditto. Also spruced up the comment a bit.
        (JSC::Lexer::atEnd): Added. New function that distinguishes an actual 0 character from the end
        of the code. This can be used places we used to cheeck for -1.
        (JSC::Lexer::peek): Updated to use -1 instead of 0. Removed meaningless comment.
        (JSC::Lexer::parseFourDigitUnicodeHex): Changed to use character types instead of int.
        (JSC::Lexer::shiftLineTerminator): Removed now-unneeded type casts. Changed local variable that
        had a data-member-style name.
        (JSC::Lexer::parseIdentifier): Removed now-unneeded explicit checks for -1, since the isIdentPart
        function already returns false for the 0 character. Updated types in a couple other places. Used
        the atEnd function where needed.
        (JSC::Lexer::parseIdentifierSlowCase): More of the same.
        (JSC::characterRequiresParseStringSlowCase): Added overloaded helper function for parseString.
        (JSC::Lexer::parseString): Ditto.
        (JSC::Lexer::parseStringSlowCase): Ditto.
        (JSC::Lexer::parseMultilineComment): Ditto.
        (JSC::Lexer::lex): More of the same. Also changed code to set the startOffset directly in
        the tokenInfo instead of putting it in a local variable first, saving some memory access.
        (JSC::Lexer::scanRegExp): Ditto.
        (JSC::Lexer::skipRegExp): Ditto.

        * parser/Lexer.h: Changed return type of the peek function and type of m_current from int to
        the character type. Added atEnd function.
        (JSC::Lexer::setOffset): Used 0 instead of -1 and removed an overzealous attempt to optimize. 
        (JSC::Lexer::lexExpectIdentifier): Used 0 instead of -1.

2012-04-21  Darin Adler  <darin@apple.com>

        Change JavaScript lexer to use 0 instead of -1 for sentinel, eliminating the need to put characters into ints
        https://bugs.webkit.org/show_bug.cgi?id=84523

        Reviewed by Oliver Hunt.

        Separate preparation step of copyright dates, renaming, and other small tweaks.

        * parser/Lexer.cpp:
        (JSC::Lexer::invalidCharacterMessage): Removed "get" from name to match WebKit naming conventions.
        (JSC::Lexer::peek): Removed meaningless comment.
        (JSC::Lexer::parseFourDigitUnicodeHex): Renamed from getUnicodeCharacter to be more precise about
        what this function does.
        (JSC::Lexer::shiftLineTerminator): Renamed local variable that had a data-member-style name.
        (JSC::Lexer::parseStringSlowCase): Updated for new name of parseFourDigitUnicodeHex.
        (JSC::Lexer::lex): Updated for new name of invalidCharacterMessage.

        * parser/Lexer.h: Removed an unneeded forward declaration of the RegExp class.
        Renamed getInvalidCharMessage to invalidCharacterMessage and made it const. Renamed
        getUnicodeCharacter to parseFourDigitUnicodeHex.

2012-04-20  Filip Pizlo  <fpizlo@apple.com>

        DFG should optimize int8 and int16 arrays on ARMv7
        https://bugs.webkit.org/show_bug.cgi?id=84503

        Reviewed by Oliver Hunt.

        * assembler/ARMv7Assembler.h:
        (ARMv7Assembler):
        (JSC::ARMv7Assembler::ldrsb):
        (JSC::ARMv7Assembler::ldrsh):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::load16Signed):
        (JSC::MacroAssemblerARMv7::load8Signed):
        * bytecode/PredictedType.h:
        (JSC::isActionableIntMutableArrayPrediction):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateInt8Array):
        (JSC::DFG::Node::shouldSpeculateInt16Array):

2012-04-20  Oliver Hunt  <oliver@apple.com>

        Add an ability to find the extent of a callframe
        https://bugs.webkit.org/show_bug.cgi?id=84513

        Reviewed by Filip Pizlo.

        Add a function to get the extent of a callframe and
        use that function for a new assertion to make sure the
        RegisterFile makes sense using that information.

        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::frameExtentInternal):
        (JSC):
        * interpreter/CallFrame.h:
        (JSC::ExecState::frameExtent):
        (ExecState):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::executeCall):

2012-04-20  Benjamin Poulain  <bpoulain@apple.com>

        Inline the JSArray constructor
        https://bugs.webkit.org/show_bug.cgi?id=84416

        Reviewed by Geoffrey Garen.

        The constructor is trivial, no reason to jump for it.

        This makes the creation of array ~5% faster (on non-trivial cases, no empty arrays).

        * runtime/JSArray.cpp:
        (JSC):
        * runtime/JSArray.h:
        (JSC::JSArray::JSArray):
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-04-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        Heap should cancel GC timer at the start of the collection
        https://bugs.webkit.org/show_bug.cgi?id=84477

        Reviewed by Geoffrey Garen.

        Currently the Heap cancels the GC timer at the conclusion of a collection. 
        We should change this to be at the beginning because something (e.g. a finalizer) 
        could call didAbandonObjectGraph(), which will schedule the timer, but then 
        we'll immediately unschedule the timer at the conclusion of the collection, 
        thus potentially preventing large swaths of memory from being reclaimed in a timely manner.

        * API/JSBase.cpp:
        (JSGarbageCollect): Remove outdated fix-me and remove check for whether the Heap is 
        busy or not, since we're just scheduling a timer to run a GC in the future.
        * heap/Heap.cpp:
        (JSC::Heap::collect): Rename didCollect to willCollect and move the call to the 
        top of Heap::collect.
        * runtime/GCActivityCallback.cpp: Renamed didCollect to willCollect.
        (JSC::DefaultGCActivityCallback::willCollect):
        * runtime/GCActivityCallback.h: Ditto.
        (JSC::GCActivityCallback::willCollect):
        (DefaultGCActivityCallback): 
        * runtime/GCActivityCallbackCF.cpp: Ditto.
        (JSC::DefaultGCActivityCallback::willCollect):

2012-04-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSGarbageCollect should not call collectAllGarbage()
        https://bugs.webkit.org/show_bug.cgi?id=84476

        Reviewed by Geoffrey Garen.

        * API/JSBase.cpp:
        (JSGarbageCollect): Notify the Heap's GCActivityCallback using didAbandonObjectGraph.

2012-04-19  Oliver Hunt  <oliver@apple.com>

        Exception stack traces aren't complete when the exception starts in native code
        https://bugs.webkit.org/show_bug.cgi?id=84073

        Reviewed by Filip Pizlo.

        Refactored building the stack trace to so that we can construct
        it earlier, and don't rely on any prior work performed in the
        exception handling machinery. Also updated LLInt and the DFG to
        completely initialise the callframes of host function calls.

        Also fixed a few LLInt paths that failed to correctly update the
        topCallFrame.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * dfg/DFGJITCompiler.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * interpreter/Interpreter.cpp:
        (JSC::eval):
        (JSC::Interpreter::getStackTrace):
        (JSC::Interpreter::addStackTraceIfNecessary):
        (JSC):
        (JSC::Interpreter::throwException):
        * interpreter/Interpreter.h:
        (Interpreter):
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        * jsc.cpp:
        (functionJSCStack):
        * llint/LLIntExceptions.cpp:
        (JSC::LLInt::interpreterThrowInCaller):
        (JSC::LLInt::returnToThrow):
        (JSC::LLInt::callToThrow):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::handleHostCall):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * parser/Parser.h:
        (JSC::::parse):
        * runtime/Error.cpp:
        (JSC::addErrorInfo):
        (JSC::throwError):
        * runtime/Error.h:
        (JSC):

2012-04-19  Mark Hahnenberg  <mhahnenberg@apple.com>

        We're collecting pathologically due to small allocations
        https://bugs.webkit.org/show_bug.cgi?id=84404

        Reviewed by Geoffrey Garen.

        No change in performance on run-jsc-benchmarks.

        * dfg/DFGSpeculativeJIT.h: Replacing m_firstFreeCell with m_freeList.
        (JSC::DFG::SpeculativeJIT::emitAllocateBasicJSObject):
        * heap/CopiedSpace.cpp: Getting rid of any water mark related stuff, since it's no 
        longer useful. 
        (JSC::CopiedSpace::CopiedSpace):
        (JSC::CopiedSpace::tryAllocateSlowCase): We now only call didAllocate here rather than 
        carrying out a somewhat complicated accounting job for our old water mark throughout CopiedSpace.
        (JSC::CopiedSpace::tryAllocateOversize):  Call the new didAllocate to notify the Heap of 
        newly allocated stuff.
        (JSC::CopiedSpace::tryReallocateOversize):
        (JSC::CopiedSpace::doneFillingBlock):
        (JSC::CopiedSpace::doneCopying):
        (JSC::CopiedSpace::destroy):
        * heap/CopiedSpace.h:
        (CopiedSpace):
        * heap/CopiedSpaceInlineMethods.h:
        (JSC::CopiedSpace::startedCopying):
        * heap/Heap.cpp: Removed water mark related stuff, replaced with new bytesAllocated and 
        bytesAllocatedLimit to track how much memory has been allocated since the last collection.
        (JSC::Heap::Heap):
        (JSC::Heap::reportExtraMemoryCostSlowCase):
        (JSC::Heap::collect): We now set the new limit of bytes that we can allocate before triggering 
        a collection to be the size of the Heap after the previous collection. Thus, we still have our 
        2x allocation amount.
        (JSC::Heap::didAllocate): Notifies the GC activity timer of how many bytes have been allocated 
        thus far and then adds the new number of bytes to the current total.
        (JSC):
        * heap/Heap.h: Removed water mark related stuff.
        (JSC::Heap::notifyIsSafeToCollect):
        (Heap):
        (JSC::Heap::shouldCollect):
        (JSC):
        * heap/MarkedAllocator.cpp: 
        (JSC::MarkedAllocator::tryAllocateHelper): Refactored to use MarkedBlock's new FreeList struct.
        (JSC::MarkedAllocator::allocateSlowCase):
        (JSC::MarkedAllocator::addBlock):
        * heap/MarkedAllocator.h: 
        (MarkedAllocator):
        (JSC::MarkedAllocator::MarkedAllocator):
        (JSC::MarkedAllocator::allocate): 
        (JSC::MarkedAllocator::zapFreeList): Refactored to take in a FreeList instead of a FreeCell.
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::specializedSweep):
        (JSC::MarkedBlock::sweep):
        (JSC::MarkedBlock::sweepHelper):
        (JSC::MarkedBlock::zapFreeList):
        * heap/MarkedBlock.h:
        (FreeList): Added a new struct that keeps track of the current MarkedAllocator's
        free list including the number of bytes of stuff in the free list so that when the free list is 
        exhausted, the correct amount can be reported to Heap.
        (MarkedBlock):
        (JSC::MarkedBlock::FreeList::FreeList):
        (JSC):
        * heap/MarkedSpace.cpp: Removing all water mark related stuff.
        (JSC::MarkedSpace::MarkedSpace):
        (JSC::MarkedSpace::resetAllocators):
        * heap/MarkedSpace.h:
        (MarkedSpace):
        (JSC):
        * heap/WeakSet.cpp:
        (JSC::WeakSet::findAllocator): Refactored to use the didAllocate interface with the Heap. This 
        function still needs work though now that the Heap knows how many bytes have been allocated 
        since the last collection.
        * jit/JITInlineMethods.h: Refactored to use MarkedBlock's new FreeList struct.
        (JSC::JIT::emitAllocateBasicJSObject): Ditto.
        * llint/LowLevelInterpreter.asm: Ditto.
        * runtime/GCActivityCallback.cpp: 
        (JSC::DefaultGCActivityCallback::didAllocate): 
        * runtime/GCActivityCallback.h:
        (JSC::GCActivityCallback::didAllocate): Renamed willAllocate to didAllocate to indicate that 
        the allocation that is being reported has already taken place.
        (DefaultGCActivityCallback):
        * runtime/GCActivityCallbackCF.cpp:
        (JSC):
        (JSC::DefaultGCActivityCallback::didAllocate): Refactored to return early if the amount of 
        allocation since the last collection is not above a threshold (initially arbitrarily chosen to 
        be 128KB). 

2012-04-19  Filip Pizlo  <fpizlo@apple.com>

        MacroAssemblerARMv7::branchTruncateDoubleToUint32 should obey the overflow signal
        https://bugs.webkit.org/show_bug.cgi?id=84401

        Reviewed by Gavin Barraclough.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::branchTruncateDoubleToUint32):

2012-04-19  Don Olmstead  <don.olmstead@am.sony.com>

        KeywordLookupGenerator.py should take an output file as an argument
        https://bugs.webkit.org/show_bug.cgi?id=84292

        Reviewed by Eric Seidel.

        Extended KeywordLookupGenerator to accept an additional argument specifying an output file. If this argument is found stdout is redirected to a file for the duration of the script.

        * KeywordLookupGenerator.py:

2012-04-19  Filip Pizlo  <fpizlo@apple.com>

        It should be possible to perform debugCall on ARMv7
        https://bugs.webkit.org/show_bug.cgi?id=84381

        Reviewed by Oliver Hunt.
        
        debugCall() was clobbering the argument to the call it was making, leading to a
        corrupt ExecState*. This change fixes that issue by using a scratch register that
        does not clobber arguments, and it also introduces more assertions that we have
        a valid call frame.

        * dfg/DFGAssemblyHelpers.cpp:
        (DFG):
        (JSC::DFG::AssemblyHelpers::jitAssertHasValidCallFrame):
        * dfg/DFGAssemblyHelpers.h:
        (JSC::DFG::AssemblyHelpers::selectScratchGPR):
        (AssemblyHelpers):
        (JSC::DFG::AssemblyHelpers::debugCall):
        (JSC::DFG::AssemblyHelpers::jitAssertHasValidCallFrame):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::linkOSRExits):
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::selectScratchGPR):

2012-04-19  Filip Pizlo  <fpizlo@apple.com>

        LLInt no-JIT fallback native call trampoline's exception handler incorrectly assumes that
        the PB/PC has been preserved
        https://bugs.webkit.org/show_bug.cgi?id=84367

        Reviewed by Oliver Hunt.

        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2012-04-19  Filip Pizlo  <fpizlo@apple.com>

        It should be possible to load from Float64 arrays on ARMv7 without crashing
        https://bugs.webkit.org/show_bug.cgi?id=84361

        Reviewed by Oliver Hunt.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::loadDouble):
        (JSC::MacroAssemblerARMv7::storeDouble):

2012-04-19  Dominik Röttsches  <dominik.rottsches@linux.intel.com>

        [CMake] Build fix after r114575
        https://bugs.webkit.org/show_bug.cgi?id=84322

        Reviewed by Simon Hausmann.

        Build fix, adding WTF when linking jsc shell.

        * shell/CMakeLists.txt:

2012-04-18  Filip Pizlo  <fpizlo@apple.com>

        JSC testing should have complete coverage over typed array types
        https://bugs.webkit.org/show_bug.cgi?id=84302

        Reviewed by Geoff Garen.
        
        Added Uint8ClampedArray to the set of typed arrays that are supported by jsc
        command-line.

        * JSCTypedArrayStubs.h:
        (JSC):
        * jsc.cpp:
        (GlobalObject::finishCreation):

2012-04-18  Filip Pizlo  <fpizlo@apple.com>

        jsc command line should support typed arrays by default
        https://bugs.webkit.org/show_bug.cgi?id=84298

        Rubber stamped by Gavin Barraclough.

        * JSCTypedArrayStubs.h:
        (JSC):
        * jsc.cpp:
        (GlobalObject::finishCreation):

2012-04-18  Filip Pizlo  <fpizlo@apple.com>

        JSVALUE32_64 should be able to perform division on ARM without crashing, and variables
        forced double should not be scrambled when performing OSR entry
        https://bugs.webkit.org/show_bug.cgi?id=84272

        Reviewed by Geoff Garen.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):

2012-04-18  Don Olmstead  <don.olmstead@am.sony.com> 

        JavaScriptCore.gypi not current
        https://bugs.webkit.org/show_bug.cgi?id=84224

        Reviewed by Eric Seidel.

        Updated JavaScriptCore.gypi to contain the latest sources. Removed os-win32 as it wasn't used. Also removed references to ICU files in the gypi file as ICU is most likely specified by the port itself.

        Private and public header files were determined by looking at copy-files.cmd within Apple's Visual Studio directory.

        * JavaScriptCore.gypi:

2012-04-18  Benjamin Poulain  <bpoulain@apple.com>

        Remove m_subclassData from JSArray, move the attribute to subclass as needed
        https://bugs.webkit.org/show_bug.cgi?id=84249

        Reviewed by Geoffrey Garen.

        JSArray's m_subclassData is only used by WebCore's RuntimeArray. This patch moves
        the attribute to RuntimeArray to avoid allocating memory for the pointer in the common
        case.

        This gives ~1% improvement in JSArray creation microbenchmark thanks to fewer allocations
        of CopiedSpace.

        * jit/JITInlineMethods.h:
        (JSC::JIT::emitAllocateJSArray):
        * runtime/JSArray.cpp:
        (JSC::JSArray::JSArray):
        * runtime/JSArray.h:

2012-04-18  Benjamin Poulain  <bpoulain@apple.com>

        replaceUsingStringSearch: delay the creation of the replace string until needed
        https://bugs.webkit.org/show_bug.cgi?id=83841

        Reviewed by Geoffrey Garen.

        We do not need to obtain the replaceValue until we have a match. By moving the intialization
        of replaceValue when needed, we save a few instructions when there is no match.

        * runtime/StringPrototype.cpp:
        (JSC::replaceUsingRegExpSearch):
        (JSC::replaceUsingStringSearch):
        (JSC::stringProtoFuncReplace):

2012-04-18  Mark Hahnenberg  <mhahnenberg@apple.com>

        GC activity timer should be tied to allocation, not collection
        https://bugs.webkit.org/show_bug.cgi?id=83919

        Reviewed by Geoffrey Garen.

        * API/JSContextRef.cpp: Used the new didAbandonObjectGraph callback to indicate that now that we've 
        released a global object, we're abandoning a potentially large number of objects that JSC might want 
        to collect.
        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::tryAllocateSlowCase): Added the call to timer's willAllocate function to indicate 
        that we've hit a slow path and are allocating now, so schedule the timer.
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::collectAllGarbage): Removed the call to discardAllCompiledCode because it was causing us to 
        throw away too much code during our benchmarks (especially vp8, which is very large and thus has large 
        amounts of compiled code).
        (JSC::Heap::collect): Added the new call to didCollect at the conclusion of a collection so that we 
        can cancel the timer if we no longer need to run a collection. Also added a check at the beginning of a 
        collection to see if we should throw away our compiled code. Currently this is set to happen about once 
        every minute.
        * heap/Heap.h: Added field to keep track of the last time we threw away our compiled code.
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::allocateSlowCase): Added call to willAllocate on the allocation slow path, just like 
        in CopiedSpace.
        * runtime/GCActivityCallback.cpp: Added default stubs for non-CF platforms.
        (JSC::DefaultGCActivityCallback::willAllocate):
        (JSC):
        (JSC::DefaultGCActivityCallback::didCollect):
        (JSC::DefaultGCActivityCallback::didAbandonObjectGraph):
        * runtime/GCActivityCallback.h: Added new functions to make JSC's GC timer less arcane. This includes replacing 
        the operator () with willAllocate() and adding an explicit didCollect() to cancel the timer after a collection 
        occurs rather than relying on the way the timer is invoked to cancel itself. Also added a callback for 
        when somebody else (e.g. WebCore or the JSC API) to notify JSC that they have just abandoned an entire graph of 
        objects and that JSC might want to clean them up.
        (JSC::GCActivityCallback::~GCActivityCallback):
        (JSC::GCActivityCallback::willAllocate):
        (JSC::GCActivityCallback::didCollect):
        (JSC::GCActivityCallback::didAbandonObjectGraph):
        (JSC::GCActivityCallback::synchronize):
        (DefaultGCActivityCallback):
        * runtime/GCActivityCallbackCF.cpp: Re-wired all the run loop stuff to implement the aforementioned functions. 
        We added a flag to check whether the timer was active because the call to CFRunLoopTimerSetNextFireDate actually 
        turned out to be quite expensive (although Instruments couldn't tell us this).
        (DefaultGCActivityCallbackPlatformData):
        (JSC):
        (JSC::DefaultGCActivityCallbackPlatformData::timerDidFire):
        (JSC::DefaultGCActivityCallback::commonConstructor):
        (JSC::scheduleTimer):
        (JSC::cancelTimer):
        (JSC::DefaultGCActivityCallback::willAllocate):
        (JSC::DefaultGCActivityCallback::didCollect):
        (JSC::DefaultGCActivityCallback::didAbandonObjectGraph):

2012-04-17  Filip Pizlo  <fpizlo@apple.com>

        DFG should not attempt to get rare case counts for op_mod on ARM
        https://bugs.webkit.org/show_bug.cgi?id=84218

        Reviewed by Geoff Garen.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeSafe):
        * dfg/DFGCommon.h:
        (JSC::DFG::isX86):
        (DFG):

2012-04-17  Myles Maxfield  <mmaxfield@google.com>

        BumpPointerAllocator assumes page size is less than MINIMUM_BUMP_POOL_SIZE
        https://bugs.webkit.org/show_bug.cgi?id=80912

        Reviewed by Hajime Morita.

        * wtf/BumpPointerAllocator.h:
        (WTF::BumpPointerPool::create):

2012-04-17  Filip Pizlo  <fpizlo@apple.com>

        Attempt to fix Windows build.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-04-17  Filip Pizlo  <fpizlo@apple.com>

        It should be possible to create an inheritorID for the global this object without crashing
        https://bugs.webkit.org/show_bug.cgi?id=84200
        <rdar://problem/11251082>

        Reviewed by Oliver Hunt.

        * runtime/JSGlobalThis.cpp:
        (JSC::JSGlobalThis::setUnwrappedObject):
        * runtime/JSGlobalThis.h:
        (JSC::JSGlobalThis::unwrappedObject):
        (JSGlobalThis):
        * runtime/JSObject.cpp:
        (JSC::JSObject::createInheritorID):
        * runtime/JSObject.h:
        (JSObject):
        (JSC::JSObject::resetInheritorID):

2012-04-17  Filip Pizlo  <fpizlo@apple.com>

        DFG and LLInt should not clobber the frame pointer on ARMv7
        https://bugs.webkit.org/show_bug.cgi?id=84185
        <rdar://problem/10767252>

        Reviewed by Gavin Barraclough.
        
        Changed LLInt to use a different register. Changed DFG to use one fewer
        registers. We should revisit this and switch the DFG to use a different
        register instead of r7, but we can do that in a subsequent step since
        the performance effect is tiny.

        * dfg/DFGGPRInfo.h:
        (GPRInfo):
        (JSC::DFG::GPRInfo::toRegister):
        (JSC::DFG::GPRInfo::toIndex):
        * offlineasm/armv7.rb:

2012-04-17  Filip Pizlo  <fpizlo@apple.com>

        use after free in JSC::DFG::Node::op / JSC::DFG::ByteCodeParser::flushArgument
        https://bugs.webkit.org/show_bug.cgi?id=83942
        <rdar://problem/11247370>

        Reviewed by Gavin Barraclough.
        
        Don't use references to the graph after resizing the graph.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::flushArgument):

2012-04-16  Gavin Barraclough  <barraclough@apple.com>

        Array.prototype.toString should be generic
        https://bugs.webkit.org/show_bug.cgi?id=81588

        Reviewed by Sam Weinig.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncToString):
            - check for join function, use fast case if base object is array & join is present & default.
        * runtime/CommonIdentifiers.h:
            - added 'join'.

2012-04-16  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix make distcheck issues.

        * GNUmakefile.list.am: Add missing files.

2012-04-16  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r114309.
        http://trac.webkit.org/changeset/114309
        https://bugs.webkit.org/show_bug.cgi?id=84097

        it broke everything (Requested by olliej on #webkit).

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * bytecode/CodeBlock.h:
        * dfg/DFGOperations.cpp:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::getStackTrace):
        (JSC::Interpreter::throwException):
        * interpreter/Interpreter.h:
        (Interpreter):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * jsc.cpp:
        (functionJSCStack):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::handleHostCall):
        * parser/Parser.h:
        (JSC::::parse):
        * runtime/Error.cpp:
        (JSC::addErrorInfo):
        (JSC::throwError):
        * runtime/Error.h:
        (JSC):

2012-04-16  Oliver Hunt  <oliver@apple.com>

        Exception stack traces aren't complete when the exception starts in native code
        https://bugs.webkit.org/show_bug.cgi?id=84073

        Reviewed by Gavin Barraclough.

        Refactored building the stack trace to so that we can construct
        it earlier, and don't rely on any prior work performed in the
        exception handling machinery. Also updated LLInt and the DFG to
        completely initialise the callframes of host function calls.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::codeOriginIndexForReturn):
        (CodeBlock):
        * dfg/DFGOperations.cpp:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::getStackTrace):
        (JSC::Interpreter::addStackTraceIfNecessary):
        (JSC):
        (JSC::Interpreter::throwException):
        * interpreter/Interpreter.h:
        (Interpreter):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * jsc.cpp:
        (functionJSCStack):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::handleHostCall):
        * parser/Parser.h:
        (JSC::::parse):
        * runtime/Error.cpp:
        (JSC::addErrorInfo):
        (JSC::throwError):
        * runtime/Error.h:
        (JSC):

2012-04-16  Oliver Hunt  <oliver@apple.com>

        Fix COMMANDLINE_TYPEDARRAYS build
        https://bugs.webkit.org/show_bug.cgi?id=84051

        Reviewed by Gavin Barraclough.

        Update for new putByIndex API and wtf changes.

        * JSCTypedArrayStubs.h:
        (JSC):

2012-04-16  Mark Hahnenberg  <mhahnenberg@apple.com>

        GC in the middle of JSObject::allocatePropertyStorage can cause badness
        https://bugs.webkit.org/show_bug.cgi?id=83839

        Reviewed by Geoffrey Garen.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * jit/JITStubs.cpp: Making changes to use the new return value of growPropertyStorage.
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/JSObject.cpp:
        (JSC::JSObject::growPropertyStorage): Renamed to more accurately reflect that we're 
        growing our already-existing PropertyStorage.
        * runtime/JSObject.h:
        (JSObject):
        (JSC::JSObject::setPropertyStorage): "Atomically" sets the new property storage 
        and the new structure so that we can be sure a GC never occurs when our Structure
        info is out of sync with our PropertyStorage.
        (JSC):
        (JSC::JSObject::putDirectInternal): Moved the check to see if we should 
        allocate more backing store before the actual property insertion into 
        the structure.
        (JSC::JSObject::putDirectWithoutTransition): Ditto.
        (JSC::JSObject::transitionTo): Ditto.
        * runtime/Structure.cpp:
        (JSC::Structure::suggestedNewPropertyStorageSize): Added to keep the resize policy 
        for property backing stores contained within the Structure class.
        (JSC):
        * runtime/Structure.h:
        (JSC::Structure::shouldGrowPropertyStorage): Lets clients know if another insertion 
        into the Structure would require resizing the property backing store so that they can 
        preallocate the required storage.
        (Structure):

2012-04-13  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r114185.
        http://trac.webkit.org/changeset/114185
        https://bugs.webkit.org/show_bug.cgi?id=83967

        Broke a bunch of JavaScript related tests (Requested by
        andersca on #webkit).

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncToString):
        (JSC::arrayProtoFuncToLocaleString):
        * runtime/CommonIdentifiers.h:
        * tests/mozilla/ecma/Array/15.4.4.2.js:
        (getTestCases):

2012-04-13  Gavin Barraclough  <barraclough@apple.com>

        Don't rely on fixed offsets to patch calls
        https://bugs.webkit.org/show_bug.cgi?id=83966

        Rubber stamped by Oliver Hunt.

        These aren't being used anywhere!

        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):

2012-04-13  Hojong Han  <hojong.han@samsung.com>

        Array.prototype.toString and Array.prototype.toLocaleString should be generic
        https://bugs.webkit.org/show_bug.cgi?id=81588

        Reviewed by Gavin Barraclough.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncToString):
        (JSC::arrayProtoFuncToLocaleString):
        * runtime/CommonIdentifiers.h:
        * tests/mozilla/ecma/Array/15.4.4.2.js:
        (getTestCases.array.item.new.TestCase):
        (getTestCases):

2012-04-13  Gavin Barraclough  <barraclough@apple.com>

        Don't rely on fixed offsets to patch method checks
        https://bugs.webkit.org/show_bug.cgi?id=83958

        Reviewed by Oliver Hunt.

        * bytecode/StructureStubInfo.h:
            - Add fields for the method check info.
        * jit/JIT.cpp:
        (JSC::PropertyStubCompilationInfo::copyToStubInfo):
            - Store the offsets on the stub info, instead of asserting.
        * jit/JIT.h:
            - Delete all the method check related offsets.
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::patchMethodCallProto):
            - Use the offset from the stubInfo.
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
            - Pass the stubInfo to patchMethodCallProto.

2012-04-13  Gavin Barraclough  <barraclough@apple.com>

        Don't rely on fixed offsets to patch get_by_id/put_by_id
        https://bugs.webkit.org/show_bug.cgi?id=83924

        Reviewed by Oliver Hunt.

        Store offsets in the structure stub info, as we do for the DFG JIT.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::differenceBetween):
            - this method can be static (now used from PropertyStubCompilationInfo::copyToStubInfo, will be removed soon!)
        * bytecode/StructureStubInfo.h:
            - added new fields for baseline JIT offsets.
        * jit/JIT.cpp:
        (JSC::PropertyStubCompilationInfo::copyToStubInfo):
            - moved out from JIT::privateCompile.
        (JSC::JIT::privateCompile):
            - moved out code to PropertyStubCompilationInfo::copyToStubInfo.
        * jit/JIT.h:
        (PropertyStubCompilationInfo):
            - added helper functions to initializae PropertyStubCompilationInfo, state to store more offset info.
            - removed many offsets.
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_method_check):
        (JSC::JIT::compileGetByIdHotPath):
        (JSC::JIT::compileGetByIdSlowCase):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emitSlow_op_put_by_id):
        (JSC::JIT::patchGetByIdSelf):
        (JSC::JIT::patchPutByIdReplace):
        (JSC::JIT::privateCompilePatchGetArrayLength):
        (JSC::JIT::privateCompileGetByIdProto):
        (JSC::JIT::privateCompileGetByIdSelfList):
        (JSC::JIT::privateCompileGetByIdProtoList):
        (JSC::JIT::privateCompileGetByIdChainList):
        (JSC::JIT::privateCompileGetByIdChain):
        (JSC::JIT::resetPatchGetById):
        (JSC::JIT::resetPatchPutById):
            - changed code generation to use new interface to store info on PropertyStubCompilationInfo.
            - changed repatch functions to read offsets from the structure stub info.
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_method_check):
        (JSC::JIT::compileGetByIdHotPath):
        (JSC::JIT::compileGetByIdSlowCase):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emitSlow_op_put_by_id):
        (JSC::JIT::patchGetByIdSelf):
        (JSC::JIT::patchPutByIdReplace):
        (JSC::JIT::privateCompilePatchGetArrayLength):
        (JSC::JIT::privateCompileGetByIdProto):
        (JSC::JIT::privateCompileGetByIdSelfList):
        (JSC::JIT::privateCompileGetByIdProtoList):
        (JSC::JIT::privateCompileGetByIdChainList):
        (JSC::JIT::privateCompileGetByIdChain):
        (JSC::JIT::resetPatchGetById):
        (JSC::JIT::resetPatchPutById):
            - changed code generation to use new interface to store info on PropertyStubCompilationInfo.
            - changed repatch functions to read offsets from the structure stub info.

2012-04-13  Rob Buis  <rbuis@rim.com>

        Fix some compiler warnings (miscellaneous)
        https://bugs.webkit.org/show_bug.cgi?id=80790

        Reviewed by Antonio Gomes.

        Fix signed/unsigned comparison warning.

        * parser/Lexer.cpp:
        (JSC::::record16):

2012-04-12  Benjamin Poulain  <bpoulain@apple.com>

        Improve replaceUsingStringSearch() for case of a single character searchValue
        https://bugs.webkit.org/show_bug.cgi?id=83738

        Reviewed by Geoffrey Garen.

        This patch improves replaceUsingStringSearch() with the following:
        -Add a special case for single character search, taking advantage of the faster WTF::find().
        -Inline replaceUsingStringSearch().
        -Use StringImpl::create() instead of UString::substringSharingImpl() since we know we are in the bounds
         by definition.

        This gives less than 1% improvement for the multicharacter replace.
        The single character search show about 9% improvement.

        * runtime/StringPrototype.cpp:
        (JSC::replaceUsingStringSearch):

2012-04-12  Michael Saboff  <msaboff@apple.com>

        StructureStubInfo::reset() causes leaks of PolymorphicAccessStructureList and ExecutableMemoryHandle objects
        https://bugs.webkit.org/show_bug.cgi?id=83823

        Reviewed by Gavin Barraclough.

        Put the clearing of the accessType to after the call to deref() so that
        deref() can use the accessType to delete referenced objects as needed.

        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::reset):

2012-04-12  Balazs Kelemen  <kbalazs@webkit.org>

        [Qt] Fix WebKit1 build with V8
        https://bugs.webkit.org/show_bug.cgi?id=83322

        Reviewed by Adam Barth.

        * yarr/yarr.pri:

2012-04-12  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=83821
        Move dfg repatching properties of structure stub info into a union

        Reviewed by Oliver Hunt.

        We want to be able to have similar properties for the baseline JIT, some restructuring to prepare for this.

        * bytecode/StructureStubInfo.h:
        (StructureStubInfo):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::dfgRepatchByIdSelfAccess):
        (JSC::DFG::linkRestoreScratch):
        (JSC::DFG::generateProtoChainAccessStub):
        (JSC::DFG::tryCacheGetByID):
        (JSC::DFG::tryBuildGetByIDList):
        (JSC::DFG::tryBuildGetByIDProtoList):
        (JSC::DFG::emitPutReplaceStub):
        (JSC::DFG::emitPutTransitionStub):
        (JSC::DFG::tryCachePutByID):
        (JSC::DFG::tryBuildPutByIdList):
        (JSC::DFG::dfgResetGetByID):
        (JSC::DFG::dfgResetPutByID):

2012-04-12  Gavin Barraclough  <barraclough@apple.com>

        Delete a bunch of unused, copy & pasted values in JIT.h
        https://bugs.webkit.org/show_bug.cgi?id=83822

        Reviewed by Oliver Hunt.
        
        The only architecture we support the JSVALUE64 JIT on is x86-64, all the patch offsets for other architectures are just nonsense.

        * jit/JIT.h:
        (JIT):

2012-04-12  Csaba Osztrogonác  <ossy@webkit.org>

        [Qt][ARM] Buildfix after r113934.

        Reviewed by Zoltan Herczeg.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::compare8):
        (MacroAssemblerARM):

2012-04-11  Filip Pizlo  <fpizlo@apple.com>

        It is incorrect to short-circuit Branch(LogicalNot(@a)) if boolean speculations on @a may fail
        https://bugs.webkit.org/show_bug.cgi?id=83744
        <rdar://problem/11206946>

        Reviewed by Andy Estes.
        
        This does the conservative thing: it only short-circuits Branch(LogicalNot(@a)) if @a is a node
        that is statically known to return boolean results.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

2012-04-11  Michael Saboff  <msaboff@apple.com>

        Invalid Union Reference in StructureStubInfo.{cpp.h}
        https://bugs.webkit.org/show_bug.cgi?id=83735

        Reviewed by Filip Pizlo.

        Changed the references to u.getByIdProtoList and u.getByIdSelfList
        to be consistent.

        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::visitWeakReferences):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::initGetByIdSelfList):

2012-04-11  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed attempting to make Qt's eccentric hardware work.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::compare8):
        (MacroAssemblerARM):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::compare8):
        (MacroAssemblerMIPS):
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::compare8):
        (MacroAssemblerSH4):

2012-04-11  Filip Pizlo  <fpizlo@apple.com>

        op_is_foo should be optimized
        https://bugs.webkit.org/show_bug.cgi?id=83666

        Reviewed by Gavin Barraclough.
        
        This implements inlining of op_is_undefined, op_is_string, op_is_number,
        and op_is_boolean in LLInt and the baseline JIT. op_is_object and
        op_is_function are not inlined because they are quite a bit more complex.
        
        This also implements all of the op_is_foo opcodes in the DFG, but it does
        not do any type profiling based optimizations, yet.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::compare8):
        (MacroAssemblerARMv7):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::compare8):
        (MacroAssemblerX86Common):
        * assembler/MacroAssemblerX86_64.h:
        (MacroAssemblerX86_64):
        (JSC::MacroAssemblerX86_64::testPtr):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCCallHelpers.h:
        (JSC::DFG::CCallHelpers::setupArguments):
        (CCallHelpers):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        (JSC::DFG::SpeculativeJIT::appendCallSetResult):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        (JIT):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_is_undefined):
        (JSC):
        (JSC::JIT::emit_op_is_boolean):
        (JSC::JIT::emit_op_is_number):
        (JSC::JIT::emit_op_is_string):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_is_undefined):
        (JSC):
        (JSC::JIT::emit_op_is_boolean):
        (JSC::JIT::emit_op_is_number):
        (JSC::JIT::emit_op_is_string):
        * jit/JITStubs.cpp:
        (JSC):
        * llint/LLIntSlowPaths.cpp:
        (LLInt):
        * llint/LLIntSlowPaths.h:
        (LLInt):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/armv7.rb:
        * offlineasm/instructions.rb:
        * offlineasm/x86.rb:

2012-04-11  Filip Pizlo  <fpizlo@apple.com>

        If you use an IntegerOperand and want to return it with integerResult, you need to
        zero extend to get rid of the box
        https://bugs.webkit.org/show_bug.cgi?id=83734
        <rdar://problem/11232296>

        Reviewed by Oliver Hunt.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillInteger):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToInt32):

2012-04-11  Filip Pizlo  <fpizlo@apple.com>

        SpeculativeJIT::fillStorage() should work with all the states that a cell may be in
        https://bugs.webkit.org/show_bug.cgi?id=83722

        Reviewed by Gavin Barraclough.
        
        It's now possible to do StorageOperand on a cell, in the case that the storage is
        inline. But this means that fillStorage() must be able to handle all of the states
        that a cell might be in. Previously it didn't.
        
        With this change, it now does handle all of the states, and moreover, it does so
        by preserving the DataFormat of cells and performing all of the cell speculations
        that should be performed if you're using a cell as storage. But if you use this on
        something that is known to be storage already then it behaves as it did before.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::fillStorage):

2012-04-11  Filip Pizlo  <fpizlo@apple.com>

        Global variable predictions should not be coalesced unnecessarily
        https://bugs.webkit.org/show_bug.cgi?id=83678

        Reviewed by Geoff Garen.
        
        Removed the PredictionTracker and everyone who used it. Converted GetGlobalVar
        to have a heapPrediction like a civilized DFG opcode ought to.
        
        No performance effect.

        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.h:
        * bytecode/PredictionTracker.h: Removed.
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGenerationInfo.h:
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (Graph):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasHeapPrediction):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):

2012-04-11  Benjamin Poulain  <bpoulain@apple.com>

        Optimize String.split() for 1 character separator
        https://bugs.webkit.org/show_bug.cgi?id=83546

        Reviewed by Gavin Barraclough.

        This patch adds a serie of optimizations to make stringProtoFuncSplit() faster in the common case
        where the separator is a single character.

        The two main gains are:
        -Use of the find() function with a single character instead of doing a full string matching.
        -Use of WTF::find() instead of UString::find() to avoid branching on is8Bit() and have a simpler inline
         function.

        The code is also changed to avoid making unnecessary allocations by converting the 8bit string to 16bits.

        This makes String.split() faster by about 13% in that particular case.

        * runtime/StringPrototype.cpp:
        (JSC):
        (JSC::splitStringByOneCharacterImpl):
        (JSC::stringProtoFuncSplit):

2012-04-10  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix make distcheck issues.

        * GNUmakefile.list.am: Ad missing files.

2012-04-10  Mark Rowe  <mrowe@apple.com>

        Attempt to fix the Windows build.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-04-10  Patrick Gansterer  <paroga@webkit.org>

        Cleanup wtf/Platform.h and config.h files
        https://bugs.webkit.org/show_bug.cgi?id=83431

        Reviewed by Eric Seidel.

        The ENABLE() and USE() macros take care about the case when the flag
        isn't defined. So there is no need to define anything with 0.

        Also move duplicated code from the config.h files to Platform.h and
        merge a few preprocessor commands to make the file more readable.

        * config.h:

2012-04-10  Filip Pizlo  <fpizlo@apple.com>

        DFG should flush SetLocals to arguments
        https://bugs.webkit.org/show_bug.cgi?id=83554

        Reviewed by Gavin Barraclough.
        
        This is necessary to match baseline JIT argument capture behavior.
        
        But to make this work right we need to have a story for arguments into
        which we store values of different formats. This patch introduces the
        notion of an ArgumentPosition - i.e. an argument in a particular inline
        call frame - and forces unification of all data pertinent to selecting
        the argument's data format.
        
        Also fixed an amusing bug in the handling of OSR on SetLocals if there
        was any insertion/deletion of nodes in the basic block. This is benign
        for now but won't be eventually since the DFG is getting smarter. So
        better fix it now.
        
        Also fixed an amusing bug in the handling of OSR on SetLocals if they
        are immediately followed by a Flush. I think this bug might have always
        been there but now it'll happen more commonly, and it's covered by the
        run-javascriptcore-tests.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGArgumentPosition.h: Added.
        (DFG):
        (ArgumentPosition):
        (JSC::DFG::ArgumentPosition::ArgumentPosition):
        (JSC::DFG::ArgumentPosition::addVariable):
        (JSC::DFG::ArgumentPosition::mergeArgumentAwareness):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::setLocal):
        (JSC::DFG::ByteCodeParser::setArgument):
        (InlineStackEntry):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGDoubleFormatState.h: Added.
        (DFG):
        (JSC::DFG::mergeDoubleFormatStates):
        (JSC::DFG::mergeDoubleFormatState):
        (JSC::DFG::doubleFormatStateToString):
        * dfg/DFGGraph.h:
        (Graph):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::VariableAccessData):
        (JSC::DFG::VariableAccessData::predict):
        (JSC::DFG::VariableAccessData::argumentAwarePrediction):
        (VariableAccessData):
        (JSC::DFG::VariableAccessData::mergeArgumentAwarePrediction):
        (JSC::DFG::VariableAccessData::doubleFormatState):
        (JSC::DFG::VariableAccessData::shouldUseDoubleFormat):
        (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat):
        (JSC::DFG::VariableAccessData::mergeDoubleFormatState):
        (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):

2012-04-10  Adam Klein  <adamk@chromium.org>

        Remove unused NonNullPassRefPtr from WTF
        https://bugs.webkit.org/show_bug.cgi?id=82389

        Reviewed by Kentaro Hara.

        * JavaScriptCore.order: Remove nonexistent symbols referencing NonNullPassRefPtr.

2012-04-10  Darin Adler  <darin@apple.com>

        Remove unused data member from Lexer class
        https://bugs.webkit.org/show_bug.cgi?id=83429

        Reviewed by Kentaro Hara.

        I noticed that m_delimited was "write-only", so I deleted it.

        * parser/Lexer.cpp:
        (JSC::Lexer::setCode): Removed code to set m_delimited.
        (JSC::Lexer::parseIdentifier): Ditto.
        (JSC::Lexer::parseIdentifierSlowCase): Ditto.
        (JSC::Lexer::lex): Ditto.
        * parser/Lexer.h: Deleted m_delimited.

2012-04-10  Patrick Gansterer  <paroga@webkit.org>

        [CMake] Enable USE_FOLDERS property
        https://bugs.webkit.org/show_bug.cgi?id=83571

        Reviewed by Daniel Bates.

        Setting the FOLDER property on targets gives more structure 
        to the generated Visual Studio solutions.
        This does not affect other CMake generators.

        * CMakeLists.txt:
        * shell/CMakeLists.txt:

2012-04-10  Filip Pizlo  <fpizlo@apple.com>

        It should be possible to see why a code block was not compiled by the DFG
        https://bugs.webkit.org/show_bug.cgi?id=83553

        Reviewed by Geoff Garen.
        
        If DFG_ENABLE(DEBUG_VERBOSE) and a code block is rejected, then print the
        opcode that caused the rejection.

        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::debugFail):
        (DFG):
        (JSC::DFG::canHandleOpcodes):

2012-04-09  Gavin Barraclough  <barraclough@apple.com>

        If a callback constructor returns a C++ null, throw a type error.
        https://bugs.webkit.org/show_bug.cgi?id=83537

        Rubber Stamped by Geoff Garen.

        * API/JSCallbackConstructor.cpp:
        (JSC::constructJSCallback):
            - If a callback constructor returns a C++ null, throw a type error.
        * API/tests/testapi.c:
        (Base_returnHardNull):
        * API/tests/testapi.js:
            - Add a test case for callback constructors that return a C++ null.

2012-04-09  Gavin Barraclough  <barraclough@apple.com>

        If a callback function returns a C++ null, convert to undefined.
        https://bugs.webkit.org/show_bug.cgi?id=83534

        Reviewed by Geoff Garen.

        * API/JSCallbackFunction.cpp:
            - If a callback function returns a C++ null, convert to undefined.
        (JSC::JSCallbackFunction::call):
        * API/tests/testapi.c:
        (Base_returnHardNull):
        * API/tests/testapi.js:
            - Add a test case for callback functions that return a C++ null.

2012-04-09  Filip Pizlo  <fpizlo@apple.com>

        Classic interpreter's GC hooks shouldn't attempt to scan instructions for code blocks that
        are currently being generated
        https://bugs.webkit.org/show_bug.cgi?id=83531
        <rdar://problem/11215200>

        Reviewed by Gavin Barraclough.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::stronglyVisitStrongReferences):

2012-04-09  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, modernize and clean up uses of ARM assembly mnemonics in inline asm blocks.

        * dfg/DFGOperations.cpp:
        (JSC):
        * offlineasm/armv7.rb:

2012-04-09  Patrick Gansterer  <paroga@webkit.org>

        Remove HAVE_STDINT_H
        https://bugs.webkit.org/show_bug.cgi?id=83434

        Reviewed by Kentaro Hara.

        HAVE_STDINT_H is defined with 1 all the time and we us stdint.h without HAVE(STDINT_H) already.

        * config.h:

2012-04-08  Filip Pizlo  <fpizlo@apple.com>

        DFG should not load the property storage if it is inline.
        https://bugs.webkit.org/show_bug.cgi?id=83455

        Reviewed by Gavin Barraclough.
        
        We had previously decided to have all property storage accesses go through
        the property storage pointer even if they don't "really" have to, because
        we were thinking this would help GC barriers somehow. Well, we never ended
        up doing anything with that. Hence, doing these wasted loads of the
        property storage pointer when the storage is inline is just a waste of CPU
        cycles.
        
        This change makes the DFG's inline property accesses (GetByOffset and
        PutByOffset) go directly to the inline property storage if the structure(s)
        tell us that it's OK.
        
        This looks like an across-the-board 1% win.

        * bytecode/StructureSet.h:
        (JSC):
        (JSC::StructureSet::allAreUsingInlinePropertyStorage):
        (StructureSet):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::fillStorage):

2012-04-08  Filip Pizlo  <fpizlo@apple.com>

        Command-line jsc's exception handling should be rationalized
        https://bugs.webkit.org/show_bug.cgi?id=83437

        Reviewed by Dan Bernstein.
        
        - If an exception is thrown during run() execution, it is now propagated,
          so that it will terminate program execution unless it is caught.
          
        - If program execution terminates with an exception, the exception is now
          always printed.
          
        - When printing the exception, the backtrace is now also printed if one is
          available. It will only not be available if you use something akin to my
          favorite line of code, 'throw "error"', since primitives don't have
          properties and hence we cannot attach a "stack" property to them.

        * jsc.cpp:
        (functionRun):
        (runWithScripts):

2012-04-04  Filip Pizlo  <fpizlo@apple.com>

        Forced OSR exits should lead to recompilation based on count, not rate
        https://bugs.webkit.org/show_bug.cgi?id=83247
        <rdar://problem/10720925>

        Reviewed by Geoff Garen.
        
        Track which OSR exits happen because of inadequate coverage. Count them
        separately. If the count reaches a threshold, immediately trigger
        reoptimization.
        
        This is in contrast to the recompilation trigger for all other OSR exits.
        Normally recomp is triggered when the exit rate exceeds a certain ratio.
        
        Looks like a slight V8 speedup (sub 1%).

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::forcedOSRExitCounter):
        (JSC::CodeBlock::addressOfForcedOSRExitCounter):
        (JSC::CodeBlock::offsetOfForcedOSRExitCounter):
        (JSC::CodeBlock::shouldReoptimizeNow):
        (JSC::CodeBlock::shouldReoptimizeFromLoopNow):
        (CodeBlock):
        * bytecode/DFGExitProfile.h:
        (JSC::DFG::exitKindToString):
        * dfg/DFGOSRExitCompiler.cpp:
        (JSC::DFG::OSRExitCompiler::handleExitCounts):
        (DFG):
        * dfg/DFGOSRExitCompiler.h:
        (OSRExitCompiler):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/Options.cpp:
        (Options):
        (JSC::Options::initializeOptions):
        * runtime/Options.h:
        (Options):

2012-04-06  Benjamin Poulain  <bpoulain@apple.com>

        Do not abuse ArrayStorage's m_length for testing array consistency
        https://bugs.webkit.org/show_bug.cgi?id=83403

        Reviewed by Geoffrey Garen.

        Array creation from a list of values is a 3 steps process:
        -JSArray::tryCreateUninitialized()
        -JSArray::initializeIndex() for each values
        -JSArray::completeInitialization()

        Previously, the attribute m_length was not set to the final size
        JSArray::tryCreateUninitialized() because it was used to test the array
        consistency JSArray::initializeIndex().

        This caused the initialization loop using JSArray::initializeIndex() maintain
        two counters:
        -index of the loop
        -storage->m_length++

        This patch fixes this by using the index of the initialization loop for the indinces of
        JSArray::initializeIndex(). For testing consistency, the variable m_initializationIndex
        is introduced if CHECK_ARRAY_CONSISTENCY is defined.

        The patch also fixes minor unrelated build issue when CHECK_ARRAY_CONSISTENCY is defined.

        This improves the performance of JSArray creation from literals by 8%.

        * runtime/JSArray.cpp:
        (JSC::JSArray::tryFinishCreationUninitialized):
        (JSC::JSArray::checkConsistency):
        * runtime/JSArray.h:
        (ArrayStorage):
        (JSC::JSArray::initializeIndex):
        (JSC::JSArray::completeInitialization):

2012-04-06  Jon Lee  <jonlee@apple.com>

        Build fix for Windows bots.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: export missing symbol.

2012-04-06  Geoffrey Garen  <ggaren@apple.com>

        Renamed

                WeakHeap => WeakSet
                HandleHeap => HandleSet

        Reviewed by Sam Weinig.

        These sets do have internal allocators, but it's confusing to call them
        heaps because they're sub-objects of an object called "heap".

        * heap/HandleHeap.cpp: Removed.
        * heap/HandleHeap.h: Removed.
        * heap/HandleSet.cpp: Copied from JavaScriptCore/heap/HandleHeap.cpp.
        * heap/WeakHeap.cpp: Removed.
        * heap/WeakHeap.h: Removed.
        * heap/WeakSet.cpp: Copied from JavaScriptCore/heap/WeakHeap.cpp.
        * heap/WeakSet.h: Copied from JavaScriptCore/heap/WeakHeap.h.

        Plus global rename using grep.

2012-04-06  Dan Bernstein  <mitz@apple.com>

        <rdar://problem/10912476> HiDPI: Have canvas use a hidpi backing store, but downsample upon access

        Reviewed by Sam Weinig.

        * Configurations/FeatureDefines.xcconfig: Added ENABLE_HIGH_DPI_CANVAS.

2012-04-06  Rob Buis  <rbuis@rim.com>

        Fix cast-align warnings in JSC
        https://bugs.webkit.org/show_bug.cgi?id=80790

        Reviewed by George Staikos.

        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::computeJumpType):
        (JSC::ARMv7Assembler::link):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::linkCode):
        * heap/MarkStack.cpp:
        (JSC::SlotVisitor::copyAndAppend):
        * runtime/JSArray.cpp:
        (JSC::JSArray::visitChildren):
        * wtf/RefCountedArray.h:
        (WTF::RefCountedArray::Header::payload):

2012-04-06  Darin Adler  <darin@apple.com>

        Streamline strtod and fix some related problems
        https://bugs.webkit.org/show_bug.cgi?id=82857

        Reviewed by Geoffrey Garen.

        * parser/Lexer.cpp:
        (JSC::Lexer<>::lex): Use parseDouble. Since we have already scanned the number
        and we know it has only correct characters, leading spaces, trailing junk, and
        trailing spaces are not a possibility. No need to add a trailing null character.

        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::parseInt): Changed overflow based 10 case to use parseDouble. No need
        to allow trailing junk since the code above already allows only numeric digits
        in the string. This code path is used only in unusual cases, so it's not
        optimized for 8-bit strings, but easily could be.
        (JSC::jsStrDecimalLiteral): Removed the allow trailing junk argument to this
        function template because all the callers are OK with trailing junk. Use the
        parseDouble function. No need to copy the data into a byte buffer, because
        parseDouble handles that.
        (JSC::toDouble): Got rid of the DisallowTrailingJunk argument to the
        jsStrDecimalLiteral function template. That's OK because this function
        already checks for trailing junk and handles it appropriately. The old code
        path was doing it twice.
        (JSC::parseFloat): Got rid of the AllowTrailingJunk argument to the
        jsStrDecimalLiteral function template; the template allows junk unconditionally.

        * runtime/LiteralParser.cpp:
        (JSC::::Lexer::lexNumber): Use parseDouble. Since we have already scanned the number
        and we know it has only correct characters, leading spaces, trailing junk, and
        trailing spaces are not a possibility. No need to add a trailing null character.
        No need to copy the data into a byte buffer, because parseDouble handles that.
        We could optimize the UChar case even more because we know all the characters
        are ASCII, but not doing that at this time.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Updated.

2012-04-06  Patrick Gansterer  <paroga@webkit.org>

        Remove JSC dependency from GregorianDateTime
        https://bugs.webkit.org/show_bug.cgi?id=83290

        Reviewed by Geoffrey Garen.

        This allows us to move it to WTF later.

        * runtime/DateConstructor.cpp:
        (JSC::callDate):
        * runtime/JSDateMath.h:

2012-04-05  Michael Saboff  <msaboff@apple.com>

        Call Heap::discardAllCompiledCode() in low memory situations
        https://bugs.webkit.org/show_bug.cgi?id=83335

        Reviewed by Geoffrey Garen.

        Restructured Heap::discardAllCompiledCode() to do the "Is JavaScriptRunning?"
        check inline so that it can be called directly without this check.

        * heap/Heap.cpp:
        (JSC::Heap::discardAllCompiledCode):
        (JSC::Heap::collectAllGarbage):
        * heap/Heap.h: Added JS_EXPORT_PRIVATE to discardAllCompiledCode() so it can be
        called from WebCore.
        (Heap):
        * runtime/JSGlobalData.h: Removed unused " void discardAllCompiledCode()" declaration.
        (JSGlobalData):

2012-04-05  Benjamin Poulain  <bpoulain@apple.com>

        Speed up the conversion from JSValue to String for bulk operations
        https://bugs.webkit.org/show_bug.cgi?id=83243

        Reviewed by Geoffrey Garen.

        When making operations on primitive types, we loose some time converting
        values to JSString in order to extract the string.

        This patch speeds up some basic Array operations by avoiding the creation
        of intermediary JSString when possible.

        For the cases where we need to convert a lot of JSValue in a tight loop,
        an inline conversion is used.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncToString):
        (JSC::arrayProtoFuncToLocaleString):
        (JSC::arrayProtoFuncJoin):
        (JSC::arrayProtoFuncPush):
        (JSC::arrayProtoFuncSort):
        * runtime/CommonIdentifiers.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::sort):
        * runtime/JSString.h:
        (JSC::JSValue::toUString):
        (JSC):
        (JSC::inlineJSValueNotStringtoUString):
        (JSC::JSValue::toUStringInline):
        * runtime/JSValue.cpp:
        (JSC::JSValue::toUStringSlowCase):
        (JSC):
        * runtime/JSValue.h:
        (JSValue):

2012-04-05  Benjamin Poulain  <bpoulain@apple.com>

        Use QuickSort when sorting primitive values by string representation
        https://bugs.webkit.org/show_bug.cgi?id=83312

        Reviewed by Gavin Barraclough.

        When the value we are sorting are all primitive values, we do not need to
        ensure a stable sort as two values with equal string representation are
        indistinguishable from JavaScript.

        This gives about 16% performance increase when sorting primitive values.

        * runtime/JSArray.cpp:
        (JSC::JSArray::sort):

2012-04-05  Oliver Hunt  <oliver@apple.com>

        SIGILL in JavaScriptCore on a Geode processor
        https://bugs.webkit.org/show_bug.cgi?id=82496

        Reviewed by Gavin Barraclough.

        Don't attempt to use the DFG when SSE2 is not available.

        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::canCompileOpcodes):

2012-04-05  Oliver Hunt  <oliver@apple.com>

        Fix 32-bit build.

        * API/APICast.h:
        (toJS):

2012-04-05  Oliver Hunt  <oliver@apple.com>

        Replace static_cast with jsCast when casting JSCell subclasses in JSC
        https://bugs.webkit.org/show_bug.cgi?id=83307

        Reviewed by Gavin Barraclough.

        Replace all usage of static_cast<JSCell subtype*> with jsCast<> in JavaScriptCore.
        This results in assertions when unsafe casts are performed, but simply leaves
        a static_cast<> in release builds.

        * API/APICast.h:
        (toJS):
        * API/JSCallbackConstructor.cpp:
        (JSC::constructJSCallback):
        * API/JSCallbackFunction.cpp:
        (JSC::JSCallbackFunction::call):
        * API/JSCallbackObjectFunctions.h:
        (JSC::::asCallbackObject):
        (JSC::::finishCreation):
        (JSC::::construct):
        (JSC::::call):
        * API/JSObjectRef.cpp:
        (JSObjectGetPrivate):
        (JSObjectSetPrivate):
        (JSObjectGetPrivateProperty):
        (JSObjectSetPrivateProperty):
        (JSObjectDeletePrivateProperty):
        * API/JSValueRef.cpp:
        (JSValueIsObjectOfClass):
        * API/JSWeakObjectMapRefPrivate.cpp:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::resolve):
        (JSC::BytecodeGenerator::resolveConstDecl):
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::finishCreation):
        * dfg/DFGOperations.cpp:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::privateExecute):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/Executable.h:
        (JSC::isHostFunction):
        * runtime/JSActivation.h:
        (JSC::asActivation):
        * runtime/JSArray.cpp:
        (JSC::JSArray::defineOwnProperty):
        * runtime/JSArray.h:
        (JSC::asArray):
        * runtime/JSBoundFunction.cpp:
        (JSC::boundFunctionCall):
        (JSC::boundFunctionConstruct):
        * runtime/JSByteArray.h:
        (JSC::asByteArray):
        * runtime/JSCell.cpp:
        (JSC::JSCell::toObject):
        * runtime/JSCell.h:
        (JSC::jsCast):
        * runtime/JSGlobalObject.h:
        (JSC::asGlobalObject):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncEval):
        * runtime/JSObject.cpp:
        (JSC::JSObject::setPrototypeWithCycleCheck):
        (JSC::JSObject::allowsAccessFrom):
        (JSC::JSObject::toThisObject):
        (JSC::JSObject::unwrappedObject):
        * runtime/JSObject.h:
        (JSC::asObject):
        * runtime/JSPropertyNameIterator.h:
        (JSC::Register::propertyNameIterator):
        * runtime/JSString.h:
        (JSC::asString):
        (JSC::JSValue::toString):
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncSubstr):

2012-04-05  Benjamin Poulain  <bpoulain@apple.com>

        Make something faster than JSStringBuilder for joining an array of JSValue
        https://bugs.webkit.org/show_bug.cgi?id=83180

        Reviewed by Geoffrey Garen.

        This patch add the class JSStringJoiner optimized for join() operations.

        This class makes stricter constraints than JSStringBuilder in order avoid
        memory allocations.

        In the best case, the class allocate memory only twice:
        -Allocate an array to keep a list of UString to join.
        -Allocate the final string.

        We also avoid the conversion from 8bits strings to 16bits strings since
        they are costly and unlikly to help for subsequent calls.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncToLocaleString):
        (JSC::arrayProtoFuncJoin):
        * runtime/JSStringJoiner.cpp: Added.
        (JSC):
        (JSC::appendStringToData):
        (JSC::joinStrings):
        (JSC::JSStringJoiner::build):
        * runtime/JSStringJoiner.h: Added.
        (JSC):
        (JSStringJoiner):
        (JSC::JSStringJoiner::JSStringJoiner):
        (JSC::JSStringJoiner::append):

2012-04-05  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=77293
        [Un]Reserve 'let'

        Rubber stamped by Oliver Hunt.

        Revert r106198.
        This does break the web - e.g. https://bvi.bnc.ca/index/bnc/indexen.html
        If we're going to reserve let, we're going to have to do so in a more
        circumspect fashion.

        * parser/Keywords.table:

2012-04-05  Michael Saboff  <msaboff@apple.com>

        Rolling out http://trac.webkit.org/changeset/113262.
        Original code was fine.

        Rubber-stamped by Oliver Hunt.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::additionBlindedConstant):

2012-04-05  Patrick Gansterer  <paroga@webkit.org>

        [WinCE] Remove unnecessary function decleration
        https://bugs.webkit.org/show_bug.cgi?id=83155

        Reviewed by Kentaro Hara.

        * runtime/JSDateMath.cpp:

2012-04-04  Patrick Gansterer  <paroga@webkit.org>

        Add WTF::getCurrentLocalTime()
        https://bugs.webkit.org/show_bug.cgi?id=83164

        Reviewed by Alexey Proskuryakov.

        Replace the calls to WTF::getLocalTime() with time(0) with the new function.
        This allows us to use Win32 API on windows to get the same result in a next step.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * runtime/DateConstructor.cpp:
        (JSC::callDate):

2012-04-04  Oliver Hunt  <oliver@apple.com>

        Parser fails to revert some state after parsing expression and object literals.
        https://bugs.webkit.org/show_bug.cgi?id=83236

        Reviewed by Gavin Barraclough.

        Reset left hand side counter after parsing the literals.

        * parser/Parser.cpp:
        (JSC::::parseObjectLiteral):
        (JSC::::parseStrictObjectLiteral):
        (JSC::::parseArrayLiteral):

2012-04-04  Filip Pizlo  <fpizlo@apple.com>

        DFG InstanceOf should not uselessly speculate cell
        https://bugs.webkit.org/show_bug.cgi?id=83234

        Reviewed by Oliver Hunt.
        
        If InstanceOf is the only user of its child then don't speculate cell, since
        the not-cell case is super easy to handle.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileInstanceOf):

2012-04-04  Michael Saboff  <msaboff@apple.com>

        Fixed minor error: "& 3" should be "& 2".

        Rubber-stamped by Oliver Hunt.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::additionBlindedConstant):

2012-04-04  Michael Saboff  <msaboff@apple.com>

        Constant Blinding for add/sub immediate crashes in ArmV7 when dest is SP
        https://bugs.webkit.org/show_bug.cgi?id=83191

        Reviewed by Oliver Hunt.

        Make are that blinded constant pairs are similarly aligned to the
        original immediate values so that instructions that expect that
        alignment work correctly.  One example is ARMv7 add/sub imm to SP.

        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::add): Added ASSERT that immediate is word aligned.
        (JSC::ARMv7Assembler::sub): Added ASSERT that immediate is word aligned.
        (JSC::ARMv7Assembler::sub_S): Added ASSERT that immediate is word aligned.
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::additionBlindedConstant):

2012-04-04  Filip Pizlo  <fpizlo@apple.com>

        DFG should short-circuit Branch(LogicalNot(...))
        https://bugs.webkit.org/show_bug.cgi?id=83181

        Reviewed by Geoff Garen.
        
        Slight (sub 1%) speed-up on V8.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

2012-04-04  Geoffrey Garen  <ggaren@apple.com>

        [Qt] REGRESSION(r113141): All tests assert on 32 bit debug mode
        https://bugs.webkit.org/show_bug.cgi?id=83139

        Reviewed by Sam Weinig.

        * heap/PassWeak.h:
        (JSC::::get): 32-bit JSValue treats JSValue(nullptr).asCell() as an error,
        so work around that here. (Long-term, we should make 32-bit and 64-bit
        agree on the right behavior.)

2012-04-03  Geoffrey Garen  <ggaren@apple.com>

        Updated JSC expected test results to reflect recent bug fixes <disapproving look>.

        Reviewed by Sam Weinig.

        * tests/mozilla/expected.html:

2012-03-29  Geoffrey Garen  <ggaren@apple.com>

        First step toward incremental Weak<T> finalization
        https://bugs.webkit.org/show_bug.cgi?id=82670

        Reviewed by Filip Pizlo.

        This patch implements a Weak<T> heap that is compatible with incremental
        finalization, while making as few behavior changes as possible. The behavior
        changes it makes are:

        (*) Weak<T>'s raw JSValue no longer reverts to JSValue() automatically --
        instead, a separate flag indicates that the JSValue is no longer valid.
        (This is required so that the JSValue can be preserved for later finalization.)
        Objects dealing with WeakImpls directly must change to check the flag.

        (*) Weak<T> is no longer a subclass of Handle<T>.

        (*) DOM GC performance is different -- 9% faster in the geometric mean,
        but 15% slower in one specific case:
                gc-dom1.html: 6%  faster
                gc-dom2.html: 23% faster
                gc-dom3.html: 17% faster
                gc-dom4.html: 15% *slower*

        The key features of this new heap are:

        (*) Each block knows its own state, independent of any other blocks.

        (*) Each block caches its own sweep result.

        (*) The heap visits dead Weak<T>s at the end of GC. (It doesn't
        mark them yet, since that would be a behavior change.)

        * API/JSCallbackObject.cpp:
        (JSC::JSCallbackObjectData::finalize):
        * API/JSCallbackObjectFunctions.h:
        (JSC::::init): Updated to use the new WeakHeap API.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri: Paid the build system tax since I added some new files.

        * heap/Handle.h: Made WeakBlock a friend and exposed slot() as public,
        so we can keep passing a Handle<T> to finalizers, to avoid more surface
        area change in this patch. A follow-up patch should change the type we
        pass to finalizers.

        * heap/HandleHeap.cpp:
        (JSC):
        (JSC::HandleHeap::writeBarrier):
        (JSC::HandleHeap::isLiveNode):
        * heap/HandleHeap.h:
        (JSC):
        (HandleHeap):
        (Node):
        (JSC::HandleHeap::Node::Node): Removed all code related to Weak<T>, since
        we have a separate WeakHeap now.

        * heap/Heap.cpp:
        (JSC::Heap::Heap): Removed m_extraCost because extra cost is accounted
        for through our watermark now. Removed m_waterMark because it was unused.

        (JSC::Heap::destroy): Updated for addition of WeakHeap.

        (JSC::Heap::reportExtraMemoryCostSlowCase): Changed from using its own
        variable to participating in the watermark strategy. I wanted to standardize
        WeakHeap and all other Heap clients on this strategy, to make sure it's
        accurate.
 
        (JSC::Heap::markRoots): Updated for addition of WeakHeap. Added WeakHeap
        dead visit pass, as explained above.

        (JSC::Heap::collect):
        (JSC::Heap::resetAllocators): Updated for addition of WeakHeap.

        (JSC::Heap::addFinalizer):
        (JSC::Heap::FinalizerOwner::finalize): Updated for new Weak<T> API.

        * heap/Heap.h:
        (JSC::Heap::weakHeap):
        (Heap):
        (JSC::Heap::addToWaterMark): Added a way to participate in the watermarking
        strategy, since this is the best way for WeakHeap to report its memory
        cost. (I plan to update this in a follow-up patch to make it more accurate,
        but for now it is not less accurate than it used to be.)

        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::MarkedSpace):
        (JSC::MarkedSpace::resetAllocators):
        * heap/MarkedSpace.h:
        (MarkedSpace):
        (JSC::MarkedSpace::addToWaterMark):
        (JSC::MarkedSpace::didConsumeFreeList): Removed m_nurseryWaterMark because
        it was unused, and I didn't want to update WeakHeap to keep an usused
        variable working. Added API for above.

        * heap/PassWeak.h:
        (JSC):
        (WeakImplAccessor):
        (PassWeak):
        (JSC::::operator):
        (JSC::::get):
        (JSC::::was):
        (JSC::::PassWeak):
        (JSC::::~PassWeak):
        (JSC::UnspecifiedBoolType):
        (JSC::::leakImpl):
        (JSC::adoptWeak):
        * heap/Strong.h:
        (JSC::Strong::operator!):
        (Strong):
        (JSC::Strong::operator UnspecifiedBoolType*):
        (JSC::Strong::get):
        * heap/Weak.h:
        (Weak):
        (JSC::::Weak):
        (JSC):
        (JSC::::isHashTableDeletedValue):
        (JSC::::~Weak):
        (JSC::::swap):
        (JSC::=):
        (JSC::::operator):
        (JSC::UnspecifiedBoolType):
        (JSC::::release):
        (JSC::::clear):
        (JSC::::hashTableDeletedValue): Lots of code changes here, but they boil
        down to two things:

        (*) Allocate WeakImpls from the WeakHeap instead of Handles from the HandleHeap.

        (*) Explicitly check WeakImpl::state() for non-liveness before returning
        a value (explained above).

        These files implement the new Weak<T> heap behavior described above:

        * heap/WeakBlock.cpp: Added.
        * heap/WeakBlock.h: Added.
        * heap/WeakHandleOwner.cpp: Added.
        * heap/WeakHandleOwner.h: Added.
        * heap/WeakHeap.cpp: Added.
        * heap/WeakHeap.h: Added.
        * heap/WeakImpl.h: Added.

        One interesting difference from the old heap is that we don't allow
        clients to overwrite a WeakImpl after allocating it, and we don't recycle
        WeakImpls prior to garbage collection. This is required for lazy finalization,
        but it will also help us esablish a useful invariant in the future: allocating
        a WeakImpl will be a binding contract to run a finalizer at some point in the
        future, even if the WeakImpl is later deallocated.

        * jit/JITStubs.cpp:
        (JSC::JITThunks::hostFunctionStub): Check the Weak<T> for ! instead of
        its JSValue, since that's our API contract now, and the JSValue might
        be stale.

        * runtime/JSCell.h:
        (JSC::jsCast): Allow casting NULL pointers because it's useful and harmless.

        * runtime/Structure.cpp:
        (JSC::StructureTransitionTable::add): I can't remember why I did this.

        * runtime/StructureTransitionTable.h:
        * runtime/WeakGCMap.h: I had to update these classes because they allocate
        and deallocate weak pointers manually. They should probably stop doing that.

2012-04-03  Keishi Hattori  <keishi@webkit.org>

        Disable ENABLE_DATALIST for now
        https://bugs.webkit.org/show_bug.cgi?id=82871

        Reviewed by Kent Tamura.

        * Configurations/FeatureDefines.xcconfig: Disabled ENABLE_DATALIST.

2012-04-02  Filip Pizlo  <fpizlo@apple.com>

        jsr/sret should be removed
        https://bugs.webkit.org/show_bug.cgi?id=82986
        <rdar://problem/11017015>

        Reviewed by Sam Weinig and Geoff Garen.
        
        Replaces jsr/sret with finally block inlining.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
        * bytecode/Opcode.h:
        (JSC):
        (JSC::padOpcodeName):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::pushFinallyContext):
        (JSC::BytecodeGenerator::emitComplexJumpScopes):
        (JSC):
        * bytecompiler/BytecodeGenerator.h:
        (FinallyContext):
        (BytecodeGenerator):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::TryNode::emitBytecode):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        (JIT):
        * jit/JITOpcodes.cpp:
        (JSC):
        * jit/JITOpcodes32_64.cpp:
        (JSC):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2012-04-03  Mark Rowe  <mrowe@apple.com>

        Make it possible to install the JavaScriptCore test tools.

        Part of <rdar://problem/11158607>.
        
        Reviewed by Filip Pizlo.

        * JavaScriptCore.xcodeproj/project.pbxproj: Introduce an aggregate target named
        Test Tools that builds testapi, minidom and testRegExp. Switch All from depending on
        those targets individually to depending on the new aggregate target.

2012-04-03  Filip Pizlo  <fpizlo@apple.com>

        Offlineasm ARM backend has a very convoluted way of saying it wants to emit a
        three-operand multiply instruction
        https://bugs.webkit.org/show_bug.cgi?id=83100

        Reviewed by Darin Adler.
        
        Changed the "muli"/"mulp" case to call emitArmV7() since that helper method was
        already smart enough to do the Right Thing for multiply.

        * offlineasm/armv7.rb:

2012-04-03  Filip Pizlo  <fpizlo@apple.com>

        Offlineasm ARM backend uses the wrong mnemonic for multiply
        https://bugs.webkit.org/show_bug.cgi?id=83098
        <rdar://problem/11168744>

        Reviewed by Gavin Barraclough.
        
        Use "mul" instead of "muls" since we're passing three operands, not two.

        * offlineasm/armv7.rb:

2012-04-03  Gavin Barraclough  <barraclough@apple.com>

        Linux crashes during boot
        https://bugs.webkit.org/show_bug.cgi?id=83096

        Reviewed by Filip Pizlo.

        The bug here is that we add empty JSValues to the sparse map, and then set them
        - but a GC may occur before doing so (due to a call to reportExtraMemory cost).
        We may want to consider making it safe to mark empty JSValues, but the simple &
        contained fix to this specific bug is to just initialize these values to
        something other than JSValue().

        * runtime/JSArray.cpp:
        (JSC::SparseArrayValueMap::add):
            - Initialize sparse map entries.

2012-04-02  Oliver Hunt  <oliver@apple.com>

        Incorrect liveness information when inlining
        https://bugs.webkit.org/show_bug.cgi?id=82985

        Reviewed by Filip Pizlo.

        Don't remap register numbers that have already been remapped.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleInlining):

2012-04-02  Filip Pizlo  <fpizlo@apple.com>

        Activation tear-off neglects to copy the callee and scope chain, leading to crashes if we
        try to create an arguments object from the activation
        https://bugs.webkit.org/show_bug.cgi?id=82947
        <rdar://problem/11058598>

        Reviewed by Gavin Barraclough.
        
        We now copy the entire call frame header just to be sure. This is mostly perf-netural,
        except for a 3.7% slow-down in V8/earley.

        * runtime/JSActivation.cpp:
        (JSC::JSActivation::visitChildren):
        * runtime/JSActivation.h:
        (JSC::JSActivation::tearOff):

2012-04-02  Daniel Bates  <dbates@webkit.org>

        Remove Source/JavaScriptCore/wtf and its empty subdirectories

        Rubber-stamped by Eric Seidel.

        Following the move of WTF from Source/JavaScriptCore/wtf to Source/WTF
        (https://bugs.webkit.org/show_bug.cgi?id=75673), remove directory
        Source/JavaScriptCore/wtf and its empty subdirectories.

        * wtf: Removed.
        * wtf/android: Removed.
        * wtf/blackberry: Removed.
        * wtf/chromium: Removed.
        * wtf/dtoa: Removed.
        * wtf/efl: Removed.
        * wtf/gobject: Removed.
        * wtf/gtk: Removed.
        * wtf/mac: Removed.
        * wtf/qt: Removed.
        * wtf/qt/compat: Removed.
        * wtf/tests: Removed.
        * wtf/text: Removed.
        * wtf/threads: Removed.
        * wtf/threads/win: Removed.
        * wtf/unicode: Removed.
        * wtf/unicode/glib: Removed.
        * wtf/unicode/icu: Removed.
        * wtf/unicode/qt4: Removed.
        * wtf/unicode/wince: Removed.
        * wtf/url: Removed.
        * wtf/url/api: Removed.
        * wtf/url/src: Removed.
        * wtf/win: Removed.
        * wtf/wince: Removed.
        * wtf/wx: Removed.

2012-04-02  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix make distcheck issues.

        * GNUmakefile.list.am: Add missing file.

2012-04-01  Darin Adler  <darin@apple.com>

        Fix incorrect path for libWTF.a in Mac project file.

        * JavaScriptCore.xcodeproj/project.pbxproj: Removed the "../Release" prefix that
        would cause other configurations to try to link with the "Release" version of
        libWTF.a instead of the correct version.

2012-03-29  Filip Pizlo  <fpizlo@apple.com>

        DFG should optimize a==b for a being an object and b being either an object or
        null/undefined, and vice versa
        https://bugs.webkit.org/show_bug.cgi?id=82656

        Reviewed by Oliver Hunt.
        
        Implements additional object equality optimizations for the case that one
        operand is predicted to be an easily speculated object (like FinalObject or
        Array) and the other is either an easily speculated object or Other, i.e.
        Null or Undefined.
        
        2-5% speed-up on V8/raytrace, leading to a sub-1% progression on V8.
        
        I also took the opportunity to clean up the control flow for the speculation
        decisions in the various Compare opcodes. And to fix a build bug in SamplingTool.
        And to remove debug cruft I stupidly committed in my last patch.
        
        * bytecode/SamplingTool.h:
        (SamplingRegion):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::compare):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (DFG):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (DFG):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):

2012-03-30  David Barr  <davidbarr@chromium.org>

        Split up top-level .gitignore and .gitattributes
        https://bugs.webkit.org/show_bug.cgi?id=82687

        Reviewed by Tor Arne Vestbø.

        * JavaScriptCore.gyp/.gitignore: Added.

2012-03-30  Steve Falkenburg  <sfalken@apple.com>

        Windows (make based) build fix.

        * JavaScriptCore.vcproj/JavaScriptCore.make: Copy WTF header files into a place where JavaScriptCore build can see them.

2012-03-30  Keishi Hattori  <keishi@webkit.org>

        Change ENABLE_INPUT_COLOR to ENABLE_INPUT_TYPE_COLOR and enable it for chromium
        https://bugs.webkit.org/show_bug.cgi?id=80972

        Reviewed by Kent Tamura.

        * Configurations/FeatureDefines.xcconfig:

2012-03-29  Mark Hahnenberg  <mhahnenberg@apple.com>

        Refactor recompileAllJSFunctions() to be less expensive
        https://bugs.webkit.org/show_bug.cgi?id=80330

        Reviewed by Filip Pizlo.

        This change is performance neutral on the JS benchmarks we track. It's mostly to improve page 
        load performance, which currently does at least a couple full GCs per navigation.

        * heap/Heap.cpp:
        (JSC::Heap::discardAllCompiledCode): Rename recompileAllJSFunctions to discardAllCompiledCode 
        because the function doesn't actually recompile anything (and never did); it simply throws code
        away for it to be recompiled later if we determine we should do so.
        (JSC):
        (JSC::Heap::collectAllGarbage):
        (JSC::Heap::addFunctionExecutable): Adds a newly created FunctionExecutable to the Heap's list.
        (JSC::Heap::removeFunctionExecutable): Removes the specified FunctionExecutable from the Heap's list.
        * heap/Heap.h:
        (JSC):
        (Heap):
        * runtime/Executable.cpp: Added next and prev fields to FunctionExecutables so that they can 
        be used in DoublyLinkedLists.
        (JSC::FunctionExecutable::FunctionExecutable):
        (JSC::FunctionExecutable::finalize): Removes the FunctionExecutable from the Heap's list.
        * runtime/Executable.h:
        (FunctionExecutable):
        (JSC::FunctionExecutable::create): Adds the FunctionExecutable to the Heap's list.
        * runtime/JSGlobalData.cpp: Remove recompileAllJSFunctions, as it's the Heap's job to own and manage 
        the list of FunctionExecutables.
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        * runtime/JSGlobalObject.cpp:
        (JSC::DynamicGlobalObjectScope::DynamicGlobalObjectScope): Use the new discardAllCompiledCode.

2012-03-29  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed build fix for non-x86 platforms.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileSoftModulo):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emitSlow_op_mod):

2012-03-29  Gavin Barraclough  <barraclough@apple.com>

        Windows build fix p2.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-03-29  Gavin Barraclough  <barraclough@apple.com>

        Windows build fix p1.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-03-29  Gavin Barraclough  <barraclough@apple.com>

        Template the Yarr::Interpreter on the character type
        https://bugs.webkit.org/show_bug.cgi?id=82637

        Reviewed by Sam Weinig.

        We should be able to call to the interpreter after having already checked the character type,
        without having to re-package the character pointer back up into a string!

        * runtime/RegExp.cpp:
        (JSC::RegExp::match):
        (JSC::RegExp::matchCompareWithInterpreter):
            - Don't pass length.
        * yarr/Yarr.h:
            - moved function declarations to YarrInterpreter.h.
        * yarr/YarrInterpreter.cpp:
        (Yarr):
        (Interpreter):
        (JSC::Yarr::Interpreter::InputStream::InputStream):
        (InputStream):
        (JSC::Yarr::Interpreter::Interpreter):
        (JSC::Yarr::interpret):
            - templated Interpreter class on CharType.
        * yarr/YarrInterpreter.h:
        (Yarr):
            - added function declarations.

2012-03-29  David Kilzer  <ddkilzer@apple.com>

        Don't use a flattened framework path when building on OS X

        Reviewed by Mark Rowe.

        * Configurations/ToolExecutable.xcconfig: Use REAL_PLATFORM_NAME
        to select different INSTALL_PATH values.

2012-03-29  Kevin Ollivier  <kevino@theolliviers.com>

        [wx] Unreviewed build fix, add Win-specific sources
        the wx port needs after WTF move.

        * wscript:

2012-03-29  Andy Estes  <aestes@apple.com>

        Remove an unused variable that breaks the build with newer versions of clang.

        Rubber stamped by Gavin Barraclough.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):

2012-03-29  Caio Marcelo de Oliveira Filho  <caio.oliveira@openbossa.org>

        HashMap<>::add should return a more descriptive object
        https://bugs.webkit.org/show_bug.cgi?id=71063

        Reviewed by Ryosuke Niwa.

        Update code to use AddResult instead of a pair. Note that since WeakGCMap wraps
        the iterator type, there's a need for its own AddResult type -- instantiated from
        HashTableAddResult template class.

        * API/JSCallbackObject.h:
        (JSC::JSCallbackObjectData::JSPrivatePropertyMap::setPrivateProperty):
        * API/JSClassRef.cpp:
        (OpaqueJSClass::contextData):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::addVar):
        (JSC::BytecodeGenerator::addGlobalVar):
        (JSC::BytecodeGenerator::addConstant):
        (JSC::BytecodeGenerator::addConstantValue):
        (JSC::BytecodeGenerator::emitLoad):
        (JSC::BytecodeGenerator::addStringConstant):
        (JSC::BytecodeGenerator::emitLazyNewFunction):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::PropertyListNode::emitBytecode):
        * debugger/Debugger.cpp:
        * dfg/DFGAssemblyHelpers.cpp:
        (JSC::DFG::AssemblyHelpers::decodedCodeMapFor):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::cellConstant):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * jit/JITStubs.cpp:
        (JSC::JITThunks::ctiStub):
        (JSC::JITThunks::hostFunctionStub):
        * parser/Parser.cpp:
        (JSC::::parseStrictObjectLiteral):
        * parser/Parser.h:
        (JSC::Scope::declareParameter):
        * runtime/Identifier.cpp:
        (JSC::Identifier::add):
        (JSC::Identifier::add8):
        (JSC::Identifier::addSlowCase):
        * runtime/Identifier.h:
        (JSC::Identifier::add):
        (JSC::IdentifierTable::add):
        * runtime/JSArray.cpp:
        (JSC::SparseArrayValueMap::add):
        (JSC::SparseArrayValueMap::put):
        (JSC::SparseArrayValueMap::putDirect):
        (JSC::JSArray::enterDictionaryMode):
        (JSC::JSArray::defineOwnNumericProperty):
        * runtime/JSArray.h:
        (SparseArrayValueMap):
        * runtime/PropertyNameArray.cpp:
        (JSC::PropertyNameArray::add):
        * runtime/StringRecursionChecker.h:
        (JSC::StringRecursionChecker::performCheck):
        * runtime/Structure.cpp:
        (JSC::StructureTransitionTable::add):
        * runtime/WeakGCMap.h:
        (WeakGCMap):
        (JSC::WeakGCMap::add):
        (JSC::WeakGCMap::set):
        * tools/ProfileTreeNode.h:
        (JSC::ProfileTreeNode::sampleChild):

2012-03-29  Patrick Gansterer  <paroga@webkit.org>

        Build fix for !ENABLE(YARR_JIT) after r112454.

        * runtime/RegExp.cpp:
        (JSC::RegExp::invalidateCode):

2012-03-28  Filip Pizlo  <fpizlo@apple.com>

        DFG object equality speculations should be simplified
        https://bugs.webkit.org/show_bug.cgi?id=82557

        Reviewed by Gavin Barraclough.

        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateFinalObject):
        (JSC::DFG::Node::shouldSpeculateArray):

2012-03-28  David Kilzer  <ddkilzer@apple.com>

        minidom configurations should be based on ToolExecutable.xcconfig
        <http://webkit.org/b/82513>

        Reviewed by Mark Rowe.

        Note that this patch changes minidom from being installed in
        /usr/local/bin to JavaScriptCore.framework/Resources.

        * Configurations/ToolExecutable.xcconfig: Add semi-colon.
        * JavaScriptCore.xcodeproj/project.pbxproj: Base minidom
        configurations on ToolExecutable.xcconfig.  Remove redundant
        PRODUCT_NAME and SKIP_INSTALL variables.

2012-03-28  Gavin Barraclough  <barraclough@apple.com>

        Build fix - some compiles generating NORETURN related warnings.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::setSubpatternStart):
        (JSC::Yarr::YarrGenerator::setSubpatternEnd):
        (JSC::Yarr::YarrGenerator::clearSubpatternStart):

2012-03-28  Kevin Ollivier  <kevino@theolliviers.com>

        [wx] Unreviewed. Build fix, move WTF back into JSCore target
        until issues with JSCore not linking in all WTF symbols are resolved.
        
        * wscript:

2012-03-28  Gavin Barraclough  <barraclough@apple.com>

        Yarr: if we're not using the output array, don't populate it!
        https://bugs.webkit.org/show_bug.cgi?id=82519

        Reviewed by Sam Weinig.

        * runtime/RegExp.cpp:
        (JSC):
            - Missed review comment! - didn't fully remove RegExpRepresentation.

2012-03-28  Gavin Barraclough  <barraclough@apple.com>

        Yarr: if we're not using the output array, don't populate it!
        https://bugs.webkit.org/show_bug.cgi?id=82519

        Reviewed by Sam Weinig.

        Add a new variant of the match method to RegExp that returns a MatchResult,
        and modify YarrJIT to be able to compile code that doesn't use an output vector.

        This is a 3% progression on v8-regexp.

        * JavaScriptCore.xcodeproj/project.pbxproj:
            - Moved MatchResult into its own header.
        * assembler/AbstractMacroAssembler.h:
            - Added missing include.
        * runtime/MatchResult.h: Added.
        (MatchResult::MatchResult):
        (MatchResult):
        (MatchResult::failed):
        (MatchResult::operator bool):
        (MatchResult::empty):
            - Moved MatchResult into its own header.
        * runtime/RegExp.cpp:
        (JSC::RegExp::compile):
        (JSC::RegExp::compileIfNecessary):
        (JSC::RegExp::match):
            - Changed due to execute & representation changes.
        (JSC::RegExp::compileMatchOnly):
        (JSC::RegExp::compileIfNecessaryMatchOnly):
            - Added helper to compile MatchOnly code.
        (JSC::RegExp::invalidateCode):
        (JSC::RegExp::matchCompareWithInterpreter):
        (JSC::RegExp::printTraceData):
            - Changed due representation changes.
        * runtime/RegExp.h:
        (RegExp):
        (JSC::RegExp::hasCode):
            - Made YarrCodeBlock a member.
        * runtime/RegExpConstructor.h:
        (RegExpConstructor):
        (JSC::RegExpConstructor::performMatch):
            - Added no-ovector form.
        * runtime/RegExpMatchesArray.cpp:
        (JSC::RegExpMatchesArray::reifyAllProperties):
            - Match now takes a reference to ovector, not a pointer.
        * runtime/RegExpObject.h:
        (JSC):
            - Moved MatchResult into its own header.
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncSplit):
            - Match now takes a reference to ovector, not a pointer.
        * testRegExp.cpp:
        (testOneRegExp):
            - Match now takes a reference to ovector, not a pointer.
        * yarr/YarrJIT.cpp:
        (Yarr):
        (YarrGenerator):
        (JSC::Yarr::YarrGenerator::initCallFrame):
        (JSC::Yarr::YarrGenerator::removeCallFrame):
        (JSC::Yarr::YarrGenerator::setSubpatternStart):
        (JSC::Yarr::YarrGenerator::setSubpatternEnd):
        (JSC::Yarr::YarrGenerator::clearSubpatternStart):
        (JSC::Yarr::YarrGenerator::setMatchStart):
        (JSC::Yarr::YarrGenerator::getMatchStart):
            - Added helper functions to intermediate access to output.
        (JSC::Yarr::YarrGenerator::generateDotStarEnclosure):
        (JSC::Yarr::YarrGenerator::generate):
        (JSC::Yarr::YarrGenerator::backtrack):
        (JSC::Yarr::YarrGenerator::generateEnter):
        (JSC::Yarr::YarrGenerator::compile):
            - Changed to use the new helpers, only generate subpatterns if IncludeSubpatterns.
        (JSC::Yarr::jitCompile):
            - Needs to template of MatchOnly or IncludeSubpatterns.
        * yarr/YarrJIT.h:
        (YarrCodeBlock):
        (JSC::Yarr::YarrCodeBlock::set8BitCode):
        (JSC::Yarr::YarrCodeBlock::set16BitCode):
        (JSC::Yarr::YarrCodeBlock::has8BitCodeMatchOnly):
        (JSC::Yarr::YarrCodeBlock::has16BitCodeMatchOnly):
        (JSC::Yarr::YarrCodeBlock::set8BitCodeMatchOnly):
        (JSC::Yarr::YarrCodeBlock::set16BitCodeMatchOnly):
        (JSC::Yarr::YarrCodeBlock::execute):
        (JSC::Yarr::YarrCodeBlock::clear):
            - Added a second set of CodeRefs, so that we can compile RexExps with/without subpattern matching.

2012-03-27  Filip Pizlo  <fpizlo@apple.com>

        DFG OSR exit should not generate an exit for variables of inlinees if the
        inlinees are not in scope
        https://bugs.webkit.org/show_bug.cgi?id=82312

        Reviewed by Oliver Hunt.
        
        * bytecode/CodeBlock.h:
        (JSC::baselineCodeBlockForInlineCallFrame):
        (JSC):
        (JSC::baselineCodeBlockForOriginAndBaselineCodeBlock):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::computeNumVariablesForCodeOrigin):
        (DFG):
        (JSC::DFG::OSRExit::OSRExit):

2012-03-27  Matt Lilek  <mrl@apple.com>

        Stop compiling Interpreter.cpp with -fno-var-tracking
        https://bugs.webkit.org/show_bug.cgi?id=82299

        Reviewed by Anders Carlsson.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2012-03-27  Pratik Solanki  <psolanki@apple.com>

        Compiler warning when JIT is not enabled
        https://bugs.webkit.org/show_bug.cgi?id=82352

        Reviewed by Filip Pizlo.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::create):

2012-03-26  Thouraya ANDOLSI  <thouraya.andolsi@st.com>

        Unaligned userspace access for SH4 platforms
        https://bugs.webkit.org/show_bug.cgi?id=79104

        Reviewed by Gavin Barraclough.

        * assembler/AbstractMacroAssembler.h:
        (Jump):
        (JSC::AbstractMacroAssembler::Jump::Jump):
        (JSC::AbstractMacroAssembler::Jump::link):
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::load16Unaligned):
        (JSC::MacroAssemblerSH4::load32WithUnalignedHalfWords):
        (JSC::MacroAssemblerSH4::branchDouble):
        (JSC::MacroAssemblerSH4::branchTrue):
        (JSC::MacroAssemblerSH4::branchFalse):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::extraInstrForBranch):
        (SH4Assembler):
        (JSC::SH4Assembler::bra):
        (JSC::SH4Assembler::linkJump):
        * jit/JIT.h:
        (JIT):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):

2012-03-26  Ryosuke Niwa  <rniwa@webkit.org>

        cssText should use shorthand notations
        https://bugs.webkit.org/show_bug.cgi?id=81737

        Reviewed by Enrica Casucci.

        Export symbols of BitVector on Windows.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-03-26  Filip Pizlo  <fpizlo@apple.com>

        DFG should assert that argument value recoveries can only be
        AlreadyInRegisterFile or Constant
        https://bugs.webkit.org/show_bug.cgi?id=82249

        Reviewed by Michael Saboff.
        
        Made the assertions that the DFG makes for argument value recoveries match
        what Arguments expects.

        * bytecode/ValueRecovery.h:
        (JSC::ValueRecovery::isConstant):
        (ValueRecovery):
        (JSC::ValueRecovery::isAlreadyInRegisterFile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2012-03-26  Dan Bernstein  <mitz@apple.com>

        Tried to fix the Windows build.

        * yarr/YarrPattern.cpp:
        (JSC::Yarr::CharacterClassConstructor::putRange):

2012-03-26  Gavin Barraclough  <barraclough@apple.com>

        Unreviewed - speculative Windows build fix.

        * yarr/YarrCanonicalizeUCS2.h:
        (JSC::Yarr::getCanonicalPair):

2012-03-26  Dan Bernstein  <mitz@apple.com>

        Fixed builds with assertions disabled.

        * yarr/YarrCanonicalizeUCS2.h:
        (JSC::Yarr::areCanonicallyEquivalent):

2012-03-26  Gavin Barraclough  <barraclough@apple.com>

        Unreviewed - errk! - accidentally the whole pbxproj.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2012-03-25  Gavin Barraclough  <barraclough@apple.com>

        Greek sigma is handled wrong in case independent regexp.
        https://bugs.webkit.org/show_bug.cgi?id=82063

        Reviewed by Oliver Hunt.

        The bug here is that we assume that any given codepoint has at most one additional value it
        should match under a case insensitive match, and that the pair of codepoints that match (if
        a codepoint does not only match itself) can be determined by calling toUpper/toLower on the
        given codepoint). Life is not that simple.

        Instead, pre-calculate a set of tables mapping from a UCS2 codepoint to the set of characters
        it may match, under the ES5.1 case-insensitive matching rules. Since unicode is fairly regular
        we can pack this table quite nicely, and get it down to 364 entries. This means we can use a
        simple binary search to find an entry in typically eight compares.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * yarr/yarr.pri:
            - Added new files to build systems.
        * yarr/YarrCanonicalizeUCS2.cpp: Added.
            - New - autogenerated, UCS2 canonicalized comparison tables.
        * yarr/YarrCanonicalizeUCS2.h: Added.
        (JSC::Yarr::rangeInfoFor):
            - Look up the canonicalization info for a UCS2 character.
        (JSC::Yarr::getCanonicalPair):
            - For a UCS2 character with a single equivalent value, look it up.
        (JSC::Yarr::isCanonicallyUnique):
            - Returns true if no other UCS2 code points are canonically equal.
        (JSC::Yarr::areCanonicallyEquivalent):
            - Compare two values, under canonicalization rules.
        * yarr/YarrCanonicalizeUCS2.js: Added.
            - script used to generate YarrCanonicalizeUCS2.cpp.
        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::Interpreter::tryConsumeBackReference):
            - Use isCanonicallyUnique, rather than Unicode toUpper/toLower.
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::jumpIfCharNotEquals):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterFixed):
            - Use isCanonicallyUnique, rather than Unicode toUpper/toLower.
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::CharacterClassConstructor::putChar):
            - Updated to determine canonical equivalents correctly.
        (JSC::Yarr::CharacterClassConstructor::putUnicodeIgnoreCase):
            - Added, used to put a non-ascii, non-unique character in a case-insensitive match.
        (JSC::Yarr::CharacterClassConstructor::putRange):
            - Updated to determine canonical equivalents correctly.
        (JSC::Yarr::YarrPatternConstructor::atomPatternCharacter):
            - Changed to call putUnicodeIgnoreCase, instead of putChar, avoid a double lookup of rangeInfo.

2012-03-26  Kevin Ollivier  <kevino@theolliviers.com>

        [wx] Unreviewed build fix. Add the build outputs dir to the list of build dirs,
        so we make sure it finds the API headers on all platforms.

        * wscript:

2012-03-26  Patrick Gansterer  <paroga@webkit.org>

        Build fix for WinCE after r112039.

        * interpreter/Register.h:
        (Register): Removed inline keyword from decleration since
                    there is an ALWAYS_INLINE at the definition anyway.

2012-03-26  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix make distcheck.

        * GNUmakefile.list.am: Add missing files.

2012-03-25  Kevin Ollivier  <kevino@theolliviers.com>

        [wx] Unreviewed build fix. Move WTF to its own static lib build.

        * wscript:

2012-03-25  Filip Pizlo  <fpizlo@apple.com>

        DFG int-to-double conversion should be revealed to CSE
        https://bugs.webkit.org/show_bug.cgi?id=82135

        Reviewed by Oliver Hunt.
        
        This introduces the notion of an Int32ToDouble node, which is injected
        into the graph anytime we know that we have a double use of a node that
        was predicted integer. The Int32ToDouble simplifies double speculation
        on integers by skipping the path that would unbox doubles, if we know
        that the value is already proven to be an integer. It allows integer to
        double conversions to be subjected to common subexpression elimination
        (CSE) by allowing the CSE phase to see where these conversions are
        occurring. Finally, it allows us to see when a constant is being used
        as both a double and an integer. This is a bit odd, since it means that
        sometimes a double use of a constant will not refer directly to the
        constant. This should not cause problems, for now, but it may require
        some canonizalization in the future if we want to support strength
        reductions of double operations based on constants.
        
        To allow injection of nodes into the graph, this change introduces the
        DFG::InsertionSet, which is a way of lazily inserting elements into a
        list. This allows the FixupPhase to remain O(N) despite performing
        multiple injections in a single basic block. Without the InsertionSet,
        each injection would require performing an insertion into a vector,
        which is O(N), leading to O(N^2) performance overall. With the
        InsertionSet, each injection simply records what insertion would have
        been performed, and all insertions are performed at once (via
        InsertionSet::execute) after processing of a basic block is completed.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/PredictedType.h:
        (JSC::isActionableIntMutableArrayPrediction):
        (JSC):
        (JSC::isActionableFloatMutableArrayPrediction):
        (JSC::isActionableTypedMutableArrayPrediction):
        (JSC::isActionableMutableArrayPrediction):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGCommon.h:
        (JSC::DFG::useKindToString):
        (DFG):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::run):
        (JSC::DFG::FixupPhase::fixupBlock):
        (FixupPhase):
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixDoubleEdge):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGInsertionSet.h: Added.
        (DFG):
        (Insertion):
        (JSC::DFG::Insertion::Insertion):
        (JSC::DFG::Insertion::index):
        (JSC::DFG::Insertion::element):
        (InsertionSet):
        (JSC::DFG::InsertionSet::InsertionSet):
        (JSC::DFG::InsertionSet::append):
        (JSC::DFG::InsertionSet::execute):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
        (DFG):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        (JSC::DFG::IntegerOperand::IntegerOperand):
        (JSC::DFG::DoubleOperand::DoubleOperand):
        (JSC::DFG::JSValueOperand::JSValueOperand):
        (JSC::DFG::StorageOperand::StorageOperand):
        (JSC::DFG::SpeculateIntegerOperand::SpeculateIntegerOperand):
        (JSC::DFG::SpeculateStrictInt32Operand::SpeculateStrictInt32Operand):
        (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
        (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand):
        (JSC::DFG::SpeculateBooleanOperand::SpeculateBooleanOperand):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2012-03-25  Filip Pizlo  <fpizlo@apple.com>

        DFGOperands should be moved out of the DFG and into bytecode
        https://bugs.webkit.org/show_bug.cgi?id=82151

        Reviewed by Dan Bernstein.

        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/Operands.h: Copied from Source/JavaScriptCore/dfg/DFGOperands.h.
        * dfg/DFGBasicBlock.h:
        * dfg/DFGNode.h:
        * dfg/DFGOSREntry.h:
        * dfg/DFGOSRExit.h:
        * dfg/DFGOperands.h: Removed.
        * dfg/DFGVariableAccessData.h:

2012-03-24  Filip Pizlo  <fpizlo@apple.com>

        DFG 64-bit Branch implementation should not be creating a JSValueOperand that
        it isn't going to use
        https://bugs.webkit.org/show_bug.cgi?id=82136

        Reviewed by Geoff Garen.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitBranch):

2012-03-24  Kevin Ollivier  <kevino@theolliviers.com>

        [wx] Unreviewed. Fix the build after WTF move.

        * wscript:

2012-03-23  Filip Pizlo  <fpizlo@apple.com>

        DFG double voting may be overzealous in the case of variables that end up
        being used as integers
        https://bugs.webkit.org/show_bug.cgi?id=82008

        Reviewed by Oliver Hunt.
        
        Cleaned up propagation, making the intent more explicit in most places.
        Back-propagate NodeUsedAsInt for cases where a node was used in a context
        that is known to strongly prefer integers.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dumpCodeOrigin):
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (Graph):
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::nodeFlagsAsString):
        * dfg/DFGNodeFlags.h:
        (DFG):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::run):
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (PredictionPropagationPhase):
        (JSC::DFG::PredictionPropagationPhase::mergeDefaultFlags):
        (JSC::DFG::PredictionPropagationPhase::vote):
        (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
        (JSC::DFG::PredictionPropagationPhase::fixupNode):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):

2012-03-24  Filip Pizlo  <fpizlo@apple.com>

        DFG::Node::shouldNotSpeculateInteger() should be eliminated
        https://bugs.webkit.org/show_bug.cgi?id=82123

        Reviewed by Geoff Garen.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGNode.h:
        (Node):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePutByValForByteArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):

2012-03-24  Yong Li  <yoli@rim.com>

        Increase getByIdSlowCase ConstantSpace/InstructionSpace for CPU(ARM_TRADITIONAL)
        https://bugs.webkit.org/show_bug.cgi?id=81521

        Increase sequenceGetByIdSlowCaseConstantSpace and sequenceGetByIdSlowCaseInstructionSpace
        for CPU(ARM_TRADITIONAL) to fit actual need.

        Reviewed by Oliver Hunt.

        * jit/JIT.h:
        (JIT):

2012-03-23  Filip Pizlo  <fpizlo@apple.com>

        DFG Fixup should be able to short-circuit trivial ValueToInt32's
        https://bugs.webkit.org/show_bug.cgi?id=82030

        Reviewed by Michael Saboff.
        
        Takes the fixup() method of the prediction propagation phase and makes it
        into its own phase. Adds the ability to short-circuit trivial ValueToInt32
        nodes, and mark pure ValueToInt32's as such.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeSafe):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCommon.h:
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGFixupPhase.cpp: Added.
        (DFG):
        (FixupPhase):
        (JSC::DFG::FixupPhase::FixupPhase):
        (JSC::DFG::FixupPhase::run):
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixIntEdge):
        (JSC::DFG::performFixup):
        * dfg/DFGFixupPhase.h: Added.
        (DFG):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::run):
        (PredictionPropagationPhase):

2012-03-23  Mark Hahnenberg  <mhahnenberg@apple.com>

        tryReallocate could break the zero-ed memory invariant of CopiedBlocks
        https://bugs.webkit.org/show_bug.cgi?id=82087

        Reviewed by Filip Pizlo.

        Removing this optimization turned out to be ~1% regression on kraken, so I simply 
        undid the modification to the current block if we fail.

        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::tryReallocate): Undid the reset in the CopiedAllocator if we fail 
        to reallocate from the current block.

2012-03-23  Alexey Proskuryakov  <ap@apple.com>

        [Mac] No need for platform-specific ENABLE_BLOB values
        https://bugs.webkit.org/show_bug.cgi?id=82102

        Reviewed by David Kilzer.

        * Configurations/FeatureDefines.xcconfig:

2012-03-23  Michael Saboff  <msaboff@apple.com>

        DFG::compileValueToInt32 Sometime Generates GPR to FPR reg back to GPR
        https://bugs.webkit.org/show_bug.cgi?id=81805

        Reviewed by Filip Pizlo.

        Added SpeculativeJIT::checkGeneratedType() to determine the current format
        of an operand.  Used that information in SpeculativeJIT::compileValueToInt32
        to generate code that will use integer and JSValue types in integer
        format directly without a conversion to double.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkGeneratedType):
        (DFG):
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        * dfg/DFGSpeculativeJIT.h:
        (DFG):
        (SpeculativeJIT):

2012-03-23  Steve Falkenburg  <sfalken@apple.com>

        Update Apple Windows build files for WTF move
        https://bugs.webkit.org/show_bug.cgi?id=82069

        Reviewed by Jessie Berlin.

        * JavaScriptCore.vcproj/JavaScriptCoreSubmit.sln: Removed WTF and WTFGenerated.

2012-03-23  Dean Jackson  <dino@apple.com>

        Disable CSS_SHADERS in Apple builds
        https://bugs.webkit.org/show_bug.cgi?id=81996

        Reviewed by Simon Fraser.

        Remove ENABLE_CSS_SHADERS from FeatureDefines. It's now in Platform.h.

        * Configurations/FeatureDefines.xcconfig:

2012-03-23  Gavin Barraclough  <barraclough@apple.com>

        RexExp constructor last match properties should not rely on previous ovector
        https://bugs.webkit.org/show_bug.cgi?id=82077

        Reviewed by Oliver Hunt.

        This change simplifies matching, and will enable subpattern results to be fully lazily generated in the future.

        This patch changes the scheme used to lazily generate the last match properties of the RegExp object.
        Instead of relying on the results in the ovector, we can instead lazily generate the subpatters using
        a RegExpMatchesArray. To do so we just need to store the input, the regexp matched, and the match
        location (the MatchResult). When the match is accessed or the input is set, we reify results. We use
        a special value of setting the saved result to MatchResult::failed() to indicated that we're in a
        reified state. This means that next time a match is performed, the store of the result will
        automatically blow away the reified value.

        * JavaScriptCore.xcodeproj/project.pbxproj:
            - Added new files.
        * runtime/RegExp.cpp:
        (JSC::RegExpFunctionalTestCollector::outputOneTest):
            - changed 'subPattern' -> 'subpattern' (there was a mix in JSC, 'subpattern' was more common).
        * runtime/RegExpCachedResult.cpp: Added.
        (JSC::RegExpCachedResult::visitChildren):
        (JSC::RegExpCachedResult::lastResult):
        (JSC::RegExpCachedResult::setInput):
            - New methods, mark GC objects, lazily create the matches array, and record a user provided input (via assignment to RegExp.inupt).
        * runtime/RegExpCachedResult.h: Added.
        (RegExpCachedResult):
            - Added new class.
        (JSC::RegExpCachedResult::RegExpCachedResult):
        (JSC::RegExpCachedResult::record):
        (JSC::RegExpCachedResult::input):
            - Initialize the object, record the result of a RegExp match, access the stored input property.
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::RegExpConstructor):
            - Initialize m_result/m_multiline properties.
        (JSC::RegExpConstructor::visitChildren):
            - Make sure the cached results (or lazy source for them) are marked.
        (JSC::RegExpConstructor::getBackref):
        (JSC::RegExpConstructor::getLastParen):
        (JSC::RegExpConstructor::getLeftContext):
        (JSC::RegExpConstructor::getRightContext):
            - Moved from RegExpConstructor, moved to RegExpCachedResult, and using new caching scheme.
        (JSC::regExpConstructorInput):
        (JSC::setRegExpConstructorInput):
            - Changed to use RegExpCachedResult.
        * runtime/RegExpConstructor.h:
        (JSC::RegExpConstructor::create):
        (RegExpConstructor):
        (JSC::RegExpConstructor::setMultiline):
        (JSC::RegExpConstructor::multiline):
            - Move multiline property onto the constructor object; it is not affected by the last match.
        (JSC::RegExpConstructor::setInput):
        (JSC::RegExpConstructor::input):
            - These defer to RegExpCachedResult.
        (JSC::RegExpConstructor::performMatch):
        * runtime/RegExpMatchesArray.cpp: Added.
        (JSC::RegExpMatchesArray::visitChildren):
            - Eeeep! added missing visitChildren!
        (JSC::RegExpMatchesArray::finishCreation):
        (JSC::RegExpMatchesArray::reifyAllProperties):
        (JSC::RegExpMatchesArray::reifyMatchProperty):
            - Moved from RegExpConstructor.cpp.
        (JSC::RegExpMatchesArray::leftContext):
        (JSC::RegExpMatchesArray::rightContext):
            - Since the match start/
        * runtime/RegExpMatchesArray.h:
        (RegExpMatchesArray):
            - Declare new methods & structure flags.
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::match):
            - performMatch now requires the JSString input, to cache.
        * runtime/StringPrototype.cpp:
        (JSC::removeUsingRegExpSearch):
        (JSC::replaceUsingRegExpSearch):
        (JSC::stringProtoFuncMatch):
        (JSC::stringProtoFuncSearch):
            - performMatch now requires the JSString input, to cache.

2012-03-23  Tony Chang  <tony@chromium.org>

        [chromium] rename newwtf target back to wtf
        https://bugs.webkit.org/show_bug.cgi?id=82064

        Reviewed by Adam Barth.

        * JavaScriptCore.gyp/JavaScriptCore.gyp:

2012-03-23  Mark Hahnenberg  <mhahnenberg@apple.com>

        Simplify memory usage tracking in CopiedSpace
        https://bugs.webkit.org/show_bug.cgi?id=80705

        Reviewed by Filip Pizlo.

        * heap/CopiedAllocator.h:
        (CopiedAllocator): Rename currentUtilization to currentSize.
        (JSC::CopiedAllocator::currentCapacity):
        * heap/CopiedBlock.h:
        (CopiedBlock):
        (JSC::CopiedBlock::payload): Move the implementation of payload() out of the class
        declaration.
        (JSC):
        (JSC::CopiedBlock::size): Add new function to calculate the block's size.
        (JSC::CopiedBlock::capacity): Ditto for capacity.
        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::CopiedSpace): Remove old bogus memory stats fields and add a new
        field for the water mark.
        (JSC::CopiedSpace::init):
        (JSC::CopiedSpace::tryAllocateSlowCase): When we fail to allocate from the current 
        block, we need to update our current water mark with the size of the block.
        (JSC::CopiedSpace::tryAllocateOversize): When we allocate a new oversize block, we 
        need to update our current water mark with the size of the used portion of the block.
        (JSC::CopiedSpace::tryReallocate): We don't need to update the water mark when 
        reallocating because it will either get accounted for when we fill up the block later 
        in the case of being able to reallocate in the current block or it will get picked up 
        immediately because we'll have to get a new block.
        (JSC::CopiedSpace::tryReallocateOversize): We do, however, need to update in when 
        realloc-ing an oversize block because we deallocate the old block and allocate a brand 
        new one.
        (JSC::CopiedSpace::doneFillingBlock): Update the water mark as blocks are returned to 
        the CopiedSpace by the SlotVisitors.
        (JSC::CopiedSpace::doneCopying): Add in any pinned blocks to the water mark.
        (JSC::CopiedSpace::getFreshBlock): We use the Heap's new function to tell us whether or 
        not we should collect now instead of doing the calculation ourself.
        (JSC::CopiedSpace::destroy):
        (JSC):
        (JSC::CopiedSpace::size): Manually calculate the size of the CopiedSpace, similar to how 
        MarkedSpace does.
        (JSC::CopiedSpace::capacity): Ditto for capacity.
        * heap/CopiedSpace.h:
        (JSC::CopiedSpace::waterMark):
        (CopiedSpace):
        * heap/CopiedSpaceInlineMethods.h:
        (JSC::CopiedSpace::startedCopying): Reset water mark to 0 when we start copying during a 
        collection.
        (JSC::CopiedSpace::allocateNewBlock):
        (JSC::CopiedSpace::fitsInBlock):
        (JSC::CopiedSpace::allocateFromBlock):
        * heap/Heap.cpp:
        (JSC::Heap::size): Incorporate size of CopiedSpace into the total size of the Heap.
        (JSC::Heap::capacity): Ditto for capacity.
        (JSC::Heap::collect):
        * heap/Heap.h:
        (Heap):
        (JSC::Heap::shouldCollect): New function for other sub-parts of the Heap to use to 
        determine whether they should initiate a collection or continue to allocate new blocks.
        (JSC):
        (JSC::Heap::waterMark): Now is the sum of the water marks of the two sub-parts of the
        Heap (MarkedSpace and CopiedSpace).
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::allocateSlowCase): Changed to use the Heap's new shouldCollect() function.

2012-03-23  Ryosuke Niwa  <rniwa@webkit.org>

        BitVector::resizeOutOfLine doesn't memset when converting an inline buffer
        https://bugs.webkit.org/show_bug.cgi?id=82012

        Reviewed by Filip Pizlo.

        Initialize out-of-line buffers while extending an inline buffer. Also export symbols to be used in WebCore.

        * wtf/BitVector.cpp:
        (WTF::BitVector::resizeOutOfLine):
        * wtf/BitVector.h:
        (BitVector):
        (OutOfLineBits):

2012-03-22  Michael Saboff  <msaboff@apple.com>

        ExecutableAllocator::memoryPressureMultiplier() might can return NaN
        https://bugs.webkit.org/show_bug.cgi?id=82002

        Reviewed by Filip Pizlo.

        Guard against divide by zero and then make sure the return
        value is >= 1.0.

        * jit/ExecutableAllocator.cpp:
        (JSC::ExecutableAllocator::memoryPressureMultiplier):
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::ExecutableAllocator::memoryPressureMultiplier):

2012-03-22  Jessie Berlin  <jberlin@apple.com>

        Windows build fix after r111778.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        Don't include and try to build files owned by WTF.
        Also, let VS have its way with the vcproj in terms of file ordering.

2012-03-22  Raphael Kubo da Costa  <rakuco@FreeBSD.org>

        [CMake] Unreviewed build fix after r111778.

        * CMakeLists.txt: Move ${WTF_DIR} after ${JAVASCRIPTCORE_DIR} in
        the include paths so that the right config.h is used.

2012-03-22  Tony Chang  <tony@chromium.org>

        Unreviewed, fix chromium build after wtf move.

        Remove old wtf_config and wtf targets.

        * JavaScriptCore.gyp/JavaScriptCore.gyp:

2012-03-22  Martin Robinson  <mrobinson@igalia.com>

        Fixed the GTK+ WTF/JavaScriptCore build after r111778.

        * GNUmakefile.list.am: Removed an extra trailing backslash.

2012-03-22  Mark Rowe  <mrowe@apple.com>

        Fix the build.

        * Configurations/JavaScriptCore.xcconfig: Tell the linker to pull in all members from static libraries
        rather than only those that contain symbols that JavaScriptCore itself uses.
        * JavaScriptCore.xcodeproj/project.pbxproj: Remove some bogus settings that crept in to the Xcode project.

2012-03-22  Filip Pizlo  <fpizlo@apple.com>

        DFG NodeFlags has some duplicate code and naming issues
        https://bugs.webkit.org/show_bug.cgi?id=81975

        Reviewed by Gavin Barraclough.
        
        Removed most references to "ArithNodeFlags" since those are now just part
        of the node flags. Fixed some renaming goofs (EdgedAsNum is once again
        NodeUsedAsNum). Got rid of setArithNodeFlags() and mergeArithNodeFlags()
        because the former was never called and the latter did the same things as
        mergeFlags().

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeSafe):
        (JSC::DFG::ByteCodeParser::makeDivSafe):
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::arithNodeFlags):
        (Node):
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::nodeFlagsAsString):
        * dfg/DFGNodeFlags.h:
        (DFG):
        (JSC::DFG::nodeUsedAsNumber):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::mergeDefaultArithFlags):

2012-03-22  Eric Seidel  <eric@webkit.org>

        Actually move WTF files to their new home
        https://bugs.webkit.org/show_bug.cgi?id=81844

        Unreviewed.  The details of the port-specific changes
        have been seen by contributors from those ports, but
        the whole 5MB change isn't very reviewable as-is.

        * GNUmakefile.am:
        * GNUmakefile.list.am:
        * JSCTypedArrayStubs.h:
        * JavaScriptCore.gypi:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jsc.cpp:

2012-03-22  Kevin Ollivier  <kevino@theolliviers.com>

        [wx] Unreviewed. Adding Source/WTF to the build.

        * wscript:

2012-03-22  Gavin Barraclough  <barraclough@apple.com>

        Add JSValue::isFunction
        https://bugs.webkit.org/show_bug.cgi?id=81935

        Reviewed by Geoff Garen.

        This would be useful in the WebCore bindings code.
        Also, remove asFunction, replace with jsCast<JSFunction*>.

        * API/JSContextRef.cpp:
        * debugger/Debugger.cpp:
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::functionName):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::valueOfFunctionConstant):
        * dfg/DFGOperations.cpp:
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::isInlineCallFrameSlow):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC::jitCompileFor):
        (JSC::lazyLinkFor):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::traceFunctionPrologue):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::setUpCall):
        * runtime/Arguments.h:
        (JSC::Arguments::finishCreation):
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncFilter):
        (JSC::arrayProtoFuncMap):
        (JSC::arrayProtoFuncEvery):
        (JSC::arrayProtoFuncForEach):
        (JSC::arrayProtoFuncSome):
        (JSC::arrayProtoFuncReduce):
        (JSC::arrayProtoFuncReduceRight):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::arityCheckFor):
        * runtime/Executable.h:
        (JSC::FunctionExecutable::compileFor):
        (JSC::FunctionExecutable::compileOptimizedFor):
        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):
        * runtime/JSArray.cpp:
        (JSC::JSArray::sort):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::argumentsGetter):
        (JSC::JSFunction::callerGetter):
        (JSC::JSFunction::lengthGetter):
        * runtime/JSFunction.h:
        (JSC):
        (JSC::asJSFunction):
        (JSC::JSValue::isFunction):
        * runtime/JSGlobalData.cpp:
        (WTF::Recompiler::operator()):
        (JSC::JSGlobalData::releaseExecutableMemory):
        * runtime/JSValue.h:
        * runtime/StringPrototype.cpp:
        (JSC::replaceUsingRegExpSearch):

2012-03-21  Filip Pizlo  <fpizlo@apple.com>

        DFG speculation on booleans should be rationalized
        https://bugs.webkit.org/show_bug.cgi?id=81840

        Reviewed by Gavin Barraclough.
        
        This removes isKnownBoolean() and replaces it with AbstractState-based
        optimization, and cleans up the control flow in code gen methods for
        Branch and LogicalNot. Also fixes a goof in Node::shouldSpeculateNumber,
        and removes isKnownNotBoolean() since that method appeared to be a
        helper used solely by 32_64's speculateBooleanOperation().
        
        This is performance-neutral.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateNumber):
        * dfg/DFGSpeculativeJIT.cpp:
        (DFG):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):

2012-03-21  Mark Rowe  <mrowe@apple.com>

        Fix the build.

        * wtf/MetaAllocator.h:
        (MetaAllocator): Export the destructor.

2012-03-21  Eric Seidel  <eric@webkit.org>

        Fix remaining WTF includes in JavaScriptCore in preparation for moving WTF headers out of JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=81834

        Reviewed by Adam Barth.

        * jsc.cpp:
        * os-win32/WinMain.cpp:
        * runtime/JSDateMath.cpp:
        * runtime/TimeoutChecker.cpp:
        * testRegExp.cpp:
        * tools/CodeProfiling.cpp:

2012-03-21  Eric Seidel  <eric@webkit.org>

        WTF::MetaAllocator has a weak vtable (discovered when building wtf as a static library)
        https://bugs.webkit.org/show_bug.cgi?id=81838

        Reviewed by Geoffrey Garen.

        My understanding is that weak vtables happen when the compiler/linker cannot
        determine which compilation unit should constain the vtable.  In this case
        because there were only pure virtual functions as well as an "inline"
        virtual destructor (thus the virtual destructor was defined in many compilation
        units).  Since you can't actually "inline" a virtual function (it still has to
        bounce through the vtable), the "inline" on this virutal destructor doesn't
        actually help performance, and is only serving to confuse the compiler here.
        I've moved the destructor implementation to the .cpp file, thus making
        it clear to the compiler where the vtable should be stored, and solving the error.

        * wtf/MetaAllocator.cpp:
        (WTF::MetaAllocator::~MetaAllocator):
        (WTF):
        * wtf/MetaAllocator.h:

2012-03-20  Gavin Barraclough  <barraclough@apple.com>

        RegExpMatchesArray should not copy the ovector
        https://bugs.webkit.org/show_bug.cgi?id=81742

        Reviewed by Michael Saboff.

        Currently, all RegExpMatchesArray object contain Vector<int, 32>, used to hold any sub-pattern results.
        This makes allocation/construction/destruction of these objects more expensive. Instead, just store the
        main match, and recreate the sub-pattern ranges only if necessary (these are often only used for grouping,
        and the results never accessed).
        If the main match (index 0) of the RegExpMatchesArray is accessed, reify that value alone.

        * dfg/DFGOperations.cpp:
            - RegExpObject match renamed back to test (test returns a bool).
        * runtime/RegExpConstructor.cpp:
        (JSC):
            - Removed RegExpResult, RegExpMatchesArray constructor, destroy method.
        (JSC::RegExpMatchesArray::finishCreation):
            - Removed RegExpConstructorPrivate parameter.
        (JSC::RegExpMatchesArray::reifyAllProperties):
            - (Was fillArrayInstance) Reify all properties of the RegExpMatchesArray.
            If there are sub-pattern properties, the RegExp is re-run to generate their values.
        (JSC::RegExpMatchesArray::reifyMatchProperty):
            - Reify just the match (index 0) property of the RegExpMatchesArray.
        * runtime/RegExpConstructor.h:
        (RegExpConstructor):
        (JSC::RegExpConstructor::performMatch):
            - performMatch now returns a MatchResult, rather than using out-parameters.
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::RegExpMatchesArray):
            - Moved from .cpp, stores the input/regExp/result to use when lazily reifying properties.
        (RegExpMatchesArray):
        (JSC::RegExpMatchesArray::create):
            - Now passed the input string matched against, the RegExp, and the MatchResult.
        (JSC::RegExpMatchesArray::reifyAllPropertiesIfNecessary):
        (JSC::RegExpMatchesArray::reifyMatchPropertyIfNecessary):
            - Helpers to conditionally reify properties.
        (JSC::RegExpMatchesArray::getOwnPropertySlot):
        (JSC::RegExpMatchesArray::getOwnPropertySlotByIndex):
        (JSC::RegExpMatchesArray::getOwnPropertyDescriptor):
        (JSC::RegExpMatchesArray::put):
        (JSC::RegExpMatchesArray::putByIndex):
        (JSC::RegExpMatchesArray::deleteProperty):
        (JSC::RegExpMatchesArray::deletePropertyByIndex):
        (JSC::RegExpMatchesArray::getOwnPropertyNames):
        (JSC::RegExpMatchesArray::defineOwnProperty):
            - Changed to use reifyAllPropertiesIfNecessary/reifyMatchPropertyIfNecessary
            (getOwnPropertySlotByIndex calls reifyMatchPropertyIfNecessary if index is 0).
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::exec):
        (JSC::RegExpObject::match):
            - match now returns a MatchResult.
        * runtime/RegExpObject.h:
        (JSC::MatchResult::MatchResult):
            - Added the result of a match is a start & end tuple.
        (JSC::MatchResult::failed):
            - A failure is indicated by (notFound, 0).
        (JSC::MatchResult::operator bool):
            - Evaluates to false if the match failed.
        (JSC::MatchResult::empty):
            - Evaluates to true if the match succeeded with length 0.
        (JSC::RegExpObject::test):
            - Now returns a bool.
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncTest):
            - RegExpObject match renamed back to test (test returns a bool).
        * runtime/StringPrototype.cpp:
        (JSC::removeUsingRegExpSearch):
        (JSC::replaceUsingRegExpSearch):
        (JSC::stringProtoFuncMatch):
        (JSC::stringProtoFuncSearch):
            - performMatch now returns a MatchResult, rather than using out-parameters.

2012-03-21  Hojong Han  <hojong.han@samsung.com>

        Fix out of memory by allowing overcommit
        https://bugs.webkit.org/show_bug.cgi?id=81743

        Reviewed by Geoffrey Garen.

        Garbage collection is not triggered and new blocks are added
        because overcommit is allowed by MAP_NORESERVE flag when high water mark is big enough.

        * wtf/OSAllocatorPosix.cpp:
        (WTF::OSAllocator::reserveAndCommit):

2012-03-21  Jessie Berlin  <jberlin@apple.com>

        More Windows build fixing.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreCommon.vsprops:
        Fix the order of the include directories to look in include/private first before looking
        in include/private/JavaScriptCore.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreReleasePGO.vsprops:
        Look in the Production output directory (where the wtf headers will be). This is the same
        thing that is done for jsc and testRegExp in ReleasePGO.

2012-03-21  Jessie Berlin  <jberlin@apple.com>

        WTF headers should be in $(ConfigurationBuildDir)\include\private\wtf, not
        $(ConfigurationBuildDir)\include\private\JavaScriptCore\wtf.
        https://bugs.webkit.org/show_bug.cgi?id=81739

        Reviewed by Dan Bernstein.

        * JavaScriptCore.vcproj/jsc/jsc.vcproj:
        Look for AtomicString.cpp, StringBuilder.cpp, StringImpl.cpp, and WTFString.cpp in the wtf
        subdirectory of the build output, not the JavaScriptCore/wtf subdirectory.
        * JavaScriptCore.vcproj/testRegExp/testRegExp.vcproj:
        Ditto.

        * JavaScriptCore.vcproj/testRegExp/testRegExpReleasePGO.vsprops:
        Get the headers for those 4 files from the wtf subdirectory of the build output, not the
        JavaScriptCore/wtf subdirectory.
        * JavaScriptCore.vcproj/jsc/jscReleasePGO.vsprops:
        Ditto.

2012-03-20  Eric Seidel  <eric@webkit.org>

        Move wtf/Platform.h from JavaScriptCore to Source/WTF/wtf
        https://bugs.webkit.org/show_bug.cgi?id=80911

        Reviewed by Adam Barth.

        Update the various build systems to depend on Source/WTF headers
        as well as remove references to Platform.h (since it's now moved).

        * CMakeLists.txt:
        * JavaScriptCore.pri:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreCommon.vsprops:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * wtf/CMakeLists.txt:

2012-03-20  Filip Pizlo  <fpizlo@apple.com>

        op_mod fails on many interesting corner cases
        https://bugs.webkit.org/show_bug.cgi?id=81648

        Reviewed by Oliver Hunt.
        
        Removed most strength reduction for op_mod, and fixed the integer handling
        to do the right thing for corner cases. Oddly, this revealed bugs in OSR,
        which this patch also fixes.
        
        This patch is performance neutral on all of the major benchmarks we track.

        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (DFG):
        (JSC::DFG::SpeculativeJIT::compileSoftModulo):
        (JSC::DFG::SpeculativeJIT::compileArithMod):
        * jit/JIT.h:
        (JIT):
        * jit/JITArithmetic.cpp:
        (JSC):
        (JSC::JIT::emit_op_mod):
        (JSC::JIT::emitSlow_op_mod):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_op_mod):
        (JSC::JIT::emitSlow_op_mod):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTIMachineTrampolines):
        (JSC):
        * jit/JITStubs.h:
        (TrampolineStructure):
        (JSC::JITThunks::ctiNativeConstruct):
        * llint/LowLevelInterpreter64.asm:
        * wtf/Platform.h:
        * wtf/SimpleStats.h:
        (WTF::SimpleStats::variance):

2012-03-20  Steve Falkenburg  <sfalken@apple.com>

        Windows (make based) build fix.
        <rdar://problem/11069015>

        * JavaScriptCore.vcproj/JavaScriptCore.make: devenv /rebuild doesn't work with JavaScriptCore.vcproj. Use /clean and /build instead.

2012-03-20  Steve Falkenburg  <sfalken@apple.com>

        Move WTF-related Windows project files out of JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=80680

        This change only moves the vcproj and related files from JavaScriptCore/JavaScriptCore.vcproj/WTF.
        It does not move any source code. This is in preparation for the WTF source move out of
        JavaScriptCore.

        Reviewed by Jessie Berlin.

        * JavaScriptCore.vcproj/JavaScriptCore.sln:
        * JavaScriptCore.vcproj/JavaScriptCoreSubmit.sln:
        * JavaScriptCore.vcproj/WTF: Removed.
        * JavaScriptCore.vcproj/WTF/WTF.vcproj: Removed.
        * JavaScriptCore.vcproj/WTF/WTFCommon.vsprops: Removed.
        * JavaScriptCore.vcproj/WTF/WTFDebug.vsprops: Removed.
        * JavaScriptCore.vcproj/WTF/WTFDebugAll.vsprops: Removed.
        * JavaScriptCore.vcproj/WTF/WTFDebugCairoCFLite.vsprops: Removed.
        * JavaScriptCore.vcproj/WTF/WTFGenerated.make: Removed.
        * JavaScriptCore.vcproj/WTF/WTFGenerated.vcproj: Removed.
        * JavaScriptCore.vcproj/WTF/WTFGeneratedCommon.vsprops: Removed.
        * JavaScriptCore.vcproj/WTF/WTFGeneratedDebug.vsprops: Removed.
        * JavaScriptCore.vcproj/WTF/WTFGeneratedDebugAll.vsprops: Removed.
        * JavaScriptCore.vcproj/WTF/WTFGeneratedDebugCairoCFLite.vsprops: Removed.
        * JavaScriptCore.vcproj/WTF/WTFGeneratedProduction.vsprops: Removed.
        * JavaScriptCore.vcproj/WTF/WTFGeneratedRelease.vsprops: Removed.
        * JavaScriptCore.vcproj/WTF/WTFGeneratedReleaseCairoCFLite.vsprops: Removed.
        * JavaScriptCore.vcproj/WTF/WTFPostBuild.cmd: Removed.
        * JavaScriptCore.vcproj/WTF/WTFPreBuild.cmd: Removed.
        * JavaScriptCore.vcproj/WTF/WTFProduction.vsprops: Removed.
        * JavaScriptCore.vcproj/WTF/WTFRelease.vsprops: Removed.
        * JavaScriptCore.vcproj/WTF/WTFReleaseCairoCFLite.vsprops: Removed.
        * JavaScriptCore.vcproj/WTF/build-generated-files.sh: Removed.
        * JavaScriptCore.vcproj/WTF/copy-files.cmd: Removed.
        * JavaScriptCore.vcproj/WTF/work-around-vs-dependency-tracking-bugs.py: Removed.

2012-03-20  Benjamin Poulain  <bpoulain@apple.com>

        Cache the type string of JavaScript object
        https://bugs.webkit.org/show_bug.cgi?id=81446

        Reviewed by Geoffrey Garen.

        Instead of creating the JSString every time, we create
        lazily the strings in JSGlobalData.

        This avoid the construction of the StringImpl and of the JSString,
        which gives some performance improvements.

        * runtime/CommonIdentifiers.h:
        * runtime/JSValue.cpp:
        (JSC::JSValue::toStringSlowCase):
        * runtime/Operations.cpp:
        (JSC::jsTypeStringForValue):
        * runtime/SmallStrings.cpp:
        (JSC::SmallStrings::SmallStrings):
        (JSC::SmallStrings::finalizeSmallStrings):
        (JSC::SmallStrings::initialize):
        (JSC):
        * runtime/SmallStrings.h:
        (SmallStrings):

2012-03-20  Oliver Hunt  <oliver@apple.com>

        Allow LLINT to work even when executable allocation fails.
        https://bugs.webkit.org/show_bug.cgi?id=81693

        Reviewed by Gavin Barraclough.

        Don't crash if executable allocation fails if we can fall back on LLINT

        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
        * wtf/OSAllocatorPosix.cpp:
        (WTF::OSAllocator::reserveAndCommit):

2012-03-20  Csaba Osztrogonác  <ossy@webkit.org>

        Division optimizations fail to infer cases of truncated division and mishandle -2147483648/-1
        https://bugs.webkit.org/show_bug.cgi?id=81428

        32 bit buildfix after r111355.

        2147483648 (2^31) isn't valid int literal in ISO C90, because 2147483647 (2^31-1) is the biggest int.
        The smallest int is -2147483648 (-2^31) == -2147483647 - 1  == -INT32_MAX-1 == INT32_MIN (stdint.h).

        Reviewed by Zoltan Herczeg.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIntegerArithDivForX86):

2012-03-19  Jochen Eisinger  <jochen@chromium.org>

        Split WTFReportBacktrace into WTFReportBacktrace and WTFPrintBacktrace
        https://bugs.webkit.org/show_bug.cgi?id=80983

        Reviewed by Darin Adler.

        This allows printing a backtrace acquired by an earlier WTFGetBacktrace
        call which is useful for local debugging.

        * wtf/Assertions.cpp:
        * wtf/Assertions.h:

2012-03-19  Benjamin Poulain  <benjamin@webkit.org>

        Do not copy the script source in the SourceProvider, just reference the existing string
        https://bugs.webkit.org/show_bug.cgi?id=81466

        Reviewed by Geoffrey Garen.

        * parser/SourceCode.h: Remove the unused, and incorrect, function data().
        * parser/SourceProvider.h: Add OVERRIDE for clarity.

2012-03-19  Filip Pizlo  <fpizlo@apple.com>

        Division optimizations fail to infer cases of truncated division and
        mishandle -2147483648/-1
        https://bugs.webkit.org/show_bug.cgi?id=81428
        <rdar://problem/11067382>

        Reviewed by Oliver Hunt.

        If you're a division over integers and you're only used as an integer, then you're
        an integer division and remainder checks become unnecessary. If you're dividing
        -2147483648 by -1, don't crash.

        * assembler/MacroAssemblerX86Common.h:
        (MacroAssemblerX86Common):
        (JSC::MacroAssemblerX86Common::add32):
        * dfg/DFGSpeculativeJIT.cpp:
        (DFG):
        (JSC::DFG::SpeculativeJIT::compileIntegerArithDivForX86):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * llint/LowLevelInterpreter64.asm:

2012-03-19  Benjamin Poulain  <bpoulain@apple.com>

        Simplify SmallStrings
        https://bugs.webkit.org/show_bug.cgi?id=81445

        Reviewed by Gavin Barraclough.

        SmallStrings had two methods that should not be public: count() and clear().

        The method clear() is effectively replaced by finalizeSmallStrings(). The body
        of the method was moved to the constructor since the code is obvious.

        The method count() is unused.

        * runtime/SmallStrings.cpp:
        (JSC::SmallStrings::SmallStrings):
        * runtime/SmallStrings.h:
        (SmallStrings):

2012-03-19  Filip Pizlo  <fpizlo@apple.com>

        DFG can no longer compile V8-v4/regexp in debug mode
        https://bugs.webkit.org/show_bug.cgi?id=81592

        Reviewed by Gavin Barraclough.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2012-03-19  Filip Pizlo  <fpizlo@apple.com>

        Prediction propagation for UInt32ToNumber incorrectly assumes that outs outcome does not
        change throughout the fixpoint
        https://bugs.webkit.org/show_bug.cgi?id=81583

        Reviewed by Michael Saboff.

        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):

2012-03-19  Filip Pizlo  <fpizlo@apple.com>

        GC should not attempt to clear LLInt instruction inline caches for code blocks that are in
        the process of being generated
        https://bugs.webkit.org/show_bug.cgi?id=81565

        Reviewed by Oliver Hunt.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finalizeUnconditionally):

2012-03-19  Eric Seidel  <eric@webkit.org>

        Fix WTF header include discipline in Chromium WebKit
        https://bugs.webkit.org/show_bug.cgi?id=81281

        Reviewed by James Robinson.

        * JavaScriptCore.gyp/JavaScriptCore.gyp:
        * wtf/unicode/icu/CollatorICU.cpp:

2012-03-19  Filip Pizlo  <fpizlo@apple.com>

        DFG NodeUse should be called Edge and NodeReferenceBlob should be called AdjacencyList
        https://bugs.webkit.org/show_bug.cgi?id=81556

        Rubber stamped by Gavin Barraclough.

        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractState.h:
        (JSC::DFG::AbstractState::forNode):
        * dfg/DFGAdjacencyList.h: Copied from Source/JavaScriptCore/dfg/DFGNodeReferenceBlob.h.
        (JSC::DFG::AdjacencyList::AdjacencyList):
        (JSC::DFG::AdjacencyList::child):
        (JSC::DFG::AdjacencyList::setChild):
        (JSC::DFG::AdjacencyList::child1):
        (JSC::DFG::AdjacencyList::child2):
        (JSC::DFG::AdjacencyList::child3):
        (JSC::DFG::AdjacencyList::setChild1):
        (JSC::DFG::AdjacencyList::setChild2):
        (JSC::DFG::AdjacencyList::setChild3):
        (JSC::DFG::AdjacencyList::child1Unchecked):
        (JSC::DFG::AdjacencyList::initialize):
        (AdjacencyList):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addVarArgChild):
        (JSC::DFG::ByteCodeParser::processPhiStack):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::canonicalize):
        (JSC::DFG::CSEPhase::performSubstitution):
        * dfg/DFGEdge.h: Copied from Source/JavaScriptCore/dfg/DFGNodeUse.h.
        (DFG):
        (JSC::DFG::Edge::Edge):
        (JSC::DFG::Edge::operator==):
        (JSC::DFG::Edge::operator!=):
        (Edge):
        (JSC::DFG::operator==):
        (JSC::DFG::operator!=):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::operator[]):
        (JSC::DFG::Graph::at):
        (JSC::DFG::Graph::ref):
        (JSC::DFG::Graph::deref):
        (JSC::DFG::Graph::clearAndDerefChild1):
        (JSC::DFG::Graph::clearAndDerefChild2):
        (JSC::DFG::Graph::clearAndDerefChild3):
        (Graph):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::getPrediction):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::Node):
        (JSC::DFG::Node::child1):
        (JSC::DFG::Node::child1Unchecked):
        (JSC::DFG::Node::child2):
        (JSC::DFG::Node::child3):
        (Node):
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::arithNodeFlagsAsString):
        * dfg/DFGNodeFlags.h:
        (DFG):
        (JSC::DFG::nodeUsedAsNumber):
        * dfg/DFGNodeReferenceBlob.h: Removed.
        * dfg/DFGNodeUse.h: Removed.
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::mergeDefaultArithFlags):
        (JSC::DFG::PredictionPropagationPhase::vote):
        (JSC::DFG::PredictionPropagationPhase::fixupNode):
        * dfg/DFGScoreBoard.h:
        (JSC::DFG::ScoreBoard::use):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::useChildren):
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        (JSC::DFG::SpeculativeJIT::compilePutByValForByteArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::at):
        (JSC::DFG::SpeculativeJIT::canReuse):
        (JSC::DFG::SpeculativeJIT::use):
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::speculationCheck):
        (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
        (JSC::DFG::IntegerOperand::IntegerOperand):
        (JSC::DFG::DoubleOperand::DoubleOperand):
        (JSC::DFG::JSValueOperand::JSValueOperand):
        (JSC::DFG::StorageOperand::StorageOperand):
        (JSC::DFG::SpeculateIntegerOperand::SpeculateIntegerOperand):
        (JSC::DFG::SpeculateStrictInt32Operand::SpeculateStrictInt32Operand):
        (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
        (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand):
        (JSC::DFG::SpeculateBooleanOperand::SpeculateBooleanOperand):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):

2012-03-19  Gavin Barraclough  <barraclough@apple.com>

        Object.freeze broken on latest Nightly
        https://bugs.webkit.org/show_bug.cgi?id=80577

        Reviewed by Oliver Hunt.

        * runtime/Arguments.cpp:
        (JSC::Arguments::defineOwnProperty):
            - defineOwnProperty was checking for correct behaviour, provided that length/callee hadn't
            been overrridden. instead, just reify length/callee & rely on JSObject::defineOwnProperty.
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::defineOwnProperty):
            - for arguments/caller/length properties, defineOwnProperty was incorrectly asserting that
            the object must be extensible; this is incorrect since these properties should already exist
            on the object. In addition, it was asserting that the arguments/caller values must match the
            corresponding magic data properties, but for strict mode function this is incorrect. Instead,
            just reify the arguments/caller accessor & defer to JSObject::defineOwnProperty.

2012-03-19  Filip Pizlo  <fpizlo@apple.com>

        LLInt get_by_pname slow path incorrectly assumes that the operands are not constants
        https://bugs.webkit.org/show_bug.cgi?id=81559

        Reviewed by Michael Saboff.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):

2012-03-19  Yong Li  <yoli@rim.com>

        [BlackBerry] Implement OSAllocator::commit/decommit in the correct way
        https://bugs.webkit.org/show_bug.cgi?id=77013

        We should use mmap(PROT_NONE, MAP_LAZY) instead of posix_madvise() to
        implement memory decommitting for QNX.

        Reviewed by Rob Buis.

        * wtf/OSAllocatorPosix.cpp:
        (WTF::OSAllocator::reserveUncommitted):
        (WTF::OSAllocator::commit):
        (WTF::OSAllocator::decommit):

2012-03-19  Gavin Barraclough  <barraclough@apple.com>

        Unreviewed - revent a couple of files accidentally committed.

        * runtime/Arguments.cpp:
        (JSC::Arguments::defineOwnProperty):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::defineOwnProperty):

2012-03-19  Jessie Berlin  <jberlin@apple.com>

        Another Windows build fix after r111129.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-03-19  Raphael Kubo da Costa  <rakuco@FreeBSD.org>

        Cross-platform processor core counter: fix build on FreeBSD.
        https://bugs.webkit.org/show_bug.cgi?id=81482

        Reviewed by Zoltan Herczeg.

        The documentation of sysctl(3) shows that <sys/types.h> should be
        included before <sys/sysctl.h> (sys/types.h tends to be the first
        included header in general).

        This should fix the build on FreeBSD and other systems where
        sysctl.h really depends on types defined in types.h.

        * wtf/NumberOfCores.cpp:

2012-03-19  Jessie Berlin  <jberlin@apple.com>

        Windows build fix after r111129.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-03-19  Gavin Barraclough  <barraclough@apple.com>

        JSCallbackFunction::toStringCallback/valueOfCallback do not handle 0 return value from convertToType
        https://bugs.webkit.org/show_bug.cgi?id=81468 <rdar://problem/11034745>

        Reviewed by Oliver Hunt.

        The API specifies that convertToType may opt not to handle a conversion:
            "@result The objects's converted value, or NULL if the object was not converted."
        In which case, it would propagate first up the JSClass hierarchy, calling its superclass's
        conversion functions, and failing that call the JSObject::defaultValue function.

        Unfortunately this behaviour was removed in bug#69677/bug#69858, and instead we now rely on
        the toStringCallback/valueOfCallback function introduced in bug#69156. Even after a fix in
        bug#73368, these will return the result from the first convertToType they find, regardless
        of whether this result is null, and if no convertToType method is found in the api class
        hierarchy (possible if toStringCallback/valueOfCallback was accessed off the prototype
        chain), they will also return a null pointer. This is unsafe.

        It would be easy to make the approach based around toStringCallback/valueOfCallback continue
        to walk the api class hierarchy, but making the fallback to defaultValue would be problematic
        (since defaultValue calls toStringCallback/valueOfCallback, this would infinitely recurse).
        Making the fallback work with toString/valueOf methods attached to api objects is probably
        not the right thing to do – instead, we should just implement the defaultValue trap for api
        objects.

        In addition, this bug highlights that fact that JSCallbackFunction::call will allow a hard
        null to be returned from C to JavaScript - this is not okay. Handle with an exception.

        * API/JSCallbackFunction.cpp:
        (JSC::JSCallbackFunction::call):
            - Should be null checking the return value.
        (JSC):
            - Remove toStringCallback/valueOfCallback.
        * API/JSCallbackFunction.h:
        (JSCallbackFunction):
            - Remove toStringCallback/valueOfCallback.
        * API/JSCallbackObject.h:
        (JSCallbackObject):
            - Add defaultValue mthods to JSCallbackObject.
        * API/JSCallbackObjectFunctions.h:
        (JSC::::defaultValue):
            - Add defaultValue mthods to JSCallbackObject.
        * API/JSClassRef.cpp:
        (OpaqueJSClass::prototype):
            - Remove toStringCallback/valueOfCallback.
        * API/tests/testapi.js:
            - Revert this test, now we no longer artificially introduce a toString method onto the api object.

2012-03-18  Raphael Kubo da Costa  <rakuco@FreeBSD.org>

        [EFL] Include ICU_INCLUDE_DIRS when building.
        https://bugs.webkit.org/show_bug.cgi?id=81483

        Reviewed by Daniel Bates.

        So far, only the ICU libraries were being included when building
        JavaScriptCore, however the include path is also needed, otherwise the
        build will fail when ICU is installed into a non-standard location.

        * PlatformEfl.cmake: Include ${ICU_INCLUDE_DIRS}.

2012-03-17  Gavin Barraclough  <barraclough@apple.com>

        Strength reduction, RegExp.exec -> RegExp.test
        https://bugs.webkit.org/show_bug.cgi?id=81459

        Reviewed by Sam Weinig.

        RegExp.prototype.exec & RegExp.prototype.test can both be used to test a regular
        expression for a match against a string - however exec is more expensive, since
        it allocates a matches array object. In cases where the result is consumed in a
        boolean context the allocation of the matches array can be trivially elided.

        For example:
            function f()
            {
                for (i =0; i < 10000000; ++i)
                    if(!/a/.exec("a"))
                        err = true;
            }

        This is a 2.5x speedup on this example microbenchmark loop.

        In a more advanced form of this optimization, we may be able to avoid allocating
        the array where access to the array can be observed.

        * create_hash_table:
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasHeapPrediction):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileRegExpExec):
        (DFG):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jsc.cpp:
        (GlobalObject::addConstructableFunction):
        * runtime/Intrinsic.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::create):
        (JSC):
        * runtime/JSFunction.h:
        (JSFunction):
        * runtime/Lookup.cpp:
        (JSC::setUpStaticFunctionSlot):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::exec):
        (JSC::RegExpObject::match):
        * runtime/RegExpObject.h:
        (RegExpObject):
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncTest):
        (JSC::regExpProtoFuncExec):

2012-03-16  Michael Saboff  <msaboff@apple.com>

        Improve diagnostic benefit of JSGlobalData::m_isInitializingObject
        https://bugs.webkit.org/show_bug.cgi?id=81244

        Rubber stamped by Filip Pizlo.

        Changed type and name of JSGlobalData::m_isInitializingObject to
        ClassInfo* and m_initializingObjectClass.
        Changed JSGlobalData::setInitializingObject to
        JSGlobalData::setInitializingObjectClass.  This pointer can be used within 
        the debugger to determine what type of object is being initialized.
        
        * runtime/JSCell.h:
        (JSC::JSCell::finishCreation):
        (JSC::allocateCell):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        (JSC::JSGlobalData::isInitializingObject):
        (JSC::JSGlobalData::setInitializingObjectClass):
        * runtime/Structure.h:
        (JSC::JSCell::finishCreation):

2012-03-16  Mark Rowe  <mrowe@apple.com>

        Build fix. Do not preserve owner and group information when installing the WTF headers.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2012-03-15  David Dorwin  <ddorwin@chromium.org>

        Make the array pointer parameters in the Typed Array create() methods const.
        https://bugs.webkit.org/show_bug.cgi?id=81147

        Reviewed by Kenneth Russell.

        This allows const arrays to be passed to these methods.
        They use PassRefPtr<Subclass> create(), which already has a const parameter.

        * wtf/Int16Array.h:
        (Int16Array):
        (WTF::Int16Array::create):
        * wtf/Int32Array.h:
        (Int32Array):
        (WTF::Int32Array::create):
        * wtf/Int8Array.h:
        (Int8Array):
        (WTF::Int8Array::create):
        * wtf/Uint16Array.h:
        (Uint16Array):
        (WTF::Uint16Array::create):
        * wtf/Uint32Array.h:
        (Uint32Array):
        (WTF::Uint32Array::create):
        * wtf/Uint8Array.h:
        (Uint8Array):
        (WTF::Uint8Array::create):
        * wtf/Uint8ClampedArray.h:
        (Uint8ClampedArray):
        (WTF::Uint8ClampedArray::create):

2012-03-15  Myles Maxfield  <mmaxfield@google.com>

        CopiedSpace::tryAllocateOversize assumes system page size
        https://bugs.webkit.org/show_bug.cgi?id=80615

        Reviewed by Geoffrey Garen.

        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::tryAllocateOversize):
        * heap/CopiedSpace.h:
        (CopiedSpace):
        * heap/CopiedSpaceInlineMethods.h:
        (JSC::CopiedSpace::oversizeBlockFor):
        * wtf/BumpPointerAllocator.h:
        (WTF::BumpPointerPool::create):
        * wtf/StdLibExtras.h:
        (WTF::roundUpToMultipleOf):

2012-03-15  Mark Hahnenberg  <mhahnenberg@apple.com>

        Fixing Windows build breakage

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-03-15  Patrick Gansterer  <paroga@webkit.org>

        [EFL] Make zlib a general build requirement
        https://bugs.webkit.org/show_bug.cgi?id=80153

        Reviewed by Hajime Morita.

        After r109538 WebSocket module needs zlib to support deflate-frame extension.

        * wtf/Platform.h:

2012-03-15  Benjamin Poulain  <bpoulain@apple.com>

        NumericStrings should be inlined
        https://bugs.webkit.org/show_bug.cgi?id=81183

        Reviewed by Gavin Barraclough.

        NumericStrings is not always inlined. When it is not, the class is not faster
        than using UString::number() directly.

        * runtime/NumericStrings.h:
        (JSC::NumericStrings::add):
        (JSC::NumericStrings::lookupSmallString):

2012-03-15  Andras Becsi  <andras.becsi@nokia.com>

        Fix ARM build after r110792.

        Unreviewed build fix.

        * jit/ExecutableAllocator.h:
        (JSC::ExecutableAllocator::cacheFlush):
        Remove superfluous curly brackets.

2012-03-15  Gavin Barraclough  <barraclough@apple.com>

        ARMv7: prefer vmov(gpr,gpr->double) over vmov(gpr->single)
        https://bugs.webkit.org/show_bug.cgi?id=81256

        Reviewed by Oliver Hunt.

        This is a 0.5% sunspider progression.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::convertInt32ToDouble):
            - switch which form of vmov we use.

2012-03-15  YoungTaeck Song  <youngtaeck.song@samsung.com>

        [EFL] Add OwnPtr specialization for Ecore_Timer.
        https://bugs.webkit.org/show_bug.cgi?id=80119

        Reviewed by Hajime Morita.

        Add an overload for deleteOwnedPtr(Ecore_Timer*) on EFL port.

        * wtf/OwnPtrCommon.h:
        (WTF):
        * wtf/efl/OwnPtrEfl.cpp:
        (WTF::deleteOwnedPtr):
        (WTF):

2012-03-15  Hojong Han  <hojong.han@samsung.com>

        Linux has madvise enough to support OSAllocator::commit/decommit
        https://bugs.webkit.org/show_bug.cgi?id=80505

        Reviewed by Geoffrey Garen.

        * wtf/OSAllocatorPosix.cpp:
        (WTF::OSAllocator::reserveUncommitted):
        (WTF::OSAllocator::commit):
        (WTF::OSAllocator::decommit):

2012-03-15  Steve Falkenburg  <sfalken@apple.com>

        Windows build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreReleasePGO.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreReleasePGOOptimize.vsprops:
        * JavaScriptCore.vcproj/WTF/copy-files.cmd:
        * JavaScriptCore.vcproj/jsc/jscReleasePGO.vsprops:

2012-03-15  Steve Falkenburg  <sfalken@apple.com>

        Windows build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGenerated.vcproj:

2012-03-15  Kevin Ollivier  <kevino@theolliviers.com>

        Move wx port to using export macros
        https://bugs.webkit.org/show_bug.cgi?id=77279

        Reviewed by Hajime Morita.

        * wscript:
        * wtf/Platform.h:

2012-03-14  Benjamin Poulain  <bpoulain@apple.com>

        Avoid StringImpl::getData16SlowCase() when sorting array
        https://bugs.webkit.org/show_bug.cgi?id=81070

        Reviewed by Geoffrey Garen.

        The function codePointCompare() is used intensively when sorting strings.
        This patch improves its performance by:
        -Avoiding character conversion.
        -Inlining the function.

        This makes Peacekeeper's arrayCombined test 30% faster.

        * wtf/text/StringImpl.cpp:
        * wtf/text/StringImpl.h:
        (WTF):
        (WTF::codePointCompare):
        (WTF::codePointCompare8):
        (WTF::codePointCompare16):
        (WTF::codePointCompare8To16):

2012-03-14  Hojong Han  <hojong.han@samsung.com>

        Fix memory allocation failed by fastmalloc
        https://bugs.webkit.org/show_bug.cgi?id=79614

        Reviewed by Geoffrey Garen.

        Memory allocation failed even if the heap grows successfully.
        It is wrong to get the span only from the large list after the heap grows,
        because new span could be added in the normal list.

        * wtf/FastMalloc.cpp:
        (WTF::TCMalloc_PageHeap::New):

2012-03-14  Hojong Han  <hojong.han@samsung.com>

        Run cacheFlush page by page to assure of flushing all the requested ranges
        https://bugs.webkit.org/show_bug.cgi?id=77712

        Reviewed by Geoffrey Garen.

        Current MetaAllocator concept, always coalesces adjacent free spaces,
        doesn't meet memory management of Linux kernel.
        In a certain case Linux kernel doesn't regard contiguous virtual memory areas as one but two.
        Therefore cacheFlush page by page guarantees a flush-requested range.

        * jit/ExecutableAllocator.h:
        (JSC::ExecutableAllocator::cacheFlush):

2012-03-14  Oliver Hunt  <oliver@apple.com>

        Make ARMv7 work again
        https://bugs.webkit.org/show_bug.cgi?id=81157

        Reviewed by Geoffrey Garen.

        We were trying to use the ARMv7 dataRegister as a scratch register in a scenario
        where we the ARMv7MacroAssembler would also try to use dataRegister for its own
        nefarious purposes.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::store32):
        * assembler/MacroAssemblerARMv7.h:
        (MacroAssemblerARMv7):

2012-03-14  Mark Hahnenberg  <mhahnenberg@apple.com>

        Heap::destroy leaks CopiedSpace
        https://bugs.webkit.org/show_bug.cgi?id=81055

        Reviewed by Geoffrey Garen.

        Added a destroy() function to CopiedSpace that moves all normal size 
        CopiedBlocks from the CopiedSpace to the Heap's list of free blocks 
        as well as deallocates all of the oversize blocks in the CopiedSpace. 
        This function is now called in Heap::destroy().

        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::destroy):
        (JSC):
        * heap/CopiedSpace.h:
        (CopiedSpace):
        * heap/Heap.cpp:
        (JSC::Heap::destroy):

2012-03-14  Andrew Lo  <anlo@rim.com>

        [BlackBerry] Implement REQUEST_ANIMATION_FRAME_DISPLAY_MONITOR using AnimationFrameRateController
        https://bugs.webkit.org/show_bug.cgi?id=81000

        Enable WTF_USE_REQUEST_ANIMATION_FRAME_DISPLAY_MONITOR for BlackBerry.

        Reviewed by Antonio Gomes.

        * wtf/Platform.h:

2012-03-13  Filip Pizlo  <fpizlo@apple.com>

        ValueToInt32 speculation will cause OSR exits even when it does not have to
        https://bugs.webkit.org/show_bug.cgi?id=81068
        <rdar://problem/11043926>

        Reviewed by Anders Carlsson.
        
        Two related changes:
        1) ValueToInt32 will now always just defer to the non-speculative path, instead
           of exiting, if it doesn't know what speculations to perform.
        2) ValueToInt32 will speculate boolean if it sees this to be profitable.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateBoolean):
        (Node):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):

2012-03-13  Mark Hahnenberg  <mhahnenberg@apple.com>

        More Windows build fixing

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-03-13  Mark Hahnenberg  <mhahnenberg@apple.com>

        Windows build fix

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-03-13  Mark Hahnenberg  <mhahnenberg@apple.com>

        Type conversion of exponential part failed
        https://bugs.webkit.org/show_bug.cgi?id=80673

        Reviewed by Geoffrey Garen.

        * parser/Lexer.cpp:
        (JSC::::lex):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::parseInt):
        (JSC):
        (JSC::jsStrDecimalLiteral): Added another template argument that exposes whether or not
        we accept trailing junk to clients of jsStrDecimalLiteral. Also added additional template 
        parameter for strtod to allow trailing spaces.
        (JSC::toDouble):
        (JSC::parseFloat): Accept trailing junk, as per the ECMA 262 spec (15.1.2.3).
        * runtime/LiteralParser.cpp:
        (JSC::::Lexer::lexNumber):
        * tests/mozilla/expected.html: Update the expected page for run-javascriptcore-tests so that 
        we will run ecma/TypeConversion/9.3.1-3.js as a regression test now.
        * wtf/dtoa.cpp:
        (WTF):
        (WTF::strtod): We also needed to sometimes accept trailing spaces to pass a few other tests that were 
        broken by changing the default allowance of trailing junk in jsStrDecimalLiteral.
        * wtf/dtoa.h:
        * wtf/dtoa/double-conversion.cc: When the AdvanceToNonspace function was lifted out of the 
        Chromium codebase, the person porting it only thought to check for spaces when skipping whitespace.
        A few of our JSC tests check for other types of trailing whitespace, so I've added checks for those 
        here to cover those cases (horizontal tab, vertical tab, carriage return, form feed, and line feed).
        * wtf/text/WTFString.cpp:
        (WTF::toDoubleType): Disallow trailing spaces, as this breaks form input verification stuff.

2012-03-13  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, build fix since is_pod<> includes some header that I didn't know about.
        Removing the assert for now.

        * dfg/DFGOperations.h:
        * llint/LLIntSlowPaths.h:

2012-03-13  Filip Pizlo  <fpizlo@apple.com>

        Functions with C linkage should return POD types
        https://bugs.webkit.org/show_bug.cgi?id=81061

        Reviewed by Mark Rowe.

        * dfg/DFGOperations.h:
        * llint/LLIntSlowPaths.h:
        (LLInt):
        (SlowPathReturnType):
        (JSC::LLInt::encodeResult):

2012-03-13  Filip Pizlo  <fpizlo@apple.com>

        Loads from UInt32Arrays should not result in a double up-convert if it isn't necessary
        https://bugs.webkit.org/show_bug.cgi?id=80979
        <rdar://problem/11036848>

        Reviewed by Oliver Hunt.
        
        Also improved DFG IR dumping to include type information in a somewhat more
        intuitive way.

        * bytecode/PredictedType.cpp:
        (JSC::predictionToAbbreviatedString):
        (JSC):
        * bytecode/PredictedType.h:
        (JSC):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck):

2012-03-13  George Staikos  <staikos@webkit.org>

        The callback is only used if SA_RESTART is defined.  Compile it out
        otherwise to avoid a warning.
        https://bugs.webkit.org/show_bug.cgi?id=80926

        Reviewed by Alexey Proskuryakov.

        * heap/MachineStackMarker.cpp:
        (JSC):

2012-03-13  Hojong Han  <hojong.han@samsung.com>

        Dump the generated code for ARM_TRADITIONAL
        https://bugs.webkit.org/show_bug.cgi?id=80975

        Reviewed by Gavin Barraclough.

        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::dumpCode):

2012-03-13  Adam Barth  <abarth@webkit.org> && Benjamin Poulain  <bpoulain@apple.com>

        Always enable ENABLE(CLIENT_BASED_GEOLOCATION)
        https://bugs.webkit.org/show_bug.cgi?id=78853

        Reviewed by Adam Barth.

        * Configurations/FeatureDefines.xcconfig:
        * wtf/Platform.h:

2012-03-13  Kwonjin Jeong  <gram@company100.net>

        Remove SlotVisitor::copy() method.
        https://bugs.webkit.org/show_bug.cgi?id=80973

        Reviewed by Geoffrey Garen.

        SlotVisitor::copy() method isn't called anywhere.

        * heap/MarkStack.cpp: Remove definition of SlotVisitor::copy() method.
        * heap/SlotVisitor.h: Remove declaration of SlotVisitor::copy() method.

2012-03-12  Hojong Han  <hojong.han@samsung.com>

        Fix test cases for RegExp multiline
        https://bugs.webkit.org/show_bug.cgi?id=80822

        Reviewed by Gavin Barraclough.

        * tests/mozilla/js1_2/regexp/RegExp_multiline.js:
        * tests/mozilla/js1_2/regexp/RegExp_multiline_as_array.js:
        * tests/mozilla/js1_2/regexp/beginLine.js:
        * tests/mozilla/js1_2/regexp/endLine.js:

2012-03-12  Filip Pizlo  <fpizlo@apple.com>

        Arithmetic use inference should be procedure-global and should run in tandem
        with type propagation
        https://bugs.webkit.org/show_bug.cgi?id=80819
        <rdar://problem/11034006>

        Reviewed by Gavin Barraclough.
        
        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * dfg/DFGArithNodeFlagsInferencePhase.cpp: Removed.
        * dfg/DFGArithNodeFlagsInferencePhase.h: Removed.
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::isNotNegZero):
        (PredictionPropagationPhase):
        (JSC::DFG::PredictionPropagationPhase::isNotZero):
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::mergeDefaultArithFlags):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::VariableAccessData):
        (JSC::DFG::VariableAccessData::flags):
        (VariableAccessData):
        (JSC::DFG::VariableAccessData::mergeFlags):

2012-03-12  Filip Pizlo  <fpizlo@apple.com>

        Node::op and Node::flags should be private
        https://bugs.webkit.org/show_bug.cgi?id=80824
        <rdar://problem/11033435>

        Reviewed by Gavin Barraclough.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::initialize):
        (JSC::DFG::AbstractState::execute):
        (JSC::DFG::AbstractState::mergeStateAtTail):
        (JSC::DFG::AbstractState::mergeToSuccessors):
        * dfg/DFGArithNodeFlagsInferencePhase.cpp:
        (JSC::DFG::ArithNodeFlagsInferencePhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::injectLazyOperandPrediction):
        (JSC::DFG::ByteCodeParser::getLocal):
        (JSC::DFG::ByteCodeParser::getArgument):
        (JSC::DFG::ByteCodeParser::flushArgument):
        (JSC::DFG::ByteCodeParser::toInt32):
        (JSC::DFG::ByteCodeParser::isJSConstant):
        (JSC::DFG::ByteCodeParser::makeSafe):
        (JSC::DFG::ByteCodeParser::makeDivSafe):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::processPhiStack):
        (JSC::DFG::ByteCodeParser::linkBlock):
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::performBlockCFA):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::canonicalize):
        (JSC::DFG::CSEPhase::endIndexForPureCSE):
        (JSC::DFG::CSEPhase::pureCSE):
        (JSC::DFG::CSEPhase::byValIsPure):
        (JSC::DFG::CSEPhase::clobbersWorld):
        (JSC::DFG::CSEPhase::impureCSE):
        (JSC::DFG::CSEPhase::globalVarLoadElimination):
        (JSC::DFG::CSEPhase::getByValLoadElimination):
        (JSC::DFG::CSEPhase::checkFunctionElimination):
        (JSC::DFG::CSEPhase::checkStructureLoadElimination):
        (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
        (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::getScopeChainLoadElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (DFG):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::addShouldSpeculateInteger):
        (JSC::DFG::Graph::negateShouldSpeculateInteger):
        (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
        * dfg/DFGNode.cpp: Removed.
        * dfg/DFGNode.h:
        (DFG):
        (JSC::DFG::Node::Node):
        (Node):
        (JSC::DFG::Node::op):
        (JSC::DFG::Node::flags):
        (JSC::DFG::Node::setOp):
        (JSC::DFG::Node::setFlags):
        (JSC::DFG::Node::mergeFlags):
        (JSC::DFG::Node::filterFlags):
        (JSC::DFG::Node::clearFlags):
        (JSC::DFG::Node::setOpAndDefaultFlags):
        (JSC::DFG::Node::mustGenerate):
        (JSC::DFG::Node::isConstant):
        (JSC::DFG::Node::isWeakConstant):
        (JSC::DFG::Node::valueOfJSConstant):
        (JSC::DFG::Node::hasVariableAccessData):
        (JSC::DFG::Node::hasIdentifier):
        (JSC::DFG::Node::resolveGlobalDataIndex):
        (JSC::DFG::Node::hasArithNodeFlags):
        (JSC::DFG::Node::arithNodeFlags):
        (JSC::DFG::Node::setArithNodeFlag):
        (JSC::DFG::Node::mergeArithNodeFlags):
        (JSC::DFG::Node::hasConstantBuffer):
        (JSC::DFG::Node::hasRegexpIndex):
        (JSC::DFG::Node::hasVarNumber):
        (JSC::DFG::Node::hasScopeChainDepth):
        (JSC::DFG::Node::hasResult):
        (JSC::DFG::Node::hasInt32Result):
        (JSC::DFG::Node::hasNumberResult):
        (JSC::DFG::Node::hasJSResult):
        (JSC::DFG::Node::hasBooleanResult):
        (JSC::DFG::Node::isJump):
        (JSC::DFG::Node::isBranch):
        (JSC::DFG::Node::isTerminal):
        (JSC::DFG::Node::hasHeapPrediction):
        (JSC::DFG::Node::hasFunctionCheckData):
        (JSC::DFG::Node::hasStructureTransitionData):
        (JSC::DFG::Node::hasStructureSet):
        (JSC::DFG::Node::hasStorageAccessData):
        (JSC::DFG::Node::hasFunctionDeclIndex):
        (JSC::DFG::Node::hasFunctionExprIndex):
        (JSC::DFG::Node::child1):
        (JSC::DFG::Node::child2):
        (JSC::DFG::Node::child3):
        (JSC::DFG::Node::firstChild):
        (JSC::DFG::Node::numChildren):
        * dfg/DFGNodeFlags.cpp: Copied from Source/JavaScriptCore/dfg/DFGNode.cpp.
        * dfg/DFGNodeFlags.h: Added.
        (DFG):
        (JSC::DFG::nodeUsedAsNumber):
        (JSC::DFG::nodeCanTruncateInteger):
        (JSC::DFG::nodeCanIgnoreNegativeZero):
        (JSC::DFG::nodeMayOverflow):
        (JSC::DFG::nodeCanSpeculateInteger):
        * dfg/DFGNodeType.h: Added.
        (DFG):
        (JSC::DFG::defaultFlags):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::vote):
        (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
        (JSC::DFG::PredictionPropagationPhase::fixupNode):
        * dfg/DFGRedundantPhiEliminationPhase.cpp:
        (JSC::DFG::RedundantPhiEliminationPhase::run):
        (JSC::DFG::RedundantPhiEliminationPhase::replacePhiChild):
        (JSC::DFG::RedundantPhiEliminationPhase::updateBlockVariableInformation):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::useChildren):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::compileMovHint):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
        (JSC::DFG::SpeculativeJIT::compileAdd):
        (JSC::DFG::SpeculativeJIT::compare):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::detectPeepHoleBranch):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        (JSC::DFG::VirtualRegisterAllocationPhase::run):

2012-03-12  Laszlo Gombos  <laszlo.1.gombos@nokia.com>

        Minor DataLog fixes
        https://bugs.webkit.org/show_bug.cgi?id=80826

        Reviewed by Andreas Kling.

        * bytecode/ExecutionCounter.cpp:
        Do not include DataLog.h, it is not used.
        
        * jit/ExecutableAllocator.cpp:
        Ditto.

        * wtf/DataLog.cpp:
        (WTF::initializeLogFileOnce):
        Add missing semi-colon to the code path where DATA_LOG_FILENAME is defined.

        * wtf/HashTable.cpp:
        Include DataLog as it is used.

2012-03-12  SangGyu Lee  <sg5.lee@samsung.com>

        Integer overflow check code in arithmetic operation in classic interpreter
        https://bugs.webkit.org/show_bug.cgi?id=80465

        Reviewed by Gavin Barraclough.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):

2012-03-12  Zeno Albisser  <zeno@webkit.org>

        [Qt][Mac] Build fails after enabling LLINT when JIT is disabled (r109863)
        https://bugs.webkit.org/show_bug.cgi?id=80827

        Qt on Mac uses OS(DARWIN) as well, but we do not want to enable LLINT.

        Reviewed by Simon Hausmann.

        * wtf/Platform.h:

2012-03-12  Simon Hausmann  <simon.hausmann@nokia.com>

        Unreviewed prospective Qt/Mac build fix

        * runtime/JSGlobalData.cpp: use #USE(CF) instead of PLATFORM(MAC) to determine
        whether to include CoreFoundation headers, used for JIT configuration in JSGlobalData
        constructor.

2012-03-12  Filip Pizlo  <fpizlo@apple.com>

        All DFG nodes should have a mutable set of flags
        https://bugs.webkit.org/show_bug.cgi?id=80779
        <rdar://problem/11026218>

        Reviewed by Gavin Barraclough.
        
        Got rid of NodeId, and placed all of the flags that distinguished NodeId
        from NodeType into a separate Node::flags field. Combined what was previously
        ArithNodeFlags into Node::flags.
        
        In the process of debugging, I found that the debug support in the virtual
        register allocator was lacking, so I improved it. I also realized that the
        virtual register allocator was assuming that the nodes in a basic block were
        contiguous, which is no longer the case. So I fixed that. The fix also made
        it natural to have more extreme assertions, so I added them. I suspect this
        will make it easier to catch virtual register allocation bugs in the future.
        
        This is mostly performance neutral; if anything it looks like a slight
        speed-up.
        
        This patch does leave some work for future refactorings; for example, Node::op
        is unencapsulated. This was already the case, though now it feels even more
        like it should be. I avoided doing that because this patch has already grown
        way bigger than I wanted.
        
        Finally, this patch creates a DFGNode.cpp file and makes a slight effort to
        move some unnecessarily inline stuff out of DFGNode.h.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * dfg/DFGArithNodeFlagsInferencePhase.cpp:
        (JSC::DFG::ArithNodeFlagsInferencePhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addToGraph):
        (JSC::DFG::ByteCodeParser::makeSafe):
        (JSC::DFG::ByteCodeParser::makeDivSafe):
        (JSC::DFG::ByteCodeParser::handleMinMax):
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::performBlockCFA):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::endIndexForPureCSE):
        (JSC::DFG::CSEPhase::pureCSE):
        (JSC::DFG::CSEPhase::clobbersWorld):
        (JSC::DFG::CSEPhase::impureCSE):
        (JSC::DFG::CSEPhase::setReplacement):
        (JSC::DFG::CSEPhase::eliminate):
        (JSC::DFG::CSEPhase::performNodeCSE):
        (JSC::DFG::CSEPhase::performBlockCSE):
        (CSEPhase):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::opName):
        (JSC::DFG::Graph::dump):
        (DFG):
        * dfg/DFGNode.cpp: Added.
        (DFG):
        (JSC::DFG::arithNodeFlagsAsString):
        * dfg/DFGNode.h:
        (DFG):
        (JSC::DFG::nodeUsedAsNumber):
        (JSC::DFG::nodeCanTruncateInteger):
        (JSC::DFG::nodeCanIgnoreNegativeZero):
        (JSC::DFG::nodeMayOverflow):
        (JSC::DFG::nodeCanSpeculateInteger):
        (JSC::DFG::defaultFlags):
        (JSC::DFG::Node::Node):
        (Node):
        (JSC::DFG::Node::setOpAndDefaultFlags):
        (JSC::DFG::Node::mustGenerate):
        (JSC::DFG::Node::arithNodeFlags):
        (JSC::DFG::Node::setArithNodeFlag):
        (JSC::DFG::Node::mergeArithNodeFlags):
        (JSC::DFG::Node::hasResult):
        (JSC::DFG::Node::hasInt32Result):
        (JSC::DFG::Node::hasNumberResult):
        (JSC::DFG::Node::hasJSResult):
        (JSC::DFG::Node::hasBooleanResult):
        (JSC::DFG::Node::isJump):
        (JSC::DFG::Node::isBranch):
        (JSC::DFG::Node::isTerminal):
        (JSC::DFG::Node::child1):
        (JSC::DFG::Node::child2):
        (JSC::DFG::Node::child3):
        (JSC::DFG::Node::firstChild):
        (JSC::DFG::Node::numChildren):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::vote):
        (JSC::DFG::PredictionPropagationPhase::fixupNode):
        * dfg/DFGScoreBoard.h:
        (ScoreBoard):
        (JSC::DFG::ScoreBoard::~ScoreBoard):
        (JSC::DFG::ScoreBoard::assertClear):
        (JSC::DFG::ScoreBoard::use):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::useChildren):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        (JSC::DFG::VirtualRegisterAllocationPhase::run):

2012-03-10  Filip Pizlo  <fpizlo@apple.com>

        LLInt should support JSVALUE64
        https://bugs.webkit.org/show_bug.cgi?id=79609
        <rdar://problem/10063437>

        Reviewed by Gavin Barraclough and Oliver Hunt.
        
        Ported the LLInt, which previously only worked on 32-bit, to 64-bit. This
        patch moves a fair bit of code from LowLevelInterpreter32_64.asm to the common
        file, LowLevelInterpreter.asm. About 1/3 of the LLInt did not have to be
        specialized for value representation.
        
        Also made some minor changes to offlineasm and the slow-paths.

        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LLIntEntrypoints.cpp:
        * llint/LLIntSlowPaths.cpp:
        (LLInt):
        (JSC::LLInt::llint_trace_value):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::jitCompileAndSetHeuristics):
        * llint/LLIntSlowPaths.h:
        (LLInt):
        (SlowPathReturnType):
        (JSC::LLInt::SlowPathReturnType::SlowPathReturnType):
        (JSC::LLInt::encodeResult):
        * llint/LLIntThunks.cpp:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/armv7.rb:
        * offlineasm/asm.rb:
        * offlineasm/ast.rb:
        * offlineasm/backends.rb:
        * offlineasm/instructions.rb:
        * offlineasm/parser.rb:
        * offlineasm/registers.rb:
        * offlineasm/transform.rb:
        * offlineasm/x86.rb:
        * wtf/Platform.h:

2012-03-10  Yong Li  <yoli@rim.com>

        Web Worker crashes with WX_EXCLUSIVE
        https://bugs.webkit.org/show_bug.cgi?id=80532

        Let each JS global object own a meta allocator
        for WX_EXCLUSIVE to avoid conflicts from Web Worker.
        Also fix a mutex leak in MetaAllocator's dtor.

        Reviewed by Filip Pizlo.

        * jit/ExecutableAllocator.cpp:
        (JSC::DemandExecutableAllocator::DemandExecutableAllocator):
        (JSC::DemandExecutableAllocator::~DemandExecutableAllocator):
        (JSC::DemandExecutableAllocator::bytesAllocatedByAllAllocators):
        (DemandExecutableAllocator):
        (JSC::DemandExecutableAllocator::bytesCommittedByAllocactors):
        (JSC::DemandExecutableAllocator::dumpProfileFromAllAllocators):
        (JSC::DemandExecutableAllocator::allocateNewSpace):
        (JSC::DemandExecutableAllocator::allocators):
        (JSC::DemandExecutableAllocator::allocatorsMutex):
        (JSC):
        (JSC::ExecutableAllocator::initializeAllocator):
        (JSC::ExecutableAllocator::ExecutableAllocator):
        (JSC::ExecutableAllocator::underMemoryPressure):
        (JSC::ExecutableAllocator::memoryPressureMultiplier):
        (JSC::ExecutableAllocator::allocate):
        (JSC::ExecutableAllocator::committedByteCount):
        (JSC::ExecutableAllocator::dumpProfile):
        * jit/ExecutableAllocator.h:
        (JSC):
        (ExecutableAllocator):
        (JSC::ExecutableAllocator::allocator):
        * wtf/MetaAllocator.h:
        (WTF::MetaAllocator::~MetaAllocator): Finalize the spin lock.
        * wtf/TCSpinLock.h:
        (TCMalloc_SpinLock::Finalize): Add empty Finalize() to some implementations.

2012-03-09  Gavin Barraclough  <barraclough@apple.com>

        Object.freeze broken on latest Nightly
        https://bugs.webkit.org/show_bug.cgi?id=80577

        Reviewed by Oliver Hunt.

        The problem here is that deleteProperty rejects deletion of prototype.
        This is correct in most cases, however defineOwnPropery is presently
        implemented internally to ensure the attributes change by deleting the
        old property, and creating a new one.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::deleteProperty):
            - If deletePropery is called via defineOwnPropery, allow old prototype to be removed.

2012-03-09  Gavin Barraclough  <barraclough@apple.com>

        Array.prototype.toLocaleString visits elements in wrong order under certain conditions
        https://bugs.webkit.org/show_bug.cgi?id=80663

        Reviewed by Michael Saboff.

        The bug here is actually that we're continuing to process the array after an exception
        has been thrown, and that the second value throw is overriding the first.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncToLocaleString):

2012-03-09  Ryosuke Niwa  <rniwa@webkit.org>

        WebKit compiled by gcc (Xcode 3.2.6) hangs while running DOM/Accessors.html
        https://bugs.webkit.org/show_bug.cgi?id=80080

        Reviewed by Filip Pizlo.

        * bytecode/SamplingTool.cpp:
        (JSC::SamplingRegion::Locker::Locker):
        (JSC::SamplingRegion::Locker::~Locker):
        * bytecode/SamplingTool.h:
        (JSC::SamplingRegion::exchangeCurrent):
        * wtf/Atomics.h:
        (WTF):
        (WTF::weakCompareAndSwap):
        (WTF::weakCompareAndSwapUIntPtr):

2012-03-09  Gavin Barraclough  <barraclough@apple.com>

        REGRESSION: Date.parse("Tue Nov 23 20:40:05 2010 GMT") returns NaN
        https://bugs.webkit.org/show_bug.cgi?id=49989

        Reviewed by Oliver Hunt.

        Patch originally by chris reiss <christopher.reiss@nokia.com>,
        allow the year to appear before the timezone in date strings.

        * wtf/DateMath.cpp:
        (WTF::parseDateFromNullTerminatedCharacters):

2012-03-09  Mark Rowe  <mrowe@apple.com>

        Ensure that the WTF headers are copied at installhdrs time.

        Reviewed by Dan Bernstein and Jessie Berlin.

        * Configurations/JavaScriptCore.xcconfig: Set INSTALLHDRS_SCRIPT_PHASE = YES
        so that our script phases are invoked at installhdrs time. The only one that
        does any useful work at that time is the one that installs WTF headers.

2012-03-09  Jon Lee  <jonlee@apple.com>

        Add support for ENABLE(LEGACY_NOTIFICATIONS)
        https://bugs.webkit.org/show_bug.cgi?id=80497

        Reviewed by Adam Barth.

        Prep for b80472: Update API for Web Notifications
        * Configurations/FeatureDefines.xcconfig:

2012-03-09  Ashod Nakashian  <ashodnakashian@yahoo.com>

        Bash scripts should support LF endings only
        https://bugs.webkit.org/show_bug.cgi?id=79509

        Reviewed by David Kilzer.

        * gyp/generate-derived-sources.sh: Added property svn:eol-style.
        * gyp/run-if-exists.sh: Added property svn:eol-style.
        * gyp/update-info-plist.sh: Added property svn:eol-style.

2012-03-09  Jessie Berlin  <jberlin@apple.com>

        Windows debug build fix.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::shouldBlind):
        Fix unreachable code warnings (which we treat as errors).

2012-03-09  Thouraya ANDOLSI  <thouraya.andolsi@st.com>

        Reviewed by Zoltan Herczeg.

        [Qt] Fix the SH4 build after r109834
        https://bugs.webkit.org/show_bug.cgi?id=80492

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::branchAdd32):
        (JSC::MacroAssemblerSH4::branchSub32):

2012-03-09  Andy Wingo  <wingo@igalia.com>

        Refactor code feature analysis in the parser
        https://bugs.webkit.org/show_bug.cgi?id=79112

        Reviewed by Geoffrey Garen.

        This commit refactors the parser to more uniformly propagate flag
        bits down and up the parse process, as the parser descends and
        returns into nested blocks.  Some flags get passed town to
        subscopes, some apply to specific scopes only, and some get
        unioned up after parsing subscopes.

        The goal is to eventually be very precise with scoping
        information, once we have block scopes: one block scope might use
        `eval', which would require the emission of a symbol table within
        that block and containing blocks, whereas another block in the
        same function might not, allowing us to not emit a symbol table.

        * parser/Nodes.h:
        (JSC::ScopeFlags): Rename from CodeFeatures.
        (JSC::ScopeNode::addScopeFlags):
        (JSC::ScopeNode::scopeFlags): New accessors for m_scopeFlags.
        (JSC::ScopeNode::isStrictMode):
        (JSC::ScopeNode::usesEval):
        (JSC::ScopeNode::usesArguments):
        (JSC::ScopeNode::setUsesArguments):
        (JSC::ScopeNode::usesThis):
        (JSC::ScopeNode::needsActivationForMoreThanVariables):
        (JSC::ScopeNode::needsActivation): Refactor these accessors to
        operate on the m_scopeFlags member.
        (JSC::ScopeNode::source):
        (JSC::ScopeNode::sourceURL):
        (JSC::ScopeNode::sourceID): Shuffle these definitions around; no
        semantic change.
        (JSC::ScopeNode::ScopeNode)
        (JSC::ProgramNode::ProgramNode)
        (JSC::EvalNode::EvalNode)
        (JSC::FunctionBodyNode::FunctionBodyNode): Have these constructors
        take a ScopeFlags as an argument, instead of a bool inStrictContext.

        * parser/Nodes.cpp:
        (JSC::ScopeNode::ScopeNode):
        (JSC::ProgramNode::ProgramNode):
        (JSC::ProgramNode::create):
        (JSC::EvalNode::EvalNode):
        (JSC::EvalNode::create):
        (JSC::FunctionBodyNode::FunctionBodyNode):
        (JSC::FunctionBodyNode::create): Adapt constructors to change.

        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::ASTBuilder):
        (JSC::ASTBuilder::thisExpr):
        (JSC::ASTBuilder::createResolve):
        (JSC::ASTBuilder::createFunctionBody):
        (JSC::ASTBuilder::createFuncDeclStatement):
        (JSC::ASTBuilder::createTryStatement):
        (JSC::ASTBuilder::createWithStatement):
        (JSC::ASTBuilder::addVar):
        (JSC::ASTBuilder::Scope::Scope):
        (Scope):
        (ASTBuilder):
        (JSC::ASTBuilder::makeFunctionCallNode): Don't track scope
        features here.  Instead rely on the base Parser mechanism to track
        features.

        * parser/NodeInfo.h (NodeInfo, NodeDeclarationInfo): "ScopeFlags".

        * parser/Parser.h:
        (JSC::Scope::Scope): Manage scope through flags, not
        bit-booleans.  This lets us uniformly propagate them up and down.
        (JSC::Scope::declareWrite):
        (JSC::Scope::declareParameter):
        (JSC::Scope::useVariable):
        (JSC::Scope::collectFreeVariables):
        (JSC::Scope::getCapturedVariables):
        (JSC::Scope::saveFunctionInfo):
        (JSC::Scope::restoreFunctionInfo):
        (JSC::Parser::pushScope): Adapt to use scope flags and their
        accessors instead of bit-booleans.
        * parser/Parser.cpp:
        (JSC::::Parser):
        (JSC::::parseInner):
        (JSC::::didFinishParsing):
        (JSC::::parseSourceElements):
        (JSC::::parseVarDeclarationList):
        (JSC::::parseConstDeclarationList):
        (JSC::::parseWithStatement):
        (JSC::::parseTryStatement):
        (JSC::::parseFunctionBody):
        (JSC::::parseFunctionInfo):
        (JSC::::parseFunctionDeclaration):
        (JSC::::parsePrimaryExpression): Hoist some of the flag handling
        out of the "context" (ASTBuilder or SyntaxChecker) and to here.
        Does not seem to have a performance impact.

        * parser/SourceProviderCacheItem.h (SourceProviderCacheItem):
        Cache the scopeflags.
        * parser/SyntaxChecker.h: Remove evalCount() decl.

        * runtime/Executable.cpp:
        (JSC::EvalExecutable::compileInternal):
        (JSC::ProgramExecutable::compileInternal):
        (JSC::FunctionExecutable::produceCodeBlockFor):
        * runtime/Executable.h:
        (JSC::ScriptExecutable::ScriptExecutable):
        (JSC::ScriptExecutable::usesEval):
        (JSC::ScriptExecutable::usesArguments):
        (JSC::ScriptExecutable::needsActivation):
        (JSC::ScriptExecutable::isStrictMode):
        (JSC::ScriptExecutable::recordParse):
        (ScriptExecutable): ScopeFlags, not features.

2012-03-08  Benjamin Poulain  <bpoulain@apple.com>

        Build fix for MSVC after r110266

        Unreviewed. A #ifdef for MSVC was left over in r110266.

        * runtime/RegExpObject.h:
        (RegExpObject):

2012-03-08  Benjamin Poulain  <bpoulain@apple.com>

        Allocate the RegExpObject's data with the Cell
        https://bugs.webkit.org/show_bug.cgi?id=80654

        Reviewed by Gavin Barraclough.

        This patch removes the creation of RegExpObject's data to avoid the overhead
        create by the allocation and destruction.

        We RegExp are created repeatedly, this provides some performance improvment.
        The PeaceKeeper test stringDetectBrowser improves by 10%.

        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::RegExpObject):
        (JSC::RegExpObject::visitChildren):
        (JSC::RegExpObject::getOwnPropertyDescriptor):
        (JSC::RegExpObject::defineOwnProperty):
        (JSC::RegExpObject::match):
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::setRegExp):
        (JSC::RegExpObject::regExp):
        (JSC::RegExpObject::setLastIndex):
        (JSC::RegExpObject::getLastIndex):
        (RegExpObject):

2012-03-08  Steve Falkenburg  <sfalken@apple.com>

        Separate WTF parts of JavaScriptCoreGenerated into WTFGenerated for Windows build
        https://bugs.webkit.org/show_bug.cgi?id=80657
        
        Preparation for WTF separation from JavaScriptCore.
        The "Generated" vcproj files on Windows are necessary so Visual Studio can calculate correct
        dependencies for generated files.
        
        This also removes the PGO build targets from the WTF code, since we can't build instrumentation/optimization
        versions of the WTF code independent of the JavaScriptCore code.

        Reviewed by Jessie Berlin.

        * JavaScriptCore.vcproj/JavaScriptCore.sln: Add WTFGenerated, update dependent projects.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGenerated.make: Removed WTF specific parts.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGenerated.vcproj: Removed WTF specific parts.
        * JavaScriptCore.vcproj/JavaScriptCore/build-generated-files.sh: Removed WTF specific parts.
        * JavaScriptCore.vcproj/JavaScriptCore/copy-files.cmd: Removed WTF specific parts.
        * JavaScriptCore.vcproj/JavaScriptCore/work-around-vs-dependency-tracking-bugs.py: Removed.
        * JavaScriptCore.vcproj/JavaScriptCoreSubmit.sln: Add WTFGenerated, update dependent projects.
        * JavaScriptCore.vcproj/WTF/WTF.vcproj: Remove PGO targets from WTF.
        * JavaScriptCore.vcproj/WTF/WTFGenerated.make: Copied from Source/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGenerated.make.
        * JavaScriptCore.vcproj/WTF/WTFGenerated.vcproj: Copied from Source/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGenerated.vcproj.
        * JavaScriptCore.vcproj/WTF/WTFGeneratedCommon.vsprops: Copied from Source/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedCommon.vsprops.
        * JavaScriptCore.vcproj/WTF/WTFGeneratedDebug.vsprops: Copied from Source/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedDebug.vsprops.
        * JavaScriptCore.vcproj/WTF/WTFGeneratedDebugAll.vsprops: Copied from Source/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedDebugAll.vsprops.
        * JavaScriptCore.vcproj/WTF/WTFGeneratedDebugCairoCFLite.vsprops: Copied from Source/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedDebugCairoCFLite.vsprops.
        * JavaScriptCore.vcproj/WTF/WTFGeneratedProduction.vsprops: Copied from Source/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedProduction.vsprops.
        * JavaScriptCore.vcproj/WTF/WTFGeneratedRelease.vsprops: Copied from Source/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedRelease.vsprops.
        * JavaScriptCore.vcproj/WTF/WTFGeneratedReleaseCairoCFLite.vsprops: Copied from Source/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedReleaseCairoCFLite.vsprops.
        * JavaScriptCore.vcproj/WTF/WTFReleasePGO.vsprops: Removed.
        * JavaScriptCore.vcproj/WTF/build-generated-files.sh: Copied from Source/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/build-generated-files.sh.
        * JavaScriptCore.vcproj/WTF/copy-files.cmd: Copied from Source/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/copy-files.cmd.
        * JavaScriptCore.vcproj/WTF/work-around-vs-dependency-tracking-bugs.py: Copied from Source/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/work-around-vs-dependency-tracking-bugs.py.

2012-03-08  Benjamin Poulain  <benjamin@webkit.org>

        Fix the build of WebKit with WTFURL following the removal of ForwardingHeaders/wtf
        https://bugs.webkit.org/show_bug.cgi?id=80652

        Reviewed by Eric Seidel.

        Fix the header, URLSegments.h is not part of the API.

        * wtf/url/api/ParsedURL.h:

2012-03-08  Ryosuke Niwa  <rniwa@webkit.org>

        Mac build fix for micro data API.

        * Configurations/FeatureDefines.xcconfig:

2012-03-08  Gavin Barraclough  <barraclough@apple.com>

        String.prototype.match and replace do not clear global regexp lastIndex per ES5.1 15.5.4.10
        https://bugs.webkit.org/show_bug.cgi?id=26890

        Reviewed by Oliver Hunt.

        Per 15.10.6.2 step 9.a.1 called via the action of the last iteration of 15.5.4.10 8.f.i.

        * runtime/StringPrototype.cpp:
        (JSC::replaceUsingRegExpSearch):
        (JSC::stringProtoFuncMatch):
            - added calls to setLastIndex.

2012-03-08  Matt Lilek  <mrl@apple.com>

        Don't enable VIDEO_TRACK on all OS X platforms
        https://bugs.webkit.org/show_bug.cgi?id=80635

        Reviewed by Eric Carlson.

        * Configurations/FeatureDefines.xcconfig:

2012-03-08  Oliver Hunt  <oliver@apple.com>

        Build fix.  That day is not today.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::shouldBlind):
        * assembler/MacroAssemblerX86Common.h:
        (MacroAssemblerX86Common):
        (JSC::MacroAssemblerX86Common::shouldBlindForSpecificArch):

2012-03-08  Oliver Hunt  <oliver@apple.com>

        Build fix. One of these days I'll manage to commit something that works everywhere.

        * assembler/AbstractMacroAssembler.h:
        (AbstractMacroAssembler):
        * assembler/MacroAssemblerARMv7.h:
        (MacroAssemblerARMv7):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::shouldBlindForSpecificArch):
        (MacroAssemblerX86Common):

2012-03-08  Chao-ying Fu  <fu@mips.com>

        Update MIPS patchOffsetGetByIdSlowCaseCall
        https://bugs.webkit.org/show_bug.cgi?id=80302

        Reviewed by Oliver Hunt.

        * jit/JIT.h:
        (JIT):

2012-03-08  Oliver Hunt  <oliver@apple.com>

        Missing some places where we should be blinding 64bit values (and blinding something we shouldn't)
        https://bugs.webkit.org/show_bug.cgi?id=80633

        Reviewed by Gavin Barraclough.

        Add 64-bit trap for shouldBlindForSpecificArch, so that we always blind
        if there isn't a machine specific implementation (otherwise the 64bit value
        got truncated and 32bit checks were used -- leaving 32bits untested).
        Also add a bit of logic to ensure that we don't try to blind a few common
        constants that go through the ImmPtr paths -- encoded numeric JSValues and
        unencoded doubles with common "safe" values.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::shouldBlindForSpecificArch):
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::shouldBlindDouble):
        (MacroAssembler):
        (JSC::MacroAssembler::shouldBlind):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::shouldBlindForSpecificArch):

2012-03-08  Mark Rowe  <mrowe@apple.com>

        <rdar://problem/11012572> Ensure that the staged frameworks path is in the search path for JavaScriptCore

        Reviewed by Dan Bernstein.

        * Configurations/Base.xcconfig:

2012-03-08  Steve Falkenburg  <sfalken@apple.com>

        Fix line endings for copy-files.cmd.
        
        If a cmd file doesn't have Windows line endings, it doesn't work properly.
        In this case, the label :clean wasn't found, breaking the clean build.
        
        Reviewed by Jessie Berlin.

        * JavaScriptCore.vcproj/JavaScriptCore/copy-files.cmd:

2012-03-07  Filip Pizlo  <fpizlo@apple.com>

        DFG CFA incorrectly handles ValueToInt32
        https://bugs.webkit.org/show_bug.cgi?id=80568

        Reviewed by Gavin Barraclough.
        
        Changed it match exactly the decision pattern used in
        DFG::SpeculativeJIT::compileValueToInt32

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):

2012-03-08  Viatcheslav Ostapenko  <ostapenko.viatcheslav@nokia.com>

        [Qt] [WK2] Webkit fails to link when compiled with force_static_libs_as_shared
        https://bugs.webkit.org/show_bug.cgi?id=80524

        Reviewed by Simon Hausmann.

        Move IdentifierTable methods defintion to WTFThreadData.cpp to fix linking 
        of WTF library.

        * runtime/Identifier.cpp:
        * wtf/WTFThreadData.cpp:
        (JSC):
        (JSC::IdentifierTable::~IdentifierTable):
        (JSC::IdentifierTable::add):

2012-03-08  Filip Pizlo  <fpizlo@apple.com>

        DFG instruction count threshold should be lifted to 10000
        https://bugs.webkit.org/show_bug.cgi?id=80579

        Reviewed by Gavin Barraclough.

        * runtime/Options.cpp:
        (JSC::Options::initializeOptions):

2012-03-07  Filip Pizlo  <fpizlo@apple.com>

        Incorrect tracking of abstract values of variables forced double
        https://bugs.webkit.org/show_bug.cgi?id=80566
        <rdar://problem/11001442>

        Reviewed by Gavin Barraclough.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::mergeStateAtTail):

2012-03-07  Chao-yng Fu  <fu@mips.com>

        [Qt] Fix the MIPS/SH4 build after r109834
        https://bugs.webkit.org/show_bug.cgi?id=80492

        Reviewed by Oliver Hunt.

        Implement three-argument branch(Add,Sub)32.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::add32):
        (MacroAssemblerMIPS):
        (JSC::MacroAssemblerMIPS::sub32):
        (JSC::MacroAssemblerMIPS::branchAdd32):
        (JSC::MacroAssemblerMIPS::branchSub32):

2012-03-07  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r110127.
        http://trac.webkit.org/changeset/110127
        https://bugs.webkit.org/show_bug.cgi?id=80562

        compile failed on AppleWin (Requested by ukai on #webkit).

        * heap/Heap.cpp:
        (JSC::Heap::collectAllGarbage):
        * heap/Heap.h:
        (JSC):
        (Heap):
        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::FunctionExecutable):
        (JSC::FunctionExecutable::finalize):
        * runtime/Executable.h:
        (FunctionExecutable):
        (JSC::FunctionExecutable::create):
        * runtime/JSGlobalData.cpp:
        (WTF):
        (Recompiler):
        (WTF::Recompiler::operator()):
        (JSC::JSGlobalData::recompileAllJSFunctions):
        (JSC):
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        * runtime/JSGlobalObject.cpp:
        (JSC::DynamicGlobalObjectScope::DynamicGlobalObjectScope):

2012-03-07  Hojong Han  <hojong.han@samsung.com>

        The end atom of the marked block considered to filter invalid cells
        https://bugs.webkit.org/show_bug.cgi?id=79191

        Reviewed by Geoffrey Garen.

        Register file could have stale pointers beyond the end atom of marked block.
        Those pointers can weasel out of filtering in-middle-of-cell pointer.

        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::isLiveCell):

2012-03-07  Jessie Berlin  <jberlin@apple.com>

        Clean Windows build fails after r110033
        https://bugs.webkit.org/show_bug.cgi?id=80553

        Rubber-stamped by Jon Honeycutt and Eric Seidel.

        * JavaScriptCore.vcproj/JavaScriptCore/copy-files.cmd:
        Place the implementation files next to their header files in the wtf/text subdirectory.
        Use echo -F to tell xcopy that these are files (since there is apparently no flag).
        * JavaScriptCore.vcproj/jsc/jsc.vcproj:
        Update the path to those implementation files.
        * JavaScriptCore.vcproj/testRegExp/testRegExp.vcproj:
        Ditto.

2012-03-07  Yuqiang Xian  <yuqiang.xian@intel.com>

        Eliminate redundant Phis in DFG
        https://bugs.webkit.org/show_bug.cgi?id=80415

        Reviewed by Filip Pizlo.

        Although this may not have any advantage at current stage, this is towards
        minimal SSA to make more high level optimizations (like bug 76770) easier.
        We have the choices either to build minimal SSA from scratch or to
        keep current simple Phi insertion mechanism and remove the redundancy
        in another phase. Currently we choose the latter because the change
        could be smaller.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGRedundantPhiEliminationPhase.cpp: Added.
        (DFG):
        (RedundantPhiEliminationPhase):
        (JSC::DFG::RedundantPhiEliminationPhase::RedundantPhiEliminationPhase):
        (JSC::DFG::RedundantPhiEliminationPhase::run):
        (JSC::DFG::RedundantPhiEliminationPhase::getRedundantReplacement):
        (JSC::DFG::RedundantPhiEliminationPhase::replacePhiChild):
        (JSC::DFG::RedundantPhiEliminationPhase::fixupPhis):
        (JSC::DFG::RedundantPhiEliminationPhase::updateBlockVariableInformation):
        (JSC::DFG::performRedundantPhiElimination):
        * dfg/DFGRedundantPhiEliminationPhase.h: Added.
        (DFG):

2012-03-07  Mark Hahnenberg  <mhahnenberg@apple.com>

        Refactor recompileAllJSFunctions() to be less expensive
        https://bugs.webkit.org/show_bug.cgi?id=80330

        Reviewed by Geoffrey Garen.

        This change is performance neutral on the JS benchmarks we track. It's mostly to improve page 
        load performance, which currently does at least a couple full GCs per navigation.

        * heap/Heap.cpp:
        (JSC::Heap::discardAllCompiledCode): Rename recompileAllJSFunctions to discardAllCompiledCode 
        because the function doesn't actually recompile anything (and never did); it simply throws code
        away for it to be recompiled later if we determine we should do so.
        (JSC):
        (JSC::Heap::collectAllGarbage):
        (JSC::Heap::addFunctionExecutable): Adds a newly created FunctionExecutable to the Heap's list.
        (JSC::Heap::removeFunctionExecutable): Removes the specified FunctionExecutable from the Heap's list.
        * heap/Heap.h:
        (JSC):
        (Heap):
        * runtime/Executable.cpp: Added next and prev fields to FunctionExecutables so that they can 
        be used in DoublyLinkedLists.
        (JSC::FunctionExecutable::FunctionExecutable):
        (JSC::FunctionExecutable::finalize): Removes the FunctionExecutable from the Heap's list.
        * runtime/Executable.h:
        (FunctionExecutable):
        (JSC::FunctionExecutable::create): Adds the FunctionExecutable to the Heap's list.
        * runtime/JSGlobalData.cpp: Remove recompileAllJSFunctions, as it's the Heap's job to own and manage 
        the list of FunctionExecutables.
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        * runtime/JSGlobalObject.cpp:
        (JSC::DynamicGlobalObjectScope::DynamicGlobalObjectScope): Use the new discardAllCompiledCode.

2012-03-06  Oliver Hunt  <oliver@apple.com>

        Further harden 64-bit JIT
        https://bugs.webkit.org/show_bug.cgi?id=80457

        Reviewed by Filip Pizlo.

        This patch implements blinding for ImmPtr.  Rather than xor based blinding
        we perform randomised pointer rotations in order to avoid the significant
        cost in executable memory that would otherwise be necessary (and to avoid
        the need for an additional scratch register in some cases).

        As with the prior blinding patch there's a moderate amount of noise as we
        correct the use of ImmPtr vs. TrustedImmPtr.

        * assembler/AbstractMacroAssembler.h:
        (ImmPtr):
        (JSC::AbstractMacroAssembler::ImmPtr::asTrustedImmPtr):
        * assembler/MacroAssembler.h:
        (MacroAssembler):
        (JSC::MacroAssembler::storePtr):
        (JSC::MacroAssembler::branchPtr):
        (JSC::MacroAssembler::shouldBlind):
        (JSC::MacroAssembler::RotatedImmPtr::RotatedImmPtr):
        (RotatedImmPtr):
        (JSC::MacroAssembler::rotationBlindConstant):
        (JSC::MacroAssembler::loadRotationBlindedConstant):
        (JSC::MacroAssembler::convertInt32ToDouble):
        (JSC::MacroAssembler::move):
        (JSC::MacroAssembler::poke):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::storeDouble):
        (JSC::MacroAssemblerARMv7::branchAdd32):
        * assembler/MacroAssemblerX86_64.h:
        (MacroAssemblerX86_64):
        (JSC::MacroAssemblerX86_64::rotateRightPtr):
        (JSC::MacroAssemblerX86_64::xorPtr):
        * assembler/X86Assembler.h:
        (X86Assembler):
        (JSC::X86Assembler::xorq_rm):
        (JSC::X86Assembler::rorq_i8r):
        * dfg/DFGCCallHelpers.h:
        (CCallHelpers):
        (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::createOSREntries):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::silentFillGPR):
        (JSC::DFG::SpeculativeJIT::callOperation):
        (JSC::DFG::SpeculativeJIT::emitEdgeCode):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillInteger):
        (JSC::DFG::SpeculativeJIT::fillDouble):
        (JSC::DFG::SpeculativeJIT::fillJSValue):
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        * jit/JIT.cpp:
        (JSC::JIT::emitOptimizationCheck):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emitSlow_op_post_inc):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitValueProfilingSite):
        (JSC::JIT::emitGetVirtualRegister):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_mov):
        (JSC::JIT::emit_op_new_object):
        (JSC::JIT::emit_op_strcat):
        (JSC::JIT::emit_op_ensure_property_exists):
        (JSC::JIT::emit_op_resolve_skip):
        (JSC::JIT::emitSlow_op_resolve_global):
        (JSC::JIT::emit_op_resolve_with_base):
        (JSC::JIT::emit_op_resolve_with_this):
        (JSC::JIT::emit_op_jmp_scopes):
        (JSC::JIT::emit_op_switch_imm):
        (JSC::JIT::emit_op_switch_char):
        (JSC::JIT::emit_op_switch_string):
        (JSC::JIT::emit_op_throw_reference_error):
        (JSC::JIT::emit_op_debug):
        (JSC::JIT::emitSlow_op_resolve_global_dynamic):
        (JSC::JIT::emit_op_new_array):
        (JSC::JIT::emitSlow_op_new_array):
        (JSC::JIT::emit_op_new_array_buffer):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_new_object):
        (JSC::JIT::emit_op_strcat):
        (JSC::JIT::emit_op_ensure_property_exists):
        (JSC::JIT::emit_op_resolve_skip):
        (JSC::JIT::emitSlow_op_resolve_global):
        (JSC::JIT::emit_op_resolve_with_base):
        (JSC::JIT::emit_op_resolve_with_this):
        (JSC::JIT::emit_op_jmp_scopes):
        (JSC::JIT::emit_op_switch_imm):
        (JSC::JIT::emit_op_switch_char):
        (JSC::JIT::emit_op_switch_string):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_put_by_index):
        * jit/JITStubCall.h:
        (JITStubCall):
        (JSC::JITStubCall::addArgument):

2012-03-07  Simon Hausmann  <simon.hausmann@nokia.com>

        ARM build fix.

        Reviewed by Zoltan Herczeg.

        Implement three-argument branch(Add,Sub)32.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::add32):
        (MacroAssemblerARM):
        (JSC::MacroAssemblerARM::sub32):
        (JSC::MacroAssemblerARM::branchAdd32):
        (JSC::MacroAssemblerARM::branchSub32):

2012-03-07  Andy Wingo  <wingo@igalia.com>

        Parser: Inline ScopeNodeData into ScopeNode
        https://bugs.webkit.org/show_bug.cgi?id=79776

        Reviewed by Geoffrey Garen.

        It used to be that some ScopeNode members were kept in a separate
        structure because sometimes they wouldn't be needed, and
        allocating a ParserArena was expensive.  This patch makes
        ParserArena lazily allocate its IdentifierArena, allowing the
        members to be included directly, which is simpler and easier to
        reason about.

        * parser/ParserArena.cpp:
        (JSC::ParserArena::ParserArena):
        (JSC::ParserArena::reset):
        (JSC::ParserArena::isEmpty):
        * parser/ParserArena.h:
        (JSC::ParserArena::identifierArena): Lazily allocate the
        IdentifierArena.

        * parser/Nodes.cpp:
        (JSC::ScopeNode::ScopeNode):
        (JSC::ScopeNode::singleStatement):
        (JSC::ProgramNode::create):
        (JSC::EvalNode::create):
        (JSC::FunctionBodyNode::create):
        * parser/Nodes.h:
        (JSC::ScopeNode::destroyData):
        (JSC::ScopeNode::needsActivationForMoreThanVariables):
        (JSC::ScopeNode::needsActivation):
        (JSC::ScopeNode::hasCapturedVariables):
        (JSC::ScopeNode::capturedVariableCount):
        (JSC::ScopeNode::captures):
        (JSC::ScopeNode::varStack):
        (JSC::ScopeNode::functionStack):
        (JSC::ScopeNode::neededConstants):
        (ScopeNode):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ScopeNode::emitStatementsBytecode): Inline ScopeNodeData
        into ScopeNode.  Adapt accessors.

2012-03-06  Eric Seidel  <eric@webkit.org>

        Make WTF public headers use fully-qualified include paths and remove ForwardingHeaders/wtf
        https://bugs.webkit.org/show_bug.cgi?id=80363

        Reviewed by Mark Rowe.

        Historically WTF has been part of JavaScriptCore, and on Mac and Windows
        its headers have appeared as part of the "private" headers exported by
        JavaScriptCore.  All of the WTF headers there are "flattened" into a single
        private headers directory, and WebCore, WebKit and WebKit2 have used "ForwardingHeaders"
        to re-map fully-qualified <wtf/text/Foo.h> includes to simple <JavaScriptCore/Foo.h> includes.

        However, very soon, we are moving the WTF source code out of JavaScriptCore into its
        own directory and project.  As part of such, the WTF headers will no longer be part of
        the JavaScriptCore private interfaces.
        In preparation for that, this change makes both the Mac and Win builds export
        WTF headers in a non-flattened manner.  On Mac, that means into usr/local/include/wtf
        (and subdirectories), on Windows for now that means JavaScriptCore/wtf (and subdirectories).

        There are 5 parts to this change.
        1.  Updates the JavaScriptCore XCode and VCProj files to actually install these headers
            (and header directories) into the appropriate places in the build directory.
        2.  Updates JavaScriptCore.xcodeproj to look for these WTF headers in this install location
            (WebCore, WebKit, etc. had already been taught to look in previous patches).
        3.  Fixes all JavaScriptCore source files, and WTF headers to include WTF headers
            using fully qualified paths.
        4.  Stops the Mac and Win builds from installing these WTF headers in their old "flattened" location.
        5.  Removes WebCore and WebKit ForwardingHeaders/wtf directories now that the flattened headers no longer exist.

        Unfortunately we see no way to do this change in smaller parts, since all of these steps are interdependant.
        It is possible there are internal Apple projects which depend on JavaScriptCore/Foo.h working for WTF
        headers, those will have to be updated to use <wtf/Foo.h> after this change.
        I've discussed this proposed change at length with Mark Rowe, and my understanding is they
        are ready for (and interested in) this change happening.

        * API/tests/JSNode.c:
        * API/tests/JSNodeList.c:
        * Configurations/Base.xcconfig:
        * JavaScriptCore.vcproj/JavaScriptCore/copy-files.cmd:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/MacroAssemblerCodeRef.h:
        * bytecompiler/BytecodeGenerator.h:
        * dfg/DFGOperations.cpp:
        * heap/GCAssertions.h:
        * heap/HandleHeap.h:
        * heap/HandleStack.h:
        * heap/MarkedSpace.h:
        * heap/PassWeak.h:
        * heap/Strong.h:
        * heap/Weak.h:
        * jit/HostCallReturnValue.cpp:
        * jit/JIT.cpp:
        * jit/JITStubs.cpp:
        * jit/ThunkGenerators.cpp:
        * parser/Lexer.cpp:
        * runtime/Completion.cpp:
        * runtime/Executable.cpp:
        * runtime/Identifier.h:
        * runtime/InitializeThreading.cpp:
        * runtime/JSDateMath.cpp:
        * runtime/JSGlobalObjectFunctions.cpp:
        * runtime/JSStringBuilder.h:
        * runtime/JSVariableObject.h:
        * runtime/NumberPrototype.cpp:
        * runtime/WriteBarrier.h:
        * tools/CodeProfile.cpp:
        * tools/TieredMMapArray.h:
        * wtf/AVLTree.h:
        * wtf/Alignment.h:
        * wtf/AlwaysInline.h:
        * wtf/ArrayBufferView.h:
        * wtf/Assertions.h:
        * wtf/Atomics.h:
        * wtf/Bitmap.h:
        * wtf/BoundsCheckedPointer.h:
        * wtf/CheckedArithmetic.h:
        * wtf/Deque.h:
        * wtf/ExportMacros.h:
        * wtf/FastAllocBase.h:
        * wtf/FastMalloc.h:
        * wtf/Float32Array.h:
        * wtf/Float64Array.h:
        * wtf/Functional.h:
        * wtf/HashCountedSet.h:
        * wtf/HashFunctions.h:
        * wtf/HashMap.h:
        * wtf/HashSet.h:
        * wtf/HashTable.h:
        * wtf/HashTraits.h:
        * wtf/Int16Array.h:
        * wtf/Int32Array.h:
        * wtf/Int8Array.h:
        * wtf/IntegralTypedArrayBase.h:
        * wtf/ListHashSet.h:
        * wtf/MainThread.h:
        * wtf/MetaAllocator.h:
        * wtf/Noncopyable.h:
        * wtf/OwnArrayPtr.h:
        * wtf/OwnPtr.h:
        * wtf/PackedIntVector.h:
        * wtf/ParallelJobs.h:
        * wtf/PassOwnArrayPtr.h:
        * wtf/PassOwnPtr.h:
        * wtf/PassRefPtr.h:
        * wtf/PassTraits.h:
        * wtf/Platform.h:
        * wtf/PossiblyNull.h:
        * wtf/RefCounted.h:
        * wtf/RefCountedLeakCounter.h:
        * wtf/RefPtr.h:
        * wtf/RetainPtr.h:
        * wtf/SimpleStats.h:
        * wtf/Spectrum.h:
        * wtf/StdLibExtras.h:
        * wtf/TCPageMap.h:
        * wtf/TemporaryChange.h:
        * wtf/ThreadSafeRefCounted.h:
        * wtf/Threading.h:
        * wtf/ThreadingPrimitives.h:
        * wtf/TypeTraits.h:
        * wtf/TypedArrayBase.h:
        * wtf/Uint16Array.h:
        * wtf/Uint32Array.h:
        * wtf/Uint8Array.h:
        * wtf/Uint8ClampedArray.h:
        * wtf/UnusedParam.h:
        * wtf/Vector.h:
        * wtf/VectorTraits.h:
        * wtf/dtoa/double-conversion.h:
        * wtf/dtoa/utils.h:
        * wtf/gobject/GRefPtr.h:
        * wtf/gobject/GlibUtilities.h:
        * wtf/text/AtomicString.h:
        * wtf/text/AtomicStringImpl.h:
        * wtf/text/CString.h:
        * wtf/text/StringConcatenate.h:
        * wtf/text/StringHash.h:
        * wtf/text/WTFString.h:
        * wtf/unicode/CharacterNames.h:
        * wtf/unicode/UTF8.h:
        * wtf/unicode/glib/UnicodeGLib.h:
        * wtf/unicode/qt4/UnicodeQt4.h:
        * wtf/unicode/wince/UnicodeWinCE.h:
        * wtf/url/api/ParsedURL.h:
        * wtf/url/api/URLString.h:
        * wtf/wince/FastMallocWinCE.h:
        * yarr/YarrJIT.cpp:

2012-03-06  Gavin Barraclough  <barraclough@apple.com>

        Array.prototype functions should throw if delete fails
        https://bugs.webkit.org/show_bug.cgi?id=80467

        Reviewed by Oliver Hunt.

        All calls to [[Delete]] from Array.prototype are specified to pass 'true' as the value of Throw.
        In the case of shift/unshift, these are also missing a throw from the 'put' in the implementations
        in JSArray.cpp. There are effectively three copies of each of the generic shift/unshift routines,
        one in splice, one in ArrayPrototype's shift/unshift methods, and one in JSArray's shift/unshift
        routines, for handling arrays with holes. These three copies should be unified.

        * runtime/ArrayPrototype.cpp:
        (JSC::shift):
        (JSC::unshift):
            - Added - shared copies of the shift/unshift functionality.
        (JSC::arrayProtoFuncPop):
            - should throw if the delete fails.
        (JSC::arrayProtoFuncReverse):
            - should throw if the delete fails.
        (JSC::arrayProtoFuncShift):
        (JSC::arrayProtoFuncSplice):
        (JSC::arrayProtoFuncUnShift):
            - use shift/unshift.
        * runtime/JSArray.cpp:
        (JSC::JSArray::shiftCount):
        (JSC::JSArray::unshiftCount):
            - Don't try to handle arrays with holes; return a value indicating
              the generic routine should be used instead.
        * runtime/JSArray.h:
            - declaration for shiftCount/unshiftCount changed.
        * tests/mozilla/js1_6/Array/regress-304828.js:
            - this was asserting incorrect behaviour.

2012-03-06  Raphael Kubo da Costa  <kubo@profusion.mobi>

        [CMake] Make the removal of transitive library dependencies work with CMake < 2.8.7.
        https://bugs.webkit.org/show_bug.cgi?id=80469

        Reviewed by Antonio Gomes.

        * CMakeLists.txt: Manually set the LINK_INTERFACE_LIBRARIES target
        property on the library being created.

2012-03-06  Yuqiang Xian  <yuqiang.xian@intel.com>

        DFG BasicBlock should group the Phi nodes together and separate them
        from the other nodes
        https://bugs.webkit.org/show_bug.cgi?id=80361

        Reviewed by Filip Pizlo.

        This would make it more efficient to remove the redundant Phi nodes or
        insert new Phi nodes for SSA, besides providing a cleaner BasicBlock structure.
        This is performance neutral on SunSpider, V8 and Kraken.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::clobberStructures):
        (JSC::DFG::AbstractState::dump):
        * dfg/DFGBasicBlock.h:
        (JSC::DFG::BasicBlock::BasicBlock):
        (BasicBlock):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addToGraph):
        (JSC::DFG::ByteCodeParser::insertPhiNode):
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::performBlockCFA):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::pureCSE):
        (JSC::DFG::CSEPhase::impureCSE):
        (JSC::DFG::CSEPhase::globalVarLoadElimination):
        (JSC::DFG::CSEPhase::getByValLoadElimination):
        (JSC::DFG::CSEPhase::checkFunctionElimination):
        (JSC::DFG::CSEPhase::checkStructureLoadElimination):
        (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
        (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::getScopeChainLoadElimination):
        (JSC::DFG::CSEPhase::performBlockCSE):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2012-03-06  Mark Hahnenberg  <mhahnenberg@apple.com>

        GCActivityCallback timer should vary with the length of the previous GC
        https://bugs.webkit.org/show_bug.cgi?id=80344

        Reviewed by Geoffrey Garen.

        * heap/Heap.cpp: Gave Heap the ability to keep track of the length of its last 
        GC length so that the GC Activity Callback can use it.
        (JSC::Heap::Heap):
        (JSC::Heap::collect):
        * heap/Heap.h:
        (JSC::Heap::lastGCLength):
        (Heap):
        * runtime/GCActivityCallbackCF.cpp:
        (JSC):
        (JSC::DefaultGCActivityCallback::operator()): Use the length of the Heap's last 
        GC to determine the length of our timer trigger (currently set at 100x the duration 
        of the last GC).

2012-03-06  Rob Buis  <rbuis@rim.com>

        BlackBerry] Fix cast-align gcc warnings when compiling JSC
        https://bugs.webkit.org/show_bug.cgi?id=80420

        Reviewed by Gavin Barraclough.

        Fix warnings given in Blackberry build.

        * heap/CopiedBlock.h:
        (JSC::CopiedBlock::CopiedBlock):
        * wtf/RefCountedArray.h:
        (WTF::RefCountedArray::Header::fromPayload):

2012-03-06  Gavin Barraclough  <barraclough@apple.com>

        writable/configurable not respected for some properties of Function/String/Arguments
        https://bugs.webkit.org/show_bug.cgi?id=80436

        Reviewed by Oliver Hunt.

        Special properties should behave like regular properties.

        * runtime/Arguments.cpp:
        (JSC::Arguments::defineOwnProperty):
            - Mis-nested logic for making read-only properties non-live.
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::put):
            - arguments/length/caller are non-writable, non-configurable - reject appropriately.
        (JSC::JSFunction::deleteProperty):
            - Attempting to delete prototype/caller should fail.
        (JSC::JSFunction::defineOwnProperty):
            - Ensure prototype is reified on attempt to reify it.
            - arguments/length/caller are non-writable, non-configurable - reject appropriately.
        * runtime/JSFunction.h:
            - added declaration for defineOwnProperty.
        (JSFunction):
        * runtime/StringObject.cpp:
        (JSC::StringObject::put):
            - length is non-writable, non-configurable - reject appropriately.

2012-03-06  Ulan Degenbaev  <ulan@chromium.org>

        TypedArray subarray call for subarray does not clamp the end index parameter properly
        https://bugs.webkit.org/show_bug.cgi?id=80285

        Reviewed by Kenneth Russell.

        * wtf/ArrayBufferView.h:
        (WTF::ArrayBufferView::calculateOffsetAndLength):

2012-03-06  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r109837.
        http://trac.webkit.org/changeset/109837
        https://bugs.webkit.org/show_bug.cgi?id=80399

        breaks Mac Productions builds, too late to try and fix it
        tonight (Requested by eseidel on #webkit).

        * API/tests/JSNode.c:
        * API/tests/JSNodeList.c:
        * Configurations/Base.xcconfig:
        * JavaScriptCore.vcproj/JavaScriptCore/copy-files.cmd:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/MacroAssemblerCodeRef.h:
        * bytecompiler/BytecodeGenerator.h:
        * dfg/DFGOperations.cpp:
        * heap/GCAssertions.h:
        * heap/HandleHeap.h:
        * heap/HandleStack.h:
        * heap/MarkedSpace.h:
        * heap/PassWeak.h:
        * heap/Strong.h:
        * heap/Weak.h:
        * jit/HostCallReturnValue.cpp:
        * jit/JIT.cpp:
        * jit/JITStubs.cpp:
        * jit/ThunkGenerators.cpp:
        * parser/Lexer.cpp:
        * runtime/Completion.cpp:
        * runtime/Executable.cpp:
        * runtime/Identifier.h:
        * runtime/InitializeThreading.cpp:
        * runtime/JSDateMath.cpp:
        * runtime/JSGlobalObjectFunctions.cpp:
        * runtime/JSStringBuilder.h:
        * runtime/JSVariableObject.h:
        * runtime/NumberPrototype.cpp:
        * runtime/WriteBarrier.h:
        * tools/CodeProfile.cpp:
        * tools/TieredMMapArray.h:
        * yarr/YarrJIT.cpp:

2012-03-06  Zoltan Herczeg  <zherczeg@webkit.org>

        [Qt][ARM] Speculative buildfix after r109834.

        Reviewed by Csaba Osztrogonác.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::and32):
        (MacroAssemblerARM):

2012-03-05  Gavin Barraclough  <barraclough@apple.com>

        Unreviewed windows build fix pt 2.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-03-05  Gavin Barraclough  <barraclough@apple.com>

        Unreviewed windows build fix pt 1.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-03-05  Gavin Barraclough  <barraclough@apple.com>

        putByIndex should throw in strict mode
        https://bugs.webkit.org/show_bug.cgi?id=80335

        Reviewed by Filip Pizlo.

        Make the MethodTable PutByIndex trap take a boolean 'shouldThrow' parameter.

        This is a largely mechanical change, simply adding an extra parameter to a number
        of functions. Some call sites need perform additional exception checks, and
        operationPutByValBeyondArrayBounds needs to know whether it is strict or not.

        This patch doesn't fix a missing throw from some cases of shift/unshift (this is
        an existing bug), I'll follow up with a third patch to handle that.

        * API/JSObjectRef.cpp:
        (JSObjectSetPropertyAtIndex):
        * JSCTypedArrayStubs.h:
        (JSC):
        * dfg/DFGOperations.cpp:
        (JSC::DFG::putByVal):
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Arguments.cpp:
        (JSC::Arguments::putByIndex):
        * runtime/Arguments.h:
        (Arguments):
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncPush):
        (JSC::arrayProtoFuncReverse):
        (JSC::arrayProtoFuncShift):
        (JSC::arrayProtoFuncSort):
        (JSC::arrayProtoFuncSplice):
        (JSC::arrayProtoFuncUnShift):
        * runtime/ClassInfo.h:
        (MethodTable):
        * runtime/JSArray.cpp:
        (JSC::SparseArrayValueMap::put):
        (JSC::JSArray::put):
        (JSC::JSArray::putByIndex):
        (JSC::JSArray::putByIndexBeyondVectorLength):
        (JSC::JSArray::push):
        (JSC::JSArray::shiftCount):
        (JSC::JSArray::unshiftCount):
        * runtime/JSArray.h:
        (SparseArrayValueMap):
        (JSArray):
        * runtime/JSByteArray.cpp:
        (JSC::JSByteArray::putByIndex):
        * runtime/JSByteArray.h:
        (JSByteArray):
        * runtime/JSCell.cpp:
        (JSC::JSCell::putByIndex):
        * runtime/JSCell.h:
        (JSCell):
        * runtime/JSNotAnObject.cpp:
        (JSC::JSNotAnObject::putByIndex):
        * runtime/JSNotAnObject.h:
        (JSNotAnObject):
        * runtime/JSONObject.cpp:
        (JSC::Walker::walk):
        * runtime/JSObject.cpp:
        (JSC::JSObject::putByIndex):
        * runtime/JSObject.h:
        (JSC::JSValue::putByIndex):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpMatchesArray::fillArrayInstance):
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::putByIndex):
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncSplit):

2012-03-05  Yuqiang Xian  <yuqiang.xian@intel.com>

        PredictNone is incorrectly treated as isDoublePrediction
        https://bugs.webkit.org/show_bug.cgi?id=80365

        Reviewed by Filip Pizlo.

        Also it is incorrectly treated as isFixedIndexedStorageObjectPrediction.

        * bytecode/PredictedType.h:
        (JSC::isFixedIndexedStorageObjectPrediction):
        (JSC::isDoublePrediction):

2012-03-05  Filip Pizlo  <fpizlo@apple.com>

        The LLInt should work even when the JIT is disabled
        https://bugs.webkit.org/show_bug.cgi?id=80340
        <rdar://problem/10922235>

        Reviewed by Gavin Barraclough.

        * assembler/MacroAssemblerCodeRef.h:
        (JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
        (MacroAssemblerCodeRef):
        (JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::initialize):
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        * jit/JIT.h:
        (JSC::JIT::compileCTINativeCall):
        * jit/JITStubs.h:
        (JSC::JITThunks::ctiNativeCall):
        (JSC::JITThunks::ctiNativeConstruct):
        * llint/LLIntEntrypoints.cpp:
        (JSC::LLInt::getFunctionEntrypoint):
        (JSC::LLInt::getEvalEntrypoint):
        (JSC::LLInt::getProgramEntrypoint):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (LLInt):
        * llint/LLIntSlowPaths.h:
        (LLInt):
        * llint/LowLevelInterpreter.h:
        * llint/LowLevelInterpreter32_64.asm:
        * runtime/Executable.h:
        (NativeExecutable):
        (JSC::NativeExecutable::create):
        (JSC::NativeExecutable::finishCreation):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        * runtime/Options.cpp:
        (Options):
        (JSC::Options::parse):
        (JSC::Options::initializeOptions):
        * runtime/Options.h:
        (Options):
        * wtf/Platform.h:

2012-03-05  Yuqiang Xian  <yuqiang.xian@intel.com>

        Checks for dead variables are not sufficient when fixing the expected
        values in DFG OSR entry
        https://bugs.webkit.org/show_bug.cgi?id=80371

        Reviewed by Filip Pizlo.

        A dead variable should be identified when there's no node referencing it.
        But we currently failed to catch the case where there are some nodes
        referencing a variable but those nodes are actually not referenced by
        others so will be ignored in code generation. In such case we should
        also consider that variable to be a dead variable in the block and fix
        the expected values.
        This is performance neutral on SunSpider, V8 and Kraken.

        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::noticeOSREntry):

2012-03-05  Oliver Hunt  <oliver@apple.com>

        Fix Qt build.

        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssembler.h:
        (MacroAssembler):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithSub):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emitSub32Constant):

2012-03-05  Eric Seidel  <eric@webkit.org>

        Update JavaScriptCore files to use fully-qualified WTF include paths
        https://bugs.webkit.org/show_bug.cgi?id=79960

        Reviewed by Adam Barth.

        This change does 5 small/related things:
         1. Updates JavaScriptCore.xcodeproj to install WTF headers into $BUILD/usr/local/include
            (WebCore, WebKit were already setup to look there, but JavaScriptCore.xcodeproj
            was not installing headers there.)
         2. Makes JavaScriptCore targets include $BUILD/usr/local/include in their
            header search path, as that's where the WTF headers will be installed.
         3. Similarly updates JavaScriptCore.vcproj/copy-files.cmd to copy WTF headers to PrivateHeaders/wtf/*
            in addition to the current behavior of flattening all headers to PrivateHeaders/*.h.
         4. Updates a bunch of JSC files to use #include <wtf/Foo.h> instead of #include "Foo.h"
            since soon the WTF headers will not be part of the JavaScriptCore Xcode project.
         5. Makes build-webkit build the WTF XCode project by default.

        * API/tests/JSNode.c:
        * API/tests/JSNodeList.c:
        * Configurations/Base.xcconfig:
        * assembler/MacroAssemblerCodeRef.h:
        * bytecompiler/BytecodeGenerator.h:
        * dfg/DFGOperations.cpp:
        * heap/GCAssertions.h:
        * heap/HandleHeap.h:
        * heap/HandleStack.h:
        * heap/MarkedSpace.h:
        * heap/PassWeak.h:
        * heap/Strong.h:
        * heap/Weak.h:
        * jit/HostCallReturnValue.cpp:
        * jit/JIT.cpp:
        * jit/JITStubs.cpp:
        * jit/ThunkGenerators.cpp:
        * parser/Lexer.cpp:
        * runtime/Completion.cpp:
        * runtime/Executable.cpp:
        * runtime/Identifier.h:
        * runtime/InitializeThreading.cpp:
        * runtime/JSDateMath.cpp:
        * runtime/JSGlobalObjectFunctions.cpp:
        * runtime/JSStringBuilder.h:
        * runtime/JSVariableObject.h:
        * runtime/NumberPrototype.cpp:
        * runtime/WriteBarrier.h:
        * tools/CodeProfile.cpp:
        * tools/TieredMMapArray.h:
        * yarr/YarrJIT.cpp:

2012-03-05  Oliver Hunt  <oliver@apple.com>

        Add basic support for constant blinding to the JIT
        https://bugs.webkit.org/show_bug.cgi?id=80354

        Reviewed by Filip Pizlo.

        This patch adds basic constant blinding support to the JIT, at the
        MacroAssembler level.  This means all JITs in JSC (Yarr, baseline, and DFG)
        get constant blinding.  Woo!

        This patch only introduces blinding for Imm32, a later patch will do similar
        for ImmPtr.  In order to make misuse of Imm32 as a trusted type essentially
        impossible, we make TrustedImm32 a private parent of Imm32 and add an explicit
        accessor that's needed to access the actual value.  This also means you cannot
        accidentally pass an untrusted value to a function that does not perform
        blinding.

        To make everything work sensibly, this patch also corrects some code that was using
        Imm32 when TrustedImm32 could be used, and refactors a few callers that use
        untrusted immediates, so that they call slightly different varaints of the functions
        that they used previously.  This is largely necessary to deal with x86-32 not having
        sufficient registers to handle the additional work required when we choose to blind
        a constant.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::Imm32::asTrustedImm32):
        (Imm32):
        (JSC::AbstractMacroAssembler::beginUninterruptedSequence):
        (JSC::AbstractMacroAssembler::endUninterruptedSequence):
        (JSC::AbstractMacroAssembler::AbstractMacroAssembler):
        (AbstractMacroAssembler):
        (JSC::AbstractMacroAssembler::inUninterruptedSequence):
        (JSC::AbstractMacroAssembler::random):
        (JSC::AbstractMacroAssembler::scratchRegisterForBlinding):
        (JSC::AbstractMacroAssembler::shouldBlindForSpecificArch):
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::addressForPoke):
        (MacroAssembler):
        (JSC::MacroAssembler::poke):
        (JSC::MacroAssembler::branchPtr):
        (JSC::MacroAssembler::branch32):
        (JSC::MacroAssembler::convertInt32ToDouble):
        (JSC::MacroAssembler::shouldBlind):
        (JSC::MacroAssembler::BlindedImm32::BlindedImm32):
        (BlindedImm32):
        (JSC::MacroAssembler::keyForConstant):
        (JSC::MacroAssembler::xorBlindConstant):
        (JSC::MacroAssembler::additionBlindedConstant):
        (JSC::MacroAssembler::andBlindedConstant):
        (JSC::MacroAssembler::orBlindedConstant):
        (JSC::MacroAssembler::loadXorBlindedConstant):
        (JSC::MacroAssembler::add32):
        (JSC::MacroAssembler::addPtr):
        (JSC::MacroAssembler::and32):
        (JSC::MacroAssembler::andPtr):
        (JSC::MacroAssembler::move):
        (JSC::MacroAssembler::or32):
        (JSC::MacroAssembler::store32):
        (JSC::MacroAssembler::sub32):
        (JSC::MacroAssembler::subPtr):
        (JSC::MacroAssembler::xor32):
        (JSC::MacroAssembler::branchAdd32):
        (JSC::MacroAssembler::branchMul32):
        (JSC::MacroAssembler::branchSub32):
        (JSC::MacroAssembler::trustedImm32ForShift):
        (JSC::MacroAssembler::lshift32):
        (JSC::MacroAssembler::rshift32):
        (JSC::MacroAssembler::urshift32):
        * assembler/MacroAssemblerARMv7.h:
        (MacroAssemblerARMv7):
        (JSC::MacroAssemblerARMv7::scratchRegisterForBlinding):
        (JSC::MacroAssemblerARMv7::shouldBlindForSpecificArch):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::branchSubPtr):
        (MacroAssemblerX86_64):
        (JSC::MacroAssemblerX86_64::scratchRegisterForBlinding):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::compileBody):
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileArithSub):
        (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileDoubleCompare):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compileDoubleCompare):
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::privateCompile):
        * jit/JITArithmetic.cpp:
        (JSC::JIT::compileBinaryArithOp):
        (JSC::JIT::emit_op_add):
        (JSC::JIT::emit_op_mul):
        (JSC::JIT::emit_op_div):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emitAdd32Constant):
        (JSC::JIT::emitSub32Constant):
        (JSC::JIT::emitBinaryDoubleOp):
        (JSC::JIT::emitSlow_op_mul):
        (JSC::JIT::emit_op_div):
        * jit/JITCall.cpp:
        (JSC::JIT::compileLoadVarargs):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileLoadVarargs):
        * jit/JITInlineMethods.h:
        (JSC::JIT::updateTopCallFrame):
        (JSC::JIT::emitValueProfilingSite):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emitSlow_op_jfalse):
        (JSC::JIT::emitSlow_op_jtrue):
        * jit/JITStubCall.h:
        (JITStubCall):
        (JSC::JITStubCall::addArgument):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::backtrack):

2012-03-05  Gavin Barraclough  <barraclough@apple.com>

        putByIndex should throw in strict mode
        https://bugs.webkit.org/show_bug.cgi?id=80335

        Reviewed by Filip Pizlo.

        We'll need to pass an additional parameter.

        Part 1 - rename JSValue::put() for integer indices to JSValue::putByIndex()
        to match the method in the MethodTable, make this take a parameter indicating
        whether the put should throw. This fixes the cases where the base of the put
        is a primitive.

        * dfg/DFGOperations.cpp:
        (DFG):
        (JSC::DFG::putByVal):
        (JSC::DFG::operationPutByValInternal):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::privateExecute):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/JSObject.h:
        (JSC::JSValue::putByIndex):
        * runtime/JSValue.cpp:
        (JSC):
        * runtime/JSValue.h:
        (JSValue):

2012-03-05  Sam Weinig  <sam@webkit.org>

        Add support for hosting layers in the window server in WebKit2
        <rdar://problem/10400246>
        https://bugs.webkit.org/show_bug.cgi?id=80310

        Reviewed by Anders Carlsson.

        * wtf/Platform.h:
        Add HAVE_LAYER_HOSTING_IN_WINDOW_SERVER.

2012-03-05  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, attempted build fix for !ENABLE(JIT) after r109705.

        * bytecode/ExecutionCounter.cpp:
        (JSC::ExecutionCounter::applyMemoryUsageHeuristics):
        * bytecode/ExecutionCounter.h:

2012-03-05  Patrick Gansterer  <paroga@webkit.org>

        Unreviewed. Build fix for !ENABLE(JIT) after r109705.

        * bytecode/ExecutionCounter.cpp:
        * bytecode/ExecutionCounter.h:

2012-03-05  Andy Wingo  <wingo@igalia.com>

        Lexer: Specialize character predicates for LChar, UChar
        https://bugs.webkit.org/show_bug.cgi?id=79677

        Reviewed by Oliver Hunt.

        This patch specializes isIdentStart, isIdentPart, isWhiteSpace,
        and isLineTerminator to perform a more limited number of checks if
        the lexer is being instantiated to work on LChar sequences.  This
        is about a 1.5% win on the --parse-only suite, here.

        * parser/Lexer.cpp:
        (JSC::isLatin1): New static helper, specialized for LChar and
        UChar.
        (JSC::typesOfLatin1Characters): Rename from
        typesOfASCIICharacters, and expand to the range of the LChar
        type.  All uses of isASCII are changed to use isLatin1.  Generated
        using libunistring.
        (JSC::isNonLatin1IdentStart):
        (JSC::isIdentStart):
        (JSC::isNonLatin1IdentPart):
        (JSC::isIdentPart):
        (JSC::Lexer::shiftLineTerminator):
        (JSC::Lexer::parseIdentifier):
        (JSC::Lexer::parseIdentifierSlowCase):
        (JSC::Lexer::parseStringSlowCase):
        (JSC::Lexer::parseMultilineComment):
        (JSC::Lexer::lex):
        (JSC::Lexer::scanRegExp):
        (JSC::Lexer::skipRegExp): Sprinkle static_cast<T>(_) around.
        * parser/Lexer.h:
        (JSC::Lexer::isWhiteSpace):
        (JSC::Lexer::isLineTerminator):
        * KeywordLookupGenerator.py:
        (Trie.printAsC): Declare specialized isIdentPart static functions.

2012-03-05  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix make distcheck.

        * GNUmakefile.list.am: Add missing header file.

2012-03-05  Andy Wingo  <wingo@igalia.com>

        WTF: Micro-optimize cleanup of empty vectors and hash tables
        https://bugs.webkit.org/show_bug.cgi?id=79903

        Reviewed by Michael Saboff and Geoffrey Garen.

        This patch speeds up cleanup of vectors and hash tables whose
        backing store was never allocated.  This is the case by default
        for most vectors / hash tables that never had any entries added.

        The result for me is that calling checkSyntax 1000 times on
        concat-jquery-mootools-prototype.js goes from 6.234s to 6.068s, a
        2.4% speedup.

        * wtf/HashTable.h:
        (WTF::HashTable::~HashTable):
        (WTF::::clear): Don't deallocate the storage or frob member
        variables if there is no backing storage.
        * wtf/Vector.h:
        (WTF::VectorBufferBase::deallocateBuffer): Likewise.

2012-03-04  Filip Pizlo  <fpizlo@apple.com>

        JIT heuristics should be hyperbolic
        https://bugs.webkit.org/show_bug.cgi?id=80055
        <rdar://problem/10922260>

        Reviewed by Oliver Hunt.
        
        Added tracking of the amount of executable memory typically used for a bytecode
        instruction. Modified the execution counter scheme to use this, and the amount
        of free memory, to determine how long to wait before invoking the JIT.
        
        The result is that even if we bomb the VM with more code than can fit in our
        executable memory pool, we still keep running and almost never run out of
        executable memory - which ensures that if we have to JIT something critical, then
        we'll likely have enough memory to do so. This also does not regress performance
        on the three main benchmarks.
        
        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::predictedMachineCodeSize):
        (JSC):
        (JSC::CodeBlock::usesOpcode):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        (JSC::CodeBlock::checkIfJITThresholdReached):
        (JSC::CodeBlock::dontJITAnytimeSoon):
        (JSC::CodeBlock::jitAfterWarmUp):
        (JSC::CodeBlock::jitSoon):
        (JSC::CodeBlock::llintExecuteCounter):
        (JSC::CodeBlock::counterValueForOptimizeAfterWarmUp):
        (JSC::CodeBlock::counterValueForOptimizeAfterLongWarmUp):
        (JSC::CodeBlock::addressOfJITExecuteCounter):
        (JSC::CodeBlock::offsetOfJITExecuteCounter):
        (JSC::CodeBlock::offsetOfJITExecutionActiveThreshold):
        (JSC::CodeBlock::offsetOfJITExecutionTotalCount):
        (JSC::CodeBlock::jitExecuteCounter):
        (JSC::CodeBlock::checkIfOptimizationThresholdReached):
        (JSC::CodeBlock::optimizeNextInvocation):
        (JSC::CodeBlock::dontOptimizeAnytimeSoon):
        (JSC::CodeBlock::optimizeAfterWarmUp):
        (JSC::CodeBlock::optimizeAfterLongWarmUp):
        (JSC::CodeBlock::optimizeSoon):
        * bytecode/ExecutionCounter.cpp: Added.
        (JSC):
        (JSC::ExecutionCounter::ExecutionCounter):
        (JSC::ExecutionCounter::checkIfThresholdCrossedAndSet):
        (JSC::ExecutionCounter::setNewThreshold):
        (JSC::ExecutionCounter::deferIndefinitely):
        (JSC::ExecutionCounter::applyMemoryUsageHeuristics):
        (JSC::ExecutionCounter::applyMemoryUsageHeuristicsAndConvertToInt):
        (JSC::ExecutionCounter::hasCrossedThreshold):
        (JSC::ExecutionCounter::setThreshold):
        (JSC::ExecutionCounter::reset):
        * bytecode/ExecutionCounter.h: Added.
        (JSC):
        (ExecutionCounter):
        (JSC::ExecutionCounter::formattedTotalCount):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * jit/ExecutableAllocator.cpp:
        (JSC::DemandExecutableAllocator::allocateNewSpace):
        (JSC::ExecutableAllocator::underMemoryPressure):
        (JSC):
        (JSC::ExecutableAllocator::memoryPressureMultiplier):
        * jit/ExecutableAllocator.h:
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::ExecutableAllocator::memoryPressureMultiplier):
        (JSC):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):
        * llint/LowLevelInterpreter32_64.asm:
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        * runtime/Options.cpp:
        (Options):
        (JSC::Options::initializeOptions):
        * runtime/Options.h:
        (Options):
        * wtf/SimpleStats.h: Added.
        (WTF):
        (SimpleStats):
        (WTF::SimpleStats::SimpleStats):
        (WTF::SimpleStats::add):
        (WTF::SimpleStats::operator!):
        (WTF::SimpleStats::count):
        (WTF::SimpleStats::sum):
        (WTF::SimpleStats::sumOfSquares):
        (WTF::SimpleStats::mean):
        (WTF::SimpleStats::variance):
        (WTF::SimpleStats::standardDeviation):

2012-03-04  Raphael Kubo da Costa  <kubo@profusion.mobi>

        [CMake] Libraries are installed to /usr/lib and not /usr/lib64 on x86_64
        https://bugs.webkit.org/show_bug.cgi?id=71507

        Reviewed by Antonio Gomes.

        * CMakeLists.txt: Use ${LIB_INSTALL_DIR} instead of hardcoding "lib".

2012-03-04  David Kilzer  <ddkilzer@apple.com>

        Fix build when the classic interpreter is enabled

        Reviewed by Gavin Barraclough.

        Fixes the following build error when running the "Generate
        Derived Sources" build phase script:

            offlineasm: Parsing JavaScriptCore/llint/LowLevelInterpreter.asm and ../../JSCLLIntOffsetsExtractor and creating assembly file LLIntAssembly.h.
            ./JavaScriptCore/offlineasm/offsets.rb:145:in `offsetsAndConfigurationIndex': unhandled exception
                    from JavaScriptCore/offlineasm/asm.rb:131
            Command /bin/sh failed with exit code 1

        Gavin's fix in r109674 avoided the #error statement in
        JITStubs.h when compiling LLIntOffsetsExtractor.cpp, but it
        caused the "Generate Derived Sources" build phase script to fail
        when JavaScriptCore/offlineasm/asm.rb was run.  The solution is
        to detect when the classic interpreter is being built and simply
        exit early from asm.rb in that case.

        * llint/LLIntOffsetsExtractor.cpp:
        (JSC::LLIntOffsetsExtractor::dummy): Return NULL pointer if the
        JIT is disabled.  Note that offsets.rb doesn't care about the
        return value here, but instead it cares about finding the magic
        values in the binary.  The magic values are no longer present
        when the JIT is disabled.
        * offlineasm/asm.rb: Catch MissingMagicValuesException and exit
        early with a status message.
        * offlineasm/offsets.rb:
        (MissingMagicValuesException): Add new exception class.
        (offsetsAndConfigurationIndex): Throw
        MissingMagicValuesException when no magic values are found.

2012-03-04  Jurij Smakov  <jurij@wooyd.org>

        SPARC also needs aligned accesses.

        Rubber-stamped by Gustavo Noronha Silva.

        * wtf/Platform.h:

2012-03-04  Gavin Barraclough  <barraclough@apple.com>

        Unreviewed build fix.

        * jit/JITStubs.h:
            - Move ENABLE(JIT) to head of file.

2012-03-03  Gavin Barraclough  <barraclough@apple.com>

        Split JSArray's [[Put]] & [[DefineOwnProperty]] traps.
        https://bugs.webkit.org/show_bug.cgi?id=80217

        Reviewed by Filip Pizlo.

        putByIndex() provides similar behavior to put(), but for indexed property names.
        Many places in ArrayPrototype call putByIndex() where they really mean to call
        [[DefineOwnProperty]]. This is only okay due to a bug – putByIndex should be
        calling numeric accessors (& respecting numeric read only properties) on the
        prototype chain, but isn't. Add a new putDirectIndex (matching JSObject's
        putDirect* methods), to correctly provide a fast [[DefineOwnProperty]] interface.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncConcat):
        (JSC::arrayProtoFuncSlice):
        (JSC::arrayProtoFuncFilter):
        (JSC::arrayProtoFuncMap):
        * runtime/JSArray.cpp:
        (JSC):
        (JSC::reject):
        (JSC::SparseArrayValueMap::putDirect):
        (JSC::JSArray::defineOwnNumericProperty):
        (JSC::JSArray::putByIndexBeyondVectorLength):
        (JSC::JSArray::putDirectIndexBeyondVectorLength):
        * runtime/JSArray.h:
        (SparseArrayValueMap):
        (JSArray):
        (JSC::JSArray::putDirectIndex):

2012-03-03  Benjamin Poulain  <benjamin@webkit.org>

        Implement the basis of KURLWTFURL
        https://bugs.webkit.org/show_bug.cgi?id=79600

        Reviewed by Adam Barth.

        Add an API to know if a ParsedURL is valid.

        * wtf/url/api/ParsedURL.cpp:
        (WTF::ParsedURL::ParsedURL):
        (WTF):
        (WTF::ParsedURL::isolatedCopy): This is needed by APIs moving URL objects between thread
        and by KURL's detach() on write.
        (WTF::ParsedURL::baseAsString):
        (WTF::ParsedURL::segment):
        Add a stronger constraint on accessors: the client of this API should never ask for the segments
        on an invalid URL.
        * wtf/url/api/ParsedURL.h:
        (WTF):
        (WTF::ParsedURL::ParsedURL):
        (ParsedURL):
        (WTF::ParsedURL::isValid):

2012-03-03  Hans Wennborg  <hans@chromium.org>

        Implement Speech JavaScript API
        https://bugs.webkit.org/show_bug.cgi?id=80019

        Reviewed by Adam Barth.

        Add ENABLE_SCRIPTED_SPEECH.

        * Configurations/FeatureDefines.xcconfig:

2012-03-02  Filip Pizlo  <fpizlo@apple.com>

        When getting the line number of a call into a call frame with no code block, it's
        incorrect to rely on the returnPC
        https://bugs.webkit.org/show_bug.cgi?id=80195

        Reviewed by Oliver Hunt.

        * interpreter/Interpreter.cpp:
        (JSC::getCallerInfo):
        * jit/JITCall.cpp:
        (JSC::JIT::compileLoadVarargs):

2012-03-02  Han Hojong  <hojong.han@samsung.com>

        Expected results updated for checking type conversion
        https://bugs.webkit.org/show_bug.cgi?id=80138

        Reviewed by Gavin Barraclough.

        * tests/mozilla/ecma/TypeConversion/9.3.1-3.js:

2012-03-02  Kenichi Ishibashi  <bashi@chromium.org>

        Adding WebSocket per-frame DEFLATE extension
        https://bugs.webkit.org/show_bug.cgi?id=77522

        Added USE(ZLIB) flag.

        Reviewed by Kent Tamura.

        * wtf/Platform.h:

2012-03-02  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed build fix for platforms that have DFG_JIT disabled but PARALLEL_GC enabled.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitAggregate):

2012-03-01  Filip Pizlo  <fpizlo@apple.com>

        DFGCodeBlocks should not trace CodeBlocks that are also going to be traced by
        virtue of being in the transitive closure
        https://bugs.webkit.org/show_bug.cgi?id=80098
 
        Reviewed by Anders Carlsson.
        
        If DFGCodeBlocks traces a CodeBlock that might also be traced via its owner Executable,
        then you might have the visitAggregate() method called concurrently by multiple threads.
        This is benign on 64-bit -- visitAggregate() and everything it calls turns out to be
        racy and slightly imprecise but not unsound. But on 32-bit, visitAggregate() may crash
        due to word tearing in ValueProfile bucket updates inside of computeUpdatedPrediction().
        
        It would seem that the fix is just to have DFGCodeBlocks not trace CodeBlocks that are
        not jettisoned. But CodeBlocks may be jettisoned later during the GC, so it must trace
        any CodeBlock that it knows to be live by virtue of it being reachable from the stack.
        Hence the real fix is to make sure that concurrent calls into CodeBlock::visitAggregate()
        don't lead to two threads racing over each other as they clobber state. This patch
        achieves this with a simple CAS loop: whichever thread wins the CAS race (which is
        trivially linearizable) will get to trace the CodeBlock; all other threads give up and
        go home.
        
        Unfortunately there will be no new tests. It's possible to reproduce this maybe 1/10
        times by running V8-v6's raytrace repeatedly, using the V8 harness hacked to rerun it
        even when it's gotten sufficient counts. But that takes a while - sometimes up to a
        minute to get a crash. I have no other reliable repro case.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitAggregate):
        * bytecode/CodeBlock.h:
        (DFGData):
        * heap/DFGCodeBlocks.cpp:
        (JSC::DFGCodeBlocks::clearMarks):

2012-03-01  Filip Pizlo  <fpizlo@apple.com>

        The JIT should not crash the entire process just because there is not enough executable
        memory, if the LLInt is enabled
        https://bugs.webkit.org/show_bug.cgi?id=79962

        Reviewed by Csaba Osztrogonác.
        
        Fix for ARM, SH4.

        * assembler/AssemblerBufferWithConstantPool.h:
        (JSC::AssemblerBufferWithConstantPool::executableCopy):

2012-03-01  Ryosuke Niwa  <rniwa@webkit.org>

        Revert my change. Broke builds.
        Source/JavaScriptCore/wtf/Atomics.h:188: error: redefinition of 'bool WTF::weakCompareAndSwap(volatile uintptr_t*, uintptr_t, uintptr_t)'
        Source/JavaScriptCore/wtf/Atomics.h:122: error: 'bool WTF::weakCompareAndSwap(volatile unsigned int*, unsigned int, unsigned i

        * wtf/Atomics.h:
        (WTF):
        (WTF::weakCompareAndSwap):

2012-03-01  Ryosuke Niwa  <rniwa@webkit.org>

        Gcc build fix.

        Rubber-stamped by Filip Pizlo.

        * wtf/Atomics.h:
        (WTF):
        (WTF::weakCompareAndSwap):

2012-03-01  Gavin Barraclough  <barraclough@apple.com>

        ES5.1-15.3.5.4. prohibits Function.caller from [[Get]]ting a strict caller
        https://bugs.webkit.org/show_bug.cgi?id=80011

        Reviewed by Oliver Hunt.

        Also, fix getting the caller from within a bound function, for within a getter,
        or setter (make our implementation match other browsers).

        * interpreter/Interpreter.cpp:
        (JSC::getCallerInfo):
            - Allow this to get the caller of host functions.
        (JSC::Interpreter::retrieveCallerFromVMCode):
            - This should use getCallerInfo, and should skip over function bindings.
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::callerGetter):
            - This should never return a strict-mode function.

2012-03-01  Yuqiang Xian  <yuqiang.xian@intel.com>

        DFG local CSE for a node can be terminated earlier
        https://bugs.webkit.org/show_bug.cgi?id=80014

        Reviewed by Filip Pizlo.

        When one of the node's childredn is met in the process of back traversing
        the nodes, we don't need to traverse the remaining nodes.
        This is performance neutral on SunSpider, V8 and Kraken.

        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::pureCSE):
        (JSC::DFG::CSEPhase::impureCSE):
        (JSC::DFG::CSEPhase::getByValLoadElimination):
        (JSC::DFG::CSEPhase::checkFunctionElimination):
        (JSC::DFG::CSEPhase::checkStructureLoadElimination):
        (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
        (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):

2012-02-29  Yuqiang Xian  <yuqiang.xian@intel.com>

        DFG BasicBlocks should not require that their nodes have continuous indices in the graph
        https://bugs.webkit.org/show_bug.cgi?id=79899

        Reviewed by Filip Pizlo.

        This will make it more convenient to insert nodes into the DFG.
        With this capability we now place the Phi nodes in the corresponding
        blocks.
        Local CSE is modified to not to rely on the assumption of continuous
        node indices in a block.
        This is performance neutral on SunSpider, V8 and Kraken.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::AbstractState):
        (JSC::DFG::AbstractState::beginBasicBlock):
        (JSC::DFG::AbstractState::execute):
        (JSC::DFG::AbstractState::clobberStructures):
        (JSC::DFG::AbstractState::mergeToSuccessors):
        (JSC::DFG::AbstractState::dump):
        * dfg/DFGAbstractState.h:
        (JSC::DFG::AbstractState::forNode):
        (AbstractState):
        * dfg/DFGArithNodeFlagsInferencePhase.cpp:
        (ArithNodeFlagsInferencePhase):
        * dfg/DFGBasicBlock.h:
        (JSC::DFG::BasicBlock::BasicBlock):
        (BasicBlock):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addToGraph):
        (ByteCodeParser):
        (JSC::DFG::ByteCodeParser::insertPhiNode):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::processPhiStack):
        (JSC::DFG::ByteCodeParser::linkBlock):
        (JSC::DFG::ByteCodeParser::determineReachability):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::performBlockCFA):
        (CFAPhase):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::CSEPhase):
        (JSC::DFG::CSEPhase::endIndexForPureCSE):
        (JSC::DFG::CSEPhase::pureCSE):
        (JSC::DFG::CSEPhase::impureCSE):
        (JSC::DFG::CSEPhase::globalVarLoadElimination):
        (JSC::DFG::CSEPhase::getByValLoadElimination):
        (JSC::DFG::CSEPhase::checkFunctionElimination):
        (JSC::DFG::CSEPhase::checkStructureLoadElimination):
        (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
        (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::getScopeChainLoadElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        (JSC::DFG::CSEPhase::performBlockCSE):
        (CSEPhase):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGPhase.cpp:
        (JSC::DFG::Phase::beginPhase):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeCompare):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeStrictEq):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::detectPeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        (JSC::DFG::VirtualRegisterAllocationPhase::run):

2012-02-29  Filip Pizlo  <fpizlo@apple.com>

        The JIT should not crash the entire process just because there is not
        enough executable memory, if the LLInt is enabled
        https://bugs.webkit.org/show_bug.cgi?id=79962
        <rdar://problem/10922215>

        Unreviewed, adding forgotten file.

        * jit/JITCompilationEffort.h: Added.
        (JSC):

2012-02-29  Filip Pizlo  <fpizlo@apple.com>

        The JIT should not crash the entire process just because there is not
        enough executable memory, if the LLInt is enabled
        https://bugs.webkit.org/show_bug.cgi?id=79962
        <rdar://problem/10922215>

        Reviewed by Gavin Barraclough.
        
        Added the notion of JITCompilationEffort. If we're JIT'ing as a result of
        a tier-up, then we set it to JITCompilationCanFail. Otherwise it's
        JITCompilationMustSucceed. This preserves the old behavior of LLInt is
        disabled or if we're compiling something that can't be interpreted (like
        an OSR exit stub).

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/ARMAssembler.cpp:
        (JSC::ARMAssembler::executableCopy):
        * assembler/ARMAssembler.h:
        (ARMAssembler):
        * assembler/AssemblerBuffer.h:
        (JSC::AssemblerBuffer::executableCopy):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::LinkBuffer):
        (JSC::LinkBuffer::~LinkBuffer):
        (LinkBuffer):
        (JSC::LinkBuffer::didFailToAllocate):
        (JSC::LinkBuffer::isValid):
        (JSC::LinkBuffer::linkCode):
        (JSC::LinkBuffer::performFinalization):
        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::executableCopy):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::executableCopy):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::executableCopy):
        (JSC::X86Assembler::X86InstructionFormatter::executableCopy):
        * bytecode/CodeBlock.cpp:
        (JSC::ProgramCodeBlock::jitCompileImpl):
        (JSC::EvalCodeBlock::jitCompileImpl):
        (JSC::FunctionCodeBlock::jitCompileImpl):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::jitCompile):
        (CodeBlock):
        (ProgramCodeBlock):
        (EvalCodeBlock):
        (FunctionCodeBlock):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGJITCompiler.h:
        (JITCompiler):
        * jit/ExecutableAllocator.cpp:
        (JSC::DemandExecutableAllocator::allocateNewSpace):
        (JSC::ExecutableAllocator::allocate):
        * jit/ExecutableAllocator.h:
        (ExecutableAllocator):
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::ExecutableAllocator::allocate):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        (JSC::JIT::compile):
        (JIT):
        * jit/JITCompilationEffort.h: Added.
        (JSC):
        * jit/JITDriver.h:
        (JSC::jitCompileIfAppropriate):
        (JSC::jitCompileFunctionIfAppropriate):
        * llint/LLIntSlowPaths.cpp:
        (LLInt):
        (JSC::LLInt::jitCompileAndSetHeuristics):
        (JSC::LLInt::entryOSR):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::jitCompile):
        (JSC::ProgramExecutable::jitCompile):
        (JSC::FunctionExecutable::jitCompileForCall):
        (JSC::FunctionExecutable::jitCompileForConstruct):
        * runtime/Executable.h:
        (EvalExecutable):
        (ProgramExecutable):
        (FunctionExecutable):
        (JSC::FunctionExecutable::jitCompileFor):
        * runtime/ExecutionHarness.h:
        (JSC::prepareForExecution):
        (JSC::prepareFunctionForExecution):

2012-02-29  No'am Rosenthal  <noam.rosenthal@nokia.com>

        [Qt][WK2] Get rid of the #ifdef mess in LayerTreeHost[Proxy]
        https://bugs.webkit.org/show_bug.cgi?id=79501

        Enable WTF_USE_UI_SIDE_COMPOSITING for Qt.

        Reviewed by Kenneth Rohde Christiansen.

        * wtf/Platform.h:

2012-02-29  Gavin Barraclough  <barraclough@apple.com>

        Rubber stamped by Oliver Hunt.

        * tests/mozilla/ecma_2/RegExp/constructor-001.js:
        * tests/mozilla/ecma_2/RegExp/function-001.js:
        * tests/mozilla/ecma_2/RegExp/properties-001.js:
            - Check in new test cases results.

2012-02-29  Mark Rowe  <mrowe@apple.com>

        Stop installing JSCLLIntOffsetsExtractor.

        Replace the separate TestRegExp and TestAPI xcconfig files with a single ToolExecutable xcconfig file
        that derives the product name from the target name. We can then use that xcconfig file for JSCLLIntOffsetsExtractor.
        This has the results of setting SKIP_INSTALL = YES for JSCLLIntOffsetsExtractor.

        While I was doing this fiddling I noticed that the JSCLLIntOffsetsExtractor target had a custom value
        for USER_HEADER_SEARCH_PATHS to allow it to find LLIntDesiredOffsets.h. A better way of doing that is
        to add LLIntDesiredOffsets.h to the Xcode project so that it'll be included in the header map. That
        allows us to remove the override of USER_HEADER_SEARCH_PATHS entirely. So I did that too!

        Reviewed by Filip Pizlo.

        * Configurations/TestRegExp.xcconfig: Removed.
        * Configurations/ToolExecutable.xcconfig: Renamed from Source/JavaScriptCore/Configurations/TestAPI.xcconfig.
        * JavaScriptCore.xcodeproj/project.pbxproj:

2012-02-28  Filip Pizlo  <fpizlo@apple.com>

        RefCounted::deprecatedTurnOffVerifier() should not be deprecated
        https://bugs.webkit.org/show_bug.cgi?id=79864

        Reviewed by Oliver Hunt.
        
        Removed the word "deprecated" from the name of this method, since this method
        should not be deprecated. It works just fine as it is, and there is simply no
        alternative to calling this method for many interesting JSC classes.

        * parser/SourceProvider.h:
        (JSC::SourceProvider::SourceProvider):
        * runtime/SymbolTable.h:
        (JSC::SharedSymbolTable::SharedSymbolTable):
        * wtf/MetaAllocator.cpp:
        (WTF::MetaAllocatorHandle::MetaAllocatorHandle):
        (WTF::MetaAllocator::allocate):
        * wtf/RefCounted.h:
        (RefCountedBase):
        (WTF::RefCountedBase::turnOffVerifier):

2012-02-29  Gavin Barraclough  <barraclough@apple.com>

        'source' property of RegExp instance cannot be ""
        https://bugs.webkit.org/show_bug.cgi?id=79938

        Reviewed by Oliver Hunt.

        15.10.6.4 specifies that RegExp.prototype.toString must return '/' + source + '/',
        and also states that the result must be a valid RegularExpressionLiteral. '//' is
        not a valid RegularExpressionLiteral (since it is a single line comment), and hence
        source cannot ever validly be "". If the source is empty, return a different Pattern
        that would match the same thing.

        * runtime/RegExpObject.cpp:
        (JSC::regExpObjectSource):
            - Do not return "" if the source is empty, this would lead to invalid behaviour in toString.
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncToString):
            - No need to special case the empty string - this should be being done by 'source'.

2012-02-29  Gavin Barraclough  <barraclough@apple.com>

        Writable attribute not set correctly when redefining an accessor to a data descriptor
        https://bugs.webkit.org/show_bug.cgi?id=79931

        Reviewed by Oliver Hunt.

        * runtime/JSObject.cpp:
        (JSC::JSObject::defineOwnProperty):
            - use attributesOverridingCurrent instead of attributesWithOverride.
        * runtime/PropertyDescriptor.cpp:
        * runtime/PropertyDescriptor.h:
            - remove attributesWithOverride - attributesOverridingCurrent does the same thing.

2012-02-29  Kevin Ollivier  <kevino@theolliviers.com>

        Add JSCore symbol exports needed by wx port
        https://bugs.webkit.org/show_bug.cgi?id=77280

        Reviewed by Hajime Morita.

        * wtf/ArrayBufferView.h:
        * wtf/ExportMacros.h:

2012-02-28  Raphael Kubo da Costa  <kubo@profusion.mobi>

        [CMake] Always build wtf as a static library.
        https://bugs.webkit.org/show_bug.cgi?id=79857

        Reviewed by Eric Seidel.

        To help the efforts in bug 75673 to move WTF out of
        JavaScriptCore, act more like the other ports and remove the
        possibility of building WTF as a shared library.

        It does not make much sense to, for example, ship WTF as a
        separate .so with webkit-efl packages, and it should be small
        enough not to cause problems during linking.

        * wtf/CMakeLists.txt:

2012-02-28  Dmitry Lomov  <dslomov@google.com>

        [JSC] Implement ArrayBuffer transfer
        https://bugs.webkit.org/show_bug.cgi?id=73493.
        Implement ArrayBuffer transfer, per Khronos spec:  http://www.khronos.org/registry/typedarray/specs/latest/#9.
        This brings parity with V8 implementation of transferable typed arrays.

        Reviewed by Oliver Hunt.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Extra export.
        * wtf/ArrayBuffer.h:
        (ArrayBuffer): Added extra export.

2012-02-28  Kevin Ollivier  <kevino@theolliviers.com>

        [wx] Unreviewed. Build fix after recent LLInt additions.
        
        * wscript:

2012-02-28  Mark Hahnenberg  <mhahnenberg@apple.com>

        Refactor SpeculativeJIT::emitAllocateJSFinalObject
        https://bugs.webkit.org/show_bug.cgi?id=79801

        Reviewed by Filip Pizlo.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::emitAllocateBasicJSObject): Split emitAllocateJSFinalObject out to form this
        function, which is more generic in that it can allocate a variety of classes.
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::emitAllocateJSFinalObject): Changed to use the new helper function.

2012-02-28  Gavin Barraclough  <barraclough@apple.com>

        [[Get]]/[[Put]] for primitives should not wrap on strict accessor call
        https://bugs.webkit.org/show_bug.cgi?id=79588

        Reviewed by Oliver Hunt.

        In the case of [[Get]], this is a pretty trivial bug - just don't wrap
        primitives at the point you call a getter.

        For setters, this is a little more involved, since we have already wrapped
        the value up in a synthesized object. Stop doing so. There is also a further
        subtely, that in strict mode all attempts to create a new data property on
        the object should throw.

        * runtime/JSCell.cpp:
        (JSC::JSCell::put):
            - [[Put]] to a string primitive should use JSValue::putToPrimitive.
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
            - Remove static function called in one place.
        * runtime/JSObject.h:
        (JSC::JSValue::put):
            - [[Put]] to a non-cell JSValue should use JSValue::putToPrimitive.
        * runtime/JSValue.cpp:
        (JSC::JSValue::synthesizePrototype):
            - Add support for synthesizing the prototype of strings.
        (JSC::JSValue::putToPrimitive):
            - Added, implements [[Put]] for primitive bases, per 8.7.2.
        * runtime/JSValue.h:
        (JSValue):
            - Add declaration for JSValue::putToPrimitive.
        * runtime/PropertySlot.cpp:
        (JSC::PropertySlot::functionGetter):
            - Don't call ToObject on primitive this values.

2012-02-28  Mark Hahnenberg  <mhahnenberg@apple.com>

        Re-enable parallel GC on Mac
        https://bugs.webkit.org/show_bug.cgi?id=79837

        Rubber stamped by Filip Pizlo.

        * runtime/Options.cpp:
        (JSC::Options::initializeOptions): We accidentally disabled parallel GC with this line,
        so we removed it and things should go back to normal.

2012-02-28  Filip Pizlo  <fpizlo@apple.com>

        Some run-javascriptcore-tests broken for 32-bit debug
        https://bugs.webkit.org/show_bug.cgi?id=79844

        Rubber stamped by Oliver Hunt.
        
        These assertions are just plain wrong for 32-bit. We could either have a massive
        assertion that depends on value representation, that has to be changed every
        time we change the JITs, resulting in a bug tail of debug-mode crashes, or we
        could get rid of the assertions. I pick the latter.

        * dfg/DFGOperations.cpp:
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):

2012-02-28  Mark Hahnenberg  <mhahnenberg@apple.com>

        Get rid of padding cruft in CopiedBlock
        https://bugs.webkit.org/show_bug.cgi?id=79686

        Reviewed by Filip Pizlo.

        * heap/CopiedBlock.h:
        (CopiedBlock): Removed the extra padding that was used for alignment purposes until 
        the calculation of the payload offset into CopiedBlocks was redone recently.

2012-02-28  Anders Carlsson  <andersca@apple.com>

        Fix build with newer versions of clang.

        Clang now warns since we're not passing a CFString literal to CFStringCreateWithFormatAndArguments,
        but it's OK to ignore this warning since clang is also checking that the caller (vprintf_stderr_common)
        takes a string literal.

        * wtf/Assertions.cpp:

2012-02-28  Mario Sanchez Prada  <msanchez@igalia.com>

        [GTK] Add GMainLoop and GMainContext to be handled by GRefPtr
        https://bugs.webkit.org/show_bug.cgi?id=79496

        Reviewed by Martin Robinson.

        Handle GMainLoop and GMainContext in GRefPtr, by calling
        g_main_loop_(un)ref and g_main_context_(un)ref in the
        implementation of the refGPtr and derefGPtr template functions.

        * wtf/gobject/GRefPtr.cpp:
        (WTF::refGPtr):
        (WTF):
        (WTF::derefGPtr):
        * wtf/gobject/GRefPtr.h:
        (WTF):
        * wtf/gobject/GTypedefs.h:

2012-02-28  Yong Li  <yoli@rim.com>

        JSString::resolveRope() should report extra memory cost to the heap.
        https://bugs.webkit.org/show_bug.cgi?id=79555

        Reviewed by Michael Saboff.

        At the time a JSString is constructed with fibers, it doesn't report
        extra memory cost, which is reasonable because it hasn't allocate
        new memory. However when the rope is resolved, it should report meory
        cost for the new buffer.

        * runtime/JSString.cpp:
        (JSC::JSString::resolveRope):

2012-02-27  Oliver Hunt  <oliver@apple.com>

        sputnik/Unicode/Unicode_500/S7.2_A1.6_T1.html crashes in the interpreter
        https://bugs.webkit.org/show_bug.cgi?id=79728

        Reviewed by Gavin Barraclough.

        When initialising a chained get instruction we may end up in a state where
        the instruction stream says we have a scopechain, but it has not yet been set
        (eg. if allocating the StructureChain itself is what leads to the GC).  We could
        re-order the allocation, but it occurs in a couple of places, so it seems less
        fragile simply to null check the scopechain slot before we actually visit the slot.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitStructures):

2012-02-27  Filip Pizlo  <fpizlo@apple.com>

        Old JIT's style of JSVALUE64 strict equality is subtly wrong
        https://bugs.webkit.org/show_bug.cgi?id=79700

        Reviewed by Oliver Hunt.

        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::comparePtr):
        (MacroAssemblerX86_64):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeStrictEq):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::compileOpStrictEq):
        (JSC::JIT::emitSlow_op_stricteq):
        (JSC::JIT::emitSlow_op_nstricteq):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):

2012-02-27  Gavin Barraclough  <barraclough@apple.com>

        Implement support for op_negate and op_bitnot in the DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=79617

        Reviewed by Filip Pizlo.

        Add an ArithNegate op to the DFG JIT, to implement op_negate.

        This patch also adds support for op_negate to the JSVALUE64 baseline JIT
        (JSVALUE32_64 already had this), so that we can profile the slowpath usage.

        This is a 2.5%-3% Sunspider progression and a 1% win on Kraken.

        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::sub_S):
            - Added sub_S from immediate.
        (ARMv7Assembler):
        (JSC::ARMv7Assembler::vneg):
            - Added double negate.
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::negateDouble):
            - Added double negate.
        (MacroAssemblerARMv7):
        (JSC::MacroAssemblerARMv7::branchNeg32):
            - Added.
        * assembler/MacroAssemblerX86.h:
        (MacroAssemblerX86):
            - moved loadDouble, absDouble to common.
        * assembler/MacroAssemblerX86Common.h:
        (MacroAssemblerX86Common):
        (JSC::MacroAssemblerX86Common::absDouble):
            - implementation can be shared.
        (JSC::MacroAssemblerX86Common::negateDouble):
            - Added.
        (JSC::MacroAssemblerX86Common::loadDouble):
            - allow absDouble to have a common implementation.
        * assembler/MacroAssemblerX86_64.h:
        (MacroAssemblerX86_64):
            - moved loadDouble, absDouble to common.
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
            - support ArithNegate.
        * dfg/DFGArithNodeFlagsInferencePhase.cpp:
        (JSC::DFG::ArithNodeFlagsInferencePhase::propagate):
            - support ArithNegate.
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeSafe):
            - support ArithNegate.
        (JSC::DFG::ByteCodeParser::parseBlock):
            - support op_negate.
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
            - support ArithNegate.
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
            - support op_negate.
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::negateShouldSpeculateInteger):
            - support ArithNegate.
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasArithNodeFlags):
            - support ArithNegate.
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
            - support ArithNegate.
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithNegate):
            - support ArithNegate.
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
            - support ArithNegate.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
            - support ArithNegate.
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
            - support ArithNegate.
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
            - Add support for op_negate in JSVALUE64.
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_negate):
        (JSC::JIT::emitSlow_op_negate):
            - Add support for op_negate in JSVALUE64.

2012-02-27  Mahesh Kulkarni  <mahesh.kulkarni@nokia.com>

        Unreviewed. Build fix for linux-bot (qt) after r109021.

        * runtime/Error.cpp:

2012-02-27  Oliver Hunt  <oliver@apple.com>

        REGRESSION (r108112): AWS Management Console at amazon.com fails to initialize
        https://bugs.webkit.org/show_bug.cgi?id=79693

        Reviewed by Filip Pizlo.

        Alas we can't provide the stack trace as an array, as despite everyone wanting
        an array, everyone arbitrarily creates the array by calling split on the stack
        trace.  To create the array we would have provided them in the first place.

        This changes the exception's stack property to a \n separated string.  To get the
        old array just do <exception>.stack.split("\n").

        * runtime/Error.cpp:
        (JSC::addErrorInfo):

2012-02-27  Gavin Barraclough  <barraclough@apple.com>

        RegExp lastIndex should behave as a regular property
        https://bugs.webkit.org/show_bug.cgi?id=79446

        Reviewed by Sam Weinig.

        lastIndex should be a regular data descriptor, with the attributes configurable:false,
        enumerable:false, writable:true. As such, it should be possible to reconfigure writable
        as false. If the lastIndex property is reconfigured to be read-only, we should respect
        this correctly.

        * runtime/CommonIdentifiers.h:
            - Removed some unused identifiers, added lastIndex.
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::getOwnPropertySlot):
            - lastIndex is no longer a static value, provided specific handling.
        (JSC::RegExpObject::getOwnPropertyDescriptor):
            - lastIndex is no longer a static value, provided specific handling.
        (JSC::RegExpObject::deleteProperty):
            - lastIndex is no longer a static value, provided specific handling.
        (JSC::RegExpObject::getOwnPropertyNames):
            - lastIndex is no longer a static value, provided specific handling.
        (JSC::RegExpObject::getPropertyNames):
            - lastIndex is no longer a static value, provided specific handling.
        (JSC::reject):
            - helper function for defineOwnProperty.
        (JSC::RegExpObject::defineOwnProperty):
            - lastIndex is no longer a static value, provided specific handling.
        (JSC::RegExpObject::put):
            - lastIndex is no longer a static value, provided specific handling.
        (JSC::RegExpObject::match):
            - Pass setLastIndex an ExecState, so it can throw if read-only.
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::setLastIndex):
            - Pass setLastIndex an ExecState, so it can throw if read-only.
        (RegExpObjectData):
            - Added lastIndexIsWritable.
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncCompile):
            - Pass setLastIndex an ExecState, so it can throw if read-only.

2012-02-27  Gavin Barraclough  <barraclough@apple.com>

        Implement support for op_negate and op_bitnot in the DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=79617

        Reviewed by Sam Weinig.

        Remove op_bitnop - this is redundant, ~x === x^-1.
        This is a fractional (<1%) progression.

        Remove not32(X) from the MacroAssemblers - make this an optimization to add32(-1, X).
        Remove CanReuse from the result type - this was unused.
        Remove op_bitnot.

        * assembler/MacroAssemblerARM.h:
        (MacroAssemblerARM):
        (JSC::MacroAssemblerARM::xor32):
        * assembler/MacroAssemblerARMv7.h:
        (MacroAssemblerARMv7):
        (JSC::MacroAssemblerARMv7::xor32):
        * assembler/MacroAssemblerMIPS.h:
        (MacroAssemblerMIPS):
        (JSC::MacroAssemblerMIPS::xor32):
        * assembler/MacroAssemblerSH4.h:
        (MacroAssemblerSH4):
        (JSC::MacroAssemblerSH4::xor32):
        * assembler/MacroAssemblerX86Common.h:
        (MacroAssemblerX86Common):
        (JSC::MacroAssemblerX86Common::xor32):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
        * bytecode/Opcode.h:
        (JSC):
        (JSC::padOpcodeName):
        * bytecompiler/NodesCodegen.cpp:
        (JSC):
        (JSC::BitwiseNotNode::emitBytecode):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        (JIT):
        * jit/JITArithmetic32_64.cpp:
        (JSC):
        * jit/JITOpcodes.cpp:
        (JSC):
        * jit/JITStubs.cpp:
        (JSC):
        * jit/JITStubs.h:
        * llint/LLIntSlowPaths.cpp:
        (LLInt):
        * llint/LLIntSlowPaths.h:
        (LLInt):
        * llint/LowLevelInterpreter32_64.asm:
        * parser/NodeConstructors.h:
        (JSC::NegateNode::NegateNode):
        (JSC::BitwiseNotNode::BitwiseNotNode):
        (JSC::MultNode::MultNode):
        (JSC::DivNode::DivNode):
        (JSC::ModNode::ModNode):
        (JSC::SubNode::SubNode):
        (JSC::UnsignedRightShiftNode::UnsignedRightShiftNode):
        * parser/Nodes.h:
        (BitwiseNotNode):
        (JSC::BitwiseNotNode::expr):
        (JSC):
        * parser/ResultType.h:
        (ResultType):
        (JSC::ResultType::numberTypeIsInt32):
        (JSC::ResultType::stringOrNumberType):
        (JSC::ResultType::forAdd):
        (JSC::ResultType::forBitOp):

2012-02-27  Michael Saboff  <msaboff@apple.com>

        Error check regexp min quantifier
        https://bugs.webkit.org/show_bug.cgi?id=70648

        Reviewed by Gavin Barraclough.

        Added checking for min or only quantifier being UINT_MAX.
        When encountered this becomes a SyntaxError during parsing.

        * yarr/YarrParser.h:
        (JSC::Yarr::Parser::parseQuantifier):
        (JSC::Yarr::Parser::parse):
        (Parser):

2012-02-27  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix make distcheck.

        * GNUmakefile.list.am: Add missing files.

2012-02-26  Hajime Morrita  <morrita@chromium.org>

        Move ChromeClient::showContextMenu() to ContextMenuClient
        https://bugs.webkit.org/show_bug.cgi?id=79427

        Reviewed by Adam Barth.

        Added ACCESSIBILITY_CONTEXT_MENUS.

        * wtf/Platform.h:

2012-02-26  Filip Pizlo  <fpizlo@apple.com>

        LayoutTests/fast/xpath/xpath-functional-test.html is crashing in the DFG
        https://bugs.webkit.org/show_bug.cgi?id=79616

        Reviewed by Oliver Hunt.
        
        Guard against the fact that in JSVALUE64, JSValue().isCell() == true.

        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::validate):

2012-02-26  Filip Pizlo  <fpizlo@apple.com>

        DFG should support activations and nested functions
        https://bugs.webkit.org/show_bug.cgi?id=79554

        Reviewed by Sam Weinig.
        
        Fix 32-bit. The 32-bit function+activation code had some really weird
        register reuse bugs.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2012-02-26  Filip Pizlo  <fpizlo@apple.com>

        Getting the instruction stream for a code block should not require two loads
        https://bugs.webkit.org/show_bug.cgi?id=79608

        Reviewed by Sam Weinig.
        
        Introduced the RefCountedArray class, which contains a single inline pointer
        to a ref-counted non-resizeable vector backing store. This satisfies the
        requirements of CodeBlock, which desires the ability to share instruction
        streams with other CodeBlocks. It also reduces the number of loads required
        for getting the instruction stream by one.
        
        This patch also gets rid of the bytecode discarding logic, since we don't
        use it anymore and it's unlikely to ever work right with DFG or LLInt. And
        I didn't feel like porting dead code to use RefCountedArray.

        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::instructionOffsetForNth):
        (JSC::CodeBlock::dump):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::handlerForBytecodeOffset):
        (JSC::CodeBlock::lineNumberForBytecodeOffset):
        (JSC::CodeBlock::expressionRangeForBytecodeOffset):
        (JSC::CodeBlock::shrinkToFit):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        (JSC::CodeBlock::numberOfInstructions):
        (JSC::CodeBlock::instructions):
        (JSC::CodeBlock::instructionCount):
        (JSC::CodeBlock::valueProfileForBytecodeOffset):
        (JSC):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::Label::setLocation):
        (JSC):
        (JSC::BytecodeGenerator::generate):
        (JSC::BytecodeGenerator::newLabel):
        * bytecompiler/BytecodeGenerator.h:
        (JSC):
        (BytecodeGenerator):
        (JSC::BytecodeGenerator::instructions):
        * bytecompiler/Label.h:
        (JSC::Label::Label):
        (Label):
        * dfg/DFGByteCodeCache.h:
        (JSC::DFG::ByteCodeCache::~ByteCodeCache):
        (JSC::DFG::ByteCodeCache::get):
        * jit/JITExceptions.cpp:
        (JSC::genericThrow):
        * llint/LowLevelInterpreter32_64.asm:
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::compileInternal):
        (JSC::ProgramExecutable::compileInternal):
        (JSC::FunctionExecutable::codeBlockWithBytecodeFor):
        (JSC::FunctionExecutable::produceCodeBlockFor):
        * wtf/RefCountedArray.h: Added.
        (WTF):
        (RefCountedArray):
        (WTF::RefCountedArray::RefCountedArray):
        (WTF::RefCountedArray::operator=):
        (WTF::RefCountedArray::~RefCountedArray):
        (WTF::RefCountedArray::size):
        (WTF::RefCountedArray::data):
        (WTF::RefCountedArray::begin):
        (WTF::RefCountedArray::end):
        (WTF::RefCountedArray::at):
        (WTF::RefCountedArray::operator[]):
        (Header):
        (WTF::RefCountedArray::Header::size):
        (WTF::RefCountedArray::Header::payload):
        (WTF::RefCountedArray::Header::fromPayload):
        * wtf/Platform.h:

2012-02-26  Yusuke Suzuki  <utatane.tea@gmail.com>

        StringLiteral and NumericLiteral are allowed as ObjectLiteral getter / setter name
        https://bugs.webkit.org/show_bug.cgi?id=79571

        Reviewed by Gavin Barraclough.

        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createGetterOrSetterProperty):
        * parser/Parser.cpp:
        (JSC::::parseProperty):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createGetterOrSetterProperty):

2012-02-26  Mark Hahnenberg  <mhahnenberg@apple.com>

        Implement fast path for op_new_array in the baseline JIT
        https://bugs.webkit.org/show_bug.cgi?id=78612

        Reviewed by Filip Pizlo.

        heap/CopiedAllocator.h:
        (CopiedAllocator): Friended the JIT to allow access to m_currentOffset.
        * heap/CopiedSpace.h:
        (CopiedSpace): Friended the JIT to allow access to isOversize.
        (JSC::CopiedSpace::allocator):
        * heap/Heap.h:
        (JSC::Heap::storageAllocator): Added a getter for the CopiedAllocator class so the JIT
        can use it for simple allocation i.e. when we can just bump the offset without having to 
        do anything else.
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileSlowCases): Added new slow case for op_new_array for when
        we have to bail out because the fast allocation path fails for whatever reason.
        * jit/JIT.h:
        (JIT):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitAllocateBasicStorage): Added utility function that allows objects to 
        allocate generic backing stores. This function is used by emitAllocateJSArray.
        (JSC):
        (JSC::JIT::emitAllocateJSArray): Added utility function that allows the client to 
        more easily allocate JSArrays. This function is used by emit_op_new_array and I expect 
        it will also be used for emit_op_new_array_buffer.
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_array): Changed to do inline allocation of JSArrays. Still does 
        a stub call for oversize arrays.
        (JSC):
        (JSC::JIT::emitSlow_op_new_array): New slow path that just bails out to a stub call if we 
        fail in any way on the fast path.
        * runtime/JSArray.cpp:
        (JSC):
        * runtime/JSArray.h: Added lots of offset functions for all the fields that we need to 
        initialize in the JIT.
        (ArrayStorage):
        (JSC::ArrayStorage::lengthOffset):
        (JSC::ArrayStorage::numValuesInVectorOffset):
        (JSC::ArrayStorage::allocBaseOffset):
        (JSC::ArrayStorage::vectorOffset):
        (JSArray):
        (JSC::JSArray::sparseValueMapOffset):
        (JSC::JSArray::subclassDataOffset):
        (JSC::JSArray::indexBiasOffset):
        (JSC):
        (JSC::JSArray::storageSize): Moved this function from being a static function in the cpp file
        to being a static function in the JSArray class. This move allows the JIT to call it to 
        see what size it should allocate.

2012-02-26  Patrick Gansterer  <paroga@webkit.org>

        Unreviewed. Build fix for ENABLE(CLASSIC_INTERPRETER) after r108681.

        * interpreter/Interpreter.cpp:
        (JSC::getLineNumberForCallFrame):
        (JSC::Interpreter::getStackTrace):

2012-02-26  Patrick Gansterer  <paroga@webkit.org>

        Unreviewed. Build fix for !ENABLE(JIT) after r108681.

        * interpreter/Interpreter.cpp:
        (JSC::getLineNumberForCallFrame):

2012-02-25  Filip Pizlo  <fpizlo@apple.com>

        LLInt assembly file should be split into 32-bit and 64-bit parts
        https://bugs.webkit.org/show_bug.cgi?id=79584

        Reviewed by Sam Weinig.
        
        Moved LowLevelInterpreter.asm to LowLevelInterpreter32_64.asm. Gave offlineasm
        the ability to include files, and correctly track dependencies: it restricts
        the include mechanism to using the same directory as the source file, and uses
        the SHA1 hash of all .asm files in that directory as an input hash.

        * llint/LLIntOfflineAsmConfig.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm: Added.
            - This is just the entire contents of what was previously LowLevelInterpreter.asm
        * llint/LowLevelInterpreter64.asm: Added.
        * offlineasm/asm.rb:
        * offlineasm/ast.rb:
        * offlineasm/generate_offset_extractor.rb:
        * offlineasm/parser.rb:
        * offlineasm/self_hash.rb:

2012-02-25  Filip Pizlo  <fpizlo@apple.com>

        Offlineasm should support X86_64
        https://bugs.webkit.org/show_bug.cgi?id=79581

        Reviewed by Oliver Hunt.

        * llint/LLIntOfflineAsmConfig.h:
        * offlineasm/backends.rb:
        * offlineasm/instructions.rb:
        * offlineasm/settings.rb:
        * offlineasm/x86.rb:

2012-02-25  Filip Pizlo  <fpizlo@apple.com>

        DFG should support activations and nested functions
        https://bugs.webkit.org/show_bug.cgi?id=79554

        Reviewed by Oliver Hunt.
        
        Wrote the simplest possible implementation of activations. Big speed-up on
        code that uses activations, no speed-up on major benchmarks (SunSpider, V8,
        Kraken) because they do not appear to have sufficient coverage over code
        that uses activations.

        * bytecode/PredictedType.cpp:
        (JSC::predictionToString):
        (JSC::predictionFromValue):
        * bytecode/PredictedType.h:
        (JSC):
        (JSC::isEmptyPrediction):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ByteCodeParser):
        (ByteCodeParser):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::buildOperandMapsIfNecessary):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        (JSC::DFG::canInlineOpcode):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::needsActivation):
        * dfg/DFGNode.h:
        (DFG):
        (JSC::DFG::Node::storageAccessDataIndex):
        (Node):
        (JSC::DFG::Node::hasFunctionDeclIndex):
        (JSC::DFG::Node::functionDeclIndex):
        (JSC::DFG::Node::hasFunctionExprIndex):
        (JSC::DFG::Node::functionExprIndex):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck):
        (DFG):
        (JSC::DFG::SpeculativeJIT::compileNewFunctionExpression):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2012-02-25  Benjamin Poulain  <benjamin@webkit.org>

        Add an empty skeleton of KURL for WTFURL
        https://bugs.webkit.org/show_bug.cgi?id=78990

        Reviewed by Adam Barth.

        * JavaScriptCore.xcodeproj/project.pbxproj: Export the relevant classes from WTFURL
        so that can use them in WebCore.

2012-02-25  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix build for DFG disabled and LLInt enabled.

        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * llint/LLIntSlowPaths.cpp:
        (LLInt):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):

2012-02-25  Mark Hahnenberg  <mhahnenberg@apple.com>

        Fix the CopiedBlock offset alignment in a cross platform fashion
        https://bugs.webkit.org/show_bug.cgi?id=79556

        Reviewed by Filip Pizlo.

        Replaced m_payload with a payload() method that calculates the offset
        of the payload with the proper alignment. This change allows us to 
        avoid alignment-related issues in a cross-platform manner.

        * heap/CopiedAllocator.h:
        (JSC::CopiedAllocator::currentUtilization):
        * heap/CopiedBlock.h:
        (JSC::CopiedBlock::CopiedBlock):
        (JSC::CopiedBlock::payload):
        (CopiedBlock):
        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::doneFillingBlock):
        * heap/CopiedSpaceInlineMethods.h:
        (JSC::CopiedSpace::borrowBlock):
        (JSC::CopiedSpace::allocateFromBlock):

2012-02-24  Michael Saboff  <msaboff@apple.com>

        Unreviewed, Windows build fix.  Changed signature in export to match
        change made in r108858.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-02-24  Filip Pizlo  <fpizlo@apple.com>

        DFG support for op_new_regexp should be enabled
        https://bugs.webkit.org/show_bug.cgi?id=79538

        Reviewed by Oliver Hunt.
        
        No performance change.

        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        * dfg/DFGCommon.h:

2012-02-24  Michael Saboff  <msaboff@apple.com>

        ASSERT(position < 0) in JSC::Yarr::Interpreter::InputStream::readChecked
        https://bugs.webkit.org/show_bug.cgi?id=73728

        Reviewed by Gavin Barraclough.

        Fixed the mixing of signed and unsigned character indeces in YARR
        interpreter.

        * runtime/RegExp.cpp:
        (JSC::RegExp::match): Added code to check for match longer than 2^31 and
        return no match after resetting the offsets.
        * yarr/YarrInterpreter.cpp: Changed to use unsigned for all character index
        handling except when matching back references.
        (JSC::Yarr::Interpreter::InputStream::readChecked):
        (JSC::Yarr::Interpreter::InputStream::checkInput):
        (JSC::Yarr::Interpreter::InputStream::uncheckInput):
        (JSC::Yarr::Interpreter::InputStream::atStart):
        (JSC::Yarr::Interpreter::InputStream::atEnd):
        (JSC::Yarr::Interpreter::InputStream::isAvailableInput):
        (JSC::Yarr::Interpreter::checkCharacter):
        (JSC::Yarr::Interpreter::checkCasedCharacter):
        (JSC::Yarr::Interpreter::checkCharacterClass):
        (JSC::Yarr::Interpreter::tryConsumeBackReference):
        (JSC::Yarr::Interpreter::matchAssertionBOL):
        (JSC::Yarr::Interpreter::matchAssertionWordBoundary):
        (JSC::Yarr::Interpreter::backtrackPatternCharacter):
        (JSC::Yarr::Interpreter::backtrackPatternCasedCharacter):
        (JSC::Yarr::Interpreter::matchCharacterClass):
        (JSC::Yarr::Interpreter::backtrackCharacterClass):
        (JSC::Yarr::Interpreter::matchParenthesesOnceBegin):
        (JSC::Yarr::Interpreter::matchDisjunction):
        (JSC::Yarr::Interpreter::interpret):
        (JSC::Yarr::ByteCompiler::assertionBOL):
        (JSC::Yarr::ByteCompiler::assertionEOL):
        (JSC::Yarr::ByteCompiler::assertionWordBoundary):
        (JSC::Yarr::ByteCompiler::atomPatternCharacter):
        (JSC::Yarr::ByteCompiler::atomCharacterClass):
        (JSC::Yarr::ByteCompiler::atomBackReference):
        (JSC::Yarr::ByteCompiler::atomParenthesesOnceBegin):
        (JSC::Yarr::ByteCompiler::atomParenthesesTerminalBegin):
        (JSC::Yarr::ByteCompiler::atomParenthesesSubpatternBegin):
        (JSC::Yarr::ByteCompiler::atomParentheticalAssertionEnd):
        (JSC::Yarr::ByteCompiler::emitDisjunction):
        * yarr/YarrInterpreter.h:

2012-02-24  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, build fix for builds where the DFG is disabled but the LLInt is
        enabled.

        * llint/LLIntOfflineAsmConfig.h:
        * llint/LowLevelInterpreter.asm:

2012-02-24  Filip Pizlo  <fpizlo@apple.com>

        DFG should be able to handle variables getting captured
        https://bugs.webkit.org/show_bug.cgi?id=79469

        Reviewed by Oliver Hunt.
        
        Made captured variables work by placing a Flush on the SetLocal and
        forcing the emission of the GetLocal even if copy propagation tells us
        who has the value.
        
        Changed the CFA and various prediction codes to understand that we can't
        really prove anything about captured variables. Well, we could in the
        future by just looking at what side effects are happening, but in this
        first cut we just assume that we can't reason about captured variables.
        
        Also added a mode where the DFG pretends that all variables and arguments
        got captured. Used this mode to harden the code.
        
        This is performance neutral. Capturing all variables is a slow down, but
        not too big of one. This seems to predict that when we add activation
        support, the amount of speed benefit we'll get from increased coverage
        will far outweigh the pessimism that we'll have to endure for captured
        variables.

        * bytecode/CodeType.h:
        (JSC::codeTypeToString):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::initialize):
        (JSC::DFG::AbstractState::endBasicBlock):
        (JSC::DFG::AbstractState::execute):
        (JSC::DFG::AbstractState::merge):
        * dfg/DFGAbstractState.h:
        (AbstractState):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getLocal):
        (JSC::DFG::ByteCodeParser::setLocal):
        (JSC::DFG::ByteCodeParser::getArgument):
        (JSC::DFG::ByteCodeParser::setArgument):
        (JSC::DFG::ByteCodeParser::flushArgument):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::processPhiStack):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::mightInlineFunctionForCall):
        (JSC::DFG::mightInlineFunctionForConstruct):
        * dfg/DFGCommon.h:
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::needsActivation):
        (Graph):
        (JSC::DFG::Graph::argumentIsCaptured):
        (JSC::DFG::Graph::localIsCaptured):
        (JSC::DFG::Graph::isCaptured):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldGenerate):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
        * dfg/DFGSpeculativeJIT.cpp:
        (DFG):
        (JSC::DFG::ValueSource::dump):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        (ValueSource):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        (JSC::DFG::VirtualRegisterAllocationPhase::run):

2012-02-24  Gavin Barraclough  <barraclough@apple.com>

        Should not allow malformed \x escapes
        https://bugs.webkit.org/show_bug.cgi?id=79462

        Reviewed by Oliver Hunt.

        * parser/Lexer.cpp:
        (JSC::::parseString):
        (JSC::::parseStringSlowCase):
            - Prohibit malformed '\x' escapes
        * tests/mozilla/ecma/Array/15.4.5.1-1.js:
        * tests/mozilla/ecma/LexicalConventions/7.7.4.js:
        * tests/mozilla/ecma_2/RegExp/hex-001.js:
        * tests/mozilla/js1_2/regexp/hexadecimal.js:
            - Remove erroneous test cases (correct behaviour is tested by LayoutTests/sputnik).

2012-02-24  Daniel Bates  <dbates@webkit.org>

        Fix change log entry for changeset r108819; add bug URL
        https://bugs.webkit.org/show_bug.cgi?id=79504

        Changeset r108819 is associated with bug #79504.

        * ChangeLog

2012-02-24  Daniel Bates  <dbates@webkit.org>

        Substitute ENABLE(CLASSIC_INTERPRETER) for ENABLE(INTERPRETER) in Interpreter.cpp
        https://bugs.webkit.org/show_bug.cgi?id=79504

        Reviewed by Oliver Hunt.

        There are a few places in Interpreter.cpp that need to be updated to use
        ENABLE(CLASSIC_INTERPRETER) following the renaming of ENABLE_INTERPRETER to
        ENABLE_CLASSIC_INTERPRETER in changeset <http://trac.webkit.org/changeset/108020>
        (https://bugs.webkit.org/show_bug.cgi?id=78791).

        * interpreter/Interpreter.cpp:
        (JSC::getLineNumberForCallFrame):
        (JSC::getCallerInfo):
        (JSC::getSourceURLFromCallFrame):

2012-02-24  Adam Roben  <aroben@apple.com>

        Undo the BUILDING_WTF part of r108808

        This broke the build, which is obviously worse than the linker warning it was trying to
        solve.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreCommon.vsprops:

2012-02-24  Adam Roben  <aroben@apple.com>

        Fix linker warnings on Windows

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Removed symbols that are already
        exported via JS_EXPORTDATA.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreCommon.vsprops: Define BUILDING_WTF. We
        aren't actually building WTF, but we are statically linking it, so we need to define this
        symbol so that we export WTF's exports.

2012-02-24  Philippe Normand  <pnormand@igalia.com>

        Fix GTK WebAudio build for WebKitGTK 1.7.90.

        Patch by Priit Laes <plaes@plaes.org> on 2012-02-24
        Rubber-stamped by Philippe Normand.

        * GNUmakefile.list.am: Add Complex.h to the list of files so it
        gets disted in the tarballs.

2012-02-24  Zoltan Herczeg  <zherczeg@webkit.org>

        [Qt] Buildfix for "Zero out CopiedBlocks on initialization".
        https://bugs.webkit.org/show_bug.cgi?id=79199

        Ruber stamped by Csaba Osztrogonác.

        Temporary fix since the new member wastes a little space on
        64 bit systems. Although it is harmless, it is only needed
        for 32 bit systems.

        * heap/CopiedBlock.h:
        (CopiedBlock):

2012-02-24  Han Hojong  <hojong.han@samsung.com>

        Remove useless jump instructions for short circuit
        https://bugs.webkit.org/show_bug.cgi?id=75602

        Reviewed by Michael Saboff.

        Jump instruction is inserted to make short circuit, 
        however it does nothing but moving to the next instruction.
        Therefore useless jump instructions are removed, 
        and jump list is moved into the case not for a short circuit,
        so that only necessary instructions are added to JIT code
        unless it has a 16 bit pattern character and an 8 bit string.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generatePatternCharacterGreedy):
        (JSC::Yarr::YarrGenerator::backtrackPatternCharacterNonGreedy):

2012-02-24  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r108731.
        http://trac.webkit.org/changeset/108731
        https://bugs.webkit.org/show_bug.cgi?id=79464

        Broke Chromium Win tests (Requested by bashi on #webkit).

        * wtf/Platform.h:

2012-02-24  Andrew Lo  <anlo@rim.com>

        [BlackBerry] Enable requestAnimationFrame
        https://bugs.webkit.org/show_bug.cgi?id=79408

        Use timer implementation of requestAnimationFrame on BlackBerry.

        Reviewed by Rob Buis.

        * wtf/Platform.h:

2012-02-24  Mathias Bynens  <mathias@qiwi.be>

        `\u200c` and `\u200d` should be allowed in IdentifierPart, as per ES5
        https://bugs.webkit.org/show_bug.cgi?id=78908

        Add additional checks for zero-width non-joiner (0x200C) and
        zero-width joiner (0x200D) characters.

        Reviewed by Michael Saboff.

        * parser/Lexer.cpp:
        (JSC::isNonASCIIIdentPart)
        * runtime/LiteralParser.cpp:
        (JSC::::Lexer::lexIdentifier)

2012-02-23  Kenichi Ishibashi  <bashi@chromium.org>

        Adding WebSocket per-frame DEFLATE extension
        https://bugs.webkit.org/show_bug.cgi?id=77522

        Added USE(ZLIB) flag.

        Reviewed by Kent Tamura.

        * wtf/Platform.h:

2012-02-23  Mark Hahnenberg  <mhahnenberg@apple.com>

        Zero out CopiedBlocks on initialization
        https://bugs.webkit.org/show_bug.cgi?id=79199

        Reviewed by Filip Pizlo.

        Made CopyBlocks zero their payloads during construction. This allows 
        JSArray to avoid having to manually clear its backing store upon allocation
        and also alleviates any future pain with regard to the garbage collector trying 
        to mark what it thinks are values in what is actually uninitialized memory.

        * heap/CopiedBlock.h:
        (JSC::CopiedBlock::CopiedBlock):
        * runtime/JSArray.cpp:
        (JSC::JSArray::finishCreation):
        (JSC::JSArray::tryFinishCreationUninitialized):
        (JSC::JSArray::increaseVectorLength):
        (JSC::JSArray::unshiftCountSlowCase):

2012-02-23  Oliver Hunt  <oliver@apple.com>

        Make Interpreter::getStackTrace be able to generate the line number for the top callframe if none is provided
        https://bugs.webkit.org/show_bug.cgi?id=79407

        Reviewed by Gavin Barraclough.

        Outside of exception handling, we don't know what our source line number is.  This
        change allows us to pass -1 is as the initial line number, and get the correct line
        number in the resultant stack trace.  We can't completely elide the initial line
        number (yet) due to some idiosyncrasies of the exception handling machinery.

        * interpreter/Interpreter.cpp:
        (JSC::getLineNumberForCallFrame):
        (JSC):
        (JSC::Interpreter::getStackTrace):

2012-02-22  Filip Pizlo  <fpizlo@apple.com>

        DFG OSR exit value profiling should have graceful handling of local variables and arguments
        https://bugs.webkit.org/show_bug.cgi?id=79310

        Reviewed by Gavin Barraclough.
        
        Previously, if we OSR exited because a prediction in a local was wrong, we'd
        only realize what the true type of the local was if the regular value profiling
        kicked in and told us. Unless the local was block-locally copy propagated, in
        which case we'd know from an OSR exit profile.
        
        This patch adds OSR exit profiling to all locals and arguments. Now, if we OSR
        exit because of a mispredicted local or argument type, we'll know what the type of
        the local or argument should be immediately upon exiting.
        
        The way that local variable OSR exit profiling works is that we now have a lazily
        added set of OSR-exit-only value profiles for exit sites that are BadType and that
        cited a GetLocal as their value source. The value profiles are only added if the
        OSR exit is taken, and are keyed by CodeBlock, bytecode index of the GetLocal, and
        operand. The look-up is performed by querying the
        CompressedLazyOperandValueProfileHolder in the CodeBlock, using a key that contains
        the bytecode index and the operand. Because the value profiles are added at random
        times, they are not sorted; instead they are just stored in an arbitrarily-ordered
        SegmentedVector. Look-ups are made fast by "decompressing": the DFG::ByteCodeParser
        creates a LazyOperandValueProfileParser, which turns the
        CompressedLazyOperandValueProfileHolder's contents into a HashMap for the duration
        of DFG parsing.
        
        Previously, OSR exits had a pointer to the ValueProfile that had the specFailBucket
        into which values observed during OSR exit would be placed. Now it uses a lazy
        thunk for a ValueProfile. I call this the MethodOfGettingAValueProfile. It may
        either contain a ValueProfile inside it (which works for previous uses of OSR exit
        profiling) or it may just have knowledge of how to go about creating the
        LazyOperandValueProfile in the case that the OSR exit is actually taken. This
        ensures that we never have to create NumOperands*NumBytecodeIndices*NumCodeBlocks
        value profiling buckets unless we actually did OSR exit on every single operand,
        in every single instruction, in each code block (that's probably unlikely).
        
        This appears to be neutral on the major benchmarks, but is a double-digit speed-up
        on code deliberately written to have data flow that spans basic blocks and where
        the code exhibits post-optimization polymorphism in a local variable.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::stronglyVisitStrongReferences):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        (JSC::CodeBlock::lazyOperandValueProfiles):
        * bytecode/LazyOperandValueProfile.cpp: Added.
        (JSC):
        (JSC::CompressedLazyOperandValueProfileHolder::CompressedLazyOperandValueProfileHolder):
        (JSC::CompressedLazyOperandValueProfileHolder::~CompressedLazyOperandValueProfileHolder):
        (JSC::CompressedLazyOperandValueProfileHolder::computeUpdatedPredictions):
        (JSC::CompressedLazyOperandValueProfileHolder::add):
        (JSC::LazyOperandValueProfileParser::LazyOperandValueProfileParser):
        (JSC::LazyOperandValueProfileParser::~LazyOperandValueProfileParser):
        (JSC::LazyOperandValueProfileParser::getIfPresent):
        (JSC::LazyOperandValueProfileParser::prediction):
        * bytecode/LazyOperandValueProfile.h: Added.
        (JSC):
        (LazyOperandValueProfileKey):
        (JSC::LazyOperandValueProfileKey::LazyOperandValueProfileKey):
        (JSC::LazyOperandValueProfileKey::operator!):
        (JSC::LazyOperandValueProfileKey::operator==):
        (JSC::LazyOperandValueProfileKey::hash):
        (JSC::LazyOperandValueProfileKey::bytecodeOffset):
        (JSC::LazyOperandValueProfileKey::operand):
        (JSC::LazyOperandValueProfileKey::isHashTableDeletedValue):
        (JSC::LazyOperandValueProfileKeyHash::hash):
        (JSC::LazyOperandValueProfileKeyHash::equal):
        (LazyOperandValueProfileKeyHash):
        (WTF):
        (JSC::LazyOperandValueProfile::LazyOperandValueProfile):
        (LazyOperandValueProfile):
        (JSC::LazyOperandValueProfile::key):
        (CompressedLazyOperandValueProfileHolder):
        (LazyOperandValueProfileParser):
        * bytecode/MethodOfGettingAValueProfile.cpp: Added.
        (JSC):
        (JSC::MethodOfGettingAValueProfile::fromLazyOperand):
        (JSC::MethodOfGettingAValueProfile::getSpecFailBucket):
        * bytecode/MethodOfGettingAValueProfile.h: Added.
        (JSC):
        (MethodOfGettingAValueProfile):
        (JSC::MethodOfGettingAValueProfile::MethodOfGettingAValueProfile):
        (JSC::MethodOfGettingAValueProfile::operator!):
        * bytecode/ValueProfile.cpp: Removed.
        * bytecode/ValueProfile.h:
        (JSC):
        (ValueProfileBase):
        (JSC::ValueProfileBase::ValueProfileBase):
        (JSC::ValueProfileBase::dump):
        (JSC::ValueProfileBase::computeUpdatedPrediction):
        (JSC::MinimalValueProfile::MinimalValueProfile):
        (ValueProfileWithLogNumberOfBuckets):
        (JSC::ValueProfileWithLogNumberOfBuckets::ValueProfileWithLogNumberOfBuckets):
        (JSC::ValueProfile::ValueProfile):
        (JSC::getValueProfileBytecodeOffset):
        (JSC::getRareCaseProfileBytecodeOffset):
        * dfg/DFGByteCodeParser.cpp:
        (ByteCodeParser):
        (JSC::DFG::ByteCodeParser::injectLazyOperandPrediction):
        (JSC::DFG::ByteCodeParser::getLocal):
        (JSC::DFG::ByteCodeParser::getArgument):
        (InlineStackEntry):
        (JSC::DFG::ByteCodeParser::fixVariableAccessPredictions):
        (DFG):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::valueProfileFor):
        (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
        (Graph):
        * dfg/DFGNode.h:
        (Node):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::OSRExit):
        * dfg/DFGOSRExit.h:
        (OSRExit):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGPhase.cpp:
        (JSC::DFG::Phase::beginPhase):
        (JSC::DFG::Phase::endPhase):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::speculationCheck):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::nonUnifiedPrediction):
        (VariableAccessData):

2012-02-23  Filip Pizlo  <fpizlo@apple.com>

        Build fix.

        * llint/LLIntOffsetsExtractor.cpp:

2012-02-23  Kevin Ollivier  <kevino@theolliviers.com>

        [wx] Build fix, disable LLINT for now and fix ENABLE defines for it.

        * llint/LLIntOffsetsExtractor.cpp:
        * wtf/Platform.h:

2012-02-23  Kevin Ollivier  <kevino@theolliviers.com>

        [wx] Build fix for non-Mac wx builds.

        * runtime/DatePrototype.cpp:

2012-02-22  Filip Pizlo  <fpizlo@apple.com>

        DFG's logic for emitting a Flush is too convoluted and contains an inaccurate comment
        https://bugs.webkit.org/show_bug.cgi?id=79334

        Reviewed by Oliver Hunt.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getLocal):
        (JSC::DFG::ByteCodeParser::getArgument):
        (JSC::DFG::ByteCodeParser::flush):

2012-02-23  Gavin Barraclough  <barraclough@apple.com>

        Object.isSealed / Object.isFrozen don't work for native objects
        https://bugs.webkit.org/show_bug.cgi?id=79331

        Reviewed by Sam Weinig.

        Need to inspect all properties, including static ones.
        This exposes a couple of bugs in Array & Arguments:
            - getOwnPropertyDescriptor doesn't correctly report the writable attribute of array length.
            - Arguments object's defineOwnProperty does not handle callee/caller/length correctly.

        * runtime/Arguments.cpp:
        (JSC::Arguments::defineOwnProperty):
            - Add handling for callee/caller/length.
        * runtime/JSArray.cpp:
        (JSC::JSArray::getOwnPropertyDescriptor):
            - report length's writability correctly.
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorSeal):
        (JSC::objectConstructorFreeze):
        (JSC::objectConstructorIsSealed):
        (JSC::objectConstructorIsFrozen):
            - Add spec-based implementation for non-final objects.

2012-02-23  Gavin Barraclough  <barraclough@apple.com>

        pop of array hole should get from the prototype chain
        https://bugs.webkit.org/show_bug.cgi?id=79338

        Reviewed by Sam Weinig.

        * runtime/JSArray.cpp:
        (JSC::JSArray::pop):
            - If the fast fast vector case fails, more closely follow the spec.

2012-02-23  Yong Li  <yoli@rim.com>

        JSString::outOfMemory() should ASSERT(isRope()) rather than !isRope()
        https://bugs.webkit.org/show_bug.cgi?id=79268

        Reviewed by Michael Saboff.

        resolveRope() is the only caller of outOfMemory(), and it calls outOfMemory()
        after it fails to allocate a buffer for m_value. So outOfMemory() should assert
        isRope() rather than !isRope().

        * runtime/JSString.cpp:
        (JSC::JSString::outOfMemory):

2012-02-23  Patrick Gansterer  <paroga@webkit.org>

        [CMake] Add WEBKIT_INCLUDE_CONFIG_FILES_IF_EXISTS macro
        https://bugs.webkit.org/show_bug.cgi?id=79371

        Reviewed by Daniel Bates.

        * CMakeLists.txt:
        * shell/CMakeLists.txt:
        * wtf/CMakeLists.txt:

2012-02-23  Aron Rosenberg  <arosenberg@logitech.com>

        Fix the PRI macros used in WTF::String formatters to be compatible with Qt and Visual Studio 2005 and newer.
        https://bugs.webkit.org/show_bug.cgi?id=76210

        Add compile time check for Visual Studio 2005 or newer.

        Reviewed by Simon Hausmann.

        * os-win32/inttypes.h:

2012-02-22  Gavin Barraclough  <barraclough@apple.com>

        Implement [[DefineOwnProperty]] for the arguments object
        https://bugs.webkit.org/show_bug.cgi?id=79309

        Reviewed by Sam Weinig.

        * runtime/Arguments.cpp:
        (JSC::Arguments::deletePropertyByIndex):
        (JSC::Arguments::deleteProperty):
            - Deleting an argument should also delete the copy on the object, if any.
        (JSC::Arguments::defineOwnProperty):
            - Defining a property may override the live mapping.
        * runtime/Arguments.h:
        (Arguments):

2012-02-22  Gavin Barraclough  <barraclough@apple.com>

        Fix Object.freeze for non-final objects.
        https://bugs.webkit.org/show_bug.cgi?id=79286

        Reviewed by Oliver Hunt.

        For vanilla objects we implement this with a single transition, for objects
        with special properties we should just follow the spec defined algorithm.

        * runtime/JSArray.cpp:
        (JSC::SparseArrayValueMap::put):
            - this does need to handle inextensible objects.
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorSeal):
        (JSC::objectConstructorFreeze):
            - Implement spec defined algorithm for non-final objects.
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::freezeTransition):
            - freeze should set m_hasReadOnlyOrGetterSetterPropertiesExcludingProto.
        * runtime/Structure.h:
        (JSC::Structure::hasReadOnlyOrGetterSetterPropertiesExcludingProto):
        (JSC::Structure::setHasGetterSetterProperties):
        (JSC::Structure::setContainsReadOnlyProperties):
        (Structure):
            - renamed m_hasReadOnlyOrGetterSetterPropertiesExcludingProto.

2012-02-22  Mark Hahnenberg  <mhahnenberg@apple.com>

        Allocations from CopiedBlocks should always be 8-byte aligned
        https://bugs.webkit.org/show_bug.cgi?id=79271

        Reviewed by Geoffrey Garen.

        * heap/CopiedAllocator.h:
        (JSC::CopiedAllocator::allocate):
        * heap/CopiedBlock.h: Changed to add padding so that the start of the payload is always 
        guaranteed to be 8 byte aligned on both 64- and 32-bit platforms.
        (CopiedBlock):
        * heap/CopiedSpace.cpp: Changed all assertions of isPointerAligned to is8ByteAligned.
        (JSC::CopiedSpace::tryAllocateOversize):
        (JSC::CopiedSpace::getFreshBlock):
        * heap/CopiedSpaceInlineMethods.h:
        (JSC::CopiedSpace::allocateFromBlock):
        * runtime/JSArray.h:
        (ArrayStorage): Added padding for ArrayStorage to make sure that it is always 8 byte 
        aligned on both 64- and 32-bit platforms.
        * wtf/StdLibExtras.h:
        (WTF::is8ByteAligned): Added new utility function that functions similarly to the 
        way isPointerAligned does, but it just always checks for 8 byte alignment.
        (WTF):

2012-02-22  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r108456.
        http://trac.webkit.org/changeset/108456
        https://bugs.webkit.org/show_bug.cgi?id=79223

        Broke fast/regex/pcre-test-4.html and cannot find anyone on
        IRC (Requested by zherczeg on #webkit).

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::backtrackPatternCharacterGreedy):

2012-02-22  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r108468.
        http://trac.webkit.org/changeset/108468
        https://bugs.webkit.org/show_bug.cgi?id=79219

        Broke Chromium Win release build (Requested by bashi on
        #webkit).

        * wtf/Platform.h:

2012-02-22  Kenichi Ishibashi  <bashi@chromium.org>

        Adding WebSocket per-frame DEFLATE extension
        https://bugs.webkit.org/show_bug.cgi?id=77522

        Added USE(ZLIB) flag.

        Reviewed by Kent Tamura.

        * wtf/Platform.h:

2012-02-22  Hojong Han  <hojong.han@samsung.com>

        Short circuit fixed for a 16 bt pattern character and an 8 bit string.
        https://bugs.webkit.org/show_bug.cgi?id=75602

        Reviewed by Gavin Barraclough.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::backtrackPatternCharacterGreedy):

2012-02-21  Filip Pizlo  <fpizlo@apple.com>

        Build fix for systems with case sensitive disks.

        * llint/LLIntOfflineAsmConfig.h:

2012-02-21  Filip Pizlo  <fpizlo@apple.com>

        JSC should be a triple-tier VM
        https://bugs.webkit.org/show_bug.cgi?id=75812
        <rdar://problem/10079694>

        Reviewed by Gavin Barraclough.
        
        Implemented an interpreter that uses the JIT's calling convention. This
        interpreter is called LLInt, or the Low Level Interpreter. JSC will now
        will start by executing code in LLInt and will only tier up to the old
        JIT after the code is proven hot.
        
        LLInt is written in a modified form of our macro assembly. This new macro
        assembly is compiled by an offline assembler (see offlineasm), which
        implements many modern conveniences such as a Turing-complete CPS-based
        macro language and direct access to relevant C++ type information
        (basically offsets of fields and sizes of structs/classes).
        
        Code executing in LLInt appears to the rest of the JSC world "as if" it
        were executing in the old JIT. Hence, things like exception handling and
        cross-execution-engine calls just work and require pretty much no
        additional overhead.
        
        This interpreter is 2-2.5x faster than our old interpreter on SunSpider,
        V8, and Kraken. With triple-tiering turned on, we're neutral on SunSpider,
        V8, and Kraken, but appear to get a double-digit improvement on real-world
        websites due to a huge reduction in the amount of JIT'ing.
        
        * CMakeLists.txt:
        * GNUmakefile.am:
        * GNUmakefile.list.am:
        * JavaScriptCore.pri:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreCommon.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/copy-files.cmd:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * assembler/LinkBuffer.h:
        * assembler/MacroAssemblerCodeRef.h:
        (MacroAssemblerCodePtr):
        (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
        * bytecode/BytecodeConventions.h: Added.
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFromLLInt):
        (JSC):
        (JSC::CallLinkStatus::computeFor):
        * bytecode/CallLinkStatus.h:
        (JSC::CallLinkStatus::isSet):
        (JSC::CallLinkStatus::operator!):
        (CallLinkStatus):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::stronglyVisitStrongReferences):
        (JSC):
        (JSC::CodeBlock::unlinkCalls):
        (JSC::CodeBlock::unlinkIncomingCalls):
        (JSC::CodeBlock::bytecodeOffset):
        (JSC::ProgramCodeBlock::jettison):
        (JSC::EvalCodeBlock::jettison):
        (JSC::FunctionCodeBlock::jettison):
        (JSC::ProgramCodeBlock::jitCompileImpl):
        (JSC::EvalCodeBlock::jitCompileImpl):
        (JSC::FunctionCodeBlock::jitCompileImpl):
        * bytecode/CodeBlock.h:
        (JSC):
        (CodeBlock):
        (JSC::CodeBlock::baselineVersion):
        (JSC::CodeBlock::linkIncomingCall):
        (JSC::CodeBlock::bytecodeOffset):
        (JSC::CodeBlock::jitCompile):
        (JSC::CodeBlock::hasOptimizedReplacement):
        (JSC::CodeBlock::addPropertyAccessInstruction):
        (JSC::CodeBlock::addGlobalResolveInstruction):
        (JSC::CodeBlock::addLLIntCallLinkInfo):
        (JSC::CodeBlock::addGlobalResolveInfo):
        (JSC::CodeBlock::numberOfMethodCallLinkInfos):
        (JSC::CodeBlock::valueProfilePredictionForBytecodeOffset):
        (JSC::CodeBlock::likelyToTakeSlowCase):
        (JSC::CodeBlock::couldTakeSlowCase):
        (JSC::CodeBlock::likelyToTakeSpecialFastCase):
        (JSC::CodeBlock::likelyToTakeDeepestSlowCase):
        (JSC::CodeBlock::likelyToTakeAnySlowCase):
        (JSC::CodeBlock::addFrequentExitSite):
        (JSC::CodeBlock::dontJITAnytimeSoon):
        (JSC::CodeBlock::jitAfterWarmUp):
        (JSC::CodeBlock::jitSoon):
        (JSC::CodeBlock::llintExecuteCounter):
        (ProgramCodeBlock):
        (EvalCodeBlock):
        (FunctionCodeBlock):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        (JSC):
        (JSC::GetByIdStatus::computeFor):
        * bytecode/GetByIdStatus.h:
        (JSC::GetByIdStatus::GetByIdStatus):
        (JSC::GetByIdStatus::wasSeenInJIT):
        (GetByIdStatus):
        * bytecode/Instruction.h:
        (JSC):
        (JSC::Instruction::Instruction):
        (Instruction):
        * bytecode/LLIntCallLinkInfo.h: Added.
        (JSC):
        (JSC::LLIntCallLinkInfo::LLIntCallLinkInfo):
        (LLIntCallLinkInfo):
        (JSC::LLIntCallLinkInfo::~LLIntCallLinkInfo):
        (JSC::LLIntCallLinkInfo::isLinked):
        (JSC::LLIntCallLinkInfo::unlink):
        * bytecode/MethodCallLinkStatus.cpp:
        (JSC::MethodCallLinkStatus::computeFor):
        * bytecode/Opcode.cpp:
        (JSC):
        * bytecode/Opcode.h:
        (JSC):
        (JSC::padOpcodeName):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFromLLInt):
        (JSC):
        (JSC::PutByIdStatus::computeFor):
        * bytecode/PutByIdStatus.h:
        (PutByIdStatus):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitResolve):
        (JSC::BytecodeGenerator::emitResolveWithBase):
        (JSC::BytecodeGenerator::emitGetById):
        (JSC::BytecodeGenerator::emitPutById):
        (JSC::BytecodeGenerator::emitDirectPutById):
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitConstruct):
        (JSC::BytecodeGenerator::emitCatch):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOperations.cpp:
        * heap/Heap.h:
        (JSC):
        (JSC::Heap::firstAllocatorWithoutDestructors):
        (Heap):
        * heap/MarkStack.cpp:
        (JSC::visitChildren):
        * heap/MarkedAllocator.h:
        (JSC):
        (MarkedAllocator):
        * heap/MarkedSpace.h:
        (JSC):
        (MarkedSpace):
        (JSC::MarkedSpace::firstAllocator):
        * interpreter/CallFrame.cpp:
        (JSC):
        (JSC::CallFrame::bytecodeOffsetForNonDFGCode):
        (JSC::CallFrame::setBytecodeOffsetForNonDFGCode):
        (JSC::CallFrame::currentVPC):
        (JSC::CallFrame::setCurrentVPC):
        (JSC::CallFrame::trueCallerFrame):
        * interpreter/CallFrame.h:
        (JSC::ExecState::hasReturnPC):
        (JSC::ExecState::clearReturnPC):
        (ExecState):
        (JSC::ExecState::bytecodeOffsetForNonDFGCode):
        (JSC::ExecState::currentVPC):
        (JSC::ExecState::setCurrentVPC):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::Interpreter):
        (JSC::Interpreter::~Interpreter):
        (JSC):
        (JSC::Interpreter::initialize):
        (JSC::Interpreter::isOpcode):
        (JSC::Interpreter::unwindCallFrame):
        (JSC::getCallerInfo):
        (JSC::Interpreter::privateExecute):
        (JSC::Interpreter::retrieveLastCaller):
        * interpreter/Interpreter.h:
        (JSC):
        (Interpreter):
        (JSC::Interpreter::getOpcode):
        (JSC::Interpreter::getOpcodeID):
        (JSC::Interpreter::classicEnabled):
        * interpreter/RegisterFile.h:
        (JSC):
        (RegisterFile):
        * jit/ExecutableAllocator.h:
        (JSC):
        * jit/HostCallReturnValue.cpp: Added.
        (JSC):
        (JSC::getHostCallReturnValueWithExecState):
        * jit/HostCallReturnValue.h: Added.
        (JSC):
        (JSC::initializeHostCallReturnValue):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::privateCompile):
        * jit/JITCode.h:
        (JSC::JITCode::isOptimizingJIT):
        (JITCode):
        (JSC::JITCode::isBaselineCode):
        (JSC::JITCode::JITCode):
        * jit/JITDriver.h:
        (JSC::jitCompileIfAppropriate):
        (JSC::jitCompileFunctionIfAppropriate):
        * jit/JITExceptions.cpp:
        (JSC::jitThrow):
        * jit/JITInlineMethods.h:
        (JSC::JIT::updateTopCallFrame):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC):
        * jit/JITStubs.h:
        (JSC):
        * jit/JSInterfaceJIT.h:
        * llint: Added.
        * llint/LLIntCommon.h: Added.
        * llint/LLIntData.cpp: Added.
        (LLInt):
        (JSC::LLInt::Data::Data):
        (JSC::LLInt::Data::performAssertions):
        (JSC::LLInt::Data::~Data):
        * llint/LLIntData.h: Added.
        (JSC):
        (LLInt):
        (Data):
        (JSC::LLInt::Data::exceptionInstructions):
        (JSC::LLInt::Data::opcodeMap):
        (JSC::LLInt::Data::performAssertions):
        * llint/LLIntEntrypoints.cpp: Added.
        (LLInt):
        (JSC::LLInt::getFunctionEntrypoint):
        (JSC::LLInt::getEvalEntrypoint):
        (JSC::LLInt::getProgramEntrypoint):
        * llint/LLIntEntrypoints.h: Added.
        (JSC):
        (LLInt):
        (JSC::LLInt::getEntrypoint):
        * llint/LLIntExceptions.cpp: Added.
        (LLInt):
        (JSC::LLInt::interpreterThrowInCaller):
        (JSC::LLInt::returnToThrowForThrownException):
        (JSC::LLInt::returnToThrow):
        (JSC::LLInt::callToThrow):
        * llint/LLIntExceptions.h: Added.
        (JSC):
        (LLInt):
        * llint/LLIntOfflineAsmConfig.h: Added.
        * llint/LLIntOffsetsExtractor.cpp: Added.
        (JSC):
        (LLIntOffsetsExtractor):
        (JSC::LLIntOffsetsExtractor::dummy):
        (main):
        * llint/LLIntSlowPaths.cpp: Added.
        (LLInt):
        (JSC::LLInt::llint_trace_operand):
        (JSC::LLInt::llint_trace_value):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::traceFunctionPrologue):
        (JSC::LLInt::shouldJIT):
        (JSC::LLInt::entryOSR):
        (JSC::LLInt::resolveGlobal):
        (JSC::LLInt::getByVal):
        (JSC::LLInt::handleHostCall):
        (JSC::LLInt::setUpCall):
        (JSC::LLInt::genericCall):
        * llint/LLIntSlowPaths.h: Added.
        (JSC):
        (LLInt):
        * llint/LLIntThunks.cpp: Added.
        (LLInt):
        (JSC::LLInt::generateThunkWithJumpTo):
        (JSC::LLInt::functionForCallEntryThunkGenerator):
        (JSC::LLInt::functionForConstructEntryThunkGenerator):
        (JSC::LLInt::functionForCallArityCheckThunkGenerator):
        (JSC::LLInt::functionForConstructArityCheckThunkGenerator):
        (JSC::LLInt::evalEntryThunkGenerator):
        (JSC::LLInt::programEntryThunkGenerator):
        * llint/LLIntThunks.h: Added.
        (JSC):
        (LLInt):
        * llint/LowLevelInterpreter.asm: Added.
        * llint/LowLevelInterpreter.cpp: Added.
        * llint/LowLevelInterpreter.h: Added.
        * offlineasm: Added.
        * offlineasm/armv7.rb: Added.
        * offlineasm/asm.rb: Added.
        * offlineasm/ast.rb: Added.
        * offlineasm/backends.rb: Added.
        * offlineasm/generate_offset_extractor.rb: Added.
        * offlineasm/instructions.rb: Added.
        * offlineasm/offset_extractor_constants.rb: Added.
        * offlineasm/offsets.rb: Added.
        * offlineasm/opt.rb: Added.
        * offlineasm/parser.rb: Added.
        * offlineasm/registers.rb: Added.
        * offlineasm/self_hash.rb: Added.
        * offlineasm/settings.rb: Added.
        * offlineasm/transform.rb: Added.
        * offlineasm/x86.rb: Added.
        * runtime/CodeSpecializationKind.h: Added.
        (JSC):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::arityCheckFor):
        (CommonSlowPaths):
        * runtime/Executable.cpp:
        (JSC::jettisonCodeBlock):
        (JSC):
        (JSC::EvalExecutable::jitCompile):
        (JSC::samplingDescription):
        (JSC::EvalExecutable::compileInternal):
        (JSC::ProgramExecutable::jitCompile):
        (JSC::ProgramExecutable::compileInternal):
        (JSC::FunctionExecutable::baselineCodeBlockFor):
        (JSC::FunctionExecutable::jitCompileForCall):
        (JSC::FunctionExecutable::jitCompileForConstruct):
        (JSC::FunctionExecutable::compileForCallInternal):
        (JSC::FunctionExecutable::compileForConstructInternal):
        * runtime/Executable.h:
        (JSC):
        (EvalExecutable):
        (ProgramExecutable):
        (FunctionExecutable):
        (JSC::FunctionExecutable::jitCompileFor):
        * runtime/ExecutionHarness.h: Added.
        (JSC):
        (JSC::prepareForExecution):
        (JSC::prepareFunctionForExecution):
        * runtime/JSArray.h:
        (JSC):
        (JSArray):
        * runtime/JSCell.h:
        (JSC):
        (JSCell):
        * runtime/JSFunction.h:
        (JSC):
        (JSFunction):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSC):
        (JSGlobalData):
        * runtime/JSGlobalObject.h:
        (JSC):
        (JSGlobalObject):
        * runtime/JSObject.h:
        (JSC):
        (JSObject):
        (JSFinalObject):
        * runtime/JSPropertyNameIterator.h:
        (JSC):
        (JSPropertyNameIterator):
        * runtime/JSString.h:
        (JSC):
        (JSString):
        * runtime/JSTypeInfo.h:
        (JSC):
        (TypeInfo):
        * runtime/JSValue.cpp:
        (JSC::JSValue::description):
        * runtime/JSValue.h:
        (LLInt):
        (JSValue):
        * runtime/JSVariableObject.h:
        (JSC):
        (JSVariableObject):
        * runtime/Options.cpp:
        (Options):
        (JSC::Options::initializeOptions):
        * runtime/Options.h:
        (Options):
        * runtime/ScopeChain.h:
        (JSC):
        (ScopeChainNode):
        * runtime/Structure.cpp:
        (JSC::Structure::addPropertyTransition):
        * runtime/Structure.h:
        (JSC):
        (Structure):
        * runtime/StructureChain.h:
        (JSC):
        (StructureChain):
        * wtf/InlineASM.h:
        * wtf/Platform.h:
        * wtf/SentinelLinkedList.h:
        (SentinelLinkedList):
        (WTF::SentinelLinkedList::isEmpty):
        * wtf/text/StringImpl.h:
        (JSC):
        (StringImpl):

2012-02-21  Oliver Hunt  <oliver@apple.com>

        Unbreak double-typed arrays on ARMv7
        https://bugs.webkit.org/show_bug.cgi?id=79177

        Reviewed by Gavin Barraclough.

        The existing code had completely broken address arithmetic.

        * JSCTypedArrayStubs.h:
        (JSC):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::storeDouble):
        (JSC::MacroAssemblerARMv7::storeFloat):

2012-02-21  Gavin Barraclough  <barraclough@apple.com>

        Should be able to reconfigure a non-configurable property as read-only
        https://bugs.webkit.org/show_bug.cgi?id=79170

        Reviewed by Sam Weinig.

        See ES5.1 8.12.9 10.a.i - the spec prohibits making a read-only property writable,
        but does not inhibit making a writable property read-only.

        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSC::JSGlobalData::setInDefineOwnProperty):
        (JSGlobalData):
        (JSC::JSGlobalData::isInDefineOwnProperty):
            - Added flag, tracking whether we are in JSObject::defineOwnProperty.
        * runtime/JSObject.cpp:
        (JSC::JSObject::deleteProperty):
        (DefineOwnPropertyScope):
            - Always allow properties to be deleted by DefineOwnProperty - assume it knows what it is doing!
        (JSC::DefineOwnPropertyScope::DefineOwnPropertyScope):
        (JSC::DefineOwnPropertyScope::~DefineOwnPropertyScope):
            - Added RAII helper.
        (JSC::JSObject::defineOwnProperty):
            - Track on the globalData when we are in this method.

2012-02-21  Oliver Hunt  <oliver@apple.com>

        Make TypedArrays be available in commandline jsc
        https://bugs.webkit.org/show_bug.cgi?id=79163

        Reviewed by Gavin Barraclough.

        Adds a compile time option to have jsc support a basic implementation
        of the TypedArrays available in WebCore.  This lets us test the typed
        array logic in the JIT witout having to build webcore.

        * JSCTypedArrayStubs.h: Added.
        (JSC):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (GlobalObject):
        (GlobalObject::addConstructableFunction):
        * runtime/JSGlobalData.h:
        (JSGlobalData):

2012-02-21  Tom Sepez  <tsepez@chromium.org>

        equalIgnoringNullity() only comparing half the bytes for equality
        https://bugs.webkit.org/show_bug.cgi?id=79135

        Reviewed by Adam Barth.

        * wtf/text/StringImpl.h:
        (WTF::equalIgnoringNullity):

2012-02-21  Roland Takacs  <takacs.roland@stud.u-szeged.hu>

        Unnecessary preprocessor macros in MainThread.h/cpp
        https://bugs.webkit.org/show_bug.cgi?id=79083

        Removed invalid/wrong PLATFORM(WINDOWS) preprocessor macro.

        * wtf/MainThread.cpp:
        (WTF):
        * wtf/MainThread.h:
        (WTF):

2012-02-21  Sam Weinig  <sam@webkit.org>

        Attempt to fix the Snow Leopard build.

        * Configurations/Base.xcconfig:

2012-02-21  Sam Weinig  <sam@webkit.org>

        Use libc++ when building with Clang on Mac
        https://bugs.webkit.org/show_bug.cgi?id=78981

        Reviewed by Dan Bernstein.

        * Configurations/Base.xcconfig:

2012-02-21  Adam Roben  <aroben@apple.com>

        Roll out r108309, r108323, and r108326

        They broke the 32-bit Lion build.

        Original bugs is <http://webkit.org/b/75812> <rdar://problem/10079694>.

        * CMakeLists.txt:
        * GNUmakefile.am:
        * GNUmakefile.list.am:
        * JavaScriptCore.pri:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreCommon.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/copy-files.cmd:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * assembler/LinkBuffer.h:
        * assembler/MacroAssemblerCodeRef.h:
        * bytecode/BytecodeConventions.h: Removed.
        * bytecode/CallLinkStatus.cpp:
        * bytecode/CallLinkStatus.h:
        * bytecode/CodeBlock.cpp:
        * bytecode/CodeBlock.h:
        * bytecode/GetByIdStatus.cpp:
        * bytecode/GetByIdStatus.h:
        * bytecode/Instruction.h:
        * bytecode/LLIntCallLinkInfo.h: Removed.
        * bytecode/MethodCallLinkStatus.cpp:
        * bytecode/Opcode.cpp:
        * bytecode/Opcode.h:
        * bytecode/PutByIdStatus.cpp:
        * bytecode/PutByIdStatus.h:
        * bytecompiler/BytecodeGenerator.cpp:
        * dfg/DFGByteCodeParser.cpp:
        * dfg/DFGCapabilities.h:
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOperations.cpp:
        * heap/Heap.h:
        * heap/MarkStack.cpp:
        * heap/MarkedAllocator.h:
        * heap/MarkedSpace.h:
        * interpreter/CallFrame.cpp:
        * interpreter/CallFrame.h:
        * interpreter/Interpreter.cpp:
        * interpreter/Interpreter.h:
        * interpreter/RegisterFile.h:
        * jit/ExecutableAllocator.h:
        * jit/HostCallReturnValue.cpp: Removed.
        * jit/HostCallReturnValue.h: Removed.
        * jit/JIT.cpp:
        * jit/JITCode.h:
        * jit/JITDriver.h:
        * jit/JITExceptions.cpp:
        * jit/JITInlineMethods.h:
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:
        * jit/JSInterfaceJIT.h:
        * llint/LLIntCommon.h: Removed.
        * llint/LLIntData.cpp: Removed.
        * llint/LLIntData.h: Removed.
        * llint/LLIntEntrypoints.cpp: Removed.
        * llint/LLIntEntrypoints.h: Removed.
        * llint/LLIntExceptions.cpp: Removed.
        * llint/LLIntExceptions.h: Removed.
        * llint/LLIntOfflineAsmConfig.h: Removed.
        * llint/LLIntOffsetsExtractor.cpp: Removed.
        * llint/LLIntSlowPaths.cpp: Removed.
        * llint/LLIntSlowPaths.h: Removed.
        * llint/LLIntThunks.cpp: Removed.
        * llint/LLIntThunks.h: Removed.
        * llint/LowLevelInterpreter.asm: Removed.
        * llint/LowLevelInterpreter.cpp: Removed.
        * llint/LowLevelInterpreter.h: Removed.
        * offlineasm/armv7.rb: Removed.
        * offlineasm/asm.rb: Removed.
        * offlineasm/ast.rb: Removed.
        * offlineasm/backends.rb: Removed.
        * offlineasm/generate_offset_extractor.rb: Removed.
        * offlineasm/instructions.rb: Removed.
        * offlineasm/offset_extractor_constants.rb: Removed.
        * offlineasm/offsets.rb: Removed.
        * offlineasm/opt.rb: Removed.
        * offlineasm/parser.rb: Removed.
        * offlineasm/registers.rb: Removed.
        * offlineasm/self_hash.rb: Removed.
        * offlineasm/settings.rb: Removed.
        * offlineasm/transform.rb: Removed.
        * offlineasm/x86.rb: Removed.
        * runtime/CodeSpecializationKind.h: Removed.
        * runtime/CommonSlowPaths.h:
        * runtime/Executable.cpp:
        * runtime/Executable.h:
        * runtime/ExecutionHarness.h: Removed.
        * runtime/JSArray.h:
        * runtime/JSCell.h:
        * runtime/JSFunction.h:
        * runtime/JSGlobalData.cpp:
        * runtime/JSGlobalData.h:
        * runtime/JSGlobalObject.h:
        * runtime/JSObject.h:
        * runtime/JSPropertyNameIterator.h:
        * runtime/JSString.h:
        * runtime/JSTypeInfo.h:
        * runtime/JSValue.cpp:
        * runtime/JSValue.h:
        * runtime/JSVariableObject.h:
        * runtime/Options.cpp:
        * runtime/Options.h:
        * runtime/ScopeChain.h:
        * runtime/Structure.cpp:
        * runtime/Structure.h:
        * runtime/StructureChain.h:
        * wtf/InlineASM.h:
        * wtf/Platform.h:
        * wtf/SentinelLinkedList.h:
        * wtf/text/StringImpl.h:

2012-02-21  Gustavo Noronha Silva  <kov@debian.org> and Bob Tracy  <rct@frus.com>

        Does not build on IA64, SPARC and Alpha
        https://bugs.webkit.org/show_bug.cgi?id=79047

        Rubber-stamped by Kent Tamura.

        * wtf/dtoa/utils.h: these architectures also have correct double
        operations, so add them to the appropriate side of the check.

2012-02-21  Filip Pizlo  <fpizlo@apple.com>

        Fix massive crashes in all tests introduced by previous build fix, and fix non-DFG build.
        https://bugs.webkit.org/show_bug.cgi?id=75812

        Reviewed by Csaba Osztrogonác.

        * dfg/DFGOperations.cpp:
        (JSC):
        * jit/HostCallReturnValue.h:
        (JSC::initializeHostCallReturnValue):

2012-02-21  Filip Pizlo  <fpizlo@apple.com>

        Attempted build fix for ELF platforms.

        * dfg/DFGOperations.cpp:
        (JSC):
        (JSC::getHostCallReturnValueWithExecState):
        * jit/HostCallReturnValue.cpp:
        (JSC):
        * jit/HostCallReturnValue.h:
        (JSC::initializeHostCallReturnValue):

2012-02-20  Filip Pizlo  <fpizlo@apple.com>

        JSC should be a triple-tier VM
        https://bugs.webkit.org/show_bug.cgi?id=75812
        <rdar://problem/10079694>

        Reviewed by Gavin Barraclough.
        
        Implemented an interpreter that uses the JIT's calling convention. This
        interpreter is called LLInt, or the Low Level Interpreter. JSC will now
        will start by executing code in LLInt and will only tier up to the old
        JIT after the code is proven hot.
        
        LLInt is written in a modified form of our macro assembly. This new macro
        assembly is compiled by an offline assembler (see offlineasm), which
        implements many modern conveniences such as a Turing-complete CPS-based
        macro language and direct access to relevant C++ type information
        (basically offsets of fields and sizes of structs/classes).
        
        Code executing in LLInt appears to the rest of the JSC world "as if" it
        were executing in the old JIT. Hence, things like exception handling and
        cross-execution-engine calls just work and require pretty much no
        additional overhead.
        
        This interpreter is 2-2.5x faster than our old interpreter on SunSpider,
        V8, and Kraken. With triple-tiering turned on, we're neutral on SunSpider,
        V8, and Kraken, but appear to get a double-digit improvement on real-world
        websites due to a huge reduction in the amount of JIT'ing.
        
        * CMakeLists.txt:
        * GNUmakefile.am:
        * GNUmakefile.list.am:
        * JavaScriptCore.pri:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreCommon.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/copy-files.cmd:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * assembler/LinkBuffer.h:
        * assembler/MacroAssemblerCodeRef.h:
        (MacroAssemblerCodePtr):
        (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
        * bytecode/BytecodeConventions.h: Added.
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFromLLInt):
        (JSC):
        (JSC::CallLinkStatus::computeFor):
        * bytecode/CallLinkStatus.h:
        (JSC::CallLinkStatus::isSet):
        (JSC::CallLinkStatus::operator!):
        (CallLinkStatus):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::stronglyVisitStrongReferences):
        (JSC):
        (JSC::CodeBlock::unlinkCalls):
        (JSC::CodeBlock::unlinkIncomingCalls):
        (JSC::CodeBlock::bytecodeOffset):
        (JSC::ProgramCodeBlock::jettison):
        (JSC::EvalCodeBlock::jettison):
        (JSC::FunctionCodeBlock::jettison):
        (JSC::ProgramCodeBlock::jitCompileImpl):
        (JSC::EvalCodeBlock::jitCompileImpl):
        (JSC::FunctionCodeBlock::jitCompileImpl):
        * bytecode/CodeBlock.h:
        (JSC):
        (CodeBlock):
        (JSC::CodeBlock::baselineVersion):
        (JSC::CodeBlock::linkIncomingCall):
        (JSC::CodeBlock::bytecodeOffset):
        (JSC::CodeBlock::jitCompile):
        (JSC::CodeBlock::hasOptimizedReplacement):
        (JSC::CodeBlock::addPropertyAccessInstruction):
        (JSC::CodeBlock::addGlobalResolveInstruction):
        (JSC::CodeBlock::addLLIntCallLinkInfo):
        (JSC::CodeBlock::addGlobalResolveInfo):
        (JSC::CodeBlock::numberOfMethodCallLinkInfos):
        (JSC::CodeBlock::valueProfilePredictionForBytecodeOffset):
        (JSC::CodeBlock::likelyToTakeSlowCase):
        (JSC::CodeBlock::couldTakeSlowCase):
        (JSC::CodeBlock::likelyToTakeSpecialFastCase):
        (JSC::CodeBlock::likelyToTakeDeepestSlowCase):
        (JSC::CodeBlock::likelyToTakeAnySlowCase):
        (JSC::CodeBlock::addFrequentExitSite):
        (JSC::CodeBlock::dontJITAnytimeSoon):
        (JSC::CodeBlock::jitAfterWarmUp):
        (JSC::CodeBlock::jitSoon):
        (JSC::CodeBlock::llintExecuteCounter):
        (ProgramCodeBlock):
        (EvalCodeBlock):
        (FunctionCodeBlock):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        (JSC):
        (JSC::GetByIdStatus::computeFor):
        * bytecode/GetByIdStatus.h:
        (JSC::GetByIdStatus::GetByIdStatus):
        (JSC::GetByIdStatus::wasSeenInJIT):
        (GetByIdStatus):
        * bytecode/Instruction.h:
        (JSC):
        (JSC::Instruction::Instruction):
        (Instruction):
        * bytecode/LLIntCallLinkInfo.h: Added.
        (JSC):
        (JSC::LLIntCallLinkInfo::LLIntCallLinkInfo):
        (LLIntCallLinkInfo):
        (JSC::LLIntCallLinkInfo::~LLIntCallLinkInfo):
        (JSC::LLIntCallLinkInfo::isLinked):
        (JSC::LLIntCallLinkInfo::unlink):
        * bytecode/MethodCallLinkStatus.cpp:
        (JSC::MethodCallLinkStatus::computeFor):
        * bytecode/Opcode.cpp:
        (JSC):
        * bytecode/Opcode.h:
        (JSC):
        (JSC::padOpcodeName):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFromLLInt):
        (JSC):
        (JSC::PutByIdStatus::computeFor):
        * bytecode/PutByIdStatus.h:
        (PutByIdStatus):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitResolve):
        (JSC::BytecodeGenerator::emitResolveWithBase):
        (JSC::BytecodeGenerator::emitGetById):
        (JSC::BytecodeGenerator::emitPutById):
        (JSC::BytecodeGenerator::emitDirectPutById):
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitConstruct):
        (JSC::BytecodeGenerator::emitCatch):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOperations.cpp:
        * heap/Heap.h:
        (JSC):
        (JSC::Heap::firstAllocatorWithoutDestructors):
        (Heap):
        * heap/MarkStack.cpp:
        (JSC::visitChildren):
        * heap/MarkedAllocator.h:
        (JSC):
        (MarkedAllocator):
        * heap/MarkedSpace.h:
        (JSC):
        (MarkedSpace):
        (JSC::MarkedSpace::firstAllocator):
        * interpreter/CallFrame.cpp:
        (JSC):
        (JSC::CallFrame::bytecodeOffsetForNonDFGCode):
        (JSC::CallFrame::setBytecodeOffsetForNonDFGCode):
        (JSC::CallFrame::currentVPC):
        (JSC::CallFrame::setCurrentVPC):
        (JSC::CallFrame::trueCallerFrame):
        * interpreter/CallFrame.h:
        (JSC::ExecState::hasReturnPC):
        (JSC::ExecState::clearReturnPC):
        (ExecState):
        (JSC::ExecState::bytecodeOffsetForNonDFGCode):
        (JSC::ExecState::currentVPC):
        (JSC::ExecState::setCurrentVPC):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::Interpreter):
        (JSC::Interpreter::~Interpreter):
        (JSC):
        (JSC::Interpreter::initialize):
        (JSC::Interpreter::isOpcode):
        (JSC::Interpreter::unwindCallFrame):
        (JSC::getCallerInfo):
        (JSC::Interpreter::privateExecute):
        (JSC::Interpreter::retrieveLastCaller):
        * interpreter/Interpreter.h:
        (JSC):
        (Interpreter):
        (JSC::Interpreter::getOpcode):
        (JSC::Interpreter::getOpcodeID):
        (JSC::Interpreter::classicEnabled):
        * interpreter/RegisterFile.h:
        (JSC):
        (RegisterFile):
        * jit/ExecutableAllocator.h:
        (JSC):
        * jit/HostCallReturnValue.cpp: Added.
        (JSC):
        (JSC::getHostCallReturnValueWithExecState):
        * jit/HostCallReturnValue.h: Added.
        (JSC):
        (JSC::initializeHostCallReturnValue):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::privateCompile):
        * jit/JITCode.h:
        (JSC::JITCode::isOptimizingJIT):
        (JITCode):
        (JSC::JITCode::isBaselineCode):
        (JSC::JITCode::JITCode):
        * jit/JITDriver.h:
        (JSC::jitCompileIfAppropriate):
        (JSC::jitCompileFunctionIfAppropriate):
        * jit/JITExceptions.cpp:
        (JSC::jitThrow):
        * jit/JITInlineMethods.h:
        (JSC::JIT::updateTopCallFrame):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC):
        * jit/JITStubs.h:
        (JSC):
        * jit/JSInterfaceJIT.h:
        * llint: Added.
        * llint/LLIntCommon.h: Added.
        * llint/LLIntData.cpp: Added.
        (LLInt):
        (JSC::LLInt::Data::Data):
        (JSC::LLInt::Data::performAssertions):
        (JSC::LLInt::Data::~Data):
        * llint/LLIntData.h: Added.
        (JSC):
        (LLInt):
        (Data):
        (JSC::LLInt::Data::exceptionInstructions):
        (JSC::LLInt::Data::opcodeMap):
        (JSC::LLInt::Data::performAssertions):
        * llint/LLIntEntrypoints.cpp: Added.
        (LLInt):
        (JSC::LLInt::getFunctionEntrypoint):
        (JSC::LLInt::getEvalEntrypoint):
        (JSC::LLInt::getProgramEntrypoint):
        * llint/LLIntEntrypoints.h: Added.
        (JSC):
        (LLInt):
        (JSC::LLInt::getEntrypoint):
        * llint/LLIntExceptions.cpp: Added.
        (LLInt):
        (JSC::LLInt::interpreterThrowInCaller):
        (JSC::LLInt::returnToThrowForThrownException):
        (JSC::LLInt::returnToThrow):
        (JSC::LLInt::callToThrow):
        * llint/LLIntExceptions.h: Added.
        (JSC):
        (LLInt):
        * llint/LLIntOfflineAsmConfig.h: Added.
        * llint/LLIntOffsetsExtractor.cpp: Added.
        (JSC):
        (LLIntOffsetsExtractor):
        (JSC::LLIntOffsetsExtractor::dummy):
        (main):
        * llint/LLIntSlowPaths.cpp: Added.
        (LLInt):
        (JSC::LLInt::llint_trace_operand):
        (JSC::LLInt::llint_trace_value):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::traceFunctionPrologue):
        (JSC::LLInt::shouldJIT):
        (JSC::LLInt::entryOSR):
        (JSC::LLInt::resolveGlobal):
        (JSC::LLInt::getByVal):
        (JSC::LLInt::handleHostCall):
        (JSC::LLInt::setUpCall):
        (JSC::LLInt::genericCall):
        * llint/LLIntSlowPaths.h: Added.
        (JSC):
        (LLInt):
        * llint/LLIntThunks.cpp: Added.
        (LLInt):
        (JSC::LLInt::generateThunkWithJumpTo):
        (JSC::LLInt::functionForCallEntryThunkGenerator):
        (JSC::LLInt::functionForConstructEntryThunkGenerator):
        (JSC::LLInt::functionForCallArityCheckThunkGenerator):
        (JSC::LLInt::functionForConstructArityCheckThunkGenerator):
        (JSC::LLInt::evalEntryThunkGenerator):
        (JSC::LLInt::programEntryThunkGenerator):
        * llint/LLIntThunks.h: Added.
        (JSC):
        (LLInt):
        * llint/LowLevelInterpreter.asm: Added.
        * llint/LowLevelInterpreter.cpp: Added.
        * llint/LowLevelInterpreter.h: Added.
        * offlineasm: Added.
        * offlineasm/armv7.rb: Added.
        * offlineasm/asm.rb: Added.
        * offlineasm/ast.rb: Added.
        * offlineasm/backends.rb: Added.
        * offlineasm/generate_offset_extractor.rb: Added.
        * offlineasm/instructions.rb: Added.
        * offlineasm/offset_extractor_constants.rb: Added.
        * offlineasm/offsets.rb: Added.
        * offlineasm/opt.rb: Added.
        * offlineasm/parser.rb: Added.
        * offlineasm/registers.rb: Added.
        * offlineasm/self_hash.rb: Added.
        * offlineasm/settings.rb: Added.
        * offlineasm/transform.rb: Added.
        * offlineasm/x86.rb: Added.
        * runtime/CodeSpecializationKind.h: Added.
        (JSC):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::arityCheckFor):
        (CommonSlowPaths):
        * runtime/Executable.cpp:
        (JSC::jettisonCodeBlock):
        (JSC):
        (JSC::EvalExecutable::jitCompile):
        (JSC::samplingDescription):
        (JSC::EvalExecutable::compileInternal):
        (JSC::ProgramExecutable::jitCompile):
        (JSC::ProgramExecutable::compileInternal):
        (JSC::FunctionExecutable::baselineCodeBlockFor):
        (JSC::FunctionExecutable::jitCompileForCall):
        (JSC::FunctionExecutable::jitCompileForConstruct):
        (JSC::FunctionExecutable::compileForCallInternal):
        (JSC::FunctionExecutable::compileForConstructInternal):
        * runtime/Executable.h:
        (JSC):
        (EvalExecutable):
        (ProgramExecutable):
        (FunctionExecutable):
        (JSC::FunctionExecutable::jitCompileFor):
        * runtime/ExecutionHarness.h: Added.
        (JSC):
        (JSC::prepareForExecution):
        (JSC::prepareFunctionForExecution):
        * runtime/JSArray.h:
        (JSC):
        (JSArray):
        * runtime/JSCell.h:
        (JSC):
        (JSCell):
        * runtime/JSFunction.h:
        (JSC):
        (JSFunction):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSC):
        (JSGlobalData):
        * runtime/JSGlobalObject.h:
        (JSC):
        (JSGlobalObject):
        * runtime/JSObject.h:
        (JSC):
        (JSObject):
        (JSFinalObject):
        * runtime/JSPropertyNameIterator.h:
        (JSC):
        (JSPropertyNameIterator):
        * runtime/JSString.h:
        (JSC):
        (JSString):
        * runtime/JSTypeInfo.h:
        (JSC):
        (TypeInfo):
        * runtime/JSValue.cpp:
        (JSC::JSValue::description):
        * runtime/JSValue.h:
        (LLInt):
        (JSValue):
        * runtime/JSVariableObject.h:
        (JSC):
        (JSVariableObject):
        * runtime/Options.cpp:
        (Options):
        (JSC::Options::initializeOptions):
        * runtime/Options.h:
        (Options):
        * runtime/ScopeChain.h:
        (JSC):
        (ScopeChainNode):
        * runtime/Structure.cpp:
        (JSC::Structure::addPropertyTransition):
        * runtime/Structure.h:
        (JSC):
        (Structure):
        * runtime/StructureChain.h:
        (JSC):
        (StructureChain):
        * wtf/InlineASM.h:
        * wtf/Platform.h:
        * wtf/SentinelLinkedList.h:
        (SentinelLinkedList):
        (WTF::SentinelLinkedList::isEmpty):
        * wtf/text/StringImpl.h:
        (JSC):
        (StringImpl):

2012-02-20  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, rolling out http://trac.webkit.org/changeset/108291
        It completely broke the 32-bit JIT.

        * heap/CopiedAllocator.h:
        * heap/CopiedSpace.h:
        (CopiedSpace):
        * heap/Heap.h:
        (JSC::Heap::allocatorForObjectWithDestructor):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        (JIT):
        * jit/JITInlineMethods.h:
        (JSC):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_array):
        * runtime/JSArray.cpp:
        (JSC::storageSize):
        (JSC):
        * runtime/JSArray.h:
        (ArrayStorage):
        (JSArray):

2012-02-20  Gavin Barraclough  <barraclough@apple.com>

        [[Put]] should throw if prototype chain contains a readonly property.
        https://bugs.webkit.org/show_bug.cgi?id=79069

        Reviewed by Oliver Hunt.

        Currently we only check the base of the put, not the prototype chain.
        Fold this check in with the test for accessors.

        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
            - Updated to test all objects in the propotype chain for readonly properties.
        (JSC::JSObject::putDirectAccessor):
        (JSC::putDescriptor):
            - Record the presence of readonly properties on the structure.
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
            - hasGetterSetterPropertiesExcludingProto expanded to hasReadOnlyOrGetterSetterPropertiesExcludingProto.
        * runtime/Structure.h:
        (JSC::Structure::hasReadOnlyOrGetterSetterPropertiesExcludingProto):
        (JSC::Structure::setHasGetterSetterProperties):
            - hasGetterSetterPropertiesExcludingProto expanded to hasReadOnlyOrGetterSetterPropertiesExcludingProto.
        (JSC::Structure::setContainsReadOnlyProperties):
            - Added.

2012-02-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        Implement fast path for op_new_array in the baseline JIT
        https://bugs.webkit.org/show_bug.cgi?id=78612

        Reviewed by Filip Pizlo.

        * heap/CopiedAllocator.h:
        (CopiedAllocator): Friended the JIT to allow access to m_currentOffset.
        * heap/CopiedSpace.h:
        (CopiedSpace): Friended the JIT to allow access to 
        (JSC::CopiedSpace::allocator):
        * heap/Heap.h:
        (JSC::Heap::storageAllocator): Added a getter for the CopiedAllocator class so the JIT
        can use it for simple allocation i.e. when we can just bump the offset without having to 
        do anything else.
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileSlowCases): Added new slow case for op_new_array for when
        we have to bail out because the fast allocation path fails for whatever reason.
        * jit/JIT.h:
        (JIT):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitAllocateBasicStorage): Added utility function that allows objects to 
        allocate generic backing stores. This function is used by emitAllocateJSArray.
        (JSC):
        (JSC::JIT::emitAllocateJSArray): Added utility function that allows the client to 
        more easily allocate JSArrays. This function is used by emit_op_new_array and I expect 
        it will also be used for emit_op_new_array_buffer.
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_array): Changed to do inline allocation of JSArrays. Still does 
        a stub call for oversize arrays.
        (JSC):
        (JSC::JIT::emitSlow_op_new_array): Just bails out to a stub call if we fail in any way on 
        the fast path.
        * runtime/JSArray.cpp:
        (JSC):
        * runtime/JSArray.h: Added lots of offset functions for all the fields that we need to 
        initialize in the JIT.
        (ArrayStorage):
        (JSC::ArrayStorage::lengthOffset):
        (JSC::ArrayStorage::numValuesInVectorOffset):
        (JSC::ArrayStorage::allocBaseOffset):
        (JSC::ArrayStorage::vectorOffset):
        (JSArray):
        (JSC::JSArray::sparseValueMapOffset):
        (JSC::JSArray::subclassDataOffset):
        (JSC::JSArray::indexBiasOffset):
        (JSC):
        (JSC::JSArray::storageSize): Moved this function from being a static function in the cpp file
        to being a static function in the JSArray class. This move allows the JIT to call it to 
        see what size it should allocate.

2012-02-20  Gavin Barraclough  <barraclough@apple.com>

        DefineOwnProperty fails with numeric properties & Object.prototype
        https://bugs.webkit.org/show_bug.cgi?id=79059

        Reviewed by Oliver Hunt.

        ObjectPrototype caches whether it contains any numeric properties (m_hasNoPropertiesWithUInt32Names),
        calls to defineOwnProperty need to update this cache.

        * runtime/ObjectPrototype.cpp:
        (JSC::ObjectPrototype::put):
        (JSC::ObjectPrototype::defineOwnProperty):
        (JSC):
        (JSC::ObjectPrototype::getOwnPropertySlotByIndex):
        * runtime/ObjectPrototype.h:
        (ObjectPrototype):

2012-02-20  Pino Toscano  <pino@debian.org>

        Does not build on GNU Hurd
        https://bugs.webkit.org/show_bug.cgi?id=79045

        Reviewed by Gustavo Noronha Silva.

        * wtf/Platform.h: define WTF_OS_HURD.
        * wtf/ThreadIdentifierDataPthreads.cpp: adds a band-aid fix
        for the lack of PTHREAD_KEYS_MAX definition, with a value which
        should not cause issues.

2012-02-20  Gavin Barraclough  <barraclough@apple.com>

        Unreviewed windows build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-02-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        Undoing accidental changes

        * heap/Heap.cpp:
        (JSC::Heap::collectAllGarbage):

2012-02-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        Factor out allocation in CopySpace into a separate CopyAllocator
        https://bugs.webkit.org/show_bug.cgi?id=78610

        Reviewed by Oliver Hunt.

        Added a new CopyAllocator class, which allows us to do allocations without 
        having to load the current offset and store the current offset in the current 
        block. This change will allow us to easily do inline assembly in the JIT for 
        array allocations.

        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/CopiedAllocator.h: Added.
        (JSC):
        (CopiedAllocator):
        (JSC::CopiedAllocator::currentBlock):
        (JSC::CopiedAllocator::CopiedAllocator):
        (JSC::CopiedAllocator::allocate):
        (JSC::CopiedAllocator::fitsInCurrentBlock):
        (JSC::CopiedAllocator::wasLastAllocation):
        (JSC::CopiedAllocator::startedCopying):
        (JSC::CopiedAllocator::resetCurrentBlock):
        (JSC::CopiedAllocator::currentUtilization):
        (JSC::CopiedAllocator::resetLastAllocation):
        * heap/CopiedBlock.h:
        (CopiedBlock):
        * heap/CopiedSpace.cpp: Moved some stuff from CopiedSpaceInlineMethods to here because we 
        weren't really getting any benefits from having such big functions in a header file.
        (JSC::CopiedSpace::CopiedSpace):
        (JSC):
        (JSC::CopiedSpace::init):
        (JSC::CopiedSpace::tryAllocateSlowCase):
        (JSC::CopiedSpace::tryAllocateOversize):
        (JSC::CopiedSpace::tryReallocate):
        (JSC::CopiedSpace::tryReallocateOversize):
        (JSC::CopiedSpace::doneFillingBlock):
        (JSC::CopiedSpace::doneCopying):
        (JSC::CopiedSpace::getFreshBlock):
        * heap/CopiedSpace.h:
        (CopiedSpace):
        * heap/CopiedSpaceInlineMethods.h:
        (JSC):
        (JSC::CopiedSpace::startedCopying):
        (JSC::CopiedSpace::addNewBlock):
        (JSC::CopiedSpace::allocateNewBlock):
        (JSC::CopiedSpace::fitsInBlock):
        (JSC::CopiedSpace::tryAllocate):
        (JSC::CopiedSpace::allocateFromBlock):
        * heap/Heap.cpp:
        (JSC::Heap::collectAllGarbage):
        * heap/HeapBlock.h:
        (HeapBlock):

2012-02-20  Patrick Gansterer  <paroga@webkit.org>

        Fix Visual Studio 2010 build.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::PropertyListNode::emitBytecode):

2012-02-16  Gavin Barraclough  <barraclough@apple.com>

        Move special __proto__ property to Object.prototype
        https://bugs.webkit.org/show_bug.cgi?id=78409

        Reviewed by Oliver Hunt.

        Re-implement this as a regular accessor property.  This has three key benefits:
        1) It makes it possible for objects to be given properties named __proto__.
        2) Object.prototype.__proto__ can be deleted, preventing object prototypes from being changed.
        3) This largely removes the magic used the implement __proto__, it can just be made a regular accessor property.

        * parser/Parser.cpp:
        (JSC::::parseFunctionInfo):
            - No need to prohibit functions named __proto__.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
            - Add __proto__ accessor to Object.prototype.
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncProtoGetter):
        (JSC::globalFuncProtoSetter):
            - Definition of the __proto__ accessor functions.
        * runtime/JSGlobalObjectFunctions.h:
            - Declaration of the __proto__ accessor functions.
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
            - Remove the special handling for __proto__, there is still a check to allow for a fast guard for accessors excluding __proto__.
        (JSC::JSObject::putDirectAccessor):
            - Track on the structure whether an object contains accessors other than one for __proto__.
        (JSC::JSObject::defineOwnProperty):
            - No need to prohibit definition of own properties named __proto__.
        * runtime/JSObject.h:
        (JSC::JSObject::inlineGetOwnPropertySlot):
            - Remove the special handling for __proto__.
        (JSC::JSValue::get):
            - Remove the special handling for __proto__.
        * runtime/JSString.cpp:
        (JSC::JSString::getOwnPropertySlot):
            - Remove the special handling for __proto__.
        * runtime/JSValue.h:
        (JSValue):
            - Made synthesizePrototype public (this may be needed by the __proto__ getter).
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetPrototypeOf):
            - Perform the security check & call prototype() directly.
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
            - Added 'ExcludingProto' variant of the 'hasGetterSetterProperties' state.
        * runtime/Structure.h:
        (JSC::Structure::hasGetterSetterPropertiesExcludingProto):
        (JSC::Structure::setHasGetterSetterProperties):
        (Structure):
            - Added 'ExcludingProto' variant of the 'hasGetterSetterProperties' state.

2012-02-20  Michael Saboff  <msaboff@apple.com>

        Update toLower and toUpper tests for Unicode 6.1 changes
        https://bugs.webkit.org/show_bug.cgi?id=78923

        Reviewed by Oliver Hunt.

        * tests/mozilla/ecma/String/15.5.4.11-2.js: Updated the test
        to handle a third set of results for updated Unicode 6.1
        changes.
        (getTestCases):
        (TestCaseMultiExpected):
        (writeTestCaseResultMultiExpected):
        (getTestCaseResultMultiExpected):
        (test):
        (GetUnicodeValues):
        (DecimalToHexString):

2012-02-20  Andy Wingo  <wingo@igalia.com>

        Remove unused features from CodeFeatures
        https://bugs.webkit.org/show_bug.cgi?id=78804

        Reviewed by Gavin Barraclough.

        * parser/Nodes.h:
        * parser/ASTBuilder.h:
        (JSC::ClosureFeature):
        (JSC::ASTBuilder::createFunctionBody):
        (JSC::ASTBuilder::usesClosures):
        Remove "ClosureFeature".  Since we track captured variables more
        precisely, this bit doesn't do us any good.

        (JSC::AssignFeature):
        (JSC::ASTBuilder::makeAssignNode):
        (JSC::ASTBuilder::makePrefixNode):
        (JSC::ASTBuilder::makePostfixNode):
        (JSC::ASTBuilder::usesAssignment):
        Similarly, remove AssignFeature.  It is unused.

2012-02-19  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix make distcheck issues.

        * GNUmakefile.list.am: Add missing files.

2012-02-18  Sam Weinig  <sam@webkit.org>

        Fix style issues in DFG Phase classes
        https://bugs.webkit.org/show_bug.cgi?id=78983

        Reviewed by Ryosuke Niwa.

        * dfg/DFGArithNodeFlagsInferencePhase.cpp:
        * dfg/DFGCFAPhase.cpp:
        * dfg/DFGCSEPhase.cpp:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        Add a space before the colon in class declarations.

2012-02-18  Filip Pizlo  <fpizlo@apple.com>

        Attempt to fix Windows build.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-02-18  Sam Weinig  <sam@webkit.org>

        Fix the libc++ build.

        Reviewed by Anders Carlsson.

        * heap/Weak.h:
        Libc++'s nullptr emulation does not allow default construction
        of the nullptr_t type. Work around this with the arguably clearer
        just returning nullptr.

2012-02-18  Filip Pizlo  <fpizlo@apple.com>

        DFGPropagator.cpp has too many things
        https://bugs.webkit.org/show_bug.cgi?id=78956

        Reviewed by Oliver Hunt.
        
        Added the notion of a DFG::Phase. Removed DFG::Propagator, and took its
        various things and put them into separate files. These new phases follow
        the naming convention "DFG<name>Phase" where <name> is a noun. They are
        called via functions of the form "perform<name>".

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * dfg/DFGArithNodeFlagsInferencePhase.cpp: Added.
        (DFG):
        (JSC::DFG::performArithNodeFlagsInference):
        * dfg/DFGArithNodeFlagsInferencePhase.h: Added.
        (DFG):
        * dfg/DFGCFAPhase.cpp: Added.
        (DFG):
        (JSC::DFG::performCFA):
        * dfg/DFGCFAPhase.h: Added.
        (DFG):
        * dfg/DFGCSEPhase.cpp: Added.
        (DFG):
        (JSC::DFG::performCSE):
        * dfg/DFGCSEPhase.h: Added.
        (DFG):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGPhase.cpp: Added.
        (DFG):
        (JSC::DFG::Phase::beginPhase):
        (JSC::DFG::Phase::endPhase):
        * dfg/DFGPhase.h: Added.
        (DFG):
        (Phase):
        (JSC::DFG::Phase::Phase):
        (JSC::DFG::Phase::~Phase):
        (JSC::DFG::Phase::globalData):
        (JSC::DFG::Phase::codeBlock):
        (JSC::DFG::Phase::profiledBlock):
        (JSC::DFG::Phase::beginPhase):
        (JSC::DFG::Phase::endPhase):
        (JSC::DFG::runPhase):
        * dfg/DFGPredictionPropagationPhase.cpp: Added.
        (DFG):
        (JSC::DFG::performPredictionPropagation):
        * dfg/DFGPredictionPropagationPhase.h: Added.
        (DFG):
        * dfg/DFGPropagator.cpp: Removed.
        * dfg/DFGPropagator.h: Removed.
        * dfg/DFGVirtualRegisterAllocationPhase.cpp: Added.
        (DFG):
        (JSC::DFG::performVirtualRegisterAllocation):
        * dfg/DFGVirtualRegisterAllocationPhase.h: Added.
        (DFG):

2012-02-17  Filip Pizlo  <fpizlo@apple.com>

        DFG::Graph should have references to JSGlobalData, the CodeBlock being compiled, and
        the CodeBlock that was used for profiling
        https://bugs.webkit.org/show_bug.cgi?id=78954

        Reviewed by Gavin Barraclough.

        * bytecode/CodeBlock.h:
        (JSC::baselineCodeBlockForOriginAndBaselineCodeBlock):
        (JSC):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::AbstractState):
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGAbstractState.h:
        * dfg/DFGAssemblyHelpers.h:
        (AssemblyHelpers):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ByteCodeParser):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::parse):
        * dfg/DFGByteCodeParser.h:
        (DFG):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::predictArgumentTypes):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::Graph):
        (Graph):
        (JSC::DFG::Graph::getJSConstantPrediction):
        (JSC::DFG::Graph::addShouldSpeculateInteger):
        (JSC::DFG::Graph::isInt32Constant):
        (JSC::DFG::Graph::isDoubleConstant):
        (JSC::DFG::Graph::isNumberConstant):
        (JSC::DFG::Graph::isBooleanConstant):
        (JSC::DFG::Graph::isFunctionConstant):
        (JSC::DFG::Graph::valueOfJSConstant):
        (JSC::DFG::Graph::valueOfInt32Constant):
        (JSC::DFG::Graph::valueOfNumberConstant):
        (JSC::DFG::Graph::valueOfBooleanConstant):
        (JSC::DFG::Graph::valueOfFunctionConstant):
        (JSC::DFG::Graph::baselineCodeBlockFor):
        (JSC::DFG::Graph::valueProfileFor):
        (JSC::DFG::Graph::addImmediateShouldSpeculateInteger):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::JITCompiler):
        (JITCompiler):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::considerAddingAsFrequentExitSiteSlow):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::Propagator):
        (JSC::DFG::Propagator::isNotNegZero):
        (JSC::DFG::Propagator::isNotZero):
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::doRoundOfDoubleVoting):
        (JSC::DFG::Propagator::globalCFA):
        (JSC::DFG::propagate):
        * dfg/DFGPropagator.h:
        (DFG):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        (JSC::DFG::SpeculativeJIT::compileAdd):
        (JSC::DFG::SpeculativeJIT::compileArithSub):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::isConstant):
        (JSC::DFG::SpeculativeJIT::isJSConstant):
        (JSC::DFG::SpeculativeJIT::isInt32Constant):
        (JSC::DFG::SpeculativeJIT::isDoubleConstant):
        (JSC::DFG::SpeculativeJIT::isNumberConstant):
        (JSC::DFG::SpeculativeJIT::isBooleanConstant):
        (JSC::DFG::SpeculativeJIT::isFunctionConstant):
        (JSC::DFG::SpeculativeJIT::valueOfInt32Constant):
        (JSC::DFG::SpeculativeJIT::valueOfNumberConstant):
        (JSC::DFG::SpeculativeJIT::valueOfJSConstant):
        (JSC::DFG::SpeculativeJIT::valueOfBooleanConstant):
        (JSC::DFG::SpeculativeJIT::valueOfFunctionConstant):
        (JSC::DFG::SpeculativeJIT::speculationCheck):
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):

2012-02-17  Ahmad Sharif  <asharif.tools@gmail.com>

        There is a warning in memset in glibc that gets triggered through a
        warndecl when the fill-value of memset is a non-zero constant and the
        size is zero. This warning is enabled when building with
        -D_FORTIFY_SOURCE=2. This patch fixes the warning.

        https://bugs.webkit.org/show_bug.cgi?id=78513

        Reviewed by Alexey Proskuryakov

        * wtf/Vector.h:

2012-02-17  Kalev Lember  <kalevlember@gmail.com>

        Remove unused parameters from WTF threading API
        https://bugs.webkit.org/show_bug.cgi?id=78389

        Reviewed by Adam Roben.

        waitForThreadCompletion() had an out param 'void **result' to get the
        'void *' returned by ThreadFunction. However, the implementation in
        ThreadingWin.cpp ignored the out param, not filling it in. This had
        led to a situation where none of the client code made use of the param
        and just ignored it.

        To clean this up, the patch changes the signature of ThreadFunction to
        return void instead of void* and drops the the unused 'void **result'
        parameter from waitForThreadCompletion. Also, all client code is
        updated for the API change.

        As mentioned in https://bugs.webkit.org/show_bug.cgi?id=78389 , even
        though the change only affects internal API, Safari is using it
        directly and we'll need to keep the old versions around for ABI
        compatibility. For this, the patch adds compatibility wrappers with
        the old ABI.

        * JavaScriptCore.order:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * bytecode/SamplingTool.cpp:
        (JSC::SamplingThread::threadStartFunc):
        (JSC::SamplingThread::stop):
        * bytecode/SamplingTool.h:
        (SamplingThread):
        * heap/Heap.cpp:
        (JSC::Heap::~Heap):
        (JSC::Heap::blockFreeingThreadStartFunc):
        * heap/Heap.h:
        * heap/MarkStack.cpp:
        (JSC::MarkStackThreadSharedData::markingThreadStartFunc):
        (JSC::MarkStackThreadSharedData::~MarkStackThreadSharedData):
        * heap/MarkStack.h:
        (MarkStackThreadSharedData):
        * wtf/ParallelJobsGeneric.cpp:
        (WTF::ParallelEnvironment::ThreadPrivate::workerThread):
        * wtf/ParallelJobsGeneric.h:
        (ThreadPrivate):
        * wtf/ThreadFunctionInvocation.h: Update the signature of
        ThreadFunction.
        (WTF):
        * wtf/Threading.cpp:
        (WTF::threadEntryPoint): Update for ThreadFunction signature change.
        (WTF):
        (WTF::ThreadFunctionWithReturnValueInvocation::ThreadFunctionWithReturnValueInvocation):
        ABI compatibility function for Safari.
        (ThreadFunctionWithReturnValueInvocation): Ditto.
        (WTF::compatEntryPoint): Ditto.
        (WTF::createThread): Ditto.
        (WTF::waitForThreadCompletion): Ditto.
        * wtf/Threading.h: Update the signature of ThreadFunction and
        waitForThreadCompletion.
        (WTF):
        * wtf/ThreadingPthreads.cpp: Implement the new API.
        (WTF::wtfThreadEntryPoint):
        (WTF):
        (WTF::createThreadInternal):
        (WTF::waitForThreadCompletion):
        * wtf/ThreadingWin.cpp: Implement the new API.
        (WTF::wtfThreadEntryPoint):
        (WTF::waitForThreadCompletion):

2012-02-16  Oliver Hunt  <oliver@apple.com>

        Implement Error.stack
        https://bugs.webkit.org/show_bug.cgi?id=66994

        Reviewed by Gavin Barraclough.

        Implement support for stack traces on exception objects.  This is a rewrite
        of the core portion of the last stack walking logic, but the mechanical work
        of adding the information to an exception comes from the original work by
        Juan Carlos Montemayor Elosua.

        * interpreter/Interpreter.cpp:
        (JSC::getCallerInfo):
        (JSC):
        (JSC::getSourceURLFromCallFrame):
        (JSC::getStackFrameCodeType):
        (JSC::Interpreter::getStackTrace):
        (JSC::Interpreter::throwException):
        (JSC::Interpreter::privateExecute):
        * interpreter/Interpreter.h:
        (JSC):
        (StackFrame):
        (JSC::StackFrame::toString):
        (Interpreter):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionJSCStack):
        * parser/Nodes.h:
        (JSC::FunctionBodyNode::setInferredName):
        * parser/Parser.h:
        (JSC::::parse):
        * runtime/CommonIdentifiers.h:
        * runtime/Error.cpp:
        (JSC::addErrorInfo):
        * runtime/Error.h:
        (JSC):

2012-02-17  Mark Hahnenberg  <mhahnenberg@apple.com>

        Rename Bump* to Copy*
        https://bugs.webkit.org/show_bug.cgi?id=78573

        Reviewed by Geoffrey Garen.

        Renamed anything with "Bump" in the name to have "Copied" instead.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * heap/BumpBlock.h: Removed.
        * heap/BumpSpace.cpp: Removed.
        * heap/BumpSpace.h: Removed.
        * heap/BumpSpaceInlineMethods.h: Removed.
        * heap/ConservativeRoots.cpp:
        (JSC::ConservativeRoots::ConservativeRoots):
        (JSC::ConservativeRoots::genericAddPointer):
        * heap/ConservativeRoots.h:
        (ConservativeRoots):
        * heap/CopiedBlock.h: Added.
        (JSC):
        (CopiedBlock):
        (JSC::CopiedBlock::CopiedBlock):
        * heap/CopiedSpace.cpp: Added.
        (JSC):
        (JSC::CopiedSpace::tryAllocateSlowCase):
        * heap/CopiedSpace.h: Added.
        (JSC):
        (CopiedSpace):
        (JSC::CopiedSpace::isInCopyPhase):
        (JSC::CopiedSpace::totalMemoryAllocated):
        (JSC::CopiedSpace::totalMemoryUtilized):
        * heap/CopiedSpaceInlineMethods.h: Added.
        (JSC):
        (JSC::CopiedSpace::CopiedSpace):
        (JSC::CopiedSpace::init):
        (JSC::CopiedSpace::contains):
        (JSC::CopiedSpace::pin):
        (JSC::CopiedSpace::startedCopying):
        (JSC::CopiedSpace::doneCopying):
        (JSC::CopiedSpace::doneFillingBlock):
        (JSC::CopiedSpace::recycleBlock):
        (JSC::CopiedSpace::getFreshBlock):
        (JSC::CopiedSpace::borrowBlock):
        (JSC::CopiedSpace::addNewBlock):
        (JSC::CopiedSpace::allocateNewBlock):
        (JSC::CopiedSpace::fitsInBlock):
        (JSC::CopiedSpace::fitsInCurrentBlock):
        (JSC::CopiedSpace::tryAllocate):
        (JSC::CopiedSpace::tryAllocateOversize):
        (JSC::CopiedSpace::allocateFromBlock):
        (JSC::CopiedSpace::tryReallocate):
        (JSC::CopiedSpace::tryReallocateOversize):
        (JSC::CopiedSpace::isOversize):
        (JSC::CopiedSpace::isPinned):
        (JSC::CopiedSpace::oversizeBlockFor):
        (JSC::CopiedSpace::blockFor):
        * heap/Heap.cpp:
        * heap/Heap.h:
        (JSC):
        (Heap):
        * heap/MarkStack.cpp:
        (JSC::MarkStackThreadSharedData::MarkStackThreadSharedData):
        (JSC::SlotVisitor::drainFromShared):
        (JSC::SlotVisitor::startCopying):
        (JSC::SlotVisitor::allocateNewSpace):
        (JSC::SlotVisitor::doneCopying):
        * heap/MarkStack.h:
        (MarkStackThreadSharedData):
        * heap/SlotVisitor.h:
        (SlotVisitor):
        * runtime/JSArray.cpp:
        * runtime/JSObject.cpp:

2012-02-16  Yuqiang Xian  <yuqiang.xian@intel.com>

        Add JSC code profiling support on Linux x86
        https://bugs.webkit.org/show_bug.cgi?id=78871

        Reviewed by Gavin Barraclough.

        We don't unwind the stack for now as we cannot guarantee all the
        libraries are compiled without -fomit-frame-pointer.

        * tools/CodeProfile.cpp:
        (JSC::CodeProfile::sample):
        * tools/CodeProfiling.cpp:
        (JSC):
        (JSC::profilingTimer):
        (JSC::CodeProfiling::begin):
        (JSC::CodeProfiling::end):

2012-02-16  Csaba Osztrogonác  <ossy@webkit.org>

        Unreviewed. Rolling out r107980, because it broke 32 bit platforms.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::throwException):
        (JSC::Interpreter::privateExecute):
        * interpreter/Interpreter.h:
        (JSC):
        (Interpreter):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        * parser/Nodes.h:
        (JSC::FunctionBodyNode::setInferredName):
        * parser/Parser.h:
        (JSC::::parse):
        * runtime/CommonIdentifiers.h:
        * runtime/Error.cpp:
        (JSC::addErrorInfo):
        * runtime/Error.h:
        (JSC):

2012-02-16  Filip Pizlo  <fpizlo@apple.com>

        ENABLE_INTERPRETER should be ENABLE_CLASSIC_INTERPRETER
        https://bugs.webkit.org/show_bug.cgi?id=78791

        Rubber stamped by Oliver Hunt.
        
        Just a renaming, nothing more. Also renamed COMPUTED_GOTO_INTERPRETER to
        COMPUTED_GOTO_CLASSIC_INTERPRETER.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
        (JSC::CodeBlock::stronglyVisitStrongReferences):
        (JSC):
        (JSC::CodeBlock::shrinkToFit):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        * bytecode/Instruction.h:
        (JSC::Instruction::Instruction):
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitResolve):
        (JSC::BytecodeGenerator::emitResolveWithBase):
        (JSC::BytecodeGenerator::emitGetById):
        (JSC::BytecodeGenerator::emitPutById):
        (JSC::BytecodeGenerator::emitDirectPutById):
        * interpreter/AbstractPC.cpp:
        (JSC::AbstractPC::AbstractPC):
        * interpreter/AbstractPC.h:
        (AbstractPC):
        * interpreter/CallFrame.h:
        (ExecState):
        * interpreter/Interpreter.cpp:
        (JSC):
        (JSC::Interpreter::initialize):
        (JSC::Interpreter::isOpcode):
        (JSC::Interpreter::unwindCallFrame):
        (JSC::Interpreter::execute):
        (JSC::Interpreter::privateExecute):
        (JSC::Interpreter::retrieveLastCaller):
        * interpreter/Interpreter.h:
        (JSC::Interpreter::getOpcode):
        (JSC::Interpreter::getOpcodeID):
        (Interpreter):
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::compileInternal):
        (JSC::ProgramExecutable::compileInternal):
        (JSC::FunctionExecutable::compileForCallInternal):
        (JSC::FunctionExecutable::compileForConstructInternal):
        * runtime/Executable.h:
        (NativeExecutable):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::getHostFunction):
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        * wtf/OSAllocatorPosix.cpp:
        (WTF::OSAllocator::reserveAndCommit):
        * wtf/Platform.h:

2012-02-15  Geoffrey Garen  <ggaren@apple.com>

        Made Weak<T> single-owner, adding PassWeak<T>
        https://bugs.webkit.org/show_bug.cgi?id=78740

        Reviewed by Sam Weinig.

        This works basically the same way as OwnPtr<T> and PassOwnPtr<T>.

        This clarifies the semantics of finalizers: It's ambiguous and probably
        a bug to copy a finalizer (i.e., it's a bug to run a C++ destructor
        twice), so I've made Weak<T> non-copyable. Anywhere we used to copy a 
        Weak<T>, we now use PassWeak<T>.

        This also makes Weak<T> HashMaps more efficient.

        * API/JSClassRef.cpp:
        (OpaqueJSClass::prototype): Use PassWeak<T> instead of set(), since 
        set() is gone now.

        * JavaScriptCore.xcodeproj/project.pbxproj: Export!

        * heap/PassWeak.h: Added.
        (JSC):
        (PassWeak):
        (JSC::PassWeak::PassWeak):
        (JSC::PassWeak::~PassWeak):
        (JSC::PassWeak::get):
        (JSC::::leakHandle):
        (JSC::adoptWeak):
        (JSC::operator==):
        (JSC::operator!=): This is the Weak<T> version of PassOwnPtr<T>.

        * heap/Weak.h:
        (Weak):
        (JSC::Weak::Weak):
        (JSC::Weak::release):
        (JSC::Weak::hashTableDeletedValue):
        (JSC::=):
        (JSC): Changed to be non-copyable, removing a lot of copying-related
        APIs. Added hash traits so hash maps still work.

        * jit/JITStubs.cpp:
        (JSC::JITThunks::hostFunctionStub):
        * runtime/RegExpCache.cpp:
        (JSC::RegExpCache::lookupOrCreate): Use PassWeak<T>, as required by
        our new hash map API.

2012-02-16  Mark Hahnenberg  <mhahnenberg@apple.com>

        Fix the broken viewport tests
        https://bugs.webkit.org/show_bug.cgi?id=78774

        Reviewed by Kenneth Rohde Christiansen.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * wtf/text/WTFString.cpp:
        (WTF):
        (WTF::toDoubleType): Template-ized to allow other functions to specify whether they
        want to allow trailing junk or not when calling strtod.
        (WTF::charactersToDouble):
        (WTF::charactersToFloat):
        (WTF::charactersToFloatIgnoringJunk): Created new version of charactersToFloat that allows 
        trailing junk.
        * wtf/text/WTFString.h:
        (WTF):

2012-02-16  Oliver Hunt  <oliver@apple.com>

        Implement Error.stack
        https://bugs.webkit.org/show_bug.cgi?id=66994

        Reviewed by Gavin Barraclough.

        Implement support for stack traces on exception objects.  This is a rewrite
        of the core portion of the last stack walking logic, but the mechanical work
        of adding the information to an exception comes from the original work by
        Juan Carlos Montemayor Elosua.

        * interpreter/Interpreter.cpp:
        (JSC::getCallerInfo):
        (JSC):
        (JSC::getSourceURLFromCallFrame):
        (JSC::getStackFrameCodeType):
        (JSC::Interpreter::getStackTrace):
        (JSC::Interpreter::throwException):
        (JSC::Interpreter::privateExecute):
        * interpreter/Interpreter.h:
        (JSC):
        (StackFrame):
        (JSC::StackFrame::toString):
        (Interpreter):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionJSCStack):
        * parser/Nodes.h:
        (JSC::FunctionBodyNode::setInferredName):
        * parser/Parser.h:
        (JSC::::parse):
        * runtime/CommonIdentifiers.h:
        * runtime/Error.cpp:
        (JSC::addErrorInfo):
        * runtime/Error.h:
        (JSC):

2012-02-15  Gavin Barraclough  <barraclough@apple.com>

        Numerous trivial bugs in Object.defineProperty
        https://bugs.webkit.org/show_bug.cgi?id=78777

        Reviewed by Sam Weinig.

        There are a handful of really trivial bugs, related to Object.defineProperty:
            * Redefining an accessor with different attributes changes the attributes, but not the get/set functions!
            * Calling an undefined setter should only throw in strict mode.
            * When redefining an accessor to a data decriptor, if writable is not specified we should default to false.
            * Any attempt to redefine a non-configurable property of an array as configurable should be rejected.
            * Object.defineProperties should call toObject on 'Properties' argument, rather than throwing if it is not an object.
            * If preventExtensions has been called on an array, subsequent assignment beyond array bounds should fail.
            * 'isFrozen' shouldn't be checking the ReadOnly bit for accessor descriptors (we presently always keep this bit as 'false').
            * Should be able to redefine an non-writable, non-configurable property, with the same value and attributes.
            * Should be able to define an non-configurable accessor.
        These are mostly all one-line changes, e.g. inverted boolean checks, masking against wrong attribute.

        * runtime/JSArray.cpp:
        (JSC::SparseArrayValueMap::put):
            - Added ASSERT.
            - Calling an undefined setter should only throw in strict mode.
        (JSC::JSArray::putDescriptor):
            - Should be able to define an non-configurable accessor.
        (JSC::JSArray::defineOwnNumericProperty):
            - Any attempt to redefine a non-configurable property of an array as configurable should be rejected.
        (JSC::JSArray::putByIndexBeyondVectorLength):
            - If preventExtensions has been called on an array, subsequent assignment beyond array bounds should fail.
        * runtime/JSArray.h:
        (JSArray):
            - made enterDictionaryMode public, called from JSObject.
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
            - Calling an undefined setter should only throw in strict mode.
        (JSC::JSObject::preventExtensions):
            - Put array objects into dictionary mode to handle this!
        (JSC::JSObject::defineOwnProperty):
            - Should be able to redefine an non-writable, non-configurable property, with the same value and attributes.
            - Redefining an accessor with different attributes changes the attributes, but not the get/set functions!
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorDefineProperties):
            - Object.defineProperties should call toObject on 'Properties' argument, rather than throwing if it is not an object.
        * runtime/PropertyDescriptor.cpp:
        (JSC::PropertyDescriptor::attributesWithOverride):
            - When redefining an accessor to a data decriptor, if writable is not specified we should default to false.
        (JSC::PropertyDescriptor::attributesOverridingCurrent):
            - When redefining an accessor to a data decriptor, if writable is not specified we should default to false.
        * runtime/Structure.cpp:
        (JSC::Structure::freezeTransition):
            - 'freezeTransition' shouldn't be setting the ReadOnly bit for accessor descriptors (we presently always keep this bit as 'false').
        (JSC::Structure::isFrozen):
            - 'isFrozen' shouldn't be checking the ReadOnly bit for accessor descriptors (we presently always keep this bit as 'false').

2012-02-13  Filip Pizlo  <fpizlo@apple.com>

        DFG should not check the types of arguments that are dead
        https://bugs.webkit.org/show_bug.cgi?id=78518

        Reviewed by Geoff Garen.
        
        The argument checks are now elided if the corresponding SetArgument is dead,
        and the abstract value of the argument is set to bottom (None, []). This is
        performance neutral on the benchmarks we currently track.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::initialize):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):

2012-02-15  Oliver Hunt  <oliver@apple.com>

        Ensure that the DFG JIT always plants a CodeOrigin when making calls
        https://bugs.webkit.org/show_bug.cgi?id=78763

        Reviewed by Gavin Barraclough.

        Make all calls plant a CodeOrigin prior to the actual
        call.  Also clobbers the Interpreter with logic to ensure
        that the interpreter always plants a bytecode offset.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGJITCompiler.h:
        (CallBeginToken):
        (JSC::DFG::JITCompiler::beginJSCall):
        (JSC::DFG::JITCompiler::beginCall):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryBuildGetByIDList):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheck):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * interpreter/AbstractPC.cpp:
        (JSC::AbstractPC::AbstractPC):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::trueCallFrame):
        * interpreter/CallFrame.h:
        (JSC::ExecState::bytecodeOffsetForNonDFGCode):
        (ExecState):
        (JSC::ExecState::setBytecodeOffsetForNonDFGCode):
        (JSC::ExecState::codeOriginIndexForDFG):

2012-02-14  Oliver Hunt  <oliver@apple.com>

        Fix Interpreter.

        * runtime/Executable.cpp:
        (JSC):
        * runtime/Executable.h:
        (ExecutableBase):

2012-02-14  Matt Lilek  <mrl@apple.com>

        Don't ENABLE_DASHBOARD_SUPPORT unconditionally on all Mac platforms
        https://bugs.webkit.org/show_bug.cgi?id=78629

        Reviewed by David Kilzer.

        * Configurations/FeatureDefines.xcconfig:

2012-02-14  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, build fix for non-DFG platforms.

        * assembler/MacroAssembler.h:
        (MacroAssembler):

2012-02-14  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix build and configuration goof.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::invert):
        * dfg/DFGCommon.h:

2012-02-13  Filip Pizlo  <fpizlo@apple.com>

        DFG should be able to emit code on control flow edges
        https://bugs.webkit.org/show_bug.cgi?id=78515

        Reviewed by Gavin Barraclough.
        
        This gets us a few steps closer to being able to perform global register allocation,
        by allowing us to have landing pads on control flow edges. This will let us reshuffle
        registers if it happens to be necessary due to different reg alloc decisions in
        differen blocks.
        
        This also introduces the notion of a landing pad for OSR entry, which will allow us
        to emit code that places data into registers when we're entering into the DFG from
        the old JIT.
        
        Finally, this patch introduces a verification mode that checks that the landing pads
        are actually emitted and do actually work as advertised. When verification is disabled,
        this has no effect on behavior.

        * assembler/MacroAssembler.h:
        (MacroAssembler):
        (JSC::MacroAssembler::invert):
        (JSC::MacroAssembler::isInvertible):
        * dfg/DFGCommon.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::createOSREntries):
        (DFG):
        (JSC::DFG::SpeculativeJIT::linkOSREntries):
        (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::branchDouble):
        (JSC::DFG::SpeculativeJIT::branchDoubleNonZero):
        (JSC::DFG::SpeculativeJIT::branch32):
        (JSC::DFG::SpeculativeJIT::branchTest32):
        (JSC::DFG::SpeculativeJIT::branchPtr):
        (JSC::DFG::SpeculativeJIT::branchTestPtr):
        (JSC::DFG::SpeculativeJIT::branchTest8):
        (JSC::DFG::SpeculativeJIT::jump):
        (JSC::DFG::SpeculativeJIT::haveEdgeCodeToEmit):
        (JSC::DFG::SpeculativeJIT::emitEdgeCode):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):

2012-02-14  Filip Pizlo  <fpizlo@apple.com>

        Assertion failure under JSC::DFG::AbstractState::execute loading economist.com
        https://bugs.webkit.org/show_bug.cgi?id=78153
        <rdar://problem/10861712> <rdar://problem/10861947>

        Reviewed by Oliver Hunt.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileAdd):

2012-02-14  Eric Seidel  <eric@webkit.org>

        Upstream Android's additions to Platform.h
        https://bugs.webkit.org/show_bug.cgi?id=78536

        Reviewed by Adam Barth.

        * wtf/Platform.h:

2012-02-12  Mark Hahnenberg  <mhahnenberg@apple.com>

        Replace old strtod with new strtod
        https://bugs.webkit.org/show_bug.cgi?id=68044

        Reviewed by Geoffrey Garen.

        * parser/Lexer.cpp: Added template argument. This version allows junk after numbers.
        (JSC::::lex):
        * runtime/JSGlobalObjectFunctions.cpp: Ditto.
        (JSC::parseInt):
        (JSC::jsStrDecimalLiteral):
        * runtime/LiteralParser.cpp: Ditto.
        (JSC::::Lexer::lexNumber):
        * wtf/dtoa.cpp: Replaced old strtod with a new version that uses the new StringToDoubleConverter.
        It takes a template argument to allow clients to determine statically whether it should allow 
        junk after the numbers or not.
        (WTF):
        (WTF::strtod):
        * wtf/dtoa.h:
        (WTF):
        * wtf/text/WTFString.cpp: Added template argument. This version does not allow junk after numbers.
        (WTF::toDoubleType):

2012-02-13  Mark Hahnenberg  <mhahnenberg@apple.com>

        More windows build fixing

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-02-13  Oliver Hunt  <oliver@apple.com>

        Executing out of bounds in JSC::Yarr::YarrCodeBlock::execute / JSC::RegExp::match
        https://bugs.webkit.org/show_bug.cgi?id=76315

        Reviewed by Gavin Barraclough.

        Perform a 3 byte compare using two comparisons, rather than trying to perform the
        operation with a four byte load.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):

2012-02-13  Mark Hahnenberg  <mhahnenberg@apple.com>

        Windows build fix

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-02-12  Mark Hahnenberg  <mhahnenberg@apple.com>

        Replace old strtod with new strtod
        https://bugs.webkit.org/show_bug.cgi?id=68044

        Reviewed by Geoffrey Garen.

        * parser/Lexer.cpp: Added template argument. This version allows junk after numbers.
        (JSC::::lex):
        * runtime/JSGlobalObjectFunctions.cpp: Ditto.
        (JSC::parseInt):
        (JSC::jsStrDecimalLiteral):
        * runtime/LiteralParser.cpp: Ditto.
        (JSC::::Lexer::lexNumber):
        * wtf/dtoa.cpp: Replaced old strtod with a new version that uses the new StringToDoubleConverter.
        It takes a template argument to allow clients to determine statically whether it should allow 
        junk after the numbers or not.
        (WTF):
        (WTF::strtod):
        * wtf/dtoa.h:
        (WTF):
        * wtf/text/WTFString.cpp: Added template argument. This version does not allow junk after numbers.
        (WTF::toDoubleType):

2012-02-13  Sam Weinig  <sam@webkit.org>

        Move JSC related assertions out of Assertions.h and into their own header
        https://bugs.webkit.org/show_bug.cgi?id=78508

        Reviewed by Gavin Barraclough.

        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        Add GCAssertions.h

        * heap/GCAssertions.h: Added.
        Move assertions here.

        * runtime/WriteBarrier.h:
        Add #include of GCAssertions.h

        * wtf/Assertions.h:
        Remove JSC related assertions.

        * wtf/Compiler.h:
        Add compiler check for __has_trivial_destructor.

2012-02-13  Chao-ying Fu  <fu@mips.com>

        Update MIPS patchOffsetGetByIdSlowCaseCall
        https://bugs.webkit.org/show_bug.cgi?id=78392

        Reviewed by Gavin Barraclough.

        * jit/JIT.h:
        (JIT):

2012-02-13  Patrick Gansterer  <paroga@webkit.org>

        Remove obsolete #if from ThreadSpecific.h
        https://bugs.webkit.org/show_bug.cgi?id=78485

        Reviewed by Adam Roben.

        Since alle platform use either pthread or Win32 for threading,
        we can remove all PLATFORM() preprocessor statements.

        * wtf/ThreadSpecific.h:
        (ThreadSpecific):

2012-02-13  Jessie Berlin  <jberlin@apple.com>

        Fix the Windows build.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-02-13  Sam Weinig  <sam@webkit.org>

        Use C11's _Static_assert for COMPILE_ASSERT if it is available
        https://bugs.webkit.org/show_bug.cgi?id=78506

        Rubber-stamped by Antti Koivisto.

        Use C11's _Static_assert for COMPILE_ASSERT if it is available to give slightly
        better error messages.

        * wtf/Assertions.h:
        Use _Static_assert if it is available.

        * wtf/Compiler.h:
        Add COMPILER_SUPPORTS support for _Static_assert when using the LLVM Compiler.

2012-02-13  Mario Sanchez Prada  <msanchez@igalia.com>

        [GTK] Add GSList to the list of GObject types in GOwnPtr
        https://bugs.webkit.org/show_bug.cgi?id=78487

        Reviewed by Philippe Normand.

        Handle the GSList type in GOwnPtr, by calling g_slist_free in the
        implementation of the freeOwnedGPtr template function.

        * wtf/gobject/GOwnPtr.cpp:
        (WTF::GSList):
        (WTF):
        * wtf/gobject/GOwnPtr.h:
        (WTF):
        * wtf/gobject/GTypedefs.h:

2012-02-06  Raphael Kubo da Costa  <kubo@profusion.mobi>

        [EFL] Drop support for the Curl network backend.
        https://bugs.webkit.org/show_bug.cgi?id=77874

        Reviewed by Eric Seidel.

        Nobody seems to be maintaining the Curl backend in WebCore, the
        EFL port developers all seem to be using the Soup backend and the
        port itself has many features which are only implemented for the
        latter.

        * wtf/PlatformEfl.cmake: Always build the gobject-dependent source
        files.

2012-02-13  Patrick Gansterer  <paroga@webkit.org>

        Unreviewed. Build fix for !ENABLE(JIT) after r107485.

        * bytecode/PolymorphicPutByIdList.cpp:

2012-02-13  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=78434
        Unreviewed - temporarily reverting r107498 will I fix a couple of testcases.

        * parser/Parser.cpp:
        (JSC::::parseFunctionInfo):
        * runtime/ClassInfo.h:
        (MethodTable):
        (JSC):
        * runtime/JSCell.cpp:
        (JSC):
        * runtime/JSCell.h:
        (JSCell):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC):
        * runtime/JSGlobalObjectFunctions.h:
        (JSC):
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        (JSC):
        (JSC::JSObject::putDirectAccessor):
        (JSC::JSObject::defineOwnProperty):
        * runtime/JSObject.h:
        (JSC::JSObject::inlineGetOwnPropertySlot):
        (JSC::JSValue::get):
        * runtime/JSString.cpp:
        (JSC::JSString::getOwnPropertySlot):
        * runtime/JSValue.h:
        (JSValue):
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetPrototypeOf):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        * runtime/Structure.h:
        (JSC::Structure::setHasGetterSetterProperties):
        (Structure):

2012-02-12  Ashod Nakashian  <ashodnakashian@yahoo.com>

        KeywordLookupGenerator.py script fails in some cases
        https://bugs.webkit.org/show_bug.cgi?id=77886

        Reviewed by Benjamin Poulain.

        * parser/Keywords.table: Converted to LF-only.

2012-02-12  Shinya Kawanaka  <shinyak@google.com>

        Introduce ShadowRootList.
        https://bugs.webkit.org/show_bug.cgi?id=78069

        Reviewed by Hajime Morita.

        DoublyLinkedList should have tail() method to take the last element.

        * wtf/DoublyLinkedList.h:
        (DoublyLinkedList):
        (WTF::::tail):
        (WTF):

2012-02-12  Raphael Kubo da Costa  <kubo@profusion.mobi>

        [CMake] Move source files in WTF_HEADERS to WTF_SOURCES.
        https://bugs.webkit.org/show_bug.cgi?id=78436

        Reviewed by Daniel Bates.

        * wtf/CMakeLists.txt: Move .cpp files from WTF_HEADERS to WTF_SOURCES,
        and correctly sort the files which start with 'M'.

2012-02-12  Sam Weinig  <sam@webkit.org>

        Move the NumberOfCores.h/cpp files into the WTF group of JavaScriptCore.xcodeproj.

        Rubber-stamped by Anders Carlsson.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2012-02-12  Raphael Kubo da Costa  <kubo@profusion.mobi>

        [CMake] Remove unused or empty variable definitions.
        https://bugs.webkit.org/show_bug.cgi?id=78437

        Reviewed by Daniel Bates.

        * CMakeLists.txt: Remove unused JavaScriptCore_HEADERS definition.
        * shell/CMakeLists.txt: Remove unused JSC_HEADERS definition.
        * wtf/CMakeLists.txt: Remove empty WTF_LIBRARIES definition, it will
        be defined later by Platform*.cmake via LIST(APPEND WTF_LIBRARIES).

2012-02-12  Filip Pizlo  <fpizlo@apple.com>

        DFG::SpeculativeJIT calls fprintf() instead of dataLog in terminateSpeculativeExecution()
        https://bugs.webkit.org/show_bug.cgi?id=78431

        Reviewed by Gavin Barraclough.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):

2012-02-11  Benjamin Poulain  <benjamin@webkit.org>

        Add back WTFURL to WebKit
        https://bugs.webkit.org/show_bug.cgi?id=77291

        Reviewed by Adam Barth.

        WTFURL was removed from WebKit in r86787.

        This patch adds the code back to WTF with the following changes:
        -Guard the feature with USE(WTFURL).
        -Change the typename CHAR to CharacterType to follow recent WebKit conventions.
        -Fix some coding style to make check-webkit-style happy.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * wtf/Platform.h:
        * wtf/url/api/ParsedURL.cpp: Added.
        (WTF):
        (WTF::ParsedURL::ParsedURL):
        (WTF::ParsedURL::scheme):
        (WTF::ParsedURL::username):
        (WTF::ParsedURL::password):
        (WTF::ParsedURL::host):
        (WTF::ParsedURL::port):
        (WTF::ParsedURL::path):
        (WTF::ParsedURL::query):
        (WTF::ParsedURL::fragment):
        (WTF::ParsedURL::segment):
        * wtf/url/api/ParsedURL.h: Added.
        (WTF):
        (ParsedURL):
        (WTF::ParsedURL::spec):
        * wtf/url/api/URLString.h: Added.
        (WTF):
        (URLString):
        (WTF::URLString::URLString):
        (WTF::URLString::string):
        * wtf/url/src/RawURLBuffer.h: Added.
        (WTF):
        (RawURLBuffer):
        (WTF::RawURLBuffer::RawURLBuffer):
        (WTF::RawURLBuffer::~RawURLBuffer):
        (WTF::RawURLBuffer::resize):
        * wtf/url/src/URLBuffer.h: Added.
        (WTF):
        (URLBuffer):
        (WTF::URLBuffer::URLBuffer):
        (WTF::URLBuffer::~URLBuffer):
        (WTF::URLBuffer::at):
        (WTF::URLBuffer::set):
        (WTF::URLBuffer::capacity):
        (WTF::URLBuffer::length):
        (WTF::URLBuffer::data):
        (WTF::URLBuffer::setLength):
        (WTF::URLBuffer::append):
        (WTF::URLBuffer::grow):
        * wtf/url/src/URLCharacterTypes.cpp: Added.
        (WTF):
        ():
        * wtf/url/src/URLCharacterTypes.h: Added.
        (WTF):
        (URLCharacterTypes):
        (WTF::URLCharacterTypes::isQueryChar):
        (WTF::URLCharacterTypes::isIPv4Char):
        (WTF::URLCharacterTypes::isHexChar):
        ():
        (WTF::URLCharacterTypes::isCharOfType):
        * wtf/url/src/URLComponent.h: Added.
        (WTF):
        (URLComponent):
        (WTF::URLComponent::URLComponent):
        (WTF::URLComponent::fromRange):
        (WTF::URLComponent::isValid):
        (WTF::URLComponent::isNonEmpty):
        (WTF::URLComponent::isEmptyOrInvalid):
        (WTF::URLComponent::reset):
        (WTF::URLComponent::operator==):
        (WTF::URLComponent::begin):
        (WTF::URLComponent::setBegin):
        (WTF::URLComponent::length):
        (WTF::URLComponent::setLength):
        (WTF::URLComponent::end):
        * wtf/url/src/URLEscape.cpp: Added.
        (WTF):
        ():
        * wtf/url/src/URLEscape.h: Added.
        (WTF):
        (WTF::appendURLEscapedCharacter):
        * wtf/url/src/URLParser.h: Added.
        (WTF):
        (URLParser):
        ():
        (WTF::URLParser::isPossibleAuthorityTerminator):
        (WTF::URLParser::parseAuthority):
        (WTF::URLParser::extractScheme):
        (WTF::URLParser::parseAfterScheme):
        (WTF::URLParser::parseStandardURL):
        (WTF::URLParser::parsePath):
        (WTF::URLParser::parsePathURL):
        (WTF::URLParser::parseMailtoURL):
        (WTF::URLParser::parsePort):
        (WTF::URLParser::extractFileName):
        (WTF::URLParser::extractQueryKeyValue):
        (WTF::URLParser::isURLSlash):
        (WTF::URLParser::shouldTrimFromURL):
        (WTF::URLParser::trimURL):
        (WTF::URLParser::consecutiveSlashes):
        (WTF::URLParser::isPortDigit):
        (WTF::URLParser::nextAuthorityTerminator):
        (WTF::URLParser::parseUserInfo):
        (WTF::URLParser::parseServerInfo):
        * wtf/url/src/URLQueryCanonicalizer.h: Added.
        (WTF):
        (URLQueryCanonicalizer):
        (WTF::URLQueryCanonicalizer::canonicalize):
        (WTF::URLQueryCanonicalizer::isAllASCII):
        (WTF::URLQueryCanonicalizer::isRaw8Bit):
        (WTF::URLQueryCanonicalizer::appendRaw8BitQueryString):
        (WTF::URLQueryCanonicalizer::convertToQueryEncoding):
        * wtf/url/src/URLSegments.cpp: Added.
        (WTF):
        (WTF::URLSegments::length):
        (WTF::URLSegments::charactersBefore):
        * wtf/url/src/URLSegments.h: Added.
        (WTF):
        (URLSegments):
        ():
        (WTF::URLSegments::URLSegments):

2012-02-11  Filip Pizlo  <fpizlo@apple.com>

        Old JIT put_by_id profiling counts every put_by_id_transition as taking slow path
        https://bugs.webkit.org/show_bug.cgi?id=78430
        <rdar://problem/10849469> <rdar://problem/10849684>

        Reviewed by Gavin Barraclough.
        
        The old JIT's put_by_id transition caching involves repatching the slow call to
        a generated stub. That means that the call is counted as "slow case". So, this
        patch inserts code to decrement the slow case count if the stub succeeds.
        
        Looks like a ~1% speed-up on V8.

        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::privateCompilePutByIdTransition):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::privateCompilePutByIdTransition):

2012-02-11  Filip Pizlo  <fpizlo@apple.com>

        Build fix for Qt.

        * wtf/DataLog.h:

2012-02-11  Filip Pizlo  <fpizlo@apple.com>

        It should be possible to send all JSC debug logging to a file
        https://bugs.webkit.org/show_bug.cgi?id=78418

        Reviewed by Sam Weinig.
        
        Introduced wtf/DataLog, which defines WTF::dataFile, WTF::dataLog,
        and WTF::dataLogV. Changed all debugging- and profiling-related printfs
        to use WTF::dataLog() or one of its friends. By default, debug logging
        goes to stderr, unless you change the setting in wtf/DataLog.cpp.

        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::dumpLinkStatistics):
        (JSC::LinkBuffer::dumpCode):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::vprintfStdoutInstr):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printUnaryOp):
        (JSC::CodeBlock::printBinaryOp):
        (JSC::CodeBlock::printConditionalJump):
        (JSC::CodeBlock::printGetByIdOp):
        (JSC::CodeBlock::printCallOp):
        (JSC::CodeBlock::printPutByIdOp):
        (JSC::printGlobalResolveInfo):
        (JSC::printStructureStubInfo):
        (JSC::CodeBlock::printStructure):
        (JSC::CodeBlock::printStructures):
        (JSC::CodeBlock::dump):
        (JSC::CodeBlock::dumpStatistics):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::shouldOptimizeNow):
        (JSC::CodeBlock::tallyFrequentExitSites):
        (JSC::CodeBlock::dumpValueProfiles):
        * bytecode/Opcode.cpp:
        (JSC::OpcodeStats::~OpcodeStats):
        * bytecode/SamplingTool.cpp:
        (JSC::SamplingFlags::stop):
        (JSC::SamplingRegion::dumpInternal):
        (JSC::SamplingTool::dump):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::endBasicBlock):
        (JSC::DFG::AbstractState::mergeStateAtTail):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
        (JSC::DFG::ByteCodeParser::makeSafe):
        (JSC::DFG::ByteCodeParser::makeDivSafe):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::processPhiStack):
        (JSC::DFG::ByteCodeParser::linkBlock):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGCommon.h:
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::printWhiteSpace):
        (JSC::DFG::Graph::dumpCodeOrigin):
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::predictArgumentTypes):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOperations.cpp:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::fixpoint):
        (JSC::DFG::Propagator::propagateArithNodeFlags):
        (JSC::DFG::Propagator::propagateArithNodeFlagsForward):
        (JSC::DFG::Propagator::propagateArithNodeFlagsBackward):
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::propagatePredictionsForward):
        (JSC::DFG::Propagator::propagatePredictionsBackward):
        (JSC::DFG::Propagator::doRoundOfDoubleVoting):
        (JSC::DFG::Propagator::fixupNode):
        (JSC::DFG::Propagator::fixup):
        (JSC::DFG::Propagator::startIndexForChildren):
        (JSC::DFG::Propagator::endIndexForPureCSE):
        (JSC::DFG::Propagator::setReplacement):
        (JSC::DFG::Propagator::eliminate):
        (JSC::DFG::Propagator::performNodeCSE):
        (JSC::DFG::Propagator::localCSE):
        (JSC::DFG::Propagator::allocateVirtualRegisters):
        (JSC::DFG::Propagator::performBlockCFA):
        (JSC::DFG::Propagator::performForwardCFA):
        * dfg/DFGRegisterBank.h:
        (JSC::DFG::RegisterBank::dump):
        * dfg/DFGScoreBoard.h:
        (JSC::DFG::ScoreBoard::dump):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::dump):
        (JSC::DFG::SpeculativeJIT::checkConsistency):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        * heap/Heap.cpp:
        (JSC::Heap::destroy):
        * heap/MarkedBlock.h:
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::dumpCaller):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::dumpRegisters):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::privateCompile):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * profiler/Profile.cpp:
        (JSC::Profile::debugPrintData):
        (JSC::Profile::debugPrintDataSampleStyle):
        * profiler/ProfileNode.cpp:
        (JSC::ProfileNode::debugPrintData):
        (JSC::ProfileNode::debugPrintDataSampleStyle):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::dumpRegExpTrace):
        * runtime/RegExp.cpp:
        (JSC::RegExp::matchCompareWithInterpreter):
        * runtime/SamplingCounter.cpp:
        (JSC::AbstractSamplingCounter::dump):
        * runtime/SamplingCounter.h:
        (JSC::DeletableSamplingCounter::~DeletableSamplingCounter):
        * runtime/ScopeChain.cpp:
        (JSC::ScopeChainNode::print):
        * runtime/Structure.cpp:
        (JSC::Structure::dumpStatistics):
        (JSC::PropertyMapStatisticsExitLogger::~PropertyMapStatisticsExitLogger):
        * tools/CodeProfile.cpp:
        (JSC::CodeProfile::report):
        * tools/ProfileTreeNode.h:
        (JSC::ProfileTreeNode::dumpInternal):
        * wtf/CMakeLists.txt:
        * wtf/DataLog.cpp: Added.
        (WTF):
        (WTF::initializeLogFileOnce):
        (WTF::initializeLogFile):
        (WTF::dataFile):
        (WTF::dataLogV):
        (WTF::dataLog):
        * wtf/DataLog.h: Added.
        (WTF):
        * wtf/HashTable.cpp:
        (WTF::HashTableStats::~HashTableStats):
        * wtf/MetaAllocator.cpp:
        (WTF::MetaAllocator::dumpProfile):
        * wtf/text/WTFString.cpp:
        (String::show):
        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::ByteCompiler::dumpDisjunction):

2012-02-11  Gavin Barraclough  <barraclough@apple.com>

        Move special __proto__ property to Object.prototype
        https://bugs.webkit.org/show_bug.cgi?id=78409

        Reviewed by Oliver Hunt.

        Re-implement this as a regular accessor property.  This has three key benefits:
        1) It makes it possible for objects to be given properties named __proto__.
        2) Object.prototype.__proto__ can be deleted, preventing object prototypes from being changed.
        3) This largely removes the magic used the implement __proto__, it can just be made a regular accessor property.

        * parser/Parser.cpp:
        (JSC::::parseFunctionInfo):
            - No need to prohibit functions named __proto__.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
            - Add __proto__ accessor to Object.prototype.
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncProtoGetter):
        (JSC::globalFuncProtoSetter):
            - Definition of the __proto__ accessor functions.
        * runtime/JSGlobalObjectFunctions.h:
            - Declaration of the __proto__ accessor functions.
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
            - Remove the special handling for __proto__, there is still a check to allow for a fast guard for accessors excluding __proto__.
        (JSC::JSObject::putDirectAccessor):
            - Track on the structure whether an object contains accessors other than one for __proto__.
        (JSC::JSObject::defineOwnProperty):
            - No need to prohibit definition of own properties named __proto__.
        * runtime/JSObject.h:
        (JSC::JSObject::inlineGetOwnPropertySlot):
            - Remove the special handling for __proto__.
        (JSC::JSValue::get):
            - Remove the special handling for __proto__.
        * runtime/JSString.cpp:
        (JSC::JSString::getOwnPropertySlot):
            - Remove the special handling for __proto__.
        * runtime/JSValue.h:
        (JSValue):
            - Made synthesizePrototype public (this may be needed by the __proto__ getter).
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetPrototypeOf):
            - Perform the security check & call prototype() directly.
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
            - Added 'ExcludingProto' variant of the 'hasGetterSetterProperties' state.
        * runtime/Structure.h:
        (JSC::Structure::hasGetterSetterPropertiesExcludingProto):
        (JSC::Structure::setHasGetterSetterProperties):
        (Structure):
            - Added 'ExcludingProto' variant of the 'hasGetterSetterProperties' state.

2012-02-11  Filip Pizlo  <fpizlo@apple.com>

        DFG CFA assumes that a WeakJSConstant's structure is known
        https://bugs.webkit.org/show_bug.cgi?id=78428
        <rdar://problem/10849492> <rdar://problem/10849621>

        Reviewed by Gavin Barraclough.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):

2012-02-11  Mark Hahnenberg  <mhahnenberg@apple.com>

        Qt debug build fix

        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::callDestructor): Platforms that don't use clang will allocate 
        JSFinalObjects in the destuctor subspace, so we should remove this assert so it 
        doesn't cause crashes.

2012-02-11  Filip Pizlo  <fpizlo@apple.com>

        Old 32_64 JIT should assert that its use of map() is consistent with the DFG
        OSR exit's expectations
        https://bugs.webkit.org/show_bug.cgi?id=78419
        <rdar://problem/10817121>

        Reviewed by Oliver Hunt.

        * jit/JITInlineMethods.h:
        (JSC::JIT::map):

2012-02-11  Mark Hahnenberg  <mhahnenberg@apple.com>

        Reduce the reentrancy limit of the interpreter for the iOS simulator
        https://bugs.webkit.org/show_bug.cgi?id=78400

        Reviewed by Gavin Barraclough.

        * interpreter/Interpreter.h: Lowered the maximum reentrancy limit for large thread stacks.
        (JSC):

2012-02-11  Filip Pizlo  <fpizlo@apple.com>

        [DFG] Misuse of WeakJSConstants in silentFillGPR code.
        https://bugs.webkit.org/show_bug.cgi?id=78423
        <rdar://problem/10849353> <rdar://problem/10804043>

        Reviewed by Sam Weinig.
        
        The code was using Node::isConstant(), when it was supposed to use Node::hasConstant().
        This patch is a surgical fix; the bigger problem is: why do we have isConstant() and
        hasConstant() when hasConstant() is correct and isConstant() is almost always wrong?

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::silentFillGPR):

2012-02-11  Sam Weinig  <sam@webkit.org>

        Prepare JavaScriptCore to build with libc++
        <rdar://problem/10426673>
        https://bugs.webkit.org/show_bug.cgi?id=78424

        Reviewed by Anders Carlsson.

        * wtf/NullPtr.cpp:
        * wtf/NullPtr.h:
        libc++ provides std::nullptr emulation, so we don't have to.

2012-02-07  Filip Pizlo  <fpizlo@apple.com>

        DFG should have polymorphic put_by_id caching
        https://bugs.webkit.org/show_bug.cgi?id=78062
        <rdar://problem/10326439> <rdar://problem/10824839>

        Reviewed by Oliver Hunt.
        
        Implemented polymorphic put_by_id caching in the DFG, and added much of the
        machinery that would be needed to implement it in the old JIT as well.
        
        I decided against using the old PolymorphicAccessStructureList mechanism as
        this didn't quite fit with put_by_id. In particular, I wanted the ability to
        have one list that captured all relevant cases (including proto put_by_id
        if we ever decided to do it). And I wanted the code to have better
        encapsulation. And I didn't want to get confused by the fact that the
        original (non-list) put_by_id cache may itself consist of a stub routine.
        
        This code is still sub-optimal (for example adding a replace to a list whose
        previous elements are all transitions should just repatch the original code,
        but here it will generate a stub) but it already generates a >20% speed-up
        on V8-splay, leading to a 2% win overall in splay. Neutral elsewhere.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/PolymorphicPutByIdList.cpp: Added.
        (JSC):
        (JSC::PutByIdAccess::fromStructureStubInfo):
        (JSC::PutByIdAccess::visitWeak):
        (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
        (JSC::PolymorphicPutByIdList::from):
        (JSC::PolymorphicPutByIdList::~PolymorphicPutByIdList):
        (JSC::PolymorphicPutByIdList::isFull):
        (JSC::PolymorphicPutByIdList::isAlmostFull):
        (JSC::PolymorphicPutByIdList::addAccess):
        (JSC::PolymorphicPutByIdList::visitWeak):
        * bytecode/PolymorphicPutByIdList.h: Added.
        (JSC):
        (PutByIdAccess):
        (JSC::PutByIdAccess::PutByIdAccess):
        (JSC::PutByIdAccess::transition):
        (JSC::PutByIdAccess::replace):
        (JSC::PutByIdAccess::isSet):
        (JSC::PutByIdAccess::operator!):
        (JSC::PutByIdAccess::type):
        (JSC::PutByIdAccess::isTransition):
        (JSC::PutByIdAccess::isReplace):
        (JSC::PutByIdAccess::oldStructure):
        (JSC::PutByIdAccess::structure):
        (JSC::PutByIdAccess::newStructure):
        (JSC::PutByIdAccess::chain):
        (JSC::PutByIdAccess::stubRoutine):
        (PolymorphicPutByIdList):
        (JSC::PolymorphicPutByIdList::currentSlowPathTarget):
        (JSC::PolymorphicPutByIdList::isEmpty):
        (JSC::PolymorphicPutByIdList::size):
        (JSC::PolymorphicPutByIdList::at):
        (JSC::PolymorphicPutByIdList::operator[]):
        (JSC::PolymorphicPutByIdList::kind):
        * bytecode/PutKind.h: Added.
        (JSC):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::deref):
        (JSC::StructureStubInfo::visitWeakReferences):
        * bytecode/StructureStubInfo.h:
        (JSC):
        (JSC::isPutByIdAccess):
        (JSC::StructureStubInfo::initPutByIdList):
        (StructureStubInfo):
        (JSC::StructureStubInfo::reset):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        (DFG):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::appropriateGenericPutByIdFunction):
        (JSC::DFG::appropriateListBuildingPutByIdFunction):
        (DFG):
        (JSC::DFG::emitPutReplaceStub):
        (JSC::DFG::emitPutTransitionStub):
        (JSC::DFG::tryCachePutByID):
        (JSC::DFG::dfgRepatchPutByID):
        (JSC::DFG::tryBuildPutByIdList):
        (JSC::DFG::dfgBuildPutByIdList):
        (JSC::DFG::dfgResetPutByID):
        * dfg/DFGRepatch.h:
        (DFG):
        * runtime/WriteBarrier.h:
        (WriteBarrierBase):
        (JSC::WriteBarrierBase::copyFrom):

2012-02-10  Vineet Chaudhary  <rgf748@motorola.com>

        https://bugs.webkit.org/show_bug.cgi?id=72756
        DOMHTMLElement’s accessKey property is declared as available in WebKit version that didn’t have it 

        Reviewed by Timothy Hatcher.

        * API/WebKitAvailability.h: Added AVAILABLE_AFTER_WEBKIT_VERSION_5_1 and
          AVAILABLE_WEBKIT_VERSION_1_3_AND_LATER_BUT_DEPRECATED_AFTER_WEBKIT_VERSION_5_1 for the new versions.

2012-02-10  Mark Hahnenberg  <mhahnenberg@apple.com>

        Fixing windows build

        Unreviewed build fix

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-02-10  Adam Klein  <adamk@chromium.org>

        Enable MUTATION_OBSERVERS by default on all platforms
        https://bugs.webkit.org/show_bug.cgi?id=78196

        Reviewed by Ojan Vafai.

        * Configurations/FeatureDefines.xcconfig:

2012-02-10  Yong Li  <yoli@rim.com>

        ENABLE(ASSEMBLER_WX_EXCLUSIVE): LinkBuffer can leave pages not marked as executable.
        https://bugs.webkit.org/show_bug.cgi?id=76724

        Reviewed by Rob Buis.

        This issue only exists when both ENABLE(ASSEMBLER_WX_EXCLUSIVE) and ENABLE(BRANCH_COMPACTION) are on.
        The size used to call makeExecutable can be smaller than the one that was used for makeWritable.
        So it can leave pages behind that are not set back to default flags. When an assembly on one of those
        pages is executed or JIT returns to those pages in the case it was already executing from there, the
        software will crash.

        * assembler/LinkBuffer.h: Add m_initialSize and use it in performFinalization().
        (JSC::LinkBuffer::LinkBuffer):
        (JSC::LinkBuffer::linkCode):
        (JSC::LinkBuffer::performFinalization):
        (LinkBuffer):

2012-02-10  Mark Hahnenberg  <mhahnenberg@apple.com>

        Split MarkedSpace into destructor and destructor-free subspaces
        https://bugs.webkit.org/show_bug.cgi?id=77761

        Reviewed by Geoffrey Garen.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::emitAllocateJSFinalObject): Switched over to use destructor-free space.
        * heap/Heap.h:
        (JSC::Heap::allocatorForObjectWithoutDestructor): Added to give clients (e.g. the JIT) the ability to 
        pick which subspace they want to allocate out of.
        (JSC::Heap::allocatorForObjectWithDestructor): Ditto.
        (Heap):
        (JSC::Heap::allocateWithDestructor): Added private function for CellAllocator to use.
        (JSC):
        (JSC::Heap::allocateWithoutDestructor): Ditto.
        * heap/MarkedAllocator.cpp: Added the cellsNeedDestruction flag to allocators so that they can allocate 
        their MarkedBlocks correctly.
        (JSC::MarkedAllocator::allocateBlock):
        * heap/MarkedAllocator.h:
        (JSC::MarkedAllocator::cellsNeedDestruction):
        (MarkedAllocator):
        (JSC::MarkedAllocator::MarkedAllocator):
        (JSC):
        (JSC::MarkedAllocator::init): Replaced custom set functions, which were only used upon initialization, with
        an init function that does all of that stuff in fewer lines.
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::create):
        (JSC::MarkedBlock::recycle):
        (JSC::MarkedBlock::MarkedBlock):
        (JSC::MarkedBlock::callDestructor): Templatized, along with specializedSweep and sweepHelper, to make 
        checking the m_cellsNeedDestructor flag faster and cleaner looking.
        (JSC):
        (JSC::MarkedBlock::specializedSweep):
        (JSC::MarkedBlock::sweep):
        (JSC::MarkedBlock::sweepHelper):
        * heap/MarkedBlock.h:
        (MarkedBlock):
        (JSC::MarkedBlock::cellsNeedDestruction):
        (JSC):
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::MarkedSpace):
        (JSC::MarkedSpace::resetAllocators):
        (JSC::MarkedSpace::canonicalizeCellLivenessData):
        (JSC::TakeIfUnmarked::operator()):
        * heap/MarkedSpace.h:
        (MarkedSpace):
        (Subspace):
        (JSC::MarkedSpace::allocatorFor): Needed function to differentiate between the two broad subspaces of 
        allocators.
        (JSC):
        (JSC::MarkedSpace::destructorAllocatorFor): Ditto.
        (JSC::MarkedSpace::allocateWithoutDestructor): Ditto.
        (JSC::MarkedSpace::allocateWithDestructor): Ditto.
        (JSC::MarkedSpace::forEachBlock):
        * jit/JIT.h:
        * jit/JITInlineMethods.h: Modified to use the proper allocator for JSFinalObjects and others.
        (JSC::JIT::emitAllocateBasicJSObject):
        (JSC::JIT::emitAllocateJSFinalObject):
        (JSC::JIT::emitAllocateJSFunction):
        * runtime/JSArray.cpp:
        (JSC):
        * runtime/JSArray.h:
        (JSArray):
        (JSC::JSArray::create):
        (JSC):
        (JSC::JSArray::tryCreateUninitialized):
        * runtime/JSCell.h:
        (JSCell):
        (JSC):
        (NeedsDestructor): Template struct that calculates at compile time whether the class in question requires 
        destruction or not using the compiler type trait __has_trivial_destructor. allocateCell then checks this 
        constant to decide whether to allocate in the destructor or destructor-free parts of the heap.
        (JSC::allocateCell): 
        * runtime/JSFunction.cpp:
        (JSC):
        * runtime/JSFunction.h:
        (JSFunction):
        * runtime/JSObject.cpp:
        (JSC):
        * runtime/JSObject.h:
        (JSNonFinalObject):
        (JSC):
        (JSFinalObject):
        (JSC::JSFinalObject::create):

2012-02-10  Adrienne Walker  <enne@google.com>

        Remove implicit copy constructor usage in HashMaps with OwnPtr
        https://bugs.webkit.org/show_bug.cgi?id=78071

        Reviewed by Darin Adler.

        Change the return type of emptyValue() in PairHashTraits to be the
        actual type returned rather than the trait type to avoid an implicit
        generation of the OwnPtr copy constructor. This happens for hash
        traits involving OwnPtr where the empty value is not zero and each
        hash bucket needs to be initialized with emptyValue().

        Also, update StructureTransitionTable to use default hash traits
        rather than rolling its own, in order to update it to handle
        EmptyValueType.

        Test: patch from bug 74154 compiles on Clang with this patch

        * runtime/StructureTransitionTable.h:
        (StructureTransitionTable):
        * wtf/HashTraits.h:
        (GenericHashTraits):
        (PairHashTraits):
        (WTF::PairHashTraits::emptyValue):

2012-02-10  Aron Rosenberg  <arosenberg@logitech.com>

        [Qt] Fix compiler warning in Visual Studio 2010 about TR1
        https://bugs.webkit.org/show_bug.cgi?id=63642

        Reviewed by Simon Hausmann.

        * JavaScriptCore.pri:

2012-02-10  Michael Saboff  <msaboff@apple.com>

        Yarr assert with regexp where alternative in *-quantified group matches empty
        https://bugs.webkit.org/show_bug.cgi?id=67752        

        Reviewed by Gavin Barraclough.

        Added backtracking for the prior alternative if it matched
        but didn't consume any input characters.

        * yarr/YarrJIT.cpp:
        (YarrOp): New jump.
        (JSC::Yarr::YarrGenerator::generate): Emit conditional jump
        when an alternative matches and no input was consumed.  Moved the
        zero length match check for a set of alternatives to the alternative
        code from the parentheses cases to the alternative end cases.
        Converted the existing zero length checks in the parentheses cases
        to runtime assertion checks.
        (JSC::Yarr::YarrGenerator::backtrack): Link new jump to backtrack
        to prior term.

2012-02-10  Roland Takacs  <takacs.roland@stud.u-szeged.hu>

        [Qt] GC should be parallel on Qt platform
        https://bugs.webkit.org/show_bug.cgi?id=73309

        Reviewed by Zoltan Herczeg.

        These changes made the parallel gc feature available for Qt port.
        The implementation of "registerGCThread" and "isMainThreadOrGCThread",
        and a local static function [initializeGCThreads] is moved from
        MainThreadMac.mm to the common MainThread.cpp to make them available
        for other platforms.

        Measurement results:
        V8           speed-up:  1.025x as fast  [From: 663.4ms  To: 647.0ms ]
        V8 Splay     speed-up:  1.185x as fast  [From: 138.4ms  To: 116.8ms ]

        Tested on Intel(R) Core(TM) i5-2320 CPU @ 3.00GHz with 4-core.

        * JavaScriptCore.order:
        * wtf/MainThread.cpp:
        (WTF::initializeMainThread):
        (WTF):
        (WTF::initializeGCThreads):
        (WTF::registerGCThread):
        (WTF::isMainThreadOrGCThread):
        * wtf/MainThread.h:
        (WTF):
        * wtf/Platform.h:
        * wtf/mac/MainThreadMac.mm:
        (WTF):

2012-02-09  Andy Wingo  <wingo@igalia.com>

        Eliminate dead code in BytecodeGenerator::resolve()
        https://bugs.webkit.org/show_bug.cgi?id=78242

        Reviewed by Gavin Barraclough.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::resolve):
        BytecodeGenerator::shouldOptimizeLocals() is only true for
        FunctionCode, and thus cannot be true for GlobalCode.

2012-02-09  Andy Wingo  <wingo@igalia.com>

        Remove BytecodeGenerator::isLocal
        https://bugs.webkit.org/show_bug.cgi?id=78241

        Minor refactor to BytecodeGenerator.

        Reviewed by Gavin Barraclough.

        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::isLocal):
        (JSC::BytecodeGenerator::isLocalConstant): Remove now-unused
        methods.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ResolveNode::isPure): Use the ResolveResult mechanism
        instead of isLocal.  This will recognize more resolve nodes as
        being pure.
        (JSC::PrefixResolveNode::emitBytecode): Use isReadOnly on the
        location instead of isLocalConstant.

2012-02-09  Oliver Hunt  <oliver@apple.com>

        The JS Parser scope object needs a VectorTrait specialization
        https://bugs.webkit.org/show_bug.cgi?id=78308

        Reviewed by Gavin Barraclough.

        This showed up as a periodic crash in various bits of generated code
        originally, but I've added an assertion in the bytecode generator
        that makes the effected code much more crash-happy should it go
        wrong again.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::resolve):
        * parser/Parser.cpp:
        * parser/Parser.h:
        (JSC):
        * runtime/JSActivation.h:
        (JSC::JSActivation::isValidScopedLookup):
        (JSActivation):

2012-02-08  Oliver Hunt  <oliver@apple.com>

        Whoops, fix the build.

        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::FunctionExecutable):

2012-02-08  Oliver Hunt  <oliver@apple.com>

        Fix issue encountered while debugging stacktraces
        https://bugs.webkit.org/show_bug.cgi?id=78147

        Reviewed by Gavin Barraclough.

        Debugging is easier if we always ensure that we have a non-null
        inferred name.

        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::FunctionExecutable):

2012-02-08  Oliver Hunt  <oliver@apple.com>

        updateTopCallframe in the baseline JIT doesn't provide enough information to the stubs
        https://bugs.webkit.org/show_bug.cgi?id=78145

        Reviewed by Gavin Barraclough.

        Fix the updateTopCallFrame helper to store additional information
        that becomes necessary when we are trying to provide more stack
        frame information.

        * interpreter/CallFrame.h:
        (JSC::ExecState::bytecodeOffsetForBaselineJIT):
        (ExecState):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        (JSC::JIT::compileGetByIdProto):
        (JSC::JIT::compileGetByIdSelfList):
        (JSC::JIT::compileGetByIdProtoList):
        (JSC::JIT::compileGetByIdChainList):
        (JSC::JIT::compileGetByIdChain):
        (JSC::JIT::compilePutByIdTransition):
        (JIT):
        * jit/JITInlineMethods.h:
        (JSC::JIT::updateTopCallFrame):

2012-02-07  Robert Kroeger  <rjkroege@chromium.org>

        [chromium] Remove the enable marcro for the no longer necessary Chromium
        gesture recognizer.
        https://bugs.webkit.org/show_bug.cgi?id=77492

        Reviewed by Adam Barth.

        * wtf/Platform.h:

2012-02-07  Tony Chang  <tony@chromium.org>

        merge DashboardSupportCSSPropertyNames.in into CSSPropertyNames.in
        https://bugs.webkit.org/show_bug.cgi?id=78036

        Reviewed by Darin Adler.

        * Configurations/FeatureDefines.xcconfig: Add ENABLE_DASHBOARD_SUPPORT to FEATURE_DEFINES.

2012-02-07  Gyuyoung Kim  <gyuyoung.kim@samsung.com>

        [CMAKE] Use *bin* and *lib* directories for executable and libraries.
        https://bugs.webkit.org/show_bug.cgi?id=77928

        Reviewed by Daniel Bates.

        CMake has used *Programs* directory for executable. In addition, shared libraries are being
        built in source directory. It is better to set common places in order to maintain executable
        and libraries. *bin* is for executable and *lib* is for library.

        * shell/CMakeLists.txt: Change *Programs* with *bin*.

2012-02-07  Gavin Barraclough  <barraclough@apple.com>

        Crash on http://www.rickshawbags.com/
        https://bugs.webkit.org/show_bug.cgi?id=78045

        Reviewed by Darin Adler.

        Problem URL is: http://www.rickshawbags.com/customize/custom-bag#!thl=rickshaw/bag()
        
        This is a bug introduced by https://bugs.webkit.org/show_bug.cgi?id=71933,
        isVariableObject() checks were excluding StaticScopeObjects, this patch
        inadvertently changed them to be included.

        * runtime/JSType.h:
            - sort JSType enum such that StaticScopeObjectType comes before VariableObjectType,
              and thus is excluded from isVariableObject() checks.

2012-02-06  Jer Noble  <jer.noble@apple.com>

        Use CMClock as a timing source for PlatformClock where available.
        https://bugs.webkit.org/show_bug.cgi?id=77885

        Reviewed by Eric Carlson.

        * wtf/Platform.h: Added WTF_USE_COREMEDIA.

2012-02-06  Filip Pizlo  <fpizlo@apple.com>

        ValueToNumber and ValueToDouble nodes don't do anything and should be removed
        https://bugs.webkit.org/show_bug.cgi?id=77855
        <rdar://problem/10811325>

        Reviewed by Gavin Barraclough.
        
        Removed ValueToNumber and ValueToDouble, because the only thing they were doing
        was wasting registers.
        
        This looks like a 1% win on V8 (with a 5% win on crypto) and a 2-3% win on Kraken,
        mostly due to a >10% win on gaussian-blur. No win anywhere else.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getToInt32):
        (ByteCodeParser):
        (JSC::DFG::ByteCodeParser::handleMinMax):
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGNode.h:
        (DFG):
        (JSC::DFG::Node::hasArithNodeFlags):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateArithNodeFlags):
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::vote):
        (JSC::DFG::Propagator::doRoundOfDoubleVoting):
        (Propagator):
        (JSC::DFG::Propagator::fixupNode):
        (JSC::DFG::Propagator::canonicalize):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2012-02-06  Patrick Gansterer  <paroga@webkit.org>

        Unreviewed WinCE build fix after r106197.

        * tools/CodeProfiling.cpp:
        (JSC::CodeProfiling::notifyAllocator): getenv() isn't supported by WinCE. Don't call it.

2012-02-05  Gavin Barraclough  <barraclough@apple.com>

        Remove JSObject defineGetter/defineSetter lookupGetter/lookupSetter
        https://bugs.webkit.org/show_bug.cgi?id=77451

        Reviewed by Sam Weinig.

        These can now all be implemented in terms of defineOwnProperty & getPropertyDescriptor.
        Also remove initializeGetterSetterProperty, since this is equivalent to putDirectAccessor.

        * JavaScriptCore.exp:
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::defineOwnProperty):
        * debugger/DebuggerActivation.h:
        (DebuggerActivation):
        * runtime/ClassInfo.h:
        (MethodTable):
        (JSC):
        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::finishCreation):
        * runtime/JSCell.cpp:
        (JSC):
        * runtime/JSCell.h:
        (JSCell):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getOwnPropertySlot):
        (JSC::JSFunction::getOwnPropertyDescriptor):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::defineOwnProperty):
        (JSC):
        * runtime/JSGlobalObject.h:
        (JSGlobalObject):
        * runtime/JSObject.cpp:
        (JSC):
        * runtime/JSObject.h:
        (JSObject):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncDefineGetter):
        (JSC::objectProtoFuncDefineSetter):
        (JSC::objectProtoFuncLookupGetter):
        (JSC::objectProtoFuncLookupSetter):

2012-02-06  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix make distcheck.

        * GNUmakefile.list.am: Add missing files.

2012-02-05  Filip Pizlo  <fpizlo@apple.com>

        DFG's child references from one node to another should have room for type information
        https://bugs.webkit.org/show_bug.cgi?id=77797

        Reviewed by Oliver Hunt.
        
        The DFG::Node::child fields now contain both a DFG::NodeIndex (which is just an unsigned)
        and a DFG::UseKind (which is currently an effectively empty enum). They are encapsulated
        together as a DFG::NodeUse, which can in most cases still be used as an index (for
        example DFG::Graph, AbstractState, and SpeculativeJIT all accept NodeUse in most places
        where they really want a NodeIndex).
        
        The NodeUse stores both the index and the UseKind without bloating the memory usage of
        DFG::Node, since we really don't need full 32 bits for the NodeIndex (a DFG::Node is
        roughly 11 words, so if we assume that we never want to use more than 1GB to DFG compile
        something - likely a sensible assumption! - then we will only be able to have room for
        about 24 million nodes, which means we only need about 24.5 bits for the node index).
        Currently the DFG::NodeUse allocates 4 bits for the UseKind and 28 bits for the index,
        but stores the index as a signed number to make NoNode work naturally. Hence we really
        just have 27 bits for the index.
        
        This is performance-neutral on all benchmarks we track.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractState.h:
        (JSC::DFG::AbstractState::forNode):
        (AbstractState):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getLocal):
        (JSC::DFG::ByteCodeParser::getArgument):
        (JSC::DFG::ByteCodeParser::toInt32):
        (JSC::DFG::ByteCodeParser::addVarArgChild):
        (JSC::DFG::ByteCodeParser::processPhiStack):
        * dfg/DFGCommon.h:
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (DFG):
        * dfg/DFGGraph.h:
        (Graph):
        (JSC::DFG::Graph::operator[]):
        (JSC::DFG::Graph::at):
        (JSC::DFG::Graph::ref):
        (JSC::DFG::Graph::deref):
        (JSC::DFG::Graph::clearAndDerefChild1):
        (JSC::DFG::Graph::clearAndDerefChild2):
        (JSC::DFG::Graph::clearAndDerefChild3):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::getPrediction):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::Node):
        (JSC::DFG::Node::child1):
        (JSC::DFG::Node::child1Unchecked):
        (JSC::DFG::Node::child2):
        (JSC::DFG::Node::child3):
        (JSC::DFG::Node::firstChild):
        (JSC::DFG::Node::numChildren):
        (JSC::DFG::Node::dumpChildren):
        (Node):
        * dfg/DFGNodeReferenceBlob.h: Added.
        (DFG):
        (NodeReferenceBlob):
        (JSC::DFG::NodeReferenceBlob::NodeReferenceBlob):
        (JSC::DFG::NodeReferenceBlob::child):
        (JSC::DFG::NodeReferenceBlob::child1):
        (JSC::DFG::NodeReferenceBlob::child2):
        (JSC::DFG::NodeReferenceBlob::child3):
        (JSC::DFG::NodeReferenceBlob::child1Unchecked):
        (JSC::DFG::NodeReferenceBlob::initialize):
        (JSC::DFG::NodeReferenceBlob::firstChild):
        (JSC::DFG::NodeReferenceBlob::setFirstChild):
        (JSC::DFG::NodeReferenceBlob::numChildren):
        (JSC::DFG::NodeReferenceBlob::setNumChildren):
        * dfg/DFGNodeUse.h: Added.
        (DFG):
        (NodeUse):
        (JSC::DFG::NodeUse::NodeUse):
        (JSC::DFG::NodeUse::indexUnchecked):
        (JSC::DFG::NodeUse::index):
        (JSC::DFG::NodeUse::setIndex):
        (JSC::DFG::NodeUse::useKind):
        (JSC::DFG::NodeUse::setUseKind):
        (JSC::DFG::NodeUse::isSet):
        (JSC::DFG::NodeUse::operator!):
        (JSC::DFG::NodeUse::operator==):
        (JSC::DFG::NodeUse::operator!=):
        (JSC::DFG::NodeUse::shift):
        (JSC::DFG::NodeUse::makeWord):
        (JSC::DFG::operator==):
        (JSC::DFG::operator!=):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateArithNodeFlags):
        (JSC::DFG::Propagator::vote):
        (JSC::DFG::Propagator::toDouble):
        (JSC::DFG::Propagator::fixupNode):
        (JSC::DFG::Propagator::canonicalize):
        (JSC::DFG::Propagator::startIndex):
        (JSC::DFG::Propagator::globalVarLoadElimination):
        (JSC::DFG::Propagator::getByValLoadElimination):
        (JSC::DFG::Propagator::getByOffsetLoadElimination):
        (JSC::DFG::Propagator::performSubstitution):
        (JSC::DFG::Propagator::performNodeCSE):
        * dfg/DFGScoreBoard.h:
        (JSC::DFG::ScoreBoard::use):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::useChildren):
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeStrictEq):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
        (JSC::DFG::SpeculativeJIT::compileMovHint):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        (JSC::DFG::SpeculativeJIT::compilePutByValForByteArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compileSoftModulo):
        (JSC::DFG::SpeculativeJIT::compileAdd):
        (JSC::DFG::SpeculativeJIT::compileArithSub):
        (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::at):
        (JSC::DFG::SpeculativeJIT::canReuse):
        (JSC::DFG::SpeculativeJIT::use):
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::detectPeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::speculationCheck):
        (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
        (JSC::DFG::IntegerOperand::IntegerOperand):
        (JSC::DFG::DoubleOperand::DoubleOperand):
        (JSC::DFG::JSValueOperand::JSValueOperand):
        (JSC::DFG::StorageOperand::StorageOperand):
        (JSC::DFG::SpeculateIntegerOperand::SpeculateIntegerOperand):
        (JSC::DFG::SpeculateStrictInt32Operand::SpeculateStrictInt32Operand):
        (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
        (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand):
        (JSC::DFG::SpeculateBooleanOperand::SpeculateBooleanOperand):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToNumber):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToInt32):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compileValueAdd):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToNumber):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToInt32):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileValueAdd):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):

2012-02-05  Gyuyoung Kim  <gyuyoung.kim@samsung.com>

        [CMAKE] Support javascriptcore test for EFL port. 
        https://bugs.webkit.org/show_bug.cgi?id=77425

        Reviewed by Daniel Bates.

        Efl and WinCE as well as Blackberry port are now using Cmake as its build system
        and they are share the make file to create jsc excutable. In order to run
        "run-javascriptcore-tests", EFL port needs to change jsc installation configuration
        with executable output directory(e.g. Programs). So, this patch change jsc installation
        configuration only for EFL port.

        * shell/CMakeLists.txt:

2012-02-04  Gavin Barraclough  <barraclough@apple.com>

        Rubber stamped by Sam Weinig.

        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::quantifyAtom):
            - Fix comment.

2012-02-04  Kalev Lember  <kalevlember@gmail.com>

        [GTK] CurrentTime: Reorder headers for win32
        https://bugs.webkit.org/show_bug.cgi?id=77808

        Reviewed by Martin Robinson.

        In GTK+ win32 port, monotonicallyIncreasingTime() implementation is
        based on g_get_monotonic_time(). Reorder headers to make sure glib.h
        gets included even when the platform is win32.

        CurrentTime.cpp: In function 'double WTF::monotonicallyIncreasingTime()':
        CurrentTime.cpp:321:53: error: 'g_get_monotonic_time' was not declared in this scope
        CurrentTime.cpp:322:1: warning: control reaches end of non-void function [-Wreturn-type]

        * wtf/CurrentTime.cpp:

2012-02-03  Anders Carlsson  <andersca@apple.com>

        Prefix the typedef in WTF_MAKE_FAST_ALLOCATED with underscores
        https://bugs.webkit.org/show_bug.cgi?id=77788

        Reviewed by Andreas Kling.

        The current typedef name, 'ThisIsHereToForceASemicolonAfterThisMacro', shows up when trying to 
        code-complete 'this' in Xcode. Prefix the typedef with two underscores to stop this from happening.

        * wtf/FastAllocBase.h:

2012-02-03  Rob Buis  <rbuis@rim.com>

        Fix alignment warnings in ARMv7
        https://bugs.webkit.org/show_bug.cgi?id=55368

        Reviewed by Filip Pizlo.

        Use reinterpret_cast_ptr and static_cast to get rid of alignment issues in ARMv7 code.

        * heap/HandleTypes.h:
        (JSC::HandleTypes::getFromSlot):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::specializedSweep):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::forEachCell):
        * runtime/WriteBarrier.h:
        (JSC::WriteBarrierBase::get):
        (JSC::WriteBarrierBase::unvalidatedGet):

2012-02-03  Mark Hahnenberg  <mhahnenberg@apple.com>

        Build fix

        Unreviewed build fix

        Forgot to add a couple files.

        * heap/MarkedAllocator.cpp: Added.
        (JSC):
        (JSC::MarkedAllocator::tryAllocateHelper):
        (JSC::MarkedAllocator::tryAllocate):
        (JSC::MarkedAllocator::allocateSlowCase):
        (JSC::MarkedAllocator::allocateBlock):
        (JSC::MarkedAllocator::addBlock):
        (JSC::MarkedAllocator::removeBlock):
        * heap/MarkedAllocator.h: Added.
        (JSC):
        (DFG):
        (MarkedAllocator):
        (JSC::MarkedAllocator::cellSize):
        (JSC::MarkedAllocator::heap):
        (JSC::MarkedAllocator::setHeap):
        (JSC::MarkedAllocator::setCellSize):
        (JSC::MarkedAllocator::setMarkedSpace):
        (JSC::MarkedAllocator::MarkedAllocator):
        (JSC::MarkedAllocator::allocate):
        (JSC::MarkedAllocator::reset):
        (JSC::MarkedAllocator::zapFreeList):
        (JSC::MarkedAllocator::forEachBlock):

2012-02-03  Mark Hahnenberg  <mhahnenberg@apple.com>

        Refactor MarkedBlock::SizeClass into a separate class
        https://bugs.webkit.org/show_bug.cgi?id=77600

        Reviewed by Geoffrey Garen.

        We pulled SizeClass out into its own class, named MarkedAllocator, and gave it
        the responsibility of allocating objects from the collection of MarkedBlocks 
        that it manages. Also limited the amount of coupling to internal data fields 
        from other places, although it's mostly unavoidable in the JIT code.

        Eventually MarkedAllocator will implement various policies to do with object 
        management, e.g. whether or not to run destructors on objects that it manages.
        MarkedSpace will manage a collection of MarkedAllocators with varying policies,
        as it does now but to a larger extent. 

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::emitAllocateJSFinalObject):
        * heap/Heap.cpp:
        (JSC::Heap::collect):
        (JSC::Heap::resetAllocators):
        * heap/Heap.h:
        (JSC::Heap::allocatorForObject):
        (Heap):
        * heap/MarkedAllocator.cpp: Added.
        (JSC):
        (JSC::MarkedAllocator::tryAllocateHelper):
        (JSC::MarkedAllocator::tryAllocate):
        (JSC::MarkedAllocator::allocateSlowCase):
        (JSC::MarkedAllocator::allocateBlock):
        (JSC::MarkedAllocator::addBlock):
        (JSC::MarkedAllocator::removeBlock):
        * heap/MarkedAllocator.h: Added.
        (JSC):
        (DFG):
        (MarkedAllocator):
        (JSC::MarkedAllocator::cellSize):
        (JSC::MarkedAllocator::heap):
        (JSC::MarkedAllocator::setHeap):
        (JSC::MarkedAllocator::setCellSize):
        (JSC::MarkedAllocator::setMarkedSpace):
        (JSC::MarkedAllocator::MarkedAllocator):
        (JSC::MarkedAllocator::allocate):
        (JSC::MarkedAllocator::reset):
        (JSC::MarkedAllocator::zapFreeList):
        (JSC::MarkedAllocator::forEachBlock):
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::MarkedSpace):
        (JSC::MarkedSpace::resetAllocators):
        (JSC::MarkedSpace::canonicalizeCellLivenessData):
        (JSC::TakeIfUnmarked::operator()):
        * heap/MarkedSpace.h:
        (MarkedSpace):
        (JSC::MarkedSpace::allocatorFor):
        (JSC::MarkedSpace::allocate):
        (JSC::MarkedSpace::forEachBlock):
        (JSC::MarkedSpace::didAddBlock):
        (JSC::MarkedSpace::didConsumeFreeList):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitAllocateBasicJSObject):

2012-02-03  Simon Hausmann  <simon.hausmann@nokia.com>

        [Qt] Replace GNU linker script for exports with export macros in WTF/JSC
        https://bugs.webkit.org/show_bug.cgi?id=77723

        Reviewed by Tor Arne Vestbø.

        * wtf/Platform.h: Enable use of export macros.

2012-02-02  Hajime Morrita  <morrita@chromium.org>

        Unreviewed, removing an unnecessarily JS_PRIVATE_EXPORT annotation.

        * interpreter/Interpreter.h:
        (Interpreter):

2012-01-31  Hajime Morrita  <morrita@chromium.org>

        [Mac] eliminate JavaScriptCore.exp
        https://bugs.webkit.org/show_bug.cgi?id=72854

        Reviewed by Darin Adler.

        - Removed exp files and corresponding makefile entries.
        - Changed the build configuration no to use exp file.

        * Configurations/JavaScriptCore.xcconfig:
        * DerivedSources.make:
        * JavaScriptCore.JSVALUE32_64only.exp: Removed.
        * JavaScriptCore.JSVALUE64only.exp: Removed.
        * JavaScriptCore.exp: Removed.
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * wtf/Platform.h:

2012-02-02  Benjamin Poulain  <bpoulain@apple.com>

        Running a Web Worker on about:blank crashes the interpreter
        https://bugs.webkit.org/show_bug.cgi?id=77593

        Reviewed by Michael Saboff.

        The method Interpreter::execute() was crashing on empty programs because
        the assumption is made the source is not null.

        This patch shortcut the execution when the String is null to avoid invalid
        memory access.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):

2012-02-02  Kalev Lember  <kalevlember@gmail.com>

        [GTK] Use win32 native threading
        https://bugs.webkit.org/show_bug.cgi?id=77676

        Reviewed by Martin Robinson.

        r97269 switched from glib threading to pthreads, breaking win32 GTK+.
        This is a follow up, removing some leftovers in ThreadSpecific.h and
        switching win32 to use the native threading in ThreadingWin.cpp.

        * GNUmakefile.list.am: Compile in win32 native threading support
        * wtf/ThreadSpecific.h: Remove GTK+-specific definitions
        (ThreadSpecific):
        (WTF::::destroy):

2012-02-02  Filip Pizlo  <fpizlo@apple.com>

        retrieveCallerFromVMCode should call trueCallerFrame
        https://bugs.webkit.org/show_bug.cgi?id=77684

        Reviewed by Oliver Hunt.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::retrieveCallerFromVMCode):

2012-02-02  Kalev Lember  <kalevlember@gmail.com>

        [GTK] Implement current executable path finding for win32
        https://bugs.webkit.org/show_bug.cgi?id=77677

        Reviewed by Martin Robinson.

        The WTF helper for getting the binary path that was added in r101710
        left out the win32 implementation. Fix this.

        * wtf/gobject/GlibUtilities.cpp:
        (getCurrentExecutablePath):

2012-02-02  Filip Pizlo  <fpizlo@apple.com>

        Throwing away bytecode and then reparsing during DFG optimization is just
        plain wrong and makes things crash
        https://bugs.webkit.org/show_bug.cgi?id=77680
        <rdar://problem/10798490>

        Reviewed by Oliver Hunt.

        This is the minimal surgical fix: it removes the code that triggered bytecode
        throw-away. Once we're confident that this is a good idea, we can kill all of
        the code that implements the feature.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::discardBytecodeLater):
        (JSC::CodeBlock::addValueProfile):
        * jit/JITDriver.h:
        (JSC::jitCompileIfAppropriate):
        (JSC::jitCompileFunctionIfAppropriate):

2012-02-02  Filip Pizlo  <fpizlo@apple.com>

        Release build debugging should be easier
        https://bugs.webkit.org/show_bug.cgi?id=77669

        Reviewed by Gavin Barraclough.

        * assembler/ARMAssembler.h:
        (ARMAssembler):
        (JSC::ARMAssembler::debugOffset):
        * assembler/ARMv7Assembler.h:
        (ARMv7Assembler):
        (JSC::ARMv7Assembler::debugOffset):
        (ARMInstructionFormatter):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::debugOffset):
        * assembler/AbstractMacroAssembler.h:
        (AbstractMacroAssembler):
        (JSC::AbstractMacroAssembler::debugOffset):
        * assembler/AssemblerBuffer.h:
        (AssemblerBuffer):
        (JSC::AssemblerBuffer::debugOffset):
        * assembler/LinkBuffer.h:
        (LinkBuffer):
        (JSC::LinkBuffer::debugSize):
        * assembler/MIPSAssembler.h:
        (MIPSAssembler):
        (JSC::MIPSAssembler::debugOffset):
        * assembler/X86Assembler.h:
        (X86Assembler):
        (JSC::X86Assembler::debugOffset):
        (X86InstructionFormatter):
        (JSC::X86Assembler::X86InstructionFormatter::debugOffset):
        * bytecode/CodeBlock.cpp:
        (JSC):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        * bytecode/CodeOrigin.h:
        (CodeOrigin):
        (JSC):
        (JSC::CodeOrigin::inlineStack):
        * bytecode/DFGExitProfile.h:
        (JSC::DFG::exitKindToString):
        * bytecode/DataFormat.h:
        (JSC::dataFormatToString):
        * bytecode/PredictedType.cpp:
        (JSC):
        (JSC::predictionToString):
        * bytecode/PredictedType.h:
        (JSC):
        * bytecode/ValueRecovery.h:
        (ValueRecovery):
        (JSC::ValueRecovery::dump):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC):
        (JSC::BytecodeGenerator::setDumpsGeneratedCode):
        (JSC::BytecodeGenerator::dumpsGeneratedCode):
        (JSC::BytecodeGenerator::generate):
        * dfg/DFGAbstractValue.h:
        (StructureAbstractValue):
        (JSC::DFG::StructureAbstractValue::dump):
        (AbstractValue):
        (JSC::DFG::AbstractValue::dump):
        * dfg/DFGAssemblyHelpers.h:
        (DFG):
        (AssemblyHelpers):
        (JSC::DFG::AssemblyHelpers::debugCall):
        * dfg/DFGFPRInfo.h:
        (FPRInfo):
        (JSC::DFG::FPRInfo::debugName):
        * dfg/DFGGPRInfo.h:
        (GPRInfo):
        (JSC::DFG::GPRInfo::debugName):
        * dfg/DFGGraph.cpp:
        (DFG):
        * dfg/DFGGraph.h:
        (Graph):
        * dfg/DFGNode.h:
        (DFG):
        (JSC::DFG::arithNodeFlagsAsString):
        (Node):
        (JSC::DFG::Node::hasIdentifier):
        (JSC::DFG::Node::dumpChildren):
        * dfg/DFGOSRExit.cpp:
        (DFG):
        (JSC::DFG::OSRExit::dump):
        * dfg/DFGOSRExit.h:
        (OSRExit):
        * runtime/JSValue.cpp:
        (JSC):
        (JSC::JSValue::description):
        * runtime/JSValue.h:
        (JSValue):
        * wtf/BitVector.cpp:
        (WTF):
        (WTF::BitVector::dump):
        * wtf/BitVector.h:
        (BitVector):

2012-02-02  Oliver Hunt  <oliver@apple.com>

        Getters and setters cause line numbers in errors/console.log to be offset for the whole file
        https://bugs.webkit.org/show_bug.cgi?id=77675

        Reviewed by Timothy Hatcher.

        Our default literal parsing logic doesn't handle the extra work required for
        getters and setters.  When it encounters one, it rolls back the lexer and 
        then switches to a more complete parsing function.  Unfortunately it was only
        winding back the character position, and was ignoring the line number and
        other lexer data.  This led to every getter and setter causing the line number
        to be incorrectly incremented leading to increasingly incorrect numbers for
        the rest of the file.

        * parser/Parser.cpp:
        (JSC::::parseObjectLiteral):

2012-02-02  Andy Wingo  <wingo@igalia.com>

        Fix type punning warning in HashTable.h debug builds
        https://bugs.webkit.org/show_bug.cgi?id=77422

        Reviewed by Gavin Barraclough.

        * wtf/HashTable.h (WTF::HashTable::checkKey): Fix type punning
        warning appearing in debug builds with gcc-4.6.2 on GNU/Linux.

2012-02-01  Michael Saboff  <msaboff@apple.com>

        Yarr crash with regexp replace
        https://bugs.webkit.org/show_bug.cgi?id=67454

        Reviewed by Gavin Barraclough.

        Properly handle the case of a back reference to an unmatched
        subpattern by always matching without consuming any characters.

        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::Interpreter::matchBackReference):
        (JSC::Yarr::Interpreter::backtrackBackReference):

2012-02-01  Gavin Barraclough  <barraclough@apple.com>

        calling function on catch block scope containing an eval result in wrong this value being passed
        https://bugs.webkit.org/show_bug.cgi?id=77581

        Reviewed by Oliver Hunt.

        javascript:function F(){ return 'F' in this; }; try { throw F; } catch (e) { eval(""); alert(e()); }

        * bytecompiler/NodesCodegen.cpp:
        (JSC::TryNode::emitBytecode):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createTryStatement):
        * parser/NodeConstructors.h:
        (JSC::TryNode::TryNode):
        * parser/Nodes.h:
        (TryNode):
        * parser/Parser.cpp:
        (JSC::::parseTryStatement):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createTryStatement):
        * runtime/JSObject.h:
        (JSObject):
        (JSC::JSObject::isStaticScopeObject):
        (JSC):

2012-02-01  Oliver Hunt  <oliver@apple.com>

        Add support for inferred function names
        https://bugs.webkit.org/show_bug.cgi?id=77579

        Reviewed by Gavin Barraclough.

        Add new "inferred" names to function expressions, getters, and setters.
        This property is not exposed to JS, so is only visible in the debugger
        and profiler.

        * JavaScriptCore.exp:
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::makeFunction):
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::calculatedFunctionName):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createAssignResolve):
        (JSC::ASTBuilder::createGetterOrSetterProperty):
        (JSC::ASTBuilder::createProperty):
        (JSC::ASTBuilder::makeAssignNode):
        * parser/Nodes.h:
        (JSC::FunctionBodyNode::setInferredName):
        (JSC::FunctionBodyNode::inferredName):
        (FunctionBodyNode):
        * profiler/Profiler.cpp:
        (JSC):
        (JSC::Profiler::createCallIdentifier):
        (JSC::createCallIdentifierFromFunctionImp):
        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::FunctionExecutable):
        (JSC::FunctionExecutable::fromGlobalCode):
        * runtime/Executable.h:
        (JSC::FunctionExecutable::create):
        (JSC::FunctionExecutable::inferredName):
        (FunctionExecutable):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::calculatedDisplayName):
        (JSC):
        (JSC::getCalculatedDisplayName):
        * runtime/JSFunction.h:
        (JSC):

2012-02-01  Filip Pizlo  <fpizlo@apple.com>

        DFG should fold double-to-int conversions
        https://bugs.webkit.org/show_bug.cgi?id=77532

        Reviewed by Oliver Hunt.
        
        Performance neutral on major benchmarks. But it makes calling V8's
        Math.random() 4x faster.

        * bytecode/CodeBlock.cpp:
        (JSC):
        (JSC::CodeBlock::addOrFindConstant):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addConstant):
        (CodeBlock):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::toInt32):
        (ByteCodeParser):
        (JSC::DFG::ByteCodeParser::getJSConstantForValue):
        (JSC::DFG::ByteCodeParser::isInt32Constant):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::addShouldSpeculateInteger):
        (Graph):
        (JSC::DFG::Graph::addImmediateShouldSpeculateInteger):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::doRoundOfDoubleVoting):
        (JSC::DFG::Propagator::fixupNode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileAdd):
        (DFG):
        (JSC::DFG::SpeculativeJIT::compileArithSub):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::valueOfNumberConstantAsInt32):
        (SpeculativeJIT):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/JSValueInlineMethods.h:
        (JSC::JSValue::asDouble):

2012-02-01  Filip Pizlo  <fpizlo@apple.com>

        DFG graph dump for GetScopedVar should show the correct prediction
        https://bugs.webkit.org/show_bug.cgi?id=77530

        Reviewed by Geoff Garen.
        
        GetScopedVar has a heap prediction, not a variable prediction. But it does
        have a variable. Hence we need to check for heap predictions before checking
        for variable predictions.

        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):

2012-02-01  Mark Hahnenberg  <mhahnenberg@apple.com>

        Replace JSArray destructor with finalizer
        https://bugs.webkit.org/show_bug.cgi?id=77488

        Reviewed by Geoffrey Garen.

        * JavaScriptCore.exp:
        * runtime/JSArray.cpp:
        (JSC::JSArray::finalize): Added finalizer.
        (JSC::JSArray::allocateSparseMap): Factored out code for allocating new sparse maps.
        (JSC):
        (JSC::JSArray::deallocateSparseMap): Factored out code for deallocating sparse maps.
        (JSC::JSArray::enterDictionaryMode): Renamed enterSparseMode to enterDictionaryMode 
        because the old name was confusing because we could have a sparse array that never 
        called enterSparseMode.
        (JSC::JSArray::defineOwnNumericProperty):
        (JSC::JSArray::setLengthWritable):
        (JSC::JSArray::putByIndexBeyondVectorLength):
        (JSC::JSArray::setLength):
        (JSC::JSArray::pop):
        (JSC::JSArray::sort):
        (JSC::JSArray::compactForSorting):
        * runtime/JSArray.h:
        (JSArray):

2012-02-01  Andy Wingo  <wingo@igalia.com>

        Refactor identifier resolution in BytecodeGenerator
        https://bugs.webkit.org/show_bug.cgi?id=76285

        Reviewed by Geoffrey Garen.

        * bytecompiler/BytecodeGenerator.h:
        (JSC::ResolveResult): New class, to describe the storage
        location corresponding to an identifier in a program.
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::resolve): New function, replacing
        findScopedProperty.
        (JSC::BytecodeGenerator::resolveConstDecl): New function,
        encapsulating what ConstDeclNode::emitBytecode used to do.
        (JSC::BytecodeGenerator::emitGetStaticVar):
        (JSC::BytecodeGenerator::emitPutStaticVar): New functions,
        corresponding to the old emitGetScopedVar and emitPutScopedVar.
        (JSC::BytecodeGenerator::registerFor): Remove version that took an
        Identifier&; replaced by ResolveResult::local().
        (JSC::BytecodeGenerator::emitResolve):
        (JSC::BytecodeGenerator::emitResolveBase):
        (JSC::BytecodeGenerator::emitResolveBaseForPut):
        (JSC::BytecodeGenerator::emitResolveWithBase):
        (JSC::BytecodeGenerator::emitResolveWithThis): Change to accept a
        "resolveResult" argument.  This is more clear, and reduces the
        amount of double analysis happening at compile-time.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ResolveNode::emitBytecode):
        (JSC::EvalFunctionCallNode::emitBytecode):
        (JSC::FunctionCallResolveNode::emitBytecode):
        (JSC::PostfixResolveNode::emitBytecode):
        (JSC::DeleteResolveNode::emitBytecode):
        (JSC::TypeOfResolveNode::emitBytecode):
        (JSC::PrefixResolveNode::emitBytecode):
        (JSC::ReadModifyResolveNode::emitBytecode):
        (JSC::AssignResolveNode::emitBytecode):
        (JSC::ConstDeclNode::emitCodeSingle):
        (JSC::ForInNode::emitBytecode): Refactor to use the new
        ResolveResult structure.

2012-02-01  Csaba Osztrogonác  <ossy@webkit.org>

        Implement Error.stack
        https://bugs.webkit.org/show_bug.cgi?id=66994

        Unreviewed, rolling out r106407.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * interpreter/AbstractPC.cpp:
        (JSC::AbstractPC::AbstractPC):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::throwException):
        * interpreter/Interpreter.h:
        (JSC):
        (Interpreter):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        * parser/Parser.h:
        (JSC::::parse):
        * runtime/CommonIdentifiers.h:
        * runtime/Error.cpp:
        (JSC::addErrorInfo):
        * runtime/Error.h:
        (JSC):

2012-01-31  Hajime Morrita  <morrita@chromium.org>

        Add missing JS_PRIVATE_EXPORTs
        https://bugs.webkit.org/show_bug.cgi?id=77507

        Reviewed by Kevin Ollivier.

        * heap/MarkedSpace.h:
        (MarkedSpace):
        * interpreter/Interpreter.h:
        (Interpreter):
        * runtime/JSValue.h:
        (JSValue):
        * wtf/text/AtomicString.h:
        (WTF::AtomicString::add):
        * wtf/text/WTFString.h:
        (WTF):

2012-01-31  Geoffrey Garen  <ggaren@apple.com>

        Stop using -fomit-frame-pointer
        https://bugs.webkit.org/show_bug.cgi?id=77403

        Reviewed by Filip Pizlo.
        
        JavaScriptCore is too fast. I'm just the man to fix it.

        * Configurations/JavaScriptCore.xcconfig:

2012-01-31  Michael Saboff  <msaboff@apple.com>

        StringProtoFuncToUpperCase should call StringImpl::upper similar to StringProtoToLowerCase
        https://bugs.webkit.org/show_bug.cgi?id=76647

        Reviewed by Darin Adler.

        Changed stringProtoFuncToUpperCase to call StringImpl::upper() in a manor similar
        to stringProtoFuncToLowerCase().  Fixed StringImpl::upper() to handle to special
        cases.  One case is s-sharp (0xdf) which converts to "SS".  The other case is 
        for characters which become 16 bit values when converted to upper case.  For
        those, we up convert the the source string and use the 16 bit path.

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncToUpperCase):
        * wtf/text/StringImpl.cpp:
        (WTF::StringImpl::upper):
        * wtf/unicode/CharacterNames.h:
        (smallLetterSharpS): New constant

2012-01-31  Oliver Hunt  <oliver@apple.com>

        Remove unneeded sourceId property
        https://bugs.webkit.org/show_bug.cgi?id=77495

        Reviewed by Filip Pizlo.

        sourceId isn't used anymore, so we'll just remove it.

        * runtime/Error.cpp:
        (JSC):
        (JSC::addErrorInfo):
        (JSC::hasErrorInfo):

2012-01-31  Oliver Hunt  <oliver@apple.com>

        Implement Error.stack
        https://bugs.webkit.org/show_bug.cgi?id=66994

        Reviewed by Gavin Barraclough.

        Original patch by Juan Carlos Montemayor Elosua:
            This patch utilizes topCallFrame to create a stack trace when
            an error is thrown. Users will also be able to use the stack()
            command in jsc to get arrays with stack trace information.

        Modified to be correct on ToT, with a variety of correctness,
        performance, and security improvements.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * interpreter/Interpreter.cpp:
        (JSC::getCallerLine):
        (JSC::getSourceURLFromCallFrame):
        (JSC::getStackFrameCodeType):
        (JSC::Interpreter::getStackTrace):
        (JSC::Interpreter::throwException):
        * interpreter/Interpreter.h:
        (JSC::StackFrame::toString):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionJSCStack):
        * parser/Parser.h:
        (JSC::Parser::parse):
        * runtime/CommonIdentifiers.h:
        * runtime/Error.cpp:
        (JSC::addErrorInfo):
        * runtime/Error.h:

2012-01-31  Scott Graham  <scottmg@chromium.org>

        [Chromium] Remove references to gyp cygwin build target
        https://bugs.webkit.org/show_bug.cgi?id=77253

        Reviewed by Julien Chaffraix.

        Target dependency is no longer required, it's done earlier in the
        build process.

        * JavaScriptCore.gyp/JavaScriptCore.gyp:

2012-01-31  Michael Saboff  <msaboff@apple.com>

        ASSERT(m_jumpsToLink.isEmpty()) failing in ARMv7Assembler dtor
        https://bugs.webkit.org/show_bug.cgi?id=77443

        Reviewed by Gavin Barraclough.

        Removed failing ASSERT() and thus destructor.  The ASSERT isn't needed.
        We are hitting it in the YARR JIT case where we bail out and go to the
        interpreter with a partially JIT'ed function.  Since we haven't linked
        the JIT'ed code, there is likely to be some unresolved jumps in the vector
        when the ARMv7Assembler destructor is called.  For the case where we
        complete the JIT process, we clear the vector at the end of
        LinkBuffer::linkCode (LinkBuffer.h:292).

        * assembler/ARMv7Assembler.h:
        (ARMv7Assembler):

2012-01-31  Anders Carlsson  <andersca@apple.com>

        Vector<T>::operator== shouldn't require T to have operator!=
        https://bugs.webkit.org/show_bug.cgi?id=77448

        Reviewed by Andreas Kling.

        Change VectorComparer::compare to use !(a == b) instead of a != b since
        it makes more sense for Vector::operator== to use the element's operator==.

        * wtf/Vector.h:

2012-01-30  Oliver Hunt  <oliver@apple.com>

        get_by_val_arguments is broken in the interpreter
        https://bugs.webkit.org/show_bug.cgi?id=77389

        Reviewed by Gavin Barraclough.

        When get_by_val had wad a value profile added, the same slot was not added to
        get_by_val_arguments.  This broke the interpreter as the interpreter falls
        back on its regular get_by_val implementation.

        No tests are added as the interpreter is fairly broken in its
        current state (multiple tests fail due to this bug).

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
        * bytecode/Opcode.h:
        (JSC):
        ():
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitGetArgumentByVal):

2012-01-30  Oliver Hunt  <oliver@apple.com>

        Unexpected syntax error
        https://bugs.webkit.org/show_bug.cgi?id=77340

        Reviewed by Gavin Barraclough.

        Function calls and new expressions have the same semantics for
        assignment, so should simply share their lhs handling.

        * parser/Parser.cpp:
        (JSC::::parseMemberExpression):

2012-01-30  Gavin Barraclough  <barraclough@apple.com>

        Unreviewed ARMv7 build fix.

        * tools/CodeProfiling.cpp:
        (JSC):
        (JSC::setProfileTimer):
        (JSC::CodeProfiling::begin):
        (JSC::CodeProfiling::end):

2012-01-30  David Levin  <levin@chromium.org>

        Using OS(WIN) or OS(MAC) should cause a build error.
        https://bugs.webkit.org/show_bug.cgi?id=77162

        Reviewed by Darin Adler.

        * wtf/Platform.h: Expand them into something that will
         cause a compile error.

2012-01-30  Yong Li  <yoli@rim.com>

        [BlackBerry] OS(QNX) also has TM_GMTOFF, TM_ZONE, and TIMEGM
        https://bugs.webkit.org/show_bug.cgi?id=77360

        Reviewed by Rob Buis.

        Turn on HAVE(TM_GMTOFF), HAVE(TM_ZONE), and HAVE(TIMEGM)
        for OS(QNX).

        * wtf/Platform.h:

2012-01-30  Gavin Barraclough  <barraclough@apple.com>

        Speculative Windows build fix.

        * assembler/MacroAssemblerCodeRef.h:
        (FunctionPtr):

2012-01-30  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=77163
        MacroAssemblerCodeRef.h uses OS(WIN) instead of OS(WINDOWS)

        Rubber stamped by Geoff Garen

        * assembler/MacroAssemblerCodeRef.h:

2012-01-30  Gavin Barraclough  <barraclough@apple.com>

        Unreviewed build fix for interpreter builds.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * tools/CodeProfile.cpp:
        (JSC::CodeProfile::sample):

2012-01-30  Gavin Barraclough  <barraclough@apple.com>

        Unreviewed build fix following bug#76855

        * JavaScriptCore.exp:

2012-01-30  Michael Saboff  <msaboff@apple.com>

        CaseFoldingHash::hash() doesn't handle 8 bit strings directly
        https://bugs.webkit.org/show_bug.cgi?id=76652

        Reviewed by Andreas Kling.

        * wtf/text/StringHash.h:
        (WTF::CaseFoldingHash::hash): Added 8 bit string code path.

2012-01-30  Michael Saboff  <msaboff@apple.com>

        stringProtoFuncReplace converts 8 bit strings to 16 bit during replacement
        https://bugs.webkit.org/show_bug.cgi?id=76651

        Reviewed by Geoffrey Garen.

        Made local function substituteBackreferencesSlow a template function
        based on character width.  Cleaned up getCharacters() in both UString
        and StringImpl.  Changed getCharacters<UChar> to up convert an 8 bit
        string to 16 bits if necessary.

        * runtime/StringPrototype.cpp:
        (JSC::substituteBackreferencesSlow):
        (JSC::substituteBackreferences):
        * runtime/UString.h:
        (JSC::LChar):
        (JSC::UChar):
        * wtf/text/StringImpl.h:
        (WTF::UChar):

2012-01-30  Gavin Barraclough  <barraclough@apple.com>

        Clean up putDirect
        https://bugs.webkit.org/show_bug.cgi?id=76232

        Reviewed by Sam Weinig.

        Part 3 - merge op_put_getter & op_put_setter.

        Putting these separately is inefficient (and makes future optimiation,
        e.g. making GetterSetter immutable) harder. Change to emit a single
        op_put_getter_setter bytecode op. Ultimately we should probably be
        able to merge this with put direct, to create a common op to initialize
        object literal properties.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
        * bytecode/Opcode.h:
        (JSC):
        ():
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitPutGetterSetter):
        * bytecompiler/BytecodeGenerator.h:
        (BytecodeGenerator):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::PropertyListNode::emitBytecode):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        (JIT):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_put_getter_setter):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_put_getter_setter):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * jit/JITStubs.h:
        ():
        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectVirtual):
        (JSC::JSObject::putDirectAccessor):
        (JSC):
        (JSC::putDescriptor):
        (JSC::JSObject::defineOwnProperty):
        * runtime/JSObject.h:
        ():
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::putDirect):
        (JSC::JSObject::putDirectWithoutTransition):

2012-01-30  Michael Saboff  <msaboff@apple.com>

        Dromaeo tests call parseSimpleLengthValue() on 8 bit strings
        https://bugs.webkit.org/show_bug.cgi?id=76649

        Reviewed by Geoffrey Garen.

        * JavaScriptCore.exp: Added export for charactersToDouble.

2012-01-30  Michael Saboff  <msaboff@apple.com>

        WebCore decodeEscapeSequences unnecessarily converts 8 bit strings to 16 bit when decoding.
        https://bugs.webkit.org/show_bug.cgi?id=76648

        Reviewed by Geoffrey Garen.

        Added a new overloaded append member that takes a String& argument, an offest
        and a length to do direct sub string appending to a StringBuilder.

        * wtf/text/StringBuilder.h:
        (WTF::StringBuilder::append):

2012-01-29  Zoltan Herczeg  <zherczeg@webkit.org>

        Custom written CSS lexer
        https://bugs.webkit.org/show_bug.cgi?id=70107

        Reviewed by Antti Koivisto and Oliver Hunt.

        Add new helper functions for the custom written CSS lexer.

        * wtf/ASCIICType.h:
        (WTF::toASCIILowerUnchecked):
        (WTF):
        (WTF::isASCIIAlphaCaselessEqual):

2012-01-29  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION (r105576-r105582): Web Inspector Crash in JSC::JSValue::toString(JSC::ExecState*) const
        https://bugs.webkit.org/show_bug.cgi?id=77146
        <rdar://problem/10770586>

        Reviewed by Oliver Hunt.
        
        The old JIT expects that the result of the last operation is in the lastResultRegister.  The DFG JIT is
        designed to correctly track the lastResultRegister by looking at SetLocal nodes.  However, when the DFG
        JIT inlines a code block, it forgets that the inlined code block's result would have been placed in the
        lastResultRegister.  Hence if we OSR exit on the first node following the end of an inlined code block
        that had a return value, and that first node uses the return value, the old JIT will get massively
        confused.  This patch takes a surgical approach: instead of making the DFG smarter, it makes the old
        JIT slightly dumber.

        * jit/JITCall.cpp:
        (JSC::JIT::emit_op_call_put_result):

2012-01-29  Filip Pizlo  <fpizlo@apple.com>

        Build fix for Mac non-x64 platforms.

        * tools/CodeProfiling.cpp:
        (JSC):

2012-01-28  Gavin Barraclough  <barraclough@apple.com>

        Reserve 'let'
        https://bugs.webkit.org/show_bug.cgi?id=77293

        Rubber stamped by Oliver Hunt.

        'let' may become a keyword in ES6.  We're going to try experimentally reserving it,
        to see if this breaks the web.

        * parser/Keywords.table:

2012-01-27  Gavin Barraclough  <barraclough@apple.com>

        Implement a JIT-code aware sampling profiler for JSC
        https://bugs.webkit.org/show_bug.cgi?id=76855

        Reviewed by Oliver Hunt.

        To enable the profiler, set the JSC_CODE_PROFILING environment variable to
        1 (no tracing the C stack), 2 (trace one level of C code) or 3 (recursively
        trace all samples).

        The profiler requires -fomit-frame-pointer to be removed from the build flags.

        * JavaScriptCore.exp:
            - Removed an export.
        * JavaScriptCore.xcodeproj/project.pbxproj:
            - Added new files
        * bytecode/CodeBlock.cpp:
            - For baseline codeblocks, cache the result of canCompileWithDFG.
        * bytecode/CodeBlock.h:
            - For baseline codeblocks, cache the result of canCompileWithDFG.
        * jit/ExecutableAllocator.cpp:
        (JSC::ExecutableAllocator::initializeAllocator):
            - Notify the profiler when the allocator is created.
        (JSC::ExecutableAllocator::allocate):
            - Inform the allocated of the ownerUID.
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::ExecutableAllocator::initializeAllocator):
            - Notify the profiler when the allocator is created.
        (JSC::ExecutableAllocator::allocate):
            - Inform the allocated of the ownerUID.
        * jit/JITStubs.cpp:
            - If profiling, don't mask the return address in JIT code.
              (We do so to provide nicer backtraces in debug builds).
        * runtime/Completion.cpp:
        (JSC::evaluate):
            - Notify the profiler of script evaluations.
        * tools: Added.
        * tools/CodeProfile.cpp: Added.
        (JSC::symbolName):
            - Helper function to get the name of a symbol in the framework.
        (JSC::truncateTrace):
            - Helper to truncate traces into methods know to have uninformatively deep stacks.
        (JSC::CodeProfile::sample):
            - Record a stack trace classifying samples.
        (JSC::CodeProfile::report):
            - {Print profiler output.
        * tools/CodeProfile.h: Added.
            - new class, captures a set of samples associated with an evaluated script,
              and nested to record samples from subscripts.
        * tools/CodeProfiling.cpp: Added.
        (JSC::CodeProfiling::profilingTimer):
            - callback fired then a timer event occurs.
        (JSC::CodeProfiling::notifyAllocator):
            - called when the executable allocator is constructed.
        (JSC::CodeProfiling::getOwnerUIDForPC):
            - helper to lookup the codeblock from an address in JIT code
        (JSC::CodeProfiling::begin):
            - enter a profiling scope.
        (JSC::CodeProfiling::end):
            - exit a profiling scope.
        * tools/CodeProfiling.h: Added.
            - new class, instantialed from Completion to define a profiling scope.
        * tools/ProfileTreeNode.h: Added.
            - new class, used to construct a tree of samples.
        * tools/TieredMMapArray.h: Added.
            - new class, a malloc-free vector (can be used while the main thread is suspended,
              possibly holding the malloc heap lock).
        * wtf/MetaAllocator.cpp:
        (WTF::MetaAllocatorHandle::MetaAllocatorHandle):
        (WTF::MetaAllocator::allocate):
            - Allow allocation handles to track information about their owner.
        * wtf/MetaAllocator.h:
        (MetaAllocator):
            - Allow allocation handles to track information about their owner.
        * wtf/MetaAllocatorHandle.h:
        (MetaAllocatorHandle):
        (WTF::MetaAllocatorHandle::ownerUID):
            - Allow allocation handles to track information about their owner.
        * wtf/OSAllocator.h:
        (WTF::OSAllocator::reallocateCommitted):
            - reallocate an existing, committed memory allocation.

2012-01-28  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r106187.
        http://trac.webkit.org/changeset/106187
        https://bugs.webkit.org/show_bug.cgi?id=77276

        The last rollout was a false charge. (Requested by morrita on
        #webkit).

        * runtime/ExceptionHelpers.h:
        (InterruptedExecutionError):
        * runtime/JSBoundFunction.h:
        (JSBoundFunction):
        * runtime/RegExp.h:
        (RegExp):
        * runtime/RegExpMatchesArray.h:
        (RegExpMatchesArray):

2012-01-28  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r106151.
        http://trac.webkit.org/changeset/106151
        https://bugs.webkit.org/show_bug.cgi?id=77275

        may break windows build (Requested by morrita on #webkit).

        * runtime/ExceptionHelpers.h:
        (InterruptedExecutionError):
        * runtime/JSBoundFunction.h:
        (JSBoundFunction):
        * runtime/RegExp.h:
        (RegExp):
        * runtime/RegExpMatchesArray.h:
        (RegExpMatchesArray):

2012-01-28  Filip Pizlo  <fpizlo@apple.com>

        GC invoked while doing an old JIT property storage reallocation may lead
        to an object that refers to a dead structure
        https://bugs.webkit.org/show_bug.cgi?id=77273
        <rdar://problem/10770565>

        Reviewed by Gavin Barraclough.
        
        The put_by_id transition was already saving the old structure by virtue of
        having the object on the stack, so that wasn't going to get deleted. But the
        new structure was unprotected in the transition. I've now changed the
        transition code to save the new structure, ensuring that the GC will know it
        to be marked if invoked from within put_by_id_transition_realloc.

        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::privateCompilePutByIdTransition):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::privateCompilePutByIdTransition):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * jit/JITStubs.h:
        (JSC):
        ():

2012-01-27  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r106167.
        http://trac.webkit.org/changeset/106167
        https://bugs.webkit.org/show_bug.cgi?id=77264

        broke LayoutTests/fast/js/string-capitalization.html
        (Requested by msaboff on #webkit).

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncToLowerCase):
        (JSC::stringProtoFuncToUpperCase):
        * wtf/text/StringImpl.cpp:
        (WTF::StringImpl::upper):

2012-01-27  Filip Pizlo  <fpizlo@apple.com>

        Build fix for interpreter platforms.

        * interpreter/AbstractPC.cpp:
        (JSC::AbstractPC::AbstractPC):

2012-01-27  Michael Saboff  <msaboff@apple.com>

        StringProtoFuncToUpperCase should call StringImpl::upper similar to StringProtoToLowerCase
        https://bugs.webkit.org/show_bug.cgi?id=76647

        Reviewed by Geoffrey Garen.

        Changed stringProtoFuncToUpperCase to call StringImpl::upper() is a manor similar
        to stringProtoFuncToLowerCase().  Fixed StringImpl::upper() to handle the two
        8 bit characters that when converted to upper case become 16 bit characters.

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncToLowerCase): Removed extra trailing whitespace.
        (JSC::stringProtoFuncToUpperCase):
        * wtf/text/StringImpl.cpp:
        (WTF::StringImpl::upper):

2012-01-27  Hajime Morita  <morrita@google.com>

        [JSC] ThunkGenerators.cpp should hide its asm-defined symbols
        https://bugs.webkit.org/show_bug.cgi?id=77244

        Reviewed by Filip Pizlo.

        * jit/ThunkGenerators.cpp: Added HIDE_SYMBOLS()
        * wtf/InlineASM.h: Moved some duplicated macros from ThunkGenerators.cpp

2012-01-27  Simon Hausmann  <simon.hausmann@nokia.com>

        [JSC] Asm-originated symbols should be marked as hidden
        https://bugs.webkit.org/show_bug.cgi?id=77150

        Reviewed by Filip Pizlo.

        * dfg/DFGOperations.cpp: The HIDE_SYMBOLS macros were present in the CPU(ARM) preprocessor branches,
        but they were missing in the CPU(X86) and the CPU(X86_64) cases.

2012-01-27  MORITA Hajime  <morrita@google.com>

        [JSC] Some JS_EXPORTDATA may not be necessary.
        https://bugs.webkit.org/show_bug.cgi?id=77145

        Reviewed by Darin Adler.

        Removed JS_EXPORTDATA attributes whose attributing symbols are
        not exported on Mac port.
        
        * runtime/ExceptionHelpers.h:
        (InterruptedExecutionError):
        * runtime/JSBoundFunction.h:
        (JSBoundFunction):
        * runtime/RegExp.h:
        (RegExp):
        * runtime/RegExpMatchesArray.h:
        (RegExpMatchesArray):

2012-01-27  MORITA Hajime  <morrita@google.com>

        [WTF] WTFString.h has some extra JS_EXPORT_PRIVATEs
        https://bugs.webkit.org/show_bug.cgi?id=77113

        Reviewed by Darin Adler.

        * wtf/text/WTFString.h: Removed some WTF_EXPORT_PRIVATE attributes which we don't need to export.

2012-01-27  Zeno Albisser  <zeno@webkit.org>

        [Qt][Mac] Build fails after adding ICU support (r105997).
        https://bugs.webkit.org/show_bug.cgi?id=77118

        Use Apple code path for unicode date formats on mac.

        Reviewed by Tor Arne Vestbø.

        * runtime/DatePrototype.cpp:
        ():

2012-01-27  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GTK] Add a GKeyFile especialization to GOwnPtr
        https://bugs.webkit.org/show_bug.cgi?id=77191

        Reviewed by Martin Robinson.

        * wtf/gobject/GOwnPtr.cpp:
        (WTF::GKeyFile): Implement freeOwnedGPtr for GKeyFile.
        * wtf/gobject/GOwnPtr.h: Add GKeyFile template.
        * wtf/gobject/GTypedefs.h: Add forward declaration for GKeyFile.

2012-01-25  Yury Semikhatsky  <yurys@chromium.org>

        Web Inspector: should be possible to open function declaration from script popover
        https://bugs.webkit.org/show_bug.cgi?id=76913

        Added display function name and source location to the popover in scripts panel.
        Now when a function is hovered user can navigate to its definition.

        Reviewed by Pavel Feldman.

        * JavaScriptCore/JavaScriptCore.exp
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * runtime/JSFunction.h:
        (JSFunction):

2012-01-26  Kevin Ollivier  <kevino@theolliviers.com>

        [wx] Unreviewed. Build fix, wx uses the Mac ICU headers so we must match Mac behavior.
        
        * runtime/DatePrototype.cpp:
        ():

2012-01-26  Mark Hahnenberg  <mhahnenberg@apple.com>

        Merge AllocationSpace into MarkedSpace
        https://bugs.webkit.org/show_bug.cgi?id=77116

        Reviewed by Geoffrey Garen.

        Merging AllocationSpace and MarkedSpace in preparation for future refactoring/enhancement to 
        MarkedSpace allocation.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.exp:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * heap/AllocationSpace.cpp: Removed.
        * heap/AllocationSpace.h: Removed.
        * heap/BumpSpace.h:
        (BumpSpace):
        * heap/Heap.h:
        (JSC::Heap::objectSpace):
        (Heap):
        ():
        * heap/HeapBlock.h:
        ():
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::tryAllocateHelper):
        (JSC):
        (JSC::MarkedSpace::tryAllocate):
        (JSC::MarkedSpace::allocateSlowCase):
        (JSC::MarkedSpace::allocateBlock):
        (JSC::MarkedSpace::freeBlocks):
        (TakeIfUnmarked):
        (JSC::TakeIfUnmarked::TakeIfUnmarked):
        (JSC::TakeIfUnmarked::operator()):
        (JSC::TakeIfUnmarked::returnValue):
        (JSC::MarkedSpace::shrink):
        (GatherDirtyCells):
        (JSC::GatherDirtyCells::returnValue):
        (JSC::GatherDirtyCells::GatherDirtyCells):
        (JSC::GatherDirtyCells::operator()):
        (JSC::MarkedSpace::gatherDirtyCells):
        * heap/MarkedSpace.h:
        (MarkedSpace):
        (JSC::MarkedSpace::blocks):
        (JSC::MarkedSpace::forEachCell):
        (JSC):
        (JSC::MarkedSpace::allocate):

2012-01-26  Oliver Hunt  <oliver@apple.com>

        MSVC bug fix.
        <rdar://problem/10703671> MSVC generates bad code for enum compare.

        RS=Geoff

        Make bitfield large enough to work around MSVC's desire to make enums
        signed types.

        * bytecode/CallLinkInfo.h:
        (CallLinkInfo):

2012-01-26  Filip Pizlo  <fpizlo@apple.com>

        All DFG helpers that may call out to arbitrary JS code must know where they
        were called from due to inlining and call stack walking
        https://bugs.webkit.org/show_bug.cgi?id=77070
        <rdar://problem/10750834>

        Reviewed by Geoff Garen.
        
        Changed the DFG to always record a code origin index in the tag of the argument
        count (which we previously left blank for the benefit of LLInt, but is still
        otherwise unused by the DFG), so that if we ever need to walk the stack accurately
        we know where to start. In particular, if the current ExecState* points several
        semantic call frames away from the true semantic call frame because we had
        performed inlining, having the code origin index recorded means that we can reify
        those call frames as necessary to give runtime/library code an accurate view of
        the current JS state.
        
        This required several large but mechanical changes:
        
        - Calling a function from the DFG now plants a store32 instruction to store the
          code origin index. But the indices of code origins were previously picked by
          the DFG::JITCompiler after code generation completed. I changed this somewhat;
          even though the code origins are put into the CodeBlock after code gen, the
          code gen now knows a priori what their indices will be. Extensive assertions
          are in place to ensure that the two don't get out of sync, in the form of the
          DFG::CallBeginToken. Note that this mechanism has almost no effect on JS calls;
          those don't need the code origin index set in the call frame because we can get
          it by doing a binary search on the return PC.

        - Stack walking now always calls trueCallFrame() first before beginning the walk,
          since even the top call frame may be wrong. It still calls trueCallerFrame() as
          before to get to the next frame, though trueCallerFrame() is now mostly a
          wrapper around callerFrame()->trueCallFrame().
          
        - Because the mechanism for getting the code origin of a call frame is bimodal
          (either the call frame knows its code origin because the code origin index was
          set, or it's necessary to use the callee frame's return PC), I put in extra
          mechanisms to determine whether your caller, or your callee, corresponds to
          a call out of C++ code. Previously we just had the host call flag, but this is
          insufficient as it does not cover the case of someone calling JSC::call(). But
          luckily we can determine this just by looking at the return PC: if the return
          PC is in range of the ctiTrampiline, then two things are true: this call
          frame's PC will tell you nothing about where you came from in your caller, and
          the caller already knows where it's at because it must have set the code origin
          index (unless it's not DFG code, in which case we don't care because there is
          no inlining to worry about).
          
        - During testing this revealed a simple off-by-one goof in DFG::ByteCodeParser's
          inlining code, so I fixed it.

        - Finally because I was tired of doing random #if's for checking if I should be
          passing around an Instruction* or a ReturnAddressPtr, I created a class called
          AbstractPC that holds whatever notion of a PC is appropriate for the current
          execution environment. It's designed to work gracefully even if both the
          interpreter and the JIT are compiled in, and should integrate nicely with the
          LLInt.
          
        This is neutral on all benchmarks and fixes some nasty corner-case regressions of
        evil code that uses combinations of getters/setters and function.arguments.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::codeOrigin):
        (CodeBlock):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleInlining):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (CallBeginToken):
        (JSC::DFG::CallBeginToken::CallBeginToken):
        (JSC::DFG::CallBeginToken::assertCodeOriginIndex):
        (JSC::DFG::CallBeginToken::assertNoCodeOriginIndex):
        (DFG):
        (JSC::DFG::CallExceptionRecord::CallExceptionRecord):
        (CallExceptionRecord):
        (JSC::DFG::JITCompiler::JITCompiler):
        (JITCompiler):
        (JSC::DFG::JITCompiler::nextCallBeginToken):
        (JSC::DFG::JITCompiler::beginCall):
        (JSC::DFG::JITCompiler::notifyCall):
        (JSC::DFG::JITCompiler::addExceptionCheck):
        (JSC::DFG::JITCompiler::addFastExceptionCheck):
        * dfg/DFGOperations.cpp:
        ():
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryBuildGetByIDList):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheck):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * interpreter/AbstractPC.cpp: Added.
        (JSC):
        (JSC::AbstractPC::AbstractPC):
        * interpreter/AbstractPC.h: Added.
        (JSC):
        (AbstractPC):
        (JSC::AbstractPC::AbstractPC):
        (JSC::AbstractPC::hasJITReturnAddress):
        (JSC::AbstractPC::jitReturnAddress):
        (JSC::AbstractPC::hasInterpreterReturnAddress):
        (JSC::AbstractPC::interpreterReturnAddress):
        (JSC::AbstractPC::isSet):
        (JSC::AbstractPC::operator!):
        ():
        * interpreter/CallFrame.cpp:
        (JSC):
        (JSC::CallFrame::trueCallFrame):
        (JSC::CallFrame::trueCallerFrame):
        * interpreter/CallFrame.h:
        (JSC::ExecState::abstractReturnPC):
        (JSC::ExecState::codeOriginIndexForDFGWithInlining):
        (ExecState):
        (JSC::ExecState::trueCallFrame):
        (JSC::ExecState::trueCallFrameFromVMCode):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::retrieveArgumentsFromVMCode):
        (JSC::Interpreter::retrieveCallerFromVMCode):
        (JSC::Interpreter::findFunctionCallFrameFromVMCode):
        * interpreter/Interpreter.h:
        (Interpreter):
        ():
        * jit/JITStubs.cpp:
        (JSC):
        ():
        * jit/JITStubs.h:
        (JSC):
        (JSC::returnAddressIsInCtiTrampoline):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::argumentsGetter):
        (JSC::JSFunction::callerGetter):
        (JSC::JSFunction::getOwnPropertyDescriptor):

2012-01-26  Peter Varga  <pvarga@webkit.org>

        Fix build when VERBOSE_SPECULATION_FAILURE is enabled in DFG
        https://bugs.webkit.org/show_bug.cgi?id=77104

        Reviewed by Filip Pizlo.

        * dfg/DFGOperations.cpp:
        ():

2012-01-26  Michael Saboff  <msaboff@apple.com>

        String::latin1() should take advantage of 8 bit strings
        https://bugs.webkit.org/show_bug.cgi?id=76646

        Reviewed by Geoffrey Garen.

        * wtf/text/WTFString.cpp:
        (WTF::String::latin1): For 8 bit strings, use existing buffer
        without conversion.

2012-01-26  Michael Saboff  <msaboff@apple.com>

        Dromaeo tests usage of StringImpl find routines cause 8->16 bit conversions
        https://bugs.webkit.org/show_bug.cgi?id=76645

        Reviewed by Geoffrey Garen.

        * wtf/text/StringImpl.cpp:
        (WTF::equalIgnoringCase): New LChar version.
        (WTF::findInner): New helper function.
        (WTF::StringImpl::find): Added 8 bit path.
        (WTF::reverseFindInner): New helper funciton.
        (WTF::StringImpl::reverseFind): Added 8 bit path.
        (WTF::StringImpl::reverseFindIgnoringCase): Added 8 bit path.
        * wtf/text/StringImpl.h:
        (WTF):

2012-01-26  Csaba Osztrogonác  <ossy@webkit.org>

        [Qt][Win] One more speculative buildfix after r105970.

        * JavaScriptCore.pri:

2012-01-26  Csaba Osztrogonác  <ossy@webkit.org>

        [Qt][Win] Speculative buildfix after r105970.

        * JavaScriptCore.pri: Link lgdi for DeleteObject() and DeleteDC().

2012-01-26  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r105982.
        http://trac.webkit.org/changeset/105982
        https://bugs.webkit.org/show_bug.cgi?id=77090

        breaks the world (Requested by WildFox on #webkit).

        * wtf/MainThread.cpp:
        (WTF):
        * wtf/Platform.h:
        * wtf/mac/MainThreadMac.mm:
        (WTF):
        (WTF::registerGCThread):
        (WTF::isMainThreadOrGCThread):

2012-01-26  Roland Takacs  <takacs.roland@stud.u-szeged.hu>

        [Qt] GC should be parallel on Qt platform
        https://bugs.webkit.org/show_bug.cgi?id=73309

        Reviewed by Zoltan Herczeg.

        These changes made the parallel gc feature available for Qt port.
        The implementation of "registerGCThread" and "isMainThreadOrGCThread"
        is moved from MainThreadMac.mm to the common MainThread.cpp to make
        them available for other platforms.

        Measurement results:
        V8           speed-up:  1.071x as fast  [From: 746.1ms  To: 696.4ms ]
        WindScorpion speed-up:  1.082x as fast  [From: 3490.4ms To: 3226.7ms]
        V8 Splay     speed-up:  1.158x as fast  [From: 145.8ms  To: 125.9ms ]

        Tested on Intel(R) Core(TM) i5-2320 CPU @ 3.00GHz with 4-core.

        * wtf/MainThread.cpp:
        (WTF):
        (WTF::registerGCThread):
        (WTF::isMainThreadOrGCThread):
        * wtf/Platform.h:
        * wtf/mac/MainThreadMac.mm:

2012-01-26  Andy Estes  <aestes@apple.com>

        REGRESSION (r105555): Incorrect use of OS() macro breaks OwnPtr when used with Win32 data types
        https://bugs.webkit.org/show_bug.cgi?id=77073

        Reviewed by Ryosuke Niwa.
        
        r105555 changed PLATFORM(WIN) to OS(WIN), but WTF_OS_WIN isn't defined.
        This should have been changed to OS(WINDOWS). This causes the
        preprocessor to strip out Win32 data type overrides for deleteOwnedPtr,
        causing allocations made by Win32 to be deleted by fastmalloc.

        * wtf/OwnPtrCommon.h:
        (WTF): Use OS(WINDOWS) instead of OS(WIN).

2012-01-25  Mark Rowe  <mrowe@apple.com>

        Attempted Mac build fix after r105939.

        * runtime/DatePrototype.cpp: Don't #include unicode/udat.h on Mac or iOS.
        It isn't used on these platforms and isn't available in the ICU headers
        for Mac.

2012-01-25  Mark Rowe  <mrowe@apple.com>

        Build in to an alternate location when USE_STAGING_INSTALL_PATH is set.

        <rdar://problem/10609417> Adopt USE_STAGING_INSTALL_PATH

        Reviewed by David Kilzer.

        * Configurations/Base.xcconfig: Define NORMAL_JAVASCRIPTCORE_FRAMEWORKS_DIR, which contains
        the path where JavaScriptCore is normally installed. Update JAVASCRIPTCORE_FRAMEWORKS_DIR
        to point to the staged frameworks directory when USE_STAGING_INSTALL_PATH is set.
        * Configurations/JavaScriptCore.xcconfig: Always set the framework's install name based on
        the normal framework location. This prevents an incorrect install name from being used when
        installing in to the staged frameworks directory.

2012-01-25  Eli Fidler  <efidler@rim.com>

        Implement Date.toLocaleString() using ICU
        https://bugs.webkit.org/show_bug.cgi?id=76714

        Reviewed by Darin Adler.

        * runtime/DatePrototype.cpp:
        (JSC::formatLocaleDate):

2012-01-25  Hajime Morita  <morrita@google.com>

        ENABLE_SHADOW_DOM should be available via build-webkit --shadow-dom
        https://bugs.webkit.org/show_bug.cgi?id=76863

        Reviewed by Dimitri Glazkov.

        Added a feature flag.

        * Configurations/FeatureDefines.xcconfig:

2012-01-25  Yong Li  <yoli@rim.com>

        [BlackBerry] Implement OSAllocator::commit/decommit.
        BlackBerry port should support virtual memory decommiting.
        https://bugs.webkit.org/show_bug.cgi?id=77013

        Reviewed by Rob Buis.

        * wtf/OSAllocatorPosix.cpp:
        (WTF::OSAllocator::reserveUncommitted):
        (WTF::OSAllocator::commit):
        (WTF::OSAllocator::decommit):
        * wtf/Platform.h:

2012-01-24  Oliver Hunt  <oliver@apple.com>

        Make DFG update topCallFrame
        https://bugs.webkit.org/show_bug.cgi?id=76969

        Reviewed by Filip Pizlo.

        Add NativeCallFrameTracer to manage topCallFrame assignment
        in the DFG operations, and make use of it.

        * dfg/DFGOperations.cpp:
        (JSC::DFG::operationPutByValInternal):
        ():
        * interpreter/Interpreter.h:
        (JSC):
        (NativeCallFrameTracer):
        (JSC::NativeCallFrameTracer::NativeCallFrameTracer):

2012-01-24  Filip Pizlo  <fpizlo@apple.com>

        Inlining breaks call frame walking when the walking is done from outside the inlinee,
        but inside a code block that had inlining
        https://bugs.webkit.org/show_bug.cgi?id=76978
        <rdar://problem/10720904>

        Reviewed by Oliver Hunt.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::codeOriginForReturn):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::trueCallerFrame):

2012-01-24  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=76855
        Implement a JIT-code aware sampling profiler for JSC

        Reviewed by Oliver Hunt.

        Add support to MetaAllocator.cpp to track all live handles in a map,
        allowing lookup based on any address within the allocation.

        * wtf/MetaAllocator.cpp:
        (WTF::MetaAllocatorTracker::notify):
        (WTF::MetaAllocatorTracker::release):
            - Track live handle objects in a map.
        (WTF::MetaAllocator::release):
            - Removed support for handles with null m_allocator (no longer used).
            - Notify the tracker of handles being released.
        (WTF::MetaAllocatorHandle::~MetaAllocatorHandle):
            - Moved functionality out into MetaAllocator::release.
        (WTF::MetaAllocatorHandle::shrink):
            - Removed support for handles with null m_allocator (no longer used).
        (WTF::MetaAllocator::MetaAllocator):
            - Initialize m_tracker.
        (WTF::MetaAllocator::allocate):
            - Notify the tracker of new allocations.
        * wtf/MetaAllocator.h:
        (WTF::MetaAllocatorTracker::find):
            - Lookup a MetaAllocatorHandle based on an address inside the allocation.
        (WTF::MetaAllocator::trackAllocations):
            - Register a callback object to track allocation state.
        * wtf/MetaAllocatorHandle.h:
            - Remove unused createSelfManagedHandle/constructor.
        (WTF::MetaAllocatorHandle::key):
            - Added, for use in RedBlackTree.

2012-01-24  Mark Hahnenberg  <mhahnenberg@apple.com>

        Use copying collector for out-of-line JSObject property storage
        https://bugs.webkit.org/show_bug.cgi?id=76665

        Reviewed by Geoffrey Garen.

        * runtime/JSObject.cpp:
        (JSC::JSObject::visitChildren): Changed to use copyAndAppend whenever the property storage is out-of-line.
        Also added a temporary variable to avoid warnings from GCC.
        (JSC::JSObject::allocatePropertyStorage): Changed to use tryAllocateStorage/tryReallocateStorage as opposed to 
        operator new. Also added a temporary variable to avoid warnings from GCC.
        * runtime/JSObject.h:

2012-01-24  Geoffrey Garen  <ggaren@apple.com>

        JSValue::toString() should return a JSString* instead of a UString
        https://bugs.webkit.org/show_bug.cgi?id=76861

        Fixed two failing layout tests after my last patch.

        Reviewed by Gavin Barraclough.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncSort): Call value() after calling toString(), as
        in all other cases.
        
        I missed this case because the JSString* type has a valid operator<,
        so the compiler didn't complain.

2012-01-24  Kenichi Ishibashi  <bashi@chromium.org>

        [V8] Add Uint8ClampedArray support
        https://bugs.webkit.org/show_bug.cgi?id=76803

        Reviewed by Kenneth Russell.

        * wtf/ArrayBufferView.h:
        (WTF::ArrayBufferView::isUnsignedByteClampedArray): Added.
        * wtf/Uint8ClampedArray.h:
        (WTF::Uint8ClampedArray::isUnsignedByteClampedArray): Overridden to return true.

2012-01-23  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GTK] Add WebKitDownload to WebKit2 GTK+ API
        https://bugs.webkit.org/show_bug.cgi?id=72949

        Reviewed by Martin Robinson.

        * wtf/gobject/GOwnPtr.cpp:
        (WTF::GTimer): Use g_timer_destroy() to free a GTimer.
        * wtf/gobject/GOwnPtr.h: Add GTimer template.
        * wtf/gobject/GTypedefs.h: Add GTimer forward declaration.

2012-01-24  Ilya Tikhonovsky  <loislo@chromium.org>

        Unreviewed build fix for Qt LinuxSH4 build after r105698.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):

2012-01-23  Geoffrey Garen  <ggaren@apple.com>

        JSValue::toString() should return a JSString* instead of a UString
        https://bugs.webkit.org/show_bug.cgi?id=76861

        Reviewed by Gavin Barraclough.
        
        This makes the common case -- toString() on a string -- faster and
        inline-able. (Not a measureable speedup, but we can now remove a bunch
        of duplicate hand-rolled code for this optimization.)
        
        This also clarifies the boundary between "C++ strings" and "JS strings".
        
        In all cases other than true, false, null, undefined, and multi-digit
        numbers, the JS runtime was just retrieving a UString from a JSString,
        so returning a JSString* is strictly better. In the other cases, we can
        optimize to avoid creating a new JSString if we care to, but it doesn't
        seem to be a big deal.

        * JavaScriptCore.exp: Export!
        
        * jsc.cpp:
        (functionPrint):
        (functionDebug):
        (functionRun):
        (functionLoad):
        (functionCheckSyntax):
        (runWithScripts):
        (runInteractive):
        * API/JSValueRef.cpp:
        (JSValueToStringCopy):
        * bytecode/CodeBlock.cpp:
        (JSC::valueToSourceString): Call value() after calling toString(), to
        convert from "JS string" (JSString*) to "C++ string" (UString), since
        toString() no longer returns a "C++ string".

        * dfg/DFGOperations.cpp:
        (JSC::DFG::operationValueAddNotNumber):
        * jit/JITStubs.cpp:
        (op_add): Updated for removal of toPrimitiveString():
        all '+' operands can use toString(), except for object operands, which
        need to take a slow path to call toPrimitive().

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncToString):
        (JSC::arrayProtoFuncToLocaleString):
        (JSC::arrayProtoFuncJoin):
        (JSC::arrayProtoFuncPush):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::opIn):
        * runtime/DateConstructor.cpp:
        (JSC::dateParse):
        * runtime/DatePrototype.cpp:
        (JSC::formatLocaleDate): Call value() after calling toString(), as above.

        * runtime/ErrorInstance.h:
        (JSC::ErrorInstance::create): Simplified down to one canonical create()
        function, to make string handling easier.

        * runtime/ErrorPrototype.cpp:
        (JSC::errorProtoFuncToString):
        * runtime/ExceptionHelpers.cpp:
        (JSC::createInvalidParamError):
        (JSC::createNotAConstructorError):
        (JSC::createNotAFunctionError):
        (JSC::createNotAnObjectError):
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncBind):
        * runtime/JSArray.cpp:
        (JSC::JSArray::sort): Call value() after calling toString(), as above.

        * runtime/JSCell.cpp:
        * runtime/JSCell.h: Removed JSCell::toString() because JSValue does this
        job now. Doing it in JSCell is slower (requires extra type checking), and
        creates the misimpression that language-defined toString() behavior is
        an implementation detail of JSCell.
        
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::encode):
        (JSC::decode):
        (JSC::globalFuncEval):
        (JSC::globalFuncParseInt):
        (JSC::globalFuncParseFloat):
        (JSC::globalFuncEscape):
        (JSC::globalFuncUnescape): Call value() after calling toString(), as above.

        * runtime/JSONObject.cpp:
        (JSC::unwrapBoxedPrimitive):
        (JSC::Stringifier::Stringifier):
        (JSC::JSONProtoFuncParse): Removed some manual optimization that toString()
        takes care of.

        * runtime/JSObject.cpp:
        (JSC::JSObject::toString):
        * runtime/JSObject.h: Updated to return JSString*.

        * runtime/JSString.cpp:
        * runtime/JSString.h:
        (JSC::JSValue::toString): Removed, since I removed JSCell::toString().

        * runtime/JSValue.cpp:
        (JSC::JSValue::toStringSlowCase): Removed toPrimitiveString(), and re-
        spawned toStringSlowCase() from its zombie corpse, since toPrimitiveString()
        basically did what we want all the time. (Note that the toPrimitive()
        preference changes from NoPreference to PreferString, because that's
        how ToString is defined in the language. op_add does not want this behavior.)

        * runtime/NumberPrototype.cpp:
        (JSC::numberProtoFuncToString):
        (JSC::numberProtoFuncToLocaleString): A little simpler, now that toString()
        returns a JSString*.

        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetOwnPropertyDescriptor):
        (JSC::objectConstructorDefineProperty):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncHasOwnProperty):
        (JSC::objectProtoFuncDefineGetter):
        (JSC::objectProtoFuncDefineSetter):
        (JSC::objectProtoFuncLookupGetter):
        (JSC::objectProtoFuncLookupSetter):
        (JSC::objectProtoFuncPropertyIsEnumerable): More calls to value(), as above.

        * runtime/Operations.cpp:
        (JSC::jsAddSlowCase): Need to check for object before taking the toString()
        fast path becuase adding an object to a string requires calling toPrimitive()
        on the object, not toString(). (They differ in their preferred conversion
        type.)

        * runtime/Operations.h:
        (JSC::jsString):
        (JSC::jsStringFromArguments): This code gets simpler, now that toString()
        does the right thing.

        (JSC::jsAdd): Now checks for object, just like jsAddSlowCase().

        * runtime/RegExpConstructor.cpp:
        (JSC::setRegExpConstructorInput):
        (JSC::constructRegExp):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::match):
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncCompile):
        (JSC::regExpProtoFuncToString): More calls to value(), as above.

        * runtime/StringConstructor.cpp:
        (JSC::constructWithStringConstructor):
        (JSC::callStringConstructor): This code gets simpler, now that toString()
        does the right thing.

        * runtime/StringPrototype.cpp:
        (JSC::replaceUsingRegExpSearch):
        (JSC::replaceUsingStringSearch):
        (JSC::stringProtoFuncReplace):
        (JSC::stringProtoFuncCharAt):
        (JSC::stringProtoFuncCharCodeAt):
        (JSC::stringProtoFuncConcat):
        (JSC::stringProtoFuncIndexOf):
        (JSC::stringProtoFuncLastIndexOf):
        (JSC::stringProtoFuncMatch):
        (JSC::stringProtoFuncSearch):
        (JSC::stringProtoFuncSlice):
        (JSC::stringProtoFuncSplit):
        (JSC::stringProtoFuncSubstr):
        (JSC::stringProtoFuncSubstring):
        (JSC::stringProtoFuncToLowerCase):
        (JSC::stringProtoFuncToUpperCase):
        (JSC::stringProtoFuncLocaleCompare):
        (JSC::stringProtoFuncBig):
        (JSC::stringProtoFuncSmall):
        (JSC::stringProtoFuncBlink):
        (JSC::stringProtoFuncBold):
        (JSC::stringProtoFuncFixed):
        (JSC::stringProtoFuncItalics):
        (JSC::stringProtoFuncStrike):
        (JSC::stringProtoFuncSub):
        (JSC::stringProtoFuncSup):
        (JSC::stringProtoFuncFontcolor):
        (JSC::stringProtoFuncFontsize):
        (JSC::stringProtoFuncAnchor):
        (JSC::stringProtoFuncLink):
        (JSC::trimString): Some of this code gets simpler, now that toString()
        does the right thing. More calls to value(), as above.

2012-01-23  Luke Macpherson   <macpherson@chromium.org>

        Unreviewed, rolling out r105676.
        http://trac.webkit.org/changeset/105676
        https://bugs.webkit.org/show_bug.cgi?id=76665

        Breaks build on max due to compile warnings.

        * runtime/JSObject.cpp:
        (JSC::JSObject::finalize):
        (JSC::JSObject::visitChildren):
        (JSC::JSObject::allocatePropertyStorage):
        * runtime/JSObject.h:

2012-01-23  Mark Hahnenberg  <mhahnenberg@apple.com>

        Use copying collector for out-of-line JSObject property storage
        https://bugs.webkit.org/show_bug.cgi?id=76665

        Reviewed by Geoffrey Garen.

        * runtime/JSObject.cpp:
        (JSC::JSObject::visitChildren): Changed to use copyAndAppend whenever the property storage is out-of-line.
        (JSC::JSObject::allocatePropertyStorage): Changed to use tryAllocateStorage/tryReallocateStorage as opposed to 
        operator new.
        * runtime/JSObject.h:

2012-01-23  Brian Weinstein  <bweinstein@apple.com>

        More build fixing after r105646.

        * JavaScriptCore.exp:

2012-01-23  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=76855
        Implement a JIT-code aware sampling profiler for JSC

        Reviewed by Geoff Garen.

        Step 2: generalize RedBlackTree. The profiler is going to want tio use
        a RedBlackTree, allow this class to work with subclasses of
        RedBlackTree::Node, Node should not need to know the names of the m_key
        and m_value fields (the subclass can provide a key() accessor), and
        RedBlackTree does not need to know anything about ValueType.

        * JavaScriptCore.exp:
        * wtf/MetaAllocator.cpp:
        (WTF::MetaAllocator::findAndRemoveFreeSpace):
        (WTF::MetaAllocator::debugFreeSpaceSize):
        (WTF::MetaAllocator::addFreeSpace):
        * wtf/MetaAllocator.h:
        (WTF::MetaAllocator::FreeSpaceNode::FreeSpaceNode):
        (WTF::MetaAllocator::FreeSpaceNode::key):
        * wtf/MetaAllocatorHandle.h:
        (WTF::MetaAllocatorHandle::key):
        * wtf/RedBlackTree.h:
        (WTF::RedBlackTree::Node::successor):
        (WTF::RedBlackTree::Node::predecessor):
        (WTF::RedBlackTree::Node::parent):
        (WTF::RedBlackTree::Node::setParent):
        (WTF::RedBlackTree::Node::left):
        (WTF::RedBlackTree::Node::setLeft):
        (WTF::RedBlackTree::Node::right):
        (WTF::RedBlackTree::Node::setRight):
        (WTF::RedBlackTree::insert):
        (WTF::RedBlackTree::remove):
        (WTF::RedBlackTree::findExact):
        (WTF::RedBlackTree::findLeastGreaterThanOrEqual):
        (WTF::RedBlackTree::findGreatestLessThanOrEqual):
        (WTF::RedBlackTree::first):
        (WTF::RedBlackTree::last):
        (WTF::RedBlackTree::size):
        (WTF::RedBlackTree::treeMinimum):
        (WTF::RedBlackTree::treeMaximum):
        (WTF::RedBlackTree::treeInsert):
        (WTF::RedBlackTree::leftRotate):
        (WTF::RedBlackTree::rightRotate):
        (WTF::RedBlackTree::removeFixup):

2012-01-23  Andy Estes  <aestes@apple.com>

        Fix the build after r105635.

        * JavaScriptCore.exp:

2012-01-23  Mark Hahnenberg  <mhahnenberg@apple.com>

        Remove StackBounds from JSGlobalData
        https://bugs.webkit.org/show_bug.cgi?id=76310

        Reviewed by Sam Weinig.

        Removed StackBounds and the stack() function from JSGlobalData since it no 
        longer accessed any members of JSGlobalData.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::addCurrentThread):
        (JSC::MachineThreads::gatherFromCurrentThread):
        * parser/Parser.cpp:
        (JSC::::Parser):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:

2012-01-23  Gavin Barraclough  <barraclough@apple.com>

        Implement a JIT-code aware sampling profiler for JSC
        https://bugs.webkit.org/show_bug.cgi?id=76855

        Rubber stanmped by Geoff Garen.

        Mechanical change - pass CodeBlock through to the executable allocator,
        such that we will be able to map ranges of JIT code back to their owner.

        * assembler/ARMAssembler.cpp:
        (JSC::ARMAssembler::executableCopy):
        * assembler/ARMAssembler.h:
        * assembler/AssemblerBuffer.h:
        (JSC::AssemblerBuffer::executableCopy):
        * assembler/AssemblerBufferWithConstantPool.h:
        (JSC::AssemblerBufferWithConstantPool::executableCopy):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::LinkBuffer):
        (JSC::LinkBuffer::linkCode):
        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::executableCopy):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::executableCopy):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::executableCopy):
        (JSC::X86Assembler::X86InstructionFormatter::executableCopy):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::generateProtoChainAccessStub):
        (JSC::DFG::tryCacheGetByID):
        (JSC::DFG::tryBuildGetByIDList):
        (JSC::DFG::tryCachePutByID):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrExitGenerationThunkGenerator):
        * jit/ExecutableAllocator.cpp:
        (JSC::ExecutableAllocator::allocate):
        * jit/ExecutableAllocator.h:
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::ExecutableAllocator::allocate):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::privateCompileCTIMachineTrampolines):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTIMachineTrampolines):
        (JSC::JIT::privateCompileCTINativeCall):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::privateCompilePatchGetArrayLength):
        (JSC::JIT::privateCompileGetByIdProto):
        (JSC::JIT::privateCompileGetByIdSelfList):
        (JSC::JIT::privateCompileGetByIdProtoList):
        (JSC::JIT::privateCompileGetByIdChainList):
        (JSC::JIT::privateCompileGetByIdChain):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::privateCompilePatchGetArrayLength):
        (JSC::JIT::privateCompileGetByIdProto):
        (JSC::JIT::privateCompileGetByIdSelfList):
        (JSC::JIT::privateCompileGetByIdProtoList):
        (JSC::JIT::privateCompileGetByIdChainList):
        (JSC::JIT::privateCompileGetByIdChain):
        * jit/JITStubs.cpp:
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::finalize):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::compile):

2012-01-23  Xianzhu Wang  <wangxianzhu@chromium.org>

        Basic enhancements to StringBuilder
        https://bugs.webkit.org/show_bug.cgi?id=67081

        This change contains the following enhancements to StringBuilder,
        for convenience, performance, testability, etc.:
        - Change toStringPreserveCapacity() to const
        - new public methods: capacity(), swap(), toAtomicString(), canShrink()
          and append(const StringBuilder&)
        - == and != opearators to compare StringBuilders and a StringBuilder/String

        Unit tests: Tools/TestWebKitAPI/Tests/WTF/StringBuilder.cpp

        Reviewed by Darin Adler.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * wtf/text/AtomicString.cpp:
        (WTF::SubstringTranslator::hash):
        (WTF::SubstringTranslator::equal):
        (WTF::SubstringTranslator::translate):
        (WTF::AtomicString::add):
        (WTF::AtomicString::addSlowCase):
        * wtf/text/AtomicString.h:
        (WTF::AtomicString::AtomicString):
        (WTF::AtomicString::add):
        * wtf/text/StringBuilder.cpp:
        (WTF::StringBuilder::reifyString):
        (WTF::StringBuilder::resize):
        (WTF::StringBuilder::canShrink):
        (WTF::StringBuilder::shrinkToFit):
        * wtf/text/StringBuilder.h:
        (WTF::StringBuilder::append):
        (WTF::StringBuilder::toString):
        (WTF::StringBuilder::toStringPreserveCapacity):
        (WTF::StringBuilder::toAtomicString):
        (WTF::StringBuilder::isEmpty):
        (WTF::StringBuilder::capacity):
        (WTF::StringBuilder::is8Bit):
        (WTF::StringBuilder::swap):
        (WTF::equal):
        (WTF::operator==):
        (WTF::operator!=):
        * wtf/text/StringImpl.h:

2012-01-23  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix make distcheck.

        * GNUmakefile.list.am: Add missing files, remove deleted files and
        fix indentation.

2012-01-22  Filip Pizlo  <fpizlo@apple.com>

        Build fix for non-DFG platforms that error out on warn-unused-parameter.

        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFor):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFor):
        * bytecode/MethodCallLinkStatus.cpp:
        (JSC::MethodCallLinkStatus::computeFor):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):

2012-01-22  Filip Pizlo  <fpizlo@apple.com>

        Build fix for non-DFG platforms.

        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFor):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFor):
        * bytecode/MethodCallLinkStatus.cpp:
        (JSC::MethodCallLinkStatus::computeFor):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):

2012-01-20  Filip Pizlo  <fpizlo@apple.com>

        DFG should not have code that directly decodes the states of old JIT inline
        cache data structures
        https://bugs.webkit.org/show_bug.cgi?id=76768

        Reviewed by Sam Weinig.
        
        Introduced new classes (like GetByIdStatus) that encapsulate the set of things
        that the DFG would like to know about property accesses and calls. Whereas it
        previously got this information by directly decoding the data structures used
        by the old JIT for inline caching, it now uses these classes, which do the work
        for it. This should make it somewhat more straight forward to introduce new
        ways of profiling the same information.
        
        Also hoisted StructureSet into bytecode/ from dfg/, because it's now used by
        code in bytecode/.
        
        Making this work right involved carefully ensuring that the heuristics for
        choosing how to handle property accesses was at least as good as what we had
        before, since I completely restructured that code. Currently the performance
        looks neutral. Since I rewrote the code I did change some things that I never
        liked before, like previously if a put_bu_id had executed exactly once then
        we'd compile it as if it had taken slow-path. Executing once is special because
        then the inline cache is not baked in, so there is no information about how the
        DFG should optimize the code. Now this is rationalized: if the put_by_id does
        not offer enough information to be optimized (i.e. had executed 0 or 1 times)
        then we turn it into a forced OSR exit (i.e. a patch point). However, get_by_id
        still has the old behavior; I left it that way because I didn't want to make
        too many changes at once.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CallLinkStatus.cpp: Added.
        (JSC::CallLinkStatus::computeFor):
        * bytecode/CallLinkStatus.h: Added.
        (JSC::CallLinkStatus::CallLinkStatus):
        (JSC::CallLinkStatus::isSet):
        (JSC::CallLinkStatus::operator!):
        (JSC::CallLinkStatus::couldTakeSlowPath):
        (JSC::CallLinkStatus::callTarget):
        * bytecode/GetByIdStatus.cpp: Added.
        (JSC::GetByIdStatus::computeFor):
        * bytecode/GetByIdStatus.h: Added.
        (JSC::GetByIdStatus::GetByIdStatus):
        (JSC::GetByIdStatus::state):
        (JSC::GetByIdStatus::isSet):
        (JSC::GetByIdStatus::operator!):
        (JSC::GetByIdStatus::isSimpleDirect):
        (JSC::GetByIdStatus::takesSlowPath):
        (JSC::GetByIdStatus::makesCalls):
        (JSC::GetByIdStatus::structureSet):
        (JSC::GetByIdStatus::offset):
        * bytecode/MethodCallLinkStatus.cpp: Added.
        (JSC::MethodCallLinkStatus::computeFor):
        * bytecode/MethodCallLinkStatus.h: Added.
        (JSC::MethodCallLinkStatus::MethodCallLinkStatus):
        (JSC::MethodCallLinkStatus::isSet):
        (JSC::MethodCallLinkStatus::operator!):
        (JSC::MethodCallLinkStatus::needsPrototypeCheck):
        (JSC::MethodCallLinkStatus::structure):
        (JSC::MethodCallLinkStatus::prototypeStructure):
        (JSC::MethodCallLinkStatus::function):
        (JSC::MethodCallLinkStatus::prototype):
        * bytecode/PutByIdStatus.cpp: Added.
        (JSC::PutByIdStatus::computeFor):
        * bytecode/PutByIdStatus.h: Added.
        (JSC::PutByIdStatus::PutByIdStatus):
        (JSC::PutByIdStatus::state):
        (JSC::PutByIdStatus::isSet):
        (JSC::PutByIdStatus::operator!):
        (JSC::PutByIdStatus::isSimpleReplace):
        (JSC::PutByIdStatus::isSimpleTransition):
        (JSC::PutByIdStatus::takesSlowPath):
        (JSC::PutByIdStatus::oldStructure):
        (JSC::PutByIdStatus::newStructure):
        (JSC::PutByIdStatus::structureChain):
        (JSC::PutByIdStatus::offset):
        * bytecode/StructureSet.h: Added.
        (JSC::StructureSet::StructureSet):
        (JSC::StructureSet::clear):
        (JSC::StructureSet::add):
        (JSC::StructureSet::addAll):
        (JSC::StructureSet::remove):
        (JSC::StructureSet::contains):
        (JSC::StructureSet::isSubsetOf):
        (JSC::StructureSet::isSupersetOf):
        (JSC::StructureSet::size):
        (JSC::StructureSet::at):
        (JSC::StructureSet::operator[]):
        (JSC::StructureSet::last):
        (JSC::StructureSet::predictionFromStructures):
        (JSC::StructureSet::operator==):
        (JSC::StructureSet::dump):
        * dfg/DFGAbstractValue.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGStructureSet.h: Removed.

2012-01-20  Filip Pizlo  <fpizlo@apple.com>

        JIT compilation should not require ExecState
        https://bugs.webkit.org/show_bug.cgi?id=76729
        <rdar://problem/10731545>

        Reviewed by Gavin Barraclough.
        
        Changed the relevant JIT driver functions to take JSGlobalData& instead of
        ExecState*, since really they just needed the global data.

        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        (JSC::DFG::tryCompile):
        (JSC::DFG::tryCompileFunction):
        * dfg/DFGDriver.h:
        (JSC::DFG::tryCompile):
        (JSC::DFG::tryCompileFunction):
        * jit/JITDriver.h:
        (JSC::jitCompileIfAppropriate):
        (JSC::jitCompileFunctionIfAppropriate):
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::compileInternal):
        (JSC::ProgramExecutable::compileInternal):
        (JSC::FunctionExecutable::compileForCallInternal):
        (JSC::FunctionExecutable::compileForConstructInternal):

2012-01-20  David Levin  <levin@chromium.org>

        Make OwnPtr<HDC> work for the Chromium Windows port.
        https://bugs.webkit.org/show_bug.cgi?id=76738

        Reviewed by Jian Li.

        * JavaScriptCore.gyp/JavaScriptCore.gyp: Added OwnPtrWin.cpp to the
        Chromium Windows build.
        * wtf/OwnPtrCommon.h: Changed from platform WIN to OS WIN for
        OwnPtr<HDC> and similar constructs.

2012-01-19  Geoffrey Garen  <ggaren@apple.com>

        Removed some regexp entry boilerplate code
        https://bugs.webkit.org/show_bug.cgi?id=76687

        Reviewed by Darin Adler.
        
        1% - 2% speedup on regexp tests, no change overall.

        * runtime/RegExp.cpp:
        (JSC::RegExp::match):
            - ASSERT that our startIndex is non-negative, because anything less
            would be uncivilized.
            
            - ASSERT that our input is not the null string for the same reason.

            - No need to test for startOffset being past the end of the string,
            since the regular expression engine will do this test for us.

            - No need to initialize the output vector, since the regular expression
            engine will fill it in for us.

        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::Interpreter::interpret):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::compile):
        
            RegExp used to do these jobs for us, but now we do them for ourselves
            because it's a better separation of concerns, and the JIT can do them
            more efficiently than C++ code:

            - Test for "past the end" before doing any matching -- otherwise
            a* will match with zero length past the end of the string, which is wrong.

            - Initialize the output vector before doing any matching.

2012-01-20  Filip Pizlo  <fpizlo@apple.com>

        Build fix for no-DFG configuration.
        Needed for <rdar://problem/10727689>.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitProfiledOpcode):
        * jit/JIT.h:
        (JSC::JIT::emitValueProfilingSite):

2012-01-19  Filip Pizlo  <fpizlo@apple.com>

        Bytecode instructions that may have value profiling should have a direct inline
        link to the ValueProfile instance
        https://bugs.webkit.org/show_bug.cgi?id=76682
        <rdar://problem/10727689>

        Reviewed by Sam Weinig.
        
        Each opcode that gets value profiled now has a link to its ValueProfile. This
        required rationalizing the emission of value profiles for opcode combos, like
        op_method_check/op_get_by_id and op_call/op_call_put_result. It only makes
        sense for one of them to have a value profile link, and it makes most sense
        for it to be the one that actually sets the result. The previous behavior was
        to have op_method_check profile for op_get_by_id when they were used together,
        but otherwise for op_get_by_id to have its own profiles. op_call already did
        the right thing; all profiling was done by op_call_put_result.
        
        But rationalizing this code required breaking some of the natural boundaries
        that the code had; for instance the code in DFG that emits a GetById in place
        of both op_method_check and op_get_by_id must now know that it's the latter of
        those that has the value profile, while the first of those constitutes the OSR
        target. Hence each CodeOrigin must now have two bytecode indices - one for
        OSR exit and one for profiling.
        
        Finally this change required some refiddling of our optimization heuristics,
        because now all code blocks have "more instructions" due to the value profile
        slots.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printGetByIdOp):
        (JSC::CodeBlock::dump):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::valueProfileForBytecodeOffset):
        * bytecode/CodeOrigin.h:
        (JSC::CodeOrigin::CodeOrigin):
        (JSC::CodeOrigin::bytecodeIndexForValueProfile):
        * bytecode/Instruction.h:
        (JSC::Instruction::Instruction):
        * bytecode/Opcode.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitProfiledOpcode):
        (JSC::BytecodeGenerator::emitResolve):
        (JSC::BytecodeGenerator::emitGetScopedVar):
        (JSC::BytecodeGenerator::emitResolveBase):
        (JSC::BytecodeGenerator::emitResolveBaseForPut):
        (JSC::BytecodeGenerator::emitResolveWithBase):
        (JSC::BytecodeGenerator::emitResolveWithThis):
        (JSC::BytecodeGenerator::emitGetById):
        (JSC::BytecodeGenerator::emitGetByVal):
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitCallVarargs):
        (JSC::BytecodeGenerator::emitConstruct):
        * bytecompiler/BytecodeGenerator.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ByteCodeParser):
        (JSC::DFG::ByteCodeParser::currentCodeOrigin):
        (JSC::DFG::ByteCodeParser::addCall):
        (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
        (JSC::DFG::ByteCodeParser::getPrediction):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::valueProfileFor):
        * jit/JIT.h:
        (JSC::JIT::emitValueProfilingSite):
        * jit/JITCall.cpp:
        (JSC::JIT::emit_op_call_put_result):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::emit_op_call_put_result):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitValueProfilingSite):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_resolve):
        (JSC::JIT::emit_op_resolve_base):
        (JSC::JIT::emit_op_resolve_skip):
        (JSC::JIT::emit_op_resolve_global):
        (JSC::JIT::emitSlow_op_resolve_global):
        (JSC::JIT::emit_op_resolve_with_base):
        (JSC::JIT::emit_op_resolve_with_this):
        (JSC::JIT::emitSlow_op_resolve_global_dynamic):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_resolve):
        (JSC::JIT::emit_op_resolve_base):
        (JSC::JIT::emit_op_resolve_skip):
        (JSC::JIT::emit_op_resolve_global):
        (JSC::JIT::emitSlow_op_resolve_global):
        (JSC::JIT::emit_op_resolve_with_base):
        (JSC::JIT::emit_op_resolve_with_this):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emit_op_method_check):
        (JSC::JIT::emitSlow_op_method_check):
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::emit_op_get_scoped_var):
        (JSC::JIT::emit_op_get_global_var):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_method_check):
        (JSC::JIT::emitSlow_op_method_check):
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::emit_op_get_scoped_var):
        (JSC::JIT::emit_op_get_global_var):
        * jit/JITStubCall.h:
        (JSC::JITStubCall::callWithValueProfiling):
        * runtime/Options.cpp:
        (JSC::Options::initializeOptions):

2012-01-20  ChangSeok Oh  <shivamidow@gmail.com>

        undefined reference to symbol eina_module_free
        https://bugs.webkit.org/show_bug.cgi?id=76681

        Reviewed by Martin Robinson.

        eina_module_free has been used without including eina libraries after r104936.

        * wtf/PlatformEfl.cmake: Add EINA_LIBRARIES.

2012-01-19  Tony Chang  <tony@chromium.org>

        [chromium] Remove an obsolete comment about features.gypi
        https://bugs.webkit.org/show_bug.cgi?id=76643

        There can be only one features.gypi.

        Reviewed by James Robinson.

        * JavaScriptCore.gyp/JavaScriptCore.gyp:

2012-01-19  Geoffrey Garen  <ggaren@apple.com>

        Implicit creation of a regular expression should eagerly check for syntax errors
        https://bugs.webkit.org/show_bug.cgi?id=76642

        Reviewed by Oliver Hunt.
        
        This is a correctness fix and a slight optimization.

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncMatch):
        (JSC::stringProtoFuncSearch): Check for syntax errors because that's the
        correct behavior.

        * runtime/RegExp.cpp:
        (JSC::RegExp::match): ASSERT that we aren't a syntax error. (One line
        of code change, many lines of indentation change.)

        Since we have no clients that try to match a RegExp that is a syntax error,
        let's optimize out the check.

2012-01-19  Mark Hahnenberg  <mhahnenberg@apple.com>

        Implement a new allocator for backing stores
        https://bugs.webkit.org/show_bug.cgi?id=75181

        Reviewed by Filip Pizlo.

        We want to move away from using fastMalloc for the backing stores for 
        some of our objects (e.g. JSArray, JSObject, JSString, etc).  These backing 
        stores have a nice property in that they only have a single owner (i.e. a 
        single pointer to them at any one time).  One way that we can take advantage 
        of this property is to implement a simple bump allocator/copying collector, 
        which will run alongside our normal mark/sweep collector, that only needs to 
        update the single owner pointer rather than having to redirect an arbitrary 
        number of pointers in from-space to to-space.

        This plan can give us a number of benefits. We can beat fastMalloc in terms 
        of both performance and memory usage, we can track how much memory we're using 
        far more accurately than our rough estimation now through the use of 
        reportExtraMemoryCost, and we can allocate arbitrary size objects (as opposed 
        to being limited to size classes like we have been historically). This is also 
        another step toward moving away from lazy destruction, which will improve our memory footprint.

        We start by creating said allocator and moving the ArrayStorage for JSArray 
        to use it rather than fastMalloc.

        The design of the collector is as follows:
        Allocation:
        -The collector allocates 64KB chunks from the OS to use for object allocation.
        -Each chunk contains an offset, a flag indicating if the block has been pinned, 
         and a payload, along with next and prev pointers so that they can be put in DoublyLinkedLists.
        -Any allocation greater than 64KB gets its own separate oversize block, which 
         is managed separately from the rest.
        -If the allocator receives a request for more than the remaining amount in the 
         current block, it grabs a fresh block.
        -Grabbing a fresh block means grabbing one off of the global free list (which is now 
         shared between the mark/sweep allocator and the bump allocator) if there is one. 
         If there isn't a new one we do one of two things: allocate a new block from the OS 
         if we're not ready for a GC yet, or run a GC and then try again. If we still don't 
         have enough space after the GC, we allocate a new block from the OS.

        Garbage collection:
        -At the start of garbage collection during conservative stack scanning, if we encounter 
         what appears to be a pointer to a bump-allocated block of memory, we pin that block so 
         that it will not be copied for this round of collection.
        -We also pin any oversize blocks that we encounter, which effectively doubles as a 
         "mark bit" for that block. Any oversize blocks that aren't pinned at the end of copying 
         are given back to the OS.
        -Marking threads are now also responsible for copying bump-allocated objects to newSpace
        -Each marking thread has a private 64KB block into which it copies bump-allocated objects that it encounters.
        -When that block fills up, the marking thread gives it back to the allocator and requests a new one.
        -When all marking has concluded, each thread gives back its copy block, even if it isn't full.
        -At the conclusion of copying (which is done by the end of the marking phase), we un-pin 
         any pinned blocks and give any blocks left in from-space to the global free list.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * heap/AllocationSpace.cpp:
        (JSC::AllocationSpace::allocateSlowCase):
        (JSC::AllocationSpace::allocateBlock):
        (JSC::AllocationSpace::freeBlocks):
        * heap/AllocationSpace.h:
        (JSC::AllocationSpace::waterMark):
        * heap/BumpBlock.h: Added.
        (JSC::BumpBlock::BumpBlock):
        * heap/BumpSpace.cpp: Added.
        (JSC::BumpSpace::tryAllocateSlowCase):
        * heap/BumpSpace.h: Added.
        (JSC::BumpSpace::isInCopyPhase):
        (JSC::BumpSpace::totalMemoryAllocated):
        (JSC::BumpSpace::totalMemoryUtilized):
        * heap/BumpSpaceInlineMethods.h: Added.
        (JSC::BumpSpace::BumpSpace):
        (JSC::BumpSpace::init):
        (JSC::BumpSpace::contains):
        (JSC::BumpSpace::pin):
        (JSC::BumpSpace::startedCopying):
        (JSC::BumpSpace::doneCopying):
        (JSC::BumpSpace::doneFillingBlock):
        (JSC::BumpSpace::recycleBlock):
        (JSC::BumpSpace::getFreshBlock):
        (JSC::BumpSpace::borrowBlock):
        (JSC::BumpSpace::addNewBlock):
        (JSC::BumpSpace::allocateNewBlock):
        (JSC::BumpSpace::fitsInBlock):
        (JSC::BumpSpace::fitsInCurrentBlock):
        (JSC::BumpSpace::tryAllocate):
        (JSC::BumpSpace::tryAllocateOversize):
        (JSC::BumpSpace::allocateFromBlock):
        (JSC::BumpSpace::tryReallocate):
        (JSC::BumpSpace::tryReallocateOversize):
        (JSC::BumpSpace::isOversize):
        (JSC::BumpSpace::isPinned):
        (JSC::BumpSpace::oversizeBlockFor):
        (JSC::BumpSpace::blockFor):
        * heap/ConservativeRoots.cpp:
        (JSC::ConservativeRoots::ConservativeRoots):
        (JSC::ConservativeRoots::genericAddPointer):
        (JSC::ConservativeRoots::add):
        * heap/ConservativeRoots.h:
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::blockFreeingThreadMain):
        (JSC::Heap::reportExtraMemoryCostSlowCase):
        (JSC::Heap::getConservativeRegisterRoots):
        (JSC::Heap::markRoots):
        (JSC::Heap::collect):
        (JSC::Heap::releaseFreeBlocks):
        * heap/Heap.h:
        (JSC::Heap::waterMark):
        (JSC::Heap::highWaterMark):
        (JSC::Heap::setHighWaterMark):
        (JSC::Heap::tryAllocateStorage):
        (JSC::Heap::tryReallocateStorage):
        * heap/HeapBlock.h: Added.
        (JSC::HeapBlock::HeapBlock):
        * heap/MarkStack.cpp:
        (JSC::MarkStackThreadSharedData::MarkStackThreadSharedData):
        (JSC::SlotVisitor::drain):
        (JSC::SlotVisitor::drainFromShared):
        (JSC::SlotVisitor::startCopying):
        (JSC::SlotVisitor::allocateNewSpace):
        (JSC::SlotVisitor::copy):
        (JSC::SlotVisitor::copyAndAppend):
        (JSC::SlotVisitor::doneCopying):
        * heap/MarkStack.h:
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::recycle):
        (JSC::MarkedBlock::MarkedBlock):
        * heap/MarkedBlock.h:
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::MarkedSpace):
        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::allocate):
        (JSC::MarkedSpace::forEachBlock):
        (JSC::MarkedSpace::SizeClass::resetAllocator):
        * heap/SlotVisitor.h:
        (JSC::SlotVisitor::SlotVisitor):
        * heap/TinyBloomFilter.h:
        (JSC::TinyBloomFilter::reset):
        * runtime/JSArray.cpp:
        (JSC::JSArray::JSArray):
        (JSC::JSArray::finishCreation):
        (JSC::JSArray::tryFinishCreationUninitialized):
        (JSC::JSArray::~JSArray):
        (JSC::JSArray::enterSparseMode):
        (JSC::JSArray::defineOwnNumericProperty):
        (JSC::JSArray::setLengthWritable):
        (JSC::JSArray::getOwnPropertySlotByIndex):
        (JSC::JSArray::getOwnPropertyDescriptor):
        (JSC::JSArray::putByIndexBeyondVectorLength):
        (JSC::JSArray::deletePropertyByIndex):
        (JSC::JSArray::getOwnPropertyNames):
        (JSC::JSArray::increaseVectorLength):
        (JSC::JSArray::unshiftCountSlowCase):
        (JSC::JSArray::setLength):
        (JSC::JSArray::pop):
        (JSC::JSArray::unshiftCount):
        (JSC::JSArray::visitChildren):
        (JSC::JSArray::sortNumeric):
        (JSC::JSArray::sort):
        (JSC::JSArray::compactForSorting):
        (JSC::JSArray::subclassData):
        (JSC::JSArray::setSubclassData):
        (JSC::JSArray::checkConsistency):
        * runtime/JSArray.h:
        (JSC::JSArray::inSparseMode):
        (JSC::JSArray::isLengthWritable):
        * wtf/CheckedBoolean.h: Added.
        (CheckedBoolean::CheckedBoolean):
        (CheckedBoolean::~CheckedBoolean):
        (CheckedBoolean::operator bool):
        * wtf/DoublyLinkedList.h:
        (WTF::::push):
        * wtf/StdLibExtras.h:
        (WTF::isPointerAligned):

2012-01-19  Joi Sigurdsson  <joi@chromium.org>

        Enable use of precompiled headers in Chromium port on Windows.

        Bug 76381 - Use precompiled headers in Chromium port on Windows
        https://bugs.webkit.org/show_bug.cgi?id=76381

        Reviewed by Tony Chang.

        * JavaScriptCore.gyp/JavaScriptCore.gyp: Include WinPrecompile.gypi.

2012-01-18  Roland Takacs  <takacs.roland@stud.u-szeged.hu>

        Cross-platform processor core counter fix
        https://bugs.webkit.org/show_bug.cgi?id=76540

        Reviewed by Zoltan Herczeg.

        I attached "OS(FREEBSD)" to "#if OS(DARWIN) || OS(OPENBSD) || OS(NETBSD)"
        and I removed the OS checking macros from ParallelJobsGeneric.cpp because
        the NumberOfCores.cpp contains them for counting CPU cores.
        The processor core counter patch located at
        https://bugs.webkit.org/show_bug.cgi?id=76530

        * wtf/NumberOfCores.cpp:
        * wtf/ParallelJobsGeneric.cpp:

2012-01-18  Csaba Osztrogonác  <ossy@webkit.org>

        Cross-platform processor core counter
        https://bugs.webkit.org/show_bug.cgi?id=76530

        Unreviewed cross-MinGW buildfix after r105270.

        * wtf/NumberOfCores.cpp: Use windows.h instead of Windows.h.

2012-01-18  Roland Takacs  <takacs.roland@stud.u-szeged.hu>

        Cross-platform processor core counter
        https://bugs.webkit.org/show_bug.cgi?id=76530

        Reviewed by Zoltan Herczeg.

        Two files have been created that include the processor core counter function.
        It used to be in ParallelJobsGeneric.h/cpp before.

        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/Options.cpp:
        (JSC::Options::initializeOptions):
        * wtf/CMakeLists.txt:
        * wtf/NumberOfCores.cpp: Added.
        (WTF::numberOfProcessorCores):
        * wtf/NumberOfCores.h: Added.
        * wtf/ParallelJobsGeneric.cpp:
        (WTF::ParallelEnvironment::ParallelEnvironment):
        * wtf/ParallelJobsGeneric.h:

2012-01-18  Balazs Kelemen  <kbalazs@webkit.org>

        [Qt] Consolidate layout test crash logging
        https://bugs.webkit.org/show_bug.cgi?id=75088

        Reviewed by Simon Hausmann.

        Move backtrace generating logic into WTFReportBacktrace
        and add a way to deinstall signal handlers if we know
        that we have already printed the backtrace.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * wtf/Assertions.cpp:
        (WTFLogLocker::WTFReportBacktrace):
        (WTFLogLocker::WTFSetCrashHook):
        (WTFLogLocker::WTFInvokeCrashHook):
        * wtf/Assertions.h:

2012-01-17  Geoffrey Garen  <ggaren@apple.com>

        Factored out some code into a helper function.
        
        I think this might help getting rid of omit-frame-pointer.

        Reviewed by Sam Weinig.
        
        No benchmark change.

        * runtime/StringPrototype.cpp:
        (JSC::removeUsingRegExpSearch): Moved to here...
        (JSC::replaceUsingRegExpSearch): ...from here.

2012-01-17  Caio Marcelo de Oliveira Filho  <caio.oliveira@openbossa.org>

        Uint8ClampedArray support
        https://bugs.webkit.org/show_bug.cgi?id=74455

        Reviewed by Filip Pizlo.

        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/PredictedType.cpp:
        (JSC::predictionToString):
        (JSC::predictionFromClassInfo):
        * bytecode/PredictedType.h:
        (JSC::isUint8ClampedArrayPrediction):
        (JSC::isActionableMutableArrayPrediction):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::initialize):
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateUint8ClampedArray):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::fixupNode):
        (JSC::DFG::Propagator::performNodeCSE):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::clampDoubleToByte):
        (JSC::DFG::compileClampIntegerToByte):
        (JSC::DFG::SpeculativeJIT::compilePutByValForByteArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/JSCell.h:
        * runtime/JSGlobalData.h:
        * wtf/Forward.h:
        * wtf/Uint8Array.h:
        * wtf/Uint8ClampedArray.h: Added.
        (WTF::Uint8ClampedArray::set):
        (WTF::Uint8ClampedArray::create):
        (WTF::Uint8ClampedArray::Uint8ClampedArray):
        (WTF::Uint8ClampedArray::subarray):

2012-01-17  Sam Weinig  <sam@webkit.org>

        Add helper macro for forward declaring objective-c classes
        https://bugs.webkit.org/show_bug.cgi?id=76485

        Reviewed by Anders Carlsson.

        * wtf/Compiler.h:
        Add OBJC_CLASS macro which helps reduce code when forward declaring an
        objective-c class in a header which can be included from both Objective-C
        and non-Objective-C files.

2012-01-17  Filip Pizlo  <fpizlo@apple.com>

        DFG should be able to do JS and custom getter caching
        https://bugs.webkit.org/show_bug.cgi?id=76361

        Reviewed by Csaba Osztrogonác.
        
        Fix for 32-bit.

        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryBuildGetByIDList):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2012-01-15  Filip Pizlo  <fpizlo@apple.com>

        DFG should be able to do JS and custom getter caching
        https://bugs.webkit.org/show_bug.cgi?id=76361
        <rdar://problem/10698060>

        Reviewed by Geoff Garen.
        
        Added the ability to cache JS getter calls and custom getter calls in the DFG.
        Most of this is pretty mundane, since the old JIT supported this functionality
        as well. But a couple interesting things had to happen:
        
        - There are now two variants of GetById: GetById, which works as before, and
          GetByIdFlush, which flushes registers prior to doing the GetById. Only
          GetByIdFlush can be used for caching getters. We detect which GetById style
          to use by looking at the inline caches of the old JIT.
        
        - Exception handling for getter calls planted in stubs uses a separate lookup
          handler routine, which uses the CodeOrigin stored in the StructureStubInfo.
          
        This is a 40% speed-up in the Dromaeo DOM Traversal average. It removes all of
        the DFG regressions we saw in Dromaeo. This is neutral on SunSpider, V8, and
        Kraken.

        * bytecode/StructureStubInfo.h:
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGAssemblyHelpers.h:
        (JSC::DFG::AssemblyHelpers::emitExceptionCheck):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::willNeedFlush):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCCallHelpers.h:
        (JSC::DFG::CCallHelpers::setupResults):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::PropertyAccessRecord::PropertyAccessRecord):
        (JSC::DFG::JITCompiler::addExceptionCheck):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasIdentifier):
        (JSC::DFG::Node::hasHeapPrediction):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryCacheGetByID):
        (JSC::DFG::tryBuildGetByIDList):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheckSetResult):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::compile):

2012-01-16  Jon Lee  <jonlee@apple.com>

        Build fix for r105086.

        * Configurations/FeatureDefines.xcconfig:
        * wtf/Platform.h:

2012-01-16  Jon Lee  <jonlee@apple.com>

        Remove HTML notifications support on Mac
        https://bugs.webkit.org/show_bug.cgi?id=76401
        <rdar://problem/10589881>

        Reviewed by Sam Weinig.

        * wtf/Platform.h: Define ENABLE_HTML_NOTIFICATIONS macro.

2012-01-16  Zeno Albisser  <zeno@webkit.org>

        [Qt] Fix QT_VERSION related warnings when building on Mac OS X
        https://bugs.webkit.org/show_bug.cgi?id=76340

        This bug was caused by r104826.
        As already mentioned for https://bugs.webkit.org/show_bug.cgi?id=57239
        we should not use "using namespace WebCore" in header files,
        because it might cause ambiguous references.
        This patch reverts the changes from r104826 and r104981
        and removes the "using namespace WebCore" statement from
        two header files.

        Reviewed by Tor Arne Vestbø.

        * wtf/Platform.h:

2012-01-16  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix make distcheck.

        * GNUmakefile.list.am: Fix typo.

2012-01-16  Pavel Heimlich  <tropikhajma@gmail.com>

        Solaris Studio supports alignment macros too
        https://bugs.webkit.org/show_bug.cgi?id=75453

        Reviewed by Hajime Morita.

        * wtf/Alignment.h:

2012-01-16  Yuqiang Xian  <yuqiang.xian@intel.com>

        Build fix on 32bit if verbose debug is enabled in DFG
        https://bugs.webkit.org/show_bug.cgi?id=76351

        Reviewed by Hajime Morita.

        Mostly change "%lu" to "%zu" to print a "size_t" variable.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::endBasicBlock):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::predictArgumentTypes):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):

2012-01-15  Filip Pizlo  <fpizlo@apple.com>

        The C calling convention logic in DFG::SpeculativeJIT should be available even
        when not generating code for the DFG speculative path
        https://bugs.webkit.org/show_bug.cgi?id=76355

        Reviewed by Dan Bernstein.
        
        Moved all of the logic for placing C call arguments into the right place (stack
        or registers) into a new class, DFG::CCallHelpers.  This class inherits from
        AssemblyHelpers, another DFG grab-bag of helper functions.  I could have moved
        this code into AssemblyHelpers, but decided against it, because I wanted to
        limit the number of methods each class in the JIT has.  Hence now we have a
        slightly odd organization of JIT classes in DFG: MacroAssembler (basic instruction
        emission) <= AssemblyHelpers (some additional JS smarts) <= CCallHelpers
        (understands calls to C functions) <= JITCompiler (can compile a graph to machine
        code).  Each of these except for JITCompiler can be reused for stub compilation.
        
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGCCallHelpers.h: Added.
        (JSC::DFG::CCallHelpers::CCallHelpers):
        (JSC::DFG::CCallHelpers::resetCallArguments):
        (JSC::DFG::CCallHelpers::addCallArgument):
        (JSC::DFG::CCallHelpers::setupArguments):
        (JSC::DFG::CCallHelpers::setupArgumentsExecState):
        (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
        (JSC::DFG::CCallHelpers::setupTwoStubArgs):
        (JSC::DFG::CCallHelpers::setupStubArguments):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::JITCompiler):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):

2012-01-15  Pablo Flouret  <pablof@motorola.com>

        Fix compilation errors on build-webkit --debug --no-video on mac.
        https://bugs.webkit.org/show_bug.cgi?id=75867

        Reviewed by Philippe Normand.

        Make ENABLE_VIDEO_TRACK conditional on ENABLE_VIDEO, video track feature
        doesn't build without video.

        * wtf/Platform.h:

2012-01-14  David Levin  <levin@chromium.org>

        HWndDC should be in platform/win instead of wtf.
        https://bugs.webkit.org/show_bug.cgi?id=76314

        Reviewed by Sam Weinig.

        * JavaScriptCore.gyp/JavaScriptCore.gyp:
        * JavaScriptCore.gypi:

2012-01-13  David Levin  <levin@chromium.org>

        check-webkit-style: should encourage the use of Own* classes for Windows DC.
        https://bugs.webkit.org/show_bug.cgi?id=76227

        Reviewed by Dirk Pranke.

        * wtf/win/HWndDCWin.h:
        (WTF::HwndDC::HwndDC): Add a way to do GetDCEx.
        There are no users, but I want to catch this in check-webkit-style
        and tell any users to use HwndDC to avoid leaks.

2012-01-13  David Levin  <levin@chromium.org>

        Header file is missing header guard.

        Reviewed by Dirk Pranke.

        * wtf/win/HWndDCWin.h: Added the guards.

2012-01-13  Andy Wingo  <wingo@igalia.com>

        Eval in strict mode does not need dynamic checks
        https://bugs.webkit.org/show_bug.cgi?id=76286

        Reviewed by Oliver Hunt.

        * runtime/JSActivation.cpp (JSC::JSActivation::JSActivation):
        Eval in strict mode cannot introduce variables, so it not impose
        the need for dynamic checks.

2012-01-13  David Levin  <levin@chromium.org>

        HWndDC is a better name than HwndDC.
        https://bugs.webkit.org/show_bug.cgi?id=76281

        Reviewed by Darin Adler.

        * JavaScriptCore.gyp/JavaScriptCore.gyp:
        * JavaScriptCore.gypi:
        * wtf/win/HWndDCWin.h: Renamed from Source/JavaScriptCore/wtf/win/HwndDCWin.h.
        (WTF::HWndDC::HWndDC):
        (WTF::HWndDC::~HWndDC):
        (WTF::HWndDC::operator HDC):

2012-01-13  YoungTaeck Song  <youngtaeck.song@samsung.com>

        [EFL] Add OwnPtr specialization for Eina_Module.
        https://bugs.webkit.org/show_bug.cgi?id=76255

        Reviewed by Andreas Kling.

        Add an overload for deleteOwnedPtr(Eina_Module*) on EFL port.

        * wtf/OwnPtrCommon.h:
        * wtf/efl/OwnPtrEfl.cpp:
        (WTF::deleteOwnedPtr):

2012-01-13  Yuqiang Xian  <yuqiang.xian@intel.com>

        Unreviewed build fix after r104787 if JIT_VERBOSE_OSR is defined

        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):

2012-01-12  Hajime Morrita  <morrita@chromium.org>

        JavaScriptCore: Mark all exported symbols in the header file automatically.
        https://bugs.webkit.org/show_bug.cgi?id=72855

        Reviewed by Darin Adler.

        Added WTF_EXPORT_PRIVATE and JS_EXPORT_PRIVATE based on JavaScriptCore.exp files.
        The change is generated by a tool calledListExportables (https://github.com/omo/ListExportables)

        * API/OpaqueJSString.h:
        * bytecode/CodeBlock.h:
        * bytecode/SamplingTool.h:
        * debugger/Debugger.h:
        * debugger/DebuggerActivation.h:
        * debugger/DebuggerCallFrame.h:
        * heap/AllocationSpace.h:
        * heap/HandleHeap.h:
        * heap/Heap.h:
        * heap/MachineStackMarker.h:
        * heap/MarkStack.h:
        * heap/VTableSpectrum.h:
        * heap/WriteBarrierSupport.h:
        * parser/Nodes.h:
        * parser/ParserArena.h:
        * profiler/Profile.h:
        * runtime/ArgList.h:
        * runtime/CallData.h:
        * runtime/Completion.h:
        * runtime/ConstructData.h:
        * runtime/DateInstance.h:
        * runtime/Error.h:
        * runtime/ExceptionHelpers.h:
        * runtime/FunctionConstructor.h:
        * runtime/Identifier.h:
        * runtime/InitializeThreading.h:
        * runtime/InternalFunction.h:
        * runtime/JSArray.h:
        * runtime/JSByteArray.h:
        * runtime/JSCell.h:
        * runtime/JSFunction.h:
        * runtime/JSGlobalData.cpp:
        * runtime/JSGlobalData.h:
        * runtime/JSGlobalObject.h:
        * runtime/JSGlobalThis.h:
        * runtime/JSLock.h:
        * runtime/JSObject.h:
        * runtime/JSString.h:
        * runtime/JSValue.h:
        * runtime/JSVariableObject.h:
        * runtime/Lookup.h:
        * runtime/MemoryStatistics.h:
        * runtime/ObjectPrototype.h:
        * runtime/Options.h:
        * runtime/PropertyDescriptor.h:
        * runtime/PropertyNameArray.h:
        * runtime/PropertySlot.h:
        * runtime/RegExp.h:
        * runtime/RegExpObject.h:
        * runtime/SamplingCounter.h:
        * runtime/SmallStrings.h:
        * runtime/StringObject.h:
        * runtime/Structure.h:
        * runtime/TimeoutChecker.h:
        * runtime/UString.h:
        * runtime/WriteBarrier.h:
        * wtf/ArrayBufferView.h:
        * wtf/ByteArray.h:
        * wtf/CryptographicallyRandomNumber.h:
        * wtf/CurrentTime.h:
        * wtf/DateMath.h:
        * wtf/DecimalNumber.h:
        * wtf/FastMalloc.cpp:
        * wtf/FastMalloc.h:
        * wtf/MD5.h:
        * wtf/MainThread.h:
        * wtf/MetaAllocator.h:
        * wtf/MetaAllocatorHandle.h:
        * wtf/OSAllocator.h:
        * wtf/PageBlock.h:
        * wtf/RandomNumber.h:
        * wtf/RefCountedLeakCounter.h:
        * wtf/SHA1.h:
        * wtf/Threading.cpp:
        * wtf/Threading.h:
        * wtf/ThreadingPrimitives.h:
        * wtf/WTFThreadData.h:
        * wtf/dtoa.h:
        * wtf/text/AtomicString.h:
        * wtf/text/CString.h:
        * wtf/text/StringBuilder.h:
        * wtf/text/StringImpl.h:
        * wtf/text/WTFString.h:
        * wtf/unicode/Collator.h:
        * wtf/unicode/UTF8.h:
        * yarr/Yarr.h:
        * yarr/YarrPattern.h:

2012-01-12  MORITA Hajime  <morrita@google.com>

        [Chromium] JSExportMacros.h should be visible.
        https://bugs.webkit.org/show_bug.cgi?id=76147

        Reviewed by Tony Chang.

        * config.h:

2012-01-12  David Levin  <levin@chromium.org>

        HwndDC is a better name than OwnGetDC.
        https://bugs.webkit.org/show_bug.cgi?id=76235

        Reviewed by Dmitry Titov.

        This is a better name for two reasons:
        1. "Own" implies "delete". In this case, the final call is a release (ReleaseDC).
        2. "Ref" would be a better name due to the release but the RefPtr (and OwnPtr)
           classes always take something to hold on to. In this case, the object (the DC)
           is created by the class once it is given a Window to ensure that the HDC
           was actually created using GetDC.

        * JavaScriptCore.gyp/JavaScriptCore.gyp:
        * JavaScriptCore.gypi:
        * wtf/win/HwndDCWin.h: Renamed from Source/JavaScriptCore/wtf/win/OwnGetDCWin.h.
        (WTF::HwndDC::HwndDC):
        (WTF::HwndDC::~HwndDC):
        (WTF::HwndDC::operator HDC):

2012-01-12  Gavin Barraclough  <barraclough@apple.com>

        Clean up putDirect (part 2)
        https://bugs.webkit.org/show_bug.cgi?id=76232

        Reviewed by Sam Weinig.

        Rename putWithAttributes to putDirectVirtual, to identify that this
        has the same unchecked-DefineOwnProperty behaviour, change putDirectInternal
        to be templated on an enum indicating which behaviour it is supposed to be
        implementing, and change clients that are defining properties to call
        putDirectInternal correctly.

        * API/JSObjectRef.cpp:
        (JSObjectSetProperty):
        * JavaScriptCore.exp:
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::putDirectVirtual):
        * debugger/DebuggerActivation.h:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        * runtime/ClassInfo.h:
        * runtime/Error.cpp:
        (JSC::addErrorInfo):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::putDirectVirtual):
        * runtime/JSActivation.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::putDirectVirtual):
        * runtime/JSCell.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::putDirectVirtual):
        * runtime/JSGlobalObject.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        (JSC::JSObject::putDirectVirtual):
        (JSC::JSObject::defineGetter):
        (JSC::JSObject::initializeGetterSetterProperty):
        (JSC::JSObject::defineSetter):
        (JSC::putDescriptor):
        * runtime/JSObject.h:
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::putOwnDataProperty):
        (JSC::JSObject::putDirect):
        * runtime/JSStaticScopeObject.cpp:
        (JSC::JSStaticScopeObject::putDirectVirtual):
        * runtime/JSStaticScopeObject.h:
        * runtime/JSVariableObject.cpp:
        (JSC::JSVariableObject::putDirectVirtual):
        * runtime/JSVariableObject.h:

2012-01-12  Gavin Barraclough  <barraclough@apple.com>

        Clean up putDirect (part 1)
        https://bugs.webkit.org/show_bug.cgi?id=76232

        Reviewed by Sam Weinig.

        putDirect has ambiguous semantics, clean these up a bit.

        putDirect generally behaves a bit like a fast defineOwnProperty, but one that
        always creates the property, with no checking to validate the put it permitted.

        It also encompasses two slightly different behaviors.
        (1) a fast form of put for JSActivation, which doesn't have to handle searching
            the prototype chain, getter/setter properties, or the magic __proto__ value.
            Break this out as a new method, 'putOwnDataProperty'.
        (2) the version of putDirect on JSValue will also check for overwriting ReadOnly
            values, in strict mode. This is, however, not so smart on a few level, since
            it is only called from op_put_by_id with direct set, which is only used with
            an object as the base, and is only used to put new properties onto objects.

        * dfg/DFGOperations.cpp:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::put):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getOwnPropertySlot):
        * runtime/JSObject.h:
        (JSC::JSObject::putOwnDataProperty):
        * runtime/JSValue.h:

2012-01-12  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=76141
        defineSetter/defineGetter may fail to update Accessor attribute

        Reviewed by Oliver Hunt.

        * runtime/JSObject.cpp:
        (JSC::JSObject::defineGetter):
        (JSC::JSObject::initializeGetterSetterProperty):
        (JSC::JSObject::defineSetter):
        * runtime/Structure.cpp:
        (JSC::Structure::attributeChangeTransition):
        * runtime/Structure.h:

2012-01-12  David Levin  <levin@chromium.org>

        [chromium] Fix DC leak in WebScreenInfoFactory.
        https://bugs.webkit.org/show_bug.cgi?id=76203

        Reviewed by Dmitry Titov.

        * JavaScriptCore.gyp/JavaScriptCore.gyp: Added OwnGetDCWin.h
        * JavaScriptCore.gypi: Added OwnGetDCWin.h
        * JavaScriptCore/wtf/win/OwnGetDCWin.h: Made an owner class for GetDC which needs ReleaseDC as opposed to DeleteDC.

2012-01-11  Gavin Barraclough  <barraclough@apple.com>

        Allow accessor get/set property to be set to undefined
        https://bugs.webkit.org/show_bug.cgi?id=76148

        Reviewed by Oliver Hunt.

        AccessorDescriptor properties may have their get & set properties defined to reference a function
        (Callable object) or be set to undefined. Valid PropertyDescriptors created by toPropertyDescriptor
        (defined from JS code via Object.defineProperty, etc) have get and set properties that are in one of
        three states (1) nonexistent, (2) set to undefined, or (3) a function (any Callable object).

        On the PropertyDescriptor object these three states are represneted by JSValue(), jsUndefined(), and
        any JSObject* (with a constraint that this must be callable).

        Logically the get/set property of an accessor descriptor on an object might be in any of the three
        states above, but in practice there is no way to distinguish between the first two states. As such
        we stor the get/set values in property storage in a JSObject* field, with 0 indicating absent or
        undefined. When unboxing to a PropertyDescriptor, map this back to a JS undefined value.

        * runtime/GetterSetter.h:
        (JSC::GetterSetter::setGetter):
        (JSC::GetterSetter::setSetter):
            - Allow the getter/setter to be cleared.
        * runtime/JSArray.cpp:
        (JSC::JSArray::putDescriptor):
            - Changed to call getterObject/setterObject.
        (JSC::JSArray::defineOwnNumericProperty):
            - Added ASSERT.
        * runtime/JSObject.cpp:
        (JSC::putDescriptor):
        (JSC::JSObject::defineOwnProperty):
            - Changed to call getterObject/setterObject.
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetOwnPropertyDescriptor):
            - getter/setter values read from properties on object are never missing, they will now be set as undefined by 'setDescriptor'.
        (JSC::toPropertyDescriptor):
            - Do not translate undefined->empty, this loses an important distinction between a get/set property being absent, or being explicitly set to undefined.
        * runtime/PropertyDescriptor.cpp:
        (JSC::PropertyDescriptor::getterObject):
        (JSC::PropertyDescriptor::setterObject):
            - Accessors to convert the get/set property to an object pointer, converting undefined to 0.
        (JSC::PropertyDescriptor::setDescriptor):
        (JSC::PropertyDescriptor::setAccessorDescriptor):
            - Translate a getter/setter internally represented at 0 to undefined, indicating that it is present.
        * runtime/PropertyDescriptor.h:
            - Declare getterObject/setterObject.

2012-01-12  Zeno Albisser  <zeno@webkit.org>

        [Qt][WK2][Mac] Conflict of MacTypes.h defining a Fixed type after r104560.
        https://bugs.webkit.org/show_bug.cgi?id=76175

        Defining ENABLE_CSS_FILTERS leads to ambiguous references
        due to MacTypes.h being included.
        Defining CF_OPEN_SOURCE works around this problem.

        Reviewed by Simon Hausmann.

        * wtf/Platform.h:

2012-01-12  Simon Hausmann  <simon.hausmann@nokia.com>

        Make the new WTF module build on Qt
        https://bugs.webkit.org/show_bug.cgi?id=76163

        Reviewed by Tor Arne Vestbø.

        * JavaScriptCore.pro: Removed wtf from the subdirs to build.

2012-01-11  Filip Pizlo  <fpizlo@apple.com>

        CodeBlock::m_executeCounter should be renamed to CodeBlock::m_jitExecuteCounter
        https://bugs.webkit.org/show_bug.cgi?id=76144
        <rdar://problem/10681711>

        Rubber stamped by Gavin Barraclough.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addressOfJITExecuteCounter):
        (JSC::CodeBlock::offsetOfJITExecuteCounter):
        (JSC::CodeBlock::jitExecuteCounter):
        (JSC::CodeBlock::optimizeNextInvocation):
        (JSC::CodeBlock::dontOptimizeAnytimeSoon):
        (JSC::CodeBlock::optimizeAfterWarmUp):
        (JSC::CodeBlock::optimizeAfterLongWarmUp):
        (JSC::CodeBlock::optimizeSoon):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * jit/JIT.cpp:
        (JSC::JIT::emitOptimizationCheck):

2012-01-11  Gavin Barraclough  <barraclough@apple.com>

        Merge 'Getter'/'Setter' attributes into 'Accessor'
        https://bugs.webkit.org/show_bug.cgi?id=76141

        Reviewed by Filip Pizlo.

        These are currently ambiguous (and used inconsistently). It would logically appear
        that either being bit set implies that the corresponding type of accessor is present
        but (a) we don't correctly enforce this, and (b) this means the attributes would not
        be able to distinguish between a data descriptor and an accessor descriptor with
        neither a getter nor setter defined (which is a descriptor permissible under the spec).
        This ambiguity would lead to unsafe property caching behavior (though this does not
        represent an actual current bug, since we are currently unable to create descriptors
        that have neither a getter nor setter, it just prevents us from doing so).

        * runtime/Arguments.cpp:
        (JSC::Arguments::createStrictModeCallerIfNecessary):
        (JSC::Arguments::createStrictModeCalleeIfNecessary):
        * runtime/JSArray.cpp:
        (JSC::SparseArrayValueMap::put):
        (JSC::JSArray::putDescriptor):
        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::finishCreation):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getOwnPropertySlot):
        (JSC::JSFunction::getOwnPropertyDescriptor):
        * runtime/JSObject.cpp:
        (JSC::JSObject::defineGetter):
        (JSC::JSObject::initializeGetterSetterProperty):
        (JSC::JSObject::defineSetter):
        (JSC::putDescriptor):
        (JSC::JSObject::defineOwnProperty):
        * runtime/JSObject.h:
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorDefineProperty):
        * runtime/PropertyDescriptor.cpp:
        (JSC::PropertyDescriptor::setDescriptor):
        (JSC::PropertyDescriptor::setAccessorDescriptor):
        (JSC::PropertyDescriptor::setSetter):
        (JSC::PropertyDescriptor::setGetter):
        (JSC::PropertyDescriptor::attributesOverridingCurrent):

2012-01-11  Gavin Barraclough  <barraclough@apple.com>

        Object.defineProperty([], 'length', {}) should not make length read-only
        https://bugs.webkit.org/show_bug.cgi?id=76097

        Reviewed by Oliver Hunt.

        * runtime/JSArray.cpp:
        (JSC::JSArray::defineOwnProperty):
            - We should be checking writablePresent().

2012-01-11  Filip Pizlo  <fpizlo@apple.com>

        Code duplication for invoking the JIT and DFG should be reduced
        https://bugs.webkit.org/show_bug.cgi?id=76117
        <rdar://problem/10680189>

        Rubber stamped by Geoff Garen.

        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jit/JITDriver.h: Added.
        (JSC::jitCompileIfAppropriate):
        (JSC::jitCompileFunctionIfAppropriate):
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::compileInternal):
        (JSC::ProgramExecutable::compileInternal):
        (JSC::FunctionExecutable::compileForCallInternal):
        (JSC::FunctionExecutable::compileForConstructInternal):

2012-01-11  Geoffrey Garen  <ggaren@apple.com>

        Bytecode dumping is broken for call opcodes (due to two new operands)
        https://bugs.webkit.org/show_bug.cgi?id=75886

        Reviewed by Oliver Hunt.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printCallOp): Made a helper function, so I wouldn't have
        to fix this more than once. The helper function skips the extra two operands
        at the end of the opcode, used for optimization.
        
        (JSC::CodeBlock::dump): Used the helper function.

        * bytecode/CodeBlock.h: Declared the helper function.

2012-01-09  Geoffrey Garen  <ggaren@apple.com>

        REGRESSION: d3 Bullet Charts demo doesn't work (call with argument assignment is broken)
        https://bugs.webkit.org/show_bug.cgi?id=75911

        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::emitNodeForLeftHandSide): Cleanup: No need to
        explicitly cast to our return type in C++.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::FunctionCallResolveNode::emitBytecode):
        (JSC::ApplyFunctionCallDotNode::emitBytecode): Make sure to copy our function
        into a temporary register before evaluating our arguments, since argument
        evaluation might include function calls or assignments that overwrite our callee by name.

2012-01-11  Michael Saboff  <msaboff@apple.com>

        v8-regexp spends 35% of its time allocating and copying internal regexp results data
        https://bugs.webkit.org/show_bug.cgi?id=76079

        Reviewed by Geoffrey Garen.

        Added a new RegExpResults struct that has the input string, the number of
        subexpressions and the output vector.  Changed RegExpConstructor to
        include a RegExpConstructorPrivate instead of having a reference to one.
        Changed RegExpMatchesArray to include a RegExpResults instead of a 
        reference to a RegExpConstructorPrivate.  Created an overloaded assignment
        operator to assign a RegExpConstructorPrivate to a RegExpResults.
        Collectively this change is worth 24% performance improvement to v8-regexp.
        
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpResult::operator=):
        (JSC::RegExpConstructor::RegExpConstructor):
        (JSC::RegExpMatchesArray::RegExpMatchesArray):
        (JSC::RegExpMatchesArray::finishCreation):
        (JSC::RegExpMatchesArray::~RegExpMatchesArray):
        (JSC::RegExpMatchesArray::fillArrayInstance):
        (JSC::RegExpConstructor::arrayOfMatches):
        (JSC::RegExpConstructor::getBackref):
        (JSC::RegExpConstructor::getLastParen):
        (JSC::RegExpConstructor::getLeftContext):
        (JSC::RegExpConstructor::getRightContext):
        (JSC::RegExpConstructor::setInput):
        (JSC::RegExpConstructor::input):
        (JSC::RegExpConstructor::setMultiline):
        (JSC::RegExpConstructor::multiline):
        * runtime/RegExpConstructor.h:
        (JSC::RegExpResult::RegExpResult):
        (JSC::RegExpConstructor::performMatch):
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::create):
        (JSC::RegExpMatchesArray::getOwnPropertySlot):
        (JSC::RegExpMatchesArray::getOwnPropertySlotByIndex):
        (JSC::RegExpMatchesArray::getOwnPropertyDescriptor):
        (JSC::RegExpMatchesArray::put):
        (JSC::RegExpMatchesArray::putByIndex):
        (JSC::RegExpMatchesArray::deleteProperty):
        (JSC::RegExpMatchesArray::deletePropertyByIndex):
        (JSC::RegExpMatchesArray::getOwnPropertyNames):

2012-01-11  Eugene Girard  <girard@google.com>

        Typo in error message: Unexpected token 'defualt'
        https://bugs.webkit.org/show_bug.cgi?id=75105

        Reviewed by Simon Fraser.

        * parser/Parser.h:
        (JSC::Parser::getTokenName):

2012-01-11  Anders Carlsson  <andersca@apple.com>

        Assertion failure in JSC::allocateCell trying to allocate a JSString
        https://bugs.webkit.org/show_bug.cgi?id=76101

        Reviewed by Adam Roben.

        Remove the ExecutableBase::s_info and JSString::s_info static member variables  from the .def file and
        export them explicitly using the JS_EXPORTDATA macro.

        member variables explicitly using 
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * runtime/Executable.h:
        * runtime/JSString.h:

2012-01-10  Mark Rowe  <mrowe@apple.com>

        <rdar://problem/10673792> jsc should install directly in to versioned Resources subfolder

        This ensures that jsc ends up in a consistent location whether built in to the same DSTROOT
        as JavaScriptCore.framework or in to a different one.

        Rubber-stamped by Dan Bernstein.

        * Configurations/JSC.xcconfig: Update INSTALL_PATH.

2012-01-10  Filip Pizlo  <fpizlo@apple.com>

        DFG inlining block linking compares BlockIndex against bytecode index
        https://bugs.webkit.org/show_bug.cgi?id=76018
        <rdar://problem/10671979>

        Reviewed by Gavin Barraclough.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseCodeBlock):

2012-01-10  Filip Pizlo  <fpizlo@apple.com>

        CodeBlock.h declares too many things
        https://bugs.webkit.org/show_bug.cgi?id=76001

        Rubber stamped by Gavin Barraclough.
        
        Removed all non-CodeBlock type declarations from CodeBlock.h, and put them
        into separate header files. Also removed all non-CodeBlock method implementations
        from CodeBlock.cpp and put them into corresponding cpp files.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * assembler/RepatchBuffer.h:
        * bytecode/CallLinkInfo.cpp: Added.
        (JSC::CallLinkInfo::unlink):
        * bytecode/CallLinkInfo.h: Added.
        (JSC::CallLinkInfo::callTypeFor):
        (JSC::CallLinkInfo::CallLinkInfo):
        (JSC::CallLinkInfo::~CallLinkInfo):
        (JSC::CallLinkInfo::isLinked):
        (JSC::CallLinkInfo::seenOnce):
        (JSC::CallLinkInfo::setSeen):
        (JSC::getCallLinkInfoReturnLocation):
        (JSC::getCallLinkInfoBytecodeIndex):
        * bytecode/CallReturnOffsetToBytecodeOffset.h: Added.
        (JSC::CallReturnOffsetToBytecodeOffset::CallReturnOffsetToBytecodeOffset):
        (JSC::getCallReturnOffset):
        * bytecode/CodeBlock.cpp:
        * bytecode/CodeBlock.h:
        * bytecode/CodeType.h: Added.
        * bytecode/ExpressionRangeInfo.h: Added.
        * bytecode/GlobalResolveInfo.h: Added.
        (JSC::GlobalResolveInfo::GlobalResolveInfo):
        * bytecode/HandlerInfo.h: Added.
        * bytecode/LineInfo.h: Added.
        * bytecode/MethodCallLinkInfo.cpp: Added.
        (JSC::MethodCallLinkInfo::reset):
        * bytecode/MethodCallLinkInfo.h: Added.
        (JSC::MethodCallLinkInfo::MethodCallLinkInfo):
        (JSC::MethodCallLinkInfo::seenOnce):
        (JSC::MethodCallLinkInfo::setSeen):
        (JSC::getMethodCallLinkInfoReturnLocation):
        (JSC::getMethodCallLinkInfoBytecodeIndex):
        * bytecode/StructureStubInfo.h:
        (JSC::getStructureStubInfoReturnLocation):
        (JSC::getStructureStubInfoBytecodeIndex):

2012-01-10  Anders Carlsson  <andersca@apple.com>

        Hang opening movie that requires authentication
        https://bugs.webkit.org/show_bug.cgi?id=75989
        <rdar://problem/9601915>

        Reviewed by Sam Weinig.

        * wtf/Functional.h:
        Add function wrapper for a function that takes three parameters.

2012-01-10  Filip Pizlo  <fpizlo@apple.com>

        CodeBlock::m_numParameters should be encapsulated
        https://bugs.webkit.org/show_bug.cgi?id=75985
        <rdar://problem/10671020>

        Reviewed by Oliver Hunt.
        
        Encapsulated CodeBlock::m_numParameters and hooked argument profile creation
        into it.  This appears to be performance neutral.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::setNumParameters):
        (JSC::CodeBlock::addParameter):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::numParameters):
        (JSC::CodeBlock::addressOfNumParameters):
        (JSC::CodeBlock::offsetOfNumParameters):
        (JSC::CodeBlock::numberOfArgumentValueProfiles):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::addParameter):
        (JSC::BytecodeGenerator::emitReturn):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::AbstractState):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ByteCodeParser):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::predictArgumentTypes):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::slideRegisterWindowForCall):
        (JSC::Interpreter::dumpRegisters):
        (JSC::Interpreter::execute):
        (JSC::Interpreter::prepareForRepeatCall):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JITStubs.cpp:
        (JSC::arityCheckFor):
        (JSC::lazyLinkFor):
        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::compileForCallInternal):
        (JSC::FunctionExecutable::compileForConstructInternal):

2012-01-10  Gavin Barraclough  <barraclough@apple.com>

        Build fix following https://bugs.webkit.org/show_bug.cgi?id=75935

        Fix 32-bit builds.

        * runtime/JSArray.cpp:
        (JSC::JSArray::getOwnPropertyNames):
        (JSC::JSArray::setLength):

2012-01-10  Gavin Barraclough  <barraclough@apple.com>

        Windows build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-01-10  Gavin Barraclough  <barraclough@apple.com>

        Do not allow Array length to be set if it is non-configurable
        https://bugs.webkit.org/show_bug.cgi?id=75935

        Reviewed by Sam Weinig.

        Do not allow Array length to be set if it is non-configurable, and if the new
        length is less than the old length then intervening properties should removed
        in reverse order. Removal of properties should cease if an intervening indexed
        property being removed is non-configurable.

        * JavaScriptCore.exp:
            - Removed export for setLength.
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncConcat):
            - JSArray::setLength now takes an ExecState*
        (JSC::arrayProtoFuncSlice):
            - JSArray::setLength now takes an ExecState*
        * runtime/JSArray.cpp:
        (JSC::JSArray::defineOwnProperty):
            - JSArray::setLength now takes an ExecState*
        (JSC::JSArray::put):
            - JSArray::setLength now takes an ExecState*
        (JSC::compareKeysForQSort):
            - Keys extracted from the map can be stored as unsigneds.
        (JSC::JSArray::getOwnPropertyNames):
            - Keys extracted from the map can be stored as unsigneds.
        (JSC::JSArray::setLength):
            - Check lengthIsReadOnly(), rather than copying the entire map to iterate
              over to determine which keys to remove, instead just copy the keys from
              the map to a Vector. When inSparseMode sort the keys in the Vector so
              that we can remove properties in reverse order.
        * runtime/JSArray.h:
            - JSArray::setLength now takes an ExecState*

2012-01-10  Gavin Barraclough  <barraclough@apple.com>

        Use SameValue to compare property descriptor values
        https://bugs.webkit.org/show_bug.cgi?id=75975

        Reviewed by Sam Weinig.

        Rather than strictEqual.

        * runtime/JSArray.cpp:
        (JSC::JSArray::defineOwnNumericProperty):
            - Missing configurablePresent() check.
        * runtime/JSObject.cpp:
        (JSC::JSObject::defineOwnProperty):
            - call sameValue.
        * runtime/PropertyDescriptor.cpp:
        (JSC::sameValue):
            - Moved from JSArray.cpp, fix NaN comparison.
        (JSC::PropertyDescriptor::equalTo):
            - call sameValue.
        * runtime/PropertyDescriptor.h:
            - Added declaration for sameValue.
2012-01-09  Gavin Barraclough  <barraclough@apple.com>

        Error handling : in ISO8601 timezone
        https://bugs.webkit.org/show_bug.cgi?id=75919

        Reviewed by Sam Weinig.

        * wtf/DateMath.cpp:
        (WTF::parseDateFromNullTerminatedCharacters):
            - need to increment the string position.

2012-01-09  Mark Rowe  <mrowe@apple.com>

        JavaScriptCore executable targets shouldn't explicitly depend on the JavaScriptCore framework target
        <http://webkit.org/b/75907> / <rdar://problem/10659862>

        We'd like for it to be possible to build jsc without building JavaScriptCore.framework and the explicit
        dependencies prevent this.

        Reviewed by Dan Bernstein.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2012-01-09  Adam Treat  <atreat@rim.com>

        Log is a little to verbose for blackberry port
        https://bugs.webkit.org/show_bug.cgi?id=75728

        The BlackBerry::Platform::Log* functions take care of the call to vfprintf
        which is resulting in unintentional noise in our logs.  Add a conditional
        directive to fix.

        Change to using BlackBerry::Platform::logStreamV which does not insert
        threading info and newlines unlike BlackBerry::Platform::log.

        Finally, add log locking and unlocking which the BlackBerry platform
        uses to ensure that N threads do not trample on each other's logs.

        Reviewed by Rob Buis.

        * wtf/Assertions.cpp:
        (WTFLogLocker::WTFReportAssertionFailure):
        (WTFLogLocker::WTFReportAssertionFailureWithMessage):
        (WTFLogLocker::WTFReportArgumentAssertionFailure):
        (WTFLogLocker::WTFReportFatalError):
        (WTFLogLocker::WTFReportError):
        (WTFLogLocker::WTFLog):
        (WTFLogLocker::WTFLogVerbose):

2012-01-09  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=75789
        defineOwnProperty not implemented for Array objects

        Reviewed by Sam Weinig.

        Implements support for getter/setter & non-default attribute properties on arrays,
        by forcing them into a dictionary-like 'SparseMode'. This fixes ~300 test-262
        test failures.

        * JavaScriptCore.exp:
            - Updated exports.
        * dfg/DFGOperations.cpp:
            - JSArray::pop now requires an exec state.
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncPop):
            - JSArray::pop now requires an exec state.
        * runtime/JSArray.cpp:
        (JSC::SparseArrayValueMap::add):
            - Add a potentially empty entry into the map.
        (JSC::SparseArrayValueMap::put):
            - Changed to call setter.
        (JSC::SparseArrayEntry::get):
            - calls getters.
        (JSC::SparseArrayEntry::getNonSparseMode):
            - does not call getters.
        (JSC::JSArray::enterSparseMode):
            - Convert into 'SparseMode' - removes the vectors, don't allow it to be recreated.
        (JSC::JSArray::putDescriptor):
            - Create a numeric property based on a descriptor.
        (JSC::sameValue):
            - See ES5.1 9.12.
        (JSC::reject):
            - Helper for the [[DefineOwnProperty]] algorithm.
        (JSC::JSArray::defineOwnNumericProperty):
            - Define an indexed property on an array object.
        (JSC::JSArray::setLengthWritable):
            - Marks the length read-only, enters SparseMode as necessary.
        (JSC::JSArray::defineOwnProperty):
            - Defines either an indexed property or 'length' on an array object.
        (JSC::JSArray::getOwnPropertySlotByIndex):
            - Updated to correctly handle accessor descriptors & attributes.
        (JSC::JSArray::getOwnPropertyDescriptor):
            - Updated to correctly handle accessor descriptors & attributes.
        (JSC::JSArray::put):
            - Pass strict mode flag to setLength.
        (JSC::JSArray::putByIndex):
            - putByIndexBeyondVectorLength requires an ExecState* rather than a JSGloablData&.
        (JSC::JSArray::putByIndexBeyondVectorLength):
            - Pass exec to SparseArrayValueMap::put.
        (JSC::JSArray::deletePropertyByIndex):
            - Do not allow deletion of non-configurable properties.
        (JSC::compareKeysForQSort):
            - used in implementation of getOwnPropertyNames.
        (JSC::JSArray::getOwnPropertyNames):
            - Properties in the sparse map should be iterated in order.
        (JSC::JSArray::setLength):
            - Updated to take a 'shouldThrow' flag, return a result indicating error.
        (JSC::JSArray::pop):
            - pop should throw an error if length is not writable, even if the array is empty.
        (JSC::JSArray::push):
            - putByIndexBeyondVectorLength requires an ExecState* rather than a JSGloablData&.
        (JSC::JSArray::sort):
            - Changed 'get' to 'getNonSparseMode' (can't be getters to call).
        (JSC::JSArray::compactForSorting):
            - Changed 'get' to 'getNonSparseMode' (can't be getters to call).
        * runtime/JSArray.h:
        (JSC::SparseArrayValueMap::lengthIsReadOnly):
            - Check if the length is read only.
        (JSC::SparseArrayValueMap::setLengthIsReadOnly):
            - Mark the length as read only.
        (JSC::SparseArrayValueMap::find):
            - Moved into header.
        (JSC::JSArray::isLengthWritable):
            - Wraps SparseArrayValueMap::lengthIsReadOnly.
        * runtime/JSObject.cpp:
        (JSC::JSObject::defineOwnProperty):
            - Should be returning the result of putDescriptor.
        * runtime/PropertyDescriptor.cpp:
        (JSC::PropertyDescriptor::attributesOverridingCurrent):
            - Added attributesOverridingCurrent - this should probably be merged with attributesWithOverride.
        * runtime/PropertyDescriptor.h:
            - Added attributesOverridingCurrent.

2012-01-09  Pavel Heimlich  <tropikhajma@gmail.com>

        There is no support for fastcall in Solaris Studio.
        Fixes build on Solaris.
        https://bugs.webkit.org/show_bug.cgi?id=75736

        Reviewed by Gavin Barraclough.

        * jit/JITStubs.h:

2012-01-09  Pavel Heimlich  <tropikhajma@gmail.com>

        Fix build failure on Solaris
        https://bugs.webkit.org/show_bug.cgi?id=75733

        Reviewed by Gavin Barraclough.

        * wtf/ByteArray.h:

2012-01-01  Raphael Kubo da Costa  <kubo@profusion.mobi>

        [CMake] Clean up some cruft from WTF's CMakeLists.txt
        https://bugs.webkit.org/show_bug.cgi?id=75420

        Reviewed by Daniel Bates.

        * wtf/CMakeLists.txt: Remove the unused WTF_PORT_FLAGS variable; add
        all needed paths to WTF_INCLUDE_DIRECTORIES in a single place.

2012-01-08  Xianzhu Wang  <wangxianzhu@chromium.org>

        Fix compilation error about ListHashSetReverseIterator
        https://bugs.webkit.org/show_bug.cgi?id=75372

        Reviewed by Darin Adler.

        There is a typo in class ListHashSetReverseIterator:
        typedef ListHashSetConstIterator<ValueArg, inlineCapacity, HashArg> const_reverse_iterator;
        Should be
        typedef ListHashSetConstReverseIterator<ValueArg, inlineCapacity, HashArg> const_reverse_iterator;

        * wtf/ListHashSet.h:

2012-01-08  Ryosuke Niwa  <rniwa@webkit.org>

        WinCE build fix after r104415.

        * jit/JITExceptions.cpp:
        * jit/JITExceptions.h:

2012-01-08  Filip Pizlo  <fpizlo@apple.com>

        The JIT's protocol for exception handling should be available to other parts of the system
        https://bugs.webkit.org/show_bug.cgi?id=75808
        <rdar://problem/10661025>

        Reviewed by Oliver Hunt.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * jit/JITExceptions.cpp: Added.
        (JSC::genericThrow):
        (JSC::jitThrow):
        * jit/JITExceptions.h: Added.
        * jit/JITStubs.cpp:
        * runtime/JSGlobalData.h:

2012-01-06  Hajime Morrita  <morrita@chromium.org>

        https://bugs.webkit.org/show_bug.cgi?id=75296
        JSString should not have JS_EXPORTCLASS annotation

        Reviewed by Kevin Ollivier.

        * runtime/JSString.h: Removed JS_EXPORTCLASS annotation.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        Added missing symbols which were hidden by JS_EXPORTCLASS.

2012-01-06  Michael Saboff  <msaboff@apple.com>

        JSArray::pop() should compare SparseArrayValueMap::find() to SparseArrayValueMap::notFound()
        https://bugs.webkit.org/show_bug.cgi?id=75757

        Reviewed by Gavin Barraclough.

        * runtime/JSArray.cpp:
        (JSC::JSArray::pop): Changed map->end() to map->notFound().

2012-01-06  Filip Pizlo  <fpizlo@apple.com>

        JIT stub slow paths that would be identical to that of an interpreter should be factored out
        https://bugs.webkit.org/show_bug.cgi?id=75743
        <rdar://problem/10657024>

        Reviewed by Geoff Garen.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/CommonSlowPaths.h: Added.
        (JSC::CommonSlowPaths::opInstanceOfSlow):
        (JSC::CommonSlowPaths::opIn):
        (JSC::CommonSlowPaths::opResolve):
        (JSC::CommonSlowPaths::opResolveSkip):
        (JSC::CommonSlowPaths::opResolveWithBase):
        (JSC::CommonSlowPaths::opResolveWithThis):

2012-01-06  Sam Weinig  <sam@webkit.org>

        Fix windows build.

        * wtf/TypeTraits.cpp:

2012-01-05  Michael Saboff  <msaboff@apple.com>

        Default HashTraits for Opcode don't work for Opcode = 0
        https://bugs.webkit.org/show_bug.cgi?id=75595

        Reviewed by Oliver Hunt.

        Removed the populating of the m_opcodeIDTable table in the
        case where the OpcodeID and Opcode are the same (m_enabled is false).
        Instead we just cast the one type to the other.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::initialize):
        (JSC::Interpreter::isOpcode):
        * interpreter/Interpreter.h:
        (JSC::Interpreter::getOpcodeID):

2012-01-06  Sam Weinig  <sam@webkit.org>

        Add a DecayArray type trait as a first step towards merging OwnPtr and OwnArrayPtr
        https://bugs.webkit.org/show_bug.cgi?id=75737

        Reviewed by Anders Carlsson.

        * wtf/TypeTraits.cpp:
        * wtf/TypeTraits.h:
        Added a DecayArray trait, that can convert T[] and T[3] -> T*. DecayArray
        is composed of some helpers which are also exposed, Conditional<>, which
        can provide one type or another based on a boolean predicate, IsArray<>
        which can deduce array types, and RemoveExtent<>, which removes the extent
        from an array type. 

2012-01-06  Oliver Hunt  <oliver@apple.com>

        GetByteArrayLength is incorrect
        https://bugs.webkit.org/show_bug.cgi?id=75735

        Reviewed by Filip Pizlo.

        Load the byte array length from the correct location.
        This stops an existing test from hanging.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2012-01-06  Filip Pizlo  <fpizlo@apple.com>

        Fix build.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2012-01-06  Oliver Hunt  <oliver@apple.com>

        DFG no longer optimises CanvasPixelArray
        https://bugs.webkit.org/show_bug.cgi?id=75729

        Reviewed by Gavin Barraclough.

        Rename ByteArray (in its ClassInfo) to Uint8ClampedArray to match
        the future name when we switch over to the new typed-array based
        ImageData specification.

        * runtime/JSByteArray.cpp:

2012-01-06  Caio Marcelo de Oliveira Filho  <caio.oliveira@openbossa.org>

        Use HashMap<OwnPtr> for SourceProviderCache items
        https://bugs.webkit.org/show_bug.cgi?id=75346

        Reviewed by Daniel Bates.

        * parser/Parser.cpp:
        * parser/SourceProviderCache.cpp:
        (JSC::SourceProviderCache::clear):
        (JSC::SourceProviderCache::add):
        * parser/SourceProviderCache.h:

2012-01-06  Sam Weinig  <sam@webkit.org>

        Remove unused OwnFastMallocPtr class.
        https://bugs.webkit.org/show_bug.cgi?id=75722

        Reviewed by Geoffrey Garen.

        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * wtf/CMakeLists.txt:
        * wtf/OwnFastMallocPtr.h: Removed.
        * wtf/text/StringImpl.h:
        * wtf/wtf.pro:

2012-01-06  Benjamin Poulain  <bpoulain@webkit.org>

        [Mac] Sort the resources of JavaScriptCore.xcodeproj and remove duplicates
        https://bugs.webkit.org/show_bug.cgi?id=75631

        Reviewed by Andreas Kling.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2012-01-06  Eric Seidel  <eric@webkit.org> and Gustavo Noronha Silva  <gustavo.noronha@collabora.com>

        Make the new WTF module build on Gtk
        https://bugs.webkit.org/show_bug.cgi?id=75669

        * GNUmakefile.am:

2012-01-06  Tor Arne Vestbø  <tor.arne.vestbo@nokia.com>

        [Qt] Remove un-needed VPATHs from project includes

        Reviewed by Simon Hausmann.

        * JavaScriptCore.pri:
        * wtf/wtf.pri:

2012-01-06  Tor Arne Vestbø  <tor.arne.vestbo@nokia.com>

        [Qt] Move listing of include paths and libs to pri files in sources

        Includepaths are sometimes modified by non-Qt contributors so keeping
        them in files inside Sources makes it more likely that they are updated
        along with project files for the other ports.

        Using pri files instead of prf files for this also has the benefit that
        the include() from the main target file can be parsed and followed by
        Qt Creator -- something that does not work with load().

        Dependency from a target to a library through the WEBKIT variable are
        handled through forwarding-files in Tools/qmake/mkspecs/modules, which
        set the source root of the module and include the right pri file.

        Ideally we'd use the variant of include() that takes an optional
        namespace to read the variables into, or the fromfile() function,
        but both of these add an overhead of about 40% on the total qmake
        runtime, due to making a deep copy of all the variables in the
        project or re-reading all the prf files from scratch.

        Reviewed by Simon Hausmann.
        Reviewed by Ossy.

        * JavaScriptCore.pri: Renamed from Tools/qmake/mkspecs/features/javascriptcore.prf.
        * Target.pri:
        * wtf/wtf.pri: Renamed from Tools/qmake/mkspecs/features/wtf.prf.
        * wtf/wtf.pro:

2012-01-06  Hajime Morrita  <morrita@chromium.org>

        WTF::String: Inline method shouldn't have WTF_EXPORT_PRIVATE
        https://bugs.webkit.org/show_bug.cgi?id=75612

        Reviewed by Kevin Ollivier.

        * wtf/text/WTFString.h:
        (WTF::String::findIgnoringCase):
        (WTF::String::append):
        (WTF::String::fromUTF8):
        (WTF::String::fromUTF8WithLatin1Fallback):
        (WTF::String::isHashTableDeletedValue):

2012-01-05  Dan Bernstein  <mitz@apple.com>

        <rdar://problem/10633760> Update copyright strings

        Reviewed by Mark Rowe.

        * Info.plist:

2012-01-05  Gavin Barraclough  <barraclough@apple.com>

        Date constructor handles infinite values incorrectly.
        https://bugs.webkit.org/show_bug.cgi?id=70998

        Reviewed by Filip Pizlo.

        * runtime/DateConstructor.cpp:
        (JSC::constructDate):
            - should be checking !finite rather then isnan.

2012-01-05  Gavin Barraclough  <barraclough@apple.com>

        date.toISOString produces incorrect results for dates with ms prior to 1970
        https://bugs.webkit.org/show_bug.cgi?id=75684

        Reviewed by Sam Weinig.

        * runtime/DatePrototype.cpp:
        (JSC::dateProtoFuncToISOString):

2012-01-05  Gavin Barraclough  <barraclough@apple.com>

        Array.prototype.lastIndexOf ignores undefined fromIndex.
        https://bugs.webkit.org/show_bug.cgi?id=75678

        Reviewed by Sam Weinig.

        array.lastIndexOf(x, undefined) is equivalent to array.lastIndexOf(x, 0), not array.lastIndexOf(x)

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncLastIndexOf):
            - should check argumnet count, rather than checking agument value for undefined.

2012-01-05  Gavin Barraclough  <barraclough@apple.com>

        Date parsing is too restrictive.
        https://bugs.webkit.org/show_bug.cgi?id=75671

        Reviewed by Oliver Hunt.

        ES5 date parsing currently requires all fields to be present, which does not match the spec (ES5.1 15.9.1.15).
        The spec allow a date to be date only, or date + time.

        The date portion on the should match: (pseudocode!:)
            [(+|-)YY]YYYY[-MM[-DD]]
        though we are slightly more liberal (permitted by the spec), allowing:
            [+|-]Y+[-MM[-DD]]
        The time portion should match:
            THH:mm[:ss[.sss]][Z|(+|-)HH:mm]
        again we're slightly more liberal, allowing:
            THH:mm[:ss[.s+]][Z|(+|-)HH:mm]

        * wtf/DateMath.cpp:
        (WTF::parseES5DatePortion):
            - Month/day fields are optional, default to 01.
        (WTF::parseES5TimePortion):
            - Hours/Minutes are requires, seconds/timezone are optional.
        (WTF::parseES5DateFromNullTerminatedCharacters):
            - Dates may be date only, or date + time.

2012-01-05  Bruno Dilly  <bdilly@profusion.mobi>

        [EFL] Undefined references to ICU_I18N symbols on WTF
        https://bugs.webkit.org/show_bug.cgi?id=75642

        Unreviewed build fix.

        Add ${ICU_I18N_LIBRARIES} to WTF_LIBRARIES on wtf efl platform cmake.
        Some undefined references were ucol_setAttribute_44, ucol_close_44,
        ucol_getAttribute_44...

        * wtf/PlatformEfl.cmake:

2012-01-05  Geoffrey Garen  <ggaren@apple.com>

        Refined the fast path for StringImpl::hash()
        https://bugs.webkit.org/show_bug.cgi?id=75178

        Reviewed by Darin Adler.

        Moved the hash calculation code into an out-of-line function to clean up
        the hot path.

        No measurable benchmark change, but this knocks some samples off in
        Instruments, and I think this is a step toward removing -fomit-frame-pointer.
        
        * wtf/text/StringImpl.cpp:
        (WTF::StringImpl::hashSlowCase):
        * wtf/text/StringImpl.h:
        (WTF::StringImpl::hash): The patch.

        * wtf/text/StringStatics.cpp:
        (WTF::StringImpl::hashSlowCase): Abide by the cockamamie Windows build
        scheme, which requires all out-of-line StringImpl functions used by
        WebCore be defined in this file instead of StringImpl.cpp. (See http://trac.webkit.org/changeset/59187.)

2012-01-05  Gavin Barraclough  <barraclough@apple.com>

        Literal tab in JSONString fails
        https://bugs.webkit.org/show_bug.cgi?id=71772

        Reviewed by Oliver Hunt.

        rfc4627 does not allow literal tab characters in JSON source.

        * runtime/LiteralParser.cpp:
        (JSC::isSafeStringCharacter):
            - do not allow literal tab in StrictJSON mode.

2012-01-05  Gavin Barraclough  <barraclough@apple.com>

        push/shift fifo may consume excessive memory
        https://bugs.webkit.org/show_bug.cgi?id=75610

        Reviewed by Sam Weinig.

        Array object commonly store data in a vector, consisting of a portion that is
        in use, a pre-capacity (m_indexBias) and a post-capacity (the delta between
        m_length and m_vectorLength). Calls to shift with grow the pre-capacity, and
        the current algorithm for increaseVectorLength (used by push, or [[Put]]) will
        never shrink the pre-capacity, so a push/shift fifo may consume an inordinate
        amount of memory, whilst having a relatively small active length.

        * runtime/JSArray.cpp:
        (JSC::JSArray::increaseVectorLength):
            - If m_indexBias is non-zero, decay it over time.

2012-01-05  Csaba Osztrogonác  <ossy@webkit.org>

        unshift/pop fifo may consume excessive memory
        https://bugs.webkit.org/show_bug.cgi?id=75588

        Reviewed by Zoltan Herczeg.

        Buildfix after r104120.

        * runtime/JSArray.cpp: Remove useless asserts, baecause unsigned expression >= 0 is always true
        (JSC::JSArray::unshiftCount):

2012-01-05  Zoltan Herczeg  <zherczeg@webkit.org>

        Unreviewed gardening after r104134.

        * wtf/Assertions.cpp:

2012-01-05  Zoltan Herczeg  <zherczeg@webkit.org>

        Unreviewed gardening after r75605.

        Rubber stamped by NOBODY Csaba Osztrogonác.

        * wtf/Assertions.cpp:

2012-01-05  Benjamin Poulain  <benjamin@webkit.org>

        Improve charactersAreAllASCII() to compare multiple characters at a time
        https://bugs.webkit.org/show_bug.cgi?id=74063

        Reviewed by Darin Adler.

        A new header ASCIIFastPath.h contains the functions related to
        the detection of ASCII by using machine words. Part of it comes from
        WebCore's TextCodecASCIIFastPath.h.

        The function charactersAreAllASCII() is moved to TextCodecASCIIFastPath.h
        and is implemented with computer word comparison.
        The gain over the previous implementation of charactersAreAllASCII() is of
        the order of how many comparison are avoided (4x, 8x, 16x depending on the
        format and the CPU type).

        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * wtf/text/ASCIIFastPath.h: Added.
        (WTF::isAlignedToMachineWord):
        (WTF::alignToMachineWord):
        (WTF::isAllASCII):
        (WTF::charactersAreAllASCII):
        * wtf/text/WTFString.h:
        * wtf/wtf.pro:

2012-01-05  Mark Rowe  <mrowe@apple.com>

        <http://webkit.org/b/75606> [Mac] WTF logging functions should output to both stderr and ASL

        We should always log to both ASL and stderr on platforms where this won't result in launchd
        duplicating the messages.

        Reviewed by Dan Bernstein.

        * wtf/Assertions.cpp:
        (vprintf_stderr_common):

2012-01-05  Mark Rowe  <mrowe@apple.com>

        <http://webkit.org/b/75605> WTF logging functions should call vprintf_stderr_common only once per line

        Several of the WTF logging functions make multiple calls to vprintf_stderr_common to output a
        single line of text. This results in strangely formatted output if vprintf_stderr_common is
        retargeted to an output device that is message-oriented (such as ASL) rather than stream-oriented
        like stderr.

        Reviewed by Dan Bernstein.

        * wtf/Assertions.cpp:
        (vprintf_stderr_with_prefix): Helper function to prepend a given prefix on to the given format
        string before handing it off to vprintf_stderr_common. This requires disabling warnings about
        calling a printf-like function with a non-literal format string for this piece of code. It's
        safe in this particular case as vprintf_stderr_with_prefix is only ever given a literal prefix.
        (vprintf_stderr_with_trailing_newline): Helper function to append a trailling newline on to the
        given format string if one does not already exist. It requires the same treatment with regards
        to the non-literal format string warning.
        (WTFReportAssertionFailureWithMessage): Switch to using vprintf_stderr_with_prefix.
        (WTFReportBacktrace): Switch from calling fprintf directly to using fprintf_stderr_common.
        (WTFReportFatalError): Switch to using vprintf_stderr_with_prefix.
        (WTFReportError): Ditto.
        (WTFLog): Switch to using vprintf_stderr_with_trailing_newline.
        (WTFLogVerbose): Ditto.

2012-01-04  Gavin Barraclough  <barraclough@apple.com>

        unshift/pop fifo may consume excessive memory
        https://bugs.webkit.org/show_bug.cgi?id=75588

        Reviewed by Sam Weinig.

        The Array object commonly store data in a vector, consisting of a portion that
        is in use, a pre-capacity (m_indexBias) and a post-capacity (the delta between
        m_length and m_vectorLength). Calls to pop with grow the post-capacity, and the
        current algorithm for increasePrefixVectorLength (used by unshift) will never
        stink the post-capacity, so a unshift/pop fifo may consume an inordinate amount
        of memory, whilst having a relatively small active length.

        * runtime/JSArray.cpp:
        (JSC::storageSize):
            - sizeof(JSValue) should be sizeof(WriteBarrier<Unknown>)
        (JSC::SparseArrayValueMap::put):
            - sizeof(JSValue) should be sizeof(WriteBarrier<Unknown>)
        (JSC::JSArray::increaseVectorLength):
            - sizeof(JSValue) should be sizeof(WriteBarrier<Unknown>)
        (JSC::JSArray::unshiftCountSlowCase):
            - renamed from increaseVectorPrefixLength (this was a bad name, since it
              also moved the ArrayStorage header), rewritten.
        (JSC::JSArray::shiftCount):
            - sizeof(JSValue) should be sizeof(WriteBarrier<Unknown>), count should be unsigned
        (JSC::JSArray::unshiftCount):
            - sizeof(JSValue) should be sizeof(WriteBarrier<Unknown>), count should be unsigned,
              increaseVectorPrefixLength renamed to unshiftCountSlowCase
        (JSC::JSArray::sortNumeric):
        * runtime/JSArray.h:
            - Updated function declarations, m_indexBias should be unsigned.

2012-01-04  Mark Rowe  <mrowe@apple.com>

        <http://webkit.org/b/75604> All instances of JSC::ArgumentsData appear to be leaked by JSC::Arguments

        Since JSC::Arguments has an OwnPtr for a member it needs to override destroy
        to ensure that the correct destructor is invoked. This is necessary because
        JSCell subclasses all intentionally have non-virtual destructors.

        Reviewed by Filip Pizlo.

        * runtime/Arguments.cpp:
        (JSC::Arguments::destroy):
        * runtime/Arguments.h:

2012-01-04  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, accidentally turned off the JIT in previous commit. Turning
        it back on.

        * wtf/Platform.h:

2012-01-04  Filip Pizlo  <fpizlo@apple.com>

        Changed "return" to "break" in some macrology I introduced in
        http://trac.webkit.org/changeset/104086. This is a benign change, as
        "return" was technically correct for all uses of the macro.

        Reviewed by Oliver Hunt.

        * dfg/DFGGraph.cpp:
        * wtf/Platform.h:

2012-01-04  Michael Saboff  <msaboff@apple.com>

        StructureStubInfo not reset when corresponding MethodCallLinkInfo is reset
        https://bugs.webkit.org/show_bug.cgi?id=75583

        Reviewed by Filip Pizlo.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finalizeUnconditionally): Find the corresponding
        StructureStubInfo and reset the appropriate JIT and
        the StructureStubInfo itself when reseting a MethodCallLinkInfo.

2012-01-04  Michael Saboff  <msaboff@apple.com>

        Invalid ASSERT() in DFGRepatch.cpp near line 385
        https://bugs.webkit.org/show_bug.cgi?id=75584

        Reviewed by Filip Pizlo.

        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryBuildGetByIDProtoList): Fixed ASSERT to use ==.

2012-01-04  Filip Pizlo  <fpizlo@apple.com>

        Incorrect use of DFG node reference counts when mutating the graph
        https://bugs.webkit.org/show_bug.cgi?id=75580
        <rdar://problem/10644607>

        Reviewed by Oliver Hunt.
        
        Made deref(node) follow the pattern of ref(node), which it should have
        to begin with.

        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::refChildren):
        (JSC::DFG::Graph::derefChildren):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::deref):
        (JSC::DFG::Graph::clearAndDerefChild1):
        (JSC::DFG::Graph::clearAndDerefChild2):
        (JSC::DFG::Graph::clearAndDerefChild3):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::deref):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::fixupNode):

2012-01-04  Tor Arne Vestbø  <tor.arne.vestbo@nokia.com>

        [Qt] Introduce new qmake variable 'WEBKIT' for signaling dependencies

        The custom qmake variable 'WEBKIT' is used for signaling that a
        target depends in some way on other subproject of the WebKit
        project. For now this is limited to the set of intermediate
        libraries: wtf, javascriptcore, webcore, and webkit2.

        This replaces the previous convension of using load(foo) for
        just include paths, and CONFIG += foo to also link against foo.

        Adding a dependency results in additional include paths being
        available, and potentially linking to the library. This is
        decided by the build system based on conditions such as what
        kind of target is being built and the general build config.

        An advantage to his approach is that it simplifies the individual
        foo.prf files, for example by allowing us to use INCLUDEPATH +=
        and LIBS += as normal instead of prepending.

        Reviewed by Simon Hausmann.

        * Target.pri:
        * jsc.pro:
        * wtf/wtf.pro:

2012-01-03  Filip Pizlo  <fpizlo@apple.com>

        DFG: The assertion that a double-voted variable cannot become double-unvoted is wrong
        https://bugs.webkit.org/show_bug.cgi?id=75516
        <rdar://problem/10640266>

        Reviewed by Gavin Barraclough.
        
        Removed the offending assertion, since it was wrong.  Also hardened the code to make
        this case less likely by first having the propagator fixpoint converge, and then doing
        double voting combined with a second fixpoint.  This is neutral on benchmarks and
        fixes the assertion in a fairly low-risk way (i.e. we won't vote a variable double
        until we've converged to the conclusion that it really is double).

        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagatePredictions):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat):

2012-01-03  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION (r98196-98236): Incorrect layout of iGoogle with RSS feeds
        https://bugs.webkit.org/show_bug.cgi?id=75303
        <rdar://problem/10633533>

        Reviewed by Gavin Barraclough.
        
        The this argument was not being kept alive in some cases during inlining and intrinsic
        optimizations.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::emitFunctionCheck):
        (JSC::DFG::ByteCodeParser::handleInlining):

2012-01-03  Gavin Barraclough  <barraclough@apple.com>

        Windows build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-01-03  Gavin Barraclough  <barraclough@apple.com>

        Windows build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-01-03  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=75140

        Reviewed by Sam Weinig.

        Rewrite JSArray::putSlowCase to be much cleaner & simpler.

        This rewrite only significantly changes behaviour for sparse array, specifically
        in how sparse arrays are reified back to vector form. This does not affect arrays
        with less than 10000 entries (since these always use a vector). The more common
        cases of sparse array behavior (though large sparse arrays are rare) - arrays that
        always remain sparse, and arrays that are filled in reverse sequential order -
        should be just as fast or faster (since reification is simpler & no longer
        requires map lookups) after these changes.

        Simplifying this code allows all cases of putByIndex that need to grow the vector
        to do so via increaseVectorLength, which means that this method can encapsulate
        the policy of determining how the vector should be grown.

        No performance impact.

        * runtime/JSArray.cpp:
        (JSC::isDenseEnoughForVector):
            - any array of length <= MIN_SPARSE_ARRAY_INDEX is dense enough for a vector.
        (JSC::JSArray::putByIndex):
            - simplify & comment.
        (JSC::JSArray::putByIndexBeyondVectorLength):
            - Re-written to be much clearer & simpler.
        (JSC::JSArray::increaseVectorLength):
        (JSC::JSArray::increaseVectorPrefixLength):
            - add explicit checks against MAX_STORAGE_VECTOR_LENGTH, so clients do not need do so.
        (JSC::JSArray::push):
            - simplify & comment.
        * runtime/JSArray.h:
            - removed SparseArrayValueMap::take.

2012-01-03  Gavin Barraclough  <barraclough@apple.com>

        Windows build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-01-03  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=75140

        Reviewed by Sam Weinig.

        Simplify JSArray creation - remove ArgsList/JSValue* create methods
        (this functionality can be implemented in terms of tryCreateUninitialized).

        * JavaScriptCore.exp:
        * runtime/ArrayConstructor.cpp:
            - use constructArray/constructEmptyArray instead of calling JSArray::create directly
        (JSC::constructArrayWithSizeQuirk):
        * runtime/JSArray.cpp:
        * runtime/JSArray.h:
            - removed ArgsList/JSValue* create methods
        * runtime/JSGlobalObject.h:
        (JSC::constructEmptyArray):
        (JSC::constructArray):
            - changed to be implemented in terms of JSArray::tryCreateUninitialized

2012-01-03  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=75429
        ThrowTypeError should be a singleton object

        Reviewed by Sam Weinig.

        Per section 13.2.3 of the spec.
        We could change setAccessorDescriptor to be able to share the global
        GetterSetter object, rather than storing the accessor functions and
        creating a new GetterSetter in defineProperty - but this won't be a
        small change to PropertyDescriptors (and would probably mean making
        GetterSetter objects immutable?) - so I'll leave that for another
        patch.

        * JavaScriptCore.exp:
            - don't export setAccessorDescriptor
        * runtime/Arguments.cpp:
        (JSC::Arguments::createStrictModeCallerIfNecessary):
        (JSC::Arguments::createStrictModeCalleeIfNecessary):
            - call throwTypeErrorGetterSetter instead of createTypeErrorFunction
        * runtime/Error.cpp:
        * runtime/Error.h:
            - remove createTypeErrorFunction
        * runtime/JSFunction.cpp:
        * runtime/JSFunction.h:
            - remove unused createDescriptorForThrowingProperty
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
            - removed m_strictModeTypeErrorFunctionStructure.
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::internalFunctionStructure):
            - removed m_strictModeTypeErrorFunctionStructure.
        * runtime/PropertyDescriptor.cpp:
        (JSC::PropertyDescriptor::setAccessorDescriptor):
            - changed to take a GetterSetter
        * runtime/PropertyDescriptor.h:
            - changed to take a GetterSetter

2012-01-02  Gavin Barraclough  <barraclough@apple.com>

        Check in fixes for jsc tests following bug #75455.

        * tests/mozilla/ecma/GlobalObject/15.1.2.2-1.js:
        * tests/mozilla/ecma/GlobalObject/15.1.2.2-2.js:

2012-01-02  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=75452
        If argument to Error is undefined, message is not set

        Reviewed by Sam Weinig.

        Per section 15.11.1.1 of the spec.

        * runtime/ErrorInstance.h:
        (JSC::ErrorInstance::create):
        (JSC::ErrorInstance::finishCreation):

2012-01-02  Gavin Barraclough  <barraclough@apple.com>

        ES5 prohibits parseInt from supporting octal
        https://bugs.webkit.org/show_bug.cgi?id=75455

        Reviewed by Sam Weinig.

        See sections 15.1.2.2 and annex E.

        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::parseInt):

2012-01-02  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=55343
        Global JSON should be configurable but isn't

        Reviewed by Sam Weinig.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
            - make JSON configurable

2012-01-01  Filip Pizlo  <fpizlo@apple.com>

        Call instructions should leave room for linking information
        https://bugs.webkit.org/show_bug.cgi?id=75422
        <rdar://problem/10633985>

        Reviewed by Oliver Hunt.

        * bytecode/Opcode.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitConstruct):

2011-12-31  Dan Bernstein  <mitz@apple.com>

        Continue trying to fix the Windows build after r103823.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-12-31  Dan Bernstein  <mitz@apple.com>

        Start trying to fix the Windows build after r103823.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-12-30  Anders Carlsson  <andersca@apple.com>

        Add a ParamStorageTraits specialization for RetainPtr
        https://bugs.webkit.org/show_bug.cgi?id=75392

        Reviewed by Daniel Bates.

        * wtf/Functional.h:
        Add a partial specialization of ParamStorageTraits for RetainPtr<T>.

        * wtf/RetainPtr.h:
        Bring in the retainPtr function template from WTF.

2011-12-29  Sam Weinig  <sam@webkit.org>

        It should be easier to iterate a Vector backwards
        https://bugs.webkit.org/show_bug.cgi?id=75359

        Reviewed by Anders Carlsson.

        Adds Vector::rbegin(), Vector::rend(), and Vector::reversed(),
        a new proxy driven way to access a vector backwards. One can use
        reversed() in a range-based for loop like so:

            for (auto val: myVector.reversed())
                doSomething(val)

        * wtf/Vector.h:
        (WTF::Vector::~Vector):
        Fix style.

        (WTF::Vector::rbegin):
        (WTF::Vector::rend):
        Added using standard adaptor std::reverse_iterator.

        (WTF::Vector::reversed):
        (WTF::Vector::VectorReverseProxy::begin):
        (WTF::Vector::VectorReverseProxy::end):
        Add proxy similar to one used in HashMap for keys() and values()
        which allows access to a Vector backwards for use in range-based
        for loops.

2011-12-29  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=75140

        Reviewed by Oliver Hunt.

        Start cleaning up JSArray construction. JSArray has a set of create methods,
        one of which (currently) takes a 'creation mode' enum parameter. Based on that
        parameter, the constructor does one of two completely different things. If the
        parameter is 'CreateInitialized' it creates an array, setting the length, but
        does not eagerly allocate a storage vector of the specified length. A small
        (BASE_VECTOR_LEN sized) initial vector will be allocated, and cleared, property
        access to the vector will read the hole value (return undefined). The alternate
        usage of this method ('CreateCompact') does something very different. It tries
        to create an array of the requested length, and also allocates a storage vector
        large enough to hold all properties. It does not clear the storage vector,
        leaving the memory uninitialized and requiring the user to call a method
        'uncheckedSetIndex' to initialize values in the vector.

        This patch factors out these two behaviours, moving the 'CreateCompact' mode
        into its own method, 'tryCreateUninitialized' (matching the naming for this
        functionality in the string classes). 'tryCreateUninitialized' may return 0 if
        memory allocation fails during construction of the object. The construction
        pattern changes such that values added during initialization will be marked if
        a GC is triggered during array allocation. 'CreateInitialized' no longer need
        be passed to create a normal, fully constructed array with a length, and this
        method is merged with the version of 'create' that does not take an initial
        length (length parameter defaults to 0).

        * JavaScriptCore.exp:
        * runtime/ArrayConstructor.cpp:
        (JSC::constructArrayWithSizeQuirk):
            - removed 'CreateInitialized' argument
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncSplice):
            - changed to call 'tryCreateUninitialized'
        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncBind):
            - changed to call 'tryCreateUninitialized'
        * runtime/JSArray.cpp:
        (JSC::JSArray::JSArray):
            - initialize m_storage to null; if construction fails, make destruction safe
        (JSC::JSArray::finishCreation):
            - merge versions of this method, takes an initialLength parameter defaulting to zero
        (JSC::JSArray::tryFinishCreationUninitialized):
            - version of 'finishCreation' that tries to eagerly allocate storage; may fail & return 0
        (JSC::JSArray::~JSArray):
            - check for null m_storage, in case array construction failed.
        (JSC::JSArray::increaseVectorPrefixLength):
        * runtime/JSArray.h:
        (JSC::JSArray::create):
            - merge versions of this method, takes an initialLength parameter defaulting to zero
        (JSC::JSArray::tryCreateUninitialized):
            - version of 'create' that tries to eagerly allocate storage; may fail & return 0
        (JSC::JSArray::initializeIndex):
        (JSC::JSArray::completeInitialization):
            - used in conjunction with 'tryCreateUninitialized' to initialize the array
        * runtime/JSGlobalObject.h:
        (JSC::constructEmptyArray):
            - removed 'CreateInitialized' argument
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpMatchesArray::finishCreation):
            - removed 'CreateInitialized' argument

2011-12-29  Anders Carlsson  <andersca@apple.com>

        Add a retainPtr function template
        https://bugs.webkit.org/show_bug.cgi?id=75365

        Reviewed by Dan Bernstein.

        This makes it easier to make a RetainPtr using template argument deduction, which
        is useful when passing RetainPtr objects as function arguments.

        * wtf/RetainPtr.h:
        (WTF::retainPtr):

2011-12-28  Yuqiang Xian  <yuqiang.xian@intel.com>

        spill unboxed values in DFG 32_64
        https://bugs.webkit.org/show_bug.cgi?id=75291

        Reviewed by Filip Pizlo.

        Currently all the values are spilled as boxed in DFG 32_64, which is
        not necessary and introduces additional stores/loads. Instead we
        can spill them as unboxed if feasible. It can be applied to the
        Integers, Cells and Booleans in DFG 32_64. Doubles are left as is
        because they don't need to be boxed at all. The modifications to the
        spill/fill and the OSR exit are required, as well as a bug fix to the
        "isUnknownJS" logic.

        * bytecode/ValueRecovery.h:
        (JSC::ValueRecovery::displacedInRegisterFile):
        (JSC::ValueRecovery::virtualRegister):
        (JSC::ValueRecovery::dump):
        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::GenerationInfo::isUnknownJS):
        (JSC::DFG::GenerationInfo::spill):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::isKnownNotBoolean):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::silentFillGPR):
        (JSC::DFG::SpeculativeJIT::spill):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillInteger):
        (JSC::DFG::SpeculativeJIT::fillDouble):
        (JSC::DFG::SpeculativeJIT::fillJSValue):
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compile):

2011-12-28  Anders Carlsson  <andersca@apple.com>

        Add an implicit block conversion operator to WTF::Function
        https://bugs.webkit.org/show_bug.cgi?id=75325

        Reviewed by Dan Bernstein.

        * wtf/Compiler.h:
        Add a define for COMPILER_SUPPORTS(BLOCKS). It's only defined for clang, since the gcc blocks implementation
        is buggy, especially when it comes to C++.

        * wtf/Functional.h:
        Add a block conversion operator that creates and returns an autoreleased block that will call the function when executed.

2011-12-27  Anders Carlsson  <andersca@apple.com>

        Add a new WTF::bind overload that takes 6 parameters
        https://bugs.webkit.org/show_bug.cgi?id=75287

        Reviewed by Sam Weinig.

        * wtf/Functional.h:

2011-12-27  Sam Weinig  <sam@webkit.org>

        Continue moving compiler feature checks to use the COMPILER_SUPPORTS() macro
        https://bugs.webkit.org/show_bug.cgi?id=75268

        Reviewed by Anders Carlsson.

        * wtf/Compiler.h:
        Add support for COMPILER_SUPPORTS(CXX_NULLPTR) and COMPILER_SUPPORTS(CXX_DELETED_FUNCTIONS).

        * wtf/Noncopyable.h:
        Use COMPILER_SUPPORTS(CXX_DELETED_FUNCTIONS).

        * wtf/NullPtr.cpp:
        * wtf/NullPtr.h:
        Use COMPILER_SUPPORTS(CXX_NULLPTR). Remove support for HAVE(NULLPTR).

        * wtf/RefPtr.h:
        * wtf/RetainPtr.h:
        Switch from HAVE(NULLPTR) to COMPILER_SUPPORTS(CXX_NULLPTR).

2011-12-27  Anders Carlsson  <andersca@apple.com>

        Misc fixes and cleanups in Functional.h
        https://bugs.webkit.org/show_bug.cgi?id=75281

        Reviewed by Andreas Kling.

        - Reformat template declarations so that the class begins on a new line.
        - Change the parameter template parameters to start at P1 instead of P0.
        - Add function wrappers and bind overloads for 4 and 5 parameter functions.
        - Change the Function call operator to be const so const functions can be called.

        * wtf/Functional.h:

2011-12-27  Tony Chang  <tony@chromium.org>

        [chromium] Minor cleanup of gyp files.
        https://bugs.webkit.org/show_bug.cgi?id=75269

        Reviewed by Adam Barth.

        * JavaScriptCore.gyp/JavaScriptCore.gyp: msvs_guid is no longer needed
        and vim/emacs specific hooks should be added by the user.

2011-12-27  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=75260
        Null name for host function can result in dereference of uninitialize memory

        Reviewed by Filip Pizlo.

        This is a recent regression in ToT, if the name passed to finishCreation of a host function is null,
        we are currently skipping the putDirect, which leaves memory uninitialized. This patch reverts the
        aspect of the change that introduced the issue.  It might be better if functions that don't have a
        name don't have this property at all, but that's change should be separate from fixing the bug.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::finishCreation):
            - Always initialize the name property.

2011-12-27  Anders Carlsson  <andersca@apple.com>

        Function should handle wrapping/unwrapping RefPtr and PassRefPtr
        https://bugs.webkit.org/show_bug.cgi?id=75266

        Reviewed by Sam Weinig.

        Add ParamStorageTraits that can be used for deciding how bound parameters should be stored
        and peeked at. For RefPtr we want to use the raw pointer when "peeking" to avoid ref-churn.
        For PassRefPtr, we want to use RefPtr for storage but still use the raw pointer when peeking.

        * wtf/Functional.h:
        (WTF::ParamStorageTraits::wrap):
        (WTF::ParamStorageTraits::unwrap):

2011-12-27  Tony Chang  <tony@chromium.org>

        [chromium] really enable wpo for WebCore libs and for WTF
        https://bugs.webkit.org/show_bug.cgi?id=75264

        Reviewed by Adam Barth.

        * JavaScriptCore.gyp/JavaScriptCore.gyp: Enable WPO for wtf and yarr.

2011-12-26  Gavin Barraclough  <barraclough@apple.com>

        Errk! OS X build fix.

        * JavaScriptCore.exp:

2011-12-26  Gavin Barraclough  <barraclough@apple.com>

        Windows build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * runtime/JSObject.h:

2011-12-26  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=75231
        Fail to throw in strict mode on assign to read only static properties

        Reviewed by Filip Pizlo.

        There are three bugs here:
        * symbolTablePut should throw for strict mode accesses.
        * lookupPut should throw for strict mode accesses.
        * NumberConstructor should override put to call lookupPut, to trap assignment to readonly properties.

        * runtime/JSActivation.cpp:
        (JSC::JSActivation::symbolTablePut):
        (JSC::JSActivation::put):
        * runtime/JSActivation.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::put):
        * runtime/JSStaticScopeObject.cpp:
        (JSC::JSStaticScopeObject::put):
        * runtime/JSVariableObject.h:
        (JSC::JSVariableObject::symbolTablePut):
        * runtime/Lookup.h:
        (JSC::lookupPut):
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::put):
        * runtime/NumberConstructor.h:

2011-12-26  Gavin Barraclough  <barraclough@apple.com>

        Fix miss-commit of utf8 change.

        Reviewed by Filip Pizlo

        Eeep, patch as landed a while ago had no effect! - acidentally landed
        modified version of patch used for performance testing.

        (This isn't covered by layout tests because layour tests don't use jsc,
        and the tests/mozilla tests use latin1, which was already supported!)

        Landing changes as intended (and as originally reviewed).

        * jsc.cpp:
        (jscSource):

2011-12-26  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed build fix for ARMv7.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::load16Signed):
        (JSC::MacroAssemblerARMv7::load8Signed):

2011-12-26  Hajime Morrita  <morrita@google.com>

        Rename WTF_INLINE, JS_INLINE to HIDDEN_INLINE
        https://bugs.webkit.org/show_bug.cgi?id=74990

        Reviewed by Kevin Ollivier.

        * runtime/JSExportMacros.h: Removed JS_INLINE
        * wtf/ExportMacros.h: Renamed WTF_INLINE to HIDDEN_INLINE

2011-12-24  Filip Pizlo  <fpizlo@apple.com>

        The ArgumentCount field in the CallFrame should have its tag left blank for other uses
        https://bugs.webkit.org/show_bug.cgi?id=75199
        <rdar://problem/10625105>
        <rdar://problem/10625106>

        Reviewed by Oliver Hunt.

        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::argumentPayloadSlot):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * interpreter/CallFrame.h:
        (JSC::ExecState::argumentCountIncludingThis):
        (JSC::ExecState::setArgumentCountIncludingThis):
        * interpreter/Register.h:
        (JSC::Register::unboxedInt32):
        (JSC::Register::unboxedBoolean):
        (JSC::Register::unboxedCell):
        (JSC::Register::payload):
        (JSC::Register::tag):
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileLoadVarargs):
        (JSC::JIT::compileOpCall):

2011-12-25  Andreas Kling  <awesomekling@apple.com>

        Yarr: Avoid copying vectors in CharacterClassConstructor.
        <http://webkit.org/b/75206>

        Reviewed by Darin Adler.

        Yarr::CharacterClassConstructor::charClass() was hot when loading twitter
        feeds (1.2%), replace the usage of Vector::append() by swap() since we're
        always clearing the source vector afterwards anyway.

        * yarr/YarrPattern.cpp:
        (JSC::Yarr::CharacterClassConstructor::charClass):

2011-12-24  Darin Adler  <darin@apple.com>

        Specialize HashTraits for RefPtr to use PassRefPtr as "pass type" to reduce reference count churn
        https://bugs.webkit.org/show_bug.cgi?id=72476

        Reviewed by Sam Weinig.

        * wtf/HashTraits.h: Defined PassInType and store function in HashTraits<RefPtr>.

2011-12-23  Geoffrey Garen  <ggaren@apple.com>

        Inlined Yarr::execute
        https://bugs.webkit.org/show_bug.cgi?id=75180

        Reviewed reluctantly by Beth Dakin.
        
        Tiny speedup on SunSpider string tests. Removes some samples from
        Instruments. A step toward removing -fomit-frame-pointer.

        * yarr/YarrJIT.cpp:
        * yarr/YarrJIT.h:
        (JSC::Yarr::execute): ONE LINE FUNCTION, Y U NOT INLINED?!

2011-12-23  Filip Pizlo  <fpizlo@apple.com>

        DFG loads from signed 8-bit and 16-bit typed arrays are broken
        https://bugs.webkit.org/show_bug.cgi?id=75163

        Reviewed by Geoffrey Garen.
        
        Added 8-bit and 16-bit signed loads. Because doing so on ARM is less trivial, I'm
        currently disabling Int8Array and Int16Array optimizations on ARM.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::load8Signed):
        (JSC::MacroAssemblerX86Common::load16Signed):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::movswl_mr):
        (JSC::X86Assembler::movsbl_mr):
        * bytecode/PredictedType.h:
        (JSC::isActionableMutableArrayPrediction):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateInt8Array):
        (JSC::DFG::Node::shouldSpeculateInt16Array):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):

2011-12-23  Filip Pizlo  <fpizlo@apple.com>

        DFG does double-to-int conversion incorrectly when storing into int typed arrays
        https://bugs.webkit.org/show_bug.cgi?id=75164
        <rdar://problem/10557547>

        Reviewed by Geoffrey Garen.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::branchTruncateDoubleToUint32):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::branchTruncateDoubleToUint32):
        (JSC::MacroAssemblerX86Common::truncateDoubleToUint32):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):

2011-12-23  Geoffrey Garen  <ggaren@apple.com>

        Refactored String.prototype.replace
        https://bugs.webkit.org/show_bug.cgi?id=75114
        
        Reviewed by Darin Adler.

        No performance difference.
        
        I think this is a step toward removing -fomit-frame-pointer.

        * runtime/JSString.cpp:
        * runtime/JSString.h: Removed the test and special case for a single-character
        search string because the standard path does this test and special case
        for us. (As an aside, if we do come up with a unique single-character
        replace optimization in future, it probably belongs in the replace function,
        and not in JSString.)

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncReplace): Split this mega-sized function into:
        (JSC::replaceUsingStringSearch): - This reasonably sized function, and
        (JSC::replaceUsingRegExpSearch): - This still mega-sized function.

2011-12-23  Pierre Rossi  <pierre.rossi@gmail.com>

        [Qt] REGRESSION(r103467): It broke fast/images/animated-gif-restored-from-bfcache.html
        https://bugs.webkit.org/show_bug.cgi?id=75087

        monotonicallyIncreasingTime needs to hava a higher resolution than milliseconds.

        Reviewed by Darin Adler.

        * wtf/CurrentTime.cpp:
        (WTF::monotonicallyIncreasingTime):

2011-12-22  Filip Pizlo  <fpizlo@apple.com>

        DFG should not speculate array even when predictions say that the base is not an array
        https://bugs.webkit.org/show_bug.cgi?id=75160
        <rdar://problem/10622646>
        <rdar://problem/10622649>

        Reviewed by Oliver Hunt.
        
        Added the ability to call slow path when the base is known to not be an array.
        Also rationalized the logic for deciding when the index is not an int, and
        cleaned up the logic for deciding when to speculate typed array.
        
        Neutral for the most part, with odd speed-ups and slow-downs. The slow-downs can
        likely be mitigated by having the notion of a polymorphic array access, where we
        try, but don't speculate, to access the array one way before either trying some
        other ways or calling slow path.

        * bytecode/PredictedType.h:
        (JSC::isActionableMutableArrayPrediction):
        (JSC::isActionableArrayPrediction):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateInt8Array):
        (JSC::DFG::Node::shouldSpeculateInt16Array):
        (JSC::DFG::Node::shouldSpeculateInt32Array):
        (JSC::DFG::Node::shouldSpeculateUint8Array):
        (JSC::DFG::Node::shouldSpeculateUint16Array):
        (JSC::DFG::Node::shouldSpeculateUint32Array):
        (JSC::DFG::Node::shouldSpeculateFloat32Array):
        (JSC::DFG::Node::shouldSpeculateFloat64Array):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::byValIsPure):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-12-22  Gavin Barraclough  <barraclough@apple.com>

        Unreviewed - fix stylebot issues from last patch.

        * runtime/JSArray.cpp:
        (JSC::JSArray::putSlowCase):

2011-12-22  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=75151
        Add attributes field to JSArray's SparseMap

        Reviewed by Sam Weinig.

        This will be necessary to be able to support non- writable/configurable/enumerable
        properties, and helpful for getters/setters.

        Added a concept of being 'inSparseMode' - this indicates the array has a non-standard

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncSort):
            - JSArray::sort methods not allowed on arrays that are 'inSparseMode'.
              (must fall back to generic sort alogrithm).
        * runtime/JSArray.cpp:
        (JSC::JSArray::finishCreation):
            - moved reportedMapCapacity into the SparseArrayValueMap object.
        (JSC::SparseArrayValueMap::find):
        (JSC::SparseArrayValueMap::put):
        (JSC::SparseArrayValueMap::visitChildren):
            - Added.
        (JSC::JSArray::getOwnPropertySlotByIndex):
        (JSC::JSArray::getOwnPropertyDescriptor):
        (JSC::JSArray::putSlowCase):
        (JSC::JSArray::deletePropertyByIndex):
        (JSC::JSArray::getOwnPropertyNames):
        (JSC::JSArray::setLength):
        (JSC::JSArray::pop):
        (JSC::JSArray::visitChildren):
            - Updated for changes in SparseArrayValueMap.
        (JSC::JSArray::sortNumeric):
        (JSC::JSArray::sort):
        (JSC::JSArray::compactForSorting):
            - Disallow on 'SparseMode' arrays.
        * runtime/JSArray.h:
        (JSC::SparseArrayEntry::SparseArrayEntry):
            - An entry in the sparse array - value (WriteBarrier) + attributes.
        (JSC::SparseArrayValueMap::SparseArrayValueMap):
        (JSC::SparseArrayValueMap::sparseMode):
        (JSC::SparseArrayValueMap::setSparseMode):
            - Flags to track whether an Array is forced into SparseMode.
        (JSC::SparseArrayValueMap::remove):
        (JSC::SparseArrayValueMap::notFound):
        (JSC::SparseArrayValueMap::isEmpty):
        (JSC::SparseArrayValueMap::contains):
        (JSC::SparseArrayValueMap::size):
        (JSC::SparseArrayValueMap::begin):
        (JSC::SparseArrayValueMap::end):
            - accessors to the map
        (JSC::SparseArrayValueMap::take):
            - only for use on non-SpareMode arrays.
        (JSC::JSArray::inSparseMode):
            - Added.

2011-12-22  Filip Pizlo  <fpizlo@apple.com>

        DFG CFA sometimes generates an incorrect proof that a node is known to be a typed array
        https://bugs.webkit.org/show_bug.cgi?id=75150
        <rdar://problem/10621900>

        Reviewed by Gavin Barraclough.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):

2011-12-22  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT does exactly the wrong thing when doing strict equality on two known cells
        https://bugs.webkit.org/show_bug.cgi?id=75138
        <rdar://problem/10621526>

        Reviewed by Oliver Hunt.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):

2011-12-22  Balazs Kelemen  <kbalazs@webkit.org>

        Fix debug build with assertions disabled
        https://bugs.webkit.org/show_bug.cgi?id=75075

        Reviewed by Darin Adler.

        Check whether assertions are disabled instead of NDEBUG
        where appropriate to avoid "defined but not used" warnings.

        * wtf/DateMath.cpp:
        (WTF::initializeDates):

2011-12-22  Mariusz Grzegorczyk  <mariusz.g@samsung.com>

        [EFL] Missing plugins support for efl port
        https://bugs.webkit.org/show_bug.cgi?id=44505

        Reviewed by Anders Carlsson.

        Add define of ENABLE_PLUGIN_PACKAGE_SIMPLE_HASH for efl port.

        * wtf/Platform.h:

2011-12-22  Wei Charles  <charles.wei@torchmobile.com.cn>

        Remove un-used data member of LiteralParser::Lex::m_string
        https://bugs.webkit.org/show_bug.cgi?id=68216

        Reviewed by George Staikos.

        * runtime/LiteralParser.h:

2011-12-21  Dan Bernstein  <mitz@apple.com>

        OS X build fix after r103488.

        * JavaScriptCore.exp:

2011-12-21  Konrad Piascik  <kpiascik@rim.com>

        Implement the JavaScriptCore bindings for eventListenerHandlerLocation
        https://bugs.webkit.org/show_bug.cgi?id=74313

        Reviewed by Eric Seidel.

        Updated project files to get Windows and Mac builds working.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * JavaScriptCore.xcodeproj/project.pbxproj:

2011-12-21  Filip Pizlo  <fpizlo@apple.com>

        DFG ConvertThis optimizations do not honor the distinction between the global object and the global this object
        https://bugs.webkit.org/show_bug.cgi?id=75058
        <rdar://problem/10616612>
        <rdar://problem/10617500>

        Reviewed by Oliver Hunt.
        
        Added a call to toThisObject() in the DFG when planting a direct reference to the global this object.
        Instead of adding a separate toThisObject() method on JSCell which does not take ExecState*, I reascribed
        a new contract: if you're calling toThisObject() on JSObject or one of its subtypes, then the ExecState*
        is optional.

        * dfg/DFGAssemblyHelpers.h:
        (JSC::DFG::AssemblyHelpers::globalThisObjectFor):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/JSObject.h:

2011-12-21  Pierre Rossi  <pierre.rossi@gmail.com>

        Implement montonicallyIncreasingClock() on Qt
        https://bugs.webkit.org/show_bug.cgi?id=62159

        Reviewed by Darin Adler.

        * wtf/CurrentTime.cpp:
        (WTF::monotonicallyIncreasingTime):

2011-12-20  Filip Pizlo  <fpizlo@apple.com>

        32_64 baseline JIT should attempt to convert division results to integers, and record when that fails
        https://bugs.webkit.org/show_bug.cgi?id=74997
        <rdar://problem/10612389>

        Reviewed by Gavin Barraclough.

        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_op_div):

2011-12-20  Filip Pizlo  <fpizlo@apple.com>

        JavaScriptCore should be consistent about how it reads and writes ArgumentCount
        https://bugs.webkit.org/show_bug.cgi?id=74989
        <rdar://problem/10612006>

        Reviewed by Gavin Barraclough.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileLoadVarargs):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_get_arguments_length):
        (JSC::JIT::emit_op_get_argument_by_val):
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::SpecializedThunkJIT):

2011-12-20  Filip Pizlo  <fpizlo@apple.com>

        Value Profiles for arguments should be more easily accessible to the interpreter
        https://bugs.webkit.org/show_bug.cgi?id=74984
        <rdar://problem/10611364>

        Reviewed by Gavin Barraclough.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::stronglyVisitStrongReferences):
        (JSC::CodeBlock::shouldOptimizeNow):
        (JSC::CodeBlock::dumpValueProfiles):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::setArgumentValueProfileSize):
        (JSC::CodeBlock::numberOfArgumentValueProfiles):
        (JSC::CodeBlock::valueProfileForArgument):
        (JSC::CodeBlock::addValueProfile):
        (JSC::CodeBlock::valueProfile):
        (JSC::CodeBlock::valueProfileForBytecodeOffset):
        (JSC::CodeBlock::totalNumberOfValueProfiles):
        (JSC::CodeBlock::getFromAllValueProfiles):
        * bytecode/ValueProfile.h:
        (JSC::ValueProfile::ValueProfile):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitValueProfilingSite):

2011-12-20  Gavin Barraclough  <barraclough@apple.com>

        JSC shell should accept utf8 input.

        Reviewed by Filip Pizlo.

        * jsc.cpp:
        (jscSource):
        (functionRun):
        (functionLoad):
        (functionCheckSyntax):
        (runWithScripts):
        (runInteractive):

2011-12-20  Gavin Barraclough  <barraclough@apple.com>

        Rubber Stamped by Sam Weinig

        * runtime/JSGlobalData.cpp:
            - removed some dead code.

2011-12-19  Geoffrey Garen  <ggaren@apple.com>

        Tightened up Vector<T>::append
        https://bugs.webkit.org/show_bug.cgi?id=74906

        Reviewed by Sam Weinig.

        Not a measurable speedup, but code inspection shows better code generated,
        and I believe this is a step toward turning off -fomit-frame-pointer.

        * wtf/Vector.h:
        (WTF::::append):
        (WTF::::appendSlowCase): Split out the slow case into a separate function
        to keep unnecessary instructions off the hot path. This means the hot
        path can now be inlined more often.
        
        Removed some old MSVC7 cruft. Hopefully, we don't need to hang on to a
        compiler work-around from 2007.

2011-12-19  Yuqiang Xian  <yuqiang.xian@intel.com>

        Temporary GPR should not be lazily allocated in DFG JIT on X86
        https://bugs.webkit.org/show_bug.cgi?id=74908

        Reviewed by Filip Pizlo.

        On X86, we used to allocate a temporary GPR lazily when it's really
        used rather than defined. This may cause potential issues of
        allocating registers inside control flow and result in problems in
        subsequent code generation, for example the DFG JIT may think an
        operand already being spilled (to satisfy the allocation request) and
        generate code to read the data from memory, but the allocation and
        spilling are in a branch which is not taken at runtime, so the
        generated code is incorrect.

        Although current DFG JIT code doesn't have this problematic pattern,
        it's better to cut-off the root to avoid any potential issues in the
        future.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::GPRTemporary::GPRTemporary):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::GPRTemporary::gpr):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-12-19  Yuqiang Xian  <yuqiang.xian@intel.com>

        Remove unused code for non-speculative Arith operations from DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=74905

        Reviewed by Filip Pizlo.

        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        * dfg/DFGSpeculativeJIT64.cpp:

2011-12-19  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=74903
        Exceptions not thrown correctly from DFG JIT on 32bit

        Reviewed by Oliver Hunt.

        Arguments for lookupExceptionHandler are not setup correctly.
        In the case of ARMv7 we rely on lr being preserved over a call,
        this in invalid. On x86 we don't should be poking the arguments onto the stack!

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::bytecodeOffsetForCallAtIndex):
        * dfg/DFGAssemblyHelpers.h:
        (JSC::DFG::AssemblyHelpers::restoreReturnAddressBeforeReturn):
        * dfg/DFGGPRInfo.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileBody):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addExceptionCheck):
        (JSC::DFG::JITCompiler::addFastExceptionCheck):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:

2011-12-19  Filip Pizlo  <fpizlo@apple.com>

        If we detect that we can use the JIT, don't use computed opcode lookups
        https://bugs.webkit.org/show_bug.cgi?id=74899
        <rdar://problem/10604551>

        Reviewed by Gavin Barraclough.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::Interpreter):
        (JSC::Interpreter::initialize):
        (JSC::Interpreter::privateExecute):
        * interpreter/Interpreter.h:
        (JSC::Interpreter::getOpcode):
        (JSC::Interpreter::getOpcodeID):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):

2011-12-19  Geoffrey Garen  <ggaren@apple.com>

        Try to fix the Qt build.

        Unreviewed.

        * wtf/ThreadSpecific.h: #include!

2011-12-18  Filip Pizlo  <fpizlo@apple.com>

        It should be possible to change the value of an Options variable without recompiling the world
        https://bugs.webkit.org/show_bug.cgi?id=74807

        Reviewed by Gavin Barraclough.

        * runtime/Options.cpp:
        (JSC::Options::initializeOptions):
        * runtime/Options.h:

2011-12-19  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r103250.
        http://trac.webkit.org/changeset/103250
        https://bugs.webkit.org/show_bug.cgi?id=74877

        it still breaks codegen (Requested by olliej on #webkit).

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGNode.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateArithNodeFlags):
        (JSC::DFG::Propagator::fixupNode):
        (JSC::DFG::Propagator::byValIsPure):
        (JSC::DFG::Propagator::clobbersWorld):
        (JSC::DFG::Propagator::getByValLoadElimination):
        (JSC::DFG::Propagator::checkStructureLoadElimination):
        (JSC::DFG::Propagator::getByOffsetLoadElimination):
        (JSC::DFG::Propagator::getPropertyStorageLoadElimination):
        (JSC::DFG::Propagator::getIndexedPropertyStorageLoadElimination):
        (JSC::DFG::Propagator::performNodeCSE):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePutByValForByteArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-12-16  Oliver Hunt  <oliver@apple.com>

        Rolling r103120 back in with merge errors corrected.

        PutByVal[Alias] unnecessarily reloads the storage buffer
        https://bugs.webkit.org/show_bug.cgi?id=74747

        Reviewed by Gavin Barraclough.

        Make PutByVal use GetIndexedStorage to load the storage buffer.
        This required switching PutByVal to a vararg node (which is
        responsible for most of the noise in this patch).  This fixes the
        remaining portion of the kraken regression caused by the GetByVal
        storage load elimination, and a 1-5% win on some of the sub tests of
        the typed array benchmark at:
        http://stepheneb.github.com/webgl-matrix-benchmarks/matrix_benchmark.html

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGNode.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateArithNodeFlags):
        (JSC::DFG::Propagator::fixupNode):
        (JSC::DFG::Propagator::byValIndexIsPure):
        (JSC::DFG::Propagator::clobbersWorld):
        (JSC::DFG::Propagator::getByValLoadElimination):
        (JSC::DFG::Propagator::checkStructureLoadElimination):
        (JSC::DFG::Propagator::getByOffsetLoadElimination):
        (JSC::DFG::Propagator::getPropertyStorageLoadElimination):
        (JSC::DFG::Propagator::getIndexedPropertyStorageLoadElimination):
        (JSC::DFG::Propagator::performNodeCSE):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePutByValForByteArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-12-15  Geoffrey Garen  <ggaren@apple.com>

        Placement new does an unnecessary NULL check
        https://bugs.webkit.org/show_bug.cgi?id=74676

        Reviewed by Sam Weinig.

        We can define our own version, which skips the NULL check.
        
        Not a measurable speedup, but code inspection shows better code generated,
        and I believe this is a step toward turning off -fomit-frame-pointer.

        * API/JSCallbackConstructor.h:
        (JSC::JSCallbackConstructor::create):
        * API/JSCallbackFunction.h:
        (JSC::JSCallbackFunction::create): Use the NotNull version of placement
        new to skip the NULL check.

        * API/JSCallbackObject.h: Removed a conflicting, unnecessaray placement new.

        (JSC::JSCallbackObject::create):
        * debugger/DebuggerActivation.h:
        (JSC::DebuggerActivation::create):
        * heap/HandleHeap.cpp:
        (JSC::HandleHeap::grow):
        * heap/HandleHeap.h:
        (JSC::HandleHeap::allocate):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::create):
        (JSC::MarkedBlock::recycle):
        * jit/JITCode.h:
        (JSC::JITCode::clear):
        * jsc.cpp:
        (GlobalObject::create):
        * profiler/CallIdentifier.h:
        * runtime/Arguments.h:
        (JSC::Arguments::create):
        * runtime/ArrayConstructor.h:
        (JSC::ArrayConstructor::create):
        * runtime/ArrayPrototype.h:
        (JSC::ArrayPrototype::create):
        * runtime/BooleanConstructor.h:
        (JSC::BooleanConstructor::create):
        * runtime/BooleanObject.h:
        (JSC::BooleanObject::create):
        * runtime/BooleanPrototype.h:
        (JSC::BooleanPrototype::create):
        * runtime/DateConstructor.h:
        (JSC::DateConstructor::create):
        * runtime/DateInstance.h:
        (JSC::DateInstance::create):
        * runtime/DatePrototype.h:
        (JSC::DatePrototype::create):
        * runtime/Error.h:
        (JSC::StrictModeTypeErrorFunction::create):
        * runtime/ErrorConstructor.h:
        (JSC::ErrorConstructor::create):
        * runtime/ErrorInstance.h:
        (JSC::ErrorInstance::create):
        * runtime/ErrorPrototype.h:
        (JSC::ErrorPrototype::create):
        * runtime/ExceptionHelpers.h:
        (JSC::InterruptedExecutionError::create):
        (JSC::TerminatedExecutionError::create):
        * runtime/Executable.h:
        (JSC::NativeExecutable::create):
        (JSC::EvalExecutable::create):
        (JSC::ProgramExecutable::create):
        (JSC::FunctionExecutable::create):
        * runtime/FunctionConstructor.h:
        (JSC::FunctionConstructor::create):
        * runtime/FunctionPrototype.h:
        (JSC::FunctionPrototype::create):
        * runtime/GetterSetter.h:
        (JSC::GetterSetter::create):
        * runtime/JSAPIValueWrapper.h:
        (JSC::JSAPIValueWrapper::create):
        * runtime/JSActivation.h:
        (JSC::JSActivation::create):
        * runtime/JSArray.h:
        (JSC::JSArray::create):
        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::create):
        * runtime/JSByteArray.h:
        (JSC::JSByteArray::create): Use the NotNull version of placement
        new to skip the NULL check.

        * runtime/JSCell.h: Removed a conflicting, unnecessaray placement new.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::create):
        * runtime/JSFunction.h:
        (JSC::JSFunction::create):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::create):
        * runtime/JSGlobalThis.h:
        (JSC::JSGlobalThis::create):
        * runtime/JSNotAnObject.h:
        (JSC::JSNotAnObject::create):
        * runtime/JSONObject.h:
        (JSC::JSONObject::create):
        * runtime/JSObject.h:
        (JSC::JSFinalObject::create):
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::create):
        * runtime/JSPropertyNameIterator.h:
        (JSC::JSPropertyNameIterator::create):
        * runtime/JSStaticScopeObject.h:
        (JSC::JSStaticScopeObject::create):
        * runtime/JSString.cpp:
        (JSC::StringObject::create):
        * runtime/JSString.h:
        (JSC::RopeBuilder::createNull):
        (JSC::RopeBuilder::create):
        (JSC::RopeBuilder::createHasOtherOwner):
        * runtime/MathObject.h:
        (JSC::MathObject::create):
        * runtime/NativeErrorConstructor.h:
        (JSC::NativeErrorConstructor::create):
        * runtime/NativeErrorPrototype.h:
        (JSC::NativeErrorPrototype::create):
        * runtime/NumberConstructor.h:
        (JSC::NumberConstructor::create):
        * runtime/NumberObject.h:
        (JSC::NumberObject::create):
        * runtime/NumberPrototype.h:
        (JSC::NumberPrototype::create):
        * runtime/ObjectConstructor.h:
        (JSC::ObjectConstructor::create):
        * runtime/ObjectPrototype.h:
        (JSC::ObjectPrototype::create):
        * runtime/RegExp.cpp:
        (JSC::RegExp::createWithoutCaching):
        * runtime/RegExpConstructor.h:
        (JSC::RegExpConstructor::create):
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::create):
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::create):
        * runtime/RegExpPrototype.h:
        (JSC::RegExpPrototype::create):
        * runtime/ScopeChain.h:
        (JSC::ScopeChainNode::create):
        * runtime/StrictEvalActivation.h:
        (JSC::StrictEvalActivation::create):
        * runtime/StringConstructor.h:
        (JSC::StringConstructor::create):
        * runtime/StringObject.h:
        (JSC::StringObject::create):
        * runtime/StringPrototype.h:
        (JSC::StringPrototype::create):
        * runtime/Structure.h:
        (JSC::Structure::create):
        (JSC::Structure::createStructure):
        * runtime/StructureChain.h:
        (JSC::StructureChain::create):
        * testRegExp.cpp:
        (GlobalObject::create):
        * wtf/BitVector.cpp:
        (WTF::BitVector::OutOfLineBits::create): Use the NotNull version of placement
        new to skip the NULL check.

        * wtf/BumpPointerAllocator.h:
        (WTF::BumpPointerPool::create): Standardized spacing to make grep easier.

        * wtf/ByteArray.cpp:
        (WTF::ByteArray::create):
        * wtf/Deque.h:
        (WTF::::append):
        (WTF::::prepend): Use NotNull, as above.

        * wtf/FastAllocBase.h: Added a placement new, since this class would otherwise
        hide the name of the global placement new.

        (WTF::fastNew): Standardized spacing. Most of these functions don't need
        NotNull, since they check for NULL, and the optimizer can see that.

        * wtf/HashTable.h:
        * wtf/HashTraits.h:
        (WTF::SimpleClassHashTraits::constructDeletedValue):
        * wtf/MetaAllocator.cpp:
        (WTF::MetaAllocator::allocFreeSpaceNode): NotNull, as above.

        * wtf/StdLibExtras.h:
        (throw): This is our NotNull placement new. Declaring that we throw is
        the C++ way to say that operator new will not return NULL.

        * wtf/ThreadSpecific.h:
        (WTF::T):
        * wtf/Vector.h:
        (WTF::::append):
        (WTF::::tryAppend):
        (WTF::::uncheckedAppend):
        (WTF::::insert):
        * wtf/text/AtomicStringHash.h:
        * wtf/text/StringImpl.cpp:
        (WTF::StringImpl::createUninitialized):
        (WTF::StringImpl::reallocate):
        * wtf/text/StringImpl.h:
        (WTF::StringImpl::tryCreateUninitialized):
        * wtf/text/StringStatics.cpp:
        (WTF::AtomicString::init): Use NotNull, as above.

        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::Interpreter::allocDisjunctionContext):
        (JSC::Yarr::Interpreter::ParenthesesDisjunctionContext::ParenthesesDisjunctionContext):
        (JSC::Yarr::Interpreter::allocParenthesesDisjunctionContext): Standardized
        spacing for easy grep.

2011-12-19  Eric Carlson  <eric.carlson@apple.com>

        Enable <track> for Mac build
        https://bugs.webkit.org/show_bug.cgi?id=74838

        Reviewed by Darin Adler.

        * wtf/Platform.h:

2011-12-18  Filip Pizlo  <fpizlo@apple.com>

        DFG is too sloppy with register allocation
        https://bugs.webkit.org/show_bug.cgi?id=74835

        Reviewed by Gavin Barraclough.
        
        Added assertions that at the end of a successfully generated basic block,
        all use counts should be zero. This revealed a number of bugs:
        
        - Array length optimizations were turning a must-generate node into one
          that is not must-generate, but failing to change the ref count
          accordingly.
          
        - Indexed property storage optimizations were failing to deref their
          children, or to deref the indexed property storage node itself. Also,
          they used the Phantom node as a replacement. But the Phantom node is
          must-generate, which was causing bizarre issues. So this introduces a
          Nop node, which should be used in cases where you want a node that is
          skipped and has no children.
          
        This does not have any significant performance effect, but it should
        relieve some register pressure. The main thing this patch adds, though,
        are the assertions, which should make it easier to do register allocation
        related changes in the future.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::GenerationInfo::initConstant):
        (JSC::DFG::GenerationInfo::initInteger):
        (JSC::DFG::GenerationInfo::initJSValue):
        (JSC::DFG::GenerationInfo::initCell):
        (JSC::DFG::GenerationInfo::initBoolean):
        (JSC::DFG::GenerationInfo::initDouble):
        (JSC::DFG::GenerationInfo::initStorage):
        (JSC::DFG::GenerationInfo::use):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::clearAndDerefChild1):
        (JSC::DFG::Graph::clearAndDerefChild2):
        (JSC::DFG::Graph::clearAndDerefChild3):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::deref):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::fixupNode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-12-18  Benjamin Poulain  <bpoulain@apple.com>

        Remove the duplicated code from ASCIICType.h
        https://bugs.webkit.org/show_bug.cgi?id=74771

        Reviewed by Andreas Kling.

        Use isASCIIDigit() and isASCIIAlpha() instead of copying the code.

        * wtf/ASCIICType.h:
        (WTF::isASCIIDigit):
        (WTF::isASCIIAlphanumeric):
        (WTF::isASCIIHexDigit):

2011-12-18  Anders Carlsson  <andersca@apple.com>

        Set the main frame view scroll position asynchronously
        https://bugs.webkit.org/show_bug.cgi?id=74823

        Reviewed by Sam Weinig.

        * JavaScriptCore.exp:

2011-12-10  Andreas Kling  <kling@webkit.org>

        OpaqueJSClass: Remove RVCT2 workarounds.
        <http://webkit.org/b/74250>

        Reviewed by Benjamin Poulain.

        We no longer need workarounds for the RVCT2 compiler since it was
        only used for the Symbian port of WebKit which is now defunct.

        * API/JSClassRef.cpp:
        (OpaqueJSClass::OpaqueJSClass):
        (OpaqueJSClassContextData::OpaqueJSClassContextData):

2011-12-16  Benjamin Poulain  <bpoulain@apple.com>

        Remove the duplicated code from ASCIICType.h
        https://bugs.webkit.org/show_bug.cgi?id=74771

        Reviewed by Andreas Kling.

        The functions were sharing similar code and were defined for the various input types.
        Use templates instead to avoid code duplication.

        * wtf/ASCIICType.h:
        (WTF::isASCII):
        (WTF::isASCIIAlpha):
        (WTF::isASCIIAlphanumeric):
        (WTF::isASCIIDigit):
        (WTF::isASCIIHexDigit):
        (WTF::isASCIILower):
        (WTF::isASCIIOctalDigit):
        (WTF::isASCIIPrintable):
        (WTF::isASCIISpace):
        (WTF::isASCIIUpper):
        (WTF::toASCIILower):
        (WTF::toASCIIUpper):
        (WTF::toASCIIHexValue):
        (WTF::lowerNibbleToASCIIHexDigit):
        (WTF::upperNibbleToASCIIHexDigit):

2011-12-16  Filip Pizlo  <fpizlo@apple.com>

        DFG OSR exit may get confused about where in the scratch buffer it stored a value
        https://bugs.webkit.org/show_bug.cgi?id=74695

        Reviewed by Oliver Hunt.
        
        The code that reads from the scratch buffer now explicitly knows which locations to
        read from. No new tests, since this patch covers a case so uncommon that I don't know
        how to make a test for it.

        * dfg/DFGOSRExitCompiler.h:
        (JSC::DFG::OSRExitCompiler::badIndex):
        (JSC::DFG::OSRExitCompiler::initializePoisoned):
        (JSC::DFG::OSRExitCompiler::poisonIndex):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):

2011-12-16  Oliver Hunt  <oliver@apple.com>

        PutByVal[Alias] unnecessarily reloads the storage buffer
        https://bugs.webkit.org/show_bug.cgi?id=74747

        Reviewed by Gavin Barraclough.

        Make PutByVal use GetIndexedStorage to load the storage buffer.
        This required switching PutByVal to a vararg node (which is
        responsible for most of the noise in this patch).  This fixes the
        remaining portion of the kraken regression caused by the GetByVal
        storage load elimination, and a 1-5% win on some of the sub tests of
        the typed array benchmark at:
        http://stepheneb.github.com/webgl-matrix-benchmarks/matrix_benchmark.html

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGNode.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateArithNodeFlags):
        (JSC::DFG::Propagator::fixupNode):
        (JSC::DFG::Propagator::byValIndexIsPure):
        (JSC::DFG::Propagator::clobbersWorld):
        (JSC::DFG::Propagator::getByValLoadElimination):
        (JSC::DFG::Propagator::checkStructureLoadElimination):
        (JSC::DFG::Propagator::getByOffsetLoadElimination):
        (JSC::DFG::Propagator::getPropertyStorageLoadElimination):
        (JSC::DFG::Propagator::getIndexedPropertyStorageLoadElimination):
        (JSC::DFG::Propagator::performNodeCSE):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePutByValForByteArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-12-16  Daniel Bates  <dbates@rim.com>

        Include BlackBerryPlatformLog.h instead of BlackBerryPlatformMisc.h

        Rubber-stamped by Antonio Gomes.

        BlackBerry::Platform::logV() is declared in BlackBerryPlatformLog.h. That is, it isn't
        declared in BlackBerryPlatformMisc.h. Hence, we should include BlackBerryPlatformLog.h
        instead of BlackBerryPlatformMisc.h.

        * wtf/Assertions.cpp:

2011-12-16  Mark Hahnenberg  <mhahnenberg@apple.com>

        De-virtualize destructors
        https://bugs.webkit.org/show_bug.cgi?id=74331

        Reviewed by Geoffrey Garen.

        This is a megapatch which frees us from the chains of virtual destructors.

        In order to remove the virtual destructors, which are the last of the virtual 
        functions, from the JSCell hierarchy, we need to add the ClassInfo pointer to 
        the cell rather than to the structure because in order to be able to lazily call 
        the static destroy() functions that will replace the virtual destructors, we 
        need to be able to access the ClassInfo without the danger of the object's 
        Structure being collected before the object itself.

        After adding the ClassInfo to the cell, we can then begin to remove our use 
        of vptrs for optimizations within the JIT and the GC.  When we have removed 
        all of the stored vptrs from JSGlobalData, we can then also remove all of 
        the related VPtrStealingHack code.

        The replacement for virtual destructors will be to add a static destroy function 
        pointer to the MethodTable stored in ClassInfo.  Any subclass of JSCell that has 
        a non-trivial destructor will require its own static destroy function to static 
        call its corresponding destructor, which will now be non-virtual.  In future 
        patches we will slowly move away from destructors altogether as we make more and 
        more objects backed by GC memory rather than malloc-ed memory.  The GC will now 
        call the static destroy method rather than the virtual destructor.

        As we go through the hierarchy and add static destroy functions to classes, 
        we will also add a new assert, ASSERT_HAS_TRIVIAL_DESTRUCTOR, to those classes 
        to which it applies.  The future goal is to eventually have every class have that assert.

        * API/JSCallbackConstructor.cpp:
        (JSC::JSCallbackConstructor::destroy): Add a destroy function to statically call 
        ~JSCallbackConstructor because it has some extra destruction logic.
        * API/JSCallbackConstructor.h:
        * API/JSCallbackFunction.cpp: Add trivial destructor assert for JSCallbackFunction.
        * API/JSCallbackObject.cpp: Add a destroy function to statically call ~JSCallbackObject 
        because it has a member OwnPtr that needs destruction.
        (JSC::::destroy):
        * API/JSCallbackObject.h:
        * JavaScriptCore.exp: Add/remove necessary symbols for JSC.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Same for Windows symbols.
        * debugger/DebuggerActivation.cpp: DebuggerActivation, for some strange reason, didn't 
        have its own ClassInfo despite the fact that it overrides a number of MethodTable 
        methods.  Added the ClassInfo, along with an assertion that its destructor is trivial.
        * debugger/DebuggerActivation.h:
        * dfg/DFGOperations.cpp: Remove global data first argument to isJSArray, isJSByteArray, 
        isJSString, as it is no longer necessary.
        (JSC::DFG::putByVal):
        * dfg/DFGRepatch.cpp:  Ditto.  Also remove uses of jsArrayVPtr in favor of using the 
        JSArray ClassInfo pointer.
        (JSC::DFG::tryCacheGetByID):
        * dfg/DFGSpeculativeJIT.cpp:  Replace uses of the old vptrs with new ClassInfo 
        comparisons since we don't have vptrs anymore.
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::SpeculativeJIT::compilePutByValForByteArray):
        (JSC::DFG::SpeculativeJIT::compileGetTypedArrayLength):
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
        * dfg/DFGSpeculativeJIT.h: Ditto.
        (JSC::DFG::SpeculativeJIT::emitAllocateJSFinalObject):
        * dfg/DFGSpeculativeJIT32_64.cpp: Ditto.
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp: Ditto.
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * heap/Heap.cpp: Remove all uses of vptrs in GC optimizations and replace them with 
        ClassInfo comparisons.
        (JSC::Heap::Heap):
        * heap/MarkStack.cpp: Ditto.
        (JSC::MarkStackThreadSharedData::markingThreadMain):
        (JSC::visitChildren):
        (JSC::SlotVisitor::drain):
        * heap/MarkStack.h: Ditto.
        (JSC::MarkStack::MarkStack):
        * heap/MarkedBlock.cpp: Ditto.
        (JSC::MarkedBlock::callDestructor):
        (JSC::MarkedBlock::specializedSweep):
        * heap/MarkedBlock.h: Ditto.
        * heap/SlotVisitor.h: Ditto.
        (JSC::SlotVisitor::SlotVisitor):
        * heap/VTableSpectrum.cpp: Now that we don't have vptrs, we can't count them.  
        We'll have to rename this class and make it use ClassInfo ptrs in a future patch.
        (JSC::VTableSpectrum::count):
        * interpreter/Interpreter.cpp: Remove all global data arguments from isJSArray, 
        etc. functions.
        (JSC::loadVarargs):
        (JSC::Interpreter::tryCacheGetByID):
        (JSC::Interpreter::privateExecute):
        * jit/JIT.h: Remove vptr argument from emitAllocateBasicJSObject 
        * jit/JITInlineMethods.h: Remove vptr planting, and add ClassInfo planting, 
        remove all vtable related code.
        (JSC::JIT::emitLoadCharacterString):
        (JSC::JIT::emitAllocateBasicJSObject):
        (JSC::JIT::emitAllocateJSFinalObject):
        (JSC::JIT::emitAllocateJSFunction):
        * jit/JITOpcodes.cpp: Replace vptr related branch code with corresponding ClassInfo.
        (JSC::JIT::privateCompileCTIMachineTrampolines):
        (JSC::JIT::emit_op_to_primitive):
        (JSC::JIT::emit_op_convert_this):
        * jit/JITOpcodes32_64.cpp: Ditto.
        (JSC::JIT::privateCompileCTIMachineTrampolines):
        (JSC::JIT::emit_op_to_primitive):
        (JSC::JIT::emitSlow_op_eq):
        (JSC::JIT::emitSlow_op_neq):
        (JSC::JIT::compileOpStrictEq):
        (JSC::JIT::emit_op_convert_this):
        * jit/JITPropertyAccess.cpp: Ditto.
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::privateCompilePatchGetArrayLength):
        * jit/JITPropertyAccess32_64.cpp: Ditto.
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::privateCompilePatchGetArrayLength):
        * jit/JITStubs.cpp: Remove global data argument from isJSString, etc.
        (JSC::JITThunks::tryCacheGetByID):
        (JSC::DEFINE_STUB_FUNCTION):
        * jit/SpecializedThunkJIT.h: Replace vptr related stuff with ClassInfo stuff.
        (JSC::SpecializedThunkJIT::loadJSStringArgument):
        * runtime/ArrayConstructor.cpp: Add trivial destructor assert.
        * runtime/ArrayPrototype.cpp: Remove global data argument from isJSArray.
        (JSC::arrayProtoFuncToString):
        (JSC::arrayProtoFuncJoin):
        (JSC::arrayProtoFuncPop):
        (JSC::arrayProtoFuncPush):
        (JSC::arrayProtoFuncShift):
        (JSC::arrayProtoFuncSplice):
        (JSC::arrayProtoFuncUnShift):
        (JSC::arrayProtoFuncFilter):
        (JSC::arrayProtoFuncMap):
        (JSC::arrayProtoFuncEvery):
        (JSC::arrayProtoFuncForEach):
        (JSC::arrayProtoFuncSome):
        (JSC::arrayProtoFuncReduce):
        (JSC::arrayProtoFuncReduceRight):
        * runtime/BooleanConstructor.cpp: Add trivial destructor assert.
        * runtime/BooleanObject.cpp: Ditto.
        * runtime/BooleanPrototype.cpp: Ditto.
        * runtime/ClassInfo.h: Add destroy function pointer to MethodTable.
        * runtime/DateConstructor.cpp: Add trivial destructor assert.
        * runtime/DateInstance.cpp: Add destroy function for DateInstance because it has a RefPtr 
        that needs destruction.
        (JSC::DateInstance::destroy):
        * runtime/DateInstance.h:
        * runtime/Error.cpp: Ditto (because of UString member).
        (JSC::StrictModeTypeErrorFunction::destroy):
        * runtime/Error.h:
        * runtime/ErrorConstructor.cpp: Add trivial destructor assert.
        * runtime/ErrorInstance.cpp: Ditto.
        * runtime/ExceptionHelpers.cpp: Ditto.
        * runtime/Executable.cpp: Add destroy functions for ExecutableBase and subclasses.
        (JSC::ExecutableBase::destroy):
        (JSC::NativeExecutable::destroy):
        (JSC::ScriptExecutable::destroy):
        (JSC::EvalExecutable::destroy):
        (JSC::ProgramExecutable::destroy):
        (JSC::FunctionExecutable::destroy):
        * runtime/Executable.h:
        * runtime/FunctionConstructor.cpp: Add trivial destructor assert.
        * runtime/FunctionPrototype.cpp: Ditto. Also remove global data first arg from isJSArray.
        (JSC::functionProtoFuncApply):
        * runtime/GetterSetter.cpp: Ditto.
        * runtime/InitializeThreading.cpp: Remove call to JSGlobalData::storeVPtrs since it no 
        longer exists.
        (JSC::initializeThreadingOnce):
        * runtime/InternalFunction.cpp: Remove vtableAnchor function, add trivial destructor assert, 
        remove first arg from isJSString.
        (JSC::InternalFunction::displayName):
        * runtime/InternalFunction.h: Remove VPtrStealingHack.
        * runtime/JSAPIValueWrapper.cpp: Add trivial destructor assert.
        * runtime/JSArray.cpp: Add static destroy to call ~JSArray.  Replace vptr checks in 
        destructor with ClassInfo checks.
        (JSC::JSArray::~JSArray):
        (JSC::JSArray::destroy):
        * runtime/JSArray.h: Remove VPtrStealingHack.  Remove globalData argument from isJSArray 
        and change them to check the ClassInfo rather than the vptrs.
        (JSC::isJSArray):
        * runtime/JSBoundFunction.cpp: Add trival destructor assert. Remove first arg from isJSArray.
        (JSC::boundFunctionCall):
        (JSC::boundFunctionConstruct):
        * runtime/JSByteArray.cpp: Add static destroy function, replace vptr checks with ClassInfo checks.
        (JSC::JSByteArray::~JSByteArray):
        (JSC::JSByteArray::destroy):
        * runtime/JSByteArray.h: Remove VPtrStealingHack code.
        (JSC::isJSByteArray):
        * runtime/JSCell.cpp: Add trivial destructor assert.  Add static destroy function.
        (JSC::JSCell::destroy):
        * runtime/JSCell.h: Remove VPtrStealingHack code.  Add function for returning the offset 
        of the ClassInfo pointer in the object for use by the JIT.  Add the ClassInfo pointer to 
        the JSCell itself, and grab it from the Structure.  Remove the vptr and setVPtr functions, 
        as they are no longer used.  Add a validatedClassInfo function to JSCell for any clients 
        that want to verify, while in Debug mode, that the ClassInfo contained in the cell is the 
        same one as that contained in the Structure.  This isn't used too often, because most of 
        the places where we compare the ClassInfo to things can be called during destruction.  
        Since the Structure is unreliable during the phase when destructors are being called, 
        we can't call validatedClassInfo.
        (JSC::JSCell::classInfoOffset):
        (JSC::JSCell::structure):
        (JSC::JSCell::classInfo):
        * runtime/JSFunction.cpp: Remove VPtrStealingHack code.  Add static destroy, remove vtableAnchor, 
        remove first arg from call to isJSString.
        (JSC::JSFunction::destroy):
        (JSC::JSFunction::displayName):
        * runtime/JSFunction.h: 
        * runtime/JSGlobalData.cpp: Remove all VPtr stealing code and storage, including storeVPtrs, 
        as these vptrs are no longer needed in the codebase.
        * runtime/JSGlobalData.h:
        (JSC::TypedArrayDescriptor::TypedArrayDescriptor): Changed the TypedArrayDescriptor to use 
        ClassInfo rather than the vptr.
        * runtime/JSGlobalObject.cpp: Add static destroy function.
        (JSC::JSGlobalObject::destroy):
        * runtime/JSGlobalObject.h:
        * runtime/JSGlobalThis.cpp: Add trivial destructor assert.
        * runtime/JSNotAnObject.cpp: Ditto.
        * runtime/JSONObject.cpp: Ditto. Remove first arg from isJSArray calls.
        (JSC::Stringifier::Holder::appendNextProperty):
        (JSC::Walker::walk):
        * runtime/JSObject.cpp: 
        (JSC::JSFinalObject::destroy):
        (JSC::JSNonFinalObject::destroy):
        (JSC::JSObject::destroy):
        * runtime/JSObject.h: Add trivial destructor assert for JSObject, remove vtableAnchor 
        from JSNonFinalObject and JSFinalObject, add static destroy for JSFinalObject and 
        JSNonFinalObject, add isJSFinalObject utility function similar to isJSArray, remove all VPtrStealingHack code.
        (JSC::JSObject::finishCreation):
        (JSC::JSNonFinalObject::finishCreation):
        (JSC::JSFinalObject::finishCreation):
        (JSC::isJSFinalObject):
        * runtime/JSPropertyNameIterator.cpp: Add static destroy.
        (JSC::JSPropertyNameIterator::destroy):
        * runtime/JSPropertyNameIterator.h:
        * runtime/JSStaticScopeObject.cpp: Ditto.
        (JSC::JSStaticScopeObject::destroy):
        * runtime/JSStaticScopeObject.h: Ditto. 
        * runtime/JSString.cpp:
        (JSC::JSString::destroy):
        * runtime/JSString.h: Ditto. Remove VPtrStealingHack code. Also remove fixupVPtr code, 
        since we no longer need to fixup vptrs.
        (JSC::jsSingleCharacterString):
        (JSC::jsSingleCharacterSubstring):
        (JSC::jsNontrivialString):
        (JSC::jsString):
        (JSC::jsSubstring8):
        (JSC::jsSubstring):
        (JSC::jsOwnedString):
        (JSC::jsStringBuilder):
        (JSC::isJSString):
        * runtime/JSVariableObject.cpp: 
        (JSC::JSVariableObject::destroy):
        * runtime/JSVariableObject.h: Ditto.
        * runtime/JSWrapperObject.cpp:
        * runtime/JSWrapperObject.h: Add trivial destructor assert.
        * runtime/MathObject.cpp: Ditto.
        * runtime/NativeErrorConstructor.cpp: Ditto.
        * runtime/NumberConstructor.cpp: Ditto.
        * runtime/NumberObject.cpp: Ditto.
        * runtime/NumberPrototype.cpp: Ditto.
        * runtime/ObjectConstructor.cpp: Ditto.
        * runtime/ObjectPrototype.cpp: Ditto.
        * runtime/Operations.h: Remove calls to fixupVPtr, remove first arg to isJSString.
        (JSC::jsString):
        (JSC::jsLess):
        (JSC::jsLessEq):
        * runtime/RegExp.cpp: Add static destroy.
        (JSC::RegExp::destroy):
        * runtime/RegExp.h:
        * runtime/RegExpConstructor.cpp: Add static destroy for RegExpConstructor and RegExpMatchesArray.
        (JSC::RegExpConstructor::destroy):
        (JSC::RegExpMatchesArray::destroy):
        * runtime/RegExpConstructor.h:
        * runtime/RegExpMatchesArray.h:
        * runtime/RegExpObject.cpp: Add static destroy.
        (JSC::RegExpObject::destroy):
        * runtime/RegExpObject.h:
        * runtime/ScopeChain.cpp: Add trivial destructor assert.
        * runtime/ScopeChain.h:
        * runtime/StrictEvalActivation.cpp: Ditto.
        * runtime/StringConstructor.cpp:
        * runtime/StringObject.cpp: Ditto. Remove vtableAnchor.
        * runtime/StringObject.h:
        * runtime/StringPrototype.cpp: Ditto.
        * runtime/Structure.cpp: Add static destroy.
        (JSC::Structure::destroy):
        * runtime/Structure.h: Move JSCell::finishCreation and JSCell constructor into Structure.h 
        because they need to have the full Structure type to access the ClassInfo to store in the JSCell.
        (JSC::JSCell::setStructure):
        (JSC::JSCell::validatedClassInfo):
        (JSC::JSCell::JSCell):
        (JSC::JSCell::finishCreation):
        * runtime/StructureChain.cpp: Add static destroy.
        (JSC::StructureChain::destroy):
        * runtime/StructureChain.h:
        * wtf/Assertions.h: Add new assertion ASSERT_HAS_TRIVIAL_DESTRUCTOR, which uses clangs 
        ability to tell us when a class has a trivial destructor. We will use this assert 
        more in future patches as we move toward having all JSC objects backed by GC memory, 
        which means moving away from using destructors/finalizers.

2011-12-15  Martin Robinson  <mrobinson@igalia.com>

        Fix 'make dist' in preparation for the GTK+ release.

        * GNUmakefile.list.am: Add missing header.

2011-12-15  Sam Weinig  <sam@webkit.org>

        <rdar://problem/10552550> JavaScriptCore uses obsolete 'cpy' mnemonic in ARM assembly

        Reviewed by Gavin Barraclough.

        Original patch by Jim Grosbach.

        * jit/JITStubs.cpp:
        (JSC::ctiTrampoline):
        (JSC::ctiVMThrowTrampoline):
        Replace uses of the 'cpy' mnemonic with 'mov'.

2011-12-15  Filip Pizlo  <fpizlo@apple.com>

        Value profiling should distinguished between NaN and non-NaN doubles
        https://bugs.webkit.org/show_bug.cgi?id=74682

        Reviewed by Gavin Barraclough.
        
        Added PredictDoubleReal and PredictDoubleNaN. PredictDouble is now the union
        of the two.

        * bytecode/PredictedType.cpp:
        (JSC::predictionToString):
        (JSC::predictionFromValue):
        * bytecode/PredictedType.h:
        (JSC::isDoubleRealPrediction):
        (JSC::isDoublePrediction):

2011-12-15  Anders Carlsson  <andersca@apple.com>

        Regression (r102866): Navigating away from or closing a page with a plugin crashes
        https://bugs.webkit.org/show_bug.cgi?id=74655
        <rdar://problem/10590024>

        Reviewed by Sam Weinig.

        Rewrite HasRefAndDeref to work if ref and deref are implemented in base classes,
        using a modified version of the technique described here:
        http://groups.google.com/group/comp.lang.c++.moderated/msg/e5fbc9305539f699
        
        * wtf/Functional.h:

2011-12-15  Andy Wingo  <wingo@igalia.com>

        Warnings fixes in Interpreter.cpp and PrivateExecute.cpp
        https://bugs.webkit.org/show_bug.cgi?id=74624

        Reviewed by Darin Adler.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute): Fix variables unused in
        release mode.
        * wtf/ParallelJobsGeneric.cpp:
        (WTF::ParallelEnvironment::ParallelEnvironment): Fix
        signed/unsigned comparison warning, with a cast.

2011-12-15  Andy Wingo  <wingo@igalia.com>

        Use more macrology in JSC::Options
        https://bugs.webkit.org/show_bug.cgi?id=72938

        Reviewed by Filip Pizlo.

        * runtime/Options.cpp:
        (JSC::Options::initializeOptions):
        * runtime/Options.h: Use macros to ensure that all heuristics are
        declared and have initializers.

2011-12-15  Anders Carlsson  <andersca@apple.com>

        Add ScrollingCoordinator class and ENABLE_THREADED_SCROLLING define
        https://bugs.webkit.org/show_bug.cgi?id=74639

        Reviewed by Andreas Kling.

        Add ENABLE_THREADED_SCROLLING #define.

        * wtf/Platform.h:

2011-12-15  Anders Carlsson  <andersca@apple.com>

        EventDispatcher should handle wheel events on the connection queue
        https://bugs.webkit.org/show_bug.cgi?id=74627

        Reviewed by Andreas Kling.

        Add a BoundFunctionImpl specialization that takes three parameters.

        * wtf/Functional.h:
        (WTF::C::):
        (WTF::R):
        (WTF::bind):

2011-12-14  Anders Carlsson  <andersca@apple.com>

        Add WTF::Function to wtf/Forward.h
        https://bugs.webkit.org/show_bug.cgi?id=74576

        Reviewed by Adam Roben.

        * jsc.cpp:
        Work around a name conflict in the readline library.

        * wtf/Forward.h:
        Add Function.

2011-12-15  Igor Oliveira  <igor.oliveira@openbossa.org>

        [Qt] Support requestAnimationFrame API
        https://bugs.webkit.org/show_bug.cgi?id=74528

        Let Qt port use REQUEST_ANIMATION_FRAME_TIMER.

        Reviewed by Kenneth Rohde Christiansen.

        * wtf/Platform.h:

2011-12-15  Andy Wingo  <wingo@igalia.com>

        Minor refactor to Parser::parseTryStatement
        https://bugs.webkit.org/show_bug.cgi?id=74507

        Reviewed by Geoffrey Garen.

        * parser/Parser.cpp (JSC::Parser::parseTryStatement): Use the
        Parser's declareVariable instead of going directly to the scope.
        This will facilitate future checks related to harmony block
        scoping.

2011-12-15  Andy Wingo  <wingo@igalia.com>

        Rename JSC::Heuristics to JSC::Options
        https://bugs.webkit.org/show_bug.cgi?id=72889

        Reviewed by Filip Pizlo.

        * runtime/Options.cpp: Renamed from Source/JavaScriptCore/runtime/Heuristics.cpp.
        * runtime/Options.h: Renamed from Source/JavaScriptCore/runtime/Heuristics.h.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::shouldOptimizeNow):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::likelyToTakeSlowCase):
        (JSC::CodeBlock::couldTakeSlowCase):
        (JSC::CodeBlock::likelyToTakeSpecialFastCase):
        (JSC::CodeBlock::likelyToTakeDeepestSlowCase):
        (JSC::CodeBlock::likelyToTakeAnySlowCase):
        (JSC::CodeBlock::reoptimizationRetryCounter):
        (JSC::CodeBlock::countReoptimization):
        (JSC::CodeBlock::counterValueForOptimizeAfterWarmUp):
        (JSC::CodeBlock::counterValueForOptimizeAfterLongWarmUp):
        (JSC::CodeBlock::optimizeNextInvocation):
        (JSC::CodeBlock::dontOptimizeAnytimeSoon):
        (JSC::CodeBlock::optimizeSoon):
        (JSC::CodeBlock::largeFailCountThreshold):
        (JSC::CodeBlock::largeFailCountThresholdForLoop):
        (JSC::CodeBlock::shouldReoptimizeNow):
        (JSC::CodeBlock::shouldReoptimizeFromLoopNow):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleInlining):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::mightCompileEval):
        (JSC::DFG::mightCompileProgram):
        (JSC::DFG::mightCompileFunctionForCall):
        (JSC::DFG::mightCompileFunctionForConstruct):
        (JSC::DFG::mightInlineFunctionForCall):
        (JSC::DFG::mightInlineFunctionForConstruct):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::considerAddingAsFrequentExitSiteSlow):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
        * heap/MarkStack.cpp:
        (JSC::MarkStackSegmentAllocator::allocate):
        (JSC::MarkStackSegmentAllocator::shrinkReserve):
        (JSC::MarkStackArray::MarkStackArray):
        (JSC::MarkStackArray::donateSomeCellsTo):
        (JSC::MarkStackArray::stealSomeCellsFrom):
        (JSC::MarkStackThreadSharedData::MarkStackThreadSharedData):
        (JSC::SlotVisitor::donateSlow):
        (JSC::SlotVisitor::drain):
        (JSC::SlotVisitor::drainFromShared):
        * heap/MarkStack.h:
        (JSC::MarkStack::mergeOpaqueRootsIfProfitable):
        (JSC::MarkStack::addOpaqueRoot):
        (JSC::MarkStackArray::canDonateSomeCells):
        * heap/SlotVisitor.h:
        (JSC::SlotVisitor::donate):
        * jit/JIT.cpp:
        (JSC::JIT::emitOptimizationCheck):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreadingOnce): Adapt callers and build systems.

        * testRegExp.cpp:
        (CommandLine::CommandLine):
        * jsc.cpp:
        (CommandLine::CommandLine):
        Rename from Options, to avoid name conflict.

2011-12-14  Sam Weinig  <sam@webkit.org>

        Revert unintentional change to JavaScriptCore.def

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-12-14  Sam Weinig  <weinig@apple.com>

        Remove whitespace from InheritedPropertySheets attributes in
        vsprops files to appease the Visual Studio project migrator.

        Reviewed by Adam Roben.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreDebug.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreDebugAll.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreDebugCairoCFLite.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedDebug.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedDebugAll.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedDebugCairoCFLite.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedProduction.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedRelease.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedReleaseCairoCFLite.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedReleasePGO.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreProduction.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreRelease.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreReleaseCairoCFLite.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreReleasePGO.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreReleasePGOOptimize.vsprops:
        * JavaScriptCore.vcproj/WTF/WTFDebug.vsprops:
        * JavaScriptCore.vcproj/WTF/WTFDebugAll.vsprops:
        * JavaScriptCore.vcproj/WTF/WTFDebugCairoCFLite.vsprops:
        * JavaScriptCore.vcproj/WTF/WTFProduction.vsprops:
        * JavaScriptCore.vcproj/WTF/WTFRelease.vsprops:
        * JavaScriptCore.vcproj/WTF/WTFReleaseCairoCFLite.vsprops:
        * JavaScriptCore.vcproj/WTF/WTFReleasePGO.vsprops:
        * JavaScriptCore.vcproj/jsc/jscDebug.vsprops:
        * JavaScriptCore.vcproj/jsc/jscDebugAll.vsprops:
        * JavaScriptCore.vcproj/jsc/jscDebugCairoCFLite.vsprops:
        * JavaScriptCore.vcproj/jsc/jscProduction.vsprops:
        * JavaScriptCore.vcproj/jsc/jscRelease.vsprops:
        * JavaScriptCore.vcproj/jsc/jscReleaseCairoCFLite.vsprops:
        * JavaScriptCore.vcproj/jsc/jscReleasePGO.vsprops:
        * JavaScriptCore.vcproj/testRegExp/testRegExpDebug.vsprops:
        * JavaScriptCore.vcproj/testRegExp/testRegExpDebugAll.vsprops:
        * JavaScriptCore.vcproj/testRegExp/testRegExpDebugCairoCFLite.vsprops:
        * JavaScriptCore.vcproj/testRegExp/testRegExpProduction.vsprops:
        * JavaScriptCore.vcproj/testRegExp/testRegExpRelease.vsprops:
        * JavaScriptCore.vcproj/testRegExp/testRegExpReleaseCairoCFLite.vsprops:
        * JavaScriptCore.vcproj/testRegExp/testRegExpReleasePGO.vsprops:
        * JavaScriptCore.vcproj/testapi/testapiDebug.vsprops:
        * JavaScriptCore.vcproj/testapi/testapiDebugAll.vsprops:
        * JavaScriptCore.vcproj/testapi/testapiDebugCairoCFLite.vsprops:
        * JavaScriptCore.vcproj/testapi/testapiProduction.vsprops:
        * JavaScriptCore.vcproj/testapi/testapiRelease.vsprops:
        * JavaScriptCore.vcproj/testapi/testapiReleaseCairoCFLite.vsprops:

2011-12-14  Anders Carlsson  <andersca@apple.com>

        binding a member function should ref/deref the object pointer if needed
        https://bugs.webkit.org/show_bug.cgi?id=74552

        Reviewed by Sam Weinig.

        Add a HasRefAndDeref helper class template which checks if a given class type has ref and deref
        member functions which the right type. Use this to determine if we should ref/deref the first parameter.

        * wtf/Functional.h:
        (WTF::R):
        (WTF::C::):
        (WTF::RefAndDeref::ref):
        (WTF::RefAndDeref::deref):

2011-12-14  Hajime Morrita  <morrita@chromium.org>

        JS_INLINE and WTF_INLINE should be visible from WebCore
        https://bugs.webkit.org/show_bug.cgi?id=73191

        - Moved Export related macro definitions from config.h to ExportMacros.h and JSExportMacros.h.
        - Moved WTF_USE_JSC and WTF_USE_V8 from various config.h family to Platform.h.
        - Replaced JS_EXPORTDATA in wtf moudule with newly introduced WTF_EXPORTDATA.

        Reviewed by Kevin Ollivier.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * config.h:
        * runtime/JSExportMacros.h: Added.
        * wtf/ExportMacros.h:
        * wtf/Platform.h:
        * wtf/WTFThreadData.h:
        * wtf/text/AtomicString.h:
        * wtf/text/StringStatics.cpp:

2011-12-14  Anders Carlsson  <andersca@apple.com>

        Work around a bug in the MSVC2005 compiler
        https://bugs.webkit.org/show_bug.cgi?id=74550

        Reviewed by Sam Weinig.

        Add template parameters for the return types of the partial specializations of BoundFunctionImpl.

        * wtf/Functional.h:
        (WTF::R):

2011-12-13  Jon Lee  <jonlee@apple.com>

        Enable notifications on Mac.

        Reviewed by Sam Weinig.

        * Configurations/FeatureDefines.xcconfig:

2011-12-14  David Kilzer  <ddkilzer@apple.com>

        Remove definition of old ENABLE(YARR) macro
        <http://webkit.org/b/74532>

        Reviewed by Darin Adler.

        * wtf/Platform.h: Removed ENABLE_YARR macros.

2011-12-14  Anders Carlsson  <andersca@apple.com>

        bind should handle member functions
        https://bugs.webkit.org/show_bug.cgi?id=74529

        Reviewed by Sam Weinig.

        Add FunctionWrapper partial specializations for member function pointers.

        * wtf/Functional.h:
        (WTF::C::):

2011-12-14  Gavin Barraclough  <barraclough@apple.com>

        DFG relies on returning a struct in registers
        https://bugs.webkit.org/show_bug.cgi?id=74527

        Reviewed by Geoff Garen.

        This will not work on all platforms. Returning a uint64_t will more reliably achieve
        what we want, on 32-bit platforms (on 64-bit, stick with the struct return).

        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        (JSC::DFG::DFGHandler::dfgHandlerEncoded):

2011-12-14  Anders Carlsson  <andersca@apple.com>

        Add unary and binary bind overloads
        https://bugs.webkit.org/show_bug.cgi?id=74524

        Reviewed by Sam Weinig.

        * wtf/Functional.h:
        (WTF::R):
        (WTF::FunctionWrapper::ResultType):
        (WTF::bind):

2011-12-14  Anders Carlsson  <andersca@apple.com>

        Add back the callOnMainThread overload that takes a WTF::Function
        https://bugs.webkit.org/show_bug.cgi?id=74512

        Reviewed by Darin Adler.

        Add back the overload; the changes to WebCore should hopefully keep Windows building.

        * wtf/MainThread.cpp:
        (WTF::callFunctionObject):
        (WTF::callOnMainThread):
        * wtf/MainThread.h:

2011-12-13  Filip Pizlo  <fpizlo@apple.com>

        DFG should infer when local variables are doubles
        https://bugs.webkit.org/show_bug.cgi?id=74480

        Reviewed by Oliver Hunt.
        
        Introduced the notion that a local variable (though not an argument, yet!) can
        be stored as a double, and will be guaranteed to always contain a double. This
        requires more magic in the OSR (conversion in both entry and exit). The inference
        is quite unorthodox: all uses of a variable vote on whether they think it should
        be a double or a JSValue, based on how they use it. If they use it in an integer
        or boxed value context, they vote JSValue. If they use it in a double context,
        they vote double. This voting is interleaved in the propagator's fixpoint, so
        that variables voted double then have a double prediction propagated from them.
        This interleaving is needed because a variable that actually always contains an
        integer that always gets used in arithmetic that involves doubles may end up
        being voted double, which then means that all uses of the variable will see a
        double rather than an integer.
        
        This is worth 18% to SunSpider/3d-cube, 7% to Kraken/audio-beat-detection, 7%
        to Kraken/audio-fft, 6% to Kraken/imaging-darkroom, 20% to
        Kraken/imaging-gaussian-blur, and just over 1% to Kraken/json-parse-financial.
        It results in a 1% speed-up on SunSpider and a 4% speed-up in Kraken.  Similar
        results on JSVALUE32_64, though with a bigger win on Kraken (5%) and no overall
        win on SunSpider.

        * bytecode/ValueRecovery.h:
        (JSC::ValueRecovery::alreadyInRegisterFileAsUnboxedDouble):
        (JSC::ValueRecovery::dump):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGAssemblyHelpers.h:
        (JSC::DFG::AssemblyHelpers::boxDouble):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::noticeOSREntry):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOSREntry.h:
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::vote):
        (JSC::DFG::Propagator::doRoundOfDoubleVoting):
        (JSC::DFG::Propagator::propagatePredictions):
        (JSC::DFG::Propagator::fixupNode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::ValueSource::dump):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::VariableAccessData):
        (JSC::DFG::VariableAccessData::clearVotes):
        (JSC::DFG::VariableAccessData::vote):
        (JSC::DFG::VariableAccessData::doubleVoteRatio):
        (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
        (JSC::DFG::VariableAccessData::shouldUseDoubleFormat):
        (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat):
        * runtime/Arguments.cpp:
        (JSC::Arguments::tearOff):
        * runtime/Heuristics.cpp:
        (JSC::Heuristics::initializeHeuristics):
        * runtime/Heuristics.h:

2011-12-13  Anders Carlsson  <andersca@apple.com>

        Try to fix the Windows build.

        Remove the callOnMainThread overload that takes a WTF::Function since it's not being used.

        * wtf/MainThread.cpp:
        * wtf/MainThread.h:

2011-12-13  Anders Carlsson  <andersca@apple.com>

        Add a very bare-bones implementation of bind and Function to WTF
        https://bugs.webkit.org/show_bug.cgi?id=74462

        Reviewed by Sam Weinig.

        In order to make it easier to package up function calls and send them across
        threads, add a (currently very simple) implementation of WTF::bind and WTF::Function to a new
        wtf/Functional.h header.

        Currently, all bind can do is bind a nullary function and return a Function object that can be called and copied,
        but I'll add more as the need arises.

        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * wtf/Functional.h: Added.
        (WTF::R):
        (WTF::FunctionImplBase::~FunctionImplBase):
        (WTF::FunctionWrapper::ResultType):
        (WTF::FunctionBase::isNull):
        (WTF::FunctionBase::FunctionBase):
        (WTF::FunctionBase::impl):
        (WTF::bind):
        * wtf/MainThread.cpp:
        (WTF::callFunctionObject):
        (WTF::callOnMainThread):
        * wtf/MainThread.h:
        * wtf/wtf.pro:

2011-12-13  Geoffrey Garen  <ggaren@apple.com>

        <rdar://problem/10577239> GC Crash introduced in r102545

        Reviewed by Gavin Barraclough.
        
        MarkedArgumentBuffer was still marking items in forwards order, even though
        the argument order has been reversed.
        
        I fixed this bug, and replaced address calculation code with some helper
        functions -- mallocBase() and slotFor() -- so it stays fixed everywhere.

        * runtime/ArgList.cpp:
        (JSC::MarkedArgumentBuffer::markLists):
        (JSC::MarkedArgumentBuffer::slowAppend):
        * runtime/ArgList.h:
        (JSC::MarkedArgumentBuffer::~MarkedArgumentBuffer):
        (JSC::MarkedArgumentBuffer::at):
        (JSC::MarkedArgumentBuffer::append):
        (JSC::MarkedArgumentBuffer::last):
        (JSC::MarkedArgumentBuffer::slotFor):
        (JSC::MarkedArgumentBuffer::mallocBase):

2011-12-13  Filip Pizlo  <fpizlo@apple.com>

        DFG OSR exit for UInt32ToNumber should roll forward, not roll backward
        https://bugs.webkit.org/show_bug.cgi?id=74463

        Reviewed by Gavin Barraclough.
        
        Implements roll-forward OSR exit for UInt32ToNumber, which requires ValueRecoveries knowing
        how to execute the slow path of UInt32ToNumber.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::lastOSRExit):
        * bytecode/CodeOrigin.h:
        (JSC::CodeOrigin::operator!=):
        * bytecode/ValueRecovery.h:
        (JSC::ValueRecovery::uint32InGPR):
        (JSC::ValueRecovery::gpr):
        (JSC::ValueRecovery::dump):
        * dfg/DFGAssemblyHelpers.cpp:
        * dfg/DFGAssemblyHelpers.h:
        * dfg/DFGOSRExit.h:
        (JSC::DFG::OSRExit::valueRecoveryForOperand):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeUInt32ToNumber):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeUInt32ToNumber):
        (JSC::DFG::SpeculativeJIT::compile):

2011-12-13  Oliver Hunt  <oliver@apple.com>

        Arguments object doesn't handle mutation of length property correctly
        https://bugs.webkit.org/show_bug.cgi?id=74454

        Reviewed by Gavin Barraclough.

        Correct handling of arguments objects with overridden length property

        * interpreter/Interpreter.cpp:
        (JSC::loadVarargs):
        * runtime/Arguments.cpp:
        (JSC::Arguments::copyToArguments):
        (JSC::Arguments::fillArgList):

2011-12-13  Filip Pizlo  <fpizlo@apple.com>

        DFG GetByVal CSE rule should match PutByValAlias
        https://bugs.webkit.org/show_bug.cgi?id=74390

        Reviewed by Geoff Garen.
        
        Tiny win on some benchmarks. Maybe a 0.2% win on SunSpider.

        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::getByValLoadElimination):

2011-12-13  Andy Wingo  <wingo@igalia.com>

        Fix interpreter debug build.
        https://bugs.webkit.org/show_bug.cgi?id=74439

        Reviewed by Geoffrey Garen.

        * bytecode/ValueRecovery.h: Include stdio.h on debug builds.

2011-12-13  Filip Pizlo  <fpizlo@apple.com>

        DFG should know exactly why recompilation was triggered
        https://bugs.webkit.org/show_bug.cgi?id=74362

        Reviewed by Oliver Hunt.
        
        Each OSR exit is now individually counted, as well as counting the total number 
        of OSR exits that occurred in a code block. If recompilation is triggered, we
        check to see if there are OSR exit sites that make up a sufficiently large
        portion of the total OSR exits that occurred. For any such OSR exit sites, we
        add a description of the site (bytecode index, kind) to a data structure in the
        corresponding baseline CodeBlock. Then, when we recompile the code, we immediately
        know which speculations would be unwise based on the fact that previous such
        speculations proved to be fruitless.
        
        This means 2% win on two of the SunSpider string tests, a 4% win on V8's deltablue,
        and 5% on Kraken's imaging-darkroom. It is only a minor win in the averages, less
        than 0.5%.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::tallyFrequentExitSites):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addFrequentExitSite):
        (JSC::CodeBlock::exitProfile):
        (JSC::CodeBlock::reoptimize):
        (JSC::CodeBlock::tallyFrequentExitSites):
        * bytecode/DFGExitProfile.cpp: Added.
        (JSC::DFG::ExitProfile::ExitProfile):
        (JSC::DFG::ExitProfile::~ExitProfile):
        (JSC::DFG::ExitProfile::add):
        (JSC::DFG::QueryableExitProfile::QueryableExitProfile):
        (JSC::DFG::QueryableExitProfile::~QueryableExitProfile):
        * bytecode/DFGExitProfile.h: Added.
        (JSC::DFG::exitKindToString):
        (JSC::DFG::exitKindIsCountable):
        (JSC::DFG::FrequentExitSite::FrequentExitSite):
        (JSC::DFG::FrequentExitSite::operator!):
        (JSC::DFG::FrequentExitSite::operator==):
        (JSC::DFG::FrequentExitSite::hash):
        (JSC::DFG::FrequentExitSite::bytecodeOffset):
        (JSC::DFG::FrequentExitSite::kind):
        (JSC::DFG::FrequentExitSite::isHashTableDeletedValue):
        (JSC::DFG::FrequentExitSiteHash::hash):
        (JSC::DFG::FrequentExitSiteHash::equal):
        (JSC::DFG::QueryableExitProfile::hasExitSite):
        * dfg/DFGAssemblyHelpers.h:
        (JSC::DFG::AssemblyHelpers::baselineCodeBlockForOriginAndBaselineCodeBlock):
        (JSC::DFG::AssemblyHelpers::baselineCodeBlockFor):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeSafe):
        (JSC::DFG::ByteCodeParser::makeDivSafe):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::OSRExit):
        (JSC::DFG::OSRExit::considerAddingAsFrequentExitSiteSlow):
        * dfg/DFGOSRExit.h:
        (JSC::DFG::OSRExit::considerAddingAsFrequentExitSite):
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        (JSC::DFG::SpeculativeJIT::compilePutByValForByteArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnByteArray):
        (JSC::DFG::SpeculativeJIT::compileGetTypedArrayLength):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
        (JSC::DFG::SpeculativeJIT::compileSoftModulo):
        (JSC::DFG::SpeculativeJIT::compileArithMul):
        (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::speculationCheck):
        (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/Heuristics.cpp:
        (JSC::Heuristics::initializeHeuristics):
        * runtime/Heuristics.h:

2011-12-13  Michael Saboff  <msaboff@apple.com>

        Cleanup of StringImpl::equal in r102631 post commit
        https://bugs.webkit.org/show_bug.cgi?id=74421

        Reviewed by Darin Adler.

        * wtf/text/AtomicString.h:
        (WTF::operator==): Removed cast no longer needed.
        * wtf/text/StringImpl.h:
        (WTF::equal): Changed template to several overloaded methods.

2011-12-12  Michael Saboff  <msaboff@apple.com>

        Eliminate Duplicate word at a time equal code in StringImpl.cpp and StringHash.h
        https://bugs.webkit.org/show_bug.cgi?id=73622

        Reviewed by Oliver Hunt.

        Moved equal(charType1 *, charType2, unsigned) template methods
        from static StringImpl.cpp to StringImpl.h and then replaced the
        processor specific character comparison code in StringHash::equal
        with calls to these methods.

        This change is worth 3% on SunSpider string-unpack-code as reported
        by the SunSpider command line harness.  No other tests appear to
        have measurable performance changes.

        * wtf/text/AtomicString.h:
        (WTF::operator==):
        * wtf/text/StringHash.h:
        (WTF::StringHash::equal):
        * wtf/text/StringImpl.cpp:
        * wtf/text/StringImpl.h:
        (WTF::LChar):
        (WTF::UChar):
        (WTF::equal):

2011-12-12  Filip Pizlo  <fpizlo@apple.com>

        ARMv7 version of DFG soft modulo does register allocation inside of control flow
        https://bugs.webkit.org/show_bug.cgi?id=74354

        Reviewed by Gavin Barraclough.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileSoftModulo):

2011-12-12  Andy Wingo  <wingo@igalia.com>

        Simplify autotools configure.ac
        https://bugs.webkit.org/show_bug.cgi?id=74312

        Reviewed by Martin Robinson.

        * GNUmakefile.am: Add JSC_CPPFLAGS to javascriptcore_cppflags.

2011-12-12  Filip Pizlo  <fpizlo@apple.com>

        DFG GetByVal CSE incorrectly assumes that a non-matching PutByVal cannot clobber
        https://bugs.webkit.org/show_bug.cgi?id=74329

        Reviewed by Gavin Barraclough.

        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::getByValLoadElimination):

2011-12-09  Alexander Pavlov  <apavlov@chromium.org>

        WebKit does not enumerate over CSS properties in HTMLElement.style
        https://bugs.webkit.org/show_bug.cgi?id=23946

        Reviewed by Darin Adler.

        Add a few exports to follow the JSCSSStyleDeclaration.cpp changes,
        introduce an std::sort() comparator function.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * wtf/text/WTFString.h:
        (WTF::codePointCompareLessThan): Used by std::sort() to sort properties.

2011-12-12  Alexander Pavlov  <apavlov@chromium.org>

        Unreviewed, build fix.

        Revert r102570 which broke SnowLeopard builders.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * wtf/text/WTFString.h:

2011-12-09  Alexander Pavlov  <apavlov@chromium.org>

        WebKit does not enumerate over CSS properties in HTMLElement.style
        https://bugs.webkit.org/show_bug.cgi?id=23946

        Reviewed by Darin Adler.

        Add a few exports to follow the JSCSSStyleDeclaration.cpp changes,
        introduce an std::sort() comparator function.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * wtf/text/WTFString.h:
        (WTF::codePointCompareLessThan): Used by std::sort() to sort properties.

2011-12-12  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix make distcheck issues.

        * GNUmakefile.list.am:

2011-12-11  Sam Weinig  <sam@webkit.org>

        Fix another signed vs. unsigned warning

        * runtime/ArgList.h:
        (JSC::MarkedArgumentBuffer::~MarkedArgumentBuffer):

2011-12-11  Sam Weinig  <sam@webkit.org>

        Fix a signed vs. unsigned warning.

        * runtime/ArgList.cpp:
        (JSC::MarkedArgumentBuffer::slowAppend):
        Cast inlineCapacity to an int to appease the warning. This is known OK
        since inlineCapacity is defined to be 8.

2011-12-11  Geoffrey Garen  <ggaren@apple.com>

        Rolled out *another* debugging change I committed accidentally.

        Unreviewed.

        * Configurations/Base.xcconfig:

2011-12-11  Geoffrey Garen  <ggaren@apple.com>
        
        Rolled out a debug counter I committed accidentally.

        Unreviewed.

        * jit/JITStubs.cpp:
        (JSC::arityCheckFor):

2011-12-10  Geoffrey Garen  <ggaren@apple.com>

        v8 benchmark takes 12-13 million function call slow paths due to extra arguments
        https://bugs.webkit.org/show_bug.cgi?id=74244

        Reviewed by Filip Pizlo.
        
        .arguments function of order the Reversed
        
        10% speedup on v8-raytrace, 1.7% speedup on v8 overall, neutral on Kraken
        and SunSpider.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::valueProfileForArgument): Clarified that the interface
        to this function is an argument number.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitConstruct):
        (JSC::BytecodeGenerator::isArgumentNumber): Switched to using CallFrame
        helper functions for computing offsets for arguments, rather than doing
        the math by hand.
        
        Switched to iterating argument offsets backwards (--) instead of forwards (++).

        * bytecompiler/BytecodeGenerator.h:
        (JSC::CallArguments::thisRegister):
        (JSC::CallArguments::argumentRegister):
        (JSC::CallArguments::registerOffset): Updated for arguments being reversed.

        * bytecompiler/NodesCodegen.cpp: Allocate arguments in reverse order.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getArgument):
        (JSC::DFG::ByteCodeParser::setArgument):
        (JSC::DFG::ByteCodeParser::flush):
        (JSC::DFG::ByteCodeParser::addCall):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::handleMinMax):
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::processPhiStack): Use abstract argument indices
        that just-in-time convert to bytecode operands (i.e., indexes in the register
        file) through helper functions. This means only one piece of code needs
        to know how arguments are laid out in the register file.

        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump): Ditto.

        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::valueProfileFor): Ditto.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction): The whole point of this patch:
        Treat too many arguments as an arity match.

        * dfg/DFGOSRExit.h:
        (JSC::DFG::OSRExit::variableForIndex):
        (JSC::DFG::OSRExit::operandForIndex): Use helper functions, as above.

        * dfg/DFGOperands.h:
        (JSC::DFG::operandToArgument):
        (JSC::DFG::argumentToOperand): These are now the only two lines of code in
        the DFG compiler that know how arguments are laid out in memory.

        (JSC::DFG::Operands::operand):
        (JSC::DFG::Operands::setOperand): Use helper functions, as above.

        * dfg/DFGOperations.cpp: The whole point of this patch:
        Treat too many arguments as an arity match.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall): Use helper functions, as above.
        
        Also, don't tag the caller frame slot as a cell, because it's not a cell.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall): Use helper functions, as above.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile): Use helper functions, as above.

        (JSC::DFG::SpeculativeJIT::checkArgumentTypes): Use already-computed
        argument virtual register instead of recomputing by hand.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callFrameSlot):
        (JSC::DFG::SpeculativeJIT::argumentSlot):
        (JSC::DFG::SpeculativeJIT::callFrameTagSlot):
        (JSC::DFG::SpeculativeJIT::callFramePayloadSlot):
        (JSC::DFG::SpeculativeJIT::argumentTagSlot):
        (JSC::DFG::SpeculativeJIT::argumentPayloadSlot): Added a few helper
        functions for dealing with callee arguments specifically. These still
        build on top of our other helper functions, and have no direct knowledge
        of how arguments are laid out in the register file.

        (JSC::DFG::SpeculativeJIT::resetCallArguments):
        (JSC::DFG::SpeculativeJIT::addCallArgument): Renamed argumentIndex to
        argumentOffset to match CallFrame naming.

        (JSC::DFG::SpeculativeJIT::valueSourceReferenceForOperand): Use helper
        functions, as above.

        * interpreter/CallFrame.h:
        (JSC::ExecState::argumentOffset):
        (JSC::ExecState::argumentOffsetIncludingThis):
        (JSC::ExecState::argument):
        (JSC::ExecState::setArgument):
        (JSC::ExecState::thisArgumentOffset):
        (JSC::ExecState::thisValue):
        (JSC::ExecState::setThisValue):
        (JSC::ExecState::offsetFor):
        (JSC::ExecState::hostThisRegister):
        (JSC::ExecState::hostThisValue): Added a bunch of helper functions for
        computing where an argument is in the register file. Anything in the
        runtime that needs to access arguments should use these helpers.

        * interpreter/CallFrameClosure.h:
        (JSC::CallFrameClosure::setThis):
        (JSC::CallFrameClosure::setArgument):
        (JSC::CallFrameClosure::resetCallFrame): This stuff is a lot simpler, now
        that too many arguments counts as an arity match and doesn't require
        preserving two copies of our arguments.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::slideRegisterWindowForCall): Only need to do something
        special if the caller provided too few arguments.
        
        Key simplification: We never need to maintain two copies of our arguments
        anymore.

        (JSC::eval):
        (JSC::loadVarargs): Use helper functions.

        (JSC::Interpreter::unwindCallFrame): Updated for new interface.

        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall): Seriously, though: use helper
        functions.

        (JSC::Interpreter::privateExecute): No need to check for stack overflow
        when calling host functions because they have zero callee registers.

        (JSC::Interpreter::retrieveArguments): Explicitly tear off the arguments
        object, since there's no special constructor for this anymore.

        * interpreter/Interpreter.h: Reduced the C++ re-entry depth because some
        workers tests were hitting stack overflow in some of my testing. We should
        make this test more exact in future.

        * interpreter/RegisterFile.h: Death to all runtime knowledge of argument
        location that does not belong to the CallFrame class!

        * jit/JIT.cpp:
        (JSC::JIT::privateCompile): I am a broken record and I use helper functions.
        
        Also, the whole point of this patch: Treat too many arguments as an arity match.

        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileLoadVarargs):
        * jit/JITCall.cpp:
        (JSC::JIT::compileLoadVarargs): Updated the argument copying math to use
        helper functions, for backwards-correctness. Removed the condition
        pertaining to declared argument count because, now that arguments are
        always in just one place, this optimization is valid for all functions.
        Standardized the if predicate for each line of the optimization. This might
        fix a bug, but I couldn't get the bug to crash in practice.

        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_create_arguments):
        (JSC::JIT::emit_op_get_argument_by_val):
        (JSC::JIT::emitSlow_op_get_argument_by_val):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_create_arguments):
        (JSC::JIT::emit_op_get_argument_by_val):
        (JSC::JIT::emitSlow_op_get_argument_by_val): Removed cti_op_create_arguments_no_params
        optimization because it's no longer an optimization, now that arguments
        are always contiguous in a known location.
        
        Updated argument access opcode math for backwards-correctness.

        * jit/JITStubs.cpp:
        (JSC::arityCheckFor): Updated just like slideRegisterWindowForCall. This
        function is slightly different because it copies the call frame in
        addition to the arguments. (In the Interpreter, the call frame is not
        set up by this point.)

        (JSC::lazyLinkFor): The whole point of this patch: Treat too many
        arguments as an arity match.

        (JSC::DEFINE_STUB_FUNCTION): Updated for new iterface to tearOff().

        * jit/JITStubs.h:
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::loadDoubleArgument):
        (JSC::SpecializedThunkJIT::loadCellArgument):
        (JSC::SpecializedThunkJIT::loadInt32Argument): Use helper functions! They
        build strong bones and teeth!

        * runtime/ArgList.cpp:
        (JSC::ArgList::getSlice):
        (JSC::MarkedArgumentBuffer::slowAppend):
        * runtime/ArgList.h:
        (JSC::MarkedArgumentBuffer::MarkedArgumentBuffer):
        (JSC::MarkedArgumentBuffer::~MarkedArgumentBuffer):
        (JSC::MarkedArgumentBuffer::at):
        (JSC::MarkedArgumentBuffer::clear):
        (JSC::MarkedArgumentBuffer::append):
        (JSC::MarkedArgumentBuffer::removeLast):
        (JSC::MarkedArgumentBuffer::last):
        (JSC::ArgList::ArgList):
        (JSC::ArgList::at): Updated for backwards-correctness. WTF::Vector doesn't
        play nice with backwards-ness, so I changed to using manual allocation.
        
        Fixed a FIXME about not all values being marked in the case of out-of-line
        arguments. I had to rewrite the loop anyway, and I didn't feel like
        maintaining fidelity to its old bugs.

        * runtime/Arguments.cpp:
        (JSC::Arguments::visitChildren):
        (JSC::Arguments::copyToArguments):
        (JSC::Arguments::fillArgList):
        (JSC::Arguments::getOwnPropertySlotByIndex):
        (JSC::Arguments::getOwnPropertySlot):
        (JSC::Arguments::getOwnPropertyDescriptor):
        (JSC::Arguments::putByIndex):
        (JSC::Arguments::put):
        (JSC::Arguments::tearOff):
        * runtime/Arguments.h:
        (JSC::Arguments::create):
        (JSC::Arguments::Arguments):
        (JSC::Arguments::argument):
        (JSC::Arguments::finishCreation): Secondary benefit of this